IP Mobility: Threat Models and Security Requirements - PowerPoint PPT Presentation



SLIDE 1

IP Mobility: Threat Models and Security Requirements

Vidya Narayanan (vidyan@qualcomm.com)
Lakshminath Dondeti (ldondeti@qualcomm.com)

SLIDE 2

IETF-67 INT Area

Outline

• Introduction and Goals
• Typical network architecture
• Assets
• Internet Threat Model – A Recap
• Routing and IP Mobility
• Security analysis of IP mobility protocols
• Security Requirements
• Security Models

SLIDE 3

Introduction and Goals

• IP Mobility handles changes to the IP point of presence (PoP)
  – Forwards packets meant for an "anchor" IP address to a "transient" IP address
  – Several models (global, local, host-based, network-based)
• Aid analysis of threat models for IP mobility protocols
• Remove the guesswork in threats
• Provide high level security requirements for IP mobility protocols
• Allow evaluation of a security solution

SLIDE 4

Overall Mobility Architecture

[Diagram: MN attached via L2 PoP1–PoP4 to ARs in a Local Network with a local MA and AAAL; Home Network with MA, AAAH and CA; the Internet; correspondent nodes CN1, CN2, CN3. Legend: L3 Mobility Management Entity, L2 Mobility Management Entity, Security Infrastructure Entity, Correspondent Entity.]

SLIDE 5

Definitions

• Mobility Agent
  – Entity maintaining state on location of mobile nodes
  – E.g., MIP HA, FMIP pAR, HMIP MAP, NETLMM LMA, MIP RO-enabled CN
• Mobility Facilitators
  – Other entities that facilitate IP mobility
  – E.g., NETLMM MAG, MIP4 FA, HMIP AR
  – It is plausible for these to fail/be compromised without denial of service
• Mobility Provider
  – Mobility Agent or Mobility Facilitator
• Mobility Recipient
  – Entity receiving the IP mobility service
  – Mobile node is the recipient

SLIDE 6

Assets

• Critical Assets
  – Failure/compromise of these assets leads to failed mobility sessions
  – Mobile Node, Mobility Agent, Security Infrastructure Entities
• Non-critical Assets
  – The mobility session can continue despite failure/compromise of these assets
  – Network infrastructure, including links
  – Mobility facilitators (e.g., ARs, routers)
• Other Assets
  – Correspondent Nodes
  – Other nodes (mobile or fixed) attaching to the mobility domain
• Not all assets are applicable for all mobility models

SLIDE 7

The Internet Threat Model – A Recap

• Assumption 1: Critical assets are not compromised
• Assumption 2: The attacker has full control of the communication channel
  – Attacker can read, inject, remove, modify any packets without detection
• Types of attacks
  – Passive attacks
  – Active attacks
  – Off-path attacks
  – On-path attacks (superset of off-path attacks)
• Reference: RFC3552
• Are all these assumptions and/or attacks applicable to IP mobility protocols?
• Are there other assumptions and/or attacks that are applicable to IP mobility protocols?

SLIDE 8

Routing and Byzantine Failures

• A network can function in the presence of Byzantine failures
  – Entities lying about routing or other information selectively, while appearing to function correctly (due to compromise, mis-configuration)
• As long as there is a non-faulty path between nodes A and B, they can communicate
  – Even if the adversary sends bogus and disparate information to legitimate infrastructure entities, e.g., routers

[Diagram: nodes A and B connected through a network of routers.]

SLIDE 9

Mobility and Failure of Non-critical Nodes

• Mobility signaling is possible even if one or a few non-critical assets fail in an adversarial fashion
• Mobility facilitators may fail in a Byzantine fashion, yet MNs can and should be able to get service

[Diagram: two MNs attached through two ARs to the MA, with a node C.]

SLIDE 10

Don't Mess With Routing!

• A protocol among a given set of entities must not impact routing for unrelated entities
  – D's malicious use of a protocol between C and D MUST not impact communication between A and B

[Diagram: nodes A, B, C, D.]

SLIDE 11

Outline

• Introduction and Goals
• Defining IP Mobility
• IP Mobility Models
• Typical network architecture
• Assets
• Internet Threat Model – A Recap
• Routing and IP Mobility
• Security analysis of IP mobility protocols
  – Threats to IP mobility "providers"
  – Threats to IP mobility "recipients"
  – Off-path vs. on-path attacks
  – Threats enabled by mobility protocols
• Security Requirements
• Security Models

SLIDE 12

Threats to IP Mobility Provider

• Provider's interests
  – Ensuring that only authorized entities obtain the service
  – Ensuring that service is provided as intended
    – Only entities served by the provider are able to create state at the mobility agent
• Threats to mobility "agents"
  – Creation of state by unauthorized nodes
  – Creation of incorrect state for valid nodes
• Threats to mobility "facilitators"
  – Creation of spurious state at the facilitator
  – Use of facilitator to disrupt IP mobility

SLIDE 13

Threats to IP Mobility Recipient

• Recipient's interests
  – Ensuring undisrupted IP mobility service
• Threats to recipients
  – Redirection: recipient's traffic being redirected elsewhere
  – DDoS: recipient being victim to a DDoS attack and receiving spurious traffic
  – DoS: disruption in IP mobility service; redirection may lead to DoS

SLIDE 14

Mobility Protocols Facilitate Attacks

• Mobility protocols have a unique feature ☺
  – Any node on the network is a potential victim
• Mobility signaling supplants routing state!
  – Set of assets expanded beyond mobility providers and recipients
  – Redirection of traffic belonging to other nodes
  – DDoS on any node in the Internet
• IP mobility provides one more way of realizing a DDoS attack
• Is it significantly easier to launch a DDoS using IP mobility protocols?
  – Perhaps! Traceability factors into the equation

SLIDE 15

The Power of an Off-path Attacker

• IP mobility protocols make an off-path attacker as powerful as an on-path attacker
• Redirection
  – Attacker registers victim's address as the "anchor" address
• Distributed DoS
  – Attacker registers victim's address as the "transient" address
• DoS attack on a mobile node
• Reflection attacks
• Passive attacks alone are not a concern
  – Mobility protocols themselves don't require confidentiality
  – Confidentiality for IP location privacy may change this
  – Data confidentiality can be achieved using end-to-end security

SLIDE 16

Redirection Attacks

[Diagram: before, data for IPax reaches A (IPax) via the MA serving prefix X; after B (IPb) registers the binding IPax :: IPb at the MA, data for IPax is delivered to B.]

• Redirection of a victim's traffic to the attacker
• Target victims are nodes (fixed & mobile) on the prefix of the mobility agent

SLIDE 17

Distributed DoS Attacks

[Diagram: B (IPbx, IPb) registers the binding IPbx :: IPa at the MA serving prefix X; data that C and D send to IPbx is forwarded to the victim A (IPa).]

• Redirection of the attacker's traffic to the victim
• DDoS can be caused in a variety of other ways, but IP mobility allows amplification

SLIDE 18

Denial of Service Attacks

[Diagram: A (IPax, IPa) holds the legitimate binding IPax :: IPa at the MA serving prefix X; B (IPb) deletes or modifies A's registration, or overwrites the binding with IPax :: IPb.]

• Disruption of service for an MN due to packet deletion/modification/bogus registrations

SLIDE 19

Reflection Attacks

[Diagram: nodes A, C, B.]

• Cause responses to be sent to a victim (DDoS)
• Cause packets meant for the wrong address to be sent to the victim (forced redirection)

SLIDE 20

Outline

• Introduction and Goals
• Defining IP Mobility
• IP Mobility Models
• Typical network architecture
• Assets
• Internet Threat Model – A Recap
• Routing and IP Mobility
• Security analysis of IP mobility protocols
• Security Requirements
  – Channel security
  – IP Address Authorization
  – Entity Authorization
  – Protection against unrelated entities
  – Protection for unrelated entities
• Security Models

SLIDE 21

Security Requirements

• Channel Security
  – Data Origin Authentication
  – Integrity Protection
  – Replay Protection
• IP Address Authorization
• Entity Authorization
• Protection against compromise of non-critical assets
• Protection for non-participants

SLIDE 22

Channel Security

• Data Origin Authentication
  – Ensures creation of state at the mobility agent strictly by authorized nodes
• Integrity Protection
  – Really the same as data origin authentication!
  – Protects against redirection, MiTM, DoS and DDoS attacks
• Replay Protection
  – Protects against redirection, MiTM, DoS and DDoS attacks

[Diagram: A, B, MA – Signaling Endpoints; C, D – On-path Attackers; E – Off-path Attacker; SC (A-MA) – Unique Secure Channel b/w A & MA; SC (B-MA) – Unique Secure Channel b/w B & MA.]

Shared secure channels do not provide channel security!

SLIDE 23

IP Address Authorization (1/2)

• Authorization for "anchor" address
  – MIP HoA, FMIP pCoA, HMIP RCoA, NETLMM LoA
• Ensures IP mobility service only for authorized nodes
• Protects against redirection, MiTM, and DoS attacks

[Diagram: MA (prefix X) serves A (IPax, IPa) and B (IPbx, IPb); A registers IPax :: IPa while B registers IPax :: IPb. Labels: "Authzn: A IPax, B IPax", "State: IPax :: IP1".]

Without authorization on the address being served, a lot breaks!

SLIDE 24

IP Address Authorization (2/2)

• Authorization for "transient" address
  – MIP CoA, FMIP nCoA, HMIP LCoA, NETLMM MAG
• Prevents a DDoS attack
• Attack needs to be detectable at a minimum
  – Authorization of "anchor" address allows detection of attack

[Diagram: A (IPa), prefix X, B (IPbx, IPb); B registers IPbx :: IPa. Label: "State: IPax :: IP1 and/or IPbx :: IP1".]

If not protected or detectable, this would be an easier way to launch a DDoS attack on any node!
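The checks of slides 22 to 24 (a unique secure channel per signaling endpoint, replay protection, anchor address authorization and transient address authorization) as an added Python model of a mobility agent's registration handling; this is not code from the slides or from any mobility protocol implementation. The endpoint names, keys and allow-lists are constructed, and the `sender` field stands in for the identity the MA would learn from the endpoint's secure channel.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed per-endpoint keys: one unique secure channel per signaling
# endpoint, as in the slide's SC (A-MA) / SC (B-MA). A single key shared by
# A and B would let either of them sign as the other.
ENDPOINT_KEYS = {
    "A": b"key-shared-only-between-A-and-MA",
    "B": b"key-shared-only-between-B-and-MA",
}

# Constructed authorization data: which anchor addresses on prefix X each
# endpoint may bind, and which transient addresses it may bind them to.
# The slides require transient-address misuse to be at least detectable;
# an allow-list is the simplest assumed form of that check.
ANCHOR_AUTHZ = {"A": {"IPax"}, "B": {"IPbx"}}
TRANSIENT_AUTHZ = {"A": {"IPa"}, "B": {"IPb"}}


@dataclass
class BindingUpdate:
    sender: str      # identity bound to the secure channel
    anchor: str      # "anchor" address (e.g. MIP HoA)
    transient: str   # "transient" address (e.g. MIP CoA)
    seq: int         # monotonically increasing per sender
    mac: bytes = b""

    def signed_bytes(self) -> bytes:
        return f"{self.sender}|{self.anchor}|{self.transient}|{self.seq}".encode()


def sign(bu: BindingUpdate, key: bytes) -> BindingUpdate:
    bu.mac = hmac.new(key, bu.signed_bytes(), hashlib.sha256).digest()
    return bu


@dataclass
class MobilityAgent:
    bindings: dict = field(default_factory=dict)   # anchor -> transient
    last_seq: dict = field(default_factory=dict)   # sender -> last accepted seq
    log: list = field(default_factory=list)

    def process(self, bu: BindingUpdate) -> str:
        key = ENDPOINT_KEYS.get(bu.sender)
        if key is None:
            return self._reject(bu, "unknown endpoint")
        # Data origin authentication + integrity: verify under the sender's own key.
        expected = hmac.new(key, bu.signed_bytes(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bu.mac):
            return self._reject(bu, "bad MAC")
        # Replay protection: reject a sequence number already seen from this sender.
        if bu.seq <= self.last_seq.get(bu.sender, -1):
            return self._reject(bu, "replay")
        # Anchor authorization: stops redirection of another node's traffic.
        if bu.anchor not in ANCHOR_AUTHZ.get(bu.sender, set()):
            return self._reject(bu, "anchor not authorized (redirection attempt)")
        # Transient authorization: stops pointing the tunnel at a third party.
        if bu.transient not in TRANSIENT_AUTHZ.get(bu.sender, set()):
            return self._reject(bu, "transient not authorized (DDoS attempt)")
        self.last_seq[bu.sender] = bu.seq
        self.bindings[bu.anchor] = bu.transient
        self.log.append(f"ACCEPT {bu.sender}: {bu.anchor} :: {bu.transient}")
        return "accepted"

    def _reject(self, bu: BindingUpdate, reason: str) -> str:
        self.log.append(f"REJECT {bu.sender}: {bu.anchor} :: {bu.transient} ({reason})")
        return reason


def demo():
    """Runs the legitimate registration and the four misuse cases from the slides."""
    ma = MobilityAgent()
    results = []
    # Legitimate: A binds its anchor IPax to its transient IPa.
    results.append(ma.process(sign(BindingUpdate("A", "IPax", "IPa", 1), ENDPOINT_KEYS["A"])))
    # Replay of the same update.
    results.append(ma.process(sign(BindingUpdate("A", "IPax", "IPa", 1), ENDPOINT_KEYS["A"])))
    # Slide 23: B claims A's anchor IPax under B's own channel.
    results.append(ma.process(sign(BindingUpdate("B", "IPax", "IPb", 1), ENDPOINT_KEYS["B"])))
    # Slide 22: B forges an update in A's name without A's key.
    results.append(ma.process(sign(BindingUpdate("A", "IPax", "IPb", 2), ENDPOINT_KEYS["B"])))
    # Slide 24: B binds its own anchor IPbx to A's address as the transient.
    results.append(ma.process(sign(BindingUpdate("B", "IPbx", "IPa", 1), ENDPOINT_KEYS["B"])))
    return results, dict(ma.bindings)
```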

SLIDE 25

Entity Authorization

• Entity: Signaling endpoint
  – A and B are the "entities"
• Ensures IP mobility service for a given node only by authorized nodes
• Two parts to entity authorization
  – Is the entity part of the domain?
  – Is the MN actually at the entity?
• Particularly a concern in network-based mobility

[Diagram: MA (prefix X); entities A (IPa) and B (IPb); MN (IPx1). A registers IPx1 :: IPa while B registers IPx1 :: IPb. Labels: "Authzn: A IPx1, B IPx1", "State: IPx1 :: A".]

Without entity authorization, compromise of the entity leads to compromise of any mobility session in the domain!

SLIDE 26

Protection Against Non-Critical Asset Compromise

[Diagram: MNs attached through ARs to the MA.]

• Ensures service is not disrupted by non-signaling entities
• Mitigates domino effects
• Ensures service via uncompromised entities
  – Entities: AR, HMIP AR, MIP4 FA, NETLMM MAG, FMIP nAR

Compromise of one entity MUST NOT impact sessions traversing other entities!

SLIDE 27

Domino Effect Mitigation

• Keys MUST be scoped for a given purpose
  – Same key must not be used for different purposes
• Keys MUST be scoped to the signaling endpoints
  – No key sharing!
• Non-critical assets MUST NOT be key distributors or trust anchors!
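An added illustration of this slide's scoping rules (not from the slides themselves): a security infrastructure entity derives every key with HKDF (RFC 5869), binding it to one purpose and one pair of signaling endpoints, so a non-critical asset such as an AR only ever holds keys for its own sessions. The distributor, endpoint names and root secret are constructed.

```python
import hmac
import hashlib


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 HKDF-Extract with HMAC-SHA256
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 HKDF-Expand with HMAC-SHA256
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def scoped_key(root: bytes, purpose: str, endpoints: tuple) -> bytes:
    """Key bound to one purpose and one unordered pair of signaling endpoints.

    Both the purpose and the endpoint identities go into the HKDF info field,
    so a key for (network-access, MN/AR1) can never equal one for
    (mobility-signaling, MN/MA) or for (network-access, MN/AR2).
    """
    label = purpose.encode() + b"|" + "|".join(sorted(endpoints)).encode()
    return hkdf_expand(hkdf_extract(b"ip-mobility-kdf", root), label)


class KeyDistributor:
    """Security infrastructure entity (e.g. AAA server) located 'above' the recipients."""

    def __init__(self, root: bytes):
        self._root = root  # never leaves the distributor

    def provision(self, endpoint: str, grants: list) -> dict:
        # grants: (purpose, peer) pairs this endpoint is allowed to hold keys for
        return {
            (p, tuple(sorted((endpoint, peer)))): scoped_key(self._root, p, (endpoint, peer))
            for p, peer in grants
        }


def demo() -> dict:
    kd = KeyDistributor(b"constructed-root-secret")
    mn = kd.provision("MN", [("mobility-signaling", "MA"), ("network-access", "AR1"),
                             ("network-access", "AR2")])
    ma = kd.provision("MA", [("mobility-signaling", "MN")])
    ar1 = kd.provision("AR1", [("network-access", "MN")])
    ar2 = kd.provision("AR2", [("network-access", "MN")])
    k_mn_ma = ("mobility-signaling", ("MA", "MN"))
    k_mn_ar1 = ("network-access", ("AR1", "MN"))
    k_mn_ar2 = ("network-access", ("AR2", "MN"))
    return {
        "mn_ma_agree": mn[k_mn_ma] == ma[k_mn_ma],            # both ends derive the same key
        "purpose_separation": mn[k_mn_ma] != mn[k_mn_ar1],    # one key per purpose
        "ar1_holds_signaling_key": k_mn_ma in ar1,           # AR never sees the MN-MA key
        "ar1_ar2_differ": ar1[k_mn_ar1] != ar2[k_mn_ar2],     # AR1 compromise leaves AR2 intact
    }
```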

SLIDE 28

Protection for Unrelated Entities

• Ensures non-participants are unaffected by IP mobility sessions
• Allows routing and IP mobility to co-exist

IP mobility must not cause vulnerabilities to nodes not employing the protocol!

[Diagram: MA, MN and an unrelated node C.]

SLIDE 29

Takeaways

1. Channel security
2. IP address authorization
3. Entity authorization
4. Trust anchors should be security infrastructure entities
5. Key distributor must be located "above" the key recipient
6. Key scoping
7. No key sharing
8. Prevent domino effects
9. Analyze applicable threat and security models
10. Adhere to security model-specific guidelines

SLIDE 30

Backup Slides

SLIDE 31

Outline

• Introduction and Goals
• Defining IP Mobility
• IP Mobility Models
• Typical network architecture
• Assets
• Internet Threat Model – A Recap
• Routing and IP Mobility
• Security analysis of IP mobility protocols
• Security Requirements
• Security Models
  – AAA-based model
  – Role of EAP in IP mobility
  – Role of IPsec in IP mobility
  – CGA-based model

SLIDE 32

Security Models

• Various security models in use in different networks
• Security Model Considerations
  – Presence of infrastructure entity (e.g., AAA, PKI)
  – Need for infrastructure-less security (e.g., CGA, self-signed certs)
  – Use of existing security protocols (e.g., IPsec, IKEv2, EAP)
  – End-to-end vs. hop-by-hop security (e.g., TLS, IPsec)
• Popular security models
  – AAA-based authentication/authorization
  – Use of EAP for authentication
  – Use of IPsec for channel security and address authorization
  – Use of CGAs for infrastructure-less SA creation
• Threat analysis and security requirements conformance are vital

SLIDE 33

AAA-based Authentication/Authorization

• Why AAA?
  – Allows re-use of AAA-based credentials
  – Several managed networks use AAA
  – Authentication and authorization are AAA functions
• Authorization in AAA is different from IP address authorization
• What should AAA-based solutions conform to?
  – draft-housley-aaa-key-management (soon to be a BCP)

SLIDE 34

EAP in IP Mobility Protocol Security

• Why EAP?
  – EAP-based network-access authentication is popular
  – Re-use protocol supported by the MN and infrastructure
• Trends in using EAP
  – Minimize the number of authentications, given the same credentials and the same server
  – Leveraging keys produced by one run of EAP for other purposes
  – Limiting re-use to protocol and performing another EAP run for IP mobility protocol security
• So, what usages of EAP for IP mobility protocol security are appropriate?

SLIDE 35

EAP Usage Guidelines

• Distinguish network access from IP mobility
  – One occurs *prior* to obtaining IP access; the other occurs after
• Use of EAP in IKEv2 for authentication is allowed and recommended
• Follow EAP guidelines on key usages
  – EAP MSK is provided to the authenticator for network access control
  – Usage of MSK for other purposes gets into bad cryptographic practices
  – Usage of MSK involves the NAS in IP mobility protocol security
• Use of EMSK-based keys for IP mobility protocol security is yet to be evaluated
  – General concerns on layer violations
  – Efforts underway to make the EMSK hierarchy generic to ensure future usage
  – No consensus yet on whether this is good or bad

SLIDE 36

IPsec in IP Mobility Protocol Security

• IPsec typically provides channel security
• Tying IP address authorization to IPsec
  – Assign IP address using IKEv2 and tie the IPsec SA to it
  – Limited flexibility in address assignment
• IPsec with Dynamic Keying
  – Use of IKEv2 is a recommended approach
• IPsec with Manual Keying
  – Cumbersome
  – No replay protection
  – Address authorization needs static address provisioning
• The necessary security properties are realizable using IPsec and IKEv2
• Limitations of IKEv2 and IPsec
  – Frequent signaling endpoint changes (e.g., FMIP) need new IKE_SAs
  – IKEv2 exchanges add undesirable overhead

SLIDE 37

CGA in IP Mobility Protocol Security

• Allows infrastructure-less operation
  – Useful in networks that care less about access control and more about address authorization
• Considerations in using CGAs
  – Differentiate between CGAs and SeND
    – SeND uses CGAs
  – CGAs provide the infrastructure-less security
    – CGAs do not mean AR involvement
  – Consider use of CGAs in IKEv2 to re-use IPsec
    – Currently undocumented
  – Consider if use of self-signed certificates will work
    – Currently documented for IKEv2
  – Evaluate if use of CGAs satisfies all security requirements
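Since this slide presents CGAs as the infrastructure-less way to authorize an address, here is an added Python implementation of CGA generation and verification following RFC 3972 (not code from the slides or from SeND): the address's interface identifier is a hash of the owner's public key, so anyone holding the CGA parameters can check that a registered address belongs to that key without a PKI or AAA server. The subnet prefix is a constructed placeholder, and the DER-encoded SubjectPublicKeyInfo that RFC 3972 hashes is represented by an opaque constructed byte string.

```python
import hashlib
import os


def _hash1(modifier: bytes, prefix: bytes, count: int, pubkey: bytes) -> bytes:
    # RFC 3972 Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | public key)
    return hashlib.sha1(modifier + prefix + bytes([count]) + pubkey).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # RFC 3972 Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _leading_zero_bits(data: bytes, n: int) -> bool:
    """True if the leftmost n bits of data are all zero."""
    return n == 0 or int.from_bytes(data, "big") >> (len(data) * 8 - n) == 0


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, modifier: bytes = None):
    """Returns (16-byte address, CGA parameters) for the given 64-bit prefix and key.

    The Sec parameter (0..7) demands 16*Sec leading zero bits in Hash2, which
    raises the cost of finding a second key that hashes to the same address.
    """
    assert len(prefix) == 8 and 0 <= sec <= 7
    modifier = modifier or os.urandom(16)
    # Search for a modifier meeting the Hash2 condition (immediate when sec == 0).
    while not _leading_zero_bits(_hash2(modifier, pubkey), 16 * sec):
        modifier = (int.from_bytes(modifier, "big") + 1).to_bytes(16, "big")
    count = 0  # collision count; a real host would retry with 1 or 2 on DAD failure
    iid = bytearray(_hash1(modifier, prefix, count, pubkey))
    # Bits 0-2 of the interface ID carry Sec; bits 6 and 7 ("u"/"g") are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    params = {"modifier": modifier, "prefix": prefix, "count": count, "pubkey": pubkey}
    return prefix + bytes(iid), params


def verify_cga(address: bytes, params: dict) -> bool:
    """Checks that address was generated from params per RFC 3972 section 5."""
    if params["count"] > 2 or address[:8] != params["prefix"]:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    h1 = bytearray(_hash1(params["modifier"], params["prefix"], params["count"], params["pubkey"]))
    h1[0] = (sec << 5) | (h1[0] & 0x1C)  # compare ignoring Sec and u/g bits
    if bytes(h1) != iid:
        return False
    return _leading_zero_bits(_hash2(params["modifier"], params["pubkey"]), 16 * sec)


def demo() -> dict:
    prefix = bytes.fromhex("20010db800000000")          # constructed prefix 2001:db8::/64
    pubkey = b"constructed-placeholder-spki-bytes"       # stands in for a DER public key
    addr0, p0 = generate_cga(prefix, pubkey, sec=0, modifier=bytes(16))
    addr1, p1 = generate_cga(prefix, pubkey, sec=1, modifier=bytes(16))
    forged = dict(p0, pubkey=b"some-other-key")           # another key claiming addr0
    return {
        "sec0_valid": verify_cga(addr0, p0),
        "sec1_valid": verify_cga(addr1, p1),
        "sec1_bits": addr1[8] >> 5,
        "ug_cleared": addr0[8] & 0x03,
        "forged_rejected": verify_cga(addr0, forged),
    }
```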