mobile ipv6 security
play

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center - PowerPoint PPT Presentation

Jun 13, 2023 •158 likes •669 views

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

  1. Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire d’Informatique de Paris 6

  2. Summary • IPv6 • Mobile IPv6 • Security and Mobile IPv6 • Protections by default 2. IPsec

  3. IPv6

  4. Differences With IPv4 Functional changes: • End-to-End communications • ARP replacement uses ICMPv6 Structural changes: • Fixed length header • Fragmentation at the source; no checksum 6. Extensions/options through header chaining

  5. The IPv6 Header

  6. Extensions

  7. Routing Header

  8. IPv6 Addresses • Hierarchical/geogra phical • 64 bits prefix • Interface ID dynamically generated

  9. Auto-configuration • Mechanism based on ICMPv6 • Steps: • Retrieval of the IPv6 prefix advertised by the access router (RS/RA: Router Solicitation/Advertisement) • Generation of an unique interface ID • Generation of the global address: concatenation of the prefix and the unique interface ID

  10. Mobile IPv6 RFC 3775

  11. Why ? • Use the same IPv6 address wherever you are located • Make changes of mediums transparent for transport layers • Keep connections alive while moving ➡ use a laptop/PDA the same way that you do with your cell-phone today

  12. Challenges • The routing is geographical, and the IP address have a double functionality: ✓ Identifier : identify the machine ✓ Locator: geographical position in the network • Architectural constraints: • Compatible with actual end nodes • Not modifying the actual routing system ➡ MIPv6 is only implemented in end points

  13. How ? • The protocol is integrated into the IPv6 stack • Separate identifier and locator functions using two IPv6 addresses: • HoA (Home Address) • CoA (Care of Address) • Three new entities: • Mobile Node , reachable at its HoA, not matter its CoA • Home Agent , binds the HoA and current CoA • Correspondent Node

  14. Behavior ? HoA: permanent address of the MN (identifier ) CoA: address of the MN in the visiting network (locator )

  15. In Details

  16. New Extensions • Allow packets to pass ingress filtering. IPv6 header always contains CoA, never HoA. • Maintain topological correctness • T ype 2 Routing Header • limited version of previously introduced T ype-0 Routing Header (but carries only a single address) • provides real destination address (HoA) of packets to MN • Home Address Option • provides real source address (HoA) of packets from MN

  18. T ype-2 Routing Header

  19. Home Address Option

  20. Triangular routing Provide an optimal routing

  21. Challenging Issues • Optimize MN/CN communications in a secure way • Ensure the relation between identifier and locator using the routing plane ✓ verify the MN is reachable at its HoA and CoA ➡ generate a key to sign the Binding Update sent to the CN

  22. Return Routability Procedure HoT: Home of Test CoT: Care of Test

  23. RRP in a nutshell • Goal: avoid triangular routing • Hypothesis: no trust relationship between MN/CN • Lack: provides no data integrity/confidentiality ➡ Efficiency/Security tradeoff

  24. Security & Mobile IPv6

  25. Possible T argets Protecting network infrastructure • Stateless behavior, Careful design ➡ Protecting communications between MN/HA (signaling and data) • IPsec ➡ Protecting direct communications between MN/CN (signaling and • data) Return Routability Procedure ➡ Signalisation MN <-> HA • 1. Tunnel MN<-> Signalisation MN <-> CN • 2. Trafic de données MN <-> CN Return Routability Procedure ➡

  26. Protecting the infrastructure

  27. Challenges and solutions • Advice: “Do no harm to the existing Internet” • Prevent spoofing • proof of HoA ownership • specific extensions: HAO and T ype-2 Routing Header • Prevent DoS • against infrastructure: “One message received, one sent” 4. against CN: stateless exchanges

  28. MN/CN Communications

  29. Return Routability Procedure • HoT/HoTI, CoT/CoTI and BU/BACK exchanges • CN : verify that the MN is able to receive/emit traffic with both its HoA and its CoA • MN : generate a key to sign BU emitted towards the CN • Possible problems (MiTM, eavesdropping) • attacker on the home network; • attacker on the foreign network; 5. attacker on both networks

  30. MN/HA Communications

  31. IPsec • Rationale for IPsec • Mandatory in IPv6 stacks • End-to-End communications • What must be protected • Signaling messages (i.e. BU et BACK) • Data traffic (i.e. MN/HA tunnel) • Return Routability Procedure (i.e. HoTI/HoT) ➡ Problems related to MIPv6/IPsec/IKE interactions

  32. Signaling traffic

  33. Basics BU BACK SA1 SA2 SA1: BU from HoA to HA@ => ESP in transport mode SA2: BACK from HA@ to HoA=> ESP in transport mode

  34. IPsec/MIPv6 Coordination • Binding Update: • Emission: IPsec protection, switch of CoA and HoA thanks to the HAO option • Reception : addresses switch before IPsec processing • Binding Acknowledgment: same kind of processing applied to T ype-2 Routing Header

  36. Bootstrapping • Setup of SA must be performed before sending BU/BACK • In Static Keying, no problem • In dynamic Keying, someone must direct IKE daemon to use CoA for negotiation of SA associated to the HoA. HoA is not already usable. • PF_KEY SADB_X_EXT_PACKET extension: • includes BU packet that triggered the negotiation • provides the CoA to IKE daemon

  37. Data traffic

  38. T unnel Mode SA Migration • Initially, SP/SA in tunnel mode use the MN’s HoA (CoA is not known at setup time). • An automatic update of SA tunnel’s endpoints is performed on MN/HA • MIPv6 stack emits a PF_KEY MIGRATE message when MN sends the BU, and when HA receives it • Message reception triggers: • SP/SA update by kernel • [ IKE daemon internal structures update ]

  40. IKE IKE Daemon Daemon Mobile Mobile 1. PF_KEY MIGRATE 4. SPD & SAD Update IPv6 IPv6 Userland PF_KEY Socket Kernel 2. SPD Update 3. SAD Update SPD SAD SPD SAD

  41. Conclusion

  42. Conclusion • Separation between identifier and locator is compatible with today’s Internet • End of “ perimetric security” ? • Built-in security mechanisms: IPsec and RRP

  43. Possible deployments Classic RRP Future ?! ?

  44. Future work • Leveraging IPsec protection to MN/MN traffic • New prerequisites: trust relationship between MN/MN (ex: PKI environment) 3. IKEv2 integration

  45. Demonstration

  46. 2001:db8:0:1::/64 CN Stream to HoA Soekris 1 2 3 4 5 Stream to HoA MN 2001:db8:0:ccc::/64

  47. 2001:db8:0:1::/64 CN Stream to HoA Soekris 1 2 3 4 5 Stream to HoA MN 2001:db8:0:ccc0::/64 IPsec

  48. 2001:db8:0:1::/64 2001:db8:0:ccc1::/64 CN Stream MN to HoA Stream to HoA Soekris 1 2 3 4 5 IPsec

  49. Questions ? Coffee ?

  50. NEMO Mobile Router A whole network moves.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Mobile IPv6 III IPv6 Global Summit Moscow Dr. Dimitrios Kalogeras dkalo@grnet.gr

Introduction to Mobile IPv6 III IPv6 Global Summit Moscow Dr. Dimitrios Kalogeras dkalo@grnet.gr

Introduction to Mobile IPv6 III IPv6 Global Summit Moscow Dr. Dimitrios Kalogeras dkalo@grnet.gr GRNET 1 Outline Introduction Relevant Features of IPv6 Major Differences between MIPv4 and MIPv6 Mobile IPv6 Operation Home

752 views • 35 slides
IPv6 Practices on China Mobile IP Bearer Network

IPv6 Practices on China Mobile IP Bearer Network

IPv6 Practices on China Mobile IP Bearer Network draft-chen-v6ops-ipv6-bearer-network-trials-00.txt IETF 81-Quebec, July 2011 G. Chen, T. Yang, L. Li and H. Deng Background China Mobile IPv6 trial program started over 3 years ago This

399 views • 8 slides
Early Binding Updates for Mobile IPv6 Early Binding Updates for Mobile IPv6 Christian Vogt,

Early Binding Updates for Mobile IPv6 Early Binding Updates for Mobile IPv6 Christian Vogt,

Early Binding Updates for Mobile IPv6 Early Binding Updates for Mobile IPv6 Christian Vogt, chvogt@tm.uka.de Roland Bless, bless@tm.uka.de Mark Doll, doll@tm.uka.de Tobias Kfner, kuefner@tm.uka.de IEEE Wireless and Communications and Networking

575 views • 35 slides
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
Mobile Networks Considerations for IPv6 Deployment

Mobile Networks Considerations for IPv6 Deployment

Mobile Networks Considerations for IPv6 Deployment http://tools.ietf.org/html/draft-koodli-ipv6-in-mobile-networks-01 v6ops Working Group Rajeev Koodli Internet-Draft

427 views • 15 slides
IPv6 Changes in Mobile IPv6 from Connectathon David B. Johnson The Monarch Project Carnegie

IPv6 Changes in Mobile IPv6 from Connectathon David B. Johnson The Monarch Project Carnegie

IPv6 Changes in Mobile IPv6 from Connectathon David B. Johnson The Monarch Project Carnegie Mellon University http://www.monarch.cs.cmu.edu/ dbj@cs.cmu.edu 47th IETF, Adelaide, Australia March 2631, 2000 Overview of Recent Changes I

94 views • 8 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG &amp; IPv6 IPv6 security &amp; threats IPv6 protocol attacks Issues for site network &amp; security teams Issues for sys admins

501 views • 34 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Vincent van der Eijk &amp;&amp; Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk &amp;&amp; Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk &amp;&amp; Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
IPv6 at Yahoo IPv6 at Yahoo: growth, disparity Large content network: we see traffic from eyeball

IPv6 at Yahoo IPv6 at Yahoo: growth, disparity Large content network: we see traffic from eyeball

IPv6 at Yahoo IPv6 at Yahoo: growth, disparity Large content network: we see traffic from eyeball networks Two main datasets I watch: HTTP logging Mobile data reporting to Splunk IPv6 at Yahoo: growth, disparity Countries: Mobile:

259 views • 4 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Versatile IPv6 Mobility Deployment with Dual Stack Mobile IPv6 Romain KUNTZ (LSIIT, Strasbourg,

Versatile IPv6 Mobility Deployment with Dual Stack Mobile IPv6 Romain KUNTZ (LSIIT, Strasbourg,

Versatile IPv6 Mobility Deployment with Dual Stack Mobile IPv6 Romain KUNTZ (LSIIT, Strasbourg, France) - kuntz@lsiit.u-strasbg.fr Jean LORCHAT (IIJ, Japan) - jean@iij.ad.jp 2008/08/22 - MobiArch IPv6 and Mobility In a nutshell Goal : moving

309 views • 15 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
COAs Integrated Behavioral Health &amp; Primary Care Supplement Melissa Dury, LCSW Associate

COAs Integrated Behavioral Health &amp; Primary Care Supplement Melissa Dury, LCSW Associate

COAs Integrated Behavioral Health &amp; Primary Care Supplement Melissa Dury, LCSW Associate Director of Standards Development Council on Accreditation Agenda 2 1 INT Overview Q &amp; A 2 1 INT Overview 3 INT Overview 4 INT Overview

587 views • 15 slides
4. Convex Sets and (Quasi-)Concave Functions Daisuke Oyama Mathematics II April 17, 2020 Convex

4. Convex Sets and (Quasi-)Concave Functions Daisuke Oyama Mathematics II April 17, 2020 Convex

4. Convex Sets and (Quasi-)Concave Functions Daisuke Oyama Mathematics II April 17, 2020 Convex Sets Definition 4.1 A R N is convex if (1 ) x + x A whenever x, x A and [0 , 1] . A R N is strictly

442 views • 40 slides
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France Security Models,

396 views • 20 slides
Wireless Networks: Network Protocols/Mobile IP Mo$va$on

Wireless Networks: Network Protocols/Mobile IP Mo$va$on

Wireless Networks: Network Protocols/Mobile IP Mo$va$on Problems Data transfer DHCP Encapsula$on Security IPv6 Adapted from J. Schiller,

441 views • 29 slides
Kernel Learning with a Million Kernels Ashesh Jain SVN Vishwanathan IIT Delhi Purdue

Kernel Learning with a Million Kernels Ashesh Jain SVN Vishwanathan IIT Delhi Purdue

Kernel Learning with a Million Kernels Ashesh Jain SVN Vishwanathan IIT Delhi Purdue University Manik Varma Microsoft Research India Kernel Learning The objective in kernel learning is to jointly learn both SVM and kernel parameters

1.34k views • 38 slides
DETERMINATION OF NEED FAFSA &amp; CSS Profile Expected Family Contribution (EFC)

DETERMINATION OF NEED FAFSA &amp; CSS Profile Expected Family Contribution (EFC)

AMEDF Scholars Methodology: FINANCIAL AID FOR COLLEGE Scholars Methodology: A Review Complete Guide to College Funding with Session 2 One on One Conference FINANCIAL AID FOR COLLEGE Career &amp; Majors and CB Big Future 2019 20

163 views • 4 slides
UAV Presentation Bill Timmins GIS Services UAV copters can provide for a variety of sensors for

UAV Presentation Bill Timmins GIS Services UAV copters can provide for a variety of sensors for

UAV Presentation Bill Timmins GIS Services UAV copters can provide for a variety of sensors for solution requirements. Flight time depends on payload weight, temperature and alititude . UAV Unmanned Aerial Vehicles It is an aircraft

686 views • 22 slides
COAPS API A Generic Cloud Application Provisioning and Management API Why COAPS ? PaaS 1 Cloud

COAPS API A Generic Cloud Application Provisioning and Management API Why COAPS ? PaaS 1 Cloud

COAPS API A Generic Cloud Application Provisioning and Management API Why COAPS ? PaaS 1 Cloud consumer COAPS Needed Platform resources PaaS 2 Whats COAPS ? PaaS-independent approach for the provisioning and management of

339 views • 9 slides

More recommend