Mobile IP Entities
Mobile Node (MN):
The entity that may change its point of attachment from network to network in the Internet
Assigned a permanent IP address, called its home address, to which other hosts send packets regardless of the MN's location
Since this IP address doesn't change, it can be used by long-lived applications as the MN's location changes
Home Agent (HA):
A router with additional functionality
Located on the home network of the MN
Does mobility binding of the MN's IP address with its COA
Forwards packets to the appropriate network when the MN is away
Foreign Agent (FA):
Another router with enhanced functionality
If the MN is away from the HA, it uses an FA to send/receive data to/from the HA
Advertises itself periodically
Forwards the MN's registration request
Decapsulates messages for delivery to the MN
Care-of Address (COA):
Address which identifies the MN's current location
Sent by the FA to the HA when the MN attaches
Usually the IP address of the FA
Correspondent Node (CN):
End host to which the MN is corresponding (e.g. a web server)
Agent Discovery
HAs and FAs broadcast their presence on each network to which they are attached
MNs listen for advertisements and then initiate registration
When the MN is away, it registers its COA with its HA
Registration
Registration control messages are sent via UDP to a well-known port
Mobile IP Operation
A MN listens for agent advertisements and then initiates registration
If the responding agent is the HA, then Mobile IP is not necessary
After receiving the registration request from a MN, the HA acknowledges it and registration is complete
Registration happens as often as the MN changes networks
The HA intercepts all packets destined for the MN
This is simple unless the sending application is on or near the same network as the MN
The HA masquerades as the MN
There is a specific lifetime for service before a MN must re-register
There is also a de-registration process with the HA if a MN returns home
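The operation above, as an added example that is not part of the original slides: a toy home agent that keeps mobility bindings with a lifetime, tunnels intercepted packets to the care-of address using IP-in-IP encapsulation (an outer IPv4 header with protocol 4, as in RFC 2003), treats an expired binding as "MN must re-register", and drops the binding on de-registration (lifetime 0) when the MN returns home. All addresses, the sample correspondent-node packet and the timestamps are constructed for the demo.

```python
"""Added example (not from the original slides): home-agent binding table,
IP-in-IP tunneling of intercepted packets and de-registration handling."""
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP-in-IP, the default Mobile IP tunneling encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(header):
    """Ones'-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    # Checksum field sits at bytes 10-11 of the header.
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) after verifying the header checksum."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.IPv4Address(fields[8])), str(ipaddress.IPv4Address(fields[9])),
            fields[6], packet[20:fields[2]])


class HomeAgent:
    def __init__(self, address, home_prefix):
        self.address = address
        self.home_network = ipaddress.ip_network(home_prefix)
        self.bindings = {}  # home address -> (care-of address, expiry time)

    def register(self, home, coa, lifetime, now):
        """Install a mobility binding with a lifetime; lifetime 0 is de-registration (MN is home)."""
        if ipaddress.ip_address(home) not in self.home_network:
            raise ValueError("not one of this agent's mobile nodes")
        if lifetime == 0:
            self.bindings.pop(home, None)
        else:
            self.bindings[home] = (coa, now + lifetime)

    def current_coa(self, home, now):
        """Care-of address while the binding is fresh; an expired binding is dropped,
        so the MN must re-register before it receives traffic again."""
        binding = self.bindings.get(home)
        if binding is None:
            return None
        coa, expiry = binding
        if now >= expiry:
            del self.bindings[home]
            return None
        return coa

    def handle(self, packet, now):
        """Called when the HA, masquerading as the MN on the home link, intercepts a packet.
        Returns ("home", packet) if the MN is at home, else ("tunnel", encapsulated packet)."""
        _, dst, _, _ = parse_ipv4(packet)
        coa = self.current_coa(dst, now)
        if coa is None:
            return ("home", packet)
        return ("tunnel", build_ipv4(self.address, coa, IPPROTO_IPIP, packet))


def decapsulate(tunneled):
    """Foreign-agent side: strip the outer header and hand back the original packet."""
    _, _, proto, inner = parse_ipv4(tunneled)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return inner


def demo():
    # Constructed addresses: HA on 10.0.0.1, MN home address 10.0.0.5, FA care-of 192.0.2.20.
    ha = HomeAgent("10.0.0.1", "10.0.0.0/24")
    mn_home, fa_coa = "10.0.0.5", "192.0.2.20"
    from_cn = build_ipv4("203.0.113.7", mn_home, IPPROTO_UDP, b"hello MN")  # constructed CN packet
    ha.register(mn_home, fa_coa, lifetime=300, now=1000)
    action, tunneled = ha.handle(from_cn, now=1100)
    outer = parse_ipv4(tunneled)                       # outer header: HA -> COA, protocol 4
    delivered = decapsulate(tunneled)                  # FA recovers the CN's packet unchanged
    expired_action, _ = ha.handle(from_cn, now=1400)   # lifetime ran out without re-registration
    ha.register(mn_home, fa_coa, 300, 1400)
    ha.register(mn_home, fa_coa, 0, 1401)              # de-registration: MN returned home
    home_action, _ = ha.handle(from_cn, now=1402)
    return action, outer[:3], delivered == from_cn, expired_action, home_action


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `("tunnel", ("10.0.0.1", "192.0.2.20", 4), True, "home", "home")`: the first packet is tunneled from the HA to the FA's care-of address and recovered intact, the packet after the lifetime expires is delivered on the home link instead, and so is the one after de-registration.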
Registration Process
Each router performs both home agent and foreign agent functionality:
Mobile IP Summary
Allows node mobility across media of similar or dissimilar types
Uses the Mobile Node's permanent home address when it changes its point of attachment to the Internet
Does not require any hardware or software upgrades to the existing, installed base of IPv4 hosts and routers other than those nodes specifically involved in the provision of mobility services
The Mobile Node must provide strong authentication when it informs its Home Agent of its current location
Uses tunneling to deliver packets that are destined to the Mobile Node's home address
3 main entities: Mobile Nodes, Foreign Agents and Home Agents
3 basic functions: Agent Discovery, Registration, Packet Routing
Security Issues:
Insider Attack
Mobile Node Denial-of-Service
Replay Attacks
Theft of Information: Passive Eavesdropping
Theft of Information: Session-Stealing (Takeover) Attack
Tunnel Spoofing
Insider Attacks
Usually involve a disgruntled employee gaining access to sensitive data and then forwarding it to a competitor
Enforce strict control over who can access what data
Use strong authentication of users and computers
Encrypt all data transfer on an end-to-end basis between the ultimate source and ultimate destination machines to prevent eavesdropping
Denial-of-Service Attack
An Attacker sends a tremendous number of packets to a host (e.g., a Web server) that brings the host CPU to its knees. In the meantime, no useful information can be exchanged with the host while it is processing all of the nuisance packets
An Attacker somehow interferes with the packets that are flowing between two nodes on the network. Generally speaking, the Attacker must be on the path between the two nodes in order to wreak any such havoc
An Attacker generates a bogus Registration Request specifying his own IP address as the care-of address for a mobile node. All packets sent by correspondent nodes would then be tunneled by the node's home agent to the Attacker:
Note: In the case of mobility an Attacker could attack from anywhere in the network; it does not have to be on the path.
Solution: require cryptographically strong authentication in all registration messages exchanged by a mobile node and its home agent. Mobile IP by default supports the MD5 Message-Digest Algorithm (RFC 1321), which provides secret-key authentication and integrity checking
Replay Attacks
An Attacker could obtain a copy of a valid Registration Request, store it, and then replay it at a later time, thereby registering a bogus care-of address for the mobile node
To prevent that, the Identification field is generated in such a way as to allow the home agent to determine what the next value should be
In this way the Attacker is thwarted, because the Identification field in his stored Registration Request will be recognized as being out of date by the home agent (timestamps or random numbers are used for the Identification field)
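The two defenses just described (authentication of registration messages against the bogus-care-of-address attack, and the Identification field against replay), as one added example that is not part of the original slides: a toy home agent checks a Registration Request carrying a Mobile-Home Authentication Extension, using the RFC 2002 default of keyed MD5 in "prefix+suffix" mode over the request plus the extension's type, length and SPI, and then checks a timestamp-format Identification field. The shared secret, SPI, addresses, the 7-second clock tolerance and the attacker scenario are all constructed for the demo; the reply codes 131 and 133 are the RFC 2002 values. Note that later revisions (RFC 3344) replaced this keyed-MD5 construction with HMAC-MD5; the example models the form the slides mention.

```python
"""Added example (not from the original slides): home-agent verification of a
Registration Request's authentication extension and Identification field."""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST = 1                 # Registration Request message type
MH_AUTH_EXT = 32                # Mobile-Home Authentication Extension type
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01

# Registration Reply codes (RFC 2002, section 3.4)
OK = 0
FAILED_AUTH = 131               # mobile node failed authentication
ID_MISMATCH = 133               # registration Identification mismatch


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def ntp_identification(unix_seconds, fraction=0):
    """64-bit Identification in NTP timestamp format: seconds since 1900 << 32 | fraction."""
    return ((int(unix_seconds) + NTP_EPOCH_OFFSET) << 32) | (fraction & 0xFFFFFFFF)


def build_request(home, home_agent, coa, lifetime, identification, spi, secret):
    """Registration Request (24 bytes) followed by the Mobile-Home Authentication Extension.
    Authenticator = MD5(secret || request || ext type, length, SPI || secret)."""
    request = struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime,
                          ip4(home), ip4(home_agent), ip4(coa), identification)
    ext_header = struct.pack("!BBI", MH_AUTH_EXT, 4 + 16, spi)
    digest = hashlib.md5(secret + request + ext_header + secret).digest()
    return request + ext_header + digest


class HomeAgent:
    def __init__(self, replay_window=7):
        self.secrets = {}       # (home address, SPI) -> shared secret (mobility security association)
        self.last_id = {}       # home address -> last accepted Identification
        self.bindings = {}      # home address -> care-of address
        self.replay_window = replay_window  # assumed clock-skew tolerance in seconds

    def add_security_association(self, home, spi, secret):
        self.secrets[(home, spi)] = secret

    def process_request(self, msg, now):
        """Return a Registration Reply code; a binding is installed only if every check passes."""
        request, ext_header, received_digest = msg[:24], msg[24:30], msg[30:46]
        _, _, _, home_raw, _, coa_raw, identification = struct.unpack("!BBH4s4s4sQ", request)
        _, _, spi = struct.unpack("!BBI", ext_header)
        home = str(ipaddress.IPv4Address(home_raw))
        coa = str(ipaddress.IPv4Address(coa_raw))

        # 1. Authentication: without the shared secret an attacker cannot produce a valid
        #    authenticator, so a bogus Registration Request naming his own care-of address fails.
        secret = self.secrets.get((home, spi))
        if secret is None:
            return FAILED_AUTH
        expected = hashlib.md5(secret + request + ext_header + secret).digest()
        if not hmac.compare_digest(expected, received_digest):
            return FAILED_AUTH

        # 2. Replay protection: the timestamp must be close to the HA's clock and newer than
        #    the last accepted Identification, so a stored copy of an old request is out of date.
        sent_at = (identification >> 32) - NTP_EPOCH_OFFSET
        if abs(sent_at - now) > self.replay_window:
            return ID_MISMATCH
        if identification <= self.last_id.get(home, 0):
            return ID_MISMATCH

        self.last_id[home] = identification
        self.bindings[home] = coa
        return OK


def demo():
    secret = b"constructed-shared-secret"      # constructed for the demo
    ha = HomeAgent()
    ha.add_security_association("10.0.0.5", 256, secret)
    t0 = 1_700_000_000
    legit = build_request("10.0.0.5", "10.0.0.1", "192.0.2.20", 300,
                          ntp_identification(t0), 256, secret)
    # Bogus request naming the attacker's address as care-of address, signed with a guessed key.
    bogus = build_request("10.0.0.5", "10.0.0.1", "198.51.100.9", 300,
                          ntp_identification(t0 + 1), 256, b"wrong-key")
    return (ha.process_request(legit, now=t0),        # 0: accepted, binding installed
            ha.process_request(bogus, now=t0 + 1),    # 131: fails authentication
            ha.process_request(legit, now=t0 + 2),    # 133: replayed copy, Identification not newer
            ha.process_request(legit, now=t0 + 60),   # 133: replayed copy, also stale
            ha.bindings["10.0.0.5"])                  # the legitimate COA is still in place


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(0, 131, 133, 133, "192.0.2.20")`: the genuine request is accepted once, the forged one fails authentication, and both replays of the captured genuine request are rejected as Identification mismatches, so the mobile node's binding is never redirected.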
Passive Eavesdropping
A passive eavesdropping attack happens when an attacker starts listening to the traffic that is transferred between the mobile device and its home agent.
Use of Link-Layer Encryption
Use of End-to-End Encryption (SSH, SSL)
Session-Stealing (Takeover) Attack
The Attacker waits for a mobile node to register with its home agent
The Attacker eavesdrops to see if the mobile node has any interesting conversation taking place (remote login session to another host, connection to the electronic mailbox)
The Attacker floods the mobile node with nuisance packets
The Attacker steals the session by sending packets that appear to have come from the mobile node and by intercepting packets destined to the mobile node
Session-Stealing Prevention
Minimally, link-layer encryption between the mobile node and the foreign agent (against session-stealing on the foreign link)
Preferably, end-to-end encryption between the mobile node and its correspondent node (against session-stealing elsewhere)
Note: a good encryption scheme provides a method by which a decrypting node can determine whether the recovered plaintext is gibberish or whether it is legitimate (integrity checking)
Tunnel spoofing
The tunnel to the home network or foreign network may be used to hide malicious packets and get them to pass through the firewall. Mobile IP uses the Identification field and timestamps to protect registration from any such attacks.
The Attacker connects to a network jack, figures out the IP address to use, and tries to break into the other hosts on the network
He figures out the network prefix that has been assigned to the link to which the network jack is connected
The Attacker guesses a host number to use, which combined with the network prefix gives him an IP address to use on the current link
The Attacker proceeds to try to break into the hosts on the network by guessing user-name/password pairs
All publicly accessible network jacks must connect to a foreign agent that requires any node on the link to be registered (authenticated)
Remove all non-mobile nodes from the link and require all legitimate mobile nodes to use (minimally) link-layer encryption
THANK YOU!!!