
Trusted Connection between Mobile Nodes and Mobility Anchor Points in Hierarchical Mobile IPv6

Ying QIU (1), Jianying ZHOU (1), Kouichi SAKURAI (2), Feng BAO (1). 1: Institute for Infocomm Research, Singapore; 2: Kyushu University, Japan.


Presentation Transcript


  1. Trusted Connection between Mobile Nodes and Mobility Anchor Points in Hierarchical Mobile IPv6
  Ying QIU (1), Jianying ZHOU (1), Kouichi SAKURAI (2), Feng BAO (1)
  1: Institute for Infocomm Research, Singapore
  2: Kyushu University, Japan

  2. Outline
  • Motivation
  • Related work
  • Trusted Connection
  • Performance Analysis
  • Conclusion

  3. Motivation
  [Figure: HMIPv6 topology. HA and CN reach the MN through the MAP (RCoA); the MN moves from AR1 (LCoA1) to AR2 (LCoA2) within the MAP domain]
  • Reachability while the MN is moving
  • Continuity of on-going connections
  • BU messages to the HA and the CN inform them of the MN's new location (CoA)
  • Protect and authenticate the BU message against redirect attacks
  • Reduce the latency
  • Less overhead (no global PKI)

  4. Related Works (1)
  • Simply using the IKE protocol
    • use pure IKE to establish the security association (SA) between MN and MAP
  • Needs a global PKI
    • the sheer number of mobile devices
    • roaming mobile devices
    • mobile devices are more easily broken or lost
    • certificate revocation
  H. Soliman, C. Castelluccia, K. El Malki, "Hierarchical Mobile IPv6 Mobility Management (HMIPv6)", RFC 4140

  5. Related Works (2)
  • Reducing reauthentication based on credentials
    • credentials which the MN receives from an AP as proof of past honest behaviour, and which it presents when associating with a new AP
    • AP1, where the MN has been successfully authenticated or has paid for access, gives the MN a credential as proof of its verified honest behaviour
    • the MN presents this credential to AP2 when it arrives at the new access point AP2
    • a cryptographic mechanism is used to prove that it is indeed the same mobile node to which the credential was issued
    • a secret key is shared by all access points; it must be updated frequently and kept synchronised across all of them
    • managing and updating the periodic secret key needs huge overhead
  T. Aura and M. Roe, "Reducing Reauthentication Delay in Wireless Networks"

  6. Related Works (3)
  • Secure MAP discovery
    • Step 1: the MN sends a tentative LBU message to the MAP. If the binding is illegitimate or under attack, the lifetime of the tentative binding simply expires.
    • Step 2: the MN sends a global binding to the HA, and then receives the list of legitimate MAP addresses.
    • Step 3: the MN sends an LBU confirmation message to the MAP to extend the binding lifetime.
  • The connection between the MN and the MAP is set up before the two authenticate each other
  • The unauthenticated connection could last up to 5 seconds
  J. Choi and Y. Mun, "Mechanism of the Secure MAP Discovery in Hierarchical MIPv6"

  7. Trusted Connection (long term)
  [Figure: message flow among MN, MAP and HA. Long-term messages: COOKIE0, COOKIE1 and BU1 between MN and MAP; REQCert and REPCert between MAP and HA; BA1 from MAP to MN. Short-term messages for BU: BUi and BAi between MN and MAP]
  • COOKIE0 = {Src=LCoA, Des=MAP, Opt=HoA, C0}
  • COOKIE1 = {Src=MAP, Des=LCoA, Opt=HoA, C0, C1, N1}
  • BU1 = {Src=LCoA, Des=MAP, Opt=HoA, C0, C1, N1, N2, g^x, TS, SIG_MN, Cert_MN}
  • SIG_MN = Sig(SK_MN, LCoA|HoA|MAP|g^x|N1|N2|TS)
  • Cert_MN = {HoA, PK_MN, Valid_Interval, SIG_HA}
  • REQCert = {Src=MAP, Des=HoA, requestcert}
  • REPCert = {Src=HA, Des=MAP, OptionAdd=HoA, Cert_HA}
  • BA1 = {Src=MAP, Des=LCoA, Opt=HoA, RCoA, C0, C1, g^y, SIG_MAP, Cert_MAP}
  • SIG_MAP = Sig(SK_MAP, MAP|LCoA|HoA|RCoA|g^y|BU1)
  • Cert_MAP = {MAP, PK_MAP, Valid_Interval, SIG_CA}

  8. Trusted Connection (short term)
  [Figure: same message flow as slide 7; the short-term messages BUi and BAi are exchanged directly between MN and MAP]
  • BUi = {Src=new_LCoA, Des=MAP, Opt=HoA, old_LCoA, TS, SIGi_MN}
  • SIGi_MN = Sig(SK_MN, new_LCoA|MAP|HoA|old_LCoA|TS)
  • BAi = {Src=MAP, Des=new_LCoA, Opt=HoA, SIGi_MAP}
  • SIGi_MAP = Sig(SK_MAP, MAP|new_LCoA|HoA|BUi)
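The following Go program is an added example, not code from the paper or its authors, that walks through the MAP-side handling of both the long-term exchange (slide 7) and the short-term handover updates (slide 8). It shows the point the two slides make together: the MAP verifies the chain CA -> HA -> MN once, using Cert_HA obtained through REQCert/REPCert and the HA-issued Cert_MN, and thereafter checks each BUi against the cached PK_MN, the LCoA on record and a strictly advancing timestamp, so no per-handover certificate or PKI lookup is needed. Assumptions not in the slides: Ed25519 stands in for Sig/PK/SK (the slides fix no signature scheme); signed fields are '|'-joined text; Valid_Interval is reduced to one expiry timestamp; cookies, nonces and the Diffie-Hellman shares g^x/g^y are carried as opaque strings and the derivation of a shared key from them is omitted, as is the MN-side verification of BA1 and Cert_MAP; all addresses and timestamps are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// join renders the slides' a|b|c signature input; '|'-separated text is an assumed encoding.
func join(f ...string) []byte { return []byte(strings.Join(f, "|")) }
func itoa(v int64) string     { return strconv.FormatInt(v, 10) }

// Cert models Cert_MN = {HoA, PK_MN, Valid_Interval, SIG_HA} and likewise Cert_HA and Cert_MAP;
// Valid_Interval is reduced to a single expiry timestamp NotAfter (assumption).
type Cert struct{ Subject string; PK ed25519.PublicKey; NotAfter int64; Sig []byte }

func (c Cert) body() []byte { return join(c.Subject, hex.EncodeToString(c.PK), itoa(c.NotAfter)) }

func IssueCert(issuer ed25519.PrivateKey, subject string, pk ed25519.PublicKey, notAfter int64) Cert {
	c := Cert{Subject: subject, PK: pk, NotAfter: notAfter}
	c.Sig = ed25519.Sign(issuer, c.body())
	return c
}

func VerifyCert(issuerPK ed25519.PublicKey, c Cert, now int64) bool {
	return now <= c.NotAfter && ed25519.Verify(issuerPK, c.body(), c.Sig)
}

// BU1 is the long-term binding update. C0/C1 and N1/N2 (from the COOKIE0/COOKIE1 round trip) and
// the Diffie-Hellman share Gx are carried as opaque strings; Sig is SIG_MN and Cert is Cert_MN.
type BU1 struct{ LCoA, HoA, MAP, C0, C1, N1, N2, Gx string; TS int64; Sig []byte; Cert Cert }

// SIG_MN = Sig(SK_MN, LCoA|HoA|MAP|gx|N1|N2|TS)
func (b BU1) toSign() []byte { return join(b.LCoA, b.HoA, b.MAP, b.Gx, b.N1, b.N2, itoa(b.TS)) }

// BUi is the short-term update sent after a handover inside the MAP domain; Sig is SIGi_MN.
type BUi struct{ NewLCoA, MAP, HoA, OldLCoA string; TS int64; Sig []byte }

// SIGi_MN = Sig(SK_MN, new_LCoA|MAP|HoA|old_LCoA|TS)
func (b BUi) toSign() []byte { return join(b.NewLCoA, b.MAP, b.HoA, b.OldLCoA, itoa(b.TS)) }

// Binding is the MAP's per-HoA state; PK_MN is cached from Cert_MN, so a later BUi needs no PKI lookup.
type Binding struct{ LCoA, RCoA string; PK ed25519.PublicKey; LastTS int64 }

// MAP is the anchor point: its signing key, the CA key it trusts and its binding cache.
type MAP struct{ Addr string; SK ed25519.PrivateKey; CAPK ed25519.PublicKey; Bindings map[string]Binding }

// HandleBU1 verifies CA -> HA -> MN (Cert_HA obtained via REQCert/REPCert), then SIG_MN and
// the timestamp, installs the binding and returns SIG_MAP for BA1.
func (m *MAP) HandleBU1(b BU1, certHA Cert, rcoa, gy string, now, skew int64) ([]byte, bool) {
	if b.MAP != m.Addr || b.TS < now-skew || b.TS > now+skew ||
		!VerifyCert(m.CAPK, certHA, now) || !VerifyCert(certHA.PK, b.Cert, now) ||
		b.Cert.Subject != b.HoA || !ed25519.Verify(b.Cert.PK, b.toSign(), b.Sig) {
		return nil, false
	}
	m.Bindings[b.HoA] = Binding{LCoA: b.LCoA, RCoA: rcoa, PK: b.Cert.PK, LastTS: b.TS}
	// SIG_MAP = Sig(SK_MAP, MAP|LCoA|HoA|RCoA|gy|BU1), BU1 being represented by its signature bytes.
	return ed25519.Sign(m.SK, join(m.Addr, b.LCoA, b.HoA, rcoa, gy, hex.EncodeToString(b.Sig))), true
}

// HandleBUi accepts a handover only from the key bound to HoA, only if old_LCoA is the LCoA on
// record, and only if TS moves forward (which also rejects a replayed BUi).
func (m *MAP) HandleBUi(b BUi, now, skew int64) ([]byte, bool) {
	bd, known := m.Bindings[b.HoA]
	if !known || b.MAP != m.Addr || b.OldLCoA != bd.LCoA || b.TS <= bd.LastTS ||
		b.TS > now+skew || !ed25519.Verify(bd.PK, b.toSign(), b.Sig) {
		return nil, false
	}
	bd.LCoA, bd.LastTS = b.NewLCoA, b.TS
	m.Bindings[b.HoA] = bd
	// SIGi_MAP = Sig(SK_MAP, MAP|new_LCoA|HoA|BUi)
	return ed25519.Sign(m.SK, join(m.Addr, b.NewLCoA, b.HoA, hex.EncodeToString(b.Sig))), true
}

// Scenario runs the exchange on constructed addresses and reports whether BU1, a genuine BUi,
// a replay of that BUi, and a BUi signed with a key other than SK_MN were accepted.
func Scenario() (bu1OK, buiOK, replayOK, foreignOK bool) {
	caPK, caSK, _ := ed25519.GenerateKey(rand.Reader)
	haPK, haSK, _ := ed25519.GenerateKey(rand.Reader)
	_, mapSK, _ := ed25519.GenerateKey(rand.Reader)
	mnPK, mnSK, _ := ed25519.GenerateKey(rand.Reader)
	_, otherSK, _ := ed25519.GenerateKey(rand.Reader)
	now, skew := int64(1000000), int64(30)
	hoa, lcoa1, lcoa2 := "2001:db8:home::1", "2001:db8:ar1::1", "2001:db8:ar2::1" // constructed
	m := &MAP{Addr: "2001:db8:map::1", SK: mapSK, CAPK: caPK, Bindings: map[string]Binding{}}
	certHA := IssueCert(caSK, "2001:db8:ha::1", haPK, now+86400)
	bu1 := BU1{LCoA: lcoa1, HoA: hoa, MAP: m.Addr, C0: "c0", C1: "c1", N1: "n1", N2: "n2",
		Gx: "gx", TS: now, Cert: IssueCert(haSK, hoa, mnPK, now+3600)}
	bu1.Sig = ed25519.Sign(mnSK, bu1.toSign())
	_, bu1OK = m.HandleBU1(bu1, certHA, "2001:db8:map::rcoa", "gy", now, skew)
	bui := BUi{NewLCoA: lcoa2, MAP: m.Addr, HoA: hoa, OldLCoA: lcoa1, TS: now + 10}
	bui.Sig = ed25519.Sign(mnSK, bui.toSign())
	_, buiOK = m.HandleBUi(bui, now+10, skew)
	_, replayOK = m.HandleBUi(bui, now+15, skew)
	foreign := BUi{NewLCoA: "2001:db8:ar3::1", MAP: m.Addr, HoA: hoa, OldLCoA: lcoa2, TS: now + 20}
	foreign.Sig = ed25519.Sign(otherSK, foreign.toSign())
	_, foreignOK = m.HandleBUi(foreign, now+20, skew)
	return
}

func main() { fmt.Println(Scenario()) } // prints: true true false false
```

Two details of the check order matter in practice. The MAP ties each BUi to the old_LCoA it currently has on record, so a stale or replayed update is rejected even before its signature is examined, and the signature check uses only the PK_MN cached from Cert_MN, which is exactly why the per-handover path needs no certificate and no contact with the HA.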

  9. Performance
  • Total cost as a function of the average cell residence time (T) of the MN [plot not reproduced in the transcript]
  J. Choi and Y. Mun, "Mechanism of the Secure MAP Discovery in Hierarchical MIPv6"

  10. Performance (2)
  Certificate Revocation List (CRL):
  • RFC 4140 needs a global PKI for all mobile nodes
  • Assumption:
    • PKI with a population of 300000 clients
    • 365-day validity period of a certificate
    • 10 certificates validated per day by each client
    • 200 revocations per day
    • 200 revoked certificates expire per day
    • 321 Kbytes of each CRL entry
    • 12-hour CRL update interval
  • then a typical CRL scheme requires a peak bandwidth of 11.14 MB/sec, or 182.4 GB/day
  • Our proposal:
    • Only the home agent requires public certificates
    • The mobile node can just hold the private certificates issued by its home agent

  11. Conclusion
  • Proposed a solution for the trusted connection between mobile nodes and mobility anchor points
  • Authenticates mobile nodes without a global PKI
  • Offers a balance between stronger authentication and lower authentication delay, at lower cost

  12. Thanks
