240 likes | 363 Vues
Mobile IP Security. Team : “ WARRIORS ” Anand Modh Chaitanya Chelamkuri Kinshuk Bansal Kshitij Shah Pramod Ramesh. CMPE 209 SPRING 2008. AGENDA. Mobile IP & Concepts. Mobil IP Packet Flow. Threats. Security. Mobile IP & Concepts.
E N D
Mobile IP Security Team : “WARRIORS” Anand Modh Chaitanya Chelamkuri Kinshuk Bansal Kshitij Shah Pramod Ramesh CMPE 209 SPRING 2008
AGENDA • Mobile IP & Concepts. • Mobil IP Packet Flow. • Threats. • Security.
Mobile IP & Concepts • Mobile IP is a protocol, developed by the Mobile IP Internet Engineering Task Force (IETF) working group. • Mobile IP inform the network about the change in network attachment such that the Internet data packets will be delivered in a seamless way to the new point of attachment. • The basic Mobile IP protocol permits mobile internetworking to be done on the network layer. • Care-of Address is an address of a Foreign Agent with which the Mobile Node is registered.
Need of Mobile IP • Terminology • A home link is the link on which a specific node should be located; that is the link, which has been assigned the same network-prefix as the node’s IP address • A foreign linkis any link other than a node’s home link – that is, any link whose network-prefix differs from that of the node’s IP address
Introduction • There are 3 functional entities where it is implemented: • Mobile Node – a node which can change its point-of-attachment to the Internet from one link to another while maintaining any ongoing communications and using its (permanent) IP home address • Home Agent – router with an interface on the mobile node’s home link, which: • Is informed by the mobile node about its current location, represented by its care-of-address • In some cases, advertises reachability to the network-prefix of the mobile node’s home address, thereby attracting IP packets that are destined to the mobile node’s home address • Intercepts packets destined to the mobile nodes home address and tunnels them to the mobile node’s current location, i.e. to the care-of-address
Introduction • Foreign Agent – a router on a mobile node’s foreign link which: • Assists the mobile node in informing its home agent of its current care-of address • In some cases, provides a care-of address and de-tunnels packets for the mobile node that have been tunneled by its home agent • Serves as default router for packets generated by the mobile node while connected to this foreign link
HA MN INTERNET FA FA HA FA FAForeign Agent HAHome Agent MNMobile Node
HA accepts or denies FA relays request to HA FA relay status to MN MN requests service MN requests service MN MN MN MN HA FA FA HA FA
CN HA encapsulates and send it to MN “TUNNELING” HA encapsulates and send it to MN “TUNNELING” HA Now if packets come addressed for MN will move through the tunnel shown. FA FA HA FA MN
CNA MNHA … Src Dest 3 1 4 Original IP Packet: CNA MNHA … MNHA … CNA Src Dest Src Dest Mobile IP Packet Flow Tunneled Packet HAA FAA 4 or 55 CNA MNHA Src Dest Prot Src Dest 2 HA FA MN HAAHA address MNHA MN Home Address CNA CN Address FAA FA Address CN
What is Tunneling • A tunnelis a path followed by a fist packet while it is encapsulated within the payload portion of a second packet: Figure from J. D. Solomon. Mobile IP - The Internet Unplugged. Prentice-Hall, 1997
Threat 1 INSIDER ATTACKS • This threat is due to the individuals who are suppose to be trustworthy. • This attack is due to the disgruntled employee gaining access to the sensitive data and then forwarding it to a competitor. • A survey suggests that twice as many attacks are due to insiders on corporate world.
Security form Threat 1 • By enforcing strict controls on who can access what data. • Use of strong authentication of users and computers, eliminate plaintext username/password based etc . • Encrypting all data transfer on an end to end basis between the source and the destination using various encryption algorithms.
Attacker’s address Sayy.y.y.y ATTACKER Original Care of address Sayx.x.x.x MN HA FA Registration request: “The mobile node’s new care of address” is y.y.y.y
Threat 2 Denial-of-service • This threat prevents someone from getting useful work done by: • An attacker sends the tremendous number of packets to a host that brings the host’s CPU to its knees attempting to process all the packets. • An attacker interfaces with the packets that are flowing between two nodes. • In the case of mobile node, if an attacker send a request message to HA as his IP address as the care of address for a mobile node then: • Attacker will get a copy of packets. • Mobile will not get any packets.
Security from Threat 2 • The security to this threat is implemented by cryptographically strong authentication in all registration messages exchanged between mobile node and its home agent. • Mobile IP allows the use of any authentication algorithm, bit all should support default “Keyed MD5”(Message-Digest) algorithm.
Registration Request Fun(MD5) Message Digest Fun(MD5) Message Digest EQUAL ? MN HA
Threat 3 Passive Eavesdropping • This threat occurs when an attacks on someone else’s packets in order to learn the confidential information. • Wireless networks are more vulnerable because in this the attacker need not physically be connected to the network. Security from Threat 3 • Link- Layer Encryption. • End-to-End Encryption.
Areas of vulnerability CN Plaintext HA FA Link Encryption Link- Layer Encryption. • In this the mobile node and the foreign agent encrypt all packets they exchange over the link. • This technique is important when wireless LAN is in use. MN
End-to-End Encryption CN HA FA MN End-toEnd Encryption. • In this encryption and decryption is done at the ultimate source and destination. • Data is protected irrespective of the medium used.
Threat 4 Session-Stealing • In this an attacker waits for the legitimate node to authenticate itself and then takes over the session without realizing the mobile node about this. • The attacker steals the session by sourcing packets that appear to come from the mobile node and intercepting packets destined for mobile node. Security from Threat 3 • Link- Layer Encryption. • End-to-End Encryption.
Threat 5 Other Active Threats • In this the attacker tries to connect to the network jack, find out the IP address and break into the other hosts on the network. HOW? • Attacker figures out the network prefixes assigned to the link- by listening the mob IP agent advertisements,by listening the packets and examine the source and destination IP address. • Then guessing the host number, which along with the network prefix, give him the IP address to use. • Then tries to break into the hosts on the network.
Security from Threat 5 • All network jacks must connect to a foreign agent that has been configured to enforce the policy with the R bit in its agent authentication. • There must not be nay nodes whose sessions can be captured. • Remove non mobile nodes. • All nodes should use link encryption.
? ? ? ? ?