
Mobile IPv6 for Windows XP (.NET Server) and Windows CE 4.0






  1. Mobile IPv6 for Windows XP (.NET Server) and Windows CE 4.0 Greg O’Shea, MSRC. Joint with Lancaster University and Ericsson Research

  2. Contents • Background • Mobile IPv6 • Demo • Security

  3. Background

  4. The Internet • A network of networks • Machines have 32-bit addresses comprising: • Network Id: network of attachment • Host: unique within network • Machines hear traffic local to their network • Routers forward packets between networks • Machines send to remote net via router • DNS provides name to address lookup

  5. Why IPv6 • Initiative first started June 1992 • First draft published Jan 1996 • Initial response to concerns about IPv4 • Shortage of IPv4 32-bit addresses • Size of IPv4 routing tables • 128-bit address space • 64-bit network prefix (hierarchic structure to assist routing) • 64-bit Interface Id (~unique: e.g. derived from MAC address) • IPv6 addresses are cheap and easily acquired • Stateless address auto-configuration: router’s prefix plus IF-Id • Duplicate Address Detection (DAD) is integral to protocol
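The "router’s prefix plus IF-Id" step above, as an added example written for this page (not code from the presentation or from the Windows XP/CE stacks it describes): a 48-bit MAC is turned into the 64-bit Interface Id by the modified EUI-64 rule (split the MAC, insert FF FE, invert the universal/local bit), and that Id is appended to the /64 prefix learned from a Router Advertisement. The sample MAC and the 2001:db8::/32 prefix are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
)

// ModifiedEUI64 builds the 64-bit Interface Id from a 48-bit MAC the way
// stateless autoconfiguration does (RFC 4291, Appendix A): split the MAC,
// insert FF FE in the middle, and invert the universal/local bit (bit 1 of
// the first byte) so that a globally unique MAC yields a "universal" Id.
func ModifiedEUI64(mac net.HardwareAddr) ([8]byte, error) {
	var ifid [8]byte
	if len(mac) != 6 {
		return ifid, errors.New("expected a 48-bit MAC address")
	}
	copy(ifid[0:3], mac[0:3])
	ifid[3], ifid[4] = 0xff, 0xfe
	copy(ifid[5:8], mac[3:6])
	ifid[0] ^= 0x02 // flip the U/L bit
	return ifid, nil
}

// AutoconfAddress appends an Interface Id to the 64-bit prefix learned from a
// Router Advertisement; this is the address the host then runs DAD on.
func AutoconfAddress(prefix netip.Prefix, ifid [8]byte) (netip.Addr, error) {
	if !prefix.Addr().Is6() || prefix.Bits() != 64 {
		return netip.Addr{}, errors.New("need an IPv6 /64 prefix")
	}
	b := prefix.Masked().Addr().As16()
	copy(b[8:], ifid[:])
	return netip.AddrFrom16(b), nil
}

func main() {
	// Constructed sample MAC and the 2001:db8::/32 documentation prefix.
	mac, err := net.ParseMAC("00:0c:29:3b:5a:1e")
	if err != nil {
		panic(err)
	}
	ifid, err := ModifiedEUI64(mac)
	if err != nil {
		panic(err)
	}
	addr, err := AutoconfAddress(netip.MustParsePrefix("2001:db8:1:2::/64"), ifid)
	if err != nil {
		panic(err)
	}
	fmt.Printf("MAC %s -> IF-Id %x -> %s\n", mac, ifid, addr)
}
```

The "~unique" on the slide is also the weak spot of this derivation: a MAC-derived Interface Id stays the same on every network the node visits, so it lets a mobile be tracked across moves. RFC 4941 temporary addresses and the cryptographically generated addresses later in this talk replace the MAC with something the node chooses.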

  6. MIPv6 Status • 1 – still no RFC, IETF draft 15 • awaiting consensus on security (~8 proposals) • 2 – IPv6 in XP-Pro (obscured) & .NET Server • 3 – MIPv6 for Win2000 (based on MSR NT4 stack) • Free download for research (src & bin) • 4 – Mobile extensions to .NET Server stack • Lancaster LandMARC project • 5 – (M)IPv6 code to CE4.0 Core OS group • Lancaster LandMARC project • 6 – Proposed security protocol to IETF • Joint with Ericsson Research

  7. Mobile IPv6

  8. Moving Between Networks Today

  9. Reason why • Traditional IP address = (network + host-id) is bound to a specific network • Connections break if a node moves between nets • Problem for mobile, wireless computers (future)

  10. Solution: Mobile IPv6 • MIPv6 mobile node (MN) uses two addresses • Home Address (HoA): well known / used by apps • Care-of Address (CoA): forwarding address • IPv6 addresses: cheap and plentiful • Network connections survive movement • Mobile machines may use multiple link types • Transparent support for any IPv6-enabled app • NB: does not provide for IPv4 connections

  11. Mobile on home net; correspondent elsewhere on the internet

  12. Packets arrive on home net (normal)

  13. Mobile node moves to foreign net

  14. Mobile tells Home Agent its location

  15. Packets still arrive on home net

  16. Home agent forwards onto mobile

  17. Tell correspondent the current net

  18. So home agent can be bypassed

  19. Demo

  20. Demo : Logical network

  21. Demo : Home Agent in router

  22. Demo : Correspondent in router

  23. Demo : one router suffices

  24. Demo : small enough to carry

  25. MIPv6 on CE4.0+ WebPad

  26. MIPv6 on Outlook (pre-release)

  27. Security

  28. Attacks that exploit MIPv6 • Spoofed Binding Update: attacker knows or guesses the address to attack • Secrecy and integrity: attacker redirects packet flows via itself • Break packet flows (DoS): redirect the flow into a black hole • Amplification attack: send a packet to X asking X to send many packets to Y • “dump your 100GB disk to this UDP port”

  29. IETF draft (13): use IPsec • Draft 13 mandates IPsec AH on Binding Updates • Works, but too hard to configure and test • Doesn’t scale with manual key distribution • Doesn’t validate the care-of address • Helps if the administrator has: • network monitors attached • kernel debugger(s) installed on all machines • source code for the IPv6 stack • a program for configuring the program for configuring IPsec

  30. Elements of our protocol • Cryptographically Generated Addresses • Establish “ownership” of a Home Address • Return routability tests for CoA and HoA • A sort of cookie exchange (low cost) • Test the addresses we are given by a MN • Does a packet sent to CoA get correct response? • Is MN reachable on HoA via its Home Agent? • Precursor to any expensive public-key operations
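The return-routability test on this slide, as an added example written for this page (not the authors’ protocol text or any code from the Windows/CE stacks): the correspondent sends one cookie to the claimed care-of address and one to the claimed home address (the latter arrives via the Home Agent), keeps no per-mobile state, and accepts a Binding Update only from a node that can combine both cookies. The slide says only "a sort of cookie exchange"; the HMAC-based stateless cookies, the nonce table, the 64-bit cookie and 96-bit MAC lengths, the message names and all addresses are this example’s assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"net/netip"
)

const labelHome, labelCareOf byte = 0, 1

// Correspondent keeps a secret Kcn and a small nonce table, nothing per
// mobile: every cookie can be recomputed when the Binding Update arrives.
type Correspondent struct {
	kcn    []byte
	nonces map[uint16][]byte
}
func NewCorrespondent() *Correspondent {
	c := &Correspondent{kcn: make([]byte, 32), nonces: map[uint16][]byte{}}
	rand.Read(c.kcn)
	c.nonces[1] = make([]byte, 16)
	rand.Read(c.nonces[1])
	return c
}

// keygenToken is the cookie for one claimed address. It is sent to that
// address, so only a node that really receives packets there learns it.
func (c *Correspondent) keygenToken(addr netip.Addr, nonceIdx uint16, label byte) []byte {
	m := hmac.New(sha256.New, c.kcn)
	a := addr.As16()
	m.Write(a[:])
	m.Write(c.nonces[nonceIdx])
	m.Write([]byte{label})
	return m.Sum(nil)[:8]
}

// TestReply answers a Home/Care-of Test Init: the cookie goes to the claimed
// address (for the home test, via the Home Agent), never to the packet source.
func (c *Correspondent) TestReply(claimed netip.Addr, label byte) (token []byte, nonceIdx uint16) {
	return c.keygenToken(claimed, 1, label), 1
}

// bindingKey needs both cookies: the mobile must be reachable at the HoA
// and at the CoA before it can authenticate a binding between them.
func bindingKey(homeTok, coaTok []byte) []byte {
	h := sha256.New()
	h.Write(homeTok)
	h.Write(coaTok)
	return h.Sum(nil)
}

type BindingUpdate struct {
	HoA, CoA      netip.Addr
	Seq, NonceIdx uint16
	MAC           []byte
}
func buMAC(k []byte, bu BindingUpdate) []byte {
	m := hmac.New(sha256.New, k)
	h, c := bu.HoA.As16(), bu.CoA.As16()
	m.Write(h[:])
	m.Write(c[:])
	binary.Write(m, binary.BigEndian, bu.Seq)
	binary.Write(m, binary.BigEndian, bu.NonceIdx)
	return m.Sum(nil)[:12]
}

// MakeBU runs on the mobile with whatever cookies it managed to receive.
func MakeBU(hoa, coa netip.Addr, seq, nonceIdx uint16, homeTok, coaTok []byte) BindingUpdate {
	bu := BindingUpdate{HoA: hoa, CoA: coa, Seq: seq, NonceIdx: nonceIdx}
	bu.MAC = buMAC(bindingKey(homeTok, coaTok), bu)
	return bu
}

// VerifyBU recomputes both cookies from Kcn: a flood of Test Inits cannot
// exhaust the correspondent's memory, and no public-key work is done here.
func (c *Correspondent) VerifyBU(bu BindingUpdate) bool {
	if _, ok := c.nonces[bu.NonceIdx]; !ok {
		return false
	}
	k := bindingKey(c.keygenToken(bu.HoA, bu.NonceIdx, labelHome),
		c.keygenToken(bu.CoA, bu.NonceIdx, labelCareOf))
	return hmac.Equal(bu.MAC, buMAC(k, bu))
}

// Scenario: an honest mobile reachable at both addresses, then an attacker
// reachable only at its own. All addresses are constructed from 2001:db8::/32.
func Scenario() (honestOK, attackerOK bool) {
	cn := NewCorrespondent()
	hoa := netip.MustParseAddr("2001:db8:1::10")
	coa := netip.MustParseAddr("2001:db8:2::20")
	homeTok, idx := cn.TestReply(hoa, labelHome) // HoT, forwarded by the HA
	coaTok, _ := cn.TestReply(coa, labelCareOf)  // CoT, straight to the CoA
	honestOK = cn.VerifyBU(MakeBU(hoa, coa, 1, idx, homeTok, coaTok))
	// The attacker gets its own CoT, but the HoT for hoa was delivered to
	// hoa, so the home cookie has to be guessed.
	atk := netip.MustParseAddr("2001:db8:66::bad")
	atkTok, _ := cn.TestReply(atk, labelCareOf)
	guessedHomeTok := make([]byte, 8)
	attackerOK = cn.VerifyBU(MakeBU(hoa, atk, 1, idx, guessedHomeTok, atkTok))
	return
}
```

Two caveats a practitioner should keep in mind. The test proves reachability, not ownership: an attacker sitting on the path between the correspondent and the Home Agent sees the home cookie and can pass it, which is why the next slide adds a cryptographic binding between key and address. And the nonce table must be rotated, since a cookie stays valid for as long as its nonce does.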

  31. CAM: Childproof Authentication for MIPv6 • Mobile node m chooses a key pair (PKm, SKm) • Mobile m chooses its Home address (IF-Id) Am = H(PKm, i) • Integer i is used to resolve IPv6 address collisions • Binding Update from m includes: A’m, Ac, Am, PKm, i, {H(A’m, Ac, Am, Tm)}SKm • Correspondent verifies Am = H(PKm, i) and the signed hash from the Binding Update • PKm is uncertified: it proves ownership of the address but says nothing about real-world identity • An impostor cannot submit a bogus BU without finding (PK’, SK’) with H(PK’, i) = Am • (which is hard)
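The CAM check on this slide carried through in code, as an added example written for this page (not the authors’ implementation and not code from the Windows/CE stacks): the mobile derives Am = H(PKm, i), signs H(A’m, Ac, Am, Tm), and the correspondent verifies both relations with nothing but the uncertified PKm carried in the Binding Update. The slide names neither the hash nor the signature scheme; SHA-256 truncated to 64 bits, Ed25519, the timestamp window and all addresses are this example’s assumptions. Both impostor strategies from the slide are exercised: a fresh key pair (valid signature, wrong address) and the victim’s public key (right address, no way to sign).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"net/netip"
)

// interfaceID is Am = H(PKm, i): here the leading 64 bits of SHA-256 over
// the public key and the collision counter i (hash and truncation assumed).
func interfaceID(pk ed25519.PublicKey, i uint32) [8]byte {
	h := sha256.New()
	h.Write(pk)
	binary.Write(h, binary.BigEndian, i)
	var id [8]byte
	copy(id[:], h.Sum(nil)[:8])
	return id
}

// HomeAddress = router prefix + H(PKm, i); a DAD collision bumps i and retries.
func HomeAddress(prefix netip.Prefix, pk ed25519.PublicKey, i uint32) netip.Addr {
	b := prefix.Masked().Addr().As16()
	id := interfaceID(pk, i)
	copy(b[8:], id[:])
	return netip.AddrFrom16(b)
}

// BindingUpdate carries A'm, Ac, Am, PKm, i and {H(A'm, Ac, Am, Tm)}SKm.
type BindingUpdate struct {
	CoA, CN, HoA netip.Addr // A'm, Ac, Am
	Timestamp    int64      // Tm
	PK           ed25519.PublicKey
	I            uint32
	Sig          []byte
}

// buDigest is H(A'm, Ac, Am, Tm). Binding Ac stops a BU captured on its way
// to one correspondent from being replayed to another.
func buDigest(bu BindingUpdate) []byte {
	h := sha256.New()
	for _, a := range []netip.Addr{bu.CoA, bu.CN, bu.HoA} {
		b := a.As16()
		h.Write(b[:])
	}
	binary.Write(h, binary.BigEndian, bu.Timestamp)
	return h.Sum(nil)
}

// SignBU runs on the mobile; Ed25519 stands in for the unnamed signature scheme.
func SignBU(sk ed25519.PrivateKey, coa, cn, hoa netip.Addr, ts int64, i uint32) BindingUpdate {
	bu := BindingUpdate{CoA: coa, CN: cn, HoA: hoa, Timestamp: ts,
		PK: sk.Public().(ed25519.PublicKey), I: i}
	bu.Sig = ed25519.Sign(sk, buDigest(bu))
	return bu
}

// VerifyBU runs on correspondent me. No certificate and no pre-shared key:
// the home address itself commits to PKm, so an uncertified key is enough.
func VerifyBU(me netip.Addr, bu BindingUpdate, now, maxSkew int64) error {
	if bu.CN != me {
		return errors.New("BU addressed to a different correspondent")
	}
	if d := now - bu.Timestamp; d > maxSkew || d < -maxSkew {
		return errors.New("stale or future timestamp")
	}
	hoa, want := bu.HoA.As16(), interfaceID(bu.PK, bu.I)
	if !bytes.Equal(want[:], hoa[8:]) {
		return errors.New("home address is not H(PKm, i)")
	}
	if !ed25519.Verify(bu.PK, buDigest(bu), bu.Sig) {
		return errors.New("signature does not verify under PKm")
	}
	return nil
}

// Scenario: an honest mobile, then an impostor trying two strategies.
// All addresses are constructed from the 2001:db8::/32 documentation range.
func Scenario() (honest, impostorOwnKey, impostorBorrowedPK error) {
	prefix := netip.MustParsePrefix("2001:db8:1::/64")
	cn := netip.MustParseAddr("2001:db8:9::1")
	coa := netip.MustParseAddr("2001:db8:2::20")
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	hoa := HomeAddress(prefix, pk, 0)
	now := int64(1_000_000)
	honest = VerifyBU(cn, SignBU(sk, coa, cn, hoa, now, 0), now, 60)
	_, atkSK, _ := ed25519.GenerateKey(rand.Reader)
	atkCoA := netip.MustParseAddr("2001:db8:66::bad")
	// 1. Its own key pair: the signature verifies, but H(PK', 0) != Am.
	impostorOwnKey = VerifyBU(cn, SignBU(atkSK, atkCoA, cn, hoa, now, 0), now, 60)
	// 2. The victim's (public) PKm: Am matches, but it cannot sign under it.
	bu := SignBU(atkSK, atkCoA, cn, hoa, now, 0)
	bu.PK = pk
	impostorBorrowedPK = VerifyBU(cn, bu, now, 60)
	return
}
```

Two things the slide’s "(which is hard)" glosses over. Only 64 bits of hash fit in the Interface Id, so the impostor’s search is a 2^64 brute force, not a 2^256 one; the later standardised form of this idea (RFC 3972) adds a Sec parameter and hash extension to raise that cost. And the timestamp window alone does not stop replay inside the window: a correspondent should also keep the last Tm seen per home address and reject anything not newer.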

  32. References • Greg O’Shea and Michael Roe, “Childproof Authentication for Mobile IPv6 (CAM)”, ACM SIGCOMM Computer Communication Review 31(2), April 2001. • M. Roe, T. Aura, G. O’Shea and J. Arkko, “Authentication of Mobile IPv6 Binding Updates and Acknowledgements”, IETF Internet-Draft, http://www.ietf.org/internet-drafts/draft-roe-mobileip-updateauth-01.txt • T. Aura and J. Arkko, “MIPv6 BU Attacks and Defences”, IETF Internet-Draft, http://www.ietf.org/internet-drafts/draft-aura-mipv6-BU-attacks-01.txt
