WO2009099358A1 - Method and apparatus for use in a communications network - Google Patents
Method and apparatus for use in a communications network Download PDFInfo
- Publication number
- WO2009099358A1 WO2009099358A1 PCT/SE2008/050156 SE2008050156W WO2009099358A1 WO 2009099358 A1 WO2009099358 A1 WO 2009099358A1 SE 2008050156 W SE2008050156 W SE 2008050156W WO 2009099358 A1 WO2009099358 A1 WO 2009099358A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- mobile node
- access router
- address
- message
- established
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
- H04W8/08—Mobility data transfer
- H04W8/082—Mobility data transfer for traffic bypassing of mobility servers, e.g. location registers, home PLMNs or home agents
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
- H04W80/04—Network layer protocols, e.g. mobile IP [Internet Protocol]
Definitions
- the present invention relates to a method and apparatus for use in telecommunications network.
- the present invention relates to a method and apparatus for use in a Mobile IP network to determine whether a Mobile Node in a visited network is reachable on a new claimed Care-of Address for the Mobile Node.
- IP address describes a topological location of a node in the network.
- the IP address is used to route the packet from the source node to the destination.
- the IP address is generally also used to identify the node, providing two different functions in one entity. This can be considered to be akin to a person responding with their home address when asked who they are.
- mobility is also considered, the situation becomes even more complicated: since IP addresses act as host identifiers in this scheme, they must not be changed; however, since IP addresses also describe topological locations, they must necessarily change when a host changes its location in the network.
- the solution is to use a fixed home location providing a "home address" for the node.
- the home address both identifies the node and provides a stable location for it when it is at home.
- the current location information is available in the form of a care-of address, which is used for routing purposes when the node is away from home.
- Cellular networks provide roaming capabilities, where visited networks provide connectivity to roaming users.
- the traffic of roaming users may be tunnelled back to the home network or it may leave or be terminated in the visited network.
- Possible reasons for using home tunnelling include: the ability to charge at home; enabling policy control at home; having a mobility anchor at home; providing location privacy; and allowing for the possibility that servers providing user service are in the home network.
- Possible reasons for local breakout include: optimal routing; shorter (and hence cheaper) access to the Internet; and access to services provided locally in the visited network.
- MN Mobile Nodes
- BU Location Updates
- CN Correspondent Nodes
- IP2 allows full control for the network to decide routing (including home tunnelling or route optimization), it is a complex system requiring IP2 to be implemented at the visited and home networks and also in the network of the CN. Its complexity makes it unsuitable for a number of purposes.
- Another form of route optimization (albeit a less powerful one) is the use of a locally- assigned IP address for communication by the MN instead of the home address. In this case, no specific mechanisms are needed to ensure direct routing between the CN and the MN; however, the transport session may break if the MN moves away. The MN may choose to initiate communication using a locally-assigned address at its own discretion.
- Mobile IP is a mechanism for maintaining transparent network connectivity to and from a Mobile Node (MN), such as a mobile terminal or telephone over an IP based network.
- MN Mobile Node
- Mobile IP enables a Mobile Node to be addressed by the IP address it uses in its home network (Home Address), regardless of the network to which it is currently physically attached. Therefore, ongoing network connections to and from a Mobile Node can be maintained even as the Mobile Node is moving from one subnet to the other.
- Mobile IP can be implemented using IP protocol version 4, IPv4 or IP protocol version 6, IPv6.
- IPv6 is generally preferred as IPv4 has a number of limitations in a mobile environment. The IPv6 protocol as such is specified in RFC 2460.
- each Mobile Node is always identified by its Home Address. While away from its home IP subnet (Home Subnet) a Mobile Node is also associated with a Care-of Address which indicates the Mobile Node's current location. The association of the Mobile Node's Home Address and the Care-of Address is known as Binding. A router in the Home Subnet, known as the Home Agent, maintains a record of the current Binding of the Mobile Node. The Mobile Node can acquire its Care-of Address through conventional IPv6 mechanisms called auto-configuration at the visited (or foreign) IP subnet.
- Correspondent Node Any node with which a Mobile Node is communicating is referred to as a Correspondent Node.
- the Correspondent Node could itself be either mobile or stationary.
- the first mode bidirectional tunnelling to/from the Home Agent, does not require Mobile IPv6 support from the Correspondent Node and is available even if the Mobile Node has not registered its current Binding with the Correspondent Node
- the first mode is illustrated in Figure 1 of the accompanying drawings.
- IP packets from the Correspondent Node are routed to the Home Agent and then tunnelled to the Mobile Node.
- Packets to the Correspondent Node are tunnelled from the Mobile Node to the Home Agent ("reverse tunnelled") and then routed normally from the Home Network to the Correspondent Node.
- the Home Agent intercepts any IPv6 packets addressed to the Mobile Node's Home Address and each intercepted packet is tunnelled to the Mobile Node's primary Care-of Address. This tunnelling is performed using IPv6 encapsulation.
- the second mode requires the Mobile Node to register its current binding at the Correspondent Node.
- the second mode is illustrated in Figure 2 of the accompanying drawings.
- Packets from the Correspondent Node can be routed directly to the Care-of Address of the Mobile Node.
- the Correspondent Node checks its cached bindings for an entry for the packet's destination address. If a cached binding for this destination address is found, the node uses a new type of IPv6 routing header to route the packet to the Mobile Node by way of the Care-of Address indicated in this binding.
- a routing header may be present as an IPv6 header extension, and indicates that the payload has to be delivered to a destination socket in some way that is different from what would be carried out by standard receiver host processing.
- Mobile IPv6 defines a new routing header variant, the type 2 routing header, to allow the packet to be routed directly from a Correspondent Node to the Mobile Node's care- of address.
- Use of the term "routing header" typically refers to use of a type 2 routing header.
- the Mobile Node's care-of address is inserted into the IPv6 Destination Address field. Once the packet arrives at the care-of address, the Mobile Node extracts the final destination address (equal to its home address) from the routing header, and delivers the packet to the appropriate socket as if the packet were addressed to the extracted address.
- the new routing header uses a different type than defined for "regular" IPv6 source routing, enabling firewalls to apply different rules to source routed packets than to Mobile IPv6.
- This routing header type (type 2) is restricted to carry only one IPv6 address and can only be processed by the final destination and not intermediate routers. All IPv6 nodes which process this routing header must verify that the address contained within is the node's own home address in order to prevent packets from being forwarded outside the node.
- the IP address contained in the routing header since it is the mobile node's home address, must be a unicast routable address.
- the mobile node must discard the packet.
- the Mobile Node registers its current binding at the Correspondent Node using a Binding Update message sent from the Mobile Node to the Correspondent Node (which the Correspondent Node acknowledges with a Binding Update Acknowledgement message).
- the Binding Update message contains as its destination address the address of the Correspondent Node.
- the source address of the message is the Care-of Address of the Mobile Node, whilst the home address of the Mobile Node is contained within a home address field of the message header.
- Route optimisation requires the inclusion of a routing header (a type 2 routing header) in the packet headers, indicating that the packets must be dealt with in a special way.
- a "proof-of-address" mechanism may be employed.
- One such mechanism requires that, prior to issuing a (first) Binding Update message, a roaming Mobile Node send to a Correspondent Node a first message (HoTI) to the Correspondent Node employing route optimisation and a second message (CoTI) not employing route optimisation.
- the second message travels via the Home Agent whilst the second does not.
- the Correspondent Node replies to the first message with a first part of a random number generated by the Correspondent Node, and replies to the second message with a second part of the random number.
- the Mobile Node will only receive both parts of the random number if it has given both a valid Care-of Address and a valid Home Address.
- the Mobile Node includes both parts of the random number in the message to prove ownership of the Care-of and Home Addresses.
- Route Optimisation allows the Mobile Node to send packets directly to the Correspondent Node.
- the Care-of Address is included as the source address in these "outgoing" packets. This is done by the Mobile IP protocol layer at the Mobile Node, which replaces the home address with the Care-of Address as the source address in outgoing packets.
- the Home Address is included in a further header field
- the Mobile IP protocol layer at the Correspondent Node screens incoming mails by comparing the source addresses of the packets with Care-of Addresses held in its binding cache If a match is found, the Care-of Address is replaced with the corresponding Home address, in the source address field, before passing the message to higher layers Transit through the home network is thus avoided
- packets from the Correspondent Node can be routed directly to the Care-of Address of the Mobile Node
- the Correspondent Node checks its cached bindings for an entry for the packet's destination address If a cached binding for this destination address is found, the node substitutes the destination address for the corresponding Care-of Address, whilst including the destination address ( ⁇ e the Home address) in a further header field
- the Mobile IP protocol layer replaces the Care-of Address in the destination field with the home address of the Mobile Node The packet is then passed to higher protocol layers Again, transit through the home network is avoided
- Routing packets directly to the Mobile Node's Care-of Address with 'route optimization' allows the shortest communications path to be used It also eliminates congestion at the Mobile Node's Home Agent In addition, the impact of any possible failure of the Home Agent or networks on the path to or from it is reduced
- the possibility of 'route optimization' that MIPv6 provides does lead to a terminal centric solution, as the establishment of home address to care-of address bindings in the correspondent node is decided, initiated and executed by the mobile node itself This does not allow network operators to influence whether traffic is tunnelled home or routed locally For example, home networks have no influence if a particular piece of traffic is route via them or not This is true even if the visited network fully co-operates with the home network in this regard
- the simple use of a local IP address is also decided by the terminal If (home) network control of route optimization is requested, the use of local addresses needs to be controlled too
- the RR procedure is followed by sending a binding update (BU) message to each CN to update it with the new MN's CoA (and probably receiving a binding acknowledgment (BA)).
- BU binding update
- BA binding acknowledgment
- the enhanced mobile IPv6 RO mode (see J. Arkko, C. Vogt, W. Haddad, "Enhanced Route Optimization for Mobile IPv6", IETF, RFC 4866, May 2007) has been designed and standardized.
- EMIPv6 relies on the cryptographically generated address (see T. Aura, “Cryptographically Generated Addresses", IETF, RFC 3972, March 2005) to bootstrap a long lifetime bidirectional security association (BSA) between the MN and the CN instead of relying on routing properties to establish a temporary BSA as is the case in MIPv ⁇ protocol.
- BSA bidirectional security association
- EMIPv ⁇ succeeds in substituting the RR with a CGA technique but at the expense of abandoning the protection against network flooding attack.
- a defence mechanism based on establishing a cryptographic relationship also know as a 'symbiotic' relationship
- AR access router
- the NFD protocol enables the visited network to repel a network flooding attack, which can be launched via using the RO mode. However, it does not provide any protection to the visited network in case the attack is launched via using the bidirectional tunneling (BT) mode where all data packets exchanged between the MN and the CN(s) are tunneled via the MN's HA. Furthermore, as the main goal in EMIPv ⁇ was to cut the number of mobility signalling messages on the MN side as much as possible, it is not appropriate to clone a CoTI/CoT exchange between the MN and the HA prior to sending a BU message.
- BT bidirectional tunneling
- a method for use in a Mobile IP network comprising determining whether a Mobile Node in a visited network is reachable on a new claimed Care-of Address for the Mobile Node using information relating to a pre-established cryptographic relationship between the Mobile Node and an Access Router of the visited network.
- the method may comprise determining through communication between a Home Agent for the Mobile Node in the Mobile Node's home network and the Access Router whether such a pre-established cryptographic relationship exists, the existence of such a pre-established relationship indicating that the Mobile Node is reachable on the claimed Care-of Address.
- the method may comprise communicating the Care-of Address in a message from the Home Agent to the Access Router, for use at the Access Router in the determining of whether the Access Router has a pre-established cryptographic relationship with the Mobile Node.
- the method may comprise checking whether the Care-of Address is stored at the Access Router as a result of the pre-established relationship.
- the method may comprise communicating a link to a certificate for the Access Router in a Binding Update message from the Mobile Node to the Home Agent.
- the method may comprise sending a Binding Complete message from the Access Router to the Home Agent, wherein the Binding Complete message comprises the information relating to the pre-established relationship, and wherein the method comprises checking the information at the Home Agent as part of the determining of whether the Access Router has a pre-established cryptographic relationship with the Mobile Node.
- the Binding Complete message may be signed by the Access Router, and the method may comprise checking the signature of the Binding Complete message at the Home Agent as part of the determining of whether the Access Router has a pre-established cryptographic relationship with the Mobile Node.
- SeND Secure Neighbor Discovery
- An embodiment of the present invention is also applicable in a case where there are a plurality of new claimed Care-of Addresses for the Mobile Node, with each supposedly being associated with a corresponding pre-established cryptographic relationship between the Mobile Node and the Access Router.
- a reachability test as described above in accordance with the invention may be performed in respect of fewer than all of, such as only one of, the pre-established cryptographic relationships. If the test against a certain number (e.g. one) of these fails, then the Mobile Node could be assumed to be a rogue node without performing any further tests.
- an apparatus for use as or in a node of a Mobile IP network comprising means for determining whether a Mobile Node in a visited network is reachable on a new claimed Care-of
- the node may be the Mobile Node, the Access Router, or a
- the apparatus may comprise means for determining through communication between a Home Agent for the Mobile Node in the Mobile Node's home network and the Access Router whether such a pre-established cryptographic relationship exists, the existence of such a pre-established relationship indicating that the Mobile Node is reachable on the claimed Care-of Address.
- the node may be the Access Router or the Home Agent.
- the apparatus may comprise means for receiving a Binding Complete message from the Access Router, the Binding Complete message comprising the information relating to the pre-established relationship, and further comprising means for checking the information as part of the determining of whether the Access Router has a pre- established cryptographic relationship with the Mobile Node.
- the node may be the Home Agent.
- the Binding Complete message may be signed by the Access Router, and the apparatus may comprise means for checking the signature of the Binding Complete message as part of the determining of whether the Access Router has a pre- established cryptographic relationship with the Mobile Node.
- the node may be the Home Agent.
- the apparatus may comprise means for sending a Binding Complete message to the Home Agent, the Binding Complete message comprising the information relating to the pre-established relationship.
- the node may be the Access Router.
- the apparatus may comprise means for signing the Binding Complete message.
- the node may be the Access Router.
- the apparatus may comprise means for communicating a link to a certificate for the Access Router in a Binding Update message from the Mobile Node to the Home Agent.
- the node may be the Mobile Node.
- a program for controlling an apparatus to perform a method according to the first aspect of the present invention is provided.
- the program may be carried on a carrier medium, where the carrier medium may be a storage medium or a transmission medium.
- a storage medium containing a program according to the third aspect of the present invention.
- An embodiment of the present invention is applicable to the enhanced Mobile IPv6 route optimization mode. It addresses the lack of any care-of address reachability test on the home agent side, which was justified by poor non-technical arguments and to avoid imposing additional mobility signalling messages on the mobile node itself. It enables the home agent to test the reachability of the claimed care-of address in a new way, which addresses implicitly the multi-homing scenario and enables the foreign network to repel a flooding attack but without involving the mobile node in any signalling message exchange.
- An embodiment of the present invention aims to improve Mobile IPv6 protocol security by enabling an enhanced care-of address reachability test for the home agent.
- the main goals are to discourage a rogue mobile node from misleading its home agent to flood a targeted foreign network and to empower the latter to thwart this type of attack if launched at a later stage.
- the two different modes in the Mobile IPv6 protocol for handling data packet exchange when the mobile node (MN) is located in a foreign network bidirectional tunneling (BT) and route optimization (RO), have two commonalities.
- the first one is the mechanism used to update the HA after each IP handoff and requires the MN to send a binding update (BU) message to its HA immediately after configuring a care-of address (CoA).
- BU binding update
- CoA care-of address
- a second commonality is the HA's reaction upon receiving a valid BU message and can be described as a blind trust in the MN claim(s) regarding its new CoA(s), The common consequence is that the HA will always tunnel data packets to the MN's new location without conducting any reachability test on the new claimed CoA.
- An embodiment of the present invention aims to avoid the potential consequences of a lack of CoA reachability test on the HA side.
- an enhanced and seamless CoA test is introduced which makes launching a network flooding attack complicated enough to discourage a rogue MN from misleading its HA to flood a particular target.
- it empowers the targeted network to thwart such attack if launched at a later stage.
- An embodiment of the present invention introduces an enhanced and seamless CoA reachability test which has been designed to address uncertainties surrounding a potential threat in MiPv ⁇ protocol. Consequently, the main goal is to improve MIPv ⁇ overall security in a way which does not require a periodic exchange of signalling messages and does not involve the MN in the exchange.
- the suggested reachability test does not directly involve the MN and does not affect the HA's basic treatment of the BU message (as described in RFC 3775) nor does it increase the overall latency.
- An embodiment of the present invention allows the visited network to protect itself regardless of whether the MN 10 behaves properly in performing the CoA reachability test.
- Figure 1 illustrates the bidirectional tunnelling mode of Mobile IP
- Figures 3A to 3C contain a schematic flowchart illustrating steps performed in an embodiment of the present invention
- Figure 4 is a message exchange diagram providing an overview of the messages exchanged during the steps of Figures 3A to 3C, and
- Figure 5 is a schematic illustration of parts of an embodiment of the present invention for performing the method of Figures 3A to 3C
- Figures 3A to 3C provide a schematic flowchart showing the steps performed by a MN 10, an AR 20 and a HA 30, in general, the steps of Figure 3B follow on from those of Figure 3A, and the steps of Figure 3C follow on from those of Figure 3B
- Figure 4 provides an overview of the signalling messages exchanged between the MN 10, AR 20 and HA 30
- Figure 5 is a schematic block diagram showing parts of the MN 10, AR 20 and HA 30 for performing the method of Figures 3A to 3C
- a CoA reachability test is introduced in an embodiment of the present invention which is triggered by the HA 30 associated with the MN 10 receiving a valid BU message from the MN 10
- the MN 10 is involved in establishing a cryptographic or symbiotic relationship (SR) with the AR 20, as illustrated in Figure 3A, for example as in the NFD protocol mentioned above (see also W Haddad, and M Naslund, "On Secure Neighbor Discovery Proxying Using 'Symbiotic' Relationship", Internet Draft, draft-haddad-cgaext-symbiotic-sendproxy-00 txt, January 2008)
- SR cryptographic or symbiotic relationship
- Establishing a SR with the AR 20 involves the MN 10 incorporating special parameters in order to generate the 128-b ⁇ t random parameter, RAND(128), to be used to configure its CGA address
- RAND(128) used together with the MN 10's public key and other parameters to generate the 64-b ⁇ t interface identifier (HD) should, in turn, be generated from the AR 20's public key and another random 128-b ⁇ t parameter, IRAND(128), this is done in step P1 of Figure 3A by generating portion AP1 of the MN 10
- an encrypting portion AP2 of the MN 10 then encrypts the IRAND(128) with the AR 20's public key and in step P3 an information sending portion AP3 of the MN 10 sends it to the AR 20 in an NDP (Neighbour Discovery Protocol) message signed with the MN 10's CGA private key.
- NDP Networkeighbour Discovery Protocol
- the MN 10 also includes two other parameters in the sending step P3 that are also required by the AR 20: the HA 30's IPv6 address and the HA 30's public key; this information can be sent in new options carried in a message used during a NDP exchange, e.g. the router solicitation (RtSoI) message.
- IRAND(128) can be considered to be an authentication token or shared secret, to be used later in an embodiment of the present invention.
- the MN 10 is denied access in the visited network, as in the NFD protocol described above, until it establishes such a cryptographic relationship SR with the AR 20.
- This cryptographic relationship enables the MN 10 to provide the HA 30 with information in order to enable the HA 30 to securely contact the AR 20 and to determine whether the MN 10 is reachable on the claimed CoA, as is explained below.
- a secure CoA reachability test is triggered when the MN 10 sends, in step S1 of Figure 3B, a BU message M1 to the HA 30 to update it with its new CoA, using BU sending portion AS1.
- the MN 10 discloses to its HA 30 information relating to the cryptographic relationship.
- the MN 10 includes in the BU message M1 the AR 20's IPv6 address, the AR 20's public key and a link to the AR 20's certificate, i.e. the same as the one obtained by the MN 10 when attaching to the AR 20 link.
- the MN 10 includes, in an encrypted form, a parameter derived from hashing IRAND(128), referred to here as HRAND(128); this may be a 64 bit parameter, or may greater in length, for example at least 96 bits.
- the information relating to the cryptographic relationship (128-bit random parameter) is encrypted in the BU message M1 with the key shared with the HA 30 from running IKEv2 (see C. Kaufman, "Internet Key Exchange (IKEv2) Protocol", IETF, RFC 4306, December 2005), i.e. when bootstrapping the IKE SA between the two nodes.
- the two parameters i.e. the AR's IPv6 address and the HRAND(128), are sent in two new options carried by the BU message M1.
- the BU message M1 is received by the HA 30 in step S2. This sets off an exchange of new signalling messages between the HA 30 and the AR 20 of the MN 10, which will now be explained in more detail.
- a BCR sending portion AS3 of the HA 30 sends a new message called a "Binding Complete Request (BCR)" message M2 to the AR 20 using the IPv6 address sent in the BU message.
- BCR Biting Complete Request
- the HA 30 authenticates the BCR message M2 with the HRAND(128) sent by the MN 10 in the BU message Ml
- the BCR message M2 carries the MN 10's CoA as sent in the BU message M1 , and is authenticated with the cryptographic relationship established between the MN 10 and the AR 20.
- the BCR message M2 contains a nonce which is to be subsequently returned in the BC/BR message (see step S9 below), and discloses what it knows about the SR established between the MN 10 and its AR 20, i.e. HRAND(128).
- the HA 30 signs the BCR message M2.
- the nonce is a random number generated by the HA 30 (by any means), which is then returned in the BC/BR message (see below); it serves to tell the HA 30 that the message has been sent by a node which is not anywhere in the Internet, so it narrows the possibility of an attack to just the nodes located on-path between the HA 30 and the AR 20.
- the BCR message M2 does not need explicitly to contain HRAND(128) in a new option.
- the HA 30 can authenticate the BCR message M2 with
- the nonce which is separate, is a way to protect against flooding the HA 30 with fake BC messages, and hence the reason why the AR 20 copies the nonce and inserts it in the
- the nonce is different to the HRAND(128).
- the nonce can be a random number generated by the HA 30 and is returned by the AR 20 in the
- the AR 20 determines whether or not it believes that the MN 10 is still attached to its link.
- a CoA checking portion AT1 of the AR 20 can start by checking in step T1 if the queried CoA is stored in its cache memory. Then in step T2 a fetching portion AT2 of the AR 20 fetches the MN 10's corresponding SR (i.e. IRAND(128)) and HA 30's public key. In step T3 the former is used by a validating and checking portion AT3 of the AR 20 to validate the HA knowledge, and the latter to check the signature of the BCR message M2.
- Validation of the HA knowledge means to check if the HA 30 has really received HRAND(128); the validation is done by checking the authentication carried in the BCR message M2 - if the authentication is done with HRAND(128) as being the key, then the HA 30 knows it, so it is valid. If the signature is valid, then the AR 20 should immediately reply by sending a "Binding Confirm (BC)" message (see step S9 below) in which it inserts its own SR, the nonce and signs the message with its private key. Note that the AR 20 should encrypt the SR with the HA 30's public key.
- BC Biting Confirm
- the AR 20 may perform a procedure to re-check the attachment of the MN 10, e.g., using a neighbour discovery (ND) message (see T. Narten, E. Nordmark, W. Simpson, H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", IETF, RFC 4861 , September 2007).
- ND neighbour discovery
- the AR 20 sends in step S5 a ND message M3 towards the CoA of the MN 10 as received in step S4 in the BCR message M2.
- This message M3 is received by the MN 10 in step S6 (assuming the message M3 actually arrives at the MN 10), and in step S7 a ND reply message M4 is sent back to the AR 20 and received in step S8.
- This procedure (involving messages M3 and M4) is optional.
- the AR 20 does not need to check if the MN 10 is on-link or not if it finds that there is an SR concerning this node stored in its cache memory.
- the MN 10 may be out of reach for some time (for example due to bad coverage) but it does not matter since in case of an attack, the AR 20 can use the SR only to alert the HA 30.
- a BC/BR sending portion AS9 of the AR 20 sends in step S9 a "Binding Complete (BC)" message M5, which is authenticated with the same RAND(128).
- the BC/BR sending portion AS9 of the AR 20 instead sends in step S9 an authenticated "Binding Reject (BR)" message M5 to the HA 30.
- the BC/BR message M5 is therefore sent by the AR 20 to the HA 30 of the MN 10 as a response to the BCR message M2.
- the BC message M5 is authenticated with the cryptographic relationship or SR (essentially, IRAND()) and is signed with the AR 20's private key (i.e. that which has been used to establish the cryptographic relationship).
- the BR message M5 is authenticated whenever possible (i.e. if the MN 10 has established the cryptographic relationship then left the network). Otherwise, the AR 20 signs the BR message M5 (which carries the nonce sent in the BCR message M2) with its private key (note that the AR 20 should have a CGA address built from the public key pair).
- the BC or BR message M5 is received by a BC/BR receiving portion AS10 of the HA 30 in step S10.
- a BC/BR receiving portion AS10 of the HA 30 receives a BC message from the AR 20
- a nonce checking portion AG1 of the HA 30 starts by checking the nonce (step G1 )
- a SR decrypting portion AG2 of the HA 30 decrypts the SR and validates it (step G2).
- a signature verifying portion AG3 of the HA 30 verifies the signature by using the AR 20's public key already stored in the MN 10's corresponding entry (step G3).
- the AR 20's signature allows the HA 30 to validate the certificate provided by the MN 10. Hence, if the signature is valid, then in step G4 a decision making portion AG4 of the HA 30 can consider with enough confidence that the MN 10 has indeed visited the AR 20 and exchanged NDP messages with it and an SR has been accepted. Furthermore, it also allows the HA 30 to validate the AR 20's certificate sent by the MN 10, which also serves as an indication to the HA 30 that the AR 20 is now empowered to repel any malicious behaviour that can emanate from the MN 10, e.g. launching a flooding attack at a later stage. It follows that the CoA reachability test does not need to be repeated periodically.
- the HA 30 After completing a successful reachability test, i.e., performed in parallel with the DAD procedure in the home network, the HA 30 starts tunnelling data packets to the MN 10's new CoA.
- the presence of the SR between the MN 10 and its AR 20 will prevent the MN 10 from moving away at some point, and launching a flooding attack by keeping sending acknowledgment messages to the CN, e.g. using another interface.
- the AR 20 will quickly detect the MN 10's absence on the link and securely request the HA 30 to halt the data packets flow to the MN 10's CoA.
- making a secure request means that the AR 20 must re-send the SR established by the MN 10 without encryption and must sign the message with its private key.
- a BA message M6 is sent by a BA sending portion AS1 1 of the HA 30 to the MN 10, in response to the BU message received in step S2, which is received by a BA receiving portion AS12 of the MN 10 in step S12.
- This message M6 can be sent immediately after the BU message M1 or in parallel with sending the BCR message M2 (or it could be piggybacked with the BCR message M2).
- the BA message is authenticated.
- Figure 4 provides an overview of the signalling messages exchanged between the MN 10, AR 20 and HA 30 in the method illustrated in Figures 3A to 3C.
- Figure 4 shows ND message A1 and A2 sent prior to message M1.
- Message A1 is sent by the MN 10 to the AR 20, in which it includes the SR and HA parameters.
- Message A2 is the reply the MN 10 gets from the AR 20.
- These two messages can be a Router Solicitation sent by the MN 10 and a Router Advertisement sent by the AR 20.
- the AR 20 located in the targeted network will be able to detect the attack and drop the incoming packets but it will not be able to stop the flooding as it has no mechanism to alert the HA 30 about the fake CoA.
- a malicious MN may try to bypass the AR by sending another IPv6 address in the BU message, which is not configured on the AR. This may be the case, for example, when using more than one interface to perform the update. In such a case, the HA will always believe that it can check the MN's reachability by sending a BCR message to the IPv6 address sent in the BU message M1. However, when the AR receives the BCR message, it needs to use ND to learn the MAC address associated with the IP address.
- the AR prior to discovering the MAC address, the AR first checks if the IPv6 address is stored in its cache memory, which also means checking whether or not a cryptographic relationship has been established. If not, the
- AR should drop the incoming BCR message, and this prevents the malicious MN performing the reachability test.
- the only consequence is that the HA will reject the binding and no data packets will be tunnelled to the targeted network, so the attack will be foiled by the HA.
- the IPv6 destination address sent in the BCR message has a cryptographic relationship with the AR then the latter will forward the BCR message to its destination and it is up to the MN as to whether or not to respond to the HA. It follows immediately that the MN has no interest in performing the reachability test exchange by itself as it won't bring it any benefit except additional signalling message and delay the whole procedure.
- the CoA reachability test can be performed in parallel with exchanging data packets on the HA 30 to MN 10 path (for example, if the BT mode is enabled) or in parallel with updating the CN 40 (for example, when the RO mode is used and no data packets are sent via the HA 30).
- a mechanism for handling fast mobility becomes unavoidable in order to guarantee an acceptable latency.
- the MN 10 configures more than one CoA on the same foreign link and sends all of them to the HA 30 in one BU message.
- the MN 10 would establish an SR per CoA, but the HA 30 would only need to check one particular CoA with the AR 20; if there is an attack, the AR 20 can use the particular CoA to alert the HA 30 that the MN 10 is an attacker and thus all its CoAs should be rejected.
- an embodiment of the present invention aims to improve MIPv ⁇ overall security without increasing the signalling message load on the MN.
- the key exchange in the proposed mechanism is performed between the MN's HA and the new AR. It should be noted that repeating the same CoA reachability test as the one which is periodically performed between the MN and its CN(s), i.e. as part of the return routability procedure, will result in a significant increase in the amount of signalling messages on the MN side as it needs also to be repeated periodically in order to be efficient.
- the resulting improvement from the proposed mechanism should also benefit other protocols which have been designed around MlPv ⁇ , e.g. network mobility protocol (described in V. Devarapalli, R. Wakikawa, A. Petrescu, and P. Thubert, "Network Mobility (NEMO) Basic Support Protocol", RFC 3963, January 2005).
- network mobility protocol described in V. Devarapalli, R. Wakikawa, A. Petrescu, and P. Thubert, "Network Mobility (NEMO) Basic Support Protocol", RFC 3963, January 2005.
- Another goal is to strengthen the network's ability to thwart network flooding attack launched via the MN's HA by improving the network protective means, in the same way as has already been suggested in the network flooding defence mechanism (as in NFD) for the enhanced route optimization (described in the "Enhanced Route Optimization for Mobile IPv6" detailed above).
- SeND secure neighbor
- the design of the suggested CoA reachability test should avoid increasing the latency.
- the HA triggers the CoA reachability test immediately after launching the DAD procedure for the MN's IPv6 home address, i.e. following the receipt of a valid BU message.
- operation of one or more of the above-described components can be controlled by a program operating on the device or apparatus.
- Such an operating program can be stored on a computer-readable medium, or could, for example, be embodied in a signal such as a downloadable data signal provided from an Internet website.
- the appended claims are to be interpreted as covering an operating program by itself, or as a record on a carrier, or as a signal, or in any other form.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Claims
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP08705392A EP2241074A1 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communications network |
JP2010545822A JP5102372B2 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communication network |
PCT/SE2008/050156 WO2009099358A1 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communications network |
US12/866,641 US8413243B2 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communications network |
CA2714280A CA2714280A1 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communications network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/SE2008/050156 WO2009099358A1 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communications network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009099358A1 true WO2009099358A1 (en) | 2009-08-13 |
Family
ID=40952338
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2008/050156 WO2009099358A1 (en) | 2008-02-08 | 2008-02-08 | Method and apparatus for use in a communications network |
Country Status (5)
Country | Link |
---|---|
US (1) | US8413243B2 (en) |
EP (1) | EP2241074A1 (en) |
JP (1) | JP5102372B2 (en) |
CA (1) | CA2714280A1 (en) |
WO (1) | WO2009099358A1 (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009099358A1 (en) * | 2008-02-08 | 2009-08-13 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for use in a communications network |
EP2430856A4 (en) * | 2009-05-13 | 2015-08-05 | Apple Inc | Session suspend and resume using a transient binding option messaging |
US8477685B2 (en) * | 2009-07-30 | 2013-07-02 | Avaya, Inc. | Enhanced mobility management at a mobile access gateway |
US20110286597A1 (en) * | 2009-11-17 | 2011-11-24 | Qualcomm Incorporated | HOME AGENT PROXIED MIPv6 ROUTE OPTIMIZATION MODE |
US8868029B2 (en) * | 2010-01-29 | 2014-10-21 | Alcatel Lucent | Method and apparatus for managing mobile resource usage |
US8767584B2 (en) | 2010-01-29 | 2014-07-01 | Alcatel Lucent | Method and apparatus for analyzing mobile services delivery |
US8493870B2 (en) * | 2010-01-29 | 2013-07-23 | Alcatel Lucent | Method and apparatus for tracing mobile sessions |
US8542576B2 (en) * | 2010-01-29 | 2013-09-24 | Alcatel Lucent | Method and apparatus for auditing 4G mobility networks |
US8559336B2 (en) | 2010-01-29 | 2013-10-15 | Alcatel Lucent | Method and apparatus for hint-based discovery of path supporting infrastructure |
CN104519097B (en) * | 2013-09-29 | 2019-05-07 | 中兴通讯股份有限公司 | The acquisition of port block resource, port block resource distribution method and device |
US20170142162A1 (en) * | 2014-05-20 | 2017-05-18 | Nokia Technologies Oy | Method, Network Element, Mobile Terminal, System and Computer Program Product for Cryptographic Algorithm Negotiation |
US11470017B2 (en) * | 2019-07-30 | 2022-10-11 | At&T Intellectual Property I, L.P. | Immersive reality component management via a reduced competition core network component |
US11444955B2 (en) | 2020-06-30 | 2022-09-13 | Cisco Technology, Inc. | Verification of in-situ network telemetry data in a packet-switched network |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020114469A1 (en) * | 2001-02-21 | 2002-08-22 | Stefano Faccin | Method and system for delegation of security procedures to a visited domain |
US20030092425A1 (en) * | 2001-11-09 | 2003-05-15 | Docomo Communications Laboratories Usa, Inc. | Method for securing access to mobile IP network |
WO2003046778A2 (en) * | 2001-11-30 | 2003-06-05 | Activcard Ireland, Limited | Financial risk management system and method |
Family Cites Families (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3651721B2 (en) * | 1996-11-01 | 2005-05-25 | 株式会社東芝 | Mobile computer device, packet processing device, and communication control method |
US7769374B2 (en) * | 2001-03-12 | 2010-08-03 | Son Phan-Anh | Recovery techniques in mobile networks |
US7203837B2 (en) * | 2001-04-12 | 2007-04-10 | Microsoft Corporation | Methods and systems for unilateral authentication of messages |
FI116027B (en) * | 2001-09-28 | 2005-08-31 | Netseal Mobility Technologies | A method and system to ensure the secure transmission of messages |
JP3831331B2 (en) * | 2001-11-09 | 2006-10-11 | 株式会社エヌ・ティ・ティ・ドコモ | How to secure access to a mobile IP network |
JP3822555B2 (en) * | 2001-11-09 | 2006-09-20 | 株式会社エヌ・ティ・ティ・ドコモ | Secure network access method |
US7298743B2 (en) * | 2001-11-14 | 2007-11-20 | Nokia Corporation | Mobile router support for IPv6 |
US7561553B2 (en) * | 2002-02-27 | 2009-07-14 | Motorola, Inc. | Method and apparatus for providing IP mobility for mobile networks and detachable mobile network nodes |
US7370197B2 (en) * | 2002-07-12 | 2008-05-06 | Microsoft Corporation | Method and system for authenticating messages |
US7436804B2 (en) * | 2002-09-18 | 2008-10-14 | Qualcomm Incorporated | Methods and apparatus for using a Care of Address option |
US7280505B2 (en) * | 2002-11-13 | 2007-10-09 | Nokia Corporation | Method and apparatus for performing inter-technology handoff from WLAN to cellular network |
US20040148520A1 (en) * | 2003-01-29 | 2004-07-29 | Rajesh Talpade | Mitigating denial of service attacks |
DE60305869T2 (en) * | 2003-03-27 | 2006-10-05 | Motorola, Inc., Schaumburg | Communication between a private network and a mobile device |
US7886075B2 (en) * | 2003-05-16 | 2011-02-08 | Cisco Technology, Inc. | Arrangement for retrieving routing information for establishing a bidirectional tunnel between a mobile router and a correspondent router |
EP1505780B1 (en) * | 2003-08-06 | 2011-03-23 | Motorola, Inc. | A method of validated communication |
JP4750045B2 (en) * | 2004-07-09 | 2011-08-17 | パナソニック株式会社 | Network management method and network management apparatus |
KR100636318B1 (en) * | 2004-09-07 | 2006-10-18 | 삼성전자주식회사 | Method and system for authentication of address ownership using care of address binding protocol |
BRPI0419056A (en) * | 2004-09-20 | 2007-12-11 | Matsushita Electric Ind Co Ltd | method of managing a virtual private network tunnel endpoint from a first address to a second address, and virtual private network tunnel endpoint switch manager |
US7886076B2 (en) * | 2005-01-12 | 2011-02-08 | International Business Machines Corporation | Bypassing routing stacks using mobile internet protocol |
JP4705673B2 (en) * | 2005-03-08 | 2011-06-22 | パナソニック株式会社 | Network management method and network management apparatus |
WO2006112095A1 (en) * | 2005-03-31 | 2006-10-26 | Nec Corporation | Mobile communication control method, mobile communication system, routing device, management device, and program |
CN101176328B (en) * | 2005-04-28 | 2011-08-24 | 松下电器产业株式会社 | System, associated methods and apparatus for securing prefix-scoped binding updates |
US7925027B2 (en) * | 2005-05-02 | 2011-04-12 | Ntt Docomo, Inc. | Secure address proxying using multi-key cryptographically generated addresses |
US20060291422A1 (en) * | 2005-06-27 | 2006-12-28 | Nokia Corporation | Mobility management in a communication system of at least two communication networks |
EP1739893A1 (en) * | 2005-06-30 | 2007-01-03 | Matsushita Electric Industrial Co., Ltd. | Optimized reverse tunnelling for packet switched mobile communication systems |
JP2007036641A (en) * | 2005-07-27 | 2007-02-08 | Hitachi Communication Technologies Ltd | Home agent device, and communication system |
CN101268669B (en) * | 2005-09-20 | 2011-09-07 | 艾利森电话股份有限公司 | Method and mobility anchor point for authenticating updates from mobile node |
US20070113075A1 (en) * | 2005-11-10 | 2007-05-17 | Ntt Docomo, Inc. | Secure route optimization for mobile network using multi-key crytographically generated addresses |
US7593377B2 (en) * | 2006-03-29 | 2009-09-22 | Cisco Technology, Inc. | Route optimization for a mobile IP network node in a mobile ad hoc network |
US20090257401A1 (en) * | 2006-09-06 | 2009-10-15 | Panasonic Corporation | Communication system, mobile router and home agent |
US20100296481A1 (en) * | 2006-10-20 | 2010-11-25 | Panasonic Corporation | Methods in mixed network- and host-based mobility management |
US7633921B2 (en) * | 2006-11-21 | 2009-12-15 | Cisco Technology, Inc. | Mobile network automatic tunnels |
EP1926277A1 (en) * | 2006-11-24 | 2008-05-28 | Matsushita Electric Industrial Co., Ltd. | Method for mitigating denial of service attacks against a home agent |
US20100097993A1 (en) * | 2007-02-23 | 2010-04-22 | Jun Hirano | System for Effective Position Management Signaling Associated with Mobile Node Moving in Mobile Network, Router, Mobile Node, and Mobile Router |
US7885274B2 (en) * | 2007-02-27 | 2011-02-08 | Cisco Technology, Inc. | Route optimization between a mobile router and a correspondent node using reverse routability network prefix option |
EP1968272A1 (en) * | 2007-03-05 | 2008-09-10 | Matsushita Electric Industrial Co., Ltd. | Loop detection for mobile IP home agents |
RU2009146556A (en) * | 2007-05-16 | 2011-06-27 | Панасоник Корпорэйшн (Jp) | WAYS OF MIXED MOBILITY MANAGEMENT AT THE NETWORK AND HOST LEVEL |
US8533455B2 (en) * | 2007-05-30 | 2013-09-10 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for combining internet protocol authentication and mobility signaling |
US8266427B2 (en) * | 2007-06-08 | 2012-09-11 | Cisco Technology, Inc. | Secure mobile IPv6 registration |
US20100189000A1 (en) * | 2007-06-20 | 2010-07-29 | Panasonic Corporation | Prefix information check device and communication device |
US8279807B2 (en) * | 2007-10-05 | 2012-10-02 | Panasonic Corporation | Communication control method, network node, and mobile terminal |
US20100275253A1 (en) * | 2007-11-22 | 2010-10-28 | Panasonic Corporation | Communication method, communication system, mobile node, and communication node |
WO2009091306A1 (en) * | 2008-01-18 | 2009-07-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Route optimization in mobile ip networks |
WO2009099358A1 (en) * | 2008-02-08 | 2009-08-13 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for use in a communications network |
EP2253120B1 (en) * | 2008-03-12 | 2018-02-28 | Telefonaktiebolaget LM Ericsson (publ) | Re-establishment of a security association |
US20110055551A1 (en) * | 2009-08-27 | 2011-03-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and network nodes for generating cryptographically generated addresses in mobile ip networks |
-
2008
- 2008-02-08 WO PCT/SE2008/050156 patent/WO2009099358A1/en active Application Filing
- 2008-02-08 EP EP08705392A patent/EP2241074A1/en not_active Withdrawn
- 2008-02-08 US US12/866,641 patent/US8413243B2/en not_active Expired - Fee Related
- 2008-02-08 CA CA2714280A patent/CA2714280A1/en not_active Abandoned
- 2008-02-08 JP JP2010545822A patent/JP5102372B2/en not_active Expired - Fee Related
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020114469A1 (en) * | 2001-02-21 | 2002-08-22 | Stefano Faccin | Method and system for delegation of security procedures to a visited domain |
US20030092425A1 (en) * | 2001-11-09 | 2003-05-15 | Docomo Communications Laboratories Usa, Inc. | Method for securing access to mobile IP network |
WO2003046778A2 (en) * | 2001-11-30 | 2003-06-05 | Activcard Ireland, Limited | Financial risk management system and method |
Also Published As
Publication number | Publication date |
---|---|
CA2714280A1 (en) | 2009-08-13 |
US8413243B2 (en) | 2013-04-02 |
EP2241074A1 (en) | 2010-10-20 |
JP2011512734A (en) | 2011-04-21 |
US20100325416A1 (en) | 2010-12-23 |
JP5102372B2 (en) | 2012-12-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8413243B2 (en) | Method and apparatus for use in a communications network | |
Johnson et al. | Mobility support in IPv6 | |
JP4756048B2 (en) | System and associated method and apparatus for securing prefix scope binding updates | |
JP4291272B2 (en) | How to register home address of mobile node with home agent | |
EP2245799B1 (en) | Route optimization in mobile ip networks | |
US8918522B2 (en) | Re-establishment of a security association | |
US7895339B2 (en) | Network managing method and network managing apparatus | |
US8724553B2 (en) | Route optimization with location privacy support | |
ES2449574T3 (en) | Method and apparatus for roaming between communications networks | |
JP2010507301A (en) | Method in mixed network-based and host-based mobility management | |
JP2010506520A (en) | Method and apparatus for MobileIP route optimization | |
US20100275253A1 (en) | Communication method, communication system, mobile node, and communication node | |
US8036232B2 (en) | Apparatus and method for filtering packet in a network system using mobile IP | |
Li et al. | Mobile IPv6: protocols and implementation | |
Jo et al. | Secure Route Optimization for Network Mobility Using Secure Address Proxying | |
Johnson et al. | RFC 6275: Mobility Support in IPv6 | |
Arkko | IETF Mobile IP Working Group D. Johnson Internet-Draft Rice University Obsoletes: 3775 (if approved) C. Perkins (Ed.) Expires: January 14, 2010 WiChorus Inc. | |
Arkko | IETF Mobile IP Working Group David B. Johnson INTERNET-DRAFT Rice University Charles E. Perkins Nokia Research Center | |
Leung et al. | RFC 5213: Proxy Mobile IPv6 | |
Chowdhury et al. | Network Working Group S. Gundavelli, Ed. Request for Comments: 5213 K. Leung Category: Standards Track Cisco V. Devarapalli Wichorus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 08705392 Country of ref document: EP Kind code of ref document: A1 |
|
REEP | Request for entry into the european phase |
Ref document number: 2008705392 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2008705392 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010545822 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2714280 Country of ref document: CA |
|
WWE | Wipo information: entry into national phase |
Ref document number: 12866641 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |