Professional Documents
Culture Documents
Security in Mobile IPv6 A Survey
Security in Mobile IPv6 A Survey
Security in Mobile IPv6 A Survey
available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm
Published online 6 March 2007 Secure mobile communication is essential for the pervasive accessibility of critical infor-
mation infrastructure. Connecting control systems with the business enterprise, wireless
telemetry and mobile user interaction with critical infrastructure systems are examples
of services that motivate the need for secure mobile communication. Mobile IPv6 is being
touted to provide communication support for such services. The security of Mobile IPv6
poses key challenges impeding its wide-scale adoption. Several security mechanisms
have been proposed in the literature. This paper surveys security vulnerabilities of Mobile
IPv6, provides a taxonomy for the main existing and proposed solutions, and then extends
to outline some open issues.
ª 2007 Elsevier Ltd. All rights reserved.
* Corresponding author.
E-mail addresses: goarany@vt.edu (K. Elgoarany), toweissy@vt.eduy (M. Eltoweissy).
1363-4127/$ – see front matter ª 2007 Elsevier Ltd. All rights reserved.
doi:10.1016/j.istr.2007.02.002
information security technical report 12 (2007) 32–43 33
The security of Mobile IPv6 has been a key issue blocking the
standardization of Mobile IPv6. The goal in designing MIPv6
was simply to make IPv6 mobile and at least as secure as
MIPv4. However, MIPv6 does introduce several additional se-
curity vulnerabilities into IPv6, mainly authorization of binding
updates (BUs), in addition to other vulnerabilities inherited
from IPv4 (Sudanthi, 2003). The following subsections discuss
the background of the main Mobile IPv6 security issues.
of the wireless technologies, leading the wireless link in gen- Preventing a CN from communicating with some or all
eral to easily become the weakest link in terms of system nodes.
and network security. It is fairly easy to setup a phony Wire- Preventing an HA from serving legitimate MNs.
less LAN base station for example, leading to various kinds
of access stealing, denial-of-service, and traffic snooping c Disclosure of sensitive information
attacks (Arkko et al., 2002). Disclosure of nodes serving as home agents in a network.
On the other hand, Mobile Ipv6 provides support for multi-
ple home agents, and a limited support for the reconfiguration
of the home network. In these cases, the mobile node may not 3.2. Classification of attackers
know the IP address of its own home agent, nor sufficient in-
formation about its home network, and even the home subnet The following classes of attackers are considered as a basis for
prefixes may change over time. The mechanism employed by the types of threat scenarios which are described in the fol-
Mobile Ipv6 nodes to learn new information about their home lowing subsection.
subnet prefixes, known as mobile prefix discovery, now creates
vulnerability by the possible leakage of critical information An arbitrary node, anywhere in the Internet, launching an
about the home network topology, and prefix lifetimes, to un- attack against an MN, a CN, or an HA.
trustworthy nodes such as those described above (Perkins, An attacker located on the same (wireless) link as the MN.
2004). An attacker located on the same link as the CN.
An attacker located on the same link as the HA.
2.3. Home address option in payload packets
Table 2 – Classification of main Mobile IPv6 threat scenarios (Mankin et al., 2001)
Attacker location Attacks Effect Attack requirements
Anywhere in the Internet 1. Tampering with MN /CN binding MITM/DoS Knowledge of home address,
cache entries DoS and any CN
2. BU flooding
MN/CN link 1. Sending spoofed BU/BA MITM/DoS Only the knowledge of any CN
2. BU flooding DoS
HA link 1. Acting as the HA Masquerade/DoS No additional knowledge
2. Tampering with HA binding MITM/DoS is required
cache entries MITM/DoS
3. Sending spoofed BU/BA DoS
4. BU flooding
Scenario 1 Attacker knows MNs home address and both end- b Effect
points of any session This can easily cause the binding cache memory to become in-
undated with entries for nodes that have no real meaning and
An MN and a CN have an ongoing session. A malicious node/ thereby preventing a valid node’s entry being created in the
attacker determines the MN’s home address through either binding cache. Thus, it poses another DoS threat.
Mobile Ipv6 advertisement mechanisms, such as mobile
prefix/dynamic home agent discovery, or through the home
address option in payload packets. 3.3.2. Threats presented by attackers located in the same
subnet/link as the MN or the CN
3.3.1.1. Tampering with the CN binding cache. The type of medium accessed by the MN at any point in
time provides various threat possibilities. If the access me-
a Threat dium is a shared multiple access network, such as a Wire-
The attacker can send a BU to the CN using the acquired HoA less LAN for example, the attacker could do passive
and a malicious CoA. The CN would believe that the MN has monitoring of the packets, leading to the interception of
moved and hence has a new CoA. It updates the entry for critical information about the ongoing sessions of the MN.
the MN in its binding cache. In the case of the attacker on the same link of the MN, it
is even easier for the attacker to insert himself as an
b Effect MITM and intercept and modify packets sent between the
The packet stream for the ongoing session from the CN to the MN and the CN. This subsection describes the main sce-
MN now is diverted to the malicious node. The MN in this case nario, threats and effects that deal with manipulating the
may be on its home network and not have any CoA or it may knowledge of CNs.
be on another network and have another CoA. The attacker in
this case would only need to know about the MN’s home address Scenario 2 Attacker knows a CN communicating with the MN
and any CN that the user may communicate with. The attacker An MN and a CN have an ongoing session. A mali-
could be anywhere on the Internet and does not have to be on cious node/attacker determines the CN with the
the same link or network as the MN. Even if the MN eventually MN through passive monitoring.
realizes that it is no longer receiving further packets from the
CN and sends another BU to the CN, this type of attack still poses
a DoS threat. Moreover, the intruder could also send a BU to the 3.3.2.1. Sending spoofed BUs.
MN, supposedly from the CN, and thus insert himself as a man
in the middle (MITM) for traffic between the two. a Threat
By being able to passively monitor the traffic, the attacker
3.3.1.2. Tampering with the MN binding cache. The changing could learn about the CNs that the MN is communicating
the binding cache entry for an Ipv6 MN in the CN was dis- with and also determine to which CNs the MN is sending
cussed. However an MN can also be considered as a CN from BUs. The attacker could in such a case send a spoofed BU
the perspective of being an end-point in a session that is being packet to the same CN. Furthermore, it can very easily send
terminated at the MN and originated from another MN. In a spoofed BU to the MN, claiming that the CN is currently on
such a case the MN (now in the role of a CN) also has a binding the same link as the MN (i.e., co-located with the attacker).
cache entry for the other MN. The same threats discussed
above are now opened up on the MN similarly. b Effect
Such attack can cause the traffic from the CN to the MN be
3.3.1.3. BU flooding. routed elsewhere. Changing the route of packets from CN to
MN is a serious threat. It can be classified as a DoS attack on
a Threat the MN or the CN. The latter case where the attacker sends
A malicious node or virus could keep sending fake BUs to any a BU to both the MN and the CN is considered to be an MITM
CN, the MN itself or the HA, at a very rapid rate and thereby attack, where the attacker could possibly alter the contents
create unnecessary state at the Mobile IPv6 node. of the traffic.
36 information security technical report 12 (2007) 32–43
3.3.2.2. Sending spoofed BAs. 3.3.3.2. Tempering with the HA binding cache.
a Threat a Threat
Being able to passively monitor the traffic and learning about A malicious node on the home subnet can send a binding up-
the CNs the MN is communicating with and to which it is date to the HA for an MN with false parameters, including
sending BUs also poses the threat of allowing the attacker to a lifetime set to zero.
synchronize with the MN, such that when MN sends a BU
the attacker would reply to MN with a spoofed BA, different b Effect
than the true BA it would receive from the CN (Status, Lifetime This latter attack described will thereby lead the HA into be-
or Refresh fields). lieving that the MN has returned to its home network and
hence does not need a binding to some COA. This will thereby
b Effect result in causing the binding cache entry for the mobile to be
This attack can result in (1) MN sends unnecessary BU’s (sub- deleted.
ject to rate limiting of sending BU’s) or (2) MN does not send
a BU that is necessary. As further effects of (2) unnecessary tri-
angular routing takes place or MN is not reachable at all, lead- 3.3.3.3. Sending spoofed BUs/BAs.
ing to a DoS effect.
a Threat
After intercepting BUs communicated between the HA and
3.3.2.3. BU flooding. A malicious node on the same link of the the MN, if the attacker was able to insert himself on the
MN or the CN could keep sending fake BUs to the CN, or the path between the HA and a CN communicating with the MN,
MN itself, at a very rapid rate and thereby create unnecessary it could start sending a spoofed BU packets the CN.
state at the Mobile IPv6 node. The threats and its effects are Being on the path between the HA and the CN, also allows the
the same as those described in subsection 3.3.1.3. attacker to simply monitor the traffic and learning about the
3.3.3. Threats presented by attackers located in the same CNs the MN is communicating with and to which it is sending
subnet/link as the HA BUs. This passive monitoring again poses the threat of allowing
An attacker on the same subnet of the mobile node’s home the attacker to synchronize with the MN, such that when MN
agent does not require additional information about the MN’s sends a BU the attacker would reply to MN with a spoofed BA,
home address, in addition to a relatively easy chance in the different than the true BA it would receive from the CN.
finding any CN which the MN may be communicating with.
This poses multiple drastic threats, which are detailed below. b Effect
This attack of sending spoofed BUs can lead to the changing
Scenario 2 Attacker monitors the HA and the MN communi- the route of packets from CN to MN, which is classified as
cating with it a DoS attack on the MN or the CN.
The latter case can be exploited by the attacker in sends a BU
An MN frequently communicates with its HA. A malicious to the CN and BA to the MN, which is considered to be an
node/attacker on the same subnet/link of the HA can be mon- MITM attack, where the attacker could possibly alter the
itoring this communication. This case can be considered of contents of the traffic. Another use is to simply prevent the
the most dangerous, since the malicious node would not MN–CN communication, which falls under the DoS attack
need any information about the MN’s home address before category.
it starts mounting its attacks.
in the IPv6 header (Perkins, 2004). However, an attacker can these requirements, and thus are of no less importance. These
simply spoof the home address option in packets sent to goals are described below.
a CN causing the CN to swap the source address with the ad-
dress contained in the home address option. This causes the 4.2. Mobile IPv6 security goals (Perkins, 2004)
CN to become a packet reflector in attacks on nodes whose ad-
dresses may be known. Using the CN as a packet reflector
would allow the attacker to mount a distributed denial-of-service A. Securing binding updates.
(DDoS) attack, while to hide itself, which makes it harder to B. Securing mobile prefix and dynamic home agent discovery.
successfully shut down the attack in the absence of knowl- C. Securing the mechanisms that Mobile IPv6 uses for trans-
edge about its origin. porting data packets.
Obtaining information about the home address of an MN
would also expose the structure of the operator’s network, A number of security solutions were developed to meet the
which is not desirable. It would also allow an attacker to deter- above goals and requirements. The following section presents
mine the routers acting as home agents and mount DoS at- an overview of the main security solutions.
tacks or other types of attacks on these routers and thereby
cause these routers to be unable to forward packets to MNs
that they are intended to serve. 5. Mobile IPv6 security solutions
The security vulnerabilities and threats discussed above
were the motive for a number of goals for the developed Mo- This section describes the evolution of Mobile IPv6 security so-
bile IPv6 security design. These goals and other general secu- lutions. The focus of the majority of solutions is mostly on the
rity requirements will be presented in the following section. authentication of binding updates.
is used to encapsulate IP packets. As a result, two kinds of SA encrypted, and a hash is used to authenticate the message
are defined: tunnel and transport. If the path to protect has in and provide liveliness proof.
its ends an SG then tunnel mode must be used. Transport
mode can only be used when communicating host to host. 5.1.3. IPsec and IKE uses in Mobile IPv6
It is necessary that hosts support both modes while SGs sup- In the initial design of Mobile IPv6, the straightforward secu-
port only tunnel mode (however an SG can be configured as rity solution was to use the IPsec protocol suite, which is
a host, for that purpose must support the two modes as well). a mandatory part of IPv6, along with IKE in the establishment
Each SA defines the algorithms for encryption, authentica- of secure channels for Mobile IPv6 communications.
tion, hash and key exchange (attributes) for protecting a partic- Currently, IPsec is used in protecting messages exchanged
ular path. How these security attributes are communicated between the mobile node and the home agent, and no new
from one end to the other is maintained and established by security mechanism exists for this purpose. The use of the
other specialized protocols, such as ISAKMP, OAKLEY, SKEME, mandatory IPsec authentication header (AH) and the encapsu-
or a combination of them such as IKE, which is described in fol- lating security payload (ESP) and a key management mecha-
lowing subsection. nism help to ensure the integrity of the binding update
messages between the MN and the HA.
5.1.2. Overview of IKE To prevent the MN from sending a binding update for an-
Internet Key Exchange (IKE) establishes a secure framework other mobile node using its association, the home agent also
for the distribution of public keys. In addition, it defines how verifies that the binding update message contains the correct
those keys will be generated. This combines ISAKMP (a proto- HoA, either as the source of the packet or in an optional field at
col to establish a framework authentication and key ex- end of the packet. Such a check is provided in the IPsec
change), Oakley (which describes a series of key exchange processing, by having the security policy database entries
defining in detail the services provided by them), and SKEME unequivocally identify a single security association for pro-
(a key exchange technique that provides anonymity, reputa- tecting binding updates between any given home address
bility, and quick key refreshment). IKE’s main objective is to and the HA. In order to make this possible, it is necessary
‘‘obtain authenticated keying material for use with ISAKMP, that the HoA of the mobile node is visible in either the BU or
and for other SAs such as AH and ESP’’ (Harkins and Carrel, the BA. The home address is used in these packets as a source
1998). So, after an IKE negotiation the parties involved can or destination, or in the home address destination option of
use the keying material to establish different SAs. the packets (Perkins, 2004; Cladera et al., 2000).
IKE’s main functionality consists of two phases: In Phase 1, Automatic key management with IKE may be supported as
the two peers involved in the communication establish the well in securing the MN–HA communications. When IKE is
ISAKMP SA. During Phase 2, the SAs are negotiated on behalf used, either the security policy database entries or the Mobile
of services such as IPsec, or any other service that needs key IPv6 processing relies on the unequivocal identification of the
material and/or parameter negotiation. Phase 1 can be accom- IKE Phase 1 credentials which can be used to authorize the
plished either in Main mode or Aggressive mode. The basic creation of security associations for protecting binding up-
difference between them is that Main mode provides identity dates for a particular HoA. These mappings may be main-
protection, while Aggressive mode does not. Phase 2 is per- tained, as a locally administered table in the home agent. If
formed with Quick mode. An additional mode, New Group the Phase 1 identity is a Fully Qualified Domain Name
mode, is used to change the group for future negotiations (FQDN), secure forms of DNS may also be used (Perkins,
(used for Diffie Hellman exchange during Phase 1). The 2004; Harkins and Carrel, 1998).
ISAKMP SA is bidirectional that is to say that once Phase 1 is However, the biggest security vulnerability of MIPv6, as dis-
finished, both parties can initiate Quick mode. The attributes cussed earlier, is the authentication and authorizing of binding
defined by the SA are the encryption algorithm, hash algo- updates sent from the mobile nodes to the correspondents. In
rithm, authentication method, and the group for the Diffie solving this problem, the straightforward application of stan-
Hellman (DH) exchange. dard Internet security protocols, namely IPsec and IKE, proved
Main mode consists of the exchange of three sets of two to have multiple shortcomings (Aura, 2006), which are dis-
messages: the first pair negotiates the security attributes in or- cussed in the following section.
der to form the SA; the second set exchanges the DH public pa-
rameters and identities; and the third pair authenticates the 5.1.4. Shortcomings
DH exchange. In Aggressive mode, the first two messages ne- The obvious solution to the BU spoofing is to authenticate the
gotiate policy as well as exchange DH public values and iden- binding updates exchanged between HA and MN, and MN and
tities. The third message authenticates the responder. The CNs. A typical authentication system would use a suite of
last message authenticates the sender and provides proof of strong cryptographic authentication protocols and a certifica-
participation. For both modes the authentication can be ac- tion infrastructure, such as IPsec and IKE. The problem is that
complished with any of the four following methods: digital the authentication needs to work between any MN and any
signature, public key encryption, revised mode of public key correspondent in the Internet (mobile or not). No infrastruc-
encryption and pre-shared key (Harkins and Carrel, 1998; ture-based solution currently exists that could be used to au-
Cladera et al., 2000). thenticate all IPv6 nodes. Neither is it realistic to suggest
Quick mode is not a complete exchange by itself – it de- creating such a service for the needs of Mobile IPv6 (Aura,
pends on Phase 1. It is part of the SA used to generate keying 2006). This means that using the conventional authentication
material for other non-ISAKMP SAs. All payloads are mechanisms, such that of IPsec/IKE would confine the Mobile
information security technical report 12 (2007) 32–43 39
One of the main research directions in finding alternatives to the mobile via a secure tunnel. The mobile then uses the se-
conventional application of standard infrastructure-based secu- cret to compute a message authentication code for the binding
rity protocols, described in the previous subsection, is to de- update (message 3). This mechanism is called the return rout-
velop solutions that do not rely on an end-to-end global ability test for the home address (RR for HoA) because the mobile
infrastructure. Since these solutions do not require any spe- must return to the correspondent (a function of) a secret value
cial security infrastructure, they are called infrastructureless sent by the correspondent to the HoA. In effect, the correspon-
authentication. Although their authentication has shown to dent verifies that the mobile is able to receive messages at the
be not necessarily as strong as that enabled by the infrastruc- home address.
ture-based IPsec/IKE in closed networks, it is, nevertheless, In the Mobile IPv6 standard terminology, message 2 is
better than no authentication (Aura, 2006). called the home test message (HoT) and the secret value is the
Moreover, what enables the applicability of an infrastruc- home keygen token. Messages 3 and 4 are simply the binding up-
tureless solution is that the security requirements for BU au- date (BU) and the binding acknowledgement (BA), respectively.
thentication are unusually weak. As mentioned earlier, one Although a number of shortcomings were found in both its
of the fundamental general security requirements stated in security performance and its QoS support, discussed in sub-
the IETF working group was that the Mobile IPv6 protocol sections 5.2.2 and 6.1, there are, nevertheless, strong argu-
should be at least as secure as the current non-mobile IPv4 Internet. ments in favor of the RR protocol design.
This means that a proposed solution need not be confined to First, the number of potential attackers and targets is dra-
designing a traditional strong security protocol. On the con- matically reduced. Without authentication, any Internet node
trary, the ambition was limited to making sure that Mobile could spoof binding updates to hijack connections between
IPv6 does not introduce any new major vulnerability to the any two Internet nodes. In this new protocol, the attacker
Internet, and was not to create a strong general-purpose au- must be on the route of the hijacked connection. There are
thentication protocol (Aura, 2006). typically only 10s or 100s of nodes on this route, including
In this context, a number of infrastructureless solutions both routers and hosts on the local networks of the end nodes.
were proposed, of which return routability (RR) was selected Compared with the situation where any malicious Internet
by the IETF to be now a part of the Mobile IPv6 suite, replacing node can mount an attack, it is much less likely that one of
IPsec/IKE in the authentication of binding updates to corre- this limited set of nodes would do so. The fewer and the
spondent nodes. more local the potential attack sources are, the easier it is
also to gain control of them if attacks sometimes occur. An-
5.2.1. Standard return routability protocol other way to explain the same idea is that a malicious Internet
Return routability authentication method is based on the fact node is able to target only the connections that pass though its
that routing in the Internet is semi-reliable. It is difficult for local network. For a typical attacker, such as a compromised
a remote attacker to change the route of packets that do not router or host, the number of such connections is small.
travel via the attacker’s network. Thus, in order to sniff or in- This reduction in the scale of the potential damage alone
tercept a packet, the attacker needs to be on its route. The first means that deployment of the Mobile IPv6 would no longer
version of the routing-based BU authentication protocol is be a danger to the Internet’s stability.
shown in Fig. 2. The idea is that, after the mobile initiates Second, the protocol fulfills the explicit design goal of being
the BU protocol (message 1), the correspondent sends a secret as secure as the current Internet without mobility. Assume
value as plaintext to the mobile’s home address (message 2). that the mobile node never leaves its home network and al-
The home agent intercepts the message and forwards it to ways communicates directly from the home address. In that
40 information security technical report 12 (2007) 32–43
case, an attacker on the route between the home address and Again, the exposure to on-path attacks corresponds to the
the correspondent can spoof, intercept and sniff packets be- objectives of the Mobile IPv6 security design. Flooding attacks
tween them, and it can execute all the same attacks that are initiated by an on-path attacker are already a threat in the
possible by exploiting the weaknesses of our BU authentica- non-mobile Internet: An on-path attacker could initiate, say,
tion protocol. Therefore, it is argued that the simple protocol a large file download from an FTP server on behalf of a victim
of Fig. 2 is sufficient for authenticating the sender of a binding if the attacker is on the path from the FTP server to the victim.
update. In this case, the attacker would probably do a TCP handshake
To summarize, the RR protocol protects against the spoof- using the victim’s IP address. As it is on-path, the attacker
ing of binding updates from the MN to the CN, except if the at- could hear the messages from the FTP server, and it could
tacker is located on the CN–HoA route or at the local network respond to them. The attacker would so learn the TCP Initial
of the CN, which is further discussed in the following subsec- Sequence Number, which it needs to later spoof acknowledge-
tion. An attacker anywhere else in the Internet, for example, ments on behalf of its victim.
in the local network of the CoA, cannot spoof the binding With these above considerations, the care-of-address test
updates. inherent in the RR protocol can be still considered to be an ef-
fective limitation of flooding attacks to exactly those situa-
5.2.2. Shortcomings tions in which comparable flooding attacks are already
The RR protocol was found to have some shortcomings in both possible today. However, the limitation to on-path attacks
its security performance and QoS support. This subsection alone is insufficient to prevent a related style of attack that
mainly discusses the security shortcomings and gives an over- is called ‘‘space- and time-shift attacks’’. In these attacks,
all security evaluation of the RR protocol, while shortly men- the perpetrator taps the critical wire in order to obtain the se-
tions its shortcomings in supporting QoS. cret information it needs, and it then moves to a saver place
To analyze the security of the return routability protocol, and starts an attack from there. The attacker could also wait
one should evaluate its protection against the following two for a better point of time. It may even install a binding on
main types of attacks: impersonation attacks against a mobile behalf of a victim before the victim starts communicating.
node or a correspondent node, and flooding attacks against Mobile IPv6 requires mobile nodes to refresh active care-of-
third parties. address registrations in intervals of at most 7 min in an at-
Mobile IPv6 uses the home address as an identifier for a mo- tempt to mitigate the threat of space- and time-shift attacks.
bile node. Impersonation attacks are thus based on claiming To combat the previously discussed problems, a number of
ownership of another node’s IP address. The return routability improvements or optional alternatives have been suggested to
procedure has proved to able to prevent such attacks. How- the standard RR protocol. The primary driver between these
ever, if an attacker happens to be on the critical path (on the improvements is usually further reduction of signaling mes-
path from the correspondent node to a stationary victim or sages and latency, but other improvements such as better se-
from the correspondent node to the victim’s home agent), it curity have also been suggested.
can eavesdrop on the returning HoT message, and learn the
information that is necessary for spoofing the BU, leading to 5.3. Cross-layering security approach
its breaking of the protocol. The impersonator can produce
its own care-of-address Keygen Token by sending the victim’s As mentioned earlier, Mobile IPv6 nodes are also expected to
correspondent node a false CoA, which can eventually allow interact with several wireless environments. For wireless net-
the attacker to send an authenticated binding update message works, smart forwarding and processing of packets are critical
on behalf of the victim. for overcoming the effects of the wireless links, especially
However, the described susceptibility to attacks from the highly variable delay and error rates. Several studies have
routing path between two communicating nodes was not shown that techniques such as smart scheduling with respect
found to be an inconsistency with the design objective; to to the type of data being sent and regulation of TCP acknowl-
make the security of a mobile Internet as secure as the cur- edegment information, can greatly improve end-to-end per-
rent, non-mobile Internet. This is because an on-path attacker formance in a wireless network (Choi et al., 2005). However,
can already compromise the communications of two nodes these services cannot be provided if end-to-end encryption
today, and is accordingly able to block communications, or in- is used, such as in IPsec, because the information needed by
terfering by ingesting its own packets. these algorithms resides inside the portion of the packet
The similarity between the home address test and the that is encrypted, and can therefore not be used by mobile
care-of-address test belies the different purpose of these routers. This problem still remains to be one of the fundamen-
exchanges. While the former is to prevent impersonation tal obstacles against applying the end-to-end infrastructure-
attacks, the latter tackles the problem of flooding attacks by based IPsec security design for Mobile IPv6, even where
probing a mobile node’s presence at a new care-of address. applicable, which motivated the search for alternative solu-
As with the home address test, a number of care-of-address tions, such as the return routability protocol, described in
test scenarios can be found where the care-of-address test the previous section.
has no effect. Namely, it cannot protect against attackers Another research direction exists, which instead of provid-
that are on the path between the victim and the correspondent ing a restricted infrastructureless solution that aims to replace
node at which traffic is to be redirected. In this scenario, the IPsec/IKE where it fails, this direction aims to find solution
attacker can perform a care-of-address test on behalf of the that modifies IPsec/IKE in a way so that so that certain por-
victim further down the path. tions of the datagram may be exposed to intermediate
information security technical report 12 (2007) 32–43 41
network elements, enabling these elements to provide perfor- each handoff. To enable Mobile IPv6 registration messages
mance enhancements (Choi et al., 2005). This approach is gen- to be received by the CN when an IPsec tunnel is in place be-
erally called cross-layering (Aune, 2004). tween the MH and HA, an additional routing entry is added
in the MH and the fact that route selection chooses the route
5.3.1. Mobile multi-layered IPsec having the longest prefix match among multiple matched en-
The need to have nodes inside the network examine packet tries is leveraged. When an agent advertisement is received by
payloads to perform smart packet processing or perform an MH, it adds a route entry for the CN. The new route entry
packet classification is in direct conflict with the current Inter- specifies the CN address as the gateway for all packets des-
net model of security implemented by the IPsec protocol suite tined to the CN. After adding this route, the Mobile IP registra-
(Choi et al., 2005). As described earlier, IPsec supports a variety tion message addressed to the CN will match the new route,
of operational modes including packet authentication, packet and therefore be sent directly to the CN, instead of using the
encryption, or both. In the most secure mode, tunnel mode, old entry through which packets are encrypted. The above fig-
the entire IP packet is encrypted and encapsulated with ure depicts the integration model between MML-IPsec and
a new IP packet header. Therefore, intermediate nodes in Mobile IPv6.
the network do not have access to the original IP header infor-
mation, nor the information contained in any of the transport 5.3.2. Key management
layer or application layer protocols. This precludes the net- While ML-IPsec (Zhang and Singh, 2000) was a promising
work from performing smart packet processing and packet start, it has limitations and several unknowns. First, it re-
classification to improve end-to-end performance. quires that SAs (secret keys, algorithms, parameters, etc.) be
A flexible solution to this problem is defined in the Multi-lay- established between multiple elements for a single data ses-
ered IPsec (ML-IPsec) protocol (Choi et al., 2005). This protocol al- sion. This requires an efficient key distribution algorithm
lows a user to define zones within an IP packet. Each zone is which has yet to be defined. Second, mobility is not sup-
encrypted and authenticated with its own security association. ported. The mobility requires that new SAs be established
Each zone may be accessed (decrypted) by different network el- as a mobile host moves during a data session. These modifica-
ements. This requires SAs to be established between a client tions must be performed quickly so that sessions are not dis-
and several nodes in a network, each of which can decrypt rupted during a handoff. Thus, it becomes more complex in
a certain portion of the IP packet while being unable to view supporting mobility, particularly with Mobile IP (Choi et al.,
the entire packet. In this way, portions of a datagram may be 2005) because in the MML-IPsec system, the huge number of
encrypted end-to-end, while portions may be read and oper- SAs would due to the nature of data applications expected
ated upon by network elements providing performance en- to be operated.
hancements. However, the ML-IPsec, as defined in (Zhang As previously discussed, IKE supports key distribution and
and Singh, 2000) and extended in (Zhang, 2006), is designed mutual authentication between two nodes but requires exten-
for static environments and does not deal with mobility. sions to support the multiple SAs used in ML-IPsec and is not
An initial version of ML-IPsec was extended in (Choi et al., suitable for mobility. An efficient method of key distribution
2005) to deal with mobility and make it suitable for wireless and authentication between a home network, security server
networks. A suite of protocols was created, which combines in a foreign network, and a mobile host is presented. However,
the simplified version of ML-IPsec, and an efficient key distri- this work does not address the distribution of multiple keys re-
bution protocol for initializing secure wireless sessions and quired for an ML-IPsec, does not account for mobility, and does
two protocols for managing mobility for these secure sessions. not provide any implementation or performance insights.
This protocol suite is called Mobile ML-IPsec (MML-IPsec) (Choi To solve these problems, efficient key distribution and
et al., 2005). mobility management schemes were proposed in (Choi
et al., 2005) for MML-IPsec integrated with Mobile IP. The paper
5.3.1.1. Mobility support. An integration model is proposed in includes procedures for session initialization (ML-IKE) and
(Choi et al., 2005) to integrate Mobile IP and MML-IPsec (Fig. 3). mobility management. The goal is to enable fast handoffs
This model does not require changes to the client software, while maintaining MML-IPsec sessions. In the proposed
and does not require IPsec tunnels to be re-established after model, the nodes involved in the MML-IPsec session are the
MH, HA, and FA. The MH and HA have access to both zones
in the MML-IPsec packets; the FA serves as the intermediate
node and has access to the first zone of the packet containing
CN
the TCP/IP header. The key management protocols are re-
sponsible for establishing the required SAs between these
MN Internet HA nodes, and for enabling mobility.
the network where one of the end-points resides, removes (b) Measure or simulate the performance impacts of various
some of the existing threats (Arkko and Voght, 2004). suggested security schemes to the different parts of the
Yet, a security association alone does not suffice as an en- stack.
hanced security mechanism. General security associations (c) Measure implementation differences between systems
typically do not show that a node owns a specific IP address, based on the same specifications. It would be valuable to
a property that is desired in the case of route optimization know how much implementation differ with regards to,
to authenticate home addresses. Certificate technology, for in- for instance, the use of the parallelism that RFC 3775 al-
stance, usually does not track the correct IP address assign- lows in the home and correspondent registrations, the
ments of a large group of users. RR procedure, and transmission of packets before binding
Also, the validity of care-of addresses cannot be ensured by acknowledgements have arrived.
a security association alone. The security association must (d) Measure the effect of network conditions, such as packet
either be accompanied by a trust relationship, or care-of loss, and their effect to existing and new route optimiza-
addresses must be checked otherwise. This shows that en- tion mechanisms.
hancements to the security of route optimization are likely (e) Collect data about the behavior of mobile nodes in differ-
to employ Mobile IPv6 specific technology rather than gen- ent networks. Different route optimization mechanisms
eral-purpose security tools (Arkko and Voght, 2004). behave differently depending on what the frequency of
In addition to above, many research problems exist that movements is, or what payload traffic streams exist at
can be divided in the following classification. the different stages of the mobile node’s existence.
(f) Measure or simulate the performance of different route
optimization schemes under different application scenar-
6.1. Security ios, such as symmetric/asymmetric applications, only
rarely active mobile nodes, and so on.
In the following, some of the potential research directions for
new security schemes are listed.
(a) Most of the proposed security protocols for Mobile IPv6, in-
7. Conclusion
cluding the one in the standard, depend on the special re-
lationship between the home network and the mobile. It is
Information infrastructures are core to modern society safety
a completely open question, what kind of security mecha-
and prosperity. In particular, all critical infrastructure systems
nisms would be needed if the home agent did not trust the
have become tightly coupled with computing and communi-
information provided by the mobile.
cation systems. Secure and pervasive mobile computing and
(b) Finding care-of address verification mechanisms that em-
communication services are therefore required for the opera-
ploy lower layer assistance or secure Neighbor Discovery
tion and interactions with critical infrastructure systems. Mo-
(Arkko and Voght, 2004).
bile IP v6 is being considered to support such services. This
(c) Finding route optimization security mechanisms that do
paper surveys security aspects of Mobile IP v6. Mobile IPv6
not require a reconfiguration of the shared secret between
design exhibits critical security vulnerabilities that inhibit its
mobile node and its correspondent node (Perkins, 2006).
wide-scale adoption in future pervasive networks. A survey
(d) Developing adaptive out-of-band security mechanisms
of security vulnerabilities and a taxonomy of the main exist-
that are not specific to the deployment environment of
ing and proposed security solutions for MIPv6 were presented
a network operator.
in this paper. Generally, security solutions for MIPv6 are add-
(e) Extending the developed mechanisms to full multi-
on. The evaluation of these solutions in terms of security and
addressing, i.e., including also multi-homing.
efficiency remains unclear given the complex interdepen-
dencies in critical infrastructure systems and the rapidly
evolving nature of pervasive networking. We conjecture that
we need to avoid the pitfall of patched security and develop
6.2. Performance
the next generation of mobility protocols based on well-de-
fined secure architecture and protocol engineering process.
Other than finding adaptive mechanisms that are capable of
addressing the current gaps in MIPv6 security, the delay re-
quirements and implementation issues remain to among the references
main obstacles against any newly proposed scheme, which
still requires extensive research. More performance measure-
ments of security schemes of Mobile IPv6 are also highly Aura Tuomas. Designing the Mobile IPv6 security protocol.
needed, particularly ones that: Annals of Telecommunications (Special issue on network and
information systems security) March–April 2006;61(3–4).
Arkko Jari, Aura Tuomas, Kempf James. Securing IPv6 neighbor
(a) Measure a realistic network scenario, enabling all features
discovery and router discovery. In: Proc. 2002 ACM Workshop
that would likely be needed in commercial deployment.
on Wireless Security (WiSe). Atlanta, GA, USA: ACM Press;
These features include link-layer access control, for September 2002. p. 77–86.
instance. Similarly, it is necessary to include support for Arkko J, Voght C. A taxonomy and analysis of enhancements to
already specified optimizations. mobile, Internet draft, October 2004.
information security technical report 12 (2007) 32–43 43
Aune Frank. Cross-layer design tutorial. Technical report. Kent S, Atkinson R. IP Encapsulating security payload (ESP), RFC
Norwegian University of Science and Technology, Electronics 4303, IETF, December 2005.
and Telecommunications Department; November 2004. Mankin Allison, Patil Basavaraj, Harkins Dan. Threat models
Cladera Jose, De-Niz Dionisio, Nakagawa Junichi. Performance introduced by Mobile IPv6 and requirements for security in
analysis of IPsec and IKE For Mobile IP on wireless Mobile IPv6, Internet draft, IETF, November 2001.
environments. Technical Report. Information Networking Perkins C. Mobility support in IPv6, RFC 3775, IETF, June 2004.
Institute, Carnegie Mellon University; 2000. Perkins C, Securing Mobile IPv6 route optimization using a static
Choi H, Song Hui, Cao Guohong. Mobile multi-layered IPsec, IEEE shared key, RFC 4449, IETF, June 2006.
INFOCOM, March 2005. Sudanthi Sudha. Mobile IPv6, GSEC Version 1.4b, 17 Jan 2003,
Harkins D, Carrel D. The Internet key exchange, RFC 2409, IETF, GSEC – SANS security essentials certified graduates.
November 1998. Zhang Y. Multi-layer protection scheme for IPSEC, Internet draft,
Kent S. Atkinson R. Security architecture for the Internet protocol, IETF, April 2006.
RFC 4301, IETF, December 2005. Zhang Y, Singh B. A multi-layer IPsec protocol. In: Proc. of nineth
Kent S. IP authentication header, RFC 4302, IETF, December 2005. USENIX security symposium, 2000.