Mobile IP Security
Team : “WARRIORS”
 Anand Modh
 Chaitanya Chelamkuri
 Kinshuk Bansal
 Kshitij Shah
 Pramod Ramesh
CMPE 209 SPRING 2008
AGENDA
 Mobile IP & Concepts.
 Mobile IP Packet Flow.
 Threats.
 Security.
Mobile IP & Concepts

Mobile IP is a protocol developed by the IETF (Internet
Engineering Task Force) Mobile IP working group.

Mobile IP informs the network about a change in network
attachment so that Internet data packets are delivered
seamlessly to the new point of attachment.

The basic Mobile IP protocol permits mobile internetworking
to be done on the network layer.

Care-of Address is an address of a Foreign Agent with which
the Mobile Node is registered.
Need of Mobile IP
 Terminology
– A home link is the link on which a specific node
should be located; that is, the link which has
been assigned the same network prefix as the
node’s IP address
– A foreign link is any link other than a node’s
home link; that is, any link whose network prefix differs from that of the node’s IP address
Introduction
 There are 3 functional entities where it is implemented:
– Mobile Node – a node which can change its point-of-attachment to
the Internet from one link to another while maintaining any
ongoing communications and using its (permanent) IP home
address
– Home Agent – router with an interface on the mobile node’s home
link, which:
• Is informed by the mobile node about its current location,
represented by its care-of-address
• In some cases, advertises reachability to the network-prefix of
the mobile node’s home address, thereby attracting IP packets
that are destined to the mobile node’s home address
• Intercepts packets destined to the mobile node’s home address
and tunnels them to the mobile node’s current location, i.e. to
the care-of address
Introduction
 Foreign Agent – a router on a mobile node’s
foreign link which:
– Assists the mobile node in informing its home agent of
its current care-of address
– In some cases, provides a care-of address and detunnels packets
for the mobile node that have been tunneled by its home agent
– Serves as default router for packets generated by the
mobile node while connected to this foreign link
[Figure: Mobile IP topology across the INTERNET, showing HA (Home Agent), FA (Foreign Agent) and MN (Mobile Node).]
[Figure: Registration sequence: MN requests service; FA relays request to HA; HA accepts or denies; FA relays status to MN.]
[Figure: With CN (Correspondent Node) added: now packets that come addressed for the MN move through the tunnel shown.]
Mobile IP Packet Flow
[Figure: packet flow between CN, HA, FA and MN (steps 1 to 4), with the packet headers below.]
Original IP Packet: Src CNA, Dest MNHA, …
Tunneled Packet (HA to FA): outer header Src HAA, Dest FAA, Prot 4 or 55; inner packet Src CNA, Dest MNHA, …
Packet from MN back to CN: Src MNHA, Dest CNA, …
Legend: HAA = HA address; MNHA = MN Home Address; CNA = CN Address; FAA = FA Address
What is Tunneling
 A tunnel is the path followed by a first packet while it is
encapsulated within the payload portion of a second
packet:
Figure from J. D. Solomon. Mobile IP - The Internet Unplugged. Prentice-Hall, 1997
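An added example (not from the slides or the cited book) that builds the tunneled packet shown in the Packet Flow slide and strips it again: the HA wraps the original packet (Src CNA, Dest MNHA) in an outer IPv4 header (Src HAA, Dest FAA, Prot 4, IP-in-IP) and the FA validates the outer header before handing the inner packet on. All addresses are constructed from documentation ranges.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4     # IP-in-IP encapsulation (RFC 2003): the "4" in the slide's Prot field
IPPROTO_MOBILE = 55  # Minimal encapsulation (RFC 2004): the "55" in the slide's Prot field

def ipv4_checksum(header: bytes) -> int:
    """One's-complement IPv4 header checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def addrs(pkt: bytes) -> tuple:
    """(Src, Dest, Prot) of an IPv4 packet: the three fields the slide's boxes show."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9]

def ha_encapsulate(original: bytes, haa: str, faa: str) -> bytes:
    """HA intercepts a packet for the MN's home address and tunnels it to the FA:
    outer Src HAA, Dest FAA, Prot 4; the original packet is the outer payload."""
    return ipv4_header(haa, faa, IPPROTO_IPIP, len(original)) + original

def fa_decapsulate(tunneled: bytes) -> bytes:
    """FA checks the outer header, strips it and delivers the original packet to the MN."""
    ihl = (tunneled[0] & 0x0F) * 4
    if ipv4_checksum(tunneled[:ihl]) != 0:
        raise ValueError("corrupt outer header")
    if tunneled[9] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    return tunneled[ihl:]

# Constructed addresses (documentation ranges), not taken from the slides
CNA, MNHA, HAA, FAA = "203.0.113.7", "192.0.2.50", "192.0.2.1", "198.51.100.1"

def demo() -> dict:
    payload = b"constructed UDP payload"
    original = ipv4_header(CNA, MNHA, 17, len(payload)) + payload  # CN -> MN home address
    tunneled = ha_encapsulate(original, HAA, FAA)                   # HA -> FA through the tunnel
    delivered = fa_decapsulate(tunneled)                             # FA -> MN
    return {"outer": addrs(tunneled), "inner": addrs(delivered), "intact": delivered == original}
```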
Threat 1 INSIDER ATTACKS
 This threat comes from individuals who are supposed to be
trustworthy.
 A typical case is a disgruntled employee gaining
access to sensitive data and then forwarding it to a
competitor.
 A survey suggests that twice as many attacks in the corporate
world are due to insiders.
Security from Threat 1
 By enforcing strict controls on who can access what data.
 Use of strong authentication of users and computers,
eliminating plaintext username/password schemes etc.
 Encrypting all data transfer on an end to end basis between
the source and the destination using various encryption
algorithms.
[Figure: ATTACKER at address y.y.y.y sends a Registration request to the HA claiming “the mobile node’s new care-of address is y.y.y.y”, while the MN’s original care-of address (via the FA) is x.x.x.x.]
Threat 2  Denial-of-service
 This threat prevents someone from getting useful work
done by:
– An attacker sending a tremendous number of packets to a host, which
brings the host’s CPU to its knees attempting to process all the
packets.
– An attacker interfering with the packets that are flowing between
two nodes.
– In the case of a mobile node, if an attacker sends a registration request to the
HA with his own IP address as the care-of address for the mobile node, then:
• The attacker gets a copy of the packets.
• The mobile node does not get any packets.
Security from Threat 2
 Security against this threat is implemented by cryptographically
strong authentication of all registration messages exchanged
between the mobile node and its home agent.
 Mobile IP allows the use of any authentication algorithm, but all
implementations must support the default “Keyed MD5” (Message-Digest)
algorithm.
[Figure: MN runs Fun(MD5) over the Registration Request to produce a Message Digest and sends both to the HA; HA runs Fun(MD5) over the received request and checks EQUAL? against the received digest.]
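An added example (not from the slides) of the check in the figure: the default RFC 2002 Mobile-Home authentication, keyed MD5 in “prefix+suffix” mode (MD5 over secret || message || secret), computed by the MN and verified by the HA. It also shows why this stops the Threat 2 registration forgery: rewriting the care-of address invalidates the digest. The shared secret, addresses and field layout are constructed for the example; later Mobile IP revisions (RFC 3344) replaced this construction with HMAC-MD5.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed shared secret of the MN<->HA mobility security association
SHARED_SECRET = b"example-shared-secret-not-a-real-key"

def build_request(home_addr: str, home_agent: str, care_of: str,
                  identification: int, lifetime: int = 1800) -> bytes:
    """Protection-less part of a Registration Request (RFC 2002 section 3.3):
    type(1)=1, flags(1), lifetime(2), home address(4), home agent(4),
    care-of address(4), identification(8). Identification is the field
    Mobile IP uses against replay of an otherwise valid request."""
    return struct.pack("!BBH4s4s4sQ", 1, 0, lifetime,
                       IPv4Address(home_addr).packed,
                       IPv4Address(home_agent).packed,
                       IPv4Address(care_of).packed,
                       identification)

def keyed_md5_authenticator(secret: bytes, message: bytes) -> bytes:
    """Fun(MD5) from the figure: MD5 over secret || message || secret."""
    return hashlib.md5(secret + message + secret).digest()

def home_agent_verify(secret: bytes, message: bytes, authenticator: bytes) -> bool:
    """The HA's EQUAL? step, using a constant-time comparison."""
    expected = keyed_md5_authenticator(secret, message)
    return hmac.compare_digest(expected, authenticator)

def rewrite_care_of(message: bytes, new_care_of: str) -> bytes:
    """Models the Threat 2 registration: the care-of address field (bytes 12..16)
    is replaced while the original authenticator is reused unchanged."""
    return message[:12] + IPv4Address(new_care_of).packed + message[16:]

def demo() -> tuple:
    # Constructed addresses from documentation ranges
    req = build_request("192.0.2.50", "192.0.2.1", "198.51.100.1", identification=0x1234)
    auth = keyed_md5_authenticator(SHARED_SECRET, req)
    genuine_ok = home_agent_verify(SHARED_SECRET, req, auth)
    forged = rewrite_care_of(req, "203.0.113.99")
    forged_ok = home_agent_verify(SHARED_SECRET, forged, auth)
    return genuine_ok, forged_ok
```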
Threat 3  Passive Eavesdropping
 This threat occurs when an attacker listens to someone else’s
packets in order to learn confidential information.
 Wireless networks are more vulnerable because here the
attacker need not be physically connected to the network.
Security from Threat 3
Link-Layer Encryption.
End-to-End Encryption.
Link-Layer Encryption.
 Here the mobile node and the foreign agent encrypt all
packets they exchange over the link.
 This technique is important when a wireless LAN is in use.
Areas of vulnerability
[Figure: the CN, HA, FA and MN path, marking where link-layer encryption protects the MN–FA link.]
End-to-End Encryption.
 Here encryption and decryption are done at the ultimate
source and destination.
 Data is protected irrespective of the medium used.
End-to-End Encryption
[Figure: the CN, HA, FA and MN path, with protection spanning the whole path between CN and MN.]
Threat 4  Session-Stealing
 Here an attacker waits for the legitimate node to
authenticate itself and then takes over the session without
the mobile node realizing it.
 The attacker steals the session by sourcing packets that
appear to come from the mobile node and intercepting
packets destined for the mobile node.
Security from Threat 4
Link-Layer Encryption.
End-to-End Encryption.
Threat 5  Other Active Threats
 Here the attacker tries to connect to a network jack,
find out an IP address to use and break into the other hosts on the
network.
HOW?
1. The attacker figures out the network prefixes assigned to the
link by listening to Mobile IP agent advertisements, or by
listening to packets and examining the source and
destination IP addresses.
2. Then guesses a host number which, along with the
network prefix, gives him an IP address to use.
3. Then tries to break into the hosts on the network.
Security from Threat 5
 All network jacks must connect to a foreign agent that has
been configured to enforce the policy with the R bit in its
agent advertisements (registration required).
 There must not be any nodes whose sessions can be
captured.
– Remove non-mobile nodes.
– All nodes should use link encryption.