Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Mobile IP Security Team : “WARRIORS” Anand Modh Chaitanya Chelamkuri Kinshuk Bansal Kshitij Shah Pramod Ramesh CMPE 209 SPRING 2008 AGENDA Mobile IP & Concepts. Mobil IP Packet Flow. Threats. Security. Mobile IP & Concepts Mobile IP is a protocol, developed by the Mobile IP Internet Engineering Task Force (IETF) working group. Mobile IP inform the network about the change in network attachment such that the Internet data packets will be delivered in a seamless way to the new point of attachment. The basic Mobile IP protocol permits mobile internetworking to be done on the network layer. Care-of Address is an address of a Foreign Agent with which the Mobile Node is registered. Need of Mobile IP Terminology – A home link is the link on which a specific node should be located; that is the link, which has been assigned the same network-prefix as the node’s IP address – A foreign link is any link other than a node’s home link – that is, any link whose networkprefix differs from that of the node’s IP address Introduction There are 3 functional entities where it is implemented: – Mobile Node – a node which can change its point-of-attachment to the Internet from one link to another while maintaining any ongoing communications and using its (permanent) IP home address – Home Agent – router with an interface on the mobile node’s home link, which: • Is informed by the mobile node about its current location, represented by its care-of-address • In some cases, advertises reachability to the network-prefix of the mobile node’s home address, thereby attracting IP packets that are destined to the mobile node’s home address • Intercepts packets destined to the mobile nodes home address and tunnels them to the mobile node’s current location, i.e. to the care-of-address Introduction Foreign Agent – a router on a mobile node’s foreign link which: – Assists the mobile node in informing its home agent of its current care-of address – In some cases, provides a care-of address and detunnels packets for the mobile node that have been tunneled by its home agent – Serves as default router for packets generated by the mobile node while connected to this foreign link INTERNET HA FA FA HA FA FAForeign Agent MN HAHome Agent MNMobile Node HA FA HA accepts or denies FA MN MN FA relays request to HA FA relay status to MN HA FA MN requests service MN CN Now if packets come addressed for MN will move through the tunnel shown. HA FA FA HA FA MN Mobile IP Packet Flow Tunneled Packet HAA FAA Src Dest 4 or 55 CNA MNHA Prot Src Dest … CNA MNHA Src Dest 2 HA FA 3 1 4 Original IP Packet: CNA MNHA Src MN … MNHA CNA Dest Src … Dest HAAHA address CN MNHA MN Home Address CNA CN Address FAA FA Address What is Tunneling A tunnel is a path followed by a fist packet while it is encapsulated within the payload portion of a second packet: Figure from J. D. Solomon. Mobile IP - The Internet Unplugged. Prentice-Hall, 1997 Threat 1 INSIDER ATTACKS This threat is due to the individuals who are suppose to be trustworthy. This attack is due to the disgruntled employee gaining access to the sensitive data and then forwarding it to a competitor. A survey suggests that twice as many attacks are due to insiders on corporate world. Security form Threat 1 By enforcing strict controls on who can access what data. Use of strong authentication of users and computers, eliminate plaintext username/password based etc . Encrypting all data transfer on an end to end basis between the source and the destination using various encryption algorithms. ATTACKER Attacker’s address Sayy.y.y.y HA FA Original Care of address Sayx.x.x.x Registration request: “The mobile node’s new care of address” is y.y.y.y MN Threat 2 Denial-of-service This threat prevents someone from getting useful work done by: – An attacker sends the tremendous number of packets to a host that brings the host’s CPU to its knees attempting to process all the packets. – An attacker interfaces with the packets that are flowing between two nodes. – In the case of mobile node, if an attacker send a request message to HA as his IP address as the care of address for a mobile node then: • Attacker will get a copy of packets. • Mobile will not get any packets. Security from Threat 2 The security to this threat is implemented by cryptographically strong authentication in all registration messages exchanged between mobile node and its home agent. Mobile IP allows the use of any authentication algorithm, bit all should support default “Keyed MD5”(Message-Digest) algorithm. Registration Request Fun(MD5) Message Digest Fun(MD5) Message Digest EQUAL ? MN HA Threat 3 Passive Eavesdropping This threat occurs when an attacks on someone else’s packets in order to learn the confidential information. Wireless networks are more vulnerable because in this the attacker need not physically be connected to the network. Security from Threat 3 Link- Layer Encryption. End-to-End Encryption. Link- Layer Encryption. In this the mobile node and the foreign agent encrypt all packets they exchange over the link. This technique is important when wireless LAN is in use. Areas of vulnerability CN HA FA MN End-toEnd Encryption. In this encryption and decryption is done at the ultimate source and destination. Data is protected irrespective of the medium used. End-to-End Encryption CN HA FA MN Threat 4 Session-Stealing In this an attacker waits for the legitimate node to authenticate itself and then takes over the session without realizing the mobile node about this. The attacker steals the session by sourcing packets that appear to come from the mobile node and intercepting packets destined for mobile node. Security from Threat 3 Link- Layer Encryption. End-to-End Encryption. Threat 5 Other Active Threats In this the attacker tries to connect to the network jack, find out the IP address and break into the other hosts on the network. HOW? 1. Attacker figures out the network prefixes assigned to the link- by listening the mob IP agent advertisements,by listening the packets and examine the source and destination IP address. 2. Then guessing the host number, which along with the network prefix, give him the IP address to use. 3. Then tries to break into the hosts on the network. Security from Threat 5 All network jacks must connect to a foreign agent that has been configured to enforce the policy with the R bit in its agent authentication. There must not be nay nodes whose sessions can be captured. – Remove non mobile nodes. – All nodes should use link encryption. ? ? ? ?