Add to collection(s) Add to saved
  1. Business
  2. Management

Application of Mobile IP and Proxy Mobile IP Security

advertisement 
ACP-WG I-06/IP-02
International Civil Aviation Organization
WORKING PAPER
Aeronautical Communication Panel
Working Group I – Internet Protocol Suite (IPS)
March 17-20, 2008
Montreal, Canada
Application
of
Mobile IP and Proxy Mobile IP
Security
Prepared by: Vic Patel and Tom McParland
SUMMARY
This paper summarizes the methods of security for IP layer mobility.
3/17/2008
1. INTRODUCTION
The IETF, WiMAX, 3GPP, and 3GPP2 standards development organizations (SDO)
have generally selected two approaches for mobility: Mobile IP [RFC 3344, RFC
3775] and Proxy Mobile IP [mip4-proxy-mode, proxymip6]. The interaction
between MIP and PMIP signaling entities is subject to various attacks [bu-attacks],
[RFC 4832]. This paper summarizes the methods of securing these approaches.
2. SECURITY OF MIP AND PMIP
2.1 Authentication of Signaling Messages
2.1.1 MIP Signaling Authentication
There two common approaches to securing MIP signaling:
a) IPsec [RFC 4301] and
b) the Authentication Protocol for Mobile IPv6 [RFC 4285].
For using IPsec with MIP, [RFC 3776] requires MNs and HAs to support the
Encapsulating Security Payload (ESP) [RFC 4303] in transport mode using a non-null
payload authentication algorithm.
[RFC 4285] defines a MIPv6-specific mobility message authentication option that can
be added to MIPv6 signaling messages.
2.1.2 PMIP Signaling Authentication
PMIP signaling is secured with IPsec. [proxymip6] requires MNs and HAs to
support ESP in transport mode as in the MIP case. Although IPsec is the mandatory
to implement security mechanism, [ proxymip6] states that additional documents may
specify alternative mechanisms.
2.2 Key Establishment
2.2.1 MIP Key Establishment and Entity Authentication
For MIP [RFC 3775] states that manual configuration of IPsec security associations
must be supported, and automated key management may be supported. Manual
configuration is generally not practical when large numbers of mobile nodes are
involved. [RFC 4877] describes the use of IKEv2 for dynamic keying.
Authentication and access control in access networks it is typically used with the
Extensible Authentication Protocol (EAP) [RFC 3748] and a backend Authentication,
Authorization, and Accounting (AAA) Server. EAP provides a basic request/response
protocol framework over which a specific authentication method, called an EAP
method, can run. Within EAP three entities are involved: the Supplicant (which is
the MN), the Authenticator (an entity in the access network), and the Authentication
Server (typically a AAA server in the home network). EAP between the MN and
Authenticator may operate over the access network link level protocol or in
conjunction with IKEv2 [eap-ikev2]. EAP between the Authenticator and AAA server
operates over RADIUS [RFC 2865] or DIAMETER [RFC 3588]. In cases where
there is a distinct home and visited network, the Authenticator may communicate with
a local or Proxy AAA server, which in turn communicates with Home AAA server.
In addition to authentication and key distribution, use of an AAA infrastructure
facilitates other configuration tasks, such as the MN and HA addresses. The
interaction with an AAA infrastructure for these tasks is referred to Mobile IPv6
bootstrapping [RFC 4640]. For MIP there are two scenarios for operation with an
AAA infrastructure. In the integrated scenario [bootstrapping-integrated],
authentication between the MN and HA is dependent on the network access
authentication process. Configuration parameters and keying material obtained
during network access authentication is used for subsequent mobility signaling. The
MN and HA interaction requires the HA to still interact with the AAA server. In the
split scenario [RFC 5026], the entire bootstrapping procedure is between the MN,
HA, and AAA server.
2.2.2 PMIP Key Establishment and Entity Authentication
For PMIP [ proxymip6] specifies that IKEv2 should be used to setup security
associations between the mobile access gateway and the local mobility anchor to
protect the Proxy Binding Update and Proxy Binding Acknowledgement messages.
The MAG and LMA can use any of the authentication mechanisms, as specified in
IKEv2, for mutual authentication.
For PMIP using an AAA infrastructure [dime-pmip6] specifies an interaction with the
AAA server similar to the MIPv6 integrated scenario.
4. REFERENCES
[bootstrapping-integrated]
K. Chowdhury, Ed., MIP6-bootstrapping for the Integrated
Scenario, draft-ietf-mip6-bootstrapping-integrated-05.txt,
June 2007
[bu-attack]
T.Aura and J. Arkko, MIPv6 BU Attacks and Defenses,
draft-aura-mipv6-bu-attack-01.txt, February 2002
[dime-pmip6]
J. Korhonen et al., Diameter Proxy Mobile IPv6 : Support for
Mobility Access Gateway and Local Mobility Anchor to
Diameter Server Interaction, draft-korhonen-dime-pmip6-03.txt
February 2008
[eap-ikev2]
H. Tschofenig et al., EAP-IKEv2 Method, draft-tschofenigeap-ikev2-15.txt, September 2007
[mip4-proxy-mode]
K. Leung et al., WiMAX Forum/3GPP2 Proxy Mobile IPv4,
draft-leung-mip4-proxy-mode-07.txt, February 2008
[netlmm-mip-interactions]
G. Giaretta, Ed., Interactions between PMIPv6 and MIPv6:
scenarios and related issues, draft-giaretta-netlmm-mipinteractions-02.txt, November 2007
[proxymip6]
D. Gundavelli, Ed., Proxy Mobile IPv6, draft-ietf-netlmmproxymip6-11.txt, February 2008
[RFC 2865]
C. Rigney et al., Remote dial-in user service (RADIUS),
RFC 2865, June 2000
[RFC 3344]
C. Perkins, Ed., IP Mobility Support for IPv4, RFC 3344,
August 2002
[RFC 3588]
P. Calhoun et al., Diameter in use, RFC 3588, September 2003
[RFC 3748]
B. Aboba et al., Extensible Authentication Protocol (EAP),
RFC 3748, June 2004
[RFC 3775]
D. Johnson et al., Mobility Support in IPv6, RFC 3775,
June 2004
[RFC 3776]
J. Arkko et al., Using IPsec to Protect Mobile IPv6 Signalling
Between Mobile Nodes and Home Agents, RFC 3776,
June 2004
[RFC 4285]
A. Patel et al., Authentication Protocol for Mobile IPv6,
RFC 4385 January 2006
[RFC 4301]
S. Kent and K. Seo, Security Architecture for the Internet
Protocol, RFC 4301, December, 2005
[RFC 4303]
S. Kent, IP Encapsulating Security Payload (ESP), RFC 4303
December 2005
[RFC 4382]
C. Vogt and J. Kempf, Security Threats to Network-Based
Localized Mobility Management (NETLMM), RFC 4382,
April, 2007
[RFC 4640]
A. Patel et al., Problem Statement for bootstrapping Mobile
IPv6, RFC 4640, September 2006
[RFC 4877]
V. Devarapalli and F. Dupont, Movile IPv6 Operation with
IKEv2 and the Revised IPsec Architecture, RFC 4877, April
2007
[RFC 5026]
G. Giaretta, Ed., Mobile IPv6 Bootstrapping in Split Scenario,
October 2007
Related documents
Medical Records Worksheet
Medical Records Worksheet
Supplementary Methods - Word file (23 KB )
Supplementary Methods - Word file (23 KB )
Network Protocols and Services
Network Protocols and Services
CS 2813 - Loyola College
CS 2813 - Loyola College
PPTX - Systems, software and technology
PPTX - Systems, software and technology
NW XI/PI Consultant SADDAM HUSSAIN shussain.sappo@gmail
NW XI/PI Consultant SADDAM HUSSAIN shussain.sappo@gmail
POLICIES and GUIDELINES - Stritch School of Medicine
POLICIES and GUIDELINES - Stritch School of Medicine
Chapter 11 HW
Chapter 11 HW
Download
advertisement