
Securing Home Agent List in MIP6


Presentation Transcript


  1. Securing Home Agent List in MIP6
     Sachin Dutta
     63rd IETF, Paris, 1-5 Aug 2005

  2. Problem Statement
     “The communication between various Home Agents on the Home Link is not secured in MIP6”
     As of now, the Home Agent List is vulnerable to these attacks, but as interaction between the Home Agents increases, there is a greater need to provide such security.

  3. Issue
     • The RFC does not even mandate sending the HA’s own global addresses in the DHAAD reply
     • In such a case, HA service is denied to all MNs on the link

  4. Problem: Is RA Necessary for HAL?
     • Currently the Home Agent List is populated based on RAs from other Home Agents on the link, but this approach has the following issues:
       • Issue #1: Neighbor confirmation or authentication is not done for a received RA, so any rogue node can populate the Home Agent List with non-existent and non-reachable entries. (No node is able to register with the HA.)
       • Issue #2: The frequency of RAs can be very high in MIP6 (30 ms) and is mainly useful for hosts. If multiple HAs exist on the link, each sending RAs at a high frequency, then a lot of unnecessary processing is required just to continuously update the Home Agent List (a CPU-intensive process).

  5. Solution 1: New Message for Interaction between Various HAs on the Link
     • A new secured message can be defined for signaling between the various HAs on the link. The trade-offs of this approach are:
     • Advantages
       • Addresses all issues
       • Easy to enhance for any future signaling between HA-HA
         • Like load distribution among HAs
         • Binding Cache transfer between various HAs
       • No dependency on any other protocol
     • Disadvantages
       • ???
     • Security of this new message
       • IPsec support for this new message can be considered
       • Any other existing implementations can be enhanced (???)

  6. Solution 2: Use SEND
     • Existing SEND or a modified SEND can be used. The trade-offs of this approach are:
     • Advantages
       • RFC already exists
     • Disadvantages
       • The second issue will not be resolved

  7. Solution 3: Perform NUD
     • On receiving an RA, ND adds the neighbor cache entry in the STALE state, but in MIP6 the Home Agent List is updated directly. A reachability check for the RA can be done before updating the HAL. The trade-offs of this approach are:
     • Advantages
       • Very simple
     • Disadvantages
       • May not resolve all of the issues

  8. Solution 4: Manual Configuration of HAL
     • Manually configure the Home Agent List. The trade-offs of this approach are:
     • Advantages
       • Resolves all issues (in this case, Section 7 of RFC 3775 may not be required)
       • No dependency on RA
     • Disadvantages
       • Scalability
       • The issue exists for future HA-HA signaling

  9. End
     • Questions?
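Slide 7's reachability check before a Home Agent List update, as an added example that is not from the presentation: candidates learned from RAs wait in a pending table until a solicited Neighbor Advertisement arrives, and only confirmed entries are offered in a DHAAD reply. The class and method names, the probe timeout and the pending-table cap are assumptions, and sending the Neighbor Solicitation itself is left to the caller.

```python
from dataclasses import dataclass, field

@dataclass
class HomeAgentList:
    probe_timeout: float = 3.0  # assumed: seconds allowed for the solicited reply
    max_pending: int = 16       # assumed: cap on unconfirmed candidates
    confirmed: dict = field(default_factory=dict)  # addr -> (preference, expiry)
    pending: dict = field(default_factory=dict)    # addr -> (pref, lifetime, deadline)

    def expire(self, now):
        """Drop candidates whose probe timed out and entries whose lifetime ran out."""
        self.pending = {a: e for a, e in self.pending.items() if e[2] >= now}
        self.confirmed = {a: e for a, e in self.confirmed.items() if e[1] > now}

    def on_ra(self, src, h_bit, preference, lifetime, now):
        """Handle an RA; return an address to probe with a Neighbor Solicitation, or None."""
        self.expire(now)
        if not h_bit or lifetime <= 0:
            return None  # nothing to admit; removal on lifetime 0 is out of scope here
        if src in self.confirmed:  # already proven reachable: refresh, no new probe
            self.confirmed[src] = (preference, now + lifetime)
            return None
        if src in self.pending or len(self.pending) >= self.max_pending:
            return None  # probe outstanding, or candidate table full
        self.pending[src] = (preference, lifetime, now + self.probe_timeout)
        return src

    def on_na(self, src, solicited, now):
        """Promote a candidate only on a solicited Neighbor Advertisement in time."""
        entry = self.pending.get(src)
        if entry is None or not solicited or now > entry[2]:
            return False
        del self.pending[src]
        self.confirmed[src] = (entry[0], now + entry[1])
        return True

    def dhaad_addresses(self, now):
        """Confirmed home agents only, highest preference first."""
        self.expire(now)
        ranked = sorted(self.confirmed.items(), key=lambda kv: -kv[1][0])
        return [addr for addr, _ in ranked]

if __name__ == "__main__":
    hal = HomeAgentList()
    # Constructed input: fe80::1 answers its probe, fe80::dead never does.
    for src, pref in (("fe80::1", 10), ("fe80::dead", 255)):
        hal.on_ra(src, True, pref, 1800, now=0.0)
    hal.on_na("fe80::1", solicited=True, now=1.0)
    print(hal.dhaad_addresses(now=4.0))
```

A reachability check is not authentication: any node that answers the probe is still admitted, which matches the slide's caveat that this option may not resolve all of the issues.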
