
IPv4/v6 Mobility



  1. IPv4/v6 Mobility
     Youn-Hee Han, yhhan@kut.ac.kr
     Korea University of Technology and Education, Internet Computing Laboratory
     http://icl.kut.ac.kr

  2. Why IPv6 and Mobile IPv6: New Messages and Options of Mobile IPv6
     • New signalling messages related to binding management
       • Binding Update (BU)
       • Binding Acknowledgement (BAck)
       • Binding Refresh Request (BRR)
       • Binding Error (BE)
     • New signalling messages related to binding authentication
       • Home Test Init (HoTI)
       • Care-of Test Init (CoTI)
       • Home Test (HoT)
       • Care-of Test (CoT)
     • New Destination Option
       • Home Address Destination Option
     • New Routing Header Type
       • Routing Header Type 2
     KT Seminar

  3. Extension Header for Mobility-Related Signalling (p.80)
     • The total length of the Mobility Header is a multiple of 8 bytes
     • Figure: Mobility Header format. Payload Proto = IPPROTO_NONE; MH Type values: BRR 0, HoTI 1, CoTI 2, HoT 3, CoT 4, BU 5, BAck 6, BE 7

  4. Processing Mobility Headers
     • A receiving node MUST observe the following rules:
       1. MH Type MUST be one of {0, 1, …, 7}; otherwise, the node MUST discard the message and issue a BE (Binding Error) with status = 2
       2. Payload_Proto MUST be IPPROTO_NONE; otherwise, the node MUST discard the message and SHOULD send ICMP Parameter Problem (Code 0)
       3. The Checksum MUST be verified; otherwise, the node MUST silently discard the message
       4. Header Len MUST NOT be less than the length required; otherwise, the node MUST discard the message and SHOULD send ICMP Parameter Problem (Code 0)
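As an added illustration (not code from the slides), the following Python parses a Mobility Header, checks the pseudo-header checksum, and applies the four receiving rules above; the per-type minimum lengths and the protocol number 135 used in the pseudo-header follow RFC 3775/RFC 6275, and the addresses are constructed sample values.

```python
import struct

IPPROTO_NONE = 59    # "no next header": the value Payload Proto must carry
IPPROTO_MH = 135     # Mobility Header protocol number used in the pseudo-header
MH_TYPES = {0: "BRR", 1: "HoTI", 2: "CoTI", 3: "HoT", 4: "CoT", 5: "BU", 6: "BAck", 7: "BE"}
# Smallest legal Header Len (units of 8 octets, first 8 excluded) for each type.
MIN_HDR_LEN = {0: 0, 1: 1, 2: 1, 3: 2, 4: 2, 5: 1, 6: 1, 7: 2}

# Constructed sample addresses from the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_checksum(src, dst, next_hdr, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus the payload."""
    pseudo = src + dst + struct.pack("!I3xB", len(payload), next_hdr)
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_mh(mh_type, msg_data, payload_proto=IPPROTO_NONE, hdr_len=None):
    """Assemble a Mobility Header, padded to 8 octets, with a correct checksum."""
    body = msg_data + b"\x00" * (-(6 + len(msg_data)) % 8)
    if hdr_len is None:
        hdr_len = (6 + len(body)) // 8 - 1
    head = struct.pack("!BBBBH", payload_proto, hdr_len, mh_type, 0, 0) + body
    csum = ipv6_checksum(SRC, DST, IPPROTO_MH, head)
    return head[:4] + struct.pack("!H", csum) + head[6:]


def validate_mh(mh, src=SRC, dst=DST):
    """Apply the receiving rules; the returned string is the required action."""
    if len(mh) < 8:
        return "discard; ICMP Parameter Problem code 0"
    payload_proto, hdr_len, mh_type = struct.unpack("!BBB", mh[:3])
    if payload_proto != IPPROTO_NONE:                                   # rule 2
        return "discard; ICMP Parameter Problem code 0"
    if mh_type not in MH_TYPES:                                         # rule 1
        return "discard; send Binding Error status 2"
    if hdr_len < MIN_HDR_LEN[mh_type] or len(mh) < (hdr_len + 1) * 8:  # rule 4
        return "discard; ICMP Parameter Problem code 0"
    # rule 3: summing the header together with its own checksum field must give zero
    if ipv6_checksum(src, dst, IPPROTO_MH, mh[:(hdr_len + 1) * 8]) != 0:
        return "discard silently"
    return "accept " + MH_TYPES[mh_type]


# Constructed Home Test Init: 2 reserved bytes followed by an 8-byte Home Init Cookie.
HOTI = build_mh(1, b"\x00\x00" + bytes(range(8)))
```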

  5. Pad1 and PadN (p.97)
     • Figure: Pad1 and PadN option formats

  6. Pad1 and PadN
     • Padding example (figure)

  7. Binding Update (1/2)
     • Binds HoA & CoA
     • Lifetime
       • Indicates how long the CoA is to be associated with the MN's HoA
     • Sequence #
       • Enables a CN to put incoming BUs in proper chronological order
     • Four flags (p.83, 89)
       • A: MN wants to get a BAck (when set)
       • H: MN considers the recipient to be its HA (when set)
       • L: MN's HoA shares the same IID as its link-local address (when set)
         • The HA can then protect the MN's link-local address while the MN is not at home
       • K: MN has a (strong) security association with the recipient
     • CoA in the Source Address field (or in the Alternate CoA option)
     • HoA in the Home Address Destination Option (HAOpt)

  8. Binding Update (2/2)
     • Binds HoA & CoA
     • Possible options
       • Alternate CoA option (p.86, 96)
         • If the BU contains this option, the HA no longer uses the Source IP address as the CoA and instead uses the address supplied in this option
       • Binding Authorization Data option (p.89)

  9. Binding Acknowledgement
     • Acknowledges a Binding Update
     • Notifies the current status of the binding

  10. Binding Error
     • Used by the correspondent node to signal an error related to mobility

  11. Binding Refresh Request
     • Used by the correspondent node to request a mobile node's binding from the mobile node

  12. Home Test Init (HoTI)
     • Initiates Return Routability
     • Requests a home keygen token from a correspondent node
     • Carries the Home Init Cookie

  13. Care-of Test Init (CoTI)
     • Initiates Return Routability
     • Requests a care-of keygen token from a correspondent node
     • Carries the Care-of Init Cookie

  14. Home Test (HoT)
     • Responds to a HoTI
     • Provides the home keygen token
     • Carries the Home Init Cookie & Home Nonce Index

  15. Care-of Test (CoT)
     • Responds to a CoTI
     • Provides the care-of keygen token
     • Carries the Care-of Init Cookie & Care-of Nonce Index

  16. Home Address Destination Option (1/2)
     • Home Address Destination Option
       • Carried within BU messages and in packets sent by the MN to a CN
       • Carries the Home Address to inform the recipient (CN) of that packet of the MN's home address
     • In every packet from the MN, the following are included:
       • CoA in the Source Address field
       • Home Address in the Home Address Destination Option
       • This makes mobility transparent to the upper layers
     • Ingress filtering (p.78)
       • The MN is not free to transmit packets with its Home Address in the Source Address field
     • Figure: option format, Option Type = 201 (0xC9), Option Length = 16 (0x10)

  17. Home Address Destination Option (1/2)
     • The meaning of the top 2 bits of the option type (p.72)
       • 00: skip over this option and continue processing the header
       • 01: discard the packet and take no further action
       • 10, 11: discard the packet and send an ICMP Parameter Problem message to the packet's source address
     • The meaning of the third bit of the option type (p.72)
       • 0: the option data is not mutable in transit
       • 1: the option data is mutable in transit
     • Figure: Option Type = 201 (0xC9, binary 11001001: top bits 11, third bit 0), Option Length = 16 (0x10)


  19. Type 2 Routing Header
     • Type 2 Routing Header
       • Carries the Home Address to inform the recipient of that packet of the mobile node's home address
     • In packets destined to the MN, the following are included:
       • CoA in the Destination Address field
       • Home Address in the Routing Header
       • This makes mobility transparent to the upper layers

  20. BU Processing & Intercepting Packets Destined to the MN (p.87)
     • Figure: the MN sends the initial Binding Update to the HA. The HA creates a Binding Cache Entry (MN's HoA = A, MN's CoA, H bit = 1, Lifetime = t) and then sends a Neighbor Advertisement (destination address FF02::1, R/S/O flags = 001, Target = HoA A) carrying a Target Link-Layer Address option with the HA's link-layer address.

  21. BU Processing & Intercepting Packets Destined to the MN
     • Figure: a node on the home link sends a Neighbor Solicitation for HoA A. The HA, holding the Binding Cache Entry (MN's HoA = A, MN's CoA, H bit = 1, Lifetime = t), answers with a Neighbor Advertisement (destination address is the address of the soliciting node, R/S/O flags = 011, Target = HoA A) carrying a Target Link-Layer Address option with the HA's link-layer address.

  22. BU Processing at CN
     • CN returns a BAck accepting the BU…
     • Figure: MN A, on Foreign Link A / Foreign Link B behind an AP, sends a BU to the CN. BU packet: MIPv6 header with Source Addr = MN A's CoA, Destination Addr = CN's Addr, Home Address Destination Option = MN A's Home Addr. BAck packet: MIPv6 header with Source Addr = CN's Addr, Destination Addr = MN A's CoA, Routing Header (Segments Left = 1) with Next Routing Addr = MN A's Home Addr. The CN records the binding in its Binding Cache.

  23. BU Processing at CN
     • CN returns a BAck rejecting the BU…
     • Figure: MN A, on Foreign Link A / Foreign Link B behind an AP, sends a BU to the CN. BU packet: MIPv6 header with Source Addr = MN A's CoA, Destination Addr = CN's Addr, Home Address Destination Option = MN A's Home Addr. BAck packet: MIPv6 header with Source Addr = CN's Addr, Destination Addr = MN A's CoA, Routing Header (Segments Left = 1) with Next Routing Addr = MN A's Home Addr.

  24. MN Returning Home
     1. The MN detects that it is on its home link using the movement detection algorithm
     2. The MN sends a (deregistration) BU to the HA
     3. The HA removes the proxy Neighbor Cache entry
     4. The HA sends a BAck
     5. The MN multicasts its own link-layer (MAC) address on its home link (Neighbor Advertisement)
     • Figure: deregistration BU. IPv6 header: Source Addr = MN A's Home Addr, Destination Addr = Home Agent's Addr; Home Address Destination Option = MN A's Home Addr; Binding Update: A bit = 1, H bit = 1, Lifetime = 0

  25. Return Routability
     • Return Routability
       • Background summary
         • It was developed to guarantee, more flexibly and more reliably, the security requirements (authentication, confidentiality, DoS resistance) that arise when an MN wants to inform a CN of its temporary location.
         • MIPv6 draft version 15 was about to become the de facto final version for the RFC, but it did not, because a security weakness in the binding update part was raised. Previously, IPsec was used to protect binding update messages; to use that method for strong authentication of binding updates, a global PKI (Public Key Infrastructure) would have to be built, which is neither feasible nor promoted in the current Internet.

  26. Return Routability
     • Return Routability
       • Security problems with the BU
         1. When the MN sends a BU message to the HA, an attacker can supply information (a different CoA) claiming that some MN is located somewhere other than where it actually is; if the HA accepts it, the MN no longer receives its packets, while another node receives packets it does not want.
            • If an attacker falsely advertises its CoA (Care-of Address), the CN sends every packet destined for the mobile node to the false CoA, which enables a DoS attack.
         2. When an attacker sends a BU message to the CN with its own address reported as the victim MN's HoA (in the Home Address destination option), if the CN accepts this false information, the packets the CN wants to send to the victim MN arrive at the attacker, threatening both availability and confidentiality.
         3. An attacker can replay an old BU message so that packets are delivered to the MN's previous location, preventing the MN from receiving them.

  27. Return Routability
     • Return Routability
       • Countermeasures for BU security
         • To prevent these attacks, when the MN sends a BU message to the HA the packet is protected with IPsec ESP (Encapsulating Security Payload); when the MN sends a BU message to a CN, the basic mechanism is RR: it verifies that the HoA and the CoA are reachable before the message is sent.
       • Summary of RR
         • When the MN wants to inform the CN of its temporary location, the MN sends a random value (cookie) that it generated to the CN over two paths (one via the HA, the other direct).
         • When the CN replies to each of the two messages that arrived over the two paths, it gives the MN different random values and nonces that the CN itself generated. Afterwards, using the exchanged random values and nonces, the MN and the CN generate a common session key, and with this key the CN authenticates the message in which the MN reports its temporary location.

  28. Why Return Routability?
     • Authentication for both BU and BA
       • Ver. 15 assumes that authentication of both BU and BA is based on IPsec.
       • "Authentication Data assuring the integrity of Binding Updates and Binding Acknowledgement MAY, in some cases, instead be supplied by other authentication mechanisms outside the scope of this document (e.g., IPsec [13])." [Mobile IPv6, Ver. 15, Section 4.4]
     • Not all CNs can have a strong security association (e.g., IPsec) with an MN
       • It is "not global scale"
     • It is required to develop a universal method for the authentication of both BU and BA
     • Solution: Return Routability (ver. 18)
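The exchange summarised on slides 27 and 28, as an added Python example that is not part of the slides: both sides of Return Routability, with the keygen-token, Kbm and BU-authenticator formulas taken from RFC 3775 section 5.2.5 (the slides describe them only generically). The home-agent path is simulated by a direct call; addresses, Kcn and nonces are constructed sample values, and the `home_token` override is a hypothetical knob used only to show that a BU built without the HoT token is refused.

```python
import hashlib
import hmac
import os


class CorrespondentNode:
    def __init__(self, addr):
        self.addr = addr
        self.kcn = os.urandom(20)          # CN's secret key; never sent to anyone
        self.nonces = {0: os.urandom(8)}   # nonce index -> nonce, rotated over time
        self.binding_cache = {}            # home address -> care-of address

    def keygen_token(self, addr, nonce_index, kind):
        """First 64 bits of HMAC_SHA1(Kcn, addr | nonce | kind); kind 0 = home, 1 = care-of."""
        msg = addr + self.nonces[nonce_index] + bytes([kind])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]

    def test(self, addr, cookie, kind):
        """Answer a HoTI (kind 0) or CoTI (kind 1): echo the cookie, add token and nonce index."""
        idx = max(self.nonces)
        return {"cookie": cookie, "nonce_index": idx, "token": self.keygen_token(addr, idx, kind)}

    def process_bu(self, bu, auth):
        """Rebuild Kbm from the nonce indices carried in the BU and verify the authenticator."""
        kbm = hashlib.sha1(self.keygen_token(bu["hoa"], bu["home_nonce_index"], 0)
                           + self.keygen_token(bu["coa"], bu["careof_nonce_index"], 1)).digest()
        mac = hmac.new(kbm, bu["coa"] + self.addr + bu["mh_data"], hashlib.sha1).digest()[:12]
        if not hmac.compare_digest(mac, auth):
            return False                   # BU rejected: no binding is installed
        self.binding_cache[bu["hoa"]] = bu["coa"]
        return True


class MobileNode:
    def __init__(self, hoa, coa):
        self.hoa, self.coa = hoa, coa

    def register_with(self, cn, seq, home_token=None):
        """HoTI/CoTI, Kbm derivation, authenticated BU (home_token is the hypothetical override)."""
        home_cookie, careof_cookie = os.urandom(8), os.urandom(8)
        hot = cn.test(self.hoa, home_cookie, 0)    # HoTI/HoT travel via the home agent
        cot = cn.test(self.coa, careof_cookie, 1)  # CoTI/CoT travel directly
        if hot["cookie"] != home_cookie or cot["cookie"] != careof_cookie:
            return False                          # not a reply to our exchange
        kbm = hashlib.sha1((home_token or hot["token"]) + cot["token"]).digest()  # SHA1(tokens)
        bu = {"hoa": self.hoa, "coa": self.coa, "home_nonce_index": hot["nonce_index"],
              "careof_nonce_index": cot["nonce_index"], "mh_data": seq.to_bytes(2, "big")}
        auth = hmac.new(kbm, self.coa + cn.addr + bu["mh_data"], hashlib.sha1).digest()[:12]
        return cn.process_bu(bu, auth)


# Constructed sample addresses (16-byte IPv6 addresses under the 2001:db8::/32 prefix).
CN_ADDR = bytes.fromhex("20010db8000000000000000000000001")
HOA = bytes.fromhex("20010db8000100000000000000000010")
COA = bytes.fromhex("20010db8000200000000000000000020")


def demo(home_token=None):
    """Returns (BU accepted?, CoA now held in the CN's binding cache for HOA)."""
    cn = CorrespondentNode(CN_ADDR)
    ok = MobileNode(HOA, COA).register_with(cn, 1, home_token)
    return ok, cn.binding_cache.get(HOA)
```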

  29. Attack using the Home Address Destination Option
     • DoS attack using the Home Address Destination Option
       • Hides the attacker's identity
     • Scenario (figure): the attacker sends the CN (reflector) a packet whose MIPv6 header has Source Addr = attacker's CoA, Destination Addr = CN addr, and Home Address Destination Option = victim's HoA; the CN's replies arrive at the victim as unexpected traffic.

  30. Attack using the Home Address Destination Option
     • Solution to the DoS attack using the Home Address Destination Option
       • The CN checks the validity of the home address
       • The CN MUST process the Home Address Destination Option if…
         • the CN retains a Binding Cache entry for the MN's home address, or
         • the CN retains an IPsec SA (Security Association) with the MN's home address
     • It is required to develop a scheme for defending against the DoS attack
       • Solution: if the CN does not have a correct Binding Cache entry corresponding to the HoA, the CN does not process the data packets and sends a Binding Error.

  31. How to Process Binding Error
     • Binding Error: sending packets while away from home
       • The CN does not have a Binding Cache entry for the sender
     • Figure: the MN sends an IPv6 packet with Source Addr = CoA, Destination Addr = CN addr, and Home Address Destination Option = Home Addr. The CN checks whether there is a Binding Cache entry; finding none, it returns a Binding Error with Source Addr = CN addr, Destination Addr = CoA, and Home Address field = Home Addr.

  32. Short Communication
     • Sending packets while away from home
       • For short-term communication (e.g., a DNS query)
     • Figure: the MN sends the DNS server a packet whose MIPv6 header shows only Source Addr = CoA and Destination Addr = CN addr.

  33. Conceptual Data Structure
     • Binding Cache
       • Cache of bindings for other nodes
       • Maintained by each IPv6 node for each of its IPv6 addresses
         • CNs, the HA, and
         • the HA on the link on which the MN's previous CoA is located
       • May be implemented in any manner
         • e.g., combined with the node's Destination Cache as maintained by Neighbor Discovery
         • Destination Cache: maps a destination IP address to the IP address of the next-hop neighbor
         • Search sequence: Binding Cache, then Destination Cache
     • Fields in a Binding Cache entry: Home Address (key value), CoA, Remaining Lifetime, Flag, Maximum value of SN, Recent usage info.

  34. Conceptual Data Structure
     • Fields in a Binding Cache Entry
       • Home Address: the search key. If the destination address of a packet matches a home address, the matching CoA SHOULD be used in routing that packet
       • CoA: the CoA for the MN indicated by the Home Address field in this Binding Cache entry
       • Remaining Lifetime: once the lifetime expires, the entry MUST be deleted from the Binding Cache
       • Flag: indicates whether or not this Binding Cache entry is a "home registration" entry
         • "home registration" entry: an entry in a node's Binding Cache for which the node is serving as a home agent
       • Maximum value of the SN: the value of the Sequence Number field received in the previous BU (8 bits long)
       • Recent usage information for this Binding Cache entry: used to implement the cache replacement policy, and to help determine whether a BR should be sent when the lifetime of this entry nears expiration

  35. Conceptual Data Structure
     • Binding Update List
       • A list recording information for each BU sent by this MN
         • whose Lifetime, as sent in that BU, has not yet expired
       • Maintained by each MN
       • For multiple BUs sent to the same destination address, the Binding Update List contains only the most recent BU (the one with the greatest Sequence Number value)
     • Fields in a Binding Update List entry: IP address (key value), Home Address, CoA, Initial value of Lifetime, Remaining lifetime, Maximum value of SN, The time of last BU sent, The state of retransmission, Flag

  36. Conceptual Data Structure
     • Fields in a Binding Update List Entry
       • IP Address: the IP address of the node to which a BU was sent
       • Home Address: the mobile node's home address
       • CoA: needed for the MN to determine whether it has already sent a BU giving its new CoA to this destination after changing its CoA
       • Initial value of lifetime: the initial value of the Lifetime field sent in the BU
       • Remaining lifetime: decremented until it reaches zero, at which time this entry MUST be deleted from the Binding Update List
       • Maximum value of SN: the maximum value of the Sequence Number field sent in previous BUs to this destination
       • The time of last BU sent: needed to implement the rate-limiting restriction on sending BUs
       • The state of retransmission: the time remaining until the next retransmission attempt for the Binding Update (exponential back-off)
       • Flag: indicates that future BUs should not be sent to this destination
         • The MN sets this flag in the Binding Update List entry when it receives an ICMP Parameter Problem, Code 1, error message in response to a BU sent to this destination

  37. Tunneling Intercepted Packets
     • In order to forward each intercepted packet to the MN, the HA MUST tunnel the packet to the MN using IPv6 encapsulation
     • When a HA encapsulates an intercepted packet…
     • When received by the MN, normal processing of the tunnel header will result in decapsulation and processing of the original packet by the MN
     • Figure: outer header Source = HA's Address, Destination = MN's Primary CoA; inner (original) header Source = CN's Address, Destination = MN's HoA

  38. Handling Reverse Tunneled Packets
     • Unless a binding has been established between the MN and the CN, traffic from the MN to the CN goes through a reverse tunnel
     • The tunneled traffic arrives at the HA using IPv6 encapsulation
       • The tunnel entry point is the primary CoA as registered with the HA
       • The tunnel exit point is the HA
     • Figure: outer header Source = MN's Primary CoA, Destination = HA's Address; inner (original) header Source = MN's HoA, Destination = CN's Address

  39. Why Reverse Tunneling?
     • Processing the HoA and reverse tunneling
       • If the MN directly sends data packets to a CN (without the help of the HA), but the CN does not have a correct Binding Cache entry corresponding to the HoA included in the packets:
     • Flow (figure):
       1. The CN discards the data packets
       2. The CN sends a Binding Error to the MN
       3. The MN sends a BU to the CN; for some time, the MN sends its packets through the reverse tunnel (via the Home Agent)
       4. Does the CN reject the BU?
          • YES: the MN continues to send packets through the reverse tunnel
          • NO: the MN sends packets directly to the CN

  40. Mobility is transparent above the IP layer: the packets to and from the MN (almost) always carry the Home Address.
     • Packets from MN to CN (figure: Home N/W with the HA, Foreign N/W with the AR and MN, CN across the Internet)
       • The MN sends the CN a packet with the CN's IP address as the destination address, the CoA as the source address, and the HoA in the Home Address Option
       • The CN receives the packet, extracts the HoA from the Home Address Option, puts the HoA in the source address field, and sends the packet to the upper layer for processing

  41. Mobility is transparent above the IP layer: the packets to and from the MN (almost) always carry the Home Address.
     • Packets from CN to MN (figure: Home N/W with the HA, Foreign N/W with the AR and MN, CN across the Internet)
       • The CN sends the MN a packet with the CN's IP address as the source address, the CoA as the destination address, and the HoA in the Routing Header
       • The MN receives the packet, extracts the HoA from the Routing Header, puts the HoA in the destination address field, and sends the packet to the upper layer for processing

  42. How to Process Routing Header Type 2
     • Packet delivery from CN to MN using a Type 2 Routing Header (figure: CN, AP, MN on Foreign Link A / Foreign Link B)
       • As sent by the CN: IPv6 header Source Addr = CN's Addr, Destination Addr = MN's CoA; Routing Header Type = 2, Segments Left = 1, Next Routing Addr = MN's Home Addr
       • After the MN processes the routing header (looping the packet back at the MN's CoA): Source Addr = CN's Addr, Destination Addr = MN's Home Addr; Routing Header Type = 2, Segments Left = 0, Next Routing Addr = MN's CoA

  43. Why Routing Header Type 2?
     • Problem of the Routing Header
       • A Routing Header can be used to go through a firewall
       • It is required to discriminate between the routing header for general usage and the routing header for mobility
     • Solution
       • In addition to Routing Header Type 0, add Routing Header Type 2
       • The firewall executes a different process for routing type 2
     • Figure: CN (attacker), Firewall, Web Server, MN (victim). Packet from the attacker to the Web Server: Src = attacker, Dst = Web server, Routing Header addr = victim, Segments Left = 1. Packet forwarded by the Web Server: Src = attacker, Dst = victim, Routing Header addr = Web Server, Segments Left = 0.
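Added Python example (not code from the slides) for slides 42 and 43: a border policy that treats Type 0 and Type 2 routing headers differently, and the mobile node's own Type 2 processing, which only loops a packet back when the header names the node's home address. Type 0 was later deprecated by RFC 5095; the packet model and all addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RoutingHeader:
    rh_type: int          # 0 = generic source routing, 2 = Mobile IPv6
    segments_left: int
    address: str          # the single address a Type 2 header carries


@dataclass
class Packet:
    src: str
    dst: str
    rh: Optional[RoutingHeader] = None


def firewall_filter(pkt):
    """Border policy: refuse Type 0 (generic source routing) and admit Type 2 only in
    the one shape Mobile IPv6 produces, namely exactly one segment left."""
    if pkt.rh is None:
        return "pass"
    if pkt.rh.rh_type == 2 and pkt.rh.segments_left == 1:
        return "pass"
    return "drop: routing header type %d, segments left %d" % (pkt.rh.rh_type, pkt.rh.segments_left)


def mn_process(pkt, home_addr, coa):
    """Routing Header Type 2 handling at the mobile node (the loop-back on slide 42)."""
    rh = pkt.rh
    if rh is None or rh.segments_left == 0:
        return "deliver", pkt                                   # nothing left to route
    if rh.rh_type != 2:
        return "discard: not a mobility routing header", pkt
    if rh.segments_left != 1:
        return "discard: ICMP Parameter Problem, Segments Left must be 1", pkt
    if pkt.dst != coa or rh.address != home_addr:
        return "discard: routing header does not name our own home address", pkt
    # Swap: the home address becomes the destination the upper layer sees, and the
    # care-of address moves into the header with Segments Left = 0.
    looped = Packet(src=pkt.src, dst=home_addr, rh=RoutingHeader(2, 0, coa))
    return "deliver", looped
```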

  44. Home Address Option
     • Home Address Option processing
       • The Home Address destination option is used in a packet sent by an MN while away from home, to inform the recipient of that packet of the MN's home address
     • Figure: the MN on Foreign Link A / Foreign Link B (behind an AP) sends a packet whose MIPv6 header has Source Addr = CoA, Destination Addr = CN Addr, and Home Address Destination Option = Home Addr

  45. How to Process the Home Address Dest. Option
     • Packet delivery from MN to CN using the Home Address Destination Option (figure)
       • Packet as sent by the MN: IPv6 header Source Addr = CoA, Destination Addr = CN addr; Home Address Destination Option = Home Addr
       • The CN checks that there is a Binding Cache entry
       • Packet as passed to the CN's transport layer: Source Addr = Home Addr, Destination Addr = CN addr; Home Address Destination Option = CoA (the two addresses are swapped)
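Added Python example (not code from the slides) tying together slides 30, 31, 33, 34 and 45: a correspondent node's Binding Cache with lifetime and sequence-number handling, and the receive path that either swaps the Home Address option with the source address or answers with a Binding Error (status 1, "unknown binding for Home Address destination option", per RFC 3775). The packet model and addresses are constructed; the IPsec-SA exception from slide 30 is modelled as a plain set of peers.

```python
from dataclasses import dataclass
from typing import Optional

BE_UNKNOWN_BINDING = 1   # Binding Error status: unknown binding for Home Address option


@dataclass
class Packet:
    src: str
    dst: str
    home_addr_opt: Optional[str] = None   # Home Address Destination Option, if present
    payload: str = ""


@dataclass
class BindingCacheEntry:
    coa: str
    expires_at: float      # absolute time at which the remaining lifetime reaches zero
    max_seq: int           # largest Sequence Number accepted so far
    home_registration: bool = False


class CorrespondentNode:
    def __init__(self, addr):
        self.addr = addr
        self.cache = {}           # HoA -> BindingCacheEntry
        self.ipsec_peers = set()  # HoAs with which an IPsec SA exists (slide 30 exception)

    def _lookup(self, hoa, now):
        entry = self.cache.get(hoa)
        if entry and entry.expires_at <= now:   # lifetime expired: entry MUST be deleted
            del self.cache[hoa]
            return None
        return entry

    def process_bu(self, hoa, coa, seq, lifetime, now):
        """Install or refresh a binding; a stale or replayed sequence number is refused."""
        entry = self._lookup(hoa, now)
        if entry and seq <= entry.max_seq:
            return "reject: sequence number not greater than cached maximum"
        if lifetime == 0:
            self.cache.pop(hoa, None)             # deregistration
            return "accept: binding removed"
        self.cache[hoa] = BindingCacheEntry(coa, now + lifetime, seq)
        return "accept: binding installed"

    def receive(self, pkt, now):
        """Deliver a packet to the upper layer, or answer it with a Binding Error."""
        if pkt.home_addr_opt is None:
            return "deliver", pkt                 # plain packet, e.g. a DNS query sent from the CoA
        hoa = pkt.home_addr_opt
        entry = self._lookup(hoa, now)
        if (entry is None or entry.coa != pkt.src) and hoa not in self.ipsec_peers:
            be = Packet(src=self.addr, dst=pkt.src, home_addr_opt=hoa,
                        payload="BE status %d" % BE_UNKNOWN_BINDING)
            return "binding_error", be
        # Swap the option and the Source Address: the transport layer sees the stable HoA.
        return "deliver", Packet(src=hoa, dst=pkt.dst, home_addr_opt=pkt.src, payload=pkt.payload)
```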
