
Mobile IPv6 Location Privacy Solutions UPDATE draft-irtf-mobopts-location-privacy-solutions-04.txt



  1. Mobile IPv6 Location Privacy Solutions UPDATE
     draft-irtf-mobopts-location-privacy-solutions-04.txt
     Ying Qiu, Fan Zhao, Rajeev Koodli

  2. Outline
     • Why Need Location Privacy?
     • How to Protect the Location Privacy?
     • Pseudo Home Address
     • Dynamic SPI
     • Home Binding Update
     • RR signaling
     • Correspondent Binding Update
     • What is different from original operation?
     Mobopts, IETF67, San Diego

  3. Analysis of Location Privacy in MIP6
     IP Address Location Privacy and Mobile IPv6: Problem Statement:
     • draft-ietf-mip6-location-privacy-ps-04.txt

  4. Pseudo Home Address
     pHoA Requirements:
     • Secure
     • Routable
     • Dynamic
     pHoA = Prefix_m || Enc(Kph_i, interface ID)
     Kph_i = HMAC_SHA1(Kph, IPsec sequence number)
     where Kph is the symmetric key shared between MN and HA, and Prefix_m is one of the home network prefixes
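The pHoA derivation above, worked through on both ends, as an added example that is not part of the slides or the draft. The slides do not name the cipher behind Enc, so this example assumes a keystream XOR with First(64, HMAC_SHA1(Kph_i, 'pHoA')); the encoding of the IPsec sequence number as a 32-bit big-endian integer, the function names and the sample addresses are also assumptions.

```python
import hashlib
import hmac
import ipaddress


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def kph_i(kph: bytes, ipsec_seq: int) -> bytes:
    """Kph_i = HMAC_SHA1(Kph, IPsec sequence number).
    The sequence number is encoded as a 32-bit big-endian integer (assumption)."""
    return hmac_sha1(kph, ipsec_seq.to_bytes(4, "big"))


def enc_iid(key_i: bytes, iid: bytes) -> bytes:
    """Enc(Kph_i, interface ID) over the 64-bit IID.
    The slides do not name the cipher; assumption here: XOR with
    First(64, HMAC_SHA1(Kph_i, 'pHoA')). Kph_i changes with every IPsec
    sequence number, which ESP never reuses within one SA, so the keystream
    is never reused. XOR is its own inverse, so the same call decrypts."""
    keystream = hmac_sha1(key_i, b"pHoA")[:8]
    return bytes(a ^ b for a, b in zip(iid, keystream))


def pseudo_home_address(prefix_m: str, hoa: str, kph: bytes, ipsec_seq: int) -> str:
    """MN side: pHoA = Prefix_m || Enc(Kph_i, interface ID of the real HoA)."""
    net = ipaddress.IPv6Network(prefix_m)
    if net.prefixlen != 64:
        raise ValueError("Prefix_m must be a /64 home network prefix")
    iid = ipaddress.IPv6Address(hoa).packed[8:]
    enc = enc_iid(kph_i(kph, ipsec_seq), iid)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + enc))


def recover_home_address(phoa: str, home_prefix: str, kph: bytes, ipsec_seq: int) -> str:
    """HA side: decrypt the IID of a received pHoA with the same Kph_i (derived from
    the ESP sequence number of that packet) and re-attach the real home prefix."""
    packed = ipaddress.IPv6Address(phoa).packed
    iid = enc_iid(kph_i(kph, ipsec_seq), packed[8:])
    prefix = ipaddress.IPv6Network(home_prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix + iid))
```

The pHoA stays inside the home prefix (routable), differs for every sequence number (dynamic), and only a holder of Kph can map it back to the HoA (secure).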

  5. Dynamic SPI
     SPI update: after getting the BU and BA, the HA and the MN change their SPIs respectively, to protect against profiling attacks.
     new SPI = (the current SPI + SPI_increment)
     SPI_increment = First(8, HMAC_SHA1(Kph, the current SPI))
     If SPI_increment = 0, then set SPI_increment = 1
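The SPI update rule above, including the zero-increment case and the wrap at the end of the 32-bit SPI field, as an added example that is not part of the slides. Encoding the current SPI as a 32-bit big-endian integer for the HMAC input and wrapping the sum modulo 2^32 are assumptions; the function names are too.

```python
import hashlib
import hmac


def spi_increment(kph: bytes, current_spi: int) -> int:
    """SPI_increment = First(8, HMAC_SHA1(Kph, the current SPI)).
    First(8, x) is the leading 8 bits of x, i.e. the first digest byte. The SPI
    is fed in as a 32-bit big-endian integer (assumption). A zero increment is
    replaced by 1 so that the SPI always changes."""
    digest = hmac.new(kph, current_spi.to_bytes(4, "big"), hashlib.sha1).digest()
    return digest[0] or 1


def next_spi(kph: bytes, current_spi: int) -> int:
    """new SPI = current SPI + SPI_increment, wrapped to the 32-bit SPI field (assumption)."""
    return (current_spi + spi_increment(kph, current_spi)) & 0xFFFFFFFF


def spi_walk(kph: bytes, initial_spi: int, exchanges: int) -> list:
    """The SPI values in use across `exchanges` BU/BA exchanges. MN and HA both run
    this from the shared Kph and the SPI of the initial SA, so they stay in sync
    without ever signalling the new SPI. Every step is between 1 and 255."""
    spis = [initial_spi]
    for _ in range(exchanges):
        spis.append(next_spi(kph, spis[-1]))
    return spis
```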

  6. Home Binding Update
     Home Binding Update with IPsec Transport Mode (i)
     • BU message:
       IPv6 header: source = CoA, destination = HA
       Destination option header: Home Address option (pHoA)
       ESP header in transport mode (with dynamic SPI)
       Mobility header: Home Binding Update, Alternative CoA option (CoA)
     SA in Home Agent:
       SA_in (IN, spi_a', home_agent, ESP, TRANSPORT): source = home_address & destination = home_agent & proto = MH

  7. Home Binding Update
     Home Binding Update with IPsec Transport Mode (ii)
     • BA message:
       IPv6 header: source = HA, destination = CoA
       Destination option header: Home Address option (pHoA)
       ESP header in transport mode (with dynamic SPI)
       Mobility header: Home Binding Acknowledgement
     SA in Home Agent:
       SA_out (OUT, spi_b', home_address, ESP, TRANSPORT): source = home_agent & destination = home_address & proto = MH

  8. Home Binding Update
     Home Binding Update with IPsec Tunneling Mode
     • BU message:
       IPv6 header: source = CoA, destination = HA
       ESP header in Tunnel mode (with dynamic SPI)
         source = HoA, destination = HA
       Mobility header: Home Binding Update, Alternative CoA option (CoA)
     • BA message:
       IPv6 header: source = HA, destination = CoA
       ESP header in transport mode (with dynamic SPI)
         source = HA, destination = HoA
       Mobility header: Home Binding Acknowledgement

  9. RR signaling
     • CoTI/CoT: no change
     • HoTI in MN-HA path:
       IPv6 header: source = CoA, destination = HA
       ESP header in tunneling mode
         IPv6 header: source = pHoA, destination = CN
         Mobility header: HoTI
     • HoTI in HA-CN path:
       IPv6 header: source = pHoA, destination = CN
       Mobility header: HoTI

  10. RR signaling
      • HoT in CN-HA path:
        IPv6 header: source = CN, destination = pHoA
        Mobility header: HoT
      • HoT in HA-MN path:
        IPv6 header: source = HA, destination = CoA
        ESP header in tunneling mode
          IPv6 header: source = CN, destination = pHoA
          Mobility header: HoT

  11. Correspondent Binding Update
      BU message:
        IPv6 header: source = CoA, destination = CN
        Destination option: pHoA
        Mobility header: Seq#, home nonce index, care-of nonce index, Enc(Kbm, iHoA), First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | BU)))
      where
      • Kbm = SHA1(home keygen token | care-of keygen token); no change
      • home keygen token = First(64, HMAC_SHA1(Kcn, (pHoA | nonce | 0)))
      • care-of keygen token = First(64, HMAC_SHA1(Kcn, (CoA | nonce | 1))); no change
      • The identity address iHoA could be the real HoA or the first pHoA used when the session was established.

  12. What is different from original operation?
      CN side:
      Original RR | With additional option
      ------------+------------------------
      1) check the packet MUST contain a unicast routable home address | the same
      2) the Sequence Number field in the Binding Update is greater than the Sequence Number received in the previous valid Binding Update. | the same
      3) a Nonce Indices mobility option MUST be present | the same
      4) the correspondent node MUST re-generate the home keygen token and the care-of keygen token from the information contained in the packet. It then generates the binding management key Kbm and uses it to verify the authenticator field in the Binding Update | In the network i, we use the same pHoA_i in HoTI_i and BU_i messages, and CoTI and CoT as usual, so the new method can generate the valid Kbm and then pass the step.
      5) create/update the BU entry according to HoA | first decrypt the new item Enc(Kbm, iHoA), get the iHoA, then create/update the BU entry according to the iHoA.
      BINDING CACHE: pHoA | HoA | iHoA | CoA | Lifetime | Seq
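The Correspondent Binding Update of slide 11 and the CN-side checks 4 and 5 of slide 12, carried through in code as an added example that is not part of the slides or the draft. The slides do not fix the cipher behind Enc(Kbm, iHoA), so this example assumes a keystream XOR with First(128, HMAC_SHA1(Kbm, 'iHoA')); the byte layout of the BU fields, the nonce length, the function names and the sample addresses and keys are also assumptions.

```python
import hashlib
import hmac
import ipaddress

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed

def keygen_token(kcn: bytes, addr: str, nonce: bytes, tag: int) -> bytes:
    """First(64, HMAC_SHA1(Kcn, (addr | nonce | tag))): tag 0 with the pHoA gives the
    home keygen token, tag 1 with the CoA the (unchanged) care-of keygen token."""
    return hmac_sha1(kcn, packed(addr) + nonce + bytes([tag]))[:8]

def binding_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()

def enc_ihoa(kbm: bytes, ihoa: bytes) -> bytes:
    """Enc(Kbm, iHoA). The slides do not fix the cipher; assumption: XOR with
    First(128, HMAC_SHA1(Kbm, 'iHoA')). Kbm is fresh per nonce pair, so the keystream
    is not reused, and XOR is its own inverse."""
    keystream = hmac_sha1(kbm, b"iHoA")[:16]
    return bytes(a ^ b for a, b in zip(ihoa, keystream))

def authenticator(kbm: bytes, coa: str, cn: str, bu: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | BU)))."""
    return hmac_sha1(kbm, packed(coa) + packed(cn) + bu)[:12]

def mn_build_bu(kbm: bytes, coa: str, cn: str, ihoa: str, seq: int, hni: int, cni: int) -> bytes:
    """MN side. Constructed field layout: Seq# (2) | home nonce index (2) |
    care-of nonce index (2) | Enc(Kbm, iHoA) (16) | authenticator (12)."""
    body = seq.to_bytes(2, "big") + hni.to_bytes(2, "big") + cni.to_bytes(2, "big")
    body += enc_ihoa(kbm, packed(ihoa))
    return body + authenticator(kbm, coa, cn, body)

def cn_process_bu(kcn: bytes, nonces: dict, coa: str, cn: str, phoa: str, bu: bytes):
    """CN side, steps 4 and 5 of the comparison: regenerate both tokens from the packet
    (pHoA from the Destination option, CoA from the source address, nonce indices),
    derive Kbm, verify the authenticator, then decrypt iHoA, the binding cache key.
    Returns the iHoA, or None when the authenticator does not verify."""
    hni = int.from_bytes(bu[2:4], "big")
    cni = int.from_bytes(bu[4:6], "big")
    kbm = binding_key(keygen_token(kcn, phoa, nonces[hni], 0),
                      keygen_token(kcn, coa, nonces[cni], 1))
    body, auth = bu[:-12], bu[-12:]
    if not hmac.compare_digest(authenticator(kbm, coa, cn, body), auth):
        return None
    return str(ipaddress.IPv6Address(enc_ihoa(kbm, body[6:22])))
```

Because the same pHoA_i is used in HoTI_i and BU_i, the CN regenerates the same Kbm the MN derived from the HoT and CoT tokens; a BU carrying a different pHoA, or a modified field, fails the authenticator check before any binding is touched.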

  13. What is different from original operation?
      HA side:
      • Operation is almost the same as the original, but the key for searching the binding cache is the pHoA instead of the real HoA.
      BINDING CACHE: pHoA | HoA | CoA | Lifetime | Seq#
      MN side:
      • The additional operation is that the MN needs to generate a pHoA at every new location and store/update the pHoA in the binding update list.
      BINDING UPDATE LIST: pHoA | iHoA | CN | HoA | CoA | Lifetime | Seq#

  14. Q & A
      Thank You
