Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)
James Kempf, Samita Chakrabarti, Erik Nordmark
draft-chakrabarti-mip6-bmip-01.txt
Monday March 7, 2005
Motivation
• Support deployments in which the Home Network Access Provider and the Mobility Service Provider are different providers
• Support deployments with only a loose trust relationship between the Serving Network Access Provider and the Mobility Service Provider
• Examples:
  • Enterprise networks
  • Hotspots with non-AAA-based network entry authorization
  • Maybe 90% of WLAN public access deployments in the US?
• Future deployment possibilities
  • Infrastructureless deployments
[Figure: Example: Universal Access Method (UAM). Entities: Mobile Node, AP (Access Point), AR, PAC (Public Access Control Gateway), Border Router, Access Network, Internet, credit card provider. Message flow as labelled in the diagram: Terminal initiates HTTP GET; PAC sends Redirect to Login Page; HTTP PUT sends credentials to PAC; PAC relays credentials to credit card provider; credit card provider sends authz decision to PAC; Authorization Decision! Internet Access! Original page displayed.]
Basic Problems Addressed
• No AAA "hook" during network access authentication to provision the Mobile Node with the Home Agent address and mobility service authorization credentials
  • EAP solutions such as draft-giaretta-mip6-authorization require AAA during network access authentication
• Tight trust lacking between Mobility Service Provider and Access Service Provider
  • DHCP solutions such as draft-ohba-mip6-boot require very high trust between networks for roaming support
• Home Network Access Service Provider uses AAA but is not also a Mobility Service Provider
What the Mobile Node Starts With
• A connection to the Internet on the serving (local) network, authenticated and authorized (or not) through any means, e.g. 802.1X, PANA, etc.
• The domain name of the Mobility Service Provider
• Credentials that let the Home Agent authenticate the Mobile Node and authorize it for mobility service during IKEv2:
  • NAI or similar non-topological identity
  • Certificate or preshared key if IKEv2 auth/authz is done with a certificate or preshared key
  • User name/password or other credentials if IKEv2 auth/authz is done using EAP
• Optional: certificate for the Home Agent, if it is not obtained during the DNS or IKE transaction
[Figure: The Protocol. Entities: Mobile Node, AP, AR, Border Router (Access Network), Local DNS Server (Access Network), Internet, Border Router (Mobility Service Provider), MSP DNS Server, MIP6 HA. Message flow as labelled in the diagram: DNS SRV Rqst (mip6, ipv6) from the Mobile Node to the Local DNS Server; DNS SRV Rqst forwarded to the MSP DNS Server (if not cached); DNS SRV Rply: HA Address; IKEv2 (+ EAP if required) between the Mobile Node and the MIP6 HA; ESP + MIP6 BU. Terminal now has Home Address and IPsec SAs.]
Security of BMIP Protocol
• Replies are matched to outstanding queries by the DNS message ID (RFC 1035)
  • This is only weak protection against spoofed or replayed replies: the ID is 16 bits, and a resolver accepts the first reply whose ID and question match
• Server to host data integrity and origin authentication provided by DNSSEC (RFC 2535, since superseded by RFC 4033-4035)
  • DNSSEC is not today widely deployed, but then neither is MIP6
  • For future DNS security, DNSSEC should be deployed
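The Mobile Node's side of the discovery exchange in the protocol figure, together with the message-ID and question check this slide relies on, as an added example that is not code from the draft or the deck. It builds the SRV query, validates a reply against it, extracts the SRV targets and their AAAA glue, and picks a Home Agent by RFC 2782 priority/weight. Assumptions: the query name `_mip6._ipv6.<MSP domain>` follows the convention later fixed in RFC 5026 and is taken to match the deck's "DNS SRV Rqst: mip6 ipv6"; the reply, host names and 2001:db8:: addresses are constructed, not captured.

```python
"""Client side of the BMIP home agent discovery step: build the DNS SRV query,
check that a reply really answers it (message ID and question, RFC 1035),
extract SRV targets plus AAAA glue, and pick one by RFC 2782 priority/weight.
Added example, not code from the draft; the _mip6._ipv6 label follows the later
RFC 5026 convention (assumed to match the deck); names/addresses are constructed."""
import random
import secrets
import socket
import struct

TYPE_SRV, TYPE_AAAA, CLASS_IN = 33, 28, 1

def encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_srv_query(msp_domain, msg_id=None):
    """Standard query, RD=1, question _mip6._ipv6.<msp_domain> IN SRV; (id, bytes)."""
    msg_id = secrets.randbelow(1 << 16) if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    question = encode_name(f"_mip6._ipv6.{msp_domain}") + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    return msg_id, header + question

def decode_name(msg, off):
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, end offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off if end is None else end

def parse_reply(reply, expected_id, qname):
    """(srv_records, aaaa_by_name); rejects a wrong ID, wrong question or non-zero RCODE."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != expected_id:
        raise ValueError("message ID mismatch: not a reply to our query")
    if not (flags & 0x8000) or (flags & 0x000F) != 0 or qd != 1:
        raise ValueError("not a successful response")
    name, off = decode_name(reply, 12)
    qtype, qclass = struct.unpack("!HH", reply[off:off + 4])
    off += 4
    if (name.lower(), qtype, qclass) != (qname.lower(), TYPE_SRV, CLASS_IN):
        raise ValueError("question section does not match our query")
    srv, aaaa = [], {}
    for _ in range(an + ns + ar):
        name, off = decode_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            prio, weight, port = struct.unpack("!HHH", reply[off:off + 6])
            target, _ = decode_name(reply, off + 6)  # pointers resolve in the whole message
            srv.append((prio, weight, port, target.lower()))
        elif rtype == TYPE_AAAA and rdlen == 16:
            aaaa[name.lower()] = socket.inet_ntop(socket.AF_INET6, reply[off:off + 16])
        off += rdlen
    return srv, aaaa

def select_target(srv, seed=None):
    """RFC 2782: lowest priority wins; within it a weighted random pick, zero-weight first."""
    rng = random.Random(seed)
    lowest = min(r[0] for r in srv)
    cands = sorted((r for r in srv if r[0] == lowest), key=lambda r: r[1] != 0)
    pick, acc = rng.randint(0, sum(r[1] for r in cands)), 0
    for r in cands:
        acc += r[1]
        if acc >= pick:
            return r

def constructed_reply(msg_id):
    """Constructed sample reply (not captured traffic): two equal-priority HAs, weights
    60/40, plus AAAA glue; 'ha2' names compress 'example.com' via a pointer to offset 24."""
    question = encode_name("_mip6._ipv6.example.com") + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 2, 0, 2)
    ha1, ha2, ptr_q = encode_name("ha1.example.com"), b"\x03ha2\xc0\x18", b"\xc0\x0c"
    rr = lambda name, rtype, rdata: name + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    answers = (rr(ptr_q, TYPE_SRV, struct.pack("!HHH", 10, 60, 500) + ha1)
               + rr(ptr_q, TYPE_SRV, struct.pack("!HHH", 10, 40, 500) + ha2))
    glue = (rr(ha1, TYPE_AAAA, socket.inet_pton(socket.AF_INET6, "2001:db8::1"))
            + rr(ha2, TYPE_AAAA, socket.inet_pton(socket.AF_INET6, "2001:db8::2")))
    return header + question + answers + glue

def discover_home_agent(msp_domain, reply, msg_id, seed=None):
    """Returns (target name, port, IPv6 address or None if no glue was returned)."""
    srv, aaaa = parse_reply(reply, msg_id, f"_mip6._ipv6.{msp_domain}")
    if not srv:
        raise ValueError("no SRV record for the MSP: cannot bootstrap")
    _prio, _weight, port, target = select_target(srv, seed)
    return target, port, aaaa.get(target)

if __name__ == "__main__":
    mid, _query = build_srv_query("example.com")
    print(discover_home_agent("example.com", constructed_reply(mid), mid))
```

The only thing standing between the Mobile Node and a forged Home Agent address here is the `rid != expected_id` comparison plus the question match, which is why the slide's recommendation to deploy DNSSEC matters: without it, an attacker who can guess or observe the 16-bit ID can hand the Mobile Node any HA address and let IKEv2 authentication be the last line of defence.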
Security of Home Agent Address
• Host to server authentication (and hence authorization) can be done by using DNS TSIG (RFC 2845)
  • Upside: only authorized hosts can get the address
  • Downside: requires the MSP DNS server to verify the signature on every SRV Rqst in real time (i.e. the record cannot be served from a local cache)
  • Downside: the address is unencrypted in transit, so any on-path observer, not only an active MiTM, can read it
• Confidentiality protection can be provided by encrypting the address before inserting it into DNS
  • Anybody can get the record, but only authorized users with keys can decrypt it
  • Draft in preparation for DNSEXT
• Assumption: these measures assume there is some utility in "hiding" the address in the first place, presumably to prevent DoS
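To make the TSIG downside concrete, here is an added example (not code from the draft, and not validated against a real name server) of the Mobile Node signing its SRV query with TSIG and the MSP DNS server verifying it, following the RFC 2845 digest layout but with the HMAC-SHA256 algorithm name of RFC 4635 instead of the original HMAC-MD5. The key name, shared secret and query are constructed. Every verification is a per-client HMAC over the full request plus a time-window check, which is exactly the work a caching resolver between the Mobile Node and the MSP cannot do on the MSP's behalf.

```python
"""TSIG (RFC 2845) on the BMIP SRV query, using the HMAC-SHA256 algorithm name
from RFC 4635: the Mobile Node signs its query and the MSP DNS server verifies
it, which is the per-query, uncacheable work the deck lists as the downside.
Added example, not from the draft; key name, secret and query are constructed."""
import hashlib
import hmac
import struct
import time

TYPE_TSIG, CLASS_ANY, ALG, MAC_LEN = 250, 255, "hmac-sha256.", 32

def wire_name(name):
    """Canonical wire form (lowercase, uncompressed) as RFC 2845 3.4.2 requires."""
    labels = name.lower().strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0):
    """TSIG RR fields covered by the MAC: name, class ANY, TTL 0, algorithm,
    time signed, fudge, error, other len (0) and other data (empty)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, 0))

def tsig_sign(msg, key_name, secret, now, fudge=300):
    """Append a TSIG RR to an unsigned request and bump ARCOUNT."""
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    mac = hmac.new(secret, msg + tsig_variables(key_name, now, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr

def tsig_verify(signed, key_name, secret, now):
    """Server side: locate the trailing TSIG RR (key and algorithm are known to
    the server, so its length is fixed; Other Data is empty in requests),
    rebuild the unsigned message with the original ID, recompute the MAC and
    enforce the time window. Returns True only if everything checks out."""
    kn, alg = wire_name(key_name), wire_name(ALG)
    fixed = len(alg) + 6 + 2 + 2 + MAC_LEN + 6
    start = len(signed) - (len(kn) + 10 + fixed)
    if start < 12 or signed[start:start + len(kn)].lower() != kn:
        return False
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", signed[start + len(kn):start + len(kn) + 10])
    rdata = signed[start + len(kn) + 10:]
    if (rtype, rclass, ttl, rdlen) != (TYPE_TSIG, CLASS_ANY, 0, fixed) or rdata[:len(alg)] != alg:
        return False
    p = len(alg)
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + MAC_LEN]
    orig_id, error, other_len = struct.unpack("!HHH", rdata[p + 10 + MAC_LEN:])
    if mac_size != MAC_LEN or other_len != 0 or abs(now - time_signed) > fudge:
        return False                       # malformed, or BADTIME (replay / clock skew)
    arcount = struct.unpack("!H", signed[10:12])[0]
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", arcount - 1) + signed[12:start])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

# Constructed unsigned SRV query for _mip6._ipv6.example.com (ID 0x4242, RD=1).
QUERY = (struct.pack("!HHHHHH", 0x4242, 0x0100, 1, 0, 0, 0)
         + wire_name("_mip6._ipv6.example.com") + struct.pack("!HH", 33, 1))
KEY_NAME, SECRET = "mn1.example.com.", b"constructed-shared-secret"   # not real key material

if __name__ == "__main__":
    signed = tsig_sign(QUERY, KEY_NAME, SECRET, int(time.time()))
    print("verifies:", tsig_verify(signed, KEY_NAME, SECRET, int(time.time())))
```

Note that the verifier rebuilds the message from the Original ID field, so a forwarder that rewrites the header ID does not break the signature; what it cannot do is answer from cache, because the reply must itself be signed under the same per-client key. The fudge window (300 s here) is the only replay bound TSIG gives: a captured query can be re-sent to the server within that window, which is acceptable for a read-only SRV lookup but is why the time check is not optional.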
DoS Attack on the Home Agent Address
• Address is in public DNS, anybody could snatch it!
• IKEv2 contains measures to slow down an attacker who gets it (the cookie exchange against floods of half-open exchanges)
• But...
• DoS is a problem with any solution (including manual configuration) that exposes the Home Agent address to users on the Internet
  • User goes rogue
  • Someone steals the address from a legitimate user
  • Distributed worm probing attack discovers the Home Agent
• Bottom line: "hiding" the address from unauthorized users only makes launching a DoS attack a little harder
Realistic DoS Mitigation Measures
• Overprovisioning: network connections and Home Agent server capacity are enough to handle any conceivable load
• Change Home Agent addresses aperiodically, especially if someone suspicious has their account revoked
• Provision Home Agents with:
  • Few users, to avoid inconveniencing lots of users when an attack occurs
  • Topologically widely separated subnets, to slow worm probing attacks