Defending Against Redirect Attacks in Mobile IP

Robert H. Deng, Jianying Zhou, Feng Bao
Labs for Information Technology, 21 Heng Mui Keng Terrace, Singapore 119613

Citation: DENG, Robert H.; ZHOU, Jianying; and BAO, Feng. Defending against redirect attacks in mobile IP. (2002). CCS '02: Proceedings of the 9th ACM Conference on Computer and Communications Security, November 18-22, Washington, DC. 59-67. DOI: https://doi.org/10.1145/586110.586120. Research Collection School Of Information Systems, Singapore Management University. Available at: https://ink.library.smu.edu.sg/sis_research/1100

ABSTRACT

The route optimization operation in Mobile IP Version 6 (MIPv6) allows direct routing from any correspondent node to any mobile node and thus eliminates the problem of "triangle routing" present in the base Mobile IP Version 4 (MIPv4) protocol. Route optimization, however, requires that a mobile node constantly inform its correspondent nodes about its new care-of addresses by sending them binding update messages. Unauthenticated or malicious binding updates open the door for intruders to perform redirect attacks, i.e., malicious acts which redirect traffic from correspondent nodes to locations chosen by intruders. How to protect binding update messages to defend against redirect attacks is a challenging problem given the open environment in which MIPv6 operates. In this paper, we first look at two solutions proposed by the IETF Mobile IP Working Group and point out their weaknesses. We then present a new protocol for securing binding update messages. We also show that our protocol achieves strong security and at the same time is highly scalable to widespread deployment.

Categories and Subject Descriptors
C.3.3 [Computer-Communication Networks]: General - security and protection.

General Terms
Design, Security.

Keywords
Authenticated key-exchange, mobile IP, mobile IP security, redirect attack, secure binding update.

1. INTRODUCTION

Mobile networking technologies, along with the proliferation of numerous portable and wireless devices, promise to change people's perceptions of the Internet. In mobile networking, communications activities are not disrupted when a user changes his/her device's point of attachment to the Internet - all the network reconnections occur automatically and transparently to the user.

In today's Internet, the Internet Protocol (IP) routes packets from source to destination according to the subnet prefix derived from the destination IP address by masking off some of the low-order bits. Thus, an IP address typically carries with it information that specifies the IP node's point of attachment to the Internet. As a mobile node roams in the Internet, it needs to change its IP address every time it moves to a new location. On the other hand, however, to maintain existing transport-layer connections as a mobile node moves from one place to another, it must keep its IP address the same; changing the IP address will cause the existing transport-layer connections to be disrupted and lost.

The above dilemma is solved in Mobile IP (MIP) by allowing a mobile node to be addressed by two IP addresses, a home address and a care-of address. The former is an IP address assigned to the mobile node within its subnet prefix on its home link, and the latter is a temporary address acquired by the mobile node while visiting a foreign link. The dual address mechanism in MIP allows packets to be routed to the mobile node regardless of its current point of attachment, and the movement of the mobile node away from its home link is transparent to transport and higher-layer protocols. MIP version 4 (MIPv4) was specified in [1] and the most recent specification for MIP version 6 (MIPv6) was published by the IETF Mobile IP Working Group in [2]. Mobility support in IPv6 is considered particularly important, since mobile devices are predicted to account for a significant fraction of the population of the Internet during the lifetime of IPv6.

MIPv6 shares many features with MIPv4 but there are several major differences. Among them is the support for "Route Optimization" as a built-in fundamental part of the MIPv6 protocol, rather than an after-thought added as an optional extension that may not be supported by all the nodes, as in MIPv4. The integration of route optimization functionality allows direct routing from any correspondent node to any mobile node, without needing to pass through the mobile node's home link and be forwarded by its home agent, and thus eliminates the problem of "triangle routing" present in MIPv4.

Route optimization in MIPv6 requires that the mobile node, its home agent and the correspondent node maintain a Binding Cache. A binding is the association of a mobile node's home address with a care-of address for that mobile node, along with the remaining lifetime of that association. A mobile node uses binding update messages to notify its correspondent node or its home agent of its current binding. Unfortunately, unauthenticated binding update messages provide intruders an easy means to launch "Redirect Attacks", i.e., malicious acts which redirect traffic from correspondent nodes to destinations chosen by intruders. Therefore, security of the binding update messages is of paramount importance for MIPv6 to meet its basic security requirements. An earlier IETF draft on MIPv6 was returned by the Internet Engineering Steering Group (IESG) to the Mobile IP Working Group due to concerns about the security and scalability of binding update messages [3].

The rest of the paper is organized as follows. In Section 2, we give a short overview of the operations in MIPv6, with emphasis on route optimization and binding update operations. We also detail the types of redirect attacks and state the security assumptions in MIPv6. In Section 3, we review two solutions proposed by the IETF Mobile IP Working Group for protecting binding update messages against redirect attacks and point out their security limitations. Section 4 is devoted to our new protocol and its analysis. Finally, Section 5 contains our concluding remarks.

CCS'02, November 18-22, 2002, Washington, DC, USA. Copyright 2002 ACM 1-58113-612-9/02/0011…$5.00.

2. OPERATION, REDIRECT ATTACKS AND SECURITY ASSUMPTIONS IN MOBILE IPV6

2.1 Mobile IPv6 Basic Operation

In MIPv6 [2], every mobile node has a home address, an IP address assigned to a mobile node within its home link. A mobile node is always addressable by its home address, whether it is currently attached to its home link or is away from home. While a mobile node is at home, packets addressed to its home address are routed using the normal IPv6 routing mechanisms in the same way as if the node were never mobile. Since the subnet prefix of a mobile node's home address is the subnet prefix of its home link, packets addressed to it will be routed to its home link.

dynamically learn and cache the mobile node's current binding. When sending a packet to the mobile node, a correspondent node checks its cached bindings for an entry for the packet's destination address. If a cached binding for this destination address is found, the node uses an IPv6 Routing Header [6] to route the packet to the mobile node by way of the care-of address indicated in this binding. If, instead, the correspondent node has no cached binding for this destination address, the node sends the packet normally (i.e., to the mobile node's home address with no routing header), and the packet is subsequently intercepted and tunneled to the mobile node by its home agent as described above.

[Figure 1. Basic operation in MIPv6. Elements shown: CN, Internet, MN, HA, Tunnel.]

2.2 Redirect Attacks

In the present paper we focus on redirect attacks and their countermeasures in MIPv6. We will not consider security issues such as data confidentiality, data integrity and user authentication, since they are beyond the scope of MIPv6 and can be provided, for example, by IPsec or layers above IP. We classify redirect attacks in MIPv6 into two categories, Session Hijacking and Malicious Mobile Node Flooding, as depicted in Figure 2.

[Figure 2. Elements shown: CN, CN2, MN1, MN2, Victim.]
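The correspondent-node side of Section 2.1, as an added example that is not code from the paper: a Binding Cache keyed by home address, the lookup that decides between a direct send to the home address and a routing-header send via the care-of address, and a binding update that only changes that decision after it passes a `verify` hook. The hook is an assumption standing in for whatever protection a deployment applies to binding updates; with the permissive default, any update that reaches the cache redirects the traffic, which is the exposure the paper addresses.

```python
"""Model of a MIPv6 correspondent node's Binding Cache (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Binding:
    care_of: str        # care-of address asserted by the last accepted update
    expires_at: float   # absolute time at which the binding lapses


@dataclass
class Routed:
    destination: str                 # address the packet is actually sent to
    routing_header: Optional[str]    # home address carried in the routing header, if any


class BindingCache:
    # `verify` is an assumed hook; the default accepts every update (the
    # unauthenticated situation the paper describes), so it can be swapped
    # for a real check without changing the lookup logic.
    def __init__(self, verify: Callable[[str, str], bool] = lambda home, coa: True):
        self._cache: Dict[str, Binding] = {}
        self._verify = verify

    def binding_update(self, home: str, care_of: str, lifetime: float, now: float) -> bool:
        """Apply a binding update; return True if it was accepted."""
        if not self._verify(home, care_of):
            return False                      # update dropped, cache unchanged
        if lifetime <= 0:
            self._cache.pop(home, None)       # MIPv6: zero lifetime deletes the binding
            return True
        self._cache[home] = Binding(care_of, now + lifetime)
        return True

    def route(self, dst: str, now: float) -> Routed:
        """Decide how a packet addressed to home address `dst` is sent."""
        b = self._cache.get(dst)
        if b is None or b.expires_at <= now:
            self._cache.pop(dst, None)        # expired entries are discarded on lookup
            return Routed(dst, None)          # no binding: send to the home address
        return Routed(b.care_of, dst)         # binding: via care-of address, routing header to home
```

Sample addresses in the test are constructed 2001:db8::/32 documentation values.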