Mobile IPv6 Home Link Detection Mechanism Security considerations
draft-ebalard-mext-hld-security-00
| Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
|---|---|---|---|
| Author | Arnaud Ebalard | ||
| Last updated | 2009-04-30 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Expired | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
MIPv6 defines the concept of Home Network for a MN, in opposition to the foreign network where this entity may find itself. A ``Home Link Detection'' mechanism is also specified to allow the MN to detect when it is at home. MIPv6 specification mandates the use of IPsec for protecting main signaling traffic and also defines how IPsec can be used to protect data traffic between the MN and its HA. Even if optional, it is expected that many deployments of MIPv6 will use it by default for MN which may roam outside a trusted infrastructure (e.g. outside a mobile operator network). When a MN detects it is at home, it is expected to stop IPsec protection for data traffic exchanged with its Home Agent. That event is the result of the Home Return procedure, triggered by the Home Link Detection mechanism. This document discusses the possible threats and security impacts associated with the use of this insecure NDP-based mechanism as a trigger to drop IPsec protection of data traffic for the MN. It also provides some results on the implementation of the attacks against an existing MIPv6 module. Possible solutions are suggested.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)