NEMO Working Group                                       Seongho Cho
   Internet Draft                                           Jongkeun Na
   Document: draft-cho-nemo-threat-                       Chongkwon Kim
   multihoming-00.txt                         Seoul National University
   Expires: August 4, 2004                                  Sungjin Lee
                                                          Hyunjeong Kang
                                                           Changhoi Koo
                                                    Samsung Electronics
                                                       February 4, 2004


                   Threat for Multi-homed Mobile Networks
                    draft-cho-nemo-threat-multihoming-00


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
        http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
        http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 4, 2004.


Abstract

   In mobile networks, the Mobile Router (MR) is the main operational
   entity. With multiple MRs, a mobile network can provide stable
   service, and various multi-homing scenarios already exist. However,
   because of mobility and the MR-HA relations, there are several
   security problems in multi-homed mobile networks. In this draft, we
   identify threats to multi-homed mobile networks and illustrate
   several scenarios of Denial-of-Service (DoS) attacks, redirection
   attacks, and replay attacks.



Cho, et al.             Expires - August 2004                [Page 1]


Internet Draft  Threat for Multi-homed Mobile Networks   February 2004



Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.

Table of Contents

   1. Multi-homing in Mobile Networks................................2
   2. Related Multi-homing Scenarios.................................3
   3. Denial-of-Service (DoS) Attacks................................3
   4. Redirection Attack.............................................4
      4.1 Redirection for Cryptographic Analysis.....................4
      4.2 Redirection for DoS Attack Stream..........................5
      4.3 Stream Redirection from the Attacker Node..................5
   5. Replay Attack..................................................5
   6. Other Kinds of Attacks.........................................6
   References........................................................7
   Acknowledgments...................................................7
   Authors' Addresses................................................7


1. Multi-homing in Mobile Networks

   The NEMO Basic Support Protocol [1] has been proposed to provide
   transparent mobility to the mobile network nodes (MNNs) that move
   together as a mobile network. Using the MR-HA bi-directional tunnel,
   the MR provides session mobility, continuity, and connectivity for
   all nodes in the mobile network as the network moves. Because the MR
   manages every session of the mobile network, the availability of the
   MR affects all sessions of the mobile network.

   However, this creates a fault tolerance problem. Concentrating all
   operation on a single MR means that a single failure can take the
   network down. Because the egress MR is responsible for the operation
   of all mobile nodes inside the subnet, a single MR failure can cause
   network service suspension. In particular, the availability of the
   egress channel or of the MR node affects session continuity and
   quality of service. Therefore, multiple MRs are required for large
   networks such as trains, buses, or airplanes. The other benefit of
   multi-homing is traffic load sharing through multiple MRs. Static and
   dynamic load sharing mechanisms are possible at both the HA level and
   the MR level.

   To support fault tolerance and load sharing, various types of multi-
   homed mobile networks have been considered in several drafts [2, 3,
   4]. The multi-homing concept can improve the performance of the
   mobile network, and multi-homing can bring several operational
   advantages, such as load balancing, network access cost optimization
   and optimal handover decisions. The specific benefits of multi-homing
   are described in the multi-homing issues draft [2].

   The NEMO threat analysis drafts [5, 6] treat threats to the NEMO
   basic support protocol. In this draft, we introduce several threats
   to multi-homed mobile networks and illustrate some attack scenarios
   against them.


2. Related Multi-homing Scenarios

   The multi-homing issues draft [2] treats various scenarios. Our
   concern, however, is NEMO-specific scenarios, which can differ from
   the site multi-homing model with multiple ISPs. Based on that draft,
   we describe the specific scope of multi-homed mobile networks that we
   consider, in terms of their configuration.

   Our main focus is multi-homed mobile networks with multiple Home
   Agents (HAs). In the notation of the multi-homing draft [2], these
   are the (1, N, 1), (N, N, 1), (1, N, N) and (N, N, N) cases. The
   current NEMO basic support protocol adds no messages to Mobile IPv6.
   However, in the presence of multiple HAs, the multi-homed mobile
   network can be insecure if the neighbor MR-HA information is not
   known. Especially in the (N, N, 1) and (N, N, N) cases, the multiple
   MR-HA relations can lead to severe security problems. In the
   S/mP-(N, N, 1) case in particular, a different ISP controls each HA
   and the HAs cannot share neighbor information, so tunnel recovery
   through the other MR is difficult. For load balancing or fault
   recovery, a binding update sent by the neighbor MR can be false if
   the neighbor MR-HA information is not available.

   In this draft, we focus on threats to multi-homed mobile networks
   with multiple HAs.


3. Denial-of-Service (DoS) Attacks

   In this section, we describe possible Denial-of-Service (DoS)
   attacks. Even though some of them are not NEMO-specific, these DoS
   attacks can be a preparation for another attack on the mobile
   network. Therefore, we briefly describe the possible DoS attacks.

   In mobile networks, the MR can be exposed to various DoS attacks.
   Because the MR is mobile, its access links are usually wireless
   channels, so simple channel jamming can make the service
   unavailable. Packet flooding of the MR can likewise make normal
   service unavailable to the mobile network. Apart from packet
   flooding, the MR maintains a binding update list and a home agent
   list. If malicious nodes keep updating binding information, or keep
   sending route optimization [7] requests to the correspondent node
   (CN), these data structures of the MR can overflow. Such DoS attacks
   can be classified as DoS attacks on the binding-related data
   structures of the MR. To prevent this kind of attack, a data
   structure should be updated only after the requesting node has been
   verified, and stale entries in the binding update list should be
   managed efficiently. Finally, a black hole attack can also be
   described as a DoS attack: if the egress MR does not forward packets
   to the destination, the flow is not served at all. This attack is
   very simple, but significant.

   Service unavailability of the MR, whether caused by a DoS attack or
   by MR failure, requires tunnel recovery to an alternative tunnel in
   multi-homed mobile networks.
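
   The following Python model is an added example, not code from this
   draft or from any NEMO implementation. It contrasts a binding update
   list that stores every update it receives with one that verifies the
   sender before allocating any state and evicts stale entries, using a
   flood of unauthenticated updates from spoofed addresses as the
   constructed input. The HMAC over (node, CoA, lifetime) with a key
   shared between MNN and MR stands in for the protocol's own
   authentication; the node names, addresses, keys and capacities are
   constructed for the example.

```python
"""Binding update list of an MR under a flooding DoS (added example).

Constructed model: every legitimate MNN shares a key with the MR and
authenticates its binding update with an HMAC over (node, CoA, lifetime);
the attacker has no key. The hardened list verifies the sender before it
allocates any state, is bounded in size, and expires stale entries.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class BindingEntry:
    node: str          # home address of the node that sent the update
    coa: str           # care-of address the node asked to bind
    expires_at: float  # absolute time after which the entry is stale


def update_mac(key, node, coa, lifetime):
    """Authenticator carried in a binding update (stand-in for the protocol's own)."""
    msg = "{}|{}|{}".format(node, coa, lifetime).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class NaiveBindingList:
    """Stores every update it receives, so a flood fills it before legitimate
    nodes get a chance; the `mac` argument is accepted but never checked."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}   # node -> BindingEntry
        self.dropped = 0

    def receive(self, node, coa, lifetime, mac, now):
        if node not in self.entries and len(self.entries) >= self.capacity:
            self.dropped += 1  # structure is full: legitimate updates are lost here
            return False
        self.entries[node] = BindingEntry(node, coa, now + lifetime)
        return True


class VerifiedBindingList(NaiveBindingList):
    """Verifies the requesting node before touching state, and evicts stale
    entries first so old bindings cannot hold the capacity hostage."""

    def __init__(self, capacity, keys):
        super().__init__(capacity)
        self.keys = keys      # node -> shared key (constructed for the example)
        self.rejected = 0

    def expire_stale(self, now):
        stale = [n for n, e in self.entries.items() if e.expires_at <= now]
        for n in stale:
            del self.entries[n]
        return len(stale)

    def receive(self, node, coa, lifetime, mac, now):
        self.expire_stale(now)
        key = self.keys.get(node)
        if key is None or not hmac.compare_digest(mac, update_mac(key, node, coa, lifetime)):
            self.rejected += 1  # unverified sender: no state allocated at all
            return False
        return super().receive(node, coa, lifetime, mac, now)


def simulate(flood_size=50, capacity=8):
    """Flood both lists from spoofed addresses, then let four legitimate MNNs
    register; returns counters describing what each list ended up with."""
    keys = {"mnn%d" % i: hashlib.sha256(("key%d" % i).encode()).digest() for i in range(4)}
    naive = NaiveBindingList(capacity)
    hardened = VerifiedBindingList(capacity, keys)
    now = 0.0
    for i in range(flood_size):               # attacker: bogus MAC, unique spoofed source
        for lst in (naive, hardened):
            lst.receive("spoof%d" % i, "2001:db8:bad::1", 600, b"\x00" * 32, now)
    accepted = {"naive": 0, "hardened": 0}
    for node, key in keys.items():            # legitimate, authenticated updates
        coa = "2001:db8:1::" + node[-1]
        mac = update_mac(key, node, coa, 300)
        accepted["naive"] += naive.receive(node, coa, 300, mac, now)
        accepted["hardened"] += hardened.receive(node, coa, 300, mac, now)
    expired = hardened.expire_stale(now + 301)   # lifetime passed: stale entries go
    return {
        "naive_accepted": accepted["naive"],
        "naive_size": len(naive.entries),
        "hardened_accepted": accepted["hardened"],
        "hardened_rejected": hardened.rejected,
        "hardened_expired": expired,
        "hardened_size_after_expiry": len(hardened.entries),
    }


if __name__ == "__main__":
    print(simulate())
```

   With the default parameters the naive list is filled entirely by the
   eight spoofed entries that arrive first and then refuses all four
   legitimate nodes, whereas the verified list rejects all fifty
   spoofed updates without storing anything, accepts the four
   legitimate ones, and releases them once their lifetime has passed.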


4. Redirection Attack

   Various types of redirection attack are possible in multi-homed
   mobile networks: redirection for cryptographic analysis, redirection
   of a DoS attack stream, and stream redirection from the attacker
   node. Each attack is described below.

                                               MR3
                   HA1             AR    MR1    _  |
                    _  |         |  _  |  _  |-|_|-|  _
                  -|_|-|  _____  |-|_|-|-|_|-|     |-|_|
                     |||-|     |-|     |------------>MNN1
            recovered ||  |Inter|        original flow
             tunnel  ||  | net |                     MNN2
                    _|||-|_____|-|  _  |  _  |        _
                  -|_|-|=========|-|_|-|-|_|-|  _  |-|_|
                       |recovered|     |     |-|_|-|  _
                   HA2   tunnel    AR   Fake       |-|_|
                                         MR    MR4
                                        ------------>MNN3
                                         redirection

                  Figure 1. Redirection Attack by Fake MR


4.1 Redirection for Cryptographic Analysis

   In the redirection for cryptographic analysis, the fake MR presents
   itself as an alternative MR of the multi-homed mobile network. After
   the fake MR takes over the tunnel that previously went to the
   primary MR, it can cause packets to be sent to the attacker. The
   attacker may then inspect or modify the payload, or apply
   cryptanalysis to find the secret key or decrypt the original data.
   In Figure 1, the fake MR can forward the original flow to MNN3,
   which is the attacker. The attacker node can then analyze the packet
   flows to break the security association between HA1 and MR1 or
   between HA_MNN1 and MNN1.


4.2 Redirection for DoS Attack Stream

   Redirected packets can be used as an attack flow against another MR
   or MNN. Through this attack, packets can overload an unrelated link,
   and the attacker may be able to hide its location and identity. In
   Figure 1, the fake MR can forward the original flow to MNN3, which
   is then a victim node. MNN3 suffers a DoS attack stream that appears
   to come from the CN of MNN1.


4.3 Stream Redirection from the Attacker Node

   Similarly, the fake MR can lead an MNN to accept the attacker's
   packets: unexpected packets can be delivered to the MNN by the
   redirection attack. In Figure 1, MNN3 can receive the attack stream
   through the fake MR, or MNN1 can receive an attack stream that comes
   not from the original CN but from the attacker. Of course, this case
   is not specific to multi-homed mobile networks.

   To prevent this kind of redirection attack, the existence of the
   neighbor egress MR should be identified and the MR should be
   authenticated; from this authentication, non-repudiation can be
   obtained. To support the authentication, an alternative MR
   registration mechanism is required, which in turn requires MR-HA
   communication and HA-HA communication. Through the MR-HA
   communication, the HA can register neighbor MR information, and
   through the HA-HA communication, the validity of a neighbor MR's
   binding update toward its own HA can be checked.


5. Replay Attack

   In mobile networks, the MR is mobile. Therefore, the neighbor
   information can become stale after the neighbor moves away. Using
   previous neighbor information, a malicious MR can send a binding
   update for a false CoA: the malicious MR may itself move elsewhere,
   or an MR that has already moved may be compromised for the replay
   attack. This attack can then be used for another redirection attack.
   In Figure 2, after the fake MR changes its point of attachment, it
   can send a Binding Update message to the wrong place using the
   previous neighbor information. In this case, redirection attacks
   similar to those in Section 4 are possible.



   To prevent the replay attack, the HA should keep the neighbor MR
   information, and the registration information should be updated
   whenever an MR moves or disappears. To keep the registration
   information safe, expiration by a TTL and explicit removal after
   detecting the neighbor MR's movement can be used. The neighbor MR's
   movement can be detected when the periodic ICMP Mobile Prefix
   Advertisement expires.


                                               MR3   MNN1
                   HA1             AR1   MR1    _  |
                    _  |         |  _  |  _  |-|_|-|  _
                  -|_|-|  _____  |-|_|-|-|_|-|     |-|_|
                       |-|     |-|     |     |
                         |     | |                   MNN2
                         |Inter|-|  _  |  _  |        _
                         | net | |-|_|-|-|_|-|  _  |-|_|
                         |     | | AR2 |Fake |-|_|-|  _
                    _  |-|     |         MR    MR4 |-|_|
                  -|_|-| |_____|-|  _                MNN3
                       |         |-|_|-
                   HA2           | AR3

                                   ||
                                  \||/
                                   \/

                                               MR3   MNN1
                   HA1             AR1   MR1    _  |
                    _  |         |  _  |  _  |-|_|-|  _
                  -|_|-|  _____  |-|_|-|-|_|-|     |-|_|
                     |||-|     |-|     |     |
                     ||  |     | |
               False ||  |Inter|-|  _
                 BU  ||  | net | |-|_|-
                     ||  |     | | AR2
                    _|||-|     |                     MNN2
                  -|_|-| |_____|-|  _  |  _  |        _
                       |=========|-|_|-|-|_|-|  _  |-|_|
                   HA2  False BU | AR3 |Fake |-|_|-|  _
                                         MR    MR4 |-|_|
                                                     MNN3
                  Figure 2. Replay Attack after Moving
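
   The following Python model is an added example for the alternative
   MR registration of Section 4.3 and the replay protection described
   in this section; it is not code from this draft or from any HA
   implementation. It assumes an HA keeps (a) the bindings of its own
   MRs, reported over MR-HA communication, and (b) neighbor MR records
   reported by its own MRs, which carry a TTL and are removed
   explicitly when the periodic Mobile Prefix Advertisement for that
   neighbor is missed; the HA-HA communication is modelled as a direct
   confirmation query between the two HA objects. The MR and HA names,
   CoAs, TTL and the shape of the messages are assumptions of this
   example.

```python
"""Neighbor MR registry at a Home Agent (added example for Sections 4.3 and 5).

Constructed model, not the draft's or any implementation's code. An HA holds
its own MRs' bindings and the neighbor MRs its own MRs reported (MR-HA); it
can ask the neighbor's HA whether the neighbor really holds the CoA it
claims (HA-HA). Neighbor records expire by TTL and are removed explicitly
when the neighbor's periodic Mobile Prefix Advertisement is missed.
"""
from dataclasses import dataclass


@dataclass
class Binding:
    coa: str
    expires_at: float


@dataclass
class Neighbor:
    neighbor_mr: str
    neighbor_ha: str   # name of the HA that serves the neighbor MR
    coa: str           # CoA the neighbor used when it was reported
    expires_at: float  # TTL-based expiry of this record


class HomeAgent:
    def __init__(self, name, ttl):
        self.name = name
        self.ttl = ttl
        self.bindings = {}   # own MR -> Binding
        self.neighbors = {}  # (own MR, neighbor MR) -> Neighbor
        self.peers = {}      # HA name -> HomeAgent (stand-in for the HA-HA channel)

    # MR-HA communication: an own MR registers its binding / reports a neighbor
    def register_binding(self, mr, coa, now):
        self.bindings[mr] = Binding(coa, now + self.ttl)

    def register_neighbor(self, mr, neighbor_mr, neighbor_ha, coa, now):
        self.neighbors[(mr, neighbor_mr)] = Neighbor(neighbor_mr, neighbor_ha, coa, now + self.ttl)

    # Registry maintenance: TTL expiry and explicit removal on movement detection
    def expire(self, now):
        for key in [k for k, v in self.neighbors.items() if v.expires_at <= now]:
            del self.neighbors[key]
        for key in [k for k, v in self.bindings.items() if v.expires_at <= now]:
            del self.bindings[key]

    def prefix_advertisement_missed(self, neighbor_mr):
        """The neighbor's periodic Mobile Prefix Advertisement stopped: drop its records."""
        for key in [k for k in self.neighbors if k[1] == neighbor_mr]:
            del self.neighbors[key]

    # HA-HA communication: does this HA currently bind `mr` at `coa`?
    def confirm_binding(self, mr, coa, now):
        b = self.bindings.get(mr)
        return b is not None and b.expires_at > now and b.coa == coa

    # Check applied to a binding update sent by a neighbor MR on behalf of an own MR
    def alternative_bu(self, from_mr, on_behalf_of, coa, now):
        self.expire(now)
        n = self.neighbors.get((on_behalf_of, from_mr))
        if n is None:
            return "reject: unknown or expired neighbor"
        peer = self.peers.get(n.neighbor_ha)
        if peer is None or not peer.confirm_binding(from_mr, coa, now):
            return "reject: neighbor HA does not confirm this CoA"
        self.bindings[on_behalf_of] = Binding(coa, now + self.ttl)  # tunnel recovered via neighbor
        return "accept"


def scenario():
    """Legitimate recovery, a fake MR, a replayed BU after moving, explicit removal, TTL."""
    ha1, ha2 = HomeAgent("HA1", ttl=60), HomeAgent("HA2", ttl=60)
    ha1.peers["HA2"], ha2.peers["HA1"] = ha2, ha1
    ha1.register_binding("MR1", "2001:db8:a::1", now=0)
    ha2.register_binding("MR2", "2001:db8:a::2", now=0)
    ha1.register_neighbor("MR1", "MR2", "HA2", "2001:db8:a::2", now=0)
    results = {}
    # 1. MR2 takes over MR1's tunnel; HA2 confirms MR2 really binds at that CoA.
    results["recovery"] = ha1.alternative_bu("MR2", "MR1", "2001:db8:a::2", now=10)
    # 2. A fake MR that was never reported as a neighbor (Figure 1).
    results["fake_mr"] = ha1.alternative_bu("MRx", "MR1", "2001:db8:bad::1", now=10)
    # 3. MR2 moves and re-binds elsewhere; a BU is replayed from the old CoA (Figure 2).
    ha2.register_binding("MR2", "2001:db8:c::2", now=20)
    results["replay_old_coa"] = ha1.alternative_bu("MR2", "MR1", "2001:db8:a::2", now=25)
    # 4. Movement detected through the missed Mobile Prefix Advertisement.
    ha1.prefix_advertisement_missed("MR2")
    results["after_removal"] = ha1.alternative_bu("MR2", "MR1", "2001:db8:c::2", now=30)
    # 5. Re-registered neighbor is usable until its TTL runs out.
    ha1.register_neighbor("MR1", "MR2", "HA2", "2001:db8:c::2", now=30)
    results["fresh"] = ha1.alternative_bu("MR2", "MR1", "2001:db8:c::2", now=40)
    results["after_ttl"] = ha1.alternative_bu("MR2", "MR1", "2001:db8:c::2", now=100)
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, "->", v)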


6. Other Kinds of Attacks

   Other kinds of attacks on multi-homed mobile networks are also
   possible.



References


   [1] T. Ernst and H. Lach, "Network Mobility Support Terminology,"
       draft-ietf-nemo-terminology-00 (work in progress), May 2003.

   [2] C. Ng, J. Charbon, and E. Paik, "Multihoming Issues in Network
       Mobility Support," draft-ng-nemo-multihoming-issues-02.txt (work
       in progress), Oct 2003.

   [3] J. Charbon, C-W. Ng, K. Mitsuya, and T. Ernst, "Evaluating
       Multi-homing Support in NEMO Basic Solution," draft-charbon-nemo-
       multihoming-evaluation-00.txt (work in progress), Jul 2003.

   [4] E. K. Paik, H. S. Cho, and T. Ernst, "Multihomed Mobile Networks
       Problem Statements," draft-paik-nemo-multihoming-problem-00.txt
       (work in progress), Oct 2003.

   [5] S. Jung, F. Zhao, F. Wu, H. Kim and S. Sohn, "Threat Analysis for
       NEMO," draft-jung-nemo-threat-analysis-01.txt (work in progress),
       Oct 2003.

   [6] A. Petrescu, A. Olivereau, C. Janreteau, H.-Y. Lach, "Threats for
       Basic Network Mobility Support (NEMO threats)," draft-petrescu-
       nemo-threats-01.txt (work in progress), Jan 2004.

   [7] P. Thubert, M. Molteni, and C. Ng, "Taxonomy of Route
       Optimization models in the Nemo Context," draft-thubert-nemo-ro-
       taxonomy-01 (work in progress), Jun 2003.


Acknowledgments




Authors' Addresses

   Seongho Cho
   Seoul National University
   School of CSE, Seoul National University,
   San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
   Phone: +82-2-884-3936
   Email: shcho@popeye.snu.ac.kr


   Jongkeun Na
   Seoul National University
   School of CSE, Seoul National University,
   San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
   Phone: +82-2-884-3936
   Email: jkna@popeye.snu.ac.kr

   Chongkwon Kim
   Seoul National University
   School of CSE, Seoul National University,
   San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
   Phone: +82-2-884-3936
   Email: ckim@popeye.snu.ac.kr

   Sungjin Lee
   Telecommunication R&D Center,
   Samsung Electronics
   Dong Suwon P.O. BOX 105
   416, Maetan-3Dong, Paldal-Gu
   Suwon-City, Gyunggi-Do, 442-600, KOREA
   Email: steve.lee@samsung.com

   Hyunjeong Kang
   Telecommunication R&D Center,
   Samsung Electronics
   Dong Suwon P.O. BOX 105
   416, Maetan-3Dong, Paldal-Gu
   Suwon-City, Gyunggi-Do, 442-600, KOREA
   Email: hyunjeong.kang@samsung.com

   Changhoi Koo
   Telecommunication R&D Center,
   Samsung Electronics
   Dong Suwon P.O. BOX 105
   416, Maetan-3Dong, Paldal-Gu
   Suwon-City, Gyunggi-Do, 442-600, KOREA
   Email: chkoo@samsung.com