NEMO Working Group
Internet Draft
Document: draft-cho-nemo-threat-multihoming-00.txt
Expires: August 4, 2004
Seongho Cho, Jongkeun Na, Chongkwon Kim (Seoul National University)
Sungjin Lee, Hyunjung Kang, Changhoi Koo (Samsung Electronics)
February 4, 2004
Threat for Multi-homed Mobile Networks
draft-cho-nemo-threat-multihoming-00
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 4, 2004.
Abstract
In mobile networks, the Mobile Router (MR) is the main operational
entity. With multiple MRs, a mobile network can provide more stable
service, and various multi-homing scenarios already exist. However,
because of mobility and the MR-HA relationships, multi-homed mobile
networks face several security problems. In this draft, we identify
threats to multi-homed mobile networks and illustrate several
scenarios of Denial-of-Service (DoS) attacks, redirection attacks,
and replay attacks.
Cho, et al. Expires - August 2004 [Page 1]
Internet Draft Threat for Multi-homed Mobile Networks February 2004
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119.
Table of Contents
1. Multi-homing in Mobile Networks................................2
2. Related Multi-homing Scenarios.................................3
3. Denial-of-Service (DoS) Attacks................................3
4. Redirection Attack.............................................4
4.1 Redirection for Cryptographic Analysis.....................4
4.2 Redirection for DoS Attack Stream..........................5
4.3 Stream Redirection from the Attacker Node..................5
5. Replay Attack..................................................5
6. Other Kinds of Attacks.........................................6
References........................................................7
Acknowledgments...................................................7
Authors' Addresses...............................................7
1. Multi-homing in Mobile Networks
The NEMO Basic Support Protocol [1] has been proposed to provide
transparent mobility to mobile network nodes (MNNs) that move
together as one mobile network. Using MR-HA bi-directional tunneling,
the MR provides session mobility, continuity, and connectivity for
all nodes in the mobile network as the network moves. Because the MR
handles every session of the mobile network, the availability of the
MR affects all sessions of the mobile network.
However, this creates a fault tolerance problem. Concentrating all
operation on a single MR makes it a single point of failure: because
the egress MR is responsible for every node inside the subnet, a
single MR failure can suspend network service. In particular, the
availability of the egress channel or of the MR node affects session
continuity and quality of service. Multiple MRs are therefore
required for large networks such as trains, buses, or airplanes. A
further benefit of multi-homing is traffic load sharing across
multiple MRs; static and dynamic load sharing mechanisms are possible
at both the HA level and the MR level.
To support fault tolerance and load sharing, various types of
multi-homed mobile networks have been considered in several drafts
[2, 3, 4]. Multi-homing can improve the performance of the mobile
network and brings several operational advantages, such as load
balancing, network access cost optimization, and optimal handover
decisions. Specific benefits of multi-homing are described in the
multi-homing issues draft [2].
The NEMO threat analysis drafts [5, 6] treat threats to the NEMO
basic support protocol. In this draft, we introduce several threats
specific to multi-homed mobile networks and illustrate some attack
scenarios against them.
2. Related Multi-homing Scenarios
The multi-homing issues draft [2] treats various scenarios. Our
concern, however, is NEMO-specific scenarios, which can differ from
the site multi-homing model with multiple ISPs. Based on that draft,
we describe the specific scope of the multi-homed mobile networks
considered here in terms of their configuration.
Our main focus is scenarios with multiple Home Agents (HAs). In the
notation of the multi-homing draft [2], the (1, N, 1), (N, N, 1),
(1, N, N) and (N, N, N) configurations are such cases. The current
NEMO basic support protocol adds no messages to Mobile IPv6. However,
in the presence of multiple HAs, a multi-homed mobile network can be
insecure unless the neighbor MR-HA information is available.
Especially in the (N, N, 1) and (N, N, N) cases, the multiple MR-HA
relations can lead to severe security problems. In the S/mP-(N, N, 1)
case in particular, a different ISP controls each HA and the HAs
cannot share neighbor information, so tunnel recovery through the
other MR is difficult. Without neighbor MR-HA information, a binding
update sent by a neighbor MR for load balancing or fault recovery may
be false.
In this draft, we focus on threats to multi-homed mobile networks
with multiple HAs.
3. Denial-of-Service (DoS) Attacks
This section describes possible Denial-of-Service (DoS) attacks.
Although some of them are not NEMO specific, these DoS attacks can be
a preparation for another attack on the mobile network, so we
describe them briefly.
In mobile networks, the MR is exposed to various DoS attacks. Because
the MR is mobile, its access links are usually wireless channels, so
simple channel jamming can make the service unavailable. Packet
flooding of the MR can likewise make normal service unavailable to
the mobile network. Apart from packet flooding, the MR maintains a
binding update list and a home agent list. If malicious nodes keep
updating binding information, or keep sending route optimization [7]
requests to the correspondent node (CN), the MR can experience
overflow of these data structures. Such attacks can be classified as
DoS attacks on the binding-related data structures of the MR. To
prevent this kind of attack, the data structures should be updated
only after the requesting node has been verified, and stale binding
update information in the binding update list should be managed
efficiently. Finally, a black hole attack can also be described as a
DoS attack: if the egress MR does not forward packets to their
destination, the flow cannot be served at all. This attack is very
simple, but significant.
Service unavailability of the MR, whether caused by a DoS attack or
by MR failure, requires tunnel recovery to an alternative tunnel in
multi-homed mobile networks.
4. Redirection Attack
Various types of redirection attacks are possible in multi-homed
mobile networks: redirection for cryptographic analysis, redirection
of a DoS attack stream, and stream redirection from the attacker
node. Each attack is described below.
[Figure 1 (ASCII diagram, not reproduced): nodes HA1, HA2, AR, MR1,
Fake MR, MR3, MR4, MNN1, MNN2 and MNN3, connected through the
Internet. The original flow runs from HA1 via MR1 to MNN1; after the
recovered tunnel is set up from HA2 to the Fake MR, the Fake MR
redirects the flow toward MNN3.]
Figure 1. Redirection Attack by Fake MR
4.1 Redirection for Cryptographic Analysis
In redirection for cryptographic analysis, the fake MR poses as an
alternative MR for the multi-homed mobile network. After the fake MR
takes over the tunnel previously terminated at the primary MR, it can
cause packets to be sent to the attacker. The attacker might receive
packets to inspect or modify the payload, or apply cryptanalysis to
find the secret key or decrypt the original data. In Figure 1, the
Fake MR forwards the original flow to MNN3, which is the attacker,
and the attacker can analyze the packet flows to try to break the
security association between HA1 and MR1 or between HA_MNN1 and
MNN1.
4.2 Redirection for DoS Attack Stream
Redirected packets can also be used as an attack flow against another
MR or MNN. The redirected packets can overload an unrelated link, and
in this case the attacker may be able to hide its location and
identity. In Figure 1, the Fake MR forwards the original flow to
MNN3, which is now a victim node: MNN3 suffers a DoS attack stream
that appears to come from the CN of MNN1.
4.3 Stream Redirection from the Attacker Node
Similarly, the Fake MR can lead an MNN to accept the attacker's
packets, since the redirection attack can deliver unexpected packets
to the MNN. In Figure 1, MNN3 can receive the attack stream through
the Fake MR, or MNN1 can receive an attack stream that comes not from
its original CN but from the attacker. Of course, this case is not
specific to multi-homed mobile networks.
To prevent this kind of redirection attack, the existence of a
neighbor egress MR should be identified and the MR should be
authenticated; this authentication also provides non-repudiation. To
support authentication, an alternative MR registration mechanism is
required, which in turn requires MR-HA communication and HA-HA
communication. Through MR-HA communication, the HA can register
neighbor MR information. Through HA-HA communication, the validity
of the neighbor MR's binding update information toward its own HA
can be confirmed.
5. Replay Attack
In mobile networks, the MR is mobile, so neighbor information can
become stale after the neighbor moves away. Using previous neighbor
information, a malicious MR can send a binding update to a false CoA.
The malicious MR may move elsewhere, or an MR that has already moved
may be compromised into a replay attack, which can then be used for
another redirection attack. In Figure 2, after the Fake MR changes
its point of attachment, it sends the Binding Update message to the
wrong place using previous neighbor information; in this case,
redirection attacks similar to those in Section 4 are possible.
To prevent the replay attack, the HA should keep the neighbor MR
information, and registration information should be updated whenever
the MR moves or disappears. To keep registration information safe,
expiration by TTL and explicit removal after detecting the neighbor
MR's movement can be used. Movement of the neighbor MR can be
detected when the periodic ICMP Mobile Prefix Advertisement expires.
[Figure 2 (two-panel ASCII diagram, not reproduced): nodes HA1, HA2,
AR1, AR2, AR3, MR1, Fake MR, MR3, MR4, MNN1, MNN2 and MNN3, connected
through the Internet. Upper panel: the Fake MR is attached at AR2.
Lower panel: after moving to AR3, the Fake MR sends a False BU toward
HA2 using the previous neighbor information.]
Figure 2. Replay Attack after Moving
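As an added illustration (not code from this draft), the following Python model shows the neighbor MR registry that Sections 3, 4 and 5 call for: the HA confirms a neighbor MR with its home HA before registering it, entries expire by TTL or are removed when the neighbor's Mobile Prefix Advertisements stop, and a tunnel-recovery Binding Update is accepted only from a registered, unexpired neighbor at its registered care-of address. All node names, addresses, the TTL value and the method names are constructed for the example.

```python
from dataclasses import dataclass, field
# Added toy model, not the draft's code; node names, addresses and TTL are constructed.
@dataclass
class NeighborMR:
    home_ha: str       # HA serving this neighbor MR, confirmed over the HA-HA exchange
    coa: str           # care-of address given at registration
    expires_at: float  # TTL expiry on a constructed clock (seconds)

@dataclass
class HomeAgent:
    name: str
    own_mrs: set       # MRs this HA serves
    peer_has: dict     # HA name -> set of MRs it serves (learned over HA-HA exchange)
    neighbors: dict = field(default_factory=dict)  # mr_id -> NeighborMR
    log: list = field(default_factory=list)

    def register_neighbor(self, mr_id, home_ha, coa, now, ttl=30.0):
        """MR-HA step: check the claimed home HA (HA-HA step), then record with a TTL."""
        if mr_id not in self.peer_has.get(home_ha, set()):
            return self._reject(f"{home_ha} does not serve {mr_id}")
        self.neighbors[mr_id] = NeighborMR(home_ha, coa, now + ttl)
        return True

    def expire_stale(self, now):
        """TTL expiration: forget neighbor entries that are no longer fresh."""
        for mr_id in [m for m, n in self.neighbors.items() if n.expires_at <= now]:
            del self.neighbors[mr_id]

    def on_prefix_advertisement_timeout(self, mr_id):
        """Explicit removal once the neighbor's periodic ICMP Mobile Prefix
        Advertisements stop arriving, i.e. it has moved away."""
        self.neighbors.pop(mr_id, None)

    def accept_recovery_bu(self, from_mr, for_mr, coa, now):
        """Accept a tunnel-recovery Binding Update only from a registered,
        unexpired neighbor MR, and only at the CoA it registered with."""
        self.expire_stale(now)
        if for_mr not in self.own_mrs:
            return self._reject(f"{for_mr} is not served by {self.name}")
        n = self.neighbors.get(from_mr)
        if n is None:
            return self._reject(f"{from_mr} is not a registered neighbor MR")
        if n.coa != coa:
            return self._reject(f"{from_mr} CoA mismatch: stale or replayed BU")
        self.log.append(f"ACCEPT tunnel for {for_mr} via {from_mr} at {coa}")
        return True

    def _reject(self, why):
        self.log.append("REJECT " + why)
        return False
```

The `log` list records each accept or reject decision, which is where a real HA would raise an alert on repeated rejects from the same MR.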
6. Other Kinds of Attacks
Other kinds of attacks on multi-homed mobile networks are also
possible.
References
[1] Ernst, T. and H. Lach, "Network Mobility Support Terminology,"
draft-ietf-nemo-terminology-00 (work in progress), May 2003.
[2] C. Ng, J. Charbon, and E. Paik, "Multihoming Issues in Network
Mobility Support," draft-ng-nemo-multihoming-issues-02.txt (work in
progress), Oct 2003.
[3] J. Charbon, C-W. Ng, K. Mitsuya, and T. Ernst, "Evaluating
Multi-homing Support in NEMO Basic Solution," draft-charbon-nemo-
multihoming-evaluation-00.txt (work in progress), Jul 2003.
[4] E. K. Paik, H. S. Cho, and T. Ernst, "Multihomed Mobile Networks
Problem Statements," draft-paik-nemo-multihoming-problem-00.txt
(work in progress), Oct 2003.
[5] S. Jung, F. Zhao, F. Wu, H. Kim and S. Sohn, "Threat Analysis for
NEMO," draft-jung-nemo-threat-analysis-01.txt (work in progress),
Oct 2003.
[6] A. Petrescu, A. Olivereau, C. Janreteau, H.-Y. Lach, "Threats for
Basic Network Mobility Support (NEMO threats)," draft-petrescu-
nemo-threats-01.txt (work in progress), Jan 2004.
[7] P. Thubert, M. Molteni, and C. Ng, "Taxonomy of Route
Optimization models in the Nemo Context," draft-thubert-nemo-ro-
taxonomy-01 (work in progress), Jun 2003.
Acknowledgments
Authors' Addresses
Seongho Cho
Seoul National University
School of CSE, Seoul National University,
San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
Phone: +82-2-884-3936
Email: shcho@popeye.snu.ac.kr
Jongkeun Na
Seoul National University
School of CSE, Seoul National University,
San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
Phone: +82-2-884-3936
Email: jkna@popeye.snu.ac.kr
Chongkwon Kim
Seoul National University
School of CSE, Seoul National University,
San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
Phone: +82-2-884-3936
Email: ckim@popeye.snu.ac.kr
Sungjin Lee
Telecommunication R&D Center,
Samsung Electronics
Dong Suwon P.O. BOX 105
416, Maetan-3Dong, Paldal-Gu
Suwon-City, Gyunggi-Do, 442-600, KOREA
EMail : steve.lee@samsung.com
Hyunjeong Kang
Telecommunication R&D Center,
Samsung Electronics
Dong Suwon P.O. BOX 105
416, Maetan-3Dong, Paldal-Gu
Suwon-City, Gyunggi-Do, 442-600, KOREA
EMail : hyunjeong.kang@samsung.com
Changhoi Koo
Telecommunication R&D Center,
Samsung Electronics
Dong Suwon P.O. BOX 105
416, Maetan-3Dong, Paldal-Gu
Suwon-City, Gyunggi-Do, 442-600, KOREA
EMail : chkoo@samsung.com