Internet Engineering Task Force                           Wassim Haddad
Internet Draft                        Helsinki University of Technology
Expires in February 2004                       Ericsson Research Canada
                                                        Suresh Krishnan
                                               Ericsson Research Canada
                                                         September 2003




                      Optimizing Mobile IPv6 (OMIPv6)

                    <draft-haddad-mipv6-omipv6-00.txt>



Status of this memo

   This document is an Internet Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Distribution of this memo is unlimited



Abstract

   Mobile IPv6 [1] is supposed to solve the mobility problem and
   offers a new mode, which allows the flows of data packets
   between a mobile node (MN) and a correspondent node (CN) to be
   exchanged via the direct path between them. However this
   efficiency comes at high price in terms of security needs and
   excessive mobility signaling messages.
   This draft introduces a proposal to make Mobile IPv6 more
   optimized with regards to security needs and less redundant in
   signaling messages.



Haddad, Krishnan              Expires February 2004             [Page 1]


INTERNET-DRAFT                        OMIPv6              September 2003



1. Introduction

   Mobile IPv6 defines the route optimization (RO) mode as one way
   of exchanging data packets between a mobile node and a
   correspondent node, via the direct path between them. While this
   mode is very efficient, it raises many security concerns and
   leads to high redundancy in mobility signaling messages.
   According to [1], these signaling messages are needed to keep
   creating shared secrets between the two entities talking to each
   other and testing the reachability of MN's IP addresses.

   This draft suggests an optimization to the RO mode, which aims
   to enhance its efficiency by making it less vulnerable and
   reducing the high number of signaling messages involved in the
   session.


2. Terminology

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY"
   in this document are to be interpreted as described in RFC 2219
   [2].


3. Motivation

   The RO mode allows one MN to talk directly to the CN, i.e, by
   using the direct path between them. For this to happen, the MN
   needs to create a shared secret (i.e., Kbm) with the CN in order
   to authenticate the binding updates (BUs) messages and let the
   CN authenticates the binding acknowledgements (BAs) messages
   with the same shared key. For security reasons, it is required
   that the lifetime of the shared secret be reduced to few
   minutes, thus obliging both entities to re-create a new Kbm at
   a high frequency. For more information about the security
   concerns related to the RO mode, please refer to [3].

   Each time the MN needs to update its Kbm, it needs to exchange
   four messages with the CN (i.e., the return routability (RR)
   procedure). Note that for security reasons, the MN's home agent
   (HA)must get involved each time the RR test is launched. The
   loss of any of the four messages requires the MN to exchange at
   least two additional messages with the CN.

   If the RR test succeeds (i.e., the MN and the CN compute a
   shared secret), the MN must send a BU message to its HA and
   waits for a BA. Upon receiving a BA from its HA, the MN sends a
   BU to its CN to update its binding cache entry (BCE) about its
   new location (i.e., care-of address (Co@)) and waits for a BA.



Haddad, Krishnan              Expires February 2004             [Page 2]


INTERNET-DRAFT                        OMIPv6              September 2003



   Note that authenticating BUs requires approximately 1.5 round
   trip times between the mobile node and each correspondent node
   (for the entire RR procedure in a best case scenario, i.e, no
   packet losses) and one round trip time between the MN and the
   HA. Such redundancy is not acceptable for time sensitive
   applications.

   It becomes clear from the above that the RO mode introduces an
   expensive efficiency in terms of excessive mobility messages,
   high latency and many security concerns.

   This draft describes one way to make the exchange of BUs/BAs
   more safe and substantially reduce the number of mobility
   signaling messages as well as the latency of the handover.


4. Overview of OMIPv6

   The suggested solution does not introduce nor replace any new or
   existing signaling messages. It is to be implemented on top of
   what has been accepted as the most efficient solution to the
   mobility problem. OMIPv6 exploits the RR test procedure, which
   has been designed in [1]. OMIPv6 MUST NOT be used alone.

   One of the main advantages behind using OMIPv6 is that it gives
   a malicious node only "one" chance to exploit spoofing, if and
   when it is possible, the HoT and CoT messages together, thus
   narrowing the window of vulnerability to the minimum. The second
   advantage of OMIPv6 is that it does not require the deployment
   of an infrastructure to distribute keys, thus eliminating any
   scalability problems.

   Another advantage behind using OMIPv6 lies in the possibility of
   deriving a longer shared secret key making it more difficult to
   crack.

   Finally, OMIPv6 substantially reduces the amount of mobility
   signaling messages and makes the exchange, if and when needed,
   of the HoTI/HoT and CoTI/CoT messages independant from the
   handover process.

   OMIPv6 consists on deriving a long shared secret key which will
   be used by both entities to authenticate the BUs/BAs messages.
   The new shared secret is derived from a DH exchange, which will
   be launched by the MN after successfully testing its new and
   home IP addresses with the CN's address (i.e., the RR test).

   The DH messages exchanged between the CN and the MN MUST BE
   authenticated by the Kbm key derived from the latest RR test.



Haddad, Krishnan              Expires February 2004             [Page 3]


INTERNET-DRAFT                        OMIPv6              September 2003



   The DH exchange will allow both entities to establish a
   bidirectional security association (SA) between them without the
   need to rely on any exisiting public key infrastructure.

   The DH messages MUST BE exchanged on the same paths used to
   exchange the RR test messages. For this purpose, the MN MUST use
   the Kbm to sign the first DH message and send it to the CN via
   the direct path. The MN MUST include its home address by using a
   home address option (HAO). The CN's reply to the first message
   MUST be signed with the Kbm and duplicated. One copy of the
   second DH message MUST BE send via the direct path and the
   second copy via the path going through the MN's HA. If the two
   messages are identical, the MN pursues the DH exchange and sends
   the third message via the direct path. The CN replies by sending
   the fourth DH message on the same path.
   Note that the main objective of duplicating the second message
   is the potential ability to reveal a possible MiTM attack on the
   first one (i.e., the malicious node knows the Kbm).
   By duplicating the second DH message, a successful MiTM attack
   will consist on attacking two duplicated messages sent on two
   different paths at the same time, which probably makes such kind
   of attack more difficult.

   The DH process will enable both entities (i.e., the MN and the
   CN) to compute a long shared secret called "authenticated
   binding management key" (Kabm). The Kabm will be used to
   authenticate the BU/BA messages exchanged via the direct path
   between the MN and the CN. In this case, the exchange of BU/BA
   messages will allow the two endpoints to test the reachability
   of the new direct path in both directions prior to injecting any
   new data packets on the new path.

   The DH exchange can be launched at any time during the ongoing
   session. In order to reduce the amount of signaling messages to
   the minimum, it MAY be launched, for example, immediately after
   running the first RR test.

   After running the DH procedure, any new mobility signaling
   message MUST be signed with the new Kabm computed from the DH
   exchange. The two endpoints SHOULD silently drop any mobility
   message related to the MN's home/care-of address or the CN's
   address and not signed with the Kabm.

   If the MN needs to exchange CoTI/CoT messages with the CN, it may
   be possible to send the CoTI message in parallel with the BU.

   The scheme below shows the different paths taken by the four
   messages of a DH exchange between a MN and the CN:




Haddad, Krishnan              Expires February 2004             [Page 4]


INTERNET-DRAFT                        OMIPv6              September 2003



           +------------+                       +------+
           |            |                       |      |
           |     MN     |<----------------------|  HA  |
           |            |          DH2          |      |
           +------------+                       +------+
            | ^     ^  |                           ^
            | |  DH2|  |DH1                       /
            | |     |  |                         /
         DH3| |DH4  |  |                        /
            V |     |  V                       /
           +------------+                     /
           |            |                    /
           |     CN     |-------------------/
           |            |       DH2
           +------------+


   As it has been mentioned, the DH messages MUST be authenticated
   from both sides by using the Kbm. The contents and the signature
   associated with each DH message has been detailed in [4].

   In OMIPv6, the DH messages exchanged between the two MNs are
   described in the following:


                        sid   , gX, N   , info
   MN                      MN        MN       MN                 CN
   --------------------------------------------------------------->


                     sid   , sid   , gY, N   , info
   MN                   MN     CN         CN      CN             CN
   <---------------------------------------------------------------



   sid   ,sid  ,MN, SIG  (N  , sid  ,gX, info , info ), MAC(MN)
      MN    CN        Kbm  CN    MN         MN     CN      Km    CN
   --------------------------------------------------------------->



   sid   ,sid,  ,info ,CN, SIG (N  ,sid ,gY,info, info), MAC(CN)
      MN     CN    CN      Kbm  MN   CN       CN    MN     Km    CN
   <---------------------------------------------------------------


   In the above scheme, the following abbreviations have been
   adopted:



Haddad, Krishnan              Expires February 2004             [Page 5]


INTERNET-DRAFT                        OMIPv6              September 2003



     -gX = shared part of MN's secret

     -gY = shared part of CN's secret

     -sid = session identifier used to specify the ongoing session.


     -N = nonce

     -info = additional information carried in the protocol
             messages

     -MN  = Identity of MN (e.g., MN's Home IP address)

     -CN = Identity of CN (e.g., CN's IP address)

     -Kbm = key generated from the RR test

     -SIG(msg) = denotes the signature of "msg" using the Kbm.

     -Km = key generated from DH (known only by the MN and the CN)

     -MAC(msg) = denotes a message authenticated code computed from
        Km       "msg" and signed by Km.


5. Security considerations

   The draft describes a method to make the route optimization mode
   more efficient.


6. Acknowledgements

   Authors would like to thank Laurent Marchand for reviewing the
   draft. Many thanks for Francis Dupont, Erik Nordmark, and Yuri
   Ismailov for their inputs on the idea.


7. Normative References

   [1] D. Johnson and C. Perkins, "Mobility Support in IPv6",
       draft-ietf-mobileip-ipv6-24.txt, June 2003.

   [2] S. Bradner, "Key words for use in RFCs to Indicate
       Requirement Levels", BCP 14, RFC 2119.






Haddad, Krishnan              Expires February 2004             [Page 6]


INTERNET-DRAFT                        OMIPv6              September 2003



8. Informative References

   [3] P. Nikander, T. Aura, J. Arkko, G.Montenegro and E. Nordmark
       "Mobile IP version 6 Route Optimization Security Design
       Background", draft-nikander-mobileip-v6-ro-sec-01.

   [4] Krawczyk, H., "SIGMA: the 'SIGn-and-MAC'Approach to
       Authenticated Diffie-Hellman and its use in the IKE
       Protocols", in Advanceds in Cryptography - CRYPTO 2003
       Proceedings, LNCS 2729, Springer, 2003. Available at:
       http://www.ee.technion.ac.il/~hugo/sigma.html


9. Author's Addresses

   Wassim Haddad
   Ericsson Research Canada
   8400, Decarie Blvd
   Town of Mount Royal
   Quebec H4P 2N2
   Canada
   Tel: +1 514 345 7900
   Fax: +1 514 345 7900
   E-mail: Wassim.Haddad@lmc.ericsson.se


   Suresh Krishnan
   Ericsson Research Canada
   8400, Decarie Blvd
   Town of Mount Royal
   Quebec H4P 2N2
   Canada
   Tel: +1 514 345 7900
   Fax: +1 514 345 7900
   E-mail: Suresh.Krishnan@lmc.ericsson.se


10. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.
   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared,
   copied, published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright
   notice and this paragraph are included on all such copies and
   derivative works. However, this document itself may not be
   modified in any way, such as by removing the copyright notice or
   references to the Internet Society or other Internet



Haddad, Krishnan              Expires February 2004             [Page 7]


INTERNET-DRAFT                        OMIPv6              September 2003



   organizations, except as needed for the purpose of developing
   Internet standards in which case the procedures for copyrights
   defined in the Internet Standards process must be followed, or
   as required to translate it into languages other than English.
   The limited permissions granted above are perpetual and will not
   be revoked by the Internet Society or its successors or
   assignees.

   This document and the information contained herein is provided
   on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
   OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
   IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
   PARTICULAR PURPOSE.





































Haddad, Krishnan              Expires February 2004             [Page 8]