[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00 01 02                                                      
NEMO Working Group                                                 Souhwan Jung
Internet-Draft                                             Soongsil University
Expires: December 22, 2003                                            Felix Wu
                                             University of California at Davis
                                                                       Hyungon Kim
                                                                     Seungwon Sohn
                     Electronics and Telecommunications Research Institute
                                                                     June 23, 2003


                              Threat Analysis for NEMO
                        draft-jung-nemo-threat-analysis-00

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 22, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   This document describes possible security threats on mobile networks
that include multi-homing. Many different kinds of security threats
exist on signaling and communication paths including mobile routers
and home agents. It is also the goal of this draft to explain a
three-layer threat model and to investigate vulnerabilities of the
network entities in NEMO.


S. Jung et. al.           Expires December 22, 2003                [Page 1]


Internet-Draft            Threat Analysis for NEMO               June 2003


Table of Contents

   1.    Motivations

   2.    Three-Layer Threat model

   3.    Threats to Target Protocols/Services
        3.1 Threats to Signaling Plane
        3.2 Threats to Communication Plane

   4.    Threats to Target Entities/Entry Points
        4.1 Compromise of MR
        4.2 Compromise of HA
        4.3 Compromise of FA
        4.4 Denial of Service
        4.5 Threats to Location Privacy

   5.    Security Considerations

   6.    Conclusions

         References

         Authors' Addresses

         Intellectual Property and Copyright Statements


S. Jung et. al.           Expires December 22, 2003              [Page 2]

Internet-Draft  Threat Analysis for NEMO June 2003



1. Motivations

Networks in motion (NEMO) introduces a new network entity called
Mobile Router(MR). MR has different features from Mobile Hosts that is
operated based on Mobile IP technologies. Since MR functions both as a
mobile node and a gateway to provide a mobile network with Internet
access in outside world, it needs specific treatment for managing
operations and securities.

In real world, many different types of NEMO configurations are
possible including multi-homing, which means that new kind of threats
specific to NEMO should be taken care of. For example, MR can
advertise its IP prefix to the access routers in foreign domain, and
this message can be intercepted and modified to advertise different
prefix of malicious attacker. This makes address stealing attack
possible: the packets that should be delivered to the mobile router
are destined to the attack router. Therefore, those messages like
address advertisement should be protected using authentication.

This draft proposes a three-layer threat model for analyzing
vulnerabilities of NEMO protocols and entities. Based on the model, we
describe and classify all possible threats to NEMO, and analyze those
threats according to their properties and scopes.

2. Three-Layer Threat Model

A huge number of different threats to network entities in NEMO are
possible and hard to describe all of them in a row. Some of the
threats can have multiple paths to achieve their goals, which means
that many different types of attacks are possible to obtain the same
objective that the attacker tries to achieve. Therefore, it requires a
hierarchical threat model to describe and classify all different
threats to NEMO.

This draft proposes a three-layer threat model to describe all
possible threats to NEMO according to their objectives/properties,
target protocols/services, and target entities/entry points. This
model is composed of a three-layer stack; objectives/properties on the
top layer, target protocols/services for attack on the second layer,
and finally target entities or entry points for attack at the bottom
layer.

The objectives of threats are usually a limited number of goals that
attackers try to achieve in abstract level. They could be like
eavesdropping of data, impersonation, data corruption or modification,
unauthorized use of resources, repudiation, and blocking services to
clients. The generic goals of security mechanisms therefore are such
as confidentiality, integrity, authentication, authorization, non-
repudiation, and service availability against those attacks, which are
common to all the security frameworks.

The second layer of the stack is composed of target protocols or
services for attack. Attackers always try to find vulnerabilities to
network protocols or services by monitoring protocol or service data
specific to the target. In NEMO, for example, binding update (BU)
message or address advertisement messages by MRs could be target data
for attack. Most of NEMO signaling protocols could be the target at
the second layer. Therefore, the vulnerabilities to the basic NEMO
mechanism should be scrutinized for the analysis. In the next section,
this draft will describe those vulnerabilities and possible threats
related to them.

The bottom layer of the threat model is comprised of target entities
or entry points for attacks. NEMO includes many network entities
called MR, HA, FA, and CN etc. Any of these entities could be a victim
for attack and be compromised. All the possibilities of different
types of attacks should be investigated based on the assumption of
these compromises. For example, the compromise of MR can lead all the
MNNs and FNs inside the mobile network with a compromised MR to
interception of their data or deception of their connection to a fake
HA or FA. The MNNs or FNs inside the mobile network have no knowledge
of the compromised MR since the NEMO protocols are transparent to
their connections. In section 4, those threats will be analyzed and
described.

3. Threats to Target Protocols and Services

This section describes threats to NEMO protocols and services. NEMO
operations are composed of two different planes; one is the signaling
plane for changing control or routing information, and the other is
the communication plane for data transmission between nodes. The
threats specific to each plane will be investigated.

3.1 Threats to Signaling Plane
The basic NEMO operations have three different signaling paths
between entities; the first path is the signaling between MR and FA,
the second one is the signaling between MR and HA, and the final is
the signaling between MR and CN. Each signaling messages can be
interrupted and modified by attackers on the way of the signaling
paths. The following threats exist over signaling paths.

     - Man-in-the-middle between MR and HA
This threat means that an attacker resides between MR and HA, and
intercepts the signaling messages such as CoA(Care-of-Address) or BU
messages. The messages could be modified and transferred to the HA
with corrupted information. For example, the attacker compromises the
access router, and intercepts and modifies all the messages that goes
through the access router. One of the attack results will be the
registration of MR to HA with wrong binding information. Security
mechanism for bi-directional tunneling like IPsec could prevent this
threat.

     - Discard registration messages from MR to FA
       This threat is a sort of DoS attack to block network connectivity
service to MR. The attacker compromises the FA, and keep discarding
the registration message from MR. The result of the attack is no
availability of network connection service to the mobile networks.

     - fake MR
       Mobile network could have multiple MRs for the case of multi-
homing. Assume that there is a mobile network with a single MR. The
fake MR claims to be the second MR for multi-homing the victim mobile
network, and register to FA with another spoofed IP prefix. The fake
MR advertises its spoofed IP prefix to the new MNNs that comes into
play. Then the victim MNN gets the wrong IP address from the fake MR,
and starts to communicate via the fake MR.

     - fake FA
When a mobile network enters into a new region, the MR of the
network tries to find an access router for network connection. The MR
will advertise its IP prefix and wait for the advertisement of CoA
from the FA. At this time, the fake FA can intercept the message and
assign  a false CoA to the victim MR. The result of this attack will be
that the entire mobile network will be connected to a wrong Internet
access.

    - corrupted routing information
       Attacker may send corrupted routing information to MR and cause
network instability such as network congestion or looping.

3.2   Threats to Communication Plane
      - eavesdropping/replay of messages between MR and HA
         All the data packets between MR and HA have to go through the
bi-directional tunnel. This tunnel should be secured by IPsec. But
some of the routing information that may not go through this tunnel
should be secured.

      - eavesdropping/replay of messages between MNN and CN
         The messages between MNN and CN are going through the bi-
directional tunnel, but there is no protection against sniffing data
between MR and FA or between HA and CN. So security mechanisms should
be applied on the part of the path uncovered.

      - traffic analysis
        Monitoring and analyzing the characteristics of data traffic
along the communication paths reveals some information on routing and
location privacy.

4. Threats to Target Entities

The basic network entities in NEMO are MR, HA, FA, CN on the main
network, and FN and MNN in the mobile network. Any of these entities
could be the target for attack, but this draft does concern only on
threats to entire mobile network rather than the individual nodes
inside the subnet. We will investigate possible threats by
compromising the network entities. The compromise of an entity means
that attacker can access the entity, and change or modify data inside
the system. The following attacks are possible with the compromise of
each entity. The authentication mechanism for each entity therefore
should be applied.

   4.1 Compromise of MR
- MR-A spoofing
   MR-A is the permanent address assigned statically or
dynamically to the MR by HA. MR-A should be used for identification of
MR while it is in the visited domain. The compromised MR can register
to FA with a spoofed MR-A, and try to collect data destinated to the
victim address.

         - MR-CoA spoofing
           MR-CoA is the Care-of-Address assigned to the egress
interface of MR by FA. The compromised MR can send a BU message to HA
with a spoofed CoA, and collect the data that were destinated to the
victim FA.

- Cache poisoning
The cache data for routing table in MR can be corrupted to
subvert routing path. The data packet could be redirected or looped
causing network instability.

   4.2 Compromise of HA
         - sniffing of tunneled packet
            The IPsec transport mode should be used for securing the
tunneled packets between MR and HA. With the compromise of the HA, the
attacker can sniff the decrypted data packet in HA.

         - corruption of binding cache
           HA keeps managing the BU information on binding cache. With
the corruption of binding information, the attacker can redirects
packets to where he want to deliver them.

   4.3 Compromise of FA
- DoS to MNN and FN
The compromised FA can reject registration message from MR,
thus blocking the network access to the MNN and FN within the victim
subnet.

   4.4 Denial of Service
        Denial of Service attack is possible against MR and HA by
flooding BU messages and bogus tunneled packets. The attack can be
more effective with distributed fake MRs or HAs.

   4.5 Threats to Location Privacy
        The location of MR or MNN inside the subnet may be the privacy
of the client, so the location information while network is in motion
should be secured. Attacker can analyze the header information MR-CoA
in the tunneled data packet and identify the location of the MR. Since
all the data packets between MNN and CN are also tunneled using MR-CoA
as new source address, the location of the MNN can also be disclosed.

5. Security Considerations

This document is all about information on threats and security for
mobile networks. There should be a separate draft produced by the
working group to design a security mechanism for NEMO.


6. Conclusions


References

   [1]   Ernst, T., et al, "Network Mobility Support Goals and
         Requirements", Internet Draft: draft-ietf-nemo-requirements-
01.txt, Work In Progress, May  2003.

   [2]   Ernst, T. and H. Lach, "Network Mobility Support Terminology",
         Internet Draft: draft-ietf-nemo-terminology-00.txt, Work In
         Progress, May 2003.

[3]  Wakikawa, R., et al, "Basic Network Mobility Support", Internet
         Draft: draft-wakikawa-nemo-basic-00.txt, Work In Progress,
         February 2003.

   [4]  Johnson, D. B., Perkins, C. E. and Arkko, J., "Mobility Support
in IPv6", Internet Draft: draft-ietf-mobileip-ipv6-21.txt, Work
In Progress, February 2003.

   [5]  Barbir, A. and et. Al, "Generic Threats to Routing Protocols",
         Internet Draft: draft-ietf-rpsec-routing-threats-01, April 2003.

   [6]   Kniveton, T. J., et al, "Mobile Router Tunneling Protocol",
         Internet Draft: draft-kniveton-mobrtr-03.txt, Work In Progress,
         November 2002.

   [7]   Petrescu, A., et al, "Issues in Designing Mobile IPv6 Network
         Mobility with the MR-HA Bidirectional Tunnel (MRHA)", Internet
         Draft: draft-petrescu-nemo-mrha-00.txt, Work In Progress,
         October 2002.

   [8]  Ng, C. W. and Tanaka, T., "Securing Nested Tunnels Optimization
         with Access Router Option", Internet Draft:
         draft-ng-nemo-access-router-option-00.txt, Work In Progress,
         October 2002.

    [9] Arkko, J. et. al. ,"Using IPsec to Protect Mobile IPv6
Signaling between Mobile Nodes and Home Agents," Internet
Draft: draft-ietf-mobileip-mipv6-ha-ipsec-04.txt, March 2003.

















Authors' Addresses

   Souhwan Jung
Soongsil University
   1-1, Sangdo-dong, Dongjak-ku
   Seoul 156-743
   Korea

   Phone: +82-2-820-0714
   EMail: souhwanj@ssu.ac.kr


   Felix Wu
   Department of Computer Science
University of California, Davis
   USA

   Phone: +1-530-754-7070
   EMail: wu@cs.ucdavis.edu

   Hyungon Kim
   Seungwon Sohn
   Electronics and Telecommunications Research Institute








Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.