CS625 - Advanced Computer Networks
Instructor - Bhaskaran Raman
Lecture 17 - 12th September 2003
Scribe - Udai Singh Meena (Y0361)
Overview
- Mobile IP Security Issues
- Handoffs
- Multicast
Mobile IP (Recap)
Mobile IP is an open standard that lets a user keep the same IP address, stay connected and keep ongoing applications running while roaming between IP networks.
Mobile-IP Architecture
Terminology
- The Correspondent Host (CH) is a mobility-unaware host somewhere in the Internet that is currently communicating with the Mobile Host.
- The Mobile Host (MH) is a device such as a personal digital assistant or laptop whose software enables network roaming.
- The Home Agent (HA) is the router at the home network that redirects packets meant for the Mobile Host to its current position.
- The Foreign Agent (FA) is the router in the foreign network that delivers packets coming from the Home Agent to the Mobile Host.
- The Care of Address (COA) is the address, obtained from the Foreign Agent, at which the Mobile Host can be reached while it is in that network; the Home Agent tunnels the Mobile Host's packets to it.
Security Issues in Mobile IP
Authentication
between Mobile Host and Home Agent
- There can be a key k shared between the Home Agent and the Mobile Host.
When sending a new Care Of Address (COA) to the Home Agent, the Mobile Host
protects the registration with k, i.e. it sends k(COAnew, HAaddress)
(in practice a keyed authentication code over the fields, since the aim is
to prove that the update came from the holder of k, not to hide it).
Is this enough? No. Why not?
Because any other node can capture this packet and, after the genuine
Mobile Host has moved on or switched off, resend it to the Home Agent,
which will then redirect all traffic meant for the real node to the
captured COA. This is the Replay Attack. What can be done to avoid it?
Time stamping: the Mobile Host puts the current time inside the protected
packet, and the Home Agent rejects registrations whose time stamp is old
or not newer than the last one it accepted. This distinguishes a fresh
registration from a replayed one (it does require the two clocks to be
loosely synchronised). Instead of time stamps we can use random numbers
(nonces) shared between the Home Agent and the Mobile Host: the Mobile
Host includes the current nonce in the protected packet, and the Home
Agent accepts each nonce only once.
- One more possible way is "Challenge Response". It is not desirable
here because the extra round trip adds undue latency, and COA updates
have to be fast.
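The registration exchange above, worked through in code. This is an added example, not code from the lecture or from any Mobile IP implementation: the shared key k is a constructed constant, the registration is a tuple of fields plus an HMAC-SHA256 tag standing in for k(COAnew, HAaddress), and the time-stamp window is an assumed value. The Home Agent can run with no freshness check, with time stamps, or with nonces, so the same replay can be tried against all three.

```python
import hashlib
import hmac
import secrets

# Assumption: secret key k provisioned on both the Home Agent (HA) and the Mobile Host (MH).
SHARED_KEY = b"example-shared-key-k"
TIMESTAMP_WINDOW = 7  # seconds of clock skew the HA tolerates (assumed value)


def mac(key, fields):
    """Keyed MAC over the registration fields: the lecture's k(COAnew, HAaddress)."""
    body = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def mobile_host_registration(key, home_addr, coa_new, ha_addr, freshness=None):
    """MH builds a registration; `freshness` is a time stamp, a nonce, or None."""
    fields = (home_addr, coa_new, ha_addr)
    if freshness is not None:
        fields += (freshness,)
    return fields, mac(key, fields)


class HomeAgent:
    def __init__(self, key, addr, mode="none"):
        self.key, self.addr, self.mode = key, addr, mode
        self.bindings = {}   # home address -> current COA
        self.last_ts = {}    # home address -> newest time stamp accepted
        self.nonces = {}     # home address -> nonce the HA expects next

    def issue_nonce(self, home_addr):
        """HA hands the MH a fresh random number to include in its next registration."""
        self.nonces[home_addr] = secrets.token_hex(8)
        return self.nonces[home_addr]

    def register(self, fields, tag, now=0):
        # The MAC first: anyone without k cannot forge or alter a registration.
        if not hmac.compare_digest(tag, mac(self.key, fields)):
            return "rejected: bad MAC"
        home_addr, coa_new, ha_addr = fields[:3]
        if ha_addr != self.addr:
            return "rejected: not for this HA"
        extra = fields[3] if len(fields) > 3 else None
        if self.mode == "timestamp":
            # Reject if outside the skew window or not newer than the last accepted one.
            if (extra is None or abs(now - extra) > TIMESTAMP_WINDOW
                    or extra <= self.last_ts.get(home_addr, -1)):
                return "rejected: stale timestamp (replay)"
            self.last_ts[home_addr] = extra
        elif self.mode == "nonce":
            if extra is None or extra != self.nonces.get(home_addr):
                return "rejected: unknown nonce (replay)"
            del self.nonces[home_addr]  # each nonce is accepted exactly once
        self.bindings[home_addr] = coa_new
        return "accepted"


def replay_demo(mode):
    """Genuine registration at FA1, a move to FA2, then an attacker replays the FA1 packet."""
    ha = HomeAgent(SHARED_KEY, "HA", mode)
    home = "MH-home"

    def freshness(ts):
        if mode == "timestamp":
            return ts
        if mode == "nonce":
            return ha.issue_nonce(home)
        return None

    captured = mobile_host_registration(SHARED_KEY, home, "COA-at-FA1", "HA", freshness(1000))
    first = ha.register(*captured, now=1000)  # accepted in every mode
    ha.register(*mobile_host_registration(SHARED_KEY, home, "COA-at-FA2", "HA", freshness(1600)),
                now=1600)
    replayed = ha.register(*captured, now=1601)  # attacker has no k, only the old packet
    return first, replayed, ha.bindings[home]


def forgery_demo():
    """Without k an attacker cannot even construct a fresh registration."""
    ha = HomeAgent(SHARED_KEY, "HA")
    fields, _ = mobile_host_registration(b"wrong-key", "MH-home", "COA-attacker", "HA")
    return ha.register(fields, mac(b"wrong-key", fields))
```

With mode "none" the replay is accepted and the binding points back at COA-at-FA1, so the attacker sitting at FA1 receives the Mobile Host's traffic; with time stamps or nonces the same packet is rejected and the binding stays at COA-at-FA2. The time-stamp check needs the "not newer than the last accepted" condition as well as the skew window, otherwise a packet replayed within the window would still get through.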
How to avoid triangular routing
- The Home Agent sends a binding update to the CH as soon as it sees the
first redirected packet, so that further communication can be direct,
i.e. between the CH and the Mobile Host. For this we need an
authentication protocol between the Home Agent and the CH. But there are
many CHs, and we do not know about them beforehand, so no key can be
shared in advance. What can be done? Send this information in plain text,
unauthenticated.
- The CH can ask the Home Agent for binding updates. It can be shown that
the security level in this case is the same as that of the current
Internet. Let us see how. Here an attacker has to sit between the CH and
the Home Agent to tamper with the reply. Also, to send a spurious binding
update to the CH, it has to be in the same network as the Home Agent,
because the CH only accepts a reply that appears to come from the Home
Agent's address. This means a node in the same network can cause
problems, which it can equally do in the Internet today: a node can send
packets using any source address belonging to its own network, and the
routers (even ones with source filtering) will not reject them.
Handoffs
A handoff is the Mobile Host moving from one Foreign Agent to another. It
introduces some latency, during which packets still arriving at the old
Foreign Agent would otherwise be lost. Here we have two possibilities.
- The Mobile Host can notify the previous FA immediately, so that further packets arriving at the previous Foreign Agent are forwarded to the new one.
- The Home Agent can hold simultaneous bindings. This means that for every packet that arrives at the Home Agent, it makes copies and sends one to each of the Foreign Agents currently in its list for that Mobile Host.
Security Association between Mobile Host and the Foreign Agent
A security association (a shared key) between the Mobile Host and the
Foreign Agent should be established while the Mobile Host is getting
service from that Foreign Agent. Then, when it reports a new Foreign
Agent, the Mobile Host can use this shared key to authenticate the update
it sends to the old Foreign Agent, so that an outsider cannot redirect
its packets.
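Both handoff mechanisms, plus the Mobile Host to Foreign Agent security association that protects the first of them, as one added example. It is not code from the lecture or from any Mobile IP implementation: the per-FA keys, agent names and packets are constructed, the "handoff notify" message is a hypothetical one authenticated with HMAC-SHA256 under the key the MH agreed with that FA, and attachment to a link is modelled with an explicit attach/detach call.

```python
import hashlib
import hmac

# Assumption: keys agreed between the MH and each FA while the MH is served there.
K_FA1 = b"key-shared-by-MH-and-FA1"
K_FA2 = b"key-shared-by-MH-and-FA2"


def mac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


class ForeignAgent:
    def __init__(self, name):
        self.name = name
        self.keys = {}         # home address -> key agreed while the MH was served here
        self.attached = set()  # home addresses of MHs physically reachable on this FA's link
        self.forward_to = {}   # home address -> the FA the MH reported it moved to
        self.delivered = []    # (home address, payload) handed to an attached MH

    def attach(self, home_addr, key):
        self.keys[home_addr] = key
        self.attached.add(home_addr)

    def detach(self, home_addr):
        """The MH physically leaves; the FA keeps the key but is not told yet."""
        self.attached.discard(home_addr)

    def handoff_notify(self, home_addr, new_fa, tag):
        """MH tells its previous FA where it went; checked with the key they share."""
        key = self.keys.get(home_addr)
        body = f"{home_addr}->{new_fa.name}".encode()
        if key is None or not hmac.compare_digest(tag, mac(key, body)):
            return False  # an outsider cannot redirect the MH's packets
        self.forward_to[home_addr] = new_fa
        return True

    def deliver(self, home_addr, payload):
        """Return the name of the FA that delivered the packet, or None if it was lost."""
        if home_addr in self.forward_to:
            return self.forward_to[home_addr].deliver(home_addr, payload)
        if home_addr in self.attached:
            self.delivered.append((home_addr, payload))
            return self.name
        return None


class HomeAgent:
    def __init__(self):
        self.bindings = {}  # home address -> list of FAs (more than one = simultaneous bindings)

    def bind(self, home_addr, fa, simultaneous=False):
        if simultaneous:
            self.bindings.setdefault(home_addr, []).append(fa)
        else:
            self.bindings[home_addr] = [fa]

    def tunnel(self, home_addr, payload):
        """One copy per bound FA; returns where each copy ended up."""
        return [fa.deliver(home_addr, payload) for fa in self.bindings.get(home_addr, [])]


def handoff_with_forwarding():
    ha, fa1, fa2 = HomeAgent(), ForeignAgent("FA1"), ForeignAgent("FA2")
    home = "MH-home"
    fa1.attach(home, K_FA1)
    ha.bind(home, fa1)
    # MH moves to FA2; the HA has not heard yet and keeps tunnelling to FA1.
    fa1.detach(home)
    fa2.attach(home, K_FA2)
    body = f"{home}->{fa2.name}".encode()
    forged = fa1.handoff_notify(home, fa2, mac(b"attacker-guess", body))
    lost = ha.tunnel(home, "pkt-1")       # FA1 has no forwarding entry: packet lost
    genuine = fa1.handoff_notify(home, fa2, mac(K_FA1, body))
    forwarded = ha.tunnel(home, "pkt-2")  # FA1 now forwards to FA2
    return forged, lost, genuine, forwarded, fa2.delivered


def simultaneous_bindings():
    ha, fa1, fa2 = HomeAgent(), ForeignAgent("FA1"), ForeignAgent("FA2")
    home = "MH-home"
    fa1.attach(home, K_FA1)
    fa2.attach(home, K_FA2)
    ha.bind(home, fa1)
    ha.bind(home, fa2, simultaneous=True)
    fa1.detach(home)  # MH is really at FA2, but the HA copies to both
    return ha.tunnel(home, "pkt-3"), fa1.delivered, fa2.delivered
```

The first scenario shows why the security association matters: before the authenticated notification the packet tunnelled to FA1 is lost, and a notification under a guessed key is refused, so only the Mobile Host itself can set up the forwarding. The second shows the cost of simultaneous bindings: every packet is duplicated to each bound FA and the copies that miss the Mobile Host are simply wasted.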
Multicast
Multicast means transmission of a packet to a subset of the hosts in the
network. An efficient multicast facility provides packet delivery to
groups of hosts at lower network and host overhead than broadcasting to
all hosts or unicasting to each host in the group.
Multicast can be scoped. It can be administratively scoped, meaning that
the administrator of the network decides which part of the network a
multicast group is confined to. It can be hop-count scoped, where the
number of hops from the sender decides whether a node receives the
multicast or not.
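The two kinds of scoping as a router's forwarding decision, added here as an example that is not from the lecture or from any multicast routing software. Hop-count scoping is modelled the way multicast routers commonly do it, with a TTL threshold per interface; administrative scoping uses the IPv4 administratively scoped block 239.0.0.0/8 (RFC 2365) as the group range that must not cross an interface marked as a boundary. The interface names and threshold values are constructed for the example.

```python
import ipaddress

# IPv4 administratively scoped multicast block (RFC 2365); assumed to be what the
# network's administrator has fenced off at the site boundary.
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")


class Interface:
    def __init__(self, name, ttl_threshold=1, admin_boundary=False):
        self.name = name
        self.ttl_threshold = ttl_threshold    # forward only if remaining TTL >= this
        self.admin_boundary = admin_boundary  # True: admin-scoped groups never cross here


def forward_decision(group, ttl_on_arrival, iface):
    """Does a router forward this packet out of `iface`? (TTL is decremented first.)"""
    ttl = ttl_on_arrival - 1
    if ttl <= 0:
        return False
    if iface.admin_boundary and ipaddress.ip_address(group) in ADMIN_SCOPED:
        return False
    return ttl >= iface.ttl_threshold


def router_fanout(group, ttl, ifaces):
    """Names of the interfaces a router copies the packet to."""
    return [i.name for i in ifaces if forward_decision(group, ttl, i)]


def hops_reached(group, ttl, chain):
    """Walk a linear chain of routers; count how many forward the packet onward."""
    count = 0
    for iface in chain:
        if not forward_decision(group, ttl, iface):
            break
        ttl -= 1
        count += 1
    return count


# Constructed example router: thresholds are illustrative, not standard values.
EDGE_ROUTER = [
    Interface("lan", ttl_threshold=1),
    Interface("campus-link", ttl_threshold=16),
    Interface("isp-uplink", ttl_threshold=64, admin_boundary=True),
]
```

A packet for 239.1.2.3 sent with TTL 255 still reaches the LAN and the campus link but is stopped at the ISP uplink by the administrative boundary, whereas 224.2.2.2 with the same TTL leaves through all three; the same non-scoped group sent with TTL 5 only reaches the LAN, because after decrement its TTL is below the campus threshold. A sender that wants a packet to stay within two routers of itself sets TTL 3.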
This brings us to the end of this lecture. Next Lecture will describe Multicast in detail. Please don't forget to read the assigned reading for the same.