Section 11.5. Security

11.5. Security

If the data flow between home agent and mobile node is not secured, there are many possibilities for attacksfor example, Man-in-the-Middle attacks, Hijacking, or Denial of Service attacks.

To secure the tunnel between home agent and mobile node, an IPsec tunnel is configured. IPsec ESP is required for Mobile IPv6 messages. The Mobile IPv6 specification details this.

The following data flows have to be secured:

  • Binding Update and Binding Ack between MN and HA

  • Home Test Init and Home Test messages sent via HA during the Return Routability procedure

  • ICMPv6 messages between MN and HA used for prefix discovery

All control messages between mobile node and home agent need authentication, integrity, proper sequencing, and anti-replay protection. This protection requires a Security Association between home agent and mobile node. IPsec does not provide any means to control the sequence of messages. A correct sequence is given by the Sequence number in Binding Update and Acknowledgement messages. Higher protection from replay attacks can be provided only when Internet Key Exchange (IKE) is used.

For a description of security terms and concepts, refer to Chapter 5.

Binding Updates between the mobile node and correspondent node are protected by the SA established during the Return Routability procedure. Binding Updates between the mobile node and correspondent node must also be protected by the Binding Authorization Data option. This option includes a Binding Management Key, which is generated during the Return Routability procedure.

A more detailed discussion of Security aspects and mechanisms with Mobile IPv6 can be found in RFC 3775 ("Mobility Support in IPv6") and RFC 3776 ("Using IPsec to Protect Mobile IPv6 Signaling between mobile nodes and home agents"), as well as in general security RFCs.

RFC 4285, "Authentication Protocol for Mobile IPv6," specifies an alternate mechanism to secure MIPv6 messages in 3GPP2 networks. It is an informational RFC not reviewed by the IETF and consists of a MIPv6-specific mobility message authentication option that can be added to MIPv6 signaling messages.

IPv6 Essentials
IPv6 Essentials
ISBN: 0596100582
EAN: 2147483647
Year: 2004
Pages: 156
Authors: Silvia Hagen

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: