Secure Mobile IPv6 for B3G Networks. Advisor: Prof. 黃培壝; Student: 藍成浩.

Dec 26, 2015

Page 1: Secure Mobile IPv6 for B3G Networks. Advisor: Prof. 黃培壝; Student: 藍成浩.

Secure Mobile IPv6 for B3G Networks

Advisor: Prof. 黃培壝; Student: 藍成浩

Page 2

Author and Source

Celentano, D.; Fresa, A.; Longo, M.; Postiglione, F.; Robustelli, A.L.

Software in Telecommunications and Computer Networks, 2006. SoftCOM 2006. International Conference on, Sept. 2006, Page(s): 331-335

Page 3

Outline

Introduction

The IMS Scenario

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

Deploying MIPv6 In IMS Networks

A Solution To MIPv6 Security Threats

Conclusion

Page 4

Introduction

Beyond-3G (B3G).

B3G is not the same as 3G.

B3G integrates heterogeneous multi-access networks through IP (Internet Protocol), letting users roam between the various networks and enjoy seamless access services anytime, anywhere.

Page 5

Introduction

Among B3G access technologies, OFDM draws the most attention.

OFDM is a multi-carrier modulation technique: a large number of signals on carriers of different frequencies are combined into a single signal for transmission.

Suited to high-speed broadband wireless transmission

Strong resistance to noise and fading

Page 6

Introduction

3GPP defined a network infrastructure named the IP Multimedia Subsystem (IMS).

It is a common platform based on SIP (Session Initiation Protocol).

Providing all real-time multimedia services to mobile users through the IP technology.

Page 7

Introduction

MIPv6 permits an IPv6 user terminal to be reached and to reach other users while roaming across various subnets.

However, MIPv6 has some security weaknesses in heterogeneous wireless networks.

Serious security threats are currently associated with the delivery of the messages a mobile terminal sends to its correspondents to notify them of its new MIPv6 contact address.

Page 8

Introduction

The authors propose integrating the MIPv6 framework into SIP-based IMS networks while providing telephone-class security standards.

They improve the security level of the MIPv6 signalling messages exchanged, in order to allow seamless session continuity.

Page 9

The IMS Scenario

IMS will play an important role in B3G all-IP networks.

It offers to telecom operators the opportunity to build a unified and open service infrastructure.

Easy deployment of new and rich real-time multimedia communication services.

Page 10

The IMS Scenario

IMS introduced the Call Session Control Function (CSCF) servers that represent the core elements.

Types of CSCF:

P-CSCF (Proxy-CSCF)

I-CSCF (Interrogating-CSCF)

S-CSCF (Serving-CSCF)

Essentially they are all SIP servers that handle SIP signalling.

Page 11

The IMS Scenario

Page 12

The IMS Scenario

In such a scenario, a top priority for both users and operators is to achieve secure communications.

The authors provide a robust framework to guarantee users' identities and to prevent session hijacking and attacks.

Page 13

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

[Figure: Triangle routing: (1) the CN sends a packet to the HA, (2) the HA forwards it to the MN as a tunneled packet, (3) the MN sends its packets directly to the CN. Route optimization: (1) the MN sends a Binding Update to the CN, (2) packets then flow directly between CN and MN.]

Page 14

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

MIPv6 presents some security vulnerabilities when adopted in heterogeneous wireless networks.

In particular, security threats may arise when the MN sends BU messages to its CN(s).

Security between the MN and the HA, by contrast, is guaranteed by adopting IPsec [8] together with the Encapsulating Security Payload (ESP) protocol [9].

Page 15

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

Page 16

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

The MN stores these cookie values so that it can check that the cookies returned by the CN are the same.

The CN generates:

The MN uses these two tokens to generate a key, and then sends a BU to the CN for authentication.

Page 17

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

If the authentication data of the BU is valid, the correspondent node adds an entry in its Binding Cache for the particular MN and sends a BA message. Upon receipt of the BA message, the MN adds an entry to its Binding Update List for the CN.

First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | BU)))
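The Return Routability key derivation and the BU authenticator from the formula above, as an added example that is not part of the original slides or of the paper: Kbm is SHA1 over the two keygen tokens (RFC 3775), and the CN recomputes First(96, HMAC_SHA1(Kbm, CoA | CN | BU)) before accepting a binding. The tokens, addresses and BU payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample keygen tokens (8 bytes each, the RFC 3775 size); not from the paper.
HOME_KEYGEN_TOKEN = bytes.fromhex("0011223344556677")
CAREOF_KEYGEN_TOKEN = bytes.fromhex("8899aabbccddeeff")

# Constructed addresses: the MN's care-of address and the correspondent node.
COA = "2001:db8:1::10"
CN_ADDR = "2001:db8:2::20"


def derive_kbm(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token), as in RFC 3775 section 5.2.5."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm: bytes, coa: str, cn: str, bu_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | BU)): the 12-byte result."""
    msg = ipaddress.IPv6Address(coa).packed + ipaddress.IPv6Address(cn).packed + bu_data
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


def cn_accepts_bu(kbm: bytes, coa: str, cn: str, bu_data: bytes, auth: bytes) -> bool:
    """CN side: recompute the authenticator and compare in constant time."""
    return hmac.compare_digest(bu_authenticator(kbm, coa, cn, bu_data), auth)


def demo() -> tuple:
    kbm = derive_kbm(HOME_KEYGEN_TOKEN, CAREOF_KEYGEN_TOKEN)
    bu = b"BU:seq=1;lifetime=420"  # constructed stand-in for the Mobility Header data
    auth = bu_authenticator(kbm, COA, CN_ADDR, bu)
    genuine = cn_accepts_bu(kbm, COA, CN_ADDR, bu, auth)
    # The same authenticator presented with another care-of address fails: the CoA is
    # part of the HMAC input, so a captured BU cannot be re-used to bind a different address.
    replayed = cn_accepts_bu(kbm, "2001:db8:3::30", CN_ADDR, bu, auth)
    return genuine, replayed
```

Because Kbm depends only on the two tokens, whoever obtains both tokens can compute it, which is the weakness the slides describe next and the reason the paper moves key distribution into SIP signalling.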

Page 18

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

Page 19

Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure

A malicious node, aware of a session between MN and CN, might simulate a handoff of the MN by sending fake HoTI and CoTI messages.

In such a way, it can obtain Kbm and send a fake BU to the CN in order to redirect the MN-CN communication to itself (Impersonation Attack) or possibly also forward the traffic to the MN.

Page 20

Deploying MIPv6 In IMS Networks

This section uses an IMS SIP-based network to analyse the mechanism proposed by the authors.

It covers the architectural implications of the SIP signalling infrastructure and the advantages of integrating MIPv6 within IMS for mobility management and security.

Page 21

Deploying MIPv6 In IMS Networks

The IMS defines a security mechanism which verifies that the IPv6 packet source address of SIP messages originating from the MN corresponds to the IPv6 address reported in the SIP headers.

Hence, this necessarily requires the MN to use the same address for both the IPv6 packet source address and the IPv6 address used at SIP level.

Page 22

Deploying MIPv6 In IMS Networks

Therefore, several scenarios are possible for address management [12]:

(i) During SIP registration and session establishment, the MN uses its CoA as the source address. The MN then needs to re-register the new CoA with the Serving-CSCF every time it changes link;

In real-time communications this would cause loss of RTP packets while the re-INVITE procedure is completed and does not guarantee TCP-based sessions continuity;

Page 23

Deploying MIPv6 In IMS Networks

(ii) In SIP signalling, the MN provides both the CoA and the HoA. This requires changes to the current SIP standards and is therefore neither easily feasible nor recommended;

(iii) During SIP registration and session establishment, the MN provides the HoA as the IPv6 source address.

Page 24

Deploying MIPv6 In IMS Networks

In this way, when the MN changes CoA it does not need to re-register or re-invite other nodes, but updates the new CoA through MIPv6 signalling. If we suppose that the SIP proxy (P-CSCF) supports the MIPv6 stack, then the SIP application can be completely unaware of changes to the MN's CoA.

Therefore approach (iii) is efficient and has low impact on existing applications, protocols and nodes.

Page 25

A Solution To MIPv6 Security Threats

The security vulnerabilities in an MIPv6-enabled IMS network were discussed earlier.

As in [13], the authors propose generating the authentication key Kbm at call setup (INVITE message) and distributing it to the MN and CN within the body of the SIP 200 OK and ACK messages, instead of using the RRP procedure.

Page 26

A Solution To MIPv6 Security Threats

The distribution of the keys is secured between any SIP user (MN and CN) and its own P-CSCF by IPsec with ESP.

It is important to highlight that this procedure is performed only at the beginning of a communication session, while the standard MIPv6 RRP between MN and CN should be repeated, together with the BU, after every terminal handoff.

Such improvement can appreciably reduce end-to-end delays during real-time communications.

Page 27

A Solution To MIPv6 Security Threats

Page 28

A Solution To MIPv6 Security Threats

Page 29

A Solution To MIPv6 Security Threats

Using only the Kbm key protects against attacks from third parties.

Our proposal against this kind of threat is based on the use of the AAA server, which must generate an additional key, named Ka.

During the INVITE phase, Ka is sent to P-CSCF1 and the CN, but not to the MN.

Page 30

A Solution To MIPv6 Security Threats

The MN, after roaming to a new subnet and acquiring a new CoA, performs a BU towards its P-CSCF;

In the subsequent BA answer message, the MN is provided with a value CoA-Auth, generated by the P-CSCF as a hash function of Ka and the new CoA.

Page 31

A Solution To MIPv6 Security Threats

The subsequent BU to the CN will then include the value CoA-Auth, which the CN uses (together with the Ka key) to authenticate the MN's new CoA.

However, in order to include the CoA-Auth value in the BA and BU messages, a new “IMS Care-of-Address Authentication” MIPv6 Mobility Option must be adopted.
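The CoA-Auth exchange of pages 29 to 31 as an added example, not code from the paper: the P-CSCF and the CN both hold Ka, the MN never does, and the CN accepts a new CoA only when the CoA-Auth option matches it. The paper only says "a hash function of Ka and the new CoA"; keying HMAC-SHA1 with Ka and truncating to 96 bits, the Ka value and the addresses are this example's assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed values, not from the paper: the key Ka (in practice generated by the AAA
# server and handed to P-CSCF and CN during INVITE) and the MN's new care-of address.
KA = bytes.fromhex("5ad9f1c4e0b27a33ce1f0a9b48d6e2f1")
NEW_COA = "2001:db8:4::40"


def coa_auth(ka: bytes, coa: str) -> bytes:
    """CoA-Auth over Ka and the CoA. HMAC-SHA1 truncated to 96 bits is an assumption;
    the paper specifies only 'a hash function of Ka and the new CoA'."""
    return hmac.new(ka, ipaddress.IPv6Address(coa).packed, hashlib.sha1).digest()[:12]


class PCSCF:
    """Holds Ka. Answers the MN's BU with a BA carrying CoA-Auth for the bound CoA."""
    def __init__(self, ka: bytes):
        self._ka = ka

    def handle_bu(self, bound_coa: str) -> dict:
        return {"type": "BA", "coa": bound_coa, "coa_auth": coa_auth(self._ka, bound_coa)}


class CorrespondentNode:
    """Also holds Ka. Installs a binding only if the CoA-Auth option matches the claimed CoA."""
    def __init__(self, ka: bytes):
        self._ka = ka
        self.binding_cache = {}  # HoA -> CoA

    def handle_bu(self, hoa: str, bu: dict) -> bool:
        expected = coa_auth(self._ka, bu["coa"])
        if not hmac.compare_digest(expected, bu["coa_auth"]):
            return False  # CoA not endorsed by the P-CSCF: reject the binding
        self.binding_cache[hoa] = bu["coa"]
        return True


def demo() -> tuple:
    pcscf, cn = PCSCF(KA), CorrespondentNode(KA)
    hoa = "2001:db8::1"  # constructed home address of the MN
    # After the handoff the MN (which never sees Ka) sends a BU to its P-CSCF and receives
    # CoA-Auth in the BA; it then forwards that value to the CN in the new mobility option.
    ba = pcscf.handle_bu(NEW_COA)
    accepted = cn.handle_bu(hoa, {"coa": NEW_COA, "coa_auth": ba["coa_auth"]})
    # A BU that claims a CoA the P-CSCF did not endorse is rejected, because CoA-Auth for
    # that address cannot be produced without Ka.
    rejected = cn.handle_bu(hoa, {"coa": "2001:db8:9::99", "coa_auth": ba["coa_auth"]})
    return accepted, rejected
```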

Page 32

Conclusion

In this paper the authors propose a way to achieve seamless session mobility in an MIPv6-enabled IMS network.

The IMS centralised AAA Server will generate, manage and distribute the MIPv6 authentication keys, thus increasing security.

Furthermore, the handoff latency is consequently minimised, as already shown in [13].