NEMO Working Group                                          Seongho Cho
Internet Draft                                              Jongkeun Na
Document: draft-cho-nemo-threat-multihoming-00.txt        Chongkwon Kim
                                             Seoul National University
Expires: August 4, 2004                                    Sungjin Lee
                                                         Hyunjung Kang
                                                          Changhoi Koo
                                                   Samsung Electronics
                                                      February 4, 2004

               Threat for Multi-homed Mobile Networks
               draft-cho-nemo-threat-multihoming-00

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 4, 2004.

Abstract

   In mobile networks, the Mobile Router (MR) is the main operational
   entity. With multiple MRs, a mobile network can provide stable
   service, and various multi-homing scenarios already exist. However,
   because of mobility and the MR-HA relations, multi-homed mobile
   networks have several security problems. In this draft, we identify
   threats to multi-homed mobile networks and illustrate several
   scenarios of Denial-of-Service (DoS) attacks, redirection attacks,
   and replay attacks.

Cho, et al.
Expires - August 2004                                          [Page 1]

Internet Draft     Threat for Multi-homed Mobile Networks  February 2004

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.

Table of Contents

   1. Multi-homing in Mobile Networks
   2. Related Multi-homing Scenarios
   3. Denial-of-Service (DoS) Attacks
   4. Redirection Attack
      4.1 Redirection for Cryptographic Analysis
      4.2 Redirection for DoS Attack Stream
      4.3 Stream Redirection from the Attacker Node
   5. Replay Attack
   6. Other Kinds of Attacks
   References
   Acknowledgments
   Author's Addresses

1. Multi-homing in Mobile Networks

   The NEMO Basic Support Protocol [1] has been proposed to provide
   transparent mobility to the mobile network nodes (MNNs) that move
   together with a mobile network. Using MR-HA bi-directional
   tunneling, the MR provides session mobility, continuity, and
   connectivity for all nodes in the mobile network as the network
   moves. Because the MR manages every session of the mobile network,
   the availability of the MR affects all of those sessions.

   This raises a fault tolerance problem. Concentrating operation on a
   single MR creates a single point of failure: because the egress MR
   is responsible for the operation of all mobile nodes inside the
   subnet, a single MR failure can suspend network service.
   In particular, egress channel or MR node availability affects
   session continuity and quality of service. Therefore, multiple MRs
   are required in large networks such as a train, bus, or airplane. A
   further benefit of multi-homing is traffic load sharing across
   multiple MRs; static and dynamic load sharing mechanisms are
   possible at both the HA level and the MR level.

   To support fault tolerance and load sharing, various types of
   multi-homed mobile networks have been considered in several drafts
   [2, 3, 4]. Multi-homing can improve the performance of the mobile
   network and brings several operational advantages, such as load
   balancing, network access cost optimization and optimal handover
   decision. Specific benefits of multi-homing are described in the
   multi-homing issues draft [2].

   The NEMO threat analysis drafts [5, 6] treat threats to the NEMO
   basic support protocol. In this draft, we introduce several threats
   to multi-homed mobile networks and illustrate some attack scenarios
   against them.

2. Related Multi-homing Scenarios

   The multi-homing issues draft [2] treats various scenarios. Our
   concern, however, is the NEMO-specific scenarios, which can differ
   from the site multi-homing model with multiple ISPs. Based on that
   draft, we describe the scope of the multi-homed mobile networks we
   consider by their configuration.

   Our main focus is on scenarios with multiple Home Agents (HAs). In
   the notation of the multi-homing draft [2], these are the (1, N, 1),
   (N, N, 1), (1, N, N) and (N, N, N) cases. The current NEMO basic
   support protocol adds no messages to Mobile IPv6. In the presence of
   multiple HAs, however, the multi-homed mobile network can be
   insecure without information about the neighbor MR-HA relations.
   In particular, in the (N, N, 1) and (N, N, N) cases, the multiple
   MR-HA relations can lead to severe security problems. In the
   S/mP-(N, N, 1) case, a different ISP controls each HA and the HAs
   cannot share neighbor information, so recovering a tunnel through
   another MR is difficult. For load balancing or fault recovery, a
   binding update sent by a neighbor MR can be false if no neighbor
   MR-HA information is available. In this draft, we focus on threats
   to multi-homed mobile networks with multiple HAs.

3. Denial-of-Service (DoS) Attacks

   In this section, we describe possible Denial-of-Service (DoS)
   attacks. Even though some of them are not NEMO specific, these DoS
   attacks can be a preparation for another attack on the mobile
   network, so we describe them briefly.

   In mobile networks, the MR can be exposed to various DoS attacks.
   Because the MR is mobile, its access links are usually wireless
   channels, so simple channel jamming can make the service
   unavailable. Packet flooding of the MR can likewise make normal
   service unavailable to the mobile network.

   Apart from packet flooding, the MR maintains a binding update list
   and a home agent list. If malicious nodes keep updating binding
   information, or keep sending route optimization [7] requests to the
   correspondent node (CN), these data structures of the MR can
   overflow. Such DoS attacks can be classified as DoS attacks on the
   binding-related data structures of the MR. To prevent this kind of
   attack, the data structures should be updated only after the
   requesting node has been verified, and stale entries in the binding
   update list should be managed efficiently.

   Finally, a black hole attack can also be described as a DoS attack:
   if the egress MR does not forward packets to their destination, the
   flow cannot be served at all.
   This attack is very simple, but significant. Service unavailability
   of the MR, whether caused by a DoS attack or by MR failure, requires
   tunnel recovery to an alternative tunnel in multi-homed mobile
   networks.

4. Redirection Attack

   Various types of redirection attacks are possible in multi-homed
   mobile networks: redirection for cryptographic analysis, redirection
   for a DoS attack stream, and stream redirection from the attacker
   node. Each attack is described below.

   [Figure 1: ASCII diagram not recoverable from this copy. Labels
   present: HA1 and HA2, the Internet, two access routers (AR), MR1,
   MR3, MR4 and a Fake MR, and the nodes MNN1, MNN2 and MNN3. The
   original flow tunnel from HA1 through MR1 reaches MNN1; a recovered
   tunnel from HA2 ends at the Fake MR, which redirects the flow toward
   MNN3.]

                 Figure 1. Redirection Attack by Fake MR

4.1 Redirection for Cryptographic Analysis

   In redirection for cryptographic analysis, the fake MR presents
   itself as an alternative MR to the multi-homed mobile network. After
   the fake MR takes over the tunnel previously served by the primary
   MR, it can cause packets to be sent to the attacker. The attacker
   might receive the packets to inspect or modify the payload, or apply
   cryptographic analysis to find the secret key or decrypt the
   original data. In Figure 1, the Fake MR can forward the original
   flow to MNN3, which is the attacker. The attacker node can then
   analyze the packet flows to break the security association between
   HA1 and MR1, or between HA_MNN1 and MNN1.

4.2 Redirection for DoS Attack Stream

   Redirected packets can be used as attack flows against another MR
   or MNN. Such packets can overload an unrelated link, and in this
   case the attacker may be able to hide its location and identity. In
   Figure 1, the Fake MR can forward the original flow to MNN3, which
   is now a victim node.
   MNN3 then suffers a DoS attack stream, which appears to come from
   the CN of MNN1.

4.3 Stream Redirection from the Attacker Node

   Similarly, the Fake MR can lead an MNN to accept the attacker's
   packets: unexpected packets can be delivered to the MNN by the
   redirection attack. In Figure 1, MNN3 can receive the attack stream
   through the Fake MR, or MNN1 can receive an attack stream that comes
   not from the original CN but from the attacker. Of course, this case
   is not specific to multi-homed mobile networks.

   To prevent this kind of redirection attack, the existence of a
   neighbor egress MR should be identified and the MR should be
   authenticated; from this authentication, non-repudiation can be
   obtained. To support authentication, an alternative MR registration
   mechanism is required. Providing alternative MR registration
   requires MR-HA communication and HA-HA communication: from the
   MR-HA communication, the HA can register neighbor MR information,
   and from the HA-HA communication, the validity of the neighbor MR's
   binding update information toward its own HA can be obtained.

5. Replay Attack

   In mobile networks, the MR is mobile, so neighbor information can
   become stale after the neighbor moves away. Using previous neighbor
   information, a malicious MR can send a binding update to a false
   CoA. The malicious MR can move elsewhere, or an MR that has already
   moved can be compromised for the replay attack, and this attack can
   be used as another redirection attack. In Figure 2, after the Fake
   MR changes its point of attachment, it can send a Binding Update
   message to the wrong place using previous neighbor information. In
   this case, redirection attacks similar to those in Section 4 are
   possible.

   To prevent the replay attack, the HA should keep the neighbor MR
   information.
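   The following program is an added example and is not part of this
   draft or of the NEMO protocol. It shows how the mitigations
   described in Sections 3, 4.3 and 5 fit together on the HA side:
   neighbor MR information is stored only after the requesting MR has
   been verified and the table is bounded (Section 3); a recovery
   Binding Update is accepted only from an MR currently registered as a
   neighbor, with its registered CoA, and confirmed through a
   hypothetical HA-HA query (Section 4.3); and neighbor entries expire
   by TTL or are removed explicitly when the neighbor MR's movement is
   detected (Section 5). The registration and BU message layout, the
   pre-shared keys, the addresses and the peer_ha_query callback are
   all constructed for this example.

```python
"""Added example, not from the draft: a Home Agent side neighbor-MR registry
applying the mitigations of Sections 3, 4.3 and 5. The message layout, the
pre-shared keys and the HA-HA query are all constructed for this example."""
import hashlib
import hmac


def make_tag(key: bytes, *fields: str) -> str:
    """HMAC over the message fields; stands in for the MR-HA security association."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class HomeAgentRegistry:
    def __init__(self, shared_keys, peer_ha_query, max_neighbors=4, ttl=30.0):
        self.shared_keys = shared_keys      # MR id -> key (assumed existing MR-HA SA)
        self.peer_ha_query = peer_ha_query  # hypothetical HA-HA check: (mr, coa) -> bool
        self.max_neighbors = max_neighbors  # bound per primary MR (Section 3 overflow)
        self.ttl = ttl                      # neighbor entry lifetime (Section 5 TTL)
        self.neighbors = {}                 # primary MR -> {neighbor MR: (coa, expires_at)}

    def _verified(self, mr_id, tag, *fields):
        """Nothing is stored or acted on before the sender is verified (Section 3)."""
        key = self.shared_keys.get(mr_id)
        return key is not None and hmac.compare_digest(make_tag(key, *fields), tag)

    def _expire(self, primary, now):
        """Drop stale neighbor entries so they can neither be replayed nor pile up."""
        table = self.neighbors.get(primary, {})
        for nid in [n for n, (_, expires_at) in table.items() if expires_at <= now]:
            del table[nid]

    def register_neighbor(self, primary, neighbor, coa, tag, now):
        """Alternative MR registration sent by the primary MR (Section 4.3)."""
        if not self._verified(primary, tag, "REG", primary, neighbor, coa):
            return "rejected: unverified"
        self._expire(primary, now)
        table = self.neighbors.setdefault(primary, {})
        if neighbor not in table and len(table) >= self.max_neighbors:
            return "rejected: neighbor table full"
        table[neighbor] = (coa, now + self.ttl)
        return "registered"

    def neighbor_moved(self, primary, neighbor):
        """Explicit removal once the neighbor MR's movement is detected (Section 5)."""
        return self.neighbors.get(primary, {}).pop(neighbor, None) is not None

    def recovery_binding_update(self, primary, alt_mr, coa, tag, now):
        """Binding Update from an alternative MR asking to take over the tunnel."""
        if not self._verified(alt_mr, tag, "BU", primary, alt_mr, coa):
            return "rejected: unverified"
        self._expire(primary, now)
        entry = self.neighbors.get(primary, {}).get(alt_mr)
        if entry is None:
            return "rejected: not a registered neighbor"
        if entry[0] != coa:
            return "rejected: CoA mismatch"
        if not self.peer_ha_query(alt_mr, coa):
            return "rejected: peer HA does not confirm binding"
        return "accepted"


def run_scenario():
    """Constructed walk-through: MR1 is the primary MR, MR3 and MR4 its
    neighbors, and 'FakeMR' shares no key with this HA."""
    keys = {"MR1": b"k-mr1", "MR3": b"k-mr3", "MR4": b"k-mr4"}
    confirmed = {("MR3", "2001:db8:2::3")}  # bindings the peer HA would vouch for
    ha = HomeAgentRegistry(keys, lambda mr, coa: (mr, coa) in confirmed, ttl=30.0)

    def reg(mr, coa):  # registration tag as MR1 would compute it
        return make_tag(keys["MR1"], "REG", "MR1", mr, coa)

    def bu(mr, coa, key):  # BU tag as the alternative MR would compute it
        return make_tag(key, "BU", "MR1", mr, coa)

    out = []
    # 1. MR1 registers MR3 as its alternative MR; verified, so it is stored.
    out.append(ha.register_neighbor("MR1", "MR3", "2001:db8:2::3", reg("MR3", "2001:db8:2::3"), 0.0))
    # 2. A fake MR cannot register itself: it shares no key with this HA.
    out.append(ha.register_neighbor("MR1", "FakeMR", "2001:db8:9::1",
                                    make_tag(b"guess", "REG", "MR1", "FakeMR", "2001:db8:9::1"), 1.0))
    # 3. Tunnel recovery through MR3 is accepted while its registration is valid.
    bu3 = bu("MR3", "2001:db8:2::3", keys["MR3"])
    out.append(ha.recovery_binding_update("MR1", "MR3", "2001:db8:2::3", bu3, 10.0))
    # 4. MR3 moves away (detected); the same BU replayed afterwards is refused.
    ha.neighbor_moved("MR1", "MR3")
    out.append(ha.recovery_binding_update("MR1", "MR3", "2001:db8:2::3", bu3, 12.0))
    # 5. Re-registered at t=12, but the 30 s TTL has lapsed when the BU arrives at t=50.
    out.append(ha.register_neighbor("MR1", "MR3", "2001:db8:2::3", reg("MR3", "2001:db8:2::3"), 12.0))
    out.append(ha.recovery_binding_update("MR1", "MR3", "2001:db8:2::3", bu3, 50.0))
    # 6. MR4 is registered, but a BU naming another CoA, or one the peer HA
    #    does not confirm, is still refused.
    ha.register_neighbor("MR1", "MR4", "2001:db8:3::4", reg("MR4", "2001:db8:3::4"), 50.0)
    out.append(ha.recovery_binding_update("MR1", "MR4", "2001:db8:3::9",
                                          bu("MR4", "2001:db8:3::9", keys["MR4"]), 51.0))
    out.append(ha.recovery_binding_update("MR1", "MR4", "2001:db8:3::4",
                                          bu("MR4", "2001:db8:3::4", keys["MR4"]), 51.0))
    return out
```

   Calling run_scenario() returns one result string per step: the
   verified registration and the in-lifetime recovery BU succeed, while
   the unverified registration, the BU replayed after movement
   detection, the BU arriving after TTL expiry, the BU with a CoA
   other than the registered one, and the BU the peer HA does not
   confirm are each refused. The HA-HA query is the piece the draft
   calls for but does not specify; here it is only a callback.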
   Registration information should also be updated whenever the MR
   moves or disappears. To keep registration information safe,
   expiration by TTL and explicit removal after detecting the neighbor
   MR's movement can be used. The neighbor MR's movement can be
   detected when the periodic ICMP Mobile Prefix Advertisement expires.

   [Figure 2: two ASCII diagrams not recoverable from this copy, drawn
   before and after the Fake MR moves. Labels present: HA1 and HA2, the
   Internet, AR1, AR2 and AR3, MR1, MR3, MR4 and the Fake MR, and the
   nodes MNN1, MNN2 and MNN3. In the lower diagram, the Fake MR, now at
   a different point of attachment, sends a False BU using the previous
   neighbor information.]

                  Figure 2. Replay Attack after Moving

6. Other Kinds of Attacks

   There can be other kinds of attacks on multi-homed mobile networks.

References

   [1] T. Ernst and H. Lach, "Network Mobility Support Terminology,"
       draft-ietf-nemo-terminology-00 (work in progress), May 2003.

   [2] C. Ng, J. Charbon, and E. Paik, "Multihoming Issues in Network
       Mobility Support," draft-ng-nemo-multihoming-issues-02.txt (work
       in progress), Oct 2003.

   [3] J. Charbon, C-W. Ng, K. Mitsuya, and T. Ernst, "Evaluating
       Multi-homing Support in NEMO Basic Solution,"
       draft-charbon-nemo-multihoming-evaluation-00.txt (work in
       progress), Jul 2003.

   [4] E. K. Paik, H. S. Cho, and T. Ernst, "Multihomed Mobile Networks
       Problem Statements," draft-paik-nemo-multihoming-problem-00.txt
       (work in progress), Oct 2003.

   [5] S. Jung, F. Zhao, F. Wu, H. Kim and S. Sohn, "Threat Analysis
       for NEMO," draft-jung-nemo-threat-analysis-01.txt (work in
       progress), Oct 2003.

   [6] A. Petrescu, A. Olivereau, C. Janneteau, and H.-Y. Lach,
       "Threats for Basic Network Mobility Support (NEMO threats),"
       draft-petrescu-nemo-threats-01.txt (work in progress), Jan 2004.

   [7] P. Thubert, M. Molteni, and C. Ng, "Taxonomy of Route
       Optimization models in the Nemo Context,"
       draft-thubert-nemo-ro-taxonomy-01 (work in progress), Jun 2003.

Acknowledgments

Author's Addresses

   Seongho Cho
   Seoul National University
   School of CSE, Seoul National University,
   San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
   Phone: +82-2-884-3936
   Email: shcho@popeye.snu.ac.kr

   Jongkeun Na
   Seoul National University
   School of CSE, Seoul National University,
   San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
   Phone: +82-2-884-3936
   Email: jkna@popeye.snu.ac.kr

   Chongkwon Kim
   Seoul National University
   School of CSE, Seoul National University,
   San 56-1, Shillim dong, Gwanak gu, Seoul, 151-744, Korea.
   Phone: +82-2-884-3936
   Email: ckim@popeye.snu.ac.kr

   Sungjin Lee
   Telecommunication R&D Center, Samsung Electronics
   Dong Suwon P.O. BOX 105
   416, Maetan-3Dong, Paldal-Gu
   Suwon-City, Gyunggi-Do, 442-600, KOREA
   EMail: steve.lee@samsung.com

   Hyunjeong Kang
   Telecommunication R&D Center, Samsung Electronics
   Dong Suwon P.O. BOX 105
   416, Maetan-3Dong, Paldal-Gu
   Suwon-City, Gyunggi-Do, 442-600, KOREA
   EMail: hyunjeong.kang@samsung.com

   Changhoi Koo
   Telecommunication R&D Center, Samsung Electronics
   Dong Suwon P.O. BOX 105
   416, Maetan-3Dong, Paldal-Gu
   Suwon-City, Gyunggi-Do, 442-600, KOREA
   EMail: chkoo@samsung.com