NEMO Working Group Souhwan Jung Internet-Draft Soongsil University Expires: December 22, 2003 Felix Wu University of California at Davis Hyungon Kim Seungwon Sohn Electronics and Telecommunications Research Institute June 23, 2003 Threat Analysis for NEMO draft-jung-nemo-threat-analysis-00 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 22, 2003. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract This document describes possible security threats on mobile networks that include multi-homing. Many different kinds of security threats exist on signaling and communication paths including mobile routers and home agents. It is also the goal of this draft to explain a three-layer threat model and to investigate vulnerabilities of the network entities in NEMO. S. Jung et. al. Expires December 22, 2003 [Page 1] Internet-Draft Threat Analysis for NEMO June 2003 Table of Contents 1. Motivations 2. Three-Layer Threat model 3. Threats to Target Protocols/Services 3.1 Threats to Signaling Plane 3.2 Threats to Communication Plane 4. Threats to Target Entities/Entry Points 4.1 Compromise of MR 4.2 Compromise of HA 4.3 Compromise of FA 4.4 Denial of Service 4.5 Threats to Location Privacy 5. Security Considerations 6. Conclusions References Authors' Addresses Intellectual Property and Copyright Statements S. Jung et. al. Expires December 22, 2003 [Page 2] Internet-Draft Threat Analysis for NEMO June 2003 1. Motivations Networks in motion (NEMO) introduces a new network entity called Mobile Router(MR). MR has different features from Mobile Hosts that is operated based on Mobile IP technologies. Since MR functions both as a mobile node and a gateway to provide a mobile network with Internet access in outside world, it needs specific treatment for managing operations and securities. In real world, many different types of NEMO configurations are possible including multi-homing, which means that new kind of threats specific to NEMO should be taken care of. For example, MR can advertise its IP prefix to the access routers in foreign domain, and this message can be intercepted and modified to advertise different prefix of malicious attacker. This makes address stealing attack possible: the packets that should be delivered to the mobile router are destined to the attack router. Therefore, those messages like address advertisement should be protected using authentication. This draft proposes a three-layer threat model for analyzing vulnerabilities of NEMO protocols and entities. Based on the model, we describe and classify all possible threats to NEMO, and analyze those threats according to their properties and scopes. 2. Three-Layer Threat Model A huge number of different threats to network entities in NEMO are possible and hard to describe all of them in a row. Some of the threats can have multiple paths to achieve their goals, which means that many different types of attacks are possible to obtain the same objective that the attacker tries to achieve. Therefore, it requires a hierarchical threat model to describe and classify all different threats to NEMO. This draft proposes a three-layer threat model to describe all possible threats to NEMO according to their objectives/properties, target protocols/services, and target entities/entry points. This model is composed of a three-layer stack; objectives/properties on the top layer, target protocols/services for attack on the second layer, and finally target entities or entry points for attack at the bottom layer. The objectives of threats are usually a limited number of goals that attackers try to achieve in abstract level. They could be like eavesdropping of data, impersonation, data corruption or modification, unauthorized use of resources, repudiation, and blocking services to clients. The generic goals of security mechanisms therefore are such as confidentiality, integrity, authentication, authorization, non- repudiation, and service availability against those attacks, which are common to all the security frameworks. The second layer of the stack is composed of target protocols or services for attack. Attackers always try to find vulnerabilities to network protocols or services by monitoring protocol or service data specific to the target. In NEMO, for example, binding update (BU) message or address advertisement messages by MRs could be target data for attack. Most of NEMO signaling protocols could be the target at the second layer. Therefore, the vulnerabilities to the basic NEMO mechanism should be scrutinized for the analysis. In the next section, this draft will describe those vulnerabilities and possible threats related to them. The bottom layer of the threat model is comprised of target entities or entry points for attacks. NEMO includes many network entities called MR, HA, FA, and CN etc. Any of these entities could be a victim for attack and be compromised. All the possibilities of different types of attacks should be investigated based on the assumption of these compromises. For example, the compromise of MR can lead all the MNNs and FNs inside the mobile network with a compromised MR to interception of their data or deception of their connection to a fake HA or FA. The MNNs or FNs inside the mobile network have no knowledge of the compromised MR since the NEMO protocols are transparent to their connections. In section 4, those threats will be analyzed and described. 3. Threats to Target Protocols and Services This section describes threats to NEMO protocols and services. NEMO operations are composed of two different planes; one is the signaling plane for changing control or routing information, and the other is the communication plane for data transmission between nodes. The threats specific to each plane will be investigated. 3.1 Threats to Signaling Plane The basic NEMO operations have three different signaling paths between entities; the first path is the signaling between MR and FA, the second one is the signaling between MR and HA, and the final is the signaling between MR and CN. Each signaling messages can be interrupted and modified by attackers on the way of the signaling paths. The following threats exist over signaling paths. - Man-in-the-middle between MR and HA This threat means that an attacker resides between MR and HA, and intercepts the signaling messages such as CoA(Care-of-Address) or BU messages. The messages could be modified and transferred to the HA with corrupted information. For example, the attacker compromises the access router, and intercepts and modifies all the messages that goes through the access router. One of the attack results will be the registration of MR to HA with wrong binding information. Security mechanism for bi-directional tunneling like IPsec could prevent this threat. - Discard registration messages from MR to FA This threat is a sort of DoS attack to block network connectivity service to MR. The attacker compromises the FA, and keep discarding the registration message from MR. The result of the attack is no availability of network connection service to the mobile networks. - fake MR Mobile network could have multiple MRs for the case of multi- homing. Assume that there is a mobile network with a single MR. The fake MR claims to be the second MR for multi-homing the victim mobile network, and register to FA with another spoofed IP prefix. The fake MR advertises its spoofed IP prefix to the new MNNs that comes into play. Then the victim MNN gets the wrong IP address from the fake MR, and starts to communicate via the fake MR. - fake FA When a mobile network enters into a new region, the MR of the network tries to find an access router for network connection. The MR will advertise its IP prefix and wait for the advertisement of CoA from the FA. At this time, the fake FA can intercept the message and assign a false CoA to the victim MR. The result of this attack will be that the entire mobile network will be connected to a wrong Internet access. - corrupted routing information Attacker may send corrupted routing information to MR and cause network instability such as network congestion or looping. 3.2 Threats to Communication Plane - eavesdropping/replay of messages between MR and HA All the data packets between MR and HA have to go through the bi-directional tunnel. This tunnel should be secured by IPsec. But some of the routing information that may not go through this tunnel should be secured. - eavesdropping/replay of messages between MNN and CN The messages between MNN and CN are going through the bi- directional tunnel, but there is no protection against sniffing data between MR and FA or between HA and CN. So security mechanisms should be applied on the part of the path uncovered. - traffic analysis Monitoring and analyzing the characteristics of data traffic along the communication paths reveals some information on routing and location privacy. 4. Threats to Target Entities The basic network entities in NEMO are MR, HA, FA, CN on the main network, and FN and MNN in the mobile network. Any of these entities could be the target for attack, but this draft does concern only on threats to entire mobile network rather than the individual nodes inside the subnet. We will investigate possible threats by compromising the network entities. The compromise of an entity means that attacker can access the entity, and change or modify data inside the system. The following attacks are possible with the compromise of each entity. The authentication mechanism for each entity therefore should be applied. 4.1 Compromise of MR - MR-A spoofing MR-A is the permanent address assigned statically or dynamically to the MR by HA. MR-A should be used for identification of MR while it is in the visited domain. The compromised MR can register to FA with a spoofed MR-A, and try to collect data destinated to the victim address. - MR-CoA spoofing MR-CoA is the Care-of-Address assigned to the egress interface of MR by FA. The compromised MR can send a BU message to HA with a spoofed CoA, and collect the data that were destinated to the victim FA. - Cache poisoning The cache data for routing table in MR can be corrupted to subvert routing path. The data packet could be redirected or looped causing network instability. 4.2 Compromise of HA - sniffing of tunneled packet The IPsec transport mode should be used for securing the tunneled packets between MR and HA. With the compromise of the HA, the attacker can sniff the decrypted data packet in HA. - corruption of binding cache HA keeps managing the BU information on binding cache. With the corruption of binding information, the attacker can redirects packets to where he want to deliver them. 4.3 Compromise of FA - DoS to MNN and FN The compromised FA can reject registration message from MR, thus blocking the network access to the MNN and FN within the victim subnet. 4.4 Denial of Service Denial of Service attack is possible against MR and HA by flooding BU messages and bogus tunneled packets. The attack can be more effective with distributed fake MRs or HAs. 4.5 Threats to Location Privacy The location of MR or MNN inside the subnet may be the privacy of the client, so the location information while network is in motion should be secured. Attacker can analyze the header information MR-CoA in the tunneled data packet and identify the location of the MR. Since all the data packets between MNN and CN are also tunneled using MR-CoA as new source address, the location of the MNN can also be disclosed. 5. Security Considerations This document is all about information on threats and security for mobile networks. There should be a separate draft produced by the working group to design a security mechanism for NEMO. 6. Conclusions References [1] Ernst, T., et al, "Network Mobility Support Goals and Requirements", Internet Draft: draft-ietf-nemo-requirements- 01.txt, Work In Progress, May 2003. [2] Ernst, T. and H. Lach, "Network Mobility Support Terminology", Internet Draft: draft-ietf-nemo-terminology-00.txt, Work In Progress, May 2003. [3] Wakikawa, R., et al, "Basic Network Mobility Support", Internet Draft: draft-wakikawa-nemo-basic-00.txt, Work In Progress, February 2003. [4] Johnson, D. B., Perkins, C. E. and Arkko, J., "Mobility Support in IPv6", Internet Draft: draft-ietf-mobileip-ipv6-21.txt, Work In Progress, February 2003. [5] Barbir, A. and et. Al, "Generic Threats to Routing Protocols", Internet Draft: draft-ietf-rpsec-routing-threats-01, April 2003. [6] Kniveton, T. J., et al, "Mobile Router Tunneling Protocol", Internet Draft: draft-kniveton-mobrtr-03.txt, Work In Progress, November 2002. [7] Petrescu, A., et al, "Issues in Designing Mobile IPv6 Network Mobility with the MR-HA Bidirectional Tunnel (MRHA)", Internet Draft: draft-petrescu-nemo-mrha-00.txt, Work In Progress, October 2002. [8] Ng, C. W. and Tanaka, T., "Securing Nested Tunnels Optimization with Access Router Option", Internet Draft: draft-ng-nemo-access-router-option-00.txt, Work In Progress, October 2002. [9] Arkko, J. et. al. ,"Using IPsec to Protect Mobile IPv6 Signaling between Mobile Nodes and Home Agents," Internet Draft: draft-ietf-mobileip-mipv6-ha-ipsec-04.txt, March 2003. Authors' Addresses Souhwan Jung Soongsil University 1-1, Sangdo-dong, Dongjak-ku Seoul 156-743 Korea Phone: +82-2-820-0714 EMail: souhwanj@ssu.ac.kr Felix Wu Department of Computer Science University of California, Davis USA Phone: +1-530-754-7070 EMail: wu@cs.ucdavis.edu Hyungon Kim Seungwon Sohn Electronics and Telecommunications Research Institute Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.