Mobile IP is becoming more important for the average consumer and for businesses. Mobile IP standards are improving, as are the services offered by service providers. Because of this, more efficient services and applications are available to mobile users. In business, key employees can be kept up to date with critical information, which results in improved customer service and, ultimately, in improved customer relations. Mobile IP allows consumers to communicate and to avail of a variety of services, such as instant messaging and SMS alerts to their cellular phones with, for instance, the latest traffic reports or sports results.

With the development of large open networks – networks with access to the Internet, and other private and public networks – threats to security have increased and more security vulnerabilities have been discovered. The technical knowledge required to hack a network has become more widely available and hacking tools are more user friendly.

Because of the way Mobile IP operates, the transfer of information is vulnerable in terms of security. The registration process in itself is vulnerable because, typically, mobile computers are connected to the network via wireless links. When mobile nodes on foreign networks register with their home networks via wireless links, they are vulnerable to attacks such as passive eavesdropping and active replay. This means that authentication mechanisms in Mobile IP registration need to be particularly strong. For example, service providers need to authenticate messages sent between foreign agents and home agents to ensure only legitimate customers are provided with service and to enable billing.

Threats to Mobile IP

Specific threats to Mobile IP include the following:

• denial-of-service attack
• passive eavesdropping
• session-stealing attack
• replay attack

Denial-of-service attack

A denial-of-service (DoS) attack is specifically designed to disrupt the normal functioning of a system by destroying or modifying data, or by overloading the system’s servers. The organization (or user) is then deprived of services such as e-mail or perhaps the temporary loss of all network connectivity and services.

One type of DoS is a nuisance packet attack (TCP SYN flooding). This type of attack can be quite difficult to prevent because a sender can spoof the source address. However, the service provider can use ingress filtering in routers to make sure the IP source address of a packet is authenticated before it is forwarded.

Another type of DoS attack precludes packets from flowing between two nodes. For example, an attacker – who must be on the path between the two nodes – creates a bogus registration request, giving a personal IP address as the care-of address for a mobile node. This means the mobile node’s home agent will send all packets to the attacker.

This type of attack can be prevented if there are cryptographically resilient authentication procedures between a mobile node and its home agent. KEYED MD5 is the default algorithm used, drawing on RFC 1321 to provide secret-key authentication and integrity checking. Although all mobile nodes must sustain this algorithm, Mobile IP does enable a mobile node to use different types of authentication.

Passive eavesdropping

Theft of information can occur when an attacker accesses network packets that come across the network to which he is attached (man-in-the-middle attack), typically by using network packet sniffers and routing and transport protocols. Encryption is a common way of preventing a passive eavesdropping (or theft-of-information) attack, protecting the data from being accessed by unauthorized persons. Link-layer encryption is commonly used between a mobile node and its foreign agent of a wireless link where all packets exchanged over the link are encrypted. Because no physical connection is required, it can be easier to snoop on a wireless link.

End-to-end encryption, where the data is encrypted and decrypted at the source and destination, is the most thorough method of protecting the data. Secure Sockets Layer (SSL), Secure Copy (SCP), and Secure Shell (SSH) are examples of Internet-based applications that provide end-to-end protection. Other application programs that do not provide for encryption can use Encapsulating Security Payload RFC (1827) for end-to-end encryption.

Session-stealing attack

A session-stealing attack is when an attacker pretends to be a legitimate node and captures a session. The attacker waits for a valid node to authenticate itself and initiate an application session. The attacker then transmits numerous nuisance packets to prevent the node from recognizing that the session has been captured. Session-stealing attacks can be prevented by end-to-end and link-layer encryption.

Replay attack

A replay attack is when an attacker obtains and stores a copy of a legitimate registration request and replays it later to create a forged care-of address for a mobile node. To prevent this, a mobile node produces a unique value for the Identification field for each successive registration. The Identification field allows the home agent to ascertain what the subsequent value should be. The attacker is therefore hampered because the home agent will be able to identify the Identification field in the stored registration request as outdated.

Mitigating the threats to Mobile IP

The registration process of Mobile IP requires strong authentication procedures as it offers many opportunities for malicious intervention. Any sensitive data that is transferred should be encrypted. If location privacy is required, mobile nodes can connect to their home network via a tunnel. The home agent forwards any packets sent to the mobile node to its care-of address and so the mobile node still appears to be on the home network.

Cryptography

Cryptography is one of the main methods used to maintain confidentiality, that is, to ensure sensitive data is viewed only by users who are authorized. Cryptography involves the use of cryptographic algorithms and the exchange of either public or secret keys to ensure only authorized parties can decrypt information. There are two main categories of cryptographic algorithms: secret-key algorithms – where both the sender and receiver use the same key – and public-key algorithms. With public-key algorithms, a pair of related keys are used, one by the sender and the other by the receiver. One of these keys is published publicly and the other is kept private.

The information is authenticated using either private-key (secret-key) or public-key encryption. There are two categories of private-key encryption, one utilizes a type of cryptographic algorithm called a message digest (a fixed-length piece of data computed from a large piece of data), whereas the other category uses the same algorithms used to execute private-key encryption.

There are also two categories of public-key authentication – one method uses a similar method to secret-key authentication, except it uses public-key encryption. The other type of public-key authentication uses digital signatures. A public-key conversion is performed on a plain-text message, using the private key, and the resulting ciphertext is called a digital signature. Only the sender has the key, which means the sender cannot later deny having sent this information (non-repudiation). If necessary, the message, the time stamp, and a message digest confirming that the message has not been altered in transit (integrity checking) can be re-sent.

Problems with ARP

In Mobile IP registration, a mobility binding is created at the home agent where a mobile node’s home address is associated with its care-of address for a specified lifetime. If registration was not authenticated properly, this tunneling feature could prove to be a significant security vulnerability. It also means Address Resolution Protocol (ARP) was not authenticated, and could potentially be used to steal another host’s traffic. If Gratuitous ARP is used, where an ARP packet sent by a node in order to spontaneously cause other nodes to update an entry in their ARP cache, then all the risks associated with ARP will also need to be factored in. For these reasons, it is imperative that home agents and mobile nodes perform authentication.

Authentication

Mobile nodes and home agents must be able to perform authentication. There are several factors that determine the strength of an authentication mechanism. These include the strength and secrecy of the key used, the strength of the authentication algorithm, and the quality of the implementation. The default algorithm used by home agents and mobile nodes for message authentication is HMAC-MD5 with a key size of 128 bits. The foreign agent must support authentication using HMAC-MD5 with manual key distribution of key sizes of 128 bits or greater. It must also support keys with arbitrary binary values.

When producing and verifying the authentication data supplied with Mobile IP registration messages, new implementations of Mobile IP should use MD5 as one of the additional authentication algorithms. This is because the “prefix + suffix” use of MD5 to protect data is considered vulnerable to attack. However, the use of keyed MD-5 does not mean other authentication algorithms and modes cannot be used. Keyed MD-5 authentication should use a 128-bit key that is both secret and pseudo-random.

Key distribution in a Mobile IP network can often be a difficult task due to the absence of a network key management protocol. Because of this, some messages sent to the foreign agent do not require authentication.

Firewalls

A Firewall is a device that protects the resources of a private network from an untrusted public network such as the Internet. There are several different types of firewall. Firewalls use secure logon procedures and authentication certificates to allow mobile users remote access to the private network.

Common security policies such as ingress filtering – where routers do not forward packets that appear to have a topologically incorrect source address – can prove to be problematic in Mobile IP networks. For example, a router running firewall software could block incoming packets from a mobile node trying to contact a node on its home network. The firewall blocks this node as it is trying to enter the intranet using the address of a machine inside the intranet. However this mobile node is trying to access the home network using its own home address. To counteract this problem, a mobile node can use the foreign agent supplied care-of address as the source address – this is called reverse tunneling. Reverse tunneled packets can pass normally through routers that use ingress filtering, and the ingress filtering rules can still locate the true source of the packet in the same way as packets from non-mobile nodes.

Replay protection

To prevent a replay attack, a mobile node produces a unique value for the Identification field for each successive message. There are two methods used to interpret Identification fields – time stamps and nonces. All mobile nodes and home agents must implement replay protection based on time stamps. Nonce-based replay protection is optional.

With time stamp replay protection, the node generating a message inserts the current time of day. The node receiving the message checks that this time stamp is sufficiently close to its own time of day. The value used to limit the time difference should be greater than three seconds – the default value is seven seconds. These nodes must have adequately synchronized time-of-day clocks.

With nonce replay protection, a node – node A – includes a new random number in every message it sends to another node – node B. Node A then checks that node B returns that same number in its reply. Both messages use an authentication code to protect against alteration by an attacker.

As part of the mobile security association, a mobile node and its home agent have to agree on the method of replay protection that will be used. The low-order 32 bits of the identification has to be copied unchanged from the registration request to the registration reply regardless of which method is used. The foreign agent uses the mobile node’s home address and the low-order 32 bits to match registration requests with corresponding replies. The mobile node has to verify that the low-order 32 bits of any registration reply are identical to the bits it sent in the registration request. The identification used in a new registration request cannot be the same as the preceding request. Re-transmission is allowed, but a request shouldn’t be repeated while the same security context is being used between the mobile node and the home agent.