Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)
James Kempf
Samita Chakrabarti
Erik Nordmark
draft-chakrabarti-mip6-bmip-01.txt
Monday March 7, 2005
Motivation
• Support deployments in which Home Network Access Provider and Mobility Service Provider are different providers
• Support deployments with a loose trust relationship between Serving Network Access Provider and Mobility Service Provider
• Examples:
  – Enterprise networks
  – Hotspots with non-AAA-based network entry authorization
    • Maybe 90% of WLAN public access deployments in the US?
  – Future deployment possibilities
  – Infrastructureless deployments
Example: Universal Access Method (UAM)
[Figure: Access Network (Mobile Node, AP, AR, Border Router), PAC, Internet, credit card provider]
Message flow shown in the figure:
– Terminal initiates HTTP GET
– PAC sends Redirect to Login Page
– HTTP PUT sends credentials to PAC
– PAC relays credentials to credit card provider
– Authorization Decision! Credit card provider sends authz decision to PAC
– Internet Access! Original page displayed
AP: Access Point
PAC: Public Access Control Gateway
Basic Problems Addressed
• No AAA “hook” during network access authentication to provision the Mobile Node with the Home Agent address and mobility service authorization credentials
  – EAP solutions such as draft-giaretta-mip6-authorization require AAA during network access authentication
• Tight trust lacking between Mobility Service Provider and Access Service Provider
  – DHCP solutions such as draft-ohba-mip6-boot require very high trust between networks for roaming support
• Home Network Access Service Provider uses AAA but is not also a Mobility Service Provider
What the Mobile Node Starts With
• A connection to the Internet on the serving (local) network, authenticated and authorized (or not) through any means, e.g. 802.1X, PANA, etc.
• The domain name of the Mobility Service Provider
• Credentials to allow Home Agent IKEv2 to authenticate and authorize for mobility service
  – NAI or similar non-topological identity
  – Certificate or preshared key if IKEv2 auth/authz is done with a certificate or preshared key
  – User name/password or other credentials if IKEv2 auth/authz is done using EAP
• Optional: certificate for the Home Agent if not available during the DNS or IKE transaction
The Protocol
[Figure: Access Network (Mobile Node, AP, AR, Border Router, Local DNS Server), Internet, Mobility Service Provider (Border Router, MSP DNS Server, MIP6 HA)]
Message flow shown in the figure:
– Mobile Node to Local DNS Server: DNS SRV Rqst: mip6 ipv6
– Local DNS Server to MSP DNS Server: DNS SRV Rqst forwarded (if not cached)
– DNS SRV Rply: HA Address
– Mobile Node to MIP6 HA: IKEv2 + EAP if required
– ESP + MIP6 BU!
– Terminal now has Home Address and IPsec SAs
Security of BMIP Protocol
• Replay protection provided by the message ID in DNS (RFC 1035)
  – Caveat: the 16-bit ID only pairs a reply with an outstanding query; it is guessable by an attacker, so it is not cryptographic replay protection
• Server to host data integrity and origination authentication provided by DNSSEC (RFC 2535, since superseded by RFCs 4033 to 4035)
  – DNSSEC is not today widely deployed, but then neither is MIP6
  – For future DNS security, DNSSEC should be deployed
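The DNS leg of the protocol figure above, together with the message-ID check this slide relies on, as an added example that is not code from the draft or the slides. It assumes the SRV owner name is `_mip6._ipv6.<MSP domain>` (inferred from the slide's "mip6 ipv6"); the MSP domain `msp.example`, the Home Agent names and the `2001:db8::` addresses are constructed, and `build_reply` is a constructed stand-in for the MSP DNS server, not a real resolver.

```python
"""DNS SRV bootstrap step of BMIP: the Mobile Node asks for the 'mip6' service
over 'ipv6' in its MSP's domain and reads the Home Agent name and address out
of the reply. Added example, not code from the draft or the slides."""
import ipaddress
import secrets
import struct

TYPE_SRV, TYPE_AAAA, CLASS_IN = 33, 28, 1


def _name(s):
    # uncompressed wire form of a domain name
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"


def _read_name(buf, i):
    """Decode a (possibly compressed) name at offset i; return (name, next offset)."""
    labels, end = [], None
    while True:
        n = buf[i]
        if (n & 0xC0) == 0xC0:                           # compression pointer
            if end is None:
                end = i + 2
            i = struct.unpack(">H", buf[i:i + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (end if end is not None else i + 1)
        else:
            labels.append(buf[i + 1:i + 1 + n].decode())
            i += 1 + n


def build_srv_query(msp_domain, qid=None):
    """Query for _mip6._ipv6.<MSP domain> (owner name inferred from the slide's
    'mip6 ipv6'), RD=1 so the local resolver forwards it if it has no cached copy."""
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _name(f"_mip6._ipv6.{msp_domain}") + struct.pack(">HH", TYPE_SRV, CLASS_IN)


def build_reply(query, srvs, aaaa):
    """Constructed stand-in for the MSP DNS server: answer `query` with SRV
    records plus AAAA glue for the targets. srvs: [(pri, weight, port, target)]."""
    qname, end = _read_name(query, 12)
    ans = b""
    for pri, weight, port, target in srvs:
        rdata = struct.pack(">HHH", pri, weight, port) + _name(target)
        ans += _name(qname) + struct.pack(">HHIH", TYPE_SRV, CLASS_IN, 300, len(rdata)) + rdata
    add = b""
    for target, addr in aaaa.items():
        rdata = ipaddress.IPv6Address(addr).packed
        add += _name(target) + struct.pack(">HHIH", TYPE_AAAA, CLASS_IN, 300, len(rdata)) + rdata
    qid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(srvs), 0, len(aaaa))
    return header + query[12:end + 4] + ans + add


def parse_srv_reply(query, reply):
    """Return Home Agent candidates as [(priority, weight, port, target, [AAAA])],
    best candidate first. The ID comparison only pairs the reply with our query:
    the 16-bit ID is guessable, so this is not cryptographic replay protection
    (that needs DNSSEC)."""
    if reply[:2] != query[:2]:
        raise ValueError("ID mismatch: not a reply to our query")
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", reply[2:12])
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response")
    i = 12
    for _ in range(qd):
        i = _read_name(reply, i)[1] + 4
    srvs, glue = [], {}
    for _ in range(an + ns + ar):
        owner, i = _read_name(reply, i)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", reply[i:i + 10])
        i += 10
        if rtype == TYPE_SRV:
            pri, weight, port = struct.unpack(">HHH", reply[i:i + 6])
            srvs.append((pri, weight, port, _read_name(reply, i + 6)[0]))
        elif rtype == TYPE_AAAA:
            glue.setdefault(owner, []).append(str(ipaddress.IPv6Address(reply[i:i + rdlen])))
        i += rdlen
    srvs.sort(key=lambda s: (s[0], -s[1]))   # lowest priority first, then higher weight
    return [(p, w, port, t, glue.get(t, [])) for p, w, port, t in srvs]


if __name__ == "__main__":
    q = build_srv_query("msp.example", qid=0x1234)            # constructed MSP domain
    r = build_reply(q, [(10, 5, 0, "ha2.msp.example"), (5, 10, 0, "ha1.msp.example")],
                    {"ha1.msp.example": "2001:db8::1", "ha2.msp.example": "2001:db8::2"})
    print(parse_srv_reply(q, r))
```

The Mobile Node would take the first candidate's AAAA address as the Home Agent address and start IKEv2 to it; a reply whose ID differs from the outstanding query is dropped, which is all the "replay protection" the DNS header gives. Off-path injection of a matching ID is a 1-in-65536 guess per packet, which is why the slide points at DNSSEC for real origin authentication.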
Security of Home Agent Address
• Host to server authorization can be done by using DNS TSIG (RFC 2845)
  – Upside
    • Only authorized hosts can get the address
  – Downside
    • Requires MSP DNS server to perform auth on SRV Rqst in real time (i.e. no caching)
    • Address is unencrypted in transit so it can be intercepted by MiTM
• Confidentiality protection can be provided by encrypting the address before inserting into DNS
  – Anybody can get the record, only authorized users with keys can decrypt
  – Draft in preparation for DNSEXT
Assumption: These measures assume some utility to “hiding” the address in the first place, presumably to prevent DoS
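The TSIG option on this slide, as an added example that is not the draft's code: the Mobile Node signs its SRV query with a key it shares with the MSP DNS server, and the server only answers queries it can verify, which is why the check has to run on every request and cannot be served from a cache. The example uses the hmac-sha256 algorithm of RFC 4635 rather than the HMAC-MD5 that RFC 2845 mandates; the key name `mn1.msp.example`, the secret, the timestamp and the unsigned query bytes are all constructed.

```python
"""TSIG (RFC 2845) on the BMIP SRV query: the Mobile Node signs its query with
a key shared with the MSP DNS server, which only answers requests it can verify.
Added example, not the draft's code. Uses the hmac-sha256 algorithm of RFC 4635
instead of RFC 2845's HMAC-MD5; key name, secret, timestamp and query are constructed."""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, ALG = 250, 255, "hmac-sha256"


def _name(s):
    # canonical (lowercase, uncompressed) wire form of a domain name
    return b"".join(bytes([len(l)]) + l.encode() for l in s.lower().rstrip(".").split(".")) + b"\x00"


def _skip_name(buf, i):
    # offset just past the name at i; a compression pointer ends a name in 2 bytes
    while True:
        n = buf[i]
        if (n & 0xC0) == 0xC0:
            return i + 2
        if n == 0:
            return i + 1
        i += 1 + n


def _tsig_vars(key_name, time_signed, fudge, error=0):
    # the "TSIG variables" RFC 2845 appends to the digested message (other len = 0)
    return (_name(key_name) + struct.pack(">HI", CLASS_ANY, 0) + _name(ALG)
            + struct.pack(">Q", time_signed)[2:] + struct.pack(">HHH", fudge, error, 0))


def tsig_sign(msg, key_name, key, now, fudge=300):
    """Append a TSIG RR to an unsigned request; the MAC covers msg + TSIG variables."""
    mac = hmac.new(key, msg + _tsig_vars(key_name, now, fudge), hashlib.sha256).digest()
    rdata = (_name(ALG) + struct.pack(">Q", now)[2:] + struct.pack(">HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack(">HH", 0, 0))       # original ID, error, other len
    rr = _name(key_name) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + rr


def tsig_verify(signed, keys, now):
    """Server side: return the name of the key that authenticates `signed`, or None.
    keys maps lowercase key names to secrets. This runs on every query, so nothing
    an intermediate cache hands out could pass it."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    if ar == 0:                                    # no TSIG RR at all
        return None
    i = 12
    for _ in range(qd):
        i = _skip_name(signed, i) + 4
    for _ in range(an + ns + ar - 1):              # every RR before the trailing TSIG
        i = _skip_name(signed, i)
        i += 10 + struct.unpack(">H", signed[i + 8:i + 10])[0]
    tsig_at = i
    j = _skip_name(signed, i)                      # owner of the TSIG RR is the key name
    if struct.unpack(">H", signed[j:j + 2])[0] != TSIG_TYPE:
        return None
    r = j + 10
    alg_end = _skip_name(signed, r)
    if signed[r:alg_end] != _name(ALG):
        return None
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack(">HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    orig_id = signed[alg_end + 10 + mac_size:alg_end + 12 + mac_size]
    if abs(now - time_signed) > fudge:             # stale or replayed request
        return None
    # rebuild the message as it was digested: original ID, ARCOUNT without the TSIG RR
    unsigned = orig_id + signed[2:10] + struct.pack(">H", ar - 1) + signed[12:tsig_at]
    for key_name, key in keys.items():
        if signed[tsig_at:j] != _name(key_name):
            continue
        expect = hmac.new(key, unsigned + _tsig_vars(key_name, time_signed, fudge),
                          hashlib.sha256).digest()
        return key_name if hmac.compare_digest(expect, mac) else None
    return None                                    # unknown key: not an authorized host


# Constructed unsigned SRV query for _mip6._ipv6.msp.example (ID 0x1234, RD=1)
QUERY = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + _name("_mip6._ipv6.msp.example") + struct.pack(">HH", 33, 1))

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    signed = tsig_sign(QUERY, "mn1.msp.example", key, 1110153600)
    print(tsig_verify(signed, {"mn1.msp.example": key}, 1110153610))
```

A server gating SRV answers on `tsig_verify` returning a key name gets the upside on the slide (only hosts holding a shared key learn the Home Agent address) and also both downsides: each query costs an HMAC on the authoritative server with no caching in front of it, and the answer itself still travels in the clear, since TSIG authenticates the transaction but encrypts nothing.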
DoS Attack on the Home Agent Address
• Address is in public DNS, anybody could snatch it!
• IKEv2 contains measures (the stateless cookie exchange) to slow down an attacker if they should get it
But...
• DoS is a problem with any solution (including manual configuration) that exposes the Home Agent address to users on the Internet
  – User goes rogue
  – Someone steals the address from a legitimate user
  – Distributed worm probing attack discovers the Home Agent
Bottom line: “Hiding” the address from unauthorized users only makes launching a DoS attack a little harder
Realistic DoS Mitigation Measures
• Overprovisioning
  – Network connections and Home Agent server capacity are enough to handle any conceivable load
• Change Home Agent addresses aperiodically
  – Especially if someone suspicious has their account revoked
• Provision Home Agents:
  – With few users each, to avoid inconveniencing lots of users when an attack occurs
  – On topologically widely separated subnets, to slow worm probing attacks
Questions/Comments?