The present invention relates to a system and method for solving IPv6 address ownership problems.
This invention is related to IPv6 and more particularly to the address ownership problem. IPv6 has a well-known problem called address ownership. In current IPv6, hosts cannot prove that they own the claimed IP address and are authorized to use it. This problem is responsible for different potential attacks and as a consequence limits the benefits of protocol such as MIPv6. This problem is not unique and restricted to mobile networks but affects the whole IPv6 in general. The IPv6 address ownership problem is therefore an important security problem that should be properly addressed.
According to the initial design goals, the basic routing and packet forwarding mechanisms in IPv6 were supposed to be similar to those of IPv4. However there are considerable differences in the way the hosts and routers learn and use the information. The IPv6 address configuration procedures e.g. allow a more dynamic distribution and discovery of the routing information and facilitate mobility and network management. Mobility support has been considered since the beginning in the design of IPv6 and all hosts must support the specified extensions. Although these mechanisms bring known benefits, they also open the door for a new set of security threats.
Mobile IPv6 introduces new extensions to the IPv6 protocol and new entities, such as the Home Agent (HA) in order to support node mobility. Mobility is achieved thanks to the Binding update and Binding acknowledgement messages exchanged between the Mobiles Nodes (MN) and the HA, and between the MN and their correspondent nodes (CN). These Binding Update messages update the receiving ends with the current location of the MN (i.e. the Care of Address (CoA)) and must therefore be authenticated to prevent several types of attacks identified and described in “Allison Mankin, Basavaraj Patil, Dan Harkins, Erik Nordmark, Pekka Nikander, Phil Roberts, Thomas Narten. Threat Models introduced by Mobile IPv6 and Requirements for Security in Mobile IPv6. Internet draft, work-in-progress, Internet Engineering Task Force, 05 Nov. 2001”.
Defining a dynamic key establishment protocol between the MN and the CN, this MN-CN security key can be used to authenticate the binding update messages. By simply applying message authentication to the binding update message, the mechanisms remain vulnerable to a set of different attacks. In particular, the security threats derived from the address ownership problem: in current IPv6, hosts cannot prove that they own the claimed IP address and are authorized to use it. As a consequence the IPv6 world is vulnerable to different types of impersonation, denial of service and man in the middle attacks.
The problem is illustrated in this document via the future attacks but this is only one of the possible attacks derived from the IPv6 address ownership problem.
A typical attack derived from the address ownership problem is represented in FIGS. 3 to 5. An attacker may come to a subnet and knowing the interface ID of e.g. another user, he can derive the victim's to be CoA (Care-of Address) and steal all the future sessions of this user.
When assuming a victim, an attacker and a server, the attacker can know or learn the L2 address of the chosen victim by different means. When coming to a subnet, it can therefore derive the IP address that the victim will use when coming to this subnet; more particularly by concatenating the advertised network prefix, and the chosen victim's L2 address as specified e.g. in the stateless address auto configuration “S. Thomson, T. Narten: IPv6 Stateless Address Autoconfiguration, Internet Request for Comments RFC 2462, Internet Engineering Task Force, December 1998”. Let us call IP1 this IP address.
The attacker can open a session with the server using IP1: he will claim IP1 as its Home address (step 1). The attacker will then move to a different subnet and send a Binding update to create a binding cache in the server (step 2). When the victim will then send a request to the server (step 3), since this one has a binding cache for this IP address, it will send the response to the attacker.
The attacker can maintain the binding cache by sending binding update to the server, and even if these messages are authenticated thanks to a security key, this security association cannot prevent this type of attack. Unless a host can prove that it is authorized to use the claimed IP address, the mechanisms are thus vulnerable to different impersonation, denial of service and man in the middle attacks.
Two main schemes have been suggested so far to solve the IPv6 address ownership issue. A Return Routability (RR) test specified by the Mobile IP working group and mandated in the MIPv6 protocol requires seven messages to be exchanged between the mobile node and the correspondent node. Binding Security Associations are not used in MIPv6, but every time MN (Mobile Node) wants to send a BU, it needs to perform the RR test which requires seven messages to be sent over the air interface. In wireless links, this is unacceptable. In addition, the lifetime of the RR test is only 5 minutes; and the RR tests then needs to be re-executed. This large number of required messages is a major constraint for wireless networks where bandwidth is limited and expensive. In addition this RR test must be frequently (periodically) re-executed to prevent potential future attacks. And despite all these constraints, this protocol does not solve the problem; it just limits the potential damages that could be performed against the MN and the CN, and is still vulnerable to different types of attacks: e.g. considering a n ongoing IPv6 communication between two nodes A and B, which do not have to be mobile, (B just implementing the mandatory CN functionalities of MIPv6); a third node C located on the path between A and B could foil the RR test and send a BU to node B for node A including an own “CoA”.
A second solution is called Cryptographically Generated Address (CGA). This scheme relies on Public keys/Private keys operations; digital signatures require heavy computations both to compute the signature and to verify it; and are therefore an issue for mobile nodes which most probably will not have the computational capability to support digital signatures. Digital signatures and signatures verifications require a lot of processing. Many mobile nodes are low end processing and can not perform all the required computations.
Both solutions thus have major constraints and most probably IPv6 hosts will therefore not deploy them preventing the utilization of Route optimization which is a key driver for Mobile IP; these security issues may therefore hammer Mobile IP preventing the adoption and a large scale deployment of this protocol.
In the context of Mobile IPv6, in order to solve this problem, the MN and the CN must frequently perform the RR test but this protocol requires 7 messages to be exchanged; and this test must be performed not only when the MN changes its CoA but also periodically. The number of messages thus required, is a problem for wireless networks where bandwidth is limited and expensive.
The Fiat-Shamir identification protocol is described in: Handbook of Applied Cryptography; Menezes, van Oorschot and Vanstone p405-411. The Guillou-Quisquater identification protocol is discussed in: Handbook of Applied Cryptography; Menezes, van Oorschot and Vanstone p412-414. The “Handbook of Applied Cryptography”; Menezes, van Oorschot and Vanstone p412-414, describes the Schnorr identification protocol. The SUCV proposal is described in http://search.ietf.org/internet-drafts/draft-montenegro-sucv-02.txt.