The massive growth in the use of the Internet has exposed weaknesses and limitations of the current Internet protocol known as IPv4. The Internet Engineering Task Force (IETF), which is a loose connection of interested parties, is therefore developing an enhanced Internet protocol known as IPv6. IPv6 incorporates a much improved security mechanism known as IPSec (which enables two or more parties to communicate securely over the Internet) as well as provisions for mobile Internet access (Mobile IP). Mobile IP allows users to access the Internet on the move, roaming from one IP access node to another. Mobile IP will be used in particular by those accessing the Internet via wireless mobile devices (connected for example to wireless LANs and cellular telephone networks).
IPv6 provides for a much larger IP address space, providing IP addresses of 128 bits in length. The first 64 bits of an address form a routing prefix which uniquely identifies the Internet access node (or so-called “local link”) used by an IP terminal or host, whilst the last 64 bits form a host suffix which uniquely identifies the mobile terminal to the access node (or within the local link). The host suffix is referred to as an “interface identifier” as it identifies the host uniquely over the access interface. Typically, when a host registers with an access node, the host learns the routing prefix of the access node from an advertisement message sent from the access node. According to RFC3041 (IETF), a host then generates its interface identifier using a random number generated by the host. The host may additionally use a link layer address to generate the interface identifier, the link layer address being for example a MAC layer address used by the access network.
As already mentioned, Mobile IP allows hosts to roam between access nodes and even access networks, a feature which requires that hosts be allowed to change the IP addresses which define their current physical locations. Typically, a mobile host is allocated a “fixed” home IP address in a home network. When the host is at home, it can use this home address as its physical address. However, when a host attaches itself to a “foreign” access node, the host is allocated a temporary “care-of-address”. Hosts corresponding with the mobile host maintain a binding cache containing mappings between home addresses and care-of-addresses. For incoming packets, the Mobile IP layer at a correspondent host exchanges the care-of-address for the home address in the destination field, whilst for outgoing packets the mobile IP layer at a correspondent host exchanges the home address for the care-of-address in the destination address field. When a mobile host obtains a new care-of-address, it must send a binding update message to all correspondent hosts in order to update their binding caches (thus ensuring that subsequent datagrams are sent to the correct care-of-address). A Mobile IP scenario is illustrated in FIG. 1.
A potential risk of this mechanism is that a malicious third party may be able to send a falsified binding update to a correspondent host to cause data packets intended for a mobile host to be routed to the malicious party. If the packets are then forwarded to the mobile host by the malicious party (after being opened and read by that party), the mobile host may not even know that its packets are being re-routed and read. This problem is not limited to Mobile IP, but is also present in other signalling functions within the IPv6 architecture. The Mobile IP related problem and some of the other problems are described in more detail in the IETF submission “draft-nikander-ipng-address-ownership-00.txt” of February 2001.
A solution to this problem has been proposed in the IETF submission “draftbradner-pbk-frame-00.txt” of February 2001. This involves generating at the mobile host a purpose built key (PBK) pair comprising a public and a private key. An Endpoint ID (EID) is generated at the mobile host by applying a hash to the public key. The EID is sent to a correspondent host soon after initiation of an IP connection. Subsequently, the mobile host sends to the correspondent host the public key. The correspondent host is able to verify that the public key “belongs” to the connection by applying the one-way coding function to the key and comparing the result with the previously received EID. Any binding update which is subsequently sent, is signed at the mobile host with the host's private key. The correspondent host verifies the signature attached to the binding update using the previously received public key. Improved solutions offering enhanced security have been described in: P. Nikander, <draft-nikander-ipngpbk-addresses-00.txt>, Ericsson Nomadiclab, March 2001, “A Scaleable Architecture for IPv6 Address Ownership”; G. Montenegro, C. Castelluccia, Jul. 20, 2001, SUCV Identifiers and Addresses, Internet Draft (Work In Progress); and M. Roe. Microsoft, August 2001, “Authentication of Mobile IPv6 Binding Updates and Acknowledgements”, Internet Draft (Work In Progress), http://www.ietf.org/internet-drafts/draft-roe-Mobile IP-updateauth-00.txt.