Secure Networking Using Mobile IP


Alexandros Karakos and Konstantinos Siozios
Democritus University of Thrace, Department of Electrical and Computer Engineering, GR Xanthi, GREECE

Abstract. The increasing number of portable computers, combined with the requirement for non-stop connections to networks (Internet/Intranet), makes the provision of Internet mobility by Mobile IP important. The goal of the Mobile IP protocol is to allow a Mobile host to send and receive packets regardless of its current point of attachment to the Internet, and to maintain communication associations (such as TCP connections) even if the point of attachment changes during them. To meet these goals of location transparency and connection durability, each Mobile host has a permanent Home IP address that does not change. This static IP address enables conventional Internet hosts, which are unaware of mobility issues, to communicate with the Mobile host.

1 Introduction

Networks are now closer to everyone than they have ever been, owing to the dramatic increase in available network bandwidth. This makes the development of new techniques for computer connectivity crucial. The most important of them is the ability of a Mobile host, i.e. a host that can change its physical location, to connect to different networks without any manual change to the network settings.

1.1 System Goals

The primary objective of our implementation of the Mobile IP protocol is to design a protocol that is transparent to users as they move from one network to another. In other words, the user should not have to change the network configuration manually, so that movement does not affect the way the Mobile host uses network services. We also aim at some practical goals that are less visible to the user. The protocol should provide security, and it should not limit the number of active Mobile hosts. Furthermore, there will be no change in existing IP routers or non-mobile hosts, although changes to the latter are expected to increase efficiency.

1.2 Related Work

Recently, many universities and companies all over the world have implemented the Mobile IP protocol for educational and commercial purposes on a variety of operating systems, e.g. Linux, FreeBSD, Solaris, IOS and Microsoft Windows.

The various implementations differ in at least three areas: first, in the way the Home Agent determines where the Mobile host is attached; second, in the way an ordinary host sends data directly to the Mobile host's current point of attachment, avoiding the wasteful trip through the Home Agent; and finally, in the way the two previous mechanisms interact when the Mobile host moves to a new network. Apart from these differences, all these implementations are very interesting and have useful features.

In our opinion, the implementation of the Mobile IP protocol designed at Stanford University is the most interesting of all the implementations the authors are aware of. This implementation allows the Mobile host to choose dynamically the level of mobility that is desired for the different traffic flows. The implementation of Lancaster University (see lancs.ac.uk/mobileip/) is able to work without any problem with IPv4 and IPv6. Furthermore, it includes the appropriate software for demonstrating real-time Mobile applications with IPv6. The Sun Microsystems implementation is also very interesting, as it can work both on Solaris (running either on SPARC workstations or on Intel processors) and on Linux systems. Last but not least, Ecutel (see their web site at faq.htm) has designed a system that provides dynamic IP routing, dynamic registration, IP forwarding, IP encapsulation, encryption, authentication, firewall and access control.

2 How Classic Mobile IP Works

A classical IP router connects networks by forwarding packets from a source to a destination endpoint according to its routing table. Such a table usually maintains the next-hop information for each destination IP address.

[Fig. 1. How a Mobile host communicates when it is away from its Home network. Diagram labels: Internet, Correspondent Host (S), Home Agent (HA), Foreign Agent 1 (FA1), Mobile Host (MH), direct routing.]

For this reason, a Mobile host that wants to maintain transport-layer connections while it changes its physical location has to keep the same IP address (Home IP address). This Home IP address could be a private or a registered IP, and it makes the Mobile host appear as if it were constantly able to receive data on its Home network.

When a Mobile host attaches to a Foreign network, a new address (care-of address) is assigned to it [2]. Usually the care-of address is a private IP address and changes whenever the Mobile host moves to a new network, in order to save registered IPs. In this case, the Mobile host has two IP addresses, a registered one and a private one.

Figure 1 illustrates the basic architecture of the Mobile IP protocol. Here the Home and the Foreign Agent belong to different networks and are responsible for providing mobility extensions to the Mobile host. The Mobile host is a computer that has a registered IP address at the Home network, where the Home Agent is also located, but is now connected to the Internet through the Foreign Agent [9].

When the Correspondent host (S) sends a packet to the Mobile host for the first time, it does not know whether the destination host is stationary or not. So it uses simple IP routing to forward the packet to the Mobile host's Home network, where it is received by the Home Agent. The Home Agent in turn checks the packet to find out whether the host with this target IP address is currently attached to this network. If the destination host is a local host, the packet is delivered to it through classic IP routing. Otherwise, the Home Agent uses IP-in-IP encapsulation to tunnel [8, 7] the packet to the network to which the Mobile host is currently attached. There, the packet is received by the Foreign Agent and, after decapsulation, delivered to the Mobile host. This indirect routing through the Home Agent causes unnecessary overhead on network resources. On the other hand, when the Mobile host sends a packet, in most cases it uses normal IP routing to forward it directly to its destination, without first passing through the Mobile host's Home network.

3 Routing Optimization

To overcome the problem of indirect routing, networks that support Mobile IP must be able to perform Routing Optimization [5].
With this technique, when the Correspondent host (S) sends a packet addressed to the Mobile host for the first time, the packet is delivered in the way described above. Then the Home Agent informs the Correspondent host (S) of the Mobile host's current point of attachment, so that future packets are sent directly to the network to which the Mobile host is connected, without passing through the Home Agent.

Figure 2 illustrates what happens when the Mobile host moves from one network with (FA1) to another with (FA2). In that case, to keep the connections alive, (FA1) has to forward the incoming packets from (S) to (FA2), where the Mobile host is currently attached. At the same time, (FA1) informs the Home Agent about the Mobile host's movement to the new network [1]. Next, the Home Agent sends a message to (S) informing it of the change, so that (S) can send future packets addressed to the Mobile host directly to its new point of attachment. After that, the network returns to a stable state.

[Fig. 2. What happens when the Mobile host changes its point of attachment. Diagram labels: Internet, Correspondent Host (S), Foreign Agent 1 (FA1), Home Agent (HA), Foreign Agent 2 (FA2), Mobile Host (MH), direct routing.]

This forwarding technique works properly when all the networks belong to the same administrative domain, so that the connections can be trusted. But in the real world, Mobile IP has to work in an environment of independent networks protected by firewalls. This means that some packets may not be delivered [4], even among Agents (for example between Home and Foreign Agent), because the firewall policy discards the connections. In this case, a possible solution is shown in Figure 3.

[Fig. 3. What happens when Foreign Agent (FA1) is not able to communicate with Foreign Agent (FA2). Diagram labels: Internet, Correspondent Host (S), Foreign Agent 1 (FA1), Home Agent (HA), Foreign Agent 2 (FA2), Mobile Host (MH), direct routing.]

When the Mobile host moves to a new network, (FA1) either does not know where the Mobile host is now attached or cannot forward the packet to that network. So, in order not to drop the connection, it sends the packet to the Home network, where the Home Agent looks up its database, finds the new network where the Mobile host is now attached and forwards the packet directly there. In addition, the Home Agent informs (S) about the new point of attachment of the Mobile host.

4 Central Administrative Server

Most of the problems described above could be prevented by using the Central Administrative Server (CAS), which uses a database to track critical information about the hosts involved in the Mobile IP protocol (Home and Foreign Agents, Mobile hosts, etc.). Thus, it tracks the Ethernet hardware address (MAC address), the PIN code, and the IP of the Mobile host at the Home and at the Foreign network, as well as the current point of attachment of every Mobile host. Moreover, the CAS would keep a logfile of the connections (successful or not) of the Mobile hosts. This logfile will also include information about attacks from or to every host (Mobile or immovable). Finally, it would keep some statistics about the connections, for example duration, data transmission speed (upload and download) and how often the Mobile host changes its point of attachment.

By using this information, the CAS is able to improve the mechanisms for routing optimization and security compared with the classical Mobile IP protocol. This is possible because the network administrators have all the data needed to protect their system in the best possible way. The whole system also works properly on a local network that is not even connected to the Internet. To implement it, one of the hosts of the local network acts as the CAS, serving the whole network (and all the subnetworks). However, it is even better to have more than one CAS, mirroring each other, to make the system more reliable. As an extension of the Mobile IP protocol, any Mobile host could represent a Mobile Network, which in turn serves many Mobile hosts.

5 Improving Dynamic Registration

When a Mobile host moves to a new location, it first has to determine whether the network supports the Mobile IP protocol. The most common way to find this out is to broadcast an encrypted hello message. Unfortunately, this action may not be permitted to everyone: if any host were able to send broadcast messages to the whole network without any control, it would put the system at risk. To overcome this problem, when the Mobile host connects to a new network a temporary special IP address is assigned to it for a very short time period. With this IP, the Mobile host sends the encrypted hello message directly to the CAS, acknowledging that it has been connected to a new network.
When the CAS receives the acknowledgement, it tries to find an appropriate IP for the Mobile host. In the next paragraph we describe how the remote network assigns the IP to our Mobile host.

Firstly, the CAS checks its database to find out whether the Mobile host has access to that Foreign network. This check is based on the hardware address of the Mobile host's Ethernet card as well as on the Mobile host's encryption key. The key is an encrypted message that differs from host to host and is described briefly below. This key may not be valid. That happens when the Mobile host has no access to the system, i.e. it has no key, and tries to get access by using a random or a stolen key. When the CAS faces such a case, it blocks access for that Mobile host (specific MAC address) and updates its database about this attack.

If the database contains two (or more) records pointing to different hosts but with the same MAC address or encryption key, one of the records is not true. To protect the network, the CAS immediately refuses the connection to both Mobile hosts and requests that they update their encryption keys. Then it informs all the Agents (Home and Foreign) that an attack from a specific Mobile host has been attempted. Moreover, it advises them not to provide access to this host again until the CAS recalls the warning. At the same time, it updates its database about the attack and expects to receive a message with the new keys from the Mobile hosts.

On the other hand, if the results of the check made by the CAS are clear, the Foreign Agent is informed to grant access to the Mobile host. Of course, the Foreign network, and consequently the Foreign Agent, has its own security policy. This means that even though the Mobile host has been granted access to the Foreign network by the CAS, the connection may still be refused by the local firewall because of its own security policy. In this case, the Foreign Agent informs the CAS about this refusal, so that if this Mobile host tries to connect to the same Foreign network again in the future, access will be blocked directly by the CAS. If this policy rule changes, a message is sent from the Foreign Agent to the CAS in order to stop blocking the connection.

If the previous step has passed without a connection problem, the Foreign Agent gives the Mobile host an IP address to use for as long as the host is connected to this network. When the Mobile host takes the new IP address, it sends a message to the CAS so that the CAS updates its database. Finally, the CAS informs the Home Agent of the Mobile host about where to forward future packets addressed to that Mobile host.

5.1 Handoff Mechanism

Every Agent of the system (Home or Foreign) periodically sends an encrypted heartbeat message, which is received by all the hosts that are successfully connected to the same administrative domain. The purpose of this message is to determine whether all the Mobile hosts are still connected to the same network. When a Mobile host receives such a message, it replies immediately with a new encrypted message that includes its identity and a timestamp. If this reply arrives at the Agent within a specific time period, the Agent recognizes that the Mobile host is still connected to the local network.
If the Agent does not receive such a reply in a reasonable time span, it assumes that the Mobile host is still connected to the local network. This assumption is based on the fact that the Mobile host has not sent any message to the Agent expressing its intention to disconnect. Thus, the Agent waits for another heartbeat message to clarify the situation. If the Agent again receives no reply from that Mobile host, it informs the CAS to update its database and to block the packets addressed to this Mobile host in order to reduce network load.

On the other hand, when the Mobile host leaves its network to visit a new one, a message is sent from the Foreign Agent to the CAS reporting that the Mobile host has disconnected from this network. At the same time, the Agent removes the route related to this Mobile host from its routing table. On receiving this message, the CAS updates its database and informs the Mobile host's Home Agent to block all packets addressed to the Mobile host until it is successfully connected again to a new network (or to the same one, if the Mobile host returns). The whole mechanism that takes place during the Mobile host's movement from one network to another is shown in Figure 4.
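The decisions of Sections 5 and 5.1 as a small model, added here as an illustration and not taken from the paper or from any Mobile IP implementation. The `CAS` class, its method names, the result strings and the SHA-256 key digest are assumptions; the database rows are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    host: str            # Mobile host identity
    mac: str             # Ethernet hardware address
    key_digest: bytes    # SHA-256 of the host key (storage form is an assumption)
    networks: frozenset  # Foreign networks the host may visit


def digest(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()


class CAS:
    """Hypothetical model of the CAS database and its decisions."""

    def __init__(self, records):
        self.records = list(records)
        self.blocked_macs = set()  # MACs that presented an invalid key
        self.rekey = set()         # hosts told to update their keys
        self.fa_refused = set()    # (host, network) refused by the FA's own policy
        self.missed = {}           # host -> consecutive unanswered heartbeats
        self.unreachable = set()   # hosts whose packets are blocked
        self.log = []              # attack and state records kept by the CAS

    def register(self, mac, key, network):
        """Section 5: may the Foreign Agent of `network` grant access?"""
        if mac in self.blocked_macs:
            return "refused:blocked"
        d = digest(key)
        same_mac = {r.host for r in self.records if r.mac == mac}
        same_key = {r.host for r in self.records
                    if hmac.compare_digest(r.key_digest, d)}
        # Records for different hosts sharing a MAC or a key: one is false,
        # so refuse every host involved and ask for new keys.
        if len(same_mac) > 1 or len(same_key) > 1:
            clash = same_mac | same_key
            self.rekey |= clash
            self.log.append(("duplicate", mac, tuple(sorted(clash))))
            return "refused:rekey"
        match = same_mac & same_key
        if not match:
            # No key, a random key or a stolen key: block this MAC.
            self.blocked_macs.add(mac)
            self.log.append(("invalid-key", mac))
            return "refused:blocked"
        host = next(iter(match))
        rec = next(r for r in self.records if r.host == host)
        if network not in rec.networks or (host, network) in self.fa_refused:
            return "refused:policy"
        self.missed[host] = 0
        self.unreachable.discard(host)
        return "granted"

    def fa_policy(self, host, network, refused):
        """The Foreign Agent reports, or later withdraws, a local refusal."""
        if refused:
            self.fa_refused.add((host, network))
        else:
            self.fa_refused.discard((host, network))

    def heartbeat(self, host, replied):
        """Section 5.1: an Agent reports one heartbeat round for `host`."""
        if replied:
            self.missed[host] = 0
            return "connected"
        self.missed[host] = self.missed.get(host, 0) + 1
        if self.missed[host] < 2:
            return "assumed-connected"  # first miss: wait for the next round
        self.unreachable.add(host)      # second miss: block its packets
        self.log.append(("heartbeat-lost", host))
        return "unreachable"


def demo():
    # Constructed database: host "c" carries the same MAC as host "b".
    cas = CAS([
        Record("a", "02:00:00:00:00:0a", digest(b"key-a"), frozenset({"fa1", "fa2"})),
        Record("b", "02:00:00:00:00:0b", digest(b"key-b"), frozenset({"fa1"})),
        Record("c", "02:00:00:00:00:0b", digest(b"key-c"), frozenset({"fa1"})),
    ])
    out = [cas.register("02:00:00:00:00:0a", b"key-a", "fa1")]      # valid host
    out.append(cas.register("02:00:00:00:00:ee", b"key-a", "fa1"))  # stolen key
    out.append(cas.register("02:00:00:00:00:0b", b"key-b", "fa1"))  # duplicate MAC
    cas.fa_policy("a", "fa2", refused=True)
    out.append(cas.register("02:00:00:00:00:0a", b"key-a", "fa2"))  # FA policy
    out += [cas.heartbeat("a", False), cas.heartbeat("a", False)]
    return out, cas


if __name__ == "__main__":
    print(demo()[0])
```
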

[Fig. 4. The mechanism that takes place when the Mobile host moves to a new network. Diagram labels: Internet, Correspondent Host (S), Central Administrative Server (CAS), Home Agent (HA), Foreign Agent (FA), Mobile Host (MH), direct routing.]

6 How CAS Improves Routing Optimization

In this section we examine what happens when the host S wants to send a packet to the Mobile host. The host S probably does not know whether the target host is immovable or mobile. It only knows the Mobile host's IP address at the Home network, so it sends the packet there. When the Home Agent receives the packet, it contacts the CAS to find out whether this host S is responsible for attacks on known networks. If the answer is affirmative, the CAS warns the Home Agent either to drop the connection or to monitor it. Otherwise, the packet is tunneled to the Mobile host's current Foreign network. Next, the Home Agent informs the host S that the Mobile host has a new IP address, so that future packets are sent directly to the Mobile host without first passing through the Home Agent.

However, it is sometimes desirable for the Mobile host not to advertise its current point of attachment. For instance, the Mobile host may not want to receive packets that come from a certain Correspondent host S. In this case, it sends a special encrypted message to the Foreign Agent informing it of this. The Agent in turn first notifies the CAS to update its database with this choice and then informs the Home Agent that, when this host S again sends a packet to the Mobile host, the Home Agent should not forward it. Also, the Home Agent should no longer inform the host S about the Mobile host's current point of attachment.

Furthermore, this implementation of the Mobile IP protocol, if it is supported by both the host S and the Foreign network, could be used to help combined networks handle network congestion at minimum cost.
To achieve this, the Foreign Agent should be able to decide when the Foreign network is about to become congested. When this is about to happen, the corresponding Agent informs the CAS so that it finds a backup network. This network should be close enough to the Foreign network and must support this extension of the Mobile IP protocol. When the CAS finds a backup network, it informs the host S not to send packets to the congested network but to forward them to the backup network instead. When the congestion has passed, the packets are moved from the backup network to the Mobile host's current point of attachment.

Finally, when the Mobile host is at the Home network, it is important that its performance be approximately the same as if it were an immovable host. This ensures that the extensions of the Mobile IP protocol do not reduce Home network performance. In this case, the Mobile host no longer needs to re-register periodically with its Home Agent, and the Mobile host's routing table should be set for normal IP routing.

7 Tying System's Security

First of all, it is an open secret among security specialists that no computer system connected to the Internet can ever be completely secure, but it is usual to make it increasingly difficult for someone to compromise it. On the other hand, the more secure the whole system is, the more intrusive and hard to use it becomes. Systems such as Kerberos can solve some of the security problems by providing privacy and authentication between applications at either end of the network. The aims of the CAS system are to maintain the Internet's current level of security for existing applications and to help prevent denial-of-service attacks on all applications, even those with end-to-end security [3].

7.1 Key Management

A common parameter for all the connections that transfer administrative messages is that they must be well encrypted, as they are the backbone of the whole system. The method of encryption may be based on a 1024-bit key algorithm like the MD5 one-way hash function. This key, which will change randomly and periodically when the TTL (Time To Live) expires, will, in addition to the Ethernet MAC address and the PIN code, be assigned to every host (stationary or Mobile) that supports the Mobile IP protocol. The encryption key must be transparent to the Mobile host's user, as well as to the administrator of the Foreign Agent. Whenever this key changes, the CAS is informed through a special link, which is encrypted with the PIN code, so that it updates its database. After the successful execution of the change-key function, the Mobile host can use the new key to encrypt or decrypt messages.
Regardless of TTL expiration, when a Mobile host recognizes or suspects that someone else has learned the encryption key, it executes the change-key function described above to generate a new key. The authentication and authorization of the Mobile host is done by a fixed PIN (Personal Identifier Number) code, which is an encrypted message that cannot be changed by anyone. To increase security, the PIN code is not transmitted through the network but is assigned to the Mobile host during Mobile IP protocol configuration. All the PIN codes are also stored in encrypted form in a database located at the CAS.

7.2 Security Risks

A possible security risk arises when a Mobile host that has no permission to connect to a Foreign network changes its Ethernet card. Then the system will probably no longer be able to recognize this host, so it could connect successfully to any Foreign network without problems. In this case, however, the PIN code can solve the security problem. As the Mobile host tries to connect to the Foreign network, the missing or incorrect PIN code will cause the connection to be dropped. When such a case happens, the CAS is informed so that it blocks future attempts from this Mobile host with the new Ethernet hardware address (MAC) [10].

However, a valid Mobile host can change its Ethernet card without any problems. In this case, if authentication were based only on the Ethernet hardware address (MAC), the host would no longer be able to communicate with other computers, because the new MAC would not be known at the CAS. For this reason, a special function is executed that securely informs the Foreign Agent and the CAS about the Ethernet change. The encryption used for those messages could be based on the Mobile host's PIN code.

Another way to improve the system's security is to compare the logfiles of the CAS with those of any Agent. The most reasonable way to do this is a periodic logfile upload from every Foreign or Home Agent to the CAS. Then a script running at the CAS will check them and compare them to the local ones. Possible signs of an attack on the system may be found during this examination; the most common are short, incomplete or missing logfiles, or logfiles that contain strange timestamps. Moreover, records of services starting or stopping without reason and without first notifying the CAS, as well as access being provided to a Mobile host without (or ignoring) the CAS advice, are not usual. It does not matter if the connections for the logfile upload are slow, because the only data transmitted over them are small administrative messages. These connections may be implemented with Virtual Private Networks (VPNs), which are often used to connect two networks securely over the public Internet [6].
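One way the CAS-side comparison script described above could look, as an added example that is not part of the paper. The log line format, the event names, the thresholds and both sample logs are constructed for illustration; the paper specifies none of them.

```python
import re

# Constructed line format (the paper defines none): "<unix time> <EVENT> <subject>"
LINE = re.compile(r"^(\d{10}) (GRANT|DENY|SERVICE_START|SERVICE_STOP) (\S+)$")


def parse(text):
    """Return (records, bad): records are (line_no, time, event, subject)."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line.strip())
        if m:
            records.append((n, int(m.group(1)), m.group(2), m.group(3)))
        elif line.strip():
            bad.append(n)  # truncated or malformed line
    return records, bad


def audit(agent_log, cas_log, uploaded_at, min_records=3, max_skew=300):
    """Compare one Agent's uploaded logfile with the CAS's own log.

    uploaded_at is the CAS clock at upload time; min_records and max_skew
    (seconds) are assumed thresholds.
    """
    if agent_log is None:
        return [("missing", None)]
    findings = []
    records, bad = parse(agent_log)
    findings += [("incomplete", n) for n in bad]
    if len(records) < min_records:
        findings.append(("short", len(records)))

    # Strange timestamps: running backwards, or ahead of the CAS clock.
    previous = None
    for n, ts, _, _ in records:
        if ts > uploaded_at + max_skew or (previous is not None and ts < previous):
            findings.append(("timestamp", n))
        previous = ts

    # What the CAS itself recorded: its last advice per host, and the
    # service changes it was notified of.
    advice, notified = {}, set()
    for _, _, event, subject in parse(cas_log)[0]:
        if event in ("GRANT", "DENY"):
            advice[subject] = event
        else:
            notified.add((event, subject))

    for _, _, event, subject in records:
        if event == "GRANT" and advice.get(subject) != "GRANT":
            findings.append(("grant-without-advice", subject))
        elif event.startswith("SERVICE") and (event, subject) not in notified:
            findings.append(("unnotified-service", f"{event} {subject}"))
    return findings


# Constructed sample data.
AGENT_LOG = """\
1700000000 SERVICE_START tunnel
1700000060 GRANT 02:00:00:00:00:0a
1700000120 GRANT 02:00:00:00:00:0b
1700000090 SERVICE_STOP tunnel
1700000200 GRA
"""
CAS_LOG = """\
1700000000 SERVICE_START tunnel
1700000055 GRANT 02:00:00:00:00:0a
1700000110 DENY 02:00:00:00:00:0b
"""

if __name__ == "__main__":
    for finding in audit(AGENT_LOG, CAS_LOG, uploaded_at=1700000300):
        print(finding)
```
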
The timestamps attached to the administrative messages, as reported above, are a critical point in the secure use of the Mobile IP protocol. For this reason, all the hosts that support the Mobile IP protocol should have the same time reference. This can be accomplished if the CAS also acts as a timeserver. Then the Home and the Foreign Agent, as well as the Mobile host, will periodically request the current time from the CAS in order to adjust their system clocks.

Finally, for security reasons it is possible not to permit Mobile hosts, when they are connected to a Foreign network, to access IPs that are blocked in their Home network. To manage this, the Home Agent informs the CAS about which connections are blocked for the specific Mobile host. So, when the Mobile host moves to a Foreign network, the Foreign Agent, after finishing the algorithm for obtaining an address as described above, asks the CAS which connections of the Mobile host should be rejected. After receiving the reply from the CAS, it blocks those connections simply by discarding them.

8 Future Work

We plan to implement the ideas presented in this paper on a Linux box running kernel

9 Conclusion

This implementation of the Mobile IP protocol clearly has some advantages over the classic one. The most important of them is the system's capability to reduce the system administrator's workload without lowering the security standard. In other words, the scripts that run at the CAS act as a super administrator who is authorized to protect all the networks. Moreover, the logfiles from the whole system are available to any network administrator, so that the protection is even better. On the other hand, in the classic Mobile IP protocol, every network has to protect itself alone, ignoring the experience of previous attacks on other networks.

Acknowledgement

We thank Apostolos Syropoulos for his valuable suggestions and comments.

References

1. Stuart Cheshire and Mary Baker. Internet Mobility 4x4. In SIGCOMM '96. Also available from
2. Ralph Droms. Dynamic Host Configuration Protocol. RFC 1541 (available from http: //
3. Kevin Fenzi. Linux security howto. Electronic document available from linux.com/howto/security-howto.html,
4. S. Glass, T. Hiller, S. Jacobs, and C. Perkins. Mobile IP Authentication, Authorization and Accounting Requirements. Electronic document available from org/rfcs/rfc2977.html,
5. David B. Johnson and David A. Maltz. Protocols for Adaptive Wireless and Mobile Networking. Electronic document available from johnson96protocols.html,
6. S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401 (available from
7. G. Montenegro. Bi-directional Tunneling for Mobile IP. Electronic document available from txt,
8. C. Perkins. IP Encapsulation within IP. RFC 2003 (available from org/rfcs/rfc2003.html),
9. C. Perkins. IP Mobility Support. RFC 2002 (available from rfc2002.html),
10. David C. Plummer. An Ethernet Address Resolution Protocol. RFC 826 (available from


Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Implementing and Managing Security for Network Communications

Implementing and Managing Security for Network Communications 3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication

More information

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0 APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations

More information

Wireless Encryption Protection

Wireless Encryption Protection Wireless Encryption Protection We re going to jump around a little here and go to something that I really find interesting, how do you secure yourself when you connect to a router. Now first and foremost

More information

An Experimental Study on Wireless Security Protocols over Mobile IP Networks

An Experimental Study on Wireless Security Protocols over Mobile IP Networks An Experimental Study on Wireless Security Protocols over Mobile IP Networks Avesh K. Agarwal Department of Computer Science Email: akagarwa@unity.ncsu.edu Jorinjit S. Gill Department of Electrical and

More information

G.Vijaya kumar et al, Int. J. Comp. Tech. Appl., Vol 2 (5), 1413-1418

G.Vijaya kumar et al, Int. J. Comp. Tech. Appl., Vol 2 (5), 1413-1418 An Analytical Model to evaluate the Approaches of Mobility Management 1 G.Vijaya Kumar, *2 A.Lakshman Rao *1 M.Tech (CSE Student), Pragati Engineering College, Kakinada, India. Vijay9908914010@gmail.com

More information

Understanding the Cisco VPN Client

Understanding the Cisco VPN Client Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Detection of Promiscuous Nodes Using ARP Packets

Detection of Promiscuous Nodes Using ARP Packets Detection of Promiscuous Nodes Using ARP Packets Version 1.0 Written by: 31Aug01 Daiji Sanai Translated by: Kelvin KingPang Tsang http://www.securityfriday.com 1 Contents Abstract...3

More information

SCADA SYSTEMS AND SECURITY WHITEPAPER

SCADA SYSTEMS AND SECURITY WHITEPAPER SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of

More information

Mobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744. The problem

Mobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744. The problem Mobility (and philosophical questions about names and identity) David Andersen CMU CS 15-744 The problem How to support mobile users What do we mean by support? Make it easy and convenient to effectively

More information

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks Avesh K. Agarwal Wenye Wang Department of Electrical and Computer Engineering North Carolina State University,

More information

Network Security Part II: Standards

Network Security Part II: Standards Network Security Part II: Standards Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 18-1 Overview

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Computer Networks. Wireless and Mobile Networks. László Böszörményi Computer Networks Mobile - 1

Computer Networks. Wireless and Mobile Networks. László Böszörményi Computer Networks Mobile - 1 Computer Networks Wireless and Mobile Networks László Böszörményi Computer Networks Mobile - 1 Background Number of wireless (mobile) phone subscribers now exceeds number of wired phone subscribers! Computer

More information

Final for ECE374 05/06/13 Solution!!

Final for ECE374 05/06/13 Solution!! 1 Final for ECE374 05/06/13 Solution!! Instructions: Put your name and student number on each sheet of paper! The exam is closed book. You have 90 minutes to complete the exam. Be a smart exam taker -

More information

Static and Dynamic Network Configuration

Static and Dynamic Network Configuration CHAPTER 6 This chapter describes: Static Networks Dynamic Networks Static Networks The mobile access router can be part of a static network or a dynamic network. A static network supports stub routers

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

A SENSIBLE GUIDE TO LATENCY MANAGEMENT

A SENSIBLE GUIDE TO LATENCY MANAGEMENT A SENSIBLE GUIDE TO LATENCY MANAGEMENT By Wayne Rash Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former

More information

Frequently Asked Questions

Frequently Asked Questions Frequently Asked Questions 1. Q: What is the Network Data Tunnel? A: Network Data Tunnel (NDT) is a software-based solution that accelerates data transfer in point-to-point or point-to-multipoint network

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Sage ERP Accpac Online

Sage ERP Accpac Online Sage ERP Accpac Online Mac Resource Guide Thank you for choosing Sage ERP Accpac Online. This Resource Guide will provide important information and instructions on how you can get started using your Mac

More information

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network 5.0 Network Architecture 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network 1 5.1The Internet Worldwide connectivity ISPs connect private and business users Private: mostly dial-up connections Business:

More information

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, 2012. Page 1

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, 2012. Page 1 Sage 300 ERP Online (Formerly Sage ERP Accpac Online) Mac Resource Guide Updated June 1, 2012 Page 1 Table of Contents 1.0 Introduction... 3 2.0 Getting Started with Sage 300 ERP Online using a Mac....

More information

Tunnel Broker System Using IPv4 Anycast

Tunnel Broker System Using IPv4 Anycast Tunnel Broker System Using IPv4 Anycast Xin Liu Department of Electronic Engineering Tsinghua Univ. lx@ns.6test.edu.cn Xing Li Department of Electronic Engineering Tsinghua Univ. xing@cernet.edu.cn ABSTRACT

More information

VRRP Technology White Paper

VRRP Technology White Paper Issue 01 Date 2012-08-31 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of

More information

Raptor Firewall Products

Raptor Firewall Products Axent Technologies, Ltd The Leader in Integrated Firewall and VPN Solutions Raptor Firewall Products Security Cannot Be Ignored >100M Users on WWW E Commerce Shift Billions Lost to Cyberthieves 150,000

More information

Mobile Routing. When a host moves, its point of attachment in the network changes. This is called a handoff.

Mobile Routing. When a host moves, its point of attachment in the network changes. This is called a handoff. Mobile Routing Basic Notions of Mobility When a host moves, its point of attachment in the changes. This is called a handoff. The point of attachment is a base station (BS) for cellular, or an access point

More information

Mobile Communications Chapter 9: Mobile Transport Layer

Mobile Communications Chapter 9: Mobile Transport Layer Mobile Communications Chapter 9: Mobile Transport Layer Motivation TCP-mechanisms Classical approaches Indirect TCP Snooping TCP Mobile TCP PEPs in general Additional optimizations Fast retransmit/recovery

More information

The next generation of knowledge and expertise Wireless Security Basics

The next generation of knowledge and expertise Wireless Security Basics The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Efficient Addressing. Outline. Addressing Subnetting Supernetting CS 640 1

Efficient Addressing. Outline. Addressing Subnetting Supernetting CS 640 1 Efficient Addressing Outline Addressing Subnetting Supernetting CS 640 1 IPV4 Global Addresses Properties IPv4 uses 32 bit address space globally unique hierarchical: network + host 7 24 Dot Notation 10.3.2.4

More information

Cisco Which VPN Solution is Right for You?

Cisco Which VPN Solution is Right for You? Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2

More information

IP Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49

IP Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 IP Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

Chapter 5. Data Communication And Internet Technology

Chapter 5. Data Communication And Internet Technology Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN

More information

Best practices for protecting network data

Best practices for protecting network data Best practices for protecting network data A company s value at risk The biggest risk to network security is underestimating the threat to network security. Recent security breaches have proven that much

More information

TCP for Wireless Networks

TCP for Wireless Networks TCP for Wireless Networks Outline Motivation TCP mechanisms Indirect TCP Snooping TCP Mobile TCP Fast retransmit/recovery Transmission freezing Selective retransmission Transaction oriented TCP Adapted

More information

8.2 The Internet Protocol

8.2 The Internet Protocol TCP/IP Protocol Suite HTTP SMTP DNS RTP Distributed applications Reliable stream service TCP UDP User datagram service Best-effort connectionless packet transfer Network Interface 1 IP Network Interface

More information

IMHP: A Mobile Host Protocol for the Internet. Abstract

IMHP: A Mobile Host Protocol for the Internet. Abstract IMHP: A Mobile Host Protocol for the Internet Charles Perkins T. J. Watson Research Center IBM Corporation P. O. Box 218 Yorktown Heights, NY 10598 Andrew Myles Department of Electronics

More information

Wireless Networks: Network Protocols/Mobile IP

Wireless Networks: Network Protocols/Mobile IP Wireless Networks: Network Protocols/Mobile IP Mo$va$on Data transfer Encapsula$on Security IPv6 Problems DHCP Adapted from J. Schiller, Mobile Communications 1 Mo$va$on for Mobile IP Rou$ng based on IP

More information

Network Security TCP/IP Refresher

Network Security TCP/IP Refresher Network Security TCP/IP Refresher What you (at least) need to know about networking! Dr. David Barrera Network Security HS 2014 Outline Network Reference Models Local Area Networks Internet Protocol (IP)

More information

High Performance VPN Solutions Over Satellite Networks

High Performance VPN Solutions Over Satellite Networks High Performance VPN Solutions Over Satellite Networks Enhanced Packet Handling Both Accelerates And Encrypts High-Delay Satellite Circuits Characteristics of Satellite Networks? Satellite Networks have

More information

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a traditional NAT? Un article de Le wiki des TPs RSM. Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

Own your LAN with Arp Poison Routing

Own your LAN with Arp Poison Routing Own your LAN with Arp Poison Routing By: Rorik Koster April 17, 2006 Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From

More information

Chapter 4 Virtual Private Networking

Chapter 4 Virtual Private Networking Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between

More information

Network Services Internet VPN

Network Services Internet VPN Contents 1. 2. Network Services Customer Responsibilities 3. Network Services General 4. Service Management Boundary 5. Defined Terms Network Services Where the Customer selects as detailed in the Order

More information

How To Set Up A Net Integration Firewall

How To Set Up A Net Integration Firewall Net Integration Technologies, Inc. http://www.net itech.com Net Integrator Firewall Technical Overview Version 1.00 TABLE OF CONTENTS 1 Introduction...1 2 Firewall Architecture...2 2.1 The Life of a Packet...2

More information

Chapter 9. IP Secure

Chapter 9. IP Secure Chapter 9 IP Secure 1 Network architecture is usually explained as a stack of different layers. Figure 1 explains the OSI (Open System Interconnect) model stack and IP (Internet Protocol) model stack.

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com Wireless VPN White Paper WIALAN Technologies, Inc. http://www.wialan.com 2014 WIALAN Technologies, Inc. all rights reserved. All company and product names are registered trademarks of their owners. Abstract

More information

TCP and Wireless Networks Classical Approaches Optimizations TCP for 2.5G/3G Systems. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

TCP and Wireless Networks Classical Approaches Optimizations TCP for 2.5G/3G Systems. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme Chapter 2 Technical Basics: Layer 1 Methods for Medium Access: Layer 2 Chapter 3 Wireless Networks: Bluetooth, WLAN, WirelessMAN, WirelessWAN Mobile Networks: GSM, GPRS, UMTS Chapter 4 Mobility on the

More information

If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders. Dan Farmer, System Administrators Guide to Cracking

More information

Transport and Network Layer

Transport and Network Layer Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

DYNAMIC MULTIPOINT VPN HUB AND SPOKE INTRODUCTION

DYNAMIC MULTIPOINT VPN HUB AND SPOKE INTRODUCTION DYNAMIC MULTIPOINT VPN HUB AND SPOKE INTRODUCTION NOVEMBER 2004 1 INTRODUCTION Spoke, Presentation_ID 11/04 2004, Cisco Systems, Inc. All rights reserved. 2 What is Dynamic Multipoint VPN? Dynamic Multipoint

More information

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013 CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Security issues with Mobile IP

Security issues with Mobile IP Technical report, IDE1107, February 2011 Security issues with Mobile IP Master s Thesis in Computer Network Engineering Abdel Rahman Alkhawaja & Hatem Sheibani School of Information Science, Computer and

More information

Charles E. Perkins, Sun Microsystems

Charles E. Perkins, Sun Microsystems Abstract Mobile IP has been designed within the IETF to serve the needs of the burgeoning population of mobile computer users who wish to connect to the Internet and maintain communications as they move

More information

A Study on Mobile IPv6 Based Mobility Management Architecture

A Study on Mobile IPv6 Based Mobility Management Architecture UDC 621.396.69:681.32 A Study on Mobile IPv6 Based Mobility Management Architecture VTsuguo Kato VRyuichi Takechi VHideaki Ono (Manuscript received January 19, 2001) Mobile IPv6 is considered to be one

More information

CS 494/594 Computer and Network Security

CS 494/594 Computer and Network Security CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1

More information

(Refer Slide Time: 01:38 01:37)

(Refer Slide Time: 01:38 01:37) Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No: 29 IP Version 6 & Mobile IP Good day, in the last lecture we discussed

More information

NCP Secure Enterprise Management Next Generation Network Access Technology

NCP Secure Enterprise Management Next Generation Network Access Technology Data Sheet NCP Secure Enterprise Management Next Generation Network Access Technology General description NCP Secure Enterprise Management is the central component of the NCP Next Generation Network Access

More information

Moonv6 Test Suite DRAFT

Moonv6 Test Suite DRAFT Moonv6 Test Suite DHCP Interoperability Test Suite DRAFT Technical Document Revision 0.1 IPv6 Consortium 121 Technology Drive, Suite 2 InterOperability Laboratory Durham, NH 03824-3525 Research Computing

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Definition. A Historical Example

Definition. A Historical Example Overlay Networks This lecture contains slides created by Ion Stoica (UC Berkeley). Slides used with permission from author. All rights remain with author. Definition Network defines addressing, routing,

More information

Dr. Arjan Durresi. Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/

Dr. Arjan Durresi. Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/ Set of Problems 2 Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/ Louisiana State University

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Availability Digest. www.availabilitydigest.com. Redundant Load Balancing for High Availability July 2013

Availability Digest. www.availabilitydigest.com. Redundant Load Balancing for High Availability July 2013 the Availability Digest Redundant Load Balancing for High Availability July 2013 A large data center can comprise hundreds or thousands of servers. These servers must not only be interconnected, but they

More information

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols Guide to TCP/IP, Third Edition Chapter 3: Data Link and Network Layer TCP/IP Protocols Objectives Understand the role that data link protocols, such as SLIP and PPP, play for TCP/IP Distinguish among various

More information

ACHILLES CERTIFICATION. SIS Module SLS 1508

ACHILLES CERTIFICATION. SIS Module SLS 1508 ACHILLES CERTIFICATION PUBLIC REPORT Final DeltaV Report SIS Module SLS 1508 Disclaimer Wurldtech Security Inc. retains the right to change information in this report without notice. Wurldtech Security

More information

Internet Control Protocols Reading: Chapter 3

Internet Control Protocols Reading: Chapter 3 Internet Control Protocols Reading: Chapter 3 ARP - RFC 826, STD 37 DHCP - RFC 2131 ICMP - RFC 0792, STD 05 1 Goals of Today s Lecture Bootstrapping an end host Learning its own configuration parameters

More information

Wireless ATA: A New Data Transport Protocol for Wireless Storage

Wireless ATA: A New Data Transport Protocol for Wireless Storage Wireless ATA: A New Data Transport Protocol for Wireless Storage Serdar Ozler and Ibrahim Korpeoglu Department of Computer Engineering, Bilkent University, 06800 Bilkent, Ankara, Turkey {ozler, korpe}@cs.bilkent.edu.tr

More information

CS268 Exam Solutions. 1) End-to-End (20 pts)

CS268 Exam Solutions. 1) End-to-End (20 pts) CS268 Exam Solutions General comments: ) If you would like a re-grade, submit in email a complete explanation of why your solution should be re-graded. Quote parts of your solution if necessary. In person

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information