Effectiveness of IPv6 in Addressing Wireless Security Vulnerabilities

Rahul Mukherjee and Animesh Jain
December 10, 2003

Abstract

Over the next several years it is expected that mobile devices will become one of the dominant ways that people connect to the Internet. Wireless communications are more vulnerable than typical wired messages due to the broadcast nature of wireless signals. The failure of WEP and the general lack of encryption for wireless communications renders most wireless data vulnerable to attack, which will become a growing concern with the rise of mobile commerce. In this paper, we examine the security features of IPv6 and their ability to alleviate the current vulnerabilities in wireless. We also examine the related Mobile IPv6 (MIPv6) protocol. It is our claim that the security features of IPv6 (namely the Authentication Header and Encapsulating Security Payload Header) can do a reasonable job of protecting wireless data; however, the MIPv6 protocol contains serious security threats to wireless communications through its use of IP address binding updates.

Contents

Introduction
Background
The Growth of Wireless Internet
Internet Protocols
Internet Security
Wired Security
Wireless Security
IPv6
Details of IPv4
The Need for Change
Key differences between IPv6 and IPv4
Details of IPv6
Header Size and Efficiency
Addressing
Extension Headers
Quality of Service
Transition Support
Wireless and the Need for IPv6
Security Features and Analysis of IPv6
Criteria for Analysis of IP Security
IPsec
Authentication Header
Encapsulating Security Payload Header
Analysis of IPsec Security Features
MIPv6
Overview of MIPv6
Analysis of MIPv6 Security Flaws
Improvements
Conclusions

1 Introduction

In this paper we aim to examine IPv6 and whether its purported security features can do an adequate job of protecting wireless communications. In Section 2 of the paper we give a background of relevant topics including Internet protocols and wireless security concerns. Section 3 contains a detailed description of IPv4, the new IPv6 and the differences between the two protocols. Section 4 focuses specifically on the security features that have been added to IPv6, and an analysis of these features. Section 5 introduces the Mobile IPv6 (MIPv6) protocol and analyzes its security vulnerabilities. Section 7 summarizes the major conclusions of this paper.

The wireless Internet market is already growing at rapid rates and within the next several years could become one of the primary ways that people access the Internet. Concomitant with this growth in wireless Internet access will be the growth in mobile commerce, which will require secure wireless transactions. The current state of wireless communication is quite insecure due to the broadcast nature of wireless and the currently limited use of encryption. The WEP protocol, though intended to solve this problem, has been largely ineffective due to the sparse use of 256-bit encryption. The new Internet Protocol, IPv6, utilizes promising new security features, such as an Authentication Header and an Encapsulating Security Payload Header. The security measures of IPv6 do an adequate job of resolving the current security problems with wireless communications. The related MIPv6 protocol, however, contains serious security vulnerabilities due to its location management system.

2 Background

2.1 The Growth of Wireless Internet

The Internet originated as a small government-sponsored network called the ARPANET. At this point the network was a small controlled network with a very limited user base. By the mid-nineties the network had been turned over to the private sector and began to grow rapidly.
As the Internet spread into homes it was used primarily for sending casual e-mails, chat rooms, instant messages and "surfing the web," as it was termed in the common parlance. By the late 1990s, though, use of the Internet was widespread in most developed countries. Concomitant with this growth in Internet usage was the growth of electronic commerce (e-commerce for short). In 2001 the e-commerce market had topped $286 billion; by 2004 it is projected that the market will grow to an astounding $3.2 trillion [20]. Prior to the development of e-commerce there was no single compelling reason for strong security in Internet communications. With the advent of online business, though, secure communications became essential, which gave rise to new security technology and greater use of encryption.

One of the most rapidly growing fields in recent years has been wireless Internet communications. Wireless communication has been growing not just in terms of computers accessing the Internet but also cellular phones, personal digital assistants (PDAs) and other portable devices. In a parallel to the growth of commerce on the traditional wired Internet, commerce is rapidly growing on wireless devices; many have termed this form of business mobile commerce or m-commerce. The projected growth of m-commerce is mind-boggling. According to some analysts, the m-commerce market should reach $200 billion by 2004 and there will be over 600 million users of wireless Internet [4]. Even more dramatically, it is expected that there will be more wireless Internet devices than wired Internet devices by 2008 [4].

Traditionally, wireless communications have not utilized strong security measures such as adequate encryption. So, it is often a trivial matter to intercept the content of many wireless transactions. With the dramatic growth of m-commerce, however, it stands to reason that there will be a growing necessity for secure and reliable wireless transactions. Viewed in this light, the security of wireless Internet access is a crucial issue for the future growth of the Internet.

2.2 Internet Protocols

Protocols are one of the keys to the functioning of the Internet as well as local networks.
Protocols can be defined as "a set of rules and conventions used to impose a standardized, structured language for the communication between multiple parties...in fact, a data exchange can only take place between two computers using the same protocol" [5]. This simple definition hints at the importance of protocols. Protocols define the standards for communication in the Internet. One could say that protocols serve as the common grammar of the Internet; without the standards provided by protocols the computers on the Internet would not know how to interpret or decode information from other computers. Another important feature of protocols is that they allow interoperability so that computers of different platforms can communicate with each other (as long as they adhere to the protocols).

The issues of authority and jurisdiction play a significant role in the development of protocols: who gets to decide what the standards are? Although no single group or government can claim ultimate authority over Internet standards, the Internet Engineering Task Force (IETF) is an international body that is responsible for the standardization of many of the most important Internet protocols.

Internet protocols are tailored to a broad range of purposes, such as e-mail and file transfers. The Internet landscape is filled with dozens of protocols leading to a confusing jumble of names and acronyms: HTTP, FTP, SMTP, TCP, IP, Finger, UDP, POP3, DNS, and myriad others. One of the most well known protocols is the Hypertext Transfer Protocol (HTTP). The HTTP is a simple protocol that is most commonly used to define the standard for web pages on the Internet. The File Transfer Protocol (FTP) establishes a method for two computers on the Internet to transfer bulk files back and forth. The Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol version 3 (POP3) are two of the most common protocols used to deliver and retrieve e-mail across the Internet. The Domain Name Service (DNS) protocol is an essential component of the Internet because it is the protocol that associates colloquial web addresses with a computer-usable numerical address [17].

Two of the most fundamental protocols in the Internet are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The TCP and IP protocols are jointly referred to as the TCP/IP stack or TCP/IP suite. They function together to form the basis of most communications on the Internet. The TCP deals with the creation of a physical connection and the transmission of data from the source to the destination [17]. The IP is responsible for routing a particular message (or section of a message, known as a packet) from its source to its destination. Gulati describes the IP as "the common thread that holds the entire Internet together" [5]. The most commonly used version of the Internet Protocol is version 4 or IPv4 (Section 2.1 contains a detailed description of IPv4 and its specifics).
As the Internet grew in size it became evident that IPv4 could not meet the demand of the burgeoning electronic world. So, a new and improved version, IPv6, was introduced to replace IPv4.

The concepts of hierarchy and levels of abstraction also play a critical role in Internet protocols. Protocols build upon each other, creating a hierarchical structure. For example, the TCP/IP suite takes care of the routing and transmission of data. Since this is the job of the TCP/IP protocols, other protocols can rely on them and simply assume that they do their job. The SMTP and POP3 mail protocols, for example, assume that the TCP/IP suite is in place and build on top of it to deliver e-mail to different users. Other protocols and applications, such as e-mail clients, can then build on the mail protocols.

2.3 Internet Security

Wired Security

As e-commerce took off, the need for secure transactions grew significantly. In the wired realm, three leading methods of security arose: digital certificates, Secure Sockets Layer (SSL), and Secure HTTP (S-HTTP).

Digital certificates are used to provide a verified encryption key. This allows users on the Internet to be authenticated, and encrypts the user's data. Certificates are first obtained from a certificate authority. Both the Netscape and Internet Explorer browsers come with a collection of pre-verified certificates from different corporations and organizations. If used properly, certificates can provide adequate security with wired connections. However, several shortcomings exist. Certificates rely on the end user to have some understanding of how they work. In addition to this, managing a database of certificates can be difficult [19].

SSL creates a secure channel of communication between the server and the end user. It does so by providing both message privacy and message integrity. Message privacy refers to SSL's ability to encrypt all information exchanged between the web server and the end user. Each message is encrypted with the client's public key. In order to guarantee that each key is unique and not able to be replicated, SSL session keys are used only once. Message integrity refers to SSL's ability to guarantee that the party receiving the message is who the server intended. This is done by having the receiving parties generate a code based on the content of the message. If the code is altered in any way, the integrity of the message has been breached as far as SSL is concerned [19].

While SSL is designed to create a secure connection between two computers to transmit as much data as is necessary, the primary goal of S-HTTP is to transmit a single message securely.
Both SSL and S-HTTP have been approved as standards by the IETF, and so the two can be seen as complementary standards which do not compete with each other. Of the two protocols, SSL is more prevalent on the Internet and is the protocol most widely used by commercial web sites for gathering sensitive information such as credit card numbers.

In addition to these methods of securing a wired Internet connection, people often overlook one of the most beneficial and inherent security features of a wired connection: in order for the security to be compromised, a hacker must have some sort of physical entrance to the network. This, in itself, acts as a deterrent in preventing attacks.

Wireless Security

There are two significant problems with wireless security today. First, the inherent broadcasting nature of wireless Internet allows intruders to hack into a system without ever physically being connected to the network. Secondly, wireless signals are not sufficiently encrypted in most cases. This, combined with the fact that the signal is being broadcast to anyone in its range, poses serious security threats which can lead to unwanted spying on or tampering with packets being sent and received by a user [16].

In order to combat these glaring security deficiencies, the Wired Equivalent Privacy (WEP) protocol was designed. WEP creates a wireless network which can only be accessed by clients who have special encryption keys, and is designed to provide the same level of encryption that wired connections have. WEP-enabled wireless routers use three types of encryption: 40-bit, 128-bit, and 256-bit keys.

The problem with WEP lies in the fact that, while 256-bit encryption keys are nearly impossible to crack, 40-bit and 128-bit WEP keys are relatively easy to gain access to. Among the three levels of keys, 40-bit keys are the most insecure and can be cracked simply by trying every possible string of 40 1s and 0s. On the other hand, 128-bit WEP keys cannot be cracked using this brute force method. Unfortunately, because of other vulnerabilities, it is also possible to crack 128-bit keys. Programs such as AirSnort aid in cracking 128-bit keys, and after gathering a sufficient amount of packets, the correct 128-bit key can usually be obtained within a relatively short period of time (less than two weeks usually on a moderately busy network). Finally, while 256-bit WEP encryption is very difficult to beat, routers using it are typically more expensive than non-256-bit routers.
In addition to this, a large percentage of routers that have already been released to the market and purchased do not use 256-bit encryption, creating a serious security crisis [16].

Encryption key management is another significant point of vulnerability for WEP, since there is no key management standard described under the protocol. Normally, a key management system in which keys are short-lived will provide the best security. However, since client machines and access points must be programmed with the same key, machines tend to have the same key for a long time. Changing keys is difficult, since each machine must individually be changed if the access point's key is modified [16].

Finally, many wireless networks require authentication in order to use the given access point. This is done so that the user must prove that they know the WEP key in order to use the network. However, this method has actually proven to compromise security more than provide additional security. This is because an attacker sniffing the network can detect what a successful authentication looks like in order to forge such an authentication at a later point [16].

3 IPv6

3.1 Details of IPv4

One of the key requirements of the Internet is a system of sending data from one location to another. The Internet Protocol defines the standard for Internet addresses and how pieces of data, also called datagrams or packets, are transported from place to place in the Internet. At its simplest, the Internet Protocol is a header, containing source and destination addresses, that is attached to each datagram flowing through the Internet.

The fourth version of the Internet Protocol, IPv4, was proposed through RFC 791 in 1981 and is currently the dominant IP version. According to the RFC, IPv4 serves two primary purposes: 1. Addressing; 2. Fragmentation. Addressing allows for the delivery of datagrams by accounting for "from" and "to" addresses. Fragmentation is a method for transporting datagrams that are too large to traverse the network in one piece. Datagrams can be fragmented into smaller pieces, sent across the network and then reassembled at the end [10].

The IP header consists of a strict sequence of fields with fixed lengths for each field. This strict format creates a common language that sender, recipient and intermediate nodes can understand.
The sequence for the IPv4 header is as follows [10]:

Internet Header Length (4 bits)
Type of Service (8 bits) - indicates whether precedence should be given to the datagram
Total Length (16 bits) - length of the entire datagram
Identification (16 bits) - used for assembling fragmented packets
Flags (3 bits) - indicates whether the datagram may be fragmented
Fragment Offset (13 bits)
Identification (16 bits) - used for assembling fragmented packets
Time to Live (8 bits) - the field is decremented by 1 for each hop that the datagram takes; if the field is zero, the packet is destroyed
Protocol (8 bits) - indicates the next protocol
Header Checksum (16 bits) - if the checksum does not match the computed value, the datagram is invalid; the checksum should be checked and recomputed at each hop
Source Address (32 bits)
Destination Address (32 bits)
Options (variable length) - additional information, such as security or time stamps; this is the only variable field in the IPv4 header; multiple options can be used
Padding - a sequence of zeros added to the end of the header to make it a multiple of 32 bits

Figure 1: IPv4 Header

Due to the variable length of the options, the IPv4 header is actually not of a fixed size. The maximum size is 60 octets, whereas 20 octets is a more typical size. Though different networks may support different size datagrams, all networks must allow for datagrams of at least 576 octets to be compatible with IPv4 [10].

One of the key features of IPv4 is the simple addressing scheme. The first one, two, or three bits of the address indicate the type of address. The remaining bits identify the particular network as well as the individual host within the network. There is some flexibility within this simple addressing format, though. IPv4 has three different types of addresses (labelled Classes A-C), each serving different types of networks.

In large networks, for example, a Class A address, which utilizes 7 bits to identify the network and 24 bits for the host, can be used. For smaller networks, a Class C address could be used as it contains 21 bits to identify the network and 8 for the particular host [10].

Another key feature in IPv4 is fragmentation. The Internet is a large network composed of smaller networks, each of which can choose its own specifications (such as packet size). It is thus possible that a packet could encounter a network en route to its destination that does not support packets of its size. In this case, the packet could be fragmented into smaller datagrams which can be subsequently reassembled [10]. So, fragmentation is a key for the interoperability of the various networks that compose the Internet.

The Time to Live field is another of the critical components of IPv4. If a datagram is undeliverable for some reason it could, in theory, stay in the network indefinitely. Such data accumulation would eventually clog the network and bring it to a halt. The Time to Live field provides a mechanism for eliminating data that has been in the network too long [10].

Finally, there is the issue of errors. It is inevitable that some data travelling through the Internet will contain errors due to corruption, hacking, malformed source data, etc. Features like the header checksum can be used to detect some of these errors. The Internet Control Message Protocol (ICMP) can also be used to send notification of errors to the source [10].

3.2 The Need for Change

At the time that the IPv4 protocol was adopted over 20 years ago the size of the Internet was relatively small. By the 1990s, however, the Internet began to grow at an exponential rate due largely to the shift towards privatization. In the mid to early 90s concerns were raised about the scalability of IPv4, the key concern being the limited 32-bit address size.
The 32-bit address corresponds to a maximum of about 3 billion unique Internet addresses [22]. With the sustained rapid growth of the Internet and the projected growth of wireless Internet devices, it is expected that the Internet will run out of 32-bit addresses. As such, there seems to be a compelling need to implement a new protocol with an expanded address space.

Though the primary shortcoming of IPv4 is considered the address size, the changing nature of the Internet has resulted in other problems with the protocol. The need for guaranteed quality of service by applications like streaming media has created an increased demand for quality of service support at the IP layer. IPv4 only contained an 8-bit type of service field that, in practice, did little to improve the quality of service.

Another significant change in the Internet has been the growth of e-commerce traffic. The rise of e-commerce has created a need for both security and authentication in Internet transactions. The lack of any serious security measures in IPv4 has been another impetus for the creation of a new Internet Protocol [9].

In 1995, via RFC 1883, a new version of the Internet Protocol, called IPv6, was proposed (the new protocol is also called IPng for "IP next generation"). The primary objective of the IPv6 protocol was to solve the address space issue. The IPv6 proposal also contained significant improvements for quality of service and security [9].

3.3 Key differences between IPv6 and IPv4

In its essence, IPv6 is not a radical departure from IPv4: both define a format for an IP header that is used to route packets across the Internet. According to many, the primary difference is that IPv6 contains 128-bit addresses instead of the 32-bit addresses of IPv4. Despite this view, IPv6 contains several essential differences from IPv4. According to RFC 2460, which is the revised standard for IPv6, some of the key differences between the two protocols are [2]:

Addressing - in addition to the longer addresses, IPv6 employs a more complex addressing scheme than the Class A-C addresses of IPv4.
Simplified Header Format - several fields from the IPv4 header have been removed from the required portion of the IPv6 header; many of these fields can still be added as extensions.
Extension Headers - extension headers can be added to the standard IPv6 header; extension headers replace the options that were embedded in the actual IP header for IPv4.
Quality of Service Support (also called Flow Labelling) - all IPv6 headers have a flow label which can be used by routers to create traffic flows and thus maintain consistent throughput for applications like streaming media.
3.4 Details of IPv6

As described in section 2.1 the IPv4 header contains 12 fields not including any padding or any options that are added. The IPv6 header, by contrast, has been trimmed down to only 8 fields excluding any optional extension headers. Moreover, the IPv6 header does not require any padding bits because the standard header is always aligned to 32 bits as are any extension headers. The fields of the IPv6 header are [2]:

Version (4 bits) - the Internet Version number, in this case 6
Traffic Class (8 bits) - similar to the Type of Service field in IPv4
Flow Label (20 bits) - used to identify different traffic flows
Payload Length (16 bits) - length of the data contained in the datagram excluding the length of the IPv6 header but including the length of any extension headers
Next Header (8 bits) - indicates what type of header follows the current header
Hop Limit (8 bits) - analogous to the IPv4 Time to Live field
Source Address (128 bits)
Destination Address (128 bits)

Extension headers, if present, will follow the IPv6 header.

Figure 2: IPv6 Header

Header Size and Efficiency

The size of the IPv6 header is fixed at 40 octets, which is twice as long as the 20 octet minimum size of the IPv4 header. With the inclusion of options, though, the IPv4 header can balloon up to 60 octets. The IPv6 header remains fixed at 40 octets since options are added as distinct extension headers [6].
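The fixed header layout and the Next Header chaining described in this section can be seen in a short parser. This is an added example, not code from the paper: the sample packet is constructed, the Next Header numbers and extension-header length rules are the standard ones from the IPv6 and IPsec specifications, and the cap on chain length is an assumption of the example.

```python
import ipaddress
import struct

# Next Header values for the extension headers named in the paper.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {
    HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
    ESP: "Encapsulating Security Payload", AH: "Authentication Header",
    DEST_OPTS: "Destination Options",
}
FIXED_HEADER_LEN = 40   # the IPv6 header is always 40 octets
MAX_EXT_HEADERS = 16    # defensive cap chosen for this example


def parse_ipv6(packet: bytes) -> dict:
    """Decode the fixed header, then walk the extension-header chain."""
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("shorter than the 40-octet fixed header")
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError("version field is not 6")
    end = FIXED_HEADER_LEN + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds the captured data")
    info = {
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "chain": [],   # extension headers in the order they appear
        "spi": {},     # Security Parameter Index per AH/ESP header
    }
    offset = FIXED_HEADER_LEN
    while next_header in EXT_NAMES:
        if len(info["chain"]) >= MAX_EXT_HEADERS:
            raise ValueError("too many extension headers")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        name = EXT_NAMES[next_header]
        info["chain"].append(name)
        if next_header == ESP:
            # ESP starts with the SPI; what follows is encrypted, so the
            # chain cannot be walked further without the keys.
            info["spi"][name] = struct.unpack_from("!I", packet, offset)[0]
            next_header = None
            break
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            size = 8                          # fixed-size header
        elif next_header == AH:
            size = (length_field + 2) * 4     # length in 4-octet units, minus 2
            info["spi"][name] = struct.unpack_from("!I", packet, offset + 4)[0]
        else:
            size = (length_field + 1) * 8     # 8-octet units, first 8 not counted
        if offset + size > end:
            raise ValueError("extension header runs past the payload")
        offset += size
        next_header = following
    info["upper_protocol"] = next_header      # e.g. 6 for TCP; None behind ESP
    info["upper_offset"] = offset
    return info


def build_sample() -> bytes:
    """Constructed packet: IPv6 | Hop-by-Hop | AH | 20 zero octets as 'TCP'."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hop_by_hop = bytes([AH, 0, 1, 4, 0, 0, 0, 0])   # next=AH, one PadN option
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12)  # 12-octet ICV
    payload = hop_by_hop + ah + bytes(20)
    word = (6 << 28) | 0x12345                      # version 6, flow label
    fixed = struct.pack("!IHBB", word, len(payload), HOP_BY_HOP, 64)
    return fixed + src + dst + payload


if __name__ == "__main__":
    for key, value in parse_ipv6(build_sample()).items():
        print(f"{key}: {value}")
```
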

There are two key issues with the header sizes of the two protocols. IPv4 has the limitation that all included options can only take up 40 octets because the maximum allowable size is 60 octets and the base header is 20 octets. With IPv6, there is no such limitation. The sender has the option of attaching as many optional extension headers as needed and there is no limitation to the size of each individual header. So, IPv6 is more flexible than IPv4 with regard to options. This flexibility also allows greater range in creating future extensions and options to the IP protocol.

The second issue tied to the header size is router efficiency. When routers process IP headers, there is a clear relationship between header size and router efficiency: the smaller the headers the faster the router can process them. An IPv6 header is only twice as large as an IPv4 header if the version 4 header contains no options. The addition of options to an IPv4 packet augments the size of the IPv4 header and forces the router to examine the options since they are actually embedded in the header. With IPv6, routers can simply skip the optional information in the extension headers since they are distinct from the actual IP header. This leads to greater efficiency for routers as they do not have to waste time scanning optional header information that is not relevant to the routing of datagrams. There are a few exceptions to this rule, such as the hop-by-hop extension header and the routing header. Excluding these few headers, routers can simply skip over the other optional headers [2].

Addressing

The addressing scheme in IPv4 can be thought of as point-to-point: a specific source address and a specific destination address. In IPv6, there are actually three different addressing methods: unicast, anycast and multicast. The unicast address mechanism is simply the traditional point-to-point addressing method with specific source and destination addresses.
The anycast address can refer to a group of nodes all having the same anycast address. An anycast message is delivered to the first or nearest node within the anycast set. A multicast message is similar to an anycast message except it is delivered to all nodes in the multicast set [9].

An example use of the anycast feature would be a corporate network. Currently, all traffic coming in to a corporate network will pass through one point of entry, unless the traffic is addressed to different IP addresses within the corporate network. If an anycast message were used, the message would simply enter the corporate network through the quickest point of entry. If one of the corporation's servers crashes, the anycast message can simply enter through another server.

IPv6 also contains a hierarchical address structure with 64 bits for the network address and 64 bits for the interface (specific node) address. A by-product of this hierarchy is that routing tables will become smaller, allowing for more efficient routers [23].

Extension Headers

Extension headers are a key feature of IPv6 since they are the mechanism through which all optional data must be added to the IP layer of a packet. Some of the standard features of IPv4 have been made options in IPv6. For example, the fragment offset field has been eliminated from the IP header. Instead, if a packet is to be fragmented a fragmentation extension header is added after the IPv6 header.

Though new extension headers can be created in the future, the following headers are currently defined and required for a complete implementation of IPv6: hop-by-hop options, routing, fragment, destination options, authentication, encapsulating security payload [2].

The routing header option allows the sender to partially control the path of the datagram by specifying specific nodes that the datagram must visit en route to its destination [2].

IPv6 also contains security options in the form of the Authentication Header (AH) and Encapsulating Security Payload (ESP) header. The AH header allows for authentication of the sender and integrity of data but does not ensure confidentiality. The ESP header provides the same features as the AH header but also provides confidentiality of the payload data [9].

Quality of Service

One feature lacking in IPv4 is suitable support for real-time or streaming applications. The flow label field in conjunction with the traffic class field allows for improved quality of service in IPv6. The traffic class can be used to indicate that the sender desires improved quality of service for the datagram. The flow label field allows the sender to uniquely label all datagrams that are part of a particular stream of data.
It is the responsibility of the sender to place the same flow label in all datagrams that belong to one stream [9].

Transition Support

It is expected that the transition period from IPv4 to IPv6 will take several years. To accommodate this issue, IPv6 has the ability to create and use special addresses that are compatible with IPv4. One option is the IPv4-compatible IPv6 address. This type of address is a 128-bit IPv6 address but the first (low order) 32 bits of the address actually represents an IPv4 address. So, the IPv6 address can be tunnelled through IPv4 nodes by simply using the low order 32 bits. Another option is the IPv4-mapped IPv6 address. This type of address is also a 128-bit IPv6 address. In this case, the 128-bit address is essentially the 32 bit IPv4 address with zeros added to make 128 bits [9]. These address types in IPv6 will allow for routers that can be placed at the boundary of IPv4 and IPv6 networks and send packets across them.

3.5 Wireless and the Need for IPv6

Despite the improved security and quality of service features, the larger address space is the overriding improvement of IPv6. It is this larger address space that makes IPv6 especially appealing to the mobile Internet market. In recent years the number of mobile Internet users has increased dramatically and there is no sign of a slowdown. According to Juha Wiljakka of Nokia, "A great number of mobile terminals and other wireless equipment will be connected to the Internet in the near future. The current [IPv4] cannot provide a sufficient number of unique IP addresses" [23]. The expected growth in mobile users will create a need for more IP addresses, which is where IPv6 comes in. According to some, the "killer application" for IPv6 will be wireless [15].

4 Security Features and Analysis of IPv6

4.1 Criteria for Analysis of IP Security

In analyzing the effectiveness of a security scheme we have established certain criteria which are listed below followed by an explanation of each:

1. Data confidentiality, authentication, and integrity
2. Flexibility
3. Functionality with non-IPv6 networks
4. Transparency

The first and foremost criterion of any security system is that it must have the ability to provide confidentiality, as well as authentication and integrity. As mentioned above, one of the major problems with wireless networks is that traffic is visible to anyone within the vicinity of the network. Thus, any reasonable security measure must encrypt user data to ensure privacy in the wireless environment. Authentication and integrity are also necessary to prevent fraud. Without authentication there is no way to verify who is sending the data: a legitimate web server or a hacker. Authentication is a major step in preventing these masquerading attacks. Integrity of data is also essential to prevent a rogue user from modifying someone's data in transit.

The second criterion, flexibility, is also a must. By the term flexibility we mean two things. First, the use of security measures should be optional, not required. So, if a particular user or application decides that it does not wish to secure its data, it should have the option to do so. This may be an especially useful feature for small handheld wireless devices that are sending insensitive data and do not wish to waste the resources to encrypt. Secondly, there should be flexibility to choose the particular encryption algorithm to be used. So, if a new algorithm is developed in the future or flaws are discovered in current algorithms there should be the flexibility to switch the particular algorithm used. In other words, the security system should not mandate the use of MD5 or any other encryption scheme.

Third, it is important that a viable security scheme does not break down if it encounters non-IPv6 nodes. Currently, most of the traffic on the Internet is through IPv4 nodes and it is anticipated that the transition to IPv6 will take many years. As such, it is important that a secured message originating at an IPv6 node remain secure even if it passes through an IPv4 node along the way.
Finally, the issue of transparency is important for a security measure. Security measures should cause minimal impact to other applications and protocols. A change in the implementation of the security system should not necessitate changes to other protocols. The security should be transparent to higher level applications as well to end users. The less a security system depends on users and other applications, the better. 4.2 IPsec IPv6 utilizes the IP Security (IPsec) protocol as its primary means of security management. IPsec is an open, standard protocol created by the IETF. The two major components of IPsec are the Authentication Header (AH) and the Encapsulating Security Payload (ESP) header. IPsec provides data authentication, integrity, and confidentiality. This is done by encrypting packets of data at the IP layer of communication. 16

One of the primary benefits of IPsec is that no software changes in currently existing applications need to be made in order for IPsec to be implemented. IPsec was originally created to be implemented with IPv6. However, it was later retrofitted to be compatible with IPv4.

Authentication is provided through algorithms designed to prove the identity of the sender. These same algorithms are also used to provide data integrity. A cryptographic hash function is utilized to process each packet. The encrypted packet is created through the use of the function and a private key. The encrypted data is known as ciphertext, and can only be decrypted by the proper receiver (while in transit, the data is unreadable). On the receiver's end, the same key and function are used to decrypt the message and view its real contents. The only way to modify data contained in each packet is to also change the key sent, a red flag that the data has been tampered with.

A key concept in IPsec is the Security Association (SA). When either the AH or ESP is to be used, an SA is created for that specific traffic. The SA is used to give the necessary parties the needed information so that they can encrypt/decrypt the AH and ESP headers. Each AH or ESP header that is sent contains a Security Parameter Index (SPI) that is used to look up in the SA database and obtain the needed information to encrypt or decrypt the message [13].

IPv6's security is based upon the IPsec protocol. While both IPv4 and IPv6 utilize the IPsec protocol, each uses it differently. In IPv4, implementing IPsec is optional since it was retrofitted after the definition of IPv4. Often, the IPsec protocol is not leveraged for IPv4 since it was a later addition. Instead, higher-level applications often rely on their own proprietary methods of security. This may not provide end-to-end security. On the other hand, the IPv6 implementation of IPsec does provide complete end-to-end security [3].
4.3 Authentication Header

One of the most important new security features implemented in IPv6 is the Authentication Header. The Authentication Header guarantees data integrity and data authentication for the IPv6 packet [3]. Data integrity refers to the ability to guarantee that a packet from a given source has not been modified anywhere along the path it took to the destination.

Figure 3: Authentication Header

The Authentication Header contains several fields, including the Next Header, Payload Length, Security Parameters Index, Sequence Number Field, and Authentication Data. The Next Header field contains an identifier for the next header. The payload length contains the size of the Authentication Header. The sequence number field is used to count the number of packets that have been received. Essentially, packets sent from a host to the user are each numbered consecutively. Every time a new packet is sent, it is incremented by 1 (this occurs when the receiver transmits packets also) [8]. In the event that the same packet number is received twice, the packet is rejected, since IPv6 has anti-replay protection. This is very useful in the event that a hacker is attempting to send the user a packet numbered as the one the user is expecting (already sent by the host), but has modified the data contained in it. This is called a Session Replay attack.

Next, the variable length Authentication Data contains the Integrity Check Value (ICV). This is very important and does most of the work in creating data authentication and integrity. By using an authentication algorithm, the integrity check value is computed. The ICV is transmitted within the Authentication Header portion of the IPv6 packet, within header fields that are not changed during transit. Once the user receives the packet with the ICV, they then use the key they have based on the Security Association with the host. If the ICV they generate using the key is the same as the one in the transmitted packet, then the user knows that the data is legitimate.

The Authentication Header can be used to prevent some very common methods of hacking that could be done with IPv6. For example, users no longer have to worry about IP spoofing attacks [16]. IP spoofing occurs when a user sends data to another user posing to be from an IP address other than theirs. This is very dangerous, as users can pretend to be coming from an IP address which a host trusts, and can then exploit the system at their will. Specifically, if a user with a certain legitimate IP address has an active connection with some host, someone can utilize IP spoofing to gain access to that host without actually passing any sort of security clearance [3]. Additionally, users can intercept packets in between two communicating computers. One illustration of the seriousness of IP spoofing can be seen with the so-called Smurf Attack. In this kind of attack, a packet is sent in which the sender's IP address is spoofed to be the receiver's IP address [8]. When the packet is received, the computer sends a broadcast echo request back to the sender (which is actually his/her IP address because of the IP spoofing). This continues to occur and floods and crashes the user's computer.

4.4 Encapsulating Security Payload Header

Figure 4: ESP Header

While the Authentication Header seems to adequately deal with the issues of data integrity and authenticity, it does not tackle the issue of confidentiality at all. That is, packets of data are not encrypted in any way, and so the data is not guaranteed to remain confidential (only be viewed by the host and recipient). To deal with this, IPv6 has another optional header known as the Encapsulating Security Payload header. Confidentiality guarantees that packets of data being sent are not viewed by third parties. However, certain data in the header of the packets must be viewed and interpreted by routers in order to reach their destination [8]. For this reason, when the ESP header is utilized, all packet data is encrypted, but header information remains largely untouched. By default, this is the case when using an ESP header. However, if a user desires, he/she may use tunnel mode, in which the IP header fields are also part of the encrypted encapsulation [3].

While the ESP header is capable of encrypting the packet data, it can also provide data authentication and integrity. In this sense, the Authentication Header contains a subset of the security options that the ESP header has. While using the ESP header, a user must choose either confidentiality or authentication (though both can be chosen simultaneously). The ESP header consists of the SPI, sequence number, payload data, next header, and authentication data. The SPI is used to identify the Security Association [8]. The Security Association determines the type of security for a connection between two communicating parties, and typically contains the authentication or encryption key. The payload data is encrypted based on the algorithms specified in the Security Association. In transport mode, only the payload data is encrypted. However, as previously mentioned, if tunnel mode is selected, the entire packet (including the IP header) is encrypted [8].

4.5 Analysis of IPsec Security Features

Under the first criterion defined in Section 4.1, the IPsec AH and ESP headers address the need for confidentiality, integrity and authentication. The ESP header is capable of encrypting the data packets to prevent third parties from viewing the information, a critical aspect when dealing with wireless networks. The AH header can be used to authenticate the source of datagrams as well as ensure that the data was not modified or corrupted. The only problem arises from the fact that the ESP header cannot provide integrity for the encrypted data packet. This problem can be solved by first using the ESP header to encrypt the data and then applying the AH header to ensure integrity [14]. So, the use of the AH and ESP headers of IPsec adequately addresses the need for confidentiality as well as data integrity and source authentication.

IPsec also does quite well at the flexibility criterion. Although IPsec is mandatory in the sense that any implementation of IPv6 must be able to support IPsec, it is flexible because the AH and ESP are optional extension headers. Any host can choose whether or not it wants to use the AH and ESP headers when sending data. RFC 2406, which specifies the ESP header, clearly states that encryption (confidentiality) is optional [12]. Moreover, IPsec does not mandate the use of any single algorithm. The decision as to which algorithm is used occurs via the SAs [11], [12].
So, in order to change which algorithm is used, only information in the SA database must be changed; there is no need to recompile or upgrade software, and higher level applications are not at all affected.

The IPsec standard also holds up under the third criterion defined in 4.1: security over IPv4 networks. Since the AH and ESP security measures are simply added to the IPv6 header, they do not rely on any mechanisms within the network. The entire security functionality comes at the ends, and as long as the end nodes are IPv6 compliant, the security measures will work. As described by Cary Hayward in the Electronic Engineering Times: "IPsec works seamlessly with unsecured IP nets. If two network nodes are IPsec-compliant, their communications are secure, even if they cross networks that are not secured by the protocol" [7].
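The receiver-side checks described in Sections 4.3 and 4.5 (SPI lookup in the SA database, rejection of repeated sequence numbers, ICV comparison, and the algorithm being a property of the SA entry) are sketched below as an added example; it is not code from the paper or from any IPsec implementation. The SPIs, keys and addresses are constructed, and the ICV input is simplified to the two addresses, the AH with a zeroed ICV field and the payload, with HMAC-SHA-1-96 and HMAC-SHA-256-128 assumed as the two SA-selected algorithms.

```python
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Fixed part of the AH: Next Header, Payload Len, Reserved, SPI, Sequence Number.
AH_FIXED = struct.Struct("!BBHII")


@dataclass
class SecurityAssociation:
    key: bytes
    digest: str            # hashlib name; changing algorithm only touches this entry
    icv_len: int           # bytes of the truncated MAC carried as the ICV
    window: int = 64       # anti-replay window size
    highest_seq: int = 0   # highest sequence number authenticated so far
    seen: int = 0          # bitmap: bit i set => (highest_seq - i) already accepted


def compute_icv(sa, src, dst, fixed, payload):
    # Simplification: real AH also covers the other immutable IP header fields
    # and pads the header for alignment; neither is modelled here.
    data = src.packed + dst.packed + fixed + bytes(sa.icv_len) + payload
    return hmac.new(sa.key, data, sa.digest).digest()[:sa.icv_len]


def build(sa, spi, seq, src, dst, payload, next_header=6):
    """Sender side: prepend an AH-style header to the payload."""
    payload_len = (AH_FIXED.size + sa.icv_len) // 4 - 2  # AH length in 32-bit words, minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + compute_icv(sa, src, dst, fixed, payload) + payload


def replay_ok(sa, seq):
    """True if seq is new: ahead of the window, or inside it and not yet seen."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        return True
    offset = sa.highest_seq - seq
    return offset < sa.window and not (sa.seen >> offset) & 1


def replay_update(sa, seq):
    """Record seq as accepted; called only after the ICV has verified."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.seen = ((sa.seen << shift) | 1) & ((1 << sa.window) - 1)
        sa.highest_seq = seq
    else:
        sa.seen |= 1 << (sa.highest_seq - seq)


def receive(sad, src, dst, packet):
    """Receiver side: SPI -> SA lookup, replay check, ICV check, window update."""
    if len(packet) < AH_FIXED.size:
        return "drop: truncated"
    _next, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
    sa = sad.get(spi)
    if sa is None:
        return "drop: unknown SPI"
    ah_len = (payload_len + 2) * 4
    if ah_len != AH_FIXED.size + sa.icv_len or len(packet) < ah_len:
        return "drop: bad length"
    if not replay_ok(sa, seq):
        return "drop: replay"
    fixed, icv, payload = packet[:12], packet[12:ah_len], packet[ah_len:]
    if not hmac.compare_digest(icv, compute_icv(sa, src, dst, fixed, payload)):
        return "drop: bad ICV"
    replay_update(sa, seq)  # a forged packet must never advance the window
    return "accept"


def demo():
    # Constructed sample data: documentation-prefix addresses, made-up SPIs and keys.
    host = ipaddress.IPv6Address("2001:db8::10")
    user = ipaddress.IPv6Address("2001:db8::20")
    sad = {
        0x1001: SecurityAssociation(b"k" * 20, "sha1", 12),
        0x1002: SecurityAssociation(b"K" * 32, "sha256", 16),
    }
    results = []
    p1 = build(sad[0x1001], 0x1001, 1, host, user, b"hello")
    results.append(receive(sad, host, user, p1))            # first delivery
    results.append(receive(sad, host, user, p1))            # same packet again
    p2 = build(sad[0x1001], 0x1001, 2, host, user, b"pay 10")
    results.append(receive(sad, host, user, p2[:-2] + b"99"))  # payload altered in transit
    results.append(receive(sad, host, user, p2))            # genuine packet still accepted
    no_key = SecurityAssociation(b"x" * 20, "sha1", 12)     # sender that lacks the SA key
    p3 = build(no_key, 0x1001, 3, host, user, b"hi")
    results.append(receive(sad, host, user, p3))            # claims host's address, wrong key
    p4 = build(sad[0x1002], 0x1002, 1, host, user, b"hi")
    results.append(receive(sad, host, user, p4))            # other SA, other algorithm
    p5 = build(sad[0x1001], 0x9999, 1, host, user, b"hi")
    results.append(receive(sad, host, user, p5))            # SPI not in the SA database
    return results


if __name__ == "__main__":
    print(demo())
```

Updating the replay window only after the ICV verifies is what lets the genuine packet with sequence number 2 through after the altered copy was dropped.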

Since the IPsec protocol operates at the IP layer of communication, it is transparent to both higher level protocols and applications. So, the use of IPsec eliminates the need for end users to worry about security because the security is built into the lower IP layer. By placing security in the IP layer, higher level applications, like streaming media players or web browsers, can be guaranteed a certain level of security.

Another issue with IPsec is the distribution of keys for encryption. The IPsec standard relies on public key digital certificates. One could contend that there is no well deployed global public key infrastructure. However, this would be a shortcoming of any security scheme relying on keys, not just IPv6. Further, the IPsec standard has its own Internet Key Exchange (IKE) protocol that lets users ignore the considerable complexity of authentication and encryption [7].

One serious drawback of IPsec is that the protocol uses up significant computing resources. Hayward asserts that IPsec requires computational intensities that will burden the main processor of any networking device, though compression can mitigate the problem [7]. This problem could be greatly exacerbated for mobile networks that may be designed for light traffic. The fact that IPsec is flexible enough to accommodate future algorithms, though, provides the possibility for future improvement.

Overall, then, it seems that the IPsec security measures of IPv6, specifically the AH and ESP headers, do a sound job of creating a secure computing environment. The IPsec standard meets the criteria of confidentiality/integrity/authentication, flexibility, compatibility with IPv4 and transparency that were defined in 4.1. The option of encrypting data is especially important for wireless networks. The presence of such security measures at the IP layer serves to benefit higher level applications by providing them guaranteed support at the IP level.
In terms of security measures, IPv6 is a major improvement over IPv4. The only major drawback of IPsec is its computational greediness, which is mitigated partly by the ability to use different algorithms in the future.

5 MIPv6

5.1 Overview of MIPv6

Mobile IPv6 (MIPv6) arose due to a desire for roaming mobile devices to seamlessly switch from one wireless network to another. MIPv6 is based on the concept of a mobile node and home agent. The home agent is a fixed router, and the mobile node can be any mobile (wireless) device connected to the Internet. In addition to the home agent and the mobile node, there is often a third device, the foreign agent. The foreign agent can be used to save dynamic IP addresses, making routing more efficient [18]. In MIPv6, as in IPv6, the first 64 bits of the 128-bit IPv6 address contain a routing prefix. The next 64 bits are the interface identifier, which identifies the specific node on the network (this can be a random number, and simply needs to distinguish the computer from other laptops on the network).

One of the biggest improvements in MIPv6 over MIPv4 is with its route optimization. In MIPv6, packets can be routed directly between the mobile node and corresponding nodes. When the mobile node either enters a new network or switches from one network to another, a new type of message known as a binding update is sent to the home agent. According to the contents of this message, the home agent then redirects all packets of data directly to the new IP address of the mobile node [18]. This is much more efficient than the old MIPv4 design, in which all packets of data had to actually be rerouted through the home agent, instead of being sent directly to the mobile node. In terms of security, MIPv6 uses the IPsec protocol, the same protocol used in MIPv4 and IPv6.

5.2 Analysis of MIPv6 Security Flaws

A serious flaw of IPv6 exists in its location management system. Every mobile node contains an IP address on the network it is currently using. Each mobile node also has a home agent, which has a permanent and secure relationship with the mobile node, and is able to forward packets to the current location of the mobile node. But how does the mobile node indicate to the home agent its current location? This is completed through binding updates, in which the mobile node indicates location changes to the home agent. Unfortunately, the concept of binding updates depends on the assumption that the updates are received safely by the home agent.
An attacker can either redirect packets to his/her own machine, or can redirect packets to a nonexistent address in order to simply disrupt communications [1]. In such cases, a serious compromise of security can occur.

Binding update attacks are especially frightening after investigating the ease with which one can fraudulently send binding updates. In order to do so, the attacker simply needs to know the IP address of the home agent and the IP address of the mobile node. In a passive attack, the attacker would have to wait for the user to send out a legitimate binding update message, intercept it, and replace it with a false message. In an active attack, which is more difficult to complete, the user could send the binding update at any time.
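The weakness described above, shown from the home agent's side as an added example (not code from the paper and not the Mobile IPv6 message format): a binding cache that trusts any update naming the home address, beside one that accepts an update only if it carries a valid MAC and a fresh sequence number. The class and function names are hypothetical, the addresses are constructed, and a per-session shared key with HMAC-SHA-256, handed over on a channel assumed to be secure, is an assumption of this example.

```python
import hmac
import ipaddress
import os
import struct


def bu_tag(key, home, care_of, seq):
    """MAC binding the home address, new care-of address and sequence number together."""
    msg = home.packed + care_of.packed + struct.pack("!I", seq)
    return hmac.new(key, msg, "sha256").digest()


class NaiveHomeAgent:
    """Trusts any binding update that names a known home address."""

    def __init__(self):
        self.bindings = {}

    def binding_update(self, home, care_of, seq, tag):
        self.bindings[home] = care_of
        return True


class AuthenticatingHomeAgent:
    """Accepts an update only with a valid MAC and a sequence number not used before."""

    def __init__(self):
        self.bindings = {}
        self.sessions = {}  # home address -> [session key, last accepted sequence number]

    def start_session(self, home):
        key = os.urandom(32)
        self.sessions[home] = [key, 0]
        return key  # given to the mobile node over a channel assumed to be secure

    def end_session(self, home):
        self.sessions.pop(home, None)  # the key is discarded with the session

    def binding_update(self, home, care_of, seq, tag):
        session = self.sessions.get(home)
        if session is None:
            return False
        key, last_seq = session
        if not hmac.compare_digest(tag, bu_tag(key, home, care_of, seq)):
            return False  # sender does not hold the session key
        if seq <= last_seq:
            return False  # captured update being replayed
        session[1] = seq
        self.bindings[home] = care_of
        return True


def demo():
    # Constructed sample data from the 2001:db8::/32 documentation prefix.
    home = ipaddress.IPv6Address("2001:db8:a::1")
    coa1 = ipaddress.IPv6Address("2001:db8:b::1")
    coa2 = ipaddress.IPv6Address("2001:db8:c::1")
    elsewhere = ipaddress.IPv6Address("2001:db8:dead::1")
    naive, strict = NaiveHomeAgent(), AuthenticatingHomeAgent()
    key = strict.start_session(home)
    first = (home, coa1, 1, bu_tag(key, home, coa1, 1))
    second = (home, coa2, 2, bu_tag(key, home, coa2, 2))
    for agent in (naive, strict):
        agent.binding_update(*first)   # mobile node attaches to the first network
        agent.binding_update(*second)  # then moves to a second one
    # Update from a sender that knows both addresses but not the session key.
    forged = (home, elsewhere, 3, bu_tag(b"\x00" * 32, home, elsewhere, 3))
    out = {
        "naive_forged": naive.binding_update(*forged),
        "strict_forged": strict.binding_update(*forged),
    }
    out["naive_binding"] = str(naive.bindings[home])
    out["strict_binding"] = str(strict.bindings[home])
    out["strict_replay"] = strict.binding_update(*first)  # old but validly tagged update
    strict.end_session(home)
    late = (home, coa1, 3, bu_tag(key, home, coa1, 3))
    out["strict_after_end"] = strict.binding_update(*late)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```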

Clearly, existing procedures for updating binding addresses leave significant vulnerabilities for attacks to occur. Unfortunately, IPsec cannot adequately protect binding updates. Experts agree that this protocol would not work for several reasons. First, IPsec depends on a public key infrastructure that has not yet been deployed. Secondly, key management on the client side for IPsec is processor intensive. This means that encrypting and decrypting messages is too cumbersome and slow to be a feasible security solution [21]. This is especially important for many mobile devices, which have simple and slow processors that do not expect to have many operations to perform.

5.3 Improvements

One alternative to IPsec is Purpose-Built Keys (PBK). Essentially, PBKs are a less processor intensive way of authorizing binding update messages. Unfortunately, at the same time, PBKs are also less secure than IPsec. Because of this tradeoff between security and speed, an ideal protocol would allow a host to either accept or reject a transaction based on the level of security the client is using. For example, an e-commerce web site should be allowed to deny a transaction if the client is using only 40-bit security. While this places some of the responsibility on the side of the host, it also allows for greater overall flexibility for the end user [21].

PBKs are beneficial in that they allow roaming devices to be authenticated, ensuring that communications that occur are happening with the same device. At the beginning of each MIPv6 session, a new pair of keys would be created, and at the end of each session this pair would be discarded. Since these keys change very frequently, a user is allowed to remain anonymous [16].

6 Conclusions

At present, wireless communications are generally insecure due to the broadcast nature of wireless and the inadequate use of encryption. The general failure of WEP and the growing demand for m-commerce will require secure wireless transactions. The creation of IPv6, with its mandated implementation of IPsec, is a major improvement over IPv4. The Authentication Header and Encapsulating Security Payload Header of IPsec do a reasonable job of addressing the security needs of wireless users since they provide confidentiality, data integrity, and authentication. The IPsec standard also provides for flexibility and is functional even


More information

ICSA Labs Network Protection Devices Test Specification Version 1.3

ICSA Labs Network Protection Devices Test Specification Version 1.3 Network Protection Devices Test Specification Version 1.3 August 19, 2011 www.icsalabs.com Change Log Version 1.3 August 19, 2011 added general configuration note to default configuration in Firewall section

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

CHAPTER. Securing TCP/IP

CHAPTER. Securing TCP/IP chapple06 10/12/04 9:21 AM Page 135 CHAPTER Securing TCP/IP 6 After reading this chapter, you will be able to: Explain the role that the Transmission Control Protocol (TCP) and the Internet Protocol (IP)

More information

Abstract. Introduction. Section I. What is Denial of Service Attack?

Abstract. Introduction. Section I. What is Denial of Service Attack? Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss

More information

IP and Mobility. Requirements to a Mobile IP. Terminology in Mobile IP

IP and Mobility. Requirements to a Mobile IP. Terminology in Mobile IP IP and Mobility Chapter 2 Technical Basics: Layer Methods for Medium Access: Layer 2 Chapter Wireless Networks: Bluetooth, WLAN, WirelessMAN, WirelessWAN Mobile Telecommunication Networks: GSM, GPRS, UMTS

More information

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe

More information

Tomás P. de Miguel DIT-UPM. dit UPM

Tomás P. de Miguel DIT-UPM. dit UPM Tomás P. de Miguel DIT- 15 12 Internet Mobile Market Phone.com 15 12 in Millions 9 6 3 9 6 3 0 1996 1997 1998 1999 2000 2001 0 Wireless Internet E-mail subscribers 2 (January 2001) Mobility The ability

More information

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP) Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic

More information

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

The Case For Secure Email

The Case For Secure Email The Case For Secure Email By Erik Kangas, PhD, President, Lux Scientiae, Incorporated http://luxsci.com Contents Section 1: Introduction Section 2: How Email Works Section 3: Security Threats to Your Email

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity, authentication

More information

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:

More information

Virtual Private Networks

Virtual Private Networks Virtual Private Networks ECE 4886 Internetwork Security Dr. Henry Owen Definition Virtual Private Network VPN! Virtual separation in protocol provides a virtual network using no new hardware! Private communication

More information

T.38 fax transmission over Internet Security FAQ

T.38 fax transmission over Internet Security FAQ August 17, 2011 T.38 fax transmission over Internet Security FAQ Give me a rundown on the basics of T.38 Fax over IP security. Real time faxing using T.38 SIP trunks is just as secure as sending faxes

More information

Is your data safe out there? -A white Paper on Online Security

Is your data safe out there? -A white Paper on Online Security Is your data safe out there? -A white Paper on Online Security Introduction: People should be concerned of sending critical data over the internet, because the internet is a whole new world that connects

More information

Network Security. Vorlesung Kommunikation und Netze SS 10 E. Nett

Network Security. Vorlesung Kommunikation und Netze SS 10 E. Nett Network Security Internet not originally designed with (much) security in mind original vision: a group of mutually trusting users attached to a transparent network Security considerations in all layers!

More information

21.4 Network Address Translation (NAT) 21.4.1 NAT concept

21.4 Network Address Translation (NAT) 21.4.1 NAT concept 21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially

More information

Internet Protocol Version 6 (IPv6)

Internet Protocol Version 6 (IPv6) Internet Protocol Version 6 (IPv6) Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 14-1 Overview

More information

Layered protocol (service) architecture

Layered protocol (service) architecture Layered protocol (service) architecture The Internet is complex! many pieces : hosts access network routers links of various media applications protocols Question: Is there any hope of organizing a structure

More information

8.2 The Internet Protocol

8.2 The Internet Protocol TCP/IP Protocol Suite HTTP SMTP DNS RTP Distributed applications Reliable stream service TCP UDP User datagram service Best-effort connectionless packet transfer Network Interface 1 IP Network Interface

More information

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the

More information

Implementing and Managing Security for Network Communications

Implementing and Managing Security for Network Communications 3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication

More information

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts Outline INF3510 Information Security Lecture 10: Communications Security Network security concepts Communication security Perimeter security Protocol architecture and security services Example security

More information

(Refer Slide Time: 01:38 01:37)

(Refer Slide Time: 01:38 01:37) Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No: 29 IP Version 6 & Mobile IP Good day, in the last lecture we discussed

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

PrivyLink Internet Application Security Environment *

PrivyLink Internet Application Security Environment * WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

Transport Layer Protocols

Transport Layer Protocols Transport Layer Protocols Version. Transport layer performs two main tasks for the application layer by using the network layer. It provides end to end communication between two applications, and implements

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Overview of TCP/IP. TCP/IP and Internet

Overview of TCP/IP. TCP/IP and Internet Overview of TCP/IP System Administrators and network administrators Why networking - communication Why TCP/IP Provides interoperable communications between all types of hardware and all kinds of operating

More information

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved. Presentation_ID 2001, Cisco Systems, Inc. All rights reserved. 1 IPv6 Security Considerations Patrick Grossetete pgrosset@cisco.com Dennis Vogel dvogel@cisco.com 2 Agenda Native security in IPv6 IPv6 challenges

More information

SSL A discussion of the Secure Socket Layer

SSL A discussion of the Secure Socket Layer www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record

More information

Securing End-to-End Internet communications using DANE protocol

Securing End-to-End Internet communications using DANE protocol Securing End-to-End Internet communications using DANE protocol Today, the Internet is used by nearly.5 billion people to communicate, provide/get information. When the communication involves sensitive

More information

Lecture 10: Communications Security

Lecture 10: Communications Security INF3510 Information Security Lecture 10: Communications Security Audun Jøsang University of Oslo Spring 2015 Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network communication Who are you

More information

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012 Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

How To Secure My Data

How To Secure My Data How To Secure My Data What to Protect??? DATA Data At Rest Data at Rest Examples Lost Infected Easily Used as Backup Lent to others Data Corruptions more common Stolen Left at airports, on trains etc Hard

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the

More information

Internetworking. Problem: There is more than one network (heterogeneity & scale)

Internetworking. Problem: There is more than one network (heterogeneity & scale) Internetworking Problem: There is more than one network (heterogeneity & scale) Hongwei Zhang http://www.cs.wayne.edu/~hzhang Internetworking: Internet Protocol (IP) Routing and scalability Group Communication

More information

Approaches to Multicast over Firewalls: an Analysis

Approaches to Multicast over Firewalls: an Analysis Approaches to Multicast over Firewalls: an Analysis Loïc Oria Loico@hplp.hpl.hp.com August 1999 1 Introduction Most commercial organisations, and increasingly even universities, use firewalls to constrain

More information

Why you need secure email

Why you need secure email Why you need secure email WHITE PAPER CONTENTS 1. Executive summary 2. How email works 3. Security threats to your email communications 4. Symmetric and asymmetric encryption 5. Securing your email with

More information

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné

More information

CPS221 Lecture: Layered Network Architecture

CPS221 Lecture: Layered Network Architecture CPS221 Lecture: Layered Network Architecture Objectives last revised 9/10/12 1. To discuss the OSI layered architecture model 2. To discuss the specific implementation of this model in TCP/IP Materials:

More information

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks Avesh K. Agarwal Wenye Wang Department of Electrical and Computer Engineering North Carolina State University,

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

Virtual Private Networks Solutions for Secure Remote Access. White Paper

Virtual Private Networks Solutions for Secure Remote Access. White Paper Virtual Private Networks Solutions for Secure Remote Access White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information

More information

IPv6 Security: How is the Client Secured?

IPv6 Security: How is the Client Secured? IPv6 Security: How is the Client Secured? Jeffrey L Carrell Network Conversions Network Security Consultant 1 IPv6 Security: How is the Client Secured? IPv6/IPsec IPsec Challenges IPsec Monitoring/Management

More information

How To Understand And Understand The Security Of A Key Infrastructure

How To Understand And Understand The Security Of A Key Infrastructure Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

ProCurve Networking IPv6 The Next Generation of Networking

ProCurve Networking IPv6 The Next Generation of Networking ProCurve Networking The Next Generation of Networking Introduction... 2 Benefits from... 2 The Protocol... 3 Technology Features and Benefits... 4 Larger number of addresses... 4 End-to-end connectivity...

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

(MPLS) MultiProtocol Labling Switching. Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004.

(MPLS) MultiProtocol Labling Switching. Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004. (MPLS) MultiProtocol Labling Switching Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004 Final Copy Researcher: Paul Chan Student ID: 9914759 Last Revised:

More information