[MEXT] [draft] MIPv6 Home Link Detection Mechanism Security considerations

arno@natisbad.org (Arnaud Ebalard) Thu, 30 April 2009 16:36 UTC

Hello,

I have just submitted a draft describing possible attacks (implemented
for demonstration against an existing implementation) associated with the
Home Link Detection mechanism and the Home Return procedure.

If some among you find some interest in the topic, I'd be interested in
some feedback (questions, comments).

Link to the document:

http://www.ietf.org/internet-drafts/draft-ebalard-mext-hld-security-00.txt

Cheers,

a+

IETF I-D Submission Tool <idsubmission@ietf.org> writes:

> A new version of I-D, draft-ebalard-mext-hld-security-00.txt has been
> successfully submitted by Arnaud Ebalard and posted to the IETF
> repository.
>
> Filename:	 draft-ebalard-mext-hld-security
> Revision:	 00
> Title:		 Mobile IPv6 Home Link Detection Mechanism Security considerations
> Creation_date:	 2009-04-30
> WG ID:		 Independent Submission
> Number_of_pages: 32
>
> Abstract:
>
> MIPv6 defines the concept of Home Network for a MN, in opposition to
> the foreign network where this entity may find itself.  A ``Home Link
> Detection'' mechanism is also specified to allow the MN to detect
> when it is at home.
>
> MIPv6 specification mandates the use of IPsec for protecting main
> signaling traffic and also defines how IPsec can be used to protect
> data traffic between the MN and its HA.  Even if optional, it is
> expected that many deployments of MIPv6 will use it by default for MN
> which may roam outside a trusted infrastructure (e.g. outside a
> mobile operator network).
>
> When a MN detects it is at home, it is expected to stop IPsec
> protection for data traffic exchanged with its Home Agent.  That
> event is the result of the Home Return procedure, triggered by the
> Home Link Detection mechanism.
>
> This document discusses the possible threats and security impacts
> associated with the use of this insecure NDP-based mechanism as a
> trigger to drop IPsec protection of data traffic for the MN.  It also
> provides some results on the implementation of the attacks against an
> existing MIPv6 module.  Possible solutions are suggested.