Mobile IPv6 Security, Authentication and DoS Defense

Source: Internet
Author: User

The previous article introduced Mobile IPv6 technology in CDMA networks. This article covers Mobile IPv6 security: authentication and defense against denial of service (DoS). We begin by analyzing the security threats and risks in Mobile IPv6 networks.

Mobile IPv6 Security Threats

Whenever new features are added to a network architecture, new security risks usually follow:

◆ In Mobile IPv6, a mobile node (MN) must send Binding Update (BU) packets to its home agent (HA) and to its correspondent nodes (CN) whenever it moves, and this feature introduces many security issues. The biggest threat is that a Binding Update is in effect a traffic redirection: if an attacker impersonates the MN and sends a forged Binding Update to a CN, the packets destined for the MN are redirected to whatever location the attacker specifies.

◆ Denial of service (DoS) attacks allow an attacker to block all traffic on an unprotected link and prevent the MN from communicating with other nodes.

◆ In Mobile IPv4, the foreign agent authenticates and processes the mobile node before the mobile node obtains a care-of address. Mobile IPv6 has no foreign agent, so the access-security policy for mobile nodes must be enforced by the router of the visited network.

◆ The Home Address option solves the problem of ingress-filtering routers at the network entry (the packet's source address is the topologically correct care-of address, and the home address is carried in the option), but it exposes the MN's current location, which is a security threat to communications that want to keep the MN's location hidden.

Mobile IPv6 Security Protection

Mobile IPv6 specifies IPsec as the protection for the Binding Update packets sent by the MN. Before IPsec can be used, however, both parties must have established a security association (SA) in advance: the keys, and which authentication and encryption algorithms to use. It is generally considered easy for an MN to establish an SA with its home agent, since both belong to the same administrative domain. In most cases, however, there is no SA or any other pre-existing security relationship between the MN and a CN. (The finished Mobile IPv6 specification, RFC 3775, handles the MN-CN case with the Return Routability procedure, which derives a binding management key from test messages routed via both the home address and the care-of address, rather than requiring IPsec between MN and CN.)

Another problem with IPsec is that its key management (IKE), when certificates are used for authentication, relies on a PKI, and building a PKI is a complex project. IPsec key management also requires the terminal to have substantial processing power. Mobile IP devices such as mobile phones and PDAs have limited computing power and must conserve energy, so a security mechanism that requires heavy computation is not suitable for them. For this reason, lightweight protection protocols such as Purpose-Built Keys (PBK) are also under discussion.

In the PBK protocol, both parties generate a fresh public/private key pair before each Mobile IP session. The key pair is temporary, is used only by the two parties, and does not need to be registered with any third party; when the session ends, the key becomes invalid. PBK is simple, but its security is weaker than that of IPsec: because nobody vouches for the public key at first contact, it does not prevent man-in-the-middle attacks, and it authenticates the device that holds the key rather than the user.

Defense Against DoS in Mobile IPv6 Security

In Mobile IPv6, DoS attacks take the following forms:

◆ An attacker sends a forged registration request (Binding Update) to the home agent, listing the attacker's own IP address as the mobile node's care-of address. If the registration succeeds, the home agent tunnels every packet addressed to the mobile node to the care-of address the attacker registered. The attacker receives the data that should have gone to the mobile node, and the real mobile node is cut off.

◆ An attacker floods a server with packets. The server has to process each request and allocate resources for it, and is left unable to respond to legitimate traffic.

The effective defense against DoS through forged registration requests is to authenticate every registration message exchanged between the mobile node and the home agent: each Binding Update carries a keyed message digest (a MAC computed with the key of the MN-HA security association) together with a sequence number, and the registration reply (Binding Acknowledgement) that the home agent returns to the MN is protected by the same message digest method. A home agent that verifies the digest and rejects stale sequence numbers discards both forged and replayed registrations.
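The following Python simulation is an added example, not code from the original article or from any Mobile IPv6 implementation. It models the forged-registration attack above and the message-digest defense: a home agent with a pre-shared MN-HA key (a simplification of an IPsec SA) verifies an HMAC and a sequence number on every Binding Update before touching its binding cache. All addresses, keys and the message layout are constructed for illustration.

```python
"""Authenticating Mobile IP registrations at the home agent (constructed example).

The mobile node (MN) and its home agent (HA) share a security association,
simplified here to a pre-shared key.  Every Binding Update (BU) carries a
sequence number and an HMAC-SHA256 over its fields; the Binding
Acknowledgement (BAck) is protected the same way.  The HA verifies the digest
and the sequence number before updating its binding cache, so a forged BU
that names the attacker's address as the care-of address, and a replay of a
captured genuine BU, are both rejected.  Addresses and keys are made up.
"""
import hashlib
import hmac
import ipaddress

# Constructed MN-HA security association key (assumed to be provisioned out of band).
MN_HA_KEY = bytes.fromhex("6e2f" * 16)


def _addr(a: str) -> bytes:
    return ipaddress.IPv6Address(a).packed


def bu_mac(key: bytes, home: str, coa: str, seq: int, lifetime: int) -> bytes:
    """Keyed message digest over the Binding Update fields."""
    msg = (b"BU" + _addr(home) + _addr(coa)
           + seq.to_bytes(2, "big") + lifetime.to_bytes(2, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()


def back_mac(key: bytes, home: str, seq: int, status: str) -> bytes:
    """Keyed message digest over the Binding Acknowledgement fields."""
    msg = b"BACK" + _addr(home) + seq.to_bytes(2, "big") + status.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_bu(key: bytes, home: str, coa: str, seq: int, lifetime: int = 300) -> dict:
    """MN side: build a Binding Update registering `coa` as the care-of address of `home`."""
    return {"home": home, "coa": coa, "seq": seq, "lifetime": lifetime,
            "mac": bu_mac(key, home, coa, seq, lifetime)}


def verify_back(key: bytes, back: dict) -> bool:
    """MN side: check the HA's acknowledgement before trusting its status."""
    expected = back_mac(key, back["home"], back["seq"], back["status"])
    return hmac.compare_digest(expected, back["mac"])


class HomeAgent:
    """Minimal home agent: a binding cache keyed by home address."""

    def __init__(self, sa_keys: dict):
        self.sa_keys = sa_keys   # home address -> SA key
        self.cache = {}          # home address -> {"coa": ..., "seq": ...}

    def handle_bu(self, bu: dict):
        """Return (status, BAck or None).  Only 'accepted' modifies the cache."""
        key = self.sa_keys.get(bu["home"])
        if key is None:
            return "no_sa", None
        expected = bu_mac(key, bu["home"], bu["coa"], bu["seq"], bu["lifetime"])
        if not hmac.compare_digest(expected, bu["mac"]):
            return "bad_mac", None          # forged or tampered registration
        entry = self.cache.get(bu["home"])
        if entry is not None and bu["seq"] <= entry["seq"]:
            return "replay", None           # stale sequence number: replayed BU
        self.cache[bu["home"]] = {"coa": bu["coa"], "seq": bu["seq"]}
        back = {"home": bu["home"], "seq": bu["seq"], "status": "accepted"}
        back["mac"] = back_mac(key, bu["home"], bu["seq"], "accepted")
        return "accepted", back


def run_scenario() -> dict:
    """Genuine registration, forged redirect, replay, a real move, and a forged BAck."""
    home = "2001:db8:1::10"
    ha = HomeAgent({home: MN_HA_KEY})
    results = {}

    genuine = make_bu(MN_HA_KEY, home, "2001:db8:2::55", seq=1)
    status, back = ha.handle_bu(genuine)
    results["genuine"] = status
    results["back_ok"] = verify_back(MN_HA_KEY, back)

    # Attacker without the SA key tries to register its own address as care-of address.
    forged = make_bu(b"attacker guesses a key", home, "2001:db8:bad::1", seq=2)
    results["forged"] = ha.handle_bu(forged)[0]

    # Attacker replays the captured genuine BU: valid MAC, stale sequence number.
    results["replay"] = ha.handle_bu(dict(genuine))[0]

    # The MN moves and registers a new care-of address with a fresh sequence number.
    moved = make_bu(MN_HA_KEY, home, "2001:db8:3::77", seq=2)
    results["moved"] = ha.handle_bu(moved)[0]

    # A forged acknowledgement is rejected on the MN side as well.
    fake_back = {"home": home, "seq": 3, "status": "accepted", "mac": b"\x00" * 32}
    results["fake_back_ok"] = verify_back(MN_HA_KEY, fake_back)

    results["cache_coa"] = ha.cache[home]["coa"]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The sequence-number check matters as much as the digest: without it, an attacker who has captured one genuine Binding Update can replay it after the MN has moved and pull the MN's traffic back to a location the MN no longer occupies. Real Mobile IPv6 protects these messages with IPsec instead of a bare HMAC, but the verification order shown (authenticate, then check freshness, then update state) is the same.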

SCTP can also be used to defend against DoS attacks. SCTP is a reliable, connection-oriented transport protocol. Where TCP has connections, SCTP has associations: each association is identified by two SCTP port numbers and two lists of IP addresses, one list per endpoint.

SYN flooding exploits the TCP three-way handshake. A malicious attacker sends a large number of SYN packets to the server; the server allocates a half-open connection for each of them and accumulates a large half-open connection queue, so that normal connections can no longer be established and normal service stops.

In the SCTP four-way handshake, the receiver of an INIT message does not save any state or allocate any resources. It uses a "state cookie" mechanism: the INIT ACK it sends back carries a cookie containing everything needed to rebuild the association state, sealed with a keyed digest that only the receiver can compute. No matter how many INIT messages arrive, the receiver neither allocates system resources nor stores the state of the new association. The initiator returns the cookie in a COOKIE ECHO message, and only after verifying it does the receiver allocate the association. This prevents DoS attacks such as SYN flooding.
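The following Python model of the SCTP cookie exchange is an added example, not code from the original article or from any SCTP stack, and its packet encoding is a simplification rather than the SCTP wire format. It shows why a flood of INIT messages leaves the receiver's association table empty, and how a tampered, replayed or expired cookie is rejected at the COOKIE ECHO step. Addresses, ports, the server secret and the cookie lifetime are constructed for illustration.

```python
"""Stateless SCTP-style handshake with a sealed state cookie (constructed example).

The server answers every INIT with an INIT ACK carrying a cookie but stores
nothing.  The cookie holds the parameters needed to rebuild the association
(peer address and port, local port, verification tags) plus a creation time,
sealed with an HMAC under a server-only secret.  Only a COOKIE ECHO that
returns a valid, unexpired cookie from the same sender makes the server
allocate association state.  A flood of INITs therefore leaves the
association table empty, unlike a TCP half-open queue under a SYN flood.
Not wire SCTP; all addresses, ports and secrets are made up.
"""
import hashlib
import hmac
import json
import secrets

COOKIE_LIFE = 60  # seconds a cookie stays valid (the SCTP "Valid.Cookie.Life" parameter)


class SctpServer:
    def __init__(self, secret: bytes, now):
        self.secret = secret      # server-only key; a real stack rotates it periodically
        self.now = now            # clock function, injectable so expiry can be exercised
        self.associations = {}    # (peer_addr, peer_port, local_port) -> association state

    def _seal(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, src_addr: str, src_port: int, dst_port: int, init_tag: int) -> dict:
        """Handle INIT: reply with INIT ACK plus cookie and allocate nothing."""
        body = json.dumps({
            "peer": [src_addr, src_port], "local_port": dst_port,
            "peer_tag": init_tag, "local_tag": secrets.randbits(32),
            "created": self.now(),
        }, sort_keys=True).encode()
        return {"type": "INIT ACK", "cookie": body + self._seal(body)}

    def on_cookie_echo(self, src_addr: str, src_port: int, dst_port: int, cookie: bytes) -> dict:
        """Handle COOKIE ECHO: verify the cookie, then rebuild the association from it."""
        body, mac = cookie[:-32], cookie[-32:]
        if not hmac.compare_digest(self._seal(body), mac):
            return {"type": "ABORT", "reason": "bad cookie MAC"}
        params = json.loads(body)
        if self.now() - params["created"] > COOKIE_LIFE:
            return {"type": "ERROR", "reason": "stale cookie"}
        if params["peer"] != [src_addr, src_port] or params["local_port"] != dst_port:
            return {"type": "ABORT", "reason": "cookie does not match sender"}
        self.associations[(src_addr, src_port, dst_port)] = params
        return {"type": "COOKIE ACK", "local_tag": params["local_tag"]}


def run_scenario() -> dict:
    """INIT flood, a legitimate handshake, then tampered, replayed and stale cookies."""
    clock = {"t": 1000}
    server = SctpServer(secrets.token_bytes(32), lambda: clock["t"])
    results = {}

    # SYN-flood analogue: 10,000 INITs from spoofed sources.  The INIT ACKs go to
    # the spoofed addresses, so no COOKIE ECHO ever comes back.
    for i in range(10_000):
        server.on_init(f"2001:db8:dead::{i % 65536:x}", 40000 + (i % 20000), 5060, i)
    results["assocs_after_flood"] = len(server.associations)

    # A legitimate client completes the four-way handshake.
    ack = server.on_init("2001:db8:1::5", 50000, 5060, 0x1234)
    reply = server.on_cookie_echo("2001:db8:1::5", 50000, 5060, ack["cookie"])
    results["legit"] = reply["type"]
    results["assocs_after_legit"] = len(server.associations)

    # An attacker edits the cookie body to change the peer address; the MAC no longer matches.
    body, mac = ack["cookie"][:-32], ack["cookie"][-32:]
    tampered = body.replace(b"2001:db8:1::5", b"2001:db8:bad::1") + mac
    results["tampered"] = server.on_cookie_echo("2001:db8:bad::1", 50000, 5060, tampered)["type"]

    # An attacker replays a sniffed genuine cookie from its own address.
    results["replayed"] = server.on_cookie_echo("2001:db8:bad::1", 50000, 5060, ack["cookie"])["type"]

    # A cookie echoed after Valid.Cookie.Life has elapsed is refused.
    late = server.on_init("2001:db8:1::6", 50001, 5060, 0x9999)
    clock["t"] += COOKIE_LIFE + 1
    results["stale"] = server.on_cookie_echo("2001:db8:1::6", 50001, 5060, late["cookie"])["type"]

    results["assocs_final"] = len(server.associations)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The cookie is the receiver's entire memory of the handshake, which is why it has to be integrity-protected with a key the client never learns and bound to the sender's address and port: without the MAC an attacker could mint cookies for arbitrary peers, and without the address binding a sniffed cookie could be echoed from anywhere. In the model, the INIT handler never writes to `associations`, so the table can only grow through verified COOKIE ECHO messages.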
