
    On the security of the Mobile IP protocol family

    The Internet Engineering Task Force (IETF) has worked on network layer mobility for more than 10 years and a number of RFCs are available by now. Although the IETF mobility protocols are not present in the Internet infrastructure as of today, deployment seems to be imminent since a number of organizations, including 3GPP, 3GPP2 and WiMAX, have realized the need to incorporate these protocols into their architectures. Deployment scenarios range from mobility support within the network of a single provider to mobility support between different providers and technologies. Current WiMAX specifications, for example, already support Mobile IPv4, Proxy Mobile IPv4 and Mobile IPv6; future specifications will also support Proxy Mobile IPv6. Upcoming specifications in the 3GPP Evolved Packet Core (EPC) will include the use of Mobile IPv4, Dual Stack MIPv6 and Proxy Mobile IPv6 for interworking between 3GPP and non-3GPP networks. This paper provides an overview of the state of the art in IETF mobility protocols as they are being considered by standardization organizations outside the IETF, focusing on security aspects.

    Diameter Mobile IPv6: Support for Home Agent to Diameter Server Interaction


    Status of This Memo

    This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

    Copyright Notice: Copyright (C) The Internet Society (2006).

    A mobile node needs at least the following information to register with the home agent: a home address, a home agent address, and a security association with the home agent. The process of obtaining this information is called bootstrapping. This document discusses the issues involved in how the mobile node can be bootstrapped for Mobile IPv6 (MIPv6) and various potential deployment scenarios for mobile node bootstrapping.
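    As an added illustration (not part of the memo above, nor code from any of the listed works), the following constructed Python sketch shows why the third bootstrapping input, the MN-HA security association, matters once the mobile node has its home address and home agent address: the home agent uses the shared key to authenticate a Binding Update and its sequence number to reject replays. The pre-shared key, the addresses, and the exact MAC layout are assumptions; the layout is loosely modelled on the shape of the RFC 4285 MN-HA authentication option (HMAC-SHA1 over the addresses and mobility data, truncated to 96 bits) but is not a wire-compatible encoding.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed example. The MN-HA "security association" is reduced to a
# pre-shared key per home address (assumption); real deployments may
# derive it via AAA/bootstrapping, which is what the memo discusses.


@dataclass(frozen=True)
class BindingUpdate:
    home_address: str
    care_of_address: str
    sequence: int        # 16-bit sequence number used for replay protection
    lifetime: int        # binding lifetime, in units of 4 seconds
    mac: bytes = b""     # 96-bit authenticator, empty until signed

    def body(self) -> bytes:
        """Bytes covered by the MAC: home address | care-of address | seq | lifetime."""
        return (ipaddress.IPv6Address(self.home_address).packed
                + ipaddress.IPv6Address(self.care_of_address).packed
                + struct.pack("!HH", self.sequence, self.lifetime))


def sign_bu(bu: BindingUpdate, mn_ha_key: bytes) -> BindingUpdate:
    """Mobile node side: attach an HMAC-SHA1-96 over the binding data."""
    mac = hmac.new(mn_ha_key, bu.body(), hashlib.sha1).digest()[:12]
    return BindingUpdate(bu.home_address, bu.care_of_address,
                         bu.sequence, bu.lifetime, mac)


def seq_is_newer(new: int, old: int) -> bool:
    """Modulo-2^16 comparison: 'new' is newer if it is less than half the space ahead."""
    return 0 < (new - old) % 65536 < 32768


class HomeAgent:
    def __init__(self, address: str, security_associations: dict):
        self.address = address
        self.sas = dict(security_associations)   # home address -> pre-shared key
        self.bindings = {}                       # home address -> (care-of, last seq)

    def process(self, bu: BindingUpdate) -> str:
        """Verify the MAC before anything else, then enforce sequence freshness."""
        key = self.sas.get(bu.home_address)
        if key is None:
            return "reject: no SA for home address"
        expected = hmac.new(key, bu.body(), hashlib.sha1).digest()[:12]
        if not hmac.compare_digest(expected, bu.mac):
            return "reject: bad MAC"
        previous = self.bindings.get(bu.home_address)
        if previous is not None and not seq_is_newer(bu.sequence, previous[1]):
            return "reject: replayed or stale sequence"
        self.bindings[bu.home_address] = (bu.care_of_address, bu.sequence)
        return "accept"


def demo() -> list:
    """Run one registration, one move, a replay, a forgery and an unknown MN."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    ha = HomeAgent("2001:db8:1::1", {"2001:db8:1::100": key})
    results = []
    bu1 = sign_bu(BindingUpdate("2001:db8:1::100", "2001:db8:2::42", 1, 100), key)
    results.append(ha.process(bu1))                      # fresh registration
    bu2 = sign_bu(BindingUpdate("2001:db8:1::100", "2001:db8:3::7", 2, 100), key)
    results.append(ha.process(bu2))                      # MN moved, newer seq
    results.append(ha.process(bu1))                      # replay of the old BU
    forged = BindingUpdate("2001:db8:1::100", "2001:db8:4::666", 3, 100, bu2.mac)
    results.append(ha.process(forged))                   # reused MAC, new care-of
    stranger = sign_bu(BindingUpdate("2001:db8:9::5", "2001:db8:2::42", 1, 100), key)
    results.append(ha.process(stranger))                 # no SA for this home address
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

    The order of checks is deliberate: the MAC is verified before the binding table is consulted, so an unauthenticated packet cannot probe or disturb sequence state, and the home agent only updates its binding after both the authenticator and the freshness check pass.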

    Design and development of a Diameter-based solution for the interaction between Mobile IPv6 and the operator's AAA platform

    In recent years mobile terminals have taken on an increasingly important role in telecommunications networks; with the rapid development of new technologies and applications, this trend is more relevant than ever. Today, devices such as mobile phones and portable computers (notebooks) have become part of everyday use, and for some time a convergence of these two "worlds" has been under way with the spread of smartphones and handheld computers/PDAs. Such terminals seem to appeal to both business and consumer users and present themselves as the portable devices of the new generation. They are increasingly powerful in computing capacity, with ever larger mass storage and RAM and ever longer battery life. As the complexity of these devices grows, so do the requirements in terms of transmission capacity (while mobile) that operators will have to meet in the near future through various network access technologies: UMTS, HSDPA, Wi-Fi and WiMAX, to name only a few. Although it is not clear which of these technologies will win users' favour in meeting the new bandwidth requirements, packet communication based on the IP protocol seems to have no rival. IPv4 (the current version of IP) will be replaced in the near future by a new version (IPv6), for which an ad hoc protocol has been defined to manage terminal mobility (Mobile IPv6). This protocol provides a control plane and suitable mechanisms to guarantee the reachability of terminals that change their point of attachment to the network (not an unusual situation for mobile and multihomed terminals).

    The network infrastructure that implements mobility is typically managed by mobile operators, who need mechanisms to verify the identity of the users accessing their network, their authorizations, and their use of network resources (for billing and/or auditing purposes). For a mobile operator this translates into the need to set up an Authentication, Authorization and Accounting (AAA) platform to control the mobility service. From this follows the aim of this thesis: the study and prototyping of a solution for integrating the equipment needed to provide mobility in an IPv6 environment into an operator's AAA infrastructure. The proposed solution uses the next-generation AAA protocol, DIAMETER.

    Study of mobility in next-generation networks

    The continuous advance of telecommunications networks provides us with ever more facilities in every area of our lives. In this case we have focused on the study of mobility in Next Generation Networks. Part of this project was carried out in collaboration with Deutsche Telekom AG, during a six-month stay working as a collaborator in its laboratories in Berlin. The main objective of this project has been to study the different standards and technologies that enable mobility in Next Generation Networks. For this reason, the first part studies the various working groups focused on this area and gathers information on products and solutions available on the market, in order to obtain a global view of the current situation. As can be seen later, this first part is the most extensive of the whole document. This is because it is probably the most important part of the work, since it contains the study of the mechanisms that will later be used to provide a theoretical solution to the different scenarios considered. In the second part of the project we have focused on developing several scenarios of interest in Next Generation Network systems and then proposing possible theoretical solutions. Finally, the conclusions drawn from the work and the aspects that could be addressed in the near future are presented.

    Telecommunications Engineering

    Mobility management across converged IP-based heterogeneous access networks

    This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University, 8/2/2010.

    In order to satisfy customer demand for a high-performance "global" mobility service, network operators (ISPs, carriers, mobile operators, etc.) are facing the need to evolve to a converged "all-IP" centric heterogeneous access infrastructure. However, the integration of such heterogeneous access networks (e.g. 802.11, 802.16e, UMTS, etc.) brings major mobility issues. This thesis tackles issues plaguing existing mobility management solutions in converged IP-based heterogeneous networks. To do so, the thesis first proposes a cross-layer mechanism using the upcoming IEEE 802.21 MIH services to make intelligent and optimized handovers. In this respect, FMIPv6 is integrated with the IEEE 802.21 mechanism to provide seamless mobility during the overall handover process. The proposed solution is then applied in a simulated vehicular environment to optimize the NEMO handover process. It is shown through analysis and simulation of the signalling process that the overall expected handover latency (both L2 and L3) in FMIPv6 can be reduced by the proposed mechanism by 69%.

    Secondly, the operator of a Next Generation Network is expected to provide mobility as a service that will generate significant revenues. As a result, dynamic service bootstrapping and authorization mechanisms must be in place to deploy a mobility service efficiently (without static provisioning) while allowing only legitimate users to access it. A GNU/Linux based test-bed has been implemented to demonstrate this. The experiments presented show the handover performance of the secured FMIPv6 over the implemented test-bed compared to plain FMIPv6 and MIPv6, providing quantitative measurements and results on the quality of experience perceived by users of IPv6 multimedia applications. The results show that the additional signalling of the proposed architecture for authorization and bootstrapping (i.e. key distribution using HOKEY) has no adverse effect on the overall handover process. Also, using a formal security analysis tool, the proposed mechanism is shown to be secure against the security threats considered.

    Lastly, a novel IEEE 802.21-assisted, EAP-based re-authentication scheme over a service authorization and bootstrapping framework is presented. AAA-based authentication mechanisms like EAP incur signalling overheads due to large RTTs, which in turn increase the overall handover latency. Therefore, a fast re-authentication scheme is presented which uses IEEE 802.21 MIH services to minimize EAP authentication delays and thereby reduce the overall handover latency. Analysis of the signalling process shows that the overall handover latency for mobility protocols is reduced by approximately 70% by the proposed scheme.

    Design of multi-homing architecture for mobile hosts

    This thesis proposes a new multi-homing mobile architecture for future heterogeneous network environments. First, a new multi-homed mobile architecture called Multi Network Switching enabled Mobile IPv6 (MNS-MIP6) is proposed, which enables a Mobile Node (MN) having multiple communication paths between itself and its Correspondent Node (CN) to take full advantage of being multi-homed. Multiple communication paths exist because the MN, the CN, or both are simultaneously attached to multiple access networks. A new sub-layer is introduced within the IP layer of the host's protocol stack. A context is established between the MN and the CN, and through this context additional IP addresses are exchanged between the two. The MNS-MIP6 architecture allows one communication to switch smoothly from one interface/communication path to another, and this switch remains transparent to the layers above IP.

    Second, to make communication more reliable in multi-homed mobile environments, a new failure detection and recovery mechanism called the Mobile Reachability Protocol (M-REAP) is designed within the proposed MNS-MIP6 architecture. The analysis shows that the new mechanism makes communication more reliable than the existing failure detection and recovery procedures in multi-homed mobile environments.

    Third, a new network selection mechanism is introduced in the proposed architecture which enables a multi-homed MN to choose the network best suited to particular application traffic. A Policy Engine is defined which takes parameters from the available networks, compares them according to application profiles and user preferences, and chooses the best network. The results show that in a multi-homed mobile environment, load can be shared among different networks/interfaces through the proposed load sharing mechanism.

    Fourth, a seamless handover procedure is introduced which enables a multi-homed MN to roam seamlessly in a heterogeneous network environment. Layer 2 triggers are defined which assist in the handover process: when the Signal to Noise Ratio (SNR) on the currently used active interface becomes low, a switch is made to a different active interface. Mathematical and simulation analysis show that the proposed scheme outperforms the existing popular handover management enhancement scheme in MIPv6 networks, namely Fast Handover for MIPv6 (FMIPv6).

    Finally, a mechanism is introduced to allow legacy hosts to communicate with MNS-MIP6 MNs and gain the benefits of reliability, load sharing and seamless handover. The mechanism introduces middle boxes, called Proxy-MNS boxes, in the CN's network; a context is established between the middle boxes and a multi-homed MN.

    EThOS - Electronic Theses Online Service (United Kingdom)

    IEEE 802.21 in heterogeneous handover environments

    Master's degree in Computer and Telematics Engineering

    The development of the technological capabilities of mobile terminals, and of the infrastructures that support them, enables new scenarios in which devices equipped with interfaces of different technologies roam between different connectivity environments. This creates a need to provide means that facilitate mobility management, allowing the terminal to connect in the best way possible (i.e., by choosing the best technology) at any time. The IEEE 802.21 standard is being developed by the Institute of Electrical and Electronics Engineers (IEEE) to provide mechanisms and services supporting Media Independent Handovers. The 802.21 standard specifies a set of mechanisms that enable scenarios like the one described above, taking into account the motivation and requirements presented by future network architectures, such as fourth generation (4G) networks. This thesis presents an extensive analysis of the IEEE 802.21 standard, introducing a set of simulations developed to study the impact of using 802.21 mechanisms in network-controlled handovers in a mixed access network composed of 802.11 and 3G technologies. The results obtained allow the applicability of these concepts to next generation environments to be verified, and also motivate a description of the design for integrating 802.21 mechanisms into fourth generation network architectures.
