This excerpt is from Chapter 5, "Securing Mobile IPv6 Signaling," in Mobile IPv6: Mobility in a Wireless Internet, written by Hesham Soliman and published by Addison Wesley.
Mobility adds inherent security risks to those already in the Internet today. Some of these risks are introduced by the specific mobility protocol. Mobile IPv6 is a new protocol that attempts to do something that has not been done before on the Internet: redirect traffic between a mobile node and other correspondent nodes from one address to another. The signaling for such redirection is done between the mobile and correspondent nodes. To be able to design a protocol that avoids some or all of the security risks associated with it, we need to identify the types of threats specific to this protocol. Then we need to place requirements on the protocol to avoid some or all of these threats. In some cases, it is acceptable to have known threats associated with a protocol, provided that they are documented and understood. The output of the requirements study is used to test the protocol and see whether or not it conforms.
In this chapter, we focus on the security threats that result from the introduction of Mobile IPv6. We analyze the different Mobile IPv6 messages and show how each one can be used by Bad Guy to produce undesired effects on the mobile node, correspondent node, and home agent. We then present the mechanisms used by Mobile IPv6 to secure its messages.
5.1 Why Do We Need to Secure Mobile IPv6?
Before we analyze the threats of Mobile IPv6's messages, we consider two different communication scenarios that are possible when Mobile IPv6 is used. Figure 5–1 shows the different cases.
A mobile node may tunnel its packets to the home agent, which in turn decapsulates and forwards them to the correspondent node. If route optimization were used (i.e., the mobile node sent a binding update to the correspondent node), the mobile node would send packets directly to the correspondent node after adding a home address option. The correspondent node would also send packets directly to the mobile node using a routing header type 2 that includes the mobile node's home address.
We need to analyze the types of attacks that Bad Guy can launch when he is on-path or off-path. An on-path attacker is one that can see packets going through a certain link between two nodes. For instance, an attacker can be on-path between the mobile and correspondent nodes if he is located at the mobile node's link, the correspondent node's link, or any link between the two where packets between the two nodes are routed. On the other hand, an off-path attacker is unable to see packets sent between the two nodes he is trying to attack.
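The following threat-modeling sketch is an added example, not taken from the book. It classifies an observer's link as on-path or off-path for each of the two scenarios above. The topology and the node names AR, CORE, CNR, HR and STUB are constructed, and symmetric shortest-path routing is assumed.

```python
from collections import deque

# Constructed topology (assumption, for illustration): undirected links.
LINKS = [("MN", "AR"), ("AR", "CORE"), ("CORE", "CNR"), ("CNR", "CN"),
         ("CORE", "HR"), ("HR", "HA"), ("CORE", "STUB")]

def neighbours(node):
    return [b if a == node else a for a, b in LINKS if node in (a, b)]

def path_links(src, dst):
    """Links on the shortest route from src to dst (breadth-first search)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in neighbours(node):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no route from {src} to {dst}")
    links = set()
    while prev[dst] is not None:          # walk back from dst to src
        links.add(frozenset((dst, prev[dst])))
        dst = prev[dst]
    return links

def links_used(mode):
    """Links carrying MN<->CN traffic in each scenario from the text."""
    if mode == "tunnel":                  # MN -> home agent -> CN
        return path_links("MN", "HA") | path_links("HA", "CN")
    if mode == "route_optimized":         # MN <-> CN directly
        return path_links("MN", "CN")
    raise ValueError(f"unknown mode: {mode}")

def classify(observer_link, mode):
    """'on-path' if traffic in this mode crosses the observer's link."""
    on_path = frozenset(observer_link) in links_used(mode)
    return "on-path" if on_path else "off-path"

if __name__ == "__main__":
    for a, b in LINKS:
        print(f"{a}-{b}: tunnel={classify((a, b), 'tunnel')}, "
              f"route_optimized={classify((a, b), 'route_optimized')}")
```

In this topology the home agent's link is on-path only while traffic is tunneled, so a threat analysis has to be carried out separately for each scenario.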