Internet Engineering Task Force                                 S. Glass
INTERNET-DRAFT                                          Sun Microsystems
Individual Submission                                         March 2002

                      Security Issues in Mobile IPv4
               draft-glass-mobileip-security-issues-01.txt

Status of this memo

   This document is a submission to the Mobile IP Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the MOBILE-IP@STANDARDS.NORTELNETWORKS.COM mailing list.
   Distribution of this memo is unlimited.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at:
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at:
   http://www.ietf.org/shadow.html.

Abstract

   Mobile IP is designed to provide IP services to roaming nodes,
   allowing them to access services, and enabling other nodes to reach
   them, as if they were on their home domain.  By definition this
   functionality must be deployed on multiple subnets, and in many cases
   across domains.  While the services that enable Mobile IP MUST be
   present on a subnet for a mobile node to have this reachability,
   deploying them can introduce security issues that any network
   administrator overseeing Mobile IP subnets may need to address.
   There are many domain policy details that must be considered in the
   decision to allow any mobile node access to a subnet; this document
   does not address them.
   For those, the reader is directed to a series of documents produced
   by the AAA working group.  This document details potential security
   issues that those who have decided to provide access to mobile nodes
   should be aware of.

Expires Sep 2002   draft-glass-mobileip-security-issues-01.txt  [page 1]

Internet Draft         Security Issues in Mobile IPv4          S. Glass

1.0 Introduction

   With the ever-increasing number of roaming IP devices, users have far
   more points from which to connect to the Internet than ever before.
   While supporting mobile users on an IP subnet comes with its own
   functionality overhead, it also comes with increased security risk.
   That risk is two-fold.

   First, opening a subnet to welcome visitors also means risking access
   by unwelcome visitors.  The decision to open a network is complex,
   and among other things weighs the potential gain from giving more
   freedom to those you are providing service to against the potential
   liability from those not authorised to use it, and the likelihood and
   extent of the damage that may result.  For these issues the reader is
   directed to a series of documents produced by the AAA working group,
   and by the other working groups whose conclusions and recommendations
   fed into them, listed in Appendix A; they are beyond the scope of
   this document.

   Second, for those who have decided that the advantages of opening
   their networks to mobile users through Mobile IP outweigh the risks,
   there are various potential security issues that deployers of Mobile
   IP may wish to familiarize themselves with.  Those are entirely
   within the scope of this document.

   Mobile IP covers its functionality space with three orthogonal
   pieces, namely agent advertisements, registrations, and tunnelling.
   The potential security issues relevant to agent advertisements are
   covered in section 2.0, those surrounding registrations in section
   3.0, and those relevant to tunnels in section 4.0.
2.0 Agent Advertisements

   Agent Advertisements as defined by [1] append a mobility extension to
   the ICMP Router Advertisement messages of [4].  The ICMP code of such
   an advertisement is 16 if the agent sending it does not route common
   (non-Mobile-IP) traffic, and 0 if it does.

   The mobility extension carries a sequence number that mobile nodes
   use to detect that a foreign agent has reset its state, and has
   therefore (most likely) lost the mobile node's mobility binding.  A
   roll-over cannot be mistaken for a reset, because an agent whose
   sequence number would wrap is required to continue at 256 rather
   than 0: a sequence number in the range 0 to 255 therefore always
   indicates that the agent has restarted, while a decrease to a value
   of 256 or more is just a roll-over.

   This mechanism MAY be used by a "man-in-the-middle" to fool the
   mobile node into thinking its current binding has been lost, by
   forging an agent advertisement with a low sequence number from the
   node that is currently providing the mobile node with foreign agent
   service.  The origin of such an attack is somewhat limited, since
   agent advertisements MUST be sent with a TTL of 1, meaning that
   smarter mobile node implementations check this before reacting.  The
   forged advertisement must therefore either come from the local link,
   or have its TTL chosen so that, on reaching the link the mobile node
   currently resides on, the TTL has been reduced to exactly 1.

   Moreover, agent advertisements are sent either by a broadcast or
   multicast mechanism, or by unicast.  Agent advertisements destined
   for the entire link are sent to either the limited broadcast address
   255.255.255.255 or the all-hosts multicast address 224.0.0.1.  (The
   directed subnet broadcast address is not used, as mobile nodes are
   not expected to know a priori which subnets they will be visiting,
   and therefore do not know what constitutes such an address,
   especially since the deployment of CIDR [8].)
   Attacks on these addresses from nodes off the mobile node's current
   link do not pose a problem, as packets originating on other links
   with these destination addresses will never be routed onto the
   mobile node's current link.  Agent advertisements sent in response
   to an agent solicitation from the mobile node, however, are sent
   only to the mobile node's unicast address, and these do pose a threat
   from attackers off the mobile node's current link.  In this scenario,
   bogus agent advertisements are delivered to a mobile node, either
   from a node that happens to share its current link, or from another
   link using more carefully crafted packets.  The intent is to make the
   mobile node think it has to reregister, e.g. by implying to the
   mobile node that the foreign agent has rebooted, as indicated by a
   reset sequence number.

   Such an attack could be rendered [nearly] useless, however, if a
   mobile node implementation ignored unicast agent advertisements
   except when awaiting a response to an agent solicitation it has sent.
   The use of Challenge/Response [9] has also been shown to be
   beneficial, as mobile nodes can determine which advertisements should
   be ignored, and in the case of a reset there is a synchronization
   loop defined that mobile nodes can apply before they reregister, at
   least preventing this attack from succeeding from other links.

3.0 Registration Issues

3.1 Registration Hijacking

4.0 Tunnel Issues

4.1 Tunnel Hijacking

4.2 Issues with Carrying Multicast and Broadcast Traffic

Security Considerations

   This entire document addresses the security considerations for
   deploying Mobile IP on, and by definition across, subnets.  It
   addresses security issues that may pertain to mobile nodes roaming
   onto foreign subnets, to the foreign subnets that service such mobile
   nodes, to home subnets that wish to provide service to such roaming
   mobile nodes, and to subnets in general now that Mobile IP has been
   standardized, implemented, and deployed.
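   As an added worked example (not code from this draft or from any
   Mobile IP implementation), the following Python module implements
   the mobile node side of the checks discussed in section 2.0: the TTL
   test, the policy of ignoring unicast advertisements unless an agent
   solicitation is outstanding, and the sequence number reset test with
   the 0xffff-to-256 roll-over rule of [1].  The wire formats follow the
   ICMP Router Advertisement of [4] and the mobility agent advertisement
   extension (type 16) of [1].  The foreign agent and mobile node
   addresses (192.0.2.1 and 192.0.2.77), the advertisements, and the
   verdict strings are constructed for the example, and the ICMP
   checksum is assumed to have been verified by the ICMP layer before a
   message reaches this code.

```python
"""Mobile IPv4 agent advertisement checks. Added example, not the draft's code nor
any implementation's. Wire formats: RFC 1256 (ICMP Router Advertisement) and
RFC 3220 2.1.1 (Mobility Agent Advertisement Extension). Inputs are constructed."""
import struct
from collections import namedtuple
from socket import inet_aton, inet_ntoa

ICMP_ROUTER_ADV = 9
MOBILITY_AGENT_EXT = 16   # extension type; type 0 is the one-byte padding extension
LIMITED_BROADCAST = "255.255.255.255"
ALL_HOSTS_MULTICAST = "224.0.0.1"
SEQ_RESTART = 256         # 0xffff is followed by 256, never by 0 (RFC 3220 2.3.2)
FLAG_F = 0x10             # agent offers foreign agent service
AgentAdvertisement = namedtuple("AgentAdvertisement",
                                "code routers sequence reg_lifetime flags care_of_addrs")

def build_agent_advertisement(router, sequence, reg_lifetime, flags, coas, code=0):
    """ICMP payload with one router entry; checksum left 0 for the ICMP layer."""
    icmp = struct.pack("!BBHBBH", ICMP_ROUTER_ADV, code, 0, 1, 2, 1800)  # lifetime 1800
    icmp += inet_aton(router) + struct.pack("!i", 0)                     # preference 0
    icmp += struct.pack("!BBHHBB", MOBILITY_AGENT_EXT, 6 + 4 * len(coas),
                        sequence, reg_lifetime, flags, 0)
    return icmp + b"".join(inet_aton(a) for a in coas)

def parse_agent_advertisement(icmp):
    """Parse and validate a checksum-verified ICMP message; ValueError if malformed."""
    if len(icmp) < 8:
        raise ValueError("short ICMP message")
    typ, code, _, num_addrs, entry_size, _ = struct.unpack("!BBHBBH", icmp[:8])
    if typ != ICMP_ROUTER_ADV or code not in (0, 16) or entry_size != 2:
        raise ValueError("not a Mobile IP router advertisement")
    off = 8 + 8 * num_addrs                          # (address, preference) pairs
    if off > len(icmp):
        raise ValueError("truncated router entries")
    routers = [inet_ntoa(icmp[i:i + 4]) for i in range(8, off, 8)]
    ext = None
    while off < len(icmp):                           # walk the extensions
        if icmp[off] == 0:                           # one-byte padding, no length
            off += 1
            continue
        if off + 2 > len(icmp) or off + 2 + icmp[off + 1] > len(icmp):
            raise ValueError("truncated extension")
        ext_len, body = icmp[off + 1], icmp[off + 2:off + 2 + icmp[off + 1]]
        if icmp[off] == MOBILITY_AGENT_EXT:
            if ext_len < 6 or (ext_len - 6) % 4:
                raise ValueError("bad mobility agent extension length")
            seq, lifetime, flags, _ = struct.unpack("!HHBB", body[:6])
            coas = [inet_ntoa(body[i:i + 4]) for i in range(6, ext_len, 4)]
            ext = (seq, lifetime, flags, coas)
        off += 2 + ext_len                           # unknown types are skipped
    if ext is None:
        raise ValueError("no mobility agent advertisement extension")
    return AgentAdvertisement(code, routers, *ext)

class MobileNodeAdvState:
    def __init__(self, current_fa):                  # agent we are registered through
        self.current_fa = current_fa
        self.last_sequence, self.awaiting_solicitation_reply = None, False

    def evaluate(self, ip_src, ip_dst, ttl, icmp):
        if ttl != 1:                         # RFC 3220 2.1: advertisements carry TTL 1
            return "drop: TTL is not 1"
        try:
            adv = parse_agent_advertisement(icmp)
        except ValueError as err:
            return "drop: malformed (%s)" % err
        # Unicast advertisements are expected only as replies to our own solicitation.
        if ip_dst not in (LIMITED_BROADCAST, ALL_HOSTS_MULTICAST):
            if not self.awaiting_solicitation_reply:
                return "drop: unsolicited unicast advertisement"
            self.awaiting_solicitation_reply = False
        if ip_src != self.current_fa:        # other agents cannot void our binding
            return "ignore: advertisement from another agent"
        # Decrease into 0..255: agent reset.  Decrease to >= 256: roll-over from 0xffff.
        if self.last_sequence is None or adv.sequence >= self.last_sequence:
            verdict = "accept"
        elif adv.sequence < SEQ_RESTART:
            verdict = "reset: agent rebooted, reregister"
        else:
            verdict = "accept: sequence roll-over"
        self.last_sequence = adv.sequence
        return verdict

def demo():
    """Section 2.0 scenarios against one mobile node; returns the verdicts."""
    fa, mn = "192.0.2.1", "192.0.2.77"             # constructed FA and mobile node
    node = MobileNodeAdvState(fa)
    def adv(seq):
        return build_agent_advertisement(fa, seq, 600, FLAG_F, [fa])
    out = [node.evaluate(fa, ALL_HOSTS_MULTICAST, 1, adv(100)),   # normal
           node.evaluate(fa, mn, 64, adv(0)),      # forged reset, TTL not fixed up
           node.evaluate(fa, mn, 1, adv(0))]       # forged reset, TTL right, unsolicited
    node.awaiting_solicitation_reply = True        # we solicited: the residual window
    out.append(node.evaluate(fa, mn, 1, adv(0)))
    node.evaluate(fa, LIMITED_BROADCAST, 1, adv(0xFFFF))
    out.append(node.evaluate(fa, LIMITED_BROADCAST, 1, adv(256)))   # legitimate roll-over
    return out

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

   The demo() scenarios show the residual window the text describes: a
   forged reset advertisement is dropped on its TTL or as an unsolicited
   unicast, but the same packet arriving while the node is waiting for a
   reply to its own solicitation is indistinguishable from a genuine
   reboot, which is why the text points to Challenge/Response [9].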
Appendix A   Policy Specific and AAA Generic Documents

Mobile IP Specific
------------------

   Mobile IP Authentication, Authorization, and Accounting Requirements
   RFC 2977, October 2000
   S. Glass, T. Hiller, S. Jacobs, C. Perkins

Network Access Server Specific
------------------------------

   Criteria for Evaluating Network Access Server Protocols
   RFC 3169, September 2001
   M. Beadles, D. Mitton

Roaming User Specific
---------------------

   Criteria for Evaluating Roaming Protocols
   RFC 2477, January 1999
   B. Aboba, G. Zorn

Authentication, Authorization, Accounting Generic
-------------------------------------------------

   Criteria for Evaluating AAA Protocols for Network Access
   RFC 2989, November 2000
   B. Aboba, P. Calhoun, S. Glass, T. Hiller, P. McCann, et al.

   Authentication, Authorization, and Accounting: Protocol Evaluation
   RFC 3127, June 2001
   D. Mitton, M. St.Johns, S. Barkley, D. Nelson, B. Patil, et al.

Acknowledgements

   The editor would like to thank the following persons for their
   contributions to this document:

References

   [1] IP Mobility Support for IPv4
       RFC 3220, January 2002 (obsoletes RFC 2002)
       C. Perkins, Editor

   [2] Reverse Tunneling for Mobile IP, revisited
       RFC 3024, January 2001 (obsoletes RFC 2344)
       G. Montenegro, Editor

   [3] Mobility Support in IPv6
       work in progress, revision 13, November 2000
       D. Johnson and C. Perkins

   [4] ICMP Router Discovery Messages
       RFC 1256, September 1991
       S. Deering, Editor

   [5] Mobile IP Network Access Identifier Extension for IPv4
       RFC 2794, March 2000
       P. Calhoun, C. Perkins

   [6] Mobile IP Agents as DHCP Proxies
       work in progress, revision 01, February 2001
       S. Glass

   [7] Registration Revocation in Mobile IP
       work in progress, revision 02, March 2002
       S. Glass

   [8] Classless Inter-Domain Routing (CIDR)
       RFC 1518 and RFC 1519, September 1993
       Y. Rekhter, T. Li (RFC 1518); V. Fuller, T. Li, J. Yu,
       K. Varadhan (RFC 1519)

   [9] Mobile IPv4 Challenge/Response Extensions
       RFC 3012, November 2000
       C. Perkins, P. Calhoun