PowerPoint PPT presentation, provided by: ietf (https://www.ietf.org). Slides: 12.

Transcript and Presenter's Notes

1
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)
  • James Kempf, Samita Chakrabarti, Erik Nordmark
  • draft-chakrabarti-mip6-bmip-01.txt
  • Monday March 7, 2005

2
Motivation
  • Support deployments in which Home Network Access
    Provider and Mobility Service Provider are
    different providers
  • Support deployments with a loose trust
    relationship between Serving Network Access
    Provider and Mobility Service Provider
  • Examples
    • Enterprise networks
    • Hotspots with non-AAA-based network entry
      authorization
    • Maybe 90% of WLAN public access deployments in
      the US?
  • Future deployment possibilities
    • Infrastructureless deployments

3
Example Universal Access Method (UAM)
  [Diagram: Mobile Node -> AP -> PAC -> Access Network -> Internet.
   PAC sends Redirect to Login Page; PAC relays credentials to credit
   card provider. Legend: AP = Access Point, PAC = Public Access Control
   Gateway]
4
Basic Problems Addressed
  • No AAA hook during network access
    authentication to provision the Mobile Node with
    the Home Agent address and mobility service
    authorization credentials
    • EAP solutions such as draft-giaretta-mip6-authorization
      require AAA during network access authentication
  • Tight trust lacking between Mobility Service
    Provider and Access Service Provider
    • DHCP solutions such as draft-ohba-mip6-boot
      require very high trust between networks for
      roaming support
  • Home Network Access Service Provider uses AAA but
    is not also a Mobility Service Provider

5
What the Mobile Node Starts With
  • A connection to the Internet on the serving
    (local) network, authenticated and authorized (or
    not) through any means, e.g. 802.1X, PANA
  • The domain name of the Mobility Service Provider
  • Credentials to allow Home Agent IKEv2 to
    authenticate and authorize for mobility service
    • NAI or similar non-topological identity
    • Certificate or preshared key if IKEv2 auth/authz
      is done with a certificate or preshared key
    • User name/password or other credentials if IKEv2
      auth/authz is done using EAP
  • Optional certificate for the Home Agent if not
    available during the DNS or IKE transaction

6
The Protocol
  [Diagram: Mobile Node -> AP -> Access Network -> Internet -> MIP6 HA
   (Mobility Service Provider). Result: terminal now has Home Address
   and IPsec SAs]
7
Security of BMIP Protocol
  • Replay protection provided by the message ID in
    DNS
    • RFC 1035
  • Server-to-host data integrity and origin
    authentication provided by DNSSEC
    • RFC 2535
  • DNSSEC is not today widely deployed, but then
    neither is MIP6
  • For future DNS security, DNSSEC should be
    deployed

8
Security of Home Agent Address
  • Host-to-server authorization can be done by using
    DNS TSIG
    • RFC 2845
  • Upside
    • Only authorized hosts can get the address
  • Downside
    • Requires the MSP DNS server to perform
      authentication on each SRV request in real time
      (i.e. no caching)
    • Address is unencrypted in transit, so it can be
      intercepted by a man-in-the-middle
  • Confidentiality protection can be provided by
    encrypting the address before inserting it into DNS
    • Anybody can get the record; only authorized users
      with keys can decrypt
    • Draft in preparation for DNSEXT
  • Assumption: these measures assume some utility to
    hiding the address in the first place,
    presumably to prevent DoS
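
As an added illustration of the encrypted-record idea on this slide (example code, not from the draft or the presenters): the MSP seals the Home Agent address with AES-GCM under a subscriber key and publishes the base64 text; the Mobile Node fetches it like any other record and decrypts. The nonce||ciphertext layout, the binding of the record owner name as associated data, and the key provisioning are assumptions of this example; the DNSEXT draft named on the slide is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte subscriber key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealHomeAgentAddr (MSP side) encrypts the Home Agent address under the
// subscriber key and returns base64 text to publish as record data. The
// owner name is bound as associated data so the ciphertext cannot be
// re-published under another name. Layout nonce||ciphertext is an assumption.
func SealHomeAgentAddr(key []byte, owner string, ha net.IP) (string, error) {
	ip := ha.To16()
	gcm, err := newGCM(key)
	if ip == nil || err != nil {
		return "", errors.New("bad key or address")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, ip, []byte(owner))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenHomeAgentAddr (Mobile Node side): anyone can fetch the record, but a
// wrong key, wrong owner name or modified record fails instead of decrypting.
func OpenHomeAgentAddr(key []byte, owner, record string) (net.IP, error) {
	raw, err := base64.StdEncoding.DecodeString(record)
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return nil, errors.New("bad key or malformed record")
	}
	ip, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(owner))
	return net.IP(ip), err
}
```

Note that this only hides the address from parties without the key; as the next slide argues, it does not remove the DoS exposure once a key holder leaks it.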

9
DoS Attack on the Home Agent Address
  • Address is in public DNS, anybody could snatch
    it!
  • IKEv2 contains measures to slow down an attacker
    if they should get it
  • But...
  • DoS is a problem with any solution (including
    manual configuration) that exposes the Home Agent
    address to users on the Internet
    • User goes rogue
    • Someone steals the address from a legitimate user
    • Distributed worm probing attack discovers the
      Home Agent
  • Bottom line: hiding the address from
    unauthorized users only makes launching a DoS
    attack a little harder

10
Realistic DoS Mitigation Measures
  • Overprovisioning
    • Network connections and Home Agent server
      capacity are enough to handle any conceivable
      load
  • Change Home Agent addresses aperiodically
    • Especially if someone suspicious has their
      account revoked
  • Provision Home Agents with
    • Few users, to avoid inconveniencing lots of users
      when an attack occurs
    • On topologically widely separated subnets, to slow
      worm probing attacks

11
Questions/Comments?