With the fast growth in the number of mobile and handheld devices connected to the internet, the current IPv4 protocol cannot supply the growing number of IP addresses required. This is why the Internet Protocol IPv6 has been developed.
Mobile IPv6 is an essential, mandatory feature of IPv6, built to enable mobility for mobile devices in IP networks. The Mobile IPv6 specification is still incomplete, so the protocol will most likely change in the future. Security is an essential part of Mobile IPv6 and is discussed in detail in this chapter.
In addition to the mobility feature of Mobile IPv6, IPSec is also a mandatory feature of IPv6; it provides data security and services for communication in IP networks and for the application-layer protocols of TCP/IP. IPSec is used to protect Mobile IPv6 from security threats, but some issues still need to be solved.
6.1 Differences between MIPv4 and MIPv6
MIPv6 is the next-generation standard for Mobile IP after MIPv4. The main differences between MIPv4 and MIPv6 are as follows:
Foreign agent: MIPv6 relies on a DHCP (Dynamic Host Configuration Protocol) server or on router advertisements on the foreign network to obtain a care-of address (CoA). This lets the mobile device operate anywhere without requiring additional support from the local router, because it does not depend on a foreign agent to issue the care-of address as in MIPv4.
Home agent address discovery: IPv6 has a feature called anycast that sends data to the nearest or best receiver. With this feature, the mobile device can send an update to the home agent anycast address. If there are multiple home agents on the network, the nearest home agent sends the response to the mobile device. This provides scalability and redundancy to the network by keeping track of several home agents.
Security: both MIPv6 and MIPv4 provide data security by using a Virtual Private Network (VPN) solution. When the mobile device travels outside its home network and connects to a foreign network, MIPv4 uses IPSec v4 (Internet Protocol Security) and a VPN solution, while MIPv6 uses IPSec v6 and a VPN solution.
Route optimization: when the mobile device leaves its own network and connects to another network, it gets a new care-of address and informs the home agent of this address; the home agent then records the new care-of address in its binding table. MIPv6 has a direct packet routing feature that routes packets directly between the mobile device and correspondent nodes on the IPv6 network. All packets destined for the mobile device's home address are intercepted by the home agent, which then tunnels them to the care-of address. In MIPv4, traffic between the correspondent node and the mobile device must go through the home agent. In MIPv6, the correspondent node caches the care-of address by using route optimization and then transfers packets directly to the mobile device, as shown in Figure 1.
Figure 1: Route Optimization in MIPv6
6.2 Mobile IPv6 Security Threats
Mobile IPv6 has been developed to provide mobility and security for IPv6, in the same way as MIPv4. MIPv6 introduces different security threats, as follows:
1. Threats against Binding Updates sent to home agents: an attacker might claim that a certain mobile device is currently at a different location than it really is. If the home agent accepts the information sent to it as is, the mobile device might not get traffic destined to it, and other nodes might get traffic they didn't want.
2. Threats against route optimization with correspondent nodes: A malicious mobile device might lie about its home address. A malicious mobile device might send a correspondent node binding updates in which the home address is set to the address of another node, the victim. If the correspondent node accepted this forged binding update, then communications between the correspondent node and the victim would be disrupted, because packets that the correspondent node intended to send to the victim would be sent to the wrong care-of address. This is a threat to confidentiality as well as availability, because an attacker might redirect packets meant for another node to itself in order to learn the content of those packets. A malicious mobile device might lie about its care-of address. A malicious mobile device might send a correspondent node binding updates in which the care-of address is set to the address of a victim node or an address within a victim network. If the correspondent node accepted this forged binding update, then the malicious mobile could trick the correspondent into sending data to the victim node or the victim network; the correspondent's replies to messages sent by the malicious mobile will be sent to the victim host or network. This could be used to cause a distributed denial of service attack; the malicious mobile could trick a large number of servers so that they all send a large amount of data to the same victim node or network.
A malicious node might also send a large number of invalid binding updates to a victim correspondent node. If each invalid binding update took a significant amount of resources (such as CPU) to process before it could be recognized as invalid, then it might be possible to cause a denial of service attack by sending the correspondent so many invalid binding updates that it has no resources left for other tasks.
An attacker might also replay an old binding update. An attacker might attempt to disrupt a mobile device's communications by replaying a binding update that the node had sent earlier. If the old binding update was accepted, packets destined for the mobile node would be sent to its old location and not its current location.
3. Threats where MIPv6 correspondent node functionality is used to launch reflection attacks against other parties. The Home Address Option can be used to direct response traffic against a node whose IP address appears in the option, without giving a possibility for ingress filtering to catch the forged "return address".
4. Threats where the tunnels between the mobile device and the home agent are attacked to make it appear like the mobile node is sending traffic while it is not.
5. Threats where IPv6 Routing Header -- which is employed in MIPv6 -- is used to circumvent IP-address based rules in firewalls or to reflect traffic from other nodes. The generality of the Routing Header allows the kind of usage that opens vulnerabilities, even if the usage that MIPv6 needs is safe.
6. The security mechanisms of MIPv6 may also be attacked themselves, e.g. in order to force the participants to execute expensive cryptographic operations or allocate memory for the purpose of keeping state.
Most of the above threats are concerned with denial of service. Some of the threats also open up possibilities for man-in-the-middle, hijacking, and impersonation attacks.
6.3 Securing the Binding Update:
MIPv6 is a host routing protocol, developed to modify the normal routing for a specific host, because it changes the way packets are sent to the host. The binding update tells a correspondent node the new care-of address; the correspondent node authenticates the binding update and verifies that it does not come from a manipulated node. To authenticate the update successfully, the mobile device and the correspondent node need to establish a security association and share a secret key.
IPSec in transport mode is used between the home agent and its mobile device in order to secure MIPv6 messages such as the binding update.
Mobile IP is used to maintain communications while the IP address changes. Mobile IPv6 is more optimized and deployable than Mobile IPv4, for example through direct communication between the correspondent node and the mobile device. Even so, Mobile IPv6 is still incomplete, and the open issues have been with the security of the protocol.
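An added example, not part of the original essay: a simplified model of a correspondent node that authenticates binding updates with a shared secret key and rejects the forged and replayed updates described in section 6.2. The message encoding, the choice of HMAC-SHA256, the class and function names, and the 2001:db8:: sample addresses are assumptions for illustration, not the Mobile IPv6 wire format.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class BindingUpdate:
    home_addr: str
    care_of_addr: str
    seq: int      # 16-bit sequence number
    mac: bytes    # authenticator over the three fields above

def compute_mac(key, home, coa, seq):
    # Simplified encoding (assumption): both addresses plus the sequence number.
    msg = (ipaddress.IPv6Address(home).packed
           + ipaddress.IPv6Address(coa).packed + seq.to_bytes(2, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_update(key, home, coa, seq):
    return BindingUpdate(home, coa, seq, compute_mac(key, home, coa, seq))

def seq_is_newer(new, last):
    # Compare modulo 2**16 so a wrapped counter still counts as newer.
    return 0 < (new - last) % 65536 < 32768

class CorrespondentNode:
    def __init__(self):
        self.keys = {}   # home address -> shared secret key
        self.cache = {}  # home address -> (care-of address, last accepted seq)

    def process(self, bu):
        key = self.keys.get(bu.home_addr)
        if key is None:
            return "reject: no security association"
        entry = self.cache.get(bu.home_addr)
        # Cheap replay check before the MAC, so stale updates cost no crypto.
        if entry and not seq_is_newer(bu.seq, entry[1]):
            return "reject: replayed or stale"
        expected = compute_mac(key, bu.home_addr, bu.care_of_addr, bu.seq)
        if not hmac.compare_digest(expected, bu.mac):
            return "reject: bad authenticator"
        # The cache changes only after the MAC verifies, so a forged update
        # can neither redirect traffic nor advance the sequence number.
        self.cache[bu.home_addr] = (bu.care_of_addr, bu.seq)
        return "accept"

if __name__ == "__main__":
    key, home = b"constructed-demo-key", "2001:db8:1::10"  # constructed values
    cn = CorrespondentNode()
    cn.keys[home] = key
    first = make_update(key, home, "2001:db8:2::99", 1)
    print(cn.process(first), "|", cn.process(first))  # second call is a replay
```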