1 / 12

Mobile IPv6 and Firewalls: Problem Statement

Mobile IPv6 and Firewalls: Problem Statement. Speaker: Jong-Ru Lin 95321508. Outline. Introduction Return Routability Test Overview of Firewalls MN is in a network protected by firewall(s) CN is in a network protected by firewall(s) HA is in a network protected by firewall(s) Conclusions.

kata
Download Presentation

Mobile IPv6 and Firewalls: Problem Statement

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mobile IPv6 and Firewalls: Problem Statement Speaker: Jong-Ru Lin 95321508

  2. Outline • Introduction • Return Routability Test • Overview of Firewalls • MN is in a network protected by firewall(s) • CN is in a network protected by firewall(s) • HA is in a network protected by firewall(s) • Conclusions

  3. Introduction • Mobile IPv6 protocol design also incorporates a feature termed Route Optimization. • Most firewalls available for IPv6 networks do not support Mobile IPv6. • Since most networks in the current business environment deploy firewalls, this may prevent future large-scale deployment of the Mobile IPv6 protocol.

  4. Return Routability Test • The Return Routability procedure provides some security assurance and prevents the misuse of Mobile IPv6 signaling to maliciously redirect the traffic or to launch other attacks.

  5. Overview of Firewalls • Stateful packet filtering refers to the process of forwarding or rejecting traffic based on the contents of a state table maintained by a firewall. • Parameters: (1)Source IP address (2) Destination IP address (3) Protocol type (4) Source port number (5) Destination port number

  6. MN is in a network protected by firewall(s) • Issue 1:The Binding Updates and Acknowledgements should be protected by IPsec ESP according to the MIPv6 specifications. • Issue 2:The packet is intercepted by the MN’s home agent, which tunnels it to the MN’s . The packet may be dropped since the incoming packet may not match any existing state. • Issue 3:The Home Test message of the RRT must be protected by IPsec in tunnel mode. However, firewalls might drop any packet protected by ESP.

  7. CN is in a network protected by firewall(s) • Issue 1: • Route optimization requires MN B to send a Binding Update to Node C in order to create an entry in its binding cache that maps the MN’s home address to its current care-of-address. • However, prior to sending the binding update, the mobile node must first execute a Return Routability Test.

  8. CN is in a network protected by firewall(s) • The Care of Test Init message is sent using the CoA of B as the source address. Such a packet does not match any entry in the protecting firewall . The CoTi message will thus be dropped by the firewall. • The HoTI is a Mobility Header packet, and as the protocol type differs from the established state in the firewall , the HoTI packet will also be dropped. • As a consequence, the RRT cannot be completed, and route optimization cannot be applied.

  9. CN is in a network protected by firewall(s) • Issue 2: • Changing the firewall states without verifying the validity of the Binding Update messages could lead to denial of service attacks. • Malicious nodes may send fake binding updates, forcing the firewall to change its state information • Therefore leading the firewall to drop packets from the connections that use the legitimate addresses.

  10. CN is in a network protected by firewall(s) • Issue 3: • Assume that the Binding Update to the CN is successful. • The CN may be protected by different firewalls, and as a result of the MN’s change of IP address, incoming and outgoing traffic may pass through a different firewall. • The new firewall may not have any state associated with the CN, and incoming packets (and potentially outgoing traffic as well) may be dropped at the firewall.

  11. HA is in a network protected by firewall(s) • Issue 1:Much of the MIPv6 signaling (e.g., Binding Update, HoT) may be dropped at the firewall(s) • Issue 2:If the home agent is in a network protected by several firewalls, an MN/CN’s change of IP address may result in the passage of traffic to and from the home agent through a different firewal.

  12. Conclusions • This document describes some of the issues between the Mobile IPv6 protocol and current firewall technologies. • This enables a better understanding of the issues when deploying Mobile IPv6 as well as the issues for firewall design and policies to be installed therein.

More Related