Network Working Group                                            C. Vogt
Request for Comments: 4832                    Universitaet Karlsruhe (TH)
Category: Informational                                         J. Kempf
                                                         DoCoMo USA Labs
                                                              April 2007
Security Threats to Network-Based Localized Mobility Management (NETLMM)
Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document discusses security threats to network-based localized mobility management. Threats may occur on two interfaces: the interface between a localized mobility anchor and a mobile access gateway, as well as the interface between a mobile access gateway and a mobile node. Threats to the former interface impact the localized mobility management protocol itself.
Table of Contents
   1.  Introduction
       1.1.  Terminology
   2.  Threats to Interface between LMA and MAG
       2.1.  LMA Compromise or Impersonation
       2.2.  MAG Compromise or Impersonation
       2.3.  Man-in-the-Middle Attack
   3.  Threats to Interface between MAG and Mobile Node
       3.1.  Mobile Node Compromise or Impersonation
       3.2.  Man-in-the-Middle Attack
   4.  Threats from the Internet
   5.  Security Considerations
   6.  Acknowledgments
   7.  References
       7.1.  Normative References
       7.2.  Informative References

1.  Introduction
The network-based localized mobility management (NETLMM) architecture [1] supports movement of IPv6 mobile nodes locally within a domain without requiring mobility support in the mobile nodes' network stacks. A mobile node can keep its IP address constant as it moves from link to link, avoiding the signaling overhead and latency associated with changing the IP address. Software specifically for localized mobility management is not required on the mobile node, whereas IP-layer movement detection software may be necessary, and driver software for link-layer mobility is prerequisite.
The IP addresses of mobile nodes have a prefix that routes to a localized mobility anchor (LMA) [3]. The LMA maintains an individual route for each registered mobile node. Any particular mobile node's route terminates at a mobile access gateway (MAG) [3], to which the mobile node attaches at its current access link. MAGs are responsible for updating the mobile node's route on the LMA as the mobile node moves. A MAG detects the arrival of a mobile node on its local access link based on handoff signaling that the mobile node pursues. The MAG may additionally monitor connectivity of the mobile node in order to recognize when the mobile node has left the local access link. The localized mobility management architecture therefore has two interfaces:
1. The interface between a MAG and an LMA where route update signaling occurs.
2. The interface between a mobile node and its current MAG where handoff signaling and other link maintenance signaling occur.
The localized mobility management architecture demands no specific protocol for a MAG to detect the arrival or departure of mobile nodes to and from its local access link and accordingly initiate route update signaling with an LMA. An appropriate mechanism may be entirely implemented at the link layer, such as is common for cellular networks. In that case, the IP layer never detects any movement, even when a mobile node moves from one link to another handled by a different MAG. If the link layer does not provide the necessary functionality, the mobile node must perform IP-layer movement detection and auto-configuration signaling, thereby providing the trigger for the MAG to update its route on the LMA. A mobile node identity, established by the localized mobility management domain when the mobile node initially connects and authenticates, enables the MAG to ascribe the decisive link- or IP-layer signaling to the correct mobile node. Some wireless access technologies may require the mobile node identity to be reestablished on every link-layer handoff.
Vulnerabilities in either interface of the localized mobility management architecture may entail new security threats that go beyond those that already exist in IPv6. Potential attack objectives may be to consume network services at the cost of a legitimate mobile node, interpose in a mobile node's communications and possibly impersonate the mobile node from a position off-link, operate under the disguise of a false or non-existing identity, or cause denial of service to a mobile node or to the localized mobility management domain as a whole. This document identifies and discusses security threats on both interfaces of the localized mobility management architecture. It is limited to threats that are peculiar to localized mobility management; threats to IPv6 in general are documented in [4].
1.1.  Terminology
The terminology in this document follows the definitions in [2], with those revisions and additions from [1]. In addition, the following definition is used:
Mobile Node Identity
An identity established for the mobile node when initially connecting to the localized mobility management domain. It allows the localized mobility management domain to definitively and unambiguously identify the mobile node upon handoff for route update signaling purposes. The mobile node identity is conceptually independent of the mobile node's IP or link-layer addresses, but it must be securely bound to the mobile node's handoff signaling.
2.  Threats to Interface between LMA and MAG
The localized mobility management protocol executed on the interface between an LMA and a MAG serves to establish, update, and tear down routes for data plane traffic of mobile nodes. Threats to this interface can be separated into compromise or impersonation of a legitimate LMA, compromise or impersonation of a legitimate MAG, and man-in-the-middle attacks.
2.1.  LMA Compromise or Impersonation
A compromised LMA can ignore route updates from a legitimate MAG in order to deny service to a mobile node. It may also be able to trick a legitimate MAG into creating a new, incorrect route, thereby preparing the MAG to receive redirected traffic of a mobile node; it may cause the traffic forwarded by a MAG to be redirected to a different LMA; or it may simply have the MAG drop an existing route in order to deny the mobile node service. Since data plane traffic for mobile nodes routes through the LMA, a compromised LMA can also intercept, inspect, modify, or drop such traffic, or redirect it to a destination in collusion with the attacker. The attack can be conducted transiently to selectively disable traffic for any particular mobile node or MAG at particular times.
Moreover, a compromised LMA may manipulate its routing table such that all packets are directed towards a single MAG. This may result in a denial-of-service attack against that MAG and its attached access link.
These threats also emanate from an attacker which tricks a MAG into believing that it is a legitimate LMA. This attacker can cause the MAG to conduct route update signaling with the attacker instead of with the legitimate LMA, enabling it to ignore route updates from the MAG, or induce incorrect route changes at the MAG as described above, in order to redirect or deny a mobile node's traffic. The attacker does not necessarily have to be on the original control plane path between the legitimate LMA and the MAG, provided that it can somehow make its presence known to the MAG. Failure to mutually authenticate when establishing an association between an LMA and a MAG would allow an attacker to establish itself as a rogue LMA.
The attacker may further be able to intercept, inspect, modify, drop, or redirect data plane traffic to and from a mobile node. This is obvious if the attacker is on the original data plane path between the legitimate LMA and the mobile node's current MAG, which may happen independently of whether the attacker is on the original control plane path. If the attacker is not on this path, it may be able to leverage the localized mobility management protocol to redefine the prefix that the mobile node uses in IP address configuration. The attacker can then specify a prefix that routes to itself. Whether or not outgoing data plane packets sourced by the mobile node can be interfered with by an attacker off the original data plane path depends on the specific data plane forwarding mechanism within the localized mobility management domain. For example, if IP-in-IP encapsulation or an equivalent approach is used for outbound data plane packets, the packets can be forced to be routed through the attacker. On the other hand, standard IP routing may cause the packets to be relayed via a legitimate LMA and hence to circumvent the attacker.
2.2.  MAG Compromise or Impersonation
A compromised MAG can redirect a mobile node's traffic onto its local access link arbitrarily, without authorization from the mobile node. This threat is similar to an attack on a typical routing protocol where a malicious stub router injects a bogus host route for the mobile node. In general, forgery of a subnet prefix in link state or distance vector routing protocols requires support of multiple routers in order to obtain a meaningful change in forwarding behavior. But a bogus host route is likely to take precedence over the routing information advertised by legitimate routers, which is usually less specific; hence, the attack should succeed even if the attacker is not supported by other routers. A difference between redirection in a routing protocol and redirection in localized mobility management is that the former impacts the routing tables of multiple routers, whereas the latter involves only the compromised MAG and an LMA.
Moreover, a compromised MAG can ignore the presence of a mobile node on its local access link and refrain from registering the mobile node at an LMA. The mobile node then loses its traffic. The compromised MAG may further be able to cause interruption to a mobile node by deregistering the mobile node at the serving LMA, pretending that the mobile node has powered down. The mobile node then needs to reinitiate the network access authentication procedure, which the compromised MAG may prevent repeatedly until the mobile node moves to a different MAG. The mobile node should be able to handle this situation, but the recovery process may be lengthy and hence impair ongoing communication sessions to a significant extent.
Denial of service against an LMA is another threat of MAG subversion. The compromised MAG can trick an LMA into believing that a high number of mobile nodes have attached to the MAG. The LMA will then establish a routing table entry for each of the non-existing mobile nodes. The unexpected growth of the routing table may eventually cause the LMA to reject legitimate route update requests. It may also decrease the forwarding speed for data plane packets due to higher route lookup latencies, and it may, for the same reason, slow down the responsiveness to control plane packets. Another adverse side effect of a high number of routing table entries is that the LMA, and hence the localized mobility management domain as a whole, becomes more susceptible to flooding packets from external attackers (see Section 4). The high number of superfluous routes increases the probability that a flooding packet, sent to a random IP address within the localized mobility management domain, matches an existing routing table entry at the LMA and gets tunneled to a MAG, which in turn performs address resolution on the local access link. At the same time, fewer flooding packets can be dropped directly at the LMA on the basis of a nonexistent routing table entry.
All of these threats apply not just to a compromised MAG, but also to an attacker that manages to counterfeit the identity of a legitimate MAG in interacting with both mobile nodes and an LMA. Such an attacker can behave towards mobile nodes like an authorized MAG and engage an LMA in route update signaling. In a related attack, the perpetrator eavesdrops on signaling packets exchanged between a legitimate MAG and an LMA, and replays these packets at a later time. These attacks may be conducted transiently, to selectively disable traffic for any particular mobile node at particular times.
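Sections 2.1 and 2.2 both come down to the same requirement on the LMA-MAG interface: each side must be able to verify who sent a route update, and a captured update must not be accepted a second time. The following example, added here and not part of RFC 4832 or of any NETLMM protocol specification, models the minimal check an LMA can apply: an HMAC over the whole route update keyed by a per-MAG security association, plus a per-MAG monotonically increasing sequence number covered by that HMAC. The message layout, the pre-shared keys, and the identifiers (mag-1, mag-2, mn-A, the prefixes) are all constructed for illustration; how keys are provisioned is left to the protocol specification [3].

```python
import hashlib
import hmac
import json

# Constructed pre-shared keys for two LMA<->MAG security associations.
# (Assumption: keys are provisioned out of band; the document leaves the
# actual key-management mechanism to the protocol specification.)
MAG_KEYS = {
    "mag-1": b"constructed-key-for-mag-1",
    "mag-2": b"constructed-key-for-mag-2",
}


def build_route_update(key, mag_id, seq, mn_id, mn_prefix):
    """MAG side: serialise a route update and attach an HMAC-SHA256 tag.
    The sequence number is inside the authenticated payload, so it cannot
    be bumped by anyone who lacks the key."""
    body = {"sender": mag_id, "seq": seq, "mn": mn_id, "prefix": mn_prefix}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Lma:
    """LMA side: verify origin, reject replays, then install the route."""

    def __init__(self, keys):
        self.keys = keys        # mag_id -> shared key
        self.last_seq = {}      # mag_id -> highest accepted sequence number
        self.routes = {}        # mn_id -> (serving mag_id, prefix)

    def handle(self, msg):
        payload, tag = msg["payload"], msg["tag"]
        claimed = json.loads(payload)
        key = self.keys.get(claimed["sender"])
        if key is None:
            return "rejected: unknown MAG"          # no security association
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authenticator"    # forged or altered
        if claimed["seq"] <= self.last_seq.get(claimed["sender"], -1):
            return "rejected: replay"               # old message re-sent
        self.last_seq[claimed["sender"]] = claimed["seq"]
        self.routes[claimed["mn"]] = (claimed["sender"], claimed["prefix"])
        return "accepted"


def demo():
    """Feed six constructed signaling events to the LMA and return its
    verdicts plus the MAG finally recorded as serving mn-A."""
    lma = Lma(MAG_KEYS)
    genuine = build_route_update(MAG_KEYS["mag-1"], "mag-1", 7, "mn-A", "2001:db8:1::/64")
    verdicts = [lma.handle(genuine)]                      # fresh, authentic
    verdicts.append(lma.handle(genuine))                  # same packet replayed
    forged = build_route_update(b"guessed-key", "mag-1", 8, "mn-A", "2001:db8:9::/64")
    verdicts.append(lma.handle(forged))                   # impersonation, wrong key
    tampered = {"payload": genuine["payload"].replace(b'"mn-A"', b'"mn-Z"'),
                "tag": genuine["tag"]}
    verdicts.append(lma.handle(tampered))                 # modified in transit
    unknown = build_route_update(b"any-key", "mag-9", 1, "mn-C", "2001:db8:1::/64")
    verdicts.append(lma.handle(unknown))                  # MAG never provisioned
    later = build_route_update(MAG_KEYS["mag-2"], "mag-2", 1, "mn-A", "2001:db8:1::/64")
    verdicts.append(lma.handle(later))                    # genuine handoff to mag-2
    return verdicts, lma.routes["mn-A"][0]


if __name__ == "__main__":
    print(demo())
```

Because the sequence counter is kept per MAG, a handoff of the same mobile node to a second MAG is accepted with that MAG's own counter, while a recorded update from the first MAG is refused. The example does not cover what the LMA should do when a MAG restarts and its counter resets; a real protocol needs an explicit resynchronisation step for that case.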
2.3.  Man-in-the-Middle Attack
An attacker that manages to interject itself between a legitimate LMA and a legitimate MAG can act as a man in the middle with respect to both control plane signaling and data plane traffic. If the attacker is on the original control plane path, it can forge, modify, or drop route update packets so as to cause the establishment of incorrect routes or the removal of routes that are in active use. Similarly, an attacker on the original data plane path can intercept, inspect, modify, drop, and redirect data plane packets sourced by or destined to a mobile node.
A compromised switch or router located between an LMA and a MAG can cause similar damage. Any switch or router on the control plane path can forge, modify, or drop control plane packets, and thereby interfere with route establishment. Any switch or router on the data plane path can intercept, inspect, modify, and drop data plane packets, or rewrite IP headers so as to divert the packets from their original path.
An attacker between an LMA and a MAG may further impersonate the MAG towards the LMA, and vice versa, in route update signaling. The attacker can interfere with route establishment even if it is not on the original control plane path between the LMA and the MAG. An attacker off the original data plane path may undertake the same to cause inbound data plane packets destined to the mobile node to be routed first from the LMA to the attacker, then to the mobile node's MAG, and finally to the mobile node itself. As explained in Section 2.1, whether the attacker can also influence the route of outgoing data plane packets sourced by the mobile node again depends on the specific data plane forwarding mechanism within the localized mobility management domain.
3.  Threats to Interface between MAG and Mobile Node
A MAG monitors the arrival and departure of mobile nodes to and from its local access link based on link- or IP-layer mechanisms. Whatever signaling on the access link is thereby decisive must be securely bound to the mobile node identity. A MAG uses this binding to ascribe the signaling to the mobile node and accordingly initiate route update signaling with an LMA. The binding must be robust to spoofing because it would otherwise facilitate impersonation of the mobile node by a third party, denial of service, or man-in-the-middle attacks.
3.1.  Mobile Node Compromise or Impersonation
An attacker that is able to forge the mobile node identity of a mobile node can trick a MAG into redirecting data plane packets for the mobile node to the attacker. The attacker can launch such an impersonation attack against a mobile node that resides on the same link as the attacker, or against a mobile node on a different link. If the attack is on-link, the redirection of packets from the mobile node to the attacker is internal to the MAG, and it involves no route update signaling between the MAG and an LMA. On-link attacks are possible in a regular IPv6 network [4] that does not use Secure Neighbor Discovery [5].
Off-link impersonation requires the attacker to fabricate handoff signaling of the mobile node and thus trick the MAG into believing that the mobile node has handed over onto the MAG's access link. The attack is conceivable both if the attacker and the mobile node are on separate links that connect to different MAGs, as well as if they are on separate, possibly virtual per-mobile-node links that connect to the same MAG. In the former case, two MAGs would think they see the mobile node and both would independently perform route update signaling with the LMA. In the latter case, route update signaling is likely to be performed only once, and the redirection of packets from the mobile node to the attacker is internal to the MAG. The mobile node can always recapture its traffic back from the attacker through another run of handoff signaling. But standard mobile nodes are generally not prepared to counteract this kind of attack, and even where network stacks include suitable functionality, the attack may not be noticeable early enough at the link or IP layer to quickly institute countermeasures. The attack is therefore disruptive at a minimum, and may potentially persist until the mobile node initiates signaling again upon a subsequent handoff.
Impersonation attacks can be prevented at the link layer, particularly with cellular technologies where the handoff signaling between the mobile node and the network must be authenticated and is completely controlled by the wireless link layer. Cellular access technologies provide a variety of cryptographic and non-cryptographic attack barriers at the link layer, which makes mounting an impersonation attack, both on-link and off-link, very difficult. However, for non-cellular technologies that do not require link-layer authentication and authorization during handoff, impersonation attacks may be possible.
An attacker that can forge handoff signaling may also cause denial of service against the localized mobility management domain. The attacker can trick a MAG into believing that a large number of mobile nodes have attached to the local access link and thus induce it to initiate route update signaling with an LMA for each mobile node assumed on link. The result of such an attack is both superfluous signaling overhead on the control plane as well as a high number of needless entries in the LMA's and MAG's routing tables. The unexpected growth of the routing tables may eventually cause the LMA to reject legitimate route update requests, and it may cause the MAG to ignore handoffs of legitimate mobile nodes onto its local access link. It may also decrease the LMA's and MAG's forwarding speed for inbound and outbound data plane packets due to higher route lookup latencies, and it may for the same reason slow down their responsiveness to control plane packets. An adverse side effect of this attack is that the LMA, and hence the localized mobility management domain as a whole, becomes more susceptible to flooding packets from external attackers (see Section 4). The high number of superfluous routes increases the probability that a flooding packet, sent to a random IP address within the localized mobility management domain, matches an existing routing table entry at the LMA and gets tunneled to a MAG, which in turn performs address resolution on the local access link. At the same time, fewer flooding packets can be dropped directly at the LMA on the basis of a nonexistent routing table entry.
A threat related to the ones identified above, but not limited to handoff signaling, is IP spoofing [6]. Attackers use IP spoofing mostly for reflection attacks or to hide their identities. The threat can be reasonably contained by a wide deployment of network ingress filtering [7] in routers, especially within access networks. This technique prevents IP spoofing to the extent that it ensures topological correctness of IP source address prefixes in to-be-forwarded packets. Where the technique is deployed in an access router, packets are forwarded only if the prefix of their IP source address is valid on the router's local access link. An attacker can still use a false interface identifier in combination with an on-link prefix. But since reflection attacks typically aim at off-link targets, and the enforcement of topologically correct IP address prefixes also limits the effectiveness of identity concealment, network ingress filtering has proven adequate so far. On the other hand, prefixes are not limited to a specific link in a localized mobility management domain, so merely ensuring topological correctness through ingress filtering becomes insufficient. An additional mechanism for IP address ownership verification is necessary to prevent an attacker from sending packets with an off-link IP source address.
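The paragraph above makes a precise claim that is easy to miss: BCP 38 ingress filtering [7] checks only that a source prefix is topologically valid on the receiving link, and in a localized mobility management domain the mobile nodes' prefix is valid on every access link at once, so the check passes a packet whose source address belongs to a mobile node attached elsewhere. The following example is added here and is not part of RFC 4832 or of any NETLMM implementation. It places the classic prefix check beside the additional ownership check the text calls for, where a MAG consults the binding between registered mobile node identities and their addresses on the local link. The domain prefix, link identifiers and the ownership table are constructed for illustration; how a real MAG populates that table from authenticated handoff signaling is an assumption, not something the document specifies.

```python
import ipaddress

# Constructed topology: the whole localized mobility management domain
# advertises one prefix that routes to the LMA, so that prefix is
# "valid" on every access link in the domain at the same time.
DOMAIN_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")

# Assumption: each MAG keeps a table of which addresses the mobile nodes
# currently attached on each of its links own, derived from the handoff
# signaling that is bound to the mobile node identity. Constructed here.
OWNERSHIP = {
    "link-A": {ipaddress.IPv6Address("2001:db8:1::a")},   # mn-A attached via MAG-A
    "link-B": {ipaddress.IPv6Address("2001:db8:1::b")},   # mn-B attached via MAG-B
}


def bcp38_ok(src, link_prefixes):
    """Classic network ingress filtering (BCP 38): forward the packet only
    if its source address carries a prefix that is valid on this link."""
    return any(src in p for p in link_prefixes)


def ownership_ok(src, link_id, ownership):
    """NETLMM-aware check: the source address must belong to a mobile node
    that the MAG currently has registered on the receiving link."""
    return src in ownership.get(link_id, set())


def filter_decision(src_text, link_id):
    """Return (BCP 38 verdict, ownership verdict) for a packet with source
    src_text received on link_id; True means the check would forward it."""
    src = ipaddress.IPv6Address(src_text)
    return (bcp38_ok(src, [DOMAIN_PREFIX]),
            ownership_ok(src, link_id, OWNERSHIP))


def demo():
    """Four constructed packets arriving at MAG-B's link."""
    return {
        # the mobile node that really is on link-B: both checks pass
        "legit mn-B on link-B": filter_decision("2001:db8:1::b", "link-B"),
        # mn-A's address used from link-B: BCP 38 passes, ownership fails
        "mn-A address used from link-B": filter_decision("2001:db8:1::a", "link-B"),
        # domain prefix with an unassigned interface identifier
        "unassigned domain address": filter_decision("2001:db8:1::ffff", "link-B"),
        # a prefix foreign to the domain: both checks fail
        "foreign prefix": filter_decision("2001:db8:ffff::1", "link-B"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} bcp38={verdict[0]!s:5s} ownership={verdict[1]}")
```

The second and third cases are the ones the paragraph is about: prefix-based filtering at MAG-B lets them through because the domain prefix is legitimately on-link there, and only the binding to a registered mobile node distinguishes an address that is in use on another link from one that is not in use at all. The ownership table is only as trustworthy as the handoff signaling that fills it, which is why Section 3 requires that signaling to be securely bound to the mobile node identity.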
3.2.  Man-in-the-Middle Attack
An attacker that can interpose between a mobile node and a MAG during link- and/or IP-layer handoff signaling may be able to mount a man-in-the-middle attack on the mobile node, spoofing the mobile node into believing that it has a legitimate connection with the localized mobility management domain. The attacker can thus intercept, inspect, modify, or drop data plane packets sourced by or destined to the mobile node.
4.  Threats from the Internet
A localized mobility management domain uses individual host routes for data plane traffic of different mobile nodes, each between an LMA and a MAG. Creation, maintenance, and deletion of these routes cause control traffic within the localized mobility management domain. These characteristics are transparent to mobile nodes as well as external correspondent nodes, but the functional differences within the domain may influence the impact that a denial-of-service attack from the outside world can have on the domain.
A denial-of-service attack on an LMA may be launched by sending packets to arbitrary IP addresses that are potentially in use by mobile nodes within the localized mobility management domain. Like a border router, the LMA is in a topological position through which a substantial amount of data plane traffic goes, so it must process the flooding packets and perform a routing table lookup for each of them. The LMA can discard packets for which the IP destination address is not registered in its routing table. But other packets must be encapsulated and forwarded. A target MAG as well as any mobile nodes attached to that MAG's local access link are also likely to suffer damage because the unrequested packets must be decapsulated and consume link bandwidth as well as processing capacities on the receivers. This threat is in principle the same as for denial of service on a regular IPv6 border router, but because the routing table lookups may enable the LMA to drop part of the flooding packets early on or, on the contrary, additional tunneling workload is required for packets that cannot be dropped, the impact of an attack against localized mobility management may be different.
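Sections 2.2 and 3.1 argue that superfluous routes registered by a subverted MAG or by forged handoff signaling make the LMA more exposed to the flooding described in this section, because a flooding packet is dropped only when no route matches. The example below, added here and not part of RFC 4832 or of any NETLMM implementation, makes that relationship concrete with a toy LMA routing table and a sweep of one packet to every address in a deliberately tiny constructed prefix, so that the fraction of packets the LMA must tunnel rather than drop can be counted exactly. It also shows a simple admission-control mitigation that the document does not specify and that is therefore an assumption: a per-MAG cap on the number of host routes the LMA will accept. The prefix 2001:db8:1::/120, the MAG names and the route counts are all constructed.

```python
import ipaddress


class Lma:
    """Minimal LMA routing table with an optional per-MAG registration quota.
    (Assumption: the quota is a local admission-control policy; RFC 4832
    describes the threat but does not specify this mitigation.)"""

    def __init__(self, per_mag_quota=None):
        self.quota = per_mag_quota
        self.routes = {}    # mobile node address -> serving MAG
        self.per_mag = {}   # MAG id -> number of routes it has registered

    def register(self, mag_id, mn_addr):
        """Install or refresh a host route; refuse once the MAG is over quota."""
        addr = ipaddress.IPv6Address(mn_addr)
        if self.routes.get(addr) == mag_id:
            return True                       # refresh of an existing route
        if self.quota is not None and self.per_mag.get(mag_id, 0) >= self.quota:
            return False                      # quota exhausted: reject
        old = self.routes.get(addr)
        if old is not None:
            self.per_mag[old] -= 1            # mobile node moved between MAGs
        self.routes[addr] = mag_id
        self.per_mag[mag_id] = self.per_mag.get(mag_id, 0) + 1
        return True

    def forward(self, dst):
        """Data plane: drop when no host route exists, otherwise the packet
        must be encapsulated and tunneled to the serving MAG."""
        mag = self.routes.get(ipaddress.IPv6Address(dst))
        return ("drop", None) if mag is None else ("tunnel", mag)


def flood_sweep(lma, prefix):
    """Send one packet to every address in `prefix` and count how many the
    LMA has to tunnel. Over a tiny prefix this equals the probability that a
    flooding packet to a random in-domain address matches a route."""
    net = ipaddress.IPv6Network(prefix)
    tunneled = sum(1 for a in net if lma.forward(str(a))[0] == "tunnel")
    return tunneled, net.num_addresses


def scenario(per_mag_quota):
    """One legitimate MAG with 4 mobile nodes and one subverted MAG that
    claims 64 non-existent ones. Returns
    (bogus routes accepted, packets tunneled, packets in sweep)."""
    prefix = "2001:db8:1::/120"               # constructed: 256 addresses
    lma = Lma(per_mag_quota)
    for i in range(4):
        lma.register("mag-good", f"2001:db8:1::{i:x}")
    bogus = [f"2001:db8:1::{0x40 + i:x}" for i in range(64)]
    accepted = sum(lma.register("mag-bad", a) for a in bogus)
    tunneled, total = flood_sweep(lma, prefix)
    return accepted, tunneled, total


if __name__ == "__main__":
    print("no quota      :", scenario(None))   # (64, 68, 256)
    print("quota 16 / MAG:", scenario(16))     # (16, 20, 256)
```

Without a quota, 68 of 256 sweep packets (the 4 real routes plus 64 bogus ones) must be tunneled and resolved on an access link; with a quota of 16 routes per MAG the subverted MAG's contribution falls to 16. A fixed quota is a blunt instrument, since a MAG with a genuinely busy link needs a higher limit than a small one, so in practice the threshold would be per-MAG and the rejections logged, because a MAG repeatedly hitting its cap is itself a useful detection signal.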
In a related attack, the attacker manages to obtain a globally routable IP address of an LMA or a different network entity within the localized mobility management domain and perpetrates a denial-of-service attack against that IP address. Localized mobility management is, in general, somewhat resistant to such an attack because mobile nodes need never obtain a globally routable IP address of any entity within the localized mobility management domain. Hence, a compromised mobile node cannot pass such an IP address off to a remote attacker, limiting the feasibility of extracting information on the topology of the localized mobility management domain. It is still possible for an attacker to perform IP address scanning if MAGs and LMAs have globally routable IP addresses, but the much larger IPv6 address space makes scanning considerably more time consuming.
5.  Security Considerations
This document describes threats to network-based localized mobility management. These may either occur on the interface between an LMA and a MAG, or on the interface between a MAG and a mobile node. Mitigation measures for the threats, as well as the security considerations associated with those measures, are described in the respective protocol specifications [3][8] for the two interfaces.
6.  Acknowledgments
The authors would like to thank the NETLMM working group, especially Jari Arkko, Charles Clancy, Gregory Daley, Vijay Devarapalli, Lakshminath Dondeti, Gerardo Giaretta, Wassim Haddad, Andy Huang, Dirk von Hugo, Julien Laganier, Henrik Levkowetz, Vidya Narayanan, Phil Roberts, and Pekka Savola (in alphabetical order) for valuable comments and suggestions regarding this document.
7.  References
7. References

[1] Kempf, J., Ed., "Problem Statement for Network-Based Localized Mobility Management", RFC 4830, April 2007.
[2] Manner, J. and M. Kojo, "Mobility Related Terminology", RFC 3753, June 2004.
[3] Levkowetz, H., Ed., "The NetLMM Protocol", Work in Progress, October 2006.
[4] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.
[5] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005.
[6] CERT Coordination Center, "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks", September 1996.
[7] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[8] Laganier, J., Narayanan, S., and F. Templin, "Network-based Localized Mobility Management Interface between Mobile Node and Access Router", Work in Progress, June 2006.
Authors' Addresses
Christian Vogt
Institute of Telematics
Universitaet Karlsruhe (TH)
P.O. Box 6980
76128 Karlsruhe
Germany
EMail: chvogt@tm.uka.de
James Kempf
DoCoMo USA Labs
3240 Hillview Avenue
Palo Alto, CA 94304
USA
EMail: kempf@docomolabs-usa.com
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.