论文信息 - Credit-Based Authorization for Concurrent IP-Address Tests

Credit-Based Authorization for Concurrent IP-Address Tests

Route optimization enables mobile nodes to directly communicate with one another. This is an important efficiency benefit of modern mobility protocols like Mobile IPv6 or the Host Identity Protocol. However, route optimization can introduce the possibility for a new type of amplified flooding attacks if designed without care: An attacker may misuse the protocol to trick its peer into redirecting a flow of packets to a false, i.e., a victim's, IP address. A precautionary counter-measure used by various mobility protocols is to first determine whether the right node is present at a new IP address before any data packets are sent to that address. The test can be as simple as a ping carrying some unguessable, to-be-returned piece of data. Yet, an unfortunate side effect of this common approach is that it increases handover latency by one round-trip time, precluding interactive or real-time applications in many scenarios. This paper proposes a credit-based strategy that allows peers to continue communications while a new IP address is being examined. The optimization is exemplarily applied to Mobile IPv6 and the Host Identity Protocol, for which it reduces handover-signaling delays by 50%.

Christian Vogt

[1] Christian Vogt,et al. Early binding updates for mobile IPv6 , 2005, IEEE Wireless Communications and Networking Conference, 2005.

[2] Pekka Nikander,et al. Mobile IP Version 6 Route Optimization Security Design Background , 2005, RFC.

[3] Charles E. Perkins,et al. Mobility support in IPv6 , 1996, MobiCom '96.

[4] Jari Arkko,et al. Credit-Based Authorization for Mobile IPv6 Early Binding Updates , 2005 .

[5] Pekka Nikander,et al. Host Identity Protocol (HIP) Architecture , 2006, RFC.

[6] Vern Paxson,et al. An analysis of using reflectors for distributed denial-of-service attacks , 2001, CCRV.

[7] Michael Roe,et al. Authentication of Mobile IPv6 Binding Updates and Acknowledgments , 2002 .

[8] Michael Roe,et al. Security of Internet location management , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[9] David B. Johnson. Ietf Mobile Ip Working Group , 1998 .

[10] Pekka Nikander,et al. End-Host Mobility and Multi-Homing with Host Identity Protocol , 2004 .

[11] Paul Ferguson,et al. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[12] Wassim Haddad. Applying Cryptographically Generated Addresses to Optimize MIPv6 (CGA-OMIPv6) , 2005 .