
Integrated Solution Scheme with One-Time Key Diameter Message Authentication Framework for Proxy Mobile IPv6

Md. Mahedi Hassan, Poo Kuan Hoong
Faculty of Information Technology,
Multimedia University,
63100, Cyberjaya, Malaysia
{md.mahedihassan08, khpoo}@mmu.edu.my
Abstract. Proxy Mobile IPv6 (PMIPv6) is an effective mobility
management protocol for next generation wireless networks which improves
ubiquitous network access. However, PMIPv6 still suffers from lengthy
handover latency and packet loss during handover when the Mobile Host
moves to a new network. In order to improve the performance of PMIPv6,
we proposed an integrated solution scheme with Media Independent
Handover (MIH) and IPv6 neighbor discovery messages to reduce
handover latency and packet loss. The proposed protocol has no
method to prevent security threats such as replay attack and key
exposure when a mobile host first enters the PMIPv6 domain. In order to
address this problem, we propose a one-time key with Diameter message
authentication framework, which is based on the one-time key generation
authentication protocol. The proposed framework is expected to
enhance security as well as reduce authentication latency.
Keywords: Proxy Mobile IPv6, authentication method, security analysis
1 Introduction
The Proxy Mobile IPv6 (PMIPv6) is designed to provide an effective
network-based mobility management protocol for next generation wireless
networks that supports a Mobile Host (MH) within a topological domain [1] [2].
PMIPv6 extends MIPv6 signaling messages and reuses the functionality of the
Home Agent (HA) to support mobility for the MH without host involvement. In the
network, mobility entities are introduced to track the movement of the MH,
initiate mobility signaling on behalf of the MH and set up the required routing
state. The core functional entities in PMIPv6 are the Mobile Access Gateway
(MAG) and the Local Mobility Anchor (LMA). The main role of the MAG is to
detect MH movement and initiate mobility-related signaling with the MH's LMA on
behalf of the MH. In addition, the MAG establishes a tunnel with the LMA for
forwarding the data packets destined to the MH and emulates the MH's home
network on the access network for each MH. The main role of the LMA is to
manage the location of an MH while it moves around within a PMIPv6 domain; it
also keeps a binding cache entry for each currently registered MH and allocates
a Home Network Prefix (HNP) to the MH.
With regard to authentication, when the MH first enters the PMIPv6 domain,
it sends a Router Solicitation (RS) message to the MAG. When the MAG in the
access network receives the request from the MH, the access authentication and
authorization procedures are performed using the MH's identity before providing
PMIPv6 services. When access is authenticated or a network attachment event is
notified, the MAG obtains the MH profile, which contains the MH-Identifier, and
uses it to access the MH's policy server (e.g. authentication, authorization
and accounting [AAA] server), obtain the supported address configuration mode
and retrieve the address of the LMA that serves as the MH's HA. After
successful access authentication, the MAG configures a proxy care-of-address
(PCoA) for the MH and sends a proxy binding update (PBU) message including the
MH-Identifier to the MH's LMA on behalf of the MH. In return, the LMA updates
its binding cache entry (BCE) for that MH and checks the policy store to ensure
that the sender is authorized to send the PBU message. If the sender is a
trusted MAG, the LMA accepts the PBU message and replies with a Proxy Binding
Acknowledgment (PBA) that contains the MH's home network prefix assigned by the
LMA. Upon receiving the PBA, the MAG establishes a bidirectional tunnel between
its proxy CoA (PCoA) and the LMA address. Then, the MAG periodically sends
Router Advertisement (RA) messages to the MH on the access link, advertising
the MH's home network prefix as the hosted on-link prefix. In a nutshell, in
order to reduce the handover latency and packet loss, our proposed integrated
solution architecture of PMIPv6-MIH is shown in Fig. 1.
Fig.1: Integrated solution architecture of PMIPv6-MIH
Our proposed integrated solution includes Media Independent Handover
(MIH) and Neighbor Discovery (ND) messages. The key functionality is provided
by MIH, which handles communication among the various wireless layers and the
IP layer. The IEEE 802.21 working group introduces a Media Independent
Handover Function (MIHF) that is located in the protocol stack between the
lower layer wireless access technologies and IP at the upper layer. It also
provides services to layer 3 and layer 2 through well defined Service Access
Points (SAPs) [3].
Neighbor Discovery (ND) is a set of ICMPv6 messages and processes that
determine the relationship between neighboring nodes. By sending network
information to the neighbor MAG before handover, it helps to eliminate the need
for the MAG to acquire the MH-profile from the policy server/AAA whenever an MH
performs handover between two Access Points (AP). It also avoids the loss of
on-the-fly packets that are routed between the LMA and the previous MAG. This
network information could include the MH-profile, which contains the
MH-Identifier, MH home network prefix, LMA address (LMAA), MIH handover
messages etc. The ND module is used to provide layer 3 movement detection. In
the network, the AP sends RA messages periodically to inform the MH about the
network prefix. The prefix is the address of the AP. The MH receives these RA
messages; if an RA message contains a new prefix, the interface manager is
informed and the MH determines where the ND agent is located. A timer is
associated with the lifetime of the prefix. The prefix expires and a
notification is sent to the interface manager when the MH loses its connection
with the AP. The implementation of the ND Agent is based on the ND for IPv6
specification provided by RFC 2461 [4].
The objective of this paper is to propose an integrated scheme with one-time
key Diameter Message authentication framework that is able to reduce
authentication latency as well as prevent security threats such as replay attack and
key exposure for PMIPv6-MIH. The rest of this paper is organized as follows:
Section 2 presents related works, while Section 3 briefly explains the proposed
authentication method for PMIPv6-MIH. Section 4 conducts security and
performance analysis of the proposed authentication method. Finally, Section 5
concludes the paper and outlines future work.
2 Related Works
To establish, update and tear down routes for mobility signaling messages of an
MH, PMIPv6 is executed on the interface between a MAG and an LMA. However,
there are many security threats to PMIPv6, including man-in-the-middle attacks
that intercept, flaw, modify or drop such traffic, denial-of-service attacks on
high-profile web servers such as banks, credit card payment gateways and even
root name servers, and redirection of traffic to a destination in collusion
with the attacker through compromise or impersonation of a legitimate MAG or a
legitimate LMA [5]. A compromised MH can also attack the PMIPv6 system. Through
inspection, an attacker can capture authentication data for the MH, and a
spoofing attack can also be mounted against the MH's home network.
The current authentication problems on PMIPv6 can be summarized as follows:
- There is no way to authenticate the legality of a MH
- Compromise or impersonation of a legitimate MAG or a legitimate LMA
- Compromise or impersonation of a legitimate MH
In order to solve these problems, two authentication protocols are commonly
used to securely authenticate the MH, i.e. One Time Password and One Time Key
Generation. One Time Key Generation is one part of One Time Password (OTP)
because it uses a time-synchronization type OTP function to generate a key.
Using the key, the MH can authenticate when it first enters a PMIPv6 domain.
When the MH moves from one network to another within the same domain, it uses
that key to access the new network.
2.1 One Time Password
An attacker can easily capture, steal or attempt to crack traditional or static
passwords. To overcome these problems, the Network Working Group developed the
One-Time Password (OTP) system, in which a password is valid for only one login
session. Based on some specific values, OTP generates a temporary password that
can be used only one time [6].
There are three approaches to generating a password in an OTP system. First
approach: using a mathematical algorithm, OTP generates a new password based on
the previous password. Second approach: OTP generates the password based on
time-synchronization between the authentication server and the client. In this
algorithm, the password is valid for only a short period of time. Third
approach: using a mathematical algorithm, the new password is based on a
challenge that is chosen by the authentication server or by the client.
2.2 One-time Key Generation
The One-time key Generation protocol was proposed by Song et al. [7][10]. It
introduced two terms, local-LMA and home-LMA. This authentication protocol
generates a One-time key from a Timestamp, Device ID and Key and some special
functions, as shown in Fig. 2.
Fig.2: One-time Key Generation
In their proposed protocol, delivering the authentication message from the MH
to the home-LMA takes extra time because a pseudo-Timestamp is used first: the
Timestamp value cannot be transmitted with the authentication request message
for security reasons, and there is no more space for a Timestamp in the
MH-Identifier. As a result, the MH and home-LMA cannot generate the One-time
Key at the same time. To overcome this problem, the MH and home-LMA use a
pseudo-Timestamp that does not match the exact current timestamp. The
pseudo-Timestamp is obtained from a simple modulo operation.
[Fig. 2 diagram labels: Device ID, Device Key, Pseudo-timestamp; One-time key generating function; One-time key]
3 Proposed Authentication Method for Proxy Mobile IPv6
The One-time Key authentication protocol has no method to prevent replay
attack and key exposure, and it is also time consuming. In order to address
these problems, we propose an alternative solution using One-time key
Generation with Diameter message to prevent security threats like replay attack
and key exposure. To prevent replay attack and key exposure, we use the
Diameter message [8] to communicate with the backend AAA/Policy server for
applications such as network access or IP mobility. A Diameter message consists
of a Diameter Header followed by a number of Diameter attribute value pairs
(AVPs). The Diameter Header comprises binary data and is similar to an IP
header [9]. AVPs contain AAA information elements as well as routing, security
and configuration information elements which are relevant to the particular
Diameter request or answer message. Each AVP contains an AVP header and some
AVP-specific data. The Diameter message is also intended to work in both local
and roaming AAA situations. We also introduce the term LMA/HA in the
configuration of our proposed modified PMIPv6 to reduce the authentication
time, as depicted in Fig. 3.
Fig.3: Proposed Authentication Protocol of PMIPv6-MIH
An MH is identified by its globally unique network access identifier (NAI).
When an MH first enters the PMIPv6 domain, the MH initiates the One-time
key generation authentication procedure with the AAA server by sending the
Mobile Host-Identifier.
3.1 Mobile Host-Identifier (MH-Identifier)
Song et al. specified the format of the MH-Identifier using a One-time
key [7] [10]. In our proposed protocol, we introduce a similar format for the
MH-Identifier but using a Diameter message. The MH-Identifier with Diameter
Message format is shown in Fig. 4:
Fig.4: MH-Identifier with Diameter Message
3.1.1 MH-HNP (48bit)
Mobile Host-Home Network Prefix (MH-HNP) represents the home network
prefix of the MH. It also introduces a per-MH prefix model in which every MH is
assigned a unique address. The LMA/HA can find the AAA/Policy server with this
field. After finding the AAA/Policy server, the LMA/HA sends the PBU message to
the AAA/Policy server.
3.1.2 Device ID (48bit)
Typically, the Device ID is the MAC address of an interface or a special ID
provided by the service provider. It is used to distinguish each MH and to
properly generate the next field, the One-time Key field.
3.1.3 One-time Key (32bit)
The One-time Key is the verification field for the MH. It is a code generated
by a specific random function which is installed on both the MH and the
AAA/Policy server. Generally, researchers use a time-synchronized type OTP
function. Two inputs are used to generate this key: one is the Device ID and
the other is the current timestamp. The OTP function has to regenerate the
One-time Key every few seconds, because the setup sequence is completed in a
few hundred milliseconds. This is one of the main features of this protocol.
With this One-time Key, the MH can authenticate with a simple one-way message
from the MH to the AAA/Policy server, and man-in-the-middle attack is also
prevented because of the short validity period of the One-time key.
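The 128-bit MH-Identifier layout of Sections 3.1.1 to 3.1.3 and the time-synchronized check on the AAA/Policy server side can be illustrated as follows. This is an added example, not code from the paper: the field order, the 5-second step, the one-step skew tolerance, truncated HMAC-SHA1 as the key function and the used-key cache are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 5   # assumed: the key is regenerated every 5 s ("every few seconds")
SKEW = 1   # assumed: accept one step either side for clock drift and transit


def pseudo_timestamp(t: int) -> int:
    """Round the clock down to the current step with a modulo operation."""
    return t - (t % STEP)


def one_time_key(device_id: bytes, device_key: bytes, pseudo_ts: int) -> bytes:
    """32-bit One-time Key; truncated HMAC-SHA1 is an assumed stand-in function."""
    msg = device_id + struct.pack(">q", pseudo_ts)
    return hmac.new(device_key, msg, hashlib.sha1).digest()[:4]


def pack_mh_identifier(hnp: bytes, device_id: bytes, otk: bytes) -> bytes:
    """MH-HNP (48 bit) | Device ID (48 bit) | One-time Key (32 bit), assumed order."""
    if (len(hnp), len(device_id), len(otk)) != (6, 6, 4):
        raise ValueError("field widths must be 48/48/32 bits")
    return hnp + device_id + otk


def parse_mh_identifier(blob: bytes):
    """Split a 16-byte MH-Identifier back into its three fields."""
    if len(blob) != 16:
        raise ValueError("MH-Identifier must be 128 bits")
    return blob[:6], blob[6:12], blob[12:]


class AaaPolicyServer:
    """Verifier side: subscriber lookup, key recomputation, single-use check."""

    def __init__(self, subscribers):
        self.subscribers = subscribers   # Device ID -> Device Key
        self.used = set()                # (Device ID, pseudo-timestamp) accepted

    def verify(self, blob: bytes, now: int) -> str:
        try:
            _hnp, device_id, otk = parse_mh_identifier(blob)
        except ValueError:
            return "malformed"
        device_key = self.subscribers.get(device_id)
        if device_key is None:
            return "unknown-device"
        base = pseudo_timestamp(now)
        for k in range(-SKEW, SKEW + 1):
            ts = base + k * STEP
            expected = one_time_key(device_id, device_key, ts)
            if hmac.compare_digest(otk, expected):   # constant-time compare
                if (device_id, ts) in self.used:
                    return "replay"                  # same key presented twice
                self.used.add((device_id, ts))
                return "ok"
        return "expired-or-wrong-key"


def demo():
    """Constructed sample: one fresh attach, one replay, one late replay."""
    dev, key = bytes.fromhex("02005e005301"), b"constructed-device-key"
    hnp = bytes.fromhex("20010db80001")
    server = AaaPolicyServer({dev: key})
    blob = pack_mh_identifier(hnp, dev, one_time_key(dev, key, pseudo_timestamp(1003)))
    return [server.verify(blob, 1004), server.verify(blob, 1006),
            server.verify(blob, 1060)]


if __name__ == "__main__":
    print(demo())
```

A captured MH-Identifier replayed inside the acceptance window is rejected by the used-key cache, and one replayed later no longer matches any key in the window.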
3.4 Interfacing between MH and MAG
The MAG invokes the MH_ATTACH function when the MH attaches to the
MAG [11]. This function has a sub-function called MAG_GET_MH_ID.
With this sub-function, the MAG can get the MH-Identifier. During the MH
attachment, the MAG invokes the MIH_Link_up function.
3.5 Interfacing between MAG and LMA/HA
The MAG, LMA/HA and AAA/Policy server must have a shared-key security
association in order to communicate securely with each other, because of the
security threats described in [5]. In theory, there are many more MAGs than
LMAs, and the number of MAGs grows as PMIPv6 deployment proceeds. Thus, one
PMIPv6 domain has one or several LMAs, and one or several MAGs share one LMA.
As mentioned earlier, the One Time Key generation protocol has two limitations:
(1) it cannot prevent security threats like replay attack and key exposure and
(2) it is also time consuming for authentication. In our proposed protocol, we
introduce the term LMA/HA, which means that the home-LMA and local-LMA are one
LMA. The LMA is also similar to the HA. The LMA/HA is under the same operator's
network as the MAG to which the MH is attached, and also under the home network
of the MH. The MAG builds up a PBU message with the MH-Identifier mobility
option for the MH and sends it to the LMA/HA when the MH attaches to the MAG.
The MAG sends an RA message to the MH with data from the PBA if it receives a
positive reply from the LMA/HA.
3.6 Interfacing between LMA/HA and AAA/Policy server
When the LMA/HA receives the PBU from the MAG, it extracts the home network
prefix (HNP) from the PBU message and sends a Diameter Authentication Request
Message to the AAA/Policy Server. Using Public Key Infrastructure such as X.509
[12], the LMA/HA can authenticate with the AAA/Policy Server. The MH-AAA
authentication mobility option is used to authenticate the PBU message between
the MH and the AAA/Policy Server. To verify the PMIPv6 protocol messages, the
mobility message replay protection option is generated so that these messages
cannot be replayed by an attacker from some previous message. To compute a
session key between the MAG and the LMA/HA, the key generation nonce request
option in the PBU is constructed to request a nonce, and that nonce can be
stored in the key generation nonce reply option of the PBA. The IPv6 home
address request option and the IPv6 assigned home address option are designed
to request the Home Address (HoA) of the MH.
3.7 Sequences of Authentication Protocol
The sequence of our proposed PMIPv6-MIH authentication protocol is shown in
Fig. 5:
Fig.5: PMIPv6-MIH Authentication Procedure
The sequences of our proposed PMIPv6-MIH authentication signaling are
summarized as follows:
Step A:
The MH_ATTACH function has a sub-function, MAG_GET_MH_ID, with which
the MAG can get the MH-Identifier. When the MAG receives the MIH_Link_up
trigger from the link layer to the IP layer in the MH, the MH sends an
authentication request (AuthReq) message that contains the NAI, the identity of
the MAG and a replay protection indicator (RPI), which are used by the
AAA/Policy Server to identify the MH and to protect against replay attack. Then
a key between the MAG and the AAA/Policy server, called MAG-AAA-KEY, is
computed when the MAG receives the AuthReq message. After authentication, the
MAG-AAA-KEY is sent to the MAG. In addition, the MH sends an RS message to the
MAG to request its home address (HoA). The MAG acquires a PCoA in its PMIPv6
domain. The MAG builds up a PBU message with the MH-Identifier mobility option
for the MH. Authentication data is computed using the MAG-AAA-KEY and is put
into the MH-Identifier mobility option of the PBU.
Auth1 = HMAC-SHA1 (MAG-AAA-KEY,
        PCoA || LMAA || PBU || “MAG-AAA-PMIPv6”)   (1)
where HMAC-SHA1 (Hash-based Message Authentication Code with Secure Hash
Algorithm 1), written HMAC-SHA1(K,m) [13], is a keyed hash function computed on
message m with key K.
After that, the MAG sends this PBU to the LMA/HA.
Step B:
Upon receiving the PBU message, the LMA/HA constructs a Diameter
authentication request message which includes the following attribute value
pairs (AVPs):
1. PMIPv6-Home-LMA-IPv6-Address
2. MH-Identifier
3. PMIPv6-MAG-Address
4. PMIPv6 Timestamp
5. PMIP Nonce=0
6. MIH Handover Indicator
7. Replay Protection Indicator
8. Access Technology Type
The LMA/HA transmits the Diameter PMIP authentication request message
to the AAA server.
Step C:
Upon receiving the Diameter message, the AAA/Policy server acquires the
MH-Identifier and the AVPs. It looks up the database of stored user identities
to identify the requested MH. It also searches the database to check whether
the Device ID is in the subscriber list. After that, the AAA generates the
MH-ONE-TIME-KEY from the Device ID and timestamp and verifies whether the
timestamp is in the correct range to prevent replay attack. After checking the
MH-Identifier data in the AAA/Policy server, the AAA can authenticate the MH
and verify that the PBU is correct. If all information is valid, the AAA
generates a key generation nonce and computes a session key shared between the
LMA/HA and the MAG.
PMIP-MAG-LMA-KEY = HMAC-SHA1 (MAG-AAA-KEY,
                   PCoA || LMAA || PMIP Nonce)   (2)
The AAA/Policy server will construct a Diameter authentication answer
message which includes many AVPs as follows:
1. PMIPv6-Home-IPv6-HoA
2. PMIP-MAG-LMA-KEY
3. PMIP-MAG-LMA-KEY Lifetime
4. E (MAG-AAA-KEY, MH-ONE-TIME-KEY, PMIP Nonce)
The AAA/Policy server returns the result to the LMA/HA in the Diameter
answer message. The key generation nonce is encrypted with the MAG-AAA-KEY.
Step D:
Upon receiving the Diameter answer message, the LMA/HA computes
the Mobility Message Authentication option of the PBA.
Auth2 = HMAC-SHA1 (PMIP-MAG-LMA-KEY,
        IPv6 HoA || PBA || “LMA-MAG-PMIPv6”)   (3)
After that, the LMA/HA sends this PBA message to the MAG.
Step E:
The MAG receives this PBA message. The MAG decrypts the nonce and calculates
the PMIP-MAG-LMA-KEY. The MAG uses this key to verify the correctness of the
authentication data. If it is valid, the MAG can authenticate the PBA.
The MAG sends a Router Advertisement message with the encrypted
MH-ONE-TIME-KEY, including the IPv6 HoA, to the MH.
Step F:
The MH decrypts the MH-ONE-TIME-KEY, authenticates, and configures its
IP address using the received IPv6 HoA.
Therefore, our proposed protocol prevents security threats like replay attack
and key exposure while performing MH authentication and the binding update
procedure at the same time, which will be able to reduce authentication latency.
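The keyed-hash computations of Eqs. (1) to (3) across Steps A to E can be traced in code as follows. This is an added example, not part of the original paper: it assumes that || is plain byte concatenation of fixed-length fields, that the MAG has already decrypted the nonce (the cipher E is not specified in the text), and it uses constructed addresses, keys and message bodies.

```python
import hashlib
import hmac
import ipaddress
import os

LABEL_MAG_AAA = b"MAG-AAA-PMIPv6"   # literal string from Eq. (1)
LABEL_LMA_MAG = b"LMA-MAG-PMIPv6"   # literal string from Eq. (3)


def hmac_sha1(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA1(K, m) with m = parts joined by plain concatenation (||)."""
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


def addr(text: str) -> bytes:
    """IPv6 address in its fixed 16-byte form, so || stays unambiguous."""
    return ipaddress.IPv6Address(text).packed


def auth1(mag_aaa_key, pcoa, lmaa, pbu):
    """Eq. (1): authentication data the MAG places in the PBU."""
    return hmac_sha1(mag_aaa_key, pcoa, lmaa, pbu, LABEL_MAG_AAA)


def mag_lma_key(mag_aaa_key, pcoa, lmaa, nonce):
    """Eq. (2): session key PMIP-MAG-LMA-KEY."""
    return hmac_sha1(mag_aaa_key, pcoa, lmaa, nonce)


def auth2(session_key, hoa, pba):
    """Eq. (3): authentication data the LMA/HA places in the PBA."""
    return hmac_sha1(session_key, hoa, pba, LABEL_LMA_MAG)


def aaa_handle_request(mag_aaa_key, pcoa, lmaa, pbu, tag):
    """Step C: check Auth1, then issue a fresh nonce and the session key."""
    if not hmac.compare_digest(tag, auth1(mag_aaa_key, pcoa, lmaa, pbu)):
        return None
    nonce = os.urandom(16)
    return nonce, mag_lma_key(mag_aaa_key, pcoa, lmaa, nonce)


def mag_verify_pba(mag_aaa_key, pcoa, lmaa, nonce, hoa, pba, tag):
    """Step E: the MAG re-derives the session key and checks Auth2."""
    key = mag_lma_key(mag_aaa_key, pcoa, lmaa, nonce)
    return hmac.compare_digest(tag, auth2(key, hoa, pba))


def run_exchange():
    """Steps A to E on constructed values; returns each verifier's decision."""
    k = os.urandom(20)                                   # MAG-AAA-KEY
    pcoa, lmaa = addr("2001:db8:a::1"), addr("2001:db8:b::1")
    hoa = addr("2001:db8:c::10")
    pbu, pba = b"PBU|constructed sample", b"PBA|constructed sample"

    tag1 = auth1(k, pcoa, lmaa, pbu)                               # Step A
    nonce, session = aaa_handle_request(k, pcoa, lmaa, pbu, tag1)  # Steps B, C
    tag2 = auth2(session, hoa, pba)                                # Step D
    return {
        "pba_accepted": mag_verify_pba(k, pcoa, lmaa, nonce, hoa, pba, tag2),
        "altered_pba_accepted":
            mag_verify_pba(k, pcoa, lmaa, nonce, hoa, pba + b"!", tag2),
        "altered_pbu_accepted":
            aaa_handle_request(k, pcoa, lmaa, pbu + b"!", tag1) is not None,
        "other_mag_accepted":
            mag_verify_pba(os.urandom(20), pcoa, lmaa, nonce, hoa, pba, tag2),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Only a holder of MAG-AAA-KEY can turn the nonce into PMIP-MAG-LMA-KEY, so a MAG with a different key cannot validate the PBA, and any change to the PBU or PBA body invalidates its tag.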
4 Security and Performance Analysis
In a PMIPv6 domain, the One-time Key authentication protocol (OK-AP) can be
used for authenticating the MH. However, this authentication protocol cannot
prevent replay attack and key exposure. Therefore, there is a need for an
alternative authentication method for PMIPv6-MIH that can protect against
replay attack and key exposure.
4.1 Key Exposure
MAG-AAA-KEY is a shared-key association between a MAG and an
AAA/Policy server. The AAA/Policy server generates a key generation nonce and
computes a session key between the LMA/HA and the MAG called PMIP-MAG-LMA-KEY.
It also generates the MH-ONE-TIME-KEY from the Device ID and timestamp to
legitimately authenticate the MH. Thus, it is desirable not to leak these keys
to the other network entities. The AAA/Policy server constructs a Diameter PMIP
authentication reply message with the encrypted element (MAG-AAA-KEY,
MH-ONE-TIME-KEY and PMIP nonce) and sends it to the LMA/HA and the MH
respectively. The key generation nonce value encrypted with the MAG-AAA-KEY can
be decrypted by the MAG, which also calculates the PMIP-MAG-LMA-KEY, while the
other value, encrypted with the MH-ONE-TIME-KEY, is decrypted by the MH.
Therefore, MAG-AAA-KEY and MH-ONE-TIME-KEY are not exposed to entities other
than the MAG and the MH. With this measure, our proposed protocol is less
vulnerable to key exposure.
4.2 Replay Attack
Replay attack involves the passive capture of data and its subsequent
retransmission to produce an unauthorized effect. A malicious node keeps an
AuthReq message to make a false report as a normal node and can then retransmit
the old AuthReq message to trick the AAA/Policy server into a false
authentication. In our proposed protocol, this replay attack can be prevented
as follows: when the MH attaches to the MAG, a local challenge is created,
which is a random number for the authentication procedure, and hence it always
changes. Therefore, the malicious node cannot replay the old AuthReq message.
Even when the same local challenge happens to be selected by the MAG by chance,
the RPI can prevent the replay attack.
Table 1 shows the comparison between OK-AP and our proposed
protocol, OK-AP with Diameter message, on some security factors.
PMIPv6 Authentication Protocol    OK-AP
Auth MH (at home)                 YES
Auth MH (at foreign)              YES
Auth LMA/HA                       YES
Auth MAG                          Possible
One-way Auth                      YES
Sniffing-proof                    YES
TABLE 1: Comparison Analysis of Our Proposed Protocol with OK-AP.
5 Conclusion
With the proposed authentication method, we are able not only to reduce
authentication latency but also to prevent security threats like replay attack
and key exposure when the MH first enters the PMIPv6 domain. For our future
work, we will improve and implement our proposed authentication method in a
network simulation environment, conduct a more comprehensive security
analysis and compare it with other new authentication mechanisms in the
PMIPv6 domain.
References
1. Kong, K., Lee, L., Han, Y., Shin, M., You, H.: Mobility management for all-IP mobile
networks: mobile IPv6 vs. proxy mobile IPv6. In: Proceedings of the International
Conference on Wireless Communications, pp. 36-45. (April 2008)
2. Lee, H., Han, Y., Min, S.: Network Mobility Support Scheme on PMIPv6 Networks.
International Journal of Computer Networks & Communications (IJCNC). Vol.2, no.5,
(September 2010)
3. Taniuchi, K., Ohba, Y., Fajardo, V.: IEEE 802.21: Media independent handover: features,
applicability, and realization. In: Proceedings of IEEE Communications Magazine. Vol.
47, Issue: 1, pp. 112-120. (January 2009)
4. Narten, T., Nordmark, E. and Simpson, W.: Neighbor Discovery for IP Version 6 (IPv6).
http://www.ietf.org/rfc/rfc2461.txt, (December 1998)
5. Vogt, C., Kempf, J.: Security Threats to Network-Based Localized Mobility Management
(NETLMM). IETF RFC4832, (April 2007)
6. Haller, N., Mets, C., Nesser, P., Straw, M.: A One-Time Password System. IETF
RFC2289, (February 1998)
7. Song, J., Han, S.: One-time Key Authentication Protocol for PMIPv6. In: Proceedings of
ICCIT 2008. Vol. 2, pp. 1150-1153. (November 2008)
8. Korhonen, J., Bournelle, J., Muhanna, A., Chowdhury, K., Meyer, U.: Diameter proxy
mobile ipv6: mobile access gateway and local mobility anchor to diameter server
interaction. draft-korhonendime-pmip6-03.txt, Siemens AG, Cisco Systems, (February
2008)
9. Le, F., Patil, B., Perkins, C. E., Faccin, S.: Diameter Mobile IPv6 Application. draft-le-
aaa-diameter-mobileipv6-04, (November 2004)
10. Song, J., Han, S.: Mobile Node Authentication Protocol for Proxy Mobile. International
Journal of Computer Science and Applications. Vol.6, No.3, pp 10-19. (2009)
11. Laganier, J., Narayanan, S., McCann, P.: Interface between a Proxy MIPv6 Mobility
Access Gateway and a Mobile Node. IETF netlmm WG Draft, (February 13, 2008)
12. Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., Nicholas, R.: Internet X.509 Public
Key Infrastructure: Certification Path Building. IETF RFC4158, (September 2005)
13. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message
Authentication. RFC 2104, (February 1997)