““Secure” migration to host Secure” migration to host identity based networksidentity based networks

Kristian SlavovKristian Slavov, Patrik Salmela, Patrik Salmela

Ericsson Research, NomadicLabEricsson Research, NomadicLab

NordicHIP 9.10.2007NordicHIP 9.10.2007

AssumptionsAssumptions

Host Identity based networkHost Identity based network Hosts in the network utilise host identity binding Hosts in the network utilise host identity binding

protocols for communicationsprotocols for communications HIP, NodeIDHIP, NodeID

Legacy hostLegacy host Doesn’t support used communication protocolsDoesn’t support used communication protocols Cannot address all hosts due to complex global Cannot address all hosts due to complex global

network network Need to authenticates to the networkNeed to authenticates to the network

ProblemsProblems

Legacy hostLegacy host How to connect to a host not necessarily How to connect to a host not necessarily

reachable via legacy techniques?reachable via legacy techniques?

Peer hostPeer host How to identify and authenticate the client?How to identify and authenticate the client?

What is required? What is required? Security features, network protocol agility, Security features, network protocol agility,

name resolutionname resolution

HIP ProxyHIP Proxy

Basically a simple proxyBasically a simple proxy Store-(modify)-forwardStore-(modify)-forward Can do name resolution for the client hostCan do name resolution for the client host

Additional featuresAdditional features Can create HIP connections on behalf of the Can create HIP connections on behalf of the

legacy hostlegacy hostCreates temporary host identities for legacy hostsCreates temporary host identities for legacy hosts

Enables a mobile sub-networkEnables a mobile sub-network

Legacy Authentication ServiceLegacy Authentication Service

Understands legacy authentication Understands legacy authentication proceduresprocedures SIM, HTTP-Digest, etc.SIM, HTTP-Digest, etc.

Stores (host) identities for subscribed Stores (host) identities for subscribed usersusers AuC, AAA, etc.AuC, AAA, etc.

Issues binding certificates for temporary Issues binding certificates for temporary and permanent (host) identities.and permanent (host) identities.

λ*

ββ*

LAS

HIP Proxy

Legacy host performs network attachment.

HIP Proxy generates temporary identity for the legacy proxy.

α*

λ*

ββ*

LAS

HIP Proxy

Legacy host authenticates itself to the network.

A HIP connection is established between HIP proxy and the authentication server.

α*

λ*

ββ*

LAS

HIP Proxy

As a result LAS creates identity binding certificate for the HIP proxy.

α*α

β

λ*

ββ*

LAS

HIP Proxy

Traffic sent by the legacy host is intercepted at the HIP proxy.

New HIP association is created using identity certificate provided by the LAS.

α*α

β

RecapRecap

HIP Proxy creates temporary host identity to a HIP Proxy creates temporary host identity to a legacy hostlegacy host

Legacy host authenticates to LASLegacy host authenticates to LAS

LAS negotiates with HIP Proxy and issues a LAS negotiates with HIP Proxy and issues a certificate binding temporary identity and certificate binding temporary identity and permanent identity together.permanent identity together.

Legacy host initiates connection to a peer hostLegacy host initiates connection to a peer host

HIP Proxy intercepts, runs connection HIP Proxy intercepts, runs connection establishment protocol with the peer host using establishment protocol with the peer host using identity certificateidentity certificate

Traffic flows between legacy host and peer hostTraffic flows between legacy host and peer host

WeaknessesWeaknesses

Network access divided into two parts with Network access divided into two parts with different (security) propertiesdifferent (security) properties access network (i.e. legacy host to HIP proxy)access network (i.e. legacy host to HIP proxy) core network (i.e. HIP proxy to peer host)core network (i.e. HIP proxy to peer host)

Access network is insecureAccess network is insecure Security depends on the legacy hostSecurity depends on the legacy host Identification in the access networkIdentification in the access network

Security problemsSecurity problems

HIP proxyHIP proxy Uses legacy host’s identity to do bad thingsUses legacy host’s identity to do bad things

Target for hacking attacksTarget for hacking attacks Operators may certify HIP proxiesOperators may certify HIP proxies

LAS configured to issue identity binding certificates only to trusted LAS configured to issue identity binding certificates only to trusted HIP proxiesHIP proxies

Certificate revocationCertificate revocation LifetimesLifetimes The peer host must explicitly check from the CAThe peer host must explicitly check from the CA

The peer host could subscribe for revocation info at the LAS of the The peer host could subscribe for revocation info at the LAS of the certificatecertificate

Name resolutionName resolution No DNSSEC or alikeNo DNSSEC or alike

HIP proxy needs to tamper the DNS queries/repliesHIP proxy needs to tamper the DNS queries/replies

ConclusionConclusion

Allows legacy hosts to communicate with Allows legacy hosts to communicate with “full-featured” hosts“full-featured” hosts

Allows the peer hosts to associate the Allows the peer hosts to associate the legacy host with proper host identitylegacy host with proper host identity

Allows Allows certain type ofcertain type of network mobility for legacy network mobility for legacy hostshosts

An opportunistic security solutionAn opportunistic security solution