Mobile IP Security Considerations (Page 1 of 2)

Security is always a concern in any internetworking environment these days, but is especially important with Mobile IP. There are a number of reasons for this, which are related to both how the protocol is used and the specific mechanisms by which it is implemented.

In terms of use, security was kept in mind during Mobile IP's development because mobile devices often use wireless networking technologies. Wireless communication is inherently less secure than wired communication, because transmissions are sent out in the open where they can be intercepted. It is also easier for malicious users to disrupt the operation of wireless devices than of devices that connect using wires.

In terms of operation, Mobile IP carries a number of risks because it uses a registration system and then forwards datagrams across an unsecured internetwork. A malicious device could interfere with the registration process, causing the datagrams intended for a mobile device to be diverted. A bad guy might also interfere with the data forwarding process itself, by encapsulating a bogus datagram to trick a mobile node into thinking it was sent something that it never was.

For these reasons, the Mobile IP standard includes a limited number of explicit provisions to safeguard against various security risks. One security measure was considered sufficiently important that it was built into the Mobile IP standard directly: authentication of Registration Request and Registration Reply messages. This authentication process is accomplished in a manner somewhat similar to how the IPSec Authentication Header (AH) operates. Its goal is to prevent unauthorized devices from intercepting traffic by tricking an agent into setting up, renewing or canceling a registration improperly.

All Mobile IP devices are required to support authentication. Nodes must use it for requests and agents must use it for replies. Keys must be assigned manually, as there is no automated system for secure key distribution. The default authentication method uses HMAC-MD5 (specified in RFC 2403), which is one of two hashing algorithms used by IPSec.
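The registration authentication described above, as an added example that is not part of the original Guide: a mobile node appends an HMAC-MD5 authenticator to a Registration Request, and the home agent rejects the request if any covered field, such as the care-of address, was altered in transit. The 24-byte request layout and the Mobile-Home Authentication Extension (type 32, covering the message plus the extension's type, length and SPI) follow RFC 3344 rather than anything on this page; the key, SPI and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST = 1   # Registration Request message type (RFC 3344)
MH_AUTH_EXT = 32  # Mobile-Home Authentication Extension type (RFC 3344)
MAC_LEN = 16      # HMAC-MD5 yields a 128-bit authenticator


def build_request(home_addr, home_agent, care_of, lifetime, ident):
    """Fixed part of a Registration Request (24 bytes, all flags zero)."""
    return struct.pack(
        "!BBH4s4s4sQ", REG_REQUEST, 0, lifetime,
        ipaddress.IPv4Address(home_addr).packed,
        ipaddress.IPv4Address(home_agent).packed,
        ipaddress.IPv4Address(care_of).packed,
        ident,
    )


def sign(message, spi, key):
    """Append the authentication extension to a request or reply."""
    header = struct.pack("!BBI", MH_AUTH_EXT, 4 + MAC_LEN, spi)
    mac = hmac.new(key, message + header, hashlib.md5).digest()
    return message + header + mac


def verify(packet, keys_by_spi):
    """Agent-side check; assumes the extension is the last 22 bytes."""
    if len(packet) < 24 + 6 + MAC_LEN:
        return False
    covered, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    ext_type, ext_len, spi = struct.unpack("!BBI", covered[-6:])
    key = keys_by_spi.get(spi)  # manually provisioned key for this SPI
    if ext_type != MH_AUTH_EXT or ext_len != 4 + MAC_LEN or key is None:
        return False
    expected = hmac.new(key, covered, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


# Constructed sample values (documentation address ranges, made-up key).
KEYS = {0x100: b"manually-configured-shared-key"}
REQUEST = build_request("192.0.2.10", "192.0.2.1", "198.51.100.7",
                        1800, 0x0123456789ABCDEF)
SIGNED = sign(REQUEST, 0x100, KEYS[0x100])
# Same packet with the care-of address (bytes 12..15) rewritten in transit.
TAMPERED = SIGNED[:12] + ipaddress.IPv4Address("203.0.113.66").packed + SIGNED[16:]
```

The authenticator only proves the message came from a holder of the shared key and was not modified; it does not encrypt the registration, so the addresses remain visible to anyone on the path.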
The TCP/IP Guide (http://www.TCPIPGuide.com) Version 3.0 - Version Date: September 20, 2005 © Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.