IP Routing for Wireless/Mobile Hosts
The Mobile IP Working Group has developed routing support to permit IP nodes to seamlessly ``roam'' among IP subnetworks and media types. The Mobile IP method supports transparency above the IP layer, including the maintenance of active TCP connections and UDP port bindings.
Protocol AAA-MIP (1) is used by a mobile node to authenticate in a visited network in order to receive service from foreign service providers, using the Internet Authentication, Authorization and Accounting (AAA) infrastructure.. It is defined in the Diameter Base Protocol, [44], together with the Diameter Mobile IPv4 Application, [43], and related drafts ([147,146]). During the protocol, the Home AAA server authenticates the mobile node (MN), (Problem: Entity authentication), and the MN is guaranteed that he is attached to a Foreign Agent in a ``trusted'' Visited Domain.
As part of the exchange, three short-lived keys are distributed: the Mobile-Home Session Key, the Mobile-Foreign Session Key, and the Foreign-Home Session Key. These three keys should be secret (Problems: Key authentication for Mobile-Home, for Mobile-Foreign, and for Foreign-Home).
Protocol AAA-MIP should provide Fresh Key Agreement and 3P-Authorization (G1-3,6,7,10,12).
Protocol MIP-BU (2) is a protocol used to secure a mobile-ip message known as a binding update (BU). When a mobile node moves (and in other circumstances), it sends to the correspondent a message called a binding update (BU), describing the new care-of-address needed to reach the mobile node directly. This BU must be secured, as otherwise anyone could pretend that a given mobile node had moved. Since we cannot assume the existence of a global PKI or other global security infrastructure, it is difficult to secure this packet, sent by any mobile node to any other Internet node (and those two nodes may have no previous relationship or common security infrastructure). What should be possible to ensure, at least in some versions of the protocol, is that the sender of the BUs does not change (Sender Invariance). The protocol design of [93] is unusual and would not be considered secure by the measures of traditional security protocol analysis. The security of the protocol depends on the partial reliability of the Internet routing infrastructure. Some ``regions'' of the Internet may be considered rather secure, and any insecurity in those regions that could be exploited in this setting, could also be exploited in the non-mobile case. But the only security requirement of the BU protocol is to counter the new threats created by mobility. The major problem when designing an unauthenticated BU is, surprisingly enough, the introduction of new Denial of Service threats, see [25].
In summary, Protocol MIP-BU should provide Sender Invariance and DoS Resilience (G15,16).