Mobopts Working Group Y. Qiu Internet-Draft Institute for Infocomm Research Expires: October 18, 2008 F. Zhao Marvell R. Koodli Starent Networks April 16, 2008 Mobile IPv6 Location Privacy Solutions draft-irtf-mobopts-location-privacy-solutions-08 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 18, 2008. Qiu, et al. Expires October 18, 2008 [Page 1] Internet-Draft MIP6 location privacy solutions April 2008 Abstract Mobile IPv6 [10] enables mobile nodes to remain reachable while roaming on the Internet. With its current specification, the location of a mobile node can be revealed and its movement can be tracked by simply monitoring its IP packets. In this document, we consider the MIP6 location privacy problem described in [14] and propose efficient and secure techniques to protect the location privacy of a mobile node. Qiu, et al. Expires October 18, 2008 [Page 2] Internet-Draft MIP6 location privacy solutions April 2008 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Brief Overview of Location Privacy in MIP6 . . . . . . . . . . 8 4. Pseudo Home Address Generation Using Return Routability Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Route-Optimized Binding Update to the Correspondent Node . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4.2. Reverse-Tunneled Binding Update to the Correspondent Node . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5. Pseudo Home Address Generation Using Cryptography Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 14 5.1. Pseudo Home Address Generation . . . . . . . . . . . . . . 14 5.1.1. Requirements . . . . . . . . . . . . . . . . . . . . . 14 5.1.2. The Shared Key, Kph . . . . . . . . . . . . . . . . . 14 5.1.3. Routable Pseudo Home Address Generation . . . . . . . 15 5.1.4. Dynamic Pseudo Home Address . . . . . . . . . . . . . 15 5.2. Home Binding Updates and Acknowledgements . . . . . . . . 16 5.2.1. Solution with IPsec Transport Mode . . . . . . . . . . 16 5.2.2. Solution with IPsec Tunneling Mode . . . . . . . . . . 19 5.3. Processing of Correspondent Binding Updates . . . . . . . 20 5.3.1. Correspondent Binding Updates Signaling . . . . . . . 20 5.3.2. Modifications to Correspondent Node Binding Updates . 24 5.4. Reverse-Tunneling Mode . . . . . . . . . . . . . . . . . . 29 5.5. Prefix Discovery . . . . . . . . . . . . . . . . . . . . . 30 6. Profiling Attack . . . . . . . . . . . . . . . . . . . . . . . 33 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 33 6.2. Discussion . . . . . . . . . . . . . . . . . . . . . . . . 33 6.2.1. What Invariant should be Updated to Resist the Profiling Attack Effectively? . . . . . . . . . . . . 33 6.2.2. How Often these Invariants should be Updated? . . . . 34 6.2.3. What is the Scope of the Profiling Prevention? . . . 34 6.3. The Increment of Sequence Numbers in Correspondent Binding Updates . . . . . . . . . . . . . . . . . . . . . 34 6.4. The Increment of SPI . . . . . . . . . . . . . . . . . . . 35 7. Security Considerations . . . . . . . . . . . . . . . . . . . 36 7.1. Home Binding Update Procedure . . . . . . . . . . . . . . 36 7.2. Reverse Tunneling Mode . . . . . . . . . . . . . . . . . . 36 7.3. Route Optimization Mode . . . . . . . . . . . . . . . . . 36 7.4. Return Routability Procedure . . . . . . . . . . . . . . . 37 7.5. Pre-shared Key Establishment . . . . . . . . . . . . . . . 37 8. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 38 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 10. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 39 11. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 39 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Appendix A. Version History . . . . . . . . . . . . . . . . . . . 41 Qiu, et al. Expires October 18, 2008 [Page 3] Internet-Draft MIP6 location privacy solutions April 2008 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42 Intellectual Property and Copyright Statements . . . . . . . . . . 43 Qiu, et al. Expires October 18, 2008 [Page 4] Internet-Draft MIP6 location privacy solutions April 2008 1. Introduction IP address location privacy is about the concern that the location information of a mobile node is leaked from its IP addresses used during the communication without authentication. In the presence of mobility, there are two related aspects: disclosing the care-of address to a correspondent node, and revealing the home address to an eavesdropper. To protect its location privacy, a mobile node must not disclose the binding between its care-of address and home address. Related to IP address location privacy is "profiling", where the activities of a mobile node are linked and then analyzed. The profiled activities may contribute to compromising a mobile node's location privacy, especially when combined with additional out-of-band information. Furthermore, once the location privacy is compromised, it may lead to more targeted profiling. Therefore, in addition to protecting IP address location privacy, solutions should consider how to thwart profiling of various fields, especially those specific to mobility protocol operations. The location privacy problem is described in detail in [14]. In this document, we focus on the location privacy related threats posed by passive attackers. To compromise the location privacy of mobile nodes, these attackers are required to be at certain locations, for example, an eavesdropper along the paths traversed by the traffic flows of mobile nodes. The threats posed by active attackers are beyond the scope of this document. Furthermore, in order to simplify analysis, we assume that both correspondent nodes and home agents are fixed nodes. If either is mobile, the same analysis and solutions for mobile nodes may also apply. The basic idea is to use the "pseudo home address" to replace the real home address. One approach is by masking the real home address using Return Routability parameters to generate the pseudo home address. This approach, described in Section 4, provides an evolution towards location privacy based on Return Routability messages which are already specified in RFC 3775. The other approach to generate pseudo home address is by running cryptography algorithms with a pre-shared secret between the home agent and the mobile node using the real home address and other information as inputs. This approach, described in Section 5, can provide stronger cryptographic support at the cost of some additional operations. Both approaches would securely generate pseudo home address that is not statistically correlated to the real home address, and even the potential commonality of network prefix. Each approach can be implemented on its own without relying on the other. This document represents the consensus of the MobOpts Research Group. It has been reviewed by the Research Group members active in the Qiu, et al. Expires October 18, 2008 [Page 5] Internet-Draft MIP6 location privacy solutions April 2008 specific area of work. At the request of their chairs, this document has been comprehensively reviewed by multiple active contributors to the IETF Mobile IP related working groups. The rest of this document is organized as follows. Section 3 presents a brief overview of MIP6 location privacy. The mechanisms where pseudo home address is generated using the Return Routability test and cryptography algorithms are presented in Section 4 and Section 5 respectively. The profiling attacks and related considerations are addressed in Section 6. Finally we present the security consideration and summarize related works in section 7 and 8. 2. Terminology Throughout this document we use the commonly adopted terminology defined in [10] and [14], such as o Mobile Node (MN): A Mobile IPv6 Mobile Node that freely roams around networks o Correspondent Node (CN): A Mobile IPv6 node that corresponds with an MN o Home Agent: A router on the MN's home network that provides forwarding support when the MN is roaming o Home Address (HoA): The MN's unicast IP address valid on its home network o Care-of Address (CoA): The MN's unicast IP address valid on the visited network o Home Network: The network where the MN is normally present when it is not roaming o Visited Network: The network that the MN uses to access the Internet when it is roaming o Reverse Tunneling or Bidirectional Tunneling: A mechanism used for packet forwarding between the MN and its Home Agent o Route Optimization: A mechanism that allows direct routing of packets between a roaming MN and its CN, without having to traverse the home network Qiu, et al. Expires October 18, 2008 [Page 6] Internet-Draft MIP6 location privacy solutions April 2008 o Return Routability Procedure: The return routability procedure authorizes registrations by the use of a cryptographic token exchange. The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. Qiu, et al. Expires October 18, 2008 [Page 7] Internet-Draft MIP6 location privacy solutions April 2008 3. Brief Overview of Location Privacy in MIP6 The current MIP6 specification does not address location privacy. For example, both the home address and the care-of address are available in the following packets: o Home Binding Updates and Binding Acknowledgements o Return Routability packets o Correspondent Binding Updates and Binding Acknowledgements o Prefix Discovery messages o Data packets between mobile nodes and correspondent nodes in the Route Optimization mode Hence, correspondent nodes, eavesdroppers and of course the home agent(s) can learn the complete IP location information deterministically without authorization from a mobile node. With Route Optimization mode, in order to receive the packets through the optimized route and protect its location privacy, the mobile node must disclose its care-of address and conceal the real home address at the same time. If the mobile node is the initiator of the communication, it can conceal its home address from both correspondent nodes and eavesdroppers. When the correspondent node is the initiator, it may already know the real home address through certain means; therefore, the mobile node can conceal its home address from eavesdroppers only. With Reverse Tunneling mode, a mobile node can hide its current location from its correspondent node and eavesdroppers along the HA-CN path since the care-of address is invisible on that path. In the meanwhile, IPsec tunnel enables the mobile node to conceal its home address from any eavesdropper along the MN-HA path . In order to prevent the revealing of the location information of moving mobile nodes with Route Optimization mode, the term of Pseudo Home Address is introduced. Following we will propose two schemes to generate the Pseudo Home Addresses. The first scheme described in section 4, which uses the information of Return Routability Signaling, can hide the home address of a mobile node from eavesdroppers and the pseudo home address does not need to be routable because it is not used during RR procedure, but it cannot avoid revealing of the home address to CN during RR procedure. On the other hand, the later scheme described in section 5, which uses cryptography algorithms, can hide the real home address of a mobile Qiu, et al. Expires October 18, 2008 [Page 8] Internet-Draft MIP6 location privacy solutions April 2008 node from everyone, even from its correspondent nodes. Qiu, et al. Expires October 18, 2008 [Page 9] Internet-Draft MIP6 location privacy solutions April 2008 4. Pseudo Home Address Generation Using Return Routability Signaling In this section, we describe how to generate a pseudo home address by making use of information exchanged during the Return Routability procedure. This could provide an easier transition to location privacy with MIPv6. In this solution, it is not needed to derive a pseudo home address with the home agent. The basic idea is that both the correspondent node and the mobile node derive a shared privacy management key, Kpm, from the keygen tokens exchanged in the home address and care-of address test procedures. Afterwards, the mobile node uses Kpm to hide its home address in the Binding Update to the correspondent node, and finally the correspondent node authenticates the received Binding Update and restores the mobile node's home address therein. We describe this in the following sections. 4.1. Route-Optimized Binding Update to the Correspondent Node In the original MIPv6 procedure, the home address is visible in the Binding Update to the correspondent node. The mobile node can make the home address invisible to eavesdroppers by replacing the real home address with a pseudo home address generated as follows. The mobile node sets a 'P' bit in the reserved field of the HoTI message showed as following figure to indicate it wishes to use a pseudo home address in place of the home address. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P| Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Home Init Cookie + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Mobility Options . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The correspondent node, if it supports the 'P' bit, computes a privacy keygen token as follows: privacy keygen token = First (64, MAC_SHA1(Kcn(Home Init Cookie | nonce | 2))) Qiu, et al. Expires October 18, 2008 [Page 10] Internet-Draft MIP6 location privacy solutions April 2008 This computation is similar to computing the home keygen token except that the home address is replaced by the Home Init Cookie which the MN sends in the HoTI message. The privacy keygen token is returned in the HoT message as a Mobility Header Option along with the home keygen token. Following figure shows the change. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Home Nonce Index | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Home Init Cookie + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + (Home Keygen Token) Privacy Keygen Token + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . Mobility options . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The care-of address test procedure is exactly the same as specified in MIP6 protocol [10]. The mobile node computes Kpm and the pseudo home address after the Return Routability procedure as follows: Kpm = SHA1 (privacy keygen token | care-of keygen token) pseudo home address = String XOR HoA where String = First (128, HMAC_SHA1 (Kpm, (care-of address | Home nonce index | Care-of nonce index))) The mobile node then sends the following Binding Update to the correspondent node: o IPv6 header (source = care-of address, destination = correspondent node) o Destination Option * pseudo home address o Mobility header * Binding Update = (sequence number, home nonce index, care-of nonce index, Home Init Cookie) * First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | Binding Update))) Qiu, et al. Expires October 18, 2008 [Page 11] Internet-Draft MIP6 location privacy solutions April 2008 Following figure shows the binding update format with 'P' bit (the actual position of 'P' bit is waiting for IANA approval). +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence # | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |A|H|L|K| ... |P| Reserved | Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + privacy factor: Home Init Cookie + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Mobility options . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ When a correspondent node receives a Binding Update with a new destination option carrying the pseudo home address, it must first compute Kpm as above. The computation is similar to how it would compute Kbm, except that the privacy keygen token is computed with the home address set to all zeros. With Kpm, the correspondent node computes the String and recovers the home address. It can then compute the home keygen token and Kbm, and verify the MAC for the Binding Update. If the Binding Update processing is successful, the pseudo home address is considered valid. The correspondent node then stores the nonce indices, and Kbm itself. It may also send a normal Binding Acknowledgment with an extra item of the pseudo HoA to the mobile node. The String is computed once by both the mobile node and the correspondent node, and hence the pseudo home address as computed above remains constant, until one of the address cookies expires or the mobile node undergoes a handover. 4.2. Reverse-Tunneled Binding Update to the Correspondent Node The mobile node may send the Binding Update not directly to the correspondent node, but via the home agent. No extension to the Return Routability signaling packets is required with reverse- tunneled Binding Updates. The privacy management key Kpm can be the same as the binding management key Kbm and the mobile node generates the pseudo home address as follows: Qiu, et al. Expires October 18, 2008 [Page 12] Internet-Draft MIP6 location privacy solutions April 2008 pseudo home address = Enc(Kpm, home address) Where Enc(.) is a symmetric key encryption algorithm, for example, AES. The format of the Correspondent Binding Update is as follows: o IPv6 header (source = care-of address, destination = home agent) o ESP header in tunnel mode o IPv6 header (source = home address, destination = correspondent node) o Destination Option * pseudo home address o Mobility header * Binding Update * Alternate Care-of Address option (care-of address) When the correspondent node receives a Binding Update with an Alternate Care-of Address option and a Pseudo Home Address option, it first computes Kbm, verifies the MAC for the Binding Update, and then recovers the home address from the pseudo home address, and verifies whether it is actually the same home address present as the source IP address. With this mechanism, the home address is visible as the source IP address along the HA-CN path. However the eavesdroppers on the HA-CN path can launch the attack to compromise the Return Routability procedure anyway. So, within the limitations of the existing Return Routability mechanism, this approach only requires a new destination option type and the associated processing to hide the home address from eavesdroppers. In the subsequent data packets that take the optimized route, only the care-of address and the pseudo home address are visible. Qiu, et al. Expires October 18, 2008 [Page 13] Internet-Draft MIP6 location privacy solutions April 2008 5. Pseudo Home Address Generation Using Cryptography Algorithms In this section, we present the mechanism to generate the pseudo home address between the home agent and the mobile node and illustrate the different packet formats when using this pseudo home address in the different scenarios. Due to employing cryptography algorithms, this scheme can provide stronger cryptographic support and the real home address of a mobile node can be hidden from everyone, even from its correspondent nodes. 5.1. Pseudo Home Address Generation The mobile node can generate a pseudo home address based on a shared secret with its home agent and use this pseudo home address to replace its real home address. When receiving the incoming packets from the mobile node, the home agent derives the real home address thereafter and uses the real home address as one of selectors to check with the local IPsec policy, just like described in RFC 3776 [11]. Afterwards, the home agent updates its Binding Cache to store the recent pseudo home address in addition to the real home address. 5.1.1. Requirements The mechanism to generate the pseudo home address needs to fulfill the following requirements: o Secure: The attacker could not learn the real home address from the eavesdropped pseudo home address. o Routable: When used in the Return Routability procedure, the pseudo home address must be routable, i.e. this IPv6 address should use one of home network prefixes. o Dynamic: To prevent the profiling attack based on the pseudo home address, it is desired that this pseudo home address can be updated periodically. Note that the update must not break the continuity of the current upper layer session(s). 5.1.2. The Shared Key, Kph The pseudo home address is generated based on a shared secret, denoted by Kph, between the mobile node and the home agent. As specified in RFC 3776 [11], IPsec is required to protect the signaling messages between the mobile node and the home agent; thus the trust relationship is in the form of an IPsec security association established either manually or through IKE [6] [7]. If this security association is manually established, Kph can be generated from the shared manual key, denoted by Ks, as follows: Qiu, et al. Expires October 18, 2008 [Page 14] Internet-Draft MIP6 location privacy solutions April 2008 Kph = HMAC_SHA1(Ks, 0) If this security association is established through IKE, Kph is negotiated and renewed by IKE as well, for example, by running the quick mode protected by a previously established IKE security association in phase 2. Either way, Kph is associated with the relevant security association entry in SAD. The location privacy protection option can be negotiated between the home agent and the mobile node. The home agent can distinguish the regular MIP6 signaling packets from those providing the location privacy based on the security association and process them appropriately. 5.1.3. Routable Pseudo Home Address Generation The mobile node could formulate its home address in either stateful or stateless manner. The computation of a routable pseudo home address is as follows: pseudo home address = one of home network prefixes || Enc(Kph, interface ID) where Enc(.) can be either a block cipher or a stream cipher AES is a popular block cipher that takes a 128-bit block as input and generates a 128-bit block as output. When AES is applied, the mobile node and the home agent need to append some padding, such as a sequence of zeros, to the Interface ID since it is typically shorter than 128 bits. Also only the first n bits from the output of AES are used so that the pseudo home address is still 128 bit long. If a stream cipher, such as RC4, is used, the interface ID is masked by a sequence of random bits, thus no additional padding or trimming is required. More details regarding how to process inbound and outbound packets are presented in the following sections. Note that the home agent should know the length of home network prefix, for example by looking up a home network prefix table; thus it can correctly identify the encrypted portion in the pseudo home address. Also, the mobile node may choose any from all the available home network prefixes when generating a specific pseudo home address. Preferably, the mobile node should choose the prefix which is not used in its real home address. 5.1.4. Dynamic Pseudo Home Address To update the pseudo home address, one possible way is to generate a sequence of secret keys, {K0, K1, ..., Kn}, from Kph and use these derived keys to generate new pseudo home addresses as follows: Qiu, et al. Expires October 18, 2008 [Page 15] Internet-Draft MIP6 location privacy solutions April 2008 Ki = HMAC_SHA1(Kph, i) pseudo home address = home network prefix || Enc(Ki, interface ID) To avoid maintaining a counter between the mobile node and the home agent, Ki can leverage on the sequence number in the IPsec header. Ki = HMAC_SHA1(Kph, IPsec sequence number) Whenever the mobile node sends a new Home Binding Update, it generates a new key with Kph and the current IPsec sequence number as inputs. As the sequence number in the IPsec header is incremented by at least one every time, the pseudo home address will look different to eavesdroppers on the MN-HA path. Also the mobile node and the home agent do not need to maintain some state when generating the pseudo home address; IPsec anti-replay service, if supported, can detect the reused pseudo home address. If the home agent does not support the anti-replay service, for example when a manual key is used, the mobile node should still use a new sequence number every time; although an eavesdropper could replay the eavesdropped pseudo home address, it is not a new vulnerability. If IKE is used, Kph is updated whenever an IPsec security association expires. If the lifetime of the IPsec security association is based on the number of packets sent, given that the extended sequence number is 64 bits, it is expected that there is no duplicated pseudo home address within a long time period. On the other hand, if Kph is derived from a manual secret key, the same output of Enc(Ki, interface ID) may appear after the sequence number wraps around. However, it may not be a new problem, because the output of Enc(.) (the same length as interface ID) may be not longer than IPsec extended sequence number. In summary, the real home address cannot be revealed from the pseudo home address without the knowledge of Kph. And the pseudo home address fulfills the requirements of being routable and dynamic. 5.2. Home Binding Updates and Acknowledgements 5.2.1. Solution with IPsec Transport Mode When the mobile node moves to a new foreign subnet, it sends the following modified Home Binding Update to its home agent, which usually happens before any other signaling message. o IPv6 header (source = care-of address, destination = home agent) Qiu, et al. Expires October 18, 2008 [Page 16] Internet-Draft MIP6 location privacy solutions April 2008 o Destination option header * Home Address option (pseudo home address) o ESP header in transport mode o Mobility header * Home Binding Update * Alternative Care-of Address option (care-of address) When the home agent receives the Binding Update from the mobile node, it first looks up its SAD using SPI, optionally together with IPsec protocol type and destination IP address. This should return the established security association between the home agent and the mobile node. RFC 3776 [11] represents the corresponding inbound SAD and SPD entries as follows: o home agent SAD: SA1(IN, spi_a, home_agent_1, ESP, TRANSPORT): source = home_address_1 && destination = home_agent_1 && proto = MH o home agent SPD IN: IF source = home_address_1 && destination = home_agent_1 && proto = MH THEN USE SA SA1 The home agent checks whether this is a replayed packet; if not, it uses this security association to process the received IPsec packet. The home agent also checks with its IPsec SPD by using the home address as one of selectors. If a block cipher is used to generate this pseudo home address, the home agent regenerates the pseudo home address from the real home address retrieved. This procedure is the same as described before. The home agent compares the output with the pseudo home address received in the Destination option. If they match, the home agent accepts this Binding Update message. On the other hand, if the stream cipher is used, the home agent recovers the real home address by decrypting the received pseudo home address and the rest is similar with the procedure documented in RFC 3776 [11]. The encryption/decryption operation over a small payload is efficient, thus there is no vulnerability to Denial-of-Service attacks. Note that the home agent should restore the network prefix Qiu, et al. Expires October 18, 2008 [Page 17] Internet-Draft MIP6 location privacy solutions April 2008 associated with the mobile node's real home address if a different home network prefix is used to generate the pseudo home address. If it succeeds, the home agent stores the pseudo home address in the home Binding Cache. The organization of the Binding Cache is extended by adding a new field of pseudo home address as follows: +-------------------+------------+---------------+--------+----+---+ |pseudo home address|home address|care-of address|lifetime|seq#|...| +-------------------+------------+---------------+--------+----+---+ If the pseudo home address is unique in any snapshot of the Binding Cache, the home agent can look up its Binding Cache by using either the pseduo home address or the home address. The home agent replies to the mobile node with the following modified Home Binding Acknowledgement: o IPv6 header (source = home agent, destination = care-of address) o Routing header (type 2) * pseudo home address o ESP header in transport mode o Mobility header * Home Binding Acknowledgement RFC 3776 [11] specifies the corresponding outbound SAD and SPD entries as follows: o home agent SAD: SA2(OUT, spi_b, home_address_1, ESP, TRANSPORT): source = home_agent_1 && destination = home_address_1 && proto = MH o home agent SPD OUT: IF source = home_agent_1 && destination = home_address_1 && proto = MH THEN USE SA SA2 The detailed procedure is as follows: the home agent generates the Qiu, et al. Expires October 18, 2008 [Page 18] Internet-Draft MIP6 location privacy solutions April 2008 Home Binding Acknowledgement with the mobile node's home address as the destination IP address, and then this packet is processed based on the IPsec security association, finally the home agent replaces the real home address with the appropriate pseudo home address. How the home agent derives the pseudo home address to be used in the Home Binding Acknowledgement, especially when the mobile node uses different pseudo home addresses with different correspondent nodes, is implementation specific and the details are beyond the scope of this document. For example, the home agent may record the IPsec sequence number received in the Home Binding Update and generate the pseudo home address, or the home agent marks the recent unacknowledged Binding Cache entry and uses the pseudo home address therein. The home agent can acknowledge the Home Binding Update in the ascending order of the IPsec sequence number or the time when the Binding Cache entry is created. Compared with the packet formats defined in RFC 3776 [11], the pseudo home address replaces the real home address. In case that the mobile node fails to receive the Binding Acknowledgement, it will retransmit the Binding Update but with a new IPsec sequence number and thus a new pseudo home address, which prevents the replay attack and the profiling attack targeting at the pseudo home address. 5.2.2. Solution with IPsec Tunneling Mode The packet formats above follow the fashion in RFC 3776 [11], in the following we show an alternative that uses the similar packet formats as in [21]. This is applicable when using IKEv2 [7] and the revised IPsec Architecture [3]. Binding Update: o IPv6 header (source = care-of address, destination = home agent) o ESP header in tunnel mode o IPv6 header (source = home address, destination = home agent) o Mobility header * Home Binding Update * Alternative Care-of Address option (care-of address) The home agent processes this Binding Update in the same way as specified in [21]. Additionally, the home agent uses the retrieved Kph to generate the pseudo home address and replaces the previous pseudo home address in respective existing home Binding Cache entry, Qiu, et al. Expires October 18, 2008 [Page 19] Internet-Draft MIP6 location privacy solutions April 2008 if any. The Binding Acknowledgement format looks as follows: o IPv6 header (source = home agent, destination = care-of address) o ESP header in tunnel mode o IPv6 header (source = home agent, destination = home address) o Mobility header * Home Binding Acknowledgement When the mobile node returns home, it can use the pseudo home address or the real home address as the source IP address in the communication with its home agent, for example, for the de- registration Binding Update. The packet formats are similar to those defined in RFC 3776 [11]. 5.3. Processing of Correspondent Binding Updates 5.3.1. Correspondent Binding Updates Signaling When initiating the communication with its correspondent node, the mobile node sends HoTI to its home agent in the following format: o IPv6 header (source = care-of address, destination = home agent) o ESP header in tunneling mode o IPv6 header (source = pseudo home address, destination = correspondent node) o Mobility header * HoTI The mobile node sets a 'Q' bit in the reserved field of the HoTI message showed in following figure to indicate it uses a pseudo home address generated by cryptography in place of the home address. Qiu, et al. Expires October 18, 2008 [Page 20] Internet-Draft MIP6 location privacy solutions April 2008 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P|Q| Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Home Init Cookie + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Mobility Options . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The home agent would process the received HoTI message in a similar way as described in RFC 3776 [11]. Furthermore, it may derive the real home address by using pseudo home address as a key to look up its binding cache and verify the SPD using the real home address as one of selectors. After that, the home agent generates the following HoTI and forwards it to the correspondent node: o IPv6 header (source = pseudo home address, destination = correspondent node) o Mobility header * HoTI The correspondent node processes this received HoTI message in the same way as in RFC 3775 [10] and sends the following HoT message to the home agent. o IPv6 header (source = correspondent node, destination = pseudo home address) o Mobility header * HoT = (home init cookie, home keygen token, home nonce index) where home keygen token = First (64, HMAC_SHA1(Kcn, (pseudo home address | nonce | 0))) and Kcn is the correspondent node's local secret [10]. Since the pseudo home address is routable, the HoT message is forwarded to the home network and intercepted by the home agent there. Upon the reception, the home agent uses the pseudo home address as a key to look up its Binding Cache. The search should Qiu, et al. Expires October 18, 2008 [Page 21] Internet-Draft MIP6 location privacy solutions April 2008 return the real home address of the mobile node. Then the home agent uses the corresponding security association to process and forward the HoT message to the mobile node. The packet format is as follows: o IPv6 header (source = home agent, destination = care-of address) o ESP header in tunneling mode o IPv6 header (source = correspondent node, destination = pseudo home address) o Mobility header * HoT = (home init cookie, home keygen token, home nonce index) The care-of address test is exactly the same as specified in RFC 3775 [10]. After receiving both HoT and CoT messages, the mobile node sends the Binding Update to the correspondent node in the following format: o IPv6 header (source = care-of address, destination = correspondent node) o Destination Option * pseudo home address o Mobility header * Binding Update = (sequence number, home nonce index, care-of nonce index, Enc(Kbm, identity_address) ) * Binding Authorization Data = First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | Binding Update))) where Kbm is the binding management key given by Kbm = SHA1 (home keygen token | care-of keygen token) home keygen token = First (64, HMAC_SHA1(Kcn, (pseudo home address | nonce | 0))) care-of keygen token = First (64, HMAC_SHA1(Kcn, (CoA | nonce | 1))) The identity_address ensure that the current session is not broken. The identity_address could be the real HoA or the first pseudo home Qiu, et al. Expires October 18, 2008 [Page 22] Internet-Draft MIP6 location privacy solutions April 2008 address (pHoA) when established the session. Following figure shows the binding update format with 'Q' bit (the actual position of 'Q' bit is waiting for IANA approval). +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence # | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |A|H|L|K| ... |P|Q| Reserved | Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + privacy factor: Enc(Kbm, identity_address) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Mobility options . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ After receiving the Binding Update, the correspondent node first computes the home keygen token and the care-of keygen token, then computes Kbm and verifies the MAC. If the MAC is valid, it keeps the pseudo home address in the Binding Cache. The correspondent node then generates the following binding acknowledgement and sends back to the mobile node: o IPv6 header (source = correspondent node, destination = care-of address) o Mobility header * Binding Acknowledgement = sequence number (within the Binding Update message header) * Binding Authorization Data = First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | BA))) The subsequent data traffic between the mobile node and the correspondent node will follow the same procedure and the packet formats as specified in [10] except that the pseudo home address is used in place of the home address. Data packets from the mobile node to the correspondent node: o IPv6 header (source = care-of address, destination = correspondent node) Qiu, et al. Expires October 18, 2008 [Page 23] Internet-Draft MIP6 location privacy solutions April 2008 o Destination option * pseudo home address o Payload Data packets from the correspondent node to the mobile node: o IPv6 header (source = correspondent node, destination = care-of address) o Routing Header * pseudo home address o Payload 5.3.2. Modifications to Correspondent Node Binding Updates In the proposal, the processing and format of HoTI/HoT and CoTI/CoT messages is the same as original RR protocol, but use pseudo HoA instead of real HoA. The subsection analyzes the changes in correspondent node, home agent and mobile node. 5.3.2.1. Modifications on Correspondent Node A. BINDING CACHE: Referring to section 9.1, RFC 3775 [10], each Binding Cache entry conceptually contains the following fields: o The home address of the mobile node for which this is the Binding Cache entry. This field is used as the key for searching the Binding Cache for the destination address of a packet being sent. o The care-of address for the mobile node indicated by the home address field in this Binding Cache entry. o A lifetime value. o Sequence Number. We replace the home address by the pseudo HoA in the home address field. The pseudo HoA is routability and with home network prefix. Section 5.1 described the Pseudo Home Address Generation. Besides the original fields, we only add a new field -- identity_address that is used for ensuring the session continuation. Qiu, et al. Expires October 18, 2008 [Page 24] Internet-Draft MIP6 location privacy solutions April 2008 The identity_address could be the real HoA or the first pseudo HoA that was used to establish the session. B. OPERATION: In the BU payload, we introduce a new optional item Enc(Kbm, identity_address), where Enc(.) is a symmetric key encryption algorithm, for example, AES. So the BU processing in CN is little difference. Following is the comparison between the BU process in original MIPv6 (section 9.5.1, RFC 3775 [10]) and the one with the additional option in our proposal. original MIPv6 | With additional option -----------------------------------+-------------------------------- | 1) check the packet MUST contain | the same a unicast routable home address | | 2) the Sequence Number field in | the same the Binding Update is greater | than the Sequence Number | received in the previous valid | Binding Update. | | 3) a Nonce Indices mobility option | the same MUST be present | | 4) the correspondent node MUST | In the network i, we use the re-generate the home keygen | same pHoA_i in HoTI_i and BU_i token and the care-of keygen | messages, and CoTI and CoT as token from the information | usual, so the new method can contained in the packet. It | generate the valid Kbm and then then generates the binding | pass the step. management key Kbm and uses | it to verify the authenticator | field in the Binding Update | | 5) create/update the BU entry | first decrypt the new item according to HoA | Enc(Kbm, identity_address), | get the identity_address, then | create/update the BU entry | according to the identity_address | From the comparison, we learn that the only difference is the last step: how to identify the owner of the BU. The original MIPv6 is Qiu, et al. Expires October 18, 2008 [Page 25] Internet-Draft MIP6 location privacy solutions April 2008 based on the HoA. Ours need one more step -- decrypting Enc(Kbm, identity_address) first, then based on the identity_address. The identity_address could be the real HoA or the first pHoA that is used to establish the communication session. Following scenario shows the changes of the visited networks, pseudo HoAs, identity_addresses and BU messages. For example, MN began to communicate with CN1 at foreign network1. At that time, the pseudo HoA is pHoA1. Then identity_address for the CN1 session is the same as pHoA1, i. e. identity_address1=pHoA1. The BU11 = {src=CoA1, dest=CN1, opt=pHoA1, orig_payload+Enc(Kbm11, identity_address1)}. When MN moves to network2, and then start the connection with CN2. At this time, the pseudo HoA is pHoA2. Then the identity_addrees for the CN2 session is the same as pHoA2, i.e. identity_address2=pHoA2. Meantime, the identity_address for the CN1 session is still pHoA1, i.e. identity_address1=pHoA1, although the signaling pHoA for both CN1 and CN2 is changed to pHoA2. The BU message for CN1 is BU12 = {src=CoA2, dest=CN1, opt=pHoA2, orig_payload+Enc(Kbm12, identity_address1)}; The BU message for CN2 is BU22 = {src=CoA2, dest=CN2, opt=pHoA2, orig_payload+Enc(Kbm22, identity_address2)}. When MN in foreign network i, the signaling pseudo home address is pHoAi. When MN moving to foreign network j, the signaling pseudo home address become pHoAj. But the identity_address for CN1 and CN2 are still identity_address1 and identity_address2 respectively. The BU message for CN1 is BU1j = {src=CoAj, dest=CN1, opt=pHoAj, orig_payload+Enc(Kbm1j, identity_address1)}; The BU message for CN2 is BU2j = {src=CoAj, dest=CN2, opt=pHoAj, orig_payload+Enc(Kbm2j, identity_address2)}. After the processing of BU, the CoA is associated with the identity_address (instead of the HoA in original MIP6) in BU cache. The identity_address could be the HoA, or the first pHoA when set up a communication session. So the proposal is not change the processing of forwarding a packet to upperlayer . The new protocol is not more insecure than original MIPv6 protocol. As described above, the only difference between new one and original MIPv6 is the optional item Enc(Kbm, identity_address). Without the new item, the new proposal is the same as RR procedure of CN receiving the first BU message from MN. With the new item, CN can also ignore the item if CN does not support the new proposal or does not care the session continuity. Qiu, et al. Expires October 18, 2008 [Page 26] Internet-Draft MIP6 location privacy solutions April 2008 Before to decrypting the Enc(Kbm, identity_address), CN must verify the MAC of BU message and accept the Kbm. So the proposal does not bring new flood attack. If need much stronger correlation between pHoA and real HoA, we could send the session Ki (described in section 5.1.4) with HoA together to CN in encryption, i.e the E(Kbm, HoA|Ki). After decrypting the E(Kbm, HoA|Ki), CN gets HoA and Ki. Then CN can check if pHoA equal to the home network prefix || Enc(Ki, later 64 bit of real HoA). Since Ki is just hash value Ki = HMAC_SHA1(Kph, IPsec sequence number) and CN do not know the seq#, it would not leak the secret between MN and HA. 5.3.2.2. Modifications on Home Agent A. BINDING CACHE: Referring to section 10.1 and 9.1, RFC 3775 [10], each Binding Cache entry conceptually contains the following fields: o The home address of the mobile node for which this is the Binding Cache entry. This field is used as the key for searching the Binding Cache for the destination address of a packet being sent. o The care-of address for the mobile node indicated by the home address field in this Binding Cache entry. o A lifetime value. o Sequence Number. Besides the original fields, we only add a new field for pseudo HoA and use this field as the key for searching the Binding Cache for the destination address of a packet being sent. B. OPERATION: For correspondent binding update, the processing is not different from the original MIPv6 [10], but the key for searching the binding cache is the pseudo HoA instead of the real HoA. Section 5.2 described in detail the processing of home binding update: verify the pseudo HoA and store it. Qiu, et al. Expires October 18, 2008 [Page 27] Internet-Draft MIP6 location privacy solutions April 2008 5.3.2.3. Modifications on Mobile Node A. BINDING UPDATE LIST: According to section 11.1, RFC3775 [10], each Binding Update List entry conceptually contains the following fields: o The IP address of the node to which a Binding Update was sent. o The home address for which that Binding Update was sent. o The care-of address sent in that Binding Update. This value is necessary for the mobile node to determine if it has sent a Binding Update while giving its new care-of address to this destination after changing its care-of address. o Lifetime field. o Sequence Number field. Since MIPv6 support multi-home addresses, we add the pseudo home address to the home address field with the real home address together. The pseudo home address also has the feature of routability and with home network prefix. Besides the original fields, here, we also add a field -- identity_address. The identity_address is not involved in HoTI/HoT and CoTI/CoT process. B. OPERATION: The additional operation is that MN needs to generate a pseudo HoA at every new location and store/update the pseudo home address in the binding update list. If the mobile node is an initiator and uses the pseudo address to initiate a communication, it also keeps the pseudo home address as the identity_address in the binding update list. 5.3.2.4. Other Issues Note that it may be desirable for the mobile node use different pseudo home addresses when communicating with different correspondent nodes. To do so, the mobile node needs to register the new pseudo home address as the identity address by sending the Home Binding Update before communicating with a new correspondent node. And during the communication with a specific correspondent node, the mobile node uses the same identity address. The mobile node usually can check its Correspondent Binding list to see whether a new pseudo Qiu, et al. Expires October 18, 2008 [Page 28] Internet-Draft MIP6 location privacy solutions April 2008 home address is needed. If the correspondent node appears in the Correspondent Binding list, the mobile node uses the existing pseudo home address. Otherwise, the mobile node sends a Home Binding Update to the home agent. With a new IPsec sequence number, both the home agent and the mobile node will generate a new pseudo home address for this correspondent node. Note that the mobile node may extend its Correspondent Binding list to store the pseudo home address associated with a correspondent node. When the communication with a correspondent node is ended, the mobile node may send an explicit de- registration to the home agent to withdraw the corresponding pseudo home address. The home agent may also implicitly withdraw the pseudo home address, for example, when the Return Routability procedure is not renewed within a certain time period. The strategy to update the home agent's Binding Cache is beyond the scope of this document. The mobile node decides whether a new pseudo home address is needed or an old pseudo home should be withdrawn based on the communication activities with the correspondent node. Besides the solution described above, another way is to leverage on the availability of upper layer connection information; however it may require an interface between the IP layer and the upper transport layer. If the correspondent code as the initiator, the correspondent node may already know the real home address of the mobile node. When this is a concern, the mobile node should not publish its home address, e.g. via DNS. It may be able to make use of runtime binding of user identity to a dynamic home address, for instance using SIP Proxies. When the correspondent node contacts the mobile node at its home address, the mobile node may wish to communicate with the correspondent node via an optimized route. In this case, the identity address is the real HoA in the binding update message to correspondent node. 5.4. Reverse-Tunneling Mode To hide its care-of address from the correspondent node and its home address from eavesdroppers on the MN-HA path, the mobile node sends IP data packets via the IPsec-protected reverse tunneling in the following format. o IPv6 header (source = care-of address, destination = home agent) o ESP header in tunnel mode o IPv6 header (source = home address, destination = correspondent node) Qiu, et al. Expires October 18, 2008 [Page 29] Internet-Draft MIP6 location privacy solutions April 2008 o data payload The home agent forwards the data packet to the correspondent node in the following format. o IPv6 header (source = home address, destination = correspondent node) o data payload The correspondent node replies with the following data packet that would be intercepted by the home agent. o IPv6 header (source = correspondent node, destination = home address) o data payload The data packet forwarded by the home agent to the mobile node is as follows. o IPv6 header (source = home agent, destination = care-of address) o ESP header in tunnel mode o IPv6 header (source = correspondent node, destination = home address) o data payload Note that if the mobile node is the initiator of the communication with the correspondent node, it may also use the pseudo home address rather than the real home address in the Reverse Tunneling mode, which may require the home agent to look up its Binding Cache and to map the home address to the pseudo home address or the other way around. 5.5. Prefix Discovery Similar with that described in RFC 3776 [11], the following packet format is used for requests for prefixes from the mobile node to the home agent: o IPv6 header (source = care-of address, destination = home agent) o Destination Options header Qiu, et al. Expires October 18, 2008 [Page 30] Internet-Draft MIP6 location privacy solutions April 2008 * Home Address option (pseudo home address) o ESP header in transport mode o ICMPv6 * Mobile Prefix Solicitation Similarly, solicited and unsolicited prefix information advertisements from the home agent to the mobile node use the following format: o IPv6 header (source = home agent, destination = care-of address) o Routing header (type 2) * pseudo home address o ESP header in transport mode o ICMPv6 * Mobile Prefix Advertisement The packet formats similar with those described in [21] can also be used. o IPv6 header (source = care-of address, destination = home agent) o ESP header in tunnel mode o IPv6 header (source = home address, destination = home agent) o ICMPv6 * Mobile Prefix Solicitation and o IPv6 header (source = home agent, destination = care-of address) o ESP header in tunnel mode o IPv6 header (source = home agent, destination = home address) o ICMPv6 Qiu, et al. Expires October 18, 2008 [Page 31] Internet-Draft MIP6 location privacy solutions April 2008 * Mobile Prefix Advertisement Qiu, et al. Expires October 18, 2008 [Page 32] Internet-Draft MIP6 location privacy solutions April 2008 6. Profiling Attack 6.1. Overview Pseudo home address provides the IP address location privacy; however, eavesdroppers could still collect, link, and (either online or offline) analyze the activities of mobile nodes based on certain observed fields. The more information collected, the higher probability to compromise the location privacy of mobile nodes, which in return results in more targeted profiling. In the presence of mobility, there exist many invariants, such as fields in the packets and communication patterns, which allows eavesdroppers to easily correlate the observed activities. For example, eavesdroppers can use the following, but not limited to, information to profile the activities of mobile nodes. o On the MN-HA path: the care-of address, the home address, the pseudo home address, the IPsec sequence number, SPI, Initialization Vector (IV), the timing of HoTI messages o On the HA-CN path: eavesdroppers on this path could intercept the traffic to or from mobile nodes, thus we do not consider the threats arising from this path. o On the MN-CN path: the care-of address, the home address or the pseudo home address, the sequence number in the Correspondent Binding Update, the interval of Return Routability packets, etc. 6.2. Discussion To resist the profiling attack, these invariants need to be updated periodically. RFC 3041 [12] takes a similar approach to provide the privacy protection: the IPv6 address is updated over time. In the context of mobility support, there are the following three specific issues to be addressed. 6.2.1. What Invariant should be Updated to Resist the Profiling Attack Effectively? Different invariants allow eavesdroppers to correlate the observed activities with the different levels of assurance. Obviously a constant identity allows eavesdroppers to link the activities of a mobile node in a deterministic way; and other invariants may be less reliable because they are affected by other factors. For example, a malicious entity may profile the traffic based on the care-of address, however the mobile node may renew its care-of address via DHCP or IPv6 address privacy extension; the sequence numbers Qiu, et al. Expires October 18, 2008 [Page 33] Internet-Draft MIP6 location privacy solutions April 2008 appearing in the IPsec headers as well as the Correspondent Binding Updates in one flow may mix with those in another flow; the timing of MIP6 Return Routability packets is easily affected by the background traffic and routing dynamics. Nevertheless, these fields and phenomena provide additional hints to malicious entities. We must update the identity of mobile nodes and should update other invariants as much as possible. 6.2.2. How Often these Invariants should be Updated? Generally, the more frequent the update is, the more likely the profiling attack is prevented and also the higher costs in terms of communication and processing overheads. As the malicious entity has many choices to profile the activities, one might consider updating all the possible invariants with same frequency because the granularity of profiling depends on the longest interval of update. In other words, from the cost-effectiveness perspective, it is not necessary to update some invariants too frequently if other invariants cannot be updated so frequently. 6.2.3. What is the Scope of the Profiling Prevention? From the perspective of a mobile node, the activities when communicating with different correspondent nodes should not be correlated, nor should the different sessions with the same correspondent node. The former case requires that the mobile node use different pseudo home addresses when communicating with different correspondent nodes and the latter case requires that the mobile node use different pseudo home addresses in the different sessions with the same correspondent node. If the mobile node performs handover during the communication with its correspondent node, it is desired that eavesdroppers near the correspondent node cannot track the movements of the mobile node. Different scope of the profiling prevention results in different levels of complexity. In the previous sections, the packet formats when the mobile node uses different pseudo home addresses when communicating with different correspondent nodes are described. 6.3. The Increment of Sequence Numbers in Correspondent Binding Updates RFC 3775 [10] only requires that the sequence number in the Binding Update is greater than that received in the previous valid Binding Update for this home address. However, if the increment of sequence number is fixed, an eavesdropper is able to identify the activities of mobile node. We propose the increment of sequence number as follows: Qiu, et al. Expires October 18, 2008 [Page 34] Internet-Draft MIP6 location privacy solutions April 2008 o seq#_increment = First(8, HMAC_SHA1(Kbm, home nonce index | care nonce index)) o If seq#_increment = 0, then set seq#_increment = 1 o Seq# = (previous Seq# + seq#_increment) modulo (2^16) To avoid causing the sequence number wrapping around quickly and generate enough randomness, the first 8 bits of the keyed hash function output is used. 6.4. The Increment of SPI To prevent eavesdroppers on the MN-HA path correlating the packets based on the constant SPI, both the mobile node and the home agent can update the SPI based on the following method: o SPI_increment = First(8, HMAC_SHA1(Kph, the current SPI)) o If SPI_increment = 0, then set SPI_increment = 1 o the new SPI = (the current SPI + SPI_increment) modulo (2^32) The mobile node and the home agent could update the SPI when a Home Binding Update is sent or received. The new SPI is applied to the next Home Binding Update procedure. Qiu, et al. Expires October 18, 2008 [Page 35] Internet-Draft MIP6 location privacy solutions April 2008 7. Security Considerations This document addresses a security issue in the mobile environment, location privacy. The proposed solutions do not introduce any new vulnerability. 7.1. Home Binding Update Procedure When the mobile node roams to a new foreign subnet, it sends the modified Home Binding Update to its home agent and receives the modified Home Binding Acknowledgement from its home agent. In both messages, the pseudo home address is used in place of the home address. Eavesdroppers is unable to derive the real home address from the pseudo home address and thus to correlate the care-of address with the home address. Moreover, the pseudo home address can be updated to prevent eavesdroppers linking the mobile node's ongoing activities together. The home agent can derive the real home address from the received pseudo home address efficiently because the encryption/decryption operation is done over a small amount of data (in this case, less than 128 bits), thus the home agent could resist the Denial-of- Service attack when attackers flood with the forged Home Binding Updates. 7.2. Reverse Tunneling Mode In this mode, the correspondent node sends data packets to the mobile node's home address, thus it is not aware of the movement of the mobile node. The home agent intercepts the data packets from the correspondent node and tunnels them to the mobile node's care-of address by IPsec ESP tunneling mode. Thus the home address is not visible to the eavesdroppers on the MN-HA path either since the inner IPv6 header is encrypted. 7.3. Route Optimization Mode In this mode, since the mobile node communicates with the correspondent node using its care-of address, the mobile node has to hide its home address from eavesdroppers and even correspondent nodes. This is accomplished as follows. If the mobile node is the initiator of the communication with the correspondent node, it performs the modified Correspondent Binding Update procedure as described in section 3. By replacing the home address with the pseudo home address in the messages involved, the binding between the home address and the care-of address is not disclosed to eavesdroppers and the correspondent node. And the Qiu, et al. Expires October 18, 2008 [Page 36] Internet-Draft MIP6 location privacy solutions April 2008 continuity of the current session is kept. If the correspondent node is the initiator of the communication with the mobile node, the mobile node also performs the modified Correspondent Binding Update procedure with the correspondent node after the first contact. The mobile node can conceal its home address to eavesdroppers only since the correspondent node already knows its real home address. Note the same analysis also applies to the data packets. 7.4. Return Routability Procedure As the pseudo home address is required to be routable, the modified Return Routability procedure provides the same security strength as in RFC 3775 [10]. 7.5. Pre-shared Key Establishment The target of the solution is focused on IP layer. In this case, all of the session keys have been established and shared already. The process of establishing the session keys on the upper layer, such as IKE, which is beyond our scope. Qiu, et al. Expires October 18, 2008 [Page 37] Internet-Draft MIP6 location privacy solutions April 2008 8. Related Work Our work benefits from previous works and discussions. Similar with this document, many drafts proposed using a temporary identity to replace the mobile node's home address in IPsec SA, MIP6 signaling messages and data packets. However, the details of how to generate and update this additional identity are absent. RFC 3041 [12] specifies the mechanism to update a stateless IPv6 address periodically. Although it is possible to update the care-of address and the home address based on RFC 3041, we further consider the shortest interval to do so in order to resist the profiling attack effectively and efficiently. The draft [18] proposes using a temporary identity, TMI, to replace the home address in the scenarios of mobile client and mobile server, and also discussed the feasibility of utilizing CBID/CGA/MAP to further protect the location privacy. However, as a 128 bit random number, TMI is not suitable to be the source IP address in the HoTI message forwarded by the home agent to the correspondent node because TMI is not routable and the home agent cannot receive the HoT message from the correspondent node. Furthermore the draft does not specify how to update TMI or address profiling attacks. The draft [16] proposes to update the identity based on a key and a previous identity. The packet formats are presented. The draft [17] proposes to update the mobile node's home address periodically to hide the movement. The new identity is generated from the current local network prefix, the binding update session key and the previous home address. The new home address is random, routable, recognizable and recoverable. Also it seems that the home address is updated as frequently as the Return Routeability procedure. The draft [20] intends to achieve both route optimization and location privacy at the same time. The proposed solution is to reverse-tunnel the traffic to an additional entity. This kind of architectural solution achieves only the recoverable location privacy instead. 9. IANA Considerations The document does not define any new mobility header and mobility option, but it uses 2 bits ('P' bit and 'Q' bit) from the reserved fields of HoTI message and Binding Update Message respectively. . Qiu, et al. Expires October 18, 2008 [Page 38] Internet-Draft MIP6 location privacy solutions April 2008 10. Conclusion In this document, we introduced efficient and secure solutions to protect location privacy of a mobile node. The central idea is to use a pseudo home address instead of the mobile node's real home address in IP packets of this mobile node. It is possible to update this pseudo home address whenever the mobile node moves to a new location or starts a communication with a new correspondent node. This results in the binding between the care-of address and the home address is hidden to eavesdroppers or even correspondent nodes in some scenarios. Moreover, this pseudo home address is routable, thus the security of this proposed return routeability test is not weakened. We intend to make the best tradeoffs among many related factors during the design. Also we present the thorough analyses of MIP6 location privacy issues and also some best practices to enhance the location privacy. This would help design alternative solutions when a different tradeoff is desired. Furthermore, the mobile node may also desire to hide its movement to the home agent in some cases; the details are beyond the scope of this document. 11. Acknowledgement The authors wish to thank the co-authors of previous drafts from which this draft is derived: Vijay Devarapalli, Hannu Flinck, Charlie Perkins, Feng Bao, Robert Deng, James Kempf, and Jianying Zhou. In addition, sincere appreciation is also extended to Wassim Haddad, Claude Castelluccia, Francis Dupont, Gabriel Montenegro, Greg Daley, Kilian Weniger and Takashi Aramaki for their valuable contributions and discussions. 12. References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [2] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [3] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [4] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. Qiu, et al. Expires October 18, 2008 [Page 39] Internet-Draft MIP6 location privacy solutions April 2008 [5] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [6] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [7] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [8] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [9] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 Specification", RFC 2473, December 1998. [10] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. [11] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents", RFC 3776, June 2004. [12] Narten, T. and R. Draves, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. [13] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [14] Koodli, R., "IP Address Location Privacy and Mobile IPv6: Problem Statement", RFC 4882, March 2007. [15] Koodli, R., Devarapalli, V., Flinck, H., and C. Perkins, "Solutions for IP Address Location Privacy in the presence of IP Mobility", draft-koodli-mip6-location-privacy-solutions-00 (work in progress), February 2005. [16] Bao, F., Deng, R., Kempf, J., Qiu, Y., and J. Zhou, "Protocol for Protecting Movement of Mobile Nodes in Mobile IPv6", draft-qiu-mip6-mnprivacy-00 (work in progress), March 2005. [17] Bao, F., Deng, R., Kempf, J., Qiu, Y., and J. Zhou, "Protocol for Protecting Movement of Mobile Nodes in Mobile IPv6", draft-qiu-mip6-hiding-movement-00 (work in progress), March 2005. [18] Castelluccia, C., Dupont, F., and G. Montenegro, "Protocol for Protecting Movement of Mobile Nodes in Mobile IPv6", draft-dupont-mip6-privacyext-02 (work in progress), July 2005. Qiu, et al. Expires October 18, 2008 [Page 40] Internet-Draft MIP6 location privacy solutions April 2008 [19] Daley, G., "Location Privacy and Mobile IPv6", draft-daley-mip6-locpriv-00 (work in progress), January 2004. [20] Weniger, K. and T. Aramaki, "Route Optimization and Location Privacy using Tunneling Agents (ROTA)", draft-weniger-rota-01 (work in progress), October 2005. [21] Devarapalli, V. and F. Dupont, "Mobile IPv6 Operation with IKEv2 and the revised IPsec Architecture", draft-ietf-mip6-ikev2-ipsec-06 (work in progress), April 2006. Appendix A. Version History o v01 to v02 * Change the document structure. * Describe the process in detail how to derive a serials of secret keys. * New scheme to protect SPI profiling. * Use multi home link prefixes to generate pseudoHoA. * Propose two schemes of transferring BU message to HA in order to match the different protocols (RFC 3776 and IKEv2 in mobile IP). o v02 to v03 * Merger section 5.3.1.and 5.3.2 and a same BU process is employed to the correspondent node regardless initiator or responder. * Introduce a term of identity address to ensure location privacy and communication session continuity o v03 to v04 * Describe and compare the modifications of processing bindings in more detail. * Reformat section 5.3. o v04 to v06 Qiu, et al. Expires October 18, 2008 [Page 41] Internet-Draft MIP6 location privacy solutions April 2008 * Revise the algorithm proposed in section 4. * Update authors information. o v06 to v07 * Add traffic formats. * Update the section of IANA requirement. * Revise according to comments of reviewers Heejin and Vijay. o v07 to v08 * Re-edit section 1. * Update authors information. Authors' Addresses Ying Qiu Institute for Infocomm Research, Singapore 21 Heng Mui Keng Terrace Singapore 119613 Phone: +65-6874-6742 Email: qiuying@i2r.a-star.edu.sg Fan Zhao Marvell Semiconductor, Inc. 5488 Marvell Lane Santa Clara, CA 95054 US Email: fanzhao@marvell.com Rajeev Koodli Starent Networks, Corp. Email: rkoodli@starentnetworks.com Qiu, et al. Expires October 18, 2008 [Page 42] Internet-Draft MIP6 location privacy solutions April 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Qiu, et al. Expires October 18, 2008 [Page 43]