INTERNET DRAFT P. Mutaf C. Castelluccia February, 2002 INRIA IP Paging Threat Analysis Status of This Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents, valid for a maximum of six months, and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document is an analysis of threats that arise from using link layer paging technologies or IP paging in the Internet where denial-of-service attacks are common and easy. These problems fall in the scope of IP paging, since link layer paging technologies do not have provisions for repelling such threats and the source of an attack may be anywhere in the Internet. In addition, vulnerabilities that may be added by IP paging are also discussed. Table of Contents 1. INTRODUCTION ................................................. 2 2. TERMINOLOGY .................................................. 3 3. ASSUMPTIONS .................................................. 4 4. MALICIOUS PAGING SIGNALING IN IP NETWORKS .................... 4 4.1. Exploiting Legitimate Dormant Mode Bindings ............. 5 4.2. Creating Fake Dormant Mode Bindings ..................... 7 4.3. Creating Fake Paging Requests ........................... 8 Mutaf, Castelluccia Expires August, 2001 [Page 1] INTERNET DRAFT IP Paging Threat Analysis February, 2001 5. ACCESSIBILITY THREATS ........................................ 8 5.1. Imitating the IP Paging Functions ....................... 8 5.2. Impersonating the Functional Entities ................... 9 6. BATTERY DRAINING ATTACKS ..................................... 10 6.1. Awakening a Dormant Host ................................ 10 6.2. Flooding an Active Host ................................. 10 6.3. Flooding a Dormant Host ................................. 10 6.3.1. Target is Stationary ............................... 10 6.3.2. Target is Mobile ................................... 11 7. DISCUSSION OF SOLUTIONS ...................................... 11 7.1. Defeating Attackers Residing Anywhere in the Internet ..........................................11 7.1.1. Weak Authentication Embedded in the IP Paging Protocol .......................... 12 7.1.2. Host Defined Access Control & Adaptive Paging ................................... 13 7.2. Authentication and Authorization of Hosts and Functional Entities ..................................... 13 7.3. Defeating Battery Draining Attacks ...................... 14 8. CONCLUSION ................................................... 15 9. SECURITY CONSIDERATIONS ...................................... 15 10. RELATED WORK ................................................ 16 11. ACKNOWLEDGEMENTS ............................................ 16 REFERENCES ....................................................... 16 AUTHORS' ADDRESSES ............................................... 17 1. INTRODUCTION Currently, the unique role of the IP routing system is routing packets to their destinations. IP paging adds a new responsibility to the routing system: detecting communication attempts of behalf of hosts which have limited energy. As a result, hosts will rely on this new service for their accessibility. Attackers may want to exploit this for rendering hosts inaccessible. Secondly, the network will offer this service at the considerable bandwidth cost of "paging", assuming that this will not be too frequent. In the Internet, this assumption can be abused by attackers. Paging which is intended for optimizing bandwidth use, may become a bandwidth threat. This problem arises from adding the paging functionality (existing link layer paging technologies or IP paging) to the operation of the Internet. Hence it is independent of IP paging. However, this problem falls Mutaf, Castelluccia Expires August, 2001 [Page 2] INTERNET DRAFT IP Paging Threat Analysis February, 2001 in the scope of IP paging since existing link layer technologies do not attempt to solve this problem. In addition, the attackers may be anywhere in the Internet, hence IP layer solutions may be necessary. Finally, in an IP network, attacks that drain a target host's battery by forcing it to continuously receive packets are easy. This problem also falls in the scope of IP paging since currently no other mechanism is intended for protecting battery. RFC 3154 [2] outlines some of these threats. This document is a detailed analysis of the techniques that can be used by attackers for implementing attacks that exploit and sabotage the IP paging service. Additionally the challenges of IP paging security and possible solutions are discussed. 2. TERMINOLOGY Host (H) An Internet host which implements IP paging. Correspondent Node (CN) A node residing anywhere in the Internet. Attacker, attacking host or attacking CN A rogue CN or H. The attacker generally uses forged (random) source addresses, except when impersonating another node. Paging IP paging or link layer paging technologies unified by IP paging as described in [1]. Paging Area A set of cells where a host is likely to be found (subnet->cell mappings are arbitrary) as described in [1][2]. IP Paging functions Dormant Monitoring Agent (DMA), Tracking Agent (TA), Paging Agent (PA) as defined in [2]. Dormant Mode Binding (DMB) The association between a dormant host's state and its identity. Wait-For-Sleep (WFS) timer Period of time a host waits before renewing its DMB (when the host is not in active IP communication). T The value of the WFS timer. Mutaf, Castelluccia Expires August, 2001 [Page 3] INTERNET DRAFT IP Paging Threat Analysis February, 2001 C Attacker's DoS (Denial-of-Service) capacity (in packets/second). Limited by the available bandwidth to the target region and processing power. N The number of DMBs exploited by the attacker. S Paging area size (in number of link layer cells). For simplicity it is assumed that all paging areas have the same size. S is the amplification factor of paging, since one IP packet triggers S link layer frames each received by a different access point (AP). This factor is independent of IP layer concepts such as "subnet". G_dos Malicious signaling gain of paging. Additionally, the definitions of Mobile IP and Mobile IPv6 terms such as home agent, home address, home subnet, care-of-address (CoA), can be found in [3][4]. 3. ASSUMPTIONS In the following threat analysis, the following assumptions are made: o A global security infrastructure is not necessarily available. Hence, authentication and authorization of CNs residing anywhere in the Internet is difficult. o The details of the IP paging protocol are not defined yet. According to recent IP paging proposals, the IP paging functions may be implemented on a single network element or separately in different network elements [5][6][7][8][9]. Therefore, the cases where the IP paging functions are in different network elements, are also analyzed. These assumptions imply that strong authentication and authorization of CNs is difficult. Secondly, if two IP functions are implemented in different network elements residing in different administrative domains, the authentication and authorization of these elements may be difficult. 4. MALICIOUS PAGING SIGNALING IN IP NETWORKS An attacker can exploit link or IP layer paging for amplifying the impacts of DoS attacks that reduce the available bandwidth on a target cellular region. The amplification factor is due to the paging process which consists of searching a destination dormant mode host in multiple cells. Mutaf, Castelluccia Expires August, 2001 [Page 4] INTERNET DRAFT IP Paging Threat Analysis February, 2001 As mentioned above, the bandwidth efficiency of the paging service is based on the assumption that hosts do not receive incoming sessions most of the time (in the order of 90% of time). This assumption has proven true for years and paging has been successfully keeping an equilibrium between paging and registration signaling. However, in a IP network where DoS attacks are very common, this assumption will be probably abused. Attackers may ruin the natural equilibrium between paging and registration signaling. The paging service intended for optimizing the bandwidth use, may become not only sub-optimal but also a bandwidth threat. Paging support is already available in current link layer technologies, hence the amplification factor mentioned above will exist regardless of whether IP paging is deployed or not. The additional threat rather arises from the deployment of an all-IP cellular system with millions of IP hosts. First, in an IP network, sending a single packet is interpreted as a communication attempt (e.g. a TCP SYN segment). If the destination host is dormant, then that packet should initiate paging. An attacker can generate millions of malicious packets, each initiating paging. In conclusion, in an all-IP cellular system, the amplification gain of paging can be exploited much more easily. This problem falls in the scope of IP paging, since link layer paging technologies do not have provisions for defending against such attacks. Furthermore, the source of a DoS attack may be anywhere in the Internet, hence IP layer solutions may be necessary. As a result, it is crucial to understand the methods that attacker can adopt for launching DoS attacks that exploit paging and define solutions if they are indeed feasible. Below is the analysis of the possible techniques for implementing bandwidth attacks that abuse the paging service. 4.1. Exploiting Legitimate DMBs A malicious CN residing anywhere in the Internet can send many packets to many different dormant hosts on a target region. Each malicious packet will be intercepted by one or more DMA(s) which informs one or more PAs. The PA(s) will in turn create signaling for paging the destination host in S cells. In other words, one malicious packet will create S link layer frames each received by a different AP in the paging area. It is noteworthy that the malicious packets have random and different source addresses. Thus, limiting the number of simultaneous pages per CN, does not help. The intervening DMA(s) cannot differentiate between malicious and legitimate packets. Hence, every packet (malicious or legitimate) initiates paging. S is the amplification factor, however this is not necessarily equal to the malicious signaling gain. When paging is exploited, the attacker can not transmit at a rate higher than N/(T+k) packets/second (where, k is DMB update latency). This is because Mutaf, Castelluccia Expires August, 2001 [Page 5] INTERNET DRAFT IP Paging Threat Analysis February, 2001 the attacker has to wait for a previously paged host to renew its DMB. This limits the intensity of the attack. Therefore, the overall malicious gain of this technique should be defined as: N x S G_dos = --------------- ; N/(T+k) <= C (T + k) x C The actual value of T is currently an open issue. Its exact definition is challenged by packet arrival irregularities observed in datagram networks. If T is too small a host may unnecessarily enter IP dormancy upon unimportant but frequent bandwidth degradations during a same session. If T is too large, this will reduce the benefit of paging since the host will enter IP dormancy too late. This issue is out of the scope of this document. The only parameter which is under the attacker's control is N. Therefore whether this technique arises malicious signaling threat depends on an attacker's ability to locate relatively large numbers of dormant mode hosts. If the attacker has high DoS capacity but is not able to locate a large number of dormant hosts, then this attack may result in loss (i.e., G_dos < 1). This is because the attacker will not be able to reap the benefit of high DoS capacity. The attacker's capacity is limited to C packets/second. Then, a full capacity attack will require C x (T + k) dormant mode bindings. For example, if the attacker is capable of pumping 20,000 packets/second, and if T is 10 seconds, then the attacker has to locate approximately 200,000 dormant hosts in order to obtain the maximum gain. In a cellular system, hosts are in dormant mode most of the time (in the order of 90%). Therefore, rather than searching or monitoring dormant mode binding updates, the attacker can simply send many packets to many different hosts in a cellular domain. Probably, most of the destination hosts will be in dormant mode, hence N will be large. Therefore, the attacker's problem is reduced to finding host identifiers. The home addresses and DNS names are attractive host identifiers since they are they are permanent, so the cellular host address collection work needs to be done only once. Home addresses may be even more attractive since they are transmitted over the network in home address options or in routing headers as clear-text. As a result they can be also detected by sniffers. The attacker may probe many home addresses by sending ICMP Echo Request or other packets. Locating a home subnet will be easy. However, guessing valid suffixes among 2^64 possibilities on a subnet may be a difficult task if home addresses are unpredictable e.g. configured using privacy extensions[10], or more similar techniques. Another possibility is to install a network sniffer placed strategically on a link across which many mobile nodes' Mutaf, Castelluccia Expires August, 2001 [Page 6] INTERNET DRAFT IP Paging Threat Analysis February, 2001 packets are routed. This can allow the attacker to obtain many home addresses (found in routing headers and home address options). Privacy extensions could solve this problem since they are intended for not revealing the true home addresses of hosts. However, this ensures privacy during sessions initiated by mobile nodes. A sniffer placed on the path between correspondent nodes and the home subnet can help detect many sessions destined for many mobile nodes, hence their home addresses. Alternatively, the attacker can exploit the DNS by launching a brute force analysis on the name space of a cellular service provider. There may be a continuity in the naming pattern for efficient use name space and the attacker can easily obtain many corresponding home addresses. An important factor which will challenge the attacker is the density of the destination hosts of which the dormant mode bindings are exploited. This can be defined as the number of destination hosts compared to the size of the target region (in number of cells). If the destination hosts are far away from each other, their paging areas may not superpose and the impacts of the attack may not be felt. In order to ensure high destination host density, the attacker can benefit from host location predictability. For example, a majority of the hosts served by a same home agent may be owned by users living in the same region. More importantly, the attacker can sample the CoA of many hosts using their home addresses, get an idea of their whereabouts and select the ones which move more or less in the same region. Probably, this information will remain valid for longtime (possibly years) unless users physically move to other regions, which is unlikely. 4.2. Creating Fake DMBs Alternatively, the attacker can organize a two-party attack where a malicious host creates dormant mode bindings each pointing to a different and "fake" host, and another malicious host (possibly under the control of the same attacker) transmits page trigger packets. Assuming that both hosts transmit C packets/second (not necessarily in a synchronous fashion), it is possible to obtain a much more important malicious gain: G_dos = S x P where P is the number of times a host should be paged before it can be assumed unreachable. This factor is due to the fact that the attacker probably does not reply to pages. The T factor is omitted since the attacker does not need to use a dormant mode binding twice. Fake dormant mode bindings can be directly created by a malicious cellular host. However, it may be also possible to spoof the TA->DMA traffic (if TA and DMA functions are implemented in different network elements). The attacker can impersonate a real Mutaf, Castelluccia Expires August, 2001 [Page 7] INTERNET DRAFT IP Paging Threat Analysis February, 2001 TA, or imitate the TA function, then send one or more DMAs many packets that report fake hosts entering dormant mode. The attacker may be also able to redirect the malicious paging traffic to a target region. In the RFC3154 architecture, the paging area information is provided by the hosts. In this case, the attacking host can issue many dormant mode binding updates as described above, but pointing to one or more paging areas away from its actual location. 4.3. Creating Fake Paging Requests The attacker may impersonate a real DMA or imitate the DMA function and request one or more PAs to page fake hosts. The advantage of this technique is that, the attacker does not need to locate nor create dormant mode bindings. The malicious gain is: G_dos = S x P for the same reasons described in the previous section. 5. ACCESSIBILITY THREATS This section is an analysis of possible malicious techniques that exploit IP paging for rendering hosts inaccessible. The attacks discussed below consist of impersonating one of the functional entities, or imitating the IP paging functions such as TA and DMA. Impersonation of an authorized functional entity can be detected by authenticating its IP address. Whereas, detecting an attacker acting as a TA for example, requires strong binding between the TA's identity and its authorization to act as a TA. In the following discussion, it is assumed that the attacker is able to monitor the packet exchanges between the functional entities, inject packets for impersonating or imitating them, but not capable of dropping packets. 5.1. Imitating the IP Paging Functions If informing the DMA when a host enters dormant mode is under the responsibility of TA, an attacker can pretend TA ability to visiting hosts (assuming that hosts are dynamically informed of the existence and addresses of TAs). A victim host believing to have registered a valid dormant mode binding may become completely unreachable until it obtains a valid binding. The impacts may be much more important than a case where a single access router (AR) is compromised and shut down. A victim host may Mutaf, Castelluccia Expires August, 2001 [Page 8] INTERNET DRAFT IP Paging Threat Analysis February, 2001 be unreachable in other subnets as well (covered by its current paging area). The unreachability duration may be extended up to several hours depending on whether the host frequently crosses paging area boundaries. The threat is considerable if the host does not change its paging area for longtime. Depending on the paging policy, the host may be spoofed repeatedly by the same attacker still pretending TA ability. Similarly, if hosts are dynamically informed of the existence and addresses of DMAs. An attacker imitating DMA function can spoof visiting hosts believing to register their DMBs with an authorized DMA. The impacts are the same as above. 5.2. Impersonating the Functional Entities An attacker on the path H->DMA or DMA->H can monitor many DMBs and host identities. It is also possible to exploit the fact that a given host is probably in dormant mode and guess the address of its DMA. Then, the attacker can impersonate a dormant host and send a dormant mode binding deregistration request. Upon reception of this request the DMA will remove the dormant mode binding of the host or change it to an active mode binding. The host which is still in dormant mode (hence, accessible only via paging) will become unreachable. Unreachability duration may be extended to several hours as described above. It is important to note that the acknowledgement of DMA sent to the host will be probably lost, since it is not a paging request nor sent to a PA. Alternatively, if the attacker is able to monitor the H->TA or TA->H traffic, it is possible to impersonate a host and send its TA a message indicating that the host changed its paging area. Upon receipt of a packet from a CN, the host will be paged in a wrong paging area, hence unreachable. The duration of unreachability may be extended to several hours. Secondly, an attacker on the path DMA->PA, can monitor the paging request messages sent by the DMA. Then, the attacker can impersonate the PA and send the DMA an immediate negative response indication for a host which is probably being paged (in the mean time) by the real PA, but the host has not yet replied due to paging delay. Upon reception of this message, the DMA may return an ICMP "Destination Unreachable" message to the CN. At that point, the host may reply to its real PA, which will in turn send a positive response indication to the DMA. However, the CN's application or transport layer will have already interrupted the session on receipt of the ICMP error message. Finally, an attacker on the path DMA->TA, can monitor the messages sent by the DMA informing the TA that a packet has arrived for the dormant host. Then, by impersonating the TA, the attacker can reply to the DMA with a message indicating a wrong PA's address. The host may be paged in a wrong paging area, hence become unreachable. Mutaf, Castelluccia Expires August, 2001 [Page 9] INTERNET DRAFT IP Paging Threat Analysis February, 2001 6. BATTERY DRAINING ATTACKS The attacks described in this section consists draining the battery of a target host by injecting packets to its link layer. End-to-end authentication does not solve this problem since the target is forced to receive packets in order to check their authenticity. Attacks that flood a target host with outstanding requests already exist. However, when the target is battery powered, this arises a more important threat: the host will become unreachable and incapable of running applications until the user has the possibility to re-charge it's battery. This problem falls in the scope of IP paging since no other mechanism is intended for protecting battery. Below is the analysis of the malicious techniques that an attacker can adopt for draining a target's battery. It is assumed that the attacker and target reside in different subnets. 6.1. Awakening a Dormant Host An attacker can periodically awaken a host by sending 1/T packets/second. Each packet will be intercepted by a DMA, which will in turn start the process of paging the target host. This attack is not different than the bandwidth attack described in Section 4.1. The malicious goal is different but the impacts are the same. 6.2. Flooding an Active Host An attacker can also send an active host C packets/second in order to prevent that host from beginning IP dormancy. Malicious packets may reset the WFS timer, hence the target host may not be capable of beginning IP dormancy. 6.3. Flooding a Dormant Host 6.3.1. Target is Stationary An attacker may try to flood a dormant host by injecting packets to its last known subnet. In this section it is assumed that the target host has not moved to another subnet and the attacker has knowledge of the last CoA used by the target before entering IP dormancy (i.e. the attacker is capable of monitoring its traffic). The attacker's packets may trigger frames destined to the target's link layer if the neighbor cache hold by the AR still contains a mapping between the host's last configured CoA and link layer address. Mutaf, Castelluccia Expires August, 2001 [Page 10] INTERNET DRAFT IP Paging Threat Analysis February, 2001 If a paging channel support is available, the target host's link layer will be no longer listening to the traffic channel, then the attack is defeated. In time-slotted dormant mode, the frames triggered by the attacker's packets will be received by the host's link layer forced to continuously listen to the traffic channel, hence consume battery. The host's link layer cannot switch to or remain in low-power mode. 6.3.2. Target is Mobile The target host may move to another subnet while the attack continues. As time passes, the attacker's uncertainty of the exact subnet of the target will increase. However, the attacker can try to flood the dormant host in several subnets where it is likely to be found. The AR in the new visited subnet will receive the attacker's packets and trigger Neighbor Discovery. If a paging channel support is available, the target host's link layer will not be listening to the traffic channel, hence the attack is defeated. In time-slotted dormant mode, the Neighbor Discovery packets will be buffered by the APs. Next time the target host's link layer wakes up, it will receive this packet. At this point, if the host's IP module is ON and if it has configured a CoA on that subnet (and given that the host's suffix remains the same), the host will reply to the request, revealing its link layer address to the AR. Then, the subsequent link layer frames triggered by the attacker will be continuously received by the host's link layer, which can no longer save power. 6.4. Impersonating or Imitating a PA or DMA The attacker may try to impersonate a PA or imitate the PA function in order to page the target host. Alternatively. the attacker may try to impersonate a DMA or imitate the DMA function and send paging request packets to the target's current PA. 7. DISCUSSION OF SOLUTIONS 7.1. Defeating Attackers Residing Anywhere in the Internet In the threats 4.1 and 6.1 the attacker is a malicious CN anywhere in the Internet. Source addresses of malicious packets are random, hence intervening DMAs cannot differentiate between malicious and legitimate packets. Mutaf, Castelluccia Expires August, 2001 [Page 11] INTERNET DRAFT IP Paging Threat Analysis February, 2001 These attacks can be defeated by the authentication and authorization of CNs before starting the paging process. However, it is assumed that a global security infrastructure is not available, and pre-shared trust relationships with millions of CN anywhere in the Internet will not scale. Hence, strong authentication and authorization using certificates that cryptographically prove identity and access rights are not feasible. Therefore other solutions are necessary. 7.1.1. Weak Authentication Embedded in the IP Paging Protocol Assuming that an attacking CN will not want to reveal its real IP address, a level of security near to strong authentication can be obtained by weak authentication (it is noteworthy that this does not have any bearing on the access rights of a CN). By current DoS practice, the assumption that attacker use random source addresses, generally holds. In this scheme, the intervening DMA sends a special message to the CN. This might be an ICMP "Destination Dormant" message containing a cookie or puzzle request. Then, the session is allowed by the DMA if only the correspondent node satisfies the authentication rule (correct cookie or puzzle reply). The definition of this protocol extension is out of the scope of this document. Other methods for implementing this DMA<->CN handshake prior to starting the paging process, may be also possible. The main problem of this approach is that it requires the modification of CNs. Additionally, care should be taken in order not to add any vulnerability to the CN side. There may be also privacy problems. Whether a given user is in active communication at a given time is possibly important information. This approach may be problematic if upper layers do not already reveal such information. Points in favor of this approach are simplicity, independence of any paging policy, and the existence of administrative or per-host security policies (i.e. a level of security is embedded in the IP paging protocol). There are also motivations other than security. For example, the diagnostic tools such as "ping" can be changed such that it does not unnecessarily cause paging cost and give information of the "actual state" of a destination host without changing its state (i.e. dormant). 7.1.2. Host Defined Access Control & Adaptive Paging Another approach can be the enforcement of per-host access control with the aid of adaptive paging area sizes. This approach separates the threats 4.1, 4.2, 4,3 and 6.1 into: Mutaf, Castelluccia Expires August, 2001 [Page 12] INTERNET DRAFT IP Paging Threat Analysis February, 2001 o Threats 4.1, 4.2, 4,3 Bandwidth attacks (network's problem) o Threat 6.1 Battery draining attack (host's problem) In adaptive paging, each time a host is paged, its paging area size is reduced (on the contrary, it is augmented each time the host crosses the boundaries of a paging area). In [12], paging area sizes are controlled hosts. However if paging area sizes are controlled by the network, the bandwidth attacks described in Section 4 can be defeated, since paging area sizes of the destination hosts will be eventually very small (due to very frequent paging, compared to host movement rate). In threat 4.1, the hosts of which the dormant mode bindings are exploited will have excessively small paging areas, hence can not reap the benefit of paging. This approach says that this is the hosts' problem (just like the threat 6.1). If a host desires protection against these attacks, then this host should register access control rules with its DMA in order to reliably benefit from the paging service. This approach has three problems. First, access control interferes with a host's ability to receive packets from new legitimate CNs. Hence, it is not always desirable. Secondly, per-host access control may not scale well if each host has many trust relationships with many CNs. Third, there exists a possible counter argument saying that paging is a service offered by the network (just like routing), hence paging area availability and helping preserve energy should be under the responsibility of the network. The network should not penalize a given host for not enforcing access control. The main argument in favor of this approach is that, bandwidth can be protected even if the attacking CN uses its real IP address. Secondly, the motivation of paging area size optimization is not limited to security, it is by all means advantageous (however, this is more a paging policy issue). 7.2. Authentication and Authorization of Hosts and Functional Entities The threat discussed in Section 4.2 requires the authentication of hosts so that a host can not have more than one DMB registered with the network. This may be possible if an AAA infrastructure exists. However, whether IP paging should rely on the existence of AAA is not clear. Defending against the accessibility threats discussed in the Section 5 and the bandwidth threat discussed in Section 4.3, requires the authentication and authorization IP paging functional Mutaf, Castelluccia Expires August, 2001 [Page 13] INTERNET DRAFT IP Paging Threat Analysis February, 2001 entities when communicating with each others. This may be difficult however it is hard to exactly define the problem before the IP paging protocol is designed. Defending against the threats discussed in Section 5.1 requires that hosts verify the authorization of DMA and TAs before registering their dormant mode bindings. However, the exact problem is hard to define exactly, before the IP paging protocol designed. 7.3. Defeating Battery Draining Attacks The threat 6.1 is already addressed in Section 7.1. In the following discussion it is assumed that this problem is solved. The most serious battery draining threat is 6.2, i.e. flooding an active host in order to prevent it from beginning IP dormancy. It is desirable to have an IP paging protocol that allows hosts to begin IP dormancy under attack. If in IP dormancy a host's battery is protected, in this case the battery draining threat can be solved. However, beginning IP dormancy under attack may be difficult. With IPsec [11], this might be possible depending on how IP paging is implemented. If packets dropped by IPsec do not reset the WFS timer, then the IP paging module can timeout and begin IP dormancy. Otherwise IPsec can not help begin IP dormancy under attack. This implies that, if the WFS timer is implemented below IP (i.e. at the link layer), IPsec is not helpful. Other solutions may be possible. The attacks 6.3 and 6.4 can be defeated to some extent if the dormant mode binding update message is encrypted and contains a random 64 bits IPv6 suffix (as part of the encrypted payload) that will identify the host in dormant mode. The advantage of this scheme is that, the defense is independent of how IP paging is implemented i.e., whether IP is ON in IP dormancy, or hosts configure CoAs in dormant mode (in this case the host would use its secret suffix for configuring CoAs in dormant mode). This scheme ensures that, only an authorized party can awaken the host (given that the host's current DMA is authorized). An attacker on the path H->DMA can not obtain the secret suffix that identify the target host. It is also noteworthy that no trust relationship is necessary between a given PA and the ARs in its paging area. An attacker can not impersonate a PA nor imitate the PA function in order to awaken a target host, since the dormant host's identity can be only provided by an authorized DMA. This also prevents an attacker from imitating the DMA function in order to awaken a dormant host. Mutaf, Castelluccia Expires August, 2001 [Page 14] INTERNET DRAFT IP Paging Threat Analysis February, 2001 However, DMA's authorization should be verified by the host before the dormant mode binding is registered. This may be difficult as mentioned in the previous section. In summary, battery security can be ensured by the following three mechanisms: 1) Host's capability of starting IP dormancy under attack, 2) Host's capability to check that a given DMA is authorized, 3) Host's capability to secretly share with a DMA its dormant mode identity (e.g. suffix). 8. CONCLUSION This document analyzed the threats that arise from using paging or IP paging in the Internet. Three classes of attacks were described. Attacks that exploit paging for degrading bandwidth on a target cellular region, attacks that drain a target host's battery and attacks that impersonate or imitate the IP paging functions for rendering hosts inaccessible. The bandwidth attacks that exploit paging are especially difficult to deal with, since the attacker can be anywhere in the Internet. DMAs cannot differentiate between malicious and legitimate packets, hence every packet will initiate paging. A global security infrastructure is not available, and pre-shared trust relationships with millions of CN anywhere in the Internet will not scale. This attack, many seriously reduce the motivation of using paging in the Internet. Paging is intended for optimizing battery. However, if it is exploited well, it may become a bandwidth threat. The above threat has also important implications on battery consumption on target hosts'. The remaining battery draining threats can be possibly defeated more easily. This document discussed several solutions, others may be possible. IP paging may also add new accessibility threats. Depending on how the IP paging protocol is designed, these problems may be difficult to deal with. However, these issues are currently not clear since the interactions between the IP paging functions are not yet defined. 9. SECURITY CONSIDERATIONS This document is a security analysis of IP paging. Mutaf, Castelluccia Expires August, 2001 [Page 15] INTERNET DRAFT IP Paging Threat Analysis February, 2001 10. RELATED WORK RFC3154 also mentioned a paging buffer overflow threat. For implementation reasons there may be an upper limit on the number of concurrent sessions on behalf of which a destination host can be paged. This upper limit will equal the size of a buffer where the first packets of the session initiating peers are hold (by the dormant monitoring agent). RFC3154 assumes an aggregated buffer, resulting in important threats. However, as will be shown below, when this buffer is per-host the threat is not serious. An attacker can send many packets (with different source addresses) to a destination host which is in dormant mode, in order to overflow the buffer where its concurrent session requests are hold. The main factor is the paging latency, i.e. the time period between initiating the paging process (by the dormant monitoring agent) and receiving its reply. This delay may be important. During this period, if the paging buffer is full, all packets from legitimate correspondent nodes will be lost. However, the first packet of the attacker will initiate paging and the host will send a MIPv6 binding update to its home agent. Then, the next packets of the correspondent nodes will reach the host. When paging buffers are per-host, this attack can be serious only when combined with the congestive impacts of another DoS attack causing packet loss (in particular, loss of paging and paging reply packets). In this case, the host may become unreachable instead of suffering from degraded performance. The vulnerability added by IP paging is the paging delay which is much more important than the processing delay of an ordinary IP router. As a result, additional risk exists, but it is difficult to exploit. 11. ACKNOWLEDGEMENTS The authors would like to thank James Kempf who has reviewed the threat analysis, and also Yoshihiro Ohba and Erik Anderlind for their valuable comments on the ICMP "Destination Dormant" message proposal during Seamoby mailing list discussions. In particular, Erik Anderlind pointed out the possible privacy problems with this approach. REFERENCES [1] Kempf, J., Editor, "Dormant Mode Host Alerting ("IP Paging") Problem Statement", RFC 3132, June, 2001. [2] Kempf, J., et. al. "Requirements and Functional Architecture for an IP Host Alerting Protocol," RFC 3154, August, 2001. [3] Johnson, D. B. and Perkins C., "Mobility Support in IPv6", Work in Progress, July 2001. Mutaf, Castelluccia Expires August, 2001 [Page 16] INTERNET DRAFT IP Paging Threat Analysis February, 2001 [4] Perkins, C., "IP Mobility Support for IPv4", RFC 3220, January 2002. [5] Faccin, S., et. al., "Dormant Mode Handover Support in Mobile Networks," draft-koodli-paging-00.txt, Work in Progress. [6] Liebsch, M., Renker, G., and Schmitz, R., "Paging Concept for IP based Networks," draft-renker-paging-ipv6-01.txt, Work in Progress. [7] Ohba, Y., Nakajima, N., and Zhang, T., "LH-DMHA - Last Hop DMHA (Dormant Mode Host Alerting) Protocol," draft-ohba-seamoby- last-hop-dmha-02.txt, Work in Progress. [8] Sarikaya, B., et. al., "Mobile IPv6 Hierarchical Paging," draft-sarikaya-seamoby-mipv6hp-00.txt, Work in Progress. [9] Gurivireddy, S., et. al., "Layer-2 aided mobility independent dormant host alerting protocol," draft-guri-seamoby-lahap- 00.txt, Work in Progress. [10] Narten T. and Draves R., "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", Work in Progress, July, 2001. [11] Kent S. and Atkinson R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [12] Castelluccia C. and Mutaf P., "An Adaptive Per-Host IP Paging Architecture", ACM SIGCOMM CCR Special Issue on Wireless Extensions to the Internet, October 2001. AUTHORS' ADDRESSES Pars Mutaf INRIA Rhone-Alpes 655 avenue de l'Europe 38330 Montbonnot Saint-Martin FRANCE email: pars.mutaf@inria.fr phone: +33 4 76 61 55 07 fax: +33 4 76 61 52 52 Claude Castelluccia INRIA Rhone-Alpes 655 avenue de l'Europe 38330 Montbonnot Saint-Martin FRANCE email: claude.castelluccia@inria.fr phone: +33 4 76 61 52 15 fax: +33 4 76 61 52 52 Mutaf, Castelluccia Expires August, 2001 [Page 17]