Title: A Scheme of Mobile Firewall in Mobile IPv6
A Scheme of Mobile Firewall in Mobile IPv6
- draft-qiu-mip6-mobile-firewall-00.txt
- Feng BAO, Robert DENG, Ying QIU, Jiangying ZHOU
- 22 August 2018
What are the features of mobile firewall
- The guardians can track and control the activities of the guarded person when they visit a foreign domain as well as the home domain.
- The firewall runs at the Mobility Anchor Point (MAP) that the Mobile Node (MN) visits.
- The guardians can dynamically monitor and control the mobile node's (MN) activities through a remote machine.
- All operations are transparent to the guarded person.
- The guardians can remotely specify the security rules of the firewall.
Where are the firewalls employed
- HA Home Agent
- CN Correspondent Node
- MAP Mobility Anchor Point
- AR Access Router
- MN Mobile Node
[Figure: HMIPv6 topology. The HA and the CNs are reached over the Internet; the Firewall sits at the MAP, in front of AR1 and AR2 inside the MAP's domain; the MN's movement is shown between AR1 and AR2.]
Hierarchical MIPv6 Mobility Management (HMIPv6) framework
How to implement the mobile firewall
- Security Tables (I)
  - Focuses on how to effectively manage the security material, such as security keys, security associations and security rules, in order to minimize the overhead on mobile devices and provide strong security.
  - Trust MAP cache (in Home Agent HA)
  - Security association cache (in HA)
  - Security association cache (in MAP)

Trust MAP cache (in HA), columns:
MAP address | Accepted / Denied

Security association cache (in HA), columns:
MN's HoA | MAP Address | MN's RCoA | MAP's RSA Public Key (PH) | Encryption Key (kEN) | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R) | Time Stamp

Security association cache (in MAP), columns:
MN's HoA | MN's RCoA | MN's LCoA | MN's RSA Public Key (PH) | Encryption Key (kEN) | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R) | Time Stamp
How to implement the mobile firewall
- Security Tables (II)
- Security rule cache (in both HA and MAP)
Item    | Local Address                          | Remote Address | Action      | Life time           | Restriction
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | HA's Address   | Accept      | Any                 | All
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | CN1's Address  | Pass / Drop | Bytes / Time / Both | Application protocols / Ports
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | ...            | ...         | ...                 | ...
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | CNn's Address  | Pass / Drop | Bytes / Time / Both | Application protocols / Ports
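As an added example (not code from the draft or the slides), a minimal Python model of the security rule cache above as the MAP would consult it: each row keys on the MN's RCoA and a remote address and carries the Accept/Pass/Drop action, a Bytes/Time lifetime and a protocol/port restriction. Assumed, since the slides do not say: rows are matched in insertion order with first match winning, a packet matching no row is dropped, and the addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    """One row of the security rule cache as kept at the MAP."""
    local: str                             # MN's RCoA (would be the HoA at the HA)
    remote: str                            # HA's address or one CN's address
    action: str                            # "accept" (HA row), "pass" or "drop"
    byte_limit: Optional[int] = None       # lifetime in bytes; None means "Any"
    expires_at: Optional[float] = None     # lifetime as absolute time; None means "Any"
    protocols: Optional[frozenset] = None  # allowed "proto/port" set; None means "All"
    bytes_used: int = 0                    # running byte count for this row

class SecurityRuleCache:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, local: str, remote: str, proto_port: str, size: int, now: float) -> str:
        """Return 'pass' or 'drop' for one packet between the MN and a peer.
        Assumed: first matching row wins; no matching row means drop."""
        for r in self.rules:
            if r.local != local or r.remote != remote:
                continue
            if r.action == "drop":
                return "drop"
            if r.expires_at is not None and now > r.expires_at:
                return "drop"   # time-based lifetime exhausted
            if r.byte_limit is not None and r.bytes_used + size > r.byte_limit:
                return "drop"   # byte-based lifetime exhausted
            if r.protocols is not None and proto_port not in r.protocols:
                return "drop"   # application protocol / port not permitted
            r.bytes_used += size
            return "pass"
        return "drop"

def sample_cache() -> SecurityRuleCache:
    """Constructed sample rows (documentation-prefix addresses, not real ones)."""
    cache = SecurityRuleCache()
    mn_rcoa = "2001:db8:1::10"
    cache.add(Rule(mn_rcoa, "2001:db8::1", "accept"))                   # HA row: Accept / Any / All
    cache.add(Rule(mn_rcoa, "2001:db8:2::5", "pass", byte_limit=1000,
                   expires_at=100.0, protocols=frozenset({"tcp/80"})))  # CN1: Pass with limits
    cache.add(Rule(mn_rcoa, "2001:db8:3::7", "drop"))                   # CN2: Drop
    return cache
```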
How to implement the mobile firewall
Firewall Setup (I)

  MN                      MAP                      HA
   |------ REG_REQ ------------------------------->|  \
   |<----------------- MAP_DENY -------------------|   | long-term
   |                       |<----- IKE_MSG --------|   | messages
   |                       |   ... set up ...      |   |
   |                       |   ... VPN channel ... |   |
   |                       |------ IKE_MSG ------->|  /
   -----------------------------------------------------
   |------ INI_REQ ------->|                       |  \
   |                       |<----- SEC_RUL --------|   | short-term
   |                       |------ MN_LOG -------->|   | messages for
   |                       |------ MN_LOG -------->|   | monitor/control
   -----------------------------------------------------
   |                       |<----- MN_LEV ---------|

Message exchange among MN, MAP and HA
How to implement the mobile firewall
- Messages in Mobile Firewall
  - REG_REQ: Src=HoA, Des=HA, RCoA, MAP, Flag, Ran
  - MAP_DNY: Src=HA, Des=RCoA, HoA, MAP, Denial, Ran
  - IKE negotiated messages
  - INI_REQ: Src=HoA, Des=CN, CoA(RCoA), Req, Ran
  - SEC_RUL: Src=HoA, Des=MAP, rules, SIG_h
    - rules = e(k_en, security_rules)
    - SIG_h = signature with key S_h over HoA || MAP || rules
  - MN_LOG: Src=MAP, Des=HoA, i, HoA, log
    - log = e(k_en, activity_log)
Conclusion
There are three main parts in our scheme:
- Authentication and authorization
- Management
- Control and Monitor
All the operations are transparent to the mobile nodes. A mobile node will be served in the way specified by its guardian no matter where it roams. The mobile firewall could have the full features of a conventional stateful firewall.
Q & A

Thanks