CN-5-4-1 - Preventing Replay Attacks
Host
    HA----------R2----------R1----------R0
    |           |           |           |
    |           |           |           |
    |----       |----       |----MN     |----CN(NUT)
    |           |           |           |
    |           |           |           |
Home Link      Link2       Link1       Link0
             (Foreign)   (Foreign)
Link0               3ffe:501:ffff:100::/64
Link1               3ffe:501:ffff:101::/64   Foreign Link
Link2               3ffe:501:ffff:102::/64   Foreign Link 2
Home Link           3ffe:501:ffff:104::/64   Home Link
CN(NUT)             3ffe:501:ffff:100::X     Auto Configuration (InterfaceID)
MN(in Link1)        3ffe:501:ffff:101::Y     Increased in each test (InterfaceID), MN care-of address
MN(in Home Link)    3ffe:501:ffff:104::Y     Increased in each test (InterfaceID), MN home address
R0(Link0)           3ffe:501:ffff:100::1
R1(Link1)           3ffe:501:ffff:101::1
R2(Link2)           3ffe:501:ffff:102::1
HA(Home Link)       3ffe:501:ffff:104::1
Reboot NUT (reboot.rmt)
MN R1 HA R0 CN(NUT)
| | | | |
| | | |------>| 1.RA
| | | | |
| | | |------>| 2.NS
| | | | |
| | | |<------| 3.NA
| | | | |
|-------------->|-------------->| 4.Echo Request
| | | | |
|<--------------|<--------------| 5.Echo Reply
| | | | |
|------------------------------>| 6.Echo Request(Home Address option)
| | | | |
|<------------------------------| 7.BE(Status=1)
| | | | |
|-------------->|-------------->| 8.HoTI
| | | | |
|<--------------|<--------------| 9.HoT
| | | | |
|------------------------------>| 10.CoTI
| | | | |
|<------------------------------| 11.CoT
| | | | |
|------------------------------>| 12.BU(Sequence NO=10000)
| | | | |
|<------------------------------| 13.BA(Status=0)
| | | | |
|------------------------------>| 14.BU(Lifetime=0)
| | | | |
|<------------------------------| 15.BA(Status=0)
| | | | |
|------------------------------>| 16.Echo Request(Home Address option)
| | | | |
|<------------------------------| 17.BE(Status=1)
| | | | |
|------------------------------>| 18.BU(Sequence NO=10000)
| | | | |
|<------------------------------| 19.BA(Status!=0) (*1)
| | | | |
|------------------------------>| 20.Echo Request(Home Address option)
| | | | |
|<------------------------------| 21.BE(Status=1) (*2)
| | | | |
1. Send Router Advertisement.
2. Send Neighbor Solicitation.
3. Receive Neighbor Advertisement.
4. Send ICMP Echo Request.
5. Receive ICMP Echo Reply.
6. Send ICMP Echo Request (Home Address option).
7. Receive Binding Error (Status=1).
8. Send Home Test Init.
9. Receive Home Test.
10. Send Care-of Test Init.
11. Receive Care-of Test.
12. Send Binding Update (Sequence No=10000).
13. Receive Binding Acknowledgement (Status=0).
14. Send Binding Update (Lifetime=0).
15. Receive Binding Acknowledgement (Status=0).
16. Send ICMP Echo Request (Home Address option).
17. Receive Binding Error (Status=1).
18. Send Binding Update (Sequence No=10000).
19. Receive Binding Acknowledgement (Status=135).
20. Send ICMP Echo Request (Home Address option).
21. Receive Binding Error (Status=1).

Packet Format
18. Binding Update
19. Binding Acknowledgement
20. ICMP Echo Request (Home Address option)
21. Binding Error

(*1) MN receives Binding Acknowledgement.
- The Destination Address is set to the Source Address of the Binding Update (MN care-of address).
- The Status field is not set to 0.

(*2) MN receives Binding Error.
- The Destination Address is set to the Source Address of the ICMP Echo Request (MN care-of address).
- The Status field is set to 1.
- The Home Address field is set to the value in the Home Address option of the ICMP Echo Request (MN home address).
(draft-ietf-mobileip-ipv6-24.txt)
9.5.3 Requests to Delete a Binding
If the Binding Cache entry was created by use of return routability nonces, the correspondent node MUST ensure that the same nonces are not used again with the particular home and care-of address. If both nonces are still valid, the correspondent node has to remember the particular combination of nonce indexes, addresses, and sequence number as illegal, until at least one of the nonces has become too old.
5.2.8 Preventing Replay Attacks
The return routability procedure also protects the participants against replayed Binding Updates through the use of the sequence number and a MAC. Care must be taken when removing bindings at the correspondent node, however. Correspondent nodes must retain bindings and the associated sequence number information at least as long as the nonces used in the authorization of the binding are still valid. Alternatively, if memory is very constrained, the correspondent node MAY invalidate the nonces that were used for the binding being deleted (or some larger group of nonces that they belong to). This may, however, impact the ability to accept Binding Updates from mobile nodes that have recently received keygen tokens. This alternative is therefore recommended only as a last measure.
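The behaviour this test checks in steps 12 through 21, modelled as an added example that is not part of the TAHI suite or of draft-ietf-mobileip-ipv6-24: a minimal correspondent-node Binding Cache that keeps the sequence number of a deleted binding until the nonces behind it have aged out (sections 5.2.8 and 9.5.3 above), so a replayed Binding Update with Sequence No=10000 is answered with Status=135 instead of recreating the binding. The class and method names, the nonce lifetime and the explicit clock parameter are assumptions of this model.

```python
# Added example, not from the TAHI suite or draft-ietf-mobileip-ipv6-24: a minimal model of
# the correspondent node's Binding Cache for the replay check in CN-5-4-1. The class and
# method names, the nonce lifetime and the clock parameter are assumptions of this model.
from dataclasses import dataclass

STATUS_ACCEPTED = 0                # BA Status=0 (steps 13, 15)
STATUS_SEQ_OUT_OF_WINDOW = 135     # BA Status=135 (step 19)
NONCE_LIFETIME = 240               # seconds a nonce is considered valid (assumed value)


def seq_is_newer(new: int, last: int) -> bool:
    """16-bit modular comparison: new is 'greater' than last within a half-space window."""
    diff = (new - last) & 0xFFFF
    return 0 < diff < 0x8000


@dataclass
class Entry:
    home: str
    careof: str
    seq: int
    nonce_expiry: float   # when the nonces used to authorize this BU become too old
    active: bool = True   # False after a BU with Lifetime=0; kept only to reject replays


class BindingCache:
    def __init__(self):
        self.entries = {}  # keyed by home address

    def process_bu(self, home, careof, seq, lifetime, now):
        """Return the BA status for a Binding Update that already passed the MAC check."""
        # Forget deleted bindings only once their nonces can no longer be reused (9.5.3).
        stale = [h for h, e in self.entries.items() if not e.active and now >= e.nonce_expiry]
        for h in stale:
            del self.entries[h]
        prev = self.entries.get(home)
        if prev is not None and not seq_is_newer(seq, prev.seq):
            return STATUS_SEQ_OUT_OF_WINDOW   # replayed or out-of-order BU (step 18 -> 19)
        # A deletion keeps the sequence number around instead of dropping the entry (5.2.8).
        self.entries[home] = Entry(home, careof, seq, now + NONCE_LIFETIME, active=lifetime != 0)
        return STATUS_ACCEPTED

    def hao_is_valid(self, home, careof):
        """True only while an active binding maps home -> careof; otherwise the CN
        answers an Echo Request carrying a Home Address option with BE Status=1."""
        e = self.entries.get(home)
        return e is not None and e.active and e.careof == careof
```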