Security Architecture for Global
Host Mobility (MoIPS)
The
objective of this project is to develop technology for the advancement of secure
and scaleable mobile IP-based communication. This includes a Domain Name System
(DNS) based public-key infrastructure (PKI) and key management protocols to be
used by mobility-aware Internet nodes to support authenticated mobile Internet
host location updates and secure efficient IP packet forwarding. It also
includes extension of the IETF Mobile IP standard to support domain-based mobile
host admission control and mobility management. The DNS-based PKI and key
management protocols will allow peer Internet hosts to maintain secure
uninterrupted communication sessions with mobile hosts, while domain-based
mobile IP technology can be used to efficiently support rapid host movements in
the global Internet.
The
project is organized into two overlapping phases, consistent with its
objectives. Phase I focused on the development of an IETF-compatible secure
Mobile IP by integrating a DNS-based PKI and a Diffie-Helman key exchange
protocol with the IETF Route-Optimized Mobile IP. This approach is intended to
enable authenticated IP-based connectivity between mobile hosts (MH's) and
arbitrary "corresponding hosts" (CH's) on the Internet, without requiring all
CH->MH packets to be (inefficiently) forwarded through a "home agent"
intermediate Internet node.
Phase II
is aimed at the development of two extensions of the IETF Mobile IP: an
efficient mobile-host registration protocol to support uninterrupted data flow
during fast handoffs; and a scaleable mobility hiding scheme to limit the
network overhead associated with host location updates. Both of these extensions
will be built upon two basic ideas: (1) separation of the flat Internet into
hierarchical "mobility domains", and (2) division of the mobile host migration
process into two steps -- establishment of a temporary residence when a mobile
host first enters into a mobility domain, and local updates of the "care-of
address" of the mobile host when it changes its attachment point within the
domain. As the result, a mobile host can quickly roam within a domain by
contacting only the mobility agents in the domain, without a requirement to
contact its home agent. The public key management mechanism will be used in
support of the authentication of host location updates and the administration of
domain-based admission control.
-
Testbed Construction:
developed a four-node Internet mobility testbed
with two desktop PCs as base stations and two laptop PCs as mobile nodes. All
four nodes are running FreeBSD UNIX. It is anticipated that the testbed will
be made available on the DARTnet for mobile IP experimentation.
-
Porting Effort:
ported the CMU basic Mobile IP protocol
implementation to the FreeBSD UNIX environment. The ported Mobile IP was
installed and tested on the four-node Internet mobility testbed and was
returned to CMU for future distribution.
-
Authenticaion Key Generation Algorithm:
designed a lightweight authentication key
generation algorithm based on Diffie-Helman key exchange. The algorithm uses
no encryption operations and hence is computationally efficient and may not be
subject to export control restrictions. Such characteristics are of relevance
to the ultimate goal of globally-pervasive authenticated mobile IP
communication involving a variety of Internet node types.
-
DNS-based X.509 Public Key
Infrastructure: (1) added new Resource
Records for X.509 v3 public key certificates and v2 certificate revocation
lists to the DNS system; (2) integrated a hierarchy of certification
authorities and the certificate registration system to DNS zone management;
(3) implemented certificate verification modules for the specific certificate
profiles to be used in secure Mobile IP. The DNS-based PKI will facilitate
general secure IP-level communication and specific authentication requirements
of mobile IP communication.
-
Secure Mobile IP Implementation:
included integration of the lightweight
authentication key generation mechanism and the DNS-based PKI.
-
Hierarchical Domain-based Extensions of
IETF Mobile IP: supports fast handoff and
mobility hiding when mobile hosts are roaming within foreign Internet domains.
Implement essential protocols of the extensions and integrate them with secure
Mobile IP.
-
Integration with
CMU IETF Mobile IP (FreeBSD UNIX
implementation) has been transferred back to CMU for distribution. Secure
mobile IP software developed was made available to the Internet research
community and other interested parties for non-commercial usage and mobility
experimentation.
-
Connection between BBN MoIPS testbed and DARTnet for experimentation within
DARPA community. MoPIS testbed consisted of two desktop PCs as base stations
and two laptop PCs as mobile nodes. All four nodes ran FreeBSD and were used
as BBN's platforms for secure mobile IP development.
-
Participation in Integrated Capability Track (ICT) III under DARPA Global
Mobility (GloMo) Program. MoIPS will offer its secure mobile IP technology to
address the security issues of integrated end-to-end networking.