Cisco Systems 78-11741-02 Wireless Office Headset User Manual


 
Configuring Mobile IP
How Mobile IP Works
IPC-163
Cisco IOS IP Configuration Guide
Figure 28 Mobile IP Typical Packet Forwarding
Mobile IP Security
Mobile IP provides the following guidelines on security between its components:
• Communication between MN and HA must be authenticated.
• Communication between MN and FA can optionally be authenticated.
• Communication between FA and HA can optionally be authenticated.
Also, communication between an active HA and a standby HA, as implemented when using the HA
redundancy feature, must be authenticated. For more information on this feature, see the “Home Agent
Redundancy” section later in this chapter.
MN-HA
In particular, the Mobile IP registration process is vulnerable to security attacks, because it informs the
HA where to tunnel packets to a traveling MN. An illegitimate node could send a bogus registration
request to an HA and cause all packets to be tunneled to the illegitimate node instead of the MN. This
type of attack, called a denial-of-service attack, prevents the MN from receiving and sending any
packets. To prevent denial-of-service attacks, Mobile IP requires that all registration messages between
an MN and an HA be authenticated.
Cisco IOS software supports the Mobile-Home Authentication Extension (MHAE). All registration
messages between an MN and an HA include a mandatory authentication extension.
Message Digest 5 (MD5) is an algorithm that takes the registration message and a secret key and computes
a smaller chunk of data, called a message digest. The MN and HA both have a copy of the key, called a
symmetric key, and authenticate each other by comparing the results of the computation.
The time stamp is an identifier in the message that establishes the origin of the registration request and
the time it was sent, thereby preventing replay attacks. A replay attack occurs when an individual records
an authentic message that was previously transmitted and replays it at a later time. Because the time
stamp is covered by the MD5 computation, it cannot be altered without invalidating the digest.
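The two checks the text describes, the keyed digest over the registration message and the time-stamp test that defeats replays, as an added example that is not Cisco IOS code and not taken from the guide. The byte layout of the request, the prefix+suffix keyed-MD5 construction (MD5 of key, message, key), the seven-second clock-skew window, the shared key and the sample addresses are all constructed assumptions for illustration:

```python
import hashlib
import hmac
import struct

# Constructed symmetric key shared by the MN and the HA (assumption, not a real key).
KEY = b"example-shared-secret"
# Seconds of clock skew the HA tolerates on the time stamp (assumption).
REPLAY_WINDOW = 7


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_request(home_addr: str, care_of: str, identification: int) -> bytes:
    """Pack a toy registration request: type byte, home address, care-of
    address and a 64-bit identification field carrying the time stamp
    (assumed layout; seconds rather than an NTP-style stamp)."""
    return (b"\x01" + _ip_to_bytes(home_addr) + _ip_to_bytes(care_of)
            + struct.pack(">Q", identification))


def mhae_authenticator(message: bytes, key: bytes) -> bytes:
    """Keyed MD5 over the whole message, prefix+suffix mode (assumption).
    The time stamp is inside the message, so it is protected by the digest."""
    return hashlib.md5(key + message + key).digest()


def sign_request(message: bytes, key: bytes) -> bytes:
    """What the MN sends: the message followed by its 16-byte authenticator."""
    return message + mhae_authenticator(message, key)


class HomeAgent:
    """Verification side: recompute the digest, then apply the replay checks."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_id = {}  # home address -> last accepted identification value

    def verify(self, packet: bytes, now: int) -> str:
        message, authenticator = packet[:-16], packet[-16:]
        # Constant-time comparison so the check does not leak digest bytes.
        if not hmac.compare_digest(authenticator, mhae_authenticator(message, self.key)):
            return "reject: authentication failed"
        home_addr = ".".join(str(b) for b in message[1:5])
        (identification,) = struct.unpack(">Q", message[9:17])
        # A recorded message replayed much later fails the window test.
        if abs(identification - now) > REPLAY_WINDOW:
            return "reject: time stamp outside window"
        # A message replayed inside the window must still carry a newer stamp
        # than the last one accepted for this mobile node.
        if identification <= self.last_id.get(home_addr, -1):
            return "reject: replayed registration"
        self.last_id[home_addr] = identification
        return "accept"


def demo() -> list:
    """Run the four cases: valid, replayed, tampered, stale."""
    now = 1_700_000_000
    ha = HomeAgent(KEY)
    packet = sign_request(build_request("10.0.0.5", "192.0.2.7", now), KEY)
    tampered = bytearray(packet)
    tampered[5] ^= 0xFF  # flip a byte of the care-of address after signing
    stale = sign_request(build_request("10.0.0.5", "192.0.2.7", now - 60), KEY)
    return [
        ha.verify(packet, now),
        ha.verify(packet, now + 1),
        ha.verify(bytes(tampered), now),
        ha.verify(stale, now),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The digest check comes first so that an unauthenticated sender cannot learn anything from the replay state, and the per-node "last accepted identification" is what closes the gap the clock-skew window alone leaves open.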
[Figure 28 labels: Mobile node visiting foreign network; Mobile node at home; Internet; Foreign network; Home network; Foreign agent; Home agent; Correspondent node]