Secure and efficient binding updates in host-based distributed...
Transcript of Secure and efficient binding updates in host-based distributed...
Secure and efficient binding updates in host-based distributedmobility management
Seyeong Lee1 • Hyoung-Kee Choi1 • Ejin Kim1• Jong-Hyouk Lee2
Published online: 4 December 2017� Springer Science+Business Media, LLC 2017
AbstractRapid evolution in mobile communication is geared toward reliable and responsive network connectivity, thereby
necessitating a network protocol operated in a distributed fashion. Distributed mobility management (DMM) achieves low
latency and high reliability by shifting the main signaling functions from the core center to the edge of the network.
However, there is still room for improvement, especially in the delay response of security operations. This paper proposes
the design of an efficient security protocol for binding updates in a DMM environment. The proposed security protocol is
designed especially for host-based DMM in which a mobile node plays an active role in mobility and authentication
signaling instead of delegating it to the network. The security and performance of the new design are evaluated via
theoretical analysis and empirical evaluation in both a laboratory and a live network setting. Based on these evaluations, we
contend that in terms of security and performance the proposed security protocol is practical for host-based DMM.
Keywords Distributed mobility management (DMM) � Centralized mobility management (CMM) � Binding update (BU) �Quadratic residue (QR)
1 Introduction
Ongoing radical revolution in the 5G standard has
demonstrated that technology requirements are not merely
doubling at the speed of an air interface. Instead, the
demand is for a ubiquitous, reliable, and responsive mobile
broadband network that will carry network traffic with
always-on availability and little-to-no latency. This shift in
the service paradigm and momentum of the technology
revolution will bring us unprecedented network connec-
tivity through the Tactile Internet.
The Tactile Internet [1, 2] brings ultrareliable and
ultraresponsive network connectivity that enables it to
deliver real-time steering and physical tactile experiences
remotely. A low round-trip latency in conjunction with
carrier-grade robustness and availability will make the
Tactile Internet capable of servicing the aspects of our
social life. The very low latency on the order of 1 ms or
less is unattainable if the processing logic is located in the
center of a network. This is because data traffic must travel
for processing from the edge to the center and return.
Mobile edge computing (MEC) overcomes this lag by
transforming mobile base stations into intelligent service
hubs. This transformation exploits the close proximity of
mobile nodes (MN) and forms decentralized entities at the
edge of the Internet. A key challenge of 5G wireless access
and core networks is to cope with a distributed architectural
design to offload centralized services and a protocol opti-
mization for efficient and prompt delivery of data traffic.
Another characteristic represented by 5G wireless
mobile networks is the mobility of nodes. When a mobile
node moves from one network to another its IP address
& Hyoung-Kee Choi
Seyeong Lee
Ejin Kim
Jong-Hyouk Lee
1 Department of Computer Science an Engineering,
Sungkyunkwan University, Suwon, South Korea
2 Department of Software, Sangmyung University, Cheonan,
South Korea
123
Wireless Networks (2019) 25:1443–1459https://doi.org/10.1007/s11276-017-1603-1
changes to reflect the new network address. The change
must be transparent to the other end node for session
continuity. Providing an illusion of location-independent
routing of an IP datagram involves additional signaling
traffic and network delays. Sometimes frequent hopping
between networks by a number of mobile nodes may sig-
nificantly affect the performance of a 5G network.
Numerous proposals for mobility management have
been proposed, and the Internet Engineering Task Force
(IETF) has elected extensions or modifications of the well-
known, yet classic, IP mobility version 6 (MIPv6) [3],
Proxy Mobil IPv6 (PMIPv6) [4], and Dual Stack Mobile
IPv6 (DSMIPv6) [5] as standard mobility management for
the core network in the 5G.
These classic approaches to mobility managements are
all based on a centralized scheme in which mobility
anchors in the center of a core network distribute data
traffic to and from the mobile node. A downside of such a
centralized scheme is the time required for all data traffic
generated from the edge to make the round trip to and from
the center of the core network. The result inevitably may be
to overload the core network as mobile traffic increases
rapidly and significantly. Another problem in deploying
centralized mobility management (CMM) is the lack of
scalability for a single mobility anchor. Distributed
mobility management (DMM) is proposed as a way to
overcome such weaknesses by placing the anchor close to
the edge of the network [6, 7]. The responsibilities of the
single anchor are distributed over the access routers where
the mobile node is currently under control. The change in
role from center to edge and the routing path optimization
for delay enhancement are aligned with a contemporary
design requirement for a mobile network as seen in the
Tactile Internet.
Despite incremental progress in the DMM to shorten the
network delay, works for improving security operations
and correctness for the DMM is lagging because a main
body of security implementation has been shifted to the
network side and the first hop security was not specific to
the DMM anymore. In other words, the current DMM
simply inherits the security operations that have been
developed for CMM, which means no architectural con-
siderations of DMM.
Our goal in this paper is to take significant steps toward
a mobile network security mechanism that reduces the
volume of signaling traffic and at the same time strengthens
security against nefarious attacks. We examined possible
optimization of security by having the MN carry a token to
verify session ownership. The MN shares the secret token
with a mobility anchor (MA) at the instant a session starts.
Later, the MN may change the MA as it moves and atta-
ches to another MA. Data traffic remains deliverable to and
from the other end node by a tunnel established between
the new anchor and the first anchor. We assigned the first
anchor the role of verifying the ownership of the session at
the time the tunnel is established. The MN and the first
anchor mutually verify session ownership be checking the
secret token.
The proposed protocol includes a few distinct ideas
advanced in other studies. We could have designed security
of the mobility management without any involvement of
the MN. This idea has numerous potential advantages such
as mobility localization and easy extension to other tech-
nologies. However, in what might be called network-based
mobility management, the MN must delegate security
operations to the network, thereby playing a passive role in
the verification of changing locations. The success of this
delegation hinges on a trust relationship between the net-
work and the MN, which in most cases cannot be assumed
to be guaranteed. Consequently, we dispensed with a net-
work-based approach. Instead, in the proposed protocol,
the MN actively participates in negotiating the security
parameters with network entities. From this perspective,
the proposed protocol is an extension of a host-based
mobility management scheme. In addition, we wanted the
proposed method to outperform existing protocols and still
introduce lesser imperative amendments to the behavior of
existing devices and protocols. This requirement leads us to
design new functions that can be realized by updating
software in the current system.
The remainder of this paper is as follows. Section 2
presents related works for Internet mobility. Section 3
presents our design goals for securing mobility signaling in
a host-based DMM environment. The proposed security
protocol is then illustrated with detailed operation
descriptions in Sect. 4. Section 5 presents conducted
analysis results of the proposed protocol. Section 6 is also
given to provide the literature survey. Section 7 concludes
this paper.
2 Architectural network model
2.1 Mobility management
Host-based mobility management in the MIPv6 is built on
hierarchically centralized mobile architecture in which a
central MA called a home agent (HA) manages mobility
context and routing information for all registered mobile
nodes. The MA maintains a database to bind an IP address
of the MN to a location of the MN. Data traffic between an
MN and its communication peers (also known as corre-
1444 Wireless Networks (2019) 25:1443–1459
123
sponding nodes, CNs) must transit through the MA. As the
MA tends to be located in the center of a core network for
better accessibility from all mobile nodes all data traffic to
and from the moving MNs usually passes to the central MA
in the core network. That obviously causes a long trans-
mission latency of data traffic.
Mobility management in the MIPv6 are designed to
maintain the continuity of ongoing sessions for an MN so
that the MN can change its point of attachment to the
network without interrupting ongoing sessions with the
CN. A function of mobility management assigns the MN
two addresses. One is a static home of address (HoA) the
CN uses to identify the MN. The other address is a dynamic
care of address (CoA) the MA uses to locate the MN. The
CN associates all conversational context with the MN as
occurring through the HoA. Regardless of the MN’s
dynamic CoA, this association gives the CN an illusion that
it is connected to the MN located at a static HoA. If the MN
changes its CoA by visiting a new foreign network, the MN
must immediately inform the MA and the CN of the new
CoA.
The MIPv6 protocol uses a binding update (BU) to
update the CoA of the MN when the MN changes its point
of attachment. The BU has two purposes. In the first, the
BU registers the MN’s CoA at the MA. To prevent any
attempts to modify BU messages, a secure channel is
established between the MN and the MA by using the IP
security (IPsec). In the second, the BU delivers the new
MN’s CoA to the CN to assure that the CN can still reach
the MN at the new location. The routing path is somewhat
suboptimal because packets from the CN are routed to the
MA and then tunneled to the MN’s location. This routing
path is inefficient because it forms a triangular shape. The
MIPv6 protocol eliminated this inefficient routing through
a new mechanism, called Route Optimization (RO), that
connects the CN directly to the MN, bypassing the MA.
The architectural design of the CMM has at least two
issues: performance and scalability. High traffic volume
through the MA may burden the core network. A subop-
timal routing option tends to augment a delivery path,
degrading the delay response between communicating
parties. All MNs sharing the same home network should
choose the same MA. If the MA fails, all the MNs under its
control become incapable of communicating with any CNs
in the networks. These problems are becoming real and
worsening because of the growing number of devices
attached to networks and by the large volume of traffic
generated by bandwidth-hungry applications.
Distributed mobility management (DMM) suggests an
attractive solution to those issues in the centralized
mobility management. A key concept in its design is that it
shifts the roles and functionalities of the MA from a central
HA to multiple access routers (ARs) located at the edges of
the network. This shift is naturally aligned with a con-
temporary design preference for a flat network architecture
in pursuit of a low-delay latency. An AR is typically
located close to the MN, forming a direct routing path
between the MN and the CN. Unlike CMM that permits
only one-way traffic from the CN to the MN to flow in a
direct path, the DMM allows traffic to flow in a direct path
both ways.
In the DMM not only is the location of the HA moved to
edge networks but its functionality is also distributed to
multiple access routers [8]. Because a multitude of ARs
share the duties of the MA, DMM is scalable and largely
immune to failure. The flat mobile architecture permits
traffic to be dispersed locally close to the edge networks
and the MN. As a result, significant volumes of traffic can
bypass the complex backhaul and core infrastructure.
2.2 Binding update in host-based DMM
A DMM approach inherits many features of CMM. The
BU is one of the CMM features that DMM adopts after
slight modification. The MN in the host-based DMM still
owns two network address, the HoA and the CoA. The MN
is still required to use the BU to update a new CoA at the
MA. However, the BU for the RO is unnecessary because
the shift to the flat architecture has already resulted in
routing path optimization. This means that the CN does not
get updates of changing CoAs and always identifies the
MN with the MN’s HoA.
Figure 1 illustrates the BU procedure in host-based
DMM [6]. In the beginning MN, without any history of
mobility, is in the network boundary of AMA1 and is
assigned an IP address of AMA1::MN1 (� in Fig. 1). MN
initiates its first conversation with CN1 while remaining in
the network. MN associates a serving AMA with AMA1 for
the current session. MN also remembers AMA1 as an
original AMA in order to distinguish the first serving AMA
from the rest of the serving AMAs. While talking to CN1,
MN moves to the second network (` in Fig. 1). At this
point, MN’s new address is changed to AMA2::MN1 and
AMA2 becomes a new access router. Soon afterward, MN
sends the BU message to AMA2 (´ in Fig. 1). This message
includes information of the original AMA and a list of
MN’s past IP addresses since this session started.
AMA2 sends the access binding update (ABU) message
to the original AMA (ˆ in Fig. 1). This message is
intended to deliver a new location of MN and to request to
set up an IPsec tunnel with the original AMA. The original
AMA responds with an access binding acknowledgment
(ABA) message to permit the IPsec setup (˜ in Fig. 1).
AMA2 sends back an acknowledgment of the BA message
to MN (Þ in Fig. 1). MN’s registration at the AMA2’s
network is completed. At the same time, MN changes the
Wireless Networks (2019) 25:1443–1459 1445
123
serving AMA to AMA2. An IPsec tunnel is established (þin Fig. 1) between AMA1 and AMA2.
The CN does not even recognize MN’s movement in the
network. Without knowledge of MN’s movement, CN1
continues to send packets to MN at an address of
AMA1::MN1. Upon receiving these packets AMA1 finds
out from its binding cache that MN has moved to the
second network and forwards these packets to AMA2
through the IPsec tunnel. AMA2 learns from its binding
cache of MN’s existence in its network boundary and
delivers the packets to MN. Packets sent to CN1 from MN
also follow the same path in a reverse order.
An MN records a current IP address and past IP
addresses with a state for ongoing sessions. The current IP
address is set to a state of ‘‘preferred,’’ and past IP address
are relegated to ‘‘deprecated.’’ If MN creates another con-
versation with CN2 in the second network, MN uses an IP
address of AMA2::MN1. The original AMA is assigned to
the current access router, AMA2. If MN moves to a third
network while maintaining two sessions in parallel, the BU
procedure is quite similar, with some exceptions, to the one
shown in Fig. 1. The exceptions are (1) the serving AMA
changes to AMA3; (2) AMA3 creates an IPsec tunnel with
AMA1 for the first session and another IPsec tunnel with
AMA2 for the second session; and (3) AMA1 releases the
IPsec tunnel with AMA2 that was created for the first
session.
3 Design goals
Some security requirements were imposed in the course of
designing the system. These requirements were made after
taking into consideration both practical implementation
issues and performance issues.
3.1 Adversarial model
Unfortunately, unprotected and unauthenticated BU mes-
sages may allow intruders an easy means of access to
maliciously manipulate BU messages to hijack an ongoing
session to a location chosen by the intruder. This security
problem is caused by an IP’s inability to attach a unique
identifier to the multitude of locations in mobility and
multihoming environments. Further, IP does not support an
easy means for the MN to claim ownership of a session. To
overcome such vulnerabilities, the DMM is outfitted with
existing security mechanisms.
In one of these, the IPsec establishes a secure tunnel
between the two ends after these ends authenticate each
other and then share a secure key by using the Internet Key
Exchange version 2 (IKEv2). The IPsec tunnel protects
packets in the routing path between the serving AMA and
the original AMA. Moreover, most of the edge networks
grant foreign devices access their networks only after
proper security is set up on those devices according to the
link-layer protocol. We assume that link-layer security
such as Extensible Authentication Protocol (EAP) protects
the first hop link between the wireless interfaces of the MN
and the serving AMA. In this setup an authentication server
must detect rogue routers. The MN’s movement does not
change the routing path between the original AMA and the
CN. This means that the CN does not participate in
mobility management and that security in the routing path
beyond the original AMA hinges on security of the IP
layer.
This combination of the two mechanisms, the IPsec and
the link-layer security, is still insufficient for the security of
BU between the MN and the original AMA. The serving
AMA does not play a main role in the BU because it
changes over the course of a single session as the MN
1AMA2AMA
A�achment to AMA2
Route Solicita�on
Route Adver�sement (AMA1::/64)
Route Solicita�on
Route Adver�sement (AMA2::/64)
Binding Update
Access Binding Update
Access Binding Acknowledgement Binding Acknowledgement Bi-direc�onal IPsec Tunnel
MN
A�achment to AMA1
AMA1::MN1/64
AMA2::MN1/64
Fig. 1 Procedures of binding
updates in the host based DMM
1446 Wireless Networks (2019) 25:1443–1459
123
moves into new networks. Mobility contexts, including
security parameters, cannot be stored in the serving AMA.
Although one would prefer a single end-to-end security
mechanism applicable to the MN and the original AMA,
the basic security model in DMM is to divide the path
between the main entities into two segments and to apply a
separate independent security mechanism for each seg-
ment. Sometimes, these two separate security mechanisms
do not work as one in the process of verifying the two main
entities as a session owner.
This clear lack of effectiveness of the basic security
model opens the operations of DMM to at least two kinds
of threat models. One is the risk that an ongoing session
will be hijacked. The other is a vulnerability to a form of
denial-of-service (DoS) attack. We will consider each of
them in turn.
3.1.1 Session hijacking by malicious MN
Before the session hijacking attack the MN in the network
of N1 is communicating with the CN as shown in � in
Fig. 2. After the MN has visited several networks, the
serving AMA and the original AMA for an ongoing session
are AMA1 and AMA2, respectively. An attacker in the N3
network who has already acquired the MN’s IP address
sends the BU message toward the CN in N2, pretending to
be the MN. The AMA3 in the N3 network accepts the
message and forwards the ABU message to AMA2. Upon
receiving the ABU from the attacker, AMA2, which is not
capable of authenticating the origin of a message, responds
positively to AMA3 about the ABC message. Next, AMA2
releases the tunnel set up for AMA1 and proceeds to create a
tunnel with AMA3. From this point on, all packets destined
to the MN are detoured to the attacker (see ` in Fig. 2).
The main reason this attack can succeed lies with the
inability of the original AMA to authenticate the MN as an
owner of a session. This attack assumes an attacker has
access to two pieces of information: (1) the IPv6 address of
a victim; and (2) an original AMA for a target session. An
IPv6 address is a combination of the network address and
the MAC address encoded with EUI-64, factors that lend
themselves to guess the correct address. An original AMA
is also easy to acquire by monitoring two ends of the
current IPsec tunnel.
3.1.2 N-jump attack
An MN keeps a history of the IP addresses associated with
each and every ongoing session. This means that the
binding cache of an MN may have N IPv6 addresses if an
MN has visited N different networks and created at least
one session in each one and those N sessions are still
running. In parallel, the MN have N IPsec tunnels bridging
between the serving AMA and N original AMAs for
N different sessions. Figure 3 illustrates N IPsec tunnels
between serving AMA AMAm to N original AMA, AMA1
through AMAn.
An attacker can exploit the large cache size and over-
heads to keep multiple sessions levied on the MN. An
attacker triggers an attack by launching the BU message
toward its access router, AMAa and pretending to be the
MN. This BU message includes the current serving AMA
and information regarding N ongoing sessions and their
original AMAs and their past IPv6 addresses. According to
the DMM, AMAa contacts each original AMA for N ses-
sions and signals a change in the MN’s location to AMAa.
All IPsec tunnels are reestablished between the AMAa and
N original AMAs. At the same time, the IPsec tunnels
centered on the MN’s serving AMA are released.
Overheads levied on the serving AMA and the network
are proportional to the number of networks the MN visits.
The amount of traffic can be quite significant if the number
increases or if the frequency of the false BU increases. This
attack can be categorized as a DoS attack because an
AMA2 AMA3
MN
A�acker
AMA1
N3N2
N1
CNTunneling
Fig. 2 A session hijacking
attack. Two communicating
parties before attack (�) and
after attack (`)
Wireless Networks (2019) 25:1443–1459 1447
123
attacker’s single fake BU can result in a significant amount
of traffic and overhead in the network.
This vulnerability originates in the decentralization of
mobile traffic and distributed MA responsibility. Decen-
tralization makes it difficult for the BU to validate a
request. The difficulty worsens as the number of networks
visited by the MN increases. The distributed access router
near the edge is prone to physical attacks and opens the
door to participation in man-in-the-middle (MITM) types
of attacks. Furthermore, this attack is possible because the
MN does not participate in the negotiations that set up the
IPsec tunnel; as a result, anyone can change the two end
points of the tunnel. Checking on address ownership by a
reachability test thus will enhance the level of security
significantly.
3.2 Security requirements
In consideration of security requirements we do not pro-
pose any improvements to stand against any attacks already
caused by vulnerabilities in IPv6 security. The security
policy we propose tries to maintain a degree of security at
least equal to the security of the IPv6 and limits the scope
of application only to those related to incidents involving
mobility. We have found at least three weaknesses of the
BU in the considered host-based DMM.
3.2.1 Session ownership
At the time requests are made to switch a serving AMA,
the original AMA is unable to verify if a challenging MN
owns the session. Upon receiving the ABU message in
Fig. 1, the original AMA is ready to switch an end point of
the IPsec tunnel to the new serving AMA specified in the
message. However, the original AMA is unable to verify
that the message just received truly originated from the MN
that created the current session. It is also unable to
authenticate the ABU message as free of manipulation.
3.2.2 Active participation in authentication
As the main entities, the MN and the original AMA should
interact directly with each other to negotiate security
parameters in the BU. However, the MN delegates to the
serving AMA the relay of messages between these main
entities. Working on behalf of the serving AMA, the MN
negotiates directly with the original AMA to detour the
IPsec tunnel to its location. Because of the limited infor-
mation conveyed by the ABU message, the original AMA
cannot examine the authenticity of the request. Conse-
quently, the original AMA grants the detour after simple
checks of the information. The main cause of this weakness
is the MN’s passive role in changing one end of the IPsec
tunnel.
3.2.3 Location reachability
Because the bare IP was designed without any considera-
tion of mobility, a sender of IP packets cannot bind the IP
address to a location, meaning no easy means exist for a
receiver to assert the location of the sender. This inserts a
security weakness into the host-based DMM by permitting
an adversary to manipulate the MN location to one the
adversary chooses. Security in the DMM [6, 8] could be
enhanced by enabling the original AMA to verify each
purported new location of an MN.
AMA1
AMAaA�acker AMAn
AMA2
...
AddressAMA(n)::MN
StatePreferred
Binding Update List
AMA(n-1)::MN Deprecated... Deprecated
AMA2::MN DeprecatedAMA1::MN Deprecated
MNAMAm
Fig. 3 N jump attack. MN has N hosts in the binding update list
1448 Wireless Networks (2019) 25:1443–1459
123
4 Proposed security protocol
The proposed protocol is composed of two phases: (1) an
information register, and (2) information verification. In
implementing the proposed protocol, we eliminated a
heavy-weighted IPsec tunnel for low overheads. We
adopted the quadratic residue problem for the sharing of a
secret key and Rabin public key encryption for finding the
unique square root of the quadratic residue.
4.1 Quadratic residue problem
An element Q 2 Zn is a quadratic residue mod n if there is
an element r 2 Zn such that r2 � Q mod nð Þ [9]. Otherwise,Q is called a quadratic nonresidue mod n. The quadratic
residue problem is to determine if an integer a 2 Zn is a
quadratic residue. This problem is easy to solve if the
moduli are an odd prime. If a is a quadratic residue in the
odd prime modulus, then a has two square roots. If the
moduli are a composite number of two odd primes, that is
n ¼ p � q, and these two primes are congruent to 3 modulo
4 (p � 3mod 4Þ every quadratic residue mod n has four
square roots. Finding square roots of quadratic residue a �r2 mod nð Þ is also easy if p; q are available.
Applying the Chinese remainder theorem to
a � r2 mod nð Þ, we can say that a � r2p mod pð Þ and a �r2q mod qð Þ in which rp and rp are a square root of a quad-
ratic residue mod p and mod q, respectively. Quadratic
residue a has two square roots in mod p (rp1, rp2) and two
square roots in mod q (rq1, rq2). Using the Euler’s criterion,
we can derive Eq. 1 and find four square roots of quadratic
residue a in Eq. 2.
�a pþ1ð Þ=4� �2
� a pþ1ð Þ=2 � a p�1ð Þ=2 � a � a mod p where
a p�1ð Þ=2 � 1 mod p
ð1Þ
rp � �a pþ1ð Þ=4mod p and rq � �a pþ1ð Þ=4mod q ð2Þ
If p; q are unavailable, finding the square root is as hard as
an integer factorization problem. The difficulty of finding a
square of the quadratic residue in composite moduli has
been applied for many cryptographic systems, including
Rabin public key encryption.
In Rabin public key encryption [10], a public key is n,
and a private key is p; qð Þ in which n ¼ p � q. Message M is
encrypted by using C ¼ M2mod n. Ciphertext C is a
quadratic residue mod n of plaintext M. For decryption, the
Rabin scheme solves a square root of the ciphertext. The
solution determines four square roots. Determining which
of these is the plaintext becomes straightforward with a
predetermined redundancy appended to the plaintext. For
instance, the redundancy could be the last ten bits of the
plaintext. If this is the case, finding the plaintext among the
four roots becomes clear: one root with a duplicate of the
last 20 bits. Rabin encryption is quite efficient because it
only involves a single modular squaring. Rabin decryption
is slower than encryption, but comparable in speed to other
encryption schemes with similar strength.
4.2 Phase 1: Information register
The first stage happens once in the beginning of a session.
The main goal at this stage is to share a secret for a session
between the MN and the original AMA. Figure 4 illustrates
a diagram of four messages exchanged in the first phase.
M1-1 and M1-2 (Preparation) The MN is connected to
a network in which AMA1 is an access router. The MN
exchanges the router’s solicitation message and its adver-
tising message with the access router in order to assign the
MN’s IPv6 address to AMA1::MN/64.
M1-3 (Binding update) As shown in Fig. 4, the MN
sends the BU message to the original AMA, AMA1. This
message carries two pieces of information, the MN’s IPv6
address and a composite number, n. The composite number
is a product of two large, distinct odd primes, p and q, that
the MN secretly generates.
M1-4 (Binding acknowledgment) AMA1 checks IPv6
address in the BU message to assure that the MN belongs
to the network. AMA1 selects a prime secret,
SAMA1 1\SAMA1\nð Þ as a relative prime n and computes
VAMA1 in Eq. 3. VAMA1 is a quadratic residue mod n. The BA
message carries VAMA1.
VAMA1 ¼ S2AMA1mod n ð3Þ
Upon receiving the BA message, the MN computes four
square roots of quadratic residue mod n. VAMA1. Secret
SAMA1 is one of these. Determination of the true square root
is straightforward because it must contain a predetermined
redundancy for the secret. The MN and the original AMA
share secret SAMA1.
AMA1
A�achment to AMA1
M1-1. Route Solicita�on
M1-2. Route Adver�sement(AMA1::/64)
M1-3. Binding Update(AMA1::MN/64,n)
M1-4. Binding Acknowledge(VAMA1)
AMA1::MN1/64
VAMA1 = SAMA12 mod n
MN
Fig. 4 Diagram of four messages exchanged in the first phase
Wireless Networks (2019) 25:1443–1459 1449
123
4.3 Phase 2: Information verification
This stage occurs every time the MN enters a new network.
We describe this phase from the perspective of a single
session. However, the second phase happens as many as the
number of on-going sessions in the MN.
To protect the MN’s binding update from malicious
intent, the original AMA and the MN use a simple chal-
lenge and response exchange to confirm that they share the
same secret SAMA1. The confirmation ensures that they own
the session. Furthermore, the MN checks verifies reacha-
bility with the original AMA from its new location and vice
versa. Figure 5 illustrates a diagram of message exchanges
in the second phase.
M2-1 and M2-2 (Preparation) Once the MN is attached
to a new network, the MN exchanges routing information
with a new serving AMA, AMA2, to assign a new IP
address, AMA2::MN/64.
M2-3 (Binding update) This message is sent to the new
serving AMA. It carries five parameters, including the
MN’s random number RiMN and the MN’s past and current
addresses associated with the current session. The MN
chooses another secret for the new network,
SiMN 1\SiMN\n� �
and ViMN � SiMN
� �2mod n
� �. This secret
is valid only in the network in which it is created. It must
be updated in a new network. The new secret SiMN is used to
send the shared secret SAMA1 to the original AMA without
revealing its value over public networks; that is, SAMA1 is
multiplied by SiMN as shown in Eq. 4. The shared secret is
transformed into SKT as shown in Eq. 5. By doing so, the
shared secret changes in every new network, providing
fresh shared keys and forward secrecy. The last parameter,
MACBU , is created in Eq. 6 by using a keyed hash with a
secret SKiT and is included to authenticate the parameters of
the BU message.
PRODY ¼ SiMN � SAMA1modn ð4Þ
SK iT ¼ H1 PRODY ; SAMA1;R
iMN
� �ð5Þ
MACBU ¼ Hk ID2jRiMN jPRODY ; SK
iT
� �ð6Þ
M2-4 (Binding challenge) The serving AMA verifies the
MN’s address and forwards four parameters in the BC
message to the original AMA.
M2-5 (Binding response) The original AMA verifies the
BC message with MACBU . This confirms that the BC
message is an unmodified version and was created by
someone who knows the shared secret. The original AMA
computes MACBR in Eq. 7 and sends this value to the MN,
along with the random number RAMA1.
MACBR ¼ Hk ID2jRAMA1jRiMN þ 1; SKi
T
� �ð7Þ
M2-6 (Access binding update) The MN authenticates
the BR message by verifying MACBR. Correctness of
MACBR authenticates the original AMA because the creator
of MACBR knows the shared secret and because it is the
original AMA. The role of the ABU is quite similar to its
role in the original protocol in Fig. 1. The ABU message
carries the MN’s previous IPv6 address, ViMN a quadratic
1AMA2AMA
A�achment to AMA2
M2-1. Route Solicita�on
M2-2. Route Adver�sement(ID2)
M2-3. Binding Update (ID1,ID2,RMN,PRODY,MACBU)
M2-5. Binding Response(RAMA1,MACBR)
M2-6. Access Binding Update(ID1,V1MN,MACABU)
M2-7. Access Binding Acknowledge
M2-8. Binding Acknowledge Tunneling to and from AMA1::MN/64
IDi = AMAi::MN/64V1MN = (S1MN)2 mod nPRODY = S1MN·SAMA1 mod nSKT = H1(PRODY|SAMA1)MACBU = Hk(ID2|RMN|y,SKT)MACBR = Hk(ID2|RMN+1|RAMA1|VAMA1,SKT)MACABU = Hk(ID1|RAMA1+1|V1MN,SKT)
M2-4. Binding Challenge(ID2,RMN,PRODY,MACBU)
MN
Fig. 5 Time diagram of a message exchange in the second phase for MN’s ith movement in the network
1450 Wireless Networks (2019) 25:1443–1459
123
residue modn of MN’s secret and the MAC of the message,
MACABU , in Eq. 8.
MACABU ¼ Hk ID1jViMN j IP1 � � � � � IPnð Þ; SKi
T
� �ð8Þ
M2-7 (Access binding acknowledgment) The original
AMA finally acknowledges MN’s movement based on the
ABU message.
Y ¼ ViMN � VAMA1modn ð9Þ
Parameter Y in Eq. 9 is compared with the square of
PRODY received in the BC message (see message M2-4 in
Fig. 5). If comparison is positive the original AMA can
confirm that the challenging MN is an owner of the current
session. The original AMA sends the ABA message to the
serving AMA to grant the IPsec tunnel between them.
M2-8 (Binding acknowledgment) The serving AMA
updates the MN’s mobility context in the binding cache.
The MN’s current IP address is assigned to a status of
‘‘preferred,’’ and the rest of the addresses are set to
‘‘deprecated.’’ In this way the serving AMA can distin-
guish a new session from a handover session because this
AMA is required to function as an original AMA for those
new sessions. The BA message delivers a response to the
MN’s request to change the serving network. Upon
receiving the BA message, the MN also updates its
mobility context in the binding cache.
After the BU is completed, an IP security tunnel is
established between the serving AMA and the original
AMA. Because the IKEv2 key exchange protocol in the IP
tunnel is expensive, the proposed protocol dispenses with
the IKEv2. The secret SKiT in Eq. 5 is used for the secret
key. The MN delivers the secret key to the serving AMA
after receiving message M2-8 through a channel secured
by the link-layer protocol. The secret key changes its value
in different networks. Hence, the old serving AMA cannot
access the secret key in the current serving AMA.
5 Performance analysis
5.1 Security analysis
The security of the proposed protocol is verified by
checking how well it satisfies its design requirements and
defends against threat models.
5.1.1 Session ownership
In the proposed protocol, the MN and the original AMA
mutually verify the owner of a session every time the MN
notifies the original AMA of a change in its location. At the
very beginning of a session these two entities share secret
SAMA1 and later authenticate ownership by verifying
knowledge of the shared secret. In the first phase, the
original AMA generates the shared secret and sends the
quadratic residue mod n of the shared secret. Only the MN,
which can factorize the modulus n, can derive the shared
secret from its quadratic residue.
In the second phase, the MN sends
PRODYð¼ SiMN � SAMA1mod n) to the original AMA in
message M2-4 in Fig. 5. Multiplication of the MN’s secret
SiMN to the shared secret SAMA1 serves to demonstrate
knowledge of the shared secret without disclosing it pub-
licly. In message M2-6 in Fig. 5, the MN reveals ViMN to
the original AMA. The original AMA compares ViMN �
VAMA1 with the square of PRODY as shown in Eq. 10.
ViMN � VAMA1 � SiMN
� �2� SAMA1ð Þ2� SiMN � SAMA1
� �2mod n
ð10Þ
If the two values are equal, the original AMA confirms the
challenging MN as an owner of the session. The correct-
ness of the MAC MACBR (see Eq. 5) confirms the chal-
lenging AMA as a holder of the shared secret. Because in
the first phase the MN shares the secret with only the
original AMA, the MN can verify that the challenging
AMA also owns the session.
5.1.2 Active authentication
Based on these four messages, M2-3, M2-4, M2-5, and
M2-6, in Fig. 5, the MN executes a three-way handshake
with the original AMA. Messages M2-3 and M2-4 are
illustrated as two separate messages in Fig. 5, but they are
a single message because the latter message is a part of the
former one. In the three-way handshake, the MN is active
in changing the delivery path of the IPsec tunnel. We can
describe this as an active role because the MN corroborates
with the original AMA that a request for a change is valid
and negotiates mobility parameters directly with the orig-
inal AMA.
5.1.3 Location reachability
We followed a general approach to verify reachability to
and from a new location of the MN. The general approach
is that one end sends a cryptographic token to the other end
to determine if it can then demonstrate knowledge of the
dispatched token. We designed the proposed protocol so
that the verifier includes a random number in the challenge
message, and a proven receiver includes a secure hash of
the random number in its returning message.
Wireless Networks (2019) 25:1443–1459 1451
123
The MN challenges the original AMA with a random
number, RMN , in message M2-4. The original AMA returns
a secure hash value of RMN þ 1 in message M2-5. An
attacker located anywhere in the routing path can obtain
the token in clear text. However, the attacker is unable to
fabricate the secure hash value of the token in the returning
message. The original AMA does the same in a reacha-
bility check to the MN with random number RAMA1 in
messages M2-5 and M2-6. One downside of this approach
is the increased delay imposed because an agreement on
reachability involves at least a three-way exchange
between the MN and the original AMA.
5.2 Performance evaluation
Our consideration at the outset in designing the security
protocol for the host-based DMM was to strengthen its
security. Communication costs and computational delays
are the overhead measurements of the proposed protocol,
and these measurements for our proposal were compared
with those of two other protocols that have been advanced.
For comparison purposes, we computed the communica-
tion costs of the proposed protocol and the communication
costs of the host-based DMM in an IPsec operation with a
pre-shared key.
5.2.1 Communication costs
Communication costs are by definition the number of bits
transmitted in the networks to complete all the BU for N
addresses in the BU list. The N addresses imply that the
MN has N ongoing sessions with different IP addresses of
the MN. These computations in Table 1 are based on the
length of the parameters and the type of operations.
Table 2 lists message notations and their sizes used to
compute the communication costs.
We compared the communication costs in the first phase
of the proposed protocol with the one in the first BUs of the
host-based DMM. The first phases in both protocols are the
same except for messages M1-3 and M1-4 (see Fig. 4).
The messages in the proposed protocol carry additional
parameters such as modulo n and quadratic residue mod n,
VAMA1.
In the second phase, the two protocols contain eight and
ten messages, respectively. The total number of messages
to complete the BUs for N addresses is 4þ 3 N � 1ð Þ for
the proposed protocol and 4þ 6 N � 1ð Þ for the host-basedDMM. Table 4 contains a comparison of communication
costs when the BU list has two addresses. The two proto-
cols cost the same up to the second message. At the fourth
message, the DMM generates more data and more mes-
sages than the proposed protocol. The total communication
cost of the DMM is 18,304 bits, three times more than the
cost of the proposed protocol. The total communication
cost is calculated based on equations in Table 3.
5.2.2 Computational delays
We took advantage of the Crypto ?? Library [11] to
measure the elapsed time of the cryptographic operations.
The measurement ran on an Intel Quad Core 3.60 GHz and
8 gigabyte RAM under an Ubuntu 14.04 operating system
with a Linux kernel version of 3.19.
Figure 6 shows our comparison of the communication
costs for the two protocols with up to ten addresses in the
BU list. As the number of addresses increases, the differ-
ence in the communication costs between the two protocols
is imminent. When the number of addresses in the BU list
is ten the communication cost of the DMM is 148 bit while
the one of the proposed protocol is 43 bit, which is 3.5
times smaller than the DMM.
Table 5 demonstrates an average elapsed time of 12
atomic operations for cryptography. Generating two large
prime numbers and computing a modulus by production of
these two numbers created the longest delay. This delay is
denoted as TQRparam, and its value is 6518.68 microseconds.
The addition of TQRparam and TQRdec brings the total delay
to 6606.02 microseconds. This is the total delay of the
proposed protocol in the first phase. However, the com-
putational delay of the proposed protocol does not include
Table 1 Parameters used in
measurements of
communication costs
Protocol Parameters Details
DMM Initial vector and nonce 32 bits
Encryption AES-128-CBC
MAC and PRF HMAC-SHA1-96
DH Group Alternate 1024-bit MODP group
Proposed ID 128 bits
Random numbers (RX) 32 bits
n; SMN ; SAMA Alternate 1024-bit MODP group
H1ðÞ SHA256
HkðÞ HMAC-SHA256
1452 Wireless Networks (2019) 25:1443–1459
123
this delay. This is because a series of operations related to
this delay can be done ahead of time in the MN before the
BU initiates so they are an offline operation. This claim
concludes the computational delay of the proposed proto-
col in the first phase in which the MN is 87.34 microsec-
onds as shown in Fig. 7.
In contrast, operations on the part of an interactive
protocol cannot be done offline or independently because
input parameters to the operations are determined in real
time. For instance, generation of the secret key in the
Diffie–Hellman key exchange requires an input parameter
from a peer for a fresh key, which means a key must be
established once one peer is connected to another. The
IKEv2 in the IPsec protocol uses the Diffie–Hellman key
exchange. Consequently, the computational delay in the
DMM must include delays associated with the Diffie–
Hellman key exchange whenever new IPsec tunnels are
established between a serving AMA and an original AMA.
Figure 7 depicts a comparison of the computation delays
of both protocols in the MN and in the AMA. In the first
phase, the MN in the DMM does not involve any crypto-
graphic operations at all and neither does the AMA. This
observation sets to zero four computational delays of the
first phase in Fig. 7. In contrast, the two peers in the pro-
posed protocol involve encryption and decryption for
quadratic residue operations. These operations take 43.8
microseconds and 87.34 ls, respectively. In the second
phase, the MN in the DMM does not involve any crypto-
graphic operations because the serving AMA terminates a
secure IP connection toward the MN. The serving AMA
and the original AMA in the DMM do the exactly same
cryptographic operation, which takes 666.3 microseconds.
As shown in Table 6, the serving AMA in the proposed
protocol does not involve any cryptographic operations but
the original AMA in 80.2 microseconds does five hash
operations, two multiplications, one addition, and one
random generation. The original AMA in the DMM took
about eight times longer than the original AMA’s compu-
tation in the proposed protocol. The MN in the proposed
protocol executes operations similar to the original AMA,
except for QR encryption. The computational delay in the
MN is 122.9 microseconds.
2.1
18.3
34.5
50.8
67.0
83.2
99.4
115.6
131.9
148.1
3.67.9
12.316.6
20.925.2
29.533.9
38.242.5
1 2 3 4 5 6 7 8 9 100
20
40
60
80
100
120
140
Com
mun
icat
ion
cost
(Kbi
ts)
Number of binding update list
DMM Proposed
Fig. 6 Communication costs of two protocols when the BU list
contains 10 addresses
Table 2 Message notations and
their sizesNotation Description Size in bytes
SRS; SRA Size of RS/RA messages 52, 80
SBU ; SBA Size of the BU/BA messages 56, 56
SABU ; SABA Size of the ABU/ABA messages 56, 56
SBINDINGCHALL Size of the BINDING CHALLENGE message 168
SBINDINGRES Size of the BINDING RESPONSE message 92
STU ; SMO Size of the tunneling header and mobility option 40, 20
SMAC Size of message authentication code 12
SIKEINITREQ Size of the IKE INIT REQUEST message 298
SIKEINITRES Size of the IKE INIT RESPONSE message 298
SIKEAUTHREQ Size of the IKE AUTH REQUEST message 568
SIKEAUTHRES Size of the IKE AUTH RESPONSE message 568
Four messages at the bottom are related to the IPsec protocol
Table 3 Messages required to complete a single binding update in the proposed protocol and in the DMM
DMM SIKEINITREQ þ SIKEINITRES þ SIKEAUTHREQ þ SIKEAUTHRES þ SABU þ SABA þ 4SMAC þ 2STU þ 2SMO
Proposed SBINDINGCHALL þ SBINDINGRES þ SABU þ SABA þ 2STU þ 2SMO þ 44
Wireless Networks (2019) 25:1443–1459 1453
123
5.2.3 Actual delay measurements
We have implemented the host-based DMM and proposed
protocols in a real LTE-advanced network so as to measure
actual delays. This measurement is of critical importance to
developers and engineers in the mobile industry as a
determinant of whether to deploy these protocols in the real
environment. Figure 8 illustrates an experimental setup for
the measurement. The setup contains a notebook, six
tethered smartphones, and one Wi-Fi access point (AP).
The notebook implements the MN in the setup. The six
smartphones playing the role of the AMA are subscribed to
three service providers in Korea: (1) SK (SK Telecom); (2)
KT (Korean Telecom); and (3) LG U ? . In this setup, the
MN is connected to the AMA over the Wi-Fi, and the
AMA is connected to the Internet over the LTE-Advanced
network. The seventh AP connects the notebook to the
Internet through the research-oriented public Korean
Advanced Research Network (KOREN).
Table 7 lists the six smartphones and the AP in the
experiment and their assignment to each AMA. The
table also shows the number of hops between the AMAs
and the round trip time (RTT) in milliseconds, which were
measured using tools ping and traceroute. The number of
hops varies from 12 to 31. The RTT varies from 33 to
96 ms. The last column in Table 7 shows the average RTT
of each AMA as measured over time.
We have measured three delays based on three experi-
mental scenarios. These are (1) the MN undergoes but one
handover; (2) the MN visits N networks but visits the same
network no more than once; and (3) the MN visits N net-
works but visits the same network more than once.
According to the experimental scenario, the MN chooses a
serving AMA at random and immediately initiates the
handover once the last handover is completed. We have run
each experiment 3500 times and used only those values
within the 97% quantile for averages to present in Figs. 9
and 10.
In the first scenario, we wanted to compare a single
handover delay between the proposed protocol and the
DMM. A delay in the first handover measures the initial
BU delay when a new session is started. Although the
proposed protocol has different protocols for the initial BU
87.343.8
122.9
666.3
80.2
666.3
0.0
DMM Proposed DMM Proposed DMM Proposed100
101
102
103
S-AMAO-AMA
Phase #2 Phase #1
Com
puta
tiona
l del
ay (m
icro
seco
nds)
MN
Fig. 7 Computational delays of two protocols. O-AMA and S-AMA
stand for original and serving AMAs, respectively
Table 4 Communication costs of the BU for the proposed protocol and the DMM with two addresses. The cost is measured in bits
Bits M.2-1 M.2-2 M.2-3 M.2-4 M.2-5 M.2-6 M.2-7 M.2-8 M.2-9 M.2-10 Total
Proposed 416 640 1728 1344 736 1184 928 96 7936
DMM 416 640 704 2384 2384 4640 4640 1024 1024 448 18,304
Table 5 Average elapsed time
of 12 atomic operations for
cryptography used in comparing
computational delays
Operations Symbol Delay in microseconds
Diffie–Hellman parameter TDHparam 221.94
Diffie–Hellman shared key TDHshare 244.84
Nonce Tnonce 1.26
Pseudo random function TPRF 11.18
AES-128-CBC TAES 12.1
HMAC-SHA1-96 THMAC 9.52
Quadratic residue parameter TQRparam 6518.68
Quadratic residue encryption TQRenc 43.8
Quadratic residue decryption TQRdec 87.34
SHA-256 TSHA256, THMAC�256 15.28
Addition of nonce Tadd 0.38
Multiplication in modulo Tmul 1.08
1454 Wireless Networks (2019) 25:1443–1459
123
from the rest of BUs, the DMM shows no difference across
any number of BUs. The first handover delay in the DMM
is 86.9 ms, and the one in the proposed protocol is 95.8 ms.
The initial BU setup in the proposed protocol takes 8.9 ms
longer than the one in the DMM. This is because the
proposed protocol has more cryptographic operations. The
second and later handovers compensate for this extra delay.
The second and third experiments measured the delays
between handovers three and seven. Our prohibition in the
second experiment on a repeat visit to any network permits
us to estimate a range of handover delay in a worst case
scenario. Although this estimate is very general, it gives
service providers numbers they can anticipate and plan to
accommodate. By allowing a repeat visit to a network in
the third scenarios, we are able to measure a handover
delay much closer to reality.
When seven handovers occur in the third experiment,
the host-based DMM takes 3198 ms compared with the
2050 ms required by the proposed protocol. As shown in
Fig. 10, the handover delay in the DMM takes about 50%
Table 7 The number of hops
and the delay between seven
AMAs. The delay is measured
in milliseconds (ms)
RTT (ms) # of hops
SK1 KT1 LG SK2 SK3 KT2 KOREN Average (ms)
AMA1 AMA2 AMA3 AMA4 AMA5 AMA6 AMA7
SK1 AMA1 27 31 30 30 26 16 79.7
KT1 AMA2 79 28 27 27 23 13 69.2
LG AMA3 80 67 31 31 17 17 73.1
SK2 AMA4 89 76 78 30 26 16 77.5
SK3 AMA5 96 83 85 94 26 16 83.4
KT2 AMA6 88 75 77 85 93 12 76.6
KOREN AMA7 46 33 34 43 50 42 41.5
Table 6 Atomic operations
consisting of the computational
delay for MN, original AMA,
and serving AMA for the DMM
and the proposed protocol
Protocol Entity Phase 1 Phase 2
Proposed MN TQRdec TQRenc þ Tnonce þ Tadd þ Tmul þ TSHA256 þ 4 � THMAC�256 ¼ 122:9
Original AMA – Tadd þ Tnonce þ 2 � Tmul þ TSHA256 þ 4 � THMAC�256 ¼ 80:2
Serving AMA TQRenc –
DMM MN – –
Original AMA – TDHparam þ TDHshare þ Tnonce þ 8 � TPRF þ 4 � TAES þ 4 � THMAC
Serving AMA – TDHparam þ TDHshare þ Tnonce þ 8 � TPRF þ 4 � TAES þ 4 � THMAC
S1
NotebookS3
S5
S6
S2
S4
Wi-Fi
SK
KT
LG U+
Internet
KOREN
Fig. 8 Experimental setup for delay measurements
Wireless Networks (2019) 25:1443–1459 1455
123
longer than in the proposed protocol. The slight differences
in results in the second and the third experiments imply that
the computational delay saved in visiting the same network
is so tiny that the communication delay makes up the most
pf the handover delay. The graphs in Fig. 10 are quickly
saturated after the number of handovers passes two. We
can extend this observation to conclude that in a steady
state, the handover delay is quite close to those in Fig. 10.
6 Literature survey
A range of objects in network protocols can enforce
security in mobility management. For ease of understand-
ing, we divide them into two groups, based on the protocol
layer in which each object is located. One group consists of
objects in the IP layer. The other group is made up of
objects in layers other than IP. We will consider these in
turn.
6.1 IP layer
Chuang et al. [12] suggested improvements in the
authentication and handover procedures of the Proxy
MIPv6 (PMIPv6). The PMIPv6 enables network-based
localized mobility management for an MN, thereby pro-
visioning transparency in mobility to the MN and reducing
signaling overheads. However, the PMIPv6 still suffers
from packet losses, inefficient authentication procedures,
and security threats. A bicasting scheme was designed to
avoid packet loss and out-of-sequence delivery. Local
authentication was tested for efficiency in reducing
authentication latency.
Lee [13] introduced secure authentication between the
MN and the distributed anchor through dynamic tunneling
in the DMM that coexists with the PMIPv6. The proposed
scheme considers a session-to-mobility ratio to determine
which distributed anchor is responsible for managing a
tunnel to the local mobility anchor (LMA). If the session-
to-mobility ratio is high, the current distributed anchor
established a tunnel for the MN’s data packets to the CN.
Otherwise, the tunnel established remains between dis-
tributed anchors.
Rossi et al. [14] tackled security issues in routing opti-
mization (RO) for the MIPv6. The former inefficient tri-
angular routing path in the MIPv6 was resolved by having
the RO follow a direct path from the MN to the CN. As a
side effect, the RO raised a number of security issues by
merely being subject to session-hijacking attacks. The
authors proposed a secure and efficient RO by using
enhanced cryptographically generated address (ECGA) and
DNS security (DNSSEC). Because the IP address is gen-
erated cryptographically, their proposed approach makes it
difficult to forge the source IP address. The security keys
are securely stored and delivered to a verifier by use of the
DNSSEC.
6.2 Non-IP layer
One of the main advantages of locating security above the
IP layer is to provide transparency in IP changes to
applications in mobile nodes.
Snoren et al. [15] proposed a mobility management
system implemented in the layers of the transport control
protocol (TCP). An update of IP addresses through the
domain name server (DNS) allows the CN an easy means
to find the MN’s IP address in the new location. Using a
connection migration implemented on a TCP option, peers
87.7
2875.0
98.3
1821.0
1 21
10
100
1000
Del
ay (m
illise
cond
s)
Number of handovers
DMM Proposed
Fig. 9 Delay measurements of two protocols for the first experiment
in the first and second handovers
3 4 5 6 7
2000
2200
2400
2600
2800
3000
3200
3066 3091 3115 3116 3145
19211976
2018 2029 2050
30553099
31433183 3218
1940 19772027 2057 2056
Del
ay (m
illise
cond
s)
Number of handovers
DMM (3rd) Proposed (3rd) DMM (2nd) Proposed (2nd)
Fig. 10 Delay measurements of two protocols for the second and
third experiments in handovers up to seven
1456 Wireless Networks (2019) 25:1443–1459
123
can negotiate changes of IP addresses securely and effi-
ciently without breaking the end-to-end connection
semantic.
Aura et al. [16] introduced DoS attacks, connection
hijacking, and packet flooding. The multihoming function
in the streaming control transport protocol (SCTP) is sub-
ject to these attacks when the function supports dynamic
addressing and endpoint mobility. The authors proposed
countermeasures by changing mobility extensions in the
SCTP.
Seggelmann et al. [17] adopted datagram transport layer
security (DTLS) to support secure mobility. Address
changes will be notified implicitly, a process than is prone
to attacks because the source address is not protected by
DTLS. However, it can be secured by using the Heartbeat
extension to verify the new address. Mobility operations
such as a Heartbeat message are as secure as operations in
the DTLS.
The Request For Comments 5201 (RFC) [18] introduced
a new layer, called the host identity protocol (HIP),
between the TCP layer and the IP layer. Most of the
security issues in mobility management are attributed to the
duplicate roles of IP addresses, which are used to simul-
taneously identify and locate a host. However, this dual
roles became quickly invalid in facing of birth of mobile
hosts. The idea behind the HIP was to insert the identifi-
cation layer to relieve the IP layer of this role. The HIP
innovation is responsible for making IP addresses more
secure.
Multipath TCP (MPTCP) is capable of using multiple
network paths for a single connection and managing mul-
tiple, underlying TCP connections (called subflows) to a
single TCP destination. Mobility management can be
simpler with a capability of simultaneously establishing
connection from network interfaces in MPTCP; a new
subflow is initiated on the second interface before ongoing
subflow is terminated on the first interface. Conversation is
switched to the subflow seamlessly [19]. Jadin et al. [20]
proposed MPTCPsec, an MPTCP extension for protecting
application data and authenticating TCP options.
MPTCPsec can be applied for mobility management in
MPTCP to counter nefarious security attacks.
Quick UDP Internet connections (QUIC) is a transport
protocol developed by Google, running on top of the UDP.
In comparison with the performance of TCP, QUIC redu-
ces connection latency by reducing the number of round-
trip time (RTT) required for connection establishment and
avoiding head-of-line blocking occurred in a single TCP
connections. Every QUIC segment has a 64-bit globally
unique identifier (GUID). This information is used in
mobility management to identify a session after transition
to a new network interface. QUIC provides secure transport
functionalities equivalent to the TLS including encryption
of all segments. However, replay and denial of service
attacks may be applicable in situations [21].
A secure channel is established between the mobile node
and the mobile anchor by using the IPsec. IKEv2 (Internet
Key Exchange version 2) provides a mechanism for mutual
authentication and establishment a Security Association
(SA) for the IPsec. The SA is bound to the IP addresses of
the IPsec endpoints. When the MN changes its IP address
because of mobility lengthy and expensive rekeying of the
IKE SA must occur. The IKEv2 Mobility and Multihoming
(MOBIKE) is defined as an extension to the existing IKEv2
protocol to provide secure mobility. The MOBIKE [22]
offers a solution to the problem by decoupling the SA
identity from the MN’s location (IP address). Besides the
MOBIKE provides multihoming features to allow traffic
movement between different network interfaces.
Complex and expensive operations in the IPsec estab-
lished between the MN and the HA can be replaced by TLS
as recommended in [23]. A Home Agent Controller (HAC)
located in between the MN and the HA can relieve burdens
levied on the MN caused by IPsec operations and man-
agements. Roles and functions in the HAC are less useful
to the MN in the DMM than in the CMM because the HA is
already close enough to the MN in the DMM. The DMM
has shifted functions of the HA on the access router. In
such situations the link-layer security alone can protect
traffic between the MN and the HA.
A Protocol for carrying Authentication for Network
Access (PANA) [24] is an UDP/IP based network access
protocol, offering a unified authentication method transpar-
ent to diverse underneath communication technologies. As
theMAmoved close to the AR, the PANA can be used for an
authentication protocol between the MN and the HA. The
Extensible Authentication Protocol (EAP) compensate for
the PANA by specifying authentication and key agreement.
Handover keying (HOKEY) [25] is an effective han-
dover keying protocol working with keying materials
produced by the EAP. HOKEY was designed to enhance
the EAP by method-independent fast re-authentication with
low handover latencies.
7 Conclusion
This paper proposed an applicable security protocol for the
BU in the host-based DMM. Because the BU in the con-
sidered host-based DMM simply inherits the security
mechanism developed for the MIPv6, it has security
weaknesses and its delay performance is inefficient. The
proposed mechanism improves DMM security by having
the two main entities of the BU share a secret token. This
sharing occurs at the onset of a session. Later, when the
MN enters a new network, the two main entities, the MN
Wireless Networks (2019) 25:1443–1459 1457
123
and the original AMA, mutually confirm session ownership
by checking the value of the token. Thorough analysis and
empirical evaluation in both a laboratory and in a live
network setting confirm that the proposed protocol out-
performs the incumbent BU in the host-based DMM.
Finally, we believe that there are several aspects that still
need be investigated to improve the delay response associ-
ated with the BU. We plan to expand experiments with the
study into diverse service usages to assess how the system
performs in different environments. Further, our proposed
mechanism could be extended tomake use ofmore advanced
access networks, such as the Tactile Internet.
Acknowledgements This work was supported by Institute for Infor-
mation and communications Technology Promotion (IITP) grant
funded by the Korea government (MSIT) (No. 2017-0-01861,
Research on the security of operating system).
References
1. Simsek, M., et al. (2016). 5G-enabled Tactile Internet. IEEE
Journal of Selected Areas in Communications, 34(3), 460–473.
2. Maier, M., et al. (2016). The Tactile Internet: vision, recent
progress, and open challenges. IEEE Communications Magazine,
54(5), 138–145.
3. Perkins, C., Johnson, D., & Arkko, J. (2011). Mobility support in
IPv6. IETF RFC 6275.
4. Gundavelli, S., et al. (2008). Proxy mobile IPv6. IETF RFC 5213.
5. Soliman, H. (2009). Mobile IPv6 support for dual stack hosts and
routers. IETF RFC 5555.
6. Lee, J., et al. (2014). Mobile data offloading: A host-based dis-
tributed mobility management approach. IEEE Internet Com-
puting, 18(01), 20–29.
7. Liu, D., et al. (2015). Distributed mobility management: Current
practices and gap analysis. IETF RFC 7429.
8. Lee, J., et al. (2013). Distributed IP mobility management from
the perspective of the IETF: Motivations, requirements, approa-
ches, comparison, and challenges. IEEE Wireless Communica-
tions, 20(5), 159–168.
9. Dummit, D., Dummit, E., & Kisilevsky, H. (2016). Characteri-
zations of quadratic, cubic, and quartic residue matrices. Journal
of Number Theory, 168, 167–179.
10. Elia, M., Piva, M., & Schipani, D. (2015). The Rabin cryp-
tosystem revisited. Applicable Algebra in Engineering, Commu-
nication and Computing, 26(3), 251–275.
11. Crypto ?? Libtsty 5.6.3. http://www.cryptopp.com/.
12. Chuang, M., Lee, J., & Chen, M. (2013). SPAM: A secure
password authentication mechanism for seamless handover in
proxy mobile IPv6 networks. IEEE Systems Journal, 7(1),
102–113.
13. Lee, J. (2016). Secure authentication with dynamic tunneling in
distributed IP mobility management. IEEE Wireless Communi-
cations, 23(5), 38–43.
14. Rossi, A., Pierre, S., & Krishnan, S. (2013). Secure route opti-
mization for MIPv6 using enhanced CGA and DNSSEC. IEEE
Systems Journal, 7(3), 351–362.
15. Snoeren, A., & Balakrishnan, H. (2000). An end-to-end approach
to host mobility. In Proceedings of ACM/IEEE international
conference on mobile computing and networking (MobiCom).
16. Aura, T., et al. (2004). Effects of mobility and multihoming on
transport-protocol security. In Proceedings of IEEE symposium
security and privacy.
17. Seggelmann, R., et al. (2012). DTLS mobility. In Proceedings of
international conference of distributed computing and network-
ing (ICDCN), pp. 443–457, Hong Kong, China.
18. Moskowitz, R., et al. (2008). Host identity protocol. IETF RFC
5201.
19. Raiciu, C., et al. (2011). Opportunistic mobility with multipath
TCP. In Proceedings of the sixth international workshop on
MobiArch, pp. 7–12, Bethesda, USA.
20. Jadin, M., et al. (2017). Securing multipath TCP: Design and
implementation. In Proceedings of IEEE international confer-
ence on computer communications (INFOCOM), Atlanta, USA.
21. Cui, Y., et al. (2017). Innovating transport with QUIC: Design
approaches and research challenges. IEEE Internet Computing,
21(2), 72–76.
22. Eronen, P., et al. (2006). IKEv2 mobility and multihoming
(MOBIKE) protocol. IETF RFC 4621.
23. Korhonen, J., et al. (2012). Mobile IPv6 security framework using
transport layer security for communication between the mobile
node and home agent. IETF RFC 6618.
24. Forsberg, D., et al. (2008). Protocol for carrying authentication
for network access (PANA). IETF RFC 5191.
25. Zorn, G., et al. (2012). Handover Keying (HOKEY) architecture
design. IETF RFC 6697.
Seyeong Lee received a master’s
degree in IT convergence from
Sungkyunkwan University,
South Korea in 2016. He is a
software engineer at Samsung
Electronics. His research inter-
ests include network and
android security.
Hyoung-Kee Choi received a
Ph.D. degree in electrical and
computer engineering from
Georgia Institute of Technol-
ogy, USA, in 2001. He is a
professor in Department of
Computer Science and Engi-
neering, Sungkyunkwan
University, South Korea. He
joined Lancope in 2001 and
remained until 2004, where he
guided and contributed to
research in Internet security. His
research interests include net-
work security and vulnerability
assessment.
1458 Wireless Networks (2019) 25:1443–1459
123
Ejin Kim is a master’s degree
student in electronic, electrical
and computer engineering at
Sungkyunkwan University,
South Korea. She received her
bachelor’s degree in informa-
tion security from Seoul
Women’s University, South
Korea in 2016. Her research
interests include authentication,
Internet mobility management
and reverse engineering.
Jong-Hyouk Lee received a
Ph.D. degree in Computer
Engineering at Sungkyunkwan
University, South Korea in
2010. In 2009, he joined the
project team IMARA at INRIA,
where he undertook the protocol
design and implementation for
IPv6 vehicular (ITS) communi-
cation and security. Dr. Lee
started his academic profession
at the Network, Security, and
Multimedia (RSM) Department
of TELECOM Bretagne, France
in 2012 as an Assistant Profes-
sor. In September 2013, he moved to Sangmyung University,
Republic of Korea. He has involved in standardization activities at the
ISO TC204 WG16, ETSI TC ITS, and IETF. He twice received
Excellent Research Awards from the School of Information and
Communication Engineering, Sungkyunkwan University. Dr. Lee
won the Best Paper Award at the IEEE WiMob 2012 and received the
2015 Best Land Transportation Paper Award from the IEEE Vehic-
ular Technology Society. He was a tutorial speaker at the IEEE
WCNC 2013, IEEE VTC 2014 Spring, and IEEE ICC 2016. In
November 2014, he was selected as the Young Researcher of the
month. He is a senior member of the IEEE. He is an associate editor
of Wiley Security and Communication Networks, IEEE Transactions
on Consumer Electronics, IEEE Consumer Electronics Magazine, and
Springer Annals of Telecommunications. His research interests
include malware, vulnerability exploitation, authentication, privacy,
mobility management, and protocol analysis.
Wireless Networks (2019) 25:1443–1459 1459
123