1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
|
Internet Research Task Force (IRTF) Y. Qiu
Request for Comments: 5726 Institute for Infocomm Research
Category: Experimental F. Zhao, Ed.
ISSN: 2070-1721 Google
R. Koodli
Cisco Systems
February 2010
Mobile IPv6 Location Privacy Solutions
Abstract
Mobile IPv6 (RFC 3775) enables a mobile node to remain reachable
while it roams on the Internet. However, the location and movement
of the mobile node can be revealed by the IP addresses used in
signaling or data packets. In this document, we consider the Mobile
IPv6 location privacy problem described in RFC 4882, and propose
efficient and secure techniques to protect location privacy of the
mobile node. This document is a product of the IP Mobility
Optimizations (MobOpts) Research Group.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Research Task
Force (IRTF). The IRTF publishes the results of Internet-related
research and development activities. These results might not be
suitable for deployment. This RFC represents the consensus of the IP
Mobility Optimizations Research Group of the Internet Research Task
Force (IRTF). Documents approved for publication by the IRSG are not
a candidate for any level of Internet Standard; see Section 2 of RFC
5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5726.
Qiu, et al. Experimental [Page 1]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Qiu, et al. Experimental [Page 2]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Table of Contents
1. Introduction ....................................................5
2. Conventions and Terminology .....................................6
2.1. Conventions ................................................6
2.2. Terminology ................................................6
3. Requirements ....................................................8
4. Solution Overview ...............................................9
5. Reverse-Tunneled Correspondent Binding Update ..................11
5.1. The Procedure .............................................12
5.2. Route-Optimized Payload Packets ...........................14
5.3. Mobile Node Operation .....................................15
5.3.1. Conceptual Data Structures .........................15
5.3.2. Reverse-Tunneled Correspondent Binding
Update to the Correspondent Node ...................15
5.3.3. Reverse-Tunneled Correspondent Binding
Acknowledgement from the Correspondent Node ........16
5.3.4. Route-Optimized Payload Packets ....................16
5.3.5. Receiving ICMP Error Message .......................17
5.3.6. Binding Error from the Correspondent Node ..........17
5.3.7. Binding Refresh Request from the
Correspondent Node .................................17
5.4. Home Agent Operation ......................................17
5.5. Correspondent Node Operation ..............................18
5.5.1. Conceptual Data Structures .........................18
5.5.2. Reverse-Tunneled Correspondent Binding
Update from the Mobile Node ........................18
5.5.3. Reverse-tunneled Correspondent Binding
Acknowledgement to the Mobile Node .................18
5.5.4. Route-Optimized Payload Packets ....................18
5.5.5. ICMP Error Message to the Mobile Node ..............19
5.5.6. Binding Error to the Mobile Node ...................19
5.5.7. Binding Refresh Request to the Mobile Node .........19
5.6. Summary ...................................................20
6. IP Address Location Privacy Solution Using the Pseudo
Home Address ...................................................20
6.1. Home Binding Update .......................................20
6.1.1. Pseudo Home Address Registration ...................20
6.1.2. Home De-Registration ...............................21
6.2. Correspondent Binding Update Using the Pseudo Home
Address ...................................................22
6.2.1. Return Routability Procedure .......................22
6.2.2. Route-Optimized Correspondent Binding Update .......24
6.2.3. Reverse-tunneled Correspondent Binding Update ......25
6.2.4. Using Different Pseudo Home Addresses with
Different Correspondent Nodes ......................25
6.3. Payload Packets ...........................................25
6.3.1. Reverse Tunneling Mode .............................25
Qiu, et al. Experimental [Page 3]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
6.3.2. Route Optimization Mode ............................26
6.4. Prefix Discovery ..........................................26
6.5. Mobile Node Operation .....................................26
6.5.1. Conceptual Data Structures .........................26
6.5.2. Binding Update to the Home Agent ...................27
6.5.3. Binding Acknowledgement from the Home Agent ........27
6.5.4. Home Test Init to the Home Agent ...................28
6.5.5. Home Test from the Home Agent ......................28
6.5.6. Route-Optimized Payload Packets ....................29
6.5.7. Receiving Binding Refresh Request ..................29
6.6. Home Agent Operation ......................................29
6.6.1. Conceptual Data Structures .........................30
6.6.2. Binding Update from the Mobile Node ................30
6.6.3. Binding Acknowledgement to the Mobile Node .........31
6.6.4. Home Test Init from the Mobile Node ................31
6.6.5. Home Test to the Mobile Node .......................32
6.7. Correspondent Node Operation ..............................32
7. Extensions to Mobile IPv6 ......................................32
7.1. Encrypted Home Address Destination Option .................32
7.2. Encrypted Home Address Routing Header .....................33
7.3. Pseudo Home Address Mobility Option .......................34
7.4. Pseudo Home Address Acknowledgement Mobility Option .......35
8. Security Considerations ........................................37
8.1. Home Binding Update .......................................37
8.2. Correspondent Binding Update ..............................38
8.3. Route-Optimized Payload Packets ...........................38
9. Related Work ...................................................39
10. IANA Considerations ...........................................40
11. Conclusion ....................................................40
12. Acknowledgements ..............................................41
13. References ....................................................41
13.1. Normative References .....................................41
13.2. Informative References ...................................42
Appendix A. Profiling Attack: Discussion ..........................44
A.1. The Care-of Address ........................................44
A.2. Profiling on the Encrypted Home Address ....................44
A.3. The IPsec SPI ..............................................45
A.4. The IPsec Sequence Number ..................................45
A.5. The Regular Interval of Signaling Messages..................46
A.6. The Sequence Number in the Binding Update Message ..........46
A.7. Multiple Concurrent Sessions ...............................46
A.8. Summary ....................................................47
Qiu, et al. Experimental [Page 4]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
1. Introduction
The IP address location privacy problem is concerned with unwittingly
revealing the current location of a mobile node to eavesdroppers and
to communicating parties. In the presence of mobility as specified
in Mobile IPv6 [6], there are two related problems: disclosing the
care-of address to a correspondent node, and revealing the home
address to an eavesdropper (please see the terminology below). A
detailed description of the location privacy problem can be found in
RFC 4882 [11]. This document assumes that the reader is familiar
with the basic operation of Mobile IPv6 specified in RFC 3775, as
well as the location privacy problem described in RFC 4882.
In order to protect location privacy, a mobile node must not disclose
the binding between its care-of address and its home address. In
this document, we propose a set of extensions to the Mobile IPv6
specification to address the IP address location privacy problem.
Related to the IP address location privacy is "profiling", where the
activities of a mobile node are linked and then analyzed. Profiled
activities may contribute to compromising a mobile node's location
privacy, especially when combined with additional information.
Furthermore, once location privacy is compromised, it may lead to
more targeted profiling. Solutions to thwart profiling are
important; however, they are not central to this document. We
discuss profiling in the appendix.
We propose two IP address location privacy solutions in this
document. With the first solution (as described in Section 5), the
mobile node can communicate with the correspondent node by using the
real home address without location privacy being breached by
eavesdroppers. This is done by using parameters generated during the
return routability procedure to mask the real home address, which
provides an evolution towards location privacy protection based on
return routability messages already specified in RFC 3775. With the
second solution (as described in Section 6), an IPsec tunnel mode
security association with a non-null encryption algorithm is
negotiated to encrypt signaling messages (including the real home
address therein) exchanged between the mobile node and the home
agent, for example, during the home binding update procedure.
Furthermore, during the return routability procedure and the
correspondent binding update procedure, a "pseudo home address" (the
definition of this new term and many other commonly used mobility
related terms is provided in Section 2) is used to replace the real
home address in various messages, which allows the mobile node to
hide its real home address from both the correspondent node and
eavesdroppers without the need for additional extensions to the
correspondent node. Moreover, the mobile node may mask the pseudo
Qiu, et al. Experimental [Page 5]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
home address by using the mechanism specified in Section 5 to further
enhance location privacy protection. Each of these two solutions can
be implemented on its own without relying on the other.
The solutions presented in this document are designed based on the
following assumptions. First, we focus on location privacy issues
arising when the mobile node attaches to a foreign link; location
privacy issues when the mobile node attaches to its home link, if
any, are outside the scope of this document. Second, we assume that
IPsec [2] is used to secure mobility signaling messages exchanged
between the mobile node and the home agent; therefore, location
privacy solutions when other security mechanisms are used are beyond
the scope of this document. Third, we assume that eavesdroppers are
passive attackers, e.g., an eavesdropper along the path traversed by
traffic flows from or to the mobile node. We make this assumption
because messages generated by active attackers can either be
discarded based on local policy at a mobile node or the mobile node
could choose to treat such messages like those of any other
correspondent nodes. Thus, specific threats to location privacy
posed by active attackers are also beyond the scope of this document.
Fourth, in order to simplify analysis, we assume that both the
correspondent node and the home agent are fixed nodes; if either is
mobile, the same analysis and solutions for the mobile node may also
apply. Finally, the same solution applies to each of the care-of
addresses if a mobile node maintains more than one care-of address.
This document represents the consensus of the MobOpts Research Group.
It has been reviewed by the Research Group members active in the
specific area of work. At the request of their chairs, this document
has been comprehensively reviewed by multiple active contributors to
the IETF Mobile IP related working groups.
2. Conventions and Terminology
2.1. Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
2.2. Terminology
In this document, we introduce two new terms, "pseudo home address"
and "encrypted home address". The definition of these two terms is
provided in the following.
Qiu, et al. Experimental [Page 6]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
o Pseudo Home Address (pHoA): A unicast IPv6 address formed to
replace the real home address used in certain Mobile IPv6
signaling or data packets. Without explicit indication, the
pseudo home address looks like a regular IPv6 address [5].
o Encrypted Home Address (eHoA): The output when applying an
encryption algorithm to the real home address or the pseudo home
address with additional inputs, e.g., a key. The real home
address can be recovered from the encrypted home address by using
a decryption algorithm.
In addition, we use commonly adopted mobility-related terms as
defined in [6] and [11] throughout this document. Some of these
terms are provided below for easier reference. Nevertheless, we
assume that readers are familiar with the basic operation of the
Mobile IPv6 protocol as defined in RFC 3775 [6], RFC 3776 [7], and
RFC 4877 [8].
o Mobile Node (MN): A Mobile IPv6 compliant mobile node that can
roam on the Internet
o Correspondent Node (CN): An IPv6 node that communicates with the
mobile node
o Home Network: The network where the mobile node is normally
present when it is not roaming
o Visited Network: The network that the mobile node uses to access
the Internet when it is roaming
o Home Agent (HA): A router on the mobile node's home network that
provides forwarding support when the mobile node is roaming
o Home Address (HoA): The mobile node's unicast IP address valid on
its home network
o Care-of Address (CoA): The mobile node's unicast IP address valid
on the visited network
o Return Routability (RR): A procedure which enables secure binding
between the care-of address and the home address when no pre-
existing security association exists between the mobile node and
the correspondent node
o Home Test Init (HoTI) / Home Test (HoT) / Care-of Test Init (CoTI)
/ Care-of Test (CoT): Messages used during the return routability
procedure
Qiu, et al. Experimental [Page 7]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
o Binding Update (BU): A message used by the mobile node to securely
bind its care-of address to its home address at the correspondent
node or the home agent
o Binding Acknowledgement (BA): A response to the Binding Update
o Message Authentication Code (MAC): The value, which is computed
using HMAC_SHA1 in this document, that protects both a message's
integrity and its authenticity
o Route Optimization: A mechanism that allows direct routing of
packets between a roaming mobile node and its correspondent node,
without having to traverse the home network
o Reverse Tunneling or Bidirectional Tunneling: A mechanism used for
packet forwarding between a roaming mobile node and its
correspondent node via its home agent
3. Requirements
In this section, we describe the requirements that should be met by
the Mobile IPv6 location privacy solutions, hereafter referred to as
"the solution". These are some of the basic requirements set forth
in order to make the solution readily implementable by those familiar
with Mobile IPv6 and the related security protocols used with it
(such as IKEv2 [4] and IPsec).
R01: The solution must follow the framework and architecture of IPv6
and Mobile IPv6 (as specified in RFC 3775, RFC 3776, and RFC
4877).
R02: The solution must not interfere with the operation of IPsec.
This means that the principles and the operation specified in
RFC 3776 and RFC 4877 need to be followed. For example, the
IPsec security association and policy must be identified by the
real home address.
R03: The solution should provide back-compatibility in order for
different Mobile IPv6 entities to work together even though they
may have different capabilities. This requires the mobile node
to be able to detect whether the home agent or the correspondent
node supports the use of the location privacy solutions.
R04: The overhead resulting from the solution, in terms of payloads
or messages transmitted and memory, should be kept minimal.
Qiu, et al. Experimental [Page 8]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
4. Solution Overview
The IP address location privacy solutions proposed in this document
intend to conceal the binding between the mobile node's real home
address and its care-of address from eavesdroppers and the
correspondent node. In this section, we present an overview of the
proposed solutions.
With the Mobile IPv6 specification, during the home binding update
procedure, both the real home address and the care-of address are in
the cleartext when either the IPsec tunnel mode or the IPsec
transport mode is used with no encryption. As described in
Section 6.1, the solution to prevent the real home address being
leaked to eavesdroppers on the MN-HA path during the home binding
update procedure is to set up an IPsec tunnel mode security
association with a non-null encryption algorithm to encrypt home
binding signaling messages and the real home address therein. This
method is also used to enable location privacy protection during
other mobility signaling message exchanges between the home agent and
the mobile node, such as the prefix discovery procedure (see
Section 6.4).
When communicating with the correspondent node with the reverse
tunneling mode, the mobile node can hide its current location from
the correspondent node and eavesdroppers along the HA-CN path, since
the care-of address is not included in payload packets transmitted on
that path. Also, an IPsec security association with a non-null
encryption algorithm established between the mobile node and the home
agent can conceal the real home address carried in payload packets
from eavesdroppers along the MN-HA path.
In order to communicate with a correspondent node in the route
optimization mode, the mobile node needs to perform the return
routability procedure followed by the correspondent binding update
procedure. With the current Mobile IPv6 specification, the real home
address and the care-of address in the correspondent Binding Update
message and payload packets are visible to eavesdroppers. Therefore,
in order to send and receive packets through the optimized route and
protect location privacy at the same time, the mobile node needs to
disclose its care-of address and conceal its real home address.
There are two different scenarios and we propose a different solution
for each scenario.
One scenario is that the correspondent node is able to obtain the
mobile node's real home address and initiates communication with the
mobile node by using the real home address. In this case, the mobile
node needs to continue to use the real home address with the
correspondent node in order to maintain session continuity, and to
Qiu, et al. Experimental [Page 9]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
conceal the real home address from eavesdroppers. The solution for
this scenario (hereinafter referred to as "reverse-tunneled
correspondent binding update") is described in Section 5. With this
solution, the mobile node exchanges the same return routability
signaling messages as defined in RFC 3775 with the correspondent node
and then derives a privacy management key from keygen tokens and uses
this key to encrypt the real home address. Finally, it reverse-
tunnels an extended correspondent Binding Update message via the home
agent to register the encrypted home address and the real home
address at the correspondent node. After the correspondent
registration, the mobile node and the correspondent node use the
registered encrypted home address, instead of the real home address
in payload packets exchanged via the optimized route. The encrypted
home address is different for different correspondent nodes since the
privacy management key would be different.
The other scenario is that the mobile node prefers to conceal its
real home address from both the correspondent node and the
eavesdroppers (typically the mobile node initiates communication in
this case, since the correspondent node does not know the real home
address). The solution for this scenario is described in
Section 6.2. With this solution, the mobile node first obtains a
home keygen token generated based on the pseudo home address during
the home address test procedure. Subsequently, the mobile node sends
the correspondent Binding Update message to register the binding
between the pseudo home address and the care-of address at the
correspondent node via the optimized route. After the correspondent
registration, the mobile node and the correspondent node use the
registered pseudo home address, instead of the real home address, in
payload packets exchanged via the optimized route. Note that the use
of the pseudo home address is completely transparent to the
correspondent node.
Furthermore, it is feasible to throttle "profiling" on the pseudo
home address by using a combination of these two solutions. That is,
the mobile node uses the pseudo home address in the extended home
address test procedure to obtain a home keygen token; then, it uses
the pseudo home address instead of the real home address in the
reverse-tunneled correspondent binding update procedure. With this
solution, the encrypted pseudo home address used in route optimized
payload packets looks different to eavesdroppers each time, after a
new round of the return routability procedure is completed.
Before a pseudo home address is used with a correspondent node, it
MUST be registered with the home agent during the home registration
procedure. The mobile node indicates the requested pseudo home
address in a new mobility option, called the Pseudo Home Address
option (see Section 7.3), carried in the home Binding Update message,
Qiu, et al. Experimental [Page 10]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
and the home agent indicates the status of pseudo home address
registration in another new mobility option, called Pseudo Home
Address Acknowledgement option (see Section 7.4), carried in the home
Binding Acknowledgement message. The pseudo home address MUST be
routable in order for the home agent to intercept packets destined at
this pseudo home address. It is statistically difficult for other
nodes to derive the real home address from the pseudo home address.
A detailed description of pseudo home address generation is provided
in Section 6.1.1.1.
With extensions introduced in this document, a mobile node is able to
discover whether the home agent and the correspondent node support
the location privacy solutions or not. When present in the home
Binding Update message, the Pseudo Home Address mobility option
indicates that the mobile node requests the use of the location
privacy solutions. If such a Binding Update message is valid and the
home agent supports the location privacy solutions for this
particular mobile node, it responds with the Pseudo Home Address
Acknowledgement mobility option in the Binding Acknowledgement
message. Otherwise, if the home agent does not support the location
privacy solutions, it does not include the Pseudo Home Address
Acknowledgement mobility option in the Binding Acknowledgement
message. Similarly, the presence of the Encrypted Home Address
destination option in the correspondent Binding Update message
indicates to the correspondent node that the mobile node requests the
use of the location privacy solutions. If such a Binding Update
message is valid and the correspondent node supports the location
privacy solutions for this particular mobile node, it responds with
the Encrypted Home Address routing header in the correspondent
Binding Acknowledgement message to the mobile node. If the
correspondent node does not support the location privacy solutions,
it rejects the mobile node's request by returning an ICMP Parameter
Problem message with Code value set to 2. Furthermore, a home agent
that recognizes such extensions but does not wish to provide location
privacy protection MAY redirect the mobile node to another home
agent. If the request for using the location privacy solutions is
rejected, the mobile node may either proceed without location privacy
protection, or try with a different home agent or a correspondent
node, or abort the operation.
5. Reverse-Tunneled Correspondent Binding Update
In this section, we describe a solution that protects location
privacy against eavesdroppers when the mobile node uses the real home
address during communication with the correspondent node via the
optimized route. Note that this solution does not require any change
to return routability signaling messages. The detailed description
is as follows.
Qiu, et al. Experimental [Page 11]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
5.1. The Procedure
After the return routability procedure is completed, if the mobile
node needs to protect location privacy, and at the same time still
uses the real home address with the correspondent node, the mobile
node derives a privacy management key, Kpm, from the Kbm, where Kpm =
HMAC_SHA1 (Kbm, 0). The mobile node uses Kpm to generate the
encrypted home address as follows.
encrypted home address = Enc(Kpm, the home address)
Where Enc() is a symmetric key encryption algorithm. AES is the
default encryption algorithm.
Kpm changes upon every change of Kbm, which itself changes when
return routability is run (e.g., upon change of care-of address,
expiry of keygen token, etc.). So, Kpm is not re-used when a care-of
address changes.
The mobile node generates a correspondent Binding Update message and
reverse-tunnels this message to the correspondent node via the home
agent. The format of this message after encapsulation is:
IPv6 header (source = care-of address,
destination = home agent)
ESP header in tunnel mode
IPv6 header (source = home address,
destination = correspondent node)
Destination option header
Encrypted Home Address option (encrypted home address)
Parameters:
Alternative Care-of Address option (care-of address)
sequence number (within the Binding Update message header)
home nonce index (within the Nonce Indices option)
care-of nonce index (within the Nonce Indices option)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BU)))
This packet is protected by the IPsec security association with a
non-null encryption algorithm. If the home agent can process this
packet successfully, it forwards the following packet to the
correspondent node.
IPv6 header (source = home address,
destination = correspondent node)
Destination option header
Encrypted Home Address option (encrypted home address)
Qiu, et al. Experimental [Page 12]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Parameters:
Alternative Care-of Address option (care-of address)
sequence number (within the Binding Update message header)
home nonce index (within the Nonce Indices option)
care-of nonce index (within the Nonce Indices option)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BU)))
After receiving a reverse-tunneled correspondent Binding Update
message, the correspondent node performs the operation as described
in Section 5.5. If the correspondent Binding Update message is
processed successfully and an acknowledgement is requested, the
correspondent node constructs a Binding Acknowledgement message shown
below.
IPv6 header (source = correspondent node,
destination = home address)
Encrypted Home Address routing header
encrypted home address
Parameters:
sequence number (within the Binding Update message header)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BA)))
Upon receiving this Binding Acknowledgement message, the home agent
applies the IPsec security association with a non-null encryption
algorithm to this message and forwards the following packet to the
mobile node.
IPv6 header (source = home agent,
destination = care-of address)
ESP header in tunnel mode
IPv6 header (source = correspondent node,
destination = home address)
Encrypted Home Address routing header
encrypted home address
Parameters:
sequence number (within the Binding Update message header)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BA)))
The reverse-tunneled correspondent binding update procedure is
completed after the mobile node processes the received Binding
Acknowledgement message. Note that when the mobile node communicates
with a different correspondent node, the encrypted home address looks
different.
Qiu, et al. Experimental [Page 13]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
To delete an established Binding Cache entry at the correspondent
node, the mobile node reverse-tunnels the following Binding Update
message via the home agent. Note that the Encrypted Home Address
option is optional during the correspondent binding de-registration
and only the home keygen token is used to generate Kbm and Kpm, if
needed, in this case.
IPv6 header (source = care-of address,
destination = home agent)
ESP header in tunnel mode
IPv6 header (source = home address,
destination = correspondent node)
Destination option header (optional)
Encrypted Home Address option (encrypted home address)
Parameters:
Alternative Care-of Address option (care-of address)
sequence number (within the Binding Update message header)
home nonce index (within the Nonce Indices option)
care-of nonce index (within the Nonce Indices option)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BU)))
If an acknowledgement is requested, the correspondent node returns
the following Binding Acknowledgement message to the mobile node.
IPv6 header (source = correspondent node,
destination = home address)
Encrypted Home Address routing header (optional)
encrypted home address
Parameters:
sequence number (within the Binding Update message header)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BA)))
Since the destination IP address in this message is the home address,
the home agent will receive this message and forward it to the mobile
node via the reverse tunnel.
5.2. Route-Optimized Payload Packets
After the correspondent registration is completed successfully,
subsequent payload packets are exchanged via the optimized route
between the mobile node and the correspondent node. In such packets,
only the encrypted home address carried in the Encrypted Home Address
destination option and the Encrypted Home Address routing header are
visible to eavesdroppers.
Qiu, et al. Experimental [Page 14]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
The format of payload packets sent from the mobile node to the
correspondent node is:
IPv6 header (source = care-of address,
destination = correspondent node)
Destination option header
Encrypted Home Address option (encrypted home address)
Payload
The format of payload packets sent from the correspondent node to the
mobile node is:
IPv6 header (source = correspondent node,
destination = care-of address)
Encrypted Home Address routing header
encrypted home address
Payload
5.3. Mobile Node Operation
5.3.1. Conceptual Data Structures
The Binding Update List entry for the correspondent registration is
extended with a new field to store the current encrypted home address
used with a particular correspondent node. The encrypted home
address is stored when the mobile node sends a reverse-tunneled
correspondent Binding Update message, and the state of the
corresponding Binding Update List entry is updated when the mobile
node successfully processes the correspondent Binding Acknowledgement
message. Note that the encrypted home address field is not valid in
the Binding Update List entry for the home registration.
Given that the encrypted home address is 128 bits long, it is
expected that each encrypted home address or the combination of the
encrypted home address and the correspondent node's IP address stored
in the Binding Update List is unique. Therefore, the mobile node can
use the encrypted home address (or use it together with the
correspondent node's IP address) as a primary key to look up the
Binding Update List.
5.3.2. Reverse-Tunneled Correspondent Binding Update to the
Correspondent Node
After the return routability procedure, if the mobile node chooses to
use the location privacy solution with the correspondent node, e.g.,
based on the mobile node's configuration, it generates the encrypted
home address, updates or creates a new correspondent Binding Update
List entry to store the encrypted home address, then forwards the
Qiu, et al. Experimental [Page 15]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
correspondent Binding Update message through the reverse tunnel
established with the home agent. Note that the MAC is generated in
the same way as specified in RFC 3775, and it does not cover the
encrypted home address.
5.3.3. Reverse-Tunneled Correspondent Binding Acknowledgement from the
Correspondent Node
When the mobile node receives a Binding Acknowledgement message from
the correspondent node in response to a previously sent reverse-
tunneled correspondent Binding Update message, if this Binding
Acknowledgement message contains an Encrypted Home Address routing
header, the mobile node considers that the correspondent node
supports the location privacy solution. The mobile node
authenticates this message based on RFC 3775. If authentication is
successful, the mobile node decrypts the encrypted home address and
compares the result with the real home address, or compares the
encrypted home address with the one stored in the Binding Update List
entry. If they match, the mobile node considers that the
correspondent registration is successful and updates the state of the
corresponding Binding Update List entry. If they do not match, the
mobile node MAY start the correspondent binding update procedure
again.
5.3.4. Route-Optimized Payload Packets
In order to maintain session continuity, upper layers of the IP stack
in the mobile node still use the real home address, even after the
reverse-tunneled correspondent registration.
A possible way of implementation is as follows. When the Mobile IP
sublayer at the mobile node receives a packet from the upper layer,
the normal processing as specified in RFC 3775 is performed.
Subsequently, the Home Address option is replaced with the Encrypted
Home Address option carrying the encrypted home address stored in the
corresponding Binding Update List entry, and then the mobile node
forwards the packet to the correspondent node via the optimized
route.
On the other hand, when the mobile node receives a payload packet
carrying the Encrypted Home Address routing header, the mobile node
uses the encrypted home address (optionally together with the IP
address of the correspondent node) to look up the Binding Update
List. If an entry is found, the mobile node accepts this packet,
replaces the Encrypted Home Address option with the Home Address
option carrying the real home address, and continues with processing
based on RFC 3775. If no entry is found, the mobile node silently
drops the received packet.
Qiu, et al. Experimental [Page 16]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
5.3.5. Receiving ICMP Error Message
The mobile node may receive an ICMP Parameter Problem, Code 2,
message forwarded by the home agent via the bidirectional tunnel, for
example, when the correspondent node does not support the use of the
Encrypted Home Address option. If such a message is received, the
mobile node SHOULD not attempt to use the location privacy solution
with the correspondent node. The mobile node may choose either not
to communicate with the correspondent node, or to communicate without
location privacy protection.
5.3.6. Binding Error from the Correspondent Node
When the mobile node communicates with a correspondent node by using
the encrypted home address, a Binding Error message with the Status
field set as 1 (unknown binding for Home Address destination option)
may be received by the mobile node if there is no valid Binding Cache
entry established at the correspondent node. Note that we do not
specify a new Status value to be used in this case because the
implementation of the Binding Update List entry can contain an
indication of whether an encrypted home address is currently used
with the correspondent node. Upon receiving the Binding Error
message, the mobile node can find out which encrypted home address is
invalid by looking at the Home Address field of the Binding Error
message. The mobile node may then perform the correspondent binding
update procedure to establish a valid binding for the encrypted home
address.
5.3.7. Binding Refresh Request from the Correspondent Node
When the mobile node receives a Binding Refresh Request message sent
from the correspondent node and forwarded by the home agent via the
bidirectional tunnel, the mobile node needs to perform the
correspondent binding update procedure to refresh the binding for the
encrypted home address at the correspondent node.
5.4. Home Agent Operation
With the solution described in this section (i.e., Section 5), there
is no new home agent operation to be specified. That is, the home
agent behaves based on RFC 3775 when processing signaling or data
packets.
Qiu, et al. Experimental [Page 17]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
5.5. Correspondent Node Operation
5.5.1. Conceptual Data Structures
The Binding Cache entry is extended with a new field to store the
current encrypted home address used with a particular mobile node.
The encrypted home address is stored when the correspondent node
successfully processes a reverse-tunneled correspondent Binding
Update message.
Given that the encrypted home address is 128 bits long, it is
expected that each encrypted home address or the combination of the
care-of address and the encrypted home address stored in the Binding
Cache entry is unique. Therefore, the correspondent node can use the
encrypted home address (or use it together with the care-of address)
as a primary key to look up the Binding Cache.
5.5.2. Reverse-Tunneled Correspondent Binding Update from the Mobile
Node
When receiving a reverse-tunneled Binding Update message with the
Encrypted Home Address option, if the correspondent node supports the
location privacy solution, it verifies the message by using the same
method as defined in RFC 3775. If this verification succeeds, the
correspondent node generates Kpm and uses it to decrypt the encrypted
home address, and compares the result with the source IP address. If
they match, the correspondent node stores the encrypted home address
in the corresponding Binding Cache entry.
5.5.3. Reverse-tunneled Correspondent Binding Acknowledgement to the
Mobile Node
If an acknowledgement to the reverse-tunneled correspondent Binding
Update message is requested by the mobile node, the correspondent
node returns a Binding Acknowledgement message with the Encrypted
Home Address routing header, if it supports the location privacy
solution. The MAC in the Binding Acknowledgement message is
generated in the same way as specified in RFC 3775 and does not cover
the encrypted home address carried in the Encrypted Home Address
routing header.
5.5.4. Route-Optimized Payload Packets
In order to maintain session continuity, upper layers of the IP stack
in the correspondent node still use the real home address, even after
the reverse-tunneled correspondent registration.
Qiu, et al. Experimental [Page 18]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
A possible way of implementation is as follows. When the IP layer at
the correspondent node finishes processing the packet received from
the upper layer based on RFC 3775, the Type 2 routing header together
with the real home address therein is replaced with the Encrypted
Home Address routing header with the encrypted home address found in
the corresponding Binding Cache entry. Then, this packet is
forwarded to the mobile node via the optimized route.
On the other hand, when the correspondent node receives a payload
packet with the Encrypted Home Address option, it uses the encrypted
home address (optionally together with the care-of address of the
mobile node) to look up the Binding Cache. If there is an entry, the
correspondent node replaces the Encrypted Home Address option with
the Home Address option carrying the real home address before
forwarding the packet to the upper layer. If no matching entry is
found, the correspondent node sends a Binding Error message to the
source IP address, i.e., the care-of address of the mobile node.
5.5.5. ICMP Error Message to the Mobile Node
When receiving a reverse-tunneled correspondent Binding Update
message with the Encrypted Home Address option, if the correspondent
node does not support location privacy extensions, it sends an ICMP
Parameter Problem, Code 2, message to the source IP address (i.e.,
the home address of the mobile node) and the home agent then forwards
this ICMP message to the mobile node via the bidirectional tunnel.
5.5.6. Binding Error to the Mobile Node
When the correspondent node receives a payload packet with the
Encrypted Home Address option for which there is no valid Binding
Cache entry, it returns a Binding Error message with the Status code
set as 1 back to the source IP address of the packet. Furthermore,
the Home Address field in the Binding Error message MUST be copied
from the Encrypted Home Address field in the Encrypted Home Address
destination option of the offending packet, or set to the unspecified
address if no such option appears in the packet.
5.5.7. Binding Refresh Request to the Mobile Node
When the correspondent node realizes that a Binding Cache entry is
about to expire, it sends a Binding Refresh Request message to the
real home address of the mobile node stored in the Binding Cache
entry.
Qiu, et al. Experimental [Page 19]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
5.6. Summary
With the solution in Section 5, the real home address is visible in
the Binding Update and Binding Acknowledgement messages along the
HA-CN path. Like Mobile IPv6 itself, it has not been designed to
change the communications between the home network and the
correspondent node; the same issues would affect non-mobile hosts as
well. This solution meets all the requirements set forth for the
location privacy solutions and provides a simple way to provide
location privacy protection while allowing the use of the real home
address with the correspondent node.
6. IP Address Location Privacy Solution Using the Pseudo Home Address
6.1. Home Binding Update
When the mobile node attaches to a foreign link, it first performs
the home binding update procedure for the real home address with the
home agent, as specified in RFC 3775. For hiding the real home
address, we require the use of IPsec Encapsulating Security Payload
(ESP) [3] in tunnel mode. In order to provide location privacy, a
non-null encryption transform must be used so that the real home
address is encrypted and encapsulated, and made invisible to
eavesdroppers on the MN-HA path. The packet formats and processing
rules are the same as specified in RFC 3775 and RFC 4877.
6.1.1. Pseudo Home Address Registration
6.1.1.1. Generation
To protect location privacy in the route optimization mode, the
mobile node replaces the real home address used in certain signaling
and payload packets with the pseudo home address. Different from the
encrypted home address, the pseudo home address needs to be routable
so that the home agent can intercept packets with the pseudo home
address used as the destination address. The pseudo home address is
generated by concatenating one of the home network prefixes with a
random bit string. There are many ways to generate such a random bit
string, for example, by using a random number generator or a secure
encryption or hash algorithm.
Using the pseudo home address instead of the real home address even
in return routability and binding update to the correspondent has the
following advantages. First, the pseudo home address does not reveal
the identity of a mobile node since it is not (or should not be)
publicly known. Hence, the signaling on the HA-CN is path is more
secure since attackers will not be able to determine the identity of
the mobile node based on the pseudo home address. Second, the mobile
Qiu, et al. Experimental [Page 20]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
node can communicate with a correspondent without disclosing its real
home address. Finally, the chosen pseudo home address can be
different with different correspondents for both signaling and data
traffic purposes.
The prefix used to form the pseudo home address MUST be managed by
the same home agent so that it can forward the return routability
messages. Even though it does not have to be the same as that used
in the real home address, the prefix is highly recommended to be
different. For instance, a home agent may use a different prefix
pool for location privacy purposes for a set of mobile nodes. This
ensures that the real home address and the pseudo home address are
not co-related (assuming the mobile node chooses different interface
identifiers (IIDs)).
6.1.1.2. Registration
The mobile node MUST register the pseudo home address to be used with
the home agent before actually using it with a correspondent node.
To do so, the mobile node indicates a pseudo home address in the
Pseudo Home Address mobility option in the Binding Update message
sent to the home agent. If the home agent supports the location
privacy solution, it performs the Duplicate Address Detection to
detect whether this pseudo home address conflicts with other pseudo
home addresses submitted from different mobile nodes. Based on the
result, the home agent indicates whether to accept the pseudo home
address by setting the appropriate status code in the Pseudo Home
Address Acknowledgement option in the Binding Acknowledgement
message. If the home agent prefers the use of a different home
network prefix from that of the requested pseudo home address, the
home agent returns the new pseudo home address in the Pseudo Home
Address Acknowledgement mobility option to the mobile node.
The mobile node MAY register the pseudo home address when it is about
to communicate with a correspondent node with location privacy
protection. The default lifetime of registered pseudo home addresses
is the same as the Home Binding Cache entry; however, a mobile node
may choose any value and a home agent may grant any value. The
mobile node can add or delete any pseudo home address by using the
Pseudo Home Address mobility option in the home Binding Update
message. The home agent does not have to recover the real home
address from the pseudo home address.
6.1.2. Home De-Registration
When the mobile node returns to its home link, the home de-
registration procedure is the same as specified in RFC 3775, i.e.,
the real home address is used as the source IP address in the Binding
Qiu, et al. Experimental [Page 21]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Update message and the destination IP address in the Binding
Acknowledgement message. The de-registration of the real home
address results in automatic de-registration of all pseudo home
addresses. When the mobile node decides to disconnect from the home
agent while at its foreign link, the format of the Binding Update and
Acknowledgement is the same as that defined for the home
registration, except that the Lifetime field is set to zero. The
home agent deletes the corresponding Binding Cache entry including
the registered pseudo home address, if any.
6.2. Correspondent Binding Update Using the Pseudo Home Address
6.2.1. Return Routability Procedure
The location privacy solution specified in this section does not
introduce any change to the care-of address test procedure as
specified in RFC 3775. In the following, we highlight the extensions
to the home address test procedure, during which the mobile node
obtains a home keygen token generated based on the pseudo home
address.
The mobile node generates and sends a Home Test Init message to the
home agent. The format of this message is:
IPv6 header (source = care-of address, destination = home agent)
ESP header in tunnel mode
IPv6 header (source = home address, destination = correspondent)
Mobility Header (HoTI)
Home Init Cookie
Pseudo Home Address mobility option (pseudo home address)
The difference from what is specified in RFC 3775 is that the mobile
node includes a Pseudo Home Address mobility option (see Section 7.3)
in the Home Test Init message. A new option for carrying the pseudo
home address is necessary because the security association between
the mobile node and the home agent is based on the real home address.
The pseudo home address contained in the Pseudo Home Address option
is selected by the mobile node from a set of pseudo home addresses
that have been registered with the home agent during the home
registration procedure. Note that the Home Test Init message is
protected by an IPsec security association in the ESP tunnel mode
with a non-null encryption algorithm and a non-null authentication
algorithm, as specified in RFC 3776.
When receiving a Home Test Init message, the home agent performs the
operation as specified in Section 6.6.4. If this operation succeeds
when the Pseudo Home Address mobility option is present in the Home
Test Init message, the home agent generates a Home Test Init message
Qiu, et al. Experimental [Page 22]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
and forwards it to the correspondent node. As shown in the
following, the pseudo home address carried in the Pseudo Home Address
mobility option is used as the source IP address in the forwarded
Home Test Init message.
IPv6 header (source = pseudo home address,
destination = correspondent)
Mobility Header (HoTI)
Home Init Cookie
The forwarded Home Test Init message looks the same to the
correspondent node as what is specified in RFC 3775 and the
correspondent node does not realize that the pseudo home address is
used, and just generates a home keygen token using the same algorithm
as specified in RFC 3775.
home keygen token =
First (64, HMAC_SHA1 (Kcn, (pseudo home address | nonce | 0)))
The correspondent node then replies with a Home Test message. As
shown in the following, the format of this message is the same as
that specified in RFC 3776, and the pseudo home address is used as
the destination IP address.
IPv6 header (source = correspondent,
destination = pseudo home address)
Mobility Header (HoT)
Home Init Cookie
Home Keygen Token
Home Nonce Index
When the home agent intercepts the Home Test message using proxy
Neighbor Discovery, it performs the operation as specified in
Section 6.6.5. If this operation succeeds, the home agent generates
the following Home Test message and forwards to the mobile node.
IPv6 header (source = home agent, destination = care-of address)
ESP header in tunnel mode
IPv6 header (source = correspondent, destination = home address)
Mobility Header (HoT)
Home Init Cookie
Home Keygen Token
Home Nonce Index
Pseudo Home Address Acknowledgement mobility option
(pseudo home address)
Qiu, et al. Experimental [Page 23]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
When the mobile node receives the Home Test message, it performs
operation as specified in Section 6.5.5. If such operation succeeds,
the mobile node obtains a home keygen token computed using the pseudo
home address. After the care-of address test is completed, the
mobile node hashes the care-of keygen token and the home keygen token
together to generate Kbm using the same method as specified in RFC
3775.
6.2.2. Route-Optimized Correspondent Binding Update
In this procedure, the mobile node MUST use the same pseudo home
address used during the home address test procedure. The pseudo home
address is carried in the Home Address option in the correspondent
Binding Update message.
IPv6 header (source = care-of address,
destination = correspondent)
Destination option header
Home Address destination option (pseudo home address)
Parameters:
sequence number (within the Binding Update message header)
home nonce index (within the Nonce Indices option)
care-of nonce index (within the Nonce Indices option)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BU)))
When the correspondent node receives the Binding Update message, it
performs the same operation as specified in RFC 3775. If such
operation succeeds and an acknowledgement is requested by the mobile
node, the correspondent node replies with the following Binding
Acknowledgement message.
IPv6 header (source = correspondent,
destination = care-of address)
Parameters:
sequence number (within the Binding Update message header)
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
| BA)))
After the mobile node receives the Binding Acknowledgement message
indicating that the correspondent registration succeeds, the mobile
node can now use the pseudo home address for communicating with the
correspondent node.
Qiu, et al. Experimental [Page 24]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Such a Binding Update message may also be used by the mobile node to
delete a previously established binding at the correspondent node.
In this case, similar to what is specified in RFC 3775, Kbm is
generated exclusively from the home keygen token that is based on the
pseudo home address.
6.2.3. Reverse-tunneled Correspondent Binding Update
The mobile node may choose to use reverse tunneling for sending the
Binding Update. The format of messages during such a procedure is
similar to what is described in Sections 5 and 6.2.1, except that a
pseudo home address is used in place of the real home address. The
Encrypted Home Address destination and the Encrypted Home Address
routing header SHOULD be used to carry the encrypted pseudo home
address.
6.2.4. Using Different Pseudo Home Addresses with Different
Correspondent Nodes
Based on its configuration and policy, the mobile node can choose to
use the same or different pseudo home addresses when communicating
with different correspondent nodes. Using a different pseudo home
address with each correspondent node may help prevent the mobile
node's activities from being linked and correlated. To do so, the
mobile node selects a different but already registered pseudo home
address and repeats the return routability procedure and the
correspondent binding update procedure with each correspondent node.
In addition, if the mobile node prefers, it MAY use different pseudo
home addresses for different sessions with the same correspondent
node. This typically requires additional configuration at the mobile
node that associates a specific session (for example, identified by
the port number and the protocol number, among others) with a
specific pseudo home address. This document does not address details
of this solution.
6.3. Payload Packets
6.3.1. Reverse Tunneling Mode
The format of payload packets reverse-tunneled via the home agent is
the same as that specified for the home address test procedure in
Section 6.2.1.
Qiu, et al. Experimental [Page 25]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
6.3.2. Route Optimization Mode
When the route-optimized correspondent binding update procedure is
performed, the format of payload packets exchanged between the mobile
node and the correspondent node is the same as specified in RFC 3775.
The operation of the mobile node when communicating with the
correspondent node via the route optimization mode is described in
Section 6.5.6.
When the reverse tunneled correspondent binding update procedure is
performed, the format of payload packets exchanged between the mobile
node and the correspondent node is the same as specified in Section
5, except that the encrypted pseudo home address SHOULD be included
in the Encrypted Home Address destination option and the Encrypted
Home Address routing header.
6.4. Prefix Discovery
The solution to protect location privacy during the prefix discovery
procedure is similar to that used during the home binding update
procedure.
6.5. Mobile Node Operation
In this section, we describe the mobile node's operation when the
location privacy solution is used.
6.5.1. Conceptual Data Structures
6.5.1.1. Pseudo Home Address Table
We introduce a new data structure, called Pseudo Home Address table,
to record the information of pseudo home addresses. The mobile node
may maintain a Pseudo Home Address table for each home agent it
registers with. Each entry in the table contains a pseudo home
address and its associated state, i.e., "unconfirmed" or "confirmed".
The mobile node creates or updates entries in the Pseudo Home Address
table when sending the home Binding Update message or receiving the
home Binding Acknowledgement message. The pseudo home address can be
used as a key to search the table. There MUST NOT be any duplicated
pseudo home addresses stored in the Pseudo Home Address table.
6.5.1.2. Binding Update List
The Binding Update List entry is extended with a field, called Pseudo
Home Address. This field MAY be implemented as a pointer that points
to a corresponding entry in the Pseudo Home Address table. This
pointer is initialized as NULL when the Binding Update List entry is
Qiu, et al. Experimental [Page 26]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
created (for example, when the mobile node sends a Binding Update
message or a Home Test Init message to the home agent). For the
binding sent to a specific home agent, the Pseudo Home Address field
points to the first entry in the Pseudo Home Address table (or NULL
if the table is empty), so that the mobile node can access all the
pseudo home addresses registered at this home agent; on the other
hand, for the binding sent to a specific correspondent node, the
Pseudo Home Address field points to the Pseudo Home Address table
entry that contains the actual pseudo home address used with this
correspondent node (or NULL if no pseudo home address is used with
this correspondent node).
6.5.2. Binding Update to the Home Agent
The mobile node may decide to perform the home registration with
location privacy protection, for example, when it attaches to a
foreign link or when it needs to extend the lifetime of a registered
home binding.
Since IPsec tunnel mode is used, the mobile node MUST negotiate a
non-null encryption algorithm (for example, during the bootstrapping)
and use it to protect the home Binding Update message as specified in
RFC 3775 and RFC 4877. In addition, the mobile node can register a
pseudo home address as described above. If the mobile node does not
wish to register the pseudo home address at this point, but wishes to
discover whether the home agent supports the location privacy
solution, the mobile node includes a Pseudo Home Address mobility
option without the Pseudo Home Address field in the Binding Update
message sent to the home agent.
After sending the home de-registration binding update message, in
addition to the operation specified in RFC 3775, the mobile node MUST
stop using any data structure specific to the location privacy
solution and MAY delete them after the Binding Acknowledgement
message is processed successfully.
6.5.3. Binding Acknowledgement from the Home Agent
With IPsec tunnel mode, the mobile node follows the rules specified
in RFC 3775 and RFC 4877 to process the Binding Acknowledgement
message.
In addition, if one or more Pseudo Home Address Acknowledgement
mobility options are present in the Binding Acknowledgement message,
the mobile node checks the Status field in each option. If the
Status field in one option is 0 (Success), the pseudo home address,
if not already present, is added into the Pseudo Home Address table,
and the state of the corresponding entry is set to "confirmed".
Qiu, et al. Experimental [Page 27]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Otherwise, the mobile node deletes any existing pseudo home address
with the "unconfirmed" state (i.e., either an error code or no
acknowledgement for such a pseudo home address is received) from the
Pseudo Home Address table.
The mobile node considers that the home agent supports the location
privacy solution, if a valid Pseudo Home Address Acknowledgement
mobility option with or without a Pseudo Home Address field is
received.
Note that the mobile node MUST determine whether the home
registration succeeds or not based on what is specified RFC 3775.
6.5.4. Home Test Init to the Home Agent
To enable location privacy protection during communication with the
correspondent node in the route optimization mode, the mobile node
generates a Home Test Init message based on what is specified in RFC
3775 and RFC 3776. In addition, if the return routability procedure
is for a new session with the correspondent node, the mobile node
selects any pseudo home address from those already registered with
the home agent and stored in the Pseudo Home Address table;
otherwise, the mobile node must use the same pseudo home address as
used with the same correspondent node before. The selected pseudo
home address is carried in the Pseudo Home Address mobility option of
the generated Home Test Init message. This Home Test Init message is
protected by an IPsec security association with a non-null encryption
algorithm.
After sending the Home Test Init message to the home agent, if there
is no Binding Update List entry existing for the correspondent node,
the mobile node creates one entry that points to the pseudo home
address used; otherwise, the mobile node updates the existing entry.
6.5.5. Home Test from the Home Agent
When the mobile node receives a Home Test message from the home
agent, it processes the packet based on processing rules specified in
RFC 3775 and RFC 3776. If this is a valid packet and there is a
Pseudo Home Address Acknowledgement option included, the mobile node
examines the Status field inside this mobility option as follows:
o If the Status field indicates that the home address test procedure
using the pseudo home address succeeds (the Status field is 0), in
addition to what is specified in RFC 3775, the mobile node
prepares to use the pseudo home address carried in the Pseudo Home
Address Acknowledgement option for the correspondent registration.
Qiu, et al. Experimental [Page 28]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
o If the Status field indicates that the home address test procedure
using the pseudo home address fails (the Status field is larger
than 127), the mobile node can take steps to correct the cause of
the error and retransmit the Home Test Init message, subject to
the retransmission limit specified in RFC 3775. If this is not
done or it fails, then the mobile node SHOULD record in its
Binding Update List that the future home address test procedure
SHOULD NOT use the pseudo home address with this correspondent
node.
6.5.6. Route-Optimized Payload Packets
After the mobile node completes the route-optimized correspondent
registration procedure using the pseudo home address, payload packets
are sent to the correspondent node with the pseudo home address in
the Home Address destination option.
The packet processing rules when sending and receiving route-
optimized packets are the same as in RFC 3775 except that pseudo home
addresses are used. In addition, if encrypted pseudo home addresses
are used, both the mobile node and the correspondent node need to
replace the encrypted address with the pseudo home address before
passing them to the upper layers.
In the case that the mobile node masks the pseudo home address and
uses the reverse-tunneled correspondent binding update procedure, the
mobile node performs the operation specified in Section 5.3.4, except
that the pseudo home address rather than the real home address is
expected.
6.5.7. Receiving Binding Refresh Request
When the Mobile Node receives a Binding Refresh Request message from
a correspondent node, the destination IP address may be the pseudo
home address. In this case, the mobile node needs to check the
corresponding Binding Update List entry for the correspondent node.
If the pseudo home address is invalid, the mobile node silently
discards this message. Otherwise, the mobile node refreshes the
binding with the correspondent node by using the same pseudo home
address.
6.6. Home Agent Operation
In this section, we describe the home agent's operation when the
location privacy solution is used.
Qiu, et al. Experimental [Page 29]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
6.6.1. Conceptual Data Structures
The Binding Cache entry is extended with a field that points to a
list of currently accepted pseudo home addresses. Note that each
registered pseudo home address MUST be unique and all the registered
pseudo home addresses SHOULD be organized in such a way that the
associated Binding Cache entry can be quickly located when a pseudo
home address is used as the key to look up the Binding Cache.
6.6.2. Binding Update from the Mobile Node
If the received Binding Update message contains one or more Pseudo
Home Address mobility options, the home agent MUST ignore such an
option if it does not recognize it. If the home agent recognizes
such an option, a Pseudo Home Address Acknowledgement mobility option
is generated and some fields therein are set as follows:
o If the Pseudo Home Address field received is empty, the Status
field is set to 0 (Success), and the Pseudo Home Address field is
empty.
o If the Pseudo Home Address field received is set to all zero, the
Status field is set is 0 (Success), and a pseudo home address
SHOULD be included in the Pseudo Home Address field, if the home
agent supports the dynamic pseudo home address assignment;
otherwise, the Status field is set to 132 (Dynamic pseudo home
address assignment not available) and the Pseudo Home Address
field is empty.
o The Pseudo Home Address field received may contain an IPv6
address. If the format of such an IP address is incorrect, the
Status field is set to 130 (Incorrect pseudo home address). If
such an IP address is invalid, for example, the prefix is not a
valid home network prefix or this is detected as a duplicated IP
address, the Status field is set to 131 (Invalid pseudo home
address). In both cases, the Pseudo Home Address field is empty.
If the home agent suggests a different pseudo home address, the
Status field is set to 0 (Success), and the new pseudo home
address is included in the Pseudo Home Address field. Otherwise,
if the home agent accepts the requested pseudo home address, the
Status field is set as 0 (Success), and the same IP address is
included in the Pseudo Home Address field.
o If the home agent does not allow the mobile node to use the pseudo
home address with the correspondent node, the Status field SHOULD
be set as 129 (Administratively prohibited) and the Pseudo Home
Address field is empty.
Qiu, et al. Experimental [Page 30]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
o In case that the home agent does not accept the Pseudo Home
Address mobility option for all other reasons, the Status field
SHOULD be set as 128 (Failure, reason unspecified) and the Pseudo
Home Address is empty.
When receiving a Binding Update message protected with the IPsec
tunnel mode, the home agent performs the operation specified in RFC
4877.
When receiving and successfully processing a Binding Update message
for de-registration from the mobile node, in addition to what is
specified in RFC 3775, the home agent MUST delete data structures
related to the location privacy extension.
6.6.3. Binding Acknowledgement to the Mobile Node
When sending a Binding Acknowledgement message protected with the
IPsec tunnel mode, the home agent performs the operation specified in
RFC 4877.
The processing rules related to the Pseudo Home Address
Acknowledgement mobility option are described in Section 6.6.2.
6.6.4. Home Test Init from the Mobile Node
When receiving a Home Test Init message from the mobile node, the
home agent first verifies this message based on the IPsec processing
rules as specified in RFC 3776. If the verification fails, the home
agent acts based on such IPsec processing rules. Otherwise, if the
Pseudo Home Address option does not exist in the Home Test Init
message, the home agent performs the operation as specified in RFC
3775. Otherwise, the following operation is performed.
1. The home agent looks up its Binding Cache by using the real home
address as a key. If the pseudo home address carried in the
Pseudo Home Address option does not match any pseudo home address
associated with the corresponding Binding Cache entry (including
when the Pseudo Home Address field is set as zero), it MUST
reject the Home Test Init message by sending back a Home Test
message including the Pseudo Home Address Acknowledgement option
with the Status field set as 131 (Invalid pseudo home address).
2. Otherwise, the home agent constructs a Home Test Init message
with the pseudo home address as the source IP address, and
forwards the Home Test Init message to the correspondent node.
Qiu, et al. Experimental [Page 31]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
6.6.5. Home Test to the Mobile Node
When the home agent intercepts a Home Test message using proxy
Neighbor Discovery, if the destination IP address matches with one of
the real home addresses, the home agent performs the operation as
specified in RFC 3775. Otherwise, the home agent uses the
destination IP address to look up the Binding Cache to find if there
is a matched pseudo home addresses. If not, the home agent discards
this message silently. When a matching pseudo home address is found,
the home agent generates a Home Test message with a Pseudo Home
Address Acknowledgement option and sends it to the mobile node.
Inside the Pseudo Home Address Acknowledgement option, the Status
field is set to zero (Success) and the Pseudo Home Address field is
filled with the found pseudo home address.
6.7. Correspondent Node Operation
With the solution described in this section, when the correspondent
node is involved in the route-optimized correspondent binding update
procedure, there is no new operation if only pseudo home addresses
are used without encryption. This specification recommends using
encrypted pseudo home addresses to thwart revealing any prefix
information about a mobile node. The additional operations are the
same as specified in Section 5.5, except that the pseudo home
address, instead of the real home address, is used.
7. Extensions to Mobile IPv6
This section describes the experimental extensions to Mobile IPv6
used in this document. For experimentation purposes, the
experimental IPv6 Option Type, the experimental IPv6 Routing Header
Type, and the experimental Mobility Option Type as defined in RFC
4727 [12] and RFC 5096 [13] can be used in the Encrypted Home Address
destination option, the Encrypted Home Address routing header, the
Pseudo Home Address mobility option, and the Pseudo Home Address
Acknowledgement mobility option. In the following, we describe the
format of each extension for illustration purpose.
7.1. Encrypted Home Address Destination Option
This option is used in the Destination Option extension header (Next
Header value = 60).
Qiu, et al. Experimental [Page 32]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Encrypted Home Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Type
A type for identifying the use of the encrypted home address in
this option. Implementations of this RFC can use the value
0xFE. This value is reserved in RFC 4727 for all experiments
involving IPv6 destination options.
Encrypted Home Address
The encrypted home address generated from a either real or
pseudo home address.
The processing of other fields in the Encrypted Home Address option
is the same as that of those fields in the Home Address option
described in RFC 3775. Note that if the Encrypted Home Address
option is present in a packet, the encrypted home address therein
MUST NOT be treated as the real source IP address by the receiver.
7.2. Encrypted Home Address Routing Header
The encrypted home address is carried in this routing header.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len=2 | Routing Type |Segments Left=1|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Encrypted Home Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Qiu, et al. Experimental [Page 33]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Routing Type
A type for identifying the use of the encrypted home address in
this option. Implementations of this RFC can use the value
0xFE. This value is reserved in RFC 4727 for all experiments
involving IPv6 routing header.
Encrypted Home Address
The encrypted home address generated from a either real or
pseudo home address.
The processing of other fields in the Encrypted Home Address routing
header is the same as described in RFC 3775. Note that if this
routing header is present in a packet, the encrypted home address
therein MUST NOT be treated as the real destination IP address by the
receiver.
7.3. Pseudo Home Address Mobility Option
This mobility option is included in the mobility header, including
the Binding Update message and the Home Test Init message, and
carries zero or one pseudo home address. The alignment requirement
for this option is 4n.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |A| Reserved | Prefix length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Pseudo Home Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
A unique type (together with the 'A' bit in the Reserved field)
for identifying the Pseudo Home Address Acknowledgement
mobility option. For experimental purpose, the value of this
type is 18 as reserved in RFC 5096.
Qiu, et al. Experimental [Page 34]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Length
The length of the Pseudo Home Address mobility option excluding
the Type field and the Length field. It MUST be 2 when the
Pseudo Home Address field is not present; otherwise, it MUST be
18.
Reserved Field
The 'A' bit, which MUST be set to zero to indicate that this is
a Pseudo Home Address mobility option. The rest of bits MUST
be set as zero by the sender and ignored by the receiver.
Prefix Length
The length of the home network prefix of the included pseudo
home address. When the Pseudo Home Address field is not
present, the Prefix Length field MUST be set as zero.
Pseudo Home Address
If present, the field contains a pseudo home address that the
mobile node wants to use for location privacy protection or
zero if the mobile node requests a pseudo home address from the
home agent. This field is not present if the mobile node only
intends to discover whether the home agent supports the
location privacy solutions. The Length field is used to detect
whether the Pseudo Home Address field is present in the Pseudo
Home Address mobility option.
7.4. Pseudo Home Address Acknowledgement Mobility Option
This mobility option is included in the mobility header, including
the Binding Acknowledgement message and the Home Test message sent to
the mobile node, and carries zero or one pseudo home address. This
mobility option is used to indicate the status of the pseudo home
address registration and/or whether the home agent supports the
location privacy solutions. The alignment requirement for this
option is 2n.
Qiu, et al. Experimental [Page 35]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A| Reserved | Prefix length | Status | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Pseudo Home Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
A unique type (together with the 'A' bit in the Reserved field)
for identifying the Pseudo Home Address Acknowledgement
mobility option. For experimental purpose, the value of this
type is 18 as reserved in RFC 5096.
Length
The length of the Pseudo Home Address Acknowledgement mobility
option excluding the Type field and the Length field. It MUST
be 4 when the Pseudo Home Address field is not present;
otherwise, it MUST be 20.
Reserved
The 'A' bit, which MUST be set to one to indicate that this is
a Pseudo Home Address Acknowledgement mobility option. The
rest of bits MUST be set as zero by the sender and ignored by
the receiver.
Prefix Length
The length of the home network prefix of the included pseudo
home address. When the Pseudo Home Address field is not
present, the Prefix Length MUST be set as zero.
Status
It indicates the status of the pseudo home address
registration. Values from 0 to 127 indicate success. Higher
values indicate failure. The following values are reserved:
Qiu, et al. Experimental [Page 36]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
0 Success
128 Failure, reason unspecified
129 Administratively prohibited
130 Incorrect pseudo home address
131 Invalid pseudo home address
132 Dynamic pseudo home address assignment not available
Reserved
This field is reserved for future use. It MUST be set to zero
by the sender and ignored by the receiver.
Pseudo Home Address
If present, the field contains a pseudo home address that the
home agent registers for the mobile node to use for location
privacy protection. This field is not present when the home
agent only needs to indicate that it supports the location
privacy solutions as a response to the query from the mobile
node. The Length field is used to detect whether the Pseudo
Home Address field is present in the Pseudo Home Address
Acknowledgement mobility option.
8. Security Considerations
The solutions proposed in this document address one of the security
issues in the mobile environment, i.e., location privacy. Throughout
the document, we provide a detailed analysis of how the proposed
solutions address the location privacy problem. We carefully design
such solutions to make sure that they fit well into the Mobile IPv6
framework; therefore, the same threat analysis, security mechanisms
(such as IPsec, the sequence number in binding signaling messages,
the return routability procedure), and considerations as described in
RFC 3775 still apply. Nevertheless, in the following we provide an
in-depth analysis on security threats involving the use of the
location privacy solutions and demonstrate that the proposed
solutions do not introduce any new vulnerability or weaken the
strength of security protection of the original Mobile IPv6 protocol.
8.1. Home Binding Update
Given the strong security of the cryptography algorithm used to
generate the encrypted home address, eavesdroppers are unable to
derive the real home address from the encrypted home address and thus
to correlate the care-of address with the real home address.
Moreover, the encrypted home address can be updated to prevent
eavesdroppers from linking the mobile node's ongoing activities.
Qiu, et al. Experimental [Page 37]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
During the pseudo home address registration, the home agent verifies
that the requested pseudo home address is not in use by other mobile
nodes; therefore, the other mobile node cannot, inadvertently or
maliciously, intercept ongoing sessions of a victim mobile node by
registering the same pseudo home address.
A mobile node may attempt to register a large number of pseudo home
addresses that may exhaust the pool of available pseudo home
addresses and prevent other mobile nodes using location privacy
protection. The home agent MUST limit the number of pseudo home
addresses that can be requested by a mobile node. Also, with the
IPsec security association between the home agent and the mobile
node, if any misuse of the pseudo home address registration is
detected, the home agent can identify the malicious mobile node and
take further actions.
8.2. Correspondent Binding Update
The return routability procedure using the pseudo home address
follows the same principle of the original return routability
procedure, i.e., the message exchange verifies that the mobile node
is reachable at both the pseudo home address and the care-of address
(this is because the pseudo home address is required to be routable).
Furthermore, the extended return routability procedure also utilizes
the same security mechanisms as defined in RFC 3775, such as the
nonce, the node key, and the sequence number, to protect against
attacks. Overall, it provides the same security strength as the
original return routability procedure.
The reverse-tunneled correspondent binding update procedure does not
weaken security either. Although the real home address is
transferred in cleartext on the HA-CN path, eavesdroppers on this
path can already perform more serious attacks against the mobile node
with the Mobile IPv6 protocol.
8.3. Route-Optimized Payload Packets
Using the Encrypted Home Address option in route-optimized packets
results in the same security implications when the Home Address
option is used in such packets. For example, the Encrypted Home
Address option may be used by attackers to launch reflection attacks,
e.g., by indicating the IP address of a victim node in the Encrypted
Home Address option. Similar to the processing rule for the Home
Address option specified in RFC 3775, this document restricts the use
of the Encrypted Home Address option: it can be used only if there is
an established Binding Cache entry containing the encrypted (pseudo)
home address.
Qiu, et al. Experimental [Page 38]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
With the proposed location privacy solutions, the Encrypted Home
Address routing header is used to carry the encrypted (pseudo) home
address. The same threats specified in RFC 3775 for the Type 2
routing header are also possible when the routing header carries the
encrypted (pseudo) home address. Similar processing rules are also
used in this document to address such a threat: if the encrypted
(pseudo) home address in the Encrypted Home Address routing header
does not match with that stored in the Binding Update List entry, the
packet will be dropped.
9. Related Work
Our work benefits from previous work and discussion on this topic.
Similar to the concept of the pseudo home address, many documents
have proposed using a temporary identity to replace the mobile node's
home address in the IPsec security association, Mobile IPv6 signaling
messages, and data packets. However, the details of how to generate
and update this identity are absent. In the following, we provide a
survey of related work.
RFC 4941 [10] specifies a mechanism to generate randomized interface
identifiers, which can be used to update the care-of address and the
home address. However, with our solution, the prefix of a pseudo
home address can be different from that of the real home address and
other pseudo home addresses, which prevents eavesdroppers from
correlating and analyzing IP traffic based on a common prefix.
Furthermore, we also discuss the interval of IP address update in the
mobility scenario in order to resist the profiling attack both
effectively and efficiently.
In [16], the authors propose using a temporary identity, called the
Temporary Mobile Identifier (TMI), to replace the home address, and
discussed the feasibility of utilizing the Crypto-Based Identifier
(CBID), Cryptographically Generated Addresses (CGA), or Mobility
Anchor Point (MAP) to further protect location privacy. However, as
a 128-bit random number, the TMI is not routable; therefore, it is
not suitable to be the source IP address in the Home Test Init
message forwarded by the home agent to the correspondent node.
Otherwise, the home agent cannot receive the Home Test message from
the correspondent node. Furthermore, the document does not specify
how to update the TMI to address the profiling attack.
In [14], the authors propose a mechanism that uses an identity as the
home address and periodically updates such an identity by using a key
and a previous identity as inputs to a cryptography algorithm.
Qiu, et al. Experimental [Page 39]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
In [15], the authors propose to update the mobile node's home address
periodically to hide its movement. The new home address is generated
from the current local network prefix, the Binding Update session
key, and the previous home address, and updated every time when the
return routability procedure is performed. The generated home
address is random, routable, recognizable, and recoverable.
In [18], the authors propose a mechanism to achieve both route
optimization and location privacy at the same time. This is done by
discovering a tunneling agent near the correspondent node and
bidirectionally tunneling data traffic between the mobile node and
the tunneling agent.
10. IANA Considerations
This document creates a new registry "Pseudo Home Address
Acknowledgement Status Codes" for the Status field in the Pseudo Home
Address Acknowledgement mobility option. The current values are
described in Section 7.4 and are the following:
0 Success
128 Failure, reason unspecified
129 Administratively prohibited
130 Incorrect pseudo home address
131 Invalid pseudo home address
132 Dynamic pseudo home address assignment not available
11. Conclusion
In this document, we have proposed solutions to address location
privacy issues in the context of mobility. The main idea is to hide
the binding between the home address and the care-of address from
eavesdroppers and the correspondent node. We have described two
methods. The first method extends the return routability to hide the
real home address in Binding Update and data packets. This method
uses the real home address in return routability signaling, and does
not require any changes to the home agent. The second method uses
pseudo home addresses starting from return routability signaling, and
requires some extensions to the home agent operation. This method
protects revealing the real home address on the HA-CN path. The two
methods provide a means to hide the real home address from
eavesdroppers, and the second method can also hide it from the
correspondents.
Qiu, et al. Experimental [Page 40]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
The solutions we have proposed are for the basic Mobile IPv6 protocol
as specified in RFC 3775. Recently, many extensions to Mobile IPv6
have been proposed, such as the NEMO Basic Support protocol [19],
Dual Stack Mobile IPv6 Support [20], Multiple Care-of Addresses
Registration [21], Binding Revocation [22], Generic Signaling Message
[23]. It is expected that the proposed location privacy solutions
can be applied with some modifications, if needed, to address
location privacy issues when these extensions are used. One of our
future works is to clarify related issues, if any, when the location
privacy solutions are used with new Mobile IPv6 extensions.
12. Acknowledgements
The authors would like to thank the co-authors of previous documents
from which this document is derived: Vijay Devarapalli, Hannu Flinck,
Charlie Perkins, Feng Bao, Robert Deng, James Kempf, and Jianying
Zhou. In addition, sincere appreciation is also extended to Claude
Castelluccia, Francis Dupont, Gabriel Montenegro, Greg Daley, Kilian
Weniger, Takashi Aramaki, Wassim Haddad, Heejin Jang, and Michael
Welzl for their valuable contributions, review, and discussion. Work
by Fan Zhao was done while he was at University of California, Davis
and Marvell Semiconductor, Inc.
13. References
13.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
[3] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
[4] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[5] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", RFC 2460, December 1998.
[6] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
IPv6", RFC 3775, June 2004.
[7] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to
Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
Agents", RFC 3776, June 2004.
Qiu, et al. Experimental [Page 41]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
[8] Devarapalli, V. and F. Dupont, "Mobile IPv6 Operation with
IKEv2 and the revised IPsec Architecture", RFC 4877,
April 2007.
[9] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006.
[10] Narten, T., Draves, R., and S. Krishnan, "Privacy Extensions
for Stateless Address Autoconfiguration in IPv6", RFC 4941,
September 2007.
[11] Koodli, R., "IP Address Location Privacy and Mobile IPv6:
Problem Statement", RFC 4882, March 2007.
[12] Fenner, B., "Experimental Values in IPv4, IPv6, ICMPv4, ICMPv6,
UDP, and TCP Headers", RFC 4727, November 2006.
[13] Devarapalli, V., "Mobile IPv6 Experimental Messages", RFC 5096,
December 2007.
13.2. Informative References
[14] Bao, F., Deng, R., Kempf, J., Qiu, Y., and J. Zhou, "Protocol
for Protecting Movement of Mobile Nodes in Mobile IPv6", Work
in Progress, March 2005.
[15] Bao, F., Deng, R., Kempf, J., Qiu, Y., and J. Zhou, "Protocol
for Hiding Movement of Mobile Nodes in Mobile IPv6", Work
in Progress, March 2005.
[16] Castelluccia, C., Dupont, F., and G. Montenegro, "A Simple
Privacy Extension for Mobile IPv6", Work in Progress,
July 2006.
[17] Daley, G., "Location Privacy and Mobile IPv6", Work
in Progress, January 2004.
[18] Weniger, K. and T. Aramaki, "Route Optimization and Location
Privacy using Tunneling Agents (ROTA)", Work in Progress,
October 2005.
[19] Devarapalli, V., Wakikawa, R., Petrescu, A., and P. Thubert,
"Network Mobility (NEMO) Basic Support Protocol", RFC 3963,
January 2005.
[20] Soliman, H., "Mobile IPv6 Support for Dual Stack Hosts and
Routers", RFC 5555, June 2009.
Qiu, et al. Experimental [Page 42]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
[21] Wakikawa, R., Devarapalli, V., Tsirtsis, G., Ernst, T., and K.
Nagami, "Multiple Care-of Addresses Registration", RFC 5648,
October 2009.
[22] Muhanna, A., Khalil, M., Gundavelli, S., Chowdhury, K., and P.
Yegani, "Binding Revocation for IPv6 Mobility", Work
in Progress, October 2009.
[23] Haley, B. and S. Gundavelli, "Mobile IPv6 Generic Signaling
Message", Work in Progress, August 2008.
Qiu, et al. Experimental [Page 43]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Appendix A. Profiling Attack: Discussion
Profiling attacks pose a significant threat to user privacy. By
collecting and analyzing (either online or offline) IP traffic,
attackers can obtain sensitive user information. In the context of
mobility, although the profiling attack does not directly lead to
compromise of location privacy in the way the disclosure of the
binding between the home address and the care-of address does,
attackers can infer the mobile node's roaming and track its movement
(i.e., handover) by profiling the mobile node's communication based
on certain fields in IP packets, such as a constant IPsec SPI used
during the home registration. The more information collected, the
higher probability location privacy is compromised, which in return
results in more targeted profiling.
We have taken the profiling problem into consideration when designing
the solution to IP address location privacy; however, not all aspects
of profiling attacks are addressed since the profiling problem spans
multiple protocol layers. In the following, we provide a broad
discussion on the profiling attack and protection mechanisms. Our
discussion is organized based on how profiling attacks can be
performed. Note that the following sections are not sorted based on
any criteria or may not exhaustively list all the possible attack
means (for example, profiling attacks based on upper-layer payloads
in data packets are not discussed).
A.1. The Care-of Address
Eavesdroppers on the MN-HA path and/or the MN-CN path can profile the
mobile node's communication by collecting packets with the same
care-of address. It is recommended that the mobile node periodically
updates its care-of address by using DHCPv6 or IPv6 address privacy
extension, even if it does not change its current attachment point.
Furthermore, it is even better to change the network prefix of the
care-of address periodically, since eavesdroppers may profile IP
packets based on the common network prefix.
Since the binding update procedure needs to be performed once the
care-of address is changed, in order to reduce signaling overheads,
the mobile node may choose to change its care-of address when the
Binding Cache entry at the home agent or the correspondent node is
about to expire.
A.2. Profiling on the Encrypted Home Address
Generated from either a real or pseudo home address, the encrypted
home address can be dynamically updated, because a new key is
generated when a new round of the return routability procedure is
Qiu, et al. Experimental [Page 44]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
performed, which makes the encrypted home address look different in
subsequent Binding Update and Acknowledgement messages.
Nevertheless, the same encrypted home address is used in payload
packets forwarded via the optimized route before the next round of
the return routability procedure. Given the cost and overhead of
updating the encrypted home address, the proposed location privacy
solutions still provide a reasonable level of protection against such
profiling attacks.
A.3. The IPsec SPI
Eavesdroppers on the MN-HA path can profile the mobile node's
communication based on the SPI of an IPsec security association that
is for protecting the home Binding Update and Acknowledgement message
or for protecting bidirectional-tunneled payload packets.
To resist this kind of profiling attack, the IPsec SPI needs to be
periodically updated. One way is that the mobile node and the home
agent rekey the IPsec security association or perform re-
authentication periodically. This may result in more signaling
overhead. Another way is that the mobile node or the home agent
generates a new SPI and then notifies each other by exchanging the
Binding Update and Acknowledgement messages protected by an existing
IPsec security association with a non-null encryption algorithm. In
this way, the information of the new SPI is hidden from
eavesdroppers. The new SPI MUST not conflict with other existing
SPIs; and if the conflict is detected on one end point, another SPI
MUST be generated and be synchronized with the other end point. The
new SPI is applied to the next packet that needs to be protected by
this IPsec security association. This solution requires close
interaction between Mobile IP and IPsec. For example, when the home
agent receives a new SPI suggested by the mobile node, it needs to
change the corresponding Security Association Database (SAD) entry.
A.4. The IPsec Sequence Number
The IPsec sequence number is required to be larger than that in the
previous valid IPsec packet if the anti-replay service is enabled.
However, if the increment of the IPsec sequence number is fixed (for
example, the IPsec sequence number is sequentially increased), it is
possible for eavesdroppers to identify a sequence of IPsec packets
that are from/to the same mobile node and to track the mobile node's
activities. One possible solution is to randomize the increment of
the IPsec sequence number on both end points (i.e., the mobile node
and the home agent) of the IPsec security association. The algorithm
to generate randomness is implementation specific. It can be, for
example, any random number generator, and independently chosen by
each end point.
Qiu, et al. Experimental [Page 45]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
A.5. The Regular Interval of Signaling Messages
As described in RFC 3775, certain signaling messages may be exchanged
on a regular basis. For example, the correspondent registration
needs to be performed every MAX_RR_BINDING_LIFETIME seconds and the
home binding update procedure needs to be performed regularly, if the
lifetime of the home Binding Cache entry is fixed. Such timing
allows eavesdroppers to perform traffic analyses and correlate
different messages. Due to background traffic and routing dynamics,
the timing of messages observed by an eavesdropper at a certain
vantage point may be irregular. Nevertheless, a better solution is
to randomize the lifetime of the Binding Cache entry in the home
agent and the correspondent node.
A.6. The Sequence Number in the Binding Update Message
RFC 3775 requires that the sequence number in the Binding Update
message be larger than that in the previous valid Binding Update
message for a particular mobile node. However, if the increment of
the sequence number in the home or correspondent Binding Update
message is fixed (for example, the sequence number is sequentially
increased), it is possible for eavesdroppers on the MN-HA or MN-CN
path to identify a sequence of Binding Update messages that are from
the same mobile node and to track the mobile node's movement. One
possible solution is that the mobile node randomizes the increment of
the sequence number used in subsequent Binding Update messages. The
algorithm to generate randomness is implementation specific. It can
be, for example, any random number generator. Note that such an
algorithm is not needed when the sequence number is encrypted, for
example, when the home Binding Update message is protected by an
IPsec tunnel mode security association.
A.7. Multiple Concurrent Sessions
It is possible for (colluded) eavesdroppers to correlate the mobile
node's different sessions with the same or different correspondent
nodes, for example, based on the same pseudo home address and/or the
same care-of address. A possible solution is to use different pseudo
home addresses and different care-of addresses in different sessions.
Note that the mobile node may also use the same pseudo home address
with different correspondent nodes, if the pseudo home address is
masked by different privacy management keys generated during the
return routability procedure with different correspondent nodes. In
this way, the encrypted pseudo home addresses used with different
correspondent nodes look different to eavesdroppers.
Qiu, et al. Experimental [Page 46]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
A.8. Summary
As discussed above, there exist multiple means for eavesdroppers to
correlate observed activities. For example, some IP fields, which
contain certain constant values and remain unchanged for a long time,
allow eavesdroppers to identify and link the mobile node's activities
deterministically. Other means may be less reliable when used for
traffic analysis and correlation; nevertheless, they provide
additional hints to malicious attackers.
The solution to the profiling attack is to update certain IP fields
periodically. Generally, the more frequently, the higher the
probability that the profiling attack is resisted and also the higher
the cost in terms of communication and processing overheads and
complexity. As eavesdroppers can profile activities based on
multiple fields, it may not be cost-effective to update some fields
more frequently than others. Furthermore, it may reduce some
overheads, if all the related IP fields are updated together with the
same frequency.
The profiling attack is a complicated issue. A complete solution
would have to consider tradeoffs of many different factors, such as
complexity, effectiveness, and efficiency.
Qiu, et al. Experimental [Page 47]
^L
RFC 5726 MIP6 Location Privacy Solutions February 2010
Authors' Addresses
Ying Qiu
Institute for Infocomm Research, Singapore
1 Fusionopolis Way
#21-01 Connexis (South Tower)
Singapore 138632
Phone: +65-6408 2053
EMail: qiuying@i2r.a-star.edu.sg
Fan Zhao (editor)
Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
US
EMail: fanzhao@google.com
Rajeev Koodli
Cisco Systems
EMail: rkoodli@cisco.com
Qiu, et al. Experimental [Page 48]
^L
|
