Credit-Based Authorization for Concurrent IP-Address Tests
Author: C. Vogt
Source: June 2005
Route optimization enables mobile nodes to communicate with one another directly. This is an important efficiency benefit of modern mobility protocols such as Mobile IPv6 or the Host Identity Protocol. However, route optimization designed without care can introduce a new type of amplified flooding attack: an attacker may misuse the protocol to trick its peer into redirecting a flow of packets to a false IP address, namely a victim's. A precautionary countermeasure used by various mobility protocols is to first determine whether the right node is present at a new IP address before any data packets are sent there. The test can be as simple as a ping carrying some unguessable piece of data that must be returned. Yet an unfortunate side effect of this common approach is that it increases handover latency by one round-trip time, which precludes interactive or real-time applications in many scenarios. This paper proposes a credit-based strategy that allows peers to continue communicating while a new IP address is being examined. The optimization is applied, by way of example, to Mobile IPv6 and the Host Identity Protocol, for which it reduces handover-signaling delays by 50%.
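As an added illustration (not code from the paper or from any Mobile IPv6/HIP implementation), the following model shows a correspondent node that runs the nonce-based address test and, while the test is still outstanding, keeps sending to the new address by spending credit earned from data it has already received; the credit rule, the addresses and the constant-time nonce comparison are this example's assumptions about the scheme.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CreditBasedSender:
    """Correspondent-side state for one mobile peer (constructed model, not the paper's code)."""
    verified_addr: str
    credit: int = 0                                   # bytes sendable to a still-unverified address
    pending: dict = field(default_factory=dict)       # unverified address -> outstanding test nonce

    def on_data_received(self, src: str, nbytes: int) -> None:
        # Credit is earned only by data that actually arrived from the verified address, so an
        # attacker can never make us send more to a victim address than it sent to us (assumed rule).
        if src == self.verified_addr:
            self.credit += nbytes

    def start_test(self, new_addr: str) -> str:
        # The address test: a ping carrying an unguessable value that must be echoed back.
        nonce = secrets.token_hex(8)
        self.pending[new_addr] = nonce
        return nonce

    def on_test_reply(self, addr: str, nonce: str) -> bool:
        # Constant-time comparison so a guessed reply leaks nothing through timing (assumption).
        expected = self.pending.get(addr)
        if expected is None or not secrets.compare_digest(expected, nonce):
            return False                              # stale, forged or guessed reply: ignore it
        del self.pending[addr]
        self.verified_addr = addr
        return True

    def may_send(self, dst: str, nbytes: int) -> bool:
        # Verified address: unlimited. Address under test: spend credit instead of waiting one RTT.
        if dst == self.verified_addr:
            return True
        if dst not in self.pending or nbytes > self.credit:
            return False                              # no test outstanding, or credit exhausted
        self.credit -= nbytes
        return True


def handover_trace() -> list:
    """Constructed handover: 1000 bytes arrive from the old address, then the peer moves."""
    cn = CreditBasedSender(verified_addr="2001:db8::1")
    cn.on_data_received("2001:db8::1", 1000)
    nonce = cn.start_test("2001:db8::2")
    return [cn.may_send("2001:db8::2", 600),            # True: spends 600 of 1000 credit
            cn.may_send("2001:db8::2", 600),            # False: only 400 credit left
            cn.on_test_reply("2001:db8::2", "bogus"),   # False: wrong nonce, still unverified
            cn.on_test_reply("2001:db8::2", nonce),     # True: address verified
            cn.may_send("2001:db8::2", 600)]            # True: verified, credit no longer needed
```

The second send is refused because the credit bound caps what an attacker could redirect at a victim to what it had itself delivered, while the first send goes out without waiting for the test to complete.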