ERCIM News No.49, April 2002


Mobile IP Security in Foreign Networks

by Sami Lehtonen

Mobile IP itself doesn't offer security features such as access restrictions in foreign networks. In the project WLANSecu, started in 2000, a group of scientists at VTT (Kimmo Ahola, Sami Lehtonen and Sami Pönkänen) researched the security of mobile users visiting foreign networks.

The aim of the project was to design and implement additional security features for a standard Mobile IP environment. The main prerequisite was to leave the Mobile Node (MN) and Home Agent (HA) unmodified. When the MN communicates with nodes in the same foreign network, the traffic is routed unnecessarily through the public Internet; this was a major problem that had to be solved. Another significant objective was to provide a mechanism for the mobile user and the users in the foreign network to dynamically allow and deny connections between each other.

Normally, when optimizing routes, the MN requests the HA to send a Binding Update to all CNs. In this project the triangular routing between the Home Agent (HA), the Correspondent Node (CN) and the MN (via the Foreign Agent, FA) was solved with a Binding Update message sent to the particular CN by the FA. Only the nodes located in the foreign network were altered, thus leaving the MN and the HA unmodified.

An additional application, which we call Mobile Firewall Daemon (MFWD), was designed to provide the dynamic connection control. The FA notifies the MFWD whenever an MN arrives in its network. All traffic to and from the MN goes through the MFWD. The MFWD then listens on its web user interface for requests from local and mobile users to change the firewall rules.
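As an added illustration (not code from the WLANSecu project), a small Python model of the MFWD's rule state: the FA announces arrivals and departures, either endpoint of a connection asks for allow or deny through the web UI, and the filter defaults to deny. The policy that a deny from either side overrides an allow, the rule that a user may only vote on its own connections, and the addresses used are assumptions.

```python
from ipaddress import ip_address


class MobileFirewallDaemon:
    """Constructed model of the MFWD rule state; not the VTT implementation."""

    def __init__(self):
        self.registered = set()   # home addresses of MNs the FA has announced
        self.decisions = {}       # (mn, peer) -> {requester: "allow" | "deny"}

    def mn_arrived(self, mn):
        """FA notification: a Mobile Node registered; it starts with no connectivity."""
        self.registered.add(ip_address(mn))

    def mn_left(self, mn):
        """FA notification: the MN deregistered. Drop its rules so a later visitor
        with the same home address does not inherit them (assumed behaviour)."""
        mn = ip_address(mn)
        self.registered.discard(mn)
        self.decisions = {k: v for k, v in self.decisions.items() if k[0] != mn}

    def _key(self, a, b):
        """Normalise a pair to (registered MN, peer); None if no MN is involved."""
        a, b = ip_address(a), ip_address(b)
        if a in self.registered:
            return (a, b)
        if b in self.registered:
            return (b, a)
        return None

    def request(self, requester, peer, action):
        """Web-UI request by a local or mobile user to change the rule for the
        connection between itself and peer. Each endpoint holds its own vote
        (assumption: a user cannot speak for another host)."""
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        key = self._key(requester, peer)
        if key is None:
            raise LookupError("neither endpoint is a registered mobile node")
        self.decisions.setdefault(key, {})[ip_address(requester)] = action

    def permits(self, src, dst):
        """Filter decision for a packet relayed through the MFWD. Default deny:
        traffic flows only if an endpoint allowed it and neither denied it
        (assumed policy: a deny from either side wins)."""
        key = self._key(src, dst)
        if key is None:
            return False          # only registered MNs' traffic is relayed
        votes = self.decisions.get(key, {}).values()
        return "allow" in votes and "deny" not in votes
```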

These mechanisms were implemented on Linux-based systems with the intent of creating a 'proof-of-concept' trial network. The operation of this trial network has been demonstrated numerous times since its initial setup.

The success of the trial network setup showed that the project achieved reasonable results. However, many improvement ideas have arisen, and we are planning to take this concept through another iteration round. A major enhancement would be to implement the MFWD in an Active Network environment, which would make it possible to offer more flexible traffic control and supporting services.

Please contact:
Sami Lehtonen, VTT
Tel: +358 9 456 7240