General

Mobile Security Flaws Send
IPv6 Back to the Drawing Board—continued

What is to be done?

One possibility is the use of Purpose Built Keys (PBK), which use temporary public/private key pairs to verify that a mobile device is the same one that started a communication session. A new key pair is generated for each new session then discarded when no longer needed. Since they are used only for a particular communication, there is no need to register the key pairs with a third party.

The advantage of PBK is that it puts far less demand on the processing power of the mobile device and, as a result, it's much faster.

The disadvantage to the PBK approach is that it's less secure than IPSec. Also, since PBKs only confirm the identity of the device and not the actual user, the security is no better than what is currently available with mobile IPv4. Using PBKs for Mobile IPv6 would do little to prevent "middle man" or "man-in-the-middle" attacks.

Fast v. secure
The question comes down to, what's more important in mobile communications—speed or security? Those who believe security is imperative say adopting a PBK solution over an IPSec solution would kill one of the primary benefits of MIPv6.

"As a security person, my preference is to implement security at all costs," said Schiller. "But I might compromise and say to move forward if the security is no worse than it is today." He cautioned, however, that moving forward without adequate security could be a major mistake.

Others say speed is the single most important element of any mobile communication. If it takes forever to download an email message, mobile communications will never be ready for prime time.

"Different users might have different views of this tradeoff—there is no answer that is true in all cases," commented Kent when asked if speed or security should be the main concern.

The European wireless community's plan to roll out their Third-Generation Partnership Project (3GPP) reportedly won't be affected by the current MIPv6 glitch. While 3GPP requires IPv6, it does not dictate MIPv6.

"3GPP has specified IPv6 for IP multimedia for release 5, but they use only their own security and also their own mobility, so Mobile IPv6 is not applicable to release 5," said Latif Ladid president of the IPv6 Forum.

The chief selling point of IPv6 for 3GPP is its large address space. With tens of thousands of mobile devices being put into use every day, it won't be long before the address limitations of IPv4 reach critical mass.

In an ideal world, MIPv6 would have both speed and security in its first release. But, that may not be possible if the protocol is to be released in a timely fashion.

Middle ground potential
One possibility is a compromise. "If it can be implemented without making it worse than it is today, then it could be approved within a month, they could also go forward without the binding update and attack that part later," suggested Schiller.

Kent agrees, saying, "The other parts of IPv6 are unaffected, so I would not delay the rest of IPv6 because of this problem. One can [implement] IPv6 mobility the way IPv4 does it, and suffer the extra hop, until this problem is fixed."

Mobile IPv6 has already been tested in a real-world environment. In late January of this year, Nokia ran a full-scale demonstration of the protocol at the Global IPv6 Forum in Madrid.

"The demonstration illustrates a major step towards providing future proof networks in different access environments and shows the functionality of Mobile IPv6 and it capability to support applications in the rapidly evolving mobile environment," said Asko Rasanen, head of the Nokia IPv6 program.

The issue will also get a full airing at the upcoming Global IPv6 Summit in Ottawa, Canada, May 14-16.

So, why wait? I say that the time is right to adopt both IPv6 and Mobile IPv6.

—End

< Back to page 1: Mobile Security Flaws