Trusted Node-Based Algorithm to Secure Home Agent NATed IPv4 Network from IPv6 Routing Header Attacks

Providing secure mobile communication in mixed IPv4/IPv6 networks is a challenging task. One of the most critical vulnerabilities associated with the IPv6 protocol is the routing header, which may be exploited by attackers to bypass security. This paper discusses an algorithm to secure the home agent network from the routing header vulnerability, where the home agent network uses an IPv4 Network Address Translation (NAT) router. The algorithm also takes multi-hop destinations in the routing header into account. Verification was done by implementing the algorithm in the Home Agent module of a testbed network. The experimental results show that the proposed algorithm provides secure communication between Correspondent Nodes and Mobile Nodes that have moved into the NATed network without causing a significant filtering delay.


Introduction
Due to the direct incompatibility between IPv4 and IPv6, the security concern in mixed IP networks is considered to be one of the most critical issues in mobile Internet Protocol (MIP) networks [1].
Tunneling techniques are used to support mobility in mixed IP networks. The encapsulation of IPv6 packets into IPv4 packets may introduce new security vulnerabilities, because the security devices of the home agent network may not be able to perform deep traffic inspection on the IPv6 header that contains the routing header (RH). The RH has two types: RH type 0 (RH0) and type 2 (RH2).
IPv4 and IPv6 will coexist for a long period of time [2]. During this period, the movement of mobile nodes (MNs) among networks configured with different IP protocols is unavoidable [3], [4]. Therefore, mobility support in mixed IPv4 and IPv6 networks has gained vital importance.
Many researchers have shown interest in proposing new mechanisms to address the security issues of IPv4 and IPv6 coexistence with mobility support. Several studies have investigated security concerns and implications of MIP, such as [5]-[7]. Moreover, the authors in [8] discuss security issues of IPv4 and IPv6 and also analyze the different security threats that may emerge from the implementation of various transition mechanisms. Vulnerabilities can arise from exploitation of the IPv6 RH feature, which has been demonstrated and analyzed in many recent studies [9]. All nodes that support IPv6 must be able to process IPv6 RHs. At the same time, this can be used by attackers to bypass network security by evading access control lists on destination addresses. For this reason, the firewall policy must block the forwarding of packets with type 0 RHs (RH0) and permit the other RH type (RH2) to pass through. Blocking all IPv6 packets containing RHs is, however, not a worthwhile solution, as it could have serious implications for the future development of IPv6. Currently, most firewall policies block all packets containing RH0, and the default firewall configuration prevents the forwarding of IPv6 traffic with RH0.
The RH functionality originally provided by IPv6 can be used to list one or more intermediate nodes to be visited on the way to a packet's destination. At the same time, it can be exploited by attackers to bypass the traffic filtering mechanism and generate a Denial of Service (DoS) attack [10], [11].
An attacker can exploit the RH to generate malicious packets by specifying a victim node's IP address in the RH. Such packets will be routed through a publicly accessible IP address (e.g., a network server) and some intermediate nodes before finally being delivered to the victim host. The malicious packets will certainly be subjected to a checking process at the server of the target network, which forwards them based on the IP addresses specified in the RH. Thus, the malicious packets reach the victim host without breaking any security policy, as shown in Figure 1. Therefore, all packets that are received by and passed through the HA must be subjected to an inspection process.

TELKOMNIKA, ISSN: 1693-6930, Vol. 12, No. 4, December 2014: 969-976

Research Method
When a MN moves to a different IP network, tunneling connectivity to the HA is established using an IP encapsulation mechanism. The encapsulated packet has the form IPv4-UDP-IPv6. The first receiver node forwards the packet towards the final destination based on the inner IPv6 header; the packet is then decapsulated and forwarded to the next nodes according to the list of IP addresses carried in the RH. All received packets in encapsulated format are subject to a filtration process to protect the Home Network (HN) from possible spoofing attacks. The purpose of checking the RH is to determine whether the RH type is 0 or 2 and whether the IPv6 addresses included in an RH2 are valid.

Table 1 shows the hardware specifications and the configuration settings of the experiment. Five scenarios are used in the experiments, as follows.

Scenario 1: multiple CNs send IPv6 packets containing 50% normal packets and 50% suspicious packets. Ten runs are conducted for each RH type, starting with 500 packets and increasing in increments of 500 packets up to 5000 packets. According to [12], the majority of observations, at least 60% of the population, should be normal packets. Hence, in this paper 70% normal packets (i.e., packets without RH0) and 30% malicious packets (packets that include RH0) are considered representative of the majority of the packets. The packets that include RH0 are distributed as follows: (1) 20% of the packets have IP destination addresses that match the authorized list, and (2) 10% of the packets have unmatched IP destination addresses in the RH (i.e., suspicious packets). The unmatched packets are divided into 7% malicious packets and 3% normal packets.
Experiments are conducted for this scenario, and the results are subsequently used to calculate the accuracy of the proposed algorithm in preventing the RH0 vulnerability at the HA using Equation (1) and Equation (2).
* 100% (1) * 100%
In this paper, a false positive is defined as the situation in which an actual normal packet is detected as an attack. False positives occur because the proposed algorithm rejects all suspicious packets (i.e., malicious and normal packets) carrying unmatched IPv6 routing header addresses.

Scenario 3: Five CNs are emulated to send IPv6 packets to HA clients through the NAT and the proposed algorithm module in the HA. The CNs are divided into three sets. The first set has two nodes that generate and send suspicious packets with RH2 (containing an unregistered IPv6 destination address). The second set contains two nodes that generate and send packets without RH2. The last set is an authorized CN that generates packets containing RH2 with a valid IPv6 destination address. The packets sent by the authorized CN carry only one RH destination IP address per packet. The IP addresses embedded in the RH2 must match the home address of the MN already stored in the IPv6CoA_cache. The total number of packets is 5000.

Scenario 4: Same as Scenario 1, but with the ratio of normal packets to malicious packets set to 40% to 60%.

Scenario 5: Same as Scenario 1, but with the ratio of normal packets to malicious packets set to 60% to 40%.
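The HA filtering rule described above, written out as an added example that is not the paper's own implementation: the routine parses the IPv6 Routing extension header from the decapsulated inner packet, drops RH0, and accepts RH2 only when every listed address is a registered MN home address. A plain Python set stands in for the paper's IPv6CoA_cache, and the sample headers and addresses are constructed here.

```python
import struct
from ipaddress import IPv6Address

RH0, RH2 = 0, 2      # routing header types discussed in the paper
NO_NEXT_HEADER = 59  # IPv6 "no next header", used only in the constructed samples

def parse_routing_header(ext: bytes):
    """Parse an IPv6 Routing extension header (RFC 2460 / RFC 6275 layout):
    Next Header, Hdr Ext Len (8-octet units, excluding the first 8 octets),
    Routing Type, Segments Left, 4 reserved octets, then 16-byte addresses.
    Returns (routing_type, segments_left, [IPv6Address, ...])."""
    if len(ext) < 8:
        raise ValueError("truncated routing header")
    _next, ext_len, rtype, seg_left = struct.unpack("!BBBB", ext[:4])
    total = (ext_len + 1) * 8
    if len(ext) < total or (total - 8) % 16:
        raise ValueError("routing header length inconsistent with address list")
    addrs = [IPv6Address(ext[8 + 16 * i:24 + 16 * i]) for i in range((total - 8) // 16)]
    return rtype, seg_left, addrs

def filter_routing_header(ext: bytes, registered: set) -> tuple:
    """HA policy as described in the paper: drop RH0 outright; accept RH2 only if
    every listed address is a registered MN home address (a plain set stands in
    for the paper's IPv6CoA_cache). The loop stops at the first unmatched address,
    which is why the paper observes that unmatched packets filter faster."""
    try:
        rtype, seg_left, addrs = parse_routing_header(ext)
    except ValueError as err:
        return "drop", str(err)
    if rtype == RH0:
        return "drop", "RH0 is not permitted"
    if rtype != RH2:
        return "drop", f"unsupported routing type {rtype}"
    if seg_left > len(addrs):
        return "drop", "segments left exceeds address count"
    for hop in addrs:
        if hop not in registered:
            return "drop", f"unregistered address {hop}"
    return "accept", f"{len(addrs)} registered hop(s)"

def build_routing_header(rtype: int, addrs: list) -> bytes:
    """Constructed sample header. Multi-hop RH2 mirrors the paper's extended
    algorithm; a standard RH2 (RFC 6275) carries a single home address."""
    body = b"".join(IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBB", NO_NEXT_HEADER, len(body) // 8, rtype, len(addrs)) + bytes(4) + body

# Constructed cache of registered MN home addresses (RFC 3849 documentation prefix)
REGISTERED = {IPv6Address("2001:db8:1::10"), IPv6Address("2001:db8:1::11")}
```

Calling `filter_routing_header(build_routing_header(RH2, ["2001:db8:1::10", "2001:db8:bad::1"]), REGISTERED)` returns a drop decision at the second hop, while the same header with both addresses registered is accepted.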

Results and Analysis
Two aspects of performance are considered in the experiments: the packet filtering process time and the accuracy in detecting malicious packets.

Filtration Time
Figure 4 displays the time required to filter the same number of packets while the packet size increases with the number of addresses in the IPv6 RH0. The figure leads to the conclusion that as the number of IPv6 RH addresses increases, the time required for the filtration process also increases. It is worth noting that the developed algorithm requires more time to filter matched packets than unmatched packets. The reason is that the filtration process for matched packets continues until the last RH IP address, whereas for unmatched packets the filtering process stops as soon as one of the IP addresses does not match the IP addresses in the dataset. Hence, the algorithm performs better in terms of the time required for filtering unmatched packets. Figure 5 shows the filtration processing time on RH2 packets with and without multi-hop IP addresses, and also without any security policy in the HA. The proposed algorithm affects network performance in terms of filtering delay: the filtration time for a packet containing a multi-hop RH2 is higher than for a non-multi-hop packet.

Accuracy
In Figure 6, the red plot represents the case where the number of malicious packets is greater than the number of normal packets; in this case the number of malicious packets is a multiple of the number of normal packets. The blue line represents the case where the number of normal packets is greater than the number of malicious packets. Based on this figure, it is clear that the accuracy of the proposed algorithm is better when the number of malicious packets is greater than the number of normal packets. The better accuracy results mainly from the decrease in the false positive rate.
The extended algorithm has high accuracy in protecting the home network and handles suspicious packets containing multi-hop RH IP addresses. Compared to the algorithm without multi-hop handling, the multi-hop algorithm has an accuracy of 97%, a difference of 2%. Figure 7 shows the accuracy of the proposed algorithm with and without multi-hop address handling. The t-test results in Table 2 show that the proposed algorithm has a significant effect on the effectiveness of packet filtration. There is clearly a significant difference in the mean between trial one and trial two. The t-test result also indicates high significance for the developed algorithm (sig = 0.000 < 0.01), i.e. the confidence is greater than 95% [13].

Conclusion
An algorithm for securing the home agent network in a mixed mobile IPv4/IPv6 network from the IPv6 routing header vulnerability has been proposed. The proposed algorithm is incorporated into the Home Agent of a NATed IPv4 network. Testbed experimental results show that the proposed algorithm accurately filters malicious packets coming into the NATed IPv4 network without a significant delay in the filtering process.
This paper focuses only on routing header type 0 and type 2. In future, other vulnerabilities in mixed IP networks will be considered with the intention of providing a seamless and secure handover process.

Figure 1. Scenario on Routing Header Attacks

Figure 3. Testbed Topology for the Experiment

TELKOMNIKA, ISSN: 1693-6930. Trusted Node Based Algorithm to Secure Home Agent NATed IPv4 .... (Mohamed Shenify)
Scenario 2: Five CNs are emulated to craft and simultaneously send 5000 IPv6 packets to the HA. Three CNs send IPv6 packets containing RH0, while the rest send packets without RH0.

Figure 5. Average Packet Filtering Time on RH2

Figure 6. Accuracy of the Proposed Algorithm on RH0 Based on 31 Observations

Figure 7. Accuracy of the Proposed Algorithm on RH2 Packets

Table 1. Hardware Specifications and Configuration Settings

Table 2. t-Test for Results Significance