Securing Host-Based Mobility and Multi-Homing Protocols against On-Path Attackers

Host-based mobility and multi-homing protocols allow hosts to migrate ongoing transport sessions between networks or network interfaces. While such protocols can facilitate vertical mobility in a cost-efficient and access-agnostic manner, they are hard to secure when strong authentication between end points is not available. We present a balanced security solution which protects these protocols against redirection- and DoS attacks performed by on-path adversaries, while demanding only insignificant processing overhead on the end nodes. The solution is based on proof of session ownership using secret/answer chains as well as temporal separation and routability tests. It creates a level of protection that requires more (in some cases, significantly more) effort to break than conducting corresponding attacks through existing Internet signaling protocols. We discuss how this solution can strengthen the security of Multi-path TCP. We further show how it improves the security of route-optimized Mobile IPv6 while permitting operation without home agent.