SPECIAL ISSUE PAPER
ALPP: anonymous and location privacy preserving scheme for mobile IPv6 heterogeneous networks†
Sanaa Taha¹,² and Xuemin (Sherman) Shen¹*
¹ Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Canada
² Faculty of Computers and Information, Cairo University, Cairo, Egypt
ABSTRACT
The integration of mobile IPv6 heterogeneous networks enhances networking performance; however, it also breaks the mobile node's anonymity and location privacy. In this paper, we propose an anonymous and location privacy preserving (ALPP) scheme that consists of two complementary subschemes: anonymous home binding update and anonymous return routability. In addition, anonymous mutual authentication and key establishment schemes have been proposed to work in conjunction with ALPP to authenticate a mobile node to its foreign gateway and create a shared key between them. ALPP adds anonymity and location privacy services to mobile IPv6 signaling to achieve privacy for mobile senders and receivers. Unlike existing schemes, ALPP alleviates the trade-off between the networking performance and the achieved privacy level. Combining onion routing and an anonymizer in the ALPP scheme increases the achieved location privacy level, so that no entity in the network except the mobile node itself can identify this node's location. Using an entropy model, we show that ALPP achieves a higher degree of anonymity than the mix-based scheme. The anonymous home binding update and anonymous return routability subschemes require less computation overhead and thwart both internal and external adversaries. Simulation results demonstrate that our schemes have low control packet routing delays and are suitable for seamless handover. Copyright © 2012 John Wiley & Sons, Ltd.
KEYWORDS
anonymity; location privacy; mobile IPv6 security; heterogeneous networking privacy; next-generation networks
*Correspondence
Xuemin (Sherman) Shen, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada.
E-mail: xshen@bbcr.uwaterloo.ca
†Part of this paper is published in the 2011 IEEE Global Communication Conference [1].
1. INTRODUCTION
The revolution of next-generation networks enables mobile nodes (MNs) that are equipped with multiple network interfaces to perform seamless handovers across heterogeneous networks [2,3]. A seamless handover [4,5] is a vertical handover process in which an MN roams among different types of networks, such as cellular networks and Wireless Local Area Networks (WLANs), without interrupting the node's active Internet protocol (IP) session. With this time-restricted handover process, both the MN and the service provider gain benefits, including low cost, wide coverage, and high bandwidth. Therefore, many applications, such as infotainment and video-stream downloading, use seamless handovers to increase networking performance.
Different network layers, including the data link, IP, and transport layers, engage in this seamless handover process. However, the integration of these heterogeneous networks is mainly accomplished in the IP layer. Mobile IP is the best-known mobility management protocol and is responsible for managing users' mobility across heterogeneous networks. Therefore, because they all share the use of mobile IP, these heterogeneous networks are also called “all-IP” networks [6]. We consider the mobile IPv6 protocol [7] because, unlike the mobile IPv4 protocol, it introduces the route optimization procedure. This procedure contributes to decreasing network routing delays and hence permits mobile IPv6 to achieve a seamless handover process for roaming MNs.
Previous studies have attempted to secure mobile IPv6 networks by focusing on the authentication and integrity problems [8–11]. Moreover, much research work has been done on anonymity and location privacy problems [1,12,13]. The anonymity of a network is the ability to hide a specific item among a group of similar items. Location privacy is the ability to prevent tracking of user mobility by any kind of geolocation scheme. As mentioned in [14] and [15], location privacy threats vary from a simple interfering personal activities,
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2013; 6:401–419
Published online 9 October 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.625