Mobile IP (I)
Mobile IP adds mobility support to the Internet network
The Internet started at a time when no-one had a concept of mobile computers.
The Internet of today lacks mechanisms to support users travelling around the world. IP is the common base for thousands of applications and runs over dozens of different networks; this is the reason for supporting mobility at the IP layer.
- Routing is based on the IP destination address; the network prefix determines the physical subnet
- A change of physical subnet implies a change of IP address to keep a topologically correct address (standard IP), or needs special entries in the routing tables
Mobile IP (II)
Mobile IP (III)
Requirements for Mobile IP:
Transparency
- mobile end-systems keep their IP address
- continuation of communication after interruption of link possible
- point of connection to the fixed network can be changed
Compatibility
- support of the same layer 2 protocols as IP does
- no changes to current end-systems and routers required
- mobile end-systems can communicate with fixed systems
Mobile IP (IV)
Security
authentication of all registration messages
Real-life Solution
Take up the analogy of you moving from one
- leave a forwarding address with your old post office
- the old post office forwards mail to your new post office, which then delivers it to you
Mobile IP - Definition
Mobile IP (MIP) is a modification to IP that allows nodes to continue to receive datagrams no matter where they happen to be attached to the Internet.
Mobile IP (V)
Terminology: Mobile Node (MN): a system (node) that can change the point of connection to the network without changing its IP address.
Mobile IP (VI)
Mobile IP in detail
Combination of 3 separable mechanisms:
- discovering the care-of address
- registering the care-of address
- tunneling to the care-of address
Mobile IP in detail
MIPv4 (message sequence between MN, FA, HA and CN; figure reconstructed as a list):
1. CoA Discovery
-- CoA and HA Discovery --
2. HA Discovery Request
3. HA Discovery Reply
-- Registration Procedure --
4. HA Registration through FA
5. HA Registration Ack.
-- MN is Registered with HA --
-- CN starts communication with MN --
6. Data Packet
7. IP-in-IP Encapsulation
8. Tunneled Data
8a. Detunnelled Data
9. Binding Update
10. IP-in-IP tunneling
10a. Detunnelled Data
-- MN starts communication with CN --
Discovery and Registration as above
6a. Data Packet
Signals 6-10a as above

MIPv6 (message sequence between MN, FA, HA and CN; figure reconstructed as a list):
1. CoA Discovery
-- CoA and HA Discovery --
2. HA Discovery Request
3. HA Discovery Reply
-- Registration Procedure --
4. HA Registration BU
5. HA Registration BU Ack.
-- MN is Registered with HA --
-- CN starts communication with MN --
6. Data Packet
7. IP-in-IP Encapsulation
8. Tunneled Data
9. Binding Update
10. Binding Ack
-- MN starts communication with CN --
Discovery and Registration as above
6a. Data Packet
Signals 6-10 as above
Agent discovery:
- based on a standard protocol: router advertisements
- router advertisements are extended to carry available care-of addresses, called agent advertisements
- foreign agents (and home agents) send agent advertisements periodically
- a mobile host can choose not to wait for an advertisement and issue a solicitation message
Agent advertisements
- Foreign agents send advertisements to advertise available care-of addresses
- Home agents send advertisements to make themselves known
- Mobile hosts can issue agent solicitations to actively seek information
- If a mobile host has not heard from the foreign agent its current care-of address belongs to, it seeks another care-of address
Registration
- ... registers it with the home agent
- A registration request is first sent to the home agent (through the foreign agent)
- The home agent then approves the request and sends a registration reply back to the mobile host
- Security?
Registration Illustration
... communicate with the home agent, a home agent discovery message is used. The message is sent as a broadcast to the home agents in the home network.
Tunneling
- ... mobile host, it forwards packets to the care-of address
- How does it forward it? Encapsulation
- The default encapsulation mechanism that must be supported by all mobility agents using Mobile IP is IP-within-IP
- Using IP-within-IP, the home agent inserts a new IP header in front of the IP header of any datagram
Tunneling (contd.)
- Destination address set to the care-of address
- Source address set to the home agent's address
- After stripping out the first header, IP processes the packet again
Tunneling Illustration
Mobile IP (VII)
Example network (figure): the home network (physical home network for the MN) with router, HA and MN; the Internet; the foreign network with router and FA; CN as an end-system.
Mobile IP (VIII)
Data transfer to the mobile system
(figure: CN as sender, HA in the home network, FA and MN in the foreign network)
1. Sender sends to the IP address of MN, HA intercepts packet
2. HA tunnels packet to COA, here FA, by encapsulation
3. FA forwards the packet to the MN
Mobile IP (IX)
Data transfer from the mobile system
(figure: MN as sender in the foreign network, FA, HA, CN as receiver)
1. Sender sends to the IP address of the receiver as usual, FA works as default router
Mobile IP (XIII)
Optimization of packet forwarding: Triangular routing
- sender sends all packets via HA to MN
- higher latency and network load
Solutions: optimization
- HA informs a sender about the location of MN
- sender learns the current location of MN
- direct tunneling to this location
- big security problems!
Mobile IP (XIV)
Change of FA
- packets on-the-fly during the change can be lost
- new FA informs old FA to avoid packet loss, old FA forwards remaining packets to new FA
- this information also enables the old FA to release resources for the MN
Mobile IP (XV)
Mobile IP (XVI)
Reverse tunneling
(figure: MN as sender in the foreign network, FA, HA, CN as receiver)
1. MN sends to FA
2. FA tunnels packets to HA by encapsulation
3. HA forwards the packet to the receiver (standard case)
Mobile IP (XVII)
Mobile IP with reverse tunneling
- problems with firewalls: the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)
- optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)
- the extensions can be implemented easily and cooperate with current implementations without these extensions
- Agent Advertisements can carry requests for reverse tunneling
Mobile IP in detail
[modified from Ericsson Tech. Rep. 11/0362-FCB, Dec 2000]
Agent advertisement
ICMP router advertisement: type, code, checksum, #addresses, addr. size, lifetime, router address 1, preference level 1, router address 2, preference level 2, ...
Mobility agent advertisement extension (appended to the router advertisement):
- type = 16
- length = 6 + 4 * #COAs
- sequence number
- registration lifetime
- flags R B H F M G r T:
  R: registration required
  B: busy, no more registrations
  H: home agent
  F: foreign agent
  M: minimal encapsulation
  G: GRE encapsulation
  r: =0, ignored (former Van Jacobson compression)
  T: FA supports reverse tunneling
- reserved: =0, ignored
- COA 1, COA 2, ...
Registration
(figure: registration request MN -> FA -> HA and registration reply HA -> FA -> MN, or directly MN <-> HA)
Registration request flags:
- S: simultaneous bindings
- B: broadcast datagrams
- D: decapsulation by MN
- M: minimal encapsulation
- G: GRE encapsulation
- r: =0, ignored
- T: reverse tunneling requested
- x: =0, ignored
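The agent advertisement extension and the registration request flags above, as an added worked example in Python (this is not code from the slides or from any Mobile IP implementation): it encodes and decodes the type 16 extension with its length rule of 6 + 4 * #COAs, and derives the flag byte of a registration request from what the foreign agent advertised, refusing to ask for reverse tunneling or an encapsulation the FA did not offer. Bit positions follow the field order shown on the slides; the sample addresses and the helper names are constructed for the example.

```python
import ipaddress
import struct

# Mobility agent advertisement extension (type 16), fields in slide order:
# type | length = 6 + 4 * #COAs | sequence number | registration lifetime | flags R B H F M G r T | reserved | COAs
AGENT_ADV_EXT_TYPE = 16
ADV_FLAGS = {"R": 0x80, "B": 0x40, "H": 0x20, "F": 0x10,
             "M": 0x08, "G": 0x04, "r": 0x02, "T": 0x01}
# Registration request flag byte, bits in slide order: S B D M G r T x
REG_FLAGS = {"S": 0x80, "B": 0x40, "D": 0x20, "M": 0x10,
             "G": 0x08, "r": 0x04, "T": 0x02, "x": 0x01}


def build_agent_adv_ext(seq: int, lifetime: int, flags: str, coas: list) -> bytes:
    """Encode the extension; `flags` is a string of flag letters such as "FGT"."""
    flag_byte = 0
    for name in flags:
        flag_byte |= ADV_FLAGS[name]
    body = struct.pack("!HHBB", seq, lifetime, flag_byte, 0)          # reserved = 0
    body += b"".join(ipaddress.ip_address(c).packed for c in coas)
    return struct.pack("!BB", AGENT_ADV_EXT_TYPE, 6 + 4 * len(coas)) + body


def parse_agent_adv_ext(data: bytes) -> dict:
    """Decode the extension; a length that does not fit 6 + 4 * #COAs is rejected, as a receiver must."""
    if len(data) < 2 or data[0] != AGENT_ADV_EXT_TYPE:
        raise ValueError("not a mobility agent advertisement extension")
    length = data[1]
    if length < 6 or (length - 6) % 4 or len(data) < 2 + length:
        raise ValueError("length does not match 6 + 4 * #COAs")
    seq, lifetime, flag_byte, _reserved = struct.unpack("!HHBB", data[2:8])
    coas = [str(ipaddress.ip_address(data[i:i + 4])) for i in range(8, 2 + length, 4)]
    flags = {name: bool(flag_byte & bit) for name, bit in ADV_FLAGS.items()}
    return {"seq": seq, "lifetime": lifetime, "flags": flags, "coas": coas}


def registration_flags(adv: dict, lifetime: int, reverse_tunnel=False,
                       minimal_encap=False, gre=False) -> tuple:
    """Flag byte a mobile host may put into its registration request, given what the FA advertised.
    Returns (flag byte, lifetime actually requested)."""
    f = adv["flags"]
    if not f["F"]:
        raise RuntimeError("advertiser is not a foreign agent (F not set)")
    if f["B"]:
        raise RuntimeError("foreign agent is busy (B set): no more registrations")
    byte = 0
    for wanted, bit, what in ((reverse_tunnel, "T", "reverse tunneling"),
                              (minimal_encap, "M", "minimal encapsulation"),
                              (gre, "G", "GRE encapsulation")):
        if wanted:
            if not f[bit]:                 # same letter in both flag bytes
                raise RuntimeError("foreign agent does not support " + what)
            byte |= REG_FLAGS[bit]
    # the advertised registration lifetime bounds what the MN may ask for
    return byte, min(lifetime, adv["lifetime"])
```

The T request bit is only set when the advertisement carried T, which is what the page means by agent advertisements carrying requests for reverse tunneling; a busy agent (B) or a pure home agent advertisement (no F) cannot be registered through.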
Encapsulation
(figure: the original IP header and original data become the new data behind a new IP header, i.e. outer header | inner header | original data)
Encapsulation I
- e.g. IPv6 in IPv4 (6Bone), Multicast in Unicast (Mbone)
- here: e.g. IP-in-IP encapsulation, minimal encapsulation or GRE (Generic Routing Encapsulation)
- tunnel between HA and COA
IP-in-IP encapsulation:
outer header: ver., IHL, DS (TOS), length, IP identification, flags, fragment offset, TTL, protocol = IP-in-IP, IP checksum, IP address of HA, care-of address COA
inner header: ver., IHL, DS (TOS), length, IP identification, flags, fragment offset, TTL, layer 4 protocol, IP checksum, IP address of CN, IP address of MN
payload: TCP/UDP/... payload
Encapsulation II
Minimal encapsulation:
- avoids repetition of identical fields, e.g. TTL, IHL, version, DS (RFC 2474, old: TOS)
- only applicable for non-fragmented packets, no space left for fragment identification
outer header: ver., IHL, DS (TOS), length, IP identification, flags, fragment offset, TTL, protocol = min. encap., IP checksum, IP address of HA, care-of address COA
minimal forwarding header: layer 4 protocol, S, reserved, IP checksum, IP address of MN, original sender IP address (if S=1)
Generic Routing Encapsulation (RFC 1701):
outer header: ver., IHL, DS (TOS), length, IP identification, flags, fragment offset, TTL, protocol = GRE, IP checksum, IP address of HA, care-of address COA
GRE header: C, R, K, S, s, rec., rsv., ver., checksum (optional), key (optional), sequence number (optional), routing (optional)
inner header: ver., IHL, DS (TOS), length, IP identification, flags, fragment offset, TTL, layer 4 protocol, IP checksum, IP address of CN, IP address of MN
payload: TCP/UDP/... payload
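An added Python example (not code from the slides or from any Mobile IP implementation) for the tunnelling and encapsulation slides above and for the reverse tunnelling slides (Mobile IP XVI/XVII): it builds IP-in-IP tunnels the way the Tunneling slides describe (new header in front of the unchanged datagram, destination = COA, source = HA, protocol value 4), builds and unpacks minimal encapsulation with its forwarding header and S flag (protocol value 55, refused for fragments), and models the check a border router of the foreign network can make on the source address, which is why a packet from the MN must be encapsulated by the FA to be topologically correct. Addresses, payload and helper names are constructed for the example; the toy header builder always sets DF and omits options, and GRE is not implemented.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4      # protocol field value for IP-in-IP
IPPROTO_MINENC = 55   # protocol field value for minimal encapsulation
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """Internet (one's complement) checksum, used by the IP header and the minimal forwarding header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, tos=0) -> bytes:
    """20-byte IPv4 header without options; DF is always set (simplification of this toy builder)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Header fields of `pkt`; verifies the header checksum as a receiving IP stack does."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or ihl < 20 or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    tos, total_len, ident, frag, ttl, proto = struct.unpack("!BHHHBB", pkt[1:10])
    return {"tos": tos, "len": total_len, "ident": ident, "frag": frag, "ttl": ttl, "proto": proto,
            "ihl": ihl, "src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20]))}


def ip_in_ip_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """IP-in-IP: a new header (src = HA, dst = COA, protocol 4) in front of the unchanged datagram."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def ip_in_ip_decap(outer: bytes) -> bytes:
    """Tunnel exit (COA): strip the outer header; the inner datagram is handed to IP again."""
    h = parse_ipv4(outer)
    if h["proto"] != IPPROTO_IPIP:
        raise ValueError("not IP-in-IP")
    return outer[h["ihl"]:h["len"]]


def minimal_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Minimal encapsulation: the outer header reuses TTL, identification and DS of the original;
    only the fields that differ go into an 8- or 12-byte forwarding header."""
    h = parse_ipv4(inner)
    if h["frag"] & 0x3FFF:              # MF bit or non-zero offset: no room for fragment information
        raise ValueError("minimal encapsulation is only allowed for unfragmented datagrams")
    payload = inner[h["ihl"]:h["len"]]
    s_flag = int(h["src"] != tunnel_src)   # S = 1: the encapsulator is not the original sender
    fwd = struct.pack("!BBH4s", h["proto"], s_flag << 7, 0, ipaddress.ip_address(h["dst"]).packed)
    if s_flag:
        fwd += ipaddress.ip_address(h["src"]).packed
    fwd = fwd[:2] + struct.pack("!H", checksum(fwd)) + fwd[4:]
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_MINENC, len(fwd) + len(payload),
                        ttl=h["ttl"], ident=h["ident"], tos=h["tos"])
    return outer + fwd + payload


def minimal_decap(outer: bytes) -> bytes:
    """Rebuild the original datagram from the outer header plus the forwarding header."""
    h = parse_ipv4(outer)
    if h["proto"] != IPPROTO_MINENC:
        raise ValueError("not minimal encapsulation")
    fwd = outer[h["ihl"]:]
    s_flag = fwd[1] >> 7
    fwd_len = 12 if s_flag else 8
    if checksum(fwd[:fwd_len]) != 0:
        raise ValueError("bad forwarding header checksum")
    orig_dst = str(ipaddress.ip_address(fwd[4:8]))
    orig_src = str(ipaddress.ip_address(fwd[8:12])) if s_flag else h["src"]
    payload = outer[h["ihl"] + fwd_len:h["len"]]
    return ipv4_header(orig_src, orig_dst, fwd[0], len(payload),
                       ttl=h["ttl"], ident=h["ident"], tos=h["tos"]) + payload


def passes_ingress_filter(pkt: bytes, foreign_prefix: str) -> bool:
    """Border router of the foreign network: only a source inside the foreign prefix is topologically correct."""
    return ipaddress.ip_address(parse_ipv4(pkt)["src"]) in ipaddress.ip_network(foreign_prefix)
```

A packet the MN sends directly carries its home address as source and fails the filter; the same packet reverse-tunnelled by the FA (outer source = COA, outer destination = HA) passes, which is the page's "topologically correct" argument. Minimal encapsulation saves 8 bytes over IP-in-IP when the HA is the encapsulator (S = 1, 12-byte forwarding header instead of a 20-byte outer header) but is unusable for fragments.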
Route Optimizations
- Enable direct notification of the corresponding host
- Direct tunneling from the corresponding host to the mobile host
- Binding cache maintained at the corresponding host
Binding Update
- When a home agent receives a packet to be tunneled to a mobile host, it sends a binding update message to the corresponding host
- When a home agent receives a binding request message, it replies with a binding update message
- Also used in the smooth-handoffs optimization
- ... tunneling subsequent packets
- Lifetime of binding?
- A corresponding host that perceives a near-expiry can choose to ask for a binding confirmation using the binding request message
- The home agent can choose to ask for an acknowledgement, to which a corresponding host has to reply with a binding ack message
Binding warning
- When a foreign agent receives a tunneled message but sees no visitor entry for the mobile host, it generates a binding warning message to the appropriate home agent
- When a home agent receives a warning, it issues an update message to the corresponding host
- What if the foreign agent does not have the home agent address (why?)
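The route optimization exchange described on the slides above (binding cache at the corresponding host, Binding Update, Binding Request near expiry, Binding Warning from a foreign agent without a visitor entry, and the fall-back to triangular routing via the HA), as an added Python model that is not code from the slides or from any implementation. Messages are plain dictionaries whose type names follow the page; two simplifications are assumptions of the model: the foreign agent is configured with its home agent's address (which sidesteps the slide's question of an FA that does not know it), and the cache installs a binding only when the update comes from the HA's address, standing in for the authentication that the "big security problems" of route optimization demand. Addresses and lifetimes are constructed.

```python
class BindingCache:
    """Binding cache of a corresponding host (CN)."""

    def __init__(self, home_agent: str, near_expiry: int = 10):
        self.home_agent = home_agent    # only this sender's Binding Updates are installed (model assumption)
        self.near_expiry = near_expiry  # seconds before expiry at which a Binding Request is due
        self.entries = {}               # home address -> (care-of address, expiry time)

    def apply_update(self, update: dict, now: int) -> bool:
        """Install the binding carried by a Binding Update; a redirect from anyone else is refused."""
        if update["from"] != self.home_agent:
            return False
        self.entries[update["home_addr"]] = (update["coa"], now + update["lifetime"])
        return True

    def route(self, dst: str, now: int) -> tuple:
        """('tunnel', coa) while a binding is valid, else ('home', dst): the triangular path via the HA."""
        entry = self.entries.get(dst)
        if entry is None or entry[1] <= now:
            self.entries.pop(dst, None)
            return ("home", dst)
        return ("tunnel", entry[0])

    def binding_request_due(self, dst: str, now: int) -> bool:
        """True when the binding is still valid but about to expire."""
        entry = self.entries.get(dst)
        return entry is not None and now < entry[1] <= now + self.near_expiry


class HomeAgent:
    def __init__(self, addr: str, lifetime: int = 60):
        self.addr, self.lifetime = addr, lifetime
        self.bindings = {}              # home address -> care-of address, learned from registration

    def register(self, home_addr: str, coa: str):
        self.bindings[home_addr] = coa

    def binding_update(self, home_addr: str, cn: str) -> dict:
        return {"type": "Binding Update", "from": self.addr, "to": cn, "home_addr": home_addr,
                "coa": self.bindings[home_addr], "lifetime": self.lifetime}

    def intercept(self, pkt: dict) -> list:
        """A packet for the MN reached the home network: tunnel it to the COA and inform the sender."""
        coa = self.bindings.get(pkt["dst"])
        if coa is None:
            return [{"type": "Deliver", "to": pkt["dst"]}]           # MN is at home
        return [{"type": "Tunneled Data", "to": coa, "home_addr": pkt["dst"], "src": pkt["src"]},
                self.binding_update(pkt["dst"], pkt["src"])]

    def on_binding_request(self, req: dict) -> list:
        return [self.binding_update(req["home_addr"], req["from"])]

    def on_binding_warning(self, warning: dict) -> list:
        return [self.binding_update(warning["home_addr"], warning["cn"])]


class ForeignAgent:
    def __init__(self, addr: str, home_agent: str):
        self.addr, self.home_agent = addr, home_agent
        self.visitors = set()           # home addresses of MNs currently registered through this FA

    def receive_tunneled(self, msg: dict) -> list:
        """Deliver to a visitor, or warn the HA that the sender's binding is stale."""
        if msg["home_addr"] in self.visitors:
            return [{"type": "Detunnelled Data", "to": msg["home_addr"]}]
        return [{"type": "Binding Warning", "to": self.home_agent,
                 "home_addr": msg["home_addr"], "cn": msg["src"]}]
```

Running the objects through a handover shows the sequence the slides describe: the first packet goes the triangular way and triggers a Binding Update, later packets are tunnelled directly, an expired binding silently falls back to the home path, and after the MN moves the old FA's Binding Warning makes the HA re-point the CN to the new COA.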
Mobile IP with reverse tunneling (continued):
- a packet from the MN encapsulated by the FA is now topologically correct
- furthermore, multicast and TTL problems are solved (the TTL is correct in the home network, but the MN is too far away from the receiver)
Mobile IP and IPv6
- security is integrated and not an add-on, authentication of registration is included
- COA can be assigned via auto-configuration (DHCPv6 is one candidate), every node has address autoconfiguration
- no need for a separate FA, all routers perform router advertisement, which can be used instead of the special agent advertisement; addresses are always co-located
- MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimization)
- soft hand-over, i.e. without packet loss, between two subnets is supported: MN sends the new COA to its old router; the old router encapsulates all incoming packets for the MN and forwards them to the new COA; authentication is always granted
Problems with Mobile IP
Security
- authentication with FA problematic, for the FA typically belongs to another organization
- no protocol for key management and key distribution has been standardized in the Internet
- patent and export restrictions
Firewalls
- typically Mobile IP cannot be used together with firewalls, special set-ups are needed (such as reverse tunneling)
QoS
- many new reservations in case of RSVP
- tunneling makes it hard to give a flow of packets the special treatment needed for QoS
... and discussions!
Security in Mobile IP
Security requirements (Security Architecture for the
- Integrity: any changes to data between sender and receiver can be detected by the receiver
- Authentication: sender address is really the address of the sender and all data received is really data sent by this sender
- Confidentiality: only sender and receiver can read the data
- Non-Repudiation: sender cannot deny sending of data
- Traffic Analysis: creation of traffic and user profiles should not be possible
- Replay Protection: receivers can detect replay of messages
IP security architecture I
Two or more partners have to negotiate security mechanisms
(figure: IP header | ESP header | encrypted data)
IP security architecture II
Mobile Security Association for registrations
- parameters for the mobile host (MH), home agent (HA), and foreign agent (FA)
- extended authentication of registration: MH-FA authentication, FA-HA authentication, MH-HA authentication
(figure: registration request MH -> FA -> HA, registration reply HA -> FA -> MH)
Key distribution
Home agent distributes session keys
(figure: FA, MH, HA; the home agent answers with a new session key for the foreign agent)
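The MH-HA authentication of the registration request and the replay protection listed under the security requirements, as an added Python example that is not code from the slides or from any Mobile IP implementation. It builds the fixed part of a registration request (type, flags S B D M G r T x, lifetime, home address, home agent, care-of address, identification), appends the Mobile-Home Authentication Extension (type 32, SPI, HMAC-MD5 authenticator as in the RFC 3344 default mobility security association), and lets a home agent verify the authenticator with constant-time comparison and check the identification field against its clock window and against the last accepted value. Assumptions of the example: the identification carries seconds in its high 32 bits (NTP-style, epoch offset ignored), the 7-second window, the reply codes 0/131/133 as in RFC 3344, and all keys and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST_TYPE = 1      # registration request
MH_AUTH_EXT_TYPE = 32     # Mobile-Home Authentication Extension
AUTH_LEN = 16             # HMAC-MD5 authenticator (RFC 3344 default algorithm)
# registration reply codes (RFC 3344): accepted, MN failed authentication, identification mismatch
ACCEPTED, FAILED_AUTH, ID_MISMATCH = 0, 131, 133


def build_registration_request(flags, lifetime, home_addr, home_agent, coa, identification) -> bytes:
    """Fixed 24-byte part: type, flags S B D M G r T x, lifetime, home address, HA, COA, identification."""
    p = lambda a: ipaddress.ip_address(a).packed
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, flags, lifetime,
                       p(home_addr), p(home_agent), p(coa), identification)


def mh_authenticator(key: bytes, preceding: bytes, spi: int) -> bytes:
    """HMAC over the request, all preceding extensions, and the type/length/SPI of this extension."""
    covered = preceding + struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    return hmac.new(key, covered, hashlib.md5).digest()


def add_mh_auth_ext(msg: bytes, key: bytes, spi: int) -> bytes:
    """Append the Mobile-Home Authentication Extension to `msg` (request plus any earlier extensions)."""
    return msg + struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi) + mh_authenticator(key, msg, spi)


class HomeAgent:
    """Checks MH-HA authentication and replay protection of incoming registration requests."""

    def __init__(self, associations: dict, window: int = 7):
        self.associations = associations   # SPI -> shared key: the mobility security association
        self.window = window               # tolerated clock difference in seconds (assumption: 7 s)
        self.last_ident = {}               # home address -> last accepted identification

    def verify(self, datagram: bytes, now: int) -> int:
        """Return the registration reply code for `datagram` received at time `now` (seconds)."""
        if len(datagram) < 24 or datagram[0] != REG_REQUEST_TYPE:
            return FAILED_AUTH
        home_addr = str(ipaddress.ip_address(datagram[4:8]))
        identification, = struct.unpack("!Q", datagram[16:24])
        # walk the (type, length, data) extensions until the authentication extension is found
        off = 24
        while off + 2 <= len(datagram) and datagram[off] != MH_AUTH_EXT_TYPE:
            off += 2 + datagram[off + 1]
        if off + 2 + 4 + AUTH_LEN > len(datagram):
            return FAILED_AUTH                    # extension missing or truncated
        spi, = struct.unpack("!I", datagram[off + 2:off + 6])
        received = datagram[off + 6:off + 6 + AUTH_LEN]
        key = self.associations.get(spi)
        if key is None or not hmac.compare_digest(received, mh_authenticator(key, datagram[:off], spi)):
            return FAILED_AUTH
        # replay protection: timestamp must be close to our clock and strictly greater than the last one
        timestamp = identification >> 32
        if abs(timestamp - now) > self.window or identification <= self.last_ident.get(home_addr, -1):
            return ID_MISMATCH
        self.last_ident[home_addr] = identification
        return ACCEPTED
```

A request replayed by a third party fails on the identification check even though its authenticator is valid, and any change to the fixed part (for instance the lifetime or the care-of address) invalidates the authenticator, which is what makes the "HA informs a sender" and "direct tunneling" optimizations safe only when the same kind of check protects their messages.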
Recap
- Host mobility and Internet addresses
- Post-office analogy
- Home agent, foreign agent, care-of address, home address
- Registration and Tunneling
- Mobile IP problems
- Mobile IP Optimizations
- Other options