
EPL476 Mobile Networks

Mobile Network Protocols

Instructor: Dr. Vasos Vassiliou


Slides adapted from Prof. Dr.-Ing. Jochen H. Schiller and W. Stallings

MOBILE NETWORK LAYER: Mobile IP

Mobile IP (I)
Mobile IP adds mobility support to the Internet network layer protocol IP.
The Internet started at a time when no-one had a concept of mobile computers. The Internet of today lacks mechanisms for the support of users traveling through the world. IP is the common base for thousands of applications and runs over dozens of different networks; this is the reason for supporting mobility at the IP layer.

Motivation for Mobile IP: Routing
- based on the IP destination address, the network prefix determines the physical subnet
- a change of physical subnet implies a change of IP address to keep a topologically correct address (standard IP), or needs special entries in the routing tables

Mobile IP (II)
Create specific routes to end-systems (mobile nodes)?
- change of all routing table entries to forward packets to the right destination
- does not scale with the number of mobile hosts and frequent changes in the location

Changing the IP address?
- adjust the host IP address depending on the current location
- almost impossible to find a mobile host, DNS has not been built for frequent updates
- TCP connections break

Mobile IP (III)
Requirements to Mobile IP:
Transparency
- mobile end-systems keep their IP address
- continuation of communication after interruption of link possible
- point of connection to the fixed network can be changed
Compatibility
- support of the same layer 2 protocols as IP does
- no changes to current end-systems and routers required
- mobile end-systems can communicate with fixed systems

Mobile IP (IV)
Security
- authentication of all registration messages
Efficiency and scalability
- only few additional messages to the mobile system required (connection typically via a low bandwidth radio link)
- world-wide support of a large number of mobile systems in the whole Internet

Real-life Solution
Take up the analogy of you moving from one apartment to another. What do you do?
- Leave a forwarding address with your old post office
- The old post office forwards mail to your new post office, which then delivers it to you

Mobile IP - Definition
Mobile IP (MIP) is a modification to IP that allows nodes to continue to receive datagrams no matter where they happen to be attached to the Internet.

Mobile IP (V)
Terminology
Mobile Node (MN)
- system (node) that can change the point of connection to the network without changing its IP address
Home Agent (HA)
- system in the home network of the MN, typically a router
- registers the location of the MN, tunnels IP datagrams to the COA
Foreign Agent (FA)
- system in the current foreign network of the MN, typically a router
- forwards the tunneled datagrams to the MN, typically also the default router of the MN

Mobile IP (VI)
Care-of Address (COA)
- address of the current tunnel end-point for the MN (at FA or MN)
- actual location of the MN from an IP point of view
- can be chosen, e.g., via DHCP
Correspondent Node (CN)
- communication partner

Mobile IP in detail
Combination of 3 separable mechanisms:
- Discovering the care-of address
- Registering the care-of address
- Tunneling to the care-of address

Mobile IP in detail
MIPv4 message sequence (participants: MN, FA, HA, CN)
CoA and HA Discovery:
1. CoA Discovery (MN and FA)
2. HA Discovery Request
3. HA Discovery Reply
Registration Procedure:
4. HA Registration through FA
5. HA Registration Ack.
MN is registered with HA.
CN starts communication with MN:
6. Data Packet (CN to the MN's home address, intercepted by HA)
7. IP-in-IP Encapsulation (at HA)
8. Tunneled Data (HA to FA)
8a. Detunnelled Data (FA to MN)
9. Binding Update (HA informs CN)
10. IP-in-IP tunneling (CN directly to the COA)
10a. Detunnelled Data (FA to MN)
MN starts communication with CN: Discovery and Registration as above, 6a. Data Packet (MN to CN), then signals 6-10a as above.

MIPv6 message sequence (participants: MN, HA, CN)
CoA and HA Discovery:
1. CoA Discovery
2. HA Discovery Request
3. HA Discovery Reply
Registration Procedure:
4. HA Registration BU (Binding Update)
5. HA Registration BU Ack.
MN is registered with HA.
CN starts communication with MN:
6. Data Packet
7. IP-in-IP Encapsulation (at HA)
8. Tunneled Data (HA to MN)
9. Binding Update (MN signals CN directly)
10. Binding Ack (CN to MN)
MN starts communication with CN: Discovery and Registration as above, 6a. Data Packet, then signals 6-10 as above.

Discovering the care-of address
- Discovery process built on top of an existing standard protocol: router advertisements
- Router advertisements extended to carry available care-of addresses, called agent advertisements
- Foreign agents (and home agents) send agent advertisements periodically
- A mobile host can choose not to wait for an advertisement, and issue a solicitation message

Agent advertisements
- Foreign agents send advertisements to advertise available care-of addresses
- Home agents send advertisements to make themselves known
- Mobile hosts can issue agent solicitations to actively seek information
- If a mobile host has not heard from the foreign agent its current care-of address belongs to, it seeks another care-of address

Registering the Care-of Address
- Once the mobile host receives a care-of address, it registers it with the home agent
- A registration request is first sent to the home agent (through the foreign agent)
- The home agent then approves the request and sends a registration reply back to the mobile host
- Security?

Registration Illustration (figure not reproduced)

Home agent discovery
- If the mobile host is unable to communicate with the home agent, a home agent discovery message is used
- The message is sent as a broadcast to the home agents in the home network

Tunneling to the Care-of address
- When the home agent receives packets addressed to the mobile host, it forwards the packets to the care-of address
- How does it forward them? Encapsulation
- The default encapsulation mechanism that must be supported by all mobility agents using Mobile IP is IP-within-IP
- Using IP-within-IP, the home agent inserts a new IP header in front of the IP header of any datagram

Tunneling (contd.)
- Destination address set to the care-of address
- Source address set to the home agent's address
- After stripping out the first header, IP processes the packet again

Tunneling Illustration (figure not reproduced)

Mobile IP (VII)
Example network (figure): the home network (physical home network for the MN) contains the HA and a router; the foreign network (current physical network for the MN) contains the FA, a router and the MN; the CN is an end-system behind a router; all three are connected via the Internet.

Mobile IP (VIII)
Data transfer to the mobile system (figure: CN as sender, HA in the home network, FA and MN as receiver in the foreign network, connected via the Internet)
1. Sender sends to the IP address of MN, HA intercepts the packet
2. HA tunnels the packet to the COA, here the FA, by encapsulation
3. FA forwards the packet to the MN

Mobile IP (IX)
Data transfer from the mobile system (figure: MN as sender in the foreign network, FA, HA in the home network, CN as receiver, connected via the Internet)
1. Sender sends to the IP address of the receiver as usual, FA works as default router

Mobile IP (XIII)
Optimization of packet forwarding
Problem: Triangular routing
- sender sends all packets via HA to MN
- higher latency and network load
Solutions: optimization
- HA informs a sender about the location of MN
- sender learns the current location of MN
- direct tunneling to this location
- big security problems!

Mobile IP (XIV)
Change of FA
- Packets on-the-fly during the change can be lost
- new FA informs old FA to avoid packet loss, old FA forwards remaining packets to new FA
- this information also enables the old FA to release resources for the MN

Mobile IP (XV)
Change of the foreign agent with the optimized mobile IP (message sequence chart over time t; participants CN, HA, FAold, FAnew, MN; messages: data, update, ACK, registration, registration ACK, warning, request)
- CN sends data via HA; HA tunnels data to FAold, which delivers to MN; HA sends an update to CN, CN replies with ACK and then tunnels data directly to FAold
- MN changes location: MN registers via FAnew; FAnew sends an update to FAold, which answers with ACK and forwards remaining data to FAnew; HA acknowledges the registration
- data still arriving at FAold for the MN triggers a warning to HA; after request/update/ACK between HA and CN, CN tunnels data directly to FAnew

Mobile IP (XVI)
Reverse tunneling (RFC 3024, was: 2344) (figure: MN as sender in the foreign network, FA, HA in the home network, CN as receiver, connected via the Internet)
1. MN sends to FA
2. FA tunnels the packets to HA by encapsulation
3. HA forwards the packet to the receiver (standard case)

Mobile IP (XVII)
Mobile IP with reverse tunneling
- Routers often accept only topologically correct addresses (firewall!)
- a packet from the MN encapsulated by the FA is now topologically correct
- furthermore multicast and TTL problems solved (TTL in the home network correct, but MN is too far away from the receiver)
Reverse tunneling does not solve
- problems with firewalls, the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)
- optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)
The standard is backwards compatible
- the extensions can be implemented easily and cooperate with current implementations without these extensions
- Agent Advertisements can carry requests for reverse tunneling

Mobile IP in detail
[modified from Ericsson Tech. Rep. 11/0362-FCB, Dec 2000]

Agent advertisement
ICMP router advertisement (fields): type | code | checksum | #addresses | addr. size | lifetime | router address 1 | preference level 1 | router address 2 | preference level 2 | ...
Mobility agent advertisement extension (fields): type = 16 | length = 6 + 4 * #COAs | sequence number | registration lifetime | flags R B H F M G r T | reserved | COA 1 | COA 2 | ...
Flags:
- R: registration required
- B: busy, no more registrations
- H: home agent
- F: foreign agent
- M: minimal encapsulation
- G: GRE encapsulation
- r: =0, ignored (former Van Jacobson compression)
- T: FA supports reverse tunneling
- reserved: =0, ignored

Registration
Registration runs either via a foreign agent (MN to FA to HA) or directly (MN to HA).

Mobile IP registration request (fields): type = 1 | flags S B D M G r T x | lifetime | home address | home agent | COA | identification | extensions ...
- S: simultaneous bindings
- B: broadcast datagrams
- D: decapsulation by MN
- M: minimal encapsulation
- G: GRE encapsulation
- r: =0, ignored
- T: reverse tunneling requested
- x: =0, ignored

Mobile IP registration reply (fields): type = 3 | code | lifetime | home address | home agent | identification | extensions ...
Example codes:
registration successful
- 0: registration accepted
- 1: registration accepted, but simultaneous mobility bindings unsupported
registration denied by FA
- 65: administratively prohibited
- 66: insufficient resources
- 67: mobile node failed authentication
- 68: home agent failed authentication
- 69: requested lifetime too long
registration denied by HA
- 129: administratively prohibited
- 131: mobile node failed authentication
- 133: registration identification mismatch
- 135: too many simultaneous mobility bindings
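The two message layouts above are easier to check against real traffic when they are written as a small encoder/decoder. The following Python is an added example, not code from the slides: it builds and parses the mobility agent advertisement extension (type 16) and the registration request (type 1) exactly as laid out above, and decodes a registration reply (type 3) using the code table from the slide. The function names are the author's own; the reply-code meanings are those listed on the slide.

```python
import struct
from ipaddress import IPv4Address

# Mobility agent advertisement extension, as on the slide:
# type = 16 | length = 6 + 4 * #COAs | sequence number | registration lifetime | flags | reserved | COA 1 | COA 2 ...
AGENT_ADV_EXT_TYPE = 16
ADV_FLAG_BITS = {"R": 0x80, "B": 0x40, "H": 0x20, "F": 0x10,
                 "M": 0x08, "G": 0x04, "r": 0x02, "T": 0x01}

# Registration request (type 1): flags S B D M G r T x, most significant bit first
REG_REQUEST_TYPE = 1
REQ_FLAG_BITS = {"S": 0x80, "B": 0x40, "D": 0x20, "M": 0x10,
                 "G": 0x08, "r": 0x04, "T": 0x02, "x": 0x01}

# Registration reply (type 3) codes listed on the slide
REG_REPLY_TYPE = 3
REPLY_CODES = {
    0: "registration accepted",
    1: "registration accepted, but simultaneous mobility bindings unsupported",
    65: "denied by FA: administratively prohibited",
    66: "denied by FA: insufficient resources",
    67: "denied by FA: mobile node failed authentication",
    68: "denied by FA: home agent failed authentication",
    69: "denied by FA: requested lifetime too long",
    129: "denied by HA: administratively prohibited",
    131: "denied by HA: mobile node failed authentication",
    133: "denied by HA: registration identification mismatch",
    135: "denied by HA: too many simultaneous mobility bindings",
}


def _flags_to_byte(flags, table):
    value = 0
    for name in flags:
        value |= table[name]          # KeyError on an unknown flag name
    return value


def _byte_to_flags(value, table):
    return {name for name, bit in table.items() if value & bit}


def build_agent_adv_ext(sequence, lifetime, flags, coas):
    body = struct.pack("!HHBB", sequence, lifetime, _flags_to_byte(flags, ADV_FLAG_BITS), 0)
    body += b"".join(IPv4Address(c).packed for c in coas)
    return struct.pack("!BB", AGENT_ADV_EXT_TYPE, 6 + 4 * len(coas)) + body


def parse_agent_adv_ext(data):
    """Return (sequence, lifetime, flags, coas); raise ValueError on a malformed extension."""
    if len(data) < 8:
        raise ValueError("extension too short")
    ext_type, length = struct.unpack_from("!BB", data, 0)
    if ext_type != AGENT_ADV_EXT_TYPE:
        raise ValueError("not a mobility agent advertisement extension")
    # bounds check the length field before reading any care-of address from it
    if length < 6 or (length - 6) % 4 or len(data) < 2 + length:
        raise ValueError("length field inconsistent with data")
    sequence, lifetime, flags, _reserved = struct.unpack_from("!HHBB", data, 2)
    coas = [str(IPv4Address(data[8 + 4 * i:12 + 4 * i])) for i in range((length - 6) // 4)]
    return sequence, lifetime, _byte_to_flags(flags, ADV_FLAG_BITS), coas


def build_reg_request(flags, lifetime, home, home_agent, coa, identification):
    return (struct.pack("!BBH", REG_REQUEST_TYPE, _flags_to_byte(flags, REQ_FLAG_BITS), lifetime)
            + IPv4Address(home).packed + IPv4Address(home_agent).packed
            + IPv4Address(coa).packed + struct.pack("!Q", identification))


def parse_reg_request(data):
    if len(data) < 24 or data[0] != REG_REQUEST_TYPE:
        raise ValueError("not a registration request")
    _t, flags, lifetime = struct.unpack_from("!BBH", data, 0)
    home, home_agent, coa = (str(IPv4Address(data[o:o + 4])) for o in (4, 8, 12))
    identification = struct.unpack_from("!Q", data, 16)[0]
    return {"flags": _byte_to_flags(flags, REQ_FLAG_BITS), "lifetime": lifetime,
            "home": home, "home_agent": home_agent, "coa": coa,
            "identification": identification, "extensions": data[24:]}


def build_reg_reply(code, lifetime, home, home_agent, identification):
    return (struct.pack("!BBH", REG_REPLY_TYPE, code, lifetime) + IPv4Address(home).packed
            + IPv4Address(home_agent).packed + struct.pack("!Q", identification))


def parse_reg_reply(data):
    if len(data) < 20 or data[0] != REG_REPLY_TYPE:
        raise ValueError("not a registration reply")
    _t, code, lifetime = struct.unpack_from("!BBH", data, 0)
    home, home_agent = (str(IPv4Address(data[o:o + 4])) for o in (4, 8))
    identification = struct.unpack_from("!Q", data, 12)[0]
    return {"code": code, "meaning": REPLY_CODES.get(code, "unknown code"),
            "accepted": code in (0, 1), "lifetime": lifetime, "home": home,
            "home_agent": home_agent, "identification": identification}
```

The length consistency check in `parse_agent_adv_ext` is the part worth copying: an advertisement whose length field promises more care-of addresses than the datagram carries is the classic way a malformed packet walks a parser off the end of its buffer.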

Encapsulation
Encapsulation of one packet into another as payload:
- original packet: original IP header | original data
- encapsulated packet: new IP header | new data, where new data = original IP header | original data
- i.e. outer header | inner header | original data


Encapsulation I
- e.g. IPv6 in IPv4 (6Bone), Multicast in Unicast (Mbone)
- here: e.g. IP-in-IP encapsulation, minimal encapsulation or GRE (Generic Routing Encapsulation) tunnel between HA and COA
IP-in-IP encapsulation (mandatory, RFC 2003):
outer header: ver. | IHL | DS (TOS) | length | IP identification | flags | fragment offset | TTL | protocol = IP-in-IP | IP checksum | IP address of HA | care-of address COA
inner header: ver. | IHL | DS (TOS) | length | IP identification | flags | fragment offset | TTL | lay. 4 prot. | IP checksum | IP address of CN | IP address of MN
followed by: TCP/UDP/... payload
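The outer/inner header layout above is concrete enough to implement. The following Python is an added example (not code from the slides or from any Mobile IP implementation): the HA side prepends an outer IPv4 header with protocol 4, source HA and destination COA, and the FA side strips it, re-validates the inner header as the slide says ("IP processes the packet again"), and forwards only to a registered visitor. The header checksum routine and the visitor-table check are the author's own additions; the addresses in the test are constructed documentation addresses.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4       # outer-header protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17


def ip_checksum(header):
    """Internet checksum over a header; returns 0 when a header with its checksum filled in verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, dscp=0):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, dscp, 20 + payload_len, ident, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt):
    """Validate version, IHL, total length and checksum; raise ValueError otherwise."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _dscp, total_len, _ident, _ff, ttl, proto, _csum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("inconsistent IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "ttl": ttl, "ihl": ihl, "total_len": total_len}


def ha_encapsulate(inner_packet, ha_addr, coa):
    """HA side: wrap a packet addressed to the MN's home address in an outer header HA -> COA."""
    parse_ipv4_header(inner_packet)                        # only tunnel well-formed packets
    outer = build_ipv4_header(ha_addr, coa, IPPROTO_IPIP, len(inner_packet))
    return outer + inner_packet


def fa_decapsulate(tunneled, own_coa, visitors):
    """FA side: strip the outer header and release the inner packet only for a registered visitor."""
    outer = parse_ipv4_header(tunneled)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["dst"] != own_coa:
        raise ValueError("outer destination is not this care-of address")
    inner = tunneled[outer["ihl"]:outer["total_len"]]
    inner_hdr = parse_ipv4_header(inner)                   # inner header is processed again
    if inner_hdr["dst"] not in visitors:
        # no visitor entry for this mobile host: drop instead of forwarding
        # (in Mobile IP this is where a binding warning would be raised)
        raise ValueError("inner destination is not a registered mobile node")
    return inner
```

Decapsulating only for known visitors matters because a tunnel endpoint that forwards any inner packet it is handed becomes a generic relay for whoever can reach its care-of address; the slide's later warning about tunnel abuse is the same concern seen from the reverse direction.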

Minimal encapsulation (optional)
- avoids repetition of identical fields, e.g. TTL, IHL, version, DS (RFC 2474, old: TOS)
- only applicable for non-fragmented packets, no space left for fragment identification

Encapsulation II
Minimal encapsulation header layout:
outer IP header: ver. | IHL | DS (TOS) | length | IP identification | flags | fragment offset | TTL | protocol = min. encap. | IP checksum | IP address of HA | care-of address COA
minimal forwarding header: lay. 4 protoc. | S | reserved | IP checksum | IP address of MN | original sender IP address (if S=1)
followed by: TCP/UDP/... payload

Generic Routing Encapsulation
- original packet: original header | original data
- GRE packet: outer header | GRE header | original header | original data (i.e. new header | new data)
GRE header, RFC 1701:
outer IP header: ver. | IHL | DS (TOS) | length | IP identification | flags | fragment offset | TTL | protocol = GRE | IP checksum | IP address of HA | care-of address COA
GRE header: C | R | K | S | s | rec. | rsv. | ver. | protocol | checksum (optional) | offset (optional) | key (optional) | sequence number (optional) | routing (optional)
inner IP header: ver. | IHL | DS (TOS) | length | IP identification | flags | fragment offset | TTL | lay. 4 prot. | IP checksum | IP address of CN | IP address of MN
followed by: TCP/UDP/... payload
GRE header, RFC 2784 (updated by 2890): C | reserved0 | ver. | protocol | checksum (optional) | reserved1 (=0)

Route Optimizations
- Enable direct notification of the corresponding host
- Direct tunneling from the corresponding host to the mobile host
- Binding cache maintained at the corresponding host

Route optimizations (contd.)
4 types of messages:
- Binding update
- Binding request
- Binding warning
- Binding acknowledge

Binding Update
- When a home agent receives a packet to be tunneled to a mobile host, it sends a binding update message to the corresponding host
- When a home agent receives a binding request message, it replies with a binding update message
- Also used in the smooth-handoffs optimization

Binding Update (Contd.)
- The corresponding host caches the binding and uses it for tunneling subsequent packets
- Lifetime of binding? A corresponding host that perceives a near-expiry can choose to ask for a binding confirmation using the binding request message
- The home agent can choose to ask for an acknowledgement, to which a corresponding host has to reply with a binding ack message
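The binding cache at the corresponding host is a small state machine: install on an authentic, fresh binding update; tunnel directly while the binding is valid; ask for confirmation when the lifetime is nearly used up; fall back to the home address (and so to the HA) once it expires. The following Python is an added example, not code from the slides, and it deliberately includes the check the earlier slide hints at with "big security problems!": a binding update is accepted only if its authenticator verifies under a key the CN shares with the HA. The HMAC-SHA256 authenticator, the CN-HA shared key and the 80 % refresh point are this example's assumptions, not something the slides specify.

```python
import hashlib
import hmac

REFRESH_FRACTION = 0.8   # assumption: ask for a fresh binding once 80 % of the lifetime has elapsed


def sign_binding_update(key, home, coa, lifetime, seq):
    """Authenticator attached by the HA to a binding update.
    Assumption: HMAC-SHA256 over the binding fields under a CN-HA shared key."""
    msg = f"{home}|{coa}|{lifetime}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class BindingCache:
    """Binding cache kept at the corresponding host for route optimization."""

    def __init__(self, ha_key):
        self.key = ha_key
        self.bindings = {}   # home address -> (coa, expiry, lifetime, seq)

    def apply_binding_update(self, home, coa, lifetime, seq, authenticator, now):
        """Install a binding only if the update is authentic and newer than the cached one."""
        expected = sign_binding_update(self.key, home, coa, lifetime, seq)
        if not hmac.compare_digest(expected, authenticator):
            return False                     # spoofed update: would redirect the MN's traffic elsewhere
        cached = self.bindings.get(home)
        if cached is not None and seq <= cached[3]:
            return False                     # replayed or out-of-order update
        self.bindings[home] = (coa, now + lifetime, lifetime, seq)
        return True

    def next_hop(self, home, now):
        """Return (destination address, needs_binding_request)."""
        entry = self.bindings.get(home)
        if entry is None:
            return home, False               # no binding: send to the home address, the HA tunnels it
        coa, expiry, lifetime, _seq = entry
        if now >= expiry:
            del self.bindings[home]
            return home, False               # expired: back to triangular routing via the HA
        near_expiry = (expiry - now) <= (1 - REFRESH_FRACTION) * lifetime
        return coa, near_expiry              # tunnel directly to the COA; request confirmation if near expiry
```

The sequence-number check matters as much as the authenticator: without it, an old but genuinely signed update could be replayed to drag traffic back to a care-of address the mobile host has already left.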

Binding warning
- When a foreign agent receives a tunneled message, but sees no visitor entry for the mobile host, it generates a binding warning message to the appropriate home agent
- When a home agent receives a warning, it issues an update message to the corresponding host
- What if the foreign agent does not have the home agent address (why?)?

Binding Update and Warning (figure): the Home Agent sends a Binding Update (BU) to the Corresponding Host and receives a Binding Acknowledge (BA); the Corresponding Host sends a Binding Request (BR) to the Home Agent; the Foreign Agent, which serves the Mobile Host, sends a Binding Warning (BW) to the Home Agent.



Mobile IP and IPv6
Mobile IP was developed for IPv4, but IPv6 simplifies the protocols
- security is integrated and not an add-on, authentication of registration is included
- COA can be assigned via auto-configuration (DHCPv6 is one candidate), every node has address autoconfiguration
- no need for a separate FA, all routers perform router advertisement which can be used instead of the special agent advertisement; addresses are always co-located
- MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimization)
- soft hand-over, i.e. without packet loss, between two subnets is supported
  - MN sends the new COA to its old router
  - the old router encapsulates all incoming packets for the MN and forwards them to the new COA
  - authentication is always granted

Problems with mobile IP
Security
- authentication with FA problematic, for the FA typically belongs to another organization
- no protocol for key management and key distribution has been standardized in the Internet
- patent and export restrictions
Firewalls
- typically mobile IP cannot be used together with firewalls, special set-ups are needed (such as reverse tunneling)
QoS
- many new reservations in case of RSVP
- tunneling makes it hard to give a flow of packets the special treatment needed for the QoS
Security, firewalls, QoS etc. are topics of current research and discussions!

Security in Mobile IP
Security requirements (Security Architecture for the Internet Protocol, RFC 1825)
- Integrity: any changes to data between sender and receiver can be detected by the receiver
- Authentication: sender address is really the address of the sender and all data received is really data sent by this sender
- Confidentiality: only sender and receiver can read the data
- Non-Repudiation: sender cannot deny sending of data
- Traffic Analysis: creation of traffic and user profiles should not be possible
- Replay Protection: receivers can detect replay of messages

IP security architecture I
Two or more partners have to negotiate security mechanisms to set up a security association
- typically, all partners choose the same parameters and mechanisms
Two headers have been defined for securing IP packets:
Authentication Header
- guarantees integrity and authenticity of IP packets
- if asymmetric encryption schemes are used, non-repudiation can also be guaranteed
- packet layout: IP header | authentication header | UDP/TCP data
Encapsulating Security Payload
- protects confidentiality between communication partners
- packet layout: IP header | ESP header (not encrypted) | encrypted data

IP security architecture II
Mobile Security Association for registrations
- parameters for the mobile host (MH), home agent (HA), and foreign agent (FA)
Extensions of the IP security architecture
- extended authentication of registration: MH-FA authentication, FA-HA authentication, MH-HA authentication (figure: registration request MH to FA to HA, registration reply HA to FA to MH)
- prevention of replays of registrations
  - time stamps: 32 bit time stamp + 32 bit random number
  - nonces: 32 bit random number (MH) + 32 bit random number (HA)
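Authentication of every registration message plus replay protection is the core of the security model on these slides, so here is the HA side of it worked through. The following Python is an added example, not code from the slides: the MN builds the 24-byte registration request from the earlier layout, fills the 64-bit identification with the slide's time-stamp variant (32 bit time stamp + 32 bit random number), and appends an authentication extension whose authenticator covers the message plus the extension's type, length and SPI. The HA verifies the authenticator before it looks at the identification, rejects stale time stamps and any identification not greater than the last accepted one, and answers with the reply codes from the earlier slide (131 for failed authentication, 133 for identification mismatch, 0 for accepted). HMAC-MD5 as the authenticator, the SPI-to-key table and the 7 second clock tolerance are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

AUTH_EXT_TYPE = 32     # Mobile-Home Authentication Extension type (RFC 3344); assumption: HMAC-MD5 authenticator
AUTH_LEN = 16          # bytes of HMAC-MD5 output
CLOCK_SKEW = 7         # assumption: seconds of MN/HA clock difference tolerated for time-stamp identifications


def registration_request(home, home_agent, coa, lifetime, identification):
    """Fixed 24-byte part of a registration request (type 1); flags left at 0 for brevity."""
    return (struct.pack("!BBH", 1, 0, lifetime) + IPv4Address(home).packed
            + IPv4Address(home_agent).packed + IPv4Address(coa).packed
            + struct.pack("!Q", identification))


def timestamp_identification(now_seconds):
    """Replay protection as on the slide: 32-bit time stamp (high half) + 32-bit random number (low half)."""
    return ((int(now_seconds) & 0xFFFFFFFF) << 32) | int.from_bytes(os.urandom(4), "big")


def add_authentication(msg, spi, key):
    """Append the authentication extension; the authenticator covers msg + type + length + SPI."""
    ext_head = struct.pack("!BBI", AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    mac = hmac.new(key, msg + ext_head, hashlib.md5).digest()
    return msg + ext_head + mac


class HomeAgentRegistrar:
    """HA-side check of a registration request; returns a registration reply code from the slide."""

    def __init__(self, keys_by_spi):
        self.keys = keys_by_spi          # mobility security association: SPI -> shared key
        self.last_identification = {}    # home address -> last accepted identification

    def check(self, packet, now_seconds):
        fixed = 24
        if len(packet) < fixed + 6 + AUTH_LEN:
            return 131                   # mobile node failed authentication (extension missing)
        ext_type, ext_len, spi = struct.unpack_from("!BBI", packet, fixed)
        key = self.keys.get(spi)
        if ext_type != AUTH_EXT_TYPE or ext_len != 4 + AUTH_LEN or key is None:
            return 131
        received = packet[fixed + 6:fixed + 6 + AUTH_LEN]
        expected = hmac.new(key, packet[:fixed + 6], hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return 131                   # authenticity first: unauthenticated input never touches replay state
        home = str(IPv4Address(packet[4:8]))
        identification = struct.unpack_from("!Q", packet, 16)[0]
        if abs((identification >> 32) - int(now_seconds)) > CLOCK_SKEW:
            return 133                   # registration identification mismatch (stale or future time stamp)
        if identification <= self.last_identification.get(home, -1):
            return 133                   # replayed or out-of-order: identification must strictly increase
        self.last_identification[home] = identification
        return 0                         # registration accepted
```

The ordering inside `check` is the point: the authenticator is verified before the identification is consulted or recorded, so an unauthenticated packet can neither advance the replay window nor learn anything about it.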

Key distribution
Home agent distributes session keys (figure: FA, MH and HA; the HA's response carries E_HA-FA{session key} and E_HA-MH{session key})
- foreign agent has a security association with the home agent
- mobile host registers a new binding at the home agent
- home agent answers with a new session key for foreign agent and mobile node

Recap
- Host mobility and Internet addresses
- Post-office analogy
- Home agent, foreign agent, care-of address, home address
- Registration and Tunneling
- Mobile IP problems
- Mobile IP Optimizations
- Other options
