Mobile IP: Enabling Internet Connectivity for Mobile Devices, Study notes of Computer Systems Networking and Telecommunications

An overview of Mobile IP, a protocol designed to let computers keep Internet connectivity while moving from one Internet attachment point to another. Mobile IP leaves the Internet routing fabric unchanged and works both for changing domains and network interfaces. It is particularly suited to wireless environments and provides transparency, compatibility, and security. Covers requirements, terminology, and the roles of the home agent, foreign agent, and care-of address.

Typology: Study notes

Pre 2010

Uploaded on 07/31/2009

koofers-user-tqp-1


[Slide 1] Mobile Management in Wireless Networks: Mobile IP
EEC173B/ECS152C, Winter 2006 (Chuah)
Acknowledgment: Selected slides from Prof. Mohapatra and Prof. Schiller

[Slide 2] IP address problem
- Internet hosts/interfaces are identified by IP address
  - Domain name service translates host name to IP address
  - Based on IP destination address, network prefix (e.g. 129.13.42) locates physical subnet
  - Mixes naming and location
- Moving to another network requires different network address => change of IP address
  - But this would change the host's identity
  - How can we still reach that host? => or needs special entries in the routing tables

[Slide 3] Routing Issues
- Changing the IP address?
  - Adjust the host IP address depending on the current location
  - Almost impossible to find a mobile system, DNS updates take too long
  - TCP connections break, security problems
- Specific routes to end-systems?
  - Change of all routing table entries to forward packets to the right destination
  - Does not scale with the number of mobile hosts and frequent changes in the location, security problems

[Slide 4] Mobile IP: Introduction
- Mobile IP was developed to enable computers to maintain Internet connectivity while moving from one Internet attachment point to another
- Leaves Internet routing fabric unchanged
- Does not assume "base stations" exist everywhere
- Simple
- Correspondent hosts don't need to know about mobility
- Works both for changing domains and network interfaces
- Although applicable for wired environment, it is particularly suited for wireless environment
- Mobile versus nomadic connectivity
  - Mobile: connection is maintained
  - Nomadic: new connection after every move

[Slides 5-8 are not part of this preview]

[Slide 9] Data transfer from the mobile system
[Figure: MN (sender) in the foreign network with its FA, the HA in the home network, the Internet, and the receiver (CN); step 1 marked]
1. Sender sends to the IP address of the receiver as usual, FA works as default router

[Slide 10] Overview
[Figure: two panels showing CN, a router, HA (home network), the Internet, a router, FA and MN (foreign network), with forwarding steps 1-4; the second panel labels the COA]

[Slide 11] Basic Capabilities
1. Discovery
   - Uses discovery process to identify prospective home agents and foreign agents
2. Registration
   - Uses an authenticated registration procedure to inform its home agent of its care-of address
3. Tunneling
   - Forwarding IP datagram for a home address to a care-of address

[Slide 12] 1. Discovery
- The discovery process is very similar to the router advertisement process used in ICMP (Internet Control Message Protocol)
- Agent Advertisement
  - HA and FA periodically send advertisement messages into their physical subnets
  - MN listens to these messages and detects if it is in the home or a foreign network (standard case for home network)
  - MN reads a COA from the FA advertisement messages
- A mobile node listens for these agent advertisement messages. It compares its own network address with that of the router to determine if it is in home or foreign network

[Slide 13] Agent advertisement (message format; bit positions 0-7, 8-15, 16-23, 24-31)
ICMP router advertisement:
  type | code | checksum
  #addresses | addr. size | lifetime
  router address 1
  preference level 1
  router address 2
  preference level 2
  . . .
Mobility agent advertisement extension:
  type = 16 | length | sequence number
  registration lifetime | R B H F M G r T | reserved
  COA 1
  COA 2
  . . .
Field meanings:
- type = 16
- length = 6 + 4 * #COAs
- R: registration required
- B: busy, no more registrations
- H: home agent
- F: foreign agent
- M: minimal encapsulation
- G: GRE encapsulation
- r: =0, ignored (former Van Jacobson compression)
- T: FA supports reverse tunneling
- reserved: =0, ignored

[Slide 14] 1. Discovery – other issues
- Agent Solicitation
  - Foreign agents are expected to issue agent advertisement messages periodically
  - If a mobile agent needs agent information immediately, it can issue an ICMP router solicitation message
- Move Detection
  - Use of lifetime field
  - Use of network prefix
- Co-Located Addresses
  - If a mobile node moves to a network which has no foreign agent, it may act as its own foreign agent using a co-located care-of address
  - A co-located care-of address is an IP address obtained by the mobile node that is associated with its network interface

[Slides 15-18 are not part of this preview]

[Slide 19] Mobile IP registration reply (message format; bit positions 0-7, 8-15, 16-31)
  type = 3 | code | lifetime
  home address
  home agent
  identification
  extensions . . .
Example codes:
- registration successful
  - 0: registration accepted
  - 1: registration accepted, but simultaneous mobility bindings unsupported
- registration denied by FA
  - 65: administratively prohibited
  - 66: insufficient resources
  - 67: mobile node failed authentication
  - 68: home agent failed authentication
  - 69: requested lifetime too long
- registration denied by HA
  - 129: administratively prohibited
  - 131: mobile node failed authentication
  - 133: registration identification mismatch
  - 135: too many simultaneous mobility bindings

[Slide 20] The Role of Home Agent
- Advertisement
  - HA advertises the IP address of the MN (as for fixed systems), i.e. standard routing information
  - Routers adjust their entries, these are stable for a longer time (HA responsible for a MN over a longer period of time)
  - Packets to the MN are sent to the HA
  - Independent of changes in COA/FA

[Slide 21] 3. Tunneling
- Once a MN is registered with a HA, the HA must be able to intercept IP datagrams sent to the MN's home address so that these data can be sent via tunneling
- The HA needs to inform the other nodes on the same network that IP datagrams with a destination address of the MN in question should be delivered (at the link level) to this agent
- To forward an IP datagram to a care-of address, the HA puts the entire IP datagram into an outer IP datagram; this process is known as a form of encapsulation

[Slide 22] Basic Mobile IP – to mobile hosts
MH = mobile host, CH = correspondent host, HA = home agent, FA = foreign agent
(We'll see later that FA is not necessary or even desirable)
- MH registers new "care-of address" (FA) with HA
- HA tunnels packets to FA
- FA decapsulates packets and delivers them to MH
[Figure: CH, HA in the home network, FA and MH in the foreign network]

[Slide 23] Packet addressing
Packet from CH to MH:
  Source address = address of CH
  Destination address = home IP address of MH
  Payload
Home agent intercepts the above packet and tunnels it:
  Source address = address of HA
  Destination address = care-of address of MH
    Source address = address of CH
    Destination address = home IP address of MH
    Original payload

[Slide 24] Encapsulation
- IP-within-IP Encapsulation
  - The entire IP datagram becomes the payload in a new IP datagram
- Minimal Encapsulation
  - The new header is inserted between the original IP header and the original payload
- Generic Routing Encapsulation (GRE)
  - Generic encapsulation method developed before Mobile IP

[Slides 25-28 are not part of this preview]

[Slide 29] Optimization of Packet Forwarding
- Triangular Routing
  - Sender sends all packets via HA to MN
  - Higher latency and network load
- "Solutions"
  - Sender learns the current location of MN
  - Direct tunneling to this location
  - HA informs a sender about the location of MN
  - Big security problems!
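The discovery slides describe the agent advertisement as an ICMP router advertisement followed by a mobility agent extension (type 16, length = 6 + 4 * #COAs, flag bits R B H F M G r T), and the mobile node's decision of home versus foreign network by comparing its own network prefix with the router's. The following Python is an added example, not code from the course slides or from any Mobile IP implementation: it builds such a message, parses it back with length and flag checks, and classifies the network. The addresses, sequence numbers and lifetimes are constructed sample values, and the checksum is computed over the whole message as this example's own convention.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMP_ROUTER_ADVERTISEMENT = 9   # ICMP type of a router advertisement
MOBILITY_AGENT_EXT_TYPE = 16    # extension type shown on the slide

# Flag bits of the extension, in the order drawn on the slide: R B H F M G r T
FLAG_BITS = {"R": 0x80, "B": 0x40, "H": 0x20, "F": 0x10,
             "M": 0x08, "G": 0x04, "r": 0x02, "T": 0x01}


@dataclass
class AgentAdvertisement:
    routers: list              # [(router address, preference level), ...]
    sequence: int
    registration_lifetime: int
    flags: set
    care_of_addresses: list


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum; returns 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_agent_advertisement(routers, sequence, reg_lifetime, flags, coas, lifetime=1800) -> bytes:
    """Agent side: ICMP router advertisement followed by the mobility agent extension.
    The checksum covers the whole message here (this example's assumption)."""
    msg = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(routers), 2, lifetime)
    for addr, pref in routers:
        msg += ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    msg += struct.pack("!BBHHBB", MOBILITY_AGENT_EXT_TYPE, 6 + 4 * len(coas),
                       sequence, reg_lifetime, flag_byte, 0)
    for coa in coas:
        msg += ipaddress.IPv4Address(coa).packed
    return msg[:2] + struct.pack("!H", ones_complement_checksum(msg)) + msg[4:]


def parse_agent_advertisement(msg: bytes) -> AgentAdvertisement:
    """Mobile node side: validate and decode an agent advertisement."""
    if len(msg) < 8 or ones_complement_checksum(msg) != 0:
        raise ValueError("truncated message or bad checksum")
    typ, _code, _csum, n_addrs, addr_size, _lifetime = struct.unpack("!BBHBBH", msg[:8])
    if typ != ICMP_ROUTER_ADVERTISEMENT or addr_size != 2:
        raise ValueError("not an ICMP router advertisement")
    off, routers = 8, []
    for _ in range(n_addrs):
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        (pref,) = struct.unpack("!i", msg[off + 4:off + 8])
        routers.append((addr, pref))
        off += 8
    if len(msg) < off + 8:
        raise ValueError("no mobility agent advertisement extension")
    ext_type, ext_len, seq, reg_lifetime, flag_byte, _reserved = struct.unpack("!BBHHBB", msg[off:off + 8])
    if ext_type != MOBILITY_AGENT_EXT_TYPE:
        raise ValueError("no mobility agent advertisement extension")
    n_coas, rem = divmod(ext_len - 6, 4)
    # the slide's rule: length must be exactly 6 + 4 * #COAs, and it must fit the message
    if ext_len < 6 or rem or off + 2 + ext_len > len(msg):
        raise ValueError("inconsistent extension length")
    coas = [str(ipaddress.IPv4Address(msg[off + 8 + 4 * i:off + 12 + 4 * i])) for i in range(n_coas)]
    flags = {name for name, bit in FLAG_BITS.items() if flag_byte & bit}
    return AgentAdvertisement(routers, seq, reg_lifetime, flags, coas)


def classify_network(adv: AgentAdvertisement, home_address: str, prefix_len: int):
    """Slide 12: compare the MN's own network prefix with the advertising router's.
    Returns ("home", None) or ("foreign", COA to register); the COA is None when
    no usable one is offered (no F bit, no COA listed, or the B "busy" bit set)."""
    home_net = ipaddress.ip_network(f"{home_address}/{prefix_len}", strict=False)
    router = ipaddress.IPv4Address(adv.routers[0][0])
    if router in home_net:
        return "home", None
    if "F" in adv.flags and adv.care_of_addresses and "B" not in adv.flags:
        return "foreign", adv.care_of_addresses[0]
    return "foreign", None


if __name__ == "__main__":
    # constructed sample: an FA at 10.0.7.1 advertising itself as the COA
    adv = parse_agent_advertisement(
        build_agent_advertisement([("10.0.7.1", 0)], 42, 600, {"R", "F", "G"}, ["10.0.7.1"]))
    print(adv, classify_network(adv, "129.13.42.7", 24))
```

The length check matters in practice: a parser that trusts the length byte and reads 4 * n COAs past the end of the datagram is the kind of bug that turns a malformed advertisement into a crash, so the decoder refuses anything that is not exactly 6 + 4 * #COAs and inside the message.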
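Slides 21 to 24 describe the tunneling step: the HA intercepts a datagram addressed to the MH's home address and wraps it in an outer datagram (source = HA, destination = care-of address), and the FA strips the outer header and delivers the inner datagram. The Python below is an added example, not code from the slides or from any real HA/FA, showing IP-within-IP encapsulation on constructed sample datagrams (CH 192.0.2.10, MH home address 129.13.42.7, HA 129.13.42.1, FA care-of address 10.0.7.1). The protocol number 4 for IP-within-IP is a real assignment; the FA's check that a tunnel packet comes from the home agent the visitor registered with is this example's own defensive addition, not something the slides state.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-within-IP encapsulation
IPPROTO_UDP = 17    # protocol of the sample inner payload


def header_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram: 20-byte header, no options, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if header_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


class HomeAgent:
    """Slides 21-23: intercept datagrams for registered home addresses and tunnel them."""

    def __init__(self, address: str):
        self.address = address
        self.bindings = {}          # home address -> care-of address

    def register(self, home_address: str, coa: str) -> None:
        self.bindings[home_address] = coa

    def forward(self, pkt: bytes) -> bytes:
        inner = parse_ipv4(pkt)
        coa = self.bindings.get(inner["dst"])
        if coa is None:
            return pkt              # not a mobile node we serve: normal delivery
        # IP-within-IP: the entire original datagram becomes the payload of the outer one
        return build_ipv4(self.address, coa, IPPROTO_IPIP, pkt)


class ForeignAgent:
    """Slide 22: decapsulate tunnelled datagrams and deliver them to visiting MHs."""

    def __init__(self, coa: str):
        self.coa = coa
        self.visitors = {}          # home address -> home agent that tunnels for it

    def add_visitor(self, home_address: str, home_agent: str) -> None:
        self.visitors[home_address] = home_agent

    def decapsulate(self, pkt: bytes) -> dict:
        outer = parse_ipv4(pkt)
        if outer["dst"] != self.coa or outer["proto"] != IPPROTO_IPIP:
            raise ValueError("not an IP-in-IP tunnel packet for this care-of address")
        inner = parse_ipv4(outer["payload"])
        # Defensive check added in this example (not on the slides): deliver only to a
        # registered visitor, and only when the outer source is that visitor's home agent
        expected_ha = self.visitors.get(inner["dst"])
        if expected_ha is None or outer["src"] != expected_ha:
            raise ValueError("dropping tunnel packet: no matching visitor binding")
        return inner


if __name__ == "__main__":
    ha = HomeAgent("129.13.42.1")
    ha.register("129.13.42.7", "10.0.7.1")
    fa = ForeignAgent("10.0.7.1")
    fa.add_visitor("129.13.42.7", "129.13.42.1")
    original = build_ipv4("192.0.2.10", "129.13.42.7", IPPROTO_UDP, b"hello from CH")
    tunnelled = ha.forward(original)
    print(parse_ipv4(tunnelled)["src"], "->", parse_ipv4(tunnelled)["dst"])
    print(fa.decapsulate(tunnelled))
```

The two address pairs in the output correspond directly to the slide 23 diagram: the outer header carries HA -> care-of address, the inner header still carries CH -> home address, so the MH (and any application on it) never sees a change of address.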
- Change of FA
  - Packets on-the-fly during the change can be lost
  - New FA informs old FA to avoid packet loss, old FA now forwards remaining packets to new FA
  - This information also enables the old FA to release resources for the MN

[Slide 30] When mobile host moves again
[Figure: CH, HA in the home network, FA #1 in foreign network #1 and FA #2 in foreign network #2, with the MH moving from the first to the second]
- MH registers new address (FA #2) with HA & FA #1
- HA tunnels packets to FA #2, which delivers them to MH
- Packets in flight can be forwarded from FA #1 to FA #2

[Slide 31] Change of Foreign Agent
[Figure: message sequence chart over time t between CN, HA, FAold, FAnew and MN: Data, Update, ACK, Data, Registration, Update, ACK, Data, Warning, Request, Update, ACK, Data; the MN changes location and the old FA forwards remaining data to the new FA]

[Slide 32] Problems with Foreign Agents
- Assumption of support from foreign networks
  - A foreign agent exists in all networks you visit?
  - The foreign agent is robust and up and running?
  - The foreign agent is trustworthy?
- Correctness in security-conscious networks
  - We'll see that "triangle route" has problems
  - MH under its own control can eliminate this problem
- Other undesirable features
  - Some performance improvements are harder with FAs
- We want end-to-end solution that allows flexibility

[Slide 33] Solution
[Figure: CH, HA in the home network, MH in the foreign network without a separate FA]
- Mobile host is responsible for itself
  - (With help from infrastructure in its home network)
  - Mobile host decapsulates packets
  - Mobile host sends its own packets
  - "Co-located" FA on MH
- => MH must acquire its own IP address in foreign network
  - This address is its new "care-of" address
  - Mobile IP spec allows for this option

[Slide 34] Obtaining a Foreign IP Address
- Can we expect to obtain an IP address?
  - DHCP becoming more common
  - Dynamic IP address binding like some dial-up services
  - Your friend can reserve an IP address for you
  - Various other tricks
  - More support for dynamic IP address binding in IPv6
- This assumes less than getting others to run a FA

[Slides 35-38 are not part of this preview]

[Slide 39] More about Reverse Tunneling
- Reverse tunneling does not solve
  - Problems with firewalls, the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)
  - Optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)
- The standard is backwards compatible
  - The extensions can be implemented easily and cooperate with current implementations without these extensions
  - Agent Advertisements can carry requests for reverse tunneling

[Slide 40] Mobile IP and IPv6
- Mobile IP was developed for IPv4, but IPv6 simplifies the protocols
  - Security is integrated and not an add-on, authentication of registration is included
  - COA can be assigned via auto-configuration (DHCPv6 is one candidate), every node has address autoconfiguration
  - No need for a separate FA, all routers perform router advertisement which can be used instead of the special agent advertisement; addresses are always co-located

[Slide 41] Mobile IP and IPv6 (Cont'd)
- MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimization)
- "soft" hand-over, i.e. without packet loss, between two subnets is supported
  - MN sends the new COA to its old router
  - the old router encapsulates all incoming packets for the MN and forwards them to the new COA
  - authentication is always granted

[Slide 42] Problems with mobile IP
- Security
  - Authentication with FA problematic, for the FA typically belongs to another organization
  - No protocol for key management and key distribution has been standardized in the Internet
  - Patent and export restrictions
- Firewalls
  - Typically mobile IP cannot be used together with firewalls, special set-ups are needed (such as reverse tunneling)
- QoS
  - many new reservations in case of RSVP
  - tunneling makes it hard to give a flow of packets a special treatment needed for the QoS
- Security, firewalls, QoS etc. are topics of current research and discussions!

[Slide 43] Security in Mobile IP
- Security requirements (Security Architecture for the Internet Protocol, RFC 1825)
  - Integrity: any changes to data between sender and receiver can be detected by the receiver
  - Authentication: sender address is really the address of the sender and all data received is really data sent by this sender
  - Confidentiality: only sender and receiver can read the data
  - Non-Repudiation: sender cannot deny sending of data
  - Traffic Analysis: creation of traffic and user profiles should not be possible
  - Replay Protection: receivers can detect replay of messages

[Slide 44] Problem: performance
- Example: short-lived communication
  - When accessing a web server, why pay for mobility?
  - Do without location-transparency
  - Unlikely to move during transfer; can reload page
  - Works when CH keeps no state about MH
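Slide 11 calls registration an authenticated procedure, slide 19 lists the reply format (type 3, code, lifetime, home address, home agent, identification) and the HA's denial codes 131 and 133, and slide 43 names authentication and replay protection as requirements. The Python below is an added example that ties those together; it is not code from the slides or from any Mobile IP stack. It assumes a shared MN-HA key provisioned out of band (the slides note that no key-management protocol is standardized), uses an HMAC-SHA256 authenticator appended to the request and reply (a simplification of the standard's authentication extension), and treats the 64-bit identification as a send timestamp plus counter that the HA requires to be fresh and strictly increasing; the 7-second skew window and all addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST, REG_REPLY = 1, 3
REQ_FMT = "!BBH4s4s4sQ"   # type, flags, lifetime, home address, home agent, COA, identification
REP_FMT = "!BBH4s4sQ"     # type, code, lifetime, home address, home agent, identification
TAG_LEN = 32              # HMAC-SHA256 authenticator appended to request and reply

REPLY_CODES = {  # example codes from slide 19
    0: "registration accepted",
    1: "registration accepted, but simultaneous mobility bindings unsupported",
    65: "registration denied by FA: administratively prohibited",
    66: "registration denied by FA: insufficient resources",
    67: "registration denied by FA: mobile node failed authentication",
    68: "registration denied by FA: home agent failed authentication",
    69: "registration denied by FA: requested lifetime too long",
    129: "registration denied by HA: administratively prohibited",
    131: "registration denied by HA: mobile node failed authentication",
    133: "registration denied by HA: registration identification mismatch",
    135: "registration denied by HA: too many simultaneous mobility bindings",
}


def _packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def parse_reply(reply: bytes) -> dict:
    typ, code, lifetime, home, agent, ident = struct.unpack(REP_FMT, reply[:-TAG_LEN])
    if typ != REG_REPLY:
        raise ValueError("not a registration reply")
    return {"code": code, "meaning": REPLY_CODES.get(code, "unknown code"),
            "lifetime": lifetime, "home_address": str(ipaddress.IPv4Address(home)),
            "home_agent": str(ipaddress.IPv4Address(agent)), "identification": ident}


class MobileNode:
    def __init__(self, home_address: str, home_agent: str, key: bytes):
        self.home_address, self.home_agent, self.key = home_address, home_agent, key
        self.counter = 0

    def make_request(self, coa: str, lifetime: int, now: int) -> bytes:
        # identification: send time in the high 32 bits, a per-node counter in the low 32
        self.counter += 1
        ident = (int(now) << 32) | (self.counter & 0xFFFFFFFF)
        body = struct.pack(REQ_FMT, REG_REQUEST, 0, lifetime, _packed(self.home_address),
                           _packed(self.home_agent), _packed(coa), ident)
        return body + _tag(self.key, body)

    def check_reply(self, reply: bytes) -> dict:
        body, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            raise ValueError("reply failed authentication")
        return parse_reply(reply)


class HomeAgent:
    def __init__(self, address: str, keys: dict, max_skew: int = 7):
        self.address, self.keys, self.max_skew = address, keys, max_skew
        self.bindings = {}     # home address -> (care-of address, lifetime)
        self.last_ident = {}   # home address -> last accepted identification

    def handle(self, request: bytes, now: int) -> bytes:
        if len(request) != struct.calcsize(REQ_FMT) + TAG_LEN:
            raise ValueError("malformed registration request")
        body, tag = request[:-TAG_LEN], request[-TAG_LEN:]
        typ, _flags, lifetime, home, _agent, coa, ident = struct.unpack(REQ_FMT, body)
        home_address = str(ipaddress.IPv4Address(home))
        key = self.keys.get(home_address)
        # 1. authentication (slide 43): constant-time check of the MN-HA authenticator
        if typ != REG_REQUEST or key is None or not hmac.compare_digest(tag, _tag(key, body)):
            return self._reply(home_address, ident, 131, 0, key)
        # 2. replay protection (slide 43): identification must be fresh and strictly increasing
        if abs((ident >> 32) - int(now)) > self.max_skew or ident <= self.last_ident.get(home_address, -1):
            return self._reply(home_address, ident, 133, 0, key)
        self.last_ident[home_address] = ident
        self.bindings[home_address] = (str(ipaddress.IPv4Address(coa)), lifetime)
        return self._reply(home_address, ident, 0, lifetime, key)

    def _reply(self, home_address, ident, code, lifetime, key):
        body = struct.pack(REP_FMT, REG_REPLY, code, lifetime, _packed(home_address),
                           _packed(self.address), ident)
        # an unknown MN has no key, so that reply cannot carry a valid authenticator
        return body + (_tag(key, body) if key else bytes(TAG_LEN))


if __name__ == "__main__":
    key = b"constructed-shared-key"           # sample key, provisioned out of band
    mn = MobileNode("129.13.42.7", "129.13.42.1", key)
    ha = HomeAgent("129.13.42.1", {"129.13.42.7": key})
    req = mn.make_request("10.0.7.1", 600, now=1_000_000)
    print(mn.check_reply(ha.handle(req, now=1_000_002)))
    print(parse_reply(ha.handle(req, now=1_000_003))["meaning"])   # replayed request
```

The binding only changes on the accepted path: a request with a wrong key (code 131), a replayed request (code 133) or one whose identification is outside the clock window (also 133) leaves the previous care-of address in place, which is the property that stops an attacker on the foreign network from redirecting the MN's traffic by resending or forging a registration.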