Post on 21-Apr-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Computer Communication III€¦ · Partly adapted from   Requirements to Mobile IP • Transparency

Partly adapted from www.jochenschiller.de http://www.it.uu.se/edu/course/homepage/datakom3/vt11

Computer Communication III

Mobile IP


“Normal Routing”


Moving Host


Motivation for Mobile IP

•  Internet (intra-domain) routing
– is based on the IP destination address: the network prefix (e.g. 129.13.42.XXX) determines the physical subnet
– so a change of physical subnet implies a change of IP address, to obtain a topologically correct address (according to standard IP)


Mobility management

•  We really need two addresses:
– one address for locating the mobile host,
– another address for identifying the communication end-point.
– Standard IP uses one address for both.
•  So what’s the problem? Use host-specific routes in routers? Or DHCP works just fine!
•  This address duality is the basis of Mobile IP.



Host specific routes

•  Specific routes to end-systems?
– requires changing routing table entries in (an unlimited number of) routers to forward packets to the right destination
– does not scale with the number of mobile hosts and frequent changes in location, and has security problems (Why? A router that accepts such a host route from an unauthenticated source can be made to redirect that host’s traffic.)


Change IP address of the mobile host. DHCP approach.


Requirements to Mobile IP

•  Transparency
– mobile end-systems keep their IP address
– point of connection to the fixed network can be changed
– continuation of communication after interruption of link
•  IP address topology intact


Requirements to Mobile IP 1

•  Compatibility
– support of the same layer 2 protocols as IP
– no changes to current end-systems and routers required
– mobile end-systems can communicate with fixed, non-modified systems
•  Security
– authentication of all registration messages


Requirements to Mobile IP 2

•  Scalability
– support of a large number of mobile systems in the whole Internet
•  Efficiency
– only a few additional messages communicated with the mobile system should be required (important for low-bandwidth radio links)


Terminology

•  Mobile Node (MN)
– system (node) that can change the point of connection to the network without changing its IP address
•  Home Agent (HA)
– system in the “home network” of the MN, typically a router
– registers the current location of the MN; tunnels IP datagrams to the COA
•  Foreign Agent (FA)
– system (node) in the current “foreign network” of the MN, typically a router (or the MN itself)
– forwards the tunneled datagrams to the MN; normally the default router of the MN
•  Care-of Address (COA)
– address of the current tunnel end-point for the MN (at the FA or at the MN)
– actual location of the MN from an IP address point of view
– COA can be chosen, e.g., via DHCP
•  Correspondent Node (CN)
– the communication partner (need not support Mobile IP itself)


Mobile Node registration


Registration (figure): two sequence diagrams with time running downwards, MN ↔ HA (registration directly with the HA) and MN → FA → HA (registration via the FA).


MN registration of a new location

– MN signals its COA to the HA, via the FA; the HA acknowledges via the FA to the MN
– these actions have to be secured by authentication
– the lifetimes of registrations are limited, so they must be regularly renewed. Why? (Without a lifetime the HA would keep tunneling to a COA the MN has long left, and a binding obtained once would stay valid forever.)


De-registration


Agent Advertisement

– HA and FA periodically send advertisement messages into their physical subnets
– MN listens to these messages and decides whether it is in the home or in a foreign network
– MN gets the COA from the FA advertisement messages and starts registration


Internal book-keeping

– HA advertises the IP address of the MN (as for fixed systems), i.e. standard routing information
– routers adjust their entries, which are stable for a longer time (the HA is responsible for a MN over a longer period of time)
– packets to the MN are sent to the HA, independent of changes in COA/FA
– “triangular routing” of packets to the MN, controlled by the HA


Triangular Routing


Encapsulation, tunnel HA-COA

Figure: the original datagram (original IP header + original data) becomes the data of a new datagram with a new IP header, i.e. outer header | inner header | original data.


Encapsulation II

Outer IP header (added by the HA):
  ver. | IHL | DS (TOS) | length
  IP identification | flags | fragment offset
  TTL | protocol = IP-in-IP (protocol number 4) | IP checksum
  source: IP address of HA
  destination: Care-of address COA
Inner IP header (the original header):
  ver. | IHL | DS (TOS) | length
  IP identification | flags | fragment offset
  TTL | lay. 4 prot. | IP checksum
  source: IP address of CN
  destination: IP address of MN
TCP/UDP/... payload


Triangular Routing

•  Triangular routing
– the sender sends all packets via the HA to the MN
– higher latency and network load
•  “Solutions”
– the sender learns the current location of the MN
•  direct tunneling to this location
– the HA informs the sender about the location of the MN
•  Potential security problems! A sender that accepts such a location update must be able to authenticate it, otherwise anyone can redirect the MN’s traffic to a location of their choosing.


Reverse tunneling RFC 3024

Figure: MN (sender) and FA in the foreign network, HA in the home network, CN (receiver) reached over the Internet.
1. MN sends to FA
2. FA tunnels packets to HA by encapsulation
3. HA forwards the packet to the receiver (standard case)


Mobile IP with reverse tunneling

•  Routers often only accept “topologically correct” source addresses (e.g. a firewall, or a border router doing ingress filtering)
– a packet from the MN encapsulated by the FA is topologically correct, but a packet carrying the original MN address as source address is not
– multicast and TTL problems need to be solved
•  the TTL from the home network is correct, but the MN is too far away from the receiver to have a correct TTL
•  how is multicast performed?
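The two encapsulation slides above and the reverse-tunneling case, worked through in code. This is an added example, not code from the lecture or from any Mobile IP stack: it builds the outer header with protocol IP-in-IP (4) in front of the unchanged inner header as RFC 2003 specifies, treats the tunnel as one hop for the inner TTL, and then shows why the FA must reverse-tunnel: an ingress filter (RFC 2827 style, assumed here as the “topologically correct” check) drops the MN’s packet when it carries the home address as source, but forwards the same packet once the FA has wrapped it with the COA as outer source. All addresses, prefixes and payloads are constructed test data.

```python
"""IP-in-IP encapsulation (RFC 2003, IP protocol 4) for the HA->COA tunnel, and
reverse tunneling (RFC 3024) through a border router that only forwards
topologically correct source addresses. Added example, not code from the lecture
or from any Mobile IP stack; all addresses, payloads and prefixes are constructed."""
import ipaddress
import struct

IPPROTO_IPIP = 4                # "IP-in-IP" in the slide's outer header
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"      # ver/IHL, DS, length, id, flags/frag, TTL, proto, checksum, src, dst

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def checksum(data):
    """One's-complement sum of 16-bit words; yields 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Option-less 20-byte IPv4 header in front of payload, checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, ip4(src), ip4(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    """Validate the header and return its fields plus the payload."""
    ver_ihl, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "payload": pkt[ihl:length]}

def decrement_ttl(pkt):
    """Forwarding step: TTL - 1 and a fresh header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if hdr[8] <= 1:
        raise ValueError("TTL expired")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def encapsulate(inner, entry, exit_point, outer_ttl=64):
    """RFC 2003: the tunnel entry point (HA, or the FA when reverse tunneling) counts the whole
    tunnel as one hop for the inner packet and prepends an outer header to the exit point."""
    return build_ipv4(entry, exit_point, IPPROTO_IPIP, decrement_ttl(inner), ttl=outer_ttl)

def decapsulate(pkt, my_address):
    """Tunnel exit point: strip the outer header; the inner TTL is left as it is."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP or outer["dst"] != my_address:
        raise ValueError("not a tunnel packet for this endpoint")
    return outer["payload"]

def ingress_filter(pkt, network_prefix):
    """Border router of the foreign network (RFC 2827 style): forward a packet only if its
    source address belongs to that network, i.e. is topologically correct."""
    return ipaddress.IPv4Address(parse_ipv4(pkt)["src"]) in ipaddress.IPv4Network(network_prefix)

def demo():
    """Constructed scenario: MN with home address in 129.13.42.0/24 visiting 10.0.7.0/24."""
    cn, home, ha, coa, foreign = "203.0.113.7", "129.13.42.99", "129.13.42.1", "10.0.7.1", "10.0.7.0/24"
    # Forward path (triangular routing): CN -> HA, HA tunnels to the COA, FA hands the inner packet to the MN.
    from_cn = build_ipv4(cn, home, IPPROTO_UDP, b"constructed UDP payload", ttl=64)
    tunneled = encapsulate(from_cn, ha, coa)
    outer = parse_ipv4(tunneled)
    at_mn = parse_ipv4(decapsulate(tunneled, coa))
    # Reverse path: the MN keeps its home address as source while attached to the foreign network.
    from_mn = build_ipv4(home, cn, IPPROTO_UDP, b"reply", ttl=64)
    direct_passes = ingress_filter(from_mn, foreign)      # dropped: 129.13.42.99 is not in 10.0.7.0/24
    reverse = encapsulate(from_mn, coa, ha)                # FA encapsulates towards the HA instead
    reverse_passes = ingress_filter(reverse, foreign)      # outer source is the COA: forwarded
    at_cn = parse_ipv4(decapsulate(reverse, ha))           # HA strips the outer header, forwards normally
    return {"outer": (outer["src"], outer["dst"], outer["proto"]),
            "at_mn": (at_mn["src"], at_mn["dst"], at_mn["ttl"], at_mn["payload"]),
            "direct_passes": direct_passes, "reverse_passes": reverse_passes,
            "at_cn": (at_cn["src"], at_cn["dst"], at_cn["ttl"])}
```

The TTL the MN sees is 63, not 64 minus the real hop count, which is exactly the slide’s point: the tunnel hides the distance between HA and COA from the inner packet, and the same happens in the reverse direction.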


Mobile Node changes FA

•  Packets on-the-fly may be lost during a change of FAs. Possible solutions:
– the new FA informs the old FA; the old FA may forward remaining packets to the new FA
– this information also enables the old FA to release resources for the MN
– “soft state” (must be regularly renewed) that will release resources if inactive for too long


Change of FA with direct route (sequence diagram; participants CN, HA, FAold, FAnew, MN; time runs downwards)

Message sequence as drawn, starting when the MN changes location: Data, Data, Data, Update, ACK; Data, Data; Registration, Update, ACK; Data, Data, Data, Warning, Request; Update, ACK; Data, Data. The Update/ACK between the FAs lets FAold forward in-flight data to FAnew; Warning and Request are how a node still holding the old location is brought up to date before data flows directly again.


Problems with Mobile IP 1

•  Firewalls
– MIP often has problems with firewalls
•  special set-ups are needed (such as reverse tunneling)
•  QoS
– tunneling makes it hard to give a specific flow of packets QoS treatment (resource reservation, priority, etc.)


Problems with Mobile IP 2

•  Security
– authentication with the FA is often problematic, since the FA typically belongs to another organization
– no protocol for key management and key distribution has been standardized


Security issues for Mobile IP

•  Integrity - any changes to data between sender and receiver must be detected by the receiver
•  Authentication - ensure that the sender address is really the address of the sender and all data received is really data sent by this sender
•  Confidentiality - only sender and receiver can read the transmitted data
•  Non-Repudiation - sender cannot deny sending data
•  Traffic Analysis - creation of traffic and user profiles, including location paths, should not be possible
•  Replay Protection - receivers can detect a replay of messages by an adversary


MIP security: authentication

•  Preventing a replay of registrations: the identification field of each registration carries either
– time stamps: a 32-bit time stamp, or
– nonces: a 32-bit random number

Figure: registration request MH → FA → HA and registration reply HA → FA → MH, protected by three authentication extensions: MH-HA authentication, MH-FA authentication, FA-HA authentication.
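The registration procedure (MN signals its COA, HA acknowledges, both messages authenticated, limited lifetime) and the replay protection just described, as one added example. This is not code from the lecture or from any Mobile IP implementation; the message layouts and the Mobile-Home Authentication Extension (HMAC-MD5 over the message plus the extension’s Type, Length and SPI) follow RFC 3344, which also specifies the 64-bit Identification field used here in timestamp style (high 32 bits NTP seconds, low 32 bits chosen by the MN) and reply codes 131 (MN failed authentication) and 133 (identification mismatch). The pre-shared key, SPI, addresses and the injectable clock are constructed test data; the 7-second skew window is the RFC’s default. The MH-FA and FA-HA extensions are left out, so the FA is a transparent relay.

```python
"""Mobile IPv4 registration (RFC 3344): Mobile-Home Authentication Extension,
Identification-based replay protection and a limited binding lifetime.
Added example, not from the lecture or any Mobile IP implementation; message
layouts follow RFC 3344, all keys, addresses and clock values are constructed."""
import hashlib, hmac, ipaddress, struct

REG_REQUEST, REG_REPLY, MH_AUTH_EXT, MAC_LEN = 1, 3, 32, 16   # HMAC-MD5 authenticator is 16 bytes
REPLAY_WINDOW = 7                    # seconds of clock skew the HA tolerates (RFC 3344 default)
NTP_OFFSET = 2208988800              # seconds between the NTP (1900) and UNIX (1970) epochs
CODE_OK, CODE_MN_AUTH_FAILED, CODE_IDENT_MISMATCH = 0, 131, 133

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def build_request(home, home_agent, coa, lifetime, ident, flags=0):   # fixed 24-byte part of a Request
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST, flags, lifetime, ip4(home), ip4(home_agent), ip4(coa), ident)

def build_reply(code, lifetime, home, home_agent, ident):             # fixed 20-byte part of a Reply
    return struct.pack("!BBH4s4sQ", REG_REPLY, code, lifetime, ip4(home), ip4(home_agent), ident)

def append_mh_auth(msg, spi, key):
    """HMAC-MD5 over the message plus the Type, Length and SPI of the extension itself."""
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT, 4 + MAC_LEN, spi)
    return msg + ext_hdr + hmac.new(key, msg + ext_hdr, hashlib.md5).digest()

def check_mh_auth(packet, fixed_len, key_lookup):
    """Verify the extension after the fixed part -> (spi, key, ok); key is None if no SA matches."""
    ext = packet[fixed_len:]
    if len(ext) < 6 + MAC_LEN:
        return None, None, False
    ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
    key = key_lookup(spi)
    if key is None or ext_type != MH_AUTH_EXT or ext_len != 4 + MAC_LEN:
        return spi, key, False
    expected = hmac.new(key, packet[:fixed_len + 6], hashlib.md5).digest()
    return spi, key, hmac.compare_digest(expected, ext[6:6 + MAC_LEN])

class HomeAgent:
    def __init__(self, address, clock):
        self.address, self.clock = address, clock   # clock() -> UNIX seconds, injected for determinism
        self.sa, self.bindings, self.last_ident = {}, {}, {}   # (home, SPI)->key; home->(COA, expiry); home->ident

    def ntp_now(self):
        return int(self.clock()) + NTP_OFFSET

    def current_coa(self, home):
        """Tunnel end-point for this home address, or None once the lifetime ran out unrenewed."""
        coa, expiry = self.bindings.get(home, (None, 0))
        return coa if self.clock() < expiry else None

    def handle(self, packet):
        """Process a Registration Request; return the authenticated Reply, or None if dropped."""
        if len(packet) < 24 or packet[0] != REG_REQUEST:
            return None
        _, _, lifetime, home, _, coa, ident = struct.unpack("!BBH4s4s4sQ", packet[:24])
        home, coa = str(ipaddress.IPv4Address(home)), str(ipaddress.IPv4Address(coa))
        spi, key, ok = check_mh_auth(packet, 24, lambda s: self.sa.get((home, s)))
        if key is None:
            return None                                  # unknown SPI: nothing to verify against, drop
        now = self.ntp_now()
        if not ok:
            code, reply_ident = CODE_MN_AUTH_FAILED, ident   # forged or tampered: binding untouched
        elif abs((ident >> 32) - now) > REPLAY_WINDOW or ident <= self.last_ident.get(home, 0):
            # replayed, stale or skewed: echo the MN's low 32 bits plus our own time so it can resync
            code, reply_ident = CODE_IDENT_MISMATCH, (now << 32) | (ident & 0xFFFFFFFF)
        else:
            self.bindings[home], self.last_ident[home] = (coa, self.clock() + lifetime), ident
            code, reply_ident = CODE_OK, ident
        reply = build_reply(code, lifetime if code == CODE_OK else 0, home, self.address, reply_ident)
        return append_mh_auth(reply, spi, key)           # replies are authenticated too

def mn_verify_reply(reply, key):
    """MN side: accept the reply only if its authentication extension checks out."""
    if reply is None or not check_mh_auth(reply, 20, lambda s: key)[2]:
        return None
    _, code, _, _, _, ident = struct.unpack("!BBH4s4sQ", reply[:20])
    return code, ident

def demo():
    """Constructed scenario: one MN, one HA, one pre-shared key, a controllable clock."""
    key, spi, home, ha_addr = b"16-byte-shared-k", 1000, "129.13.42.99", "129.13.42.1"
    clock = [1_600_000_000]
    ha = HomeAgent(ha_addr, clock=lambda: clock[0])
    ha.sa[(home, spi)] = key

    def request(coa, skew):      # MN builds a timestamp-style Identification from its own clock
        ident = ((clock[0] + skew + NTP_OFFSET) << 32) | 0x5EED
        return append_mh_auth(build_request(home, ha_addr, coa, 300, ident), spi, key)

    req = request("10.0.7.5", skew=0)
    accepted = mn_verify_reply(ha.handle(req), key)
    replayed = mn_verify_reply(ha.handle(req), key)      # attacker resends the captured request
    forged = bytearray(req)
    forged[12] ^= 0xFF                                   # attacker rewrites the COA in flight
    tampered = mn_verify_reply(ha.handle(bytes(forged)), key)
    skewed = mn_verify_reply(ha.handle(request("10.0.7.5", skew=60)), key)
    resynced = (skewed[1] >> 32) == ha.ntp_now()         # mismatch reply carries the HA's clock
    coa_while_valid = ha.current_coa(home)
    clock[0] += 301                                      # the 300 s lifetime runs out without renewal
    return {"accepted": accepted[0], "replayed": replayed[0], "tampered": tampered[0],
            "skewed": skewed[0], "resynced": resynced,
            "coa_while_valid": coa_while_valid, "coa_after_expiry": ha.current_coa(home)}
```

Two design points worth noting: the HA only ever answers with a signed reply when it holds a key for the claimed home address, so an attacker without the key gets at most a silent drop, and the mismatch reply hands a genuine MN the HA’s clock in the high 32 bits so the next request can land inside the window without the MN having to trust an unauthenticated time source.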


Integrity and confidentiality

•  Foreign Agent (FA) establishes a security association with the Home Agent (HA)
•  Mobile Node registers a new binding at the Home Agent through this security association
•  Home Agent answers with a new session key for the Foreign Agent and the Mobile Node for the session. Done.

Figure: HA responds to FA and MH with E_HA-FA{session key} and E_HA-MH{session key}, i.e. the session key encrypted under the HA–FA and the HA–MH keys respectively.
