Partly adapted from www.jochenschiller.de http://www.it.uu.se/edu/course/homepage/datakom3/vt11
Computer Communication III
Mobile IP
“Normal Routing”
Moving Host
Motivation for Mobile IP
• Internet Intra domain Routing
– based on IP destination address, network prefix (e.g. 129.13.42.XXX), which determines the physical subnet
– change of physical subnet implies a change of IP address to get a topologically correct address (according to standard IP)
Mobility management
• We really need two addresses...
– One address for locating the mobile host.
– Another address for identifying the communication end-point.
– Standard IP uses one address for both.
• So what’s the problem? Use host address in routers? Or DHCP works just fine!
• This address duality is the basis of Mobile IP.
Moving Host
Host specific routes
• Specific routes to end-systems?
– change of all routing table entries in (an unlimited number of) routers to forward packets to the right destination
– does not scale with the number of mobile hosts and frequent changes in the location, and has security problems (Why?)
Change IP address of the mobile host. DHCP approach.
Requirements to Mobile IP
• Transparency
– mobile end-systems keep their IP address
– point of connection to the fixed network can be changed
• IP address topology intact
– continuation of communication after interruption of link
Requirements to Mobile IP 1
• Compatibility
– support of the same layer 2 protocols as IP
– no changes to current end-systems and routers required
– mobile end-systems can communicate with fixed, non-modified systems.
• Security
– authentication of all registration messages
Requirements to Mobile IP 2
• Scalability
– support of a large number of mobile systems in the whole Internet
• Efficiency
– only a few additional messages communicated with the mobile system should be required (important for low bandwidth radio)
Terminology
• Mobile Node (MN)
– system (node) that can change the point of connection to the network without changing its IP address
• Home Agent (HA)
– system in the “home network” of the MN, typically a router
– registers the current location of the MN. Tunnels IP datagrams to the COA
• Foreign Agent (FA)
– System (node) in the current “foreign network” of the MN, typically a router (or MN itself)
– forwards the tunneled datagrams to the MN. Normally the default router to the MN
• Care-of Address (COA)
– address of the current tunnel end-point for the MN (at FA or MN)
– actual location of the MN from an IP address point of view
– COA can be chosen, e.g., via DHCP
• Correspondent Node (CN)
– The communication partner (possibly non-IP featured).
Mobile Node registration
Registration
(figure: two message sequences over time t, one between MN and HA directly, one between MN, FA and HA)
MN registration of a new location
– MN signals its COA to the HA, via the FA. HA acknowledges via FA to MN
– these actions have to be secured by authentication
– The lifetimes of registrations are limited, they must be regularly renewed. Why?
De-registration
Agent Advertisement
– HA and FA periodically send advertisement messages into their physical subnets
– MN listens to these messages and decides if it is in the home or in a foreign network
– MN gets the COA from the FA advertisement messages and starts registration.
Internal book-keeping
– HA advertises the IP address of the MN (as for fixed systems), i.e. standard routing information
– routers adjust their entries, which are stable for a longer time (HA responsible for a MN over a longer period of time)
– packets to the MN are sent to the HA, independent of changes in COA/FA
– “Triangular routing” of packets to MN, controlled by the HA
Triangular Routing
Encapsulation, tunnel HA-COA
(figure: the original IP header and original data together become the new data; a new IP header is prepended, giving outer header | inner header | original data)
Encapsulation II
Outer header (added by the HA):
– ver. | IHL | DS (TOS) | length
– IP identification | flags | fragment offset
– TTL | IP-in-IP (protocol) | IP checksum
– IP address of HA (source)
– Care-of address COA (destination)
Inner header (the original header):
– ver. | IHL | DS (TOS) | length
– IP identification | flags | fragment offset
– TTL | lay. 4 prot. | IP checksum
– IP address of CN (source)
– IP address of MN (destination)
TCP/UDP/ ... payload
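The HA-to-COA tunnel from the two encapsulation slides, as an added example that is not part of the lecture slides: the HA wraps the original CN-to-MN datagram in an outer IPv4 header whose protocol field is IP-in-IP (protocol number 4, RFC 2003), and the tunnel endpoint validates that outer header before stripping it. All addresses are constructed sample values; the header builder uses the minimal 20-byte layout shown on the slide.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP (RFC 2003)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header: ver=4, IHL=5, DS=0, id=0, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def encapsulate(ha: str, coa: str, inner_packet: bytes) -> bytes:
    """HA side of the tunnel: the original datagram (CN -> MN) becomes the payload of a
    new datagram HA -> COA whose protocol field says IP-in-IP."""
    return ipv4_header(ha, coa, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(packet: bytes, my_coa: str) -> bytes:
    """Tunnel endpoint (FA or MN): check the outer header, then strip it to recover the
    original datagram. Each check rejects a packet that is not a tunnel packet for us."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if proto != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    if socket.inet_ntoa(dst) != my_coa:
        raise ValueError("outer destination is not our care-of address")
    return packet[ihl:total_len]
```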
Triangular Routing
• Triangular Routing
– sender sends all packets via HA to MN
– higher latency and network load
• “Solutions”
– sender learns the current location of MN
• direct tunneling to this location
– HA informs sender about the location of MN
• Potential security problems!
Reverse tunneling RFC 3024
(figure: sender = MN in the foreign network, FA, HA in the home network, the Internet, receiver = CN; the numbered steps are listed below)
1. MN sends to FA
2. FA tunnels packets to HA by encapsulation
3. HA forwards the packet to the receiver (standard case)
Mobile IP with reverse tunneling
• Routers often only accept “topologically correct” addresses (e.g. a firewall!)
– a packet from the MN encapsulated by the FA is topologically correct - but not with the original MN address as Source Address.
– multicast and TTL problems need to be solved
• TTL from the home network correct, but MN is too far away from the receiver to have a correct TTL.
• How is multicast performed?
Mobile Node changes FA
• Packets on-the-fly may be lost during a change of FAs. Possible solutions:
– the new FA informs the old FA, the old FA may forward remaining packets to new FA
– this information also enables the old FA to release resources for the MN.
– “soft state” (must be regularly renewed) that will release resources if inactive for too long
Change of FA with direct route
(figure: message sequence between CN, HA, FAold, FAnew and MN over time t; messages shown in order: Data, Data, Data, Update, ACK, Data, Data, then MN changes location, Registration, Update, ACK, Data, Data, Data, Warning, Request, Update, ACK, Data, Data)
Problems with mobile IP 1
• Firewalls
– MIP often has problems with firewalls.
• special set-ups are needed (such as reverse tunneling)
• QoS
– tunneling makes it hard to give a specific flow of packets QoS treatment
• (resource reservation, priority, etc.)
Problems with Mobile IP 2
• Security
– authentication with FA often problematic, since the FA typically belongs to another organization
– no protocol for key management and key distribution has been standardized
Security issues for Mobile IP
• Integrity - any changes to data between sender and receiver must be detected by the receiver
• Authentication – ensure that the sender address is really the address of the sender and all data received is really data sent by this sender
• Confidentiality - only sender and receiver can read the transmitted data
• Non-Repudiation - sender cannot deny sending data
• Traffic Analysis - creation of traffic and user profiles, including location paths, should not be possible
• Replay Protection - receivers can detect a replay of messages by an adversary.
MIP security authentication
• Preventing a replay of registrations.
– time stamps: a 32-bit time stamp value
– nonces: a 32-bit random number
(figure: registration request MH → FA → HA, registration reply HA → FA → MH; authentication extensions: MH-HA authentication, MH-FA authentication, FA-HA authentication)
Integrity and confidentiality
• Foreign Agent (FA) establishes a security association with the Home Agent (HA)
• Mobile Node registers a new binding at the Home Agent with the secure association
• Home Agent answers with a new session key to the Foreign Agent and Mobile Node for the session. Done.
(figure: FA, MH, HA; response: E_HA-FA{session key}, E_HA-MH{session key})
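An added example, not from the lecture slides, that ties together the security slides (authenticated registration, integrity, replay protection via an increasing identification) and the earlier question of why registration lifetimes must be renewed: a home agent that only installs a binding when the MN-HA authentication extension verifies, rejects replayed or tampered requests, and lets the binding expire when its lifetime runs out. Real Mobile IP (RFC 3344) uses HMAC-MD5 over the request; the HMAC-SHA256, the compact field layout, the addresses and the shared key here are assumptions for this example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample secret; in Mobile IP the MN-HA key is provisioned out of band.
MN_HA_KEY = b"constructed-sample-shared-secret"
BODY_FMT = "!4s4sHI"          # home address, COA, lifetime (s), 32-bit identification
BODY_LEN = struct.calcsize(BODY_FMT)


def build_request(home_addr: str, coa: str, lifetime: int, ident: int, key: bytes) -> bytes:
    """MN builds a registration request and appends an MN-HA authentication extension."""
    body = struct.pack(BODY_FMT, socket.inet_aton(home_addr), socket.inet_aton(coa), lifetime, ident)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HomeAgent:
    def __init__(self, key: bytes, now):
        self.key = key
        self.now = now                # injectable clock so expiry can be tested
        self.bindings = {}            # home address -> (COA, expiry time)
        self.last_ident = {}          # home address -> highest identification accepted

    def register(self, request: bytes) -> str:
        body, mac = request[:BODY_LEN], request[BODY_LEN:]
        # Integrity + authentication: a modified or forged request fails here.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "rejected: authentication failed"
        home, coa, lifetime, ident = struct.unpack(BODY_FMT, body)
        home, coa = socket.inet_ntoa(home), socket.inet_ntoa(coa)
        # Replay protection: the identification (time stamp style) must advance.
        if ident <= self.last_ident.get(home, -1):
            return "rejected: replayed registration"
        self.last_ident[home] = ident
        # lifetime 0 is a de-registration: the binding expires immediately.
        self.bindings[home] = (coa, self.now() + lifetime)
        return "accepted"

    def lookup(self, home: str):
        """Tunnel endpoint for a home address, or None once the lifetime has run out.
        This is why registrations must be renewed: a stale binding expires by itself."""
        entry = self.bindings.get(home)
        if entry is None or entry[1] <= self.now():
            self.bindings.pop(home, None)
            return None
        return entry[0]
```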