Mobile IPv6: An Overview
Dr Martin Dunmore, Lancaster University
Contents
- Mobile IPv6 Introduction
- Mobile IPv6 Operation and Examples
- Mobile IPv6 Security and Privacy
- Technical Challenges
- Summary
MIPv6 Introduction
- Routing protocol for mobile IPv6 hosts
  – Transparent to upper layer protocols and applications
- Uncommon protocol architecture…
  – Avoids actively involving routers!
  – Protocol state held in end-hosts
    - Mobile nodes
    - Correspondent nodes
  – One exception… the Home Agent
MIPv6 Operation
- Mobile Nodes ‘Acquire’
  – Home address
  – Home agent
- When away from home
  – Acquire care-of address
  – Register care-of address with home agent and any relevant correspondent nodes…
  – Mobile IPv6 ensures correct routing
MIPv6 Bindings Cache
- Maintains a mapping between the mobile node’s home address and its current care-of address
- Held by home agents and correspondent nodes
- Provides info to allow correct routing of IPv6 packets to mobile node via IPv6 routing header…
- Provides a de-coupling between an IPv6 address and routing information
Mobile IPv6 Example: Mobile Node on home network
[Diagram: IPv6 network; IPv6 data is delivered to the mobile node at its Home Address 2001:630:80:7000::1]
Mobile IPv6 Example: Mobile Node on foreign network
[Diagram: on the foreign network the MN sends a Router Solicitation, receives a Router Advertisement and configures Care-of Address 2001:630:80:8000::1, then sends a Binding Update to the Home Agent; the Home Agent's Bindings Cache maps Home Address 2001:630:80:7000::1 to 2001:630:80:8000::1 and IPv6 data for the home address is forwarded to the MN]
Mobile IPv6 Example: Route Optimisation
[Diagram: the Home Agent's and the correspondent node's Bindings Caches both map Home Address 2001:630:80:7000::1 to Care-of Address 2001:630:80:8000::1; IPv6 data flows directly between the CN and the MN]
Mobile IPv6 Example
- Okay, but what if we move again?
- Two cases
  – Move from one foreign network to another
  – Return home…
- Need to send more binding updates…
Mobile IPv6 Example: Optimised MN-CN session
[Diagram: Home Agent and CN Bindings Caches both map 2001:630:80:7000::1 to 2001:630:80:8000::1; IPv6 data flows directly between the CN and the MN at Care-of Address 2001:630:80:8000::1]
Mobile IPv6 Example: MN moves again! Stale Bindings Cache
[Diagram: the MN sends a Router Solicitation, receives a Router Advertisement, configures new Care-of Address 2001:630:80:9000::1 and sends a Binding Update to the Home Agent; the Home Agent's Bindings Cache now maps 2001:630:80:7000::1 to 2001:630:80:9000::1, but the CN's Bindings Cache still maps it to 2001:630:80:8000::1, so the CN's IPv6 data is still sent to the old care-of address]
How to update CN?
- Bindings cache entry out of date…
- Solution
  – Maintain a list of active correspondent nodes in mobile node.
  – Generated when a tunnelled packet received from home agent
  – Known as the binding update list
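The stale-cache problem and the binding update list, as an added example (not code from the slides): a minimal model of the Bindings Cache held by the Home Agent and the correspondent node, plus the mobile node's Binding Update List. Class and method names are hypothetical; the addresses are the ones used in the slides.

```python
# Added example, not from the slides: a minimal model of the Bindings Cache
# held by the Home Agent and correspondent node, and of the mobile node's
# Binding Update List. Class and method names are hypothetical; the
# addresses are the ones used in the slides.

HOME = "2001:630:80:7000::1"
COA_1 = "2001:630:80:8000::1"
COA_2 = "2001:630:80:9000::1"


class BindingCache:
    """Maps a home address to (care-of address, sequence number)."""

    def __init__(self):
        self.entries = {}

    def update(self, home, coa, seq):
        # Bindings are soft state carrying sequence numbers: a BU that is not
        # newer than the stored entry is ignored (stale or replayed update).
        current = self.entries.get(home)
        if current is not None and seq <= current[1]:
            return False
        self.entries[home] = (coa, seq)
        return True

    def route(self, home):
        # Where a packet addressed to the home address is actually sent:
        # the care-of address if a binding exists, else the home network.
        entry = self.entries.get(home)
        return entry[0] if entry else home


class MobileNode:
    def __init__(self, home, home_agent):
        self.home, self.home_agent = home, home_agent
        self.coa, self.seq = None, 0
        self.bu_list = {}   # active CN address -> that CN's BindingCache

    def tunnelled_packet_from_ha(self, cn_addr, cn_cache):
        # A packet that arrived tunnelled via the HA shows this CN is still
        # sending to the home address: record it in the Binding Update List
        # and send it a Binding Update so it can route-optimise.
        self.bu_list[cn_addr] = cn_cache
        cn_cache.update(self.home, self.coa, self.seq)

    def move(self, new_coa):
        # New care-of address: bump the sequence number and send a BU to the
        # HA and to every CN on the list, so no cache entry goes stale.
        self.coa, self.seq = new_coa, self.seq + 1
        self.home_agent.update(self.home, new_coa, self.seq)
        for cache in self.bu_list.values():
            cache.update(self.home, new_coa, self.seq)
```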
Mobile IPv6 Example: MN maintains BU list
[Diagram: IPv6 data from the CN reaches the MN tunnelled via the Home Agent; the MN records the CN's IPv6 address in its Binding Update List and sends a Binding Update to the CN; the Home Agent's Bindings Cache maps Home Address 2001:630:80:7000::1 to Care-of Address 2001:630:80:8000::1]
Mobile IPv6 Example: Optimised Route
[Diagram: Home Agent and CN Bindings Caches both map 2001:630:80:7000::1 to 2001:630:80:8000::1; the MN's Binding Update List holds the CN's IPv6 address; IPv6 data flows directly between the CN and the MN]
Mobile IPv6 Example: MN uses its BU list
[Diagram: after Router Solicitation / Router Advertisement the MN configures Care-of Address 2001:630:80:9000::1 and sends a Binding Update to the Home Agent and, using its Binding Update List, to the CN; both Bindings Caches are updated to 2001:630:80:7000::1 -> 2001:630:80:9000::1]
Mobile IPv6 Example: Optimised Route
[Diagram: Home Agent and CN Bindings Caches both map 2001:630:80:7000::1 to 2001:630:80:9000::1; the MN's Binding Update List holds the CN's IPv6 address; IPv6 data flows directly to the MN at Care-of Address 2001:630:80:9000::1]
What address do we use?
- When away from home what address does a mobile node use as its source address?
- Its Home Address?
- But ingress filtering?
  – Implemented by many border routers to avoid spoofing attacks.
  – Any packets received by a router on an interface which do not match the source address of that packet are discarded.
- Can’t source from home address, as its prefix doesn’t match current location…
- Its Care-Of Address?
- But what about TCP?
  – TCP uses the IP(v6) source address as an index
  – Without a device using a consistent IPv6 address, the TCP connection would break…
- Can’t source from care-of address, for reasons of protocol stability…
The solution?
- Source from BOTH…
- New IPv6 destination option: the Home Address Option
  – Included in EVERY outgoing packet
  – Understood by all correspondent nodes
  – Home address replaces source address on reception by destination (correspondent node)
- IPv6 packets sourced from care-of address contain home address as an option
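The ingress-filtering problem and the Home Address option, as an added example (not code from the slides): a packet sourced from the home address is dropped by the foreign border router, a packet sourced from the care-of address passes but TCP would see a changing address, and a packet sourced from the care-of address carrying the Home Address option reaches TCP with the home address. The packet model, the border router's check (source address must belong to the link prefix) and the correspondent node are hypothetical.

```python
# Added example, not from the slides: models the ingress filter on the foreign
# border router and the correspondent node's handling of the Home Address
# option. Packet format, filter and node functions are hypothetical.
import ipaddress

HOME = "2001:630:80:7000::1"                       # addresses from the slides
COA = "2001:630:80:8000::1"
FOREIGN_PREFIX = ipaddress.ip_network("2001:630:80:8000::/64")


def build_packet(src, dst, home_address_option=None):
    pkt = {"src": src, "dst": dst}
    if home_address_option:
        pkt["hao"] = home_address_option               # IPv6 destination option
    return pkt


def ingress_filter(pkt, link_prefix):
    # Border router: discard packets whose source address does not belong
    # to the interface/prefix they arrived on (anti-spoofing).
    return ipaddress.ip_address(pkt["src"]) in link_prefix


def cn_receive(pkt, bindings_cache):
    # Correspondent node: the home address replaces the source address
    # before TCP sees the packet, but only if the CN holds a binding for
    # that home address whose care-of address is this packet's source
    # (RFC 3775 requires this check; otherwise the option is discarded).
    hao = pkt.get("hao")
    if hao is None:
        return pkt["src"]
    if bindings_cache.get(hao) != pkt["src"]:
        return None
    return hao


def transport_view(pkt, link_prefix, bindings_cache):
    # Source address as seen by TCP at the CN, or None if dropped en route.
    if not ingress_filter(pkt, link_prefix):
        return None
    return cn_receive(pkt, bindings_cache)
```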
What about network errors?
- Mobile IPv6 bindings are soft state
  – Refreshed periodically
  – Contain sequence numbers
  – Can be ack’d - binding acknowledgements
  – Binding Updates and Acks are retransmitted (rate limited) until the protocol converges
What Format are the Control Messages?
- New IPv6 extension header ‘Mobility Header’
  – Binding Updates
  – Return Routability
  – BU, BA, CoTi, CoT, HoTi, HoT
- Home Address option is carried in an IPv6 destination option
  – Not reliant on higher level protocols
  – Multiple messages per IP packet
  – Messages can append existing packets
  – E.g. TCP connection requests…
Security and Privacy
- Authentication
  – Massive security / denial of service attack in MIPv6 as described so far.
  – What’s to stop an attacker sending bogus Binding Update messages?
  – IPSec protects signalling between mobile node and its home agent
  – ‘Return Routability’ test allows correspondent nodes to determine binding updates are authentic
- Privacy
  – IPSec between the mobile node and its home agent is control traffic only!
Mobile IPv6 Example: MiTM attack!
[Diagram: the MN is at Care-of Address 2001:630:80:8000::1 with Home Address 2001:630:80:7000::1; a third party at dead:dead:dead::1 sends a bogus Binding Update for the home address, so the CN's Bindings Cache now maps 2001:630:80:7000::1 to dead:dead:dead::1 and the CN's IPv6 data for the MN is delivered to the attacker]
Return Routability…
- …or Route Equivalence.
- Argument:
  “All that really matters is that the optimized route is functionally equivalent to a non-optimized route”
Return Routability
- Home Agent implicitly trusted
  – Assumed it is hosted on secure site
  – Assumed that IPsec is used between mobile host and its home agent.
- Dynamic key distribution for use with correspondent nodes.
- Uses cookies to build session keys…
Return Routability
[Diagram: the MN at Care-of Address 2001:630:80:8000::1 sends a HoTi message via the Home Agent and a CoTi message directly to the CN; the CN answers with a HoT Cookie (returned via the Home Agent to Home Address 2001:630:80:7000::1) and a CoT Cookie (returned directly to the care-of address); HoT Cookie + CoT Cookie = Session Key; the MN then sends Binding Update + Session Key to the CN]
Mobile IPv6 Example
[Diagram: Home Agent and CN Bindings Caches both map Home Address 2001:630:80:7000::1 to Care-of Address 2001:630:80:8000::1; IPv6 data flows directly between the CN and the MN]
Technical Challenges: Things to think about if you wish to deploy MIPv6 services
- Bootstrapping
- Security and Privacy
- AAA
- Handover Latencies
- Firewalls and NATs
- IPv4 / IPv6 co-existence
Bootstrapping
- How does the MN discover...
  – its Home Address?
    - static home address assignment is really the only home address configuration technique compatible with the current specification
    - dynamic assignment is more desirable
  – its Home Agent?
  – the SA with its Home Agent?
Security and Privacy
- RR gives some protection as described
- RFC 4285 alternative authentication between MN and HA
  – negates the need to have IPSec SA
- Privacy between MN and CN
- Location privacy concerns
AAA
- 2 different types
  - mobility service provider (home network)
  - network service provider (at foreign network)
- AAA for MSP needs to be integrated with MIPv6
  – has implications for bootstrapping
    - procedure for bootstrapping away from home needs to be defined
- AAA for foreign networks can be transparent to MIPv6
- Or integrate both types?
Handover Latencies
- HO times in the order of seconds!
  – no good for real-time services
- Fast Handovers for MIPv6 (RFC 4068)
  – Enables MN to pre-configure new address before moving
  – Requires cooperation between ‘previous’ and ‘next’ access routers
- Hierarchical Mobile IPv6 (RFC 4140)
  – Uses a ‘Mobility Anchor Point’ to reduce HO times when roaming within same foreign network
NATs and Firewalls
- The Care of Address MUST be global!
  – thus obtaining a private address behind a NAT is problematic
- Firewalls will block BUs until user has been authenticated
- Stateful Firewall at CN site may block traffic from MN
  – new CoA not recognised
IPv4 / IPv6 Coexistence
- How does MIPv6 work with transition mechanisms?
  – Provided MN obtains a globally routable CoA things ‘should’ work
- What about IPv4 only networks?
  – Possibilities:
    - CN is in an IPv4 only network
    - HA is in an IPv4 only network
    - MN moves into an IPv4 only network
Other Issues
- DHCPv6 vs SLAAC
  – SLAAC faster
    - can even fine tune RA intervals
  – DHCPv6 gives more control
- SSIDs should be broadcast
  – how else can MN seamlessly associate with new AP?
  – any manual intervention affects HO times!
- The CN problem!
  – not mandated in IPv6 stacks!
  – thus non-optimised routing
Summary
- MIPv6 allows IPv6 hosts to be mobile without breaking applications
- Mobile Nodes can perform RO to avoid triangular routing problem
- RR test provides protection against 3rd party attacks
- Handover latencies do not support real-time services (yet)
- Further problems to be solved!

Questions?