Spring 2004
Mobile IP
School of Electronics and Information, Kyung Hee University
Choong Seon HONG, cshong@khu.ac.kr
http://networking.khu.ac.kr
Introduction
The most fundamental obstacle to host mobility is the way the Internet Protocol, the protocol that connects the networks of today's Internet, routes packets to their destinations according to IP addresses.
These addresses are associated with a fixed network location, much as a non-mobile phone number is associated with a physical jack in a wall.
When the packet's destination is a mobile node, each new point of attachment made by the node is associated with a new network number and, hence, a new IP address, making transparent mobility impossible.
Background
Problems with legacy IP routing
• cannot route to hosts that migrate
• loss of TCP connections if the IP address changes
Goal: move between different networks without changing the host IP address, which calls for a new IP protocol
• IP Mobility Support for IPv4 (RFC 3344)
• Requirements of a Quality of Service (QoS) Solution for Mobile IP (RFC 3583)
• Mobile IP Security
Mobile IPv4
IETF Base Mobile IP (1)
RFC 3344
• allows IP hosts to move between different networks without changing their IP addresses, so that transport-layer sessions survive the move (IP mobility)
• uses two IP addresses: a home address and a care-of address (COA)
Two IP Addresses
Mobile IP has been designed to solve this problem by allowing the mobile node to use two IP addresses.
In Mobile IP, the home address is static and is used, for instance, to identify TCP connections.
The care-of address changes at each new point of attachment and can be thought of as the mobile node's topologically significant address.
Entities
Mobile Node (MN): a host or router that changes its point of attachment from one network or subnetwork to another.
Home Agent (HA): a router on a mobile node's home network that tunnels datagrams for delivery to the mobile node when it is away from home, and maintains current location information for the mobile node.
Foreign Agent (FA): a router on a mobile node's visited network that provides routing services to the mobile node while it is registered, and detunnels and delivers datagrams to the mobile node.
Figure: Mobile IP entities (MN, FA, HA and CN connected through the network).
Terminology (1)
Home Address: an IP address that is assigned for an extended period of time to a mobile node. It remains unchanged regardless of where the node is attached to the Internet.
Care-of Address (COA): the termination point of a tunnel toward a mobile node
• "foreign agent care-of address": an address of a foreign agent with which the mobile node is registered
• "co-located care-of address": an externally obtained local address (such as one obtained via DHCP)
• Applications use the home address, and lower-layer software uses the care-of address to receive the datagram itself
Correspondent Node (CN): a peer with which a mobile node is communicating.
Terminology (2)
Home Network (HN): a network having a network prefix matching that of a mobile node's home address.
Foreign Network (FN): any network other than the mobile node's home network.
Agent Advertisement: an advertisement message constructed by attaching a special extension to a router advertisement message.
Visitor List: the list of mobile nodes visiting a foreign agent.
Mobile IP Operation
1. Agent Discovery
2. Registering the Care-of address
3. Tunneling to the Care-of address
Agent Discovery
Agent Advertisements
• use the Router Advertisement specified in RFC 1256
• simply extend the Router Advertisement with an extension that carries the mobility functions
• carry information about default routers and the COA
HA and FA typically broadcast an Agent Advertisement message at regular intervals
From the advertisement the MN can tell whether the agent is a HA or a FA, and therefore whether it is on its HN or on a FN
The MN obtains a COA while it is away from its HN
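An added example, not part of the original slides, of what an MN does with an Agent Advertisement: it builds a constructed ICMP Router Advertisement (RFC 1256) carrying the RFC 3344 Mobility Agent Advertisement Extension (type 16), verifies the ICMP checksum, walks the extensions and reads the H and F flags and the advertised care-of addresses. Addresses in the sample come from the documentation ranges (192.0.2.0/24); the checksum is assumed to cover the whole ICMP message including the extension, which is how the ICMP checksum is defined.

```python
import struct
from ipaddress import IPv4Address

ICMP_ROUTER_ADVERTISEMENT = 9      # RFC 1256 ICMP type
MOBILITY_AGENT_ADV_EXT = 16        # RFC 3344 section 2.1.1 extension type
# Flag bits of the Mobility Agent Advertisement Extension (R B H F M G r T)
FLAG_R, FLAG_B, FLAG_H, FLAG_F = 0x80, 0x40, 0x20, 0x10
FLAG_M, FLAG_G, FLAG_r, FLAG_T = 0x08, 0x04, 0x02, 0x01


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_agent_advertisement(router_addr, seq, reg_lifetime, flags, care_of_addrs):
    """Constructed sample: an ICMP Router Advertisement with the mobility extension appended."""
    # RFC 1256 fields: type, code, checksum (0 for now), num addrs, entry size (2 words), lifetime
    msg = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, 1, 2, 1800)
    msg += IPv4Address(router_addr).packed + struct.pack("!I", 0)  # router address, preference
    # Extension: type, length = 6 + 4*N, sequence number, registration lifetime, flags, reserved
    msg += struct.pack("!BBHHBB", MOBILITY_AGENT_ADV_EXT, 6 + 4 * len(care_of_addrs),
                       seq, reg_lifetime, flags, 0)
    for coa in care_of_addrs:
        msg += IPv4Address(coa).packed
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_agent_advertisement(msg: bytes) -> dict:
    """What the MN learns: whether the sender is an HA or FA and which care-of addresses it offers."""
    if len(msg) < 8 or msg[0] != ICMP_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMP Router Advertisement")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    num_addrs, entry_size, _lifetime = struct.unpack("!BBH", msg[4:8])
    entry = entry_size * 4                      # entry size is given in 32-bit words
    off = 8 + num_addrs * entry
    if off > len(msg):
        raise ValueError("truncated router address list")
    info = {"routers": [str(IPv4Address(msg[8 + i * entry:12 + i * entry])) for i in range(num_addrs)],
            "home_agent": False, "foreign_agent": False, "care_of": []}
    # Extensions follow the router entries in the RFC 3344 type/length/data form
    while off < len(msg):
        ext_type = msg[off]
        if ext_type == 0:                       # one-byte padding extension, no length field
            off += 1
            continue
        if off + 2 > len(msg):
            raise ValueError("truncated extension header")
        ext_len = msg[off + 1]
        data = msg[off + 2:off + 2 + ext_len]
        if len(data) != ext_len:
            raise ValueError("extension length exceeds message")
        if ext_type == MOBILITY_AGENT_ADV_EXT:
            if ext_len < 6 or (ext_len - 6) % 4:
                raise ValueError("malformed Mobility Agent Advertisement Extension")
            seq, reg_lifetime, flags, _reserved = struct.unpack("!HHBB", data[:6])
            info.update(sequence=seq, registration_lifetime=reg_lifetime,
                        registration_required=bool(flags & FLAG_R), busy=bool(flags & FLAG_B),
                        home_agent=bool(flags & FLAG_H), foreign_agent=bool(flags & FLAG_F))
            info["care_of"] = [str(IPv4Address(data[6 + 4 * i:10 + 4 * i]))
                               for i in range((ext_len - 6) // 4)]
        off += 2 + ext_len
    return info


def where_am_i(info: dict) -> str:
    """The MN's decision after discovery (a real MN also compares the HA against its home prefix)."""
    if info["foreign_agent"]:
        coa = info["care_of"][0] if info["care_of"] else "none"
        return "foreign network, care-of address %s" % coa
    if info["home_agent"]:
        return "home network"
    return "plain router, no mobility agent"
```

The length checks matter on the receiving side: an advertisement arrives unauthenticated over the link, so the MN must never index past the datagram on the strength of a length byte it has not checked.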
Registering the COA (1)
Once a MN has a COA, it sends a registration request carrying that COA to its HA.
When the HA receives the request, it adds the necessary information to its routing table (the mobility binding), approves the request and sends a registration reply.
Figure: Mobile IP registration process. The FA advertises service; the MN requests service; the FA relays the request to the HA; the HA accepts or denies; the FA relays the status to the MN.
Registering the COA (2)
Registration procedure
1. Agent advertisement message
2. Registration request
3. Registration request message relay
4. Registration reply
5. Registration reply message relay
Tunneling to the Care-of address (1)
Figure: data transmission in Mobile IP, showing the CN, the HA, the FA and the MN.
Tunneling to the Care-of address (2)
Encapsulated datagram on the HA to FA tunnel (X is the correspondent, MH the mobile host, and "?" stands for whatever upper-layer protocol the original datagram carries):
Original datagram, as sent by X:          Src X | Dest MH | Proto ? | Payload
Encapsulated by the HA:                   Src HA | Dest COA | Proto 4 or 55 | [ Src X | Dest MH | Proto ? | Payload ]
After the FA decapsulates and delivers:   Src X | Dest MH | Proto ? | Payload
Outer protocol 4 is IP-in-IP encapsulation (RFC 2003), which every HA and FA must support; 55 is minimal encapsulation (RFC 2004), which is optional.
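An added example, not from the original slides, of the tunnel in the table above using IP-in-IP (protocol 4): the HA wraps the correspondent's datagram in an outer IPv4 header addressed from the HA to the COA, and the FA validates the outer header, strips it and delivers the inner datagram only if its destination is on the FA's visitor list. The addresses, the sample payload and the visitor list are constructed for the example; headers are built without options.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4          # IP-in-IP encapsulation, RFC 2003 (the "4" in the slide's outer header)
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header; 0 means the header verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(dgram: bytes) -> dict:
    """Check version, IHL, total length and header checksum; return addressing, protocol and payload."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", dgram[2:4])[0]
    if ihl < 20 or total_len < ihl or len(dgram) < total_len:
        raise ValueError("bad IPv4 lengths")
    if ipv4_checksum(dgram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(dgram[12:16])), "dst": str(IPv4Address(dgram[16:20])),
            "proto": dgram[9], "payload": dgram[ihl:total_len]}


def ha_encapsulate(dgram: bytes, ha_addr: str, care_of: str) -> bytes:
    """The HA intercepts a datagram for the MN's home address and tunnels it to the COA."""
    return ipv4_header(ha_addr, care_of, IPPROTO_IPIP, len(dgram)) + dgram


def fa_decapsulate(tunneled: bytes, fa_care_of: str, visitor_list: set) -> dict:
    """The FA strips the outer header and delivers the inner datagram only to a registered visitor."""
    outer = parse_ipv4(tunneled)
    if outer["dst"] != fa_care_of:
        raise ValueError("tunnel endpoint is not this FA's care-of address")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("unexpected encapsulation protocol %d" % outer["proto"])
    inner = parse_ipv4(outer["payload"])
    if inner["dst"] not in visitor_list:
        # No binding for this home address: the FA must not forward it onto the visited link
        raise ValueError("inner destination %s is not a registered visitor" % inner["dst"])
    return inner
```

The visitor-list check is the practical point: a decapsulator that forwards whatever arrives inside protocol 4 becomes an open relay onto the visited network, so the FA ties delivery to the registrations it actually holds.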
A Security in Mobile IP Registration Protocol (1)
The current base Mobile IP protocol relies on a secret key with manual key distribution
Problems with using a secret key
• Scalability problem in key management, which will become a major hindrance to wide-scale deployment
• Replay attack (by an illegitimate MN or HA)
• Denial of service (by an illegitimate FA)
A Security in Mobile IP Registration Protocol (2)
Figure: three Request / Reply, Result exchanges between MN, FA and HA: the normal Mobile IP registration protocol, a replay attack and a denial of service; the legend distinguishes normal entities from the attacker.
A Security in Mobile IP Registration Protocol (3)
Replay attack processing
1. The attacker obtains a valid request message and its corresponding reply.
2. Some time later, the attacker spoofs the MN and replays the recorded request to the FA.
3. The attacker spoofs the HA and sends the corresponding recorded reply to the FA.
The FA does not hold the MN-HA key, so it cannot verify the Mobile-Home authenticator; without a freshness check it cannot distinguish the recording from a live exchange.
The result of this attack is that the FA still believes the registration is valid.
The attacker's bogus MN can get a connection through the FA and enjoy resources on the foreign network for free.
A Security in Mobile IP Registration Protocol (4)
Preventing replay attacks on registration
Using timestamps
• MN and HA each include their estimated current time of day in the request and reply
• Problem: the clocks of MN and HA must be synchronized; a request whose timestamp falls outside the HA's window is rejected
Using nonces
• MN includes a new pseudo-random number as a nonce in every request to the HA and requires the HA to return this same nonce in its reply
• RFC 3344 pairs it with a nonce chosen by the HA, which the MN must echo in its next request
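An added example, not from the original slides, covering both the replay attack on slide (3) and the two countermeasures on slide (4): it builds an RFC 3344 Registration Request with a Mobile-Home Authentication Extension (HMAC-MD5 over the request, the RFC 3344 default) and a home agent that first checks the authenticator and then the 64-bit Identification field, either as an NTP timestamp that must lie within a window and exceed the last accepted value, or as a nonce pair whose high half must match the nonce the HA last issued. The shared key, the SPI, the addresses and the window of 7 seconds are constructed for the example; the attacker's replay is simply the recorded request submitted again.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

REG_REQUEST = 1
MH_AUTH_EXT = 32                 # Mobile-Home Authentication Extension (RFC 3344 3.5.2)
AUTH_LEN = 16                    # HMAC-MD5 authenticator, the RFC 3344 default algorithm
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01; Identification uses NTP time
FIXED_LEN = 24                   # type, flags, lifetime, home addr, HA addr, COA, identification
ACCEPTED, FAILED_AUTH, ID_MISMATCH, POORLY_FORMED = 0, 131, 133, 134   # RFC 3344 reply codes


def timestamp_identification(unix_now: float) -> int:
    """Timestamp style: NTP seconds in the high 32 bits (fraction left zero for brevity)."""
    return (int(unix_now) + NTP_EPOCH_OFFSET) << 32


def nonce_identification(ha_nonce: int, mn_nonce: int) -> int:
    """Nonce style: the HA's nonce in the high 32 bits, the MN's fresh nonce in the low 32 bits."""
    return (ha_nonce << 32) | mn_nonce


def build_request(home, ha, coa, lifetime, identification, spi, key) -> bytes:
    """What the MN sends (via the FA): fixed part, then the authentication extension."""
    body = struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime, IPv4Address(home).packed,
                       IPv4Address(ha).packed, IPv4Address(coa).packed, identification)
    ext_head = struct.pack("!BBI", MH_AUTH_EXT, 4 + AUTH_LEN, spi)
    # The authenticator covers the request up to and including this extension's type, length and SPI
    return body + ext_head + hmac.new(key, body + ext_head, hashlib.md5).digest()


class HomeAgent:
    def __init__(self, keys, style="timestamp", window=7):
        self.keys = keys            # (home address, SPI) -> manually distributed shared secret
        self.style, self.window = style, window
        self.last_ident = {}        # home address -> greatest timestamp Identification accepted
        self.nonces = {}            # home address -> HA nonce expected in the next request
        self.bindings = {}          # home address -> (care-of address, lifetime)

    def issue_nonce(self, home: str) -> int:
        """Pick the nonce the MN must echo in the high 32 bits of its next Identification."""
        new = int.from_bytes(os.urandom(4), "big")
        while new == self.nonces.get(home):
            new = int.from_bytes(os.urandom(4), "big")
        self.nonces[home] = new
        return new

    def process(self, req: bytes, unix_now: float) -> int:
        if len(req) < FIXED_LEN or req[0] != REG_REQUEST:
            return POORLY_FORMED
        _t, _flags, lifetime, home, _ha, coa, ident = struct.unpack("!BBH4s4s4sQ", req[:FIXED_LEN])
        home, coa = str(IPv4Address(home)), str(IPv4Address(coa))
        off = FIXED_LEN                      # walk the extensions to the Mobile-Home auth extension
        while off + 2 <= len(req) and req[off] != MH_AUTH_EXT:
            off += 1 if req[off] == 0 else 2 + req[off + 1]
        if off + 6 + AUTH_LEN > len(req):
            return POORLY_FORMED
        spi = struct.unpack("!I", req[off + 2:off + 6])[0]
        key = self.keys.get((home, spi))
        if key is None:
            return FAILED_AUTH
        expected = hmac.new(key, req[:off + 6], hashlib.md5).digest()
        if not hmac.compare_digest(expected, req[off + 6:off + 6 + AUTH_LEN]):
            return FAILED_AUTH               # forged or tampered request
        if self.style == "timestamp":
            secs = ident >> 32
            if abs(secs - (int(unix_now) + NTP_EPOCH_OFFSET)) > self.window:
                return ID_MISMATCH           # clocks out of sync, or a stale recording
            if ident <= self.last_ident.get(home, -1):
                return ID_MISMATCH           # replay of an already accepted request
            self.last_ident[home] = ident
        else:
            if ident >> 32 != self.nonces.get(home):
                return ID_MISMATCH           # replay carries a nonce the HA has already consumed
            self.issue_nonce(home)           # the fresh nonce goes back to the MN in the reply
        self.bindings[home] = (coa, lifetime)
        return ACCEPTED
```

The ordering inside `process` is deliberate: the authenticator is checked before the Identification field, so an attacker without the key cannot probe the HA's clock or nonce state, and the replay cache is only updated for requests that authenticated.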
A Security in Mobile IP Registration Protocol (5)
Public key based authentication (proposed by Jacobs in 1998)
• uses public key cryptography
• provides scalability and non-repudiation
Drawbacks of Jacobs' proposal
• the MN is normally limited in its computing power
• low bandwidth for fetching the current CRL (Certificate Revocation List)
• the MN requires additional hardware or software that adds complexity to its system
A Security in Mobile IP Registration Protocol (6)
An alternative to Jacobs' proposal: hybrid cryptography
• secret key cryptography at the MN
• public key cryptography at the HA and FA
Each entity generates its certificate in order to authenticate the others
Requires the construction of an M-PKI (Mobile Public Key Infrastructure)
Performance Problems in Mobile IP
Mobile IP's tunneling scheme creates triangle routing
• Mobile IP route optimization
Overhead (every registration goes back to the HA, even for a move within one domain)
• use a VHA (regional agent)
• Hierarchical Local Registration Mobile IP (HLRM-IP)
Figures: data latency of Mobile IP (an HA serving several FAs and MNs across the network); triangle routing (CN to HA to FA to MN, while the MN replies to the CN directly).
Mobile IP Route Optimization
Mobile IP route Optimization (1)
The CN has a binding cache that holds the binding (home address to COA) for the MN
With the binding cached, the CN can deliver packets directly to the MN without any assistance from the HA
Mobile IP route Optimization (2)
Figure: route optimization, steps ① to ⑤. The HA sends a Binding update message to the CN; the CN then tunnels directly to the FA instead of via the HA.
Current Issues for Mobile IPv4
Low latency handoffs in Mobile IPv4: draft-ietf-mobileip-lowlatency-handoffs-v4-08.txt
Security issues
• Mobile IPv4 traversal across IPsec-based VPN gateways: draft-ietf-mobileip-vpn-problem-solution-03
• Mobile IPv4 extension for carrying Network Access Identifiers: draft-ietf-mip4-aaa-nai-02.txt
• AAA registration keys for Mobile IPv4: draft-ietf-mip4-aaa-key-03.txt
Mobile IPv4 dynamic home agent assignment: draft-ietf-mip4-dynamic-assignment-00.txt
Mobile IP using VHA
Mobile IP Using VHA (1)
Providing a Virtual Home Agent (VHA) to reduce overhead and latency
Clustering several networks into an administrative domain and placing a VHA in each domain
Mobile IP Using VHA (2)
Figure: the configuration of VHAs. Domains A, B and C each have a VHA fronting three FAs; the HA and the CN sit outside the domains.
Mobile IP Using VHA (3)
The MN detects a change of attachment point through the Agent Advertisement messages broadcast periodically by the FA
The FA appends a Domain registration extension to the Agent Advertisement message to declare the router information (FA) and identify the domain (VHA)
The MN checks the extension to determine whether or not the movement is a handoff within the domain
Mobile IP Using VHA (4)
Figure: registration process using VHA, steps 1 to 6 between the MN, FA1 to FA3 and the VHA of Domain A, and the HA.
Mobile IP Using VHA (5)
Figure: local handoff, steps 1 to 4 between the MN, FA1 to FA3 and the VHA within Domain A; the HA is not involved.