Upload
medge-moore
View
35
Download
1
Tags:
Embed Size (px)
DESCRIPTION
CCM 4300 Lecture 8 Computer Networks: Wireless and Mobile Communication Systems Dr E. Ever School of Computing Science. Mobility and IP …… more information. Mobile Wireless Internet Forum • http://www.ipv6forum.com/ http://playground.sun.com/pub/ipng/html/ipng-main.html - PowerPoint PPT Presentation
Citation preview
1
CCM 4300 Lecture 8Computer Networks: Wireless and Mobile Communication
Systems
Dr E. EverSchool of Computing Science
2
Mobility and IP …… more information
Mobile Wireless Internet Forum
• http://www.ipv6forum.com/
http://playground.sun.com/pub/ipng/html/ipng-main.html
IPv6 work including mobility support
•"The 3G IP Multimedia Subsystem" by Gonzalo Camarillo and Miguel A. Garcia Martin (available in google books)
3
Facts about Mobile IP• More than 2 billion subscribers
•More than 70% of all digital mobile phones use GSM
•7.3 million people accesses the net via their mobile phones, during the second and third quarters of 2008. (BBC news channel)
•An increase of 25% compared to growth of juts 3% for the PC based net audience-(BBC news channel)
• IPv4 can do it all, it will be at a tremendous (unimaginable) cost and complexity
•Only IPv6 offers enough addresses •IPv6 offers features needed for mobile networking
•IPv6 utilises features to offer seamless roaming
•Network layer roaming enables cost reduction and improve deploy ability
4
Lesson objectives To acquire a basic understanding of the basics of Mobile IPv4 and IPv6, you will:
- Understand principles of network MIP and HMIP: HA, CN, MN, FN, HN, FA, binding updates, CoA, RCoA.Triangular ruleRoute optimisation Availability and access control.
-Security in MIPKey distribution
Home Agent (HA)
Correspondent Node (CN)
Mobile Node (MN)
Foreign Network(FN)
Home Network(HN)
Foreign Agent (FA)
Care-of Address (COA)
5
Mobile Network layer
• Mobile phone
• Mobile IP (Internet Protocol)
• Hand-off effects:
• addressing and routing
• operation of upper layer protocols
• Mobile IPv6
6
Why Mobile IP• Routing
– Both ends of TCP (connection) need to keep the same IP address for the life of the session (home address, end-end)
– change of physical subnet implies change of IP address to have a topological correct address (standard IP) or needs special entries in the routing tables (care-of-address, routing
• Specific routes to end-systems?– change of all routing table entries to forward
packets to the right destination– does not scale with the number of mobile hosts and
frequent changes in the location, security problems• Changing the IP-address?
– adjust the host IP address depending on the current location (managing a binding)
– almost impossible to find a mobile system, DNS updates take a long time (dynamic tunnel between CoA & HA)
– TCP connections break, security problems!!!!
7
Requirements for Mobile IP• Transparency
– mobile end-systems keep their IP address– continuation of communication after interruption of link
possible– point of connection to the fixed network can be changed
• Compatibility– support of the same layer 2 protocols as IP– no changes to current end-systems and routers required– mobile end-systems can communicate with fixed systems
• Security– authentication of all registration messages
• Efficiency and scalability– only little additional messages to the mobile system required
(connection typically via a low bandwidth radio link)– world-wide support of a large number of mobile systems in
the whole Internet
8
Mobile IP: TerminologyMobile Node (MN)
system (node) that can change the point of connection to the network without changing its IP address
Home Agent (HA)system in the home network of the MN, typically a router
registers the location of the MN, tunnels IP datagrams to the COA
Foreign Agent (FA)system in the current foreign network of the MN, typically a router
forwards the tunneled datagrams to the MN, typically the default router for the MN
Care-of Address (COA)address of the current tunnel end-point for the MN (at FA or MN)temporary IP address for a mobile deviceallows a home agent to forward messages to the mobile device. separate address is required because the IP address of the device that is used as host identification is topologically incorrect
actual location of the MN from an IP point of view, can be chosen, e.g., via DHCP
Correspondent Node (CN)communication partner
9
Key Question
How do mobile hosts maintain IP connectivity
when mobility is supported at layer 3?
Here we investigate two extensions to IPv4.
•As mobile computing devices increase in capability mobile communication becomes increasingly wide-spread.
THE BIG QUESTION IS: How can IP support mobile connectivity?
Mobile IP: An Overview
CN
routerHA
routerFA
Internet
router
1.
2.
3.home
networkMN
foreignnetwork
4.
CN
routerHA
routerFA
Internet
router
homenetwork
MN
foreignnetwork
COA
11
Mobile Phone network routingCall set-up
• MS emits beacon:
• IMSI/IMEI unique ID
• beacon heard by BTS
• BTS BSC MSC
• MSC:
• HLR
• VLR• updates HLR/VLR• if VLR updated, sends info
to home network for MS
• Network always knows location of MS
During call
• Hand-off:
• within area: BTS BTS
• between areas: BSC BSC, MSC informed of move to different area
• MSC MSC: updates to
HLR/VLR
• Call maintained during hand-off:
• only last-hop link
• Transparent to user:
• momentary signal loss(?)
IMSI: international mobile subscriber identity
IMEI: international mobile equipment identity
12
Data transfer to the mobile system
Internethome network
foreignnetwork
FA
HA
MN
receiver
1
2
3
sender
CN
1. Sender sends to the IP address of MN, HA intercepts packet2. HA tunnels packet to COA, here FA, by encapsulation3. FA forwards the packet to the MN
Triangular
13
foreignnetwork
home network
Data transfer from the mobile system
Internet
HA
MN
sender
receiver
CN
1. Sender sends to the IP address of the receiver as usual, FA works as default router
FA
1
14
Internet
sender
FA
HA
MN
home network
foreignnetwork
receiver
1
2
3
1. Sender sends to the IP address of MN, HA intercepts packet (proxy ARP)2. HA tunnels packet to COA, here FA, by encapsulation3. FA forwards the packet to the MN
CN
Mobile phone network routing
15
Mobile IP (1)• Need to support mobile users:
• Transparency:
• to upper layers
• to remote end-systems
• IPv4: IP address indicates
point of attachment to Network
• Movement of host means:
• new IPv4 address?
• update routing information?
• Mobile host (MH):
• home network (HN), home agent (HA)
• foreign network (FN),
foreign agent (FA)
• care-of-address (CoA)
• Communication:
• HA sends packets to CoA:
IP-in-IP encapsulation
• must reply to ARP for MH
• CoA:
• may be new IP address
• foreign agent
16
Mobile IP (2)1) MH arrives at FN, and locates FA (using agent advertisements from FA or by solicitation).
2) MH completes registration procedure with FA.
3) MH updates HA with its new CoA (i.e. the FA).4) Host A now tries to contact MH. Packets for MH are intercepted by HA
5) HA tunnels the packets from Host A to the CoA for MH (i.e. the FA)
6) The FA de-encapsulates the inner IP packet and transmits the packet locally to MH.
7) The packets from MH to Host A are sent directly from the FN.
17
Mobile IP (2)
HA
home network
Host A
remote network
FA
foreign network
Internet
MH 1
23
45
6
7
Data src = Host A
dst = MH
Data src = Host A
dst = MH
src = Host A
dst = MN
IP-in-IP encapsulation
Encapsulation
original IP headeroriginal data
new datanew IP header
outer headerinner headeroriginal data
19
Mobile IP (3)X Security:
• firewalls have to be (dynamically) configured
• authentication:
MH FN(?), FA HA(?)
MH HA
• end-to-end security?
X Hand-off between FAs or FA/HA:
• lost packets(?)
Transparent to non-mobile hosts
Does not break/change existing IP addressing and routing
Can be introduced into the network as required
Normal (unicast) routers do not need to be modified
X Asymmetric routing:
Packets flowing in i.e. TCP connections flow through different routes to different directions.
• could be inefficient
• QoS
• higher layer protocol operation (e.g. TCP)
20
Registration
t
MN HAregistrationrequest
registration
reply
t
MN FA HAregistrationrequest
registrationrequest
registration
reply
registration
reply
21
Handoffs: layer 2 versus Layer 3 Layer 2
• No global changes:
• only local last hop
• No routing at layer 2
• No global addressing
significance at layer 2
• Need to have same layer 2
technology across network
• Mobility within network:
• no hand-off between network technologies
Layer 3 • Global, end-system to end-system connectivity
• Addresses have global significance
• Change in layer 3 address is change to network
• Layer 3 address valid across different layer 2 technologies
• Mobility across networks:
• internetworking!
Register an FA only
Register a new IP
22
TCP behaviour (1)
Problems• Layer 2 cell hand-off:
• data loss /corruption (also due to high BER in general)
• no ACK for data
• TCP:
• no ACK slow start
• TCP has degraded performance
• High BER on wireless link (~10-3 - ~10-4 common):
• corrupt data requires end-to-end re-tx (use layer 2 FEC)
• Affects other transport-layer or application-layer protocols:
• real-time applications – errors and packet loss are harmful
23
TCP behaviour (2)Possible solutions• TCP SACK option: (selective acknowledgment)
• retransmission of missing “holes” in byte stream
• not always implemented
• Use ECN in IP: (explicit congestion notification)
• need to modify TCP interface and applications
• Link-local re-tx:
• on wireless hop
• need to hold TCP, e.g. at base station
• need re-tx protocol
• Soft hand-off at layer 2: (a cell phone is simultaneously connected to two or more cells during a call.)
• need to use CDMA, which has its own problems
Network integration Agent Advertisement
HA and FA periodically send advertisement messages into their physical subnets
MN listens to these messages and detects, if it is in the home or a foreign network (standard case for home network)
MN reads a COA from the FA advertisement messages Registration (always limited lifetime!)
MN signals COA to the HA via the FA, HA acknowledges via FA to MN
these actions have to be secured by authentication Advertisement
HA advertises the IP address of the MN (as for fixed systems), i.e. standard routing information
routers adjust their entries, these are stable for a longer time (HA responsible for a MN over a longer period of time)
packets to the MN are sent to the HA, independent of changes in COA/FA
Encapsulation I Encapsulation of one packet into another as payload
e.g. IPv6 in IPv4 (6Bone), Multicast in Unicast (Mbone) here: e.g. IP-in-IP-encapsulation, minimal encapsulation or GRE (Generic
Record Encapsulation) IP-in-IP-encapsulation (mandatory, RFC 2003)
tunnel between HA and COA
Encapsulation II Minimal encapsulation (optional)
avoids repetition of identical fields e.g. TTL, IHL, version, DS (RFC 2474, old:
TOS) only applicable for unfragmented packets,
no space left for fragment identification
Generic Routing Encapsulation
originalheader
original data
new datanew header
outer headerGRE
headeroriginal data
originalheader
Care-of address COAIP address of HA
TTLIP identification
GRE IP checksumflags fragment offset
lengthDS (TOS)ver. IHL
IP address of MNIP address of CN
TTLIP identification
lay. 4 prot. IP checksumflags fragment offset
lengthDS (TOS)ver. IHL
TCP/UDP/ ... payload
routing (optional)sequence number (optional)
key (optional)offset (optional)checksum (optional)
protocolrec. rsv. ver.CRK S s
RFC 1701
RFC 2784
reserved1 (=0)checksum (optional)protocolreserved0 ver.C
An example:
Optimisation of packet forwarding Triangular Routing
sender sends all packets via HA to MN higher latency and network load (for each RTT)
“Solutions” sender learns the current location of MN (give away your
position!) direct tunneling to this location HA informs a sender about the location of MN big security problems!
Change of FA packets on-the-fly during the change can be lost new FA informs old FA to avoid packet loss (chaining), old FA
now forwards remaining packets to new FA this information also enables the old FA to release resources for the MN
29
Change of the foreign agent with the optimized mobile IP
CN HA FAold FAnew MN
t
requestupdate
ACKdata data
MN changeslocationregistration
updateACKdata
data datawarning
update
ACKdata
data
registration
Direct tunneling is used. HA only provides information about FA
Change of foreign agent
CN HA FAold FAnew MN
MN changeslocation
t
Data Data DataUpdateACK
Data Data
RegistrationUpdateACK
Data Data DataWarningRequest
UpdateACK
Data Data
Reverse Tunneling (RFC 2344)
•Mobile Internet Protocol (IP) uses tunneling from the home agent to the mobile node's care-of address, but rarely in the reverse direction.
•Usually, a mobile node sends its packets through a router on the foreign network, and assumes that routing is independent of source address.
•When this assumption is not true (it is not feasible or desired to have the mobile node send datagrams directly to the internetwork using FA), it is convenient to establish a topologically correct reverse tunnel from the care-of address to the home agent.
32
Reverse tunneling:
Internet
receiver
FA
HA
MN
home network
foreignnetwork
sender
3
2
1
3. HA forwards the packet to the receiver (standard case)
CN
1. MN sends to FA
2. FA tunnels packets to HA by encapsulation
Reverse tunneling (RFC 3024, was: 2344)
Internet
receiver
FA
HA
MN
home network
foreignnetwork
sender
3
2
1
1. MN sends to FA2. FA tunnels packets to HA by encapsulation3. HA forwards the packet to the receiver (standard case)
CN
Mobile IP with reverse tunneling Router accept often only “topological correct“
addresses (firewall!) a packet from the MN encapsulated by the FA is now
topological correct furthermore multicast and TTL problems solved (TTL in the
home network correct, but MN is to far away from the receiver) Reverse tunneling does not solve
problems with firewalls, the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)
optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)
The standard is backwards compatible the extensions can be implemented easily and cooperate with
current implementations without these extensions Agent Advertisements can carry requests for reverse tunneling
Mobile IP and IPv6 Mobile IP was developed for IPv4, but IPv6 simplifies
the protocols security is integrated and not an add-on, authentication of
registration is included COA can be assigned via auto-configuration (DHCPv6 is one
candidate), every node has address auto configuration no need for a separate FA, all routers perform router
advertisement which can be used instead of the special agent advertisement; addresses are always co-located (any router can act like an FA)
MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimsation)
“soft“ hand-over, i.e. without packet loss, between two subnets is supported
MN sends the new COA to its old router the old router encapsulates all incoming packets for the MN and
forwards them to the new COA authentication is always granted
Once a MN moves into a foreign network, acquiring a new IP address - (CoA)
The MN is required to register this address with its HA via a binding update.
This binding update is issued over an IPSec tunnel, using an IPv6 security association, to protect its integrity and authenticity.
Mobile IP and IPv6 (2)
Advertisement from local router contains routing prefix•Seamless Roaming: MN always uses home address•Address configuration for care-of-address•Binding Updates sent to home agent & correspondent nodes (home address, care-of address, binding life time)•Mobile node ALWAYS ON by way of Home agent
Mobile IPv6 Protocol: an overview Home agent
Local router
Correspondent node
Correspondent node with binding
• Enough address (340 undecillion 1036 addresses)•Addresses in IPv6 are 128 bits long, compared to 32-bit addresses in IPv4.The very large IPv6 address space supports a total of 2128 (about 3.4×1038) addresses340,282,366,920,938,463,463,374,607,431,768,211,456In China alone, there are 8 million IPv4 addresses and 70+ million handsets •Enough security (almost, not quite!)
• KDC, symmetric key, managing 10 million security associates, authentication header, security payload
•Address Autoconfiguration • Movement detection, Monitoring advertisement
•Route Optimisation (binding updates part of IPv6)•Destination Options (binding updates and acks) no reg and reg reply
Mobile IPv6 Design Points (why?)
•Seamless Mobility • Paging, context transfer, micro-mobility (localised
binding management)•Robust Header Compression
• Reducing 40/60 bytes of header overhead to 2-3 byte
•Authentication, Authorisation, and Accounting (AAA)•Smooth handover == low loss•Fast handover == low delay (approx 30 ms)•Seamless handover == smooth and fast
Other relevant issues with IP
•Scenario I: mobile sends special Router Solicitation (RS)
• Previous Access Router replies with proxy Router Advert (RA)
• Previous Access Router sends Handover Initiate (HI)• New Access Router sends Handover Acknowledge
(HACK)
• kjhasj
Mobile-controlled seamless handover
RS
RA
HI
HAck
•Previous access router sends Proxy Router Advertisement on behalf of the new access router – contains prefix and lifetime information …•Previous access router sends Handover Initiate message to new access router•Mobile node May finalise context transfer at new access router
Network Controlled Handover
Proxy router adv
HI
HAck
Problems with mobile IP Security
authentication with FA problematic, for the FA typically belongs to another organisation
no protocol for key management and key distribution has been standardised in the Internet
patent and export restrictions Firewalls
typically mobile IP cannot be used together with firewalls, special set-ups are needed (such as reverse tunneling)
QoS many new reservations in case of RSVP tunneling makes it hard to give a flow of packets a special
treatment needed for the QoS Security, firewalls, QoS etc. are topics of current research and
discussions!
RSVP (Resource reSerVation Protocol)
Security in Mobile IP Security requirements (Security Architecture for the
Internet Protocol, RFC 1825) Integrity: any changes to data between sender and
receiver can be detected by the receiver Authentication: sender address is really the address
of the sender and all data received is really data sent by this sender
Confidentiality: only sender and receiver can read the data
Non-Repudiation: sender cannot deny sending of data Traffic Analysis: creation of traffic and user profiles
should not be possible Replay Protection: receivers can detect replay of
messages
not encrypted encrypted
IP security architecture I Two or more partners have to negotiate
security mechanisms to setup a security association typically, all partners choose the same
parameters and mechanisms Two headers have been defined for
securing IP packets: Authentication-Header
guarantees integrity and authenticity of IP packets if asymmetric encryption schemes (Public, Private
Keys) are used, non-repudiation can also be guaranteed
Encapsulation Security Payload protects confidentiality between communication
partners
Authentification-HeaderIP-Header UDP/TCP-Paketauthentication headerIP header UDP/TCP data
ESP headerIP header encrypted data
Mobile Security Association for registrations parameters for the mobile host (MH), home agent
(HA), and foreign agent (FA) Extensions of the IP security architecture
extended authentication of registration
prevention of replays of registrations time stamps: 32 bit time stamps + 32 bit random number Nonces (number for once pseudo random number): 32 bit
random number (MH) + 32 bit random number (HA)
registration reply
registration requestregistration request
IP security architecture II
MH FA HAregistration reply
MH-HA authenticationMH-FA authentication FA-HA authentication
Key distribution
Home agent distributes session keys
foreign agent has a security association with the home agent
mobile host registers a new binding at the home agent
home agent answers with a new session key for foreign agent and mobile node
FA MH
HA
response:EHA-FA {session key}EHA-MH {session key}
IP Micro-mobility support Micro-mobility support (Change FA):
Efficient local handover inside a foreign domainwithout involving a home agent
Reduces control traffic on backbone Especially needed in case of route optimisation
Example approaches: Cellular IP HAWAII Hierarchical Mobile IP (HMIP)
Important criteria: Security Efficiency, Scalability, Transparency, Manageability
48
Support for Mobility in IPv6 • Route optimisation:
• send CoA to remote end-system
• Security:
• authentication and privacy
• Stateless address auto-configuration:
• find an address (CoA) for use at the FN
• Neighbour discovery:
• find default router
• No FA required to support mobility:
• MH takes care of home
address and foreign address
• Need dynamic DNS update support
Cellular IP (CIP) Operation:
“CIP Nodes“ maintain routing entries (soft state) for MNs
Multiple entries possible Routing entries updated
based on packets sent by MN CIP Gateway:
Mobile IP tunnel endpoint Initial registration processing
Security provisions: all CIP Nodes share
„network key“ MN key: MD5(net key, IP addr) MN gets key upon registration
CIP Gateway
Internet
BS
MN1
data/controlpackets
from MN 1
Mobile IP
BSBS
MN2
packets fromMN2 to MN 1
Cellular IP: Security Advantages:
Initial registration involves authentication of MNsand is processed centrally by CIP Gateway
All control messages by MNs are authenticated Replay-protection (using timestamps)
Potential problems: MNs can directly influence routing entries Network key known to many entities
(increases risk of compromise) No re-keying mechanisms for network key No choice of algorithm (always MD5, prefix+suffix mode) Message-Digest algorithm 5 is a widely used cryptographic hash function
Cellular IP: Other issues Advantages:
Simple and elegant architecture Mostly self-configuring (little management needed) Integration with firewalls / private address support
possible
Potential problems: Not transparent to MNs (additional control messages) Public-key encryption of MN keys may be a problem
for resource-constrained MNs Multiple-path forwarding may cause inefficient use of
available bandwidth
HAWAII
Operation: MN obtains co-located COA
and registers with HA Handover: MN keeps COA,
new BS answers Reg. Requestand updates routers
MN views BS as foreign agent Security provisions:
MN-FA authentication mandatory
Challenge/Response Extensions mandatory
BS
12
BackboneRouter
Internet
BS
MN
BS
MN
CrossoverRouter
DHCPServer
HA
DHCP
Mobile IP
Mobile IP
1
2
3
4
HAWAII: Security Advantages:
Mutual authentication and Challenge/Response extensions mandatory
Only infrastructure components can influence routing entries Potential problems:
Co-located COA raises DHCP security issues(DHCP has no strong authentication)
Decentralised security-critical functionality(Mobile IP registration processing during handover)in base stations (BS)
Authentication of HAWAII protocol messages unspecified(potential attackers: stationary nodes in foreign network)
MN authentication requires PKI or AAA infrastructure
PKI: Public Key InfrastructureAAA: authentication, authorization and accounting
HAWAII: Other issues Advantages:
Mostly transparent to MNs(MN sends/receives standard Mobile IP messages)
Explicit support for dynamically assigned home addresses
Potential problems: Mixture of co-located COA and FA concepts may not be
supported by some MN implementations
No private address support possiblebecause of co-located COA
Hierarchical Mobile IPv6 (HMIPv6) Operation:
Network contains mobility anchor point (MAP)
mapping of regional COA (RCOA) to link COA (LCOA)
Upon handover, MN informsMAP only
gets new LCOA, keeps RCOA HA is only contacted if MAP
changes Security provisions:
no Hierarchical Mobile IPv6 -specific security provisions
binding updates should be authenticated
MAP
Internet
AR
MN
AR
MN
HA
bindingupdate
RCOA
LCOAoldLCOAnew
Problem: how to reduce latency due to signalling Agent
Solution: localise signalling to visited Domain
How, "method": Regional Registration/Regional Binding Update
Hierarchical Mobility Agents
Hierarchical Mobile IP: Security Advantages:
Local COAs can be hidden,which provides some location privacy
Direct routing between CNs sharing the same link is possible (but might be dangerous)
Potential problems: Decentralised security-critical functionality
(handover processing) in mobility anchor points MNs can (must!) directly influence routing entries
via binding updates (authentication necessary)
Hierarchical Mobile IP: Other issues Advantages:
Handover requires minimum number of overall changes to routing tables
Integration with firewalls / private address support possible
Potential problems: Not transparent to MNs
Handover efficiency in wireless mobile scenarios: Complex MN operations
All routing reconfiguration messages sent over wireless link
Other features (for IPv6 or seamless h/o)
• integration of Regional Registration with GPRS•Header compression•Buffer management•UDP Lite•AAA HLR adaptation layer•Challenge generation (optionally from HLR)•Privacy considerations•QoS handover•Smooth handover mechanisms for keys