Lecture6 Notes 4up(1)


  • 7/30/2019 Lecture6 Notes 4up(1)

    1/21

    32118 Mobile Communications and Computing

    Lecture 6

    Lecturer: Dr. Daniel R. Franklin

    Notes originally by Doan Hoang

    32118 Mobile Communications and Computing Lecture 6 p. 1


    This Week's Lecture

    Radio-Frequency Identification (RFID)

    Mobility in IP networks - Mobile IP and VPNs


    Radio Frequency ID

    RFID is an extremely compact, asymmetric, low-power, low-data-rate communications technology with a multitude of industrial and commercial applications:

    Tracking pallets or cases of product

    Vehicle identification, tracking and tolling

    Tracking company assets or personnel

    Security tags in stores for high-value products

    Routing of luggage through transport systems

    Authentication tokens (ID) for people, livestock, or pets


    RFID Tag Types

    Two types of RFID tags are available: active and passive

    Active:

    The tag transmits a radio signal

    Battery powered memory, radio & circuitry

    Long read range (max 1 km)

    Passive:

    Tag reflects radio signal from reader

    Memory is non-volatile

    Reader powered

    Shorter read range (10 cm - 5 m)


    RFID Characteristics

    Source: Scientific American

    Tags can be read-only or read-write

    Tag memory can be factory or field programmed

    Bytes left unlocked can be rewritten more than 100000 times


    RFID Operation

    1. Reader issues commands

    2. Carrier signal generated by the reader

    3. Carrier signal sent out through the antennas via RF signal

    4. Carrier signal hits tag(s)

    5. Tag receives and modifies carrier signal - it sends back a modulated signal

    6. Antennas receive the modulated signal and send them to the Reader

    7. Reader decodes the data - results returned to the host application


    Internet Protocol (IP)

    So far we have talked about a number of different physical layer technologies and medium access control protocols.

    These are perfectly fine for delivering data from one station within a given type of network to another station on the same network

    What happens when we want to transfer data between two different networks?

    What if they are not directly connected? How do we find a route between the stations?

    What if they use totally different technologies (e.g. Ethernet and GPRS, or WiFi and Bluetooth)?


    The Protocol Stack

    The problem of interconnecting different networks is the responsibility of the network layer of the OSI or IP protocol stack.

    The network layer builds on the functionality of the physical and MAC layers, providing an (unreliable) end-to-end service.

    If reliability is required, an additional transport layer (generally either TCP or UDP) is added on top.


    The Protocol Stack

    Each successive layer means the addition of another set of headers INSIDE the payload of the previous:

    A MAC-layer frame's payload is an IP datagram;

    An IP datagram's payload is part or all of a TCP segment or UDP datagram;

    The TCP segment or UDP datagram's payload is the application's actual data!


    The Protocol Stack

    Figure: the OSI layer stack alongside the IP protocol stack, and the encapsulation performed at each layer.

    Application   e.g. HTTP, SMTP, SSH, Skype, NFS, Jabber, FTP etc.
    Presentation
    Session
    Transport     TCP, UDP
    Network       Internet Protocol
    Data Link     e.g. 802.11, Ethernet, Bluetooth
    Physical      bits

    Outgoing construction / incoming reduction: the application data (AH + Data) is wrapped in turn by the presentation (PH), session (SH), transport (TH) and network (NH) headers; the data link layer adds a header (DH) and trailer (DT) around the data unit, and the physical layer carries the result as bits.


    The Protocol Stack

    It is important to realise that as an IP datagram traverses the Internet, its source and destination IP addresses will remain the same across each hop

    However, the source and destination MAC layer addresses are only meaningful within each individual network - and they change as the IP datagram is transferred from one network to another.

    Depending on the supported payload sizes in each different network, an IP datagram may end up being fragmented as it passes through the network; it will be reassembled when it arrives at its destination


    Notes: Actually there is an exception to the second-last point; if network address translation is being used, the source and/or destination IP address may be rewritten by a router. This is an increasingly common occurrence - your home network router is almost certainly doing this. If you want to know more about this, ask your lecturer or read about NAT online :-)


    Internet Protocol

    IP solves the problem of global trans-network communications by structuring the payload of a MAC-layer packet in such a way that it can find a path through different networks

    A station A that supports IP (everything these days!) must have at least one IP address, which may be permanent (static) or temporary (dynamic).

    An IPv4 address is 32 bits long, normally written as four 8-bit numbers (e.g. 138.25.47.163) - and it is globally unique.

    If it wishes to talk to another host somewhere on the Internet, it firstly needs to know the destination address B

    Notes: Actually there are certain IP addresses which are not globally unique - special ranges which are reserved for private IP addresses. It is also possible for a host to have multiple IP addresses, or for multiple hosts to share one IP address (e.g. for load balancing) - however these are rather specialised use cases! Some special addresses are also reserved for multicast communication.

    IPv6 addresses are much larger - 128 bits. This is needed because the IPv4 address space only supports about 4 billion addresses... which have now been exhausted. There are some techniques (NAT) which allow networks to do more with the limited pool of IP addresses, but the ultimate solution is IPv6.

    Internet Protocol

    It also needs to know its own network mask, which it can use to determine whether the destination address is local (i.e. on the same network as A) or remote (in a different network). This is a simple mathematical operation - bitwise AND.

    The netmask is also 32 bits, with a certain number of the high-order bits set to one (and the rest equal to zero). This can be written as /N (e.g. /23, which is 11111111 11111111 11111110 00000000 or 255.255.254.0).

    If we calculate the bitwise AND between my IP address and the netmask we have my local network address or prefix


    Internet Protocol

    Example:

    IP      10001010 00011001 00101111 10100011 (138.25.47.163) AND

    Netmask 11111111 11111111 11111110 00000000 (255.255.254.0) =

    Prefix  10001010 00011001 00101110 00000000 (138.25.46.0)

    If the results are the same when we do this to the source and destination IP address, the destination is local; otherwise it is remote.
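    The prefix calculation above, as an added Python example (not from the lecture notes) that also applies the local/remote test to other destination addresses; the addresses and the /23 mask are the slide's, the function names are my own:

```python
import ipaddress  # standard library, used only for dotted-quad parsing/printing


def netmask_from_prefix_len(n: int) -> int:
    """Return the 32-bit netmask whose n high-order bits are 1 and the rest 0."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF


def to_binary_groups(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, as on the slide."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def network_prefix(addr: str, prefix_len: int) -> str:
    """Bitwise AND of an address with its netmask gives the local network prefix."""
    ip = int(ipaddress.IPv4Address(addr))
    return to_dotted(ip & netmask_from_prefix_len(prefix_len))


def is_local(my_addr: str, dst_addr: str, prefix_len: int) -> bool:
    """The destination is local iff both addresses AND to the same prefix;
    otherwise the datagram has to go via the default gateway."""
    return network_prefix(my_addr, prefix_len) == network_prefix(dst_addr, prefix_len)


if __name__ == "__main__":
    mask = netmask_from_prefix_len(23)
    print("IP      ", to_binary_groups(int(ipaddress.IPv4Address("138.25.47.163"))))
    print("Netmask ", to_binary_groups(mask), f"({to_dotted(mask)})")
    print("Prefix  ", network_prefix("138.25.47.163", 23))
    # Constructed destinations: one inside the /23, one just outside it.
    for dst in ("138.25.46.10", "138.25.48.1"):
        print(dst, "is", "local" if is_local("138.25.47.163", dst, 23) else "remote")
```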


    Internet Protocol

    Local: the packet is delivered locally by determining the MAC address associated with the destination IP address, encapsulating the IP datagram in a MAC-layer frame and forwarding it to the destination. The IP datagram is then removed and processed by the destination host.

    Remote: the packet is instead sent to a special host on the network called a router - typically there is just one on each network, known as the default gateway. The process is very similar to a local delivery - but the destination MAC address is for the router, not for the destination.


    Notes: Mapping IP addresses (either of the destination or the default gateway) to a MAC address so the IP datagram can be delivered in a MAC-layer frame to the intended recipient is performed using a protocol called the Address Resolution Protocol (ARP). Hosts send a broadcast to all hosts in the network asking "what is the MAC address for this IP address?" Only one host should reply saying "that's me!"; after this the datagram may be packaged up in a MAC-layer frame and sent to the recipient.


    Internet Protocol

    By examining the destination IP address, the router knows that this packet is not intended for itself. It has one or more connections to other networks, and by exchanging information with the routers in those networks, knows where to forward the packet in order to get it closer to its destination.

    The router chooses which next-hop router to forward the packet to, it encapsulates it in a NEW MAC-layer frame, and forwards it on to the next router.

    A packet may be forwarded many times as it traverses the Internet, before finally arriving at its destination network, where it will be delivered to the destination node and decapsulated for processing.


    An IP Network

    Figure: an IP network made up of Networks 1, 2 and 3 (Ethernet, each behind a switch), Networks 4 and 5 (fibre links) and Networks 6 and 7 (wireless), joined by routers RA, RB, RC and RD. Host A sends to Host B (IP source: Host A, IP destination: Host B) along a logical path of 4 hops:

    Hop 1: Host A to Router A

    Hop 2: Router A to Router C

    Hop 3: Router C to Router D

    Hop 4: Router D to Host B


    Notes: The source and destination IP address will always be the same for packets going from Host A to Host B. However, the MAC-layer source/destination headers are added and removed as the IP datagram is encapsulated in an Ethernet, WiFi or optical frame, sent out from one network interface on either a host or router, then removed at the other end of the hop. Thus the MAC source/destination addresses (and probably most of the other fields in the MAC header) will be different on each network hop.

    The routers maintain a list of which networks are reachable via each of their network interfaces; they forward packets out of the interface which will allow the packet to reach its destination most efficiently (e.g. least number of hops or lowest cost). The measure of efficiency depends on the routing protocol.


    Mobility and IP

    Mobile IP is an extension to IP which enables a host to roam from its home network to any other foreign network, while maintaining the same IP address

    Thus a host running some given service can move around while remaining reachable from anywhere on the Internet

    This should be accomplished without breaking compatibility with non-mobile IP networks


    Mobile IP Terminology

    Mobile Node (MN) - the mobile user's device

    Correspondent Node (CN) - another IP peer with whom the MN is communicating

    Home Network (HN) - the usual network where the MN resides

    Foreign Network (FN) - the network that the MN is currently visiting

    Home Agent (HA) - MIP service facilitator in the HN

    Foreign Agent (FA) - MIP service facilitator in the FN

    Care-of-Address (CoA) - transient address in the FN

    Tunnel - Path followed by an encapsulated datagram


    Mobile IP Components


    How it Works

    MIP allows a MN to use two IP addresses: a static Home Address, which is used to identify the endpoint of TCP or UDP connections, and a Care-of-Address (CoA), which is the MN's temporary point of attachment in the foreign network. This IP address changes at each new point of attachment.

    Whenever the MN is not attached to its home network, the Home Agent receives all the packets destined for the MN and arranges to deliver them to the MN's current CoA


    How it Works

    Whenever the MN moves, it registers its new CoA with its HA.

    To get a packet to a MN from its home network, the home agent tunnels the packet from the home network to the CoA

    When the packet arrives at the CoA (the MN's temporary foreign IP address), the packet is removed from the tunnel and passed to the MN's IP stack

    It will then be processed by the transport and application layers exactly as if the MN was in its home network


    Tunnelling

    In MIP, the HA redirects packets arriving in the home network but intended for the MN to the MN's CoA by constructing a new IP header that contains the CoA as the destination IP address.

    The packet to be redirected is now placed in this new packet as the payload; therefore, the destination address of the inner packet will have no effect on the routing of the container packet until it arrives at the CoA.

    When the outer packet arrives at the FN, the inner packet is removed and delivered to the appropriate transport and application layers on the MN.


    Tunnelling - Illustration


    Notes: CN sends an IP datagram to the IP address of the MN (1); the home agent intercepts this, encapsulates it into another IP datagram (fragmenting into multiple datagrams if needed) with source = HA and dest = CoA, and sends it to the FA (2) which forwards it to the CoA of the MN (3); the inner packet is decapsulated by the MN (4); we now have a logical tunnel from the CN to the MN.
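    An added Python example (not from the lecture notes) of the encapsulation step described in the Tunnelling slide and the illustration notes above: the HA wraps the CN's whole datagram in a new IPv4 header with source = HA and destination = CoA (IP protocol number 4, "IP in IP"), and the tunnel endpoint checks and strips that outer header. Addresses and the UDP payload are constructed sample values; fragmentation and the FA relay step are not modelled.

```python
import struct

IPPROTO_IPIP = 4   # "IP in IP": protocol number carried in the outer header
IPPROTO_UDP = 17


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram: 20-byte header without options, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
                         0, 0,                         # identification, flags/fragment offset
                         ttl, proto, 0,                # TTL, protocol, checksum placeholder
                         ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + payload


def parse_datagram(dgram: bytes):
    """Return (src, dst, proto, payload) after verifying the header checksum."""
    ihl = (dgram[0] & 0x0F) * 4
    if internet_checksum(dgram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    (_, _, total_len, _, _, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", dgram[:20])
    return bytes_to_ip(src), bytes_to_ip(dst), proto, dgram[ihl:total_len]


def ha_encapsulate(inner: bytes, ha_addr: str, coa: str) -> bytes:
    """Home Agent: the whole datagram for the MN becomes the payload of a new
    datagram whose header reads source = HA, destination = CoA. Routers between
    the HN and the FN only ever look at this outer header."""
    return build_datagram(ha_addr, coa, IPPROTO_IPIP, inner)


def mn_decapsulate(outer: bytes, coa: str) -> bytes:
    """Tunnel endpoint: accept only IP-in-IP datagrams addressed to our CoA and
    hand the inner datagram (still addressed to the home address) to the IP stack."""
    _, dst, proto, payload = parse_datagram(outer)
    if dst != coa or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnelled datagram for this care-of address")
    return payload


# Constructed sample addresses (documentation ranges, not real hosts).
CN, MN_HOME, HA, COA = "203.0.113.5", "192.0.2.10", "192.0.2.1", "198.51.100.77"


def tunnel_round_trip():
    """Steps (1)-(4) of the illustration: CN -> HA intercept -> CoA -> MN."""
    inner = build_datagram(CN, MN_HOME, IPPROTO_UDP, b"hello from CN")   # (1)
    outer = ha_encapsulate(inner, HA, COA)                                # (2)/(3)
    delivered = mn_decapsulate(outer, COA)                                # (4)
    return parse_datagram(outer)[:3], parse_datagram(delivered)


if __name__ == "__main__":
    outer_hdr, (src, dst, proto, data) = tunnel_round_trip()
    print("outer header (src, dst, proto):", outer_hdr)
    print("inner datagram:", src, "->", dst, "proto", proto, data)
```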

    MIP Mechanisms

    Mobile IP requires 3 separate mechanisms to be implemented in the home and foreign networks and the mobile node

    Discovering the care-of-address;

    Registering the care-of-address; and

    Tunneling to the care-of-address.


    Agent Advertisement/Discovery

    These mechanisms make it possible for a MN to

    Determine whether it is connected to its home network or to a foreign network;

    Determine whether it has changed its position in terms of network recently; and

    Obtain a care-of address when it changes to a different foreign network.


    Discovering the CoA

    How does an MN find a foreign agent after it moves to another location?

    Foreign Agents and Home Agents advertise their presence periodically using special agent advertisement messages.

    For advertisements, ICMP messages are used with some mobility extensions.

    How does it discover at all that it has moved?

    The MN must compare the network prefixes of the router's IP address with the network portion of its own address. If these differ then the MN has moved to a foreign network.


    Registration

    The registration procedure involves four steps:

    1. The mobile node requests the forwarding service by sending a registration request to the foreign agent that the mobile node wants to use

    2. The foreign agent relays this request to the mobile node's home agent

    3. The home agent either accepts or rejects the request and sends a registration reply to the foreign agent.

    4. The foreign agent relays this reply to the mobile node.

    Once these steps are complete, tunnelling will occur as needed


    Security in Mobile IP

    Mobile IP provides a limited amount of security

    Registration requests and replies are timestamped and securely checksummed using a secure message digest algorithm

    A shared secret must be present on both the HA and the MN

    Messages which have been delayed or altered by a third party not in possession of the secret key will not have a valid checksum

    Replay attacks are thus defeated

    None of this protects confidential content from interception
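    An added Python example (not from the lecture notes) of the protection described on this slide applied to the registration request of the previous one: the MN includes a timestamp as the identification field plus a keyed digest computed with the shared secret, and the HA rejects altered, stale or replayed requests. HMAC-SHA256 and a Unix-seconds identification are simplifying assumptions (Mobile IP specifies its own keyed digest and timestamp format); the secret, addresses, clock values and skew window are constructed.

```python
import hashlib
import hmac
import struct
import time

# Constructed values for this example; a real deployment provisions the secret out of band.
SHARED_SECRET = b"example-mn-ha-shared-secret"
MAX_CLOCK_SKEW = 7          # seconds the identification may differ from HA time (assumed)
BODY_FMT = "!4s4sIQ"        # home address, CoA, lifetime, identification (Unix seconds)
BODY_LEN = struct.calcsize(BODY_FMT)


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def authenticator(secret: bytes, body: bytes) -> bytes:
    """Keyed digest over the whole body: without the secret it cannot be forged."""
    return hmac.new(secret, body, hashlib.sha256).digest()


def mn_registration_request(home_addr: str, coa: str, secret: bytes,
                            identification: int, lifetime: int = 1800) -> bytes:
    """MN (via the FA) -> HA: request fields + timestamp + keyed digest. The body
    itself travels in the clear; only integrity and freshness are protected."""
    body = struct.pack(BODY_FMT, ip_to_bytes(home_addr), ip_to_bytes(coa),
                       lifetime, identification)
    return body + authenticator(secret, body)


class HomeAgent:
    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.bindings = {}             # home address -> (CoA, lifetime)
        self.last_identification = {}  # home address -> newest identification accepted

    def handle_registration(self, msg: bytes) -> str:
        body, received = msg[:BODY_LEN], msg[BODY_LEN:]
        # 1. Integrity: recompute the digest and compare in constant time.
        if not hmac.compare_digest(authenticator(self.secret, body), received):
            return "reject: authentication failed"
        home_b, coa_b, lifetime, ident = struct.unpack(BODY_FMT, body)
        home = bytes_to_ip(home_b)
        # 2. Freshness: a delayed message carries an identification far from HA time.
        if abs(int(self.clock()) - ident) > MAX_CLOCK_SKEW:
            return "reject: identification mismatch"
        # 3. Replay: the identification must strictly increase for each mobile node.
        if ident <= self.last_identification.get(home, -1):
            return "reject: replay"
        self.last_identification[home] = ident
        self.bindings[home] = (bytes_to_ip(coa_b), lifetime)
        return "accept"


def coa_visible_to_eavesdropper(msg: bytes) -> str:
    """No key needed: the CoA (and every other field) is readable on the wire,
    which is the slide's last point about confidentiality."""
    _, coa_b, _, _ = struct.unpack(BODY_FMT, msg[:BODY_LEN])
    return bytes_to_ip(coa_b)


if __name__ == "__main__":
    now = [1_000_000]
    ha = HomeAgent(SHARED_SECRET, clock=lambda: now[0])
    req = mn_registration_request("192.0.2.10", "198.51.100.77", SHARED_SECRET, now[0])
    print(ha.handle_registration(req))            # accept
    now[0] += 3
    print(ha.handle_registration(req))            # reject: replay
    forged = req[:4] + ip_to_bytes("198.51.100.99") + req[8:]
    print(ha.handle_registration(forged))         # reject: authentication failed
    print(coa_visible_to_eavesdropper(req))       # 198.51.100.77
```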


    Mobile IPv6

    IPv6 includes many features for streamlining mobility support that are missing in IPv4.

    A COA acquisition mechanism is built in to IPv6

    A neighbour discovery mechanism is mandatory in every node, so FAs are no longer needed.

    Every IPv6 node can send binding updates to another node, thus the MN can send its current COA to the CN and HA directly

    Soft handover: the MN sends its new COA to the old router servicing the MN at the old COA, and the old router encapsulates any incoming packets for the MN and forwards them to the new COA.


    Notes: Don't hold your breath waiting for Mobile IPv6! IPv6 itself is still a negligible fraction of the global Internet.

    Where is MIP Used?

    There actually is one place where MIP does see some use - inside GPRS and 3G/LTE networks!

    GPRS networks provide IP mobility for clients; this is relatively easy to do as the service provider controls the network where both the FA and HA reside.

    For this reason the lack of encryption is not a problem

    However this is very far from the use case envisioned by the creators of Mobile IP!


    Mobile IP's Irrelevance

    Mobile IP dates from an era where it actually mattered that a host was reachable via a constant IP address

    However, IP addresses are now considered transient and dynamic in any case, and applications have adapted to deal with this

    For example, two-way services such as Skype make use of a stable external server for negotiating end-to-end connections

    In this case, your IP address is irrelevant


    Mobile IP's Irrelevance

    The other major fault with Mobile IP is that it dates from an era when the Internet was considered trustworthy and benign

    It includes limited security features - although there is an authentication mechanism, there is no encryption mechanism

    It is therefore extremely vulnerable to eavesdropping and interception

    This will be improved in Mobile IPv6; however it is probably too late.


    Notes: Never rule anything out in the world of technology! Maybe someone will find a compelling use case for Mobile IPv6.


    Virtual Private Networks

    The preferred solution to providing Mobile IP-like functionality is the Virtual Private Network (VPN)

    A VPN includes strong encryption and secure two-way authentication mechanisms

    It provides a mechanism for you to access your home network as if you were locally connected

    You can even use a static VPN IP address as well if you need to be reachable from your home network


    Virtual Private Networks

    VPNs share some similarities with Mobile IP, but require no additional support from the foreign network as all traffic is carried over a bidirectional tunnel established between the roaming user and the VPN server in the home network

    VPNs can operate over the network layer (such as IPsec - essentially an encrypted IP-over-IP tunnel), the transport layer (such as OpenVPN, which can be transported over either TCP or UDP, or L2TPv3), or a hybrid of the network and transport layers such as PPTP.


    Notes: PPTP is not the best VPN protocol - it suffers from a number of architectural security vulnerabilities. IPsec is very secure, but rather cumbersome to configure. Many commercial VPN solutions (e.g. from Cisco) are based on IPsec. OpenVPN is probably the easiest VPN solution available today.

    Although these protocols provide security for the payloads, they can still be blocked by hostile networks. For example, Iran employs deep packet inspection to identify encrypted OpenVPN traffic; the connection cannot be intercepted, but it can be easily broken via a malicious TCP reset injection, added by a router inside the government-controlled parts of the network. Thus as soon as your VPN comes up, it is disconnected. There are various work-arounds to this problem, but it is a never-ending arms race.


    Case Study: OpenVPN

    OpenVPN is a free and open source VPN solution which encapsulates encrypted IP or MAC-layer traffic (depending on the VPN configuration) over a transport-layer protocol (either TCP or UDP)

    It may be configured as a point-to-point, point-to-network or network-to-network VPN

    Routing and DNS information may be pushed to the client on connection - you can even set up the client so that all (non-VPN) traffic is routed over the VPN (the encrypted data itself must still be sent through the default route!)


    OpenVPN Operation

    An OpenVPN client firstly establishes a secure connection to the VPN server (somewhere on the Internet - e.g. at a company HQ). This occurs over either a TCP connection or UDP datagram flow, to a known port on the server

    It validates the identity of the server (using one of a number of secure mechanisms), and the server validates the identity of the client (normally using an SSL certificate issued by the VPN administrator)

    A virtual network device is now created on the client (one must already exist on the server), and it is given an IP address (typically a non-routeable private IP address) by the VPN server


    OpenVPN Operation

    Routes added on the client host selectively direct certain traffic (or even all non-VPN traffic) to the virtual network device instead of the physical network device

    This traffic is delivered to the OpenVPN service running on the client via an operating system level hook

    It then encrypts the packets, encapsulates them in the transport-layer connection or datagram stream, and forwards them over the physical network interface to the appropriate port on the remote VPN server (somewhere on the Internet)


    Notes: The operating system hook varies depending on the client operating system; Linux uses a dynamically allocated tun/tap virtual network device, which behaves exactly like a standard network interface (it can be given an IP address, may listen to DHCP requests etc.) and can be connected to a normal Unix process via a character device file /dev/tun. This process is the OpenVPN daemon. MacOS and Windows use a port of the Linux tun/tap device driver.

    OpenVPN Operation

    The VPN server then receives the data, decrypts the contents, and delivers them to the virtual network device (as if they have just arrived on the wire of a real network device).

    The normal routing tables on the VPN server then direct the incoming (unencrypted) packets to their destination.

    The VPN typically adds an additional latency of less than one millisecond. Throughput is reduced slightly compared to an unencrypted connection due to the additional overhead of the tunnelling process


    OpenVPN Transport Protocol

    The choice of underlying transport-layer protocol depends on the requirements of the clients:

    Using UDP is more efficient (less overhead), but is difficult or even impossible if network address translation is being used (the reverse path must be port-forwarded to the client if it doesn't have a public IP address)

    Using TCP is simpler as it is connection-oriented and bidirectional, since no port forwarding is required - but it may suffer from strange TCP-over-TCP interactions when the payload traffic is TCP and the underlying network connection is congested or suffering from high latency.


    Next Week

    Wireless Network Security
