Spring 2004

Mobile IP

School of Electronics and Information, Kyung Hee University

Choong Seon HONG
cshong@khu.ac.kr
http://networking.khu.ac.kr

Introduction

The most fundamental problem is the way the Internet Protocol, the protocol that connects the networks of today's Internet, routes packets to their destinations according to IP addresses.

These addresses are associated with a fixed network location, much as a non-mobile phone number is associated with a physical jack in a wall.

When the packet's destination is a mobile node, each new point of attachment made by the node is associated with a new network number and, hence, a new IP address, making transparent mobility impossible.

Background

- Problems in legacy IP routing
  • Cannot route to a host that migrates to another network
  • Loss of the TCP connection if the IP address changes
- Need for a new IP protocol: move between different networks without changing the host's IP address
  • IP Mobility Support for IPv4 (RFC 3344)
  • Requirements of a Quality of Service (QoS) Solution for Mobile IP (RFC 3583)
  • Mobile IP Security

Mobile IPv4

IETF Base Mobile IP (1)

- Allows IP hosts to move between different networks without changing their IP addresses
  • IP mobility
  • Transport-layer sessions survive the move
- Specified in RFC 3344
- Uses two IP addresses
  • Home address
  • Care-of address (COA)

Two IP Addresses

Mobile IP has been designed to solve this problem by allowing the mobile node to use two IP addresses.

In Mobile IP, the home address is static and is used, for instance, to identify TCP connections.

The care-of address changes at each new point of attachment and can be thought of as the mobile node's topologically significant address.

Entities

- Mobile Node (MN)
  • A host or router that changes its point of attachment from one network or subnetwork to another.
- Home Agent (HA)
  • A router on a mobile node's home network
  • Tunnels datagrams for delivery to the mobile node when it is away from home
  • Maintains current location information for the mobile node
- Foreign Agent (FA)
  • A router on a mobile node's visited network
  • Provides routing services to the mobile node while it is registered
  • Detunnels and delivers datagrams to the mobile node

[Figure: the Mobile IP entities (MN, HA, FA, CN) attached to the network]

Terminology (1)

- Home Address
  • An IP address that is assigned for an extended period of time to a mobile node. It remains unchanged regardless of where the node is attached to the Internet.
- Care-of Address (COA)
  • The termination point of a tunnel toward a mobile node
  • "Foreign agent care-of address": an address of a foreign agent with which the mobile node is registered
  • "Co-located care-of address": an externally obtained local address (such as one assigned by DHCP)
  • Applications use the home address, and lower-layer software uses the care-of address to receive the datagram itself
- Correspondent Node (CN)
  • A peer with which a mobile node is communicating.

Terminology (2)

- Home Network (HN)
  • A network having a network prefix matching that of a mobile node's home address.
- Foreign Network (FN)
  • Any network other than the mobile node's home network
- Agent Advertisement
  • An advertisement message constructed by attaching a special extension to a router advertisement message.
- Visitor List
  • The list of mobile nodes visiting a foreign agent

Mobile IP Operation

1. Agent Discovery
2. Registering the Care-of address
3. Tunneling to the Care-of address

Agent Discovery

- Agent Advertisements
  • Use Router Advertisement, specified in RFC 1256
  • Simply extend Router Advertisement to associate mobility functions with it
  • Carry information about default routers and COAs
- HA and FA typically broadcast the Agent Advertisement message at a regular interval
- From the advertisement the MN can tell whether the agent is an HA or an FA, and therefore whether it is on its HN or on an FN.
- The MN obtains a COA while it is away from its HN.

Registering the COA (1)

- Once an MN has a COA, it sends a registration request carrying the COA to its HA.
- When the HA receives the request, it adds the necessary information to its routing table, approves the request and sends a registration reply.

[Figure: Mobile IP Registration Process]
- FA advertises service
- MN requests service
- FA relays the request to the HA
- HA accepts or denies
- FA relays the status to the MN

Registering the COA (2)

Registration procedure
1. Agent advertisement message
2. Registration request
3. Registration request message relay
4. Registration reply
5. Registration reply message relay

Tunneling to the Care-of address (1)

[Figure: Data Transmission of Mobile IP, showing CN, HA, FA and MN on the network]

Tunneling to the Care-of address (2)

Encapsulated Datagram (HA -> FA -> MN)

  Outer header (added by the HA):  Src = HA   Dest = COA   Proto = 4 or 55
  Inner datagram (unchanged):      Src = X    Dest = MH    Proto = ?   Payload

The original datagram from the correspondent X to the mobile node's home address MH travels unchanged inside the tunnel; the FA removes the outer header and delivers the inner datagram to the MN.
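As an added example, not code from the slides, the encapsulation above in Python: the HA wraps the datagram from correspondent X to home address MH in an outer IPv4 header with source HA, destination COA and protocol 4 (IP-in-IP, RFC 2003; protocol 55 is minimal encapsulation, RFC 2004), and the FA accepts it only if it is addressed to its own COA before stripping the outer header. All addresses are constructed and the header builder omits IP options.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP (RFC 2003); Mobile IP may also use 55, minimal encapsulation (RFC 2004)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a header whose checksum does not verify."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:total_len])

def ha_encapsulate(inner: bytes, ha: str, coa: str) -> bytes:
    """Home agent: intercept the datagram for MH and tunnel it unchanged to the care-of address."""
    return build_ipv4(ha, coa, IPPROTO_IPIP, inner)

def fa_detunnel(outer: bytes, coa: str) -> bytes:
    """Foreign agent: accept only IP-in-IP packets addressed to its own COA, then strip the outer header."""
    _, dst, proto, inner = parse_ipv4(outer)
    if dst != coa or proto != IPPROTO_IPIP:
        raise ValueError("not a Mobile IP tunnel packet for this care-of address")
    return inner

def demo():
    """Constructed addresses: X (correspondent), MH (home address), HA and the FA's COA."""
    x, mh, ha, coa = "203.0.113.9", "192.0.2.10", "192.0.2.1", "198.51.100.7"
    inner = build_ipv4(x, mh, 17, b"hello")   # X -> MH, protocol 17 (a constructed UDP payload)
    outer = ha_encapsulate(inner, ha, coa)      # HA -> COA, protocol 4, inner datagram as payload
    delivered = fa_detunnel(outer, coa)
    return parse_ipv4(outer)[:3], delivered == inner, parse_ipv4(delivered)[1]
```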

A Security in Mobile IP Registration Protocol (1)

- Current base Mobile IP protocol
  • Relies on the use of a secret key with manual key distribution
- Problems while using a secret key
  • Scalability problem in key management, which will become a major hindrance for wide-scale deployment
  • Replay attack, by an illegitimate MN or HA
  • Denial of service, by an illegitimate FA

A Security in Mobile IP Registration Protocol (2)

[Figure: three message diagrams, each with Request (MN -> FA -> HA) and Reply/Result (HA -> FA -> MN): Normal Mobile IP Registration Protocol; Replay Attack; Denial of Service. Legend: normal entity / attacker]

A Security in Mobile IP Registration Protocol (3)

Replay attack processing
1. The attacker obtains a valid request message and its corresponding reply.
2. Some time later, the attacker spoofs the HA and replays the recorded request to the FA.
3. The attacker spoofs the MN and sends the corresponding reply to the FA.

The result of this attack is that the FA still believes that the registration is valid.

The attacker's bogus MN can get a connection through the FA and enjoy resources on the foreign network for free.

A Security in Mobile IP Registration Protocol (4)

Preventing replay attacks on registration
- Use timestamps
  • MN and HA each include their estimated current time of day in the request and reply
  • Problem: the clocks of the MN and HA must be synchronized
- Use nonces
  • MN includes a new pseudo-random number as a nonce in every request to the HA and requires the HA to return this same nonce in its reply
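As an added example, not code from the slides: a simplified Python model of the RFC 3344 registration exchange using the nonce approach above together with the HMAC-MD5 Mobile-Home Authentication Extension. The HA refuses a request whose nonce it has already accepted (reply code 133, registration Identification mismatch) and the MN accepts only a reply that echoes the nonce of its outstanding request. The shared key and addresses are constructed, and the message layout omits other extensions.

```python
import hashlib
import hmac
import secrets
import struct

MN_HA_KEY = b"constructed-mn-ha-shared-secret"   # manually distributed in base Mobile IP; constructed here
REQ_FMT = "!BBH4s4s4sQ"   # type, flags, lifetime, home address, HA address, COA, 64-bit Identification
REP_FMT = "!BBH4s4sQ"     # type, code, lifetime, home address, HA address, 64-bit Identification
ACCEPTED, ID_MISMATCH = 0, 133   # RFC 3344 reply codes: accepted / registration Identification mismatch

def auth_ext(body: bytes) -> bytes:
    """Mobile-Home Authentication Extension: HMAC-MD5 over the message (the RFC 3344 default)."""
    return hmac.new(MN_HA_KEY, body, hashlib.md5).digest()

def verify(msg: bytes):
    """Body of msg if its trailing 16-byte authenticator checks out, else None."""
    return msg[:-16] if hmac.compare_digest(auth_ext(msg[:-16]), msg[-16:]) else None

class HomeAgent:
    def __init__(self):
        self.used = {}   # home address -> nonces already accepted from that MN

    def handle(self, req: bytes) -> bytes:
        body = verify(req)
        if body is None:
            return b""   # authentication failed: drop (RFC 3344 would answer with code 131)
        _, _, _, home, ha, coa, nonce = struct.unpack(REQ_FMT, body)
        seen = self.used.setdefault(home, set())
        code = ID_MISMATCH if nonce in seen else ACCEPTED   # a replayed request is refused
        seen.add(nonce)
        body = struct.pack(REP_FMT, 3, code, 300, home, ha, nonce)   # echo the MN's nonce
        return body + auth_ext(body)

class MobileNode:
    def __init__(self, home: bytes, ha: bytes):
        self.home, self.ha, self.pending = home, ha, None

    def register(self, coa: bytes) -> bytes:
        self.pending = secrets.randbits(64)   # fresh pseudo-random nonce for every request
        body = struct.pack(REQ_FMT, 1, 0, 300, self.home, self.ha, coa, self.pending)
        return body + auth_ext(body)

    def accept(self, reply: bytes) -> bool:
        body = verify(reply)   # must authenticate and echo the nonce of the outstanding request
        if body is None:
            return False
        _, code, _, _, _, nonce = struct.unpack(REP_FMT, body)
        return code == ACCEPTED and nonce == self.pending
```

A recorded request presented to the HA a second time is answered with code 133, and a recorded reply presented to the MN after it has issued a new request fails the nonce comparison.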

A Security in Mobile IP Registration Protocol (5)

- Public Key Based Authentication
  • Proposed by Jacobs in 1998
  • Uses public key cryptography
  • Provides scalability and non-repudiation
- Drawbacks of Jacobs' proposal
  • An MN is normally limited in its computing power
  • Low bandwidth for fetching the current CRL (Certificate Revocation List)
  • The MN requires additional hardware or software that might add complexity to its system

A Security in Mobile IP Registration Protocol (6)

- An alternative to Jacobs' proposal: hybrid cryptography
  • Secret key cryptography at the MN
  • Public key cryptography at the HA and FA
- Each entity generates its certificate to authenticate the others
- Requires the construction of an M-PKI (Mobile Public Key Infrastructure)

Performance Problems in Mobile IP

- Mobile IP's tunneling scheme creates triangle routing
  • Remedy: Mobile IP route optimization
- Overhead
  • Use a VHA (regional agent)
  • Hierarchical Local Registration Mobile IP (HLRM-IP)

[Figure: Data latency of Mobile IP, with the HA tunneling to several FAs that serve MNs]

[Figure: Triangle Routing between CN, HA, FA and MN]

Mobile IP Route Optimization

Mobile IP Route Optimization (1)

- The CN has a binding cache which is used to hold the binding for the MN
- The CN can deliver packets directly to the MN without any assistance from the HA

Mobile IP Route Optimization (2)

[Figure: Binding update message exchange among CN, HA, FA and MN (numbered steps), with the tunneling paths shown]

Current Issues for Mobile IPv4

- Low latency Handoffs in Mobile IPv4: draft-ietf-mobileip-lowlatency-handoffs-v4-08.txt
- Security issues
  • Mobile IPv4 Traversal Across IPsec-based VPN Gateways: draft-ietf-mobileip-vpn-problem-solution-03
  • Mobile IPv4 Extension for carrying Network Access Identifiers: draft-ietf-mip4-aaa-nai-02.txt
  • AAA Registration Keys for Mobile IPv4: draft-ietf-mip4-aaa-key-03.txt
- Mobile IPv4 Dynamic Home Agent Assignment: draft-ietf-mip4-dynamic-assignment-00.txt

Mobile IP using VHA

Mobile IP Using VHA (1)

- Provide a Virtual Home Agent (VHA) to reduce overhead and latency
- Cluster several networks into an administrative domain and place a VHA in it

Mobile IP Using VHA (2)

[Figure: The configuration of VHAs: Domains A, B and C, each with its own VHA serving three FAs, connected through the network to the HA and CN]

Mobile IP Using VHA (3)

- The MN detects the change of attachment point through the Agent Advertisement message broadcast periodically by the FA
- The FA appends a Domain registration extension to the Agent Advertisement message to declare the router information (FA) and identify the domain (VHA)
- The MN checks the extension to determine whether or not the movement is a handoff within the domain

Mobile IP Using VHA (4)

[Figure: Registration Process using VHA: in Domain A the MN registers through FA1 and the VHA to the HA (message steps 1 to 6)]

Mobile IP Using VHA (5)

[Figure: Local Handoff: the MN moves from FA1 to FA2 within Domain A and the registration (steps 1 to 4) terminates at the VHA, with no message to the HA]
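As an added example, not code from the slides, a Python model of the VHA scheme on the preceding slides: an MN walks across two constructed domains, decides from the domain extension of each advertisement whether the move is a local handoff, and the HA counts how many registrations reach it. The assumption that the HA records the VHA as the MN's care-of address and that a local handoff stops at the VHA is mine, following the two figures.

```python
from typing import Dict, List, Optional, Tuple

class HomeAgent:
    """Records the MN's binding and counts registrations that reach it (the overhead a VHA aims to cut)."""
    def __init__(self):
        self.bindings: Dict[str, str] = {}
        self.registrations = 0

    def register(self, home_addr: str, coa: str) -> None:
        self.bindings[home_addr] = coa
        self.registrations += 1

class VirtualHomeAgent:
    """Regional agent of one administrative domain; the HA only learns the VHA as the MN's COA (assumption)."""
    def __init__(self, name: str, ha: HomeAgent):
        self.name, self.ha = name, ha
        self.bindings: Dict[str, str] = {}   # home address -> FA currently serving the MN

    def register(self, home_addr: str, fa: str, local: bool) -> None:
        self.bindings[home_addr] = fa        # local handoff: update within the domain only
        if not local:
            self.ha.register(home_addr, self.name)   # domain change: relay the registration to the HA

class MobileNode:
    def __init__(self, home_addr: str):
        self.home_addr = home_addr
        self.fa: Optional[str] = None
        self.vha: Optional[VirtualHomeAgent] = None

    def on_advertisement(self, fa: str, vha: VirtualHomeAgent) -> Optional[str]:
        """Agent Advertisement carrying the domain extension (fa, vha). Returns the action taken."""
        if fa == self.fa:
            return None                       # same attachment point: nothing to register
        local = self.vha is vha               # extension names the current VHA: handoff within the domain
        vha.register(self.home_addr, fa, local)
        self.fa, self.vha = fa, vha
        return "local" if local else "home"

def simulate() -> Tuple[List[Optional[str]], int, str]:
    """Constructed topology: domain A (VHA-A with FA1..FA3) and domain B (VHA-B with FA4)."""
    ha = HomeAgent()
    vha_a, vha_b = VirtualHomeAgent("VHA-A", ha), VirtualHomeAgent("VHA-B", ha)
    mn = MobileNode("MH")
    path = [("FA1", vha_a), ("FA2", vha_a), ("FA2", vha_a), ("FA3", vha_a), ("FA4", vha_b)]
    actions = [mn.on_advertisement(fa, vha) for fa, vha in path]
    return actions, ha.registrations, ha.bindings["MH"]
```

Without a VHA every FA change on this path would be a registration with the HA (four of them); with the VHA only the two domain entries reach it.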