1 / 65

Module E Mobile Network Layer

Mobile Networks. Module E Mobile Network Layer . J.-P. Hubaux, N. Vratonjic, M. Poturalski, I. Bilogrevic. http://mobnet.epfl.ch. Some slides addapted from Jochen H. Schiller ( www.jochenschiller.de ). Enablers of IP mobility. Mobile end systems Laptops PDAs Smart-phones …

aya
Download Presentation

Module E Mobile Network Layer

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mobile Networks Module E Mobile Network Layer J.-P. Hubaux, N. Vratonjic, M. Poturalski, I. Bilogrevic http://mobnet.epfl.ch Some slides addapted from Jochen H. Schiller (www.jochenschiller.de)

  2. Enablers of IP mobility • Mobile end systems • Laptops • PDAs • Smart-phones • … • Wireless technologies • Wireless LANs (IEEE 802.11) • Bluetooth (www.bluetooth.com) • Improved batteries (longer lifetime)

  3. Problem with IP mobility IP1 mail.epfl.ch IP2 Need to establish a new TCP connection, old connection broken Assign a new IP address via DHCP

  4. IP mobility and cellular networks • Assign a new IP address via DHCP • Assign IP address • Tunnel IP packets • Always in the path GPRS (or EDGE or UMTS) tunnel IP link IP1 IP1 mail.epfl.ch IP1 IP2 See also Generic Network Access (GAN) a.k.a. Unlicensed Mobile Access (UMA) Possible solution: http://www.smart-wi-fi.com

  5. TCP/IP was not designed for mobility • Change of IP address means disconnection of the application • TCP interprets dropped packets (channel errors, disconnections) as congestion • More in Module F • Limitations due to a fundamental design problem The IP address (network layer) has a dual role • Network locator (topological point of attachment) for routing purposes • Host identifier (unique for a host and TCP/IP stack)

  6. Routing in the Internet • Routing is based on the destination IP address • Network prefix (e.g. 129.13.42) determines physical subnet • Change of physical subnet implies change of IP address (standard IP) • The new IP address needs to be topologically correct (belong to the new subnet) to be routable • Changing the IP address according to the current location • DHCP provides plug-and-play address update • Number of drawbacks: • Almost impossible to locate a mobile system; long delays for DNS updates • TCP connections break • Security problems

  7. Update routing tables? • Quick ‘solution’ • Keep IP address constant • Update routing tables to forward packets to the right location • Not feasible • Does not scale with number of mobile hosts and frequent changes in location • Routers are designed for fast forwarding, not fast updates • Routers have limited memory (cannot store separate entry for every mobile host) • Route updates consume network throughput • Security problems

  8. Two main solutions • Mobile IP • Support mobility transparently to TCP and applications • Rely on existing protocols • Host Identity Protocol (HIP) • A new layer between IP and transport layers • Architectural change to TCP/IP structure

  9. Mobile IP

  10. Requirements to Mobile IP • Transparency • Mobile end-systems (hosts) keep their IP address • Maintain communication in spite of link breakage • Enable change of point of connection to the fixed network • Compatibility • Support the same Layer 2 protocols as IP • No changes to current end-systems and routers • Mobile end-systems can communicate with fixed systems • Security • Authentication of all registration messages • Efficiency and scalability • Only little additional messages to the mobile system required (connection may be over a low-bandwidth radio link) • World-wide support of a large number of mobile systems

  11. Terminology • Mobile Node (MN) • Entity (node) that can change its point of connection to the network without changing its IP address • Home Agent (HA) • Entity in the home network of the MN, typically a router • Registers the MN location, encapsulates and tunnels IP packets to the COA • Foreign Agent (FA) • System in the current foreign network of the MN, typically a router • Decapsulates and forwards the tunneled packets to the MN • Care-of Address (COA) • Address of the current tunnel end-point for the MN • Foreign Agent COA or • Co-located COA (no FA, MN performs decapsulation) • Actual location of the MN from an IP point of view • Co-located COA typically acquired via DHCP • Correspondent Node (CN) • Communication partner

  12. Data transfer to the mobile node: HA 2 MN Internet home network 3 receiver foreign network FA 1. Sender sends to the IP address of MN, HA intercepts packet (proxy ARP) 2. HA tunnels packet to COA, here FA, by encapsulation 3. FA forwards the packet to the MN 1 CN sender

  13. Data transfer with co-located COA HA Internet 2 MN home network receiver 3 foreign network 1. Sender sends to the IP address of MN, HA intercepts packet (proxy ARP) 2. HA tunnels packet to co-located COA (MN) by encapsulation 3. MN decapsulates and (internally) delivers packet to home address 1 CN sender

  14. Data transfer from the mobile node HA 4 MN Internet home network sender FA foreignnetwork 4. Sender sends to the IP address of the receiver as usual, FA works as default router CN receiver

  15. Mobile IP mechanisms • Agent Discovery • MN discovers its location (home network, foreign network) • MN learns a COA • Registration • MN securely signals the COA to the HA (via the FA) • Tunneling • HAencapsulates IP packets from CN and sends them to the COA • FA (or MN) decapsulates these packets and sends them to the MN

  16. Agent discovery • Agent Advertisement • HA and FA periodically send advertisement messages into their physical subnets • MN listens to these messages and detects, if it is in the home or a foreign network (standard case for home network) • MN reads a COA from the FA advertisement messages • Agent Solicitation • MN can request an Agent Advertisement message with a Agent Solicatation message • Helps decrease disconnection time • Simple extension of ICMP Router Discovery(ICMP: Internet Control Message Protocol) • Other mechanisms can be used to discover the network and the COA (e.g. DHCP)

  17. Agent advertisement 0 7 8 15 16 23 24 31 type code checksum #addresses addr. size lifetime router address 1 RFC 1256 preference level 1 router address 2 preference level 2 . . . type = 16 length = 6 + 4 * #COAs R: registration required B: busy, no more registrations H: home agent F: foreign agent M: minimal encapsulation G: GRE (Generic Routing Encapsulation) r: =0, ignored (former Van Jacobson compression) T: FA supports reverse tunneling reserved: =0, ignored type = 16 length sequence number T registration lifetime R B H F M G r reserved COA 1 COA 2 . . .

  18. Registration Mobility Binding Home address COARegistration lifetime 2. Registration request 4. Registration reply 1. Registration request 5. Registration reply Note: with co-located COA, MN sends registation request directly to HA Foreign Agent Home Agent 3. If OK, sets up the binding Note: HA can allow for multiple simultanous mobilty bindings. In that case, a packet from CN is forwarded to all active COAs Mobile Node (COA)

  19. Mobile IP registration request S B D M G r 0 7 8 15 16 23 24 31 type = 1 T x lifetime home address home agent UDP message COA identification extensions . . . S: simultaneous bindings B: broadcast datagrams D: decapsulation by MN M: mininal encapsulation G: GRE encapsulation r: =0, ignored T: reverse tunneling requested x: =0, ignored identification:generated by MN, used for matching requests with replies and preventing replay attacks (must contain a timestame and/or a nonce) extensions: mobile-home authentication extension (mandatory) mobile-foreign authentication extension (optional) foreign-home authentication extension (optional)

  20. Mobile IP registration reply 0 7 8 15 16 31 type = 3 code lifetime home address UDP message home agent identification Example codes: registration successful 0 registration accepted 1 registration accepted, but simultaneous mobility bindings unsupported registration denied by FA 65 administratively prohibited 66 insufficient resources 67 mobile node failed authentication 68 home agent failed authentication 69 requested Lifetime too long registration denied by HA 129 administratively prohibited 131 mobile node failed authentication 133 registration Identification mismatch 135 too many simultaneous mobility bindings extensions . . .

  21. Security associations and registration keys Foreign Agent Home Agent • Usually, thereis a security association (SA) between the home agent (HA) and the mobile node (MN) • Possible techniques to establish a registration keybetween the mobile node and the foreign agent (FA): • Make use of Internet Key Exchange (IKE), if available • If HA and FA share a SA, the HA can provide the registration • Make use of the public key of the FA or of the MN • Diffie-Hellman key exchange protocol between FA and MN Mobile Node

  22. Tunneling SrcDestPayload SrcDestPayload SrcDestPayload CN CN CN MN MN MN abcdefghij abcdefghij abcdefghij 1 2 SrcDest COA HA Encapsulated datagram 3 Correspondent Node Binding Foreign Agent Home Agent Mobile Node

  23. IP-in-IP encapsulation • IP-in-IP-encapsulation • (RFC 2003, updated by RFCs 3168, 4301, 6040) ver. IHL DS (TOS) length IP identification flags fragment offset TTL IP-in-IP IP checksum IP address of HA Care-of address COA ver. IHL DS (TOS) length IP identification flags fragment offset TTL lay. 4 prot. IP checksum IP address of CN IP address of MN TCP/UDP/ ... payload IHL: Internet Header Length TTL: Time To Live DS: Differentiated Service TOS: Type of Service

  24. Minimal encapsulation • Minimal encapsulation (optional) • avoids repetition of identical fields • e.g. TTL, IHL, version, DS (RFC 2474, old: TOS) • only applicable for non fragmented packets, no space left for fragment identification ver. IHL DS (TOS) length IP identification flags fragment offset TTL min. encap. IP checksum IP address of HA care-of address COA lay. 4 protoc. S reserved IP checksum IP address of MN original sender IP address (if S=1) TCP/UDP/ ... payload

  25. Generic Routing Encapsulation original header original data outer header GRE header originalheader original data new header new data RFC 1701 ver. IHL DS (TOS) length IP identification flags fragment offset TTL GRE IP checksum RFC 2784 (updated by 2890) IP address of HA Care-of address COA C R K S s rec. rsv. ver. protocol C reserved0 ver. protocol checksum (optional) offset (optional) checksum (optional) reserved1 (=0) key (optional) sequence number (optional) routing (optional) ver. IHL DS (TOS) length IP identification flags fragment offset TTL lay. 4 prot. IP checksum IP address of CN IP address of MN TCP/UDP/ ... payload

  26. “Triangle” routing Correspondent Node • Drawbacks • Inefficiency • MN sends IP packets with topologically incorrect source • For security reasons, router can be configured to drop topologically incorrect packets (ingress filtering) Home Agent Mobile Node Foreign Agent

  27. Route Optimization in Mobile IP • Route optimization • HA provides the CN with the current location of MN (FA) • CN sends tunneled traffic directly to FA • Optimization of FA handover • Packets on-the-fly during FA change can be lost • New FA informs old FA to avoid packet loss, old FA now forwards remaining packets to new FA • This information also enables the old FA to release resources for the MN • Extension: not part of the core Mobile IP (RFC 3344) • Violates compatibility (CN needs to be Mobile-IP-aware) • Security problems

  28. Route and FA handover optimizations FAnew CN HA FA MN Request Update ACK Data Data MN changeslocation Registration Update ACK Data Data Data Data Warning Warning Data Request Update Newrequest ACK Data Data

  29. Reverse tunneling HA 2 MN Internet home network 1 sender FA foreignnetwork 1. MN sends to FA 2. FA tunnels packets to HA by encapsulation 3. HA forwards the packet to the receiver (standard case) 3 CN receiver

  30. Mobile IP with reverse tunneling • Reverse tunneling solves ingress filtering problem • A packet from the MN encapsulated by the FA is now topologically correct • Can cope with mobile routers • Protects MN location privacy • Multicast and TTL problems solved • Reverse tunneling does not solve • Optimization of data paths • Double triangular routing • Problems with firewalls • The reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)

  31. Firewalls Filtering of incomingpackets: Discardpacketsthatseem to emanatefrom an addressinternal to the domain (even if they are tunneled) Correspondent Domain Correspondent Node FW Home Domain Global Internet FW Home Agent FW Foreign Domain Filtering of outgoingpackets: discardpacketsthatseem to emanatefrom an addressexternal to the domain (even if they are tunneled) Foreign Agent • Possible solutions: • Manual configuration • Isolation of Mobile Nodes (pockets) Mobile Node

  32. Mobile IP and IPsec • Security in Mobile IP • Authentication in registration messages • No protection of data transmission (tunneling) • IPsec provides general IP layer security • Can be used to protect data transmission • Can also be used in addition/in place of default registration messages authentication

  33. IPsec: Brief reminder Application Application TCP or UDP TCP or UDP IP IP Data link Data link • Provides confidentiality, authentication and integrity • IPsec support is optional in IPv4, mandatory in IPv6 • Security Association (SA) consists of a suite of cryprographic algorithms and keys • Security Parameter Index (SPI) is used for indexing SAs Security Association IP Data link Data link Router IPsec mechanisms

  34. IPsec: Authentication Header Input IP packet: - authenticated with auth ... src IP dst IP payload • Provides authentication and integrity • Cannot traverse NATs • IP addresses authenticated IP header AH transport mode: src IP dst IP ... SPI seq auth payload AH IP header AH tunnel mode: src IP’ dst IP’ ... SPI seq auth IP header payload AH new IP header input IP packet

  35. IPsec: Encapsulating Security Payload Input IP packet: - encrypted ... src IP dst IP payload • Provides confidentiality, authentication and integrity • Outer IP header not authenticated - authenticated with auth IP header ESP transport mode: ... src IP dst IP SPI seq payload auth ESP IP header ESP tunnel mode: ... src IP’ dst IP’ SPI seq input IP packet auth ESP IP header

  36. Mobile IPv6 • Mobile IPv6 introduces several modifications based on new IPv6 functionality and experiences with Mobile IPv4 • No FA, COA is always co-located • Two modes of operation: • Bidirectional tunnel (between HA and COA) • Route optimization (MN informs CN about the COA) • Security integrated with IPsec (mandatory support in IPv6) • “Soft“ hand-over, i.e. without packet loss, between two subnets is supported • MN sends the new COA to its old router • The old router encapsulates all incoming packets for the MN and forwards them to the new COA

  37. IP Micro-mobility support • Micro-mobility support: • Efficient local handover inside a foreign domainwithout involving a home agent • Reduces control traffic on backbone • Especially needed in case of route optimization • Example: • Hierarchical Mobile IP (HMIP) • Important criteria:Security Efficiency, Scalability, Transparency, Manageability

  38. Hierarchical Mobile IPv6 Internet • Operation: • Network contains mobility anchor point (MAP) • mapping of regional COA (RCOA) to link COA (LCOA) • Upon handover, MN informsMAP only • gets new LCOA, keeps RCOA • HA is only contacted if MAPchanges • Security provisions: • No HMIP-specificsecurity provisions • Binding updates should be authenticated (AR: Access Router) HA RCOA MAP binding update AR AR LCOAold LCOAnew MN MN

  39. Hierarchical Mobile IP: Security • Advantages: • Local COAs can be hidden,which provides at least some location privacy • Direct routing between CNs sharing the same link is possible (but might be dangerous) • Potential problems: • Decentralized security-critical functionality(handover processing) in mobility anchor points • MNs can (must!) directly influence routing entries via binding updates (authentication necessary)

  40. Hierarchical Mobile IP: Other issues • Advantages: • Handover requires minimum numberof overall changes to routing tables • Integration with firewalls / private address support possible • Potential problems: • Not transparent to MNs • Handover efficiency in wireless mobile scenarios: • Complex MN operations • All routing reconfiguration messagessent over wireless link

  41. Mobile IP summary • A mobile network layer compatible with the current deployed Internet protocol stack • Issues with Mobile IP • Security • Authentication with FA problematic, for the FA typically belongs to another organization • Firewalls • Typically mobile IP cannot be used together with firewalls, special set-ups are needed • QoS • Tunneling makes it hard to give a flow of packets a special treatment needed for the QoS

  42. Host Identity Protocol (HIP)

  43. Architectural background • Two global name spaces in the current Internet: • Domain names • IP addresses • Recall: IP addresses have a dual role • Identifiers • Locators • Duality makes many things difficult

  44. New requirements to Internet addressing • Mobile Hosts • Need to change IP address dynamically • Multi-interface hosts • Have multiple independent addresses • Challenge: Mobile and multi-interface hosts • Multiple dynamically changing addresses

  45. HIP: A new global Internet name space • Decouples the name and locator roles of IP addresses • Architectural change to TCP/IP structure • A new layer between IP and transport layers • Introduces cryptographic Host Identifiers • Integrates security, mobility and multi-homing • Opportunistic host-to-host IPsec ESP • End-host mobility, across IPv4 and IPv6 • End-host multi-address multi-homing, IPv4/v6 • IPv4/v6 interoperability for applications

  46. HIP: A new layer Process • Sockets bound to Host Identities (HIs), not to IP addresses <IP addr, port> Transport <Host ID, port> Host Identity Host ID IP layer IP address Link Layer

  47. HIP bindings

  48. HIP overview • HIP identifiers • Establishing a shared context between two host • HIP base exchange • Data communication • By default protected with IPsec ESP • Mobility during data communication • HIP locator update • Finding a host • HIP DNS extensions • HIP Rendezvous extension • Multihoming

  49. HIP identifiers • Host Identifiers (HIs) • A host holds a key pair (private and public key) • Host Identifier (HI) = public key • HI representation: Host Identity Tag (HIT) • HIT = h(HI) (h – cryptographic hash function, 128bits) • Advantages: • Fixed length makes for easier protocol coding and better manages the packet size cost • Independent of cryptographic protocols used for public private keys • Collision probability (birthday paradox) • With 1012 hosts P(collision) < 1.5∙10-15

  50. HIP base exchange Initiator (I) Responder (R) I1: IPI, IPR, HITI, HITR • Establishes HIP association (addressing part)HII ↔ IPI ↔ IPR ↔ HIR • Used by the HIP layer to map between HIs and IPs R1: IPI, IPR, HITI, HITR, DHR, HIR, sig, ESPtransform, puzzle I2: IPI, IPR, HITI, HITR, DHI, HII, sig, ESPtransform, ESPinfo, solution R2: IPI, IPR, HITI, HITR, sig, ESPinfo

More Related