IPv4/v6 Mobility

Youn-Hee Han

yhhan@kut.ac.kr

Korea University of Technology and Education, Internet Computing Laboratory

http://icl.kut.ac.kr

Why IPv6 and Mobile IPv6

New Messages and Options of Mobile IPv6

  • New signalling messages related to Binding Management
    • Binding Update (BU)
    • Binding Acknowledgement (BAck)
    • Binding Refresh Request (BRR)
    • Binding Error (BE)
  • New signalling messages related to Binding Authentication
    • Home Test Init (HoTI)
    • Care-of Test Init (CoTI)
    • Home Test (HoT)
    • Care-of Test (CoT)
  • New Destination Option
    • Home Address Destination Option
  • New Routing Header Type
    • Routing Header Type 2

KT Seminar

Mobility Header
  • Extension header for mobility related signalling (p.80)
  • The total length of the Mobility Header is a multiple of 8 bytes
  • Payload Proto: IPPROTO_NONE
  • MH Type: BRR: 0, HoTI: 1, CoTI: 2, HoT: 3, CoT: 4, BU: 5, BAck: 6, BERR: 7

Processing Mobility Headers
  • A receiving node MUST observe the following rules, in order
    1. MH Type MUST be one of {0,1,…,7}
      • Otherwise, the node MUST discard the message and issue a BE (Binding Error) with status=2
    2. Payload Proto MUST be IPPROTO_NONE
      • Otherwise, the node MUST discard the message and SHOULD send ICMP Parameter Problem (Code 0)
    3. Checksum MUST be verified
      • Otherwise, the node MUST silently discard the message
    4. Header Len MUST NOT be less than the length required for the message type
      • Otherwise, the node MUST discard the message and SHOULD send ICMP Parameter Problem (Code 0)
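The four receive rules above, applied in order, as an added Python example (not from the slides): it builds a small constructed Mobility Header with a valid checksum, then runs the checks and reports the action the node takes. It assumes the source and destination addresses passed in are the ones the checksum pseudo-header uses (the home address when a Home Address option is present), and takes the minimum length per MH Type from RFC 3775.

```python
import ipaddress
import struct

IPPROTO_NONE = 59   # required Payload Proto value: nothing follows the Mobility Header
IPPROTO_MH = 135    # Next Header value of the Mobility Header, used in the pseudo-header
MH_TYPE_NAMES = {0: "BRR", 1: "HoTI", 2: "CoTI", 3: "HoT", 4: "CoT", 5: "BU", 6: "BAck", 7: "BE"}
# Minimum total length in bytes of each message type (6-byte fixed part included), per RFC 3775.
MH_MIN_LEN = {0: 8, 1: 16, 2: 16, 3: 24, 4: 24, 5: 12, 6: 12, 7: 24}


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum arithmetic over 16-bit words, with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def mh_checksum(src: str, dst: str, mh: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the whole MH with its Checksum field zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(mh), IPPROTO_MH))
    zeroed = mh[:4] + b"\x00\x00" + mh[6:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_mh(src: str, dst: str, mh_type: int, payload_proto: int = IPPROTO_NONE, body: bytes = b"") -> bytes:
    """Constructed sample builder: pads to a multiple of 8 octets, fills Header Len and Checksum."""
    raw = struct.pack("!BBBBH", payload_proto, 0, mh_type, 0, 0) + body
    raw += b"\x00" * (-len(raw) % 8)
    hdr_len = len(raw) // 8 - 1          # units of 8 octets, not counting the first 8
    raw = raw[:1] + bytes([hdr_len]) + raw[2:]
    return raw[:4] + struct.pack("!H", mh_checksum(src, dst, raw)) + raw[6:]


def validate_mh(src: str, dst: str, mh: bytes) -> tuple:
    """Apply the four receive-side rules in order; return (accepted, action or message name)."""
    if len(mh) < 8:                      # defensive pre-check before indexing the fixed part
        return False, "discard; ICMP Parameter Problem code 0 (truncated header)"
    payload_proto, hdr_len, mh_type = mh[0], mh[1], mh[2]
    if mh_type not in MH_TYPE_NAMES:                                   # rule 1
        return False, "discard; send Binding Error status=2"
    if payload_proto != IPPROTO_NONE:                                  # rule 2
        return False, "discard; ICMP Parameter Problem code 0 (Payload Proto)"
    if struct.unpack("!H", mh[4:6])[0] != mh_checksum(src, dst, mh):  # rule 3
        return False, "silently discard (checksum mismatch)"
    if (hdr_len + 1) * 8 < MH_MIN_LEN[mh_type]:                        # rule 4
        return False, "discard; ICMP Parameter Problem code 0 (Header Len)"
    return True, MH_TYPE_NAMES[mh_type]
```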

Pad1 and PadN
  • Pad1 (p.97) and PadN (p.97) option formats
  • Padding Example

Binding Update (1/2)
  • Binding HoA & CoA
    • Lifetime
      • Indicates how long the CoA is to be associated with the MN's HoA.
    • Sequence #
      • Enables a CN to put incoming BUs in proper chronological order.
    • Four flags (p.83, 89)
      • A: MN wants to get a BAck (when it is set)
      • H: MN considers the recipient to be its HA (when it is set)
      • L: MN's HoA shares the same IID as its link-local address (when it is set)
        • HA can protect the MN's link-local address while the MN is not located on the home link
      • K: MN has a (strong) security association with the recipient
    • CoA in the Source Address field (or Alternative CoA option)
    • HoA in the HAOpt (Home Address Option)

Binding Update (2/2)
  • Binding HoA & CoA
    • Possible Options
      • Alternative CoA option (p.86, 96)
        • If the BU contains this option, the HA no longer uses the Source IP address as the CoA and instead uses the address supplied in this option
      • Binding Authorization Data option (p.89)

Binding Acknowledgement
  • Acknowledges a Binding Update
  • Notifies the current status of the binding

Binding Error
  • used by the correspondent node to signal an error related to mobility

Binding Refresh Request
  • used by the correspondent node to request a mobile node's binding from the mobile node

Home Test Init (HoTI)
  • Initiate Return Routability
  • request a home keygen token from a correspondent node
  • Carrying Home Init Cookie

Care-of Test Init (CoTI)
  • Initiate Return Routability
  • request a care-of keygen token from a correspondent node
  • Carrying care-of Init Cookie

Home Test (HoT)
  • Responding to HoTI
  • Provide home keygen token
  • Carrying Home Init Cookie & Home Nonce Index

Care-of Test (CoT)
  • Responding to CoTI
  • Provide care-of keygen token
  • Carrying Care-of Init Cookie & Care-of Nonce Index

Home Address Destination Option (1/2)
  • Home Address Destination Option
    • Option Type = 201 (0xC9), Option Length = 16 (0x10)
    • Carried within the BU message and in packets sent by the MN to a CN
    • Carries the Home Addr. to inform the recipient (CN) of that packet of the MN's home address
    • In every packet from the MN, the following are included
      • CoA in the Source Addr. field
      • Home Addr. in the Home Address Destination Option
    • Makes mobility transparent to the upper layer
    • Ingress filtering (p.78)
      • A node is not free to transmit packets with its Home Addr. as the Source Addr. field

Home Address Destination Option (1/2)
  • Option Type = 201 (0xC9), Option Length = 16 (0x10)
  • The meaning of the top 2 bits of the option type (p.72)
    • 00: skip over this option and continue processing the header
    • 01: discard the packet and take no further action
    • 10, 11: discard the packet and send an ICMP Parameter Problem message to the packet's source address
  • The meaning of the third bit of the option type (p.72)
    • 0: the option data is not mutable in transit
    • 1: the option data is mutable in transit

Type 2 Routing Header
  • Type 2 Routing Header
    • Carries the Home Addr. to inform the recipient of that packet of the mobile node's home address
    • In packets destined to the MN, the following are included
      • CoA in the Destination Address field
      • Home Address in the Routing Header
    • Makes mobility transparent to the upper layer

BU Processing & Intercepting Packets destined to MN
  • Figure (p.87): the MN sends its initial Binding Update to the HA
  • The HA creates a Binding Cache Entry: MN's HoA = A, MN's CoA, H bit = 1, Lifetime = t
  • The HA then sends a Neighbor Advertisement (dest. addr. is FF02::1) with flags (R,S,O) = 001, target HoA = A, and a Target Link-Layer Address Option carrying the HA's Link-Layer Addr.

BU Processing & Intercepting Packets destined to MN
  • The HA keeps the Binding Cache Entry (MN's HoA = A, MN's CoA, H bit = 1, Lifetime = t) and answers on behalf of HoA = A
  • A node on the home link sends a Neighbor Solicitation for HoA = A
  • The HA replies with a Neighbor Advertisement (dest. addr. is the address of the soliciting node) with flags (R,S,O) = 011, target HoA = A, and a Target Link-Layer Address Option carrying the HA's Link-Layer Addr.

BU Processing at CN
  • CN returns BAck accepting BU…
  • Figure: MN A moves between Foreign Link A and Foreign Link B (via an AP) and sends a BU to the CN
    • BU packet: Source Addr. = MN A's COA, Destination Addr. = CN's Addr., Home Address Destination Option with Home Addr. = MN A's Home Addr., Mobility Header = BU
    • The CN adds MN A to its Binding Cache and returns a BAck
    • BAck packet: Source Addr. = CN's Addr., Destination Addr. = MN A's COA, Routing Header (Segment = 1) with Next Routing Addr. = MN A's Home Addr., Mobility Header = BAck

BU Processing at CN
  • CN returns BAck rejecting BU…
  • Figure: MN A (on Foreign Link A or B, via an AP) sends the same BU packet (Source Addr. = MN A's COA, Destination Addr. = CN's Addr., Home Address Destination Option with Home Addr. = MN A's Home Addr., Mobility Header = BU)
  • The CN does not create a Binding Cache entry and returns a BAck (Source Addr. = CN's Addr., Destination Addr. = MN A's COA, Routing Header with Segment = 1 and Next Routing Addr. = MN A's Home Addr., Mobility Header = BAck) rejecting the BU

Returning Home
  • Figure: the MN moves from the Foreign Link (via an AP) back to the Home Link
    1. The MN detects the move using the movement detection algorithm
    2. The MN sends a (deregistration) BU to the HA
    3. The HA removes the Proxy Neighbor Cache entry
    4. The HA sends a BAck
    5. The MN multicasts its own link-layer MAC address on its home link (Neighbor Advertisement)
  • Deregistration BU
    • IPv6 Header: Source Addr. = MN A's Home Addr., Destination Addr. = Home Agent's Addr.
    • Home Address Destination Option: Home Addr. = MN A's Home Addr.
    • Binding Update Option: A bit = 1, H bit = 1, Lifetime = 0

Return Routability
  • Return Routability
    • Background summary
      • Developed to guarantee more flexibly and reliably the security properties (authentication, confidentiality, DoS resistance) that are at stake when an MN tries to inform a CN of its temporary location.
      • Draft version 15 of MIPv6 was about to become the de facto final version for the RFC, but it did not, because a security weakness in the binding update part was raised as a problem. Until then, IPsec was to be used to protect binding update messages, but using that method to strongly authenticate binding updates requires building a global PKI (Public Key Infrastructure), which is neither feasible nor emphasized in the current Internet environment.

Return Routability
  • Return Routability
    • Security problems with the BU
      • 1. When an MN sends a BU message to the HA, an attacker can supply information claiming that some MN is located somewhere other than where it actually is (a different CoA); if the HA accepts this information, the MN stops receiving its packets while another node receives packets it did not want.
        • If an attacker falsely announces its CoA (Care-of Address), the CN sends every packet destined for the mobile node to the false CoA, which makes a DoS attack possible.
      • 2. When an attacker sends a BU message to a CN with its own address set as the victim MN's HoA (in the Home Address destination option), announcing false information, and the CN accepts it, the packets the CN intends to send to the victim MN arrive at the attacker, threatening both availability and confidentiality.
      • 3. An attacker can replay an old BU message so that packets are delivered to the MN's previous location, preventing the MN from receiving them.

Return Routability
  • Return Routability
    • Countermeasures for BU security
      • To prevent these attacks, when the MN sends a BU message to the HA the packet is protected with IPsec ESP (Encapsulating Security Payload), and when the MN sends a BU message to a CN the basic mechanism is RR: the message is sent only after confirming that both the HoA and the CoA are reachable.
    • Summary of RR
      • When an MN wants to inform a CN of its temporary location, the MN sends a random value (cookie) it generated to the CN over two paths (one via the HA, the other direct).
      • When the CN replies to each of the two messages that arrived over the two paths, it supplies different random values and nonces it generated itself. Afterwards, using the exchanged random values and nonces, the MN and CN generate a common session key, and with this key the CN authenticates the message in which the MN reports its temporary location.
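The two-path exchange just summarised, as an added Python example (not from the slides): the keygen-token, Kbm and authenticator constructions follow RFC 3775, with MH Data simplified to the BU's sequence, flags and lifetime fields. The addresses, cookies and node key Kcn are constructed; a sender holding only one of the two tokens, or a BU carrying a stale nonce index, cannot produce an authenticator the CN accepts.

```python
import hashlib
import hmac
import ipaddress
import os


def _packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def kbm_from_tokens(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token): both paths are needed to derive it."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm: bytes, coa: str, cn: str, mh_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data)), MH Data simplified."""
    return hmac.new(kbm, _packed(coa) + _packed(cn) + mh_data, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """CN side: keeps only its node key Kcn and a nonce table, so it stores nothing per MN."""

    def __init__(self):
        self.kcn = os.urandom(20)           # CN's secret node key (constructed)
        self.nonces = {0: os.urandom(8)}    # nonce index -> nonce, rotated over time
        self.current_index = 0

    def _keygen_token(self, addr: str, nonce_index: int, which: int) -> bytes:
        # home keygen token ends the input with 0, care-of keygen token with 1 (RFC 3775 5.2.5)
        msg = _packed(addr) + self.nonces[nonce_index] + bytes([which])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]   # First(64, ...)

    def on_hoti(self, hoa: str, home_init_cookie: bytes) -> dict:
        """HoT: goes back to the HoA via the HA, so only a node reachable at the HoA gets it."""
        return {"home_init_cookie": home_init_cookie, "home_nonce_index": self.current_index,
                "home_keygen_token": self._keygen_token(hoa, self.current_index, 0)}

    def on_coti(self, coa: str, careof_init_cookie: bytes) -> dict:
        """CoT: sent directly to the CoA, so only a node reachable at the CoA gets it."""
        return {"careof_init_cookie": careof_init_cookie, "careof_nonce_index": self.current_index,
                "careof_keygen_token": self._keygen_token(coa, self.current_index, 1)}

    def verify_bu(self, bu: dict) -> bool:
        """Recompute both tokens from the nonce indexes in the BU, rebuild Kbm, check the MAC."""
        if bu["home_nonce_index"] not in self.nonces or bu["careof_nonce_index"] not in self.nonces:
            return False                    # stale nonce: the MN must run RR again
        kbm = kbm_from_tokens(self._keygen_token(bu["hoa"], bu["home_nonce_index"], 0),
                              self._keygen_token(bu["coa"], bu["careof_nonce_index"], 1))
        expected = bu_authenticator(kbm, bu["coa"], bu["cn"], bu["mh_data"])
        return hmac.compare_digest(expected, bu["authenticator"])


def mobile_node_bu(cn: CorrespondentNode, hoa: str, coa: str, cn_addr: str, seq: int) -> dict:
    """MN: HoTI over the home path and CoTI over the direct path, then a BU protected with Kbm."""
    hot = cn.on_hoti(hoa, os.urandom(8))    # HoTI/HoT would be tunnelled through the HA
    cot = cn.on_coti(coa, os.urandom(8))    # CoTI/CoT go directly between CoA and CN
    kbm = kbm_from_tokens(hot["home_keygen_token"], cot["careof_keygen_token"])
    mh_data = seq.to_bytes(2, "big") + b"\x00\x00" + (100).to_bytes(2, "big")  # seq, flags, lifetime
    bu = {"hoa": hoa, "coa": coa, "cn": cn_addr, "mh_data": mh_data,
          "home_nonce_index": hot["home_nonce_index"],
          "careof_nonce_index": cot["careof_nonce_index"]}
    bu["authenticator"] = bu_authenticator(kbm, coa, cn_addr, mh_data)
    return bu
```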

Why Return Routability?
  • Authentication for both BU and BA
    • Ver.15 assumes that authentication of both BU and BA is based on IPsec.
      • "Authentication Data assuring the integrity of Binding Updates and Binding Acknowledgement MAY, in some cases, instead be supplied by other authentication mechanisms outside the scope of this document (e.g., IPsec [13])." [Mobile IPv6, Ver.15, Section 4.4]
    • Not all CNs can have a strong security association (e.g., IPsec) with a MN
      • It is 'Not Global Scale'
    • It is required to develop a universal method for the authentication of both BU and BA
    • Solution : Return Routability (ver.18)

Attack using Home Address Destination Option
  • DoS Attack using Home Address Destination Option
    • Hide the attacker's identity
    • Scenario (figure): the attacker sends the CN (reflector) a packet whose header has Source Addr. = Attacker's CoA and Destination Addr. = CN addr., with a Home Address Destination Option carrying Home Addr. = Victim's HoA; the CN's replies reach the victim as unexpected traffic

Attack using Home Address Destination Option
  • Solution to the DoS Attack using Home Address Destination Option
    • CN checks the validity of the home address
    • CN MUST process the Home Address Destination Option only if…
      • CN retains a binding cache entry for the MN's home address, or
      • CN retains an IPsec SA (Security Association) with the MN's home address
    • It is required to develop a scheme for defending against the DoS attack
    • Solution : If the CN does not have a correct binding cache entry corresponding to a HoA, the CN does not process the data packets and sends a Binding Error.

How to process Binding Error
  • Binding Error : Sending Packets While Away from Home
    • CN does not have a binding cache entry for the sender
  • Figure
    • The MN sends the CN a packet: IPv6 Packet Header with Source Addr. = COA and Destination Addr. = CN addr.; Home Address Destination Option with Home Addr. = Home Addr.
    • The CN checks whether there is a binding cache entry for the Home Addr.; there is none
    • The CN returns a Binding Error: Source Addr. = CN addr, Destination Addr. = CoA, Home Addr. field = Home Addr.

Short Communication
  • Sending Packets While Away from Home
    • For short-term communication (ex. : DNS Query)
    • Figure: the MN sends the DNS query directly from its CoA, with Source Addr. = COA and Destination Addr. = CN addr.

Conceptual Data Structure
  • Binding Cache
    • Cache of bindings for other nodes
    • Maintained by each IPv6 node for each of its IPv6 addresses
      • CNs, the HA, and
      • the HA on the link on which the MN's previous COA is located
    • May be implemented in any manner
      • e.g. combined with the node's Destination Cache as maintained by Neighbor Discovery
      • Destination Cache : maps a destination IP address to the IP address of the next-hop neighbor
      • Search Sequence : Binding Cache, then Destination Cache
    • Fields in a Binding Cache entry
      • Home Address (key value)
      • COA
      • Remaining Lifetime
      • Flag
      • Maximum value of SN
      • Recent usage info.

Conceptual Data Structure
  • Fields in Binding Cache Entry
    • Home Address : the search key; if the destination address of a packet matches a home address, the matching COA SHOULD be used in routing that packet
    • COA : the COA for the MN indicated by the home address field in this Binding Cache entry
    • Remaining Lifetime : once the lifetime expires, the entry MUST be deleted from the Binding Cache
    • Flag : indicates whether or not this Binding Cache entry is a "home registration" entry
      • "home registration" entry : an entry in a node's Binding Cache for which the node is serving as a home agent
    • Maximum value of the SN : value of the Sequence Number field received in the previous BU (8 bits long)
    • Recent usage information for this Binding Cache entry : used to implement the cache replacement policy, and to help determine whether a BRR should be sent when the lifetime on this entry nears expiration
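A Binding Cache with the fields listed above, as an added Python example (not from the slides): it applies the BU acceptance rule on sequence numbers, deletes entries whose lifetime expired, consults the cache before the Destination Cache, and performs the Home Address option check of the earlier "Attack using Home Address Destination Option" and "How to process Binding Error" slides (no binding for the HoA, or a binding to a different CoA, means discard plus Binding Error). It assumes the 16-bit sequence number and the status codes of RFC 3775, and takes a pluggable clock so expiry can be driven deterministically.

```python
import time

BACK_ACCEPTED = 0
BACK_SEQ_OUT_OF_WINDOW = 135   # BAck status (RFC 3775): sequence number out of window
BE_UNKNOWN_BINDING = 1         # Binding Error status: unknown binding for Home Address option


def seq_greater(new: int, old: int) -> bool:
    """True if 'new' is newer than 'old' under the 16-bit modular comparison of RFC 3775."""
    return 0 < (new - old) % 0x10000 < 0x8000


class BindingCacheEntry:
    def __init__(self, coa: str, lifetime: float, home_reg: bool, seq: int, now: float):
        self.coa, self.home_reg, self.max_seq = coa, home_reg, seq
        self.expires_at = now + lifetime    # remaining lifetime
        self.last_used = now                # recent usage info for replacement / BRR decisions


class BindingCache:
    """Binding Cache kept by a CN or HA, keyed by the mobile node's home address."""

    def __init__(self, clock=time.monotonic):
        self.entries = {}
        self.clock = clock

    def _purge_expired(self) -> None:
        now = self.clock()
        for hoa in [h for h, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[hoa]           # lifetime expired: entry MUST be deleted

    def process_bu(self, hoa: str, coa: str, seq: int, lifetime: int, home_reg: bool = False) -> int:
        """Return the BAck status this node would send for the Binding Update."""
        self._purge_expired()
        entry = self.entries.get(hoa)
        if entry is not None and not seq_greater(seq, entry.max_seq):
            return BACK_SEQ_OUT_OF_WINDOW   # replayed or reordered BU is not applied
        if lifetime == 0:                   # deregistration (e.g. the MN returned home)
            self.entries.pop(hoa, None)
        else:
            self.entries[hoa] = BindingCacheEntry(coa, lifetime, home_reg, seq, self.clock())
        return BACK_ACCEPTED

    def check_home_address_option(self, src_addr: str, hoa: str) -> tuple:
        """Data packet with a HAO: OK only if a binding maps this HoA to the packet's source CoA."""
        self._purge_expired()
        entry = self.entries.get(hoa)
        if entry is None or entry.coa != src_addr:
            return False, BE_UNKNOWN_BINDING   # discard and send Binding Error
        entry.last_used = self.clock()
        return True, None

    def next_hop_for(self, dst: str) -> str:
        """Binding Cache is consulted before the Destination Cache: HoA -> CoA when bound."""
        self._purge_expired()
        entry = self.entries.get(dst)
        if entry is None:
            return dst
        entry.last_used = self.clock()
        return entry.coa
```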

Conceptual Data Structure
  • Binding Update List
    • List recording information for each BU sent by this MN
      • whose Lifetime sent in that BU has not yet expired
    • Maintained by each MN
    • For multiple BUs sent to the same destination address, the Binding Update List contains only the most recent BU (with the greatest Sequence Number value)
    • Fields in a Binding Update List Entry
      • IP address (key value)
      • Home Address
      • COA
      • Initial Value of Lifetime
      • Remaining lifetime
      • Maximum value of SN
      • The time of last BU sent
      • The state of retransmission
      • Flag

Conceptual Data Structure
  • Fields in Binding Update List Entry
    • IP Address : the IP address of the node to which a BU was sent
    • Home Address : the mobile node's home address
    • COA : needed by the MN to determine whether it has sent a BU giving its new COA to this destination after changing its COA
    • Initial value of lifetime : the initial value of the Lifetime field sent in the BU
    • Remaining lifetime : decremented until it reaches zero, at which time this entry MUST be deleted from the Binding Update List
    • Maximum value of SN : the maximum value of the Sequence Number field sent in previous BUs to this destination
    • The time of last BU sent : needed to implement the rate-limiting restriction for sending BUs
    • The state of retransmission : the time remaining until the next retransmission attempt for the Binding Update (exponential back-off)
    • Flag : indicates that future BUs should not be sent to this destination
      • The MN sets this flag in the Binding Update List entry when it receives an ICMP Parameter Problem, Code 1, error message in response to a BU sent to this destination

Tunneling Intercepted Packets
  • In order to forward each intercepted packet to the MN, the HA MUST tunnel the packet to the MN using IPv6 encapsulation
  • When a HA encapsulates an intercepted packet…
    • Outer (tunnel) header: Source = HA's Address, Destination = MN's Primary CoA
    • Inner (original) header: Source = CN's Address, Destination = MN's HoA
  • When received by the MN, normal processing of the tunnel header will result in decapsulation and processing of the original packet by the MN

Handling Reverse Tunneled Packets
  • Unless a binding has been established between the MN and the CN, traffic from the MN to the CN goes through a reverse tunnel
    • The tunneled traffic arrives at the HA using IPv6 encapsulation
    • The tunnel entry point is the primary CoA as registered with the HA
    • The tunnel exit point is the HA
    • Outer (tunnel) header: Source = MN's Primary CoA, Destination = HA's Address
    • Inner (original) header: Source = MN's HoA, Destination = CN's Address

Why Reverse Tunneling?
  • Processing HoA and Reverse Tunneling
    • If the MN directly sends data packets to a CN (without help of a HA)
    • But, the CN does not have a correct binding cache entry corresponding to the HoA included in the packets
  • Flow (figure: MN, Home Agent, CN)
    1. CN discards the data packets
    2. CN sends Binding Error to MN
    3. MN sends BU to CN; for some time, MN sends the packets through the reverse tunnel (via the Home Agent)
    4. CN rejects the BU?
      • YES: MN continually sends the packets using the reverse tunnel
      • NO: MN directly sends the packets to CN

Packets from MN to CN
  • Mobility is transparent over the IP layer.
  • The packets to and from the MN (almost) always carry the Home Address.
  • Figure: MN on the Foreign N/W (via an AR), HA on the Home N/W, CN reached across the Internet
    • MN sends CN the packet with
      - CN's IP addr as destn addr &
      - CoA as src addr &
      - HoA in Home Address Option
    • CN receives the packet and
      - extracts HoA from the Home Address Option
      - puts HoA in the Src addr field
      - sends the packet to the upper layer for processing

Packets from MN to CN
  • Mobility is transparent over the IP layer.
  • The packets to and from the MN (almost) always carry the Home Address.
  • Figure: MN on the Foreign N/W (via an AR), HA on the Home N/W, CN reached across the Internet
    • CN sends MN the packet with
      - CN's IP addr as src addr &
      - CoA as destn addr &
      - HoA in Routing Header
    • MN receives the packet and
      - extracts HoA from the Routing Header
      - puts HoA in the Destn addr field
      - sends the packet to the upper layer for processing

How to process Routing Header Type 2
  • Packet Delivery Method from CN to MN using Routing Type 2 (figure: CN, Foreign Link A/B, AP, MN)
    • Packet sent by the CN: IPv6 Header with Source Addr. = CN's Addr., Destination Addr. = MN's COA; Routing Header with Type = 2, Segment = 1, Next Routing Addr. = MN's Home Addr.
    • At the MN (looping back): Destination Addr. = MN's Home Addr.; Routing Header with Type = 2, Segment = 0, Next Routing Addr. = MN's COA

Why Routing Header Type 2?
  • Problem of Routing Header
    • Traffic can get through a firewall using a Routing Header
    • It is required to discriminate between a routing header for general usage and a routing header for mobility
    • Solution
      • In addition to Routing Header Type 0, add Routing Header Type 2
      • The firewall executes a different process for a routing header with type 2
  • Figure: CN (Attacker), Firewall, Web Server, MN (Victim)
    • Packet from the attacker: Src = attacker, Dst = Web server, Routing Header addr = victim, Segment = 1
    • After the Web server processes the routing header: Src = attacker, Dst = victim, Routing Header addr = Web Server, Segment = 0
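The receive-side handling of Routing Header Type 2 from the previous slide, beside the type 0 / type 2 distinction this slide argues for, as an added Python example (not from the slides). The MN accepts a type 2 header only if Hdr Ext Len is 2, Segments Left is 1 and the carried address is one of its own home addresses (the checks of RFC 3775 section 6.4), then performs the swap the slide calls "looping back"; the firewall policy is illustrative, and the packet builder and addresses are constructed.

```python
import ipaddress
import struct

IPPROTO_ROUTING = 43
IPPROTO_NONE = 59
RH_TYPE_0, RH_TYPE_2 = 0, 2


def _packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def build_packet(src: str, dst: str, rh_type: int, addrs, seg_left: int) -> bytes:
    """Constructed sample: IPv6 header followed by one routing header and no payload."""
    rh = struct.pack("!BBBB4x", IPPROTO_NONE, 2 * len(addrs), rh_type, seg_left)
    rh += b"".join(_packed(a) for a in addrs)
    ip6 = struct.pack("!IHBB", 0x60000000, len(rh), IPPROTO_ROUTING, 64)
    return ip6 + _packed(src) + _packed(dst) + rh


def parse_routing_header(pkt: bytes):
    """(type, segments_left, hdr_ext_len, [addresses]) of the routing header after the IPv6 header."""
    if pkt[6] != IPPROTO_ROUTING:
        return None
    ext_len, rtype, seg_left = pkt[41], pkt[42], pkt[43]
    body = pkt[48:48 + ext_len * 8]
    addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body) - 15, 16)]
    return rtype, seg_left, ext_len, addrs


def firewall_verdict(pkt: bytes) -> str:
    """Illustrative policy from the slide: type 2 gets its own treatment, type 0 is dropped."""
    rh = parse_routing_header(pkt)
    if rh is None:
        return "pass"
    rtype, seg_left, ext_len, addrs = rh
    if rtype == RH_TYPE_2 and ext_len == 2 and seg_left == 1 and len(addrs) == 1:
        return "pass"       # exactly one hop, and the final destination will be that home address
    return "drop"           # type 0 (or a malformed type 2): the packet could be bounced past us


def mn_process_rh2(pkt: bytes, my_home_addresses) -> tuple:
    """MN receive side: RFC 3775 section 6.4 checks, then the swap the slide calls 'looping back'."""
    rh = parse_routing_header(pkt)
    if rh is None or rh[0] != RH_TYPE_2:    # other routing types are outside this example
        return "deliver", str(ipaddress.IPv6Address(pkt[24:40]))
    rtype, seg_left, ext_len, addrs = rh
    if ext_len != 2 or seg_left != 1:
        return "discard", "ICMP Parameter Problem code 0"
    if addrs[0] not in my_home_addresses:
        return "discard", "address in RH2 is not one of my home addresses"
    coa = pkt[24:40]
    # Destination Addr. <- HoA, RH address <- CoA, Segments Left <- 0; the packet is then
    # processed again by the MN's own stack, so upper layers see the home address.
    looped = pkt[:24] + _packed(addrs[0]) + pkt[40:43] + b"\x00" + pkt[44:48] + coa + pkt[64:]
    return "deliver", str(ipaddress.IPv6Address(looped[24:40]))
```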

Home Address Option
  • Home Address Option Processing
    • The Home Address destination option is used in a packet sent by a MN while away from home, to inform the recipient of that packet of the MN's home address
    • Figure: the MN on Foreign Link A/B (via an AP) sends the CN a packet with Source Addr. = COA, Destination Addr. = CN Addr., and a Home Address Destination Option carrying Home Addr. = Home Addr.

How to process Home Address Dest. Option
  • Packet Delivery from MN to CN by using Home Address Destination Option
    • The MN sends: IPv6 Packet Header with Source Addr. = COA, Destination Addr. = CN addr.; Home Address Destination Option with Home Addr. = Home Addr.
    • The CN checks that there is a binding cache entry for the Home Addr.
    • The CN swaps the addresses: Source Addr. = Home Addr., Destination Addr. = CN Addr., Home Address Destination Option = COA
    • The CN's transport layer then sees the packet as coming from Home Addr. to CN Addr.