slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
CCM 4300 Lecture 8 Computer Networks: Wireless and Mobile Communication Systems Dr E. Ever PowerPoint Presentation
Download Presentation
CCM 4300 Lecture 8 Computer Networks: Wireless and Mobile Communication Systems Dr E. Ever

Loading in 2 Seconds...

play fullscreen
1 / 59
Download Presentation

CCM 4300 Lecture 8 Computer Networks: Wireless and Mobile Communication Systems Dr E. Ever - PowerPoint PPT Presentation

Download Presentation

CCM 4300 Lecture 8 Computer Networks: Wireless and Mobile Communication Systems Dr E. Ever

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CCM 4300 Lecture 8 Computer Networks: Wireless and Mobile Communication Systems Dr E. Ever School of Computing Science

  2. Mobility and IP …… more information • Mobile Wireless Internet Forum • • • • IPv6 work including mobility support • "The 3G IP Multimedia Subsystem" by Gonzalo Camarillo and Miguel A. Garcia Martin (available in google books)

  3. Facts about Mobile IP • More than 2 billion subscribers • More than 70% of all digital mobile phones use GSM • 7.3 million people accesses the net via their mobile phones, during the second and third quarters of 2008. (BBC news channel) • An increase of 25% compared to growth of juts 3% for the PC based net audience-(BBC news channel) • IPv4 can do it all, it will be at a tremendous (unimaginable) cost and complexity • Only IPv6 offers enough addresses • IPv6 offers features needed for mobile networking • IPv6 utilises features to offer seamless roaming • Network layer roaming enables cost reduction and improve deploy ability

  4. Lesson objectives • To acquire a basic understanding of the basics of Mobile IPv4 and IPv6, you will: - Understand principles of network MIP and HMIP: • HA, CN, MN, FN, HN, FA, binding updates, CoA, RCoA. • Triangular rule • Route optimisation • Availability and access control. -Security in MIP • Key distribution Home Agent (HA) Correspondent Node (CN) Mobile Node (MN) Foreign Network(FN) Home Network(HN) Foreign Agent (FA) Care-of Address (COA)

  5. Mobile Network layer • • Mobile phone • • Mobile IP (Internet Protocol) • • Hand-off effects: • • addressing and routing • • operation of upper layer protocols • Mobile IPv6

  6. Why Mobile IP • Routing • Both ends of TCP (connection) need to keep the same IP address for the life of the session (home address, end-end) • change of physical subnet implies change of IP address to have a topological correct address (standard IP) or needs special entries in the routing tables (care-of-address, routing • Specific routes to end-systems? • change of all routing table entries to forward packets to the right destination • does not scale with the number of mobile hosts and frequent changes in the location, security problems • Changing the IP-address? • adjust the host IP address depending on the current location (managing a binding) • almost impossible to find a mobile system, DNS updates take a long time (dynamic tunnel between CoA & HA) • TCP connections break, security problems!!!!

  7. Requirements for Mobile IP • Transparency • mobile end-systems keep their IP address • continuation of communication after interruption of link possible • point of connection to the fixed network can be changed • Compatibility • support of the same layer 2 protocols as IP • no changes to current end-systems and routers required • mobile end-systems can communicate with fixed systems • Security • authentication of all registration messages • Efficiency and scalability • only little additional messages to the mobile system required (connection typically via a low bandwidth radio link) • world-wide support of a large number of mobile systems in the whole Internet

  8. Mobile IP: Terminology Mobile Node (MN) • system (node) that can change the point of connection to the network without changing its IP address Home Agent (HA) • system in the home network of the MN, typically a router • registers the location of the MN, tunnels IP datagrams to the COA Foreign Agent (FA) • system in the current foreign network of the MN, typically a router • forwards the tunneled datagrams to the MN, typically the default router for the MN Care-of Address (COA) • address of the current tunnel end-point for the MN (at FA or MN) • temporary IP address for a mobile device • allows a home agent to forward messages to the mobile device. • separate address is required because the IP address of the device that is used as host identification is topologically incorrect • actual location of the MN from an IP point of view, can be chosen, e.g., via DHCP Correspondent Node (CN) • communication partner

  9. Key Question How do mobile hosts maintain IP connectivity when mobility is supported at layer 3? • Here we investigate two extensions to IPv4. • As mobile computing devices increase in capability • mobile communication becomes increasingly wide-spread. • THE BIG QUESTION IS: • How can IP support mobile connectivity?

  10. Mobile IP: An Overview COA foreign network router FA MN home network router HA Internet CN router foreign network 3. router FA MN home network router HA 2. 4. Internet 1. CN router

  11. Mobile Phone network routing During call • Hand-off: • within area: BTS BTS • between areas: BSC  BSC, MSC informed of move to different area • MSC MSC: updates to HLR/VLR • Call maintained during hand-off: • only last-hop link • Transparent to user: • momentary signal loss(?) • Call set-up • • MS emits beacon: • • IMSI/IMEI unique ID • • beacon heard by BTS • • BTS BSC MSC • • MSC: • • HLR • • VLR • • updates HLR/VLR • • if VLR updated, sends info • to home network for MS • • Network always knowslocation of MS IMSI: international mobile subscriber identity IMEI: international mobile equipment identity

  12. HA 2 MN home network 3 receiver foreign network FA 1 CN sender Data transfer to the mobile system Triangular Internet 1. Sender sends to the IP address of MN, HA intercepts packet 2. HA tunnels packet to COA, here FA, by encapsulation 3. FA forwards the packet to the MN

  13. HA 1 MN home network sender FA foreignnetwork CN receiver Data transfer from the mobile system Internet 1. Sender sends to the IP address of the receiver as usual, FA works as default router

  14. HA 2 MN Internet home network 3 receiver foreign network FA 1. Sender sends to the IP address of MN, HA intercepts packet (proxy ARP) 2. HA tunnels packet to COA, here FA, by encapsulation 3. FA forwards the packet to the MN 1 CN sender Mobile phone network routing

  15. Mobile IP (1) • • Mobile host (MH): • • home network (HN), homeagent (HA) • • foreign network (FN), • foreign agent (FA) • • care-of-address (CoA) • • Communication: • • HA sends packets to CoA: • IP-in-IP encapsulation • • must reply to ARP for MH • • CoA: • • may be new IP address • • foreign agent • • Need to support mobileusers: • • Transparency: • • to upper layers • • to remote end-systems • • IPv4: IP address indicates • point of attachment toNetwork • • Movement of host means: • • new IPv4 address? • • update routing information?

  16. Mobile IP (2) 1) MH arrives at FN, and locates FA (using agent advertisements from FA or by solicitation). 2) MH completes registration procedure with FA. 3) MH updates HA with its new CoA (i.e. the FA). 4) Host A now tries to contact MH. Packets for MH are intercepted by HA 5) HA tunnels the packets from Host A to the CoA for MH (i.e. the FA) 6) The FA de-encapsulates the inner IP packet and transmits the packet locally to MH. 7) The packets from MH to Host A are sent directly from the FN.

  17. HA FA Host A remote network 4 5 Internet home network foreign network IP-in-IP encapsulation Data Data src = Host A dst = MH src = Host A dst = MH 7 2 3 src = Host A dst = MN 6 MH 1 Mobile IP (2)

  18. Encapsulation original IP header original data new IP header new data outer header inner header original data

  19. Mobile IP (3) • Transparent to non-mobilehosts • Does not break/changeexisting IP addressing androuting • Can be introduced into thenetwork as required • Normal (unicast) routers do not need to be modified • X Asymmetric routing: • Packets flowing in i.e. TCP connections flow through different routes to different directions. • • could be inefficient • • QoS • • higher layer protocol operation(e.g. TCP) • XSecurity: • • firewalls have to be (dynamically) configured • • authentication: • MH FN(?), FA HA(?) • MH HA • • end-to-end security? • XHand-off between FAs orFA/HA: • • lost packets(?)

  20. MN FA HA MN HA registration request registration request registration request registration reply registration reply t registration reply t Registration

  21. Handoffs: layer 2 versus Layer 3 • Layer 2 • • No global changes: • • only local last hop • • No routing at layer 2 • • No global addressing • significance at layer 2 • • Need to have same layer 2 • technology across network • • Mobility within network: • • no hand-off betweennetwork technologies Register a new IP Layer 3 • Global, end-system toend-system connectivity • Addresses have globalsignificance • Change in layer 3 addressis change to network • Layer 3 address validacross different layer 2technologies • Mobility across networks: • internetworking! Register an FA only

  22. TCP behaviour (1) Problems • Layer 2 cell hand-off: • data loss /corruption (also due to high BER in general) • no ACK for data • TCP: • no ACKslow start • TCP has degraded performance • High BER on wireless link (~10-3 - ~10-4 common): • corrupt data requires end-to-end re-tx (use layer 2 FEC) • Affects other transport-layer or application-layer protocols: • real-time applications – errors and packet loss are harmful

  23. TCP behaviour (2) Possible solutions • TCP SACK option: (selective acknowledgment) • retransmission of missing “holes” in byte stream • not always implemented • Use ECN in IP: (explicit congestion notification) • need to modify TCP interface and applications • Link-local re-tx: • on wireless hop • need to hold TCP, e.g. at base station • need re-tx protocol • Soft hand-off at layer 2: (a cell phone is simultaneously connected to two or more cells during a call.) • need to use CDMA, which has its own problems

  24. Network integration • Agent Advertisement • HA and FA periodically send advertisement messages into their physical subnets • MN listens to these messages and detects, if it is in the home or a foreign network (standard case for home network) • MN reads a COA from the FA advertisement messages • Registration (always limited lifetime!) • MN signals COA to the HA via the FA, HA acknowledges via FA to MN • these actions have to be secured by authentication • Advertisement • HA advertises the IP address of the MN (as for fixed systems), i.e. standard routing information • routers adjust their entries, these are stable for a longer time (HA responsible for a MN over a longer period of time) • packets to the MN are sent to the HA, • independent of changes in COA/FA

  25. Encapsulation I • Encapsulation of one packet into another as payload • e.g. IPv6 in IPv4 (6Bone), Multicast in Unicast (Mbone) • here: e.g. IP-in-IP-encapsulation, minimal encapsulation or GRE (Generic Record Encapsulation) • IP-in-IP-encapsulation (mandatory, RFC 2003) • tunnel between HA and COA

  26. Encapsulation II • Minimal encapsulation (optional) • avoids repetition of identical fields • e.g. TTL, IHL, version, DS (RFC 2474, old: TOS) • only applicable for unfragmented packets, no space left for fragment identification

  27. original header original data outer header GRE header originalheader original data new header new data Generic Routing Encapsulation An example: RFC 1701 ver. IHL DS (TOS) length IP identification flags fragment offset TTL GRE IP checksum RFC 2784 IP address of HA Care-of address COA C R K S s rec. rsv. ver. protocol C reserved0 ver. protocol checksum (optional) offset (optional) checksum (optional) reserved1 (=0) key (optional) sequence number (optional) routing (optional) ver. IHL DS (TOS) length IP identification flags fragment offset TTL lay. 4 prot. IP checksum IP address of CN IP address of MN TCP/UDP/ ... payload

  28. Optimisation of packet forwarding • Triangular Routing • sender sends all packets via HA to MN • higher latency and network load (for each RTT) • “Solutions” • sender learns the current location of MN (give away your position!) • direct tunneling to this location • HA informs a sender about the location of MN • big security problems! • Change of FA • packets on-the-fly during the change can be lost • new FA informs old FA to avoid packet loss (chaining),old FA now forwards remaining packets to new FA • this information also enables the old FA to release resources for the MN

  29. CN HA FAold FAnew MN request update ACK data data registration registration update data ACK data data warning update ACK data data t Change of the foreign agent with the optimized mobile IP Direct tunneling is used. HA only provides information about FA MN changeslocation

  30. Change of foreign agent CN HA FAold FAnew MN Data Data Data Update ACK Data Data MN changeslocation Registration Update ACK Data Data Data Warning Request Update ACK Data Data t

  31. Reverse Tunneling (RFC 2344) • Mobile Internet Protocol (IP) uses tunneling from the home agent to the mobile node's care-of address, but rarely in the reverse direction. • Usually, a mobile node sends its packets through a router on the foreign network, and assumes that routing is independent of source address. • When this assumption is not true (it is not feasible or desired to have the mobile node send datagrams directly to the internetwork using FA), it is convenient to establish a topologically correct reverse tunnel from the care-of address to the home agent.

  32. Reverse tunneling: HA 2 MN Internet home network 1 sender FA foreignnetwork 1. MN sends to FA 3 2. FA tunnels packets to HA by encapsulation CN 3. HA forwards the packet to the receiver (standard case) receiver

  33. Reverse tunneling (RFC 3024, was: 2344) HA 2 MN Internet home network 1 sender FA foreignnetwork 1. MN sends to FA 2. FA tunnels packets to HA by encapsulation 3. HA forwards the packet to the receiver (standard case) 3 CN receiver

  34. Mobile IP with reverse tunneling • Router accept often only “topological correct“ addresses (firewall!) • a packet from the MN encapsulated by the FA is now topological correct • furthermore multicast and TTL problems solved (TTL in the home network correct, but MN is to far away from the receiver) • Reverse tunneling does not solve • problems with firewalls, the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking) • optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing) • The standard is backwards compatible • the extensions can be implemented easily and cooperate with current implementations without these extensions • Agent Advertisements can carry requests for reverse tunneling

  35. Mobile IP and IPv6 • Mobile IP was developed for IPv4, but IPv6 simplifies the protocols • security is integrated and not an add-on, authentication of registration is included • COA can be assigned via auto-configuration (DHCPv6 is one candidate), every node has address auto configuration • no need for a separate FA, all routers perform router advertisement which can be used instead of the special agent advertisement; addresses are always co-located (any router can act like an FA) • MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimsation) • “soft“ hand-over, i.e. without packet loss, between two subnets is supported • MN sends the new COA to its old router • the old router encapsulates all incoming packets for the MN and forwards them to the new COA • authentication is always granted

  36. Mobile IP and IPv6 (2) • Once a MN moves into a foreign network, acquiring a new IP address - (CoA) • The MN is required to register this address with its HA via a binding update. • This binding update is issued over an IPSec tunnel, using an IPv6 security association, to protect its integrity and authenticity.

  37. Mobile IPv6 Protocol: an overview Correspondent node Home agent Advertisement from local router contains routing prefix Seamless Roaming: MN always uses home address Address configuration for care-of-address Binding Updates sent to home agent & correspondent nodes (home address, care-of address, binding life time) Mobile node ALWAYS ON by way of Home agent Correspondent node with binding Local router

  38. Mobile IPv6 Design Points (why?) Enough address (340 undecillion 1036 addresses) Addresses in IPv6 are 128 bits long, compared to 32-bit addresses in IPv4. The very large IPv6 address space supports a total of 2128 (about 3.4×1038) addresses 340,282,366,920,938,463,463,374,607,431,768,211,456 In China alone, there are 8 million IPv4 addresses and 70+ million handsets Enough security (almost, not quite!) KDC, symmetric key, managing 10 million security associates, authentication header, security payload Address Autoconfiguration Movement detection, Monitoring advertisement Route Optimisation (binding updates part of IPv6) Destination Options (binding updates and acks) no reg and reg reply

  39. Other relevant issues with IP Seamless Mobility Paging, context transfer, micro-mobility (localised binding management) Robust Header Compression Reducing 40/60 bytes of header overhead to 2-3 byte Authentication, Authorisation, and Accounting (AAA) Smooth handover == low loss Fast handover == low delay (approx 30 ms) Seamless handover == smooth and fast

  40. Mobile-controlled seamless handover Scenario I: mobile sends special Router Solicitation (RS) Previous Access Router replies with proxy Router Advert (RA) Previous Access Router sends Handover Initiate (HI) New Access Router sends Handover Acknowledge (HACK) kjhasj RS HI RA HAck

  41. Network Controlled Handover Previous access router sends Proxy Router Advertisement on behalf of the new access router – contains prefix and lifetime information … Previous access router sends Handover Initiate message to new access router Mobile node May finalise context transfer at new access router HI Proxy router adv HAck

  42. Problems with mobile IP • Security • authentication with FA problematic, for the FA typically belongs to another organisation • no protocol for key management and key distribution has been standardised in the Internet • patent and export restrictions • Firewalls • typically mobile IP cannot be used together with firewalls, special set-ups are needed (such as reverse tunneling) • QoS • many new reservations in case of RSVP • tunneling makes it hard to give a flow of packets a special treatment needed for the QoS • Security, firewalls, QoS etc. are topics of current research and discussions! RSVP (Resource reSerVation Protocol)

  43. Security in Mobile IP • Security requirements (Security Architecture for the Internet Protocol, RFC 1825) • Integrity: any changes to data between sender and receiver can be detected by the receiver • Authentication: sender address is really the address of the sender and all data received is really data sent by this sender • Confidentiality: only sender and receiver can read the data • Non-Repudiation: sender cannot deny sending of data • Traffic Analysis: creation of traffic and user profiles should not be possible • Replay Protection: receivers can detect replay of messages

  44. IP security architecture I IP-Header IP header Authentification-Header authentication header UDP/TCP-Paket UDP/TCP data not encrypted encrypted • Two or more partners have to negotiate security mechanisms to setup a security association • typically, all partners choose the same parameters and mechanisms • Two headers have been defined for securing IP packets: • Authentication-Header • guarantees integrity and authenticity of IP packets • if asymmetric encryption schemes (Public, Private Keys) are used, non-repudiation can also be guaranteed • Encapsulation Security Payload • protects confidentiality between communication partners IP header ESP header encrypted data

  45. IP security architecture II • Mobile Security Association for registrations • parameters for the mobile host (MH), home agent (HA), and foreign agent (FA) • Extensions of the IP security architecture • extended authentication of registration • prevention of replays of registrations • time stamps: 32 bit time stamps + 32 bit random number • Nonces (number for once pseudo random number): 32 bit random number (MH) + 32 bit random number (HA) MH-FA authentication FA-HA authentication MH-HA authentication registration request MH FA HA registration request registration reply registration reply

  46. Key distribution • Home agent distributes session keys • foreign agent has a security association with the home agent • mobile host registers a new binding at the home agent • home agent answers with a new session key for foreign agent and mobile node FA MH response: EHA-FA {session key} EHA-MH {session key} HA

  47. IP Micro-mobility support • Micro-mobility support (Change FA): • Efficient local handover inside a foreign domainwithout involving a home agent • Reduces control traffic on backbone • Especially needed in case of route optimisation • Example approaches: • Cellular IP • HAWAII • Hierarchical Mobile IP (HMIP) • Important criteria: Security Efficiency, Scalability, Transparency, Manageability

  48. Support for Mobility in IPv6 • • Route optimisation: • • send CoA to remote end-system • • Security: • • authentication and privacy • • Stateless address auto-configuration: • • find an address (CoA) foruse at the FN • • Neighbour discovery: • • find default router • • No FA required to support mobility: • • MH takes care of home • address and foreign address • • Need dynamic DNS update support

  49. Cellular IP (CIP) Internet Mobile IP CIP Gateway data/control packets from MN 1 BS BS BS packets from MN2 to MN 1 MN1 MN2 • Operation: • “CIP Nodes“ maintain routing entries (soft state) for MNs • Multiple entries possible • Routing entries updated based on packets sent by MN • CIP Gateway: • Mobile IP tunnel endpoint • Initial registration processing • Security provisions: • all CIP Nodes share„network key“ • MN key: MD5(net key, IP addr) • MN gets key upon registration

  50. Cellular IP: Security • Advantages: • Initial registration involves authentication of MNsand is processed centrally by CIP Gateway • All control messages by MNs are authenticated • Replay-protection (using timestamps) • Potential problems: • MNs can directly influence routing entries • Network key known to many entities(increases risk of compromise) • No re-keying mechanisms for network key • No choice of algorithm (always MD5, prefix+suffix mode) • Message-Digest algorithm 5 is a widely used cryptographic hash function