
Mobile IP

Miae Woo


Motivation for Mobile IP

• Routing based on IP destination address: the network prefix (e.g. 129.13.42) determines the physical subnet
  • a change of physical subnet implies a change of IP address to keep a topologically correct address (standard IP), or needs special entries in the routing tables

• Specific routes to end-systems? Changing all routing table entries to forward packets to the right destination
  • does not scale with the number of mobile hosts and frequent changes in location
  • security problems

• Changing the IP address? Adjusting the host IP address depending on the current location
  • makes it almost impossible to find a mobile system; DNS updates take too long
  • TCP connections break
  • security problems


What is Mobile IP?

• A modification to IP that allows nodes to continue to receive datagrams no matter where they happen to be attached to the Internet

• Topics
  • Advertisement - Agent discovery
  • Registration
  • Tunneling
  • Route optimization


Functional Entities

• Mobile node (MN): a host or router that changes its point of attachment without changing its IP address

• Home agent (HA): a router on a mobile node’s home network; delivers datagrams to departed MNs and maintains current location information for each departed MN

• Foreign agent (FA): a router on a mobile node’s visited network; cooperates with the HA to complete the delivery of datagrams to the departed MN

• Correspondent node (CN): communication partner

[Figure: CN, HA, FAs and MN connected through the Internet; Subnet A is a physical network for mobile hosts, Subnets B and C each have a FA; the MN is shown on its home subnet and on a visited subnet]


Protocol Overview

• Agent discovery: HAs and FAs advertise their availability

• Registration Request / Reply: registers the MN’s care-of address (COA) with the HA
  • authentication
  • registration lifetime
  • registration response and binding

• Tunneling: to deliver a datagram to the MN, the HA tunnels the datagram to the COA
  • IP-in-IP Encapsulation
  • Minimal Encapsulation
  • Generic Record Encapsulation (GRE)


Protocol Procedures

[Figure: MN, HA, FA and a Correspondent Node connected through the Internet across Subnets A, B and C]

0. MN moves to subnet B
1. Agent Advertisement
2. Determine whether it is on its home network or a foreign network
3. Obtain a care-of address
4. Registration Request
5. Registration Response and binding
6. Datagrams to the MN arrive on the home network via standard IP routing
7. Datagram is intercepted by the HA and tunneled to the care-of address


IP Datagram Flow

[Figure: Correspondent Node, HA and FA connected through the Internet across Subnets A, B and C]

1. A datagram to the MN arrives on the home network via standard IP routing.
2. The datagram is intercepted by the HA and is tunneled to the care-of address.
3. The datagram is detunneled and delivered to the MN.
4. Standard IP routing delivers each datagram sent by the MN to its destination.


Care-of Address Acquisition

• A FA care-of address: a care-of address provided by a FA through its agent advertisement messages. The care-of address is an IP address of the FA. The FA:
  • is the endpoint of the tunnel
  • decapsulates tunneled datagrams and delivers the inner datagram to the MN
  • Advantage: no demand for IPv4 address space

• A colocated care-of address: a care-of address acquired by the MN as a local IP address through some external means, which the mobile node then associates with one of its own network interfaces.
  • The MN serves as the end point of the tunnel and performs decapsulation of the datagram
  • Advantage: no need for the service of any HA.


Agent Discovery

• The method by which a MN determines whether it is currently connected to its home network or to a foreign network, and detects when it has moved from one network to another

• Agent advertisement: formed by including a mobility agent advertisement extension in an ICMP (Internet Control Message Protocol) Router Advertisement message

• A mobility agent transmits agent advertisements to advertise its services on a link (max: 1/sec)

• MNs use these advertisements to determine their current point of attachment to the Internet.

• No authentication required


Mobility Agent Extension Format

• type : type to distinguish between various kinds of extensions; 16

• length : length of this single extension; (6+4*N), where N is the number of COA advertised

• sequence number : count of agent advertisement messages sent since the agent was initialized

• lifetime : the longest lifetime that this agent is willing to accept in any registration request

• R : registration required (rather than using a colocated COA)

• B : FA is busy

• H : Home agent

• F : Foreign agent

• M : Minimal encapsulation

• G : generic record encapsulation (GRE)

• V : Van Jacobson header compression

• care-of address : the advertised foreign agent care-of address provided by this FA
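As an added example (not from the slides), a Python decoder for the mobility agent advertisement extension described above. The slide gives the type (16) and the length rule (6+4*N); the 16-bit sequence number and lifetime fields and the MSB-first bit positions of the R/B/H/F/M/G/V flags are assumed from the standard encoding. The point for a receiver is that every read is bounded by the extension's own length field, so a malformed advertisement is rejected rather than read past the buffer.

```python
import socket
import struct

MOBILITY_AGENT_ADV_EXT = 16      # extension type given on the slide
FIXED_LEN = 6                    # length field is 6 + 4*N
FLAG_BITS = {"R": 0x80, "B": 0x40, "H": 0x20,    # bit positions assumed (MSB first)
             "F": 0x10, "M": 0x08, "G": 0x04, "V": 0x02}


def parse_agent_adv_extension(data: bytes) -> dict:
    """Decode one mobility agent advertisement extension carried in an ICMP
    Router Advertisement. Rejects anything whose length field does not match
    6 + 4*N or does not fit the bytes actually received."""
    if len(data) < 2 + FIXED_LEN:
        raise ValueError("truncated extension")
    ext_type, length = data[0], data[1]
    if ext_type != MOBILITY_AGENT_ADV_EXT:
        raise ValueError(f"unexpected extension type {ext_type}")
    if length < FIXED_LEN or (length - FIXED_LEN) % 4 or len(data) < 2 + length:
        raise ValueError(f"length {length} is not 6 + 4*N or exceeds the buffer")
    seq, lifetime, flag_byte, _reserved = struct.unpack("!HHBB", data[2:2 + FIXED_LEN])
    flags = {name for name, bit in FLAG_BITS.items() if flag_byte & bit}
    n_coa = (length - FIXED_LEN) // 4
    body = data[2 + FIXED_LEN:2 + length]
    coas = [socket.inet_ntoa(body[i:i + 4]) for i in range(0, 4 * n_coa, 4)]
    # Sanity check: an agent advertising foreign agent service must offer a COA.
    if "F" in flags and not coas:
        raise ValueError("F bit set but no care-of address advertised")
    return {"sequence": seq, "lifetime": lifetime,
            "flags": flags, "care_of_addresses": coas}


def build_agent_adv_extension(seq: int, lifetime: int, flags, coas) -> bytes:
    """Inverse of the parser; used here only to construct sample input."""
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    body = b"".join(socket.inet_aton(a) for a in coas)
    return struct.pack("!BBHHBB", MOBILITY_AGENT_ADV_EXT, FIXED_LEN + len(body),
                       seq, lifetime, flag_byte, 0) + body


# Constructed sample: a FA (R, F, G set) advertising one COA with a 1800 s lifetime.
SAMPLE = build_agent_adv_extension(291, 1800, {"R", "F", "G"}, ["192.0.2.1"])
```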


Agent Discovery by MN

• Registration required: when the MN receives an agent advertisement with the R bit set; intended to allow sites to enforce visiting policies, which require an exchange of authorization

• Returning home: when the MN receives an agent advertisement from its own HA, it configures its routing table appropriately for its home network and deregisters with its HA


Registration

• Provides a flexible and reliable mechanism for MNs to communicate their current reachability information to their HA

• Method used by a MN to
  • request forwarding services when visiting a foreign network
  • inform its home agent of its current care-of address
  • renew a binding that is due to expire
  • deregister when it returns home

• Registration messages exchange the MN’s current binding information among a MN, its HA, and possibly a FA
  • to create/modify a mobility binding at the HA
  • to associate the MN’s home address with its care-of address for the registration lifetime


Registration Overview

[Figure: two registration message flows]

By means of a foreign agent (MN - FA - HA):
1. FA advertises service
2. MN requests service
3. FA relays request to HA
4. HA accepts or denies
5. FA relays status to MN

Without intermediary (MN - HA):
1. MN requests service
2. HA accepts or denies

A MN registers by means of a foreign agent if it is registering a foreign agent COA; it registers without intermediary if it uses a colocated COA or if it is deregistering with its HA.


Registration Messages

• Types
  • registration request
  • registration reply

• Use UDP
  • Mobile IP defines its own retransmission to handle cases of dropped packets.


Registration Request Fields

• Type : 1 (registration request)

• S : Simultaneous bindings; If set, the MN is requesting that the HA retain its prior mobility bindings

• B : Broadcast datagrams; If set, the MN requests that the HA tunnel to it any broadcast datagrams that it receives on the home network

• D : Decapsulation; If set, the MN informs the HA that it will decapsulate datagrams that are sent to the care-of address

• Lifetime : The number of seconds remaining before the registration is considered expired

• Identification : used for matching registration requests/replies and for preventing against replay attacks


Authentication

• Registration messages between a MN and its HA are required to be authenticated with the mobile-home authentication extension.

• Types of authentication extensions
  • The mobile-home authentication extension: required in all registration requests/replies
  • The mobile-foreign authentication extension
  • The foreign-home authentication extension

• SPI (Security Parameter Index): selects the authentication algorithm and mode, and the secret used to compute the authenticator; 0 ~ 255: reserved

• Authenticator: variable length, depending on the SPI
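Added example (not from the slides) that ties the registration request fields of the previous slide to the mobile-home authentication extension of this one: the MN appends an authenticator keyed by the SPI, and the HA verifies it, refuses reserved SPIs, and uses the identification field for replay protection. Assumed, because the slides do not state them: the layout of the fixed request part (home address, home agent address and care-of address after the lifetime, then a 64-bit identification), extension type 32 for the mobile-home authentication extension, HMAC-SHA256 as a stand-in for the algorithm the SPI selects, and a strictly increasing identification (timestamp style) as the replay rule.

```python
import hashlib
import hmac
import socket
import struct

REG_REQUEST = 1                              # Type of a registration request (slide)
FLAG_S, FLAG_B, FLAG_D = 0x80, 0x40, 0x20    # S, B, D flag bits (positions assumed)
MOBILE_HOME_AUTH_EXT = 32                    # extension type, assumed
REQ_FMT = "!BBH4s4s4sQ"    # type, flags, lifetime, home addr, HA addr, COA, identification
REQ_LEN = struct.calcsize(REQ_FMT)           # 24 bytes
EXT_HDR = "!BBI"                             # extension type, length, SPI
EXT_HDR_LEN = struct.calcsize(EXT_HDR)


def build_registration_request(flags, lifetime, home, home_agent, coa, identification):
    """Fixed part of a registration request (field layout assumed)."""
    return struct.pack(REQ_FMT, REG_REQUEST, flags, lifetime, socket.inet_aton(home),
                       socket.inet_aton(home_agent), socket.inet_aton(coa), identification)


def authenticator(key: bytes, spi: int, request: bytes) -> bytes:
    """Authenticator over the request plus the extension's own type, length and SPI,
    so that none of them can be swapped without detection. HMAC-SHA256 stands in
    for whichever algorithm and mode the SPI really selects."""
    ext_len = 4 + hashlib.sha256().digest_size          # SPI + authenticator
    covered = request + struct.pack(EXT_HDR, MOBILE_HOME_AUTH_EXT, ext_len, spi)
    return hmac.new(key, covered, hashlib.sha256).digest()


def add_mobile_home_auth(request: bytes, key: bytes, spi: int) -> bytes:
    """MN side: append the mobile-home authentication extension."""
    mac = authenticator(key, spi, request)
    return request + struct.pack(EXT_HDR, MOBILE_HOME_AUTH_EXT, 4 + len(mac), spi) + mac


class HomeAgent:
    """HA side: verify the extension, then reject replays by identification."""

    def __init__(self, keys_by_spi: dict):
        self.keys = keys_by_spi
        self.last_ident = {}          # home address -> highest identification accepted

    def check(self, packet: bytes) -> str:
        if len(packet) < REQ_LEN + EXT_HDR_LEN:
            return "malformed"
        request, ext = packet[:REQ_LEN], packet[REQ_LEN:]
        ext_type, ext_len, spi = struct.unpack(EXT_HDR, ext[:EXT_HDR_LEN])
        if ext_type != MOBILE_HOME_AUTH_EXT or ext_len != len(ext) - 2:
            return "malformed"
        if spi < 256 or spi not in self.keys:           # SPIs 0 ~ 255 are reserved
            return "unknown SPI"
        expected = authenticator(self.keys[spi], spi, request)
        if not hmac.compare_digest(ext[EXT_HDR_LEN:], expected):   # constant-time compare
            return "bad authenticator"
        msg_type, _, _, home, _, _, ident = struct.unpack(REQ_FMT, request)
        if msg_type != REG_REQUEST:
            return "malformed"
        if ident <= self.last_ident.get(home, -1):      # replay rule assumed: must increase
            return "replay"
        self.last_ident[home] = ident
        return "accepted"
```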


Tunneling

• Encapsulation

• General tunneling
  • Generally useful for multicast and multiprotocol operation, security, privacy

• Available methods
  • IP-in-IP encapsulation
  • Minimal encapsulation
  • GRE

[Figure: the source performs encapsulation, the datagram traverses the tunnel, the destination performs decapsulation]


IP-in-IP Encapsulation

• The outer IP header source and destination addresses identify the end-points of the tunnel.

• The inner IP header source and destination addresses identify the original sender and recipient of the datagram.

• No change in the inner IP header except to decrement the TTL by 1

• Other headers
  • IP authentication header

• Allows fragmentation at the HA when needed to deal with tunnels with smaller path MTUs.

[Figure: Original IP Header | Original IP Payload becomes Outer IP Header | Other headers (optional) | Inner IP Header | Original IP Payload; the outer header carries the tunnel endpoints]
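Added example (not from the slides) of IP-in-IP encapsulation as described above, in Python: the HA wraps the original datagram in an outer header whose addresses are the tunnel endpoints and whose protocol number is 4, the inner header changes only by TTL minus one (with its checksum recomputed), and the tunnel endpoint validates the outer header before stripping it. Assumed: 20-byte IPv4 headers without options, identification 0 and no fragmentation flags on the outer header, an outer TTL of 64, and the constructed addresses used in the sample.

```python
import socket
import struct

IPPROTO_IPIP = 4          # protocol number of the outer header for IP-in-IP
HDR = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options
HDR_LEN = struct.calcsize(HDR)


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Build a minimal IPv4 header (identification 0, no fragmentation flags)."""
    fields = [0x45, 0, HDR_LEN + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields)


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header and verify its checksum (a valid header sums to 0)."""
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:HDR_LEN])
    if vihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if checksum(pkt[:HDR_LEN]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"total_len": total, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def encapsulate(datagram: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """HA side: put an outer header addressed to the tunnel endpoint in front of the
    original datagram. The inner header is untouched except for TTL - 1."""
    inner = parse_header(datagram)
    if inner["ttl"] <= 1:
        raise ValueError("inner TTL exhausted; datagram must be dropped, not tunneled")
    hdr = bytearray(datagram[:HDR_LEN])
    hdr[8] -= 1                                   # TTL byte
    hdr[10:12] = b"\x00\x00"                      # recompute the inner checksum
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    inner_pkt = bytes(hdr) + datagram[HDR_LEN:inner["total_len"]]
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, 64, len(inner_pkt))
    return outer + inner_pkt


def decapsulate(pkt: bytes, my_addr: str) -> bytes:
    """Tunnel endpoint (FA, or MN with a colocated COA): check the outer header,
    then hand the inner datagram on."""
    outer = parse_header(pkt)
    if outer["proto"] != IPPROTO_IPIP or outer["dst"] != my_addr:
        raise ValueError("not an IP-in-IP datagram for this tunnel endpoint")
    inner = pkt[HDR_LEN:outer["total_len"]]
    parse_header(inner)                           # validate before forwarding
    return inner
```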


Minimal Encapsulation

• To eliminate the duplication that occurs in IP-in-IP encapsulation

• Restriction on fragmentation

• Header format

[Figure: Original IP Header | Original IP Payload becomes Outer IP Header | Minimal Encapsulator Header | Original IP Payload; the outer header carries the tunnel endpoints and the minimal encapsulator header carries the destination IP address]


Generic Record Encapsulation

• Can encapsulate numerous other protocols besides IP

[Figure: original header | original data becomes outer header | GRE header | original header | original data, i.e. a new header followed by the original packet as new data]


ARP, Proxy ARP, Gratuitous ARP

• The HA is required to broadcast gratuitous ARPs as soon as the MN moves away from its home network and registers a new care-of address.

• The HA will continue to proxy ARP for the MN until the MN returns home.

• After returning home, the MN broadcasts gratuitous ARPs before deregistration.

• The HA broadcasts gratuitous ARPs after accepting the deregistration request.

[Figure: home network with Router, Home Agent and hosts X, Y and Z. While Z is at home, the ARP reply for Z_IP gives Z_MAC; after Z has moved away, the Home Agent answers the ARP reply for Z_IP with HA_MAC]


Route Optimization

• To eliminate the triangle routing problem

• Route optimization extensions
  • Objective: route datagrams from a correspondent node to a MN without going to the HA first
  • Allow datagrams in flight when a MN moves, and datagrams sent based on an out-of-date cached binding, to be forwarded directly to the MN’s new care-of address

• Authentication


Route Optimization Overview

• Update binding caches

• Managing smooth handoffs between FAs

• Acquiring registration keys for smooth handoffs

• Using special tunnels

• Concerned areas
  • Supplying a binding update to any correspondent node that needs one
  • Providing the means to create the needed authentication and replay protection so that the recipient of a binding update message can believe it
  • Allowing the MN and FA to create a registration key for later use in making a smooth transition to a new point of attachment


Foreign Agent Smooth Handoff

• Make the transition as smooth as possible as the MN moves from one point of attachment to the next; achievable by delivering datagrams correctly even though they may arrive at the old care-of address

• The new FA sends a binding update message to the previous FA as part of registration, requesting an ack from the previous FA.

• The previous FA creates a binding cache entry for the MN to serve as a forwarding pointer.

• MN and FA need to establish a new registration key


Route Optimization Scenario

[Figure: Host, HA, FA1 and FA2 connected through the Internet across Subnets A, B, C and D]


Route Optimization Procedure

[Figure: message sequence between Internet Host, HA, FA1, MN and FA2, read top to bottom]

1. Registration request from the MN, relayed by FA1 to the HA; registration reply back via FA1
2. Packet to MN from the host: tunneling by the HA to FA1, delivery to the MN
3. Binding Update to the host; the next packet to MN is delivered directly
4. MN moved: registration request via FA2; Binding Update from FA2 to FA1, Binding Ack from FA1; registration reply via FA2
5. Packet to MN still sent to FA1 is forwarded and delivered; Binding Warning, then Binding Update to the host; registration reply


Reverse tunneling (RFC 2344)

[Figure: MN and FA on the foreign network, HA on the home network, CN as receiver, connected through the Internet; steps 1 to 3 marked along the path]

1. MN sends to FA
2. FA tunnels packets to HA by encapsulation
3. HA forwards the packet to the receiver (standard case)


Mobile IP with reverse tunneling

• Routers often accept only “topologically correct“ addresses (firewall!)
  • a packet from the MN encapsulated by the FA is now topologically correct
  • furthermore, multicast and TTL problems are solved (TTL in the home network is correct, but the MN is too far away from the receiver)

• Reverse tunneling does not solve
  • problems with firewalls; the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)
  • optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)

• The new standard is backwards compatible
  • the extensions can be implemented easily and cooperate with current implementations without these extensions


Mobile IP and IPv6

• Mobile IP was developed for IPv4, but IPv6 simplifies the protocols
  • security is integrated and not an add-on; authentication of registration is included (?)
  • COA can be assigned via auto-configuration (DHCPv6 is one candidate); every node has address autoconfiguration
  • no need for a separate FA; all routers perform router advertisement, which can be used instead of the special agent advertisement
  • MN can signal the COA directly to a sender; sending via the HA is not needed in this case (automatic path optimization)
  • ”soft“ hand-over, i.e. without packet loss, between two subnets is supported: the MN sends the new COA to its old router, and the old router encapsulates all incoming packets for the MN and forwards them to the new COA
  • authentication is always granted


Problems with mobile IP

• Security
  • authentication with the FA is problematic, for the FA typically belongs to another organization
  • no protocol for key management and key distribution has been standardized in the Internet
  • patent and export restrictions

• Firewalls
  • typically mobile IP cannot be used together with firewalls; special set-ups are needed (such as reverse tunneling)

• QoS
  • many new reservations in case of RSVP
  • tunneling makes it hard to give a flow of packets the special treatment needed for the QoS

• Security, firewalls, QoS etc. are topics of current research and discussions!


DHCP: Dynamic Host Configuration Protocol

• Application
  • simplification of installation and maintenance of networked computers
  • supplies systems with all necessary information, such as IP address, DNS server address, domain name, subnet mask, default router etc.
  • enables automatic integration of systems into an Intranet or the Internet
  • can be used to acquire a COA for Mobile IP

• Client/Server-Model
  • the client sends via a MAC broadcast a request to the DHCP server (might be via a DHCP relay)

[Figure: a client sends DHCPDISCOVER to a relay, which forwards the DHCPDISCOVER to the server; a client on the server’s own link sends DHCPDISCOVER directly]


DHCP - protocol mechanisms

[Figure: message sequence over time between the client, a server that is not selected and the server that is selected]

1. initialization: the client broadcasts DHCPDISCOVER
2. each server determines a configuration and answers with DHCPOFFER
3. collection of replies and selection of a configuration: the client sends DHCPREQUEST (options) to the selected server; the server not selected takes the DHCPREQUEST as a reject
4. the selected server confirms the configuration with DHCPACK; initialization completed
5. release: the client sends DHCPRELEASE and the server deletes the context


DHCP characteristics

• Server: several servers can be configured for DHCP, coordination not yet standardized (i.e., manual configuration)

• Renewal of configurations: IP addresses have to be requested periodically, simplified protocol

• Options: available for routers, subnet mask, NTP (network time protocol) timeserver, SLP (service location protocol) directory, DNS (domain name system)

• Big security problems! no authentication of DHCP information specified