MobileNAT (Mobility across Heterogeneous Address Spaces)
description
Transcript of MobileNAT (Mobility across Heterogeneous Address Spaces)
MobileNAT(Mobility across Heterogeneous
Address Spaces)
Presented by Kundan Singh(Columbia University)
Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller
Agenda Motivation Architecture Implementation Comparison with
current approaches Summary
(30 slides, 60 min)
13-Oct-03 MobileNAT/IRT group meeting 2
Current Trends
Explosive growth in connected devices
Heterogeneity• Access: 802.11, 3G,
Ethernet
• Provider; billing
• Address space IPv4 vs IPv6 Public vs Private
802.11
3G
Private address
13-Oct-03 MobileNAT/IRT group meeting 3
Project IOTO
http://www.bell-labs.com/~mbuddhikot/IOTAProject/IOTA.htm
13-Oct-03 MobileNAT/IRT group meeting 4
NATPublic Addr A
The goal
Private Address Space
Internet
NAT
802.11802.11 Ethernet
PDSN/3G
NAT
RoutedIP Network
www.cnn.com
(1) (2)
(3)
(4)
(5)
Preserve session for1. inter access-point2. inter sub-net3. inter-NAT4. to 3G network5. to public network
Access-point
Router
Router with NAT
MobileNAT(Mobility across Heterogeneous
Address Spaces)
Presented by Kundan Singh(Columbia University)
Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller
Agenda Motivation Architecture Implementation Comparison with
current approaches Summary
13-Oct-03 MobileNAT/IRT group meeting 6
Problem with IP address
IP address overloaded• Host identification
• Routing information
Change in IP address breaks TCP/socket connection
128.59.16.149
135.180.32.4
128.59.16.149135.180.32.480 1733
135.180.32.4128.59.16.1491733 80
TCP association
MN(mobile node)
CN (corresponding node)
135.180.54.7
135.180.54.7128.59.16.1491733 80
movesMN
Source IPDestination IPSP DP
Convention:
13-Oct-03 MobileNAT/IRT group meeting 7
Two addresses
Two IP addresses• Virtual IP (fixed host-id)
• Actual IP (routable; changes)
128.59.16.149
135.180.32.6 A=135.180.54.7
128.59.16.149135.180.32.480 1733
135.180.32.4128.59.16.1491733 80
135.180.32.4128.59.16.1491733 80
moves
V=135.180.32.4
Actual IP
Virtual IP
MN MN
CN
Application
Socket
TCP/UDP
IP
Addr “A”
Shim Layer
Addr “V”
Net IF
Anchor node (AN)
13-Oct-03 MobileNAT/IRT group meeting 8
Packet forwarding mechanisms:tunneling or translation
Tunneling• Outer: CN=>A or HA=>A
• Inner: CN=>V
• Header overhead
128.59.16.149
A=135.180.54.7
moves
V=135.180.32.4
128.59.16.149
A=135.180.54.7
moves
V=135.180.32.4
128.59.16.149135.180.32.4
128.59.16.149135.180.32.4
128.59.16.149135.180.54.7
128.59.16.149135.180.32.4
128.59.16.149135.180.54.7
MN
CN
MN
CN
AN AN
Translation• More processing overhead
• Not an issue if NAT1 is already present
1NAT is described later
13-Oct-03 MobileNAT/IRT group meeting 9
Address allocation using DHCP
Virtual and actual IP allocated using DHCP
New DHCP options• MN sends current virtual IP
address (or 0.0.0.0 if none) in the request
• Server sends the allocated actual and virtual IP addresses in the response
• Actual IP is allocated based on relay agent IP
10.0.1.5
10.0.1.x
DHCP server
DHCP relay agent
10.0.2.9
10.0.2.x
10.0.2.2
13-Oct-03 MobileNAT/IRT group meeting 10
Overview of NA(P)T
NAT
Public Addr135.180.32.1-7
Private Address Space(10.0.0.0-10.255.255.255)
Internet
128.59.16.149
CN
10.0.1.5
10.0.1.x 10.0.2.x
10.0.7.x
Packet processing rules need to be changed in the event of mobility
10.0.1.5128.59.16.1491756 80
135.180.32.4128.59.16.1497088 80
out
In-1
Packet processing rule
13-Oct-03 MobileNAT/IRT group meeting 11
Mobility manager and MIDCOM
NAT
Internet
10.0.1.5
10.0.1.x 10.0.2.x
MIDCOM to control NAT rules
Mobility manager IP in DHCP response
relay relay
relay
DHCP server
Mobility manager
Change of leaseNAT rules
13-Oct-03 MobileNAT/IRT group meeting 12
Example
Address assignment Packet flow when MN is private and CN is public MN moves to a new subnet Packet flow after mobility to a new subnet Packet flow when MN and CN are in the same NAT domain Packet flow when MN is private and CN is public and MN
moves to new NAT domain
13-Oct-03 MobileNAT/IRT group meeting 13
Address assignment
NAT
Internet
DHCP server
DHCP request(my virtual IP = 0.0.0.0)(my Mac address)
DHCP response(your virtual IP = 10.128.0.2)(your actual IP = 10.0.1.5)
DHCP server
Mobility manager
NAT
13-Oct-03 MobileNAT/IRT group meeting 14
Packet flow
NAT picks up an external IP and port
NAT
(1)
(2)(3)
135.180.32.4:708810.0.1.5:1756
CN
Internet
Application
Socket
TCP/UDP
IP
Addr “A”
SHIM LayerAddr “V”
Net IF
10.0.1.5:1756
10.128.0.2:1756
10.128.0.2128.59.16.1491756 80
10.0.1.5128.59.16.1491756 80
135.180.32.4128.59.16.1497088 80
128.59.16.14910.128.0.280 1756
128.59.16.14910.0.1.580 1756
128.59.16.149135.180.32.480 7088
Shim
Shim NAT
NAT
13-Oct-03 MobileNAT/IRT group meeting 15
Inter-subnet mobility
NAT
CN
Internet
DHCP server
DHCP request(my virtual IP = 10.128.0.2)(my Mac address)
DHCP response(your virtual IP = 10.128.0.2)(your actual IP = 10.0.2.7)
DHCP server
Mobility manager
10.0.1.x
10.0.2.x
S:10.0.1.5:1756 D:128.59.16.149:80S:135.180.32.4:7088 D:same
change
10.0.2.7
NAT rules
13-Oct-03 MobileNAT/IRT group meeting 16
Packet flow after the node moves
MN application or CN do not know about change in actual IP
NAT
(1)
(2)
(3)
135.180.32.4:708810.0.2.7:1756
CN
Internet
10.128.0.2128.59.16.1491756 80
Application
Socket
TCP/UDP
IP
Addr “A”
SHIM LayerAddr “V”
Net IF
10.0.2.7128.59.16.1491756 80
135.180.32.4128.59.16.1497088 80
128.59.16.14910.128.0.280 1756
128.59.16.14910.0.2.780 1756
128.59.16.149135.180.32.480 7088
Shim
Shim NAT
NAT
13-Oct-03 MobileNAT/IRT group meeting 17
Intra-domain sessions
Optimization: new signaling message between two MobileNAT clients to route the packets directly
NAT
V=10.128.0.2A=10.0.1.5
A=10.0.4.9
MN
CN
V=10.128.0.2A=10.0.2.7
MN
Moves
13-Oct-03 MobileNAT/IRT group meeting 18
Inter-domain mobility
Mobility manager of visited NAT fetches the existing connection mapping from mobility manager of the home NAT
If MN moves to public address space, Shim layer acts as visited NAT Dynamic home agent: use visited NAT as home NAT for new session Tunneling between visited and home NAT
Home NATCN
Internet
Visited NAT
MN
MN
moves
MobileNAT(Mobility across Heterogeneous
Address Spaces)
Presented by Kundan Singh(Columbia University)
Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller
Agenda Motivation Architecture Implementation Comparison with
current approaches Summary
13-Oct-03 MobileNAT/IRT group meeting 20
Implementation: client (Win XP/2000)
Shim-layer driver to capture DHCP packets and translate IP addresses
MobileNAT client application acting as DHCP client and server Handles ARP for nodes in other sub-nets
Application
Socket
TCP/UDP
IP
Addr “A”
Shim Layer
Addr “V”
Net IF
MobileNATClient
Server Client
10.128.0.2 /255.0.0.0
10.0.1.5 /255.255.255.0
MobileNATClient
MobileIP Client
Network and interface selector
DHCP server - client
Unified mobility client (on-going work)
13-Oct-03 MobileNAT/IRT group meeting 21
Client architecture
New code developed,
Specifically for3G-802.11 integration
VPN/IPSec integration(e.g. Lucent IPSecClient)
Interaction withExisting WindowsOS modules
TCP/IP Protocol Stack
Virtual MobileIPAdaptor
VPN/IPSecControl
OS
PP
P S
upport
Graphical User Interface & Monitoring
Ethernet
MIP State Machine
Interface Abstraction Layer/API
Network Detection
Network Selection
MobileNATClient
802.11 PPPCDMA2000
Sierra 3G1xRTT
VPN/IPSec Client Driver
Multi-interface Mobility Client Driver
EthernetInterface
802.11Interface
PPP Interface
IS-835 Shim
Serial D
riverA
T C
omm
and Set
Us
er L
ev
el
OS
Ke
rne
l Le
ve
l
13-Oct-03 MobileNAT/IRT group meeting 22
User interface
Approximately 45,000 lines of code, 13,000 of which are Windows NDIS kernel networking code
13-Oct-03 MobileNAT/IRT group meeting 23
Implementation: DHCP server and NAT (Linux)
DHCP server
PRE-ROUTINGDestination NAT
POST-ROUTINGSource NAT
NAT connectiontrackingVirtual IP range
Actual IP range
DHCP server to allocate virtual and actual IP Actual IP is based on subnet of DHCP relay agent MM is integrated into DHCP server NAT using netfilter, iptables, ip_conntrack and ip_nat modules
MobileNAT(Mobility across Heterogeneous
Address Spaces)
Presented by Kundan Singh(Columbia University)
Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller
Agenda Motivation Architecture Implementation Comparison with
current approaches Summary
13-Oct-03 MobileNAT/IRT group meeting 25
Similarities/Differences with current proposals Translation mode vs. tunneling
• Packet size vs processing overhead
• Two addresses per MN; can afford since private addresses
• No external FA needed
Signaling• Using DHCP (new options) and a per-domain Mobility Manager (MM)
Routing path• No change in routers or CN; but change in MN, NAT and DHCP server
• Dynamic home agent (I.e., the NAT)
13-Oct-03 MobileNAT/IRT group meeting 26
Comparison to existing schemes
Schemes considered in following chart Mobile IP
• Extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)
Micro-mobility schemes Cellular IP Hawaii Intra-Domain Mobility Protocol (IDMP) Hierarchical Mobile IP (HMIP)
IPv6 Application level mobility mechanism
• SIP
Virtual NAT• Similar address translation in the client stack
• Targeted for connection migration where both end-points implements vNAT
13-Oct-03 MobileNAT/IRT group meeting 27
Comparison chart
MIP CIP Hawaii HMIP (RR)
IDMP TeleMIP
MIP LR
MIP RO
SIP IPv6 Mobile NAT
Virtual NAT
MIP messaging Y N Y Y Y - - N Y N N
Inter-tunnel Y Y Y Y Y N Y N O O N
Intra-tunnel - N N Y Y - - - O O N
Paging O Y Y Y Y - - N Y UD N
Host ID HA HA CoA CoA LCoA - - SIP HA CoA virtual
signaling Y Data Y Y Y Y Y Y Y DHCP/MM
Y
CN modify? N N N N N Y Y - N N Y
MN modify? Y Y Y Y Y Y Y - Y Y Y
Router modify? FA Y Y FA FA - - - O N N
NAT support Y1 Y Y Y Y IN IN Y IN Y IN
Non-mobile IP nodes
Y N Y Y Y - - - Y Y IN
Triangular route Y Y Y Y Y N N N N N/Y N
Y: yes N: no - :N/A O: optional IN:independent UD: Under Development1: We assume Mobile IP with UDP tunneling for NAT
13-Oct-03 MobileNAT/IRT group meeting 28
Mobile NAT Advantages
Problems in existing approaches• Huge infrastructure change (CIP, IPv6, routers, even deploying FA)• Not much discussion on optimizing intra-domain sessions• Require tunneling overhead, inter, intra or both• Triangular routing• Modification in CN
MobileNAT approach• Addresses rapid growth in end-devices, which most likely will have private
addresses due to slow deployment of IPv6• Assume the presence of NA(P)T in a domain
Roaming and services across heterogeneous address spaces Reduce problem space to only private address space
• Choice between tunneling and address translation Addresses bandwidth limitations of wireless links
• Use existing protocols (DHCP, ICMP) for signaling• Discourage changing routing infrastructure• Can co-exist with MobileIP
13-Oct-03 MobileNAT/IRT group meeting 29
On-going work
Scalability:• Subdivide domains into smaller NAT-ed domains• Multiple NATs per domain
Security• DHCP authentication and Access-point authentication/encryption• Works with IP-sec (AH mode and UDP tunnel) and SSL
Paging: • Re-use of existing IP-multicast based paging
Possible deployment issues• Changing every MN driver (similar to Mobile IP)• Mobility to 3G network• Location information distribution• Allow incremental deployment
Other issues• Does not solve NAT problems where application layer message uses IP address
(FTP, SIP, RTSP)• Fast hand-off for micro-mobility• Intra-domain sessions on inter-domain mobility• Combined MobileIP and MobileNAT client
13-Oct-03 MobileNAT/IRT group meeting 30
Summary
Main Ideas• Virtual IP for host identification; actual IP for routing
• Address translation in client as well as in NAT
• Existing protocols like DHCP for signaling
• Mobility manager to handle nodes in a domain
• NAT acts as a dynamic home agent
• Inter-NAT packet flow for inter-domain mobility
No change in routers or no need for FA• Change In MN, NAT and DHCP server
Demonstrated a simple inter-subnet mobility
Survey of existing mobility approaches for private/public addresses
BACKUP SLIDES
13-Oct-03 MobileNAT/IRT group meeting 32
Mobile IP for macro mobility
Triangular routing• Route optimization
Slow handoff• Hierarchical mobility
• Tunneling (HMIP)
• Mobile specific routing (CIP, Hawaii)
Signaling overhead• Paging (CIP, Hawaii,
HMIP)
Firewall, etc.• Reverse tunneling
MN
Internet
CN HA
FA
MN
(1)
(2)(4)
(1) CN=>HA(2) HA=>FA
CN=>HA(3) CN=>HA(4) HA=>CN
(3)
13-Oct-03 MobileNAT/IRT group meeting 33
Mobile IP with NAT
UDP port mapping created during register
HA finds that FA is behind NAT
HA uses IP in UDP tunnel
NAT
Internet
CN HA
FA
MN
(2) CN=>HA
(3) HA=>NAT (UDP) CN=>HA (IP)
Oubound traffic
(4) NAT=>FA (UDP)CN=>HA (IP)
(1) register; establish port mapping
13-Oct-03 MobileNAT/IRT group meeting 34
Micro mobility: Cellular IP
CoA is of gateway (FA) No change in CoA
within domain Gateway converts
cellular IP to IP Network elements
snoop on data packets from MN to GW; set the reverse route from GW to MN
Paging to discover idle MN
NAT can be at gateway
Internet
CN HA
gateway
MN
MN
Intra-domain cellular IP (non-IP) cloud
Id = HA
13-Oct-03 MobileNAT/IRT group meeting 35
Micro mobility: Hawaii
CoA is of root router (FA)
Host specific route in IP
Path setup tradeoff• Explicit signal from MN to
update route
• Packet loss, reorder, handoff latency
Paging (IP multicast) to discover idle MN if no routing information
NAT can be at root router
Internet
CN HA
root router
MN
MN
IP cloud
HA=>CoACN=>HA
CN=>HA
HA=>CoACN=>HA
Id=CoA
13-Oct-03 MobileNAT/IRT group meeting 36
Micro mobility: Hierarchical mobile IP
Two levels Works with non-mobile
(but) IP traffic in domain
Paging Two IP addresses
(GFA and FA) per MN NAT can be at GFA High level network of
FA (preferably tree) above IP; registration updates at optimal point in the tree
Internet
CN HA
GFA
MN
MN
FA
FA
HA=>GFACN=>HA
CN=>HA
GFA=>FACN=>HA
13-Oct-03 MobileNAT/IRT group meeting 37
Micro mobility: IDMP/TeleMIP
MA acts as gateway to internet
Subnet agent (e.g., DHCP or FA) sends domain info
MN registers GCoA=MA @ HA; LCoA=FA @ MA; two level addressing
Similar to HMIP except multiple MA allowed for load balancing
MA does NAT
Internet
CN HA
MA
MN
MN
FA
FA
HA=>MA (GCoA)CN=>HA
CN=>HA
MA=>FA (LCoA)CN=>HA
13-Oct-03 MobileNAT/IRT group meeting 38
MIP Location Registers
Avoids encapsulation Modify CN New VLR deregisters
old VLR If VLR runs out of
address inform HLR; which informs CN to use tunnel from CN to VLR
If MN moves before TTL, (1) inform VLR, HLR that informs CN (2) inform CN directly (3) old VLR relays to new
Internet
CN HLR
VLR
MN
Get and cache CoA of MN for given TTL
(4)
(3)
13-Oct-03 MobileNAT/IRT group meeting 39
SIP application level mobility
Only for VoIP/multimedia calls
No change in existing infrastructure
NAT traversal (next slide)
Internet
CN Home SIP server
MN
Initial INVITE
MN
Re-INVITE
Re-REGISTER Initial INVITE
13-Oct-03 MobileNAT/IRT group meeting 40
Middle box communication (midcom)
Application specific proxy server controls NAT/firewall port binding/hole
Separate NAT/ALG functionality
Proxy snoops or modifies signaling
Signaling traffic allowed on fixed port; media on dynamic port
Works with SIP No incentive to install
Internet
CN
server NAT
host
signaling
signaling
media
midcom
13-Oct-03 MobileNAT/IRT group meeting 41
Simple Traversal of UDP through NAT (STUN)
Host sends a packet to stun server
NAT converts internal IP to external IP
Responds with source IP of packet (i.e., external)
Host knows that its external IP is not same as internal
It uses external IP/port when advertising in SDP
Does not work for symmetric NAT • external IP for same host different
for connection to different external host
Internet
CN
stunserver
NAT
host
(4)(1)
(2)
(3)
(5)
(6)
13-Oct-03 MobileNAT/IRT group meeting 42
Realm Specific IP (RSIP)
Get an external address from NAT for this private host
Tunnel packets between NAT and private host
Works for various combinations of multiple RSIP gateway, NAT, NAT with RSIP, and RSIP hosts.
Need RSIP aware host
Internet
CN
NAT
host
CNNAT
NAThost<CNNAT>
13-Oct-03 MobileNAT/IRT group meeting 43
Mobility in IPv6
Address auto-configuration• Always obtain a CoA in FN
• Net part+local part
• No FA needed
Route optimization • IPv6 Destination option to
CN and HA
• CN caches CoA of MN and sends directly
Hierarchical MIPv6 • Global address = mobile
server’s network; allow change in MS
• Local address known to mobile server
Internet
CN HA
MN
(1) First IPv6 packet CN=>HA
(3) IPv6 destination option
(2) TunneledHA=>CoACN=>HA
(4) subsequent packets
13-Oct-03 MobileNAT/IRT group meeting 44
Mobile NAT: motivation
Problems in existing approaches• Not much discussion on optimizing intra-domain sessions
• Require tunneling overhead, inter, intra or both
• Triangular routing or modification in CN
• Huge infrastructure change (CIP, IPv6, even deploying FA)
• . . .
What MobileNAT does?• Reduce problem space to only private address space MN
• Assume the presence of NA(P)T in a domain
• Choice between tunneling and address translation
• Use existing protocols (DHCP, ICMP) for signaling mobility
• Discourage changing routing infrastructure
• Can co-exist with MobileIP, Hawaii and IPv6 (?)
• Provide roaming and services across heterogeneous address spaces demarked by address translation devices
13-Oct-03 MobileNAT/IRT group meeting 45
Mobile NAT: intra-domain
No explicit HA or FA• HA is in NAT (MN is private)
• FA is in MN (driver, kernel)
Virtual vs routable address• Virtual: fixed private address “a”
exposed to application on MN
• Routable: dynamic private address “a” or “b” using DHCP
• Transport sessions between CNA (external), CNa (internal)
Address translation• NAT (Aab), MN (ba)
Tunneling• NATMN
Internet
CN
NAT
MN
MN
IP cloud
CN<=>b
Id=Private
a/a
a/b
A=a
CN<=>A
13-Oct-03 MobileNAT/IRT group meeting 46
Mobile NAT: inter-domain
Inter-NAT tunnel or relay MN moves a/a=>a/c NAT1 and NAT informed Translation
• NAT1: AaB
• NAT2: Bac
• MN: ca
Issues• Multiple “a” in NAT2
But unique map Ba
• Does IP security work (?)
Like Mobile IP • FA=NAT2,HA=NAT1
• At most two level of NATs
Internet
CN
NAT1
MN
CN<=>b
a/a
A=a
CN<=>ANAT2
MN a/c
B=a
13-Oct-03 MobileNAT/IRT group meeting 47
Mobile NAT: intra-domain sessions
MN1 MN2 active session• MN2 sends to NAT; destination “a”
• NAT responds router redirect “b” (?)
• MN2 now sends to MN1
MN1 moves a/b=>a/c• MN1 gets “c”
• DHCP server (or MN1) informs NAT
• MN2 gets ICMP host unreachable
• Starts sending to NAT
• NAT responds router redirect “c”
MN1 moves out of domain• Path MN1visited NAT home
NATMN2
Internet
CN
NAT
MN1
MN1
a/b
a/c
A=a
MN2
d/e
active session
(?) ICMP Redirect message is expected from router in the same sub-net to which packet is being sent. It is vulnerable to attacks (confirm?) Cisco routers don’t forward ICMP redirect from another network. We may use proprietary IP options if allowed.
13-Oct-03 MobileNAT/IRT group meeting 48
TODO
Can MobileNAT co-exist with MIP, Hawaii and non-mobile but IP clients?• If MIP MN discovers no FA, switches to MobileNAT
• If MobileNAT MN discovers FA, enables both MIP and MobileNAT
• If MobileNAT MN goes out of domain and gets a public address
• If a public MN moves within the domain and gets private address
• For intra-domain session between MN and fixed IP host, route optimization does not work
• Does route optimization work if both MN move at the same time?
• Does MobileNAT work with multicast?
• Write a simulation program for MobileNAT, MobileIP and Hawaii network
13-Oct-03 MobileNAT/IRT group meeting 49
TODO
Can part of it be implemented using existing protocols like Mobile IPv6 (destination option for route optimization), IDMP (for public/private addresses), RSIP)?• Intra-domain Route optimization is similar to IPv6 destination option; can
we use IPv6 within domain – need to change all routers (?)
• Assuming IPv6 domain with NAT as IPv4IPv6 converter. What changes we need in NAT/IOTA so that it works with Mobile IP? For IPv6 do we need private address domain? How do we minimize changes in IPv6 MN?
• IDMP supports multiple MA. Can we install multiple NAT/IOTA for load balancing?
• Does tunnel mode MobileNAT reduce to IDMP, when HA is outside of NAT and FA is in MN? (yes) Why can’t MobileNAT be proposed as an extension to IDMP? IDMP does not describe intra-domain session optimization.
13-Oct-03 MobileNAT/IRT group meeting 50
TODO
Windows related issues• Check if TCP connections are dropped when ipconfig /release is done
• Check what happens when CONNECTED status is indicated on already connected state
• Check if TCP connections are dropped even if DISCONNECTED status is not propagated to higher layer
Possible deployment hindrances• Changing every MN driver (similar to Mobile IP)
• Should allow incremental deployment
• Processing overhead on NAT/IOTA
• What happens to domain/sub-net specific options that are not indicated to the higher layer when domain/sub-net change? Need to write a controlling application also that does DhcpIpRenewAddress when driver finds a different options field.
13-Oct-03 MobileNAT/IRT group meeting 51
TODO
Basic design issues• Does DHCP security/authentication work?
• Can we use ICMP router redirect from NAT to private host?
• Can IP security work in all scenarios?
• Fast handoff applicability
• Since anyway we are modifying MN driver, can it be made more extensible or more auto-configurable. E.g., if IOTA/NAT is moved to sub-net routers then can modification in MN be
avoided? What if multiple hierarchical IOTA/NAT in a domain?