Motivation for a Mobility-supported Network

Routing:
– Based on an IP destination address, the network prefix (e.g., 137.193.63) determines the physical subnet – Change of physical subnet implies change of IP address to obtain a topological correct address (standard IP) or needs special entries in routing tables

8. Network Protocols and Mobile IP
Ad-hoc Networks, Routing Micro-mobility: Cellular IP, HAWAII Macro-mobility: DHCP, Mobile IP Registration, Encapsulation, Tunneling, Security IPv4 versus IPv6

Specific routes to end-systems?
– Change of all routing table entries to forward packets to the right destination required – Does not scale with the number of mobile hosts and frequent changes in the location – Security problems

Changing the IP address?
– Adjust the host IP address depending on the current location – Almost impossible to find a mobile system, DNS updates take a too long time – TCP connections break, security problems
© 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 2

© 2005 Burkhard Stiller and Jochen Schiller FU Berlin

M8 – 1

Mobile ad-hoc Networks
Standard Mobile IP (cf. later) needs an infrastructure:
– Home Agent/Foreign Agent in the fixed network – DNS, routing are not designed for mobility

Manet: Mobile Ad-hoc Networking

Sometimes there is no infrastructure!
– Remote areas, ad-hoc meetings, disaster areas – Cost can also be an argument against an infrastructure!

Mobile Router Manet Mobile Devices Mobile IP, DHCP Fixed Network

Main topic is routing:
– No default router available – Every node should be able to forward

Router
A
© 2005 Burkhard Stiller and Jochen Schiller FU Berlin

End system
M8 – 4

B
M8 – 3

C
© 2005 Burkhard Stiller and Jochen Schiller FU Berlin

Routing Examples for an Ad-hoc Network

Traditional Routing Algorithms
Distance Vector (IP example RIP):
– Periodic exchange of messages with all physical neighbors that contain information about who can be reached at what distance – Selection of the shortest path if several paths available

N1 N2 N3 N4

N1 N2

N3

Link State (IP example OSPF):
– Periodic notification of all routers about the current state of all physical links – Routers get a complete picture of the network

N5 good link weak link

N4

N5 time = t2

Example:
– – – – ARPA packet radio network (1973), DV-Routing Every 7.5 s exchange of routing tables including link quality Updating of tables also by reception of packets Routing problems solved with limited flooding

time = t1

© 2005 Burkhard Stiller and Jochen Schiller FU Berlin

M8 – 5

© 2005 Burkhard Stiller and Jochen Schiller FU Berlin

M8 – 6

1

e. i. . Scalability. if it seems to be unstable (based on the stored time values) Key problem: – Protocols have been designed for fixed networks with infrequent changes and typically assume symmetric links! © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 7 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 8 Dynamic Source Routing (1) Split routing into discovering a path and maintaining a path Discover a path: – Only if path for packets to a certain destination is needed and no path available Dynamic Source Routing (2) Optimizations: – Limit broadcasting if maximum diameter of the network is known – Caching of address lists (i. has the correct destination address) then return the packet to the sender (path was collected in the packet) • If the packet has already been received earlier (identified via ID) then discard the packet • Otherwise. Fast Handoff.. Manageability © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 13 Cellular IP Operation: – “CIP Nodes“ maintain routing entries (soft state) for Mobile Nodes (MN) – Multiple entries possible – Routing entries updated based on packets sent by MN Internet Mobile IP CIP Gateway Data/Control Packets from MN 1 CIP Gateway: – Mobile IP tunnel endpoint – Initial registration processing Security provisions: – All CIP Nodes share “network key“ – MN key: MD5 (net key.e. – Macro mobility: • Mobile nodes move between domains.. Transparency.. paths) with help of passing packets: • Stations can use the cached information for path discovery (own paths or paths for other hosts) Maintaining a path: – Only while path is in use one has to make sure that it can be used continuously No periodic updates needed! Path discovery: – Broadcast a packet with destination address and unique ID – If a station receives a broadcast packet • If the station is the receiver (i. connection quality. participants DSDV (Destination Sequenced Distance Vector) Early work: – On-demand version: AODV (Ad-hoc On-demand Distance Vector) Limited performance of mobile systems: – Periodic updates of routing tables need energy without contributing to the transmission of user data.Problems of Traditional Routing Algorithms Dynamic of the topology: – Frequent changes of connections. append own address and broadcast packet – Sender receives packet with the current path (address list) © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 9 Maintaining paths: – After sending a packet: • Wait for a layer 2 acknowledgement (if applicable) • Listen into the medium to detect if other stations forward the packet (if possible) • Request an explicit acknowledgement – If a station encounters problems it can inform the sender of a packet or look-up a new path locally © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 10 Mobility on the Network Layer User mobility and device mobility Distance-driven mobility dimensions: – Micro mobility: • Mobile nodes move within a single domain (determined by a logical view of sub-networks managed by a single administration) • Support of fast and seamless hand-over between access points • Reduction of traffic load in backbone network • Examples: Cellular IP.e. HAWAII. Hierarchical Mobile IP. Mobile IP (MIP) – Distinction not completely clear: • Two networks in which a node moves (macro mobility) may be concatenated to achieve a single logical network (micro mobility) – Important criteria: Security.. sleep modes difficult to implement – Limited bandwidth of the system is reduced even more due to the exchange of routing information – Links can be asymmetric. Efficiency. where each domain is concatenated by an IP network • Examples: Dynamic Host Configuration Protocol (DHCP). they can have a direction-dependent transmission quality Expansion of distance vector routing Sequence numbers for all routing update packets: – Assures in-order execution of all updates – Avoids loops and inconsistencies Decrease of update frequency: – Store time between first and best announcement of a path – Inhibit update. IP address) – MN gets key upon registration BS BS BS Packets from MN2 to MN 1 MN1 MN2 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 14 2 .

IPSec AH) Potential problems: – Not transparent to MNs (additional control messages) – Public-key encryption of MN keys may be a problem for resource-constrained MNs – Multiple-path forwarding may cause inefficient use of available bandwidth © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 15 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 16 HAWAII Operation: – MN obtains co-located COA 1 and registers with HA 2 – Handover: MN keeps COA. prefix+suffix mode) – Proprietary mechanisms (not. new BS answers Reg.. keeps RCOA – HA is only contacted if MAP changes Internet RCOA MAP HA Potential problems: – Mixture of co-located COA and FA concepts may not be supported by some MN implementations – No private address support possible because of co-located COA Security provisions: – No HMIP-specific security provisions – Binding updates should be authenticated binding update AR AR LCOAold MN LCOA new MN © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 19 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 20 3 . e.Cellular IP: Security Advantages: – Initial registration involves authentication of MNs and is processed centrally by CIP Gateway – All control messages by MNs are authenticated – Replay-protection (using timestamps) Cellular IP: Other Issues Advantages: – Simple and elegant architecture – Mostly self-configuring (little management needed) – Integration with firewalls / private address support possible Potential problems: – MNs can directly influence routing entries – Network key known to many entities (increases risk of compromise) – No re-keying mechanisms for network key – No choice of algorithm (always MD5. Request 3 and updates routers 4 – MN views BS as foreign agent Internet HA Backbone Router Crossover Router 2 4 BS BS Mobile IP BS DHCP Server 1 DHCP HAWAII: Security Advantages: – Mutual authentication and C/R extensions mandatory – Only infrastructure components can influence routing entries Potential problems: – Co-located COA raises DHCP security issues (DHCP has no strong authentication) – Decentralized security-critical functionality (Mobile IP registration processing during handover) in base stations – Authentication of HAWAII protocol messages unspecified (potential attackers: stationary nodes in foreign network) – MN authentication requires PKI or AAA infrastructure Security provisions: – MN-FA authentication mandatory – Challenge/Response Extensions mandatory HAWAII (Hand-off-aware Wireless Access Internet Infrastructure) © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 17 Mobile IP 3 MN MN © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 18 HAWAII: Other Issues Advantages: – Mostly transparent to MNs (MN sends/receives standard Mobile IP messages) – Explicit support for dynamically assigned home addresses Hierarchical Mobile IPv6 (HMIPv6) Operation: – Network contains mobility anchor point (MAP) • Mapping of regional COA (RCOA) to link COA (LCOA) – Upon handover.g. MN informs MAP only • Gets new LCOA.

subnet mask. simplified protocol Compatibility: – Support of the same layer 2 protocols as IP – No changes to current end-systems and routers required – Mobile end-systems can communicate with fixed systems Options: – Available for routers. NTP (network time protocol) timeserver.Hierarchical Mobile IP: Security Advantages: – Local COAs can be hidden. domain name. DNS server address. old 2002) Transparency: – Mobile end-systems keep their IP address – Continuation of communication after interruption of link possible – Point of connection to the fixed network can be changed Renewal of configurations: – IP addresses have to be requested periodically. such as IP address.e. coordination not yet standardized (i. can be used to acquire a COA for Mobile IP server (not selected) determine the configuration DHCP Protocol Mechanisms client initialization DHCPDISCOVER DHCPDISCOVER server (selected) determine the configuration DHCPOFFER DHCPOFFER Client/Server-Model time collection of replies selection of configuration DHCPREQUEST (reject) DHCPREQUEST (options) DHCPACK server client initialization completed release DHCPRELEASE © 2005 Burkhard Stiller and Jochen Schiller FU Berlin – The client sends via a MAC broadcast a request to the DHCP server (might be via a DHCP relay) DHCPDISCOVER DHCPDISCOVER confirmation of configuration client relay delete context © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 23 M8 – 24 DHCP Characteristics Server: – Several servers can be configured for DHCP. SLP (service location protocol) directory. subnet mask. default router – Enables automatic integration of systems into an Intranet or the Internet. manual configuration) Requirements to Mobile IP (RFC 3220.. which provides some location privacy – Direct routing between CNs sharing the same link is possible (but might be dangerous) Hierarchical Mobile IP: Other Issues Advantages: – Handover requires minimum number of overall changes to routing tables – Integration with firewalls / private address support possible Potential problems: – Decentralized security-critical functionality (handover processing) in mobility anchor points – MNs can (must!) directly influence routing entries via binding updates (authentication necessary) Potential problems: – Not transparent to MNs – Handover efficiency in wireless mobile scenarios: • Complex MN operations • All routing reconfiguration messages sent over wireless link © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 21 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 22 DHCP: Dynamic Host Configuration Protocol Application – Simplification of installation and maintenance of networked computers – Supplies systems with all necessary information. DNS (domain name system) Security: – Authentication of all registration messages Efficiency and scalability: Big security problems: – No authentication of DHCP information specified – Only little additional messages to the mobile system required (connection typically via a low bandwidth radio link) – World-wide support of a large number of mobile systems in the whole Internet © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 25 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 26 4 .

Foreign Network Advertisement: – HA advertises the IP address of the MN (as for fixed systems). Sender sends to the IP address of the receiver as usual. tunnels IP datagrams to the COA Router Home Network Internet (Physical Home Network for the MN) Router (Current Physical Network for the MN) Mobile End-system Foreign Agent (FA): – System in the current foreign network of the MN. standard routing information – Routers adjust their entries. Internet Router FA 3. typically a router – Forwards the tunneled datagrams to the MN. by encapsulation 3. HA tunnels packet to COA. CN Router © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 31 5 . MN 4. via DHCP Foreign Network CN End-system Router M8 – 28 Correspondent Node (CN): – Communication partner © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 27 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin Data Transfer to the Mobile System HA Data Transfer from the Mobile System HA MN 2 1 MN Home Network Internet 3 FA Receiver Foreign Network Home Network Internet Sender FA Foreign Network CN Sender 1 1.g. if it is in the home or a foreign network (standard case for home network) – MN reads a COA from the FA advertisement messages Registration (always limited lifetime!): CN Router – MN signals COA to the HA via the FA. FA works as default router © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 30 Overview COA Home Network Router HA Internet Router FA MN Foreign Network Network Integration Agent Advertisement: – HA and FA periodically send advertisement messages into their physical sub-nets – MN listens to these messages and detects. FA forwards the packet to the MN M8 – 29 CN Receiver © 2005 Burkhard Stiller and Jochen Schiller FU Berlin 1. these are stable for a longer time (HA responsible for a MN over a longer period of time) – Packets to the MN are sent to the HA. typically a router – Registers the location of the MN. typically the default router for MN FA Care-of Address (COA): – Address of the current tunnel end-point for the MN (at FA or MN) – Actual location of the MN from an IP point of view – Can be chosen. i.. Sender sends to the IP address of MN. HA acknowledges via FA to MN – These actions have to be secured by authentication 2.e. here FA. – Independent of changes in COA/FA © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 32 Home Network Router HA 1. e. HA intercepts packet (proxy ARP) 2.Terminology Mobile Node (MN): – System (node) that can change the point of connection to the network without changing its IP address Example Network HA MN Home Agent (HA): – System in the home network of the MN.

Agent Advertisement 0 7 8 15 16 23 24 type code checksum #addresses addr.g. ignored T: reverse tunneling requested x: =0. 0 registration accepted 1 registration accepted. ignored t t © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 33 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 34 Mobile IP Registration Request 0 type = 1 7 8 15 16 home address home agent COA identification extensions . . IHL DS (TOS) length IP identification flags fragment offset TTL lay..g. ignored identification Example codes: registration successful extensions .. IP-in-IP-encapsulation. 4 prot.... . size lifetime router address 1 preference level 1 router address 2 preference level 2 31 MN FA Registration HA MN HA regis requ tration est regis requ tration est regis requ tration est on trati regis reply on trati regis reply on trati regis reply type = 16 . Multicast in Unicast (Mbone) – Here: e. no more registrations type = 16 length sequence number RB H FMG r T H: home agent registration lifetime reserved COA 1 F: foreign agent COA 2 M: minimal encapsulation G: GRW encapsulation . r: =0. but simultaneous mobility bindings unsupported registration denied by FA 65 administratively prohibited 66 insufficient resources 67 mobile node failed authentication 68 home agent failed authentication 69 requested Lifetime too long registration denied by HA 129 administratively prohibited 131 mobile node failed authentication 133 registration Identification mismatch 135 too many simultaneous mobility bindings © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 36 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 35 Encapsulation Principle Encapsulation (1) Encapsulation of one packet into another as payload: – E. IPv6 in IPv4 (6Bone). payload © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 37 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 38 6 . . IHL DS (TOS) length IP identification flags fragment offset TTL IP-in-IP IP checksum IP address of HA Care-of address COA ver.. IP checksum IP address of CN IP address of MN TCP/UDP/ . RFC 2003): New IP Header Outer Header New Data Inner Header Original Data – Tunnel between HA and COA ver. length = 6 + 4 * #COAs R: registration required B: busy. minimal encapsulation or GRE (Generic Record Encapsulation) Original IP Header Original Data IP-in-IP-encapsulation (mandatory... . ignored (former Van Jacobson compression) T: FA supports reverse tunneling reserved: =0. S B DMG r T x Mobile IP Registration Reply 0 type = 3 7 8 15 16 code home address home agent 31 lifetime 23 24 lifetime 31 S: Simultaneous bindings B: Broadcast datagrams D: De-capsulation by MN M: Minimal encapsulation G: GRE encapsulation r: =0.

. version. rsv.. TTL. RFC 2004): – Avoids repetition of identical fields – E. S reserved IP checksum IP address of MN original sender IP address (if S=1) TCP/UDP/ . MN sends to FA 2. IP checksum IP address of HA care-of address COA lay. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing) CN Receiver 3 1. DS (RFC 2474.g. 4 prot.e. old: 2344) HA Mobile IP with Reverse Tunneling Router accept often only “topological correct“ addresses (firewall!): MN – A packet from the MN encapsulated by the FA is now topological correct – Furthermore multicast and TTL problems solved (TTL in the home network correct. old FA now forwards remaining packets to new FA – This information also enables the old FA to release resources for the MN © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 41 Request Update ACK Data Data t © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 42 Reverse Tunneling (RFC 3024. protocol checksum (optional) offset (optional) key (optional) sequence number (optional) routing (optional) ver. 4 protoc. FA tunnels packets to HA by encapsulation 3. but MN is too far away from the receiver) 2 Home Network Internet Reverse tunneling does not solve: 1 FA Sender Foreign Network – Problems with firewalls. Generic Routing Encapsulation Original Header Outer Header GRE Header Original Header New Data Original Data Original data RFC 1701 IHL DS (TOS) length IP identification flags fragment offset TTL GRE IP checksum IP address of HA Care-of address COA C R K S s rec. IP checksum IP address of CN IP address of MN TCP/UDP/ . the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking) – Optimization of data paths. checksum (optional) protocol reserved1 (=0) © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 39 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 40 Optimization of Packet Forwarding Triangular Routing: – Sender sends all packets via HA to MN – Higher latency and network load CN Data Update Change of Foreign Agent HA Data ACK FAold FAnew Data MN “Solutions”: – – – – Sender learns the current location of MN Direct tunneling to this location HA informs a sender about the location of MN Big security problems! Warning Data Data MN Changes Location Update ACK Registration Data Data Data Change of FA: – Packets on-the-fly during the change can be lost – New FA informs old FA to avoid packet loss. IHL.Encapsulation (2) Minimal encapsulation (optional. HA forwards the packet to the receiver (standard case) M8 – 43 The standard is backwards compatible: – Those extensions can be implemented easily and cooperate with current implementations without these extensions – Agent Advertisements can carry requests for reverse tunneling © 2005 Burkhard Stiller and Jochen Schiller FU Berlin © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 44 7 . i.. no space left for fragment identification IHL DS (TOS) length IP identification flags fragment offset TTL min. encap. ver. payload ver. ver. old: TOS) – Only applicable for not fragmented packets.. IHL DS (TOS) length IP identification flags fragment offset TTL lay. payload New Header RFC 2784 C reserved0 ver..

RFC 1825): – Integrity: any changes to data between sender and receiver can be detected by the receiver – Authentication: sender address is really the address of the sender and all data received is really data sent by this sender – Confidentiality: only sender and receiver can read the data – Non-Repudiation:sender cannot deny sending of data – Traffic Analysis: creation of traffic and user profiles should not be possible – Replay Protection: receivers can detect replay of messages IP Security Architecture (1) Two or more partners have to negotiate security mechanisms to setup a security association: – Typically. i. and foreign agent (FA) Key Distribution Home agent distributes session keys Extensions of the IP security architecture: – Extended authentication of registration MH-FA Authentication FA-HA Authentication MH-HA Authentication registration request registration request FA MH HA HA Response: EHA-FA {session key} EHA-MH {session key} MH registration reply FA registration reply – Prevention of replays of registrations: • Time stamps: 32 bit time stamps + 32 bit random number • Nonces: 32 bit random number (MH) + 32 bit random number (HA) Foreign agent has a security association with the home agent Mobile host registers a new binding at the home agent Home agent answers with a new session key for foreign agent and mobile node © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 50 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 49 8 . between two subnets is supported: • MN sends the new COA to its old router • The old router encapsulates all incoming packets for the MN and forwards them to the new COA • Authentication is always granted © 2005 Burkhard Stiller and Jochen Schiller FU Berlin Problems with Mobile IP Security: – Authentication with FA problematic. all partners choose the same parameters and mechanisms Two headers have been defined for securing IP packets: – Authentication-Header: • Guarantees integrity and authenticity of IP packets • If asymmetric encryption schemes are used. without packet loss.e. for the FA typically belongs to another organization – No protocol for key management and key distribution has been standardized in the Internet – Patent and export restrictions Firewalls: – Typically mobile IP cannot be used together with firewalls. all routers perform router advertisement which can be used instead of the special agent advertisement. firewalls. special set-ups are needed (such as reverse tunneling) QoS: – Many new reservations in case of RSVP – Tunneling makes it hard to give a flow of packets a special treatment needed for the QoS Security.Mobile IP and IPv6 Mobile IP was developed for IPv4. every node has address auto-configuration – No need for a separate FA. authentication of registration is included – COA can be assigned via auto-configuration (DHCPv6 is one candidate). but IPv6 simplifies the protocols: – Security is integrated and not an add-on. non-repudiation can also be guaranteed IP-Header IP Header Authentication Header Authentication-Header UDP/TCP-Packet UDP/TCP Data – Encapsulation Security Payload • protects confidentiality between communication partners Not Encrypted Encrypted IP Header ESP Header Encrypted Data © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 47 © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 48 IP Security Architecture (2) Mobile Security Association for registrations: – Parameters for the mobile host (MH). QoS are topics of current research and discussions! © 2005 Burkhard Stiller and Jochen Schiller FU Berlin M8 – 46 M8 – 45 Security in Mobile IP Security requirements (Security Architecture for the Internet Protocol. addresses are always colocated – MN can signal a sender directly the COA. home agent (HA). sending via HA not needed in this case (automatic path optimization) – “Soft“ hand-over.

Sign up to vote on this title
UsefulNot useful