
Advanced Course on Networking

Mobile IPv4 10.2.2010


Karri Huhtanen <karri.huhtanen@tut.fi>

Contents
1. Mobile IPv4 Architecture
2. Mobile IPv4 Functionality
   2.1 Functionality in the Home Network
   2.2 Moving to the Foreign Network
   2.3 Registration
   2.4 Functionality in the Foreign Network
       2.4.1 Routing, version 1
       2.4.2 Routing, version 2
3. Issues in Mobile IPv4
4. Mobile IPv4 Status

1. Mobile IPv4 Architecture


[Slide figure: the Internet with a Correspondent Node (CN); the TUT network with the Home Agent (HA) in the home network 130.230.52.0/24 and the Foreign Agent (FA) in the Mobile-IP enabled foreign network 130.230.144.0/24; the Mobile Node (MN) with home address 130.230.52.82, shown both at home and visiting the foreign network with Care-of Address (CoA) 130.230.144.247.]

- The Mobile Node (MN) roams between its home network and foreign networks.
- The MN registers its current address with the Home Agent (HA).
- While visiting a foreign network, the MN may acquire an IP address from that network. This address is called the Care-of Address (CoA).
- The Home Agent (HA) resides in the home network and takes care of registration and of pairing home addresses with care-of addresses. It also routes the mobile node's traffic from the home address to the care-of address.
- The Foreign Agent (FA) is an additional component that can be used for routing and mobility optimisation. Its main purpose is to relay registration and CoA update messages to the home agent; it can also remove the encapsulation from the traffic flowing to and from the terminal.
- A Correspondent Node (CN) can be any host in the Internet communicating with the mobile node's home address.

2.1 Functionality in the Home Network


[Slide figure: the Internet with a Correspondent Node (CN); the TUT network with the Home Agent (HA) in the home network 130.230.52.0/24 and the Foreign Agent (FA) in the Mobile-IP enabled foreign network 130.230.144.0/24; the Mobile Node (MN) at home with home address 130.230.52.82.]

- The Home Agent (HA) sends agent advertisements, which are extended router advertisements sent periodically via unicast, broadcast or multicast.
- The agent advertisement contains information such as:
  - sequence number
  - lifetime of the registration
  - flags indicating whether the advertisement was sent by an FA or an HA
  - supported IP encapsulations
  - one or more care-of addresses (CoA)
  - the lengths of the prefixes advertised in the standard part
- The Mobile Node (MN) listens to the agent advertisements to determine whether it is in its home network or in a foreign network.
- In the home network the MN cancels its home agent registration to ensure normal routing.
- In the slide the MN has already started exchanging traffic (using its home address 130.230.52.82) with a correspondent node somewhere in the Internet.
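The agent advertisement described above is an ICMP Router Advertisement (RFC 1256) with the Mobility Agent Advertisement extension and the Prefix-Lengths extension appended (RFC 3344). The following is an added example, not code from the lecture: it builds such an advertisement on the agent side, parses it on the mobile node side, and uses the advertised prefix lengths to decide whether the node is at home. It also includes the "sequence number below 256 means the agent rebooted" check that section 2.4 refers to. The router address 130.230.144.1, sequence numbers, lifetimes and flags are constructed values for the demo; the checksum routine and field layout follow the RFCs.

```python
"""Added example: parse an ICMP Router Advertisement that carries the Mobility
Agent Advertisement extension (RFC 1256 + RFC 3344) and use it for move
detection.  Addresses and field values are constructed for the demo."""
import ipaddress
import struct

ICMP_ROUTER_ADV = 9
AGENT_ADV_EXT = 16        # Mobility Agent Advertisement extension (RFC 3344)
PREFIX_LEN_EXT = 19       # Prefix-Lengths extension (RFC 3344)
FLAG_BITS = {"R": 0x80, "B": 0x40, "H": 0x20, "F": 0x10,
             "M": 0x08, "G": 0x04, "r": 0x02, "T": 0x01}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum used by ICMP; returns 0 for a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_agent_advertisement(router, seq, reg_lifetime, flags, coas, prefix_len, lifetime=1800):
    """Agent side: one router address entry (preference 0) plus the two extensions."""
    body = struct.pack("!BBH", 1, 2, lifetime)          # num addrs, entry size (words), lifetime
    body += ipaddress.IPv4Address(router).packed + struct.pack("!i", 0)
    ext = struct.pack("!BBHHBB", AGENT_ADV_EXT, 6 + 4 * len(coas),  # type, length
                      seq, reg_lifetime, flags, 0)                    # seq, lifetime, flags, reserved
    ext += b"".join(ipaddress.IPv4Address(c).packed for c in coas)
    ext += struct.pack("!BBB", PREFIX_LEN_EXT, 1, prefix_len)        # one length per router address
    pkt = struct.pack("!BBH", ICMP_ROUTER_ADV, 0, 0) + body + ext
    return pkt[:2] + struct.pack("!H", icmp_checksum(pkt)) + pkt[4:]


def parse_agent_advertisement(data: bytes) -> dict:
    """Mobile node side: validate the ICMP checksum and pull out the agent fields."""
    if len(data) < 8 or data[0] != ICMP_ROUTER_ADV:
        raise ValueError("not an ICMP Router Advertisement")
    if icmp_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    num_addrs, entry_size, lifetime = struct.unpack("!BBH", data[4:8])
    off, routers = 8, []
    for _ in range(num_addrs):
        addr, pref = struct.unpack("!4si", data[off:off + 8])
        routers.append((str(ipaddress.IPv4Address(addr)), pref))
        off += entry_size * 4
    adv = {"routers": routers, "lifetime": lifetime, "agent": None, "prefix_lengths": None}
    while off < len(data):
        ext_type = data[off]
        if ext_type == 0:                  # one-byte Pad extension
            off += 1
            continue
        if off + 1 >= len(data):           # truncated extension header
            break
        ext_len = data[off + 1]
        body = data[off + 2:off + 2 + ext_len]
        if ext_type == AGENT_ADV_EXT:
            seq, reg_lifetime, flags = struct.unpack("!HHB", body[:5])
            adv["agent"] = {
                "sequence": seq,
                "registration_lifetime": reg_lifetime,
                "flags": {name: bool(flags & bit) for name, bit in FLAG_BITS.items()},
                "care_of_addresses": [str(ipaddress.IPv4Address(body[i:i + 4]))
                                      for i in range(6, ext_len, 4)],
            }
        elif ext_type == PREFIX_LEN_EXT:
            adv["prefix_lengths"] = list(body)
        off += 2 + ext_len
    return adv


def classify_network(adv: dict, home_address: str) -> str:
    """Move detection with the Prefix-Lengths extension: the node is at home when an
    advertised router shares the prefix of its home address (RFC 3344 move detection)."""
    if adv["agent"] is None:
        return "no-agent"
    if not adv["prefix_lengths"]:
        return "unknown"                   # without prefixes the address alone cannot decide
    for (router, _), plen in zip(adv["routers"], adv["prefix_lengths"]):
        net = ipaddress.ip_network("%s/%d" % (router, plen), strict=False)
        if ipaddress.IPv4Address(home_address) in net:
            return "home"
    return "foreign"


def agent_rebooted(previous_seq: int, current_seq: int) -> bool:
    """Sequence numbers wrap from 0xFFFF to 256, so a drop to a value below 256
    means the agent restarted and the mobile node must register again."""
    return current_seq < previous_seq and current_seq < 256
```

A mobile node would feed the ICMP payload received on the link into parse_agent_advertisement, call classify_network with its own home address, and start a registration when the result is "foreign" or when agent_rebooted fires for a previously seen agent.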

2.2 Moving to the Foreign Network


[Slide figure: the Internet with a Correspondent Node (CN); the TUT network with the Home Agent (HA) in the home network 130.230.52.0/24 and the Foreign Agent (FA) in the Mobile-IP enabled foreign network 130.230.144.0/24; the Mobile Node (MN) with home address 130.230.52.82 now visiting the foreign network with DHCP address 130.230.144.247.]

- The MN leaves the home network, moves to a foreign network and receives a new IP address from the foreign network via DHCP.
- Traffic from the Correspondent Node to the Mobile Node's home address is still routed to the home network router, but no further, since no host admits having the MN's home address.
- The MN can detect the change of network from various indicators such as wireless signal strength, a different IP network or FA agent advertisements; which indicators are used varies from one implementation to another.
- When the MN itself detects the change of network, it sends an ICMP router solicitation, which triggers any Mobile IPv4 agent component present (such as an FA) to respond with an agent advertisement directed at the MN.
- The detected agent advertisement triggers the MN to start registration with the home agent (HA).

2.3 Registration
[Slide figure: message sequence between Mobile Node, Foreign Agent and Home Agent. The MN prepares a registration request (RequestID, MN home address, HA address, CoA, authentication info etc.); the FA relays the request to the HA, which grants or denies it; the registration reply (RequestID, Grant/Deny, lifetime, MN home address, HA address, authentication info etc.) is processed by the FA and relayed back to the MN, which processes it in turn.]

- The diagram is from Huitema: Routing in the Internet, pages 319-320; the book also has the exact details of the packets sent.
- In this case the foreign network has an FA, so the MN communicates directly with the FA rather than with the Home Agent, as in the most common case.
- First the MN sends a UDP registration request to FA port 434.
- The FA forwards the request to the HA, which approves or denies it.
- The response is transmitted via the FA back to the MN, which makes it possible for the FA to still accept or deny the MN's request.
- If the request is denied, the response also includes the reason for the rejection and whether the decision was made in the FA or in the HA.
- To protect the architecture from man-in-the-middle and replay attacks, security associations are created between MN, FA and HA, and the protocol uses NTP timestamps and nonces (a pseudorandom number that is used only once).
- After successful registration the HA knows which address the MN is currently using and can route traffic destined to the MN's home address to the MN's actual care-of address using methods such as proxy ARP and IP-in-IP tunnelling.
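The registration exchange and its replay protection can be followed end to end in code. The block below is an added example, not the lecture's or any implementation's code: the mobile node builds a Registration Request with the Mobile-Home Authentication Extension (HMAC-MD5 over the message and the extension's type, length and SPI, the RFC 3344 default), the home agent verifies it, applies NTP-timestamp replay protection, and answers with an authenticated Registration Reply that the mobile node verifies in turn. The nonce style of replay protection mentioned above is not implemented here. Assumptions for the demo: the authentication extension is the only extension present, the HA's clock is injected rather than read from the system, the 7-second skew window is a chosen value (the RFC does not fix it), and the SPI, key and addresses are constructed.

```python
"""Added example: Mobile IPv4 registration (RFC 3344) with the Mobile-Home
Authentication Extension (HMAC-MD5) and timestamp replay protection.
SPI, key, addresses and clock values are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST, REG_REPLY = 1, 3
MH_AUTH_EXT = 32                  # Mobile-Home Authentication Extension
NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01
REPLAY_WINDOW = 7                 # assumption: tolerated clock skew in seconds
CODE_ACCEPTED, CODE_MN_AUTH_FAILED, CODE_ID_MISMATCH = 0, 131, 133
FIXED_REQ_LEN, FIXED_REP_LEN = 24, 20   # fixed portion of Request / Reply


def ntp_identification(now: float, low32: int = 0x5A5A5A5A) -> int:
    """Identification field: 64-bit NTP timestamp (seconds in the high 32 bits)."""
    return ((int(now) + NTP_EPOCH_OFFSET) << 32) | low32


def _pack(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def auth_extension(payload: bytes, spi: int, key: bytes) -> bytes:
    """HMAC-MD5 over the message, prior extensions and this extension's type/length/SPI."""
    head = struct.pack("!BBI", MH_AUTH_EXT, 4 + 16, spi)
    return head + hmac.new(key, payload + head, hashlib.md5).digest()


def build_request(home, ha, coa, lifetime, ident, spi, key, flags=0) -> bytes:
    """Mobile node: Registration Request (carried in UDP to port 434)."""
    data = struct.pack("!BBH", REG_REQUEST, flags, lifetime) + _pack(home) + _pack(ha) + _pack(coa)
    data += struct.pack("!Q", ident)
    return data + auth_extension(data, spi, key)


def _verify(data: bytes, fixed_len: int, keys: dict):
    """Check the authentication extension that follows the fixed part (assumed to be
    the only extension). Returns (spi, key, ok)."""
    if len(data) < fixed_len + 22:
        return 0, None, False
    ext_type, ext_len, spi = struct.unpack("!BBI", data[fixed_len:fixed_len + 6])
    key = keys.get(spi)
    if ext_type != MH_AUTH_EXT or ext_len != 20 or key is None:
        return spi, None, False
    expected = hmac.new(key, data[:fixed_len + 6], hashlib.md5).digest()
    return spi, key, hmac.compare_digest(expected, data[fixed_len + 6:fixed_len + 22])


class HomeAgent:
    def __init__(self, address: str, keys: dict, now: float):
        self.address, self.keys, self.now = address, keys, now   # now: injected clock (demo)
        self.bindings = {}      # home address -> (care-of address, lifetime)
        self.last_ident = {}    # home address -> last accepted Identification

    def handle_request(self, data: bytes) -> bytes:
        if len(data) < FIXED_REQ_LEN or data[0] != REG_REQUEST:
            raise ValueError("malformed Registration Request")
        flags, lifetime = struct.unpack("!BH", data[1:4])
        home = str(ipaddress.IPv4Address(data[4:8]))
        coa = str(ipaddress.IPv4Address(data[12:16]))
        ident = struct.unpack("!Q", data[16:24])[0]
        spi, _, ok = _verify(data, FIXED_REQ_LEN, self.keys)
        if not ok:
            return self._reply(CODE_MN_AUTH_FAILED, 0, home, ident, spi)
        now_ntp = int(self.now) + NTP_EPOCH_OFFSET
        if abs((ident >> 32) - now_ntp) > REPLAY_WINDOW or ident <= self.last_ident.get(home, 0):
            # stale or repeated Identification: reject and send our clock so the MN can resync
            resync = (now_ntp << 32) | (ident & 0xFFFFFFFF)
            return self._reply(CODE_ID_MISMATCH, 0, home, resync, spi)
        self.last_ident[home] = ident
        self.bindings[home] = (coa, lifetime)
        return self._reply(CODE_ACCEPTED, lifetime, home, ident, spi)

    def _reply(self, code, lifetime, home, ident, spi) -> bytes:
        data = struct.pack("!BBH", REG_REPLY, code, lifetime) + _pack(home) + _pack(self.address)
        data += struct.pack("!Q", ident)
        key = self.keys.get(spi)
        # with an unknown SPI the reply cannot be authenticated; the MN will discard it
        return (data + auth_extension(data, spi, key)) if key else data


def parse_reply(data: bytes, keys: dict) -> dict:
    """Mobile node: accept a Registration Reply only if its authentication extension verifies."""
    rtype, code, lifetime = struct.unpack("!BBH", data[:4])
    ident = struct.unpack("!Q", data[12:20])[0]
    _, _, ok = _verify(data, FIXED_REP_LEN, keys)
    if rtype != REG_REPLY or not ok:
        raise ValueError("unauthenticated or malformed Registration Reply")
    return {"code": code, "lifetime": lifetime, "identification": ident}
```

Two properties are worth checking against this code: a replayed request (same Identification) is answered with code 133 and the binding is left untouched, and a request whose care-of address was altered in transit fails the HMAC check (code 131) because the authenticator covers the whole fixed portion.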

2.4 Functionality in the Foreign Network


[Slide figure: the Internet with a Correspondent Node (CN) sending to home address 130.230.52.82; the TUT network with the Home Agent (HA) in the home network 130.230.52.0/24 and the Foreign Agent (FA) in the Mobile-IP enabled foreign network 130.230.144.0/24. Traffic to the MN's home address is encapsulated by the HA in an IP-IP or GRE tunnel directed to the FA handling the MN; the FA removes the HA-FA encapsulation and forwards the traffic encapsulated in an FA-MN IP-IP tunnel. The visiting Mobile Node (MN) has Care-of Address (CoA) 130.230.144.247 and home address 130.230.52.82.]

- The MN has now registered with the HA, and the HA knows the MN's care-of address (CoA).
- The MN still listens to agent advertisements. If a certain sequence number (below 256) is detected or the lifetime of the advertisement/registration has expired, the MN starts a new registration.
- After registration the HA can advertise that it knows the MN, and traffic from the CN to the MN's home address can continue to the HA.
- The HA encapsulates the CN-MN traffic in an IP-IP (RFC 2003, RFC 2004) or GRE (RFC 1701) tunnel, which is created between the HA and the FA, or between the HA and the MN if FAs are not used.
- In the HA-FA-MN scenario the FA removes the encapsulation and sends the payload traffic on either as it is or encapsulated with a method negotiated between the FA and the MN. In the HA-MN scenario the tunnel is created directly between HA and MN.
- In the rare HA-FA-MN scenario the MN does not actually even need a CoA if it is able to negotiate a mutually compatible connection with the FA without IP-level connectivity.
- The CN-MN traffic is now received by the MN, but for the return traffic from MN to CN there are two different versions, presented in the following slides.

2.4.1 Routing, version 1


[Slide figure: the Internet with a Correspondent Node (CN) sending to home address 130.230.52.82; the TUT network with the Home Agent (HA) in the home network 130.230.52.0/24 and the Foreign Agent (FA) in the Mobile-IP enabled foreign network 130.230.144.0/24; a bi-directional IP-IP tunnel between FA and HA and another between MN and FA. The visiting Mobile Node (MN) has Care-of Address (CoA) 130.230.144.247 and home address 130.230.52.82.]

- Routing, version 1: fully bidirectional tunnelling is the most common and in practice the easiest way to handle routing of the traffic from the MN back to the CN.
- In this version all traffic returns via the home agent to the CN. This is of course inefficient when the CN is near the MN and the HA is far away from both of them.
- To solve this problem, another version of routing the MN-CN return traffic was defined.

2.4.2 Routing, version 2


[Slide figure: the Internet with a Correspondent Node (CN) sending to home address 130.230.52.82, and the MN's return traffic going directly to the CN; the TUT network with the Home Agent (HA) in the home network 130.230.52.0/24 and the Foreign Agent (FA) in the Mobile-IP enabled foreign network 130.230.144.0/24. Traffic to the MN's home address is encapsulated in an IP-IP or GRE tunnel directed to the FA handling the MN, then in an IP-IP tunnel between MN and FA. The visiting Mobile Node (MN) has Care-of Address (CoA) 130.230.144.247 and home address 130.230.52.82.]

- In routing version 2 (usually called triangle routing) the traffic from the CN to the MN still travels via the HA, but the return traffic is sent directly from the MN to the CN (RFC 2002).
- However, the firewalls and routers between the CN and the MN usually filter and drop traffic which, by its headers, is sent from networks that are not actually connected to them. Because of this problem, this way of routing the return traffic has become obsolete.
- The problem still remains, and in the design of Mobile IPv6 this kind of situation was already covered in the design phase of the protocol.
- Huitema's book also suggests a solution similar to the one used in Mobile IPv6: a redirection message would be sent from the MN to the CN to make the CN send its traffic to the MN's new care-of address. This kind of signalling, however, raises serious security issues, in addition to requiring the Mobile IPv4 implementation to be extended to every host in the Internet.
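The tunnelling from section 2.4 and the filtering problem of routing version 2 can be shown together on packets. The block below is an added example, not code from the lecture or from any Mobile IP implementation: the home agent wraps a packet for a registered home address in an outer IPv4 header with protocol number 4 (IP-in-IP, RFC 2003) addressed to the care-of address; the foreign agent (or a mobile node with a co-located care-of address) strips it, accepting only tunnels from its expected home agent and only for registered visitors; and an RFC 2827 style ingress filter at the edge of the foreign network shows why a reply sent directly from the MN with its home address as source (version 2) is dropped while the same reply tunnelled back through the home agent (version 1) passes. The CN address 192.0.2.10 and the payloads are constructed; TTL handling and fragmentation are left out.

```python
"""Added example: RFC 2003 IP-in-IP tunnelling between home agent and foreign
agent, and the ingress-filter rule that breaks 'routing version 2'.
All addresses and payloads are constructed for the demo."""
import ipaddress
import struct

IPPROTO_IPIP = 4       # outer header protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Header checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate the header and return its fields; raises on anything malformed."""
    if len(pkt) < 20 or pkt[0] != 0x45 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len > len(pkt):
        raise ValueError("truncated packet")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[20:total_len]}


def ha_encapsulate(pkt: bytes, bindings: dict, ha_addr: str):
    """Home agent: a packet for a registered home address is put behind an outer
    header addressed to the care-of address; anything else returns None (forward normally)."""
    inner = parse_ipv4(pkt)
    coa = bindings.get(inner["dst"])
    if coa is None:
        return None
    return build_ipv4(ha_addr, coa, IPPROTO_IPIP, pkt)


def fa_decapsulate(pkt: bytes, tunnel_peer: str, visitors: set):
    """Foreign agent (or co-located mobile node): strip the outer header, but only for
    tunnels from the expected home agent and only for registered visitors."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP or outer["src"] != tunnel_peer:
        return None
    inner = parse_ipv4(outer["payload"])
    if inner["dst"] not in visitors:
        return None
    return inner


def ingress_filter_allows(pkt: bytes, local_prefix: str) -> bool:
    """Edge-router rule (RFC 2827 style): packets leaving the network must carry a
    source address from that network. A mobile node answering the CN directly with
    its home address as source fails this; a reply tunnelled via the HA passes."""
    src = ipaddress.IPv4Address(parse_ipv4(pkt)["src"])
    return src in ipaddress.ip_network(local_prefix)
```

Run against the lecture's addresses, a CN packet to 130.230.52.82 becomes an outer packet from the HA to 130.230.144.247 with protocol 4, the FA recovers the original packet, and the MN's direct reply with source 130.230.52.82 is rejected by the 130.230.144.0/24 ingress filter whereas the same reply wrapped in a tunnel header from the care-of address is allowed out.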

3. Issues in Mobile IPv4


- The problems of full bidirectional tunnelling
  - What if the Home Agent is far away but the correspondent node is near?
- Multicast / Broadcast
  - Multicast loses its usefulness. The mobile node may subscribe to multicast traffic, but it is converted into unicast traffic forwarded over the tunnel just for that mobile node. Broadcasts in the home network must also be tunnelled as unicast traffic directly to the mobile node to get service discovery and other local home network services working.
- Location-dependent services, using local services
  - Often found with multicast or DNS service discovery. Where does the mobile node search for services? In its home network? How does the mobile node utilise the local services in the foreign network?
- Combining with other technologies
  - How to combine IPSEC and Mobile IPv4 authentication and tunnel handling?
  - How to authenticate a large number of mobile nodes securely?

- The issues in Mobile IPv4, such as the CN and MN being close to each other but far away from the HA, are mainly being solved in the design and definition of Mobile IPv6.
- Some work is being done on Mobile IPv4, such as optimisations in registration, foreign agent hierarchies and so on.
- Combining Mobile IPv4 and IPSEC has been done and has proven very useful for securing session continuation while switching from one wireless technology to another. A few implementations exist, but the technology has not reached widespread use.

4. Mobile IPv4 Status


- Standardisation
  - Mobile IPv4 is an IETF standard.
- Operating system support
  - No official operating system support (with the exception of Solaris); free or commercial Mobile IPv4 stacks are available for Linux, *BSD and Windows. For Symbian there is the Birdstep Mobile IPv4 client.
  - A commercial combined Mobile-IP/IPSEC stack is available for Linux, Windows XP/Vista and Mac OS X from Birdstep (which bought it partially from SecGo).
  - No native Microsoft operating system support.
- Device support
  - Routers and wireless access points already include support for some Mobile IPv4 features, but the set of implemented features varies.
- Mobile IPv4 in the real world
  - Mobile IPv4 is used in moving networks, corporate mobile VPNs and other applications requiring, for example, seamless roaming from WiFi to 3G or other networks. There are also rumours that Mobile IPv4 is used to implement terminal mobility, for example in CDMA2000 networks.