Professional Documents
Culture Documents
MOBILE –
–
–
Encapsulation
Problems
DHCP
• Routing • Compatibility
– based on IP destination address, network prefix (e.g. 129.132.13) – support of the same layer 2 protocols as IP
determines physical subnet – no changes to current end-systems and routers required
– change of physical subnet implies change of IP address to have a – mobile end-systems can communicate with fixed systems
topological correct address (standard IP) or needs special entries in the
• Transparency
routing tables
– mobile end-systems keep their IP address
• Changing the IP-address?
– continuation of communication after interruption of link possible
– adjust the host IP address depending on the current location
– point of connection to the fixed network can be changed
– almost impossible to find a mobile system, DNS updates are too slow
• Efficiency and scalability
– TCP connections break
– only little additional messages to the mobile system required
– security problems
(connection typically via a low bandwidth radio link)
• Change/Add routing table entries for mobile hosts? – world-wide support of a large number of mobile systems
– worldwide!
• Security
– does not scale with the number of mobile hosts and frequent changes in
– authentication of all registration messages
their location
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/3 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/4
Example network Data transfer to the mobile system
HA HA
2
MN MN
router
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/5 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/6
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/7 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/8
Overview Network integration
COA
• Agent Advertisement
router
home router
FA
MN – HA and FA periodically send advertisement messages into their
network HA
physical subnets
foreign
Internet network
– MN listens to these messages and detects, if it is in the home or a
foreign network (standard case for home network)
– MN reads a COA from the FA advertisement messages
CN router • Registration (always limited lifetime!)
– MN signals COA to the HA via the FA, HA acknowledges via FA to MN
– these actions have to be secured by authentication
3.
router
home router
2. FA
MN • Advertisement
network HA
4.
– HA advertises the IP address of the MN (as for fixed systems), i.e.
foreign
Internet network
standard routing information
– routers adjust their entries, these are stable for a longer time (HA
1. responsible for a MN over a longer period of time)
CN router – packets to the MN are sent to the HA,
– independent of changes in COA/FA
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/9 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/10
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/11 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/12
Mobile IP registration request & reply Tunneling and Encapsulation
0 7 8 15 16 23 24 31
type = 1 S B DMG V rsv lifetime
home address
home agent original IP header original data
COA
identification
new IP header new data
extensions . . .
outer header inner header original data
0 7 8 15 16 31
type = 3 code lifetime
home address
home agent
identification
extensions . . .
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/13 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/14
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/15 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/16
Generic Routing Encapsulation Optimization of packet forwarding
original
original data
header
• Triangular Routing
outer header
GRE original
original data – sender sends all packets via HA to MN
header header
– higher latency and network load
new header new data • “Solutions”
ver. IHL TOS length – sender learns the current location of MN
IP identification flags fragment offset
TTL GRE IP checksum
– direct tunneling to this location
IP address of HA – HA informs a sender about the location of MN
Care-of address COA
C R K S s rec. rsv. ver. protocol – big security problems
checksum (optional) offset (optional)
key (optional) • Change of FA
sequence number (optional)
routing (optional) – packets on-the-fly during the change can be lost
ver. IHL TOS length
IP identification flags fragment offset – new FA informs old FA to avoid packet loss, old FA now forwards
TTL lay. 4 prot. IP checksum remaining packets to new FA
IP address of CN
IP address of MN – this information also enables the old FA to release resources for the MN
TCP/UDP/ ... payload
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/17 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/18
data data
MN changes
location
registration home network sender
registration
Internet
update
ACK FA foreign
data network
data data
warning
update Problems:
ACK • Firewall at CN
CN
data
data
• TTL
t receiver • Multicast
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/19 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/20
Reverse tunneling (RFC 2344) Mobile IP with reverse tunneling
HA
• Router accept often only “topologically correct“ addresses (firewall!)
2
MN – a packet from the MN encapsulated by the FA is now topologically
correct
– furthermore multicast and TTL problems solved (TTL in the home
network correct, but MN is too far away from the receiver)
home network sender • Reverse tunneling does not solve
1
Internet – problems with firewalls, the reverse tunnel can be abused to circumvent
security mechanisms (tunnel hijacking)
FA foreign
network – optimization of data paths, i.e. packets will be forwarded through the
tunnel via the HA to a sender (double triangular routing)
1. MN sends to FA • Reverse tunneling is backwards compatible
3 2. FA tunnels packets to HA – the extensions can be implemented easily and cooperate with current
CN by encapsulation implementations without these extensions
3. HA forwards the packet to the
receiver (standard case)
receiver
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/21 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/22
• Mobile IP was developed for IPv4, but IPv6 simplifies the protocols • Security
– security is integrated and not an add-on, authentication of registration is – authentication with FA problematic, for the FA typically belongs to
included another organization
– COA can be assigned via auto-configuration (DHCPv6 is one – no protocol for key management and key distribution has been
candidate), every node has address auto-configuration standardized in the Internet
– no need for a separate FA, all routers perform router advertisement – patent and export restrictions
which can be used instead of the special agent advertisement • Firewalls
– MN can signal a sender directly the COA, sending via HA not needed in – typically mobile IP cannot be used together with firewalls, special set-
this case (automatic path optimization) ups are needed (such as reverse tunneling)
– „soft“ hand-over, i.e. without packet loss, between two subnets is • QoS
supported – many new reservations in case of RSVP
• MN sends the new COA to its old router
– tunneling makes it hard to give a flow of packets a special treatment
• the old router encapsulates all incoming packets for the MN and forwards needed for the QoS
them to the new COA
• authentication is always granted • Security, firewalls, QoS etc. are topics of current research and
discussions!
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/23 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/24
IP Micro-mobility support Cellular IP
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/25 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/26
• Advantages: • Advantages:
– Initial registration involves authentication of MNs
– Simple and elegant architecture
and is processed centrally by CIP Gateway
– All control messages by MNs are authenticated – Mostly self-configuring (little management needed)
– Replay-protection (using timestamps) – Integration with firewalls / private address support possible
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/27 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/28
HAWAII HAWAII: Security
• Operation: • Advantages:
– MN obtains co-located COA 1 Internet – Mutual authentication and C/R extensions mandatory
and registers with HA 2 HA
– Only infrastructure components can influence routing entries
– Handover: MN keeps COA,
Backbone
new BS answers Reg. Request 3
Router • Potential problems:
and updates routers 4
– MN views BS as foreign agent – Co-located COA raises DHCP security issues
Crossover (DHCP has no strong authentication)
Router
– Decentralized security-critical functionality
• Security provisions: 2 (Mobile IP registration processing during handover)
– MN-FA authentication mandatory 4 Mobile IP in base stations
– Challenge/Response Extensions – Authentication of HAWAII protocol messages unspecified
BS BS BS DHCP
mandatory (potential attackers: stationary nodes in foreign network)
Server
Mobile IP – MN authentication requires PKI or AAA infrastructure
3
MN MN DHCP
1
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/29 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/30
• Operation:
• Advantages:
– Network contains mobility anchor point Internet
– Mostly transparent to MNs (MAP) HA
(MN sends/receives standard Mobile IP messages) • mapping of regional COA (RCOA) to link
COA (LCOA) RCOA
– Explicit support for dynamically assigned home addresses – Upon handover, MN informs
MAP only MAP
• gets new LCOA, keeps RCOA
• Potential problems: – HA is only contacted if MAP
changes binding AR AR
– Mixture of co-located COA and FA concepts may not be update
supported by some MN implementations LCOAnew LCOAold
• Security provisions:
– No private address support possible – no HMIP-specific
because of co-located COA MN MN
security provisions
– binding updates should be
authenticated
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/31 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/32
Hierarchical Mobile IP: Security Hierarchical Mobile IP: Other issues
• Advantages: • Advantages:
– Local COAs can be hidden, – Handover requires minimum number
which provides some location privacy of overall changes to routing tables
– Direct routing between CNs sharing the same link is possible (but might – Integration with firewalls / private address support possible
be dangerous)
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/33 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/34
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/35 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/36
DHCP characteristics TCP Overview
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/37 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/38
• sender calculates a congestion window for a receiver • TCP sends an acknowledgement only after receiving a packet
• start with a congestion window size equal to one segment • If a sender receives several acknowledgements for the same
• exponential increase* of the congestion window up to the packet, this is due to a gap in received packets at the receiver
congestion threshold, then linear increase • Sender can retransmit missing packets (fast retransmit)
• missing acknowledgement causes the reduction of the congestion
threshold to one half of the current congestion window • Also, the receiver got all packets up to the gap and is actually
• congestion window starts again with one segment receiving packets
• Therefore, packet loss is not due to congestion, continue with
current congestion window (fast recovery)
*slow-start vs. exponential increase: window is increased by one for
each acknowledgement, that is, 1 ! 2 ! 4 ! 8 … In other words, the • In the following simplied analysis, we do consider neither fast
slow-start mechanism is rather a “quick-start”. retransmit nor fast recovery.
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/39 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/40
TCP on lossy (wireless) link Simple analysis model for lossy TCP
[Lakshman/Madhow]
• If there are no losses (and all ACKs are received in time):
– Number of segments S first doubles up to threshold W
(slow start phase)
– Number of segments S is incremented after S successful ACKs
– At some point we reach the bandwidth of the channel B
• If there is a loss
– We go back to S = 1
Very high loss probability High loss probability
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/41 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/42
• For not too high error probability q we are usually in the congestion •
mode (that is: not the slow start mode).
• The expected number of successful transmission E before we get • Plot of T(p), with B = 50
an error is
• Note that 1% faulty
transmissions is enough to
• In the equilibrium, we are in the states 1, 2, 3, …, S-1, S, and then degrade the throughput to
back to 1 because we have a missing ACK, that is, we have about 14% of the bandwidth.
1+2+…+S ¼ S 2/2 successful transmissions. • 10% error rate gives about
4% of possible bandwidth.
• • The higher the bandwidth,
the worse the relative loss.
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/43 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/44
Mobility and TCP Early Approach: Indirect TCP (I-TCP)
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/45 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/46
I-TCP socket and state migration Indirect TCP Advantages and Disadvantages
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/47 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/48
Early Approach: Snooping TCP Snooping TCP
• Transparent extension of TCP within the foreign agent • Data transfer to the mobile host
– buffering of packets sent to the mobile host – FA buffers data until it receives ACK of the MH, FA detects packet loss
– lost packets on the wireless link (both directions!) will be retransmitted via duplicated ACKs or time-out
immediately by the mobile host or foreign agent, respectively (so called – fast retransmission possible, transparent for the fixed network
“local” retransmission) • Data transfer from the mobile host
– the foreign agent therefore “snoops” the packet flow and recognizes – FA detects packet loss on the wireless link via sequence numbers, FA
acknowledgements in both directions, it also filters ACKs answers directly with a NACK to the MH
– changes of TCP only within the foreign agent – MH can now retransmit data with only a very short delay
• Integration of the MAC layer
local retransmission – MAC layer often has similar mechanisms to those of TCP
foreign
agent – thus, the MAC layer can already detect duplicated packets due to
„wired“ Internet retransmissions and discard them
• Problems
snooping of ACKs buffering of data
correspondent
– snooping TCP does not isolate the wireless link as good as I-TCP
mobile
host host – snooping might be useless depending on encryption schemes
end-to-end TCP connection
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/49 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/50
+ maintains end-to-end semantics, supports disconnection, no + simple changes result in significant higher performance
buffer forwarding – what a hack…
– does not solve problem of bad wireless link, only disconnections
– adapted TCP on wireless link; new software needed
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/51 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/52
Transmission/time-out freezing Selective retransmission
• Mobile hosts can be disconnected for a longer time • TCP acknowledgements are often cumulative
– no packet exchange possible, e.g., in a tunnel, disconnection due to – ACK n acknowledges correct and in-sequence receipt of packets up to n
overloaded cells or multiplex with higher priority traffic – if single packets are missing quite often a whole packet sequence
– TCP disconnects after time-out completely beginning at the gap has to be retransmitted (go-back-n), thus wasting
bandwidth, especially if the bandwidth-delay product is high.
• TCP freezing
– MAC layer is often able to detect interruption in advance • Selective retransmission as one solution
– MAC can inform TCP layer of upcoming loss of connection – RFC2018 allows for acknowledgements of single packets, not only
– TCP stops sending, but does now not assume a congested link acknowledgements of in-sequence packet streams without gaps
– MAC layer signals again if reconnected – sender can now retransmit only the missing packets
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/53 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/54
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/55 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/56
Recent work Recent work
Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/57 Distributed Computing Group MOBILE COMPUTING R. Wattenhofer 6/58