TCP Migrate
Chris Meullion, Preston Burden, Dwight Philpotts, John C. Jones-Walker
Introduction
- Work from the MIT Lab for Computer Science (A. Snoeren and H. Balakrishnan).
- An end-to-end architecture for host mobility:
  - dynamic updates to DNS
  - supports all mobile applications
  - a new TCP option
  - multiple mobility modes
  - a "pure" routing solution
- Objective: a mechanism for delivering data to a mobile host across network address changes.
- DNS update: sent to the name server in the host's home domain, which records the host's current location.
- Classes of applications: (1) the mobile host originates the connection; (2) a server or other host originates the connection to the mobile host; (3) application-level retries after an unexpected address change.
- TCP option: suspends a connection and reactivates it from another IP address, transparently to the application.
- Pure routing: no changes to the layers above IP in the stack.
Motivation
- An alternative to Mobile IP: handle mobility on an end-to-end basis.
- Mobile IP: a home agent intercepts packets destined for the host and tunnels them to a foreign agent in the foreign network; the transport and application layers never learn that the host moved.
- Handling mobility end-to-end lets higher layers such as TCP and HTTP learn about mobility and adapt to it.
End-to-End Architecture
- Addressing
- Locating a mobile host
- Connection migration
Addressing
- Supports all methods of address allocation: manual assignment, Dynamic Host Configuration Protocol (DHCP), and autoconfiguration.
- In a foreign network the host uses the locally obtained interface address as its source address; there is no home address to tunnel through.
Mobile Host Location
- Mobile host acting as a client: no special host location is performed; if the host moves, it simply obtains a new address and originates new connections from it.
- Mobile servers: DNS provides the indirection.
  - Exploits the hostname lookup done when a connection is initiated: applications that originate communication with a network host look up its DNS name and use that name as the invariant.
  - A DNS name identifies a host and assumes nothing about the network it is attached to.
  - Indirection happens only when the initial lookup goes through DNS; an address obtained some other way (for example from a cache) bypasses it, so the host's record should carry a short TTL.
  - When the mobile host changes its attachment point, it must detect this and update the hostname-to-address mapping in the DNS itself.
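The last bullet, the mobile host rewriting its own hostname-to-address mapping, is what an RFC 2136 DNS UPDATE message carries. The following is an added example, not code from the paper or the slides: it builds an UPDATE that deletes the host's old A records and adds the new address, and parses the wire form back to check it. The zone, host name, address, TTL and message ID are constructed sample values, name compression is not handled (the builder never emits it), and the TSIG signature a real deployment would attach to authenticate the update is omitted.

```python
"""Build and parse an RFC 2136 DNS UPDATE that replaces a mobile host's A record.

Added example, not from the paper or the slides. All names and addresses below
are constructed sample values.
"""
import struct

TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_update(zone: str, host: str, new_ip: str, ttl: int = 60, msg_id: int = 0x1234) -> bytes:
    """UPDATE with one zone entry and two update RRs: delete all A RRs, add the new one."""
    # Header: ID, flags (QR=0, opcode 5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "Delete an RRset": class ANY, TTL 0, empty RDATA
    delete_old = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = bytes(int(octet) for octet in new_ip.split("."))
    add_new = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + delete_old + add_new


def decode_name(buf: bytes, off: int):
    """Decode an uncompressed name starting at off; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_update(buf: bytes) -> dict:
    """Parse the header, zone section and update section of an UPDATE message."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    zone, off = decode_name(buf, off)
    ztype, zclass = struct.unpack_from("!HH", buf, off)
    off += 4
    updates = []
    for _ in range(upcount):
        name, off = decode_name(buf, off)
        rtype, rclass, rttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        addr = ".".join(str(b) for b in rdata) if rdlen == 4 else None
        updates.append((name, rtype, rclass, rttl, addr))
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone,
            "zone_type": ztype, "updates": updates}


if __name__ == "__main__":
    msg = build_a_update("example.org", "mobile.example.org", "198.51.100.7")
    print(len(msg), "bytes:", parse_update(msg))
```

The delete-then-add pair is what makes the update safe to send after every move: the fixed host's resolver sees exactly one A record for the name, never a stale one beside the new one.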
TCP Connection Migration
- A TCP connection is normally identified by its 4-tuple (source address, source port, destination address, destination port); a change of address changes the tuple, so the connection would be lost.
- A new Migrate TCP option, carried in a SYN packet, lets an existing connection be identified by a token instead of the 4-tuple.
- The token is negotiated between the two hosts when the connection is first established.
Example of TCP Migration (message-sequence figure, not reproduced)
Migrate-Permitted Option
- Sent in the initial SYN to set up a migrateable TCP connection.
- Comes in an insecure and a secure version.
- The secure version carries an 8-bit curve name, a 136-bit ECDH public key and a timestamp; the two hosts use the ECDH exchange to agree on a secret the network never sees.
Migrate Option
- Requests migration of a currently open TCP connection; sent in a SYN from the mobile host's new address.
- Carries two 64-bit fields: a token and a request value R.
- The fixed host compares the token against the tokens of its open connections; on a match it computes R itself from the connection state and checks it against the request field before accepting the new address.
Security Issues
- Possible attacks: denial of service (DoS), and migrating a connection away from its original host (hijacking).
- Claim: TCP Migrate is either not vulnerable to these, or no more vulnerable than ordinary TCP.
Denial of Service
- SYN flooding: a migrate request is a SYN like any other, so the exposure is the same as ordinary TCP's.
- Guessing the token: even though the token is computed deterministically from the connection's initial state, a blind guess of a 64-bit value succeeds with probability 2^-64, i.e. about 2^63 attempts on average.
- Conclusion: no more vulnerable than regular TCP.
Connection Hijacking
- A Migrate request is matched by token alone; the source address and port of the SYN are ignored, so a duplicated (replayed) packet from a different address still matches the connection.
- Including a fresh Migrate-Permitted option from the mobile host, renegotiating the secret, shrinks the window in which a captured token is useful to an attacker.
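The Migrate-Permitted/Migrate exchange above and the hijacking slide both come down to how the fixed host keys its connection table and what it checks before re-pointing a connection. Below is an added example, not the paper's code (its exact hash construction is not reproduced), modelling a fixed host that indexes migrateable connections by token as well as by 4-tuple, a legitimate migration, and hijack attempts against the secure and insecure variants. Assumptions: the token is the first 64 bits of HMAC-SHA256 over the two initial sequence numbers keyed with the negotiated secret; the request R is HMAC-SHA256 over the token and the migrate SYN's ISN; `secrets.token_bytes` stands in for the ECDH-derived secret; an empty secret models the insecure version, where the token depends only on values visible on the wire. All addresses and sequence numbers are constructed sample values.

```python
"""Toy model of TCP Migrate token handling at the fixed host.

Added example, not code from the paper or the slides. Assumptions (the paper's
exact hash construction is not reproduced here):
  * token   = first 64 bits of HMAC-SHA256(secret, ISN_mobile || ISN_fixed)
  * request = first 64 bits of HMAC-SHA256(secret, token || ISN of migrate SYN)
  * secrets.token_bytes() stands in for the ECDH-derived shared secret of the
    secure Migrate-Permitted option; an empty secret models the insecure
    version, where the token depends only on values visible on the wire.
"""
import hashlib
import hmac
import secrets
import struct


def derive_token(secret: bytes, isn_mobile: int, isn_fixed: int) -> int:
    """64-bit connection token negotiated at connection setup."""
    mac = hmac.new(secret, struct.pack("!II", isn_mobile, isn_fixed), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def derive_request(secret: bytes, token: int, migrate_isn: int) -> int:
    """64-bit request value R carried beside the token in the Migrate option."""
    mac = hmac.new(secret, struct.pack("!QI", token, migrate_isn), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


class FixedHost:
    """Connection table indexed both by 4-tuple (normal TCP) and by token."""

    def __init__(self):
        self.by_tuple = {}   # (src_ip, src_port, dst_ip, dst_port) -> conn
        self.by_token = {}   # token -> conn

    def accept(self, four_tuple, isn_mobile, isn_fixed, secret):
        """Handshake completed with Migrate-Permitted: record the token."""
        token = derive_token(secret, isn_mobile, isn_fixed)
        conn = {"tuple": four_tuple, "secret": secret, "token": token}
        self.by_tuple[four_tuple] = conn
        self.by_token[token] = conn
        return token

    def migrate(self, new_tuple, token, request, migrate_isn):
        """Handle a SYN carrying the Migrate option from a (possibly) new address.

        The lookup deliberately ignores the SYN's source address and port and
        matches on the token alone; only the request value R, which needs the
        shared secret, stops a third party from claiming the connection.
        """
        conn = self.by_token.get(token)
        if conn is None:
            return False
        expected = derive_request(conn["secret"], token, migrate_isn)
        if not hmac.compare_digest(expected.to_bytes(8, "big"), request.to_bytes(8, "big")):
            return False
        del self.by_tuple[conn["tuple"]]      # old 4-tuple no longer reaches the connection
        conn["tuple"] = new_tuple
        self.by_tuple[new_tuple] = conn
        return True


def run_demo():
    """Legitimate migration, then hijack attempts against secure and insecure setups."""
    fixed = FixedHost()
    home = ("10.0.0.5", 40000, "192.0.2.10", 80)          # constructed sample addresses
    away = ("198.51.100.7", 50123, "192.0.2.10", 80)
    attacker = ("203.0.113.9", 6666, "192.0.2.10", 80)
    isn_mobile, isn_fixed = 0x1234ABCD, 0x9ABC0001

    # Secure Migrate-Permitted: both sides hold a secret the network never sees.
    secret = secrets.token_bytes(16)
    token = fixed.accept(home, isn_mobile, isn_fixed, secret)
    migrate_isn = 0x5555AAAA
    migrated = fixed.migrate(away, token, derive_request(secret, token, migrate_isn), migrate_isn)

    # Attacker sniffed the token but has to guess the secret to forge R.
    hijacked_secure = fixed.migrate(attacker, token, derive_request(b"guess", token, 1), 1)

    # Insecure Migrate-Permitted: everything needed to compute R is on the wire.
    insecure = FixedHost()
    t2 = insecure.accept(home, isn_mobile, isn_fixed, b"")
    hijacked_insecure = insecure.migrate(attacker, t2, derive_request(b"", t2, 1), 1)

    return {
        "migrated": migrated,
        "old_tuple_gone": home not in fixed.by_tuple,
        "reachable_at_new_tuple": fixed.by_tuple.get(away, {}).get("token") == token,
        "hijacked_secure": hijacked_secure,
        "hijacked_insecure": hijacked_insecure,
    }


if __name__ == "__main__":
    print(run_demo())
```

The 2^63 figure from the DoS slide is just the size of the token space in this model: an attacker with no token must guess a 64-bit value, while an attacker who has sniffed one still fails in the secure variant because R depends on the secret.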
Experiments
- Network topology for the migration experiments (figure, not reproduced)
Results
- Migration over an open network (sequence trace figure, not reproduced)
- Migration using SACK (sequence trace figure, not reproduced)
Deployment Issues
- Simultaneous movement of both endpoints
- Address caching
- Proxies and NATs
- Non-transactional UDP applications
- Host disconnectivity
Questions?