
Dealing with Mobility -- Mobile IP

References
- J. Kurose and K. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, 2nd edition.
- C. Perkins and A. Myles, "Mobile IP." Technical report.
- Alex C. Snoeren and Hari Balakrishnan, "An End-to-End Approach to Host Mobility." Proc. 6th ACM MOBICOM, August 2000.

Network protocol stack
- application: supporting network applications
  - FTP, SMTP, HTTP
- transport: host-host data transfer
  - TCP, UDP
- network: routing of datagrams from source to destination
  - IP, routing protocols
- link: data transfer between neighboring network elements
  - PPP, Ethernet
- physical: bits "on the wire"

What is mobility?
- spectrum of mobility, from the network perspective, from no mobility to high mobility:
  - mobile user, using same access point
  - mobile user, connecting/disconnecting from network using DHCP
  - mobile user, passing through multiple access points while maintaining ongoing connections (like cell phone)

Accommodating Mobility
- A user might want to turn off an office laptop, bring the laptop home, power up and work from home. The user is primarily interested in , web browsing.
- Not an issue: DHCP provides this functionality.
- DHCP only allows for a limited form of mobility, since the device can't keep networked applications running while moving between points of attachment.
- In fact, DHCP requires the rebooting of the mobile device.

Accommodating Mobility
- If you want to maintain an uninterrupted TCP connection to a remote application while zipping along the autobahn, it would be convenient to maintain the same IP address.
  - Remember that an Internet application needs to know the IP address and port number of the remote entity with which it is communicating.
- Mobility should be invisible from the application's viewpoint.

Mobility: Vocabulary
- home network: permanent "home" of mobile (e.g., /24)
- permanent address (PA): address in home network, can always be used to reach mobile (e.g., )
- home agent (HA): entity that will perform mobility functions on behalf of mobile, when mobile is remote

Mobility: more vocabulary
- visited network: network in which mobile currently resides (e.g., /24)
- care-of address (CoA): address in visited network (e.g., 79, )
- permanent address: remains constant (e.g., )
- foreign agent (FA): entity in visited network that performs mobility functions on behalf of mobile
- correspondent node (CN): wants to communicate with mobile

I wonder where Alice moved to? Consider a friend who frequently changes addresses: how do you find her?

Mobility at Which Layer
- Where can you manage mobility?
  - Application
  - Transport
  - Network
  - Data-link
- Mobile IP: an extension to the current IP architecture
  - To manage mobility at the IP layer
  - To hide mobility from the upper layers
- Alternatively, we can also look at the transport layer.

Mobility approaches
- Let routing handle it: routers advertise the permanent address of mobile-nodes-in-residence via the usual routing table exchange.
  - Routing tables indicate where each mobile is located
  - No changes to end-systems
  - Scalability is a problem
  - The routers potentially would have to maintain forwarding table entries for millions of mobile nodes.

Mobility approaches
- Let end-systems handle it:
  - indirect routing: communication from correspondent to mobile goes through home agent, then is forwarded to the remote
  - direct routing: correspondent gets foreign address of mobile, sends directly to mobile node

Mobility: registration
- End result:
  - Foreign agent knows about mobile
  - Home agent knows location of mobile
- (figure: home network, wide area network, visited network)
  1. mobile contacts foreign agent on entering visited network
  2. foreign agent contacts home agent: "this mobile is resident in my network"

Mobility via Indirect Routing (figure: home network, wide area network, visited network)
1. correspondent addresses packets using home address of mobile
2. home agent intercepts packets, forwards to foreign agent
3. foreign agent receives packets, forwards to mobile
4. mobile replies directly to correspondent

Indirect Routing: comments
- Mobile uses two addresses:
  - permanent address: used by correspondent (hence mobile location is transparent to correspondent)
  - care-of address: used by home agent to forward datagrams to mobile
- Routing is based on tunneling
- Triangle routing: correspondent-home-network-mobile
  - inefficient when correspondent, mobile are in same network

Forwarding datagrams to remote mobile (figure; the example permanent and care-of addresses did not survive extraction)
- packet sent by correspondent: dest = permanent address
- packet sent by home agent to foreign agent: a packet within a packet; outer dest = care-of address, inner dest = permanent address
- foreign-agent-to-mobile packet: dest = permanent address

Indirect Routing: moving between networks
- Suppose mobile user moves to another network
  - Registers with new foreign agent
  - New foreign agent registers with home agent
  - Home agent updates care-of address for mobile
  - Packets continue to be forwarded to mobile (but with new care-of address)
- Mobility, changing foreign networks transparent: ongoing connections can be maintained!
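The "packet within a packet" of the forwarding slide and the care-of address update of the moving slide, worked in code. This is an added example, not code from the slides or from any Mobile IP implementation: a minimal IPv4 header builder/parser with checksum, a home agent that tunnels a correspondent's datagram to the current care-of address with IP-in-IP (protocol 4, RFC 2003, the default Mobile IP encapsulation), and the foreign agent's decapsulation step. All addresses are constructed from the RFC 5737 documentation ranges; the class and function names are assumptions.

```python
import socket
import struct

IPPROTO_IPIP = 4                 # IP-in-IP (RFC 2003): Mobile IP's default tunnel encapsulation
IPV4_HDR_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options

# Constructed example addresses (RFC 5737 documentation ranges, not from the slides)
CORRESPONDENT = "203.0.113.7"
PERMANENT = "192.0.2.50"         # the mobile's address on its home network
HOME_AGENT = "192.0.2.1"
COA_FIRST = "198.51.100.9"       # foreign agent in the first visited network
COA_SECOND = "198.51.100.77"     # foreign agent after moving to a second visited network


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 for a header whose checksum field is already right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 datagram (20-byte header, no options) around payload."""
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in checksum
    return hdr + payload


def parse_ipv4(datagram: bytes) -> dict:
    """Parse the header, verify its checksum, and split off the payload."""
    ihl = (datagram[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR_FMT, datagram[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": datagram[ihl:total_len]}


class HomeAgent:
    """Binding table (permanent address -> care-of address) plus the tunnelling step."""

    def __init__(self, address: str):
        self.address = address
        self.bindings = {}

    def register(self, permanent_addr: str, care_of_addr: str) -> None:
        # A (re)registration from a new foreign agent simply replaces the care-of address.
        self.bindings[permanent_addr] = care_of_addr

    def forward(self, datagram: bytes) -> bytes:
        """Intercept a datagram addressed to a mobile's permanent address and wrap it
        in an outer header addressed to the mobile's current care-of address."""
        inner = parse_ipv4(datagram)
        coa = self.bindings.get(inner["dst"])
        if coa is None:
            raise LookupError("no binding for %s" % inner["dst"])
        return build_ipv4(self.address, coa, IPPROTO_IPIP, datagram)


def foreign_agent_decapsulate(tunnelled: bytes, care_of_addr: str) -> bytes:
    """Foreign agent end of the tunnel: strip the outer header and hand the original
    datagram (still addressed to the permanent address) to the mobile."""
    outer = parse_ipv4(tunnelled)
    if outer["dst"] != care_of_addr or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet for this care-of address")
    return outer["payload"]


def demo():
    """Correspondent -> home agent -> first foreign agent, then the mobile moves."""
    ha = HomeAgent(HOME_AGENT)
    ha.register(PERMANENT, COA_FIRST)
    original = build_ipv4(CORRESPONDENT, PERMANENT, 17, b"hello mobile")  # 17 = UDP
    tunnelled = ha.forward(original)
    delivered = foreign_agent_decapsulate(tunnelled, COA_FIRST)
    ha.register(PERMANENT, COA_SECOND)       # new FA registered with the HA
    moved = ha.forward(original)             # same inner packet, new outer destination
    return tunnelled, delivered, moved


if __name__ == "__main__":
    t, d, m = demo()
    print(parse_ipv4(t)["dst"], parse_ipv4(d)["dst"], parse_ipv4(m)["dst"])
```

The correspondent's datagram is never rewritten: only the outer header changes when the binding changes, which is why the correspondent and the application above it see no difference after a move.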

Mobility via Direct Routing (figure: home network, wide area network, visited network)
1. correspondent requests, receives foreign address of mobile
2. correspondent forwards to foreign agent
3. foreign agent receives packets, forwards to mobile
4. mobile replies directly to correspondent

Mobility via Direct Routing: comments
- Overcomes the triangle routing problem
- Non-transparent to correspondent: correspondent must get care-of address from home agent
  - What happens if mobile changes networks?
  - What about security? This approach is not considered secure enough by the IETF.

Mobile IP
- RFC 3220
- Has many features we've seen:
  - home agents, foreign agents, foreign-agent registration, care-of addresses, encapsulation (packet-within-a-packet)
- Three components to standard:
  - agent discovery
  - registration with home agent
  - indirect routing of datagrams

Mobile IP: Agent Discovery
- Agent advertisement: foreign/home agents advertise service by broadcasting ICMP messages
  - R bit: registration required
  - H, F bits: home and/or foreign agent

Functions of Agent Advertisement
- Allow for the detection of mobility agents
- Let the mobile node know whether the agent is a home or foreign agent
- List one or more available care-of addresses
- Inform the MN about special features provided by the FA
  - Example: alternative encapsulation techniques (e.g., IP packet within IP packet, minimal encapsulation)
- The MN compares the network portion of the agent's IP address with the network portion of its home address. If the network portions do not match, then the MN is on a foreign network.

Mobile IP: Registration example

Mobile IP: Registration
- The registration process involves 4 steps:
  - The MN requests the forwarding service by sending a registration request to the foreign agent that the mobile node wants to use.
  - The FA relays this request to the mobile node's home agent.
  - The HA either accepts or denies the request and sends a registration reply to the FA.
  - The FA relays this reply to the MN.

Mobile IP: Registration
- Registration fields include:
  - Lifetime: the number of seconds before the registration is considered expired. A value of 0 is a request for deregistration.
  - Home address: the home IP address of the mobile node.
  - Home agent: the IP address of the mobile node's home agent.
  - Care-of address: the home agent should forward IP datagrams that it receives with the MN's home address to this destination address.
  - Identification: generated by the MN; used for matching registration requests to registration replies (for security). Should be unique for each registration request.

Mobile IP: Registration
- The registration reply message includes the following fields:
  - Home address: the home IP address of the mobile node.
  - Home agent: the IP address of the MN's home agent.
  - Identification: used for matching registration requests to registration replies.

Mobile IP: Securing Registration
- Mobile IP is designed to resist two types of attacks:
  - A node may pretend to be an FA and send a registration request to a home agent so as to divert traffic intended for an MN to itself.
  - A node may replay old registration messages, effectively cutting the MN off from the network.

Mobile IP: Securing Registration
- Each registration request and reply contains an authentication extension with the following fields:
  - Type: designates the type of authentication extension (mobile-home, mobile-foreign, foreign-home).
  - Length: 4 + the number of bytes in the authenticator.
  - Security parameter index (SPI): an index that identifies a security context between a pair of nodes. The security context is configured so that the two nodes share a secret key and parameters (e.g., the algorithm for computing the Authenticator field) relevant to this association.
  - Authenticator: a variable-length string calculated by computing an MD5 message digest over the shared secret key, the fixed-length portion, and all extensions without the Authenticator field.

Resisting Denial-of-Service Attack
- A Bad Guy generates a bogus Registration Request specifying his own IP address as the COA address for a mobile node. All packets sent by correspondent nodes would then be tunneled by the node's HA to the Bad Guy.
- The HA checks the authenticity of the received message by comparing the Authenticator value it computes with the Authenticator value received.

Resisting Replay Attacks
- A Bad Guy could obtain a copy of a valid Registration Request message, store it and then "replay" it at a later time, thereby registering a bogus COA address for the mobile node.
- To prevent that, the Identification field is generated in such a way as to allow the home agent to determine what the next value should be:
  - Timestamps
  - Pseudorandom numbers (at least 32 bits)
- If the Bad Guy uses the intercepted message, the Home Agent will recognize it as being out of date.
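The home agent's side of the registration slides above (fields, authentication extension, bogus-COA and replay resistance), as an added example that is not code from the slides or from any Mobile IP implementation. It builds a Registration Request with the fixed fields listed on the slides, appends a Mobile-Home Authentication Extension (Type, Length = 4 + authenticator bytes, SPI, Authenticator), and has the home agent recompute the authenticator before touching its binding table, then compare the Identification against the last one it accepted. Assumptions: the authenticator is HMAC-MD5 (the RFC 3344 default; the slides say only "MD5 over the shared secret and the message", and the original RFC 2002 used keyed MD5 in prefix+suffix mode), the extension type and reply code values are taken from RFC 3344 rather than the slides' RFC 3220, the Identification check is a simple "must increase" rule standing in for the timestamp-tolerance or nonce rules of the standard, and every address, SPI and key is constructed.

```python
import hashlib
import hmac
import socket
import struct

REG_REQUEST = 1             # Registration Request message type
MH_AUTH_EXT = 32            # Mobile-Home Authentication Extension type (RFC 3344 value)
AUTH_LEN = 16               # HMAC-MD5 authenticator length in bytes
FIXED_FMT = "!BBH4s4s4sQ"   # type, flags, lifetime, home addr, home agent, CoA, identification
FIXED_LEN = struct.calcsize(FIXED_FMT)   # 24 bytes
EXT_HDR_FMT = "!BBI"        # extension type, length, SPI
# Registration Reply codes (values from RFC 3344)
ACCEPTED = 0
FAILED_AUTH = 131           # mobile node failed authentication
IDENT_MISMATCH = 133        # registration Identification mismatch (stale or replayed)


def authenticator(key: bytes, protected: bytes) -> bytes:
    """Authenticator over the fixed portion plus the extension's own type/length/SPI.
    HMAC-MD5 is an assumption (RFC 3344 default); the slides only say 'MD5 over the
    shared secret and the message without the Authenticator field'."""
    return hmac.new(key, protected, hashlib.md5).digest()


def build_registration_request(home_addr, home_agent, coa, lifetime, identification, spi, key):
    fixed = struct.pack(FIXED_FMT, REG_REQUEST, 0, lifetime, socket.inet_aton(home_addr),
                        socket.inet_aton(home_agent), socket.inet_aton(coa), identification)
    ext_hdr = struct.pack(EXT_HDR_FMT, MH_AUTH_EXT, 4 + AUTH_LEN, spi)
    return fixed + ext_hdr + authenticator(key, fixed + ext_hdr)


class HomeAgent:
    def __init__(self, security_associations):
        self.sa = dict(security_associations)   # SPI -> shared secret (constructed; real HAs key by mobile too)
        self.bindings = {}       # home address -> care-of address
        self.last_ident = {}     # home address -> last accepted Identification

    def handle_request(self, msg: bytes) -> int:
        fixed, ext = msg[:FIXED_LEN], msg[FIXED_LEN:]
        msg_type, _, lifetime, home, _, coa, ident = struct.unpack(FIXED_FMT, fixed)
        if msg_type != REG_REQUEST or len(ext) < 6 + AUTH_LEN:
            return FAILED_AUTH
        ext_type, ext_len, spi = struct.unpack(EXT_HDR_FMT, ext[:6])
        key = self.sa.get(spi)
        if ext_type != MH_AUTH_EXT or ext_len != 4 + AUTH_LEN or key is None:
            return FAILED_AUTH
        # Bogus-COA defence: recompute the Authenticator and compare (constant time).
        expected = authenticator(key, fixed + ext[:6])
        if not hmac.compare_digest(expected, ext[6:6 + AUTH_LEN]):
            return FAILED_AUTH
        # Replay defence: a captured request carries an Identification already seen.
        home_addr = socket.inet_ntoa(home)
        if ident <= self.last_ident.get(home_addr, 0):
            return IDENT_MISMATCH
        self.last_ident[home_addr] = ident
        if lifetime == 0:
            self.bindings.pop(home_addr, None)          # lifetime 0 = deregistration
        else:
            self.bindings[home_addr] = socket.inet_ntoa(coa)
        return ACCEPTED


def demo():
    """A valid registration, the same bytes replayed, and a forged request without the key."""
    key = b"constructed-shared-secret"
    ha = HomeAgent({1000: key})
    good = build_registration_request("192.0.2.50", "192.0.2.1", "198.51.100.9",
                                      1800, 1_000_000, 1000, key)
    first = ha.handle_request(good)
    replayed = ha.handle_request(good)
    forged = build_registration_request("192.0.2.50", "192.0.2.1", "203.0.113.66",
                                        1800, 2_000_000, 1000, b"guessed-key")
    forged_result = ha.handle_request(forged)
    return first, replayed, forged_result, dict(ha.bindings)


if __name__ == "__main__":
    print(demo())   # (0, 133, 131, {'192.0.2.50': '198.51.100.9'})
```

The order of the checks matters for the denial-of-service case on the next slides: the authenticator is verified before the Identification or the binding table is consulted, so an unauthenticated request costs the home agent one HMAC and changes no state.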

Security Issues
- Can't deal with a Bad Guy sending a tremendous number of packets to a host, bringing the host's CPU to its knees.
- The current standard uses a similar approach for FA/HA authentication, but this is not required.
- Traffic between HA and MN can be eavesdropped on.
- Key distribution
- No data privacy
- Firewalls

Home Network
- Where can we put the home agent?
  - At the router?
  - As a separate server?
- At the router
  - What if there are multiple routers for the home network?
- As a separate server
  - How can it pick up a packet?

Foreign Network
- Where is the FA? (Router or separate server?)
- How can the FA deliver the packet [CN → MN] to the MN?
  - Normally, [CN → MN] would go straight to a router (because the MN is foreign)
- Is there adequate support at a foreign network?
  - What if there is no FA at the network you visit?
  - Co-located FA

Problems
- Routing inefficiencies
- Firewalls
  - Firewalls filter those packets whose source address is not part of the network; MNs fall into this category.
- Users' perceptions of reliability
  - Users expect failures; why bother?

Alternative to Mobile IP

Why an alternative?
- Mobile IP was designed under the principle that fixed Internet hosts and applications were to remain unmodified and only the underlying IP substrate should change.
- An alternative is to require no changes to the IP substrate. Instead, we should modify transport protocols and applications on the end hosts.
- This is not a hindrance; rather, it should make the scheme easy to deploy.
- The alternative discussed was developed by Snoeren and Balakrishnan (MIT).

Characteristics
- Similar to Mobile IP in that obtaining an IP address in a foreign domain is separated from locating and seamlessly communicating with mobile hosts.
- The use of DHCP can be assumed.
- No tunneling is required.
- DNS is used to provide a level of indirection between a host's current location and an invariant end-point identifier.

DNS Based Solution
- In Mobile IP, a host's home address is the invariant.
- Here the DNS name is the invariant, since a DNS name identifies a host and does not assume anything about the network attachment point to which it may currently be attached.
- When the mobile node changes its attachment point, it must detect this and change the hostname-to-address mapping in the DNS.

DNS based solution
- Detecting changes in an attachment point is similar to Mobile IP and is done through a daemon process.
- Changing the hostname-to-address mapping (A record) is done through the secure DNS update protocol.

DNS based solution
- DNS provides a mechanism by which name resolvers can cache name mappings for some period of time (specified in the TTL field of the A record). This can be avoided by setting the TTL field to zero.
- Not considered a problem by the authors, since name lookups for an uncached A record do not have to start from a root name server.
- What to do if the binding changes after the connection is established?

TCP Connection Migration
- A TCP connection is identified by its endpoint addresses and ports
  - Need an ID that is address independent
  - During initial connection establishment a token is determined. Now the connection is also identified by the token
  - The moving end can send a migrate SYN message to the other end with the connection ID and its new address
  - This message is not acked; the next message from the stationary end to the new address implicitly acks the migrate message

Migrate Architecture (figure, from Snoeren '00): DNS server, mobile host foo.bar.edu, correspondent host; location query (DNS lookup), connection initiation, location update (dynamic DNS update), connection migration from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy

TCP Connection Migration (from Snoeren '00)
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data) (Note typo in proceedings)

Race Conditions
- Occurs when a mobile host moves between when a corresponding host receives the result of its DNS query and when it initiates a TCP connection
- The failure of the corresponding host to open a connection to the mobile host will result in another DNS lookup.
- Both end points migrate at the same time
  - Solution assumes one fixed host

Security Issues
- Third party can change DNS mapping
  - Secure DNS needed
- Third party can move connection
  - Token prevents this
- Replay attack
  - Sequence number of request prevents this
- Denial of service
  - SYN flooding possible since token is known on all hosts on the route of the migrate message. This can be handled using a timeout period for a token.
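The stationary end of a migrate-enabled connection from the three slides above (token agreed at setup, migrate SYN carrying the token and new address, and the three defences: token, request sequence number, token timeout), as an added example. It is a simulation written for this page, not code from Snoeren and Balakrishnan's implementation, and it simplifies their design: the token is a random 64-bit value handed out at connection setup rather than a negotiated one, the "timeout period for a token" is measured from the token's last use, and the stationary end's reply is returned as a ("migrate_syn_ack", new address) tuple standing in for the next segment it sends to the new address. The clock hook, names and addresses are assumptions.

```python
import os
import time

TOKEN_LIFETIME = 300.0   # seconds a token stays usable after its last use (constructed value)


class Connection:
    """State the stationary end keeps for one migrate-enabled connection."""

    def __init__(self, token: bytes, peer: tuple, now: float):
        self.token = token              # address-independent connection ID
        self.peer = peer                # (addr, port) the peer is currently reachable at
        self.last_used_at = now
        self.last_migrate_seq = 0       # highest migrate request sequence number accepted


class StationaryEndpoint:
    """The fixed end of the connection (simulation; clock is injectable for testing)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.by_peer = {}     # (addr, port) -> Connection, used for ordinary segments
        self.by_token = {}    # token -> Connection, used for migrate SYNs

    def accept_connection(self, peer: tuple) -> bytes:
        """Initial SYN / SYN-ACK / ACK: agree on a token identifying the connection
        independently of addresses. Constructed: a random 64-bit token."""
        token = os.urandom(8)
        conn = Connection(token, peer, self.clock())
        self.by_peer[peer] = conn
        self.by_token[token] = conn
        return token

    def handle_migrate_syn(self, token: bytes, new_peer: tuple, seq: int) -> tuple:
        """Process a migrate SYN <token, seq> arriving from new_peer.
        Returns ("migrate_syn_ack", new_peer) on success, ("reject", reason) otherwise."""
        conn = self.by_token.get(token)
        if conn is None:
            # Third party cannot move a connection without the token.
            return ("reject", "unknown token")
        if self.clock() - conn.last_used_at > TOKEN_LIFETIME:
            # Timeout bounds how long a token seen on the path can be used to flood us.
            return ("reject", "token expired")
        if seq <= conn.last_migrate_seq:
            # A captured migrate SYN replayed later carries an old sequence number.
            return ("reject", "replayed or stale migrate request")
        conn.last_migrate_seq = seq
        conn.last_used_at = self.clock()
        del self.by_peer[conn.peer]
        conn.peer = new_peer
        self.by_peer[new_peer] = conn
        # The next segment to the new address implicitly acknowledges the migrate SYN.
        return ("migrate_syn_ack", new_peer)


def demo():
    """A legitimate move, a replay of it, a hijack attempt without the token, and a late move."""
    now = [1000.0]                                   # fake clock, constructed
    ep = StationaryEndpoint(clock=lambda: now[0])
    token = ep.accept_connection(("198.51.100.9", 40000))
    results = [
        ep.handle_migrate_syn(token, ("203.0.113.5", 40000), 1),          # legitimate
        ep.handle_migrate_syn(token, ("203.0.113.5", 40000), 1),          # replayed copy
        ep.handle_migrate_syn(os.urandom(8), ("192.0.2.99", 1), 2),       # no valid token
    ]
    now[0] += TOKEN_LIFETIME + 1
    results.append(ep.handle_migrate_syn(token, ("192.0.2.99", 2), 2))    # token timed out
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Looking the connection up by token rather than by source address is the whole point: the migrate SYN arrives from an address the stationary end has never seen, and the token plus a monotonically increasing request number is what lets it tell the real peer from a third party or a replay.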

Deployment Issues
- Problem: both peers cannot move simultaneously
- Problem: the system requires changes to the transport protocol