Presentation is loading. Please wait.

Presentation is loading. Please wait.

An End-to-End Approach to Host Mobility By, Alex C. Snoeren and Prof. Hari Balakrishnan MIT Laboratory for Computer Science Presented by, Parag Namjoshi.

Published byOpal Gibbs Modified over 9 years ago

Similar presentations

Presentation on theme: "An End-to-End Approach to Host Mobility By, Alex C. Snoeren and Prof. Hari Balakrishnan MIT Laboratory for Computer Science Presented by, Parag Namjoshi."— Presentation transcript:

1 An End-to-End Approach to Host Mobility By, Alex C. Snoeren and Prof. Hari Balakrishnan MIT Laboratory for Computer Science Presented by, Parag Namjoshi

2 A Moving Target Internet hosts are increasingly mobile  Changing physical media or attachment points often requires changing IP address Mobile hosts need to remain locatable  Packets are routed by IP address Preserve transport service model  Connection-oriented protocols provide reliable end-to-end connectivity

3 Schizophrenic IP addresses. IP addresses can be considered as being semantically equivalent to FQDNs. They are used to keep track of internal state in upper layers. (e.g. TCP, NFS) The Contradiction  On one hand, mobile host needs a stable IP address so that it can be identified (and reached) by other hosts.  On the other hand stable address implies stable routing; thus no mobility.

4 The competition… Mobility-aware routing (Mobile IP)  Completely transparent to end hosts  Requires a home agent  Often inefficient packet routes Endpoint ID (EID) schemes (Huitema)  Retains standard unicast routes, but…  Yet another level of indirection  Also requires changes to transport layer

5 Lets talk about the competition… Mobile IP  All traffic to a mobile host may travel via the home agent. The necessity of a home agent can be a significant burden.  Mobile IP requires that the home address continue to be allocated to the mobile host. If the available address space is small, such a restriction may make re-addressing prohibitive.  Ingress filtering may cause “reverse tunneling”.

6 The Migrate Approach Locate hosts through existing DNS  Secure, dynamic DNS is currently deployed and widely available (RFC 2137)  Maintains standard IP addressing model IP address are topological addresses, not Ids Fundamental to Internet scaling properties Ensure seamless connectivity through connection migration  Notify only the current set of correspondent hosts  Follows from the end-to-end argument

7 Migrate Architecture DNS Server Mobile Host foo.bar.edu Location Query (DNS Lookup) Connection Initiation Location Update (Dynamic DNS Update) Connection Migration xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy Correspondent Host

8 Migration Approach Join together two separate connections  By unifying the context space  Reference previous connection with token  Requires minimal transport state machine changes Preserve semantics, both internal and external to the connection  Implicit address assignment  Works with NATs, PEPs, all middle boxes

9 TCP connection migration Provide special Migrate option  Sent on SYN packets of new connection  Indicates new connection should be joined to a previous one Use previous sequence space  Works with SACK, FACK, Snoop… Preserve three-way SYN handshake  Works with statefull firewalls

10 TCP Connection Migration 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

11 TCP Connection Migration 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

12 TCP Connection Migration 1.Initial SYN 2.SYN/ACK 3.ACK (with data) 4.Normal data transfer 5.Migrate SYN 6.Migrate SYN/ACK 7.ACK (with data)

13 TCP State Machine Changes MIGRATE_WAIT 2MSL timeout recv: SYN (migrate T, R) send: SYN, ACK recv: RST appl: migrate send: SYN (migrate T, R) recv: SYN (migrate T, R) send: SYN, ACK 2 new transitions between existing states - and - 1 new state handles pathological race condition

14 Experimental Topology Fixed Basestation Fixed Server 100Mbps Ethernet Mobile Location 1 19.2Kbps Modem Mobile Location 2 19.2Kbps Modem …then moves to a new location Mobile client initiates a transfer…

15 Migration Trace SYN/ACK Buffered Packets (old address) Migrate SYN

16 A Lossy Trace with SACK SYN/ACK Migrate SYN Buffered Packets (old address) ACK w/SACK

17 Securing the Migration Problem: Increased vulnerability to hijacking  Ingress filtering doesn’t help  Attacker only needs token and sequence space Solution: Keep the token secret  Negotiate it using Diffie-Hellman exchange  Use sequence numbers to prevent replay Resulting connections are as secure as standard TCP (not very)  Use IPsec or SSH for real security

18 Preventing DoS Attacks Migrate SYNs are heavyweight  Require real computation (SHA-1 hash)  Thus Migrate SYN floods are more dangerous than standard SYN floods A pre-computable token guards against frivolous computation  Refreshing tokens after each successful migration makes replay window very small

19 Performance Implications Migration takes a round-trip time  No dependence on previous location or “home” location Congestion state is tricky  In general, restart from scratch (slow-start)  However, if paths are similar, could trigger fast retransmit (Cáceres & Iftode ’95)  Congestion state may be available elsewhere (Balakrishnan et al. ’99)

20 Limitations End hosts can’t move “simultaneously”  Relatively rare in non ad-hoc environments DNS caching  Today’s load-balancing techniques are pushing clients to be more agile Smooth handoffs not possible.

21 Benefits Exposes address changes to end hosts  Agile applications can adapt to changing conditions for better performance (Invoke end-to- end argument.)  Mobility per connection, not just per host Preserves IP addressing semantics  No changes to the routing infrastructure  No additional entities like home agent & foreign agent come into picture. (Invoke Occam’s razor.) Minimal penalty for mobility support  Obtain optimal unicast packet routing

22 Conclusion. The architecture is compatible with the current routing infrastructure. Does not add additional levels of indirection. Does not change TCP headers, instead using a new TCP option. End hosts are notified of the mobility, upper layers can use this knowledge. May even be deployed.May even be deployed.

23 Any questions ?

24 Migrate Options Kind Token Token (cont) Request Request (cont) LenReqNo ECDH Key Material (cont) KindLenCurveECDH ECDH Key Material (cont) Migrate-PermittedMigrate 8 bit curve domain specifier 136 (+64) bits of key material Request Number 64 bit pre-computed token SHA-1(N i,N j,Key) 64 bit signed request SHA-1(N i,N j,Key,S,ReqNo)

25 A Note on Key Strength 200 bits of Elliptic Curve Crypto is a lot  Cracking a 193 bit ECC key would take 8.52*10 14 MIPS years [Lenstra ’99]  Or 1.89*10 12 years on an Intel 450Mhz PII TCP hijacking with IP spoofing is easier TCP alone is inherently insecure  Real security requires end host authentication and strong session keys

Download ppt "An End-to-End Approach to Host Mobility By, Alex C. Snoeren and Prof. Hari Balakrishnan MIT Laboratory for Computer Science Presented by, Parag Namjoshi."

Similar presentations

Internet Indirection Infrastructure (i3 ) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Presented by:

Internet Indirection Infrastructure (i3 ) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Presented by:
Secure Mobile IP Communication

Secure Mobile IP Communication
Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.

Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.
An End-to-End Approach to Host Mobility Alex C. Snoeren and Hari Balakrishnan MIT Laboratory for Computer Science.

An End-to-End Approach to Host Mobility Alex C. Snoeren and Hari Balakrishnan MIT Laboratory for Computer Science.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Mobile IP Myungchul Kim Tel: 042-866-6127.

1 Mobile IP Myungchul Kim Tel:
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
ConnectionMigration 818L Network Centric Computing Spring 2002 Ishan Banerjee.

ConnectionMigration 818L Network Centric Computing Spring 2002 Ishan Banerjee.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
Mobility in the Internet Part II CS 444N, Spring 2002 Instructor: Mary Baker Computer Science Department Stanford University.

Mobility in the Internet Part II CS 444N, Spring 2002 Instructor: Mary Baker Computer Science Department Stanford University.
CS 268: Project Suggestions Ion Stoica February 6, 2003.

CS 268: Project Suggestions Ion Stoica February 6, 2003.
1 Link Layer & Network Layer Some slides are from lectures by Nick Mckeown, Ion Stoica, Frans Kaashoek, Hari Balakrishnan, and Sam Madden Prof. Dina Katabi.

1 Link Layer & Network Layer Some slides are from lectures by Nick Mckeown, Ion Stoica, Frans Kaashoek, Hari Balakrishnan, and Sam Madden Prof. Dina Katabi.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002.

Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002.

Similar presentations

Ads by Google