Published by Johnathan Cobb. Modified over 9 years ago.
Slide 1: CSCI 5273 Computer Networks. Mobile Internet Protocol: The Basics. Dirk Grunwald, Assoc. Professor, Dept. of Computer Science, University of Colorado, Boulder
Slide 2: References
• 2.1: C. Perkins and A. Myles, "Mobile IP," technical report.
• 2.2: B. Lancki, A. Dixit, V. Gupta, "Mobile-IP: Supporting Transparent Host Migration on the Internet," Linux Journal, June 1996.
• 2.3: D. Johnson and D. Maltz, "Protocols for Adaptive Wireless and Mobile Networking," IEEE Personal Communications, 3(1), February 1996.
• 2.4: C. Perkins and D. Johnson, "Mobility Support in IPv6," Proceedings of the Second Annual International Conference on Mobile Computing and Networking (MobiCom '96), November 1996.
• 2.5: M. Baker, X. Zhao, S. Cheshire, J. Stone (Stanford University), "Supporting Mobility in MosquitoNet," USENIX Winter 1996.
Slide 3: Mobile IP Basics
• The problem
  - Mobility vs. portability
• Proposed solution
  - Terminology
  - Registration & maintenance
  - Tunnels
  - Security
Slide 4: Basic Goal of Portable Networking
[Figure: a node attached through a wireless router to the Internet]
Slide 5: Important Problems in Portable Networking
• Wireless media have different properties than wired media
  - Packet loss may not indicate contention
• IEEE 802.11 is the "wireless Ethernet" standard
  - 1 & 11 Mb/s
• HomeRF (www.homerf.org) is designed for home networking
• Bluetooth (www.bluetooth.org) is designed as a "cable replacement"
Slide 6: Some Solutions in Portable/Wireless Networking
• 802.11 implementations use MAC addresses and "SSIDs" to identify nodes and networks
• A hand-off protocol transfers control from one base station to another
• This provides "MAC (L2) layer mobility"
• Mobile IP provides network-layer mobility
Slide 7: Node Mobility in Mobile Networking
[Figure: a node moving between a wireless router and a wired router, both attached to the Internet]
Slide 8: Router Mobility (e.g. Airplane Network)
[Figure: a wireless router moving between two wired routers attached to the Internet, with its own wireless router behind it]
Slide 9: What are the problems?
• Nodes in the Internet are identified by a specified IP address
  - Routing is performed using that same IP address
• Some alternatives
  - The node must change its IP address whenever it changes its point of attachment: this requires upper-level protocols to handle address changes
  - Host-specific routes must be propagated through the network: this requires significant routing tables & doesn't scale well
  - Use another level of indirection...
Slide 10: Mobile IP Design Goals
• A mobile node must be able to communicate with other nodes after changing its link-layer attachment, yet without changing its IP address
• A mobile node must be able to communicate with other nodes that do not implement Mobile IP
• Mobile IP must use authentication to offer security against redirection attacks
• The number of administrative messages should be small to save bandwidth & power
• Mobile IP must impose no additional constraints on the assignment of IP addresses
Slide 11: Terminology
• Mobile node: a host or router that changes its point of attachment from one network or subnetwork to another. A mobile node may change its location without changing its IP address. It may continue to communicate with other Internet nodes at any location using its (constant) IP address
• Home agent: a router on a mobile node's home network that tunnels datagrams to the mobile node when it is away from home
• Foreign agent: a router on a mobile node's visited network that provides routing services to the mobile node while registered
Slide 12: Terminology
• The mobile node is assigned a "care-of address" on the foreign network. This address is used to deliver the datagrams for the mobile node.
  - This can either be the address of the foreign agent (e.g. a router)
  - Or it can be "co-located" with the mobile node
Slide 13: Terminology
[Figure: the Internet connecting Home Network A, with its Home Agent (HA), and Visited Network A, with its Foreign Agent (FA)]
Slides 14-18: Solution in a Nutshell
[Figure sequence: a Source on the Internet, Home Network A with its Home Agent (HA), Visited Network A with its Foreign Agent (FA), and the Tunnel from HA to FA added step by step]
Slide 19: More Abstractly
[Figure: HA, FA, Node, Source]
Slide 20: Protocol Overview
• Advertisement
  - Mobility agents (foreign agents and home agents) should advertise their services
  - A mobile node can solicit for mobility agents
• Registration: when a mobile node is away from home, it must register its care-of address with its home agent
• Delivering datagrams
  - Datagrams must be forwarded by the home agent to the foreign agent for delivery to the care-of address.
  - The delivery mechanism must handle all packets (including broadcast and multicast)
  - A tunnel is used for this
Slide 21: Advertisement & Solicitation
• The ICMP router discovery protocol was adapted for advertisement and solicitation
• Routers broadcast or multicast every few seconds
  - Uses the limited broadcast address (255.255.255.255) or the all-systems-on-this-link multicast address (224.0.0.1)
• Mobile nodes also send out solicitation messages, which cause a router to broadcast or multicast its advertisement
Slide 22: Registration
• Request forwarding services when visiting a foreign network
  - This allocates a local (foreign) node address
• Inform the home agent of the current care-of address
  - This creates a binding of the foreign node address to the home address
• Renew a binding that's about to expire
  - Bindings have lifetimes
• De-register when returning home
Slide 23: Registration and Security
• The home node and the mobile node have conducted some form of prior key exchange
  - This defines a "secret" between the two nodes
  - The authentication mechanism must defend against replay attacks
• The mobile node uses the keys to authenticate the redirection request
  - This is not the same as encrypting the communication channel
Slide 24: Replay Attacks & Signatures
• A replay attack occurs when a third party can capture your packets and then "replay" them, fooling you into thinking they are correctly authenticated.
  - E.g., sending an encrypted password over a network leaves you open to a replay attack. Note that the attack didn't decrypt anything.
• Two methods are used
  - Timestamps: the sender includes a timestamp, and the receiver must find that the timestamp is close to its local time.
  - Nonces: each message from A -> B includes a new random number. When B replies to A, it must include that same random number. Likewise, each B -> A message includes a new random number generated by B and echoed by A.
Slide 25: MD5 & Secure Hashes
• A secure hash function is a one-way encoding of a document to a particular hash value.
• Knowing the hash value provides no information about the document, but you can repeatedly generate the hash value from the document
• Probability of collision should be small
  - MD5 (128-bit hash value)
  - SHA-1
  - RIPEMD-160
[Figure: doc1 and doc2 each mapped through MD5 to hash1 and hash2]
Slide 26: Public Key Cryptography
• Public key cryptography is a way of "signing" an encoding (M) using a private or secret key (sk), yielding a modified document (M') that can be decoded using a public key (pk).
• The public key can decrypt messages encrypted using the secret key
• The secret key can decrypt messages encrypted using the public key
[Figure: gen produces sk and pk; crypt(M, sk) yields M'; decrypt(M', pk) recovers M]
Slide 27: Digital Signatures
• A digital signature is an electronic way of "signing" a document such that
  - Both you and the sender agree that only the sender could send the document
  - Both you and the sender agree the contents haven't been modified
• Notice that the message doesn't need to be encrypted
[Figure: the sender computes MD5 of the message, encrypts the digest (smd5) and sends message + smd5; the receiver decrypts smd5, recomputes MD5 of the message and compares the two]
Slide 28: Authenticating Registration in Mobile IP Uses Private-Key Cryptography
[Figure: HA and A first perform a key exchange; the sender appends the shared key to the datagram, computes MD5 over datagram + key, and sends datagram + md5 over IP; the receiver recomputes MD5 over the datagram and its own copy of the key and compares]
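The keyed-hash check of slides 23, 24 and 28 carried through in code, as an added example that is not part of the lecture: a constructed, simplified registration request carrying a 64-bit Identification field is authenticated with prefix+suffix keyed MD5 over a shared secret, and the home agent rejects tampered requests as well as replays of an Identification it has already accepted or that is outside its clock window. The message layout, the secret, the replay window and the addresses are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed shared secret between mobile node and home agent (not a real key).
SHARED_SECRET = b"example-mobility-security-association"
REPLAY_WINDOW_SECONDS = 7  # constructed tolerance for clock skew between the two

def keyed_md5(secret: bytes, data: bytes) -> bytes:
    # Prefix+suffix keyed MD5 as in the slide's diagram: MD5(key || datagram || key).
    # Kept for fidelity to the lecture; a modern deployment would use HMAC-SHA-256.
    return hashlib.md5(secret + data + secret).digest()

def build_request(home_addr: str, care_of: str, identification: int) -> bytes:
    """Simplified registration request: home address, care-of address, 64-bit
    Identification (here a timestamp in seconds), then a 16-byte authenticator."""
    body = struct.pack("!4s4sQ",
                       ipaddress.IPv4Address(home_addr).packed,
                       ipaddress.IPv4Address(care_of).packed,
                       identification)
    return body + keyed_md5(SHARED_SECRET, body)

def verify_request(packet: bytes, seen_ids: set, now: int) -> tuple:
    """Home agent side: the authenticator must match (so the care-of address was
    not altered in flight) and the Identification must be fresh, i.e. within the
    replay window of local time and not accepted before, so a captured request
    cannot be replayed later to re-bind the home address to a stale care-of address."""
    body, tag = packet[:16], packet[16:]
    if len(tag) != 16 or not hmac.compare_digest(tag, keyed_md5(SHARED_SECRET, body)):
        return False, "bad authenticator"
    home, care_of, ident = struct.unpack("!4s4sQ", body)
    if abs(now - ident) > REPLAY_WINDOW_SECONDS:
        return False, "identification outside replay window"
    if ident in seen_ids:
        return False, "identification already used"
    seen_ids.add(ident)  # record only after both checks passed
    return True, f"bind {ipaddress.IPv4Address(home)} -> {ipaddress.IPv4Address(care_of)}"
```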
Slide 29: Diffie-Hellman Public Key Exchange
• Public key cryptosystem that allows two parties to establish a shared secret key, such that the secret key cannot be determined by other parties overhearing the public message exchange.
  - Two public numbers known by both parties, but not kept secret: a prime (p) and a generator (g)
  - Each side chooses a private random number (x)
  - Computes c = g^x, and then computes & sends "c mod p"
  - Each party then computes the same shared secret key using its own private random number x and p.
  - The secret is "c^y mod p" where y is the party's own private random number
  - Since g^(xy) = g^(yx), both know a specific value, and knowing "c mod p" doesn't let you determine g^(xy)
Slide 30: Diffie-Hellman
• Once you have established the shared key, you can use digital signature mechanisms to authenticate future communication between the parties
• The entire process is anonymous
• Subject to a "man in the middle" attack
[Figure: exchange between the mobile node and the FA]
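The exchange of slide 29 carried out in code, as an added example that is not from the lecture, with small constructed parameters (p = 23, g = 5) so the arithmetic can be followed by hand; the pairing of mobile node and foreign agent follows slide 30. Nothing that crosses the link identifies either party, which is why the slide calls the process anonymous.

```python
import secrets

# Constructed public parameters, small enough to check by hand; a real exchange uses
# a prime of 2048 bits or more (or an elliptic-curve group), or the secret is trivial
# to recover by trial.
P = 23  # public prime p
G = 5   # public generator g

def private_value(p: int = P) -> int:
    # Each side picks its own private random number, never sent anywhere.
    return 2 + secrets.randbelow(p - 3)

def public_value(x: int, g: int = G, p: int = P) -> int:
    # "c mod p" with c = g^x: the only thing that crosses the (overheard) link.
    return pow(g, x, p)

def shared_secret(their_public: int, x: int, p: int = P) -> int:
    # (g^y)^x mod p == (g^x)^y mod p, so both sides compute the same key.
    return pow(their_public, x, p)

def exchange(mobile_x: int, fa_y: int) -> tuple:
    """Run one exchange between the mobile node (private x) and a foreign agent
    (private y). Returns (mobile's key, FA's key, what an eavesdropper saw)."""
    mobile_pub = public_value(mobile_x)
    fa_pub = public_value(fa_y)
    overheard = (P, G, mobile_pub, fa_pub)  # no private value and no identity in here
    return shared_secret(fa_pub, mobile_x), shared_secret(mobile_pub, fa_y), overheard
```

Because the overheard tuple carries no proof of who sent which public value, a party that relays and substitutes both values can hold one key with each side, which is the man-in-the-middle case slide 30 names and the reason slide 30 pairs the exchange with signatures afterwards.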
Slide 31: Authentication in Mobile IP
• You need to use signatures for timestamp-based methods because the encoded value used to defeat replay attacks (time) is easily predictable
• Nonce-based systems are based on pseudo-random number sequences. As long as the sequence is not predictable (i.e. it's heavily influenced by the private key), then you may not need to authenticate it
  - This is the level of authentication provided by DSS / frequency hopping
Slide 32: Delivering Datagrams
• Once a mobile agent has registered a care-of address, datagrams must be delivered to that address.
• Many options to get messages there...
  - Have the source redirect messages
  - Use forwarding with loose source routing
  - Use forward tunnels
• And other options to get messages back...
  - Have the node directly contact the source with a spoofed header
  - Use reverse tunnels
[Figure: HA, FA, Node, Source]
Slide 33: Tunneling Basics
[Figure: HA, FA, Node, Source]
Slide 34: Tunneling
• IP-in-IP encapsulation
• Minimal encapsulation
• GRE: Generic Routing Encapsulation
• PPTP: Point-to-Point Tunneling Protocol [RFC2637]
• L2TP: Layer 2 Tunneling Protocol [RFC2661]
Slides 35-36: IP in IP / IP-in-IP Encapsulation
[Figure: an outer IP header (plus options) is prepended to the inner IP header and datagram; the outer header's addresses are the tunnel endpoints]
Slide 37: IP in IP
• The outer IP header source & destination addresses identify the tunnel endpoints (i.e., HA & FA).
• The outer protocol is '4' (IP protocol)
• The inner IP header source and destination addresses identify the original sender & recipient
  - Not changed by the encapsulator, except to change the TTL
• Other headers for authentication might be added to the outer header.
• Some outer IP header fields are copied from the inner IP fields (TOS); most are re-computed (checksum, length) based on the new datagram
Slide 38: Minimal Encapsulation
[Figure: outer IP header, minimal header, datagram; the outer header's destination is the tunnel exit and the minimal header carries the original destination IP address]
Slide 39: Minimal Encapsulation
• We can save some space by recognizing that much of the inner header can be derived from the outer header
  - Copy the inner header
  - Modify the protocol field to be 55, the minimal encapsulation protocol
  - Replace the destination address with the tunnel exit
  - If the encapsulator isn't the originator of the message, replace the source address with the address of the encapsulator
  - Increment the total length by the size of the additional header (either 12 or 8 octets)
  - Recompute the checksum
Slide 40: Minimal Encapsulation Header
[Figure: fields Protocol, Resv, S, Header Checksum, Original Destination Address, Original Source Address; the S bit specifies whether the source address is provided]
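The two encapsulations of slides 37 and 39-40 applied to one constructed datagram, as an added example that is not the lecture's or any RFC's reference code: IP-in-IP prepends a protocol-4 outer header and decrements the inner TTL, while minimal encapsulation rewrites the header to protocol 55, the tunnel exit and an 8- or 12-octet minimal header. The field order of the minimal header follows RFC 2004; all addresses and the payload are made up.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4        # outer protocol number for IP-in-IP (slide 37)
IPPROTO_MIN_ENCAP = 55  # protocol number for minimal encapsulation (slide 39)
A = lambda s: ipaddress.IPv4Address(s).packed  # dotted quad -> 4 bytes

def checksum(data: bytes) -> int:
    # One's-complement sum of 16-bit words; a header with a valid checksum sums to 0.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(tos: int, total_len: int, ttl: int, proto: int, src: bytes, dst: bytes) -> bytes:
    # 20-byte header without options; the checksum is filled in once the rest is known.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def decrement_ttl(hdr: bytes) -> bytes:
    # The encapsulator's only change to the inner header: TTL down by one, checksum redone.
    if hdr[8] <= 1:
        raise ValueError("inner TTL expired: discard rather than tunnel")
    h = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:]

def ip_in_ip(inner: bytes, entry: bytes, exit_: bytes) -> bytes:
    """Slide 37: a new outer header addressed to the tunnel endpoints (HA -> FA),
    protocol 4, TOS copied from the inner header, length and checksum recomputed."""
    inner = decrement_ttl(inner[:20]) + inner[20:]
    return ipv4_header(inner[1], 20 + len(inner), 64, IPPROTO_IPIP, entry, exit_) + inner

def minimal_encap(inner: bytes, encapsulator: bytes, exit_: bytes) -> bytes:
    """Slides 39-40: rewrite the inner header instead of adding a second one. Protocol
    becomes 55, destination becomes the tunnel exit, and an 8-octet minimal header (12
    with the S bit set, when the encapsulator is not the source) carries the originals."""
    total_len = struct.unpack("!H", inner[2:4])[0]
    orig_src, orig_dst, payload = inner[12:16], inner[16:20], inner[20:]
    s_bit = 0x80 if orig_src != encapsulator else 0
    mh = struct.pack("!BBH4s", inner[9], s_bit, 0, orig_dst) + (orig_src if s_bit else b"")
    mh = mh[:2] + struct.pack("!H", checksum(mh)) + mh[4:]  # field order as in RFC 2004
    outer = ipv4_header(inner[1], total_len + len(mh), inner[8], IPPROTO_MIN_ENCAP, encapsulator, exit_)
    return outer + mh + payload

# Constructed sample (all addresses made up): a correspondent sends to the mobile node's home address.
SRC, HOME, HA, FA = A("161.145.65.58"), A("128.138.241.10"), A("128.138.241.1"), A("10.0.0.1")
SAMPLE_INNER = ipv4_header(0x10, 31, 64, 17, SRC, HOME) + b"constructed"
```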
Slide 41: GRE
• Generic Routing Encapsulation (RFC2784)
  - Implemented in e.g. Linux, Cisco routers, etc.
• Generalized IP format that can route any protocol over IP
  - Multiple source routes specified by source route records
• Formats specified for IP, AppleTalk, IPX, etc.
  - Also used for Ethernet bridging
Slide 42: Handling Broadcast & Multicast
• The HA should forward everything (but not ARP packets)
• Broadcast packets are either sent directly to co-located nodes or "double encapsulated"
• Mobile nodes can join multicast routes on the foreign network
  - But this doesn't handle link-level or administratively scoped multicast
• Or the mobile node can set up a "bi-directional tunnel" with the HA
[Figure: double encapsulation: IP header with destination = care-of address, IP header with destination = mobile node, datagram]
Slide 43: Lastly, ARP
• When a mobile node is on a foreign net, its HA uses proxy ARP to get any messages directed to it
  - When a mobile node leaves home, the HA uses gratuitous ARP to update all ARP tables on the subnet
  - When a mobile node returns home, it uses gratuitous ARP to recapture its messages
• When a mobile node is away from home, it can't transmit any broadcast ARP or ARP reply messages
• This means that even "local" traffic destined for the mobile node on the foreign network goes to the HA, then the FA, and then the mobile node!
Slide 44: The Need for Reverse Tunnels
[Figure: HA, FA, Node and Source, with addresses 128.138.241.10 and 161.145.65.58; the caption reads "Ingress filtering discards datagrams that appear to originate from outside the domain", and the node's packets still carry source 128.138.241.10]
Slides 45-46: Reverse Tunnel in Action / Alternate Reverse Tunnel
[Figures: HA, FA, Node, Source, with the return path tunneled from the FA back to the HA]
Slide 47: Route Optimization
• Obviously, all this indirection has a performance penalty
  - Solution: remove that indirection!
• Route optimization tackles three areas
  - Supply a binding update to a correspondent node that needs one (and has a chance of processing it correctly)
  - Provide a way to create the authentication so that the recipient of a binding update can believe it
  - Allow the mobile node and foreign agent to create a registration key for later use in making a smooth transition to a new point of attachment.
Slides 48-49: Route Optimization
[Figure: HA, FA, Node, Source, with numbered steps 1, 2, 3, 5 and a Binding Update sent to the Source]
Slide 50: Foreign Agent Smooth Handoff
• When a mobile node moves & registers with a new foreign agent, the base Mobile IP protocol does not notify the previous FA.
  - New messages are tunneled to the new care-of address
  - In-flight datagrams are lost & upper layers (e.g. TCP) should handle that
• As part of registration, the mobile node can have the new FA contact the previous FA
  - The new FA builds a binding update message with a "forwarding pointer" to the node's new location
• The new FA and the mobile node need a shared secret, the registration key, used to authenticate the notification sent to the previous foreign agent
Slide 51: Registration Keys
• Need a way for an anonymous foreign agent to establish a registration key with the mobile node
  - Use the mobility "security association" they share, if it exists or can be established
  - Use the mobile node's public key, if it exists
  - Use the FA's public key, if it exists, to enable the HA to create public keys for both entities (transitive trust)
  - Use the security association between the FA and HA to create keys for both entities
  - Use the Diffie-Hellman key exchange algorithm
Slide 52: Route Optimizations
• Binding warning: used by the old foreign agent to request that the home agent send the current binding to a correspondent host.
• When a host moves:
  - The old foreign agent may cache a forwarding pointer to the new foreign agent: packets are re-tunneled along the forwarding pointer, and a binding warning is sent to the home agent so it updates the correspondent with the new binding
  - The old foreign agent may not cache (or may purge) the forwarding pointer: packets are forwarded to the home agent, which tunnels them to the current care-of address and sends a binding update to the correspondent
Slide 53: MosquitoNet
• No foreign agent
• A visiting mobile host is assigned a temporary IP address corresponding to the foreign subnet.
• Packets are tunneled directly to the mobile host (without having to go through a foreign agent)
Slide 54: MosquitoNet: Advantages
• Mobile hosts can visit networks that do not have home agents
• The foreign agent is no longer a single point of failure
• Scalability: a foreign agent is not needed on every network that a mobile may visit. Home agents are only needed on networks with mobile clients
• Simpler protocol: only part of the foreign agent functionality is needed
Slide 55: MosquitoNet: Disadvantages
• The mobile host needs to acquire a temporary IP address on the foreign subnet
• Security: if a temporary IP address is re-assigned to another mobile too soon, the new mobile may receive packets intended for the previous mobile.
  - But shouldn't security / authentication issues remove this?
• Packet loss: foreign agents can forward packets destined for a mobile host that has moved to another foreign subnet. Without foreign agents, the packets will simply be lost.
• The mobile host is more complex, as it must incorporate some of the functionality of a foreign agent.
Slide 56: Other Protocols: CDPD
• CDPD: Cellular Digital Packet Data
• Similarity to Mobile IP:
  - Triangular routing approach between the mobile host and the home and foreign agents
• Differences:
  - User IP address assigned by the CDPD service provider
  - Uses proprietary tunneling, not IP-in-IP or GRE
  - Not strictly above the data link layer
Slide 57: Other Protocols: GPRS
[Figure: GPRS architecture]
• GPRS: General Packet Radio Data
• GSN: GPRS Support Node
• MSC: Mobile Switching Center
• BTS: Base Transceiver Station
• BSC: Base Station Controller
Slide 58: Mobile IP vs. CDPD vs. GPRS
• CDPD is slowing down (Jan 1999)
• Mobile IP is big in the US; the IETF is behind it
• US industry has just started adopting Mobile IP
• Motorola's iDEN network is Mobile IP based.