Slide 1 (Mohamed M Khalil)
Mobile IPv4 & Mobile IPv6
Slide 2
Mobile IP - Why?
[Figure: IP based network with Sub-network A and Sub-network B]
A mobile workforce carries its laptops and wants to communicate with different hosts on the IP based network.
Slide 3
Mobile IP - The Problem
[Figure: IP based network with a Foreign Subnetwork, a Home Subnetwork and hosts]
When the Mobile Node (MN) moves across subnetworks it changes its point of attachment.
Slide 4
Mobile IP - Mobility Model
[Figure: Source Node and Destination Node connected through Internet Routing, with F, F-1 and LD placed on the path]
The solution should maintain all existing communications between the MN and other hosts while the MN is changing its point of attachment.
Legend: F: Address Translation Agent (ATA). F-1: Forwarding Agent. LD: Location Directory.
Slide 5
Mobile IPv4 - Design Requirements
• No modification to IP based routing
• Compatibility with IP based addressing (e.g. 128.5.64.46)
• Application transparency: no modification to the host operating system
• Network-wide mobility scalability
• Compatibility with existing IP based network computers and applications.
Slide 6
Mobile IPv4 - IETF Architecture
[Figure: Mobile IP entities and relationships: Home Network/Home Link with the Home Agent (ATA & LD) and the mobile node at the home link; Foreign Network/Foreign Link with the Foreign Agent (FA) and the Mobile Node at the foreign link; a Host on the IP based network]
• The Home Agent performs the functions of the LD and the ATA.
• The Foreign Agent performs the function of the Forwarding Agent.
Slide 7
Mobile IPv4 - Agent Advertisements
[Figure: a Mobile Agent sends an Agent Advertisement to the Mobile Node; hosts on the same link]
• Mobile Agents advertise their presence.
• The MN determines whether it is on a home or a foreign link.
• The MN acquires a care-of address and a default router.
Slide 8
Mobile IPv4 - Registration
[Figure: Home Link with Home Agent, Host and Router; IP based network; Foreign Link with Foreign Agent and Mobile Node; steps 1-4 marked; Gratuitous ARP on the home link]
1- MN sends a request for service.
2- FA relays the request to the HA.
3- HA accepts or denies.
4- FA relays the status to the MN.
Slide 9
Mobile IPv4 - Data Transfer
[Figure: Home Link with Home Agent, IP based network, Foreign Link with Foreign Agent, Host]
• Host data packets are tunneled by the HA to the MN.
• The MN sends data directly to the host.
Slide 10
Mobile IPv4 - Broadcast Packet from MN
[Figure: Home Link with Home Agent and hosts, IP based network, Foreign Link with Foreign Agent]
Broadcast packets from the MN MUST be tunneled to the HA.
Slide 11
Mobile IPv4 - IP-in-IP Tunneling
[Figure: a tunnel from a home agent to a foreign agent, with Home Agent, Foreign Agent and Mobile Node]
Original IP packet: Header | payload
  IPsrc = Original Sender
  IPdst = Ultimate Destination
Encapsulating IP packet: Outer Header | Header | payload
  IPsrc = Tunnel Entry-Point (Home Agent)
  IPdst = Tunnel Exit-Point (care-of address)
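The encapsulation on this slide, as an added example that is not part of the original deck: the home agent wraps the original datagram in an outer IPv4 header (protocol 4) addressed to the care-of address, and the tunnel exit validates the outer header before releasing the inner packet. The addresses other than the slide's 128.5.64.46 are constructed.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4   # IANA protocol number carried in the outer header for IP-in-IP


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 when a stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet: bytes, home_agent: str, care_of: str) -> bytes:
    """Tunnel entry (home agent): the whole original datagram becomes the payload of an
    outer packet addressed from the HA to the care-of address."""
    return build_ipv4_header(home_agent, care_of, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(packet: bytes) -> bytes:
    """Tunnel exit (foreign agent or collocated COA): validate the outer header before
    handing the inner datagram on, so a damaged or mislabeled packet is dropped."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer header checksum")
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return packet[ihl:total_len]


def describe(packet: bytes) -> tuple:
    """(src, dst, protocol) of an IPv4 header, to inspect either tunnel layer."""
    return (str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20])), packet[9])


# Constructed sample: a host's UDP datagram to the MN's home address (the slide's 128.5.64.46),
# tunnelled by a home agent at 128.5.64.1 to the care-of address 198.51.100.7.
INNER = build_ipv4_header("192.0.2.10", "128.5.64.46", 17, 4) + b"DATA"
TUNNELLED = encapsulate(INNER, "128.5.64.1", "198.51.100.7")
```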
Slide 12
Mobile IPv4 - Broadcast Packet to MN
[Figure: Home Link with Home Agent, IP based network, Foreign Link with Foreign Agent]
The HA MUST tunnel broadcast packets destined for the MN.
Slide 13
Mobile IPv4 - Nested Tunneling
[Figure: nested headers: outer header Home Agent -> COA IP; inner header Home Agent -> Mobile Node IP; original broadcast packet Src Addr -> 255.255.255.255 (or network prefix.111…) followed by Data]
The MN should set the B bit to 1 to request that the HA provide it (via a tunnel) a copy of the broadcast packets that occur on the home link.
Slide 14
Mobile IPv4 - Registration Message Format
[Figure: IP header fields | UDP header | Mobile IP message header | Extensions]
After the IP and UDP headers comes the registration message header, followed by any necessary extensions, always including an authentication extension.
Slide 15
Mobile IPv4 - Registration Request
IP Header (RFC 791):
  IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live = 1 | Protocol = UDP | Header Checksum
  Source Address
  Destination Address
UDP Header (RFC 768):
  Source Port | Destination Port = 434
  Length | Checksum
Fixed-length portion of the Registration Request (RFC 2002):
  Type = 1 | S B D M G V res | Lifetime
  Mobile Node's Home Address
  Home Agent Address
  Care-of Address
  Optional Extensions
Mobile-Home Authentication Extension (RFC 2002), mandatory:
  Type = 32 | Length | Security Parameter Index (SPI)
  Authentication (default: keyed MD5)
Slide 16
Mobile IPv4 - Registration Reply
Fixed-length portion of the Registration Reply (RFC 2002):
  Type = 3 | Code | Lifetime
  Mobile Node's Home Address
  Home Agent Address
  Identification
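To make the registration formats of the two preceding slides concrete, this added example (not part of the original deck) builds a Registration Request with its mandatory Mobile-Home Authentication Extension using the RFC 2002 default authenticator, keyed MD5 in prefix+suffix mode, and shows the checks a home agent applies before accepting it. It assumes the 64-bit Identification field of RFC 2002 (drawn only on the reply slide) and treats it as strictly increasing per mobile node, a simplification of the RFC's timestamp-based replay protection; the SPI, key and addresses other than 128.5.64.46 are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

REG_REQUEST, MH_AUTH_EXT = 1, 32                # message type / extension type from RFC 2002
FLAG_S, FLAG_B, FLAG_D, FLAG_M, FLAG_G, FLAG_V = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """RFC 2002 default authenticator: MD5 in prefix+suffix mode, MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def build_registration_request(home_addr, home_agent, care_of, lifetime, flags, identification, spi, key):
    """Fixed portion (type, flags, lifetime, addresses, 64-bit Identification) followed by the
    mandatory Mobile-Home Authentication Extension (type 32)."""
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST, flags, lifetime, IPv4Address(home_addr).packed,
                        IPv4Address(home_agent).packed, IPv4Address(care_of).packed, identification)
    ext_head = struct.pack("!BBI", MH_AUTH_EXT, 20, spi)   # length 20 = 4-byte SPI + 16-byte MD5
    # The authenticator covers the fixed portion, all prior extensions and this extension's
    # type, length and SPI, so nothing before it can be altered in transit.
    return fixed + ext_head + keyed_md5(key, fixed + ext_head)


def verify_registration_request(msg: bytes, spi_keys: dict, last_ident: dict) -> dict:
    """Home-agent side: check the type, the authenticator (constant-time compare) and replay,
    using the Identification field, which a given MN must make strictly increasing here."""
    if len(msg) < 24 or msg[0] != REG_REQUEST:
        raise ValueError("not a Registration Request")
    flags, lifetime, home, ha, coa, ident = struct.unpack("!BH4s4s4sQ", msg[1:24])
    pos, authenticated = 24, False
    while pos + 2 <= len(msg):                          # extensions assumed to be type/length/value
        etype, elen = msg[pos], msg[pos + 1]
        if etype == MH_AUTH_EXT:
            spi = struct.unpack("!I", msg[pos + 2:pos + 6])[0]
            if spi not in spi_keys:
                raise ValueError("no security association for SPI %d" % spi)
            expected = keyed_md5(spi_keys[spi], msg[:pos + 6])
            if not hmac.compare_digest(expected, msg[pos + 6:pos + 2 + elen]):
                raise ValueError("authentication failed")
            authenticated = True
        pos += 2 + elen
    if not authenticated:
        raise ValueError("missing Mobile-Home Authentication Extension")
    home_s = str(IPv4Address(home))
    if ident <= last_ident.get(home_s, -1):
        raise ValueError("replayed registration: Identification did not increase")
    last_ident[home_s] = ident
    return {"home": home_s, "home_agent": str(IPv4Address(ha)), "care_of": str(IPv4Address(coa)),
            "lifetime": lifetime, "wants_broadcasts": bool(flags & FLAG_B)}


# Constructed sample: SPI 256 and a shared secret between the MN (home address 128.5.64.46) and its HA.
KEYS = {256: b"constructed-shared-secret"}
REQUEST = build_registration_request("128.5.64.46", "128.5.64.1", "198.51.100.7", lifetime=1800,
                                     flags=FLAG_B, identification=1, spi=256, key=KEYS[256])
```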
Slide 17
Mobile IPv4 - Route Optimization
1- Binding Update
2- Binding Acknowledgment
3- Binding Warning
Slide 18
Mobile IPv4 - Route Optimization
[Figure: Home Link with Home Agent, Foreign Link with the new FA (NFA) and the old FA (OFA), Host; steps 1-5 marked]
1- FA relays a request to the HA.
2- Send a Binding Update to the OFA and a Registration Request to the HA.
3- Send a Binding Update as a result of receiving a Binding Warning Extension.
4- Binding Acknowledgment back.
5- Registration Reply back.
Slide 19
Mobile IPv4 - Route Optimization (continued)
[Figure: Home Link with Home Agent, Foreign Link with NFA, Host; steps 1-4 marked]
1- Data is sent from the Host to the NFA through the HA.
2- HA tunnels the data to the MN.
3- A Binding Update is sent from the HA to the Host.
4- Data is tunneled from the Host to the NFA.
Slide 20
Mobile IPv4 - Route Optimization (continued)
[Figure: Home Link with Home Agent, Foreign Link with OFA and NFA, Host; steps 1-4 marked]
1- Data is tunneled to the old FA.
2- A Binding Warning message is sent to the HA.
3- HA sends a Binding Update to the Host.
4- Data is tunneled to the new FA.
Slide 21
Mobile IPv6 - IETF Architecture
[Figure: Mobile IP entities and relationships: Home Network/Home Link with the Home Agent (ATA & LD) and the mobile node at the home link; Foreign Network/Foreign Link with the Mobile Node at the foreign link; a Host on the IP based network]
• The Home Agent performs the functions of the LD and the ATA.
• A correspondent node may forward packets directly to the MN using source-based routing.
Slide 22
Mobile IPv6 - Registration
[Figure: Home Link with Home Agent, Host and Router; IP based network; Foreign Link with Mobile Node; steps 1-4 marked; Gratuitous Neighbor Advertisement on the home link]
1- MN sends a DHCPv6 Request for a collocated IP address.
2- DHCPv6 Reply.
3- MN sends a Binding Update message.
4- MN receives a Binding Acknowledgement.
Slide 23
Mobile IPv6 - Data Transfer
[Figure: Home Link with Home Agent, IP based network, Foreign Link with Mobile Node, Host; steps 1-3 marked]
1. Host data packets are tunneled by the HA to the MN.
2. MN sends a Binding Update.
3. Data is sent directly to the MN using the routing header (source routing).
Slide 24
Mobile IPv6 - Update MN Location
[Figure: Home Link with Home Agent, IP based network, Foreign Link with Mobile Node, Host; steps 1-2 marked]
1. When the Binding Cache entry expires, send a Binding Request to the MN.
2. Continue sending data directly to the MN using the routing header (source routing).
Slide 25
IP Security
Slide 26
Loss Of Privacy
[Figure: the password "m-y-p-a-s-s-w-o-r-d" is visible on the wire during a telnet login]
A perpetrator may observe confidential data, such as a password, as it traverses the Internet. The perpetrator may then use this data to log in to the system and pretend to be the real person.
telnet foo.bar.org
username: dan
password:
Slide 27
Loss Of Data Integrity
[Figure: a "Deposit $1000" transaction is altered in transit to "Deposit $100"]
You may not care if someone sees your business transaction, but you do care if somebody modifies your business transaction.
Slide 28
Man In The Middle Attack
[Figure: a "Withdraw $1000" message is captured by the BAD GUY and replayed several times]
The Bad Guy replays the same business transaction message.
Slide 29
Denial-Of-Service
[Figure: virus]
The Bad Guy floods the system with messages or viruses that crash the system.
Slide 30
Where Should We Implement Security?
[Figure: protocol stack showing link-layer encryption, the Network Layer and the Application Layer]
Security may be implemented in:
1- Application Layer (Secure Sockets Layer).
2- Network Layer (IPSec).
3- Data Link Layer.
Slide 31
IPSec: Security Protocol
IPSec implements an end-to-end security solution at the network layer. Thus end systems and applications do not need to change to gain the advantage of strong security.
Slide 32
IPSec: Session Establishment
1- IPSec provides the data-level processing. It assumes that the SA is already established between the two nodes; it has no mechanism of its own to establish a security association.
2- The negotiation and establishment of security associations is done by the Internet Key Exchange protocol (IKE), built around the framework of ISAKMP (Internet Security Association and Key Management Protocol).
Slide 33
IPSec: Connection
Each IPSec connection can provide the following:
1- Encryption.
2- Integrity and authenticity.
3- Or both.
Slide 34
IPSec: Security Association
IPSec uses Security Associations to establish secure connections between nodes. A Security Association defines:
1- the algorithms to use for encryption/decryption,
2- the algorithms to use for integrity checking and authentication,
3- the shared session keys.
Each security association is identified by an SPI.
Slide 35
IPSec: Authentication Header
The Authentication Header provides data integrity and authentication of the IP packet.
AH layout:
  Next Header | Payload Length | RSV
  SPI
  Sequence Number
  Authentication Data
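The header above in action, as an added example that is not part of the original deck: AH in transport mode with HMAC-MD5-96 (RFC 2403) as the integrity algorithm, the ICV computed over the IP header with its mutable fields zeroed, and the receiver applying the RFC 2402 anti-replay window before accepting a packet. The IP header bytes, payload, key and SPI are constructed; the IPv4 header is assumed to carry no options.

```python
import hashlib
import hmac
import struct

IPPROTO_AH, ICV_LEN = 51, 12      # AH protocol number; HMAC-MD5-96 truncates the MAC to 12 bytes


def ah_icv(key: bytes, ip_hdr: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """ICV over the IP header with mutable fields zeroed (TOS, flags/fragment offset, TTL,
    header checksum), the AH with its ICV zeroed, and the upper-layer payload."""
    h = bytearray(ip_hdr)
    h[1], h[6:8], h[8], h[10:12] = 0, b"\0\0", 0, b"\0\0"
    mac = hmac.new(key, bytes(h) + ah_fields + bytes(ICV_LEN) + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]


def ah_protect(ip_hdr: bytes, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: AH is inserted between a 20-byte option-less IP header and its payload."""
    hdr = bytearray(ip_hdr)
    next_hdr, hdr[9] = hdr[9], IPPROTO_AH                         # original protocol moves into AH
    hdr[2:4] = struct.pack("!H", 20 + 24 + len(payload))          # total length grows by the AH
    hdr[10:12] = b"\0\0"                                          # checksum is mutable; IP layer refills it
    ah_fields = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)   # payload len 4 = 24 bytes / 4 - 2
    return bytes(hdr) + ah_fields + ah_icv(key, bytes(hdr), ah_fields, payload) + payload


class AhReceiver:
    """Inbound SA: key plus the RFC 2402 anti-replay window (sequence numbers are never reused)."""
    def __init__(self, spi: int, key: bytes, window: int = 32):
        self.spi, self.key, self.window, self.highest, self.bitmap = spi, key, window, 0, 0

    def verify(self, packet: bytes) -> tuple:
        """Returns (next_header, payload) or raises; the window is updated only after the ICV check."""
        ip_hdr, ah_fields, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah_fields)
        if ip_hdr[9] != IPPROTO_AH or spi != self.spi:
            raise ValueError("not AH for this SA")
        if seq == 0 or seq <= self.highest - self.window:
            raise ValueError("sequence number outside the replay window")
        if seq <= self.highest and (self.bitmap >> (self.highest - seq)) & 1:
            raise ValueError("replayed packet")
        if not hmac.compare_digest(ah_icv(self.key, ip_hdr, ah_fields, payload), icv):
            raise ValueError("ICV mismatch: packet was modified or forged")
        if seq > self.highest:
            self.bitmap, self.highest = (self.bitmap << (seq - self.highest)) | 1, seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        self.bitmap &= (1 << self.window) - 1
        return next_hdr, payload


# Constructed sample: option-less IPv4/UDP header 192.0.2.1 -> 198.51.100.7 and a toy payload.
IP_HDR = bytes.fromhex("45000024abcd400040110000c0000201c6336407")
PAYLOAD = b"hello-mobile-ip"
KEY = b"constructed-ah-key-16b"
```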
Slide 36
IPSec: Encapsulating Security Payload
The Encapsulating Security Payload provides confidentiality. As an optional feature it provides the same authentication services as AH.
ESP layout (as drawn on the slide):
  Next Header | Payload Length | RSV
  Sequence Number
  Payload Data (variable)
  Next Header
  Authentication Data (variable)
Slide 37
IPSec: Operation Modes
Transport Mode: only the IP payload is encrypted, and the original IP headers are left intact. This mode allows an attacker to perform traffic analysis, but it enables special processing such as QoS based on the information in the IP header.
Tunnel Mode: the entire original IP datagram is encrypted and becomes the payload of a new IP packet. This mode allows routers to act as IPsec proxies. The major advantage is that the end system does not need to be modified to benefit from IP security. It also protects against traffic analysis.
Slide 38
IPSec: Transport Mode
In transport mode only the data is encrypted.
  Before: IP HDR | DATA
  After:  IP HDR | IPSEC HDR | DATA
Slide 39
IPSec: Tunnel Mode
In tunnel mode the entire packet is encrypted, including the header.
  Before: IP HDR | DATA
  After:  New IP HDR | IPSEC HDR | DATA + HDR
Slide 40
IKE: Phase I and II
Two phases of IKE are necessary to establish an SA:
1- Phase I: establish a secure channel in which to negotiate the SA.
2- Phase II: the SA is negotiated between the two nodes using the previously established secure channel.
Slide 41
IKE: SA Establishment Using IKE
Two phases of IKE are necessary to establish an SA:
1- Phase 1: establish a secure channel in which to negotiate the SA.
2- Phase 2: the SA is negotiated between the two nodes using the previously established secure channel.
Slide 42
IKE: Authentication Methods For Phase I
Three types of authentication methods are used to authenticate Phase I:
1- Pre-Shared Secret Key.
2- Public key cryptography.
3- Digital Signature.
Slide 43
IKE: Phase II
Once the secure channel is established between the two nodes as a result of Phase I, one node (the initiator) proposes a set of authentication and encryption algorithms, and the other node (the responder) accepts one offer or rejects them all.
Slide 44
IKE: Example
[Figure: IPSec Alice and IPSec Bob, with ISAKMP Alice and ISAKMP Bob joined by an ISAKMP tunnel]
1- Alice's ISAKMP begins negotiation with Bob.
2- Outbound packet from Alice to Bob; no IPSec SA yet.
3- Negotiation complete; Alice and Bob now have complete IPSec SAs in place.
4- Packets from Alice to Bob are protected by IPSec.
Slide 45
Mobile IPv4 Security
[Figure: Mobile IP entities and relationships (Home Network/Home Link with Home Agent, Foreign Network/Foreign Link with Foreign Agent, Mobile Node at the home or foreign link, Host), with the security associations marked: MN-HA SA (mandatory), MN-FA SA (optional), FA-HA SA (optional)]
1- MN-HA (mandatory)
2- MN-FA (optional)
3- FA-HA (optional)
Slide 46
Mobile IPv6 Security
[Figure: Home Link with Home Agent, Foreign Link with Mobile Node, and an IPSec tunnel between them]
An IPSec tunnel between the MN and the HA is used to secure and authenticate the control messages exchanged between the MN and the HA.
Slide 47
BACKUP
Slide 48
Mobile IP - Introduction
• General increase in the usage of laptop/notebook computers
• More access to intranets
• Acceptance of telecommuting
• Increase in the mobility-based workforce (sales, delivery, etc.)
There is a need for mobile computers to communicate with other computers, fixed or mobile.
Slide 49
Mobile IP - Design Requirements
• Communicate with other nodes while changing its link-layer point of attachment
• Use its home (permanent) IP address to communicate with other computers
• Communicate with non-Mobile-IP based computers
• Provide as much security as fixed computers have
• Provide end-to-end mobility as well as basic quality of service