CSCI 5273 Computer Networks
Mobile Internet Protocol: The Basics
Dirk Grunwald, Assoc. Professor
Dept. of Computer Science, University of Colorado, Boulder
References
2.1: C. Perkins and A. Myles, "Mobile IP," technical report.
2.2: B. Lancki, A. Dixit, V. Gupta, "Mobile-IP: Supporting Transparent Host Migration on the Internet," Linux Journal, June 1996.
2.3: D. Johnson and D. Maltz, "Protocols for Adaptive Wireless and Mobile Networking," IEEE Personal Communications, 3(1), February 1996.
2.4: C. Perkins and D. Johnson, "Mobility Support in IPv6," Proceedings of the Second Annual International Conference on Mobile Computing and Networking (MobiCom '96), November 1996.
2.5: M. Baker, X. Zhao, S. Cheshire, J. Stone (Stanford University), "Supporting Mobility in MosquitoNet," USENIX Winter 1996.
Mobile IP Basics
The problem: mobility vs. portability
Proposed solution: terminology, registration & maintenance, tunnels, security
Basic Goal of Portable Networking
[Figure: two nodes attached to a wireless router that connects to the Internet]
Important Problems in Portable Networking
Wireless media have different properties than wired media
Packet loss may not indicate contention (on a wireless link, loss is often interference or fading rather than congestion)
IEEE 802.11 is the "wireless Ethernet" standard: 1 & 11 Mb/s
HomeRF (www.homerf.org) is designed for home networking
Bluetooth (www.bluetooth.org) is designed as a "cable replacement"
Some Solutions in Portable/Wireless Networking
802.11 implementations use MAC addresses and "SSIDs" to identify nodes and networks
A hand-off protocol transfers control from one base station to another
This provides "MAC (L2) layer mobility"
Mobile IP provides network-layer mobility
Node Mobility in Mobile Networking
[Figure: a node moves from a wireless router to a wired router; both routers are attached to the Internet]
Router Mobility (e.g., Airplane Network)
[Figure: a wireless router, with its attached nodes, moves between wireless routers that reach the Internet through wired routers]
What are the problems?
Nodes in the Internet are identified by a specific IP address
Routing is performed using that same IP address
Some alternatives:
The node must change its IP address whenever it changes its point of attachment; this requires upper-level protocols to handle address changes
Host-specific routes must be propagated through the network; this requires large routing tables & doesn't scale well
Use another level of indirection...
Mobile IP Design Goals
A mobile node must be able to communicate with other nodes after changing its link-layer attachment, yet without changing its IP address
A mobile node must be able to communicate with other nodes that do not implement Mobile IP
Mobile IP must use authentication to offer security against redirection attacks
The number of administrative messages should be small to save bandwidth & power
Mobile IP must impose no additional constraints on the assignment of IP addresses
Terminology
Mobile node - a host or router that changes its point of attachment from one network or subnetwork to another. A mobile node may change its location without changing its IP address. It may continue to communicate with other Internet nodes at any location using its (constant) IP address
Home Agent - a router on a mobile node's home network that tunnels datagrams to the mobile node when it is away from home
Foreign Agent - a router on a mobile node's visited network that provides routing services to the mobile node while registered
Terminology
The mobile node is assigned a "care-of address" on the foreign network. This address is used to deliver the datagrams for the mobile node.
This can either be the address of the foreign agent (e.g., a router), or it can be "co-located" with the mobile node (an address the mobile node acquires itself on the visited network, e.g. via DHCP)
Terminology
[Figure: Home Network with Home Agent (HA) and mobile node A; Visited Network with Foreign Agent (FA) and A after moving; both networks attach to the Internet]
Solution In A Nutshell
[Figure, built up over five slides: a Source on the Internet sends to A's home address; the datagram is routed to the Home Network, where the HA intercepts it and sends it through a Tunnel across the Internet to the FA on the Visited Network, which delivers it to A]
More Abstractly
[Figure: Source -> HA -> FA -> Node]
Protocol Overview
Advertisement: mobility agents (Foreign Agents and Home Agents) should advertise their services; a mobile node can solicit for mobility agents
Registration: when a mobile node is away from home, it must register its care-of address with its home agent
Delivering datagrams: datagrams must be forwarded by the Home Agent to the Foreign Agent for delivery to the care-of address. The delivery mechanism must handle all packets (including broadcast and multicast); a tunnel is used for this
Advertisement & Solicitation
The ICMP Router Discovery protocol (RFC 1256) was adapted for agent advertisement and solicitation
Agents broadcast or multicast an advertisement every few seconds, using the limited broadcast address (255.255.255.255) or the all-systems-on-this-link multicast address (224.0.0.1)
Mobile nodes can also send out solicitation messages, which cause an agent to broadcast or multicast its advertisement immediately
Registration
Request forwarding services when visiting a foreign network; this allocates a local (foreign) care-of address
Inform the home agent of the current care-of address; this creates a binding between the care-of address and the home address
Renew a binding that's about to expire; bindings have lifetimes
De-register when returning home
Registration and Security
The home agent and the mobile node have conducted some form of prior key exchange; this defines a "secret" shared between the two (their mobility security association)
The authentication mechanism must defend against replay attacks
The mobile node uses the shared key to authenticate the redirection (registration) request
This is not the same as encrypting the communication channel: the request is authenticated, not hidden
Replay Attacks & Signatures
A replay attack occurs when a third party captures your packets and later "replays" them, fooling the receiver into thinking they are freshly and correctly authenticated.
E.g., sending an encrypted password over a network leaves you open to a replay attack. Note that the attacker never had to decrypt the password.
Two methods are used:
Timestamps: the sender includes a timestamp, and the receiver must find that the timestamp is close to its local time (and newer than the last one it accepted)
Nonces: each message from A -> B includes a new random number. When B replies to A, it must include that same random number. Likewise, each B -> A message includes a new random number generated by B and echoed by A
MD5 & Secure Hashes
A secure hash function is a one-way encoding of a document to a fixed-size hash value.
Knowing the hash value provides no practical information about the document (preimage resistance), but anyone holding the document can recompute the hash value
The probability that two different documents collide (produce the same hash) should be negligible (collision resistance)
MD5 (128-bit hash value), SHA-1 (160-bit), RIPEMD-160 (160-bit)
Caveat: MD5 and SHA-1 have since been broken for collision resistance and should not be chosen for new designs; they appear here because the lecture and RFC 2002 predate those results
[Figure: doc1 -> MD5 -> hash1; doc2 -> MD5 -> hash2]
Public Key Cryptography
Public-key cryptography uses a key pair, a private or secret key (sk) and a public key (pk), produced together by a key-generation step (gen). "Signing" or encrypting a message (M) with one key of the pair yields a modified document (M') that can be decoded only with the other key.
The public key can decrypt messages encrypted using the secret key
The secret key can decrypt messages encrypted using the public key
(This symmetry holds for RSA; not every public-key scheme has it)
[Figure: gen -> (sk, pk); M --crypt with sk--> M' --decrypt with pk--> M]
Digital Signatures
A digital signature is an electronic way of "signing" a document such that
Both you and the sender agree that only the sender could have sent the document
Both you and the sender agree the contents haven't been modified
Notice that the message doesn't need to be encrypted
[Figure: the sender computes md5 = MD5(Message), encrypts md5 with the private key to get smd5, and sends Message together with smd5; the receiver decrypts smd5 with the public key, recomputes MD5(Message), and compares the two values]
Authenticating Registration In Mobile IP Uses Secret-Key (Shared-Secret) Cryptography
[Figure: HA and A perform a key exchange and now share a key. A computes MD5 over (key, Datagram, key) and sends an IP packet carrying the Datagram plus the resulting md5 value. The HA recomputes MD5 over (key, Datagram, key) with its own copy of the key and compares the result with the received md5]
This is keyed MD5 in "prefix+suffix" mode, the default authentication algorithm of RFC 2002; the later RFC 3344 replaced it with HMAC-MD5
Diffie-Hellman Public Key Exchange
A public-key method that allows two parties to establish a shared secret key, such that the secret cannot be determined by other parties overhearing the public message exchange.
Two public numbers known by both parties, but not kept secret: a prime (p) and a generator (g)
Each side chooses a private random number (x), computes c = g^x mod p, and sends c
Each party then computes the same shared secret from the value it received and its own private random number: the secret is c^y mod p, where c is the other side's value and y is its own private random number
Since (g^x)^y = (g^y)^x = g^(xy) mod p, both sides arrive at the same value, and knowing g^x mod p and g^y mod p doesn't (efficiently) let an eavesdropper determine g^(xy) mod p
Diffie-Hellman
Once you have established the shared key, you can use digital signature (or keyed-hash) mechanisms to authenticate future communication between the parties
The entire process is anonymous: neither side learns who it is really talking to
It is therefore subject to a "man in the middle" attack: an attacker who relays the exchange establishes a separate key with each side and can read or modify everything between them
[Figure: mobile <-> FA exchange]
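The exchange described on the two Diffie-Hellman slides, plus the man-in-the-middle attack they warn about, as an added example that is not part of the original lecture or of any Mobile IP implementation. It uses a toy group (p = 23, g = 5) so the arithmetic can be checked by hand; real deployments use a 2048-bit or larger group. The HMAC under a pre-shared secret used to defeat the attacker is an assumed mechanism standing in for the "digital signature mechanisms" the slide mentions.

```python
"""Diffie-Hellman key agreement, the MITM weakness, and one authenticated fix.

Added example; toy parameters p = 23, g = 5 are NOT secure and exist only so
the values can be followed by hand.
"""
import hashlib
import hmac
import secrets

P, G = 23, 5  # toy group (assumed, insecure)


def private_value(p=P):
    """Pick x in [2, p-2]; the party never reveals it."""
    return secrets.randbelow(p - 3) + 2


def public_value(x, p=P, g=G):
    """c = g^x mod p, the only thing sent over the wire."""
    return pow(g, x, p)


def shared_secret(c_other, x, p=P):
    """c_other^x mod p = g^(xy) mod p; identical on both sides."""
    return pow(c_other, x, p)


def honest_exchange(xa, xb):
    """Alice and Bob exchange g^xa and g^xb; returns (Alice's secret, Bob's secret)."""
    ca, cb = public_value(xa), public_value(xb)
    return shared_secret(cb, xa), shared_secret(ca, xb)


def mitm_exchange(xa, xb, xm):
    """Mallory intercepts both public values and substitutes her own g^xm.

    Neither party notices, because nothing in the exchange says who sent it:
    Alice now shares a key with Mallory, and so does Bob.
    """
    ca, cb, cm = public_value(xa), public_value(xb), public_value(xm)
    return {
        "alice": shared_secret(cm, xa),          # Alice computes (g^xm)^xa
        "bob": shared_secret(cm, xb),            # Bob computes (g^xm)^xb
        "mallory_alice": shared_secret(ca, xm),  # Mallory: (g^xa)^xm == Alice's
        "mallory_bob": shared_secret(cb, xm),    # Mallory: (g^xb)^xm == Bob's
    }


def tag(psk, c, who):
    """Keyed hash over the public value under a pre-shared secret (assumed fix)."""
    return hmac.new(psk, who.encode() + c.to_bytes(4, "big"), hashlib.sha256).digest()


def authenticated_exchange(xa, xb, psk, xm=None):
    """Alice tags her public value; Bob rejects a value whose tag does not verify.

    xm=None models no attacker; otherwise Mallory swaps in g^xm on the wire.
    Returns (accepted, Alice's secret, Bob's secret).
    """
    ca, cb = public_value(xa), public_value(xb)
    ta = tag(psk, ca, "alice")
    if xm is not None:
        ca = public_value(xm)  # Mallory can replace the value but cannot forge the tag
    if not hmac.compare_digest(ta, tag(psk, ca, "alice")):
        return False, None, None
    return True, shared_secret(cb, xa), shared_secret(ca, xb)
```

With the toy values xa = 6, xb = 15 the honest exchange yields 2 on both sides; with Mallory's xm = 3 Alice ends up with 6 and Bob with 5, and Mallory holds both. The tag is what the anonymous exchange lacks: it binds the public value to an identity the other side can check.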
Authentication in Mobile IP
Timestamp-based methods need the message to be signed (or keyed-hashed), because the value used to defeat replay attacks (the time) is easily predictable; otherwise an attacker could fabricate a fresh-looking timestamp
Nonce-based systems rely on pseudo-random number sequences. As long as the sequence is not predictable (i.e., it is heavily influenced by the private key), the nonce itself may not need separate authentication
This is the level of authentication provided by DSS / frequency hopping
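The registration-authentication mechanism from the "Registration and Security", "Replay Attacks & Signatures" and "Authenticating Registration" slides and this one, as an added example that is not code from the lecture or from any Mobile IP implementation. It builds a simplified RFC 2002 Registration Request, appends a Mobile-Home Authentication Extension using the RFC 2002 default (keyed MD5 in "prefix+suffix" mode, MD5(secret || data || secret)), and shows the Home Agent verifying the authenticator before it checks the timestamp. The shared secret, SPI, addresses, clock-skew window and the `demo()` inputs are assumptions of this example; the reply codes follow RFC 2002 (131 "mobile node failed authentication", 133 "identification mismatch"). HMAC-MD5, which RFC 3344 later made the default, is included as an alternative MAC.

```python
"""Mobile IP registration: keyed-MD5 authenticator plus replay protection.

Added example; message layout is simplified (fixed part + one extension).
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MH_AUTH_EXT_TYPE = 32          # Mobile-Home Authentication Extension (RFC 2002)
CLOCK_SKEW = 7                 # seconds of skew tolerated (assumed policy)
ACCEPTED, AUTH_FAILED, ID_MISMATCH = 0, 131, 133
FIXED_FMT = "!BBH4s4s4sQ"      # type, flags, lifetime, home, home agent, care-of, identification
EXT_FMT = "!BBI"               # extension type, extension length, SPI


def keyed_md5(secret, data):
    """RFC 2002 default authenticator: MD5 in prefix+suffix mode."""
    return hashlib.md5(secret + data + secret).digest()


def hmac_md5(secret, data):
    """RFC 3344 default authenticator."""
    return hmac.new(secret, data, hashlib.md5).digest()


def timestamp_identification(unix_time):
    """64-bit NTP-style Identification: seconds since 1900 in the high 32 bits."""
    return (int(unix_time) + NTP_EPOCH_OFFSET) << 32


def registration_request(home, ha, coa, lifetime, identification):
    """Fixed part of a Registration Request (type 1, no flag bits set)."""
    return struct.pack(FIXED_FMT, 1, 0, lifetime, IPv4Address(home).packed,
                       IPv4Address(ha).packed, IPv4Address(coa).packed, identification)


def authenticate(request, spi, secret, mac=keyed_md5):
    """Append the authentication extension.

    The authenticator covers the request and this extension's type, length
    and SPI, so none of those fields can be altered in transit.
    """
    ext_header = struct.pack(EXT_FMT, MH_AUTH_EXT_TYPE, 4 + 16, spi)
    return request + ext_header + mac(secret, request + ext_header)


class HomeAgent:
    def __init__(self, secrets_by_spi, mac=keyed_md5):
        self.secrets = secrets_by_spi   # SPI -> shared secret (the security association)
        self.mac = mac
        self.last_id = {}               # home address -> last accepted Identification

    def verify(self, message, now):
        """Return a reply code: 0 accepted, 131 bad authenticator, 133 replay or skew."""
        fixed, ext = struct.calcsize(FIXED_FMT), struct.calcsize(EXT_FMT)
        if len(message) != fixed + ext + 16:
            return AUTH_FAILED
        _, _, _, home, _, _, ident = struct.unpack(FIXED_FMT, message[:fixed])
        ext_type, _, spi = struct.unpack(EXT_FMT, message[fixed:fixed + ext])
        secret = self.secrets.get(spi)
        # 1. Authenticator first: a forged request must learn nothing from the HA
        if ext_type != MH_AUTH_EXT_TYPE or secret is None:
            return AUTH_FAILED
        expected = self.mac(secret, message[:fixed + ext])
        if not hmac.compare_digest(expected, message[fixed + ext:]):
            return AUTH_FAILED
        # 2. Replay: timestamp must be inside the skew window AND newer than the
        #    last one accepted for this home address (a captured copy fails here)
        if abs((ident >> 32) - (int(now) + NTP_EPOCH_OFFSET)) > CLOCK_SKEW:
            return ID_MISMATCH
        if ident <= self.last_id.get(home, 0):
            return ID_MISMATCH
        self.last_id[home] = ident
        return ACCEPTED


def demo():
    """Valid request, then a replay, a tampered lifetime and a damaged authenticator."""
    secret, spi, now = b"example-shared-secret", 0x100, 925_000_000  # assumed values
    ha = HomeAgent({spi: secret})
    req = authenticate(registration_request("128.138.241.10", "128.138.241.1",
                                            "161.145.65.58", 600,
                                            timestamp_identification(now)), spi, secret)
    tampered = req[:2] + struct.pack("!H", 65535) + req[4:]   # lifetime changed in flight
    return [ha.verify(req, now),                 # fresh and authentic -> 0
            ha.verify(req, now + 1),             # replay of the captured request -> 133
            ha.verify(tampered, now),            # modified lifetime -> 131
            ha.verify(req[:-4] + b"\0" * 4, now)]  # damaged authenticator -> 131
```

The order of the checks matters: the authenticator is verified before the Identification field is consulted, so an unauthenticated sender cannot probe the HA's clock or its record of accepted timestamps. The predictable timestamp is harmless only because it sits under the keyed hash, which is the point the slide makes.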
Delivering datagrams
Once a mobile node has registered a care-of address, datagrams must be delivered to that address.
Many options to get messages there: have the source redirect messages; use forwarding with loose source routing; use forward tunnels
And other options to get messages back: have the node contact the source directly (its packets carry the home address as source, which looks like a spoofed header on the foreign network); use reverse tunnels
[Figure: Source -> HA -> FA -> Node]
Tunneling Basics
[Figure: Source -> HA ==tunnel==> FA -> Node]
Tunneling
IP-in-IP encapsulation [RFC 2003]
Minimal encapsulation [RFC 2004]
GRE -- Generic Routing Encapsulation
PPTP -- Point-to-Point Tunneling Protocol [RFC 2637]
L2TP -- Layer 2 Tunneling Protocol [RFC 2661]
IP-in-IP Encapsulation
[Figure: outer IP header (source/destination = tunnel endpoints) and any options, followed by the inner IP header and the original datagram]
IP in IP
The outer IP header source & destination addresses identify the tunnel endpoints (i.e., HA & FA).
The outer protocol field is 4 (IP in IP)
The inner IP header source and destination addresses identify the original sender & recipient; the inner header is not changed by the encapsulator, except to decrement the TTL
Other headers for authentication might be added after the outer header
Some outer IP header fields are copied from the inner header (TOS); most are re-computed (checksum, length) for the new datagram
Minimal Encapsulation
[Figure: outer IP header (source/destination = tunnel endpoints), then the minimal forwarding header carrying the original destination IP address, then the datagram payload]
Minimal Encapsulation
We can save some space by recognizing that much of the inner header can be derived from the outer header
Copy the inner header
Modify the protocol field to 55, the minimal encapsulation protocol
Replace the destination address with the tunnel exit
If the encapsulator isn't the originator of the message, replace the source address with the address of the encapsulator (and keep the original source in the forwarding header)
Increment the total length by the size of the additional header (12 octets if the original source is carried, 8 otherwise)
Recompute the checksum
Minimal Encapsulation Header
[Figure: Protocol (8 bits) | S (1 bit) | Reserved (7 bits) | Header Checksum (16 bits); Original Destination Address (32 bits); Original Source Address (32 bits, present only when S = 1). The S bit specifies whether the original source address is provided]
GRE
Generic Routing Encapsulation (RFC 2784); implemented in, e.g., Linux, Cisco routers, etc.
Generalized format that can carry any protocol over IP (the earlier RFC 1701 form also allowed multiple source routes specified by source route records)
Formats specified for IP, AppleTalk, IPX, etc.; also used for Ethernet bridging
Handling Broadcast & Multicast
The HA should forward everything (but not ARP packets)
Broadcast packets are either sent directly to co-located care-of addresses or "double encapsulated" (an inner header addressed to the mobile node's home address tells the FA which mobile node the broadcast is for)
Mobile nodes can join multicast groups on the foreign network, but this doesn't handle link-local or administratively scoped multicast
Or, the mobile node can set up a "bi-directional tunnel" with the HA
[Figure: double encapsulation: IP header addressed to the care-of address, IP header addressed to the mobile node, then the broadcast datagram]
Lastly, ARP
When a mobile node is on a foreign net, its HA uses proxy ARP to capture any datagrams on the home subnet directed to it
When a mobile node leaves home, the HA uses gratuitous ARP to update all ARP tables on the home subnet
When a mobile node returns home, it uses gratuitous ARP to recapture its traffic
When a mobile node is away from home, it can't transmit any broadcast ARP requests or ARP replies using its home address
This means that even "local" traffic destined for the mobile node on the foreign network goes to the HA, then the FA, and then the mobile node!
The need for reverse tunnels
[Figure: Node (home address 128.138.241.10) is attached to the foreign network through the FA (foreign address 161.145.65.58). Packets it sends directly to Source still carry 128.138.241.10 as their source address. Ingress filtering at the foreign domain's border discards datagrams that appear to originate from outside the domain, so these packets are dropped]
Reverse Tunnel In Action
[Figure: Node -> FA, tunnel FA -> HA, HA -> Source; the outer packet leaving the foreign domain carries the FA's address as source]
Alternate Reverse Tunnel
[Figure: an alternate reverse-tunnel path among Node, FA, HA and Source]
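The two encapsulations from the "IP in IP" and "Minimal Encapsulation" slides, and the ingress-filtering problem from "The need for reverse tunnels", as an added example that is not code from the lecture or from any Mobile IP implementation. It builds raw IPv4 datagrams with struct, encapsulates them the way the slides describe, decapsulates them again byte for byte, and runs a simple border-router ingress filter over the result. The addresses 128.138.241.10 and 161.145.65.58 come from the slide figure; the home-agent address 128.138.241.1 and correspondent 192.0.2.7 are assumed, as is the payload. IP options and fragmentation are not handled.

```python
"""IP-in-IP (RFC 2003) and minimal (RFC 2004) encapsulation, plus the
ingress-filter check a reverse tunnel exists to satisfy. Added example."""
import struct
from ipaddress import IPv4Address, IPv4Network

IPPROTO_IPIP = 4      # outer protocol for IP-in-IP
IPPROTO_MINIMAL = 55  # outer protocol for minimal encapsulation
IPV4_FMT = "!BBHHHBBH4s4s"


def checksum(data):
    """Internet checksum (RFC 1071); returns 0 over a block whose checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_datagram(src, dst, proto, payload, ttl=64, tos=0, ident=0):
    """20-byte IPv4 header (no options) followed by payload."""
    hdr = bytearray(struct.pack(IPV4_FMT, 0x45, tos, 20 + len(payload), ident, 0, ttl,
                                proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + payload


def parse(pkt):
    """Header fields as a dict; raises on a bad header checksum."""
    names = ("ver_ihl", "tos", "total", "ident", "flags", "ttl", "proto", "csum", "src", "dst")
    f = dict(zip(names, struct.unpack(IPV4_FMT, pkt[:20])))
    if checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f["src"], f["dst"] = str(IPv4Address(f["src"])), str(IPv4Address(f["dst"]))
    return f


def ipip_encapsulate(inner, entry, exit_):
    """New outer header: TOS copied from inner, length/checksum recomputed, protocol 4."""
    return ipv4_datagram(entry, exit_, IPPROTO_IPIP, inner, tos=parse(inner)["tos"])


def ipip_decapsulate(pkt):
    if parse(pkt)["proto"] != IPPROTO_IPIP:
        raise ValueError("not IP-in-IP")
    return pkt[20:]


def minimal_encapsulate(inner, entry, exit_):
    """Slide recipe: copy the inner header, set protocol 55, destination = tunnel exit,
    source replaced only if the encapsulator is not the originator (S bit),
    length grown by 8 or 12, checksum recomputed."""
    h = parse(inner)
    s_bit = h["src"] != entry
    fwd = bytearray(struct.pack("!BBH4s", h["proto"], s_bit << 7, 0, IPv4Address(h["dst"]).packed))
    if s_bit:
        fwd += IPv4Address(h["src"]).packed
    struct.pack_into("!H", fwd, 2, checksum(bytes(fwd)))
    outer = bytearray(inner[:20])
    outer[9] = IPPROTO_MINIMAL
    outer[16:20] = IPv4Address(exit_).packed
    if s_bit:
        outer[12:16] = IPv4Address(entry).packed
    struct.pack_into("!H", outer, 2, h["total"] + len(fwd))
    struct.pack_into("!H", outer, 10, 0)
    struct.pack_into("!H", outer, 10, checksum(bytes(outer)))
    return bytes(outer) + bytes(fwd) + inner[20:]


def minimal_decapsulate(pkt):
    """Undo the recipe, restoring the original header exactly."""
    h = parse(pkt)
    if h["proto"] != IPPROTO_MINIMAL:
        raise ValueError("not minimal encapsulation")
    proto, flags, _, orig_dst = struct.unpack("!BBH4s", pkt[20:28])
    size = 12 if flags & 0x80 else 8
    if checksum(pkt[20:20 + size]) != 0:
        raise ValueError("bad forwarding header checksum")
    hdr = bytearray(pkt[:20])
    hdr[9] = proto
    hdr[16:20] = orig_dst
    if flags & 0x80:
        hdr[12:16] = pkt[28:32]
    struct.pack_into("!H", hdr, 2, h["total"] - size)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20 + size:]


def ingress_filter_passes(pkt, domain):
    """Border-router rule: drop anything whose source address is outside the domain."""
    return IPv4Address(parse(pkt)["src"]) in IPv4Network(domain)


def reverse_tunnel_demo():
    """Node (home 128.138.241.10) on the 161.145/16 foreign network answers 192.0.2.7.
    Returns (direct packet passes filter?, reverse-tunneled packet passes filter?)."""
    direct = ipv4_datagram("128.138.241.10", "192.0.2.7", 17, b"constructed payload")
    tunneled = ipip_encapsulate(direct, "161.145.65.58", "128.138.241.1")  # FA -> HA
    return (ingress_filter_passes(direct, "161.145.0.0/16"),
            ingress_filter_passes(tunneled, "161.145.0.0/16"))
```

The direct packet fails the foreign domain's filter because its source is a 128.138/16 address; the same packet inside an outer header from 161.145.65.58 to the HA passes, and the HA strips the outer header and forwards the original toward the correspondent. Minimal encapsulation saves 8 or 12 bytes per packet over IP-in-IP but cannot carry already-fragmented datagrams, which is why RFC 2003 remains the mandatory form.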
Route Optimization
Obviously, all this indirection has a performance penalty ("triangle routing"). Solution: remove that indirection!
Route optimization tackles three areas:
Supply a binding update to a correspondent node that needs one (and has a chance of processing it correctly)
Provide a way to authenticate the binding update so that the recipient can believe it
Allow the mobile node and foreign agent to create a registration key for later use in making a smooth transition to a new point of attachment
Route Optimization
[Figure: numbered steps 1, 2, 3 and 5 among Source, HA, FA and Node, ending with a Binding Update delivered to the Source]
Foreign Agent Smooth Handoff
When a mobile node moves & registers with a new foreign agent, the base Mobile IP protocol does not notify the previous FA
New datagrams are tunneled to the new care-of address; in-flight datagrams are lost & upper layers (e.g., TCP) should handle that
As part of registration, the mobile node can have the new FA contact the previous FA
The new FA builds a binding update message with a "forwarding pointer" to the mobile node's new location
The new FA and the mobile node need a shared secret, the registration key, used to authenticate the notification sent to the previous foreign agent
Registration Keys
Need a way for an anonymous foreign agent to establish a registration key with the mobile node:
Use the mobility "security association" they share, if it exists or can be established
Use the mobile node's public key, if it exists
Use the FA's public key, if it exists, to enable the HA to create a registration key for both entities (transitive trust)
Use the security association between the FA and HA to create keys for both entities
Use the Diffie-Hellman key exchange algorithm (unauthenticated, so open to the man-in-the-middle problem noted earlier)
Route Optimizations
Binding warning: used by the old foreign agent to request that the home agent send the current binding to a correspondent host
When a host moves:
The old foreign agent may cache a forwarding pointer to the new foreign agent: packets are re-tunneled along the forwarding pointer, and a binding warning is sent to the home agent to update the correspondent with the new binding
The old foreign agent may not cache (or may purge) the forwarding pointer: packets are forwarded to the home agent, which tunnels them to the current care-of address and sends a binding update to the correspondent
MosquitoNet
No foreign agent: a visiting mobile host is assigned a temporary IP address corresponding to the foreign subnet
Packets are tunneled directly to the mobile host (without having to go through a foreign agent)
MosquitoNet -- Advantages
Mobile hosts can visit networks that do not have foreign agents
The foreign agent is no longer a single point of failure
Scalability: a foreign agent is not needed on every network that a mobile host may visit; home agents are only needed on networks with mobile clients
Simpler protocol: only part of the foreign agent functionality is needed
MosquitoNet -- Disadvantages
The mobile host needs to acquire a temporary IP address on the foreign subnet
Security: if a temporary IP address is re-assigned to another mobile host too soon, the new mobile host may receive packets intended for the previous one
But shouldn't security / authentication issues remove this?
Packet loss: foreign agents can forward packets destined for a mobile host that has moved to another foreign subnet. Without foreign agents, those packets are simply lost
The mobile host is more complex, as it must incorporate some of the functionality of a foreign agent
Other Protocols: CDPD
CDPD: Cellular Digital Packet Data
Similarity to Mobile IP: triangular routing between the mobile host and the home and foreign agents
Differences: the user's IP address is assigned by the CDPD service provider; uses proprietary tunneling, not IP-in-IP or GRE; not strictly above the data link layer
Other Protocols: GPRS
GPRS: General Packet Radio Service
GSN: GPRS Support Node; MSC: Mobile Switching Center; BTS: Base Transceiver Station; BSC: Base Station Controller
Mobile IP vs. CDPD vs. GPRS
CDPD is slowing down (as of Jan 1999)
Mobile IP is big in the US; the IETF is behind it
US industry has just started adopting Mobile IP
Motorola's iDEN network is Mobile IP based