Mobile IPv4 & Mobile IPv6

Mohamed M Khalil

Posted on 21-Jan-2016. PowerPoint presentation, 49 slides.

TRANSCRIPT

Page 1: Mobile IPv4 & Mobile IPv6

1Mohamed M Khalil

Mobile IPv4 & Mobile IPv6

Page 2: Mobile IPv4 & Mobile IPv6

Mobile IP - Why?

[Figure: an IP based network with Sub-network A and Sub-network B.]

The mobile workforce carry their laptops and want to communicate with different hosts on the IP based network.

Page 3: Mobile IPv4 & Mobile IPv6

Mobile IP - The Problem

[Figure: an IP based network with a Home Subnetwork and a Foreign Subnetwork, each with hosts.]

When a Mobile Node (MN) moves across subnetworks it changes its point of attachment.

Page 4: Mobile IPv4 & Mobile IPv6

Mobile IP - Mobility Model

[Figure: a Source Node and a Destination Node communicating over Internet routing, with a Location Directory (LD), an Address Translation Agent (ATA) and a Forwarding Agent (F-1) in the path.]

The solution should maintain all existing communications between the MN and other hosts while the MN is changing its point of attachment.

Legend: LD: Location Directory. ATA: Address Translation Agent. F-1: Forwarding Agent.

Page 5: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Design Requirements

[Figure: a host with the example address 128.5.64.46.]

• No modification to IP based routing
• Compatibility with IP based addressing
• Application transparency: no modification to the host operating system
• Network-wide mobility scalability

Compatibility with existing IP based network computers and applications.

Page 6: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - IETF Architecture

[Figure: Mobile IP entities and relationships. A Home Network (Home Link, Home Agent labelled ATA & LD, mobile node at home link) and a Foreign Network (Foreign Link, Foreign Agent labelled FA, mobile node at foreign link) connected over an IP based network, with a Host.]

• The Home Agent performs the functionality of the LD and the ATA.
• The Foreign Agent performs the functionality of the Forwarding Agent.

Page 7: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Agent Advertisements

[Figure: a Mobile Agent sends an Agent Advertisement to the Mobile Node; two Hosts are on the link.]

• Mobile Agents advertise their presence.
• The MN determines whether it is on a home or a foreign link.
• The MN acquires a care-of address and a default router.

Page 8: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Registration

[Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, connected over an IP based network; a Host and a Router on the home link; steps 1-4 numbered on the figure; a Gratuitous ARP is shown on the home link.]

1- MN sends a request for service.
2- FA relays the request to HA.
3- HA accepts or denies.
4- FA relays the status to MN.

Page 9: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Data Transfer

[Figure: Host on the Home Link, Home Agent, IP based network, Foreign Agent on the Foreign Link.]

• Host data packets are tunneled by the HA to the MN.
• The MN sends information directly to the host.

Page 10: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Broadcast Packet from MN

[Figure: Home Link with several Hosts and the Home Agent, IP based network, Foreign Link with Foreign Agent.]

Broadcast packets from the MN MUST be tunneled to the HA.

Page 11: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - IP-in-IP Tunneling

[Figure: a tunnel from a home agent to a foreign agent, with the Mobile Node behind the Foreign Agent.]

Original IP packet: Header + payload, with IPsrc = Original Sender and IPdst = Ultimate Destination.

Encapsulating IP packet: Outer Header + (Header + payload), with IPsrc = Tunnel Entry-Point (Home Agent) and IPdst = Tunnel Exit-Point (care-of address).
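The encapsulation on this slide as an added example in Python (not code from the presentation): the home agent wraps the original packet in an outer IPv4 header with protocol 4, and the tunnel exit point validates the outer header before unwrapping. All addresses are constructed sample values.

```python
"""IP-in-IP (protocol 4) tunnel from a Mobile IPv4 home agent (tunnel entry
point) to the care-of address (tunnel exit point). Addresses are constructed
sample values: HA 192.0.2.1, care-of address 198.51.100.7 (the FA), original
sender 203.0.113.9 and the MN's home address 192.0.2.50."""
import ipaddress
import struct

IPPROTO_IPIP = 4


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) after checking version, IHL and checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def ha_encapsulate(original: bytes, home_agent: str, care_of: str) -> bytes:
    """Tunnel entry point: outer IPsrc = home agent, IPdst = care-of address."""
    return build_ipv4(home_agent, care_of, IPPROTO_IPIP, original)


def fa_decapsulate(tunneled: bytes, care_of: str) -> bytes:
    """Tunnel exit point: accept only protocol-4 packets addressed to our own
    care-of address, validate the inner header, then hand back the original."""
    _src, dst, proto, inner = parse_ipv4(tunneled)
    if dst != care_of or proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet for this care-of address")
    parse_ipv4(inner)
    return inner


def demo() -> tuple:
    """Returns the outer (src, dst, proto), the inner (src, dst) and whether
    decapsulation restored the original packet byte for byte."""
    original = build_ipv4("203.0.113.9", "192.0.2.50", 17, b"hello MN")
    tunneled = ha_encapsulate(original, "192.0.2.1", "198.51.100.7")
    inner = fa_decapsulate(tunneled, "198.51.100.7")
    return parse_ipv4(tunneled)[:3], parse_ipv4(inner)[:2], inner == original
```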

Page 12: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Broadcast Packet to MN

[Figure: Home Link with Home Agent, IP based network, Foreign Link with Foreign Agent.]

The HA MUST tunnel broadcast packets destined for the MN.

Page 13: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Nested Tunneling

[Figure: nested encapsulation of a broadcast packet (Src Addr, destination 255.255.255.255 or network prefix.111…, Data): an inner tunnel header to the Mobile Node IP and an outer tunnel header from the Home Agent to the COA IP.]

The MN should set the B bit to 1 to request that the HA provide it (via a tunnel) a copy of the broadcast packets that occur on the home link.

Page 14: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Registration Message Format

[Figure: IP header fields | UDP header | Mobile IP message header | Extensions]

After the IP and UDP headers, the registration message header is found, then any necessary extensions, always including an authentication extension.

Page 15: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Registration Request

IP Header (RFC 791):
  IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live = 1 | Protocol = UDP | Header Checksum
  Source Address
  Destination Address

UDP Header (RFC 768):
  Source Port | Destination Port = 434
  Length | Checksum

Fixed length portion of Registration Request (RFC 2002):
  Type = 1 | S B D M G V rsv | Lifetime
  Mobile Node's Home Address
  Home Agent Address
  Care-of Address
  Optional Extensions

Mobile-Home Authentication Extension (RFC 2002), mandatory:
  Type = 32 | Length | Security Parameter Index (SPI)
  Authentication (default: keyed MD5)

Page 16: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Registration Reply

Fixed length portion of Registration Reply (RFC 2002):
  Type = 3 | Code | Lifetime
  Mobile Node's Home Address
  Home Agent Address
  Identification
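An added example (not from the slides) that builds the Registration Request described on the preceding slides and verifies it the way a home agent would. It includes the 64-bit Identification field that RFC 2002 places after the care-of address (omitted on the slide), uses the RFC 2002 default keyed-MD5 authenticator, and treats the SA table, SPI, shared secret and addresses as constructed sample values; the replay check is a simplified one (the identification must increase).

```python
"""Mobile IPv4 Registration Request + Mobile-Home Authentication Extension
(RFC 2002 formats). The Identification field follows the care-of address as
in RFC 2002; the authenticator is the RFC 2002 default keyed MD5 in
prefix+suffix mode. Secret, SPI and addresses are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST, MH_AUTH_EXT = 1, 32
FLAG_S, FLAG_B, FLAG_D, FLAG_M, FLAG_G, FLAG_V = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def keyed_md5(secret: bytes, message: bytes, ext_prefix: bytes) -> bytes:
    """Default authenticator: MD5(secret || message || Type,Length,SPI || secret)."""
    return hashlib.md5(secret + message + ext_prefix + secret).digest()


def build_request(flags, lifetime, home, ha, coa, ident, spi, secret):
    """Fixed-length portion followed by the mandatory authentication extension."""
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST, flags, lifetime,
                        _addr(home), _addr(ha), _addr(coa), ident)
    ext_prefix = struct.pack("!BBI", MH_AUTH_EXT, 4 + 16, spi)  # Length = 4 + authenticator
    return fixed + ext_prefix + keyed_md5(secret, fixed, ext_prefix)


def ha_verify(msg: bytes, sa_table: dict, last_ident: dict):
    """Home agent side: parse, authenticate under the SA named by the SPI,
    then reject replays. Returns (accepted, reason, fields)."""
    if len(msg) < 24 + 22 or msg[0] != REG_REQUEST:
        return False, "not a Registration Request", None
    flags, lifetime, home, _ha, coa, ident = struct.unpack("!BH4s4s4sQ", msg[1:24])
    off, auth_off = 24, None          # walk Type/Length extensions after the fixed part
    while off + 2 <= len(msg):
        if msg[off] == MH_AUTH_EXT:
            auth_off = off
        off += 2 + msg[off + 1]
    if auth_off is None or off != len(msg) or msg[auth_off + 1] != 20:
        return False, "missing or malformed authentication extension", None
    ext_prefix = msg[auth_off:auth_off + 6]
    spi = struct.unpack("!I", ext_prefix[2:6])[0]
    secret = sa_table.get(spi)
    if secret is None:
        return False, "unknown SPI %d" % spi, None
    # The authenticator covers everything that precedes the extension.
    expected = keyed_md5(secret, msg[:auth_off], ext_prefix)
    if not hmac.compare_digest(expected, msg[auth_off + 6:auth_off + 22]):
        return False, "authentication failed", None
    home_s = str(ipaddress.IPv4Address(home))
    if ident <= last_ident.get(home_s, -1):   # simplified replay window
        return False, "replayed or stale identification", None
    last_ident[home_s] = ident
    return True, "ok", {"home": home_s, "coa": str(ipaddress.IPv4Address(coa)),
                        "lifetime": lifetime, "flags": flags}


def demo() -> list:
    """One valid request, the same request replayed, and a copy with the COA altered."""
    sa_table, seen = {0x100: b"constructed-secret"}, {}
    req = build_request(FLAG_B, 300, "192.0.2.50", "192.0.2.1", "198.51.100.7",
                        1, 0x100, sa_table[0x100])
    tampered = req[:12] + bytes([198, 51, 100, 8]) + req[16:]
    return [ha_verify(m, sa_table, seen)[1] for m in (req, req, tampered)]
```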

Page 17: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Route Optimization

1- Binding Update
2- Binding Acknowledgment
3- Binding Warning

Page 18: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Route Optimization

[Figure: Home Link with Home Agent and Host, Foreign Link with the new FA (NFA) and the old FA (OFA); steps 1-5 numbered on the figure.]

1- FA relays a request to HA.
2- Send a Binding Update (BU) to the OFA and a Registration Request (RR) to the HA.
3- Send a Binding Update as a result of receiving a Binding Warning Extension.
4- Binding Acknowledgment back.
5- Registration Reply back.

Page 19: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Route Optimization (continued)

[Figure: Home Link with Home Agent and Host, Foreign Link with NFA; steps 1-4 numbered on the figure.]

1- Data is sent from the Host to the NFA through the HA.
2- HA tunnels the data to the MN.
3- A Binding Update is sent from the HA to the Host.
4- Data is tunneled from the Host to the NFA.

Page 20: Mobile IPv4 & Mobile IPv6

Mobile IPv4 - Route Optimization (continued)

[Figure: Home Link with Home Agent and Host, Foreign Link with the old FA (OFA) and the new FA (NFA); steps 1-4 numbered on the figure.]

1- Data is tunneled to the old FA.
2- A Binding Warning message is sent to the HA.
3- HA sends a Binding Update to the Host.
4- Data is tunneled to the new FA.

Page 21: Mobile IPv4 & Mobile IPv6

Mobile IPv6 - IETF Architecture

[Figure: Mobile IP entities and relationships for Mobile IPv6. A Home Network (Home Link, Home Agent labelled ATA & LD, mobile node at home link) and a Foreign Network (Foreign Link, mobile node at foreign link) connected over an IP based network, with a Host.]

• The Home Agent performs the functionality of the LD and the ATA.
• A correspondent node may forward packets directly to the MN using source based routing.

Page 22: Mobile IPv4 & Mobile IPv6

Mobile IPv6 - Registration

[Figure: Home Link with Home Agent, Foreign Link, IP based network; a Host and a Router on the home link; steps 1-4 numbered on the figure; a Gratuitous Neighbor Advertisement is shown on the home link.]

1- MN-DHCPv6 Request for a collocated IP address.
2- HM-DHCPv6 Reply.
3- MN sends a Binding Update message.
4- MN receives a Binding Acknowledgement.

Page 23: Mobile IPv4 & Mobile IPv6

Mobile IPv6 - Data Transfer

[Figure: Home Link with Home Agent, IP based network, Foreign Link, Host; steps 1-3 numbered on the figure.]

1. Host data packets are tunneled by the HA to the MN.
2. MN sends a Binding Update to the Host.
3. Host sends data directly to the MN using source header routing.

Page 24: Mobile IPv4 & Mobile IPv6

Mobile IPv6 - Update MN Location

[Figure: Home Link with Home Agent, IP based network, Foreign Link, Host; steps 1-2 numbered on the figure.]

1. When the Binding Cache entry expires, the Host sends a Binding Request to the MN.
2. The Host continues sending data directly to the MN using source header routing.

Page 25: Mobile IPv4 & Mobile IPv6

IP Security

Page 26: Mobile IPv4 & Mobile IPv6

Loss Of Privacy

A perpetrator may observe confidential data, such as a password, as it traverses the internet. The perpetrator may use this data to log in to the system and pretend to be the real person.

[Figure: a telnet session in which the password "m-y-p-a-s-s-w-o-r-d" is visible on the wire.]

telnet foo.bar.org
username: dan
password:

Page 27: Mobile IPv4 & Mobile IPv6

Loss Of Data Integrity

You may not care if someone sees your business transaction, but you do care if somebody modifies your business transaction.

[Figure: a "Deposit $1000" message is altered in transit to "Deposit $100".]

Page 28: Mobile IPv4 & Mobile IPv6

Man In The Middle Attack

The Bad Guy replays the same business transaction message.

[Figure: a "Withdraw $1000" message is captured by the BAD GUY and replayed several times.]

Page 29: Mobile IPv4 & Mobile IPv6

Denial-Of-Service

The Bad Guy floods the system with messages or viruses which crash the system.

[Figure: a flood of messages and a virus directed at the system.]

Page 30: Mobile IPv4 & Mobile IPv6

Where Should We Implement Security?

[Figure: protocol stack showing link-layer encryption, the Network Layer and the Application Layer.]

Security may be implemented in:
1- Application Layer (Secure Sockets Layer).
2- Network Layer (IPSec).
3- Data Link Layer.

Page 31: Mobile IPv4 & Mobile IPv6

IPSec: Security Protocol

IPSec implements an end-to-end security solution at the network layer. Thus end systems and applications do not need to change to have the advantage of strong security.

Page 32: Mobile IPv4 & Mobile IPv6

IPSec: Session Establishment

1- IPSec provides the data level processing. It assumes that the SA is established between the two nodes. It does not have a mechanism to establish a security association.
2- The negotiation and establishment of the security association is done by the Internet Key Exchange protocol (IKE), built around the framework of ISAKMP (Internet Security Association and Key Management Protocol).

Page 33: Mobile IPv4 & Mobile IPv6

IPSec: Connection

Each IPSec connection can provide the following:
1- Encryption.
2- Integrity and authenticity.
3- Or both.

Page 34: Mobile IPv4 & Mobile IPv6

IPSec: Security Association

IPSec uses Security Associations to establish secure connections between nodes. A Security Association defines:
1- the algorithms to use for encryption/decryption,
2- the algorithms to use for integrity check and authentication,
3- the shared session keys.

Each security association is identified by an SPI.

Page 35: Mobile IPv4 & Mobile IPv6

IPSec: Authentication Header

The Authentication Header provides support for data integrity and authentication of the IP packet.

AH format:
  Next Header | Payload Length | RSV
  SPI
  Sequence Number
  Authentication Data
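Added example, not from the slides: a receiver-side check of the AH fields listed above, with the per-SA sliding anti-replay window that the Sequence Number exists for (it is what defeats the replay shown on the Man In The Middle slide). The ICV algorithm, key, SPI, packets and the coverage of the ICV (the AH header only, for brevity) are assumptions.

```python
"""IPsec AH receive path: SPI lookup, anti-replay window on the Sequence
Number, then ICV check (RFC 2402 order). Assumptions: the ICV is HMAC-SHA256
truncated to 16 bytes, covers only the AH header itself (a real implementation
also covers the immutable IP header fields and the payload), and the key, SPI
and packets are constructed sample values."""
import hashlib
import hmac
import struct

WINDOW = 64   # RFC 2402 requires a window of at least 32


class InboundSA:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def icv(self, covered: bytes) -> bytes:
        return hmac.new(self.key, covered, hashlib.sha256).digest()[:16]

    def check(self, seq: int) -> bool:
        """True if seq is to the right of the window or unseen inside it."""
        if seq == 0:
            return False
        if seq > self.top:
            return True
        if self.top - seq >= WINDOW:
            return False                          # older than the window
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq: int) -> None:
        """Advance the window (only after a successful ICV check)."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def parse_ah(pkt: bytes):
    """Split the AH fields; Payload Length counts 32-bit words minus 2."""
    nh, plen, _rsv, spi, seq = struct.unpack("!BBHII", pkt[:12])
    ah_len = (plen + 2) * 4
    auth = pkt[12:ah_len]
    covered = pkt[:12] + b"\x00" * len(auth)     # ICV field is zeroed for the MAC
    return nh, spi, seq, auth, covered


def build_ah(sa: InboundSA, seq: int, next_header: int = 4) -> bytes:
    head = struct.pack("!BBHII", next_header, (12 + 16) // 4 - 2, 0, sa.spi, seq)
    return head + sa.icv(head + b"\x00" * 16)


def receive(sa: InboundSA, pkt: bytes) -> str:
    _nh, spi, seq, auth, covered = parse_ah(pkt)
    if spi != sa.spi:
        return "drop: unknown SPI"
    if not sa.check(seq):
        return "drop: replayed sequence number %d" % seq
    if not hmac.compare_digest(sa.icv(covered), auth):
        return "drop: bad ICV"
    sa.update(seq)
    return "accept"


def demo() -> list:
    """Constructed stream: in order, replayed, reordered but fresh, and forged."""
    sa = InboundSA(0x1234, b"constructed-key")
    p1, p2 = build_ah(sa, 1), build_ah(sa, 2)
    forged = build_ah(InboundSA(0x1234, b"wrong-key"), 6)
    return [receive(sa, p) for p in (p1, p1, build_ah(sa, 5), p2, p2, forged, build_ah(sa, 6))]
```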

Page 36: Mobile IPv4 & Mobile IPv6

IPSec: Encrypting Security Payload

The Encrypting Security Payload provides confidentiality. As an optional feature it provides the same authentication services as AH.

ESP format (as drawn on the slide):
  Next Header | Payload Length | RSV
  Sequence Number
  Payload Data (variable)
  Next Header
  Authentication Data (variable)

Page 37: Mobile IPv4 & Mobile IPv6

IPSec: Operation Modes

Transport Mode: only the IP payload is encrypted, and the original IP headers are left intact. This mode allows an attacker to perform traffic analysis, but it enables special processing, such as QoS, based on the information provided by the IP header.

Tunnel Mode: the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows routers to act as IPsec proxies. The major advantage is that the end system does not need to be modified to enjoy IP security. It also protects against traffic analysis.

Page 38: Mobile IPv4 & Mobile IPv6

IPSec: Transport Mode

In transport mode only the data is encrypted.

  Before: IP HDR | DATA
  After:  IP HDR | IPSEC HDR | DATA

Page 39: Mobile IPv4 & Mobile IPv6

IPSec: Tunnel Mode

In tunnel mode the entire packet is encrypted, including the header.

  Before: IP HDR | DATA
  After:  New IP HDR | IPSEC HDR | (IP HDR + DATA)

Page 40: Mobile IPv4 & Mobile IPv6

IKE: Phase I and II

Two phases in IKE are necessary to establish an SA:
1- Phase I: establish a secure channel in which to negotiate the SA.
2- Phase II: the SA is negotiated between the two nodes using the previously established secure channel.

Page 41: Mobile IPv4 & Mobile IPv6

IKE: SA Establishment Using IKE

[Figure: the two IKE phases described on the previous slide.]

Page 42: Mobile IPv4 & Mobile IPv6

IKE: Authentication Methods For Phase I

Three types of authentication methods are used to authenticate Phase I:
1- Pre-shared secret key.
2- Public key cryptography.
3- Digital signature.

Page 43: Mobile IPv4 & Mobile IPv6

IKE: Phase II

Once the secure channel is established between the two nodes as a result of Phase I, one node (the initiator) proposes a set of authentication and encryption algorithms and the other node (the responder) accepts one offer or rejects all.

Page 44: Mobile IPv4 & Mobile IPv6

IKE: Example

[Figure: IPSec Alice and IPSec Bob, each with an ISAKMP peer, connected by an ISAKMP tunnel.]

1- Alice's ISAKMP begins negotiation with Bob.
2- Outbound packet from Alice to Bob. No IPSec SA.
3- Negotiation complete. Alice and Bob now have complete IPSec SAs in place.
4- Packets from Alice to Bob are protected by IPSec.

Page 45: Mobile IPv4 & Mobile IPv6

Mobile IPv4 Security

[Figure: Mobile IP entities and relationships. Home Network (Home Link, Home Agent, mobile node at home link), Foreign Network (Foreign Link, Foreign Agent, mobile node at foreign link) and a Host; security associations drawn as SA (mandatory) between MN and HA and SA (optional) between MN and FA and between FA and HA.]

1- MN-HA (mandatory)
2- MN-FA (optional)
3- FA-HA (optional)

Page 46: Mobile IPv4 & Mobile IPv6

Mobile IPv6 Security

[Figure: Home Link with Home Agent and Foreign Link, with an IPSec tunnel between the MN and the HA.]

An IPSec tunnel between the MN and the HA is used to secure and authenticate the control messages between the MN and the HA.

Page 47: Mobile IPv4 & Mobile IPv6

BACKUP

Page 48: Mobile IPv4 & Mobile IPv6

Mobile IP - Introduction

• General increase in usage of laptop/notebook computers
• More access to Intranets
• Acceptance of telecommuting
• Increase in mobility based workforce (sales, delivery etc.)

There is a need for mobile computers to communicate with other computers, fixed or mobile.

Page 49: Mobile IPv4 & Mobile IPv6

Mobile IP - Design Requirements

• Communicate with other nodes while changing its link-layer point of attachment
• Use its home (permanent) IP address to communicate with other computers
• Communicate with non-Mobile IP based computers
• Provide as much security as the fixed computers
• Provide end-to-end mobility as well as basic quality of service