MOBILE NETWORK LAYERMOBILE NETWORK LAYER Mobile IPMobile IP

Mobile IP (I)Mobile IP (I) Mobile IP adds mobility support to the Internet network layer Mobile IP adds mobility support to the Internet network layer

protocol IP.protocol IP.– The Internet started at a time when no-one had a concept of mobile The Internet started at a time when no-one had a concept of mobile

computers.computers.» The Internet of today lacks mechanisms for the support of users traveling through The Internet of today lacks mechanisms for the support of users traveling through

the world.the world. IP is the common base for thousands of applications and runs over dozens of different IP is the common base for thousands of applications and runs over dozens of different

networks; this is the reason for supporting mobility at the IP layer. networks; this is the reason for supporting mobility at the IP layer.

Motivation for Mobile IP:Motivation for Mobile IP:– RoutingRouting

» based on IP destination address, network prefix determines physical subnetbased on IP destination address, network prefix determines physical subnet» Change of physical subnet implies change of IP address to have a topological Change of physical subnet implies change of IP address to have a topological

correct address (standard IP) or needs special entries in the routing tablescorrect address (standard IP) or needs special entries in the routing tables

Mobile IP (II)Mobile IP (II)

– Create specific routes to end-systems – mobile nodes?Create specific routes to end-systems – mobile nodes?» change of all routing table entries to forward packets to the change of all routing table entries to forward packets to the

right destinationright destination

» does not scale with the number of mobile hosts and frequent does not scale with the number of mobile hosts and frequent changes in the locationchanges in the location

– Changing the IP address?Changing the IP address?» adjust the host IP address depending on the current locationadjust the host IP address depending on the current location

» almost impossible to find a mobile host, DNS has not been almost impossible to find a mobile host, DNS has not been built for frequent updatesbuilt for frequent updates

» TCP connection breakTCP connection break

Mobile IP (III)Mobile IP (III)

Requirements to Mobile IP:Requirements to Mobile IP:– TransparencyTransparency

» mobile end-systems keep their IP addressmobile end-systems keep their IP address» continuation of communication after interruption of link continuation of communication after interruption of link

possiblepossible» point of connection to the fixed network can be changedpoint of connection to the fixed network can be changed

– CompatibilityCompatibility» support of the same layer 2 protocols as IP doessupport of the same layer 2 protocols as IP does» no changes to current end-systems and routers requiredno changes to current end-systems and routers required» Mobile end-systems can communicate with fixed systemsMobile end-systems can communicate with fixed systems

Mobile IP (IV)Mobile IP (IV)

– SecuritySecurity» authentication of all registration messagesauthentication of all registration messages

– Efficiency and scalabilityEfficiency and scalability» only little additional messages to the mobile system required only little additional messages to the mobile system required

(connection typically via a low bandwidth radio link)(connection typically via a low bandwidth radio link)

» world-wide support of a large number of mobile systems in world-wide support of a large number of mobile systems in the whole Internetthe whole Internet

Mobile IP (V)Mobile IP (V)

Terminology:Terminology:– Mobile Node (MN)Mobile Node (MN)

» system (node) that can change the point of connection to the network system (node) that can change the point of connection to the network without changing its IP addresswithout changing its IP address

– Home Agent (HA)Home Agent (HA)» system in the home network of the MN, typically a routersystem in the home network of the MN, typically a router

» registers the location of the MN, tunnels IP datagrams to the COAregisters the location of the MN, tunnels IP datagrams to the COA

– Foreign Agent (FA)Foreign Agent (FA)» system in the current foreign network of the MN, typically a routersystem in the current foreign network of the MN, typically a router

» forwards the tunneled datagrams to the MN, typically also the default forwards the tunneled datagrams to the MN, typically also the default router of the MNrouter of the MN

Mobile IP (VI)Mobile IP (VI)

– Care-of Address (COA)Care-of Address (COA)» address of the current tunnel end-point for the MN (at FA or address of the current tunnel end-point for the MN (at FA or

MN)MN)

» actual location of the MN from an IP point of viewactual location of the MN from an IP point of view

» can be chosen, e.g., via DHCPcan be chosen, e.g., via DHCP

– Correspondent Node (CN)Correspondent Node (CN)» communication partner communication partner

(current physical network for the MN)

home network

(physical home networkfor the MN)

Mobile IP (VII)Mobile IP (VII)

Example networkExample network

Internet

router

HAMN

router

FA foreign network

routerend-system

CN

Mobile IP (VIII)Mobile IP (VIII)

Data transfer to the mobile systemData transfer to the mobile system

Internethome network

foreignnetwork

FA

HA

MN

receiver

1

2

3

sender

CN

1. Sender sends to the IP address of MN, HA intercepts packet2. HA tunnels packet to COA, here FA, by encapsulation3. FA forwards the packet to the MN

foreignnetwork

home network

Mobile IP (IX)Mobile IP (IX)

Data transfer from the mobile systemData transfer from the mobile system

Internet

HA

MN

sender

receiver

CN

1. Sender sends to the IP address of the receiver as usual, FA works as default router

FA

1

Mobile IP (X)Mobile IP (X)

Network integration:Network integration:– Agent Advertisement Agent Advertisement

» HA and FA periodically send advertisement messages into HA and FA periodically send advertisement messages into their physical subnetstheir physical subnets

» MN listens to these messages and detects, if it is in the home MN listens to these messages and detects, if it is in the home or a foreign networkor a foreign network

» MN reads a COA from the FA advertisement messagesMN reads a COA from the FA advertisement messages

– RegistrationRegistration» MN signals COA to the HA via the FA, HA acknowledges MN signals COA to the HA via the FA, HA acknowledges

via FA to MNvia FA to MN» these actions have to be secured by authenticationthese actions have to be secured by authentication

Mobile IP (XI)Mobile IP (XI)– RegistrationRegistration

t

MN FA HAregistrationrequest

registrationrequest

registration

reply

registration

reply

Mobile IP (XII)Mobile IP (XII)

– AdvertisementAdvertisement» HA advertises the IP address of the MN (as for fixed HA advertises the IP address of the MN (as for fixed

systems), i.e. standard routing informationsystems), i.e. standard routing information

» routers adjust their entries, these are stable for a longer time routers adjust their entries, these are stable for a longer time (HA responsible for a MN over a longer period of time)(HA responsible for a MN over a longer period of time)

» packets to the MN are sent to HApackets to the MN are sent to HA

» Independent of changes in COA/FA Independent of changes in COA/FA

Mobile IP (XIII)Mobile IP (XIII)

Optimization of packet forwarding:Optimization of packet forwarding:– Triangular routingTriangular routing

» sender sends all packets via HA to MNsender sends all packets via HA to MN

» higher latency and network loadhigher latency and network load

– Solutions – optimizationSolutions – optimization» HA informs a sender about the location of MN HA informs a sender about the location of MN

» sender learns the current location of MNsender learns the current location of MN

» direct tunneling to this locationdirect tunneling to this location

» big security problems!big security problems!

Mobile IP (XIV)Mobile IP (XIV)

– Change of FAChange of FA» Packets on-the-fly during the change can be lostPackets on-the-fly during the change can be lost

» new FA informs old FA to avoid packet loss, old FA forwards new FA informs old FA to avoid packet loss, old FA forwards remaining packets to new FAremaining packets to new FA

» this information also enables the old FA to release resources this information also enables the old FA to release resources for the MN for the MN

Mobile IP (XV)Mobile IP (XV)

– Change of the foreign agent with the optimized mobile Change of the foreign agent with the optimized mobile IPIP

CN HA FAold FAnew MN

t

requestupdate

ACKdata data

MN changeslocationregistration

updateACKdata

data datawarning

update

ACKdata

data

registration

Mobile IP (XVI)Mobile IP (XVI) Reverse tunneling:Reverse tunneling:

Internet

receiver

FA

HA

MN

home network

foreignnetwork

sender

3

2

1

1. MN sends to FA2. FA tunnels packets to HA by encapsulation3. HA forwards the packet to the receiver (standard case)

CN

Mobile IP (XVII)Mobile IP (XVII)

Mobile IP with reverse tunnelingMobile IP with reverse tunneling– Router accept often only “topological correct“ addresses (firewall!)Router accept often only “topological correct“ addresses (firewall!)

» a packet from the MN encapsulated by the FA is now topological correcta packet from the MN encapsulated by the FA is now topological correct

» furthermore multicast and TTL problems solved (TTL in the home furthermore multicast and TTL problems solved (TTL in the home network correct, but MN is to far away from the receiver)network correct, but MN is to far away from the receiver)

– Reverse tunneling does not solveReverse tunneling does not solve» problems with problems with firewallsfirewalls, the reverse tunnel can be abused to circumvent , the reverse tunnel can be abused to circumvent

security mechanisms (tunnel hijacking)security mechanisms (tunnel hijacking)

» optimization of data paths, i.e. packets will be forwarded through the optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)tunnel via the HA to a sender (double triangular routing)

– The standard is backwards compatibleThe standard is backwards compatible» the extensions can be implemented easily and cooperate with current the extensions can be implemented easily and cooperate with current

implementations without these extensions implementations without these extensions

» Agent Advertisements can carry requests for reverse tunnelingAgent Advertisements can carry requests for reverse tunneling

Mobile IP and IPv6Mobile IP and IPv6 Mobile IP was developed for IPv4, but IPv6 simplifies the protocolsMobile IP was developed for IPv4, but IPv6 simplifies the protocols

– security is integrated and not an add-on, authentication of registration is security is integrated and not an add-on, authentication of registration is includedincluded

– COA can be assigned via auto-configuration (DHCPv6 is one candidate), COA can be assigned via auto-configuration (DHCPv6 is one candidate), every node has address autoconfigurationevery node has address autoconfiguration

– no need for a separate FA, no need for a separate FA, allall routers perform router advertisement which routers perform router advertisement which can be used instead of the special agent advertisement; addresses are always can be used instead of the special agent advertisement; addresses are always co-locatedco-located

– MN can signal a sender directly the COA, sending via HA not needed in this MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimization)case (automatic path optimization)

– „„soft“ hand-over, i.e. without packet loss, between two subnets is supportedsoft“ hand-over, i.e. without packet loss, between two subnets is supported» MN sends the new COA to its old routerMN sends the new COA to its old router» the old router encapsulates all incoming packets for the MN and forwards them to the old router encapsulates all incoming packets for the MN and forwards them to

the new COAthe new COA» authentication is always grantedauthentication is always granted

Problems with mobile IPProblems with mobile IP SecuritySecurity

– authentication with FA problematic, for the FA typically belongs to another authentication with FA problematic, for the FA typically belongs to another organization organization

– no protocol for key management and key distribution has been standardized in the no protocol for key management and key distribution has been standardized in the InternetInternet

– patent and export restrictionspatent and export restrictions

FirewallsFirewalls– typically mobile IP cannot be used together with firewalls, special set-ups are typically mobile IP cannot be used together with firewalls, special set-ups are

needed (such as reverse tunneling)needed (such as reverse tunneling)

QoSQoS– many new reservations in case of RSVPmany new reservations in case of RSVP

– tunneling makes it hard to give a flow of packets a special treatment needed for tunneling makes it hard to give a flow of packets a special treatment needed for the QoSthe QoS

Security, firewalls, QoS etc. are topics of current research and Security, firewalls, QoS etc. are topics of current research and discussions!discussions!

Security in Mobile IPSecurity in Mobile IP Security requirements (Security Architecture for the Internet Security requirements (Security Architecture for the Internet

Protocol, RFC 1825)Protocol, RFC 1825)– IntegrityIntegrity

any changes to data between sender and receiver can be detected by the receiverany changes to data between sender and receiver can be detected by the receiver

– AuthenticationAuthenticationsender address is really the address of the sender and all data received is really sender address is really the address of the sender and all data received is really data sent by this senderdata sent by this sender

– ConfidentialityConfidentialityonly sender and receiver can read the dataonly sender and receiver can read the data

– Non-RepudiationNon-Repudiationsender cannot deny sending of datasender cannot deny sending of data

– Traffic AnalysisTraffic Analysiscreation of traffic and user profiles should not be possiblecreation of traffic and user profiles should not be possible

– Replay ProtectionReplay Protectionreceivers can detect replay of messagesreceivers can detect replay of messages

IP Micro-mobility supportIP Micro-mobility support Micro-mobility support:Micro-mobility support:

– Efficient local handover inside a foreign domainEfficient local handover inside a foreign domainwithout involving a home agentwithout involving a home agent

– Reduces control traffic on backboneReduces control traffic on backbone

– Especially needed in case of route optimizationEspecially needed in case of route optimization

Example approaches:Example approaches:– Cellular IPCellular IP

– HAWAIIHAWAII

– Hierarchical Mobile IP (HMIP)Hierarchical Mobile IP (HMIP)

Important criteria:Important criteria: Security Efficiency, Scalability, Transparency, Manageability Security Efficiency, Scalability, Transparency, Manageability

Cellular IPCellular IP Operation:Operation:

– „„CIP Nodes“ maintain routing CIP Nodes“ maintain routing entries (soft state) for MNsentries (soft state) for MNs

– Multiple entries possibleMultiple entries possible

– Routing entries updated based on Routing entries updated based on packets sent by MNpackets sent by MN

CIP Gateway:CIP Gateway:– Mobile IP tunnel endpointMobile IP tunnel endpoint

– Initial registration processingInitial registration processing

Security provisions:Security provisions:– all CIP Nodes shareall CIP Nodes share

„network key“„network key“

– MN key: MD5(net key, IP addr)MN key: MD5(net key, IP addr)

– MN gets key upon registrationMN gets key upon registration

CIP Gateway

Internet

BS

MN1

data/controlpackets

from MN 1

Mobile IP

BSBS

MN2

packets fromMN2 to MN 1

Cellular IP: SecurityCellular IP: Security Advantages:Advantages:

– Initial registration involves authentication of MNsInitial registration involves authentication of MNsand is processed centrally by CIP Gatewayand is processed centrally by CIP Gateway

– All control messages by MNs are authenticatedAll control messages by MNs are authenticated– Replay-protection (using timestamps)Replay-protection (using timestamps)

Potential problems:Potential problems:– MNs can directly influence routing entriesMNs can directly influence routing entries– Network key known to many entitiesNetwork key known to many entities

(increases risk of compromise)(increases risk of compromise)– No re-keying mechanisms for network keyNo re-keying mechanisms for network key– No choice of algorithm (always MD5, prefix+suffix mode)No choice of algorithm (always MD5, prefix+suffix mode)– Proprietary mechanisms (not, e.g., IPSec AH)Proprietary mechanisms (not, e.g., IPSec AH)

Cellular IP: Other issuesCellular IP: Other issues Advantages:Advantages:

– Simple and elegant architectureSimple and elegant architecture

– Mostly self-configuring (little management needed)Mostly self-configuring (little management needed)

– Integration with firewalls / private address support possibleIntegration with firewalls / private address support possible

Potential problems:Potential problems:

– Not transparent to MNs (additional control messages)Not transparent to MNs (additional control messages)

– Public-key encryption of MN keys may be a problemPublic-key encryption of MN keys may be a problemfor resource-constrained MNsfor resource-constrained MNs

– Multiple-path forwarding may cause inefficient use of Multiple-path forwarding may cause inefficient use of available bandwidthavailable bandwidth

HAWAIIHAWAII Operation:Operation:

– MN obtains co-located COAMN obtains co-located COAand registers with HAand registers with HA

– Handover: MN keeps COA,Handover: MN keeps COA,new BS answers Reg. Requestnew BS answers Reg. Requestand updates routersand updates routers

– MN views BS as foreign agentMN views BS as foreign agent

Security provisions:Security provisions:– MN-FA authentication mandatoryMN-FA authentication mandatory– Challenge/Response Extensions Challenge/Response Extensions

mandatorymandatory BS

1

2

3

BackboneRouter

Internet

BS

MN

BS

MN

CrossoverRouter

DHCPServer

HA

DHCP

Mobile IP

Mobile IP

1

24

3

4

HAWAII: SecurityHAWAII: Security Advantages:Advantages:

– Mutual authentication and C/R extensions mandatoryMutual authentication and C/R extensions mandatory

– Only infrastructure components can influence routing entriesOnly infrastructure components can influence routing entries

Potential problems:Potential problems:– Co-located COA raises DHCP security issuesCo-located COA raises DHCP security issues

(DHCP has no strong authentication)(DHCP has no strong authentication)

– Decentralized security-critical functionalityDecentralized security-critical functionality(Mobile IP registration processing during handover)(Mobile IP registration processing during handover)in base stationsin base stations

– Authentication of HAWAII protocol messages unspecifiedAuthentication of HAWAII protocol messages unspecified(potential attackers: stationary nodes in foreign network)(potential attackers: stationary nodes in foreign network)

– MN authentication requires PKI or AAA infrastructureMN authentication requires PKI or AAA infrastructure

HAWAII: Other issuesHAWAII: Other issues Advantages:Advantages:

– Mostly transparent to MNsMostly transparent to MNs(MN sends/receives standard Mobile IP messages)(MN sends/receives standard Mobile IP messages)

– Explicit support for dynamically assigned home addressesExplicit support for dynamically assigned home addresses

Potential problems:Potential problems:

– Mixture of co-located COA and FA concepts may not beMixture of co-located COA and FA concepts may not besupported by some MN implementationssupported by some MN implementations

– No private address support possibleNo private address support possiblebecause of co-located COAbecause of co-located COA

Hierarchical Mobile IPv6 Hierarchical Mobile IPv6 (HMIPv6)(HMIPv6) Operation:Operation:

– Network contains mobility anchor point (MAP)Network contains mobility anchor point (MAP)» mapping of regional COA (RCOA) to link COA mapping of regional COA (RCOA) to link COA

(LCOA)(LCOA)

– Upon handover, MN informsUpon handover, MN informsMAP onlyMAP only

» gets new LCOA, keeps RCOAgets new LCOA, keeps RCOA

– HA is only contacted if MAPHA is only contacted if MAPchangeschanges

Security provisions:Security provisions:– no HMIP-specificno HMIP-specific

security provisionssecurity provisions– binding updates should be binding updates should be

authenticatedauthenticated

MAP

Internet

AR

MN

AR

MN

HA

bindingupdate

RCOA

LCOAoldLCOAnew

Hierarchical Mobile IP: SecurityHierarchical Mobile IP: Security Advantages:Advantages:

– Local COAs can be hidden,Local COAs can be hidden,which provides some location privacywhich provides some location privacy

– Direct routing between CNs sharing the same link is possible (but Direct routing between CNs sharing the same link is possible (but might be dangerous)might be dangerous)

Potential problems:Potential problems:

– Decentralized security-critical functionalityDecentralized security-critical functionality(handover processing) in mobility anchor points(handover processing) in mobility anchor points

– MNs can (must!) directly influence routing entries via binding updates MNs can (must!) directly influence routing entries via binding updates (authentication necessary)(authentication necessary)

Hierarchical Mobile IP: Other Hierarchical Mobile IP: Other issuesissues

Advantages:Advantages:

– Handover requires minimum numberHandover requires minimum numberof overall changes to routing tablesof overall changes to routing tables

– Integration with firewalls / private address support possibleIntegration with firewalls / private address support possible

Potential problems:Potential problems:

– Not transparent to MNsNot transparent to MNs

– Handover efficiency in wireless mobile scenarios:Handover efficiency in wireless mobile scenarios:

» Complex MN operationsComplex MN operations

» All routing reconfiguration messages sent over wireless linkAll routing reconfiguration messages sent over wireless link