8. Mobile IP Flashcards
Mobile Internet Protocol / Mobile IP / MIP
is an Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address.
- allows location-independent routing of IP datagrams on the internet
- each mobile node is identified by its home address regardless of its current location in the internet
- when away from ‘home’ a mobile node is associated with a care-of address identifying its current location, and its home address is associated with the local endpoint of a tunnel to its home agent
Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through the tunnel
Mobile IP addresses scenario:
Solution to enable a host to migrate between subnets while retaining a static/fixed IP address.
In a WLAN, different access points might use different subnets. A device’s IP address might then change when it moves between APs, causing existing connections, and new incoming connections to the old IP address, to fail.
Mobile IP two key functions
- To keep a persistent connection when moving between different wireless IP subnets
- To be addressable via a single, globally reachable (DNS-advertised) IP address while away from the ‘home’ network
Two alternative solutions to MIP
Dynamic DNS and Non-MIP mobility (Cisco WLAN controllers)
Dynamic DNS
Allows a host’s IP address to be updated in the DNS when it changes
- this however places some load on DNS infrastructure
- needs its own authentication of the update (only the host’s owner may change the record)
- only gives addressability by name; existing sessions to the old address still break when the address changes
(Dynamic DNS is used on home DSL networks where the ISP does not provide a static IP address)
Cisco/Trapeze WLAN controllers
Provide intra site mobility
Controller manages all AP configurations
(Avoids having to configure each AP explicitly)
Controller manages any host mobility
Uses some combination of proxy ARP / proxy ND / host-based routes
Supported in the Cisco WLCs at soton
Works well within a campus but not scalable beyond
Not interoperable (vendor-specific, no common standard)
MIP vs DynDNS vs WLC
MIP provides a common mobility platform at the IP layer, has the benefit of being a common standard
WLC
Wireless LAN Controller
Components of Mobile IPv6
MN - Mobile Node
CN - Correspondent Node
HA - Home Agent
HoA - Home Address
CoA - Care-of Address
BU - Binding Update
BUA - Binding Update Acknowledgement
Home Agent (HA)
Home Agent (HA) resides on a node's home network - the HA function is typically embedded in a router on that network
Home Address (HoA)
Home Address (HoA) is assigned from its home IP subnet
- this is the node’s persistent IP address; it is allocated by the HA as a part of initial mobility bootstrapping
- bootstrapping may also include some IPsec configuration
Care of Address (CoA)
Care of Address (CoA) is obtained while roaming
- can be obtained by IPv6 stateless autoconfiguration, or DHCPv6
- the mobile node always has a primary care-of address: the address it has obtained from the local visited network
Router advertisements
IPv6 hosts see or solicit Router Advertisements (RAs)
- the RA carries network prefix to use
- RA source address implies the default router
- host generates a 128-bit address from the 64-bit prefix and a 64-bit interface identifier (derived from the MAC address via modified EUI-64, or generated randomly)
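Worked example, added here and not part of the original flashcards: the address generation described on this card, in Python. The prefix 2001:db8::/64, the MAC address 00:1b:63:84:45:e6 and the router link-local address fe80::1 are constructed documentation values, not taken from any real network.

```python
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A).

    Split the 48-bit MAC into two halves, insert 0xfffe between them and
    invert the universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_interface_id() -> bytes:
    """Random 64-bit interface identifier, as used for privacy (temporary)
    addresses: CSPRNG bytes with the universal/local bit cleared, so the
    value can never be mistaken for a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(ra_prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine the /64 prefix carried in the RA with a 64-bit IID."""
    net = ipaddress.IPv6Network(ra_prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    if len(iid) != 8:
        raise ValueError("interface identifier must be 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def ra_default_router(ra_src: str) -> ipaddress.IPv6Address:
    """The RA's source address becomes the default router; RFC 4861 requires
    it to be link-local, so anything else is rejected."""
    router = ipaddress.IPv6Address(ra_src)
    if not router.is_link_local:
        raise ValueError("RA source must be a link-local address")
    return router


if __name__ == "__main__":
    # Constructed sample RA: prefix 2001:db8::/64 advertised by router fe80::1
    prefix, router = "2001:db8::/64", "fe80::1"
    print("EUI-64 address:", slaac_address(prefix, eui64_interface_id("00:1b:63:84:45:e6")))
    print("random address:", slaac_address(prefix, random_interface_id()))
    print("default router:", ra_default_router(router))
```

The EUI-64 form makes the MAC address, and hence the hardware, recognisable in every CoA the node acquires while roaming, which is why the random form is the default on most modern stacks.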
Home Agent forwarding
When away from its home network, the MN registers any new CoA with its HA using a special message called a Binding Update (BU)
- HA replies with a BU Acknowledgement
The HA operation then depends on whether the MN is resident in the home subnet or not
- If the MN is in its home network (subnet), operation is normal
- If the MN is not resident in its home network, the HA acts as a ‘proxy’, tunnelling IP traffic to CoA
How does the HA proxy work
The CN sends traffic to MN’s home address
- HA needs to ‘intercept’ traffic for the MN to be able to forward it while the MN is absent
Traffic directed to the MN’s HoA will reach the router serving the subnet where the MN’s HA resides
IPv6 uses Neighbour Discovery (ND) to map to/from IP/Ethernet addresses (rather like IPv4 ARP)
The HA provides a proxy ND function for the MN while it is absent (off link)
- HA responds to ND requests (Neighbour Solicitations) from the router for the node’s HoA with its own link-layer address, so the router sends traffic for the MN to the HA instead
Triangular Routing
CN sends IP packets to the MN’s HoA
If the MN is on its home subnet, it receives the traffic normally
If the MN is resident in another network then the HA forwards (tunnels) packets to the MN’s CoA
By default the MN’s replies also go back through the HA-MN tunnel (reverse tunnelling), so traffic in both directions takes the indirect ‘triangular’ route via the HA
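Worked example, added here and not part of the original flashcards, of the HA forwarding described on the last three cards: a toy home agent with a binding cache, the proxy ND decision, IPv6-in-IPv6 encapsulation of a CN packet towards the CoA, the MN decapsulating it, and the reply going back through the reverse tunnel. All addresses, the 60-second binding lifetime and the payloads are constructed documentation values. The BU is assumed to be already authenticated when it reaches `binding_update`; real MIPv6 protects it with IPsec between MN and HA.

```python
import ipaddress
import struct
import time

IPV6_HDR = struct.Struct("!IHBB16s16s")  # ver/tc/flow, payload len, next hdr, hop limit, src, dst
NH_IPV6 = 41   # next-header value for IPv6 encapsulated in IPv6 (RFC 2473)
NH_UDP = 17


def ipv6_packet(src, dst, next_header, payload, hop_limit=64):
    """Minimal IPv6 packet: fixed 40-byte header (no extension headers) plus payload."""
    return IPV6_HDR.pack(0x60000000, len(payload), next_header, hop_limit,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed) + payload


def parse_ipv6(pkt):
    vtf, plen, nh, _hl, src, dst = IPV6_HDR.unpack_from(pkt)
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "next_header": nh, "payload": pkt[IPV6_HDR.size:IPV6_HDR.size + plen]}


class HomeAgent:
    def __init__(self, ha_addr, home_prefix):
        self.addr = ipaddress.IPv6Address(ha_addr)
        self.home_net = ipaddress.IPv6Network(home_prefix)
        self.binding_cache = {}  # HoA -> (CoA, expiry)

    def binding_update(self, hoa, coa, lifetime, now=None):
        """BU from the MN. Assumed already authenticated here; real MIPv6 requires
        IPsec between MN and HA, otherwise anyone could redirect the HoA."""
        hoa, coa = ipaddress.IPv6Address(hoa), ipaddress.IPv6Address(coa)
        if hoa not in self.home_net:
            raise ValueError("HoA is not in this HA's home prefix")
        now = time.monotonic() if now is None else now
        if lifetime == 0:
            self.binding_cache.pop(hoa, None)        # MN back home: deregister
        else:
            self.binding_cache[hoa] = (coa, now + lifetime)
        return {"type": "BUAck", "hoa": hoa, "lifetime": lifetime}

    def current_coa(self, hoa, now=None):
        now = time.monotonic() if now is None else now
        entry = self.binding_cache.get(ipaddress.IPv6Address(hoa))
        if entry is None or entry[1] <= now:
            return None                              # no binding, or it has expired
        return entry[0]

    def defends_address(self, target, now=None):
        """Proxy ND: while the MN is away the HA answers Neighbour Solicitations
        for its HoA, so the home-link router hands the MN's packets to the HA."""
        return self.current_coa(target, now) is not None

    def forward(self, pkt, now=None):
        """A packet for a HoA has arrived on the home link."""
        coa = self.current_coa(parse_ipv6(pkt)["dst"], now)
        if coa is None:
            return "deliver_on_link", pkt            # MN at home: normal delivery
        # MN away: IPv6-in-IPv6 tunnel, outer src = HA, outer dst = CoA
        return "tunnel", ipv6_packet(self.addr, coa, NH_IPV6, pkt)

    def receive_reverse_tunnel(self, tunnel_pkt):
        """MN's reply came back through the tunnel; strip the outer header and
        route the inner packet (src = HoA) on towards the CN."""
        outer = parse_ipv6(tunnel_pkt)
        if outer["dst"] != self.addr or outer["next_header"] != NH_IPV6:
            raise ValueError("not a tunnel packet for this HA")
        inner = parse_ipv6(outer["payload"])
        if inner["src"] not in self.home_net:
            raise ValueError("inner source is not one of our home addresses")
        return outer["payload"]


def mn_decapsulate(tunnel_pkt, coa):
    """MN side: accept only tunnel packets addressed to our CoA."""
    outer = parse_ipv6(tunnel_pkt)
    if outer["dst"] != ipaddress.IPv6Address(coa) or outer["next_header"] != NH_IPV6:
        raise ValueError("not a tunnel packet for this CoA")
    return outer["payload"]


def mn_reverse_tunnel(reply_pkt, coa, ha_addr):
    """MN side: send the reply (src = HoA) back inside the tunnel to the HA."""
    return ipv6_packet(coa, ha_addr, NH_IPV6, reply_pkt)


if __name__ == "__main__":
    # Constructed documentation addresses: HA on 2001:db8:1::/64, MN visiting 2001:db8:2::/64
    ha = HomeAgent("2001:db8:1::1", "2001:db8:1::/64")
    HOA, COA, CN = "2001:db8:1::100", "2001:db8:2::abcd", "2001:db8:c::1"
    ha.binding_update(HOA, COA, lifetime=60)
    kind, tunnelled = ha.forward(ipv6_packet(CN, HOA, NH_UDP, b"hello"))
    print(kind, parse_ipv6(tunnelled)["dst"], "->", parse_ipv6(mn_decapsulate(tunnelled, COA))["dst"])
```

The check in `receive_reverse_tunnel` that the inner source is a home address matters in practice: without it the HA becomes an open relay that lets any tunnel sender inject packets into the home network with an arbitrary source.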
Route optimisation
MN can also send a BU directly to the CN
- only if the CN supports MIPv6 (not just plain IPv6)
- thus CN can learn and exchange IPv6 traffic with the CoA directly, with no routing via the HA
This removes the triangular routing, improving efficiency
Very useful when two mobile nodes are visiting the same local subnet
- eg in the same (remote) conference venue/room
The problem with the BU, whether sent to the HA or to the CN, is how to secure it: an attacker who can inject a BU can redirect the MN’s traffic to an address of their choice (session hijacking)
MIPv6 Security
Main issue is trusting the BU message
- from MN to HA
- from MN to CN
MN to HA
- use IPsec - a security association can be pre-configured because both systems are under the same administrative control and can trust each other; MIPv6 mandates IPsec ESP for the BU/BUA exchange between MN and HA
MN to CN
- usually an ad-hoc relationship - no prior trust
- uses the Return Routability Test (RRT) - the CN checks that the MN is reachable both at its HoA (via the HA) and at its CoA (directly), by sending a separate ‘secret’ token along each path; only a node that receives both tokens can build a valid BU
IPsec
Protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session. Includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.
Can be used for protecting data flows:
- host-to-host
- network-to-network
- security gateway-to-host (network-to-host)
Supports:
- network-level peer authentication
- data origin authentication
- data integrity
- data confidentiality (encryption)
- replay protection
End-to-end security scheme in the Internet layer
Return Routability Test
Procedure designed to allow a CN to check whether the MN is really reachable at its CoA as well as at its HoA (via the HA), without any prior trust relationship.
Only when both checks succeed does the CN accept the BU and allow route optimisation
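Worked example, added here and not part of the original flashcards, of the RRT exchange as constructed in RFC 6275: HoTI/CoTI from the MN, HoT/CoT from the CN carrying keygen tokens, Kbm = SHA1(home token | care-of token), and a BU authenticated by HMAC-SHA1 under Kbm. Messages are simplified to Python dicts and the addresses are constructed documentation values; message sequencing and nonce rotation are left out. The last function shows why an attacker who only controls the care-of path cannot forge a BU.

```python
import hashlib
import hmac
import ipaddress
import secrets


def first(bits, data):
    """First(bits, data) as used in RFC 6275."""
    return data[: bits // 8]


class CorrespondentNode:
    """CN side. It keeps only a secret node key Kcn and a list of nonces, so it
    needs no per-MN state (and no prior trust) before a BU has been verified."""

    def __init__(self, addr):
        self.addr = ipaddress.IPv6Address(addr)
        self.kcn = secrets.token_bytes(20)      # node key, never leaves the CN
        self.nonces = [secrets.token_bytes(8)]  # index 0; rotated periodically in practice
        self.binding_cache = {}

    def _keygen_token(self, address, nonce_index, kind):
        # home keygen token uses kind 0, care-of keygen token uses kind 1
        msg = address.packed + self.nonces[nonce_index] + bytes([kind])
        return first(64, hmac.new(self.kcn, msg, hashlib.sha1).digest())

    def home_test(self, hoti):
        """HoTI reached the CN via the HA tunnel with source = HoA; the HoT goes back the same way."""
        idx = len(self.nonces) - 1
        return {"type": "HoT", "cookie": hoti["cookie"], "nonce_index": idx,
                "token": self._keygen_token(hoti["src"], idx, 0)}

    def careof_test(self, coti):
        """CoTI came directly from the CoA; the CoT goes straight back to it."""
        idx = len(self.nonces) - 1
        return {"type": "CoT", "cookie": coti["cookie"], "nonce_index": idx,
                "token": self._keygen_token(coti["src"], idx, 1)}

    def binding_update(self, bu):
        """Recompute both tokens from the nonce indices, derive Kbm, check the MAC."""
        home_tok = self._keygen_token(bu["hoa"], bu["home_nonce_index"], 0)
        co_tok = self._keygen_token(bu["coa"], bu["careof_nonce_index"], 1)
        kbm = hashlib.sha1(home_tok + co_tok).digest()
        msg = bu["coa"].packed + self.addr.packed + bu["data"]
        expected = first(96, hmac.new(kbm, msg, hashlib.sha1).digest())
        if not hmac.compare_digest(expected, bu["auth"]):
            return False
        self.binding_cache[bu["hoa"]] = bu["coa"]
        return True


class MobileNode:
    def __init__(self, hoa, coa):
        self.hoa, self.coa = ipaddress.IPv6Address(hoa), ipaddress.IPv6Address(coa)
        self.seq = 0

    def init_messages(self):
        self.home_cookie, self.careof_cookie = secrets.token_bytes(8), secrets.token_bytes(8)
        hoti = {"type": "HoTI", "src": self.hoa, "cookie": self.home_cookie}    # sent via HA
        coti = {"type": "CoTI", "src": self.coa, "cookie": self.careof_cookie}  # sent direct
        return hoti, coti

    def build_bu(self, hot, cot, cn_addr, lifetime=420):
        if hot["cookie"] != self.home_cookie or cot["cookie"] != self.careof_cookie:
            raise ValueError("cookie mismatch: reply does not belong to our test")
        kbm = hashlib.sha1(hot["token"] + cot["token"]).digest()
        self.seq += 1
        data = self.seq.to_bytes(2, "big") + lifetime.to_bytes(2, "big")
        auth = first(96, hmac.new(kbm, self.coa.packed + cn_addr.packed + data, hashlib.sha1).digest())
        return {"type": "BU", "hoa": self.hoa, "coa": self.coa,
                "home_nonce_index": hot["nonce_index"], "careof_nonce_index": cot["nonce_index"],
                "data": data, "auth": auth}


def run_rrt(mn, cn):
    """Full exchange; returns whether the CN accepted the BU."""
    hoti, coti = mn.init_messages()
    hot = cn.home_test(hoti)     # HoT travels CN -> HA -> tunnel -> MN
    cot = cn.careof_test(coti)   # CoT travels CN -> MN's CoA directly
    return cn.binding_update(mn.build_bu(hot, cot, cn.addr))


def forge_from_careof_path(cn, victim_hoa, attacker_coa):
    """Attacker can get a CoT for an address they control, but the HoT for the
    victim's HoA is delivered through the victim's HA, so the home token is unknown."""
    attacker = MobileNode(victim_hoa, attacker_coa)
    _hoti, coti = attacker.init_messages()
    cot = cn.careof_test(coti)
    guessed_hot = {"cookie": attacker.home_cookie, "nonce_index": cot["nonce_index"], "token": bytes(8)}
    return cn.binding_update(attacker.build_bu(guessed_hot, cot, cn.addr))
```

The test only proves that whoever sent the BU was able to receive on both paths at that moment; an attacker sitting on the path between HA and CN (or between CN and CoA) at the time of the exchange sees both tokens and is not stopped, which is why RRT is weaker than the IPsec-protected MN-HA binding.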
Summary MIPv6
Two important functions
- support for session continuity when devices/nodes roam
- addressability by a fixed (home) IP address wherever a node is
MIPv6 model has core components, addresses and messages:
- HA, MN, CN; HoA, CoA; BU, BUA
Biggest threat to BU is BU spoofing
MN -> HA - mitigated by IPsec
MN -> CN - mitigated by RRT
Currently not widely used; more interest now in mobile networks, i.e. whole subnets that move (network mobility)