Mobile IP
Petr Grygárek
Basic principle
(Picture from IOS IP and IP Routing Configuration Guide)
- The mobile node keeps the same IP address even while roaming in foreign networks, even though its address does not match the address prefix of the foreign network
Mobile IP usage and advantages
- The user can move between subnets without having to set the IP address and subnet mask to match each subnet
- The user can act as a server (with a constant IP address registered in DNS)
- Sessions are maintained while roaming
  - IP telephony calls are not interrupted
  - TCP connections are not broken
- Because the user keeps the same IP address, the same traffic filtering rules (ACLs) apply regardless of the current subnet
- A roaming user can access resources on the home network as if he/she were there
  - Packets from the roaming node can reach the home network even with TTL=1
Mobile IP implementation
(Figure: tunnel between home and foreign network; visitors table at the foreign agent, bindings table at the home agent)
- Uses tunneling and triangular routing
- Only selected routers of the home/remote network and the mobile devices need a software upgrade
Mobile IP components (1)
- Mobile node (MN)
  - Notebook, PDA, intelligent mobile phone
  - Keeps the same home IP address
  - Requires operating system support
- Home agent (HA)
  - Agent running on a router in the home network
  - Redirects (tunnels) packets for the mobile node to the foreign agent of the network the mobile node is roaming in, or to the MN directly
- Foreign agent (FA)
  - Agent running on a router in a foreign network that supports MN roaming
  - Accepts packets tunneled for the MN by the HA and forwards them directly to the MN
  - Lends one of its interface addresses as the care-of address (CoA) for MNs currently roaming in its network
  - The CoA is the endpoint of the tunnel from the HA to the MN
Mobile IP components (2)
- Correspondent node (CN)
  - A node somewhere on the Internet which sends packets to the MN
  - Knows nothing about Mobile IP
  - (The CN may also be mobile)
Bindings table
- Maintained on the home agent
- Maps addresses of mobile nodes to the addresses where they can currently be reached (care-of addresses)
  - Commonly addresses of foreign agents
- Additional parameters may also be maintained for every MN
  - Tunneling encapsulation
  - Broadcast forwarding support setting
  - Registration lifetime
Visitor table
- Maintained at the foreign agent; lists the visitors correctly registered in the foreign network
- Contains the connections between tunnel endpoints and MN addresses
Care-of address types
- FA care-of address
  - Obtained from the FA (agent advertisement)
  - Address of some FA interface
  - The tunnel from the HA ends at the FA
- Collocated care-of address
  - Placed on the MN network interface
  - The MN operating system must support multiple addresses on a network interface
  - Assigned by the foreign network DHCP server or manually (public addresses)
- Most commonly, the FA CoA is used because it does not require the OS to support multiple addresses on a network interface
Mobile IP functionality mechanisms
- Agent discovery
  - Discovery of the HA/FA
  - Allows the MN to determine whether it is on the home network or a foreign network
- Registration
  - Registration of the MN with the HA when roaming in a foreign network
  - Deregistration after return to the home network
  - Registration of the MN with the foreign agent of the particular foreign network
    - The FA commonly acts as a proxy forwarding the MN's registration requests to the HA
- Routing
  - The HA forwards packets for registered MNs to their care-of addresses (triangular routing)
  - The FA optionally forwards packets from the MN to the correspondent node using a reverse tunnel to the HA
    - The HA forwards them to the CN as if the packets originated in the home network
    - Used to avoid source address validity check failures
Agent Discovery
ICMP Router Discovery Protocol (IRDP)
- Defined in RFC 1256
- Enables a host to determine the address of a router that it can use as a default gateway
- Router advertisement
  - Periodic multicast (224.0.0.1, all systems)
  - Default advertisement period about 10 minutes with some variance; timers may be changed
  - May carry additional flags announcing HA/FA presence and capabilities (Mobility Agent Advertisement extensions)
- Router solicitation
  - Multicast sent by a host to ask for immediate router advertisement(s) (224.0.0.2, all routers)
  - IP TTL = 1
- Extensible using TLV (Type-Length-Value) options
Mobility Agent Advertisement extensions
- Home/foreign agent functionality indication
- Prefix length: allows the MN to determine whether the agent it heard before and the agent it hears now are on the same network (i.e. whether the MN has moved)
  - FA: used together with the advertised router IP address
- Registration required (even if using a collocated CoA)
- Busy: the maximum number of visitors has been reached
- Reverse tunnelling support
- Care-of address
- HA & FA: tunneling encapsulation supported
- The longest registration lifetime that the agent is willing to accept
Registrations
Purpose of MN registration
- The MN requests forwarding services of the HA when visiting a foreign network
- The MN informs the home agent of its current care-of address
- Renewal of the registration before expiration indicates that the MN is still in the foreign network
- Deregistration informs the HA that the MN has returned to the home network
Registration lifetime
- Registration time is limited; the registration is automatically deleted after the lifetime expires
  - Protects against MN failures and improper MN behavior
- Mobile IP assumes that an MN changes (foreign) networks no more often than once per second
When does the MN register/deregister?
- After arrival in a foreign network
  - Registration with the HA
  - Optional registration with the FA
  - Registration refresh before the registration lifetime expires is needed
- After return to the home network
  - Deregistration with the HA
- No explicit deregistration with the FA is needed when leaving a foreign network (it expires automatically)
How does the MN detect movement?
- The lifetime of the previous IRDP router advertisement message expired and nothing has been heard from that router since then
- The network number of the routers advertised by IRDP changed
  - Requires the prefix length extension to be sent in the IRDP router advertisement
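Added example (not part of the original slides): a parser for the IRDP router advertisement with the Mobility Agent Advertisement Extension and the Prefix-Lengths Extension described on the agent discovery slides, plus the second movement-detection rule above (the advertised router's network changed). Field layouts follow RFC 1256 and RFC 3344; the sample advertisements are constructed for the example and the ICMP checksum is not verified.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Flag bits of the Mobility Agent Advertisement Extension, MSB first (RFC 3344 section 2.1.1)
FLAG_NAMES = ["R", "B", "H", "F", "M", "G", "r", "T"]

def parse_agent_advertisement(pkt: bytes) -> dict:
    """Parse an ICMP Router Advertisement (RFC 1256) and the Mobile IP extensions
    that may follow it. Constructed for this example; the ICMP checksum is not verified."""
    typ, code, _csum, naddrs, entry_size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != 9 or code != 0 or entry_size != 2:
        raise ValueError("not an ICMP Router Advertisement")
    adv = {"routers": [], "lifetime": lifetime, "flags": set(),
           "reg_lifetime": None, "care_of": [], "prefix_lengths": []}
    off = 8
    for _ in range(naddrs):                      # router address + preference entries
        addr, pref = struct.unpack("!4si", pkt[off:off + 8])
        adv["routers"].append((IPv4Address(addr), pref))
        off += 8
    while off + 2 <= len(pkt):                   # TLV extensions follow the IRDP body
        etype, elen = pkt[off], pkt[off + 1]
        body = pkt[off + 2:off + 2 + elen]
        if etype == 16:                          # Mobility Agent Advertisement Extension
            _seq, adv["reg_lifetime"], fbyte = struct.unpack("!HHB", body[:5])
            adv["flags"] = {n for i, n in enumerate(FLAG_NAMES) if fbyte & (0x80 >> i)}
            adv["care_of"] = [IPv4Address(body[i:i + 4]) for i in range(6, elen, 4)]
        elif etype == 19:                        # Prefix-Lengths Extension: one byte per router
            adv["prefix_lengths"] = list(body)
        off += 2 + elen
    return adv

def mobile_node_moved(prev: dict, cur: dict) -> bool:
    """Movement rule from the slides: the network of the router heard before differs
    from the network of the router heard now (needs the Prefix-Lengths Extension)."""
    if not prev["prefix_lengths"] or not cur["prefix_lengths"]:
        return False                             # undecidable without prefix lengths
    old = IPv4Network((prev["routers"][0][0], prev["prefix_lengths"][0]), strict=False)
    new = IPv4Network((cur["routers"][0][0], cur["prefix_lengths"][0]), strict=False)
    return old != new

def build_sample(router: str, prefix_len: int, flags: int, coa: str) -> bytes:
    """Constructed advertisement: one router entry, one care-of address, one prefix length."""
    irdp = struct.pack("!BBHBBH", 9, 0, 0, 1, 2, 1800) + IPv4Address(router).packed + struct.pack("!i", 0)
    mob = struct.pack("!BBHHBB", 16, 10, 7, 600, flags, 0) + IPv4Address(coa).packed
    return irdp + mob + bytes([19, 1, prefix_len])
```

The flag set also exposes the Busy (B) and Registration-required (R) bits, so the same parser can be used to check what a foreign agent on a given segment is announcing.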
Registration option: MN-HA
- Directly from the MN to the HA
- Only if the MN uses a co-located address
Registration option: MN-FA-HA
- The FA may act as a proxy
- The FA may force the MN to send the registration via itself by setting the appropriate flag in the FA IRDP advertisement
- Decreases the number of tunnels required from the HA: a single tunnel may be used by multiple MNs
- Foreign network routers deny direct registration requests
  - Allows sites to enforce policies (e.g. accounting)
- Advantages:
  - The FA knows the current visitors (visitors table), may check visitor identity (IP address) and optionally enforce visitor authentication
  - The FA may limit the number of visitors connected simultaneously
    - Busy bit set in the FA advertisement if the maximum number of visitors is reached
  - The FA may impose an ACL on the home agents whose visitors are allowed to register with the FA
Registration protocol
- Uses UDP
- Request
  - Destination port: 434
  - Source port: dynamic
- Reply
  - Destination port: copies the source port of the corresponding request
  - Source port: dynamic
Registration request
- Type: registration request
- MN home address, home agent address, care-of address
- Lifetime (requested); 0xffff = infinity
- Identification: used to match requests with replies
- Flags:
  - Simultaneous binding (retain prior bindings)
  - Broadcast datagrams (the HA tunnels broadcasts it receives for the home network to the MN)
  - Decapsulation by the mobile node (not by the FA; used with a collocated CoA)
  - Encapsulation type: IP over IP, minimal encapsulation, GRE
  - Reverse tunneling requested
- Extensions
  - Authentication data, ...
- Deregistration is accomplished by a registration request with lifetime = 0
  - Deregistration with the FA is not needed (expires automatically)
Registration reply
- Type: registration reply
- MN home address (may be used to pass an IP address to the MN)
- Home agent address
- Lifetime (granted)
- Identification: used to match requests with replies
- Code: registration processing status (accepted / error code)
- Extensions
  - Authentication data, ...
Optional capabilities of the registration process
- Discovery of the MN's home address and the address of the HA, if the mobile node is not configured with them
  - The MN identifies itself by authentication data
- Maintaining multiple simultaneous registrations
  - Used for handover when moving between networks
  - A copy of each datagram is tunneled to each active care-of address
  - Possible to deregister specific care-of addresses while retaining other mobility bindings
Mobile IP routing
HA to CoA
- From the HA to the FA
  - Tunnel endpoint: the care-of address is some address of an FA interface
- From the HA directly to the MN
  - The care-of address is a secondary address of the MN (co-located care-of address)
  - The operating system must support it
- A single tunnel to the HA may be shared by multiple nodes on the same foreign network
HA to FA tunneling
(Picture from Raj Jain, Ohio State University)
Tunneling encapsulation options
- Must match on both tunnel endpoints
- IP within IP
- Minimal encapsulation within IP
  - Saves header space by omitting support for IP fragmentation
- Generic Routing Encapsulation (GRE), RFC 1701
  - Originally by Cisco, commonly used to tunnel routing updates
- Various Mobile IP implementations support various subsets of the encapsulations
  - The particular encapsulation is negotiated in registration requests
- Tunnel MTU discovery + periodic rediscovery
- Special handling of ICMP messages (they need to be forwarded from the encapsulator to the original packet source (MN))
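Added example (not from the original slides): the first of the three options, IP within IP (RFC 2003), as used between the HA and the care-of address. The encapsulator prepends an outer IPv4 header addressed to the tunnel endpoint and the decapsulator strips it after checking the outer header; the inner packet, including its TTL, is carried unchanged, which is why a TTL=1 packet from a roaming node can still reach the home network. Addresses and the payload are constructed sample values; minimal encapsulation and GRE are not shown.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4          # RFC 2003: value of the outer header's Protocol field

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a header; over a correct header it yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Encapsulator side (HA for the forward tunnel, FA or MN for the reverse tunnel):
    prepend an outer header addressed to the tunnel endpoint; the inner packet is untouched."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(pkt: bytes, my_addr: str) -> bytes:
    """Decapsulator side (FA with an FA care-of address, or the MN with a co-located CoA).
    Returns the inner packet, or raises ValueError when the outer header is not an
    IP-in-IP packet addressed to this tunnel endpoint."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    outer = pkt[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer checksum")
    total_len, proto = struct.unpack("!H", outer[2:4])[0], outer[9]
    if proto != IPPROTO_IPIP or IPv4Address(outer[16:20]) != IPv4Address(my_addr):
        raise ValueError("not an IP-in-IP packet for this tunnel endpoint")
    inner = pkt[ihl:total_len]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return inner
```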
Dynamic tunnel creation on the HA (Cisco IOS)
- Tunnel interface created after successful MN registration
- Creates a host route for the roaming MN pointing to the tunnel interface
- Sends a gratuitous ARP on the home network announcing the binding of the MN IP address to the router's MAC address, and responds with its MAC address to ARP requests for the MN IP address from the MN home network
- Routes packets for the MN coming from the home network or another interface via the appropriate tunnel interface to the MN in the foreign network
- Accepts reverse-tunnelled packets from the MN on the foreign network and routes them normally, as if they came from the home network
Dynamic tunnel creation on the FA (Cisco IOS)
- Tunnel interface created after a successful registration reply is received from the HA
- Creates a host route for the roaming MN pointing to the interface where the MN currently resides
- A static ARP entry is created for the MN (home) IP address so that it can be reached even on a foreign network whose prefix differs from the MN's home address prefix
  - The ARP entry contains the MAC address and the interface name
- The presence of the MN on the foreign network is periodically tested by ARP requests
  - The host route and the static ARP record are removed if the MN disappears from the foreign network
Default gateway for the MN on a foreign network
- The FA acts as the default gateway for all MNs in the foreign network
- The MN obtains its MAC address from the IRDP agent advertisement
Reverse tunnel
- Optional feature
- Packets from the MN to the CN are first tunneled to the home network and then forwarded to the CN address
  - Normally, they are sent directly from the foreign network to the CN
- Avoids asymmetric traffic flow (better for some QoS-sensitive applications)
- The MN may request reverse tunneling in registration requests
- The FA advertises its capability to provide reverse tunneling in IRDP
- The reverse tunnel uses the same encapsulation as the forward tunnel
Reverse tunnel advantages
- Needed to pass the source interface check if performed by intermediate routers
- Needed for multicast (correct creation of the multicast tree)
- Needed when the MN communicates with peers on its home network with TTL set to 1
Mobile IP security
Authentication in Mobile IP
- Mobile-Home Authentication Extension (required)
  - If not authenticated, anyone could redirect the traffic for any MN to itself
  - Registration/deregistration of the MN at the home agent and the replies are authenticated
- Mobile-Foreign Authentication Extension (optional)
  - Registration/deregistration of the MN at the foreign agent and the replies are authenticated
- Foreign-Home Authentication Extension (optional)
  - Authentication of the FA at the HA when forwarding registration requests from the MN to the HA (replies also authenticated)
Authentication method
- Both sides use a shared key; a hash is calculated from the message + shared key and appended to the message
- Messages carry a security parameter index (SPI) + authentication data (MD5 hash)
- Keys are configured manually at individual MNs
- The HA and FA may have keys for all MNs configured manually, or consult an authentication server maintaining keys for all MNs when there is a need to calculate or verify authentication data
- An optional timestamp in registration messages protects against replay attacks (requires time synchronization between the mobility agents and the MN's OS with reasonable precision)
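Added example (not from the original slides) tying the registration request format to the Mobile-Home Authentication Extension and the timestamp replay check on this slide. It assumes RFC 3344's default keyed hash, HMAC-MD5 over the request and the extension's type, length and SPI (the slide only says "MD5 hash of message + shared key"), the standard 64-bit NTP-style identification field, and a 7-second clock tolerance on the HA; the shared key, SPI and addresses are constructed sample values.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

MH_AUTH_EXT = 32          # Mobile-Home Authentication Extension type (RFC 3344)
REPLAY_WINDOW = 7         # seconds of clock skew the HA tolerates (assumed; RFC 3344 suggests 7)

def ntp_timestamp(now: float) -> int:
    """64-bit NTP-style Identification: seconds since 1900 in the high word, fraction low."""
    secs = int(now) + 2208988800
    frac = int((now - int(now)) * (1 << 32))
    return (secs << 32) | frac

def build_registration_request(home, ha, coa, lifetime, ident, spi, key) -> bytes:
    """MN side: Registration Request (type 1, 24 bytes) followed by the Mobile-Home
    Authentication Extension. The authenticator covers the request plus type/length/SPI."""
    flags = 0x04          # G bit: GRE encapsulation requested (constructed sample flag)
    req = struct.pack("!BBH4s4s4sQ", 1, flags, lifetime, IPv4Address(home).packed,
                      IPv4Address(ha).packed, IPv4Address(coa).packed, ident)
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT, 4 + 16, spi)   # length = SPI + 16-byte MAC
    auth = hmac.new(key, req + ext_hdr, hashlib.md5).digest()
    return req + ext_hdr + auth

def verify_at_home_agent(pkt, keys_by_spi, now, last_ident=None) -> tuple:
    """HA side: look up the key by SPI, verify the authenticator, then apply the
    timestamp replay check. Returns (accepted, reason)."""
    if len(pkt) < 24 + 6 + 16 or pkt[0] != 1:
        return False, "malformed"
    req, ext_hdr, auth = pkt[:24], pkt[24:30], pkt[30:46]
    etype, elen, spi = struct.unpack("!BBI", ext_hdr)
    if etype != MH_AUTH_EXT or elen != 20:
        return False, "missing MH auth extension"   # without it, anyone could rebind the MN
    key = keys_by_spi.get(spi)
    if key is None:
        return False, "unknown SPI"
    expected = hmac.new(key, req + ext_hdr, hashlib.md5).digest()
    if not hmac.compare_digest(expected, auth):
        return False, "bad authenticator"           # any change to addresses or lifetime fails here
    ident = struct.unpack("!Q", req[16:24])[0]
    if last_ident is not None and ident <= last_ident:
        return False, "replay"                      # identification must increase per MN
    sent = (ident >> 32) - 2208988800
    if abs(sent - now) > REPLAY_WINDOW:
        return False, "timestamp outside window"    # stale or badly synchronized clock
    return True, "accepted"
```

The authenticator is computed before the FA-related extensions would be appended, so a foreign agent relaying the request cannot alter the home address, care-of address or lifetime without the HA rejecting it.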
Mobility agent redundancy
- HA: multiple HAs must share the binding table (stateful failover)
- FA: the MN can re-register using another FA if the previously used FA fails
Mobile IP standards
Mobile IP in IPv4 and IPv6
- IPv4: optional support
  - RFC 3344: IP Mobility Support for IPv4
  - RFC 2344: Reverse Tunneling for Mobile IP (optional)
  - RFC 2003: IP Encapsulation within IP
  - RFC 2004: Minimal Encapsulation within IP
- IPv6: built in
  - Utilizes IPv6 authentication support
Mobile IP in IPv6
- The same principle as for IPv4
- Mobile IPv6 uses the IPv6 routing header instead of tunnels
  - A reverse tunnel is not needed to pass the incoming interface check at intermediate routers
- The MN can also signal its care-of address to the correspondent node so that the correspondent node may send (encapsulated) packets directly to the MN
  - Avoids triangular routing even in the direction from the CN to the MN
Mobile IP special features
Non-homed MNs
- Non-homed MNs = MNs that are always roaming (homeless)
- Some router is chosen to act as the HA for non-homed MNs
- A virtual network serving as the home network for non-homed MNs is configured on that HA
  - The virtual network has to be advertised into the routing protocol
Proxy mobile agent
- Implemented in some types of WiFi APs (e.g. Cisco Aironet)
- Allows roaming for nodes without Mobile IP support
- Mobile IP client functionality is implemented in the AP for all addresses of wireless clients
  - The AP obtains a CoA for wireless clients unaware of Mobile IP
  - The AP intercepts all packets from the visiting client and sends them to the foreign agent
Proxy mobile agent (Cisco): basic principle
- Uses an Authoritative AP (AAP) supporting the Mobile IP proxy
  - Located somewhere in the network; the other APs have the IP address of the AAP configured
  - Maintains a subnet map of home-subnet to HA address mappings
- When a visiting client associates to an AP, the access point compares the client's IP address with that of its own IP network and detects that the client is a visitor from another network
- For a visiting client, the AP registers with the HA on behalf of the visiting client
  - The AP finds the HA of the visiting client by looking it up in the subnet map table stored at the AAP
Proxy mobile agent (Cisco): subnet map creation
- An AP obtains its own home agent information using the agent discovery mechanism and sends this information to the AAP
- The AAP adds the new access point to its list of access points and the home agent information to its subnet map table
- The AAP then updates all the other access points with this additional piece of information
  - Each AP maintains its own copy of the subnet map
Proxy mobile agent (Cisco): AAP redundancy
- Up to three AAPs can be designated
- The AAPs compare their subnet map tables periodically to make sure they have the same subnet map table
- If an access point fails to reach the first AAP, it tries the next configured AAP
Proxy mobile agent (Cisco): registration security associations
- The AP is configured with the mobility security association (shared key) of all potential visiting clients with their corresponding home agents (in AP memory or using RADIUS)
- The AP sends the registration request on behalf of the visiting client to the visiting client's home agent through the foreign agent
  - The FA relays it to the HA
- The access point re-registers on behalf of the visiting client before its registration lifetime expires
- Access points participating in proxy Mobile IP should be configured with gateway addresses to communicate with the FA/HA
  - Otherwise, the AP can be a pure L2 device
Mobile IP configuration
Home agent configuration
- Global Mobile IP activation
- HA functionality activation
- Optional creation of virtual network(s) if the HA supports non-homed MNs
- Specification of the nodes allowed to roam, by IP addresses or by interface (or virtual network)
- ACL specifying the foreign networks (CoAs of their FAs) where MNs are allowed to roam
- Authentication information for individual MNs, or the authentication server which provides it
- Authentication information for supported FAs (optional)
- Enable IRDP on home network interfaces and possibly adjust timers
- Set the correct router time and specify the allowed time variance to deny replay attacks
Foreign agent configuration
- Global Mobile IP activation
- FA functionality activation
- FA activation on interfaces supporting roaming
- Care-of address to propagate in IRDP advertisements
- Authentication information for individual visiting MNs (optional)
- Authentication information for HAs (optional)
- Specification of the home networks (HAs) whose visiting nodes are allowed to register: ACL (optional)
- Enable IRDP on foreign network interfaces and possibly adjust timers
Mobile node configuration
- IPv4 Mobile IP client implementations for various platforms: http://www.mip4.org/2004/implementations/
  - Commercial or GPL-style
- Configuration:
  - Security association
  - MN home address, home agent address
    - If not configured, the MN may obtain its home address from the registration reply
    - The HA gives an IP address based on the authentication key used