Mobile Networks, Module E: Mobile Network Layer
J.-P. Hubaux, N. Vratonjic, M. Poturalski, I. Bilogrevic
http://mobnet.epfl.ch
Some slides adapted from Jochen H. Schiller (www.jochenschiller.de)

Enablers of IP mobility
- Mobile end systems: laptops, PDAs, smart-phones, ...
- Wireless technologies: wireless LANs (IEEE 802.11), Bluetooth (www.bluetooth.com)
- Improved batteries (longer lifetime)

Problem with IP mobility
[Figure: a host talking to mail.epfl.ch moves from one WLAN 802.11 cell, where it has address IP1, to another, where it gets address IP2]
- A new IP address is assigned via DHCP in the new subnet
- A new TCP connection has to be established; the old connection is broken

IP mobility and cellular networks
[Figure: a 2G GSM network with GPRS (or EDGE or UMTS) access (BTS, BSC, SGSN, GGSN, core network) assigns the IP address IP1, tunnels the IP packets over the GPRS link and is always in the path, so IP1 survives movement inside the cellular network; moving to a WLAN 802.11 access still means a new IP address IP2 assigned via DHCP]
- Possible solution: Generic Access Network (GAN), a.k.a. Unlicensed Mobile Access (UMA)

TCP/IP was not designed for mobility
- A change of IP address means disconnection of the application
- TCP interprets dropped packets (channel errors, disconnections) as congestion; more on this issue in Module F
- These limitations are due to a fundamental design problem: the IP address (network layer) has a dual role
  - Network locator (topological point of attachment) for routing purposes
  - Host identifier (unique for a host and its TCP/IP stack)

Routing in the Internet
- Routing is based on the destination IP address
- The network prefix (e.g. 129.13.42) determines the physical subnet
- A change of physical subnet implies a change of IP address (standard IP)
- The new IP address needs to be topologically correct (belong to the new subnet) to be routable
- Changing the IP address according to the current location: DHCP provides plug-and-play address update, but with a number of drawbacks:
  - Almost impossible to locate a mobile system; long delays for DNS updates
  - TCP connections break
  - Security problems

Update routing tables?
- Quick "solution": keep the IP address constant and update routing tables to forward packets to the right location
- Not feasible:
  - Does not scale with the number of mobile hosts and frequent changes in location
  - Routers are designed for fast forwarding, not fast updates
  - Routers have limited memory (cannot store a separate entry for every mobile host)
  - Route updates consume network throughput
  - Security problems

Two main solutions
- Mobile IP: supports mobility transparently to TCP and applications, relying on existing protocols
- Host Identity Protocol (HIP): a new layer between the IP and transport layers, i.e. an architectural change to the TCP/IP structure

Mobile IP

Requirements for Mobile IP
- Transparency
  - Mobile end-systems (hosts) keep their IP address
  - Communication is maintained in spite of link breakage
  - The point of connection to the fixed network can change
- Compatibility
  - Support the same layer 2 protocols as IP
  - No changes to current end-systems and routers
  - Mobile end-systems can communicate with fixed systems
- Security
  - Authentication of all registration messages
- Efficiency and scalability
  - Only few additional messages to the mobile system (the connection may be over a low-bandwidth radio link)
  - World-wide support of a large number of mobile systems

Terminology
- Mobile Node (MN): entity (node) that can change its point of connection to the network without changing its IP address
- Home Agent (HA): entity in the home network of the MN, typically a router; registers the location of the MN, encapsulates IP packets and tunnels them to the COA
- Foreign Agent (FA): system in the current foreign network of the MN, typically a router; decapsulates the tunneled packets and forwards them to the MN
- Care-of Address (COA): address of the current tunnel end-point for the MN, i.e. the actual location of the MN from an IP point of view; either
  - a Foreign Agent COA, or
  - a co-located COA (no FA, the MN performs the decapsulation itself), typically acquired via DHCP
- Correspondent Node (CN): communication partner

Data transfer to the mobile node
[Figure: CN (sender) in the Internet, HA in the home network, FA and MN (receiver) in the foreign network; steps 1-3 as below]
1. The sender sends to the IP address of the MN; the HA intercepts the packet (proxy ARP)
2. The HA tunnels the packet to the COA, here the FA, by encapsulation
3. The FA forwards the packet to the MN

Data transfer with co-located COA
[Figure: CN (sender) in the Internet, HA in the home network, MN (receiver) with a co-located COA in the foreign network]
1. The sender sends to the IP address of the MN; the HA intercepts the packet (proxy ARP)
2. The HA tunnels the packet to the co-located COA (the MN) by encapsulation
3. The MN decapsulates the packet and (internally) delivers it to its home address

Data transfer from the mobile node
[Figure: MN (sender) and FA in the foreign network, HA in the home network, CN (receiver) in the Internet]
4. The sender sends to the IP address of the receiver as usual; the FA works as default router

Mobile IP mechanisms
- Agent discovery: the MN discovers its location (home network or foreign network) and learns a COA
- Registration: the MN securely signals the COA to the HA (via the FA)
- Tunneling: the HA encapsulates IP packets from the CN and sends them to the COA; the FA (or the MN) decapsulates these packets and delivers them to the MN

Agent discovery
- Agent Advertisement
  - HA and FA periodically send advertisement messages into their physical subnets
  - The MN listens to these messages and detects whether it is in the home network or in a foreign network (standard case: home network)
  - The MN reads a COA from the FA advertisement messages
- Agent Solicitation
  - The MN can request an Agent Advertisement message with an Agent Solicitation message
  - Helps decrease the disconnection time
- Simple extension of ICMP Router Discovery (ICMP: Internet Control Message Protocol)
- Other mechanisms can be used to discover the network and the COA (e.g. DHCP)

Agent advertisement
ICMP Router Advertisement (RFC 1256), 32-bit words, bits 0-7 | 8-15 | 16-31:
  type | code | checksum
  #addresses | addr. size | lifetime
  router address 1
  preference level 1
  router address 2
  preference level 2
  ...
Mobility Agent Advertisement Extension appended to it:
  type = 16 | length = 6 + 4 * #COAs | sequence number
  registration lifetime | R B H F M G r T | reserved
  COA 1
  COA 2
  ...
- Flags: R: registration required; B: busy, no more registrations; H: home agent; F: foreign agent; M: minimal encapsulation; G: GRE (Generic Routing Encapsulation); r: = 0, ignored (former Van Jacobson compression); T: FA supports reverse tunneling; reserved: = 0, ignored

Registration
- Mobility binding: home address, COA, registration lifetime
[Figure: 1. the MN sends a Registration request to the FA; 2. the FA relays the Registration request to the HA; 3. if OK, the HA sets up the binding; 4. the HA sends a Registration reply to the FA; 5. the FA relays the Registration reply to the MN]
- Note: with a co-located COA, the MN sends the registration request directly to the HA
- Note: the HA can allow multiple simultaneous mobility bindings; in that case a packet from the CN is forwarded to all active COAs

Mobile IP registration request (UDP message)
  type = 1 | S B D M G r T x | lifetime
  home address
  home agent
  care-of address (COA)
  identification (64 bits)
  extensions ...
- Flags: S: simultaneous bindings; B: broadcast datagrams; D: decapsulation by MN; M: minimal encapsulation; G: GRE encapsulation; r: = 0, ignored; T: reverse tunneling requested; x: = 0, ignored
- identification: generated by the MN, used for matching requests with replies and for preventing replay attacks (must contain a timestamp and/or a nonce)
- extensions: mobile-home authentication extension (mandatory), mobile-foreign authentication extension (optional), foreign-home authentication extension (optional)
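The registration request above, worked through as an added example (this code is not part of the lecture slides): the mobile node encodes an RFC 5944 Registration Request and appends the mandatory Mobile-Home Authentication Extension (HMAC-MD5, the default algorithm, over the request data and the extension's type, length and SPI), and a minimal home agent verifies the authenticator and the timestamp-based Identification before it installs the mobility binding. The key, SPI, addresses and clock-skew tolerance are constructed values; the rule that an accepted Identification must be newer than the previous one is one simple replay policy chosen for this example, not something the RFC mandates.

```python
import hashlib
import hmac
import struct

# Message types and reply codes from RFC 5944 (registration messages travel in UDP, port 434)
REG_REQUEST, REG_REPLY = 1, 3
MH_AUTH_EXT_TYPE = 32                 # Mobile-Home Authentication Extension
CODE_ACCEPTED, CODE_MN_AUTH_FAILED, CODE_ID_MISMATCH = 0, 131, 133
NTP_EPOCH_OFFSET = 2208988800         # seconds from 1900-01-01 to 1970-01-01 (timestamps use NTP time)

# Constructed example values: the MN/HA security association (key, SPI) and the addresses
SPI = 0x100
KEY = b"constructed-mobile-home-key"
HOME_ADDR, HOME_AGENT, COA = "129.13.42.7", "129.13.42.1", "10.0.0.5"
FIXED = "!BBH4s4s4sQ"                 # type, flags, lifetime, home addr, home agent, COA, identification


def ip2bytes(a):
    return bytes(int(x) for x in a.split("."))


def bytes2ip(b):
    return ".".join(str(x) for x in b)


def make_identification(now, low32=0):
    """64-bit Identification: NTP seconds in the high half, an MN-chosen value in the low half."""
    return ((int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32 | (low32 & 0xFFFFFFFF)


def auth_extension(protected):
    """Type 32, Length = 4 (SPI) + 16 (HMAC-MD5 authenticator), SPI, authenticator.
    The authenticator covers the registration data so far plus this extension's type, length and SPI."""
    header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + 16, SPI)
    return header + hmac.new(KEY, protected + header, hashlib.md5).digest()


def build_request(lifetime, identification, flags=0):
    body = struct.pack(FIXED, REG_REQUEST, flags, lifetime, ip2bytes(HOME_ADDR),
                       ip2bytes(HOME_AGENT), ip2bytes(COA), identification)
    return body + auth_extension(body)


class HomeAgent:
    def __init__(self, clock, tolerance=7):
        self.clock = clock            # time source, injected so the example is deterministic
        self.tolerance = tolerance    # accepted clock skew in seconds (constructed value)
        self.bindings = {}            # home address -> (care-of address, lifetime)
        self.last_id = {}             # home address -> last accepted Identification

    def handle_request(self, msg):
        if len(msg) < 24 or msg[0] != REG_REQUEST:
            return None
        _, _, lifetime, home, ha, coa, ident = struct.unpack(FIXED, msg[:24])
        ext = msg[24:]                # the mandatory authentication extension is assumed to come first
        if len(ext) < 22 or ext[0] != MH_AUTH_EXT_TYPE or ext[1] != 20:
            return self.reply(CODE_MN_AUTH_FAILED, home, ha, ident)
        spi = struct.unpack("!I", ext[2:6])[0]
        expected = hmac.new(KEY, msg[:24] + ext[:6], hashlib.md5).digest()
        if spi != SPI or not hmac.compare_digest(expected, ext[6:22]):
            return self.reply(CODE_MN_AUTH_FAILED, home, ha, ident)
        home_ip = bytes2ip(home)
        ts = (ident >> 32) - NTP_EPOCH_OFFSET
        if abs(ts - int(self.clock())) > self.tolerance or ident <= self.last_id.get(home_ip, -1):
            # replay or clock mismatch: the reply carries the HA's own time in the high 32 bits and
            # the request's low 32 bits, so the MN can resynchronise and retry
            resync = make_identification(self.clock()) | (ident & 0xFFFFFFFF)
            return self.reply(CODE_ID_MISMATCH, home, ha, resync)
        self.last_id[home_ip] = ident
        self.bindings[home_ip] = (bytes2ip(coa), lifetime)
        return self.reply(CODE_ACCEPTED, home, ha, ident, lifetime)

    def reply(self, code, home, ha, ident, lifetime=0):
        body = struct.pack("!BBH4s4sQ", REG_REPLY, code, lifetime, home, ha, ident)
        return body + auth_extension(body)   # replies are authenticated the same way


def demo(now=1_700_000_000):
    """Accepted registration, a replayed copy, a copy with a forged COA, then a fresh renewal."""
    ha = HomeAgent(clock=lambda: now)
    req = build_request(300, make_identification(now, low32=0x1234))
    accepted = ha.handle_request(req)[1]
    replayed = ha.handle_request(req)[1]           # same Identification again
    forged = bytearray(req)
    forged[12:16] = ip2bytes("10.9.9.9")           # attacker rewrites the COA; the HMAC no longer matches
    tampered = ha.handle_request(bytes(forged))[1]
    renewed = ha.handle_request(build_request(300, make_identification(now + 1)))[1]
    return accepted, replayed, tampered, renewed, ha.bindings[HOME_ADDR]


if __name__ == "__main__":
    print(demo())   # (0, 133, 131, 0, ('10.0.0.5', 300))
```

The authenticator is what makes the binding trustworthy: without it anyone who can reach UDP port 434 on the HA could redirect a mobile node's traffic to a care-of address of their choosing. The Identification check is what stops a captured, validly authenticated request from being replayed later to re-point the tunnel.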
Mobile IP registration reply (UDP message)
  type = 3 | code | lifetime
  home address
  home agent
  identification (64 bits)
  extensions ...
- Example codes:
  - Registration successful: 0 registration accepted; 1 registration accepted, but simultaneous mobility bindings unsupported
  - Registration denied by the FA: 65 administratively prohibited; 66 insufficient resources; 67 mobile node failed authentication; 68 home agent failed authentication; 69 requested lifetime too long
  - Registration denied by the HA: 129 administratively prohibited; 131 mobile node failed authentication; 133 registration identification mismatch; 135 too many simultaneous mobility bindings

Security associations and registration keys
- Usually there is a security association (SA) between the home agent (HA) and the mobile node (MN)
- Possible techniques to establish a registration key between the mobile node and the foreign agent (FA):
  - Make use of Internet Key Exchange (IKE), if available
  - If HA and FA share an SA, the HA can provide the registration key
  - Make use of the public key of the FA or of the MN
  - Diffie-Hellman key exchange between FA and MN

Tunneling
[Figure: 1. the CN sends a datagram (src CN, dest MN, payload "abcdefghij"); 2. the HA looks up the binding and sends the encapsulated datagram (outer src HA, outer dest COA, followed by the original datagram src CN, dest MN, payload) to the FA; 3. the FA delivers the original datagram (src CN, dest MN, payload) to the MN]

IP-in-IP encapsulation (RFC 2003, updated by RFCs 3168, 4301, 6040)
  Outer header:
    ver. | IHL | DS (TOS) | length
    IP identification | flags | fragment offset
    TTL | protocol = IP-in-IP | IP checksum
    IP address of HA
    care-of address COA
  Inner (original) header:
    ver. | IHL | DS (TOS) | length
    IP identification | flags | fragment offset
    TTL | layer 4 protocol | IP checksum
    IP address of CN
    IP address of MN
  TCP/UDP/... payload
- IHL: Internet Header Length; TTL: Time To Live; DS: Differentiated Services; TOS: Type of Service
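An added example of the data path (not code from the slides): it builds the IP-in-IP encapsulation of RFC 2003 (a new outer header with the Internet checksum in front of the unchanged original datagram), decapsulates it again, and runs a simple ingress filter at the edge of the foreign network to show why a packet the MN sends directly with its home address as source is dropped, while the same packet sent through a reverse tunnel (encapsulated by the FA) passes; that contrast is the point of the "triangle routing" and "reverse tunneling" slides further down. The addresses (the 129.13.42.0/24 home prefix of the slides, a 10.0.0.0/24 foreign prefix, a CN in the 192.0.2.0/24 documentation range) are constructed, and the inner-TTL handling of a forwarding encapsulator is left out.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_IPIP = 6, 4      # IP protocol numbers; 4 = IP-in-IP (RFC 2003)

# Constructed addresses: home prefix as on the slides, a foreign prefix, a CN in the documentation range
HOME_AGENT, MN_HOME = "129.13.42.1", "129.13.42.7"
FOREIGN_PREFIX, FA_COA = "10.0.0.0/24", "10.0.0.2"
CN = "192.0.2.10"
HDR = "!BBHHHBBH4s4s"                 # ver/IHL, DS, length, id, flags/frag, TTL, proto, checksum, src, dst


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """IPv4 datagram without options (IHL = 5), DF set, header checksum filled in."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner, tunnel_src, tunnel_dst):
    """IP-in-IP: a new outer header in front of the unchanged original datagram.
    (A forwarding encapsulator also decrements the inner TTL per RFC 2003; omitted here.)"""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer):
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    return o["payload"]                 # the original datagram, validated again by whoever receives it


def ingress_filter_accepts(pkt, prefix):
    """Edge router of the foreign network: forward only packets whose (outer) source belongs to it."""
    return ipaddress.IPv4Address(parse_ipv4(pkt)["src"]) in ipaddress.IPv4Network(prefix)


def demo():
    # CN -> MN: the HA intercepts the packet for the home address and tunnels it to the COA (the FA)
    from_cn = build_ipv4(CN, MN_HOME, IPPROTO_TCP, b"abcdefghij")
    tunneled = encapsulate(from_cn, HOME_AGENT, FA_COA)
    outer = parse_ipv4(tunneled)
    delivered = decapsulate(tunneled)
    # MN -> CN, triangle routing: the source is the home address, topologically wrong in the foreign network
    from_mn = build_ipv4(MN_HOME, CN, IPPROTO_TCP, b"reply")
    direct_ok = ingress_filter_accepts(from_mn, FOREIGN_PREFIX)
    # MN -> CN, reverse tunneling: the FA wraps it with its own (topologically correct) source address
    reverse = encapsulate(from_mn, FA_COA, HOME_AGENT)
    reverse_ok = ingress_filter_accepts(reverse, FOREIGN_PREFIX)
    return {"outer": (outer["src"], outer["dst"], outer["proto"]),
            "inner_intact": delivered == from_cn,
            "direct_passes_filter": direct_ok,
            "reverse_tunnel_passes_filter": reverse_ok,
            "ha_sees_original": decapsulate(reverse) == from_mn}


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the tunnel authenticates the inner packet: the HA accepts whatever it finds inside a datagram arriving from the COA, which is why the firewall slides below insist on filtering tunneled packets by their inner addresses too, and why the IPsec slides treat the tunnel as unprotected data transmission.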
Minimal encapsulation (optional, RFC 2004)
- Avoids the repetition of identical fields, e.g. TTL, IHL, version, DS (RFC 2474; old: TOS)
- Only applicable to non-fragmented packets: no space is left for the fragment identification
  ver. | IHL | DS (TOS) | length
  IP identification | flags | fragment offset
  TTL | protocol = minimal encapsulation | IP checksum
  IP address of HA
  care-of address COA
  layer 4 protocol | S | reserved | IP checksum
  IP address of MN
  original sender IP address (only if S = 1)
  TCP/UDP/... payload

Generic Routing Encapsulation
- Outer (new) header: ver. | IHL | DS (TOS) | length; IP identification | flags | fragment offset; TTL | protocol = GRE | IP checksum; IP address of HA; care-of address COA
- GRE header (RFC 1701): C R K S s | rec. | rsv. | ver. | protocol; checksum (optional) | offset (optional); key (optional); sequence number (optional); routing (optional)
- GRE header (RFC 2784, updated by RFC 2890): C | reserved0 | ver. | protocol; checksum (optional) | reserved1 (= 0)
- Original header: ver. | IHL | DS (TOS) | length; IP identification | flags | fragment offset; TTL | layer 4 protocol | IP checksum; IP address of CN; IP address of MN
- TCP/UDP/... payload
[Figure: new header | GRE header | original header | original data; the original header and data together form the new data]

"Triangle" routing
[Figure: packets from the CN go CN -> HA -> FA -> MN, packets from the MN go MN -> CN directly]
- Drawbacks:
  - Inefficiency
  - The MN sends IP packets with a topologically incorrect source address; for security reasons a router can be configured to drop topologically incorrect packets (ingress filtering)

Route Optimization in Mobile IP
- Route optimization
  - The HA provides the CN with the current location of the MN (the FA)
  - The CN sends tunneled traffic directly to the FA
- Optimization of FA handover
  - Packets on the fly during an FA change can be lost
  - The new FA informs the old FA to avoid packet loss; the old FA then forwards the remaining packets to the new FA
  - This information also enables the old FA to release the resources held for the MN

Route and FA handover optimizations
[Message sequence chart between CN, HA, FA_new, FA_old and MN, with messages Request, Update, ACK, Data, Warning, New request and Registration: the CN learns the binding from the HA and sends Data to FA_old; after the MN changes location it registers via FA_new, which updates the HA and warns FA_old; FA_old forwards remaining Data to FA_new and warns the CN, which requests the new binding from the HA and then sends Data to FA_new]

Reverse tunneling
[Figure: MN (sender) and FA in the foreign network, HA in the home network, CN (receiver) in the Internet]
1. The MN sends to the FA
2. The FA tunnels the packets to the HA by encapsulation
3. The HA forwards the packet to the receiver (standard case)

Mobile IP with reverse tunneling
- Reverse tunneling solves the ingress filtering problem: a packet from the MN encapsulated by the FA is now topologically correct
- Can cope with mobile routers
- Protects the location privacy of the MN
- Multicast and TTL problems solved
- Reverse tunneling does not solve:
  - Optimization of data paths: double triangular routing
  - Problems with firewalls: the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking)

Firewalls
[Figure: Correspondent Domain with the CN, Home Domain with the HA, Foreign Domain with the FA and the MN, each behind a firewall (FW) towards the Global Internet]
- Filtering of incoming packets: discard packets that seem to emanate from an address internal to the domain (even if they are tunneled)
- Filtering of outgoing packets: discard packets that seem to emanate from an address external to the domain (even if they are tunneled)
- Possible solutions: manual configuration; isolation of Mobile Nodes (pockets)

Mobile IP and IPsec
- Security in Mobile IP: authentication of registration messages, but no protection of the data transmission (tunneling)
- IPsec provides general IP layer security
  - Can be used to protect the data transmission
  - Can also be used in addition to, or in place of, the default authentication of registration messages

IPsec: brief reminder
[Figure: two hosts with Application / TCP or UDP / IP / Data link stacks and a router in between; the Security Association and the IPsec mechanisms sit at the IP layer]
- Provides confidentiality, authentication and integrity
- IPsec support is optional in IPv4 and was mandatory for IPv6 nodes (RFC 4294; relaxed to a SHOULD by RFC 6434)
- A Security Association (SA) consists of a suite of cryptographic algorithms and keys
- The Security Parameter Index (SPI) is used for indexing SAs

IPsec: Authentication Header
- Input IP packet: IP header (src IP, dst IP, ...) | payload
- AH transport mode: IP header (src IP, dst IP, ...) | AH (SPI, seq, auth) | payload; the whole packet is authenticated with auth
- AH tunnel mode: new IP header (src IP', dst IP', ...) | AH (SPI, seq, auth) | input IP packet; the new IP header and the whole input packet are authenticated
- Provides authentication and integrity
- The IP addresses are part of the authenticated data, so AH cannot traverse NATs

IPsec: Encapsulating Security Payload
- Input IP packet: IP header (src IP, dst IP, ...) | payload
- ESP transport mode: IP header (src IP, dst IP, ...) | ESP (SPI, seq) | payload (encrypted) | auth; the ESP header and the payload are authenticated with auth
- ESP tunnel mode: new IP header (src IP', dst IP', ...) | ESP (SPI, seq) | input IP packet (encrypted) | auth
- Provides confidentiality, authentication and integrity
- The outer IP header is not authenticated

Mobile IPv6
- Mobile IPv6 introduces several modifications based on new IPv6 functionality and on the experience with Mobile IPv4
- No FA: the COA is always co-located
- Two modes of operation: bidirectional tunnel (between the HA and the COA); route optimization (the MN informs the CN about the COA)
- Security integrated with IPsec (mandatory support in IPv6)
- "Soft" hand-over between two subnets, i.e. without packet loss, is supported: the MN sends the new COA to its old router, and the old router encapsulates all incoming packets for the MN and forwards them to the new COA

IP micro-mobility support
- Micro-mobility support: efficient local handover inside a foreign domain without involving a home agent
- Reduces control traffic on the backbone
- Especially needed in case of route optimization
- Example: Hierarchical Mobile IP (HMIP)
- Important criteria: security, efficiency, scalability, transparency, manageability

Hierarchical Mobile IPv6
- Operation:
  - The network contains a mobility anchor point (MAP) mapping a regional COA (RCOA) to a link COA (LCOA)
  - Upon handover, the MN informs only the MAP, which stores the new LCOA and keeps the RCOA
  - The HA is only contacted if the RCOA changes
- Security provisions: no HMIP-specific security provisions; binding updates should be authenticated
[Figure: Internet, HA, MAP, two access routers (AR) with LCOA_old and LCOA_new; after moving, the MN sends a binding update to the MAP]

Hierarchical Mobile IP: security
- Advantages:
  - Local COAs can be hidden, which provides at least some location privacy
  - Direct routing between CNs sharing the same link is possible (but might be dangerous)
- Potential problems:
  - Decentralized security-critical functionality (handover processing) in the mobility anchor points
  - MNs can (and must!) directly influence routing entries via binding updates (authentication necessary)

Hierarchical Mobile IP: other issues
- Advantages:
  - Handover requires a minimum number of overall changes to routing tables
  - Integration with firewalls / private address support possible
- Potential problems:
  - Not transparent to the MNs
  - Handover efficiency in wireless mobile scenarios: complex MN operations; all routing reconfiguration messages are sent over the wireless link

Mobile IP summary
- A mobile network layer compatible with the currently deployed Internet protocol stack
- Issues with Mobile IP:
  - Security: authentication with the FA can be problematic, because the FA typically belongs to another organization
  - Firewalls: typically Mobile IP cannot be used together with firewalls, special set-ups are needed
  - QoS: tunneling makes it hard to give a flow of packets the special treatment needed for QoS

Host Identity Protocol (HIP)

Architectural background
- Two global name spaces in the current Internet: domain names and IP addresses
- Recall: IP addresses have a dual role, 1. identifiers, 2. locators
- This duality makes many things difficult

New requirements for Internet addressing
- Mobile hosts: need to change their IP address dynamically
- Multi-interface hosts: have multiple independent addresses
- Challenge: mobile and multi-interface hosts have multiple, dynamically changing addresses

HIP: a new global Internet name space
- Decouples the name and locator roles of IP addresses
- Architectural change to the TCP/IP structure: a new layer between the IP and transport layers
- Introduces cryptographic Host Identifiers
- Integrates security, mobility and multi-homing:
  - Opportunistic host-to-host IPsec ESP
  - End-host mobility, across IPv4 and IPv6
  - End-host multi-address multi-homing, IPv4/v6
  - IPv4/v6 interoperability for applications

HIP: a new layer
[Figure: Process / Transport / Host Identity / IP layer / Link Layer; the transport layer sees <Host ID, port> instead of <IP addr, port>, and the Host Identity layer maps Host ID to IP address]
- Sockets are bound to Host Identities (HIs), not to IP addresses

HIP bindings
[Figure]

HIP overview
- HIP identifiers
- Establishing a shared context between two hosts: HIP base exchange
- Data communication: by default protected with IPsec ESP
- Mobility during data communication: HIP locator update
- Finding a host: HIP DNS extensions, HIP Rendezvous extension
- Multihoming

HIP identifiers
- Host Identifiers (HIs): a host holds a key pair (private and public key); the Host Identifier (HI) is the public key
- HI representation: Host Identity Tag (HIT), HIT = h(HI) (h: cryptographic hash function, 128 bits)
- Advantages:
  - Fixed length makes for easier protocol coding and better manages the packet size cost
  - Independent of the cryptographic protocols used for the public/private keys
- Collision probability (birthday paradox): with 10^12 hosts, P(collision) < 1.5 * 10^-15

HIP base exchange
  Initiator (I)                                                       Responder (R)
  I1: IP_I, IP_R, HIT_I, HIT_R                                   -->
                              <-- R1: IP_I, IP_R, HIT_I, HIT_R, DH_R, HI_R, sig, ESP transform, puzzle
  I2: IP_I, IP_R, HIT_I, HIT_R, DH_I, HI_I, sig, ESP transform, ESP info, solution -->
                              <-- R2: IP_I, IP_R, HIT_I, HIT_R, sig, ESP info
- Establishes the HIP association (addressing part): HI_I <-> IP_I <-> IP_R <-> HI_R
- Used by the HIP layer to map between HIs and IPs
HIP base exchange (cont.)
- DH_I / DH_R: Diffie-Hellman key material; sig: signature generated with the private key of HI_I / HI_R
- Diffie-Hellman generates a shared secret
- Signatures protect message integrity and prove that the hosts possess the private keys corresponding to their declared HIs

HIP base exchange (cont.)
- ESP transform: supported cryptographic suites
- ESP info: contains the Security Parameter Index (SPI)
- The ESP keys are generated from the Diffie-Hellman secret
- HIP association (basic case): HI_I <-> (SPI_IR, SPI_RI) <-> IP_I ... IP_R <-> (SPI_IR, SPI_RI) <-> HI_R

HIP base exchange (cont.)
- The cryptographic puzzle mitigates DoS against R
  - Makes the HIP base exchange more costly for I than for R
  - R remains stateless until a correct I2 arrives
  - R1: R chooses the puzzle from a pre-computed pool
  - I computes the solution from the puzzle challenge and the HITs
  - I2: R verifies the solution and only then allocates state for I

Mobility with HIP
  Mobile Host (at IP address 1, then IP address 2)                 Correspondent Host
  UPDATE(ESP_INFO, LOCATOR, SEQ)                              -->
                                 <-- UPDATE(ESP_INFO, SEQ, ACK, ECHO_REQUEST)
  UPDATE(ACK, ECHO_RESPONSE)                                  -->
- LOCATOR indicates the new IP address and its lifetime
- ESP_INFO contains the old and new SPIs (they can be the same)
- The HIP association is updated accordingly: HI_M <-> (SPI_MC, SPI_CM) <-> IP1 ... becomes HI_M <-> (new SPI_MC, new SPI_CM) <-> IP2 ...
Mobility with HIP (cont.)
- UPDATE is protected by an HMAC and by HIP_SIGNATURE
- UPDATE is explicitly acknowledged (SEQ and ACK numbers)
- ECHO_REQUEST and ECHO_RESPONSE verify that the MH is reachable at the new address
- No data is sent to the new IP address if this verification fails: mitigates DoS attacks against the new IP address

HIP DNS extensions
- Traditionally, DNS maps domain names to IP addresses
- HIP-enabled DNS can in addition map a domain name to: a Host Identifier (HI), a Host Identity Tag (HIT), a Rendezvous Server (RVS)

HIP and DNS: static case
[Figure: the Correspondent Host resolves FQDN_SH and obtains HI_SH, HIT_SH, IP_SH from the DNS; then I1, R1, I2, R2 (each carrying IP_CH, IP_SH, HIT_CH, HIT_SH) are exchanged directly with the Static Host]
- FQDN: Fully Qualified Domain Name

HIP and DNS: mobile case
[Figure: the Mobile Host registers its new IP address at the RVS with an UPDATE (registration per RFC 5203, rendezvous per RFC 5204); the Correspondent Host resolves FQDN_MH and obtains HI_MH, HIT_MH, IP_RVS; it sends I1 (IP_CH, IP_RVS, HIT_CH, HIT_MH) to the RVS, which relays it as I1 (IP_RVS, IP_MH, HIT_CH, HIT_MH) to the Mobile Host; R1, I2, R2 (IP_CH, IP_MH, HIT_CH, HIT_MH) then flow directly between the Correspondent Host and the Mobile Host]

Multihoming with HIP
- Multihoming: a host has multiple IP interfaces; increases reliability
- The HIP locator update mechanism enables multihoming: the multihomed host provides the correspondent with multiple IP addresses (and can also indicate a preferred one)
- More complex HIP associations; the RFC recommends a separate SPI pair per physical interface:
  HI <-> SPI pair A <-> IP_A (preferred)
     <-> SPI pair B <-> IP_B
     <-> SPI pair C <-> IP_C, IP_D

HIP summary
- New namespace for the Internet, between IP addresses and domain names
- Integrates security, mobility and multihoming
- Main disadvantage: requires an update of the transport layer stack on all end hosts
- Transparent and scalable
- Applications for HIP: mobile VPN users; VoIP (notably handover); search in peer-to-peer systems; faster WLAN access control; device peering
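The two DoS mitigations from the HIP slides above, the base-exchange puzzle ("R remains stateless until a correct I2 arrives") and the echo check of the mobility UPDATE ("no data is sent to the new IP address if this verification fails"), as one added example; this is illustrative code, not an implementation from the slides or from any HIP project. The puzzle is the one of RFC 5201, Ltrunc(SHA-1(I | HIT-I | HIT-R | J), K) == 0 on the lowest-order K bits. Simplifications and assumptions: HITs are a truncated SHA-1 of the HI instead of the ORCHID encoding of RFC 4843; the Diffie-Hellman exchange and HI signatures are omitted, so the per-association key KEYMAT that HIP derives from the DH secret is a constructed constant; deriving I from a responder secret and the two HITs is one way (my choice, not prescribed by RFC 5201) to let R recognise its own puzzles without keeping state; K = 12 and all addresses are constructed.

```python
import hashlib
import hmac
import os

PUZZLE_K = 12   # difficulty: low-order hash bits that must be zero (constructed; RFC 5201 lets R choose K)


def hit_of(hi):
    """Slides: HIT = h(HI), 128 bits. Truncated SHA-1 stands in for the ORCHID encoding of RFC 4843."""
    return hashlib.sha1(hi).digest()[:16]


def puzzle_ok(i, hit_i, hit_r, j, k):
    """RFC 5201 puzzle: Ltrunc(SHA-1(I | HIT-I | HIT-R | J), K) == 0, Ltrunc = lowest-order K bits."""
    digest = hashlib.sha1(i + hit_i + hit_r + j).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def solve_puzzle(i, hit_i, hit_r, k):
    """Initiator's work: brute-force J (on average 2^K hashes)."""
    j = 0
    while not puzzle_ok(i, hit_i, hit_r, j.to_bytes(8, "big"), k):
        j += 1
    return j.to_bytes(8, "big")


class Responder:
    """Stays stateless across I1/R1: I is recomputed from a secret, nothing is stored per initiator."""

    def __init__(self, hi):
        self.hit = hit_of(hi)
        self.secret = os.urandom(16)     # a real responder rotates this periodically
        self.associations = {}           # state is created only after a verified I2

    def puzzle_i(self, hit_i):
        # deriving I from (secret, HITs) lets R check "I issued this puzzle" without remembering it
        return hmac.new(self.secret, hit_i + self.hit, hashlib.sha1).digest()[:8]

    def handle_i1(self, hit_i):
        return {"I": self.puzzle_i(hit_i), "K": PUZZLE_K, "HIT_R": self.hit}   # R1, precomputable

    def handle_i2(self, hit_i, i, j):
        # the DH material and HI signature of a real I2 are omitted; only the puzzle check is shown
        if i != self.puzzle_i(hit_i) or not puzzle_ok(i, hit_i, self.hit, j, PUZZLE_K):
            return False                 # cheap rejection, no state allocated
        self.associations[hit_i] = {"established": True}
        return True


class CorrespondentHost:
    """Locator handling of the UPDATE exchange: a new address carries data only after echo verification."""

    def __init__(self, keymat, current_addr):
        self.keymat = keymat             # per-association key; HIP derives it from the DH secret
        self.active = current_addr
        self.pending = {}                # echo nonce -> candidate address

    def mac(self, locator, seq):
        return hmac.new(self.keymat, locator.encode() + seq.to_bytes(4, "big"), hashlib.sha256).digest()

    def handle_update(self, upd):
        """UPDATE(ESP_INFO, LOCATOR, SEQ) from the mobile host, protected by HMAC."""
        if not hmac.compare_digest(upd["hmac"], self.mac(upd["locator"], upd["seq"])):
            return None
        nonce = os.urandom(16)
        self.pending[nonce] = upd["locator"]
        # UPDATE(ESP_INFO, SEQ, ACK, ECHO_REQUEST) goes to the *new* address; only its holder can answer
        return {"ack": upd["seq"], "echo_request": nonce, "to": upd["locator"]}

    def handle_echo_response(self, resp):
        """UPDATE(ACK, ECHO_RESPONSE): the new locator becomes active only now."""
        addr = self.pending.pop(resp["echo_response"], None)
        if addr is not None:
            self.active = addr
        return addr is not None

    def data_destination(self):
        return self.active


def demo():
    responder, hit_i = Responder(os.urandom(64)), hit_of(os.urandom(64))   # random bytes stand in for HIs
    r1 = responder.handle_i1(hit_i)
    bad_i = bytes(8)                                                        # a puzzle R never issued
    forged_rejected = not responder.handle_i2(hit_i, bad_i, solve_puzzle(bad_i, hit_i, r1["HIT_R"], r1["K"]))
    n = 0                                                                   # find a J that does not solve it
    while puzzle_ok(r1["I"], hit_i, r1["HIT_R"], n.to_bytes(8, "big"), r1["K"]):
        n += 1
    wrong_j_rejected = not responder.handle_i2(hit_i, r1["I"], n.to_bytes(8, "big"))
    accepted = responder.handle_i2(hit_i, r1["I"], solve_puzzle(r1["I"], hit_i, r1["HIT_R"], r1["K"]))
    ch = CorrespondentHost(b"constructed-keymat", "192.0.2.1")             # IP address 1 (constructed)
    upd = {"locator": "198.51.100.7", "seq": 1}
    upd["hmac"] = ch.mac(upd["locator"], upd["seq"])
    echo = ch.handle_update(upd)
    before_echo = ch.data_destination()                                     # still IP address 1
    ch.handle_echo_response({"echo_response": echo["echo_request"]})
    after_echo = ch.data_destination()                                      # IP address 2
    spoofed = ch.handle_update({"locator": "203.0.113.9", "seq": 2, "hmac": bytes(32)})   # no key
    unanswered = {"locator": "203.0.113.9", "seq": 2}                       # valid, but nobody answers the echo
    unanswered["hmac"] = ch.mac(unanswered["locator"], unanswered["seq"])
    ch.handle_update(unanswered)
    return {"forged_rejected": forged_rejected, "wrong_j_rejected": wrong_j_rejected, "accepted": accepted,
            "assoc_count": len(responder.associations), "before_echo": before_echo, "after_echo": after_echo,
            "spoofed_dropped": spoofed is None, "unanswered_not_used": ch.data_destination() == after_echo}
```

The two checks protect different parties: the puzzle makes a flood of I1/I2 messages cost the initiator 2^K hashes per attempt while R spends one hash and allocates nothing, and the echo exchange stops a legitimately keyed peer from pointing the CH's data stream at a third party's address (a bandwidth amplification attack), since the address that does not answer the ECHO_REQUEST never becomes active.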
Generic Access Network (GAN)
- Access to cellular networks over unlicensed spectrum technologies (WiFi, Bluetooth)
- Unlicensed Mobile Access (UMA) is the commercial name
- http://www.umatechnology.org/overview/

GAN deployment
- Initial specifications published in 2004
- Written by operators and equipment manufacturers: Alcatel, British Telecom, Ericsson, Motorola, Nokia, BlackBerry (ex RIM), Siemens, Sony Ericsson, T-Mobile US
- Today some major operators use it

GAN characteristics
- Subscribers
  - Advantages: better indoor coverage; no roaming charges on WiFi when abroad; single "phone" number, single device; seamless handovers WiFi <-> cellular
  - Disadvantages: hassle of the initial setup; higher battery usage (WiFi enabled)
- Operators
  - Advantages: increased coverage at modest cost; reduced load on macrocells; re-use of existing hotspots
  - Disadvantages: extra infrastructure required; cost of support to customers

References on Mobile IP
- RFC 1701 - Generic Routing Encapsulation (GRE)
- RFC 2003 - IP Encapsulation within IP
- RFC 2004 - Minimal Encapsulation within IP
- RFC 3024 - Reverse Tunneling for Mobile IP, revised
- RFC 4721 - Mobile IPv4 Challenge/Response Extensions (Revised)
- RFC 5944 - IP Mobility Support for IPv4, Revised
- RFC 6275 - Mobility Support in IPv6

References on HIP
- http://www.openhip.org/
- RFC 4423 - Host Identity Protocol (HIP) Architecture
- RFC 5201 - Host Identity Protocol
- RFC 5202 - Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)
- RFC 5203 - Host Identity Protocol (HIP) Registration Extension
- RFC 5204 - Host Identity Protocol (HIP) Rendezvous Extension
- RFC 5206 - End-Host Mobility and Multihoming with the Host Identity Protocol
- RFC 5207 - NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication
- RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service