MobileNAT (Mobility across Heterogeneous Address Spaces)
Presented by Kundan Singh (Columbia University)
Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller
13-Oct-03, MobileNAT/IRT group meeting (30 slides, 60 min)

Agenda: Motivation, Architecture, Implementation, Comparison with current approaches, Summary

Slide 2: Current Trends
• Explosive growth in connected devices
• Heterogeneity
  • Access: 802.11, 3G, Ethernet
  • Provider; billing
  • Address space: IPv4 vs IPv6, public vs private
[Figure: 802.11, 3G and Ethernet access into a private address space]

Slide 3: Project IOTA
http://www.bell-labs.com/~mbuddhikot/IOTAProject/IOTA.htm

Slide 4: The goal
Preserve the session for:
1. inter access-point
2. inter sub-net
3. inter-NAT
4. to 3G network
5. to public network
[Figure: 802.11 access-points and Ethernet behind a router with NAT (private address space), a second NAT with public address A, a PDSN/3G network, the Internet, and a routed IP network reaching www.cnn.com; cases (1) to (5) marked on the paths]

Slide 6: Problem with IP address
• Convention used in the figures: Source IP, Destination IP, SP (source port), DP (destination port)
• TCP association: 128.59.16.149, 135.180.32.4, 80, 1733
• The IP address is overloaded: it is both the host identification and the routing information
• CN (corresponding node) 128.59.16.149; MN (mobile node) 135.180.32.4 moves to 135.180.54.7
• Packet from MN before the move: 135.180.32.4, 128.59.16.149, 1733, 80; after the move: 135.180.54.7, 128.59.16.149, 1733, 80
• Change in IP address breaks the TCP/socket connection

Slide 7: Two addresses
• Two IP addresses per host
  • Virtual IP (fixed host-id)
  • Actual IP (routable; changes)
• MN stack: Application, Socket, TCP/UDP, IP (Addr "V"), Shim Layer, Net IF (Addr "A")
• V=135.180.32.4; A=135.180.54.7 after the move; Anchor node (AN) 135.180.32.6
• The application still sees 135.180.32.4, 128.59.16.149, 1733, 80 before and after the move

Slide 8: Packet forwarding mechanisms: tunneling or translation
• Translation: CN 128.59.16.149 sends to V=135.180.32.4; the AN rewrites the destination to A=135.180.54.7
• Tunneling: outer header CN=>A or HA=>A, inner header CN=>V
  • Header overhead
  • More processing overhead
  • Not an issue if a NAT is already present (NAT is described later)

Slide 9: Address allocation using DHCP
• Virtual and actual IP allocated using DHCP
• New DHCP options
  • MN sends its current virtual IP address (or 0.0.0.0 if none) in the request
  • Server sends the allocated actual and virtual IP addresses in the response
• Actual IP is allocated based on the relay agent IP
[Figure: DHCP server; DHCP relay agents on subnets 10.0.1.x (MN 10.0.1.5) and 10.0.2.x (10.0.2.2, 10.0.2.9)]

Slide 10: Overview of NA(P)T
• Packet processing rules need to be changed in the event of mobility
• CN 128.59.16.149 on the Internet; NAT public addresses 135.180.32.1-7; private address space 10.0.0.0-10.255.255.255 with subnets 10.0.7.x, 10.0.1.x, 10.0.2.x; MN 10.0.1.5
• Packet processing rule
  • out: 10.0.1.5, 128.59.16.149, 1756, 80 becomes 135.180.32.4, 128.59.16.149, 7088, 80
  • in-1: the reverse translation

Slide 11: Mobility manager and MIDCOM
• MIDCOM to control NAT rules
• Mobility manager IP in DHCP response
• Change of lease: DHCP server informs the mobility manager, which updates the NAT rules
[Figure: Internet, NAT, mobility manager, DHCP server, relays on 10.0.1.x and 10.0.2.x, MN 10.0.1.5]

Slide 12: Example
• Address assignment
• Packet flow when MN is private and CN is public
• MN moves to a new subnet
• Packet flow after mobility to a new subnet
• Packet flow when MN and CN are in the same NAT domain
• Packet flow when MN is private and CN is public and MN moves to a new NAT domain

Slide 13: Address assignment
• DHCP request (my virtual IP = 0.0.0.0; my MAC address) to the DHCP server
• DHCP response (your virtual IP = 10.128.0.2; your actual IP = 10.0.1.5)
[Figure: mobility manager, DHCP server, NAT, Internet]

Slide 14: Packet flow
• Application/Socket/TCP/UDP/IP: 10.128.0.2, 128.59.16.149, 1756, 80; reply 128.59.16.149, 10.128.0.2, 80, 1756
• Shim: 10.0.1.5, 128.59.16.149, 1756, 80; reply 128.59.16.149, 10.0.1.5, 80, 1756
• NAT: 135.180.32.4, 128.59.16.149, 7088, 80; reply 128.59.16.149, 135.180.32.4, 80, 7088
• (1) IP layer 10.128.0.2:1756 (Addr "V"); (2) shim layer 10.0.1.5:1756 (Addr "A"); (3) NAT 10.0.1.5:1756 to 135.180.32.4:7088
• The NAT picks an external IP and port

Slide 15: Inter-subnet mobility
• DHCP request from subnet 10.0.2.x (my virtual IP = 10.128.0.2; my MAC address)
• DHCP response (your virtual IP = 10.128.0.2; your actual IP = 10.0.2.7)
• Mobility manager changes the NAT rule: S:10.0.1.5:1756 D:128.59.16.149:80 to S:135.180.32.4:7088 D:same, with the private side now 10.0.2.7
[Figure: DHCP server, mobility manager, NAT, Internet, CN, subnets 10.0.1.x and 10.0.2.x]

Slide 16: Packet flow after the node moves
• Application: 10.128.0.2, 128.59.16.149, 1756, 80; reply 128.59.16.149, 10.128.0.2, 80, 1756
• Shim: 10.0.2.7, 128.59.16.149, 1756, 80; reply 128.59.16.149, 10.0.2.7, 80, 1756
• NAT: 135.180.32.4, 128.59.16.149, 7088, 80; reply 128.59.16.149, 135.180.32.4, 80, 7088
• (1) IP layer (Addr "V"); (2) shim 10.0.2.7:1756 (Addr "A"); (3) NAT 135.180.32.4:7088
• Neither the MN application nor the CN knows about the change in actual IP

Slide 17: Intra-domain sessions
• CN A=10.0.4.9; MN V=10.128.0.2, A=10.0.1.5, moves to A=10.0.2.7; traffic goes through the NAT
• Optimization: a new signaling message between two MobileNAT clients to route the packets directly

Slide 18: Inter-domain mobility
• Mobility manager of the visited NAT fetches the existing connection mapping from the mobility manager of the home NAT
• If MN moves to public address space, the shim layer acts as the visited NAT
• Dynamic home agent: use the visited NAT as home NAT for new sessions
• Tunneling between visited and home NAT
[Figure: MN moves from home NAT to visited NAT; Internet; CN]

Slide 20: Implementation: client (Win XP/2000)
• Stack: Application; MobileNAT client (DHCP server and client); Socket; TCP/UDP; IP (Addr "V" 10.128.0.2 / 255.0.0.0); Shim Layer; Net IF (Addr "A" 10.0.1.5 / 255.255.255.0)
• MobileIP client, network and interface selector, unified mobility client (on-going work)
• Shim-layer driver to capture DHCP packets and translate IP addresses
• MobileNAT client application acting as DHCP client and server
• Handles ARP for nodes in other sub-nets

Slide 21: Client architecture
• User level: Graphical User Interface & Monitoring, OS PPP Support, MIP State Machine, Network Detection, Network Selection, MobileNAT Client, Interface Abstraction Layer/API; interfaces: Ethernet, 802.11, PPP, CDMA2000 Sierra 3G1xRTT
• OS kernel level: Serial Driver, AT Command Set, TCP/IP Protocol Stack, VPN/IPSec Client Driver, Multi-interface Mobility Client Driver, IS-835, Shim, PPP Interface, Ethernet Interface, 802.11 Interface, Virtual MobileIP Adaptor, VPN/IPSec Control
• Legend: new code developed specifically for 3G-802.11 integration; VPN/IPSec integration (e.g. Lucent IPSec Client); interaction with existing Windows OS modules

Slide 22: User interface
• Approximately 45,000 lines of code, 13,000 of which are Windows NDIS kernel networking code

Slide 23: Implementation: DHCP server and NAT (Linux)
• DHCP server allocates the virtual and actual IP (virtual IP range, actual IP range)
• Actual IP is based on the subnet of the DHCP relay agent
• MM is integrated into the DHCP server
• NAT using netfilter, iptables, ip_conntrack and ip_nat modules: NAT connection tracking, PRE-ROUTING destination NAT, POST-ROUTING source NAT

Slide 25: Similarities/Differences with current proposals
• Translation mode vs. tunneling
  • Packet size vs processing overhead
  • Two addresses per MN; can afford this since they are private addresses
  • No external FA needed
• Signaling
  • Using DHCP (new options) and a per-domain Mobility Manager (MM)
• Routing path
  • No change in routers or CN; but change in MN, NAT and DHCP server
  • Dynamic home agent (i.e., the NAT)

Slide 26: Comparison to existing schemes
Schemes considered in the following chart:
• Mobile IP
  • Extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)
• Micro-mobility schemes: Cellular IP, Hawaii, Intra-Domain Mobility Protocol (IDMP), Hierarchical Mobile IP (HMIP)
• IPv6
• Application level mobility mechanism: SIP
• Virtual NAT
  • Similar address translation in the client stack
  • Targeted for connection migration where both end-points implement vNAT

Slide 27: Comparison chart
Columns: MIP, Mobile NAT, CIP, Hawaii, HMIP (RR), IDMP TeleMIP, MIP LR, MIP RO, SIP, IPv6, Virtual NAT
Rows (one value per column):
• MIP messaging: Y N Y Y Y - - N Y N N
• Inter-tunnel: Y Y Y Y Y N Y N O O N
• Intra-tunnel: - N N Y Y - - - O O N
• Paging: O Y Y Y Y - - N Y UD N
• Host ID: HA HA CoA CoA LCoA - - SIP HA CoA virtual
• Signaling: Y Data Y Y Y Y Y Y Y DHCP/MM Y
• CN modify?: N N N N N Y Y - N N Y
• MN modify?: Y Y Y Y Y Y Y - Y Y Y
• Router modify?: FA Y Y FA FA - - - O N N
• NAT support: Y1 Y Y Y Y IN IN Y IN Y IN
• Non-mobile IP nodes: Y N Y Y Y - - - Y Y IN
• Triangular route: Y Y Y Y Y N N N N N/Y N
Legend: Y: yes; N: no; -: N/A; O: optional; IN: independent; UD: under development. 1: We assume Mobile IP with UDP tunneling for NAT.

Slide 28: Mobile NAT Advantages
• Problems in existing approaches
  • Huge infrastructure change (CIP, IPv6, routers, even deploying FA)
  • Not much discussion on optimizing intra-domain sessions
  • Require tunneling overhead, inter, intra or both
  • Triangular routing
  • Modification in CN
• MobileNAT approach
  • Addresses rapid growth in end-devices, which most likely will have private addresses due to slow deployment of IPv6
  • Assume the presence of NA(P)T in a domain
  • Roaming and services across heterogeneous address spaces
  • Reduce problem space to only private address space
  • Choice between tunneling and address translation addresses bandwidth limitations of wireless links
  • Use existing protocols (DHCP, ICMP) for signaling
  • Discourage changing routing infrastructure
  • Can co-exist with MobileIP

Slide 29: On-going work
• Scalability
  • Subdivide domains into smaller NAT-ed domains
  • Multiple NATs per domain
• Security
  • DHCP authentication and access-point authentication/encryption
  • Works with IPsec (AH mode and UDP tunnel) and SSL
• Paging
  • Re-use of existing IP-multicast based paging
• Possible deployment issues
  • Changing every MN driver (similar to Mobile IP)
  • Mobility to 3G network
  • Location information distribution
  • Allow incremental deployment
• Other issues
  • Does not solve NAT problems where the application layer message uses the IP address (FTP, SIP, RTSP)
  • Fast hand-off for micro-mobility
  • Intra-domain sessions on inter-domain mobility
  • Combined MobileIP and MobileNAT client

Slide 30: Summary
• Main ideas
  • Virtual IP for host identification; actual IP for routing
  • Address translation in the client as well as in the NAT
  • Existing protocols like DHCP for signaling
  • Mobility manager to handle nodes in a domain
  • NAT acts as a dynamic home agent
  • Inter-NAT packet flow for inter-domain mobility
  • No change in routers and no need for FA
  • Change in MN, NAT and DHCP server
• Demonstrated a simple inter-subnet mobility

BACKUP SLIDES: Survey of existing mobility approaches for private/public addresses

Slide 32: Mobile IP for macro mobility
[Figure: (1) CN=>HA; (2) HA=>FA carrying CN=>HA; (3) CN=>HA delivered from FA to MN; (4) HA=>CN]
• Triangular routing: route optimization
• Slow handoff: hierarchical mobility (HMIP); mobile specific routing (CIP, Hawaii)
• Tunneling
• Signaling overhead: paging (CIP, Hawaii, HMIP)
• Firewall, etc.: reverse tunneling

Slide 33: Mobile IP with NAT
• (1) Register; establish port mapping: a UDP port mapping is created at the NAT during registration, and the HA finds that the FA is behind a NAT
• (2) CN=>HA
• (3) HA=>NAT (UDP) carrying CN=>HA (IP): the HA uses IP in a UDP tunnel
• (4) NAT=>FA (UDP) carrying CN=>HA (IP)
• Outbound traffic goes through the NAT

Slide 34: Micro mobility: Cellular IP
• CoA is that of the gateway (FA); no change in CoA within the domain
• Gateway converts cellular IP to IP
• Network elements snoop on data packets from MN to GW and set the reverse route from GW to MN
• Paging to discover an idle MN
• NAT can be at the gateway
[Figure: CN, HA, Internet, gateway, intra-domain cellular IP (non-IP) cloud, MN; MN Id = HA]

Slide 35: Micro mobility: Hawaii
• CoA is that of the root router (FA)
• Host specific route in IP
• Path setup tradeoff
  • Explicit signal from MN to update the route
  • Packet loss, reorder, handoff latency
• Paging (IP multicast) to discover an idle MN if there is no routing information
• NAT can be at the root router
[Figure: CN=>HA; HA=>CoA carrying CN=>HA; root router; IP cloud; MN Id=CoA]

Slide 36: Micro mobility: Hierarchical mobile IP
• Two levels
• Works with non-mobile (but IP) traffic in the domain
• Paging
• Two IP addresses (GFA and FA) per MN
• NAT can be at the GFA
• High level network of FAs (preferably a tree) above IP; registration updates at the optimal point in the tree
[Figure: CN=>HA; HA=>GFA carrying CN=>HA; GFA=>FA carrying CN=>HA; FA, MN]

Slide 37: Micro mobility: IDMP/TeleMIP
• MA acts as the gateway to the HA/Internet
• Subnet agent (e.g., DHCP or FA) sends domain info
• MN registers GCoA=MA at the HA, and LCoA=FA at the MA; two level addressing
• Similar to HMIP except multiple MAs are allowed for load balancing
• MA does NAT
[Figure: CN=>HA; HA=>MA (GCoA) carrying CN=>HA; MA=>FA (LCoA) carrying CN=>HA; FA, MN]

Slide 38: MIP Location Registers
• CN gets and caches the CoA of the MN for a given TTL (HLR, VLR)
• Avoids encapsulation
• Modifies the CN
• New VLR deregisters the old VLR
• If the VLR runs out of addresses, inform the HLR, which informs the CN to use a tunnel from CN to VLR
• If the MN moves before the TTL expires: (1) inform VLR and HLR, which informs the CN; (2) inform the CN directly; (3) old VLR relays to the new one

Slide 39: SIP application level mobility
• Initial INVITE from CN; re-INVITE and re-REGISTER (home SIP server) after the move
• Only for VoIP/multimedia calls
• No change in existing infrastructure
• NAT traversal (next slide)

Slide 40: Middle box communication (midcom)
• Application specific proxy server controls NAT/firewall port binding/hole
• Separates NAT/ALG functionality
• Proxy snoops or modifies signaling
• Signaling traffic allowed on a fixed port; media on a dynamic port
• Works with SIP
• No incentive to install
[Figure: host, signaling to midcom server, NAT, Internet, CN; media path]

Slide 41: Simple Traversal of UDP through NAT (STUN)
• Host sends a packet to the STUN server; the NAT converts the internal IP to the external IP
• Server responds with the source IP of the packet (i.e., the external one)
• Host knows that its external IP is not the same as its internal IP
• It uses the external IP/port when advertising in SDP
• Does not work for symmetric NAT
  • The external IP/port for the same host differs for connections to different external hosts
[Figure: host, NAT, Internet, STUN server, CN; steps (1) to (6)]

Slide 42: Realm Specific IP (RSIP)
• Get an external address from the NAT for this private host
• Tunnel packets between the NAT and the private host
• Works for various combinations of multiple RSIP gateways, NAT, NAT with RSIP, and RSIP hosts
• Needs an RSIP aware host
[Figure: CN, Internet, CN-side NAT, NAT, host]

Slide 43: Mobility in IPv6
• Address autoconfiguration
  • Always obtain a CoA in the FN: net part + local part
  • No FA needed
• Route optimization
  • IPv6 destination option to CN and HA
  • CN caches the CoA of the MN and sends directly
• Hierarchical MIPv6
  • Global address = mobile server's network; allows change in MS
  • Local address known to the mobile server
[Figure: (1) first IPv6 packet CN=>HA; (2) tunneled HA=>CoA carrying CN=>HA; (3) IPv6 destination option from MN to CN and HA; (4) subsequent packets sent directly]

Slide 44: Mobile NAT: motivation
• Problems in existing approaches
  • Not much discussion on optimizing intra-domain sessions
  • Require tunneling overhead, inter, intra or both
  • Triangular routing or modification in CN
  • Huge infrastructure change (CIP, IPv6, even deploying FA)
  • ...
• What MobileNAT does
  • Reduce problem space to only private address space
  • Assume the presence of NA(P)T in a domain
  • Choice between tunneling and address translation
  • Use existing protocols (DHCP, ICMP) for signaling mobility
  • Discourage changing routing infrastructure
  • Can co-exist with MobileIP, Hawaii and IPv6 (?)
  • Provide roaming and services across heterogeneous address spaces demarked by address translation devices

Slide 45: Mobile NAT: intra-domain
• HA is in the NAT (MN is private)
• FA is in the MN (driver, kernel)
• No explicit HA or FA
• Virtual vs routable address
  • Virtual: fixed private address "a", exposed to the application on the MN
  • Routable: dynamic private address "a" or "b" obtained using DHCP
• Transport sessions between CN and A (external), CN and a (internal)
• Address translation: NAT (A <-> a <-> b), MN (b <-> a)
• Tunneling: NAT <-> MN
[Figure: CN<=>A on the Internet; NAT with A=a; CN<=>b in the IP cloud; MN a/b after the move, a/a before; MN Id=Private]

Slide 46: Mobile NAT: inter-domain
• Inter-NAT tunnel or relay
• MN moves a/a => a/c; NAT1 and NAT2 are informed
• Translation
  • NAT1: A <-> a <-> B
  • NAT2: B <-> a <-> c
  • MN: c <-> a
• Like Mobile IP: FA=NAT2, HA=NAT1; at most two levels of NATs
• Issues
  • Multiple "a" in NAT2, but a unique map B <-> a
  • Does IP security work (?)
[Figure: CN<=>A, NAT1 with A=a, NAT2 with B=a, CN<=>b, MN a/c]

Slide 47: Mobile NAT: intra-domain sessions
• MN2 sends to the NAT with destination "a"; the NAT responds with a router redirect to "b" (?); MN2 now sends to MN1 directly
• MN1 moves a/b => a/c
  • MN1 gets "c"
  • DHCP server (or MN1) informs the NAT
  • MN2 gets ICMP host unreachable and starts sending to the NAT
  • NAT responds with a router redirect to "c"
• MN1 moves out of the domain: path MN1 <-> visited NAT <-> home NAT <-> MN2 (?)
• An ICMP Redirect message is expected from a router in the same sub-net to which the packet is being sent. It is vulnerable to attacks (confirm?). Cisco routers don't forward ICMP redirects from another network. We may use proprietary IP options if allowed.

Slide 48: TODO
• Can MobileNAT co-exist with MIP, Hawaii and non-mobile but IP clients?
  • If a MIP MN discovers no FA, it switches to MobileNAT
  • If a MobileNAT MN discovers an FA, it enables both MIP and MobileNAT
  • If a MobileNAT MN goes out of the domain and gets a public address
  • If a public MN moves within the domain and gets a private address
• For an intra-domain session between an MN and a fixed IP host, route optimization does not work
• Does route optimization work if both MNs move at the same time?
• Does MobileNAT work with multicast?
• Write a simulation program for MobileNAT, MobileIP and Hawaii networks

Slide 49: TODO
• Can part of it be implemented using existing protocols like Mobile IPv6 (destination option for route optimization), IDMP (for public/private addresses), RSIP?
  • Intra-domain route optimization is similar to the IPv6 destination option; can we use IPv6 within the domain? Need to change all routers (?)
  • Assuming an IPv6 domain with the NAT as IPv4 <-> IPv6 converter: what changes do we need in NAT/IOTA so that it works with Mobile IP? For IPv6 do we need a private address domain? How do we minimize changes in the IPv6 MN?
  • IDMP supports multiple MAs. Can we install multiple NAT/IOTA for load balancing?
  • Does tunnel mode MobileNAT reduce to IDMP when the HA is outside of the NAT and the FA is in the MN? (yes) Why can't MobileNAT be proposed as an extension to IDMP? IDMP does not describe intra-domain session optimization.

Slide 50: TODO
• Windows related issues
  • Check if TCP connections are dropped when ipconfig /release is done
  • Check what happens when CONNECTED status is indicated on an already connected state
  • Check if TCP connections are dropped even if DISCONNECTED status is not propagated to the higher layer
• Possible deployment hindrances
  • Changing every MN driver (similar to Mobile IP)
  • Should allow incremental deployment
  • Processing overhead on NAT/IOTA
  • What happens to domain/sub-net specific options that are not indicated to the higher layer when the domain/sub-net changes? Need to write a controlling application as well that does DhcpIpRenewAddress when the driver finds a different options field.

Slide 51: TODO
• Basic design issues
  • Does DHCP security/authentication work?
  • Can we use ICMP router redirect from the NAT to a private host?
  • Can IP security work in all scenarios?
  • Fast handoff applicability
  • Since we are modifying the MN driver anyway, can it be made more extensible or more auto-configurable? E.g., if IOTA/NAT is moved to the sub-net routers, can modification in the MN be avoided?
  • What if there are multiple hierarchical IOTA/NAT in a domain?
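The packet path of slides 14 to 16 (application addresses packets with the virtual IP, the shim rewrites it to the actual IP, the NAT rewrites that to a public address/port, and the mobility manager rewrites the NAT rule after the move) as a small Python simulation. This is an added example, not the MobileNAT project's code; the addresses are those on the slides, and Packet, Shim, Nat, round_trip and simulate are names of this example. It also shows, via simulate(update_nat=False), what the rule update buys: without it the NAT treats the moved flow as a new one and the CN-facing port changes.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Shim:
    """Client shim between the IP layer (Addr V) and the Net IF (Addr A)."""
    def __init__(self, virtual_ip, actual_ip):
        self.virtual_ip, self.actual_ip = virtual_ip, actual_ip
    def move(self, new_actual_ip):   # new actual IP from DHCP; V is unchanged
        self.actual_ip = new_actual_ip
    def outbound(self, p):           # V -> A on the way out
        return replace(p, src=self.actual_ip) if p.src == self.virtual_ip else p
    def inbound(self, p):            # A -> V on the way in
        return replace(p, dst=self.virtual_ip) if p.dst == self.actual_ip else p

class Nat:
    """NA(P)T whose connection-tracking rules are keyed on the MN's actual IP."""
    def __init__(self, public_ip, first_port=7088):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_rules = {}   # (actual, sport, dst, dport) -> external port
        self.in_rules = {}    # external port -> (actual, sport)
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_rules:           # new flow: pick an external port
            self.out_rules[key] = self.next_port
            self.in_rules[self.next_port] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.out_rules[key])
    def inbound(self, p):
        actual, sport = self.in_rules[p.dport]
        return replace(p, dst=actual, dport=sport)
    def mobility_update(self, old_actual, new_actual):
        # Mobility manager (via MIDCOM on the slides) rewrites existing rules:
        # the external port is kept, only the private side of the rule changes.
        for key in [k for k in self.out_rules if k[0] == old_actual]:
            port = self.out_rules.pop(key)
            self.out_rules[(new_actual,) + key[1:]] = port
            self.in_rules[port] = (new_actual, key[1])

def round_trip(shim, nat, app_packet):
    """One MN -> CN packet and the CN's reply; returns (on wire, on Internet, at app)."""
    on_wire = shim.outbound(app_packet)
    on_internet = nat.outbound(on_wire)
    reply = Packet(on_internet.dst, on_internet.src, on_internet.dport, on_internet.sport)
    return on_wire, on_internet, shim.inbound(nat.inbound(reply))

def simulate(update_nat=True):
    """Flow before and after the move 10.0.1.5 -> 10.0.2.7 (slides 14 to 16)."""
    shim, nat = Shim("10.128.0.2", "10.0.1.5"), Nat("135.180.32.4")
    app = Packet("10.128.0.2", "128.59.16.149", 1756, 80)
    before = round_trip(shim, nat, app)
    shim.move("10.0.2.7")                        # DHCP response on subnet 10.0.2.x
    if update_nat:                               # skip to see what the MM buys us
        nat.mobility_update("10.0.1.5", "10.0.2.7")
    return before, round_trip(shim, nat, app)    # application still sends from V
```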