Mobility Support in IPv6 (MIPv6)
Chun-Chuan Yang
Dept. Computer Science & Info. Eng.
National Chi Nan University
Outline
- MIPv6 Features
- MIPv6 Basic Operations
- MIPv6 Security
- MIPv6 vs. MIPv4
Mobile IPv6 Features (1)
- IPv6 mobility is based on core features of IPv6
  - The base IPv6 was designed to support mobility
  - Mobility is not an "add-on" feature
- All IPv6 networks are IPv6-Mobile ready
  - All IPv6 nodes are IPv6-Mobile ready
  - All IPv6 LANs/subnets are IPv6-Mobile ready
  - IPv6 Neighbor Discovery and Address Autoconfiguration allow hosts to operate in any location without any special support
Mobile IPv6 Features (2)
- No Foreign Agent
  - In Mobile IPv4, an MN registers with a foreign agent and borrows its address to build an IP tunnel so that the HA can deliver packets to the MN. In Mobile IPv6, the MN obtains a new IPv6 address that is used only by the MN itself, so the FA no longer exists
  - IPv6 address autoconfiguration: the MN can obtain a CoA in a foreign network without any help from a foreign agent
- More scalable: better performance
  - Less traffic through the home link
  - Less redirection/re-routing (traffic optimization)
Mobile IPv6 Features (3)
- Bi-directional tunneling mode
  - Does not require the CN to support Mobile IPv6
  - Uses reverse tunneling (for ingress filtering)
- Route Optimization (RO) mode
  - Requires registering the MN's current binding at the CN
  - Uses a new type of IPv6 routing header
    - Type-2 routing header = home address (Dest Addr = MN's CoA)
  - Shortest communication path
  - Eliminates congestion at the MN's HA and home link
  - Reduces the impact of any possible failure of the HA, or of networks on the path to or from it
Mobile IPv6 Features (4)
- Dynamic Home Agent Address Discovery
  - Allows an MN to dynamically discover the IP address of a home agent on its home link
  - ICMP Home Agent Address Discovery Request message
    - Destination address: Home Agent anycast address for its own home subnet prefix
  - Reply message
    - HA list (with preferences) in the home link
    - Each HA maintains the home agents list
New IPv6 Protocol (1)
- Mobility Header
  - Home Test Init, Home Test, Care-of Test Init, Care-of Test
    - Perform the return routability procedure from MN to CN for ensuring authorization of subsequent Binding Updates
  - Binding Update
  - Binding Acknowledgement
  - Binding Refresh Request
  - Binding Error
New IPv6 Protocol (2)
- New IPv6 Destination Option
  - Home Address destination option
- Type-2 Routing header: route optimization
- New ICMPv6 messages
  - Home Agent Address Discovery Request
  - Home Agent Address Discovery Reply
  - Mobile Prefix Solicitation
  - Mobile Prefix Advertisement
Mobility Header
[Figure: Mobility Header format]
- Payload Proto: same values as the IPv6 Next Header field
- MH Type: identifies the particular mobility message
- Message Data: the data specific to the indicated MH type
Binding Update Message
[Figure: Binding Update message format]
- MH Type = 5
- Message Data flags:
  - A: Acknowledge
  - H: Home Registration
  - L: Link-Local Address Compatibility
  - K: Key Management Mobility Capability
Binding Acknowledgement Message
[Figure: Binding Acknowledgement message format]
- MH Type = 6
- Message Data flag:
  - K: Key Management Mobility Capability
MIPv6 Basic Operation (1)
[Figure: CN, the Home Network with the HA, the Internet, and the Foreign Network with the Mobile Node]
- MN -> CN: IP Header (S: MN's home address, D: CN's IP address) | Payload
- CN -> MN: IP Header (S: CN's IP address, D: MN's home address) | Payload
MIPv6 Basic Operation (2)
[Figure: same topology; the Mobile Node on the foreign network exchanges mobility messages with the HA]
- Binding Update (MN -> HA): IP Header | Mobility Header (MH = 5) | Payload
- Binding Ack (HA -> MN): IP Header | Mobility Header (MH = 6) | Payload
MIPv6 Basic Operation (3)
[Figure: same topology; the HA intercepts the CN's packets on the home network and tunnels them to the Mobile Node]
- CN -> MN's home address: IP Header (S: CN's IP address, D: MN's home address) | Payload
- Tunneled packets, HA -> MN: New IP Header (S: HA's address, D: MN's CoA) | Old IP Header | Payload
MIPv6 Basic Operation (4)
[Figure: same topology; the Mobile Node exchanges mobility messages directly with the CN]
- Binding Update (MN -> CN): IP Header | Mobility Header (MH = 5) | Payload
- Binding Ack (CN -> MN): IP Header | Mobility Header (MH = 6) | Payload
MIPv6 Basic Operation (5)
[Figure: same topology; route-optimized traffic flows directly between the CN and the Mobile Node, bypassing the HA]
- CN -> MN: IP Header (S: CN's address, D: MN's CoA) | Routing Header (Type 2, MN's home address) | Payload
- MN -> CN: IP Header (S: MN's CoA, D: CN's address) | Home Address Dest Opt (includes MN's home address) | Payload
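The two extension headers on the slide above, encoded and decoded in Python as an added example (this code is not from the slides or from any MIPv6 implementation). Field layouts follow RFC 3775: the Type 2 Routing Header (Section 6.4) and the Home Address destination option, option type 201 (Section 6.3). The function names, the binding-cache dict and the sample addresses are constructed for this example. The CN-side check at the end is the one a receiver needs before trusting a Home Address option: the option is honoured only when a verified binding already maps that home address to the packet's source.

```python
"""Added example (not from these slides): Mobile IPv6 route-optimization
extension headers, built and parsed with defensive length and address checks.
Layouts per RFC 3775 Sections 6.3 and 6.4; names and addresses are constructed."""
import ipaddress
import struct

IPPROTO_TCP = 6
ROUTING_TYPE_2 = 2        # RFC 3775 Type 2 Routing Header
OPT_PAD1 = 0
OPT_PADN = 1
OPT_HOME_ADDRESS = 201    # 0xC9, Home Address destination option


def _packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def _routable_unicast(addr: ipaddress.IPv6Address) -> bool:
    # RFC 3775 requires the carried home address to be a unicast routable address.
    return not (addr.is_multicast or addr.is_link_local or addr.is_unspecified)


def build_type2_routing_header(next_header: int, home_address: str) -> bytes:
    """CN -> MN: the packet is addressed to the care-of address and the MN
    restores its home address from this header.  Layout (24 octets):
    Next Header | Hdr Ext Len = 2 | Routing Type = 2 | Segments Left = 1 |
    Reserved (4) | Home Address (16)."""
    return struct.pack("!BBBBI", next_header, 2, ROUTING_TYPE_2, 1, 0) + _packed(home_address)


def parse_type2_routing_header(data: bytes) -> dict:
    """Decode a Type 2 routing header, rejecting anything other than the
    one-address, one-segment form the specification allows."""
    if len(data) < 24:
        raise ValueError("truncated routing header")
    next_header, ext_len, rtype, seg_left, _reserved = struct.unpack("!BBBBI", data[:8])
    if rtype != ROUTING_TYPE_2:
        raise ValueError(f"routing type {rtype} is not Type 2")
    if ext_len != 2 or seg_left != 1:
        raise ValueError("Type 2 routing header must have Hdr Ext Len 2 and Segments Left 1")
    home = ipaddress.IPv6Address(data[8:24])
    if not _routable_unicast(home):
        raise ValueError("home address must be a routable unicast address")
    return {"next_header": next_header, "home_address": str(home)}


def build_home_address_dstopts(next_header: int, home_address: str) -> bytes:
    """MN -> CN: the IPv6 source is the care-of address (so the packet passes
    ingress filtering) and the home address rides in this option.  The
    16-octet address needs 8n+6 alignment, so a 2-octet PadN precedes it:
    Next Header | Hdr Ext Len = 2 | PadN (1, 2, 0, 0) | HAO (201, 16, address)."""
    padn = bytes([OPT_PADN, 2, 0, 0])
    hao = bytes([OPT_HOME_ADDRESS, 16]) + _packed(home_address)
    body = padn + hao                       # 22 octets
    ext_len = (2 + len(body)) // 8 - 1      # 24 octets total -> 2
    return bytes([next_header, ext_len]) + body


def parse_home_address_dstopts(data: bytes) -> dict:
    """Walk the TLV options of a Destination Options header and extract the
    single Home Address option, checking every length against the header."""
    if len(data) < 2:
        raise ValueError("truncated destination options header")
    next_header, ext_len = data[0], data[1]
    total = (ext_len + 1) * 8
    if len(data) < total:
        raise ValueError("truncated destination options header")
    home = None
    pos = 2
    while pos < total:
        opt_type = data[pos]
        if opt_type == OPT_PAD1:            # Pad1 has no length octet
            pos += 1
            continue
        if pos + 2 > total:
            raise ValueError("option header runs past end of header")
        opt_len = data[pos + 1]
        if pos + 2 + opt_len > total:
            raise ValueError("option value runs past end of header")
        value = data[pos + 2:pos + 2 + opt_len]
        if opt_type == OPT_HOME_ADDRESS:
            if opt_len != 16 or home is not None:
                raise ValueError("expected exactly one 16-octet Home Address option")
            home = ipaddress.IPv6Address(value)
            if not _routable_unicast(home):
                raise ValueError("home address must be a routable unicast address")
        pos += 2 + opt_len
    if home is None:
        raise ValueError("no Home Address option present")
    return {"next_header": next_header, "home_address": str(home)}


def accept_home_address_option(binding_cache: dict, src: str, home_address: str):
    """CN-side check before swapping the home address in for the source
    (RFC 3775 Section 9.3.1): honour the option only if the Binding Cache
    already maps this home address to the packet's source address.
    Returns the address to treat as the source, or None to drop the packet."""
    if binding_cache.get(home_address) != src:
        return None
    return home_address
```

The binding-cache check is what keeps the Home Address option from being a free source-spoofing primitive: without a verified binding for that home address, the CN treats the packet as coming from nobody it knows and drops it.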
Movement
- Movement Detection: detect L3 handovers
  - Neighbor Unreachability Detection (NUD)
    - Default router is no longer bi-directionally reachable
- Router Discovery: select a new default router
- Prefix Discovery: form a new care-of address
- Home registration
- Correspondent registration
Home Registration (1)
- Set the H-bit and A-bit in the Binding Updates sent to the HA
- MN's home address in the Home Address destination option
- Source address = care-of address
- Set the L-bit if the MN's link-local address (for the new care-of address) has the same interface ID as the home address
- Set the K-bit if the IPsec SAs between the MN and the HA have been established dynamically, and the mobile node has the capability to update its endpoint in the key management protocol used to the new care-of address every time it moves
Home Registration (2)
- Sequence #
  - Used by the receiving node to sequence BUs and by the sending node to match a returned BACK with this BU
- Lifetime
  - The number of time units remaining before the binding must be considered expired
  - One time unit is 4 seconds
Correspondent Registration (1)
- Allows the CN to cache the MN's current care-of address
- Return Routability procedure + registration
- After home registration, the MN should initiate a correspondent registration for each node that already appears in the MN's Binding Update List
- The initiated procedures can be used to either update or delete binding information in the CN
- In addition, the MN initiates the registration in response to receiving a packet tunneled using IPv6 encapsulation
Correspondent Registration (2)
- A Binding Update is created as follows:
  1. Source address of the IPv6 header = the current care-of address
  2. Destination address = the address of the CN
  3. Mobility header with MH type = 5, including the Binding Authorization Data and the Nonce Indices mobility options
  4. Home Address destination option = MN's home address
Conceptual Data Structures
- CN: Binding Cache
- HA: Binding Cache and Home Agents List
  - When sending a packet, the Binding Cache is searched before the Neighbor Discovery conceptual Destination Cache
  - The Home Agents List is used by the dynamic home agent address discovery mechanism
- MN: Binding Update List
  - It records information for each BU sent by this MN in which the lifetime of the binding has not yet expired
  - The Binding Update List includes all bindings sent by the MN either to its HA or to CNs
MIPv6 Security
- Binding Updates to HA
  - IPsec and ESP between MN and HA
  - Key distribution (IKE, Internet Key Exchange)
- Binding Updates to CN
  - Return Routability Procedure to assure that the right MN is sending the message
  - Binding management key (Kbm) for integrity and authenticity of the BU messages
IPsec Security Association
- An SA is a cryptographically protected connection
- There MUST be an SA between the MN and HA
- Provides integrity and authentication of BU and BACK
- An SA is defined by: <SPI, destination address, flag>
- One SA per home address
- IPsec Authentication Header (authentication-only service)
Encapsulating Security Payload
- ESP: authentication + encryption

IPsec: AH vs. ESP
[Figure: AH and ESP packet formats compared]
Binding Updates to CN
- Return Routability Procedure
  - Enables the CN to obtain some reasonable assurance that the MN is in fact addressable at its claimed care-of address as well as at its home address
  - Done by testing whether packets addressed to the two claimed addresses are routed to the MN
  - The MN can pass the test only if it is able to supply proof that it received certain data (the "keygen tokens") which the CN sends to those addresses. These data are combined by the MN into Kbm
Return Routability Procedure
[Figure: message flow of the return routability procedure between MN, HA and CN]
RR Procedure Terminology (1)
- Node Key: a secret key (20 octets), Kcn, at the CN
- Nonce: the CN also generates nonces at regular intervals
- Cookie: random number used by the MN
  - To prevent spoofing by a bogus CN in the RR procedure
  - Home init cookie: a cookie sent to the CN in the Home Test Init message, to be returned in the Home Test message
  - Care-of init cookie: a cookie sent to the CN in the Care-of Test Init message, to be returned in the Care-of Test message
RR Procedure Terminology (2)
- Keygen Token
  - Number supplied by the CN to enable the MN to compute the necessary binding management key for authorizing a BU
  - Care-of keygen token: Care-of Test message
  - Home keygen token: Home Test message
- Cryptographic Functions
  - SHA: Secure Hash Standard
  - HMAC_SHA1: Keyed-Hashing for Message Authentication
  - MAC: Message Authentication Codes
Return Routability Test: step 1
[Figure: the Correspondent Node holds the secret key <Kcn> and a table of temporary nonces (1 - <nonce1>, 2 - <nonce2>, ...); messages to and from the home address pass through the Home Agent]
- Home Test Init (MN -> CN): src = <home address>, dst = <correspondent address>, carries <home init cookie>
- CN computes <home keygen token> = HMAC_SHA1_Kcn(<home-address> | <nonce1> | 0) [1:64]
- Home Test (CN -> MN): src = <correspondent address>, dst = <home address>, carries <home init cookie>, <home keygen token>, home nonce index: 1
- The Mobile Node (at its care-of address) now holds: <home init cookie>, <home keygen token>, home nonce index: 1
Return Routability Test: step 2
[Figure: same Correspondent Node state (<Kcn>, nonce table); these messages travel directly between the care-of address and the CN, not through the Home Agent]
- Care-of Test Init (MN -> CN): src = <care-of address>, dst = <correspondent address>, carries <care-of init cookie>
- CN computes <care-of keygen token> = HMAC_SHA1_Kcn(<care-of-address> | <nonce1> | 1) [1:64]
- Care-of Test (CN -> MN): src = <correspondent address>, dst = <care-of address>, carries <care-of init cookie>, <care-of keygen token>, care-of nonce index: 1
- The Mobile Node (at its care-of address) now holds: <care-of init cookie>, <care-of keygen token>, care-of nonce index: 1
Secure Binding Update to CN
[Figure: the Correspondent Node with <Kcn> and its nonce table; the Mobile Node at its care-of address holding both cookies, both keygen tokens and both nonce indices]
- Token definitions at the CN:
  <home keygen token> = HMAC_SHA1_Kcn(<home-address> | <nonce1> | 0) [1:64]
  <care-of keygen token> = HMAC_SHA1_Kcn(<care-of-address> | <nonce1> | 1) [1:64]
- The MN computes:
  Kbm = SHA1(<home keygen token> | <care-of keygen token>)
  MAC = HMAC_SHA1_Kbm(<care-of address> | <correspondent address> | BU) [1:96]
- Binding Update (MN -> CN): src = <care-of address>, dst = <correspondent address>, option: Home Address = <home address>, <sequence number>, <home nonce index = 1>, <care-of nonce index = 1>, <MAC>
- Once the correspondent node has verified the MAC, it can create a Binding Cache entry for the mobile.
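The return routability exchange and the secured Binding Update from the three slides above, as an added example that is not code from the slides or from any MIPv6 implementation. The keygen-token, Kbm and MAC formulas are the slides' own (RFC 3775 Section 5.2); the class and method names, the message dicts, the nonce table, the sample addresses and the constant Kcn are constructed for this example. Transport is replaced by direct method calls, so the HA hop that Home Test Init/Home Test take is not modelled. The CN side keeps no per-MN state until the MAC verifies: it recomputes both tokens from Kcn and the nonce indices carried in the BU, which is what makes a BU from any other care-of address, or with an expired nonce index, fail.

```python
"""Added example (not from these slides): return routability and the secured
Binding Update to a CN, per RFC 3775 Section 5.2.  Names, addresses and Kcn
are constructed; message transport is simulated with direct calls."""
import hashlib
import hmac
import ipaddress
import os
import struct

TOKEN_OCTETS = 8     # [1:64] in the slides' notation: first 64 bits
MAC_OCTETS = 12      # [1:96]: first 96 bits
KIND_HOME, KIND_CAREOF = 0, 1


def _packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def keygen_token(kcn: bytes, address: str, nonce: bytes, kind: int) -> bytes:
    """HMAC_SHA1_Kcn(address | nonce | kind)[1:64]; kind 0 = home, 1 = care-of."""
    msg = _packed(address) + nonce + bytes([kind])
    return hmac.new(kcn, msg, hashlib.sha1).digest()[:TOKEN_OCTETS]


def binding_management_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm: bytes, careof: str, cn: str, mh_data: bytes) -> bytes:
    """MAC = HMAC_SHA1_Kbm(care-of address | correspondent address | BU)[1:96]."""
    msg = _packed(careof) + _packed(cn) + mh_data
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:MAC_OCTETS]


class CorrespondentNode:
    """Holds Kcn and a table of nonces; creates no per-MN state until a BU verifies."""

    def __init__(self, address: str, kcn: bytes):
        self.address = address
        self.kcn = kcn                     # 20-octet node key
        self.nonces = {1: os.urandom(8)}   # nonce index -> nonce (regenerated periodically)
        self.binding_cache = {}            # home address -> care-of address

    def expire_nonce(self, index: int) -> None:
        self.nonces.pop(index, None)       # old nonces are dropped after a short time

    def home_test(self, home_address: str, home_init_cookie: bytes) -> dict:
        idx = max(self.nonces)
        return {"cookie": home_init_cookie, "nonce_index": idx,
                "token": keygen_token(self.kcn, home_address, self.nonces[idx], KIND_HOME)}

    def careof_test(self, careof_address: str, careof_init_cookie: bytes) -> dict:
        idx = max(self.nonces)
        return {"cookie": careof_init_cookie, "nonce_index": idx,
                "token": keygen_token(self.kcn, careof_address, self.nonces[idx], KIND_CAREOF)}

    def receive_binding_update(self, bu: dict) -> str:
        """Recompute both tokens from Kcn and the BU's nonce indices, derive Kbm,
        and check the MAC; only then is a Binding Cache entry created."""
        home_nonce = self.nonces.get(bu["home_nonce_index"])
        careof_nonce = self.nonces.get(bu["careof_nonce_index"])
        if home_nonce is None or careof_nonce is None:
            return "expired nonce index"   # MN has to rerun return routability
        home_token = keygen_token(self.kcn, bu["home_address"], home_nonce, KIND_HOME)
        careof_token = keygen_token(self.kcn, bu["src"], careof_nonce, KIND_CAREOF)
        kbm = binding_management_key(home_token, careof_token)
        expected = bu_authenticator(kbm, bu["src"], self.address, bu["mh_data"])
        if not hmac.compare_digest(expected, bu["mac"]):
            return "bad authenticator"
        self.binding_cache[bu["home_address"]] = bu["src"]
        return "accepted"


class MobileNode:
    def __init__(self, home_address: str, careof_address: str):
        self.home, self.careof = home_address, careof_address
        self.kbm = self.home_nonce_index = self.careof_nonce_index = None

    def run_return_routability(self, cn: CorrespondentNode) -> None:
        """HoTI/HoT (to the home address, via the HA) and CoTI/CoT (direct);
        the cookies tie each reply to the Test Init the MN actually sent."""
        home_cookie, careof_cookie = os.urandom(8), os.urandom(8)
        hot = cn.home_test(self.home, home_cookie)
        cot = cn.careof_test(self.careof, careof_cookie)
        if hot["cookie"] != home_cookie or cot["cookie"] != careof_cookie:
            raise ValueError("Test message does not match our Test Init cookie")
        self.kbm = binding_management_key(hot["token"], cot["token"])
        self.home_nonce_index, self.careof_nonce_index = hot["nonce_index"], cot["nonce_index"]

    def make_binding_update(self, cn_address: str, sequence: int, lifetime_units: int) -> dict:
        # Constructed stand-in for the BU mobility-header contents the MAC covers.
        mh_data = struct.pack("!HHHH", sequence, lifetime_units,
                              self.home_nonce_index, self.careof_nonce_index)
        return {"src": self.careof, "dst": cn_address, "home_address": self.home,
                "home_nonce_index": self.home_nonce_index,
                "careof_nonce_index": self.careof_nonce_index, "mh_data": mh_data,
                "mac": bu_authenticator(self.kbm, self.careof, cn_address, mh_data)}
```

Because the CN derives the care-of token from the BU's actual source address, the same MAC cannot be re-used to bind the home address to some other care-of address, and once the nonce index it names has been retired the CN simply refuses the BU rather than keeping old tokens around.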
Mobile IPv4 vs. Mobile IPv6

Mobile IPv4 | Mobile IPv6
Mobile node, home agent, home link, foreign link | (same)
Mobile node's home address | Globally routable home address and link-local home address
Foreign agent | Collocated care-of address; a "plain" IPv6 router on the foreign link (foreign agent no longer exists)
Care-of address obtained via Agent Discovery, DHCP, or manually | Care-of address obtained via Stateless Address Autoconfiguration, DHCP, or manually
Agent Discovery | Router Discovery
Authenticated registration with home agent | Authenticated notification of home agent and other correspondent nodes
Routing to mobile nodes via tunneling | Routing to mobile nodes via tunneling and source routing
Route optimization via separate protocol specification | Integrated support for route optimization
MIPv6 References
- RFC 3775: Mobility Support in IPv6
- RFC 4443: ICMPv6
- RFC 3776: Using IPsec for MIPv6
- RFC 2408: The Internet Key Exchange