Mobile Networks in IPv6 - Grenoble


Mobile Networks Support in IPv6
- Draft Update draft-ernst-mobileip-v6-01.txt -
Thierry Ernst - MOTOROLA Labs
Ludovic Bellier - INRIA (Planete project)
Claude Castelluccia - INRIA (Planete project)
Hong-Yon Lach - MOTOROLA Labs
49th IETF - San Diego - 1

Definition and Terminology
- Mobile Node = a node that changes its point of attachment by means of Mobile IPv6
- Mobile Network = an entire network that changes its point of attachment
  - An IP subnet or a collection of IP subnets
  - Mobile Router (MR) + its attached Nodes and Routers.
  - SNs = all stationary nodes located in the mobile network (SNs are not Mobile Nodes!)
  - Future needs require considering (potentially large) mobile networks
- CNs = all nodes communicating with SNs
- Aim of this work is to:
  - Provide continuous Internet connectivity to SNs
  - Offer optimal routing between CNs and SNs
- Mobile IPv6 specification:
  - Mobile IPv6 nodes may either be Mobile Hosts or Mobile Routers.
  - But no explicit mention of mobile networks.

Experimentation: Test Bed
- Francis Dupont INRIA IPv6 Implementation under FreeBSD 3.3
- MR has two interfaces
  - One on the home / foreign link in the home / foreign network
  - One on the internal link in the mobile network
- Mobile Network attaches to foreign link:
  - MR obtains a care-of address on the foreign link
  - MR registers care-of address with HA.
  - HA opens an IPv6-in-IPv6 tunnel to MR’s care-of address
  - HA adds a host-specific route for MR’s home address to MR’s care-of address

Experimentation: Ping between CN and MR
- Packet is routed to BR
- BR sends NDP messages to discover MR’s MAC address
- HA replies with HA’s address on behalf of MR
- HA intercepts packets addressed to MR
- HA routes the packet to the IPv6-in-IPv6 tunnel
- HA tunnels the packet to MR’s care-of address
=> Redirection works fine whether Mobile Node is a Host or a Router
[Figure labels: "MR ?" / "I’m MR" / "No problem, MR receives the packet"]

Experimentation: Ping between CN and SN
- Packet is routed to BR
- In BR’s routing table, MR’s home address is the next hop towards SN
- BR sends NDP messages to discover MR’s MAC address
- HA replies with HA’s address on behalf of MR
- HA intercepts but does not have an entry for SN’s address
- HA sends the packet to its default route, i.e. the BR
- The packet enters a routing loop
=> Redirection to SNs impossible
[Figure labels: "MR ?" / "I’m MR" / "Routing Loop" / "Problem, SN never receives the packet"]

Our Solution: Network Scope Binding Updates
- Assumption: all nodes in the mobile network share a common IP prefix = Mobile Network Prefix
  - If only one subnet -> internal link’s prefix
  - If several subnets -> a common prefix (sub-SLA) identifying all subnets in the mobile network
- Our solution: all packets with a destination address corresponding to the Mobile Network Prefix are routed to the MR’s care-of address.
- Means:
  - A Binding between the Mobile Network Prefix and the MR’s care-of address.
  - A new Sub-Option to carry the Mobile Network Prefix + a ‘P’ flag
  - Prefix and flag are recorded in the binding cache
  - Binding Cache is searched for a Prefix for those records showing the ‘P’ flag.
- BUs containing the Mobile Network Prefix are sent:
  - To the HA to allow redirection
  - To all CNs to allow optimal routing
- BUs are sent by the MR, not by individual SNs:
  - mobility of network is transparent to SNs
  - mobility management is aggregated (a given CN only gets 1 BU whatever # SNs)
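
The lookup rule from this slide, and the failure from the CN-to-SN ping that it fixes, as an added example (not code from the draft or from the INRIA test bed). The addresses are constructed from the 2001:db8::/32 documentation range, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Binding:
    key: ipaddress.IPv6Network      # /128 home address, or the Mobile Network Prefix
    care_of: ipaddress.IPv6Address
    p_flag: bool                    # True: key is a prefix (network scope binding)

class BindingCache:
    def __init__(self):
        self.entries = []

    def update(self, key, care_of, p_flag=False):
        net = ipaddress.IPv6Network(key)
        if not p_flag and net.prefixlen != 128:
            raise ValueError("host binding must be a /128 home address")
        # A new BU for the same key replaces the old binding.
        self.entries = [b for b in self.entries if (b.key, b.p_flag) != (net, p_flag)]
        self.entries.append(Binding(net, ipaddress.IPv6Address(care_of), p_flag))

    def lookup(self, dst):
        dst = ipaddress.IPv6Address(dst)
        # Exact home-address match first (plain Mobile IPv6 behaviour).
        for b in self.entries:
            if not b.p_flag and dst == b.key.network_address:
                return b
        # Then a prefix search, restricted to records carrying the 'P' flag.
        hits = [b for b in self.entries if b.p_flag and dst in b.key]
        return max(hits, key=lambda b: b.key.prefixlen, default=None)

def ha_forward(cache, dst):
    """What the HA does with an intercepted packet addressed to dst."""
    b = cache.lookup(dst)
    return f"tunnel to {b.care_of}" if b else "default route to BR (routing loop)"

# Constructed sample addresses: MR home address, MR care-of address, one SN.
MR_HOME, MR_COA = "2001:db8:1::1", "2001:db8:f::99"
SN = "2001:db8:100::5"

def demo():
    cache = BindingCache()
    cache.update(MR_HOME + "/128", MR_COA)                   # classic BU from the MR
    before = (ha_forward(cache, MR_HOME), ha_forward(cache, SN))
    cache.update("2001:db8:100::/48", MR_COA, p_flag=True)   # network scope BU
    after = ha_forward(cache, SN)
    return before, after
```
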

Our Solution: Security Issues
- Existing Mobile IPv6 for Mobile Nodes:
  - Authentication of BU’s sender:
    - MN authenticated thanks to IPSec
  - Authorization of MN = allowing MN to send BUs
    - no explicit authorization
    - If sender is authenticated, the Mobile IPv6 policy is to accept, record, and use whatever care-of address is received
- Mobile IPv6 extensions to support Mobile Networks:
  - Authentication of BU’s sender:
    - MR is authenticated thanks to IPSec (same as for a single MN)
  - Authorization of MR = allowing the MR to manage mobility of an entire network
    - If the Mobile IPv6 policy says that a care-of address can be registered for a prefix, then MR has the right to register a binding between the Mobile Network Prefix and its address.
    - Authorization may be provided by a certificate:
      - exchanged during SA negotiation
      - to guarantee that MR actually serves the mobile network with the specified Prefix.
- Our solution is a matter of Authorization, not a matter of Authentication
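
One way the authorization step could be enforced when a prefix-scope BU arrives, as an added example rather than anything specified in the draft. The policy table is a hypothetical stand-in for what the certificate would assert; accepting a sub-prefix of a certified prefix and refusing a wider one are assumptions of this sketch.

```python
import ipaddress

# Hypothetical policy table standing in for certificate contents:
# authenticated home address -> prefixes that node is certified to serve.
# All addresses are constructed (2001:db8::/32 documentation range).
AUTHORIZED = {
    "2001:db8:1::1": ["2001:db8:100::/48"],  # the MR
    "2001:db8:1::2": [],                     # a mobile host, serves no network
}

def accept_bu(sender_home, authenticated, key, p_flag, policy=AUTHORIZED):
    """Decide whether the receiver of a BU (HA or CN) records the binding.

    Returns (accepted, reason).
    """
    if not authenticated:
        return False, "sender not authenticated"
    try:
        home = ipaddress.IPv6Address(sender_home)
        claimed = ipaddress.IPv6Network(key)  # strict: rejects stray host bits
    except ValueError:
        return False, "malformed address or prefix"
    if not p_flag:
        # Plain Mobile IPv6: the binding is for the sender's own home address.
        if claimed == ipaddress.IPv6Network(f"{home}/128"):
            return True, "host binding"
        return False, "key is not the sender's home address"
    for allowed in policy.get(str(home), []):
        # Authentication alone is not enough: the claimed prefix must sit
        # inside a certified one. A wider claim (/32 against /48) is refused.
        if claimed.subnet_of(ipaddress.IPv6Network(allowed)):
            return True, f"prefix covered by {allowed}"
    return False, "sender not authorized for this prefix"
```
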

Mobile IP Working Group Item ?

Does the Mobile IP WG agree that:
- HA is unable to redirect packets sent to nodes in the mobile network? (if the final destination is not the Mobile Router itself)
- CN is unable to directly route packets to nodes in the mobile network? (if the final destination is not the Mobile Router itself)
=> no redirection + no optimal routing = SNs are unreachable

This should be addressed by the Mobile IP WG
=> Add « Support of Mobile Networks » as a work item of the Mobile IP WG and include it in the charter.
For More Information
draft-ernst-mobileip-v6-network-01.txt
Thierry Ernst
http://www.inrialpes.fr/planete
This is a joint work between
and