Mobility - University of North Carolina at Chapel Hill


Mobile Networking
Prasun Dewan
Department of Computer Science
University of North Carolina
[email protected]
Problem

• How to provide mobility-transparent network access?
INS Support for Mobility

• Client never sees physical address
  - Query serves as intentional name for source and destination
  - Discovery infrastructure also does message routing
• Conventional model
  - Get address from query
  - Use address to send message
• INS model
  - Send message with query
  - What if multiple services?
    - Anycast
      - Send to service with least value of metric
    - Multicast
      - Send to all matching services
      - Cannot use internet multicast!

INS Problem

• New communication paradigm
  - Implemented on top of existing transport layer
  - Not as efficient?
• Designed for interaction with mobile appliances
  - Not traditional applications on mobile nodes
  - No support for stream-based interaction
Link-Level Support

[Figure: migrating station]

Handoff Schemes

• Some central server/router per wireless LAN knows MH and base station mapping
• Old base station buffers messages and forwards to new one
  - Adjacent base stations join a multicast group and buffer messages
• Works only for migration within a wireless LAN
• Can build on the multicast and forwarding ideas?

Building on Multicast Idea

• Each mobile host has an associated unique internet multicast group
• Moving from internet address A to B:
  - A leaves multicast group
  - B joins it
• Multicast group provides the indirection
• Use of multicast here different from traditional multicast
  - Sparse groups
  - Efficient wide area multicast not available anyway

Building on Forwarding Idea

• A permanent home address assigned to a mobile host
• An agent able to intercept messages sent to that address keeps track of the current location of the host and forwards them to the new location
Excerpt from Zhang’00

Start of excerpt
Mobility at the Network Layer

• Where can you manage mobility?
  - Application
  - Session
  - Transport
  - Network
  - Data-link
  - Physical
• Mobile-IP: an extension to current IP architecture
  - To manage mobility at the IP layer
  - To hide mobility from the upper layers

Terminology

• Mobile Node (MN or MH)
• Correspondent Node (CN or CH)
• Home Network and Foreign Network
• Mobility Agent
  - Home Agent (HA) and Foreign Agent (FA)
• Home Address (HoA) and Care-of Address (CoA)
• Binding and Binding Update

IETF Mobile-IP: Basic Concept

• MN always uses its home address HoA
• When MN visits a foreign network:
  - Discover mobility agents and CoA
  - Registration with FA
  - Registration with HA
  - Binding update (HoA -> CoA)
• When CN communicates with MN, it uses HoA
• HA forwards packet from HoA to CoA
Agent Discovery

• Through Agent Discovery Process
• Agent advertisement (beaconing):
  - Mobility agent broadcasts agent advertisement at regular intervals (“I am here”)
• Agent solicitation:
  - MN can solicit advertisement (“anyone here?”)
  - Mobility agent responds to agent solicitation
• Question: why agent solicitation?

Functions of Agent Advertisement

• Allow for the detection of mobility agents
• Let the MN know whether the agent is a HA or a FA
• List one or more available care-of addresses
• Inform the MN about special features provided by FA
  - Example: alternative encapsulation techniques
• Let MN determine the network number and status of its link to the Internet

CoA

• Two types of CoA:
  - FA’s IP address
  - MN’s temporary address
    - Locally-assigned address in the foreign network
    - E.g., DHCP address
• Depends on foreign network configuration
  - Foreign network may or may not hand out addresses to visitors

Implementing Agent Discovery

• Protocol details
  - Built on top of an existing standard protocol: Router Advertisement (RFC 1256)
  - Simply extends the fields of existing router advertisements
Registering CoA

• HA must know a MH’s CoA (binding update)
• Binding: (HoA -> CoA)
  - Binding has a lifetime (can expire)
• Registration process
  - MH sends a registration request with CoA information
  - HA authenticates the request
  - HA approves or disapproves the request
  - HA adds the necessary information to its routing table
  - HA sends a registration reply back to MH

Registration Operations

[Figure: registration message flow between MH, FA and HA]
Authentication

• A malicious node could cause remote redirect
• Authentication and protection against replay attacks, and need for unique identification field
  - Timestamp and Pseudorandom Number
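An added example, not from the slides, of the checks a home agent applies before accepting a binding update: an HMAC over the request with a key shared by MN and HA, and an identification field (timestamp in the high bits, pseudorandom number in the low bits) that must be fresh and strictly newer than the last accepted one. The request layout, HMAC-SHA256 and the 7-second window are simplifications chosen for this example, not the Mobile IP wire format.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# Clock skew the HA tolerates between its clock and the MN's timestamp (assumption; seconds).
REPLAY_WINDOW = 7

def encode_request(hoa: str, coa: str, lifetime: int, ident: int) -> bytes:
    """Simplified registration request: HoA, CoA, 16-bit lifetime, 64-bit identification."""
    return socket.inet_aton(hoa) + socket.inet_aton(coa) + struct.pack("!HQ", lifetime, ident)

def make_identification(now: int) -> int:
    """Identification field: timestamp in the high 32 bits, pseudorandom number in the low 32."""
    return (now << 32) | secrets.randbits(32)

def sign_request(key: bytes, req: bytes) -> bytes:
    """Authenticator over the whole request using the MN-HA shared key (HMAC-SHA256 here)."""
    return hmac.new(key, req, hashlib.sha256).digest()

def mobile_node_request(key: bytes, hoa: str, coa: str, lifetime: int, now: int):
    """MN side: build and authenticate a registration request for its current CoA."""
    req = encode_request(hoa, coa, lifetime, make_identification(now))
    return req, sign_request(key, req)

class HomeAgent:
    def __init__(self, key_for_hoa: dict):
        self.keys = key_for_hoa   # mobility security association: home address -> shared key
        self.last_ident = {}      # highest identification accepted per HoA (replay state)
        self.bindings = {}        # HoA -> (CoA, expiry time)

    def register(self, req: bytes, auth: bytes, now: int) -> str:
        hoa, coa = socket.inet_ntoa(req[:4]), socket.inet_ntoa(req[4:8])
        lifetime, ident = struct.unpack("!HQ", req[8:18])
        key = self.keys.get(hoa)
        # Authenticate first: an unauthenticated binding update is a remote redirect.
        if key is None or not hmac.compare_digest(sign_request(key, req), auth):
            return "reject: authentication failed"
        # Freshness: the timestamp must be close to the HA's own clock ...
        if abs((ident >> 32) - now) > REPLAY_WINDOW:
            return "reject: identification outside window"
        # ... and strictly newer than anything already accepted, so a captured request is useless.
        if ident <= self.last_ident.get(hoa, -1):
            return "reject: replayed request"
        self.last_ident[hoa] = ident
        self.bindings[hoa] = (coa, now + lifetime)
        return "accept"
```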
Automatic Home Agent Discovery

• Problem: what if MH never knew its HA?
  - Example: MH reboots and loses all state
• Subnet-wise broadcast packet is sent to the home network
  - Subnet-wise broadcast: cell-cast
• HA responds
  - If more than one, other HAs on the home network send rejection notice

Forwarding to CoA

• Encapsulation
  - Sending the original packet (CH->MH) in another packet (HA->CoA)
• Default encapsulation mechanism:
  - IP-within-IP (tunnel)
  - Tunnel header: a new IP header inserted by the tunnel source (home agent)
  - Destination IP: CoA
• Alternative encapsulation mechanism:
  - Minimal encapsulation
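As an added illustration of the IP-within-IP tunnel on this slide (example code, not from the slides or any Mobile IP implementation), the following Python wraps a constructed CH->HoA packet in an outer HA->CoA header and validates that header at the tunnel exit; the addresses are constructed from documentation ranges.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP-within-IP protocol number (RFC 2003), the default Mobile IP tunnel

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; yields 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte option-less IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def encapsulate(inner_packet: bytes, ha_addr: str, coa: str) -> bytes:
    """Home agent side: the original CH->MH packet becomes the payload of an HA->CoA packet."""
    return ipv4_header(ha_addr, coa, IPPROTO_IPIP, len(inner_packet)) + inner_packet

def decapsulate(outer_packet: bytes, expected_coa: str) -> bytes:
    """Tunnel exit (FA or co-located MN): check the outer header, then hand back the inner packet."""
    if len(outer_packet) < 40 or outer_packet[0] != 0x45:
        raise ValueError("outer packet is not a plain IPv4 header carrying an IPv4 packet")
    outer = outer_packet[:20]
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer header checksum mismatch")
    _, _, total_len, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-within-IP" % proto)
    if dst != socket.inet_aton(expected_coa):
        raise ValueError("tunnel packet not addressed to this care-of address")
    if total_len != len(outer_packet):
        raise ValueError("outer length field does not match packet size")
    return outer_packet[20:]

# Constructed addresses (documentation ranges), not taken from the slides.
CH, HOA, HA, COA = "198.51.100.7", "192.0.2.10", "192.0.2.1", "203.0.113.20"

def demo() -> bool:
    payload = b"hello from the correspondent host"
    inner = ipv4_header(CH, HOA, 6, len(payload)) + payload  # CH -> HoA, TCP inside
    outer = encapsulate(inner, HA, COA)                       # HA -> CoA, inner untouched
    return decapsulate(outer, COA) == inner and outer[9] == IPPROTO_IPIP

if __name__ == "__main__":
    print("tunnel round trip ok:", demo())
```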
Tunneling Operations in Mobile IP

[Figure: HA encapsulates CH->MH packet and tunnels it to the CoA]

The Triangle Routing Problem

• MH->CH: direct; CH->MH: CH->HA->MH
  - Inefficient
• Solution: route optimization in Mobile-IP
  - Deliver binding updates directly to CH

Discussion

• System issues

Home Network

• Where can we put the Home Agent?
  - At the router?
  - As a separate server?
• At the router
  - What if there are multiple routers for the home network?
• As a separate server
  - How can it pick up a packet [CH->MH]?

Foreign Network

• Where is FA? (Router or separate server?)
• How can FA deliver MH the packet [CH->MH]?
  - Normally, [CH->MH] would go straight to a router (because MH is foreign)
• Is there adequate support at a foreign network?
  - What if there is no FA at the network you visit?
    - Co-located FA
• What is the minimum requirement from the foreign network?
  - Keep it as small as possible
Security Issues

• Visitors are threats!
  - How to provision your LAN to support nomadic users
  - And to protect your LAN from nomadic users
• Foreign network firewall traversal
  - Can firewall allow inbound [HA->FA] tunnel?
  - Can [MH->CH] pass through an egress filter?
  - Bi-directional tunneling
• Mutual authentication
  - Can you trust MH?
  - Can you trust FA?

Mobile Computing Model

• What is the binding in IETF Mobile-IP?
  - HoA -> CoA (one level of indirection)
• Where is the binding being managed?
  - HA
  - In the route optimization case: CH
• Scale of mobility?
  - Internet-wide
• What is a cell in Mobile-IP?
  - Subnet

Further Discussions

• Variants of IETF Mobile-IP
• Implementation issues
• Mobility scope
  - Macro-mobility: Mobile-IP
  - Micro-mobility: Hierarchical Mobile-IP, Cellular-IP, HAWAII, TeleMIP, EMA, …
• Combining network-layer mobility with link-layer mobility
  - Features: fast handoff, paging, etc.
• Mobility in a higher layer
  - Transport layer, session layer

Excerpt from Zhang’00

End of excerpt
Triangle routing from MH to SH

• Needed to send messages to MH
• Also for sending messages from MH
  - Mobile host source address needs to be home address
  - But for security reasons, local network will not route messages with non-local subnet mask
    - Like mail servers not forwarding messages if reply-to address is not local
  - So MH sends message to Home Agent with local care-of address
  - Home Agent changes it to home address
  - Reverse tunneling
• Thus triangle routing from and to MH

Key Mobile Networking Ideas/Issues

• Location-independent ID
  - Home IP address, multicast address
• Dynamic binding of EID to location
  - Foreign agent contacting home agent
  - Joining/leaving multicast group
• Binding may be stored remote and/or local to communicating party
  - Home agent stores it remote
  - Multicast groups stored remote and cached?
    - Cache refresh problem: need to determine where cached
• Remote binding may be accessed at
  - Connection time
    - What to do if binding changes after connection
    - Does not work for non connection-oriented communication (UDP)
  - Message delivery time
    - Mobile IP
    - Performance problem
DNS based Solution

• Location-independent ID
  - DNS name
• Dynamic binding of ID to location
  - MH gets IP address from local network (DHCP server)
  - DNS system (of home domain) informed about it
    - By DHCP server or MH
• Binding may be stored remote and/or local to communicating party
  - DNS bindings replicated and cached
  - Time to live of cache 0 to avoid cache update
    - Of MH, not the name server holding the mapping
    - Search does not have to start at root
• What if MH moves after address fetched from NS?
  - Try again if TCP connection fails
  - Address is hint rather than absolute

DNS based Solution

• Remote binding accessed at
  - Connection time
    - What to do if binding changes after connection
      - Mobile TCP/IP

Mobile TCP/IP

• TCP connection identified by <source address, source port, destination address, dest port>
  - Need an ID that is address independent
• Connection time, token returned
  - Now connection identified by <address, port, token>
• Moving end can send migrate message to other end with connection ID and new address
  - This message not acked
  - Next message from stationary end to new address implicitly acks migrate message
Migrate Architecture

[Figure from Snoeren’00: DNS Server receives Location Query (DNS Lookup) from the Correspondent Host and Location Update (Dynamic DNS Update) from the Mobile Host foo.bar.edu; Connection Initiation and Connection Migration run between Correspondent Host and Mobile Host as the mobile host's address changes (xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy)]

TCP Connection Migration

[Figure from Snoeren’00]
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
   (Note typo in proceedings)
7. ACK (with data)
Race Conditions

• Both end points migrate at same time
  - Solution assumes one fixed host
• Migrating host’s old address reassigned before it has issued Migrate request
  - That would issue an RST message
  - Wait for migrate request before closing connection

TCP State Machine Changes

[Figure from Snoeren’00: TCP state diagram with the new MIGRATE_WAIT state; transition on recv: SYN (migrate T, R) / send: SYN, ACK; 2MSL timeout]
• 2 new transitions between existing states
• 1 new state handles pathological race condition

Security Issues

• Third party can change DNS mapping
  - Secure DNS needed
• Third party can move connection
  - Token prevents this
• Replay attack
  - Sequence number of request prevents this
• Denial of service
  - SYN flooding
  - Token validation can be expensive
  - A simpler-to-validate token sent with actual token
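To make the token, sequence-number and cheap-to-validate-id points of the Mobile TCP/IP and Security Issues slides concrete, here is an added Python model (not Snoeren's code) of the stationary end's connection table; the 16-bit connection id standing in for the simpler token, the random 16-byte token and the constructed addresses are assumptions of this model.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Connection:
    peer_addr: str
    peer_port: int
    token: bytes                # address-independent connection ID handed out at connect time
    last_migrate_seq: int = -1  # highest Migrate sequence number accepted; replays are not newer

class StationaryEnd:
    """Model of the fixed host in Migrate TCP: a connection is <address, port, token>."""

    def __init__(self):
        self.by_id = {}         # cheap 16-bit connection id -> Connection
        self.validations = 0    # expensive token comparisons performed (the SYN-flood cost)

    def connect(self, peer_addr: str, peer_port: int):
        """Connection setup: return the cheap id and the secret token to the peer."""
        cid = secrets.randbelow(1 << 16)
        while cid in self.by_id:
            cid = secrets.randbelow(1 << 16)
        token = secrets.token_bytes(16)
        self.by_id[cid] = Connection(peer_addr, peer_port, token)
        return cid, token

    def migrate(self, cid: int, token: bytes, seq: int, new_addr: str, new_port: int) -> str:
        """Handle a Migrate request claiming the connection moved to new_addr:new_port."""
        conn = self.by_id.get(cid)
        if conn is None:
            return "drop: unknown id"          # cheap table miss, no crypto spent on a flood
        if seq <= conn.last_migrate_seq:
            return "drop: replayed migrate"    # an old captured Migrate cannot move us back
        self.validations += 1
        if not hmac.compare_digest(conn.token, token):
            return "drop: bad token"           # a third party without the token cannot redirect
        conn.last_migrate_seq = seq
        conn.peer_addr, conn.peer_port = new_addr, new_port
        return "migrated"                      # no explicit ack: the next segment goes to new_addr

    def next_segment_destination(self, cid: int):
        """Where the stationary end sends its next data; arriving there implicitly acks the Migrate."""
        conn = self.by_id[cid]
        return conn.peer_addr, conn.peer_port
```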