Post on 11-Jan-2016

Mobile Networking

Prasun Dewan

Department of Computer Science University of North Carolina

dewan@unc.edu

2

Problem

How to provide mobility-transparent network access?

3

INS Support for Mobility

• Client never sees physical address
• Query serves as intentional name for source and destination
• Discovery infrastructure also does message routing
• Conventional model
  • Get address from query
  • Use address to send message
• INS model
  • Send message with query
• What if multiple services?
  • Anycast
    • Send to service with least value of metric
  • Multicast
    • Send to all matching services
    • Cannot use internet multicast!

4

INS Problem

• New communication paradigm
  • Implemented on top of existing transport layer
  • Not as efficient?
• Designed for interaction with mobile appliances
  • Not traditional applications on mobile nodes
  • No support for stream-based interaction

5

Link-Level Support

Migrating station

6

Handoff Schemes

• Some central server/router per wireless LAN knows MH and base station mapping
• Old base station buffers messages and forwards to new one
• Adjacent base stations join a multicast group and buffer messages
• Works only for migration within a wireless LAN
• Can build on the multicast and forwarding ideas?

7

Building on Multicast Idea

• Each mobile host has an associated unique internet multicast group
• Moving from internet address A to B
  • A leaves multicast group
  • B joins it
• Multicast group provides the indirection
• Use of multicast here different from traditional multicast
  • Sparse groups
  • Efficient wide area multicast not available anyway

8

Building on Forwarding Idea

• A permanent home address assigned to a mobile host
• An agent able to intercept messages sent to that address keeps track of the current location of the host and forwards them to the new location

9

Excerpt from Zhang’00

Start of excerpt

10

Mobility at the Network Layer

• Where can you manage mobility?
  • Application, Session, Transport, Network, Data-link, Physical
• Mobile-IP: an extension to current IP architecture
  • To manage mobility at the IP layer
  • To hide mobility from the upper layers

11

Terminology

• Mobile Node (MN or MH)
• Correspondent Node (CN or CH)
• Home Network and Foreign Network
• Mobility Agent
  • Home Agent (HA) and Foreign Agent (FA)
• Home Address (HoA) and Care-of Address (CoA)
• Binding and Binding Update

12

IETF Mobile-IP: Basic Concept

• MN always uses its home address HoA
• When MN visits a foreign network,
  • Registration with FA
    • Discover mobile agents and CoA
  • Registration with HA
    • Binding update (HoA -> CoA)
• When CN communicates with MN, it uses HoA
  • HA forwards packet from HoA to CoA

13

Agent Discovery

• Through Agent Discovery Process
  • Agent advertisement (beaconing): mobile agent broadcasts agent advertisement at regular intervals (“I am here”)
  • Agent solicitation: MN can solicit advertisement (“anyone here?”); mobile agent responds to agent solicitation
• Question: why agent solicitation?

14

Functions of Agent Advertisement

• Allow for the detection of mobility agents
• Let the MN know whether the agent is a HA or a FA
• List one or more available care-of addresses
• Inform the MN about special features provided by FA
  • Example: Alternative encapsulation techniques
• Let MN determine the network number and status of their link to the Internet

15

CoA

• Two types of CoA:
  • FA’s IP address
  • MN’s temporary address
    • Locally-assigned address in the foreign network
    • E.g., DHCP address
• Depends on foreign network configuration
  • Foreign network may or may not hand out addresses to visitors

16

Implementing Agent Discovery

• Protocol details
  • Built on top of an existing standard protocol: Router Advertisement (RFC 1256)
  • Simply extends the fields of existing router advertisements

17

Registering CoA

• HA must know a MH’s CoA (binding update)
  • Binding: (HoA->CoA)
  • Binding has a lifetime (can expire)
• Registration process
  • MH sends a registration request with CoA information
  • HA authenticates the request
  • HA approves or disapproves the request
  • HA adds the necessary information to its routing table
  • HA sends a registration reply back to MH

18

Registration Operations

19

Authentication

• A malicious node could cause remote redirect
• Authentication and protection against replay attacks, and need for unique identification field
  • Timestamp and Pseudorandom Number
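As an added illustration of the registration process on slide 17 and the authentication and replay checks on slide 19 (a constructed example, not code from the slides or from any Mobile IP implementation): a home agent that verifies a keyed authenticator over the registration request, checks the identification field for freshness and replay, and installs a binding with a lifetime. HMAC-SHA256, the dictionary message layout, the sample addresses and the shared key are assumptions; Mobile IP’s own authentication extension and Identification field are specified differently.

```python
import hashlib, hmac, struct, time

# Constructed shared mobile-home keys, indexed by home address (sample data).
KEYS = {"10.1.1.5": b"shared-secret-for-10.1.1.5"}

def auth_tag(key: bytes, hoa: str, coa: str, lifetime: int, ident: int) -> bytes:
    # Authenticator over the registration fields. Mobile IP's authentication
    # extension is a keyed hash over the request; HMAC-SHA256 is assumed here.
    msg = struct.pack("!IQ", lifetime, ident) + hoa.encode() + b"|" + coa.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_request(hoa: str, coa: str, lifetime: int, ident: int) -> dict:
    # Registration request as sent by the MH; ident plays the role of the
    # Identification field (a timestamp in seconds in this model).
    return {"hoa": hoa, "coa": coa, "lifetime": lifetime, "ident": ident,
            "auth": auth_tag(KEYS[hoa], hoa, coa, lifetime, ident)}

class HomeAgent:
    def __init__(self, max_skew: int = 7):
        self.bindings = {}     # HoA -> (CoA, expiry)
        self.last_ident = {}   # HoA -> identification of last accepted request
        self.max_skew = max_skew

    def register(self, req: dict, now: int = None) -> str:
        now = int(time.time()) if now is None else now
        key = KEYS.get(req["hoa"])
        if key is None:
            return "reject: unknown mobile"
        # Authenticate first: a forged CoA would redirect the MH's traffic.
        expected = auth_tag(key, req["hoa"], req["coa"], req["lifetime"], req["ident"])
        if not hmac.compare_digest(expected, req["auth"]):
            return "reject: bad authenticator"
        # Replay protection: identification must be fresh and strictly newer
        # than the last one accepted for this HoA.
        if abs(req["ident"] - now) > self.max_skew:
            return "reject: identification out of window"
        if req["ident"] <= self.last_ident.get(req["hoa"], -1):
            return "reject: replay"
        self.last_ident[req["hoa"]] = req["ident"]
        if req["lifetime"] == 0:           # lifetime 0 = deregistration
            self.bindings.pop(req["hoa"], None)
            return "accept: binding removed"
        self.bindings[req["hoa"]] = (req["coa"], now + req["lifetime"])
        return "accept"

    def lookup(self, hoa: str, now: int):
        # Binding has a lifetime: an expired binding is not used for forwarding.
        b = self.bindings.get(hoa)
        return b[0] if b and now < b[1] else None
```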

20

Automatic Home Agent Discovery

• Problem: what if MH never knew its HA?
  • Example: MH reboots and loses all state
• Subnet-wise broadcast packet is sent to the home network
  • Subnet-wise broadcast: cell-cast
• HA responds
  • If more than one, other HAs on the home network send rejection notice

21

Forwarding to CoA

• Encapsulation
  • Sending the original packet (CH->MH) in another packet (HA->CoA)
• Default encapsulation mechanism: IP-within-IP (tunnel)
  • Tunnel header: A new IP header inserted by the tunnel source (home agent)
  • Destination IP: CoA
• Alternative encapsulation mechanism: Minimal encapsulation

22

Tunneling Operations in Mobile IP

23

The Triangle Routing Problem

• MH->CH: direct; CH->MH: CH->HA->MH
  • Inefficient
• Solution: Route optimization in Mobile-IP
  • Deliver binding updates directly to CH

24

Discussion

System issues

25

Home Network

• Where can we put the Home Agent? At the router? As a separate server?
• At the router
  • What if there are multiple routers for the home network?
• As a separate server
  • How can it pick up a packet [CH->MH]?

26

Foreign Network

• Where is FA? (Router or separate server?)
• How can FA deliver MH the packet [CH->MH]?
  • Normally, [CH->MH] would go straight to a router (because MH is foreign)
• Is there adequate support at a foreign network?
  • What if there is no FA at the network you visit? Co-located FA
• What is the minimum requirement from the foreign network? Keep it as small as possible

27

Security Issues

• Visitors Are Threats!
  • How to provision your LAN to support nomadic users
  • And to protect your LAN from nomadic users
• Foreign Network Firewall Traversal
  • Can firewall allow inbound [HA->FA] tunnel?
  • Can [MH->CH] pass through an egress filter?
  • Bi-directional tunneling
• Mutual Authentication
  • Can you trust MH? Can you trust FA?

28

Mobile Computing Model

• What is the binding in IETF Mobile-IP? HoA -> CoA (one level of indirection)
• Where is the binding being managed? HA
  • In the route optimization case: CH
• Scale of mobility? Internet-wide
• What is a cell in Mobile-IP? Subnet

29

Further Discussions

• Variants of IETF Mobile-IP
• Implementation issues
• Mobility Scope
  • Macro-mobility: Mobile-IP
  • Micro-mobility: Hierarchical Mobile-IP, Cellular-IP, HAWAII, TeleMIP, EMA, …
  • Combining network-layer mobility with link-layer mobility
    • Features: fast handoff, paging, etc.
• Mobility in a higher layer
  • Transport layer, session layer

30

Excerpt from Zhang’00

End of excerpt

31

Triangle routing from MH to SH

• Needed to send messages to MH
• Also for sending messages from MH
  • Mobile Host source address needs to be home address
  • But for security reasons, local network will not route messages with non-local subnet mask
    • Like mail servers not forwarding messages if reply-to address is not local
  • So MH sends message to Home Agent with local care-of address
    • Home Agent changes it to home address
    • Reverse tunneling
• Thus triangle routing from and to MH
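A constructed example of the IP-within-IP tunnel from slide 21 and the reverse tunnel from slide 31 (added here; not code from the slides or from any Mobile IP stack): the home agent wraps a packet for a registered home address in an outer HA -> CoA header, the tunnel endpoint checks and strips that header, and the mobile host reverse-tunnels its outgoing packet so the outer source is its local care-of address and passes the foreign network’s egress filter. The addresses and the binding table are constructed sample data; protocol number 4 is the IANA value for IP-in-IP.

```python
import socket, struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-within-IP encapsulation

def ipv4_checksum(hdr: bytes) -> int:
    # Ones'-complement sum of 16-bit words; a header that verifies sums to 0.
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte header, no options; the checksum is filled in last.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    if f[0] >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[ihl:f[2]]}

def ha_forward(bindings: dict, ha_addr: str, pkt: bytes):
    # Home agent: a packet for a registered HoA gets a tunnel header HA -> CoA
    # (IP-within-IP). Addresses with no binding are left to normal delivery.
    coa = bindings.get(parse_ipv4(pkt)["dst"])
    return build_ipv4(ha_addr, coa, IPPROTO_IPIP, pkt) if coa else None

def fa_deliver(fa_addr: str, tunnelled: bytes) -> bytes:
    # Tunnel endpoint (FA or co-located CoA): accept only IP-in-IP packets
    # addressed to itself, strip the outer header, hand over the original.
    outer = parse_ipv4(tunnelled)
    if outer["dst"] != fa_addr or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    return outer["payload"]

def mh_reverse_tunnel(coa: str, ha_addr: str, hoa: str, ch_addr: str, data: bytes) -> bytes:
    # Reverse tunnel (slide 31): the inner packet keeps HoA as source; the outer
    # header uses the local CoA so the foreign network's egress filter accepts it.
    # 17 is the UDP protocol number, used here for the constructed inner packet.
    return build_ipv4(coa, ha_addr, IPPROTO_IPIP, build_ipv4(hoa, ch_addr, 17, data))
```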

32

Key Mobile Networking Ideas/Issues

• Location-independent ID
  • Home IP address, Multicast address
• Dynamic binding of EID to location
  • Foreign agent contacting home agent
  • Joining/leaving multicast group
• Binding may be stored remote and/or local to communicating party
  • Home agent stores it remote
  • Multicast groups stored remote and cached?
    • Cache refresh problem – need to determine where cached
• Remote Binding may be accessed at
  • Connection time
    • What to do if binding changes after connection
    • Does not work for non connection-oriented communication (UDP)
  • Message delivery time
    • Mobile IP
    • Performance problem

33

DNS based Solution

• Location-independent ID
  • DNS name
• Dynamic binding of ID to location
  • MH gets IP address from local network (DHCP server)
  • DNS system of (home domain) informed about it
    • By DHCP server or MH
• Binding may be stored remote and/or local to communicating party
  • DNS bindings replicated and cached
  • Time to live of cache 0 to avoid cache update
    • Of MH, not the name server holding the mapping
  • Search does not have to start at root
• What if MH moves after address fetched from NS?
  • Try again if TCP connection fails
  • Address is hint rather than absolute

34

DNS based Solution

• Remote Binding accessed at
  • Connection time
    • What to do if binding changes after connection
      • Mobile TCP/IP

35

Mobile TCP/IP

• TCP connection identified by <source address, source port, destination address, dest port>
• Need an ID that is address independent
  • Connection time, token returned
  • Now connection identified by <address, port, token>
• Moving end can send migrate message to other end with connection ID and new address
  • This message not acked
  • Next message from stationary end to new address implicitly acks migrate message

36

Migrate Architecture

[Figure: DNS Server, Mobile Host foo.bar.edu (addresses xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy), Correspondent Host. Labelled flows: Location Query (DNS Lookup), Connection Initiation, Location Update (Dynamic DNS Update), Connection Migration]

From snoeren’00


TCP Connection Migration

1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data) (Note typo in proceedings)

From snoeren’00

40

Race Conditions

• Both end points migrate at same time
  • Solution assumes one fixed host
• Migrating host’s old address reassigned before it has issued Migrate request
  • That would issue an RST message
  • Wait for migrate request before closing connection

TCP State Machine Changes

[Figure: TCP state machine with the Migrate additions. Labels: MIGRATE_WAIT (2MSL timeout); recv: SYN (migrate T, R) / send: SYN, ACK; recv: RST; appl: migrate / send: SYN (migrate T, R)]

• 2 new transitions between existing states
• 1 new state handles pathological race condition

From snoeren’00

42

Security Issues

• Third party can change DNS mapping
  • Secure DNS needed
• Third party can move connection
  • Token prevents this
• Replay attack
  • Sequence number of request prevents this
• Denial of service
  • SYN Flooding
  • Token validation can be expensive
    • A simpler-to-validate token sent with actual token
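A constructed model of the migrate handling on slide 35 together with the token, request sequence number and cheap-token defenses on slide 42 (added example; it is not the Migrate protocol’s wire format or Snoeren’s implementation). The random token, the HMAC tag over the migrate request and the 8-byte cheap token looked up by table are assumptions made for the model.

```python
import hashlib, hmac, os, struct

# Stationary end of a Migrate-style TCP connection (constructed model of the
# slides' ideas, not the Migrate protocol's actual messages or token scheme).

def migrate_tag(token: bytes, seq: int, new_addr: str, new_port: int) -> bytes:
    # Authenticator the moving end attaches to a migrate request (assumed form).
    body = struct.pack("!I", seq) + f"{new_addr}:{new_port}".encode()
    return hmac.new(token, body, hashlib.sha256).digest()

class StationaryEnd:
    def __init__(self):
        self.conns = {}     # connection id -> state
        self.by_cheap = {}  # cheap token -> connection id (plain lookup, no hashing)
        self.next_id = 1

    def accept(self, peer_addr: str, peer_port: int):
        # At connection time a token is returned, so the connection is identified
        # by <address, port, token> rather than by the addresses alone.
        cid, self.next_id = self.next_id, self.next_id + 1
        token, cheap = os.urandom(32), os.urandom(8)
        self.conns[cid] = {"peer": (peer_addr, peer_port), "token": token,
                           "cheap": cheap, "last_seq": 0}
        self.by_cheap[cheap] = cid
        return cid, token, cheap

    def migrate(self, cheap: bytes, seq: int, new_addr: str, new_port: int, tag: bytes) -> str:
        # Step 1: the cheap token is checked by table lookup before any expensive
        # validation, so a flood of junk migrate requests costs almost nothing.
        cid = self.by_cheap.get(cheap)
        if cid is None:
            return "drop: unknown connection"
        conn = self.conns[cid]
        # Step 2: the request sequence number must increase, so a captured
        # migrate message cannot be replayed to move the connection again.
        if seq <= conn["last_seq"]:
            return "drop: replayed request"
        # Step 3: full validation with the real token; a third party that knows
        # only the addresses and ports cannot produce a valid tag.
        if not hmac.compare_digest(migrate_tag(conn["token"], seq, new_addr, new_port), tag):
            return "drop: bad token"
        conn["last_seq"], conn["peer"] = seq, (new_addr, new_port)
        # No explicit ack: the next message sent to the new address acks it.
        return "migrated"

    def peer_of(self, cid: int):
        return self.conns[cid]["peer"]
```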