
Mobile Networking

Prasun Dewan

Department of Computer Science University of North Carolina

dewan@unc.edu


Problem

How to provide mobility-transparent network access?


INS Support for Mobility

• Client never sees physical address
• Query serves as intentional name for source and destination
• Discovery infrastructure also does message routing
   • Conventional model: get address from query, then use address to send message
   • INS model: send message with query
• What if multiple services match?
   • Anycast: send to service with least value of metric
   • Multicast: send to all matching services; cannot use internet multicast!


INS Problem

• New communication paradigm
   • Implemented on top of existing transport layer: not as efficient?
• Designed for interaction with mobile appliances
   • Not traditional applications on mobile nodes
   • No support for stream-based interaction


Link-Level Support

Migrating station


Handoff Schemes

• Some central server/router per wireless LAN knows MH and base station mapping
• Old base station buffers messages and forwards to new one
• Adjacent base stations join a multicast group and buffer messages
• Works only for migration within a wireless LAN
• Can build on the multicast and forwarding ideas?


Building on Multicast Idea

• Each mobile host has an associated unique internet multicast group
• Moving from internet address A to B:
   • A leaves multicast group
   • B joins it
• Multicast group provides the indirection
• Use of multicast here different from traditional multicast
   • Sparse groups
   • Efficient wide area multicast not available anyway


Building on Forwarding Idea

• A permanent home address is assigned to a mobile host.
• An agent able to intercept messages sent to that address keeps track of the current location of the host and forwards them to the new location.


Excerpt from Zhang’00

Start of excerpt


Mobility at the Network Layer

• Where can you manage mobility? Application, Session, Transport, Network, Data-link, Physical
• Mobile-IP: an extension to the current IP architecture
   • To manage mobility at the IP layer
   • To hide mobility from the upper layers


Terminology

• Mobile Node (MN or MH)
• Correspondent Node (CN or CH)
• Home Network and Foreign Network
• Mobility Agent: Home Agent (HA) and Foreign Agent (FA)
• Home Address (HoA) and Care-of Address (CoA)
• Binding and Binding Update


IETF Mobile-IP: Basic Concept

• MN always uses its home address HoA
• When MN visits a foreign network,
   • Registration with FA: discover mobility agents and CoA
   • Registration with HA: binding update (HoA -> CoA)
• When CN communicates with MN, it uses HoA
• HA forwards packet from HoA to CoA


Agent Discovery

• Through the Agent Discovery process
   • Agent advertisement (beaconing): mobility agents broadcast agent advertisements at regular intervals ("I am here")
   • Agent solicitation: MN can solicit an advertisement ("anyone here?"); mobility agents respond to agent solicitations
• Question: why agent solicitation?


Functions of Agent Advertisement

• Allow for the detection of mobility agents
• Let the MN know whether the agent is a HA or a FA
• List one or more available care-of addresses
• Inform the MN about special features provided by FA
   • Example: alternative encapsulation techniques
• Let MN determine the network number and status of their link to the Internet


CoA

• Two types of CoA:
   • FA's IP address
   • MN's temporary address: locally-assigned address in the foreign network (e.g., DHCP address)
• Depends on foreign network configuration
   • Foreign network may or may not hand out addresses to visitors


Implementing Agent Discovery

• Protocol details
   • Built on top of an existing standard protocol: Router Advertisement (RFC 1256)
   • Simply extends the fields of existing router advertisements


Registering CoA

• HA must know a MH's CoA (binding update)
   • Binding: (HoA -> CoA)
   • Binding has a lifetime (can expire)
• Registration process
   • MH sends a registration request with CoA information
   • HA authenticates the request
   • HA approves or disapproves the request
   • HA adds the necessary information to its routing table
   • HA sends a registration reply back to MH


Registration Operations


Authentication

• A malicious node could cause remote redirect
• Authentication and protection against replay attacks, and need for a unique identification field
   • Timestamp and pseudorandom number


Automatic Home Agent Discovery

• Problem: what if MH never knew its HA?
   • Example: MH reboots and loses all state
• Subnet-wise broadcast packet is sent to the home network
   • Subnet-wise broadcast: cell-cast
• HA responds
   • If more than one, other HAs on the home network send rejection notice


Forwarding to CoA

• Encapsulation: sending the original packet (CH->MH) in another packet (HA->CoA)
• Default encapsulation mechanism: IP-within-IP (tunnel)
   • Tunnel header: a new IP header inserted by the tunnel source (home agent)
   • Destination IP: CoA
• Alternative encapsulation mechanism: minimal encapsulation


Tunneling Operations in Mobile IP


The Triangle Routing Problem

• MH->CH: direct; CH->MH: CH->HA->MH
• Inefficient
• Solution: route optimization in Mobile-IP
   • Deliver binding updates directly to CH


Discussion

System issues


Home Network

• Where can we put the Home Agent? At the router? As a separate server?
• At the router
   • What if there are multiple routers for the home network?
• As a separate server
   • How can it pick up a packet [CH->MH]?


Foreign Network

• Where is FA? (Router or separate server?)
• How can FA deliver MH the packet [CH->MH]?
   • Normally, [CH->MH] would go straight to a router (because MH is foreign)
• Is there adequate support at a foreign network?
   • What if there is no FA at the network you visit? Co-located FA
• What is the minimum requirement from the foreign network? Keep it as small as possible


Security Issues

• Visitors are threats!
   • How to provision your LAN to support nomadic users
   • And to protect your LAN from nomadic users
• Foreign network firewall traversal
   • Can the firewall allow an inbound [HA->FA] tunnel?
   • Can [MH->CH] pass through an egress filter?
   • Bi-directional tunneling
• Mutual authentication
   • Can you trust MH? Can you trust FA?


Mobile Computing Model

• What is the binding in IETF Mobile-IP? HoA -> CoA (one level of indirection)
• Where is the binding being managed? HA; in the route optimization case: CH
• Scale of mobility? Internet-wide
• What is a cell in Mobile-IP? Subnet


Further Discussions

• Variants of IETF Mobile-IP
• Implementation issues
• Mobility scope
   • Macro-mobility: Mobile-IP
   • Micro-mobility: Hierarchical Mobile-IP, Cellular-IP, HAWAII, TeleMIP, EMA, ...
   • Combining network-layer mobility with link-layer mobility
   • Features: fast handoff, paging, etc.
• Mobility in a higher layer: transport layer, session layer


Excerpt from Zhang’00

End of excerpt
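The registration and authentication steps in the excerpt above (the Registering CoA and Authentication slides) are easy to get wrong in practice, so here is a worked example of an HA verifying a registration request before it installs a HoA -> CoA binding. This is added code, not from the lecture or from Zhang'00. The message layout, the use of HMAC-SHA256, the 7-second clock-skew window and all addresses are assumptions made for illustration; Mobile IPv4 as standardized (RFC 3344) uses HMAC-MD5 over the registration request and a 64-bit Identification field for replay protection.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed example (not the lecture's or Zhang'00's code). Layout and
# HMAC-SHA256 are assumptions; RFC 3344 specifies HMAC-MD5 and a 64-bit
# Identification field, which is what the timestamp below stands in for.

MAC_LEN = 32          # bytes of HMAC-SHA256 output
REPLAY_WINDOW = 7     # seconds of MN/HA clock skew tolerated (assumption)


def pack_request(hoa, ha, coa, lifetime, identification):
    """Serialize the part of a registration request that is authenticated."""
    return (bytes([1])                       # type 1 = Registration Request
            + IPv4Address(hoa).packed
            + IPv4Address(ha).packed
            + IPv4Address(coa).packed
            + struct.pack("!HQ", lifetime, identification))


def unpack_request(body):
    hoa, ha, coa = (str(IPv4Address(body[i:i + 4])) for i in (1, 5, 9))
    lifetime, identification = struct.unpack("!HQ", body[13:23])
    return hoa, ha, coa, lifetime, identification


def authenticator(key, body):
    """MN-HA authentication extension: keyed MAC over the request body."""
    return hmac.new(key, body, hashlib.sha256).digest()


def make_request(key, hoa, ha, coa, lifetime, now):
    """What the MN sends: body + authenticator; Identification = timestamp."""
    body = pack_request(hoa, ha, coa, lifetime, int(now))
    return body + authenticator(key, body)


class HomeAgent:
    """Verifies registration requests before installing a HoA -> CoA binding."""

    def __init__(self, keys, clock):
        self.keys = keys            # HoA -> shared MN-HA key (security association)
        self.clock = clock          # callable returning the HA's current time
        self.last_identification = {}
        self.bindings = {}          # HoA -> (CoA, lifetime)

    def register(self, msg):
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        hoa, _ha, coa, lifetime, identification = unpack_request(body)
        key = self.keys.get(hoa)
        if key is None:
            return "rejected: no security association"
        # Constant-time compare; an altered request (a remote redirect that
        # swaps in the attacker's CoA) fails here.
        if not hmac.compare_digest(mac, authenticator(key, body)):
            return "rejected: authentication failed"
        # Replay protection: the Identification field must be fresh and
        # strictly newer than the last one accepted for this HoA.
        if abs(self.clock() - identification) > REPLAY_WINDOW:
            return "rejected: identification mismatch"
        if identification <= self.last_identification.get(hoa, -1):
            return "rejected: replay"
        self.last_identification[hoa] = identification
        self.bindings[hoa] = (coa, lifetime)
        return "accepted"


def forge_coa(msg, attacker_coa):
    """Attacker rewrites the CoA of a captured request, keeping the old MAC."""
    body = bytearray(msg)
    body[9:13] = IPv4Address(attacker_coa).packed
    return bytes(body)
```

The order of the checks matters: the MAC is verified before the Identification field is consulted, so an unauthenticated sender cannot learn or advance the HA's replay state, and the forged-CoA case (the "remote redirect" on the Authentication slide) is rejected without ever touching the binding table.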


Triangle routing from MH to SH

• Needed to send messages to MH
• Also for sending messages from MH
   • Mobile host source address needs to be home address
   • But for security reasons, local network will not route messages whose source address is not in the local subnet (ingress filtering)
   • Like mail servers not forwarding messages if reply-to address is not local
• So MH tunnels the message to the Home Agent using its local care-of address as the outer source; the Home Agent strips the outer header and sends the message on with the home address as source
   • Reverse tunneling
• Thus triangle routing from and to MH
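The two tunnels described above (HA -> CoA forwarding on the excerpt's Forwarding to CoA slide, and the reverse tunnel on this slide) both use IP-within-IP encapsulation, and the reason the reverse tunnel is needed is the foreign network's source-address filter. The following added example, which is not code from the lecture, Zhang'00 or any Mobile IP implementation, builds real IPv4 headers (RFC 791 layout, protocol 4 for IP-in-IP as in RFC 2003) so both tunnels and the filter can be exercised on byte strings. The addresses, the filter rule and the use of bare bytes as the transport payload are assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed example, not from the lecture or Zhang'00. Addresses are
# documentation ranges; the ingress-filter rule is an assumption that models
# a router dropping packets whose source is not in the local subnet.

IPPROTO_IPIP = 4      # IP-in-IP (RFC 2003)
IPPROTO_UDP = 17      # used only to label the inner payload


def checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_header(pkt):
    """Return the fields a router needs; reject bad versions or checksums."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or checksum(pkt[:20]) != 0:
        raise ValueError("malformed IPv4 header")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "total": total, "ttl": ttl}


def datagram(src, dst, payload):
    """An ordinary packet; the payload stands in for the transport segment."""
    return ipv4_header(src, dst, IPPROTO_UDP, len(payload)) + payload


def encapsulate(tunnel_src, tunnel_dst, inner):
    """IP-in-IP: prepend an outer header addressed to the tunnel endpoint.
    HA->CoA for forward traffic, CoA->HA for the reverse tunnel."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(pkt):
    """Tunnel endpoint: strip the outer header and return the inner packet."""
    outer = parse_header(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return pkt[20:outer["total"]]


def passes_ingress_filter(pkt, local_net):
    """Foreign-network border rule (assumed): forward only packets whose
    source address belongs to the local subnet."""
    return IPv4Address(parse_header(pkt)["src"]) in local_net


if __name__ == "__main__":
    HOA, HA, COA, CH = "10.0.0.5", "10.0.0.1", "192.0.2.77", "198.51.100.9"
    foreign = IPv4Network("192.0.2.0/24")
    # CH -> HoA arrives at the home network; HA tunnels it to the CoA.
    tunneled = encapsulate(HA, COA, datagram(CH, HOA, b"hello"))
    print("forward tunnel outer:", parse_header(tunneled))
    # MH replies with HoA as source: dropped by the foreign network's filter.
    reply = datagram(HOA, CH, b"reply")
    print("direct reply forwarded:", passes_ingress_filter(reply, foreign))
    # Reverse tunnel: outer source is the CoA, so the filter passes it.
    print("reverse tunnel forwarded:", passes_ingress_filter(encapsulate(COA, HA, reply), foreign))
```

Note that the HA does not rewrite the inner source on the reverse path: the inner packet already carries the home address, and decapsulation simply exposes it once the packet is back on the home network.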


Key Mobile Networking Ideas/Issues

• Location-independent ID
   • Home IP address, multicast address
• Dynamic binding of EID to location
   • Foreign agent contacting home agent
   • Joining/leaving multicast group
• Binding may be stored remote and/or local to communicating party
   • Home agent stores it remote
   • Multicast groups stored remote and cached?
   • Cache refresh problem: need to determine where cached
• Remote binding may be accessed at
   • Connection time
      • What to do if binding changes after connection
      • Does not work for non connection-oriented communication (UDP)
   • Message delivery time
      • Mobile IP performance problem


DNS based Solution

• Location-independent ID: DNS name
• Dynamic binding of ID to location
   • MH gets IP address from local network (DHCP server)
   • DNS system of (home domain) informed about it, by DHCP server or MH
• Binding may be stored remote and/or local to communicating party
   • DNS bindings replicated and cached
   • Time to live of cache 0 to avoid cache update (of the MH's record, not of the name server holding the mapping)
   • Search does not have to start at root
• What if MH moves after address fetched from NS?
   • Try again if TCP connection fails
   • Address is hint rather than absolute


DNS based Solution

• Remote binding accessed at connection time
   • What to do if binding changes after connection
   • Mobile TCP/IP


Mobile TCP/IP

• TCP connection identified by <source address, source port, destination address, destination port>
• Need an ID that is address independent
   • At connection time, a token is returned
   • Now connection identified by <address, port, token>
• Moving end can send migrate message to other end with connection ID and new address
   • This message is not acked
   • Next message from stationary end to new address implicitly acks migrate message


Migrate Architecture (figure, from Snoeren'00)

• DNS Server
• Mobile Host foo.bar.edu, moving from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
• Correspondent Host
• Steps: Location Query (DNS Lookup); Connection Initiation; Location Update (Dynamic DNS Update); Connection Migration



TCP Connection Migration (figure, from Snoeren'00)

1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data) (Note typo in proceedings)


Race Conditions

• Both end points migrate at same time
   • Solution assumes one fixed host
• Migrating host's old address reassigned before it has issued Migrate request
   • That would issue an RST message
   • Wait for migrate request before closing connection


TCP State Machine Changes (figure, from Snoeren'00)

• Transitions shown: appl: migrate / send: SYN (migrate T, R); recv: SYN (migrate T, R) / send: SYN, ACK; recv: RST; MIGRATE_WAIT with 2MSL timeout
• 2 new transitions between existing states
• 1 new state (MIGRATE_WAIT) handles pathological race condition


Security Issues

• Third party can change DNS mapping
   • Secure DNS needed
• Third party can move connection
   • Token prevents this
• Replay attack
   • Sequence number of request prevents this
• Denial of service
   • SYN flooding
   • Token validation can be expensive: a simpler-to-validate token sent with actual token