MobileNAT: A New Technique for Mobility across Heterogeneous Address Spaces
Milind M. Buddhikot, [email protected]
(Lucent Bell Labs)
Joint work with Adiseshu Hari, Kundan Singh, Scott Miller
Agenda
• Motivation
• Architecture
• Implementation
• Comparison with current approaches
• Summary
23-Sep-03 Milind Buddhikot 2
Current Trends
• Heterogeneity
  • Access: 802.11, 3G
  • Large number of providers
  • Address space: IPv4 vs IPv6, public vs private
• Explosive growth in connected devices
• Seamless high performance roaming
  • Customer relationship with one provider
  • One bill
[Figure: a multi-radio capable client roaming across 802.11 hotspots (airport.com, abc.net, each behind a WLAN gateway), AWS UMTS (GGSN), Cingular GSM/GPRS (GGSN) and Verizon CDMA2000 (PDSN), all attached to the Internet]
MobileNAT: A part of Project IOTA
http://www.bell-labs.com/~mbuddhikot/IOTAProject/IOTA.htm
MobileNAT: Basic Ideas
Basic Model
• Three kinds of user sessions:
  • S1: Internet sessions
  • S2: Intra-domain sessions
  • S3: Inter-domain sessions
• End nodes may offer services
  • Common case: PDAs, laptops, phones do not offer long-lived Internet services but access services on the net
  • Exception: VoIP
• NATed domain can be a
  • Layer-3 routed domain or
  • Layer-2 switched domain
[Figure: a NATed domain (private address space) with access nodes AN at Addr A, Addr B and Addr C serving wired and wireless MNs; the MN at private Addr a runs services (messaging, VoIP call) and moves between ANs; the NAT with public Addr A connects the domain to the routed public address space (Internet, CNN.com); S1 goes to the Internet, S2 to MN2 inside the same domain, S3 to MN3 in another domain at PubAddr D]
Goal
• Preserve sessions for movement of end devices
  1. inter access-point
  2. inter sub-net
  3. inter-NAT
  4. to 3G network
  5. to public network
[Figure: a private address space behind a NAT (public Addr A) made of 802.11 access points, Ethernet, routers and a router with NAT, a 3G network attached via a PDSN, and a routed IP network reaching www.cnn.com on the Internet; arrows (1) to (5) mark the five kinds of movement. Legend: access-point, router, router with NAT]
Problem with IP address
• IP address overloaded
  • Host identification
  • Routing information
• TCP connection characterized by a 5-tuple <SA, DA, SP, DP, TCP>
• Change in IP address breaks TCP/socket connection
[Figure: MN (SA=s, SP=a) talks to CN (DA=d, DP=b) through a NAT and the CN replies with SA=d DA=s SP=b DP=a; when the MN moves its source becomes SA=x, so the packets no longer match the TCP association]
Using Two Addresses
• Two IP addresses
  • Virtual IP (fixed host-id)
  • Actual IP (routable; changes)
• Two types of IP addresses
  • Private: 192.168.*, 10.*, 172.16.*
  • Public
• Four cases:
  • <Private Ap, Private Av>
  • <Private Ap, Public Av>
  • <Public Ap, Private Av>
  • <Public Ap, Public Av>
[Figure: MN protocol stack (Application, Socket, TCP/UDP, IP, Shim Layer, Net IF); the socket is bound to the virtual IP (Av = a) and the shim layer rewrites it to the actual IP (Ap = x) on the wire, so the packet <SA, DA, SP, DP> reaches CN via the AN with the virtual address fixed]
Intra-domain Mobility for Internet Sessions
• MN maintains the Av → Ap1 rule
• AN maintains the <Av, Ap1> → AAN rule; may change SP
• When MN moves to a new subnet, rules need to be changed
  • MN: Av → Ap2
  • AN: <Av, Ap2> → AAN
[Figure: the mobile's stack (App, Socket, TCP/IP bound to <Av, SP>, SHIM layer, NetIF at <Ap1, SP>) sends through the AN to CNN on the Internet; after the move to the new subnet the NetIF uses <Ap2, SP>. Old flow at the AN: <AAN, CNN, SP, 80>; flow towards the mobile: <CNN, Av, 80, SP>]
Mapping Rules for Four Cases
• Policy P1: Expose MN's Av if possible
• Policy P2: Never expose Av

Case                              P1          P2
I:   <Private Ap, Private Av>     Ap → AAN    Ap → AAN
II:  <Private Ap, Public Av>      Ap → Av     Ap → AAN
III: <Public Ap, Private Av>      Ap → AAN    Ap → AAN
IV:  <Public Ap, Public Av>       Ap → Av     Ap → AAN
Packet forwarding mechanisms: tunneling or translation
[Figure: two ways of forwarding the MN's packets via the AN to CN. Translation: the AN keeps the mapping <Av, Ap1> and rewrites the packet's source, so Av→CNN at the MN becomes Ap1→AN on the link and AN→CNN beyond the AN; after the move the mapping becomes <Av, Ap2>. Tunneling: the MN's Av→CNN packet is encapsulated in an outer Ap1→AN (after the move Ap2→AN) header, which the AN strips before forwarding it as AN→CNN]
• Tunneling involves less processing overhead but higher header overhead
  • Ex: 8 Kbps codec with 20 ms packetization: 20 B payload, 12 B RTP, 8 B UDP, 20 B IP = 60 B in translate mode vs. 80 B in tunnel mode
• Translate mode better for bandwidth constrained links
• Tunnel mode simpler to implement as most OSes support IP-in-IP tunnels
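As an added illustration of the header-overhead comparison (this is not code from the slides), the functions below derive the per-packet size and the resulting wire bit-rate for translate and tunnel mode from the codec rate and packetization interval, which generalizes the slide's single 8 Kbps / 20 ms data point to any codec. The 12 B RTP, 8 B UDP and 20 B IPv4 header sizes are the ones the slide uses; the `encap_bytes` parameter is an assumption added so that encapsulations other than IP-in-IP can be compared.

```python
# Added example: per-packet size and wire bit-rate of a VoIP stream in
# MobileNAT translate mode (one IP header) vs. tunnel mode (IP-in-IP adds
# a second IP header).  Header sizes follow the slide; `encap_bytes` is an
# assumption so other tunnel encapsulations can be plugged in.

RTP_HDR, UDP_HDR, IPV4_HDR = 12, 8, 20


def codec_payload_bytes(codec_kbps, packetization_ms):
    """Audio bytes per packet: rate (bits/s) * interval (s) / 8."""
    bits = codec_kbps * 1000 * packetization_ms / 1000
    if bits % 8:
        raise ValueError("payload is not a whole number of bytes")
    return int(bits // 8)


def packet_bytes(codec_kbps, packetization_ms, tunnel=False, encap_bytes=IPV4_HDR):
    """Bytes on the wire per packet; tunnel mode adds the outer header."""
    size = codec_payload_bytes(codec_kbps, packetization_ms) + RTP_HDR + UDP_HDR + IPV4_HDR
    return size + encap_bytes if tunnel else size


def wire_kbps(codec_kbps, packetization_ms, tunnel=False, encap_bytes=IPV4_HDR):
    """Link bit-rate: bits per packet / packetization interval in ms == kbps."""
    return packet_bytes(codec_kbps, packetization_ms, tunnel, encap_bytes) * 8 / packetization_ms


def compare(codec_kbps, packetization_ms, encap_bytes=IPV4_HDR):
    """Translate vs. tunnel bit-rate and the relative cost of tunneling."""
    translate = wire_kbps(codec_kbps, packetization_ms)
    tunnel = wire_kbps(codec_kbps, packetization_ms, True, encap_bytes)
    return {
        "translate_kbps": translate,
        "tunnel_kbps": tunnel,
        "tunnel_overhead_pct": round(100 * (tunnel - translate) / translate, 1),
    }


if __name__ == "__main__":
    # The slide's example: an 8 Kbps codec with 20 ms packetization.
    print(packet_bytes(8, 20), packet_bytes(8, 20, tunnel=True))
    print(compare(8, 20))
```

For the slide's 8 Kbps / 20 ms case the audio payload is 20 B, so the nominal 8 Kbps stream costs 24 Kbps on the link in translate mode and 32 Kbps in tunnel mode, a third more, which is the bandwidth argument for translation on constrained wireless links.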
Intra-domain mobility for Intra-domain Sessions
• All virtual addresses configured to be routed to AN
• CN has Av,CN configured in DNS
• AN applies DNAT rule: Av,CN → Ap,CN and SNAT rule: Ap,MN → Av,MN
[Figure: MN (Av1 = 10.128.0.2, Ap1 = 10.0.1.5) talks to CN (Av = 10.128.0.5, Ap = 10.0.4.9) via the AN (steps 1 and 2); after the move MN keeps Av1 = 10.128.0.2 with Ap2 = 10.0.2.7 and the session continues via the AN (steps 3 and 4)]
Inter-domain mobility
• Mobility manager of visited NAT fetches the existing connection mapping from mobility manager of the home NAT
• If MN moves to public address space, shim layer acts as visited NAT
• Dynamic home agent: use visited NAT as home NAT for new sessions
• Tunneling between visited and home NAT
[Figure: MN moves from the domain behind the home NAT (where CN is reached) to the domain behind a visited NAT; the two NATs are connected over the Internet]
MobileNAT Network Architecture
• New network element: Mobility Manager (MM)
• DHCP server and relays
  • Change of address signifies need to change NAT rules
  • Change conveyed to MM
• MM employs MIDCOM to control NAT rules
[Figure: NAT at the Internet edge; subnets 10.0.1.x and 10.0.2.x each with a DHCP relay; an MN at 10.0.1.5; a DHCP server co-located with the mobility manager, where a change of lease triggers a change of NAT rules]
MobileNAT Implementation
Implementation: Client (Win XP/2000)
• Shim-layer driver to capture DHCP packets and translate IP addresses
• MobileNAT client application acting as DHCP client and server
• Handles ARP for nodes in other sub-nets
[Figure: client stack (Application, Socket, TCP/UDP, IP at Addr "A", Shim Layer, Addr "V", Net IF); the MobileNAT client acts as DHCP server towards the stack (10.128.0.2/255.0.0.0) and as DHCP client towards the network (10.0.1.5/255.255.255.0). Unified mobility client (on-going work): MobileNAT client, MobileIP client, network and interface selector, DHCP server/client]
Mobility Client Architecture
• Software runs on Windows 2000/XP operating system
• Approximately 45,000 lines of code, 13,000 of which are Windows NDIS kernel networking code
[Figure: client architecture split into user level and OS kernel level. New code developed specifically for 3G-802.11 integration: graphical user interface and monitoring, MIP state machine, network detection, network selection, MobileNAT client, interface abstraction layer/API, virtual MobileIP adaptor, multi-interface mobility client driver (Ethernet, 802.11 and PPP interfaces), IS-835 shim, serial driver and AT command set for the Sierra 3G 1xRTT card. VPN/IPSec integration (e.g. Lucent IPSec client): VPN/IPSec control and VPN/IPSec client driver. Interaction with existing Windows OS modules: TCP/IP protocol stack, PPP support, Ethernet, 802.11, PPP/CDMA2000]
Implementation: DHCP server and NAT (Linux)
• DHCP server to allocate virtual and actual IP
• Actual IP is based on subnet of DHCP relay agent
• MM is integrated into DHCP server
• NAT using netfilter, iptables, ip_conntrack and ip_nat modules
[Figure: DHCP server holding a virtual IP range and an actual IP range; NAT box with PRE-ROUTING destination NAT, POST-ROUTING source NAT and NAT connection tracking]
Comparison to Existing Mobility Scheme
Similarities/Differences with current proposals
• Translation mode vs. tunneling
  • Packet size vs processing overhead
  • Two addresses per MN; can afford since private addresses
  • No external FA needed
  • Co-located mode MIP uses two public IP addresses! Wasteful
• Signaling
  • Using DHCP (new options) and a per-domain Mobility Manager (MM)
  • Even more lightweight signaling possible
• Routing path
  • No change in routers or CN; but change in MN, NAT and DHCP server
  • Dynamic home agent (i.e., the NAT)
Comparison to existing schemes
Schemes considered in the following chart:
• Mobile IP
  • Extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)
• Micro-mobility schemes: Cellular IP, Hawaii, Intra-Domain Mobility Protocol (IDMP), Hierarchical Mobile IP (HMIP)
• IPv6
  • Fast handoff
• Application level mobility mechanism
  • SIP
• Virtual NAT
  • Similar address translation in the client stack
  • Targeted for connection/process migration where both end-points implement vNAT
Comparison chart
[Table: columns MIP, CIP, Hawaii, HMIP (RR), IDMP/TeleMIP, MIP LR, MIP RO, SIP, IPv6, Mobile NAT and Virtual NAT; rows Triangular route, Non-mobile IP nodes, NAT support (1), Router modify?, MN modify?, Intra-tunnel, CN modify?, Signaling, Host ID, Paging, Inter-tunnel, MIP messaging. The cell values were scattered by extraction and are not reproduced here]
Legend: Y: yes, N: no, -: N/A, O: optional, IN: independent, UD: under development. 1: We assume Mobile IP with UDP tunneling for NAT
Mobile NAT Advantages
• Problems in existing approaches
  • Huge infrastructure change (CIP, IPv6, routers, even deploying FA)
  • Not much discussion on optimizing intra-domain sessions
  • Require tunneling overhead, inter, intra or both
  • Triangular routing even in common case
  • Modification in CN
• MobileNAT approach
  • Addresses rapid growth in end-devices, which most likely will have private addresses due to slow deployment of IPv6
  • Assume the presence of NA(P)T in a domain
    • Roaming and services across heterogeneous address spaces
    • Reduce problem space to only private address space
  • Choice between tunneling and address translation
    • Addresses bandwidth limitations of wireless links
  • Use existing protocols (DHCP, ICMP) for signaling
  • Discourage changing routing infrastructure
  • Can co-exist with MobileIP
Summary
• New technique called MobileNAT for intra- and inter-domain mobility
  • Virtual IP for host identification; actual IP for routing
  • Address translation in client as well as in NAT
  • Existing protocols like DHCP for signaling
  • Mobility manager to handle nodes in a domain
  • NAT acts as a dynamic home agent
  • Inter-NAT packet flow for inter-domain mobility
• No change in routers and no need for FA
  • Change in MN, NAT and DHCP server
• Demonstrated inter-subnet mobility through a complete implementation
On-going work
• Scalability:
  • Subdivide domains into smaller NAT-ed domains
  • Multiple NATs per domain
• Security
  • DHCP authentication and access-point authentication/encryption
  • Works with IPsec (AH mode and UDP tunnel) and SSL
• Paging:
  • Re-use of existing IP-multicast based paging
• Possible deployment issues
  • Changing every MN driver (similar to Mobile IP)
  • Mobility to 3G network
  • Location information distribution
  • Allow incremental deployment
• Other issues
  • Does not solve NAT problems where application layer messages carry IP addresses (FTP, SIP, RTSP)
  • Fast hand-off for micro-mobility
  • Intra-domain sessions on inter-domain mobility
  • Combined MobileIP and MobileNAT client
Backup
Packet Flow Example
Example
• Address assignment
• Packet flow when MN is private and CN is public
• MN moves to a new subnet
• Packet flow after mobility to a new subnet
• Packet flow when MN and CN are in the same NAT domain
• Packet flow when MN is private and CN is public and MN moves to a new NAT domain
Address assignment
• DHCP request: (my virtual IP = 0.0.0.0) (my MAC address)
• DHCP response: (your virtual IP = 10.128.0.2) (your actual IP = 10.0.1.5)
[Figure: the MN's DHCP request travels through the NAT domain to the DHCP server co-located with the mobility manager, which in turn installs the resulting rules on the NAT at the Internet edge]
Packet flow
NAT picks up an external IP and port
[Figure: MN stack (Application, Socket, TCP/UDP, IP at Addr "A", SHIM layer, Addr "V", Net IF); the socket uses 10.128.0.2:1756, the wire 10.0.1.5:1756, and the NAT maps 10.0.1.5:1756 to 135.180.32.4:7088 (steps 1, 2, 3) towards CN over the Internet]

Outbound (SA, DA, SP, DP):
  at socket     10.128.0.2     128.59.16.149  1756  80
  after shim    10.0.1.5       128.59.16.149  1756  80
  after NAT     135.180.32.4   128.59.16.149  7088  80
Inbound (SA, DA, SP, DP):
  from CN       128.59.16.149  135.180.32.4   80    7088
  after NAT     128.59.16.149  10.0.1.5       80    1756
  after shim    128.59.16.149  10.128.0.2     80    1756
Inter-subnet mobility
• DHCP request: (my virtual IP = 10.128.0.2) (my MAC address)
• DHCP response: (your virtual IP = 10.128.0.2) (your actual IP = 10.0.2.7)
• NAT rules change: the rule S:10.0.1.5:1756 D:128.59.16.149:80 → S:135.180.32.4:7088 D:same becomes S:10.0.2.7:1756 D:128.59.16.149:80 → S:135.180.32.4:7088 D:same
[Figure: MN moves from subnet 10.0.1.x to 10.0.2.x; the DHCP server with the mobility manager updates the NAT rules; CN is reached over the Internet]
Packet flow after the node moves
MN application or CN do not know about the change in actual IP
[Figure: same stack as before; the NAT now maps 10.0.2.7:1756 to 135.180.32.4:7088 (steps 1, 2, 3)]

Outbound (SA, DA, SP, DP):
  at socket     10.128.0.2     128.59.16.149  1756  80
  after shim    10.0.2.7       128.59.16.149  1756  80
  after NAT     135.180.32.4   128.59.16.149  7088  80
Inbound (SA, DA, SP, DP):
  from CN       128.59.16.149  135.180.32.4   80    7088
  after NAT     128.59.16.149  10.0.2.7       80    1756
  after shim    128.59.16.149  10.128.0.2     80    1756
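The two translation points the packet-flow slides walk through (the shim layer in the MN and the NA(P)T at the domain edge), and the rule updates from the "Intra-domain Mobility for Internet Sessions" slide (MN: Av → Ap2, NAT: <Av, Ap2> → AAN), modelled as an added example; this is not code from the MobileNAT project. Addresses and ports are the ones used in the slides; the class and method names, and the choice to key the NAT's flow table on the virtual address so that the mobility manager can re-point a flow without touching its external side, are mine.

```python
# Added example (not MobileNAT project code): a model of the shim layer in
# the mobile node and the NA(P)T at the domain edge, plus the rule updates
# that keep a TCP session alive across an inter-subnet move.  Addresses and
# ports are the ones from the deck's packet-flow slides; names are mine.
from dataclasses import astuple, dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class ShimLayer:
    """Client-side rule Av -> Ap: the socket only ever sees the virtual IP."""

    def __init__(self, virtual_ip, actual_ip):
        self.virtual_ip, self.actual_ip = virtual_ip, actual_ip

    def move(self, new_actual_ip):
        """DHCP handed out a new actual IP: replace the Av -> Ap rule."""
        self.actual_ip = new_actual_ip

    def outbound(self, pkt):
        if pkt.src != self.virtual_ip:
            raise ValueError("socket must send from the virtual IP")
        return replace(pkt, src=self.actual_ip)

    def inbound(self, pkt):
        if pkt.dst != self.actual_ip:
            raise ValueError("packet not addressed to this node's actual IP")
        return replace(pkt, dst=self.virtual_ip)


class MobileNAT:
    """Port-translating NAT whose flow table is keyed on the virtual address,
    so the mobility manager can re-point a flow at a new actual address while
    the external <public IP, port> seen by the CN stays fixed."""

    def __init__(self, public_ip, first_port=7088):
        self.public_ip, self.next_port = public_ip, first_port
        self.actual_of = {}   # Av -> current Ap (pushed by the mobility manager)
        self.virtual_of = {}  # Ap -> Av
        self.flows = {}       # (Av, CN, SP, DP) -> external port
        self.by_port = {}     # external port -> (Av, CN, SP, DP)

    def update_rule(self, virtual_ip, actual_ip):
        """Mobility-manager hook, called on every DHCP lease change."""
        old = self.actual_of.get(virtual_ip)
        if old is not None:
            del self.virtual_of[old]
        self.actual_of[virtual_ip] = actual_ip
        self.virtual_of[actual_ip] = virtual_ip

    def outbound(self, pkt):
        av = self.virtual_of[pkt.src]          # unregistered source: KeyError, dropped
        key = (av, pkt.dst, pkt.sport, pkt.dport)
        if key not in self.flows:              # first packet: pick an external port
            self.flows[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.flows[key])

    def inbound(self, pkt):
        if pkt.dst != self.public_ip or pkt.dport not in self.by_port:
            raise KeyError("no flow for inbound packet")
        av, cn, sp, dp = self.by_port[pkt.dport]
        if (pkt.src, pkt.sport) != (cn, dp):   # only the flow's peer may reply
            raise KeyError("inbound packet does not match the flow's peer")
        return replace(pkt, dst=self.actual_of[av], dport=sp)


def run_session():
    """Replay the deck's scenario; return each hop's (SA, DA, SP, DP)."""
    av, ap1, ap2, cn = "10.128.0.2", "10.0.1.5", "10.0.2.7", "128.59.16.149"
    shim, nat = ShimLayer(av, ap1), MobileNAT("135.180.32.4")
    nat.update_rule(av, ap1)
    app_out = Packet(av, cn, 1756, 80)           # what the socket emits
    hops = {}
    hops["before_out"] = nat.outbound(shim.outbound(app_out))
    reply = Packet(cn, hops["before_out"].src, 80, hops["before_out"].sport)
    hops["before_in"] = shim.inbound(nat.inbound(reply))
    # MN moves to subnet 10.0.2.x: DHCP assigns Ap2, MM re-points the NAT rule.
    shim.move(ap2)
    nat.update_rule(av, ap2)
    hops["after_shim"] = shim.outbound(app_out)
    hops["after_out"] = nat.outbound(hops["after_shim"])
    hops["after_in"] = shim.inbound(nat.inbound(reply))   # same reply still works
    return {name: astuple(pkt) for name, pkt in hops.items()}


if __name__ == "__main__":
    for hop, (sa, da, sp, dp) in run_session().items():
        print(f"{hop:12} {sa}:{sp} -> {da}:{dp}")
```

The point the slides make shows up in the trace: the external 4-tuple 135.180.32.4:7088 → 128.59.16.149:80 and the socket's 10.128.0.2:1756 are identical before and after the move; only the shim's output and the NAT's internal side change from 10.0.1.5 to 10.0.2.7, and the CN's unchanged reply is still delivered. The peer check in `inbound` is the conntrack-style sanity check a practitioner would expect on the external side.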
Using Two addresses
• Two IP addresses
  • Virtual IP (fixed host-id)
  • Actual IP (routable; changes)
[Figure: MN stack (Application/Socket, TCP/UDP/IP, Addr "Ap", Shim Layer, Addr "Av", Net IF); the MN at Ap = x sends <Av = a, DA, SP, DP> via the AN to CN (128.59.16.149); after it moves to Ap = y the packet still carries <Av = a, DA, SP, DP>]
Details of the NAT Domain
• NATed domain can be a
  • Layer-3 routed domain or
  • Layer-2 switched domain
• Kinds of mobility
  • Intra-domain
    • Layer-2 within same subnet
    • Layer-3 across subnets
  • Inter-domain
    • Layer-3 mobility across adjacent domains
[Figure: a stub domain behind the NAT (public Addr A): a NATed domain of routers, each serving several access points (AP), with the MN attached to one AP]
Address allocation using DHCP
• Virtual and actual IP allocated using DHCP
• New DHCP options
  • MN sends current virtual IP address (or 0.0.0.0 if none) in the request
  • Server sends the allocated actual and virtual IP addresses in the response
  • Actual IP is allocated based on relay agent IP
[Figure: DHCP server serving subnet 10.0.1.x (MN at 10.0.1.5) and subnet 10.0.2.x (host 10.0.2.9) through a DHCP relay agent at 10.0.2.2]
Overview of NA(P)T
[Figure: private address space (10.0.0.0-10.255.255.255) with subnets 10.0.1.x, 10.0.2.x and 10.0.7.x behind a NAT holding public addresses 135.180.32.1-7; the MN at 10.0.1.5 reaches CN 128.59.16.149 on the Internet]
Packet processing rule (SA, DA, SP, DP):
  out   10.0.1.5      128.59.16.149  1756  80
  In-1  135.180.32.4  128.59.16.149  7088  80
• Packet processing rules need to be changed in the event of mobility
Intra-domain sessions
• Optimization: new signaling message between two MobileNAT clients to route the packets directly
[Figure: MN (V=10.128.0.2, A=10.0.1.5) and CN (A=10.0.4.9) in the same NAT domain; after the move the MN has V=10.128.0.2, A=10.0.2.7]
Multi-interface Mobility Client Software
• Unique client software not available today on the market
• Seamless intra- and inter-technology handoffs using MobileIP, MobileNAT
• Management of multiple physical interfaces (802.11, 3G/PPP, Ethernet, GPRS)
• Automated network selection algorithm based on priority, signal strength, and preferred network list
• Mobile VPN capability: IPSec over MobileIP, MobileNAT