Mobility Support in IPv6 Advanced Internet, 2004 Fall 8 November 2004 Sangheon Pack
Page 1: Mobility Support in IPv6

Mobility Support in IPv6

Advanced Internet, 2004 Fall

8 November 2004

Sangheon Pack

Page 2: Mobility Support in IPv6

Content

• IP Mobility

• Mobile IPv6
  – Basic Operation
  – Mobile IPv6 Security

• Optimization of Mobile IPv6
  – Hierarchical Mobile IPv6 (HMIPv6)
  – Fast Handover of Mobile IPv6 (FMIPv6)

• Conclusion

Page 3: Mobility Support in IPv6

IP Mobility (1/2)

• Routing
  – Nodes communicate using IP: all-IP network
  – IP packets are routed by their address
  – When a mobile node moves, it needs to change its IP address to match its current network

• Identification
  – Connections/sessions between nodes are mostly identified by endpoint IPs
  – When the node moves and is assigned a new IP, all existing connections/sessions must be terminated and re-established!

• Need for an IP mobility protocol!

Page 4: Mobility Support in IPv6

IP Mobility (2/2)

[Figure: a Correspondent Node <IP-B> has a session with a Mobile Node at <IP-A>; after the Mobile Node moves it is reachable as <IP-C>, so the session <IP-A> <-> <IP-B> has to become <IP-B> <-> <IP-C>.]

Page 5: Mobility Support in IPv6

Mobile IPv6 (1/3)

• Overview
  – Home network, HA, CoA: the same as in Mobile IPv4
  – Address auto-configuration
    • MN can obtain a CoA in a foreign network without any help of a foreign agent (FA)
  – Packet interception at the HA
    • By Neighbor Discovery (cf. Proxy ARP in Mobile IPv4)
  – Binding update option
    • Between MN and HA / MN and CN
    • Route optimization between MN and CN
  – New extension headers
    • Type-2 Routing header: for route optimization
    • Destination Options header: for MN-originated packets

Page 6: Mobility Support in IPv6

Mobile IPv6 (2/3)

• Bi-directional tunneling mode
  – Does not require the CN to support Mobile IPv6
  – Uses reverse tunneling

• Route Optimization (RO) mode
  – Requires the MN's current binding to be registered at the CN
  – Uses a new type of IPv6 routing header
    • Destination Address = current CoA
    • Type-2 routing header = home address
  – Shortest communication path
  – Eliminates congestion at the MN's HA and home link
  – The impact of any possible failure of the HA, or of networks on the path to or from it, is reduced

Page 7: Mobility Support in IPv6

Mobile IPv6 (3/3)

• Dynamic Home Agent Address Discovery
  – Allows an MN to dynamically discover the IP address of a home agent on its home link
  – ICMP Home Agent Address Discovery Request message
    • Destination address: Home Agent anycast address for the MN's own home subnet prefix
  – Reply message
    • HA address list on the home link
    • Each HA maintains the home agent list

Page 8: Mobility Support in IPv6

Mobile IPv6 Terminology

• Terminology
  – Home Address (HoA): the permanent IP address identifying the Mobile Node. The Mobile Node should always be reachable at this address.
  – Care-of Address (CoA): the temporary, network-specific IP address for routing messages to the Mobile Node's current location
  – Home Agent (HA): the entity acting on behalf of the Mobile Node in its home network
  – Correspondent Node (CN): any other host connected to the Mobile Node (not necessarily mobile itself)

Page 9: Mobility Support in IPv6

Mobile IPv4 vs. Mobile IPv6

Mobile IPv4                                                     | Mobile IPv6
----------------------------------------------------------------|----------------------------------------------------------------
Mobile node, home agent, home link, foreign link                | (same)
Mobile node's home address                                      | Globally routable home address and link-local home address
Foreign agent                                                   | A "plain" IPv6 router on the foreign link (foreign agent no longer exists); collocated care-of address
Care-of address obtained via Agent Discovery, DHCP, or manually | Care-of address obtained via Stateless Address Autoconfiguration, DHCP, or manually
Agent Discovery                                                 | Router Discovery
Authenticated registration with home agent                      | Authenticated notification of home agent and other correspondent nodes
Routing to mobile nodes via tunneling                           | Routing to mobile nodes via tunneling and source routing
Route optimization via separate protocol specification          | Integrated support for route optimization

Page 10: Mobility Support in IPv6

Binding Update

• Binding Update
  – An MN informs the HA and CNs of its CoA when the MN is located in a foreign network
  – The HA/CN send a "Binding Acknowledgement" to the MN

• Requirements
  – Source address in the IP header = MN's CoA, to avoid ingress filtering
  – IPv6 Authentication Header (AH), for secure binding update

Page 11: Mobility Support in IPv6

Packet Delivery

• Packet delivery from CN to MN
  – The CN checks whether there is binding information for the MN in its binding cache
  – If there is a matching entry
    • The CN sends packets to the MN's cached CoA using the IPv6 routing header option
    • No IPv6 encapsulation
  – Otherwise
    • Normal packet routing to the MN's home address
    • The HA intercepts and tunnels the packets
    • The MN, on receiving packets tunneled by the HA, sends a binding update message to the CN

Page 12: Mobility Support in IPv6

Requirements

• Correspondent Nodes
  – Processing of binding update messages
  – Update the binding cache whenever a binding update message with a new CoA is received

• Mobile Nodes
  – When a new CoA is needed: sending of a binding update message
  – Maintain a Binding Update List
  – Packet encapsulation/decapsulation: no FA

• Home Agents
  – Packet encapsulation/decapsulation
  – Proxy neighbor advertisements

Page 13: Mobility Support in IPv6

Binding Messages

• Binding Update
  – Used by a mobile node to notify other nodes of a new care-of address
  – Can also be used to delete old bindings

• Binding Acknowledgement
  – Used to acknowledge receipt of a Binding Update

• Binding Refresh Request
  – Used by the correspondent node to inform the mobile node that the binding is (or is going) stale

• Binding Error
  – Used by the correspondent node to signal an error

Page 14: Mobility Support in IPv6

Mobile IPv6 Basic Operation

[Figure: Mobile IPv6 basic operation. The Correspondent Node <correspondent address> and the Mobile Node <home address> communicate as <correspondent address> <-> <home address>. With bidirectional tunnelling the Home Agent relays packets to the Mobile Node's <care-of address> through an IP tunnel; with route optimization the Correspondent Node sends directly to the <care-of address> using the routing option.]

Page 15: Mobility Support in IPv6

Binding Updates to HA

[Figure: the Mobile Node sends Binding Update <home address, care-of address> to the Home Agent, which records the map <home address>:<care-of address> and replies with a Binding Update ACK (BACK). After a move the Mobile Node sends Binding Update <home address, new care-of address>; the Home Agent map becomes <home address>:<new care-of address> and it again replies with BACK.]

• The MN needs to update the HA on its current location (CoA): Binding Update message
• The HA keeps this binding for future use

Page 16: Mobility Support in IPv6

Binding Updates to CN

[Figure: the Mobile Node sends BU <home address, care-of address> to the Correspondent Node, which records the map <home address>:<care-of address> and replies with BACK; the Home Agent holds the same map <home address>:<care-of address>.]

Packets once the CN has the binding (route optimization):

  MN -> CN:  IPv6 src=<care-of address> dst=<correspondent address>, Destination Option: Home Address = <home address>
  CN -> MN:  IPv6 src=<correspondent address> dst=<care-of address>, Routing Option (type 2): Home Address = <home address>

Packets while the CN has no binding (via the Home Agent):

  CN -> HA:  IPv6 src=<correspondent address> dst=<home address>
  HA -> MN:  IPv6 tunnel src=<home agent> dst=<care-of address>, <original packet encapsulated>

Page 17: Mobility Support in IPv6

Mobile IPv6 Security

Page 18: Mobility Support in IPv6

BU to HA: Security Issues (1/2)

• Man-in-the-middle attack

[Figure: a Malicious Node sends a false BU to the Home Agent and receives the BACK, so the Home Agent's binding for the Mobile Node now points at the Malicious Node.]

By means of false BUs, the traffic can be redirected through a malicious node.

Page 19: Mobility Support in IPv6

BU to HA: Security Issues (2/2)

• Hijacking
  – By means of false BUs
  – By replaying old BUs

• Confidentiality breach
  – By eavesdropping: the MN is often connected to a WLAN

• Denial-of-Service (DoS)
  – By means of false BUs: an attacker might claim that the MN is at another location
  – By replaying old BUs: packets for the MN would be sent to its old location
  – False BUs can be used for DoS attacks against victim nodes! All packets destined to the MN's home address would be redirected to the victim node

Page 20: Mobility Support in IPv6

Mobile IPv6 Security

• Protection of BUs both to the HA and to CNs
  – By the use of IPsec extension headers
    • Home address in the BU message: security association based on the MN's home address
    • Security key distribution: manual or automatic key management with IKE
  – By the use of the Binding Authorization Data option
    • Protection of the BU message to the CN
      – No security association
      – No authentication infrastructure between MN and CN
    • Return Routability
      – Binding management key (kbm): assures that the right MN is sending the message
      – Keyed-hash algorithm using kbm

Page 21: Mobility Support in IPv6

IPsec SA

• IPsec Security Association (SA)
  – An SA is a cryptographically protected connection
  – There MUST be an SA between the MN and the HA
  – Provides integrity and authentication of BU and BACK
  – An SA is defined by: <SPI, destination address, flag>
  – One SA per home address
  – ESP: Encapsulating Security Payload
  – AH: Authentication Header

Page 22: Mobility Support in IPv6

ESP and AH

• Encapsulating Security Payload (ESP)
  – Integrity & authenticity
  – Correct packet ordering: by means of sequence numbers in BU messages
  – Anti-replay protection: only if dynamic keying is used
  – Confidentiality
  – "Replay" and "reordering packets" attacks are possible if static keys are used

• Authentication Header (AH) is an alternative to ESP

Page 23: Mobility Support in IPv6

Packet Format (1/2)

[Figure: Binding Update from the Mobile Node to the Home Agent, and Binding ACK back.]

Binding Update packet layout:
  IPv6 header: source = care-of address, destination = home agent
  ESP header
  Destination options header: Home Address option = home address
  Mobility header: Binding Update, Alternate care-of address option

• The "mobility header" is used in Mobile IPv6 when managing bindings
• The "source address" avoids ingress filtering
• The "home address option" is used to identify the SA
• The "alt. care-of address option" is used to protect the care-of address

Page 24: Mobility Support in IPv6

Packet Format (2/2)

[Figure: Binding ACK from the Home Agent to the Mobile Node, in reply to the Binding Update.]

Binding ACK packet layout:
  IPv6 header: source = home agent, destination = care-of address
  ESP header
  Routing header (type 2): home address
  Mobility header: Binding ACK

• The "home address" in the "type 2 routing header" helps the mobile node to identify the SA
• Note that the "Binding ACK" is encrypted

Page 25: Mobility Support in IPv6

BU to Home Agents: Summary

• IPsec SA: Mobile Node <-> Home Agent
  – Integrity & authentication
  – Protection against replay and reordering attacks (dynamic keying)
  – Confidentiality (optional)

• Problems
  – Static SA between Mobile Node and Home Agent
  – If the 16-bit Mobile IPv6 sequence number is cycled through, or the HA reboots and loses state, replay and reordering attacks are possible
  – IPsec doesn't fully prevent an MN from carrying out a DoS attack; however, it will be identified by means of its SA with the Home Agent
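The replay limit in the "Problems" bullet, worked through in code. This is an added example for this transcript, not code from the lecture: it keeps a binding cache of the kind described on the Packet Delivery and Requirements slides, compares the 16-bit sequence number modulo 2^16 the way Mobile IPv6 does, and then replays a captured BU after the counter has cycled and against an HA that has lost its state. The addresses, the BU dicts and the cache are constructed stand-ins for the real Mobility Header processing.

```python
"""Sequence-number acceptance check for Binding Updates, and what it does not cover.

Added example for this transcript (not code from the lecture). The 16-bit
sequence number is compared modulo 2^16 as Mobile IPv6 does; the binding cache
is a dict and the "BU" a small dict, both constructed stand-ins for the real
Mobility Header processing. Addresses are constructed sample values.
"""

SEQ_MODULUS = 1 << 16          # Mobile IPv6 sequence number is 16 bits wide
HALF_WINDOW = SEQ_MODULUS // 2

HOME = "2001:db8:1::10"        # constructed home address
COA_OLD = "2001:db8:2::10"     # constructed care-of address on the first foreign link
COA_NEW = "2001:db8:3::10"     # constructed care-of address after a move


def seq_is_newer(new_seq: int, last_seq: int) -> bool:
    """True when new_seq is 'greater' than last_seq modulo 2^16.

    A difference in 1..32767 counts as newer, so the counter may wrap from
    65535 to 0, but an old value becomes "newer" again once the counter has
    advanced more than half a cycle past it.
    """
    return 0 < (new_seq - last_seq) % SEQ_MODULUS < HALF_WINDOW


class BindingCache:
    """Binding cache as kept by an HA or CN: home address -> (care-of address, last seq)."""

    def __init__(self) -> None:
        self.entries: dict[str, tuple[str, int]] = {}

    def process_binding_update(self, bu: dict) -> str:
        home, coa, seq = bu["home_address"], bu["care_of_address"], bu["sequence"]
        entry = self.entries.get(home)
        if entry is not None and not seq_is_newer(seq, entry[1]):
            return "rejected"            # stale or replayed BU: keep the current binding
        self.entries[home] = (coa, seq)
        return "accepted"

    def next_hop(self, home: str) -> str:
        """Where packets for `home` go: the cached CoA (routing header) or the home address itself."""
        entry = self.entries.get(home)
        return entry[0] if entry else home


def replay_scenario() -> tuple:
    """Replay a captured BU immediately, after the sequence space has been cycled, and after a reboot."""
    cache = BindingCache()
    captured = {"home_address": HOME, "care_of_address": COA_OLD, "sequence": 5}
    results = [cache.process_binding_update(captured)]                  # genuine BU: accepted
    results.append(cache.process_binding_update(captured))              # immediate replay: rejected
    for seq in (30000, 60000):                                          # MN moves and keeps updating
        results.append(cache.process_binding_update(
            {"home_address": HOME, "care_of_address": COA_NEW, "sequence": seq}))
    # After the counter has advanced past half the cycle, seq 5 looks "newer" than 60000 again,
    # so the same captured BU is accepted and traffic is redirected to the old location.
    results.append(cache.process_binding_update(captured))
    # An HA that reboots and loses its cache has no last sequence number to compare against.
    results.append(BindingCache().process_binding_update(captured))
    return results, cache.next_hop(HOME)


if __name__ == "__main__":
    outcomes, hop = replay_scenario()
    print(outcomes, "->", hop)
```

The last two outcomes are the slide's point: the sequence number alone stops only an immediate replay, and the ESP anti-replay window from the previous slides closes the gap only when the SA is rekeyed (dynamic keying) rather than kept static.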

Page 26: Mobility Support in IPv6

Security Issues: BU to CN

• Binding Update to the Correspondent Node
  – Same issues as with updating the Home Agent: spoofing, man-in-the-middle, confidentiality, replay
  – In addition: need to verify successful routing before switching to route optimization mode

• Problem
  – Not feasible to have a security association including all potential mobile and correspondent nodes
  – No security association between MN and CNs

Page 27: Mobility Support in IPv6

Return Routability (1/4)

• Return Routability
  – Authorizes the binding procedure by the use of a cryptographic token exchange

• Terminology
  – Cookie: random number used by a mobile node to prevent spoofing by a bogus CN in the RR procedure
  – Care-of init cookie: a cookie sent to the CN in the Care-of Test Init message, to be returned in the Care-of Test message
  – Home init cookie: a cookie sent to the CN in the Home Test Init message, to be returned in the Home Test message

Page 28: Mobility Support in IPv6

Return Routability (2/4)

• Terminology
  – Keygen Token: number supplied by a CN in the RR procedure to enable the MN to compute the binding management key needed for authorizing a BU
    • Care-of keygen token: carried in the Care-of Test message
    • Home keygen token: carried in the Home Test message
  – Nonce: random numbers used internally by the CN in the creation of keygen tokens for the RR procedure
  – Binding management key (kbm): key used for authorizing a binding cache management message (e.g., BU and BACK messages)
  – RR provides a way to create a binding management key

Page 29: Mobility Support in IPv6

Return Routability (3/4)

• Home Test Init (HoTI)
  – The MN sends a Home Test Init message to the CN to acquire the home keygen token
  – Source Address = home address
  – Destination Address = CN
  – Parameters: home init cookie
  – This message is reverse tunneled through the HA

• Care-of Test Init (CoTI)
  – The MN sends a Care-of Test Init message to the CN to acquire the care-of keygen token
  – Source Address = CoA
  – This message is sent directly to the CN

Page 30: Mobility Support in IPv6

Return Routability (4/4)

• Home Test (HoT)
  – Sent in response to a Home Test Init message
  – Source Address = CN
  – Destination Address = home address
  – Parameters
    • Home init cookie
    • Home keygen token = First(64, HMAC_SHA1(Kcn, (home address | nonce | 0)))
    • Home nonce index

• Care-of Test (CoT)
  – Sent in response to a Care-of Test Init message (see the Return Routability Test figures)

• kbm = SHA1(home keygen token | care-of keygen token)
• BU: HMAC_SHA1(kbm, (care-of address | CN address | BU))

Page 31: Mobility Support in IPv6

Return Routability Test (1/3)

[Figure: Correspondent Node <correspondent address>, Mobile Node <care-of address>, Home Agent. The CN holds a secret key <Kcn> and temporary nonces: 1 - <nonce1>, 2 - <nonce2>, ...]

Care-of Test Init:  src=<care-of address> dst=<correspondent address>  <care-of init cookie>

CN computes:  <care-of keygen token> = HMAC_SHA1(Kcn, <care-of address> | <nonce1> | 1) [1:64]

Care-of Test:  src=<correspondent address> dst=<care-of address>  <care-of init cookie> <care-of keygen token> care-of nonce index: 1

MN now holds:  <care-of init cookie> <care-of keygen token> care-of nonce index: 1

Page 32: Mobility Support in IPv6

Return Routability Test (2/3)

[Figure: Correspondent Node <correspondent address>, Mobile Node <care-of address>, Home Agent. The CN holds a secret key <Kcn> and temporary nonces: 1 - <nonce1>, 2 - <nonce2>, ...]

Home Test Init (via the Home Agent):  src=<home address> dst=<correspondent address>  <home init cookie>

CN computes:  <home keygen token> = HMAC_SHA1(Kcn, <home address> | <nonce1> | 0) [1:64]

Home Test (via the Home Agent):  src=<correspondent address> dst=<home address>  <home init cookie> <home keygen token> home nonce index: 1

MN now holds:  <care-of init cookie> <care-of keygen token> care-of nonce index: 1;  <home init cookie> <home keygen token> home nonce index: 1

Page 33: Mobility Support in IPv6

Return Routability Test (3/3)

[Figure: Correspondent Node <correspondent address>, Mobile Node <care-of address>, Home Agent. The CN holds a secret key <Kcn> and temporary nonces: 1 - <nonce1>, 2 - <nonce2>, ...]

MN holds:  <care-of init cookie> <care-of keygen token> care-of nonce index: 1;  <home init cookie> <home keygen token> home nonce index: 1

MN computes:
  Kbm = SHA1(<home keygen token> | <care-of keygen token>)
  MAC = HMAC_SHA1(Kbm, <care-of address> | <correspondent address> | BU) [1:96]

Binding Update:  src=<care-of address> dst=<correspondent address>  option: Home Address = <home address>  <sequence number> <home nonce index = 1> <care-of nonce index = 1> <MAC>

CN recomputes from its own nonces:
  <home keygen token> = HMAC_SHA1(Kcn, <home address> | <nonce1> | 0) [1:64]
  <care-of keygen token> = HMAC_SHA1(Kcn, <care-of address> | <nonce1> | 1) [1:64]
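The four RR messages and the key derivation from the three figures above, run end to end on both sides. This is an added example for this transcript, not the lecture's code: Kcn, the nonces and all addresses are constructed sample values, and the messages are dicts rather than Mobility Header packets. The CN keeps no per-MN state and recomputes both keygen tokens from the nonce indices quoted in the BU, which is what lets it check the MAC; the run also shows that a BU carrying a different care-of address, or one quoting a nonce the CN has already discarded, is rejected.

```python
"""Return Routability as on the slides: HoTI/CoTI, HoT/CoT, Kbm and the BU MAC.

Added example for this transcript (not code from the lecture). Messages are
plain dicts instead of Mobility Header packets; Kcn, the nonces and the
addresses are constructed sample values. Formulas follow the slides:
token = First(64, HMAC_SHA1(Kcn, address | nonce | 0/1)),
Kbm = SHA1(home token | care-of token), MAC = First(96, HMAC_SHA1(Kbm, ...)).
"""
import hashlib
import hmac
import os
from ipaddress import IPv6Address


def keygen_token(kcn: bytes, address: str, nonce: bytes, selector: int) -> bytes:
    """First(64, HMAC_SHA1(Kcn, address | nonce | selector)); selector 0 = home, 1 = care-of."""
    msg = IPv6Address(address).packed + nonce + bytes([selector])
    return hmac.new(kcn, msg, hashlib.sha1).digest()[:8]


def binding_management_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_mac(kbm: bytes, careof: str, cn: str, bu_fields: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | CN address | BU))."""
    msg = IPv6Address(careof).packed + IPv6Address(cn).packed + bu_fields
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """Holds only Kcn and a nonce table; no per-MN state is kept until the BU arrives."""

    def __init__(self, address: str, kcn: bytes, nonces: dict) -> None:
        self.address, self.kcn, self.nonces = address, kcn, dict(nonces)
        self.current = max(self.nonces)                 # nonce index used for new tests

    def home_test(self, hoti: dict) -> dict:
        # HoTI is reverse tunneled through the HA, so its source is the home address.
        token = keygen_token(self.kcn, hoti["src"], self.nonces[self.current], 0)
        return {"src": self.address, "dst": hoti["src"], "home_init_cookie": hoti["home_init_cookie"],
                "home_keygen_token": token, "home_nonce_index": self.current}

    def careof_test(self, coti: dict) -> dict:
        # CoTI comes directly from the care-of address.
        token = keygen_token(self.kcn, coti["src"], self.nonces[self.current], 1)
        return {"src": self.address, "dst": coti["src"], "careof_init_cookie": coti["careof_init_cookie"],
                "careof_keygen_token": token, "careof_nonce_index": self.current}

    def verify_binding_update(self, bu: dict) -> bool:
        """Recompute both tokens from the quoted nonce indices, derive Kbm and check the MAC."""
        home_nonce = self.nonces.get(bu["home_nonce_index"])
        careof_nonce = self.nonces.get(bu["careof_nonce_index"])
        if home_nonce is None or careof_nonce is None:
            return False                                # nonce expired or never issued
        kbm = binding_management_key(keygen_token(self.kcn, bu["home_address"], home_nonce, 0),
                                     keygen_token(self.kcn, bu["src"], careof_nonce, 1))
        expected = bu_mac(kbm, bu["src"], self.address, bu["fields"])
        return hmac.compare_digest(expected, bu["mac"])


class MobileNode:
    def __init__(self, home_address: str, careof_address: str) -> None:
        self.home_address, self.careof_address = home_address, careof_address
        self.home_init_cookie = os.urandom(8)           # fresh cookies for this RR run
        self.careof_init_cookie = os.urandom(8)

    def home_test_init(self, cn: str) -> dict:
        return {"src": self.home_address, "dst": cn, "home_init_cookie": self.home_init_cookie}

    def careof_test_init(self, cn: str) -> dict:
        return {"src": self.careof_address, "dst": cn, "careof_init_cookie": self.careof_init_cookie}

    def binding_update(self, hot: dict, cot: dict, cn: str, seq: int) -> dict:
        # The cookies must come back unchanged; otherwise a bogus CN answered in place of the real one.
        if hot["home_init_cookie"] != self.home_init_cookie or cot["careof_init_cookie"] != self.careof_init_cookie:
            raise ValueError("init cookie mismatch: reply did not come from the CN we asked")
        kbm = binding_management_key(hot["home_keygen_token"], cot["careof_keygen_token"])
        fields = seq.to_bytes(2, "big")                 # stand-in for the BU's own fields (sequence number etc.)
        bu = {"src": self.careof_address, "dst": cn, "home_address": self.home_address, "fields": fields,
              "home_nonce_index": hot["home_nonce_index"], "careof_nonce_index": cot["careof_nonce_index"]}
        bu["mac"] = bu_mac(kbm, self.careof_address, cn, fields)
        return bu


def run_return_routability(kcn: bytes, nonces: dict, home: str = "2001:db8:1::10",
                           coa: str = "2001:db8:2::10", cn_addr: str = "2001:db8:3::1") -> tuple:
    """Returns (genuine BU accepted, BU with another care-of address accepted, BU with a discarded nonce accepted)."""
    cn, mn = CorrespondentNode(cn_addr, kcn, nonces), MobileNode(home, coa)
    hot = cn.home_test(mn.home_test_init(cn_addr))
    cot = cn.careof_test(mn.careof_test_init(cn_addr))
    bu = mn.binding_update(hot, cot, cn_addr, seq=1)
    genuine = cn.verify_binding_update(bu)
    # The MAC covers the care-of address, so a BU pointing traffic elsewhere fails without a CoT for that address.
    redirected = cn.verify_binding_update(dict(bu, src="2001:db8:9::1"))
    # Once the CN has discarded the nonce, the tokens cannot be recomputed and the BU is rejected.
    del cn.nonces[bu["home_nonce_index"]]
    stale = cn.verify_binding_update(bu)
    return genuine, redirected, stale
```

Because the CN derives everything from Kcn and the nonce table, it can verify the BU without remembering the HoTI/CoTI exchange, which is what keeps the procedure cheap against floods of test-init messages; the nonce table is what bounds how long a pair of tokens stays usable.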

Page 34: Mobility Support in IPv6

Mobile IPv6 Optimization

Page 35: Mobility Support in IPv6

Drawbacks of Mobile IPv6

• Mobile IPv6
  – Reacts after L2 movement
  – Introduces a period of service disruption after L2 movement until signaling is completed
  – Performance depends on Mobile IP registration time and MH-HA distance

• Optimization schemes
  – Fast Handover for Mobile IPv6: anticipates Mobile IP messaging (before L2 movement)
  – Hierarchical Mobile IPv6: reduces the MN-to-HA round-trip delay and the number of messages (transmission efficiency)

Page 36: Mobility Support in IPv6

Standardization (1/2)

• Recent trend in the IETF: new working groups
  – MIP4: Mobility for IPv4
  – MIP6: Mobility for IPv6
  – MIPSHOP: MIPv6 Signaling and Handoff Optimization

• IP Mobility Optimizations (Mob Opts) in the IRTF
  – Analysis of Mobile IP Route Optimization considering such parameters as traffic pattern, link conditions, topology, etc.
  – Alternative mechanisms for discovering a Mobility Anchor Point (MAP) in Hierarchical Mobile IP (HMIP)
  – Evaluation of existing and new mechanisms for discovering and selecting a target base station and/or router for handover

Page 37: Mobility Support in IPv6

Standardization (2/2)

• IETF Mobile IP WG
  – Mobile IPv4
    • Low latency handoff: draft-ietf-mobileip-lowlatency-handoffs-v4-09.txt, June 2004
    • Regional registration: draft-ietf-mobileip-reg-tunnel-06.txt, March 2002
  – Mobile IPv6
    • Fast Handover: draft-ietf-mipshop-fast-mipv6-03.txt, October 2003
    • Hierarchical Mobile IPv6: draft-ietf-mipshop-hmipv6-02.txt, June 2004

Page 38: Mobility Support in IPv6

Hierarchical Mobile IPv6

Page 39: Mobility Support in IPv6

HMIPv6

• Motivation
  – Reduce the number of BUs when MNs move within a MAP domain
  – Transparency of the MN's mobility to CNs
  – Location privacy

• HMIPv6
  – Mobility Anchor Point (MAP): a local HA
  – The MN acquires two addresses
    • On-link CoA: LCoA
    • Regional CoA: RCoA
  – Reduces Mobile IPv6 signaling load
  – Improves handoff delay

Page 40: Mobility Support in IPv6

HMIPv6 Operation

[Figure: HMIPv6 operation. The HA and CN are reached across the Internet; the MN is attached below oldAR inside a MAP domain that also contains newAR. The MN sends a Local BU (RCoA, LCoA) to the MAP and a Home BU (Home address, RCoA) to the HA.]

Page 41: Mobility Support in IPv6

HMIPv6 Operation

[Figure: the MN moves from oldAR to newAR within the same MAP domain. Only a Local BU (RCoA, LCoA') to the MAP is sent; the HA binding (Home address, RCoA) is unchanged.]

Page 42: Mobility Support in IPv6

HMIPv6 Operation

[Figure: the MN moves to an access router in a different MAP domain. It sends a Local BU (RCoA', LCoA') to the new MAP and a Home BU (Home address, RCoA') to the HA.]
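The two-level binding from the three HMIPv6 operation figures, as a small simulation. This is an added example for this transcript, not the lecture's code: the MAPs, access routers, prefixes and the MN's interface identifier are constructed, and CN updates and real packet formats are left out. It counts local BUs to the MAP against home BUs to the HA for the three attachments shown (entering a MAP domain, moving between ARs inside it, entering another domain), next to a plain Mobile IPv6 MN that must send a home BU on every move, and resolves a packet for the home address through both binding levels.

```python
"""Two-level bindings in HMIPv6: local BU to the MAP, home BU to the HA, counted per move.

Added example for this transcript (not code from the lecture). Access routers,
MAPs, prefixes and the MN interface identifier are constructed; CN updates and
packet formats are left out.
"""
from dataclasses import dataclass, field


@dataclass
class HomeAgent:
    bindings: dict = field(default_factory=dict)     # home address -> RCoA (or CoA for plain Mobile IPv6)
    home_bus: int = 0

    def home_bu(self, home: str, coa: str) -> None:
        self.bindings[home] = coa
        self.home_bus += 1


@dataclass
class MAP:
    """Mobility Anchor Point: a local HA mapping RCoA -> LCoA inside its domain."""
    name: str
    prefix: str
    bindings: dict = field(default_factory=dict)
    local_bus: int = 0

    def rcoa_for(self, iid: str) -> str:
        return f"{self.prefix}::{iid}"               # RCoA formed from the MAP's prefix

    def local_bu(self, rcoa: str, lcoa: str) -> None:
        self.bindings[rcoa] = lcoa
        self.local_bus += 1


@dataclass
class AccessRouter:
    name: str
    prefix: str
    map: MAP                                         # the MAP domain this AR belongs to

    def lcoa_for(self, iid: str) -> str:
        return f"{self.prefix}::{iid}"               # on-link CoA from the AR's prefix


class HMIPv6MobileNode:
    def __init__(self, home: str, iid: str, ha: HomeAgent) -> None:
        self.home, self.iid, self.ha = home, iid, ha
        self.map = None
        self.rcoa = self.lcoa = None

    def attach(self, ar: AccessRouter) -> str:
        self.lcoa = ar.lcoa_for(self.iid)
        if ar.map is not self.map:                   # new MAP domain: new RCoA, both binding levels change
            self.map = ar.map
            self.rcoa = ar.map.rcoa_for(self.iid)
            ar.map.local_bu(self.rcoa, self.lcoa)
            self.ha.home_bu(self.home, self.rcoa)    # CNs would be updated in the same way
            return "local BU + home BU"
        ar.map.local_bu(self.rcoa, self.lcoa)        # intra-domain move: the HA and CNs see nothing
        return "local BU only"


def deliver(ha: HomeAgent, maps: list, home: str) -> str:
    """Resolve a packet for `home`: HA binding gives the RCoA, the MAP binding gives the LCoA."""
    rcoa = ha.bindings[home]
    map_ = next(m for m in maps if rcoa.startswith(m.prefix + "::"))
    return map_.bindings[rcoa]


def simulate() -> dict:
    ha = HomeAgent()
    map1, map2 = MAP("MAP1", "2001:db8:10"), MAP("MAP2", "2001:db8:20")
    ar_a = AccessRouter("oldAR", "2001:db8:11", map1)
    ar_b = AccessRouter("newAR", "2001:db8:12", map1)
    ar_c = AccessRouter("farAR", "2001:db8:21", map2)   # constructed AR in a second MAP domain
    mn = HMIPv6MobileNode("2001:db8:1::10", "10", ha)
    steps = [mn.attach(ar) for ar in (ar_a, ar_b, ar_c)]
    plain = HomeAgent()                              # plain Mobile IPv6: every move is a home BU
    for ar in (ar_a, ar_b, ar_c):
        plain.home_bu(mn.home, ar.lcoa_for(mn.iid))
    return {"steps": steps, "hmip_home_bus": ha.home_bus,
            "local_bus": map1.local_bus + map2.local_bus,
            "plain_home_bus": plain.home_bus,
            "final_lcoa": deliver(ha, [map1, map2], mn.home)}


if __name__ == "__main__":
    print(simulate())
```

The move between oldAR and newAR is the one the slides are about: it costs a single local BU that never leaves the MAP domain, which is also why the CN only ever learns the RCoA (the location-privacy bullet on the HMIPv6 slide).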

Page 43: Mobility Support in IPv6

Fast Handover for Mobile IPv6

Page 44: Mobility Support in IPv6

FMIPv6

• Fast Handover for Mobile IPv6
  – Minimizes packet loss and latency due to handoffs: critical for real-time services
  – The MN acquires a new CoA and registers it with the previous AR before getting a link to the new AR
  – As soon as the MN leaves the current link, the old AR starts forwarding traffic to the new AR

• Operation
  – Detect movement in anticipation (L2 trigger)
  – Update the old AR (before L2 movement)
  – Traffic is then forwarded from the old AR to the new AR (non-optimal)
  – The MN must then also update the HA and CNs (for optimal routing)
  – Bicasting can improve performance

Page 45: Mobility Support in IPv6

New Message Format

• Neighbor Discovery messages
  – Router Solicitation for Proxy Advertisement (RtSolPr)
  – Proxy Router Advertisement (PrRtAdv)

• Inter-Access Router messages
  – Handover Initiate (HI)
  – Handover Acknowledge (HACK)

• New Mobility Header messages
  – Fast Binding Update (FBU)
  – Fast Binding Acknowledgement (FACK)
  – Fast Neighbor Advertisement (FNA)

Page 46: Mobility Support in IPv6

Message Flow - Predictive

[Figure: predictive message flow between MN, PAR (previous access router) and NAR (new access router)]

  L2 trigger at the MN
  MN -> PAR: RtSolPr;  PAR -> MN: PrRtAdv
  MN -> PAR: FBU;  PAR -> NAR: HI;  NAR -> PAR: HACK
  PAR -> MN and PAR -> NAR: FBACK;  PAR starts forwarding packets to NAR
  MN disconnects from PAR and connects to NAR
  MN -> NAR: FNA;  NAR delivers the forwarded packets

Page 47: Mobility Support in IPv6

Message Flow - Reactive

[Figure: reactive message flow between MN, PAR (previous access router) and NAR (new access router)]

  L2 trigger at the MN
  MN -> PAR: RtSolPr;  PAR -> MN: PrRtAdv
  MN disconnects from PAR and connects to NAR
  MN -> NAR: FNA[FBU] (the FBU is carried inside the FNA)
  NAR -> PAR: FBU;  PAR -> NAR: FBACK
  PAR forwards packets to NAR;  NAR delivers them to the MN

Page 48: Mobility Support in IPv6

Timing Diagram (1/2)

[Timing diagram, MIPv6: events along the time axis]

  Handover start epoch
  New link information; Neighbor Discovery is completed
  MN transmission capable; sends Binding Update
  Binding Update received by mobility agent/CN
  Packets begin arriving at the new IP address

  Latencies: link switching delay (tL), IP connectivity latency (tI), packet reception latency (tP); intervals tBU and tNew

Page 49: Mobility Support in IPv6

Timing Diagram (2/2)

[Timing diagram, FMIPv6 predictive: events along the time axis]

  L2 trigger (RtSolPr/PrRtAdv, HI/HACK)
  Handover start epoch
  New link information; Neighbor Discovery is completed
  MN transmission capable; sends Binding Update
  Packets begin arriving directly at the new IP address
  Binding Update received by mobility agent/CN
  Meanwhile: forwarding from PAR to NAR (F-BU/F-BACK)

  Latencies: link switching delay (tL), IP connectivity and packet reception latency (tI = tP); intervals tNew, tBU and tL2

Page 50: Mobility Support in IPv6

Research Issue

• HMIPv6
  – MAP selection
  – Scalability and fault-tolerant service

• FMIPv6
  – Implementation over IEEE 802.11/16/20
  – Buffer management

• HMIPv6 + FMIPv6
  – Integration of HMIPv6 with FMIPv6