Mobile IPv6 - Gruppo Telecomunicazioni e Tecnologie dell

Transcript

Servizi Applicativi su Internet (Application Services on the Internet)
MIPv6
Mobile IPv6
Ing. Pierluigi Gallo
Mobile IP
  Keeping the same IP address for the whole session allows TCP connections to stay up while the node moves
  Home Address (HoA)
    used for end-to-end communication
  A new IPv6 address belonging to the network visited by the mobile node is assigned to it
  Care-of Address (CoA)
    the address used for routing
  Mobile IP turns a mobility problem into a routing problem
  The dynamic association between HoA and CoA is known as a Binding
Ing. Pierluigi Gallo
a.a. 2010/2011
Definitions
  Mobile node (MN)
    the node that moves between different networks
  Home network (HN)
    the network in which the mobile node receives its static IPv6 Home Address
  Home address (HoA)
    the static IPv6 address assigned to the mobile node by the home network (kept even when the node is away from that network)
  Foreign network (FN)
    any network other than the node's own home network
  Care-of address (CoA)
    the IPv6 address given to the MN when it visits a foreign network
  Home agent (HA)
    a router located in the mobile node's home network
    when the MN is in a foreign network, the HA forwards packets to it through tunnels
Objectives
  Always-on IP connectivity
  Roaming between different L2 technologies
    WLAN, WiMAX, UMTS, fixed
  Roaming between different (sub)networks: large WLAN deployments mostly use different L3 subnets
  Application continuity (session persistence)
  Static IP addresses for mobile nodes
    mobile devices may act as servers
MIPv6: how it works
  The router advertises the routing prefix: 2001:618:6:f1::
  The MN autoconfigures its CoA by appending its interface identifier to that prefix:
    2001:618:6:f1:: + 2d0:b7ff:fe91:5c0c = 2001:618:6:f1:2d0:b7ff:fe91:5c0c
  The Mobile Node sends Binding Updates to the Home Agent and to the Correspondent Nodes to inform them of its new CoA
  Through the Home Agent the mobile node is always reachable
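The prefix + interface identifier step above is stateless autoconfiguration with a modified EUI-64 identifier. The following is an added example (not code from the slides): it derives the slide's CoA from the advertised /64 and a MAC address, and also reverses the mapping. The MAC 00:d0:b7:91:5c:0c is an assumption inferred from the interface ID 2d0:b7ff:fe91:5c0c shown on the slide; it is not stated on the page.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address such as 00:d0:b7:91:5c:0c")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe in the middle
    eui[0] ^= 0x02  # invert the universal/local bit of the first octet
    return int.from_bytes(bytes(eui), "big")


def slaac_care_of_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """CoA = advertised /64 prefix | EUI-64 interface identifier, as the MN autoconfigures it."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(network.network_address) | eui64_interface_id(mac))


def mac_from_eui64_address(address: str) -> str:
    """Reverse mapping: an EUI-64 CoA reveals the interface's MAC to every correspondent."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    eui = bytearray(iid.to_bytes(8, "big"))
    if eui[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    eui[0] ^= 0x02
    return ":".join("%02x" % b for b in eui[:3] + eui[5:])


if __name__ == "__main__":
    # MAC assumed from the slide's interface ID; prefix taken from the slide
    coa = slaac_care_of_address("2001:618:6:f1::/64", "00:d0:b7:91:5c:0c")
    print(coa)                               # 2001:618:6:f1:2d0:b7ff:fe91:5c0c
    print(mac_from_eui64_address(str(coa)))  # 00:d0:b7:91:5c:0c
```

The reverse function is the privacy caveat a practitioner should keep in mind: because the interface identifier stays constant across every visited network, an EUI-64 CoA lets any correspondent (and anyone seeing Binding Updates) track the device as it roams; RFC 4941 temporary addresses exist for exactly this reason.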
MobileIPv6 Technical Overview (2)
[Figure: the Mobile Node in the Visited Net (prefix 2001:618:6:f1::, interface ID 2d0:b7ff:fe91:5c0c, CoA 2001:618:6:f1:2d0:b7ff:fe91:5c0c) sends a Binding Update across the Internet to the Home Agent in the Home Net and to the Correspondent; the TCP connection with the Correspondent is preserved]
Mobility Header
  Binding Updates and the other signalling messages are carried in the Mobility Header (an IPv6 extension header)
  Payload Proto: the Next Header field; nothing follows the Mobility Header, so it is set to 59 (IPPROTO_NONE)
  Header Len: length of the Mobility Header in units of 8 octets, excluding the first 8 octets
  MH Type: identifies the particular message
  Reserved: reserved for future use
  Checksum: checksum of the Mobility Header, computed like any IPv6 upper-layer checksum over the IPv6 pseudo-header followed by the whole MH
  Message Data: the payload of the MH
MobileIPv6 vs. MobileIPv4
  Binding Updates let the mobile node notify its current location to the correspondent nodes
    no 'dog-leg' (triangular) routes
  The type 2 Routing Header removes the overhead associated with encapsulation
  security
  route optimization
  In MIPv6 there is no Foreign Agent
  Tunnelling is minimised by using extension headers
Addresses
  The HoA is the address registered in the DNS
  The CoA is the address acquired in the visited network
  A node may have several CoAs, but only one can be registered with the Home Agent (the primary CoA)
MIPv6-compliant nodes
  All nodes must support IPv6
  The only nodes that must support MIPv6 are:
    Home Agent
    Correspondent Node
    Mobile Node
  Intermediate routers do not need to support MIPv6
    extension headers (other than Hop-by-Hop) are not processed by the routers along the path
MobileIPv6 improvements
  Hierarchical Mobile IPv6
  Interaction with AAA
  Handover improvements
    speed
    service continuity (seamless handover)
  Header size reduction
  Mobility technology within and between cellular networks
    All-IP cellular networks
Home networking & Mobile IPv6
  Better routing through MIPv6
  Only the initial traffic goes through the ISPs' access points
  The remaining traffic flows directly between the CoAs
  Better scalability
[Figure: User A behind ISP A and User B behind ISP B exchanging traffic directly between their care-of addresses]
3G and MobileIPv6
  MobileIPv6 allows seamless roaming between 3G/cellular networks and fixed or Wi-Fi networks
[Figure: 3G IM Domain (Call State Control Function, CSCF; Media Gateway, MGW; Media Gateway Control Function; SIP over v6/v4; PSTN) connected through an IPv6 network, E-SGSN/E-GGSN, an IPv4 or IPv6 Internet/intranets, and an IPv6 backbone for the tunnelling layer]
NAT: a semi-"protocol-aware" protocol
  Some protocols (e.g. H.323 or MIPv6) embed IP addresses inside the payload of their packets
  Since NAT rewrites the source and destination IP addresses, it must know how each protocol embeds IP addresses inside its packets
  NATs must therefore be "protocol aware", and networks that use NAT are not "end-to-end" transparent
  Packets must be modified not only in the header but also in the payload
  If a new protocol is invented that an existing NAT is unable to support, the NAT cannot modify its packets, so that protocol and that application will not work across the NAT
  NATed networks slow down the development of new application-layer applications
  Mobility over IPv6 exploits the benefit of having public IPv6 addresses (there is no NAT)
Route Optimization
[Figure: Data path from Mobile Node to Correspondent Node in Route Optimization]
[Figure: Data path from Correspondent Node to Mobile Node in Route Optimization]
Advantages of Route Optimization
  uses the most convenient path
  removes congestion at the Home Agent and in the Home network
  removes the Home Agent as a point of failure
Messages supported by the Mobility Header
  Return Routability Procedure
    Home Test Init
    Home Test
    Care-of Test Init
    Care-of Test
  Registration
    Binding Update
    Binding Acknowledgement
    Binding Refresh Request
    Binding Error
Return Routability Procedure
  Through this procedure the CN makes sure that the MN is actually reachable both at its home address and at its CoA (it verifies the return path in the routing)
  This condition must be met before the CN can accept BUs from the MN; it is what stops an off-path attacker from redirecting someone else's traffic with a forged BU
Return Routability flow diagram
Home Test Init
  Source Address = home address
  Destination Address = correspondent
  Parameters: home init cookie
Home Test
  Source Address = correspondent
  Destination Address = home address
  Parameters: home init cookie, home keygen token, home nonce index
Care-of Test Init
  Source Address = care-of address
  Destination Address = correspondent
  Parameters: care-of init cookie
Care-of Test
  Source Address = correspondent
  Destination Address = care-of address
  Parameters: care-of init cookie, care-of keygen token, care-of nonce index
Binding message flow diagram
Binding Update
  Source Address = care-of address
  Destination Address = correspondent
  Parameters: home address, sequence number, home nonce index, care-of nonce index, Binding Authorization Data
  Binding Authorization Data = First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | BU)))
  where Kbm, the binding management key, is SHA1 (home keygen token | care-of keygen token): only a node that received both the Home Test and the Care-of Test can compute it, and the CN recomputes it statelessly from the two nonce indices carried in the BU
  A Binding Update is used by a mobile node to notify a correspondent node or the mobile node's home agent of its current binding. The Binding Update sent to the mobile node's home agent to register its primary care-of address is marked as a "home registration".
Binding Acknowledgement
  Source Address = correspondent
  Destination Address = care-of address
  Parameters: sequence number, Binding Authorization Data
  Binding Authorization Data = First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | BA)))
  A Binding Acknowledgement is used to acknowledge receipt of a Binding Update, if an acknowledgement was requested in the Binding Update, the binding update was sent to a home agent, or an error occurred.
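The token, Kbm and authenticator formulas above (the same ones RFC 3775 uses) are worked through below in an added example that is not code from the slides. The correspondent node keeps only its secret Kcn and a nonce list, hands out keygen tokens in the Home Test and Care-of Test, and later verifies a Binding Update by recomputing both tokens from the nonce indices. The home address 2001:db8:0:1::10 and the correspondent address 2001:db8:2::1 are constructed; the care-of address is the slides' one; the Binding Update fields are a constructed byte string.

```python
import hashlib
import hmac
import ipaddress
import os


def first(bits: int, data: bytes) -> bytes:
    """First(bits, data) as written on the slides: the leading `bits` bits of data."""
    return data[: bits // 8]


def keygen_token(kcn: bytes, nonce: bytes, addr: str, which: int) -> bytes:
    # home keygen token    = First(64, HMAC_SHA1(Kcn, (home address    | nonce | 0)))
    # care-of keygen token = First(64, HMAC_SHA1(Kcn, (care-of address | nonce | 1)))
    msg = ipaddress.IPv6Address(addr).packed + nonce + bytes([which])
    return first(64, hmac.new(kcn, msg, hashlib.sha1).digest())


def binding_management_key(home_token: bytes, careof_token: bytes) -> bytes:
    # Kbm = SHA1(home keygen token | care-of keygen token)
    return hashlib.sha1(home_token + careof_token).digest()


def binding_authenticator(kbm: bytes, coa: str, cn: str, mh_data: bytes) -> bytes:
    # First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | MH data)))
    msg = ipaddress.IPv6Address(coa).packed + ipaddress.IPv6Address(cn).packed + mh_data
    return first(96, hmac.new(kbm, msg, hashlib.sha1).digest())


class CorrespondentNode:
    """Stateless side of return routability: keeps only Kcn and a short nonce list."""

    def __init__(self, address: str):
        self.address = address
        self.kcn = os.urandom(20)       # secret key, never leaves the CN
        self.nonces = [os.urandom(8)]   # indexed by "nonce index"; rotated periodically

    def home_test(self, hoa: str):
        # reply to a Home Test Init; it travels to the home address through the home agent
        idx = len(self.nonces) - 1
        return keygen_token(self.kcn, self.nonces[idx], hoa, 0), idx

    def care_of_test(self, coa: str):
        # reply to a Care-of Test Init; it travels directly to the care-of address
        idx = len(self.nonces) - 1
        return keygen_token(self.kcn, self.nonces[idx], coa, 1), idx

    def accept_binding_update(self, hoa, coa, home_idx, careof_idx, mh_data, authenticator) -> bool:
        # recompute both tokens from the nonce indices carried in the BU: no per-MN state
        if not (0 <= home_idx < len(self.nonces) and 0 <= careof_idx < len(self.nonces)):
            return False
        kbm = binding_management_key(keygen_token(self.kcn, self.nonces[home_idx], hoa, 0),
                                     keygen_token(self.kcn, self.nonces[careof_idx], coa, 1))
        expected = binding_authenticator(kbm, coa, self.address, mh_data)
        return hmac.compare_digest(authenticator, expected)


def run_return_routability() -> dict:
    hoa = "2001:db8:0:1::10"                   # constructed home address
    coa = "2001:618:6:f1:2d0:b7ff:fe91:5c0c"   # care-of address from the slides
    cn = CorrespondentNode("2001:db8:2::1")    # constructed correspondent address
    # mobile node side: run both tests, derive Kbm, sign the BU
    home_token, home_idx = cn.home_test(hoa)
    careof_token, careof_idx = cn.care_of_test(coa)
    kbm = binding_management_key(home_token, careof_token)
    bu_data = b"\x00\x07\x80\x00\x00\x64"      # constructed BU fields: seq 7, A flag, lifetime 100
    auth = binding_authenticator(kbm, coa, cn.address, bu_data)
    legitimate = cn.accept_binding_update(hoa, coa, home_idx, careof_idx, bu_data, auth)
    # attacker on the path to the CoA saw only the care-of token and must guess the home token
    forged_kbm = binding_management_key(os.urandom(8), careof_token)
    forged_auth = binding_authenticator(forged_kbm, coa, cn.address, bu_data)
    forged = cn.accept_binding_update(hoa, coa, home_idx, careof_idx, bu_data, forged_auth)
    # replaying the genuine BU from another CoA fails: the CoA is inside Kbm and the HMAC input
    redirected = cn.accept_binding_update(hoa, "2001:db8:bad::1", home_idx, careof_idx, bu_data, auth)
    return {"legitimate": legitimate, "forged": forged, "redirected": redirected}


if __name__ == "__main__":
    print(run_return_routability())
```

The caveat practitioners should take from this: return routability only defends against attackers who are not on both paths. An attacker who can observe the path between the correspondent and the mobile node's home network sees the home keygen token as well, which is why the Home Test is tunnelled through the home agent and why MN-HA signalling is separately protected with IPsec.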
Binding
  Binding Refresh Request
    is used by a correspondent node to request a mobile node to re-establish its binding with the correspondent node. This message is typically used when the cached binding is in active use but the binding's lifetime is close to expiration. The correspondent node may use, for instance, recent traffic and open transport layer connections as an indication of active use.
  Binding Error
    is used by the correspondent node to signal an error related to mobility, such as an inappropriate attempt to use the Home Address destination option without an existing binding.
Prefix Discovery
  allows a Mobile Node to get network prefix information about its Home Network
  the Mobile Node sends a Mobile Prefix Solicitation message to the Home Agent
Dynamic Home Agent Discovery
  When attached to a Foreign Network, a Mobile Node might not know the address of its Home Agent
  With DHAAD, the Mobile Node only needs a home network prefix configured and it can dynamically find the address of a Home Agent on its home network
Returning Home and Deregistering
  The Mobile Node determines whether it is attached to its home network based on the network prefix information
  It deregisters by sending a special Binding Update to its Home Agent
Neighbor/Router Discovery
  Provides IPv6 nodes with a means to discover the presence and link-layer addresses of other nodes
  Provides methods for discovering routers
  Detecting when a local node becomes unreachable
  Resolving duplicate addresses
Stateless Autoconfiguration
  Purpose: enables a node to decide how to autoconfigure its interfaces in IPv6
  Steps:
  1. Generate a link-local address for the interface.
  2. Obtain a Router Advertisement, which specifies the sort of autoconfiguration the host should do.
MIPv6 vs MIPv4
  No Foreign Agents
  Route Optimization is a fundamental part, unlike Mobile IPv4
  Bi-directional tunnelling is part of the core protocol, unlike Mobile IPv4
  Uses Neighbor Discovery to find link-layer addresses of neighbors, unlike Mobile IPv4 which uses ARP; hence more robust
  Dynamic Home Agent Address Discovery uses anycast addressing and returns a single reply to the mobile node, unlike Mobile IPv4 which uses a directed broadcast approach and returns separate replies from each Home Agent
  Mobile Nodes can obtain Care-of Addresses via Stateless Address Autoconfiguration, unlike Mobile IPv4 which uses Agent Discovery
Security in MIPv6
  Authorization of Binding Updates
  Firewalls and Mobile IPv6 do not work well together
  The neighbor discovery process has vulnerabilities
  Problems arise when roaming
  Security problems with a dual-stack architecture supporting both MIPv4 and MIPv6
Security in MIPv6
  Threats:
    Insider attacks
    Denial of Service (DoS)
    Replay attacks
    Information theft
      passive eavesdropping
      session stealing
  Required security services:
    authentication
    confidentiality
    integrity
    protection against replay attacks
IPsec (from Wikipedia)
  Authentication Headers (AH)
    provide connectionless integrity and data origin authentication for IP datagrams, and protection against replay attacks
  Encapsulating Security Payloads (ESP)
    provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality
  Security associations (SA)
    provide the bundle of algorithms and data that supply the parameters necessary to operate AH and/or ESP. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with keying material provided by:
      manual configuration with pre-shared keys
      Internet Key Exchange (IKE and IKEv2)
      Kerberized Internet Negotiation of Keys (KINK)
      IPSECKEY DNS records
  In MIPv6, IPsec ESP protects the Binding Updates and Binding Acknowledgements exchanged between the Mobile Node and its Home Agent (RFC 3776); Binding Updates sent to Correspondent Nodes are instead authorized through the Return Routability procedure
References
  http://tldp.org/HOWTO/html_single/Mobile-IPv6HOWTO/
  http://en.wikipedia.org/wiki/Mipv6
  http://lg.he.net/
  RFC 3775: Mobility Support in IPv6 (June 2004)
  RFC 3776: Using IPsec to Protect Mobile IPv6 Signaling between Mobile Nodes and Home Agents