EE579S Computer Security


ECE537 Advanced and High Performance Networks
3: Mobile Networking
Professor Richard A. Stanley, P.E.
Spring 2009
© 2000-2009, Richard A. Stanley
ECE537/3 #1
Overview of Tonight’s Class
• What do we mean by mobile networking?
• How does the cellular telephone network
deal with mobility?
• What about mobile data users?
• Are there protocols to facilitate mobile
networking under IP?
• What is ad hoc networking?
• How can we implement ad hoc networking?
What Do We Mean by Mobile Networking?
• Telephone network designed to route calls
to fixed sockets, always at the same location
• Mobile refers to the ability of users to join
or leave a network more or less at will,
whether it is their “home” or not
• Mobile does not necessarily refer to
physical movement of the user while
communicating
The Way it Was
Cellular Architecture (GSM)
GSM Nomenclature
• Home Location Register (HLR)
• Visitor Location Register (VLR)
• Equipment Identity Register (EIR)
• Authentication Center (AuC)
• SMS Serving Center (SMS SC)
• Gateway MSC (GMSC)
• Chargeback Center (CBC)
• Transcoder and Adaptation Unit (TRAU)
What is Going On Here?
• Many steps to set up, conduct, and break
down a call
• More steps to locate the handset and
connect to it, without user input
• Driving force?
Mobile Networking
• How does the cellular model relate to data
networking?
– Addressing
– Authentication
– Host location
– Billing
• Could we use a similar model to achieve
mobile data networking?
Mobile IP
• Why?
– Increasing numbers of mobile (i.e. peripatetic)
computers seeking network access
– Manual network updates to accommodate this
are not feasible
• How?
– What about the cellular approach?
– Could we do this with IP?
The Problem
• A mobile node must change its IP address
whenever it changes its point of attachment,
so that packets destined for the node are
routed correctly
• But to maintain existing TCP/UDP
connections, the mobile node has to keep
the same IP address
– Changing the IP address will cause the
connection to be disrupted and lost
Mobile IP: A Solution
• Each mobile node has two IP addresses:
– One IP address is the permanent home address that is
assigned at the home network and is used to identify
communication endpoints
– The other IP address is a temporary care-of address that
represents the current location of the host
• Objective of Mobile IP is to make mobility
transparent to higher level protocols and to make
minimum changes to the existing network
infrastructure
Mobile IP Architecture
Concepts
• Home network
– The network within which the device
receives its identifying IP address (home
address).
• Home address
– The IP address assigned to the device
within its home network.
• Foreign network
– Network in which a mobile node is
operating when away from its home network
Mobility Agents
• Two sorts:
– Home agents
– Foreign agents
Home Agent
• Designated router in the home network of
the mobile node
• Maintains the mobility binding in a
mobility binding table
– each entry is identified by the tuple <permanent
home address, temporary care-of address,
association lifetime>
Mobility Binding Table
Foreign Agent
• Specialized router on the foreign network
that the mobile node is currently visiting
– Maintains a visitor list which contains
information about the mobile nodes currently
visiting that network
– Each entry in the visitor list is identified by the
tuple: <permanent home address, home agent
address, media address of the mobile node,
association lifetime>
Visitor List
Stages in Mobile IP
• Agent discovery
• Registration
• In-service
• Deregistration
Agent Discovery
• Mobility agents advertise their presence by periodically
broadcasting Agent Advertisement messages
– Agent Advertisement message lists one or more care-of addresses
and a flag indicating whether it is a home agent or a foreign agent.
• The mobile node receiving the Agent Advertisement
message observes whether the message is from its own
home agent and determines whether it is on the home
network or a foreign network
• If a mobile node does not wish to wait for the periodic
advertisement, it can send out an Agent Solicitation message,
to which a mobility agent responds with an Agent Advertisement
Registration
• If a mobile node discovers that it is on
the home network, it operates without
any mobility services
• If the mobile node is on a new
network, it registers with the foreign
agent by sending a Registration
Request message which includes the
permanent IP address of the mobile
host and the IP address of its home agent
Registration Process
In-service
• When a correspondent node wants
to communicate with the mobile
node, it sends an IP packet
addressed to the permanent IP
address of the mobile node
• The home agent intercepts this
packet and consults the mobility
binding table to find out if the
mobile node is currently visiting
In-service Tunneling
Deregistration
• If a mobile node wants to drop its care-of address, it has to
deregister with its home agent
• This is done by sending a Registration Request with the
lifetime set to zero
• No need for deregistering with the foreign agent as
registration automatically expires when lifetime becomes
zero
• However if the mobile node visits a new network while the
old care-of address is still valid, the old foreign network
does not know the new care-of address of the mobile node.
Thus datagrams already forwarded by the home agent to
the old foreign agent of the mobile node are lost.
Security Issues
• During registration, home agent should
be convinced that it is getting a
Registration Request from authentic
mobile node and not receiving
information from a bogus node
• Mobile IP deals with this problem by
specifying a security association
between the home agent and the
mobile node, which the mobile node uses
to authenticate every Registration Request
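Added example, not from the original slides: a Python sketch of the home agent side of the registration stages above (registration with a lifetime, in-service delivery decision, deregistration with lifetime zero, expiry) together with the security association just described. The message layout follows RFC 3344 in spirit but is simplified to a 24-byte fixed part plus a Mobile-Home Authentication Extension carrying an SPI and an HMAC-MD5 authenticator; the clock-skew window, the addresses and the shared key are assumed values chosen for the example. The order of checks is the point: authenticate first, then test the Identification field for replay, and only then touch the binding table.

```python
"""Simplified Mobile IPv4 home agent: authenticated registration, replay check,
mobility binding table, in-service routing decision and deregistration."""
import hashlib
import hmac
import ipaddress
import struct
import time

REG_REQUEST = 1
MHAE = 32                        # Mobile-Home Authentication Extension type (RFC 3344)
CODE_OK = 0                      # RFC 3344 reply codes used below
CODE_BAD_AUTH = 131              # mobile node failed authentication
CODE_IDENT_MISMATCH = 133        # registration Identification mismatch
CODE_MALFORMED = 134             # poorly formed Request
FIXED_LEN, EXT_LEN = 24, 22      # fixed part; ext = type(1) len(1) SPI(4) authenticator(16)


def _a2b(addr):
    return int(ipaddress.IPv4Address(addr)).to_bytes(4, "big")


def build_registration_request(home, home_agent, care_of, lifetime, ident, spi, key):
    """Mobile node side. lifetime=0 means deregistration. ident is the 64-bit
    Identification: high 32 bits a timestamp in seconds, low 32 bits a counter."""
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime,
                        _a2b(home), _a2b(home_agent), _a2b(care_of), ident)
    ext_head = struct.pack("!BBI", MHAE, 20, spi)   # length covers SPI + authenticator
    # The authenticator protects the fixed part and the extension header incl. the SPI.
    auth = hmac.new(key, fixed + ext_head, hashlib.md5).digest()
    return fixed + ext_head + auth


class HomeAgent:
    def __init__(self, clock=time.time, max_skew=7):
        self.clock = clock
        self.max_skew = max_skew     # tolerated clock difference in seconds (assumed value)
        self.sa = {}                 # security associations: (home address, SPI) -> shared key
        self.last_ident = {}         # home address -> last accepted Identification
        self.bindings = {}           # mobility binding table: home address -> (care-of, expiry)

    def add_security_association(self, home, spi, key):
        self.sa[(home, spi)] = key

    def process_registration(self, msg):
        """Returns an RFC 3344 reply code; the binding table changes only for code 0."""
        if len(msg) != FIXED_LEN + EXT_LEN:
            return CODE_MALFORMED
        fixed = msg[:FIXED_LEN]
        ext_head, auth = msg[FIXED_LEN:FIXED_LEN + 6], msg[FIXED_LEN + 6:]
        _, _, lifetime, home_b, _, coa_b, ident = struct.unpack("!BBH4s4s4sQ", fixed)
        ext_type, ext_len, spi = struct.unpack("!BBI", ext_head)
        home = str(ipaddress.IPv4Address(home_b))
        care_of = str(ipaddress.IPv4Address(coa_b))
        key = self.sa.get((home, spi))
        if ext_type != MHAE or ext_len != 20 or key is None:
            return CODE_BAD_AUTH
        expected = hmac.new(key, fixed + ext_head, hashlib.md5).digest()
        if not hmac.compare_digest(expected, auth):   # constant-time comparison
            return CODE_BAD_AUTH
        # Replay protection: timestamp close to our clock, and the whole Identification
        # strictly newer than the last one accepted from this mobile node.
        stamp = ident >> 32
        if abs(stamp - int(self.clock())) > self.max_skew or ident <= self.last_ident.get(home, -1):
            return CODE_IDENT_MISMATCH
        self.last_ident[home] = ident
        if lifetime == 0:                             # deregistration: drop the binding
            self.bindings.pop(home, None)
        else:
            self.bindings[home] = (care_of, self.clock() + lifetime)
        return CODE_OK

    def route(self, home):
        """In service: ('tunnel', care-of address) while a binding is live, otherwise
        ('home', home) meaning deliver on the home link; expired bindings are purged."""
        binding = self.bindings.get(home)
        if binding and binding[1] > self.clock():
            return ("tunnel", binding[0])
        self.bindings.pop(home, None)
        return ("home", home)
```

A replayed request fails on the Identification check even though its authenticator is valid, and a request whose care-of address was altered in flight fails authentication before any state is touched.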
Basic Mobile IP: Triangle Routing
Route Optimization
• Extension to the basic Mobile IP protocol
• Messages from the correspondent node are routed
directly to the mobile node's care-of address
without having to go through the home agent
• Route Optimization provides four main
operations:
– Updating binding caches
– Managing smooth handoffs between foreign agents
– Acquiring registration keys for smooth handoffs
– Using special tunnels
Updating binding caches
• Binding caches are maintained by correspondent nodes for
associating the home address of a mobile node with its
care-of address. A binding cache entry also has an
associated lifetime after which the entry has to be deleted
from the cache. If the correspondent node has no binding
cache entry for a mobile node, it sends the message
addressed to the mobile node's home address. When the
home agent intercepts this message, it encapsulates it and
sends it to the mobile node's care-of address. It then sends
a Binding Update message to the correspondent node
informing it of the current mobility binding.
Managing smooth handoffs
between foreign agents
• When a mobile node registers with a new foreign
agent, basic Mobile IP does not specify a method
to inform the previous foreign agent. Thus the
datagrams in flight which had already tunneled to
the old care-of address of the mobile node are lost.
• Problem is solved in Route Optimization by
introducing smooth handoffs. Smooth handoff
provides a way to notify the previous foreign
agent of the mobile node's new mobility binding
Smooth Handoffs
• If a foreign agent supports smooth
handoffs, it indicates this in its
Agent Advertisement message
• When the mobile node moves to a
new location, it requests the new
foreign agent to inform its previous
foreign agent about the new
location as part of the registration
procedure
Acquiring registration keys for
smooth handoffs
• For managing smooth handoffs,
mobile nodes need to communicate
with the previous foreign agent.
This communication needs to be
done securely as any careful
foreign agent should require
assurance that it is getting
authentic handoff information and
Using special tunnels
• When a foreign agent receives a
tunneled datagram for which it has no
visitor list entry, it concludes that the
node sending the tunneled datagram
has an out-of-date binding cache entry
for the mobile node
• If the foreign agent has a binding cache
entry for the mobile node, it re-tunnels
Minimal Encapsulation
• Encapsulation in Mobile IP is done by
putting the original datagram (=IP
header+payload) inside another IP
envelope
• Fields in the outer IP header add
overhead to the final datagram; several fields are duplicated from the
inner IP header
Minimal Encapsulation
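Added example, not from the original slides: Python code that builds the two encapsulations side by side so the overhead difference is visible in bytes. IP-in-IP (RFC 2003) prepends a complete 20-byte outer header; minimal encapsulation (RFC 2004) reuses the original header and inserts an 8-byte forwarding header (12 bytes when the encapsulator is not the original source and must carry that address). The addresses and payload are constructed for the example, and the code assumes IPv4 headers without options; the check that refuses to minimally encapsulate an already-fragmented datagram is the RFC 2004 rule.

```python
"""IP-in-IP (RFC 2003) versus minimal encapsulation (RFC 2004) for Mobile IP tunnels."""
import struct
from collections import namedtuple

IPPROTO_IPIP = 4        # IP-in-IP encapsulation
IPPROTO_MINENC = 55     # minimal encapsulation
MF_OR_OFFSET = 0x3FFF   # More Fragments bit plus fragment offset

Hdr = namedtuple("Hdr", "tos total_len ident frag ttl proto src dst")


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; 0 when run over a header that already carries it."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, tos=0, ident=0x1234, frag=0, ttl=64):
    """20-byte IPv4 header without options (IHL=5) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, frag,
                      ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    vihl, tos, tl, ident, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl != 0x45:
        raise ValueError("example handles only IPv4 headers without options")
    if ip_checksum(pkt[:20]) != 0:
        raise ValueError("bad IP header checksum")
    return Hdr(tos, tl, ident, frag, ttl, proto, src, dst)


def ipip_encapsulate(original, tunnel_src, tunnel_dst):
    """RFC 2003: the whole original datagram becomes the payload of a new outer header."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, original)


def minimal_encapsulate(original, tunnel_src, tunnel_dst):
    """RFC 2004: keep the original header, insert an 8- or 12-byte forwarding header
    that carries only the fields the tunnel overwrites (protocol, destination, source)."""
    h = parse_ipv4(original)
    if h.frag & MF_OR_OFFSET:
        raise ValueError("minimal encapsulation must not be used on a fragment")
    s_flag = 0x80 if tunnel_src != h.src else 0      # S=1: original source must be carried
    fwd = struct.pack("!BBH4s", h.proto, s_flag, 0, h.dst) + (h.src if s_flag else b"")
    fwd = fwd[:2] + struct.pack("!H", ip_checksum(fwd)) + fwd[4:]
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_MINENC, fwd + original[20:],
                      tos=h.tos, ident=h.ident, frag=h.frag, ttl=h.ttl)


def minimal_decapsulate(pkt):
    """Tunnel exit: restore the original header from the forwarding header."""
    h = parse_ipv4(pkt)
    if h.proto != IPPROTO_MINENC:
        raise ValueError("not a minimal-encapsulation datagram")
    proto, flags, _, odst = struct.unpack("!BBH4s", pkt[20:28])
    n = 12 if flags & 0x80 else 8
    if ip_checksum(pkt[20:20 + n]) != 0:
        raise ValueError("bad forwarding header checksum")
    osrc = pkt[28:32] if flags & 0x80 else h.src
    return build_ipv4(osrc, odst, proto, pkt[20 + n:],
                      tos=h.tos, ident=h.ident, frag=h.frag, ttl=h.ttl)
```

The saving is 8 or 12 bytes per packet against IP-in-IP, which is why a home agent tunneling a correspondent's packet (S=1) pays 12 bytes while a sender encapsulating its own traffic pays 8.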
Mobile IP in IPv6
• Exploits the larger address space
• Route Optimization is a
fundamental part of Mobile IPv6
unlike Mobile IPv4 where it is an
optional set of extensions that may
not be supported by all nodes.
• Foreign agents are not needed in Mobile IPv6
Goals of IPv6 Mobility
• Always on IP connectivity
• Roaming between different L2 technologies
– WLAN, WiMAX, UMTS, fixed
• Roaming between different (sub)networks
– large WLAN deployments mostly use different L3
subnets
• Application continuity (session persistence)
• Static IP addresses for mobile nodes
• Mobile devices may act as servers
Bidirectional Tunnel Mode (1)
Bidirectional Tunnel Mode (2)
Triangle Routing?
Route Optimization (1)
Route Optimization (2)
Secure Binding
Return Routeability Procedure (1)
Return Routeability Procedure (2)
Coming Up
• Bootstrapping MIPv6
– No static configuration of HA address and HoA on mobile nodes
• Network mobility (NEMO) (Instead of node mobility)
– IETF working group with focus on mobile networks (e.g. prefix
delegation)
• Mobile ad hoc networks (MANET)
– Interworking of Mobile Ad-hoc networks and Mobile IPv6 Networks
– Mobile node roaming in between MIPv6 and MANET
– MANET roaming as a MIPv6 client
• Signaling and Handoff Optimization
– Fast Handovers for Mobile IPv6 (FMIPv6, RFC4068)
– Hierarchical MIPv6 mobility management (HMIPv6, RFC4140)
• Cryptographically generated (IPv6) addresses (RFC 3972)
– MN can prove that it owns its HoA by including its public key in the
binding update and by signing the resulting message (No PKI needed)
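Added example, not from the original slides: the address/key binding behind the last bullet, in Python. A cryptographically generated address (RFC 3972) derives its 64-bit interface identifier from a hash of the public key, so a binding update that carries the key and is signed with the matching private key proves ownership of the home address without any PKI. The public keys here are constructed byte strings standing in for DER-encoded keys, and the signature over the binding update (an ordinary public-key signature) is not shown; what is shown is generation with the Sec parameter and the verification a correspondent performs, including rejecting a different key offered for the same address.

```python
"""Cryptographically Generated Addresses (RFC 3972): generation and verification."""
import hashlib
import os

IID_COMPARE_MASK = bytes([0x1C]) + b"\xff" * 7   # ignore Sec bits (0-2) and u/g bits (6-7)


def _hash1(modifier, prefix, collision_count, pubkey):
    # Leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | encoded public key)
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    # Leftmost 16*Sec bits of SHA-1(modifier | 9 zero octets | encoded public key) must be zero.
    # Sec raises the attacker's cost of finding another key that maps to the same address.
    h2 = hashlib.sha1(modifier + b"\0" * 9 + pubkey).digest()
    return int.from_bytes(h2[:2 * sec], "big") == 0


def generate_cga(prefix, pubkey, sec=0, modifier=None):
    """Returns (16-byte address, CGA parameters). Collision count stays 0: no DAD here."""
    if len(prefix) != 8 or not 0 <= sec <= 7:
        raise ValueError("prefix must be 64 bits and Sec in 0..7")
    modifier = os.urandom(16) if modifier is None else modifier
    while not _hash2_ok(modifier, pubkey, sec):          # search for a modifier satisfying Hash2
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, 0, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)                 # write Sec, clear the u and g bits
    return prefix + bytes(iid), (modifier, prefix, 0, pubkey)


def verify_cga(address, params):
    """A correspondent or home agent checks that the claimed key really yields the address."""
    modifier, prefix, collision_count, pubkey = params
    if len(address) != 16 or collision_count > 2 or address[:8] != prefix:
        return False
    sec = address[8] >> 5
    expected = _hash1(modifier, prefix, collision_count, pubkey)
    if any((e & m) != (g & m) for e, g, m in zip(expected, address[8:], IID_COMPARE_MASK)):
        return False
    return _hash2_ok(modifier, pubkey, sec)
```

With Sec=1 generation must try on average 2^16 modifiers before Hash2 has 16 leading zero bits; an attacker who wants to impersonate the address must find a key whose Hash1 matches 59 identifier bits and whose Hash2 also passes, which is what makes the binding expensive to forge.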
Mobile IP Standards
• Mobile IPv4: RFC3344
• Mobile IPv6: RFC3775
• Mobile IPv4 Challenge/Response Extensions: RFC 4721
• Reverse Tunneling for Mobile IP: RFC 3024
• Using IPsec to Protect Mobile IPv6 Signaling between Mobile Nodes and Home Agents: RFC 3776
Mobile Ad Hoc Networking
• MANET
• Allows self-configuration of the network
– Wireless links
– Handles arrival/departure of nodes
• Topology generally a mesh
• Traffic passed by multiple relays
Formal Definition
• “An ad hoc network is a collection of wireless
mobile hosts forming a temporary network
without the aid of any centralized administration
or standard support services regularly available on
the wide-area network to which the host may
normally be connected.”
» David B. Johnson, “Routing in Ad Hoc Networks of Mobile
Hosts,” Proceedings of the IEEE Workshop on Mobile
Computing Systems and Applications, pages 158-163,
December 1994
Simple MANET
Airport Scenario
Characteristics of MANETs
• Dynamic Network Topology
• Bandwidth-Limited and Fluctuating
Capacity Links
• Low-Power and Resource-Limited
Operation
• Constrained Physical Security
• Decentralized Network Control
MANET Challenges
• Route discovery from source to target
• Minimizing network management overhead
• Dealing with constantly changing topology
• Assured packet delivery
• Security
Summary
• Mobile networking needs are growing
• Two basic networking needs:
– Mobile nodes in established networks
– Ad hoc networking
• Coexistence of IPv4 and IPv6 complicates
sharing of data across different mobile
protocols
Homework
• Research mobile ad hoc networking. How is the
network organized? How is a path for datagrams
discovered and established? What challenges
exist if one network is on IPv6 and wishes to
communicate with one on IPv4? Other issues?
• Be prepared to discuss your findings with the class
for 5-10 minutes next week. You may use slides
if you desire.
Disclaimer
Parts of the lecture slides contain original
work of Tarmo Anttalainen, Wikipedia,
Debalina Ghosh, Holger Zuleger, and JinHee Cho and remain copyrighted materials
by the original owner(s). The slides are
intended for the sole purpose of instruction
of computer networks at Worcester
Polytechnic Institute.