MobileNAT (Mobility across Heterogeneous Address Spaces)

Agenda
• Motivation
• Architecture
• Implementation
• Comparison with current approaches
• Summary
(30 slides, 60 min)

Presented by Kundan Singh (Columbia University)
Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller
Current trends
• Explosive growth in connected devices
• Heterogeneity
  • Access: 802.11, 3G, Ethernet
  • Provider; billing
  • Address space
    • IPv4 vs IPv6
    • Public vs private
[Figure: seamless roaming between an 802.11 network with a private address and a 3G network]
MobileNAT/IRT group meeting
Project IOTA: http://www.bell-labs.com/~mbuddhikot/IOTAProject/IOTA.htm
The goal
• Preserve session for
  • inter access-point
  • inter sub-net
  • inter-NAT
  • to 3G network
  • to public network
[Figure: MN moving through steps (1)-(5) across 802.11 access points, an Ethernet sub-net, a router with NAT (private address space, NAT public address A), a PDSN/3G network and the routed IP network (Internet), with a session to www.cnn.com]
Problem with IP address / TCP association
• IP address overloaded
  • Host identification
  • Routing information
• Change in IP address breaks TCP/socket connection

Convention: CN (corresponding node) 128.59.16.149; MN (mobile node) 135.180.32.4

  Source IP       Destination IP   SP     DP
  128.59.16.149   135.180.32.4     80     1733
  135.180.32.4    128.59.16.149    1733   80
  135.180.54.7    128.59.16.149    1733   80     (MN moves to 135.180.54.7)
Two addresses
• Two IP addresses
  • Virtual IP (fixed host-id)
  • Actual IP (routable; changes)

MN stack: Application / Socket / TCP/UDP / IP (Addr "V") / Shim layer (virtual IP <-> actual IP) / Net IF (Addr "A")

Example: CN 128.59.16.149; anchor node (AN) 135.180.32.6; MN V=135.180.32.4; after the move MN A=135.180.54.7

  Source IP       Destination IP   SP     DP
  128.59.16.149   135.180.32.4     80     1733
  135.180.32.4    128.59.16.149    1733   80
  135.180.32.4    128.59.16.149    1733   80     (after MN moves: the application still sees V)
Packet forwarding mechanisms: tunneling or translation
• Tunneling
  • Outer: CN=>A or HA=>A
  • Inner: CN=>V
  • Header overhead
• Translation
  • More processing overhead
  • Not an issue if NAT(1) is already present
(1) NAT is described later

[Figure: the same topology twice, CN 128.59.16.149 -> AN (V=135.180.32.4) -> MN (A=135.180.54.7 after the move); tunneling carries the CN=>135.180.32.4 packet inside a 128.59.16.149=>135.180.54.7 header, translation rewrites the header to 128.59.16.149=>135.180.54.7]
Address allocation using DHCP
• Virtual and actual IP allocated using DHCP
• New DHCP options
  • MN sends current virtual IP address (or 0.0.0.0 if none) in the request
  • Server sends the allocated actual and virtual IP addresses in the response
• Actual IP is allocated based on relay agent IP
[Figure: one DHCP server reached through DHCP relay agents on sub-nets 10.0.1.x and 10.0.2.x (hosts 10.0.1.5, 10.0.2.2, 10.0.2.9)]
Overview of NA(P)T
• Packet processing rules need to be changed in the event of mobility

Packet processing rule (MN 10.0.1.5 to CN 128.59.16.149):
  Interface      Source IP       Destination IP   SP     DP
  In-1           10.0.1.5        128.59.16.149    1756   80
  Internet out   135.180.32.4    128.59.16.149    7088   80

[Figure: NAT with public addresses 135.180.32.1-7 in front of the private address space 10.0.0.0-10.255.255.255 (sub-nets 10.0.1.x, 10.0.2.x, 10.0.7.x)]
Mobility manager and MIDCOM
• MIDCOM to control NAT rules
• Mobility manager IP in DHCP response
[Figure: a change of lease at the DHCP server (relays on 10.0.1.x and 10.0.2.x, MN 10.0.1.5) is reported to the mobility manager, which changes the NAT rules]
Example
• Address assignment
• Packet flow when MN is private and CN is public
• MN moves to a new subnet
• Packet flow after mobility to a new subnet
• Packet flow when MN and CN are in the same NAT domain
• Packet flow when MN is private and CN is public and MN moves to new NAT domain
Address assignment
• DHCP request (MN, via the relay, to the DHCP server): my virtual IP = 0.0.0.0, my MAC address
• DHCP response: your virtual IP = 10.128.0.2, your actual IP = 10.0.1.5
[Figure: MN, DHCP server, mobility manager, NAT, Internet]
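The option exchange above, plus the re-request with an existing virtual IP after a sub-net change and the allocation of the actual IP from the relay agent's subnet, as an added example (not code from the deck or the project). The option codes 224-226, the 10.128.0.0/9 virtual range, the relay IPs and the mobility manager IP are assumptions; the deck does not name them.

```python
import ipaddress
import struct

# Assumed option codes: the deck only says "new DHCP options" without naming
# them, so these are placeholders from the DHCP private-use range 224-254.
OPT_VIRTUAL_IP = 224        # client -> server: current virtual IP (0.0.0.0 if none)
OPT_ACTUAL_IP = 225         # server -> client: allocated actual (routable) IP
OPT_MOBILITY_MANAGER = 226  # server -> client: mobility manager IP

def encode_option(code, ip):
    """One DHCP option TLV: 1-byte code, 1-byte length, 4-byte IPv4 address."""
    return struct.pack("!BB4s", code, 4, ipaddress.IPv4Address(ip).packed)


def decode_options(blob):
    """Parse a run of address TLVs into {code: dotted IPv4}; reject malformed ones."""
    opts, i = {}, 0
    while i + 2 <= len(blob):
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if length != 4 or len(value) != 4:
            raise ValueError("malformed option %d" % code)
        opts[code] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return opts


class MobileNatDhcpServer:
    """Virtual IP: fixed host id from one pool (10.128.0.0/9 is an assumed range);
    actual IP: routable address from the pool of the relay agent's own subnet."""

    def __init__(self, virtual_pool, actual_pools, mm_ip):
        self.virtual_pool = ipaddress.ip_network(virtual_pool).hosts()
        self.actual_pools = {ipaddress.ip_network(n): ipaddress.ip_network(n).hosts()
                             for n in actual_pools}
        self.mm_ip = mm_ip
        self.virtual_by_mac = {}  # lease state: MAC -> virtual IP, kept across moves
        self.lease_changes = []   # (mac, virtual, actual) events for the mobility manager

    def _next_actual(self, relay_agent_ip):
        relay = ipaddress.IPv4Address(relay_agent_ip)
        for net, pool in self.actual_pools.items():
            if relay in net:
                return next(str(a) for a in pool if a != relay)  # skip the relay itself
        raise RuntimeError("no actual-IP pool for relay %s" % relay_agent_ip)

    def handle_request(self, mac, relay_agent_ip, request_opts):
        claimed = decode_options(request_opts).get(OPT_VIRTUAL_IP, "0.0.0.0")
        owned = self.virtual_by_mac.get(mac)
        # A client with no lease, or one claiming a virtual IP it does not hold,
        # gets a fresh virtual IP; 0.0.0.0 ("none") re-issues an existing lease.
        if owned is None or (claimed != "0.0.0.0" and claimed != owned):
            owned = str(next(self.virtual_pool))
            self.virtual_by_mac[mac] = owned
        actual = self._next_actual(relay_agent_ip)
        self.lease_changes.append((mac, owned, actual))
        return (encode_option(OPT_VIRTUAL_IP, owned)
                + encode_option(OPT_ACTUAL_IP, actual)
                + encode_option(OPT_MOBILITY_MANAGER, self.mm_ip))
```

The ownership check in handle_request is the part worth keeping in a real server: without it, any client on the link could claim another node's virtual IP and have the NAT mapping moved to itself.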
Packet flow (MN private, CN public)
• NAT picks up an external IP and port

MN stack: Application / Socket / TCP/UDP / IP (Addr "V") / Shim layer / Net IF (Addr "A")

Outbound, MN to CN:
  Step              Source IP       Destination IP   SP     DP
  (1) application   10.128.0.2      128.59.16.149    1756   80
  (2) after shim    10.0.1.5        128.59.16.149    1756   80
  (3) after NAT     135.180.32.4    128.59.16.149    7088   80

Inbound, CN to MN:
  from CN           128.59.16.149   135.180.32.4     80     7088
  after NAT         128.59.16.149   10.0.1.5         80     1756
  after shim        128.59.16.149   10.128.0.2       80     1756
Inter-subnet mobility
• MN moves from sub-net 10.0.1.x to 10.0.2.x
• DHCP request: my virtual IP = 10.128.0.2, my MAC address
• DHCP response: your virtual IP = 10.128.0.2, your actual IP = 10.0.2.7
• Mobility manager changes the NAT rule
    S:10.0.1.5:1756 D:128.59.16.149:80 -> S:135.180.32.4:7088 D:same
  so that its internal side becomes 10.0.2.7
Packet flow after the node moves
• MN application or CN do not know about change in actual IP

Outbound, MN to CN:
  Step              Source IP       Destination IP   SP     DP
  (1) application   10.128.0.2      128.59.16.149    1756   80
  (2) after shim    10.0.2.7        128.59.16.149    1756   80
  (3) after NAT     135.180.32.4    128.59.16.149    7088   80

Inbound, CN to MN:
  from CN           128.59.16.149   135.180.32.4     80     7088
  after NAT         128.59.16.149   10.0.2.7         80     1756
  after shim        128.59.16.149   10.128.0.2       80     1756
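The two packet-flow tables (before and after the move) as a runnable model, added here and not taken from the deck or the implementation: a shim that swaps V and A, a NA(P)T with connection tracking, and the mobility-manager hook that moves a rule to the new actual IP while keeping the external port. The class and method names are assumptions; the addresses and ports are the ones on the slides.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    """Header fields the shim and the NA(P)T rewrite (addresses as dotted strings)."""
    src: str
    sport: int
    dst: str
    dport: int


class Shim:
    """MN shim layer: the application sees the virtual IP V, the wire sees the actual IP A."""

    def __init__(self, virtual, actual):
        self.virtual, self.actual = virtual, actual

    def outbound(self, p):   # V -> A on the way out
        if p.src != self.virtual:
            raise ValueError("application must send from the virtual IP")
        return replace(p, src=self.actual)

    def inbound(self, p):    # A -> V on the way in
        if p.dst != self.actual:
            raise ValueError("not addressed to this MN's current actual IP")
        return replace(p, dst=self.virtual)


class Napt:
    """Domain NA(P)T: connection tracking keyed on the private-side 4-tuple."""

    def __init__(self, public_ip, first_port=7088):   # 7088 is the port on the slides
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (src, sport, dst, dport) -> external port
        self.inb = {}   # (external port, remote ip, remote port) -> (src, sport)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:   # new flow: pick the next free external port
            self.out[key], self.next_port = self.next_port, self.next_port + 1
            self.inb[(self.out[key], p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out[key])

    def inbound(self, p):
        key = (p.dport, p.src, p.sport)
        if p.dst != self.public_ip or key not in self.inb:
            raise LookupError("no mapping: unsolicited inbound packet is dropped")
        src, sport = self.inb[key]
        return replace(p, dst=src, dport=sport)

    def update_lease(self, old_actual, new_actual):
        """Mobility-manager hook (what MIDCOM would drive on the real NAT): move every
        rule of old_actual to new_actual but keep the external port, so the CN keeps
        sending to the same 135.180.32.4:7088 and never learns that A changed."""
        for key, port in list(self.out.items()):
            if key[0] == old_actual:
                del self.out[key]
                self.out[(new_actual,) + key[1:]] = port
                self.inb[(port, key[2], key[3])] = (new_actual, key[1])
```

After update_lease the old actual IP no longer matches any rule, so a packet for 10.0.1.5 arriving late is dropped rather than delivered to whoever is next assigned that address.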
Intra-domain sessions
• Optimization: new signaling message between two MobileNAT clients to route the packets directly
[Figure: MN (V=10.128.0.2) moves from A=10.0.1.5 to A=10.0.2.7 while in a session with CN A=10.0.4.9 behind the same NAT]
Inter-domain mobility
• Mobility manager of visited NAT fetches the existing connection mapping from mobility manager of the home NAT
• If MN moves to public address space, Shim layer acts as visited NAT
• Dynamic home agent: use visited NAT as home NAT for new session
• Tunneling between visited and home NAT
[Figure: MN moves from behind the home NAT to behind the visited NAT; CN reached over the Internet]
Implementation: client (Win XP/2000)
• Shim-layer driver to capture DHCP packets and translate IP addresses
• MobileNAT client application acting as DHCP client and server
• Handles ARP for nodes in other sub-nets
[Figure: client stack Application / Socket / TCP/UDP / IP (Addr "V" 10.128.0.2 / 255.0.0.0) / Shim layer / Net IF (Addr "A" 10.0.1.5 / 255.255.255.0); the MobileNAT client (DHCP server and client), MobileIP client and network and interface selector form the unified mobility client (on-going work)]
Client architecture
[Figure: user level: graphical user interface and monitoring, VPN/IPSec control, MobileNAT client, network selection, MIP state machine, network detection, interface abstraction layer/API. OS kernel level: TCP/IP protocol stack, IS-835 shim, virtual MobileIP adaptor, multi-interface mobility client driver, VPN/IPSec client driver (VPN/IPSec integration, e.g. Lucent IPSec client), Ethernet, 802.11 and PPP interfaces, serial driver with AT command set for the Sierra 3G1xRTT CDMA2000 card. Legend distinguishes new code developed specifically for 3G-802.11 integration from interaction with existing Windows OS modules]
User interface
• Approximately 45,000 lines of code, 13,000 of which are Windows NDIS kernel networking code
Implementation: DHCP server and NAT (Linux)
• DHCP server to allocate virtual and actual IP
• Actual IP is based on subnet of DHCP relay agent
• MM is integrated into DHCP server
• NAT using netfilter, iptables, ip_conntrack and ip_nat modules
[Figure: DHCP server with a virtual IP range and an actual IP range; NAT connection tracking with destination NAT in PRE-ROUTING and source NAT in POST-ROUTING]
Similarities/differences with current proposals
• Translation mode vs. tunneling
  • Packet size vs. processing overhead
• Two addresses per MN; affordable since they are private addresses
• No external FA needed
• Signaling
  • Using DHCP (new options) and a per-domain Mobility Manager (MM)
• Routing path
  • No change in routers or CN; but change in MN, NAT and DHCP server
• Dynamic home agent (i.e., the NAT)
Comparison to existing schemes
Schemes considered in the following chart
• Mobile IP
  • Extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)
• Micro-mobility schemes
  • Cellular IP
  • Hawaii
  • Intra-Domain Mobility Protocol (IDMP)
  • Hierarchical Mobile IP (HMIP)
• IPv6
• Application level mobility mechanism
  • SIP
• Virtual NAT
  • Similar address translation in the client stack
  • Targeted for connection migration where both end-points implement vNAT
Comparison chart
[Chart not reproduced in this extraction. Legend: Y: yes; N: no; -: N/A; O: optional; IN: independent; UD: under development. (1) We assume Mobile IP with UDP tunneling for NAT]
Mobile NAT advantages
• Problems in existing approaches
  • Huge infrastructure change (CIP, IPv6, routers, even deploying FA)
  • Not much discussion on optimizing intra-domain sessions
  • Require tunneling overhead, inter, intra or both
  • Triangular routing
  • Modification in CN
• MobileNAT approach
  • Addresses rapid growth in end-devices, which most likely will have private addresses due to slow deployment of IPv6
    • Assume the presence of NA(P)T in a domain
    • Roaming and services across heterogeneous address spaces
    • Reduce problem space to only private address space
  • Choice between tunneling and address translation
    • Addresses bandwidth limitations of wireless links
  • Use existing protocols (DHCP, ICMP) for signaling
  • Discourage changing routing infrastructure
  • Can co-exist with MobileIP
On-going work
• Scalability:
  • Subdivide domains into smaller NAT-ed domains
  • Multiple NATs per domain
• Security
  • DHCP authentication and Access-point authentication/encryption
  • Works with IP-sec (AH mode and UDP tunnel) and SSL
• Paging:
  • Re-use of existing IP-multicast based paging
• Possible deployment issues
  • Changing every MN driver (similar to Mobile IP)
  • Mobility to 3G network
  • Location information distribution
  • Allow incremental deployment
• Other issues
  • Does not solve NAT problems where application layer message uses IP address (FTP, SIP, RTSP)
  • Fast hand-off for micro-mobility
  • Intra-domain sessions on inter-domain mobility
  • Combined MobileIP and MobileNAT client
Summary
• Main ideas
  • Virtual IP for host identification; actual IP for routing
  • Address translation in client as well as in NAT
  • Existing protocols like DHCP for signaling
  • Mobility manager to handle nodes in a domain
  • NAT acts as a dynamic home agent
  • Inter-NAT packet flow for inter-domain mobility
  • No change in routers and no need for FA
  • Change in MN, NAT and DHCP server
• Demonstrated a simple inter-subnet mobility
BACKUP SLIDES
Survey of existing mobility approaches for private/public addresses
Mobile IP for macro mobility
• Triangular routing
  • Route optimization
• Slow handoff
  • Hierarchical mobility
    • Tunneling (HMIP)
    • Mobile specific routing (CIP, Hawaii)
• Signaling overhead
  • Paging (CIP, Hawaii, HMIP)
• Firewall, etc.
  • Reverse tunneling
[Figure: CN, HA, FA and MN on the Internet; packets (1)-(4) labelled CN=>HA, HA=>FA carrying CN=>HA, CN=>HA, HA=>CN]
Mobile IP with NAT
• UDP port mapping created during register
• HA finds that FA is behind NAT
• HA uses IP in UDP tunnel
Packet flow:
  (1) register; establish port mapping
  (2) CN=>HA: outbound traffic
  (3) HA=>NAT (UDP) carrying CN=>HA (IP)
  (4) NAT=>FA (UDP) carrying CN=>HA (IP)
Micro mobility: Cellular IP
• CoA is of gateway (FA)
• No change in CoA within domain
• Gateway converts cellular IP to IP
• Network elements snoop on data packets from MN to GW; set the reverse route from GW to MN
• Paging to discover idle MN
• NAT can be at gateway
[Figure: CN, HA and gateway on the Internet; MN inside the intra-domain cellular IP (non-IP) cloud; Id = HA]
Micro mobility: Hawaii
• CoA is of root router (FA)
• Host specific route in IP
• Path setup tradeoff
  • Explicit signal from MN to update route
  • Packet loss, reorder, handoff latency
• Paging (IP multicast) to discover idle MN if no routing information
• NAT can be at root router
[Figure: CN=>HA on the Internet, HA=>CoA carrying CN=>HA into the domain IP cloud, HA=>CoA carrying CN=>HA to the MN; Id = CoA]
Micro mobility: Hierarchical mobile IP
• Two levels
• Works with non-mobile (but) IP traffic in domain
• Paging
• Two IP addresses (GFA and FA) per MN
• NAT can be at GFA
• High level network of FA (preferably tree) above IP; registration updates at optimal point in the tree
[Figure: CN=>HA, then HA=>GFA carrying CN=>HA, then GFA=>FA carrying CN=>HA down to the MN]
Micro mobility: IDMP/TeleMIP
• MA acts as gateway to internet
• Subnet agent (e.g., DHCP or FA) sends domain info
• MN registers GCoA=MA @ HA; LCoA=FA @ MA; two level addressing
• Similar to HMIP except multiple MA allowed for load balancing
• MA does NAT
[Figure: CN=>HA, then HA=>MA (GCoA) carrying CN=>HA, then MA=>FA (LCoA) carrying CN=>HA down to the MN]
MIP Location Registers
• Avoids encapsulation
• Modify CN
• New VLR deregisters old VLR
• If VLR runs out of address inform HLR; which informs CN to use tunnel from CN to VLR
• If MN moves before TTL, (1) inform VLR, HLR that informs CN (2) inform CN directly (3) old VLR relays to new
[Figure: CN, HLR, VLR and MN on the Internet; CN gets and caches the CoA of the MN for a given TTL]
SIP application level mobility
• Only for VoIP/multimedia calls
• No change in existing infrastructure
• NAT traversal (next slide)
[Figure: initial INVITE through the home SIP server to the CN; after the move, re-REGISTER with the home SIP server and re-INVITE to the CN]
Middle box communication (midcom)
• Application specific proxy server controls NAT/firewall port binding/hole
• Separate NAT/ALG functionality
• Proxy snoops or modifies signaling
• Signaling traffic allowed on fixed port; media on dynamic port
• Works with SIP
• No incentive to install signaling
[Figure: host behind NAT, proxy server controlling the NAT over midcom, signaling via the server and media directly to the CN]
Simple Traversal of UDP through NAT (STUN)
• Host sends a packet to stun server
• NAT converts internal IP to external IP
• Responds with source IP of packet (i.e., external)
• Host knows that its external IP is not same as internal
• It uses external IP/port when advertising in SDP
• Does not work for symmetric NAT
  • external IP for same host different for connection to different external host
[Figure: host behind NAT, STUN server and CN on the Internet; steps (1)-(6)]
Realm Specific IP (RSIP)
• Get an external address from NAT for this private host
• Tunnel packets between NAT and private host
• Works for various combinations of multiple RSIP gateway, NAT, NAT with RSIP, and RSIP hosts.
• Need RSIP aware host
[Figure: CN->NAT packet on the Internet, delivered to the private host as NAT->host carrying <CN->NAT>]
Mobility in IPv6
• Address auto-configuration
  • Always obtain a CoA in FN
  • Net part + local part
  • No FA needed
• Route optimization
  • IPv6 Destination option to CN and HA
  • CN caches CoA of MN and sends directly
• Hierarchical MIPv6
  • Global address = mobile server's network; allow change in MS
  • Local address known to mobile server
Packet flow:
  (1) First IPv6 packet CN=>HA
  (2) Tunneled HA=>CoA carrying CN=>HA
  (3) IPv6 destination option
  (4) Subsequent packets directly to the CoA
Mobile NAT: motivation
• Problems in existing approaches
  • Not much discussion on optimizing intra-domain sessions
  • Require tunneling overhead, inter, intra or both
  • Triangular routing or modification in CN
  • Huge infrastructure change (CIP, IPv6, even deploying FA)
  • . . .
• What does MobileNAT do?
  • Reduce problem space to only private address space
    • Assume the presence of NA(P)T in a domain
  • Choice between tunneling and address translation
  • Use existing protocols (DHCP, ICMP) for signaling mobility
  • Discourage changing routing infrastructure
  • Can co-exist with MobileIP, Hawaii and IPv6 (?)
  • Provide roaming and services across heterogeneous address spaces demarked by address translation devices
Mobile NAT: intra-domain
• No explicit HA or FA
  • HA is in NAT (MN is private)
  • FA is in MN (driver, kernel)
• Virtual vs routable address
  • Virtual: fixed private address "a" exposed to application on MN
  • Routable: dynamic private address "a" or "b" using DHCP
• Transport sessions between CN<=>A (external), CN<=>a (internal)
• Address translation
  • NAT (A<->a<->b), MN (b<->a)
• Tunneling
  • NAT<->MN
[Figure: CN<=>A on the Internet, NAT with A=a, CN<=>b inside the IP cloud; MN moves from a/a to a/b; Id = private]
Mobile NAT: inter-domain
• Inter-NAT tunnel or relay
• MN moves a/a => a/c
• NAT1 and NAT2 informed
• Translation
  • NAT1: A<->a<->B
  • NAT2: B<->a<->c
  • MN: c<->a
• Issues
  • Multiple "a" in NAT2
    • But unique map B<->a
  • Does IP security work (?)
• Like Mobile IP
  • FA=NAT2, HA=NAT1
  • At most two level of NATs
[Figure: CN<=>A on the Internet, NAT1 with A=a, NAT2 with B=a, CN<=>b inside the domains; MN moves from a/a behind NAT1 to a/c behind NAT2]
Mobile NAT: intra-domain sessions
• MN1 <-> MN2 active session
  • MN2 sends to NAT; destination "a"
  • NAT responds router redirect "b" (?)
  • MN2 now sends to MN1
• MN1 moves a/b => a/c
  • MN1 gets "c"
  • DHCP server (or MN1) informs NAT
  • MN2 gets ICMP host unreachable
  • Starts sending to NAT
  • NAT responds router redirect "c"
• MN1 moves out of domain
  • Path MN1 -> visited NAT -> home NAT -> MN2
[Figure: NAT with A=a; MN2 at d/e; MN1 moves from a/b to a/c during the active session (?)]
Note: ICMP Redirect message is expected from router in the same sub-net to which packet is being sent. It is vulnerable to attacks (confirm?). Cisco routers don't forward ICMP redirect from another network. We may use proprietary IP options if allowed.
TODO
• Can MobileNAT co-exist with MIP, Hawaii and non-mobile but IP clients?
  • If MIP MN discovers no FA, switches to MobileNAT
  • If MobileNAT MN discovers FA, enables both MIP and MobileNAT
  • If MobileNAT MN goes out of domain and gets a public address
  • If a public MN moves within the domain and gets private address
  • For intra-domain session between MN and fixed IP host, route optimization does not work
• Does route optimization work if both MN move at the same time?
• Does MobileNAT work with multicast?
• Write a simulation program for MobileNAT, MobileIP and Hawaii network
TODO
• Can part of it be implemented using existing protocols like Mobile IPv6 (destination option for route optimization), IDMP (for public/private addresses), RSIP?
• Intra-domain route optimization is similar to IPv6 destination option; can we use IPv6 within domain? Need to change all routers (?)
• Assuming IPv6 domain with NAT as IPv4<->IPv6 converter: what changes do we need in NAT/IOTA so that it works with Mobile IP? For IPv6 do we need private address domain? How do we minimize changes in IPv6 MN?
• IDMP supports multiple MA. Can we install multiple NAT/IOTA for load balancing?
• Does tunnel mode MobileNAT reduce to IDMP, when HA is outside of NAT and FA is in MN? (yes) Why can't MobileNAT be proposed as an extension to IDMP? IDMP does not describe intra-domain session optimization.
TODO
• Windows related issues
  • Check if TCP connections are dropped when ipconfig /release is done
  • Check what happens when CONNECTED status is indicated on already connected state
  • Check if TCP connections are dropped even if DISCONNECTED status is not propagated to higher layer
• Possible deployment hindrances
  • Changing every MN driver (similar to Mobile IP)
  • Should allow incremental deployment
  • Processing overhead on NAT/IOTA
• What happens to domain/sub-net specific options that are not indicated to the higher layer when domain/sub-net change? Need to write a controlling application also that does DhcpIpRenewAddress when driver finds a different options field.