Mobile IP Presented by: SecureNet Jayanthi Jayaraman Meenakshi Mittal Prachi Albal Sirisha Maturi Vineet Mittal
Talk Overview • Introduction to Mobile IP • Working of Mobile IP • Security Issues • Mobile IP in IPV6
Mobile IP: An Introduction • An IP-based standard defined by the IETF • Mechanism for accommodating host mobility within the Internet • Useful in cellular environments as well as wireless LANs that require roaming. • Works with GSM, CDMA, TDMA, GPRS, AMPS, NAMPS.
Why Mobile IP? • Mobility within the Internet • Communicate with other hosts after moving from home network without changing IP address • Mobility must not require changes to other host’s/router’s software
Mobile IP Functional Entities • Mobile Node: a host that moves from its home network to a foreign network. • Home Network: the network whose prefix matches the mobile node's home address. • Foreign Network: any other network. • Home Agent: a router in the home network that tunnels datagrams to the mobile node. • Foreign Agent: a router in the foreign network that serves the mobile node.
Mobile IP Functional Entities • Correspondent node: the peer node the mobile node communicates with. • Mobility binding: the association of a home address with a care-of address, along with the remaining lifetime of that association.
Mobile IP Functional Entities Care-of addresses Whenever a mobile node has moved to a foreign network, a care-of address is obtained in one of the following modes: • Foreign agent Care-of Address • Co-located Care-of Address
Mobile IP Architecture To retain its IP address, a mobile node can have two IP addresses: • Home address: permanent address used by higher-layer protocols (TCP, UDP). • Care-of address: associated with the foreign network; it differs for each foreign network. In IPv4, care-of address management is handled by the foreign agent.
Mobile IP Architecture Home agent maintains mobility binding table where each entry is identified by tuple <permanent home address, temp care-of address, association lifetime>
Mobile IP Architecture Foreign agent maintains visitor list where, each entry is identified by tuple: < permanent home address, home agent address, media address of the mobile node, association lifetime>.
Mobile IP Architecture • When a mobile node enters a foreign network, it obtains a care-of address through the foreign agent. • The foreign network registers the new care-of address with the home agent. • The home agent delivers a packet addressed to the mobile node to its care-of address by redirecting or tunneling it, placing the care-of address in the destination IP address.
Mobile IP Architecture • The foreign agent decapsulates the received packet, so that the mobile node's home address is again the destination IP address, and forwards the packet to the mobile node.
Mobile IP Architecture Minimal Encapsulation
Mobile IP Architecture Triangle routing: When acting as sender, mobile node simply sends packets directly to the other communicating node through the foreign agent
Mobile IP Operation • Agent Advertisement • Determine network • Registration • On home network • Moved to foreign network • Exchange of Data
Phase 1: Agent Discovery • Method by which a mobile node determines • whether it is currently connected to its home network or to a foreign network • and by which a mobile node can detect when it has moved from one network to another • Mobile IP extends ICMP Router Discovery as its primary mechanism for Agent Discovery. • An Agent Advertisement is formed by including a Mobility Agent Advertisement Extension in an ICMP Router Advertisement message.
Phase 1: Agent Discovery • ICMP Router Discovery Protocol (IRDP) advertisements. • Specify whether the agent is a home agent, a foreign agent, or both. • Care-of address • Types of services it provides (reverse tunneling, GRE) • Allowed registration lifetime
Phase 1: Agent Discovery - Move detection • Algorithm 1: The mobile node starts a timer based on the lifetime field when it receives an advertisement from a foreign agent. If it does not receive another advertisement before the lifetime has expired, it assumes it has lost contact. • Algorithm 2: The mobile node checks whether a newly received agent advertisement is on the same subnet as its current care-of address. If the network prefix is different, it assumes it has moved.
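The two move-detection algorithms above, as an added example that is not part of the original slides. It runs over constructed agent advertisements; the prefix length is assumed to come from the Prefix-Lengths extension of the advertisement.

```python
# Added example (not from the original slides): the two move-detection
# algorithms from the Agent Discovery slide, run over constructed
# agent advertisements. Prefix lengths are assumed to come from the
# Prefix-Lengths extension of the advertisement.
import ipaddress
from dataclasses import dataclass


@dataclass
class AgentAdvertisement:
    agent_addr: str   # address of the advertising (foreign) agent
    prefix_len: int   # network prefix length of that address
    lifetime: int     # seconds the advertisement remains valid
    recv_time: float  # local clock reading when it was received


class MobileNode:
    def __init__(self):
        self.current = None  # advertisement the node is currently relying on

    def on_advertisement(self, adv):
        """Algorithm 2: compare the new advertisement's prefix with the
        prefix of the current care-of address; a different prefix means
        the node has moved to another network."""
        if self.current is None:
            self.current = adv
            return "attached"
        old_net = ipaddress.ip_network(
            f"{self.current.agent_addr}/{self.current.prefix_len}", strict=False)
        new_net = ipaddress.ip_network(
            f"{adv.agent_addr}/{adv.prefix_len}", strict=False)
        self.current = adv  # in both cases the lifetime timer restarts
        return "refreshed" if new_net == old_net else "moved"

    def check_timer(self, now):
        """Algorithm 1: if the lifetime announced in the last advertisement
        has run out without a fresh one, assume contact with the agent is lost."""
        if self.current is None:
            return "unattached"
        if now > self.current.recv_time + self.current.lifetime:
            self.current = None
            return "lost_contact"
        return "ok"
```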
Phase 2 : Registration • Mechanism for mobile nodes to communicate their current reachability information to their home agent. • Used to • request forwarding services when visiting a foreign network • inform their home agent of their current care-of address • renew a registration which is due to expire • deregister when they return home
Phase 2 : Registration • Mobile node uses • IP address and mobility security association (including shared key) • Information from foreign agent advertisement
Phase 2 : Registration (cont’d) • Foreign agent checks validity of registration reply • adds the mobile node to its visitor list • establishes tunnel to home agent • Creates routing entry for forwarding packets to home address • Relays registration reply to mobile node
Phase 3: Tunneling • IP in IP encapsulation • Alternate methods • Minimal encapsulation • Generic Routing Encapsulation (GRE)
Security Issues in Mobile IP • Features exploited by attackers: • Wireless communication is inherently less secure; it gives an attacker easier means to intercept as well as disrupt operation. • The registration and data-forwarding mechanisms of Mobile IP
Types of attacks • Denial of service • Resource exhaustion • Packet capture • Prevention: Mobile IP supports MD5 (by default) to provide secret-key authentication and integrity checking • Replay attack • Prevention: Identification field in Registration Request and Registration Reply messages • Use of timestamps (mandatory) and nonces (optional) • Theft of information • Passive eavesdropping • Session stealing
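The two preventions listed above (keyed-MD5 authentication of registration messages and the timestamp-based Identification field), as an added example that is not part of the original slides: a home agent checking a Mobile IPv4 Registration Request. The message layout is simplified, and the replay window, SPI value and key store are assumptions.

```python
# Added example (not from the slides): a home agent validating a Mobile IPv4
# Registration Request as the slide describes: HMAC-MD5 over the request with
# the shared key (Mobile-Home Authentication Extension) for authentication and
# integrity, and the timestamp in the Identification field against replay.
# Message layout is simplified; the replay window, SPI and key store are assumptions.
import hashlib, hmac, struct

REPLAY_WINDOW = 7             # tolerated clock skew in seconds (assumed value)
AUTH_EXT_TYPE, SPI = 32, 256  # Mobile-Home Authentication Extension, example SPI


def ip4(a):
    return bytes(map(int, a.split(".")))


def build_request(home, home_agent, care_of, lifetime, ident, key):
    """Type=1 request: fixed part, authentication extension header, HMAC-MD5."""
    fixed = struct.pack("!BBH4s4s4sQ", 1, 0, lifetime,
                        ip4(home), ip4(home_agent), ip4(care_of), ident)
    auth_hdr = struct.pack("!BBI", AUTH_EXT_TYPE, 4 + 16, SPI)
    mac = hmac.new(key, fixed + auth_hdr, hashlib.md5).digest()
    return fixed + auth_hdr + mac


class HomeAgent:
    def __init__(self, keys):
        self.keys = keys        # home address -> shared key (assumed store)
        self.last_ident = {}    # home address -> last accepted Identification
        self.bindings = {}      # mobility binding table: home -> (care-of, lifetime)

    def process(self, pkt, now):
        fixed, auth_hdr, mac = pkt[:24], pkt[24:30], pkt[30:]
        _, _, lifetime, home, _, care_of, ident = struct.unpack("!BBH4s4s4sQ", fixed)
        home = ".".join(map(str, home))
        key = self.keys.get(home)
        if key is None:
            return "reject: unknown mobile node"
        # Authentication and integrity: recompute HMAC-MD5, compare in constant time
        expected = hmac.new(key, fixed + auth_hdr, hashlib.md5).digest()
        if not hmac.compare_digest(mac, expected):
            return "reject: bad authenticator"
        # Replay: the high 32 bits carry a timestamp that must be fresh, and the
        # whole Identification must increase over the last accepted request
        if abs((ident >> 32) - int(now)) > REPLAY_WINDOW:
            return "reject: stale identification"
        if ident <= self.last_ident.get(home, 0):
            return "reject: replayed request"
        self.last_ident[home] = ident
        self.bindings[home] = (".".join(map(str, care_of)), lifetime)
        return "accept"
```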
Mobility support for IPv6 • Mobile IPv6 does not require special foreign agents, unlike Mobile IPv4. • Support for route optimization. • Ensures symmetric reachability between a mobile node and its router at the current location. • Most packets sent to a mobile node while it is away from home in Mobile IPv6 are sent using an IPv6 routing header rather than IP encapsulation.
Mobility support for IPv6 • Mobile IPv6 is decoupled from any particular link layer, as it uses IPv6 Neighbor Discovery instead of ARP.
Mobility support for IPv6 Mobility IPv6 Protocol header structure:
Mobility support for IPv6 • Next Header - Identifies the protocol following this header. • Length - 8 bits unsigned. Size of the header in units of 8 bytes excluding the first 8 bytes. • Type - Mobility message types. • reserved - MUST be cleared to zero by the sender and MUST be ignored by the receiver. • Checksum - The 16 bit one's complement checksum of the Mobility Header. • Data - Variable length.
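Building and parsing the Mobility Header described above, as an added example that is not part of the original slides. It applies the Length rule (units of 8 bytes, excluding the first 8) and the checksum, which RFC 3775 computes over an IPv6 pseudo-header with Next Header 135; addresses and message data are constructed.

```python
# Added example (not from the slides): building and parsing the Mobility
# Header described above, including the Length rule (units of 8 bytes,
# excluding the first 8) and the checksum, which RFC 3775 computes over an
# IPv6 pseudo-header with Next Header 135. Addresses and data are constructed.
import ipaddress, struct

MOBILITY_HEADER = 135   # Next Header value that introduces a Mobility Header
NO_NEXT_HEADER = 59     # Payload Proto value a Mobility Header must carry

def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total

def mh_checksum(src, dst, mh):
    """16-bit one's complement checksum over pseudo-header + Mobility Header."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(mh), MOBILITY_HEADER))
    return (~ones_complement_sum(pseudo + mh)) & 0xffff

def build_mh(src, dst, mh_type, data):
    body = data + b"\0" * (-(6 + len(data)) % 8)   # pad total length to a multiple of 8
    hdr_len = (6 + len(body)) // 8 - 1              # Length excludes the first 8 bytes
    mh = struct.pack("!BBBBH", NO_NEXT_HEADER, hdr_len, mh_type, 0, 0) + body
    return mh[:4] + struct.pack("!H", mh_checksum(src, dst, mh)) + mh[6:]

def parse_mh(src, dst, buf):
    """Validate a received Mobility Header; returns a dict with 'error' on failure."""
    if len(buf) < 8:
        return {"error": "shorter than the minimum 8 bytes"}
    proto, hdr_len, mh_type, _reserved, csum = struct.unpack("!BBBBH", buf[:6])
    total = (hdr_len + 1) * 8
    if len(buf) < total:
        return {"error": "Length field exceeds the received data"}
    mh = buf[:total]
    if proto != NO_NEXT_HEADER:
        return {"error": "Payload Proto is not 59"}
    # Reserved MUST be ignored by the receiver, so it is deliberately not checked
    if mh_checksum(src, dst, mh[:4] + b"\0\0" + mh[6:]) != csum:
        return {"error": "checksum mismatch"}
    return {"type": mh_type, "data": mh[6:]}
```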
Return Routability Flow diagram
Mobile Node                    Home Agent                  Correspondent Node
    |  Home Test Init (HoTI)        |                               |
    |------------------------------>|------------------------------>|
    |  Care-of Test Init (CoTI)                                     |
    |-------------------------------------------------------------->|
    |  Home Test (HoT)              |                               |
    |<------------------------------|<------------------------------|
    |  Care-of Test (CoT)                                           |
    |<--------------------------------------------------------------|
Binding message flow
Mobile Node                                            Correspondent Node
    |  Binding Update (seq no., nonce indices, care-of address)  |
    |----------------------------------------------------------->|
    |  Binding Ack (seq no., status)                             |
    |<-----------------------------------------------------------|
Binding Update: Source Address = care-of address; Destination Address = correspondent. Parameters: home address, sequence number, home nonce index, care-of nonce index. Authenticator = First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | BU)))
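The Return Routability exchange and the Binding Update authenticator from the two flow diagrams above, as an added example that is not part of the original slides, following RFC 3775. Message framing is simplified, and Kcn, the nonce table and all addresses are constructed values.

```python
# Added example, not from the slides: the Return Routability exchange and the
# Binding Update authenticator shown in the two flow diagrams, following
# RFC 3775. Message framing is simplified; Kcn, the nonce table and all
# addresses are constructed values for the example.
import hashlib, hmac, ipaddress, os, struct

def first(bits, data):                 # First(n, x): leftmost n bits of x
    return data[:bits // 8]
def addr(a):                           # 16-byte wire form of an IPv6 address
    return ipaddress.IPv6Address(a).packed

def build_bu(seq, home_nonce_idx, coa_nonce_idx):
    """Binding Update fields covered by the authenticator (simplified layout)."""
    return struct.pack("!HHH", seq, home_nonce_idx, coa_nonce_idx)

def bu_authenticator(home_token, coa_token, care_of, cn_addr, bu):
    """Kbm = SHA1(home keygen token | care-of keygen token), then
    First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | BU)))."""
    kbm = hashlib.sha1(home_token + coa_token).digest()
    return first(96, hmac.new(kbm, addr(care_of) + addr(cn_addr) + bu, hashlib.sha1).digest())

class CorrespondentNode:
    """Keeps no per-mobile state before the BU: only Kcn and a nonce table."""
    def __init__(self, own_addr):
        self.addr, self.kcn = own_addr, os.urandom(20)
        self.nonces = {0: os.urandom(8)}   # nonce index -> nonce
        self.binding_cache = {}

    def keygen_token(self, address, nonce_idx, kind):
        # kind 0: home keygen token (HoT), kind 1: care-of keygen token (CoT)
        msg = addr(address) + self.nonces[nonce_idx] + bytes([kind])
        return first(64, hmac.new(self.kcn, msg, hashlib.sha1).digest())

    def home_test(self, home_addr):        # answer to HoTI, routed via the home agent
        return 0, self.keygen_token(home_addr, 0, 0)

    def care_of_test(self, care_of):       # answer to CoTI, sent directly to the MN
        return 0, self.keygen_token(care_of, 0, 1)

    def binding_update(self, home_addr, care_of, bu, home_idx, coa_idx, auth):
        """Rebuild both tokens from the nonce indices, derive Kbm, verify the
        96-bit authenticator; only then install the binding in the cache."""
        expected = bu_authenticator(
            self.keygen_token(home_addr, home_idx, 0),
            self.keygen_token(care_of, coa_idx, 1), care_of, self.addr, bu)
        if not hmac.compare_digest(auth, expected):
            return False
        self.binding_cache[home_addr] = care_of
        return True
```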
Route Optimization Route Optimization provides three main operations: • Updating binding caches • Managing smooth handoffs between foreign agents. • Acquiring registration keys for smooth handoffs.
Conclusion • Enables network mobility. • It is scalable. • It is transparent. • And it is secure.