90 likes | 226 Views
Mobile Networks Support in IPv6 - Draft Update draft-ernst-mobileip-v6-01.txt -. Thierry Ernst - MOTOROLA Labs Ludovic Bellier - INRIA (Planete project) Claude Castelluccia - INRIA (Planete project) Hong-Yon Lach - MOTOROLA Labs. Definition and Terminology.
E N D
Mobile Networks Support in IPv6- Draft Update draft-ernst-mobileip-v6-01.txt - Thierry Ernst - MOTOROLA Labs Ludovic Bellier - INRIA (Planete project) Claude Castelluccia - INRIA (Planete project) Hong-Yon Lach - MOTOROLA Labs
Definition and Terminology • Mobile Node = a node that changes its point of attachment • by means of Mobile IPv6 • Mobile Network = an entire network that changes its point of attachment • A IP subnet or a collection of IP subnets • Mobile Router (MR) + its attached Nodes and Routers. • SNs = all stationary nodes located in mobile network ( SNs are not Mobile Nodes !) • Future needs require to consider (potentially large) mobile networks • CNs = all nodes communicating with SNs • Aim of this work is to: • Provide continuous Internet connectivity to SNs • Offer optimal routing between CNs and SNs • Mobile IPv6 specification: • Mobile IPv6 nodes may either be Mobile Hosts or Mobile Routers. • But no explicit mention of mobile networks.
Experimentation: Test Bed • Francis Dupont INRIA IPv6 Implementation under FreeBSD 3.3 • MR has two interfaces • One on the home / foreign link in the home / foreign network • One on the internal link in the mobile network • Mobile Network attaches to foreign link : • MR obtains a care-of address on the foreign link • MR registers care-of address with HA. • HA opens an IPv6-in-IPv6 tunnel to MR’s careof address • HA adds a host-specific route for MR’s home address to MR’s careof address
Experimentation: Ping between CN and MR I ’m MR MR ? • Packet is routed to BR • BR sends NDP messages to discover MR’s MAC address • BR HA replies with HA’s address on behalf of MR • HA intercepts packets addressed to MR • HA routes the packet to the IPv6-in-IPv6 tunnel • HA tunnels the packet to MR’s care-of address => Redirection works fine whether Mobile Node is a Host or a Router No problem, MR receives the packet
Experimentation: Ping between CN and SN I ’m MR Routing Loop MR ? • Packet is routed to BR • In BR’s routing table, MR' home address is the next hop towards SN • BR sends NDP messages to discover MR’s MAC address • HA replies with HA’s address on behalf of MR • HA intercepts but does not have an entry for SN’s address • HA sends the packet to its default route, i.e. the BR • The packet enters in a routing loop => Redirection to SNs impossible Problem, SN never receives the packet
Our Solution: Network Scope Binding Updates • Assumption: all nodes in the mobile network share a common IP prefix = Mobile Network Prefix • if only one subnet -> internal link ’s prefix • If several subnets -> a common prefix identifying (sub-SLA) all subnets in the mobile network • Our solution: all packets with a destination address corresponding to the Mobile Network Prefix are routed to the MR ’s careof address. • Means: • A Binding between the Mobile Network Prefix and the MR’s careof address. • a new Sub-Option to carry the Mobile Network Prefix + a ‘P’ flag • Prefix and flag are recorded in the binding cache • Binding Cache is searched for a Prefix for those records showing the ‘P’ flag. • BUs containing the Mobile Network Prefix are sent: • To the HA to allow redirection • To all CNs to allow optimal routing • BUs are sent by the MR, not by individual SNs: • mobility of network is transparent to SNs • mobility management is aggregated (a given CN only gets 1 BU whatever # SNs)
Our Solution: Security Issues • Existing Mobile IPv6 for Mobile Nodes: • Authentication of BU’s sender: • MN authenticated thanks to IPSec • Authorization of MN = allowing MN to send BUs • no explicit authorization • If sender is authenticated, the Mobile IPv6 policy is to accept, record, and use whatever received careof address • Mobile IPv6 extensions to support Mobile Networks: • Authentication of BU’s sender: • MR is authenticated thanks to IPSec - (same as for a single MN) • Authorization of MR = allowing the MR to manage mobility of an entire network • If the Mobile IPv6 policy says that a careof-address can be registered for a prefix, then MR has the right to register a binding between the Mobile Network Prefix and its address. • Authorization may be provided by a certificate: • exchanged during SA negociation • to guarantee that MR actually serves the mobile network with the specified Prefix. • Our solution is a matter of Authorization, not a matter of Authentication
Mobile IP Working Group Item ? • Does the Mobile IP WG agree that: • HA is unable to redirect packets sent to nodes in the mobile network ? (if the final destination is not the Mobile Router itself) • CN is unable to directly route packets to nodes in the mobile network) (if the final destination is not the Mobile Router itself) => no redirection + no optimal routing = SNs are unreachable • This should be addressed by the Mobile IP WG => Add « Support of Mobile Networks » as a work item of the Mobile IP WG and include it in the charter.
For More Information draft-ernst-mobileip-v6-network-01.txt Thierry Ernst thierry.ernst@inrialpes.fr http:// www.inrialpes.fr/planete This is a joint work between and