Overview of Mobility Protocols
Md. Shohrab Hossain, July 12, 2013

Why Mobility Protocols
• Satellites with IP-enabled devices capture videos and images and send them to control centers on earth
• Need to maintain continuous connectivity with the remote computer
• Mobility protocols are required to ensure session continuity

IETF Solution to IP Mobility: Mobile IP
• Employs a mechanism similar to postal-service mail forwarding
• Problems:
  • Inefficient routing
  • High handover latency
  • Packet loss
[Figure: Mobile IP operation. The Correspondent Node (CN) sends packets to the MH's Home Address; the Home Agent in the Home Network forwards them across the Internet as Encapsulated Packets to the Foreign Agent in the Visiting Network, where they are decapsulated. The MH acquires a CoA in the visiting network and sends a Location Update to the Home Agent.]

Network Mobility (NEMO)
• A collection of nodes moving as a unit (examples: airplanes, trains, ships)
• Mobility can be managed in an aggregated way in NEMO
• The Mobile Router acts as default gateway and manages mobility on behalf of the mobile network nodes
[Figure: NEMO topology anchored at the HA]

NEMO Architecture
• Inside NEMO:
  • MR: Mobile Router
  • LFN: Local Fixed Node
  • LMN: Local Mobile Node
  • VMN: Visiting Mobile Node
• Problems:
  • Routing through the HA
  • Heavy load on the HA
  • Drop in throughput during handover
[Figure: NEMO architecture, with the data path running through the HA]

SIGMA
• Transport-layer solution proposed by the researchers at the TNRL lab
• Exploits IP diversity (having multiple IP addresses) of a mobile host
• Benefits:
  • Establishes a new connection before disconnecting the old one
  • Decouples location management from data transmission
  • Less handover delay and packet loss; optimal routing between MH and CN
[Figure: SIGMA architecture showing the CN and the Location Manager]

SINEMO
• SIGMA-based seamless mobility solution for mobile networks
• Exploits IP diversity of the MR
• The MR maintains a translation table for all the mobile network nodes
• MNNs' private IPs do not change
[Figure: SINEMO, with the MR as default gateway of the mobile network]

Hierarchical Mobility Protocols: HMIPv6
• For high mobility of nodes, frequent location updates to the HA cause:
  • Bandwidth wastage
  • Overhead for the HA
• Hierarchical Mobile IPv6 attempts to reduce signaling by introducing a new mobility agent, the MAP (Mobility Anchor Point), which acts as a local HA
[Figure: HMIPv6 with MAPs acting as local HAs]

Hierarchical Mobility Protocols: HiSIGMA
[Figure: HiSIGMA, showing the micro-mobility and macro-mobility levels]
Terminal-based Mobility Protocol: Mobile IP
• Employs a mechanism similar to postal-service mail forwarding
• Problems:
  • MH must send updates to the HA
  • CoA changes in every handoff
  • High handover latency
  • Packet loss
[Figure: Mobile IP operation as on the earlier slide: CN, Home Agent in the Home Network, Foreign Agent in the Visiting Network, Packets from CN to MH, Encapsulated and Decapsulated Packets, Location Update, Home Address, MH acquires CoA]

Problems of Terminal-based Mobility Protocols
• Problems:
  • Requires low-end mobile devices to perform all kinds of mobility signaling to maintain connectivity
  • New CoA after each handoff, so the cache entry needs to be changed
  • Wireless bandwidth wastage due to mobility signaling
  • High handover latency
  • Sub-optimal routing and tunneling
• Solution: Network-based Mobility Management
  • The network takes care of all the mobility signaling
  • Network entities are responsible for tracking the mobile device
  • Network entities send the required signaling messages on behalf of the mobile devices

Proxy Mobile IP: Network-based Mobility Management
• Local Mobility Anchor
  • Local HA for the MH in a PMIPv6 domain
  • All traffic destined to the MH is routed through the LMA
• Mobility Anchor Gateway
  • Access router that tracks the MH's movement on its access link
  • Informs the LMA through a Proxy BU
[Figure: PMIPv6 domain with the LMA (local Home Agent) and the access router that detects node mobility]

PMIPv6 Operation
[Figure: PMIPv6 signaling inside the PMIPv6 domain: Router Solicitation, AAA procedure, Proxy BU, Binding Cache entry for the MH, Proxy BA]

Proxy Mobile IP Signaling
• AAA: Authentication, Authorization and Accounting
• BCE: Binding Cache Entry
• PBU: Proxy Binding Update
• PBA: Proxy Binding Ack

Benefits of Network-based Mobility Management
• Battery power saving
• No modification in end devices
• Unique IP address in the whole LMA domain
• Movement detection by the network
• Reduced signaling in the wireless access network
• Low handover latency
• Efficient tunneling
• Less signaling in each handoff
  • No Duplicate Address Detection (DAD) in each handoff
  • No return routability

Route Optimization in Mobile IPv6
• After moving to a new location, the MH informs the CN about its location through a binding update
• Improved performance
[Figure: route optimization. The MH sends a Location Update to the Home Agent and a Binding Update to the Correspondent Node; traffic then follows the optimized route between the Visiting Network and the CN without any encapsulation.]

Major Security Threats
• Man-in-the-middle attack
• Traffic redirection attack
• Bombing attack
• Replay attack
• Home Agent poisoning
• Blocking legitimate BU
• Resource exhaustion
• Forcing sub-optimal route
• Exploitation of routing headers
Traffic Redirection Attack
[Figure: during ongoing communication between the MH and the Correspondent Node, the attacker sends a spoofed binding update (MH's ID, Node B's IP) to the CN; the CN accepts it and returns a Binding Ack, and the MH's traffic is redirected to Node B.]

Man-in-the-middle (MITM) Attack
[Figure: during ongoing communication, the attacker sends a spoofed binding update (MH's ID, Attacker's IP) to the CN; the CN accepts it and returns a Binding Ack. Traffic is redirected to the attacker, who learns and modifies the packets; the MH receives the modified packets.]

Bombing Attack
[Figure: a connection is set up with a streaming server, then a spoofed binding update involving the MH's address is sent; unwanted streaming data is delivered to the MH.]

Replay Attack
[Figure: the MH sends a BU to the CN from Subnet A and the attacker records it for a future attack. After the MH moves to Subnet B and sends a new BU from there, the attacker replays the recorded BU to the CN, which then sends packets to the MH's previous location.]

Reflection Attack
[Figure: a false initial message is sent to the Correspondent Node; as a result the MH receives every packet sent by the attacker twice.]

Home Agent Poisoning
[Figure: a spoofed BU to the Home Agent is answered with a Binding Ack, corrupting the MH's location information; a later query for the MH is answered with the wrong IP.]

Resource Depletion
[Figure (Home Agent, Subnet A, Subnet B): the attacker establishes many connections with fake IPs; the MH sends BUs to all those fake hosts, wasting memory and transmission power.]

Exploitation of Routing Header
• Attack traffic is sent to node B with a Routing Header (RH)
• Node B overwrites the destination field with the address in the RH
• The traffic is then sent to the victim node
• Difficult to find the source of the attack

Exploitation of HoA Option
• Attack traffic is sent to V
• Node V replaces the source IP with the HoA field (B)
• It appears to be an attack from Node B
Defense Mechanisms
• Goals:
  • Simple enough to be implemented in mobile devices
  • Requiring low processing power
  • Low-latency solutions
  • Infrastructure-less approach: no such global infrastructure exists
• Existing defense mechanisms for Mobile IPv6:
  • IP Security protocol
  • Internet Key Exchange (IKE)-based schemes
  • Return Routability protocol
  • Protection for routing headers
  • Other general measures

IP Security Protocols
• A suite of protocols to provide security in IP networks:
  • Authentication Header (AH) protocol
  • Encapsulating Security Payload (ESP) protocol
• In IPsec, a preconfigured Security Association (SA) is established between the MH and the HA / CN to choose security parameters and algorithms
• Advantages:
  • Very strong authentication
  • Difficult to break
• Limitations:
  • High CPU requirement
  • Does not protect against a misbehaving MH

IPsec: Authentication Header (AH) protocol
• AH guarantees data-origin authentication of IP packets
• With AH, an attacker cannot deceive the HA or CN with a spoofed BU
• As a result, traffic redirection attacks can be avoided
• Limitations:
  • Cannot ensure data confidentiality

IPsec: AH Operation
[Figure: a Security Association between the MH and the Home Agent / Correspondent Node; the BU is secured with AH.]

IPsec: Encapsulating Security Payload (ESP) protocol
• ESP can ensure data confidentiality in addition to authentication
• ESP ensures privacy of data by encryption
• An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form

IPsec: Securing Data using ESP
[Figure: a Security Association between the MH and the Home Agent / Correspondent Node; the BU is secured with ESP and the data is secured against inconsistency.]

IKE-based Schemes
• Commonly used for mutual authentication and for establishing and maintaining security associations for the IPsec protocol suite
• Ensures confidentiality, data integrity, access control, and data-source authentication
• IKE helps to dynamically exchange the secret key that is used as input to the cryptographic algorithms
• Limitations:
  • Requires the existence of a certification authority
  • Very complex and power-consuming operations

Return Routability Protocol
• Proposed to secure binding updates between the CN and the MH
• A node sending a binding update must prove its right to redirect the traffic
• RR messages are exchanged among the MH, CN and HA before binding updates are sent

Message Exchange in RR protocol
• The MH initiates RR by sending HoTI and CoTI messages to the CN
• The CN then sends the corresponding challenge packets (HoT and CoT) destined to the MH
• If successful, the CN accepts the BU from the MH
• Advantages:
  • Infrastructure-less
  • Low CPU required
• Limitations:
  • Weak authentication
  • Does not protect against attackers on the path between the HA and the CN
[Figure: RR message exchange: HoTI and HoT travel between the MH and the CN via the HA; CoTI and CoT travel directly between the MH and the CN.]
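The RR exchange and the CN's check of the resulting binding update, as an added example in Python (not code from the presentation). The keygen-token, Kbm and BU-MAC derivation follow RFC 6275; the addresses, cookies and the direct method calls standing in for the network are constructed for the demo. The CN also rejects a BU whose sequence number is not newer than the cached one, which is the check that defeats the replayed BU from the Replay Attack slide, and it rejects a BU from a node that only ever saw the care-of token, which is why an off-path attacker cannot redirect the MH's traffic.

```python
"""Return Routability (RR) exchange and the CN's binding-update check.
Added example, not from the presentation: derivations follow RFC 6275,
addresses/cookies are constructed, method calls stand in for the network."""
import hashlib
import hmac
import ipaddress
import os


def packed(addr):
    """16-byte wire form of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed


def kbm_from_tokens(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_mac(kbm, coa, cn_addr, seq):
    """First(96, HMAC_SHA1(Kbm, CoA | CN address | BU fields)); the only BU
    field covered here is the 16-bit sequence number."""
    msg = coa + cn_addr + seq.to_bytes(2, "big")
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """CN side: answers HoTI/CoTI with keygen tokens and verifies BUs."""

    def __init__(self, addr):
        self.addr = packed(addr)
        self.kcn = os.urandom(20)        # node key Kcn, never disclosed
        self.nonces = [os.urandom(8)]    # nonces by index; new ones appended over time
        self.binding_cache = {}          # HoA -> (CoA, last accepted sequence number)

    def _token(self, addr, nonce_index, tag):
        # First(64, HMAC_SHA1(Kcn, addr | nonce | tag)); tag 0 = home, 1 = care-of
        msg = addr + self.nonces[nonce_index] + bytes([tag])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]

    def home_test(self, hoti):
        """HoT, sent to the home address (reaches the MH through the HA)."""
        idx = len(self.nonces) - 1
        return {"cookie": hoti["cookie"], "nonce_index": idx,
                "token": self._token(hoti["hoa"], idx, 0)}

    def careof_test(self, coti):
        """CoT, sent directly to the claimed care-of address."""
        idx = len(self.nonces) - 1
        return {"cookie": coti["cookie"], "nonce_index": idx,
                "token": self._token(coti["coa"], idx, 1)}

    def binding_update(self, bu):
        """Accept only if the MAC proves knowledge of both tokens and the
        sequence number is newer than the cached one (rejects replays)."""
        try:
            kbm = kbm_from_tokens(self._token(bu["hoa"], bu["home_nonce_index"], 0),
                                  self._token(bu["coa"], bu["careof_nonce_index"], 1))
        except IndexError:
            return False                 # unknown nonce index: stale tokens
        if not hmac.compare_digest(bu_mac(kbm, bu["coa"], self.addr, bu["seq"]), bu["mac"]):
            return False
        cached = self.binding_cache.get(bu["hoa"])
        if cached is not None and bu["seq"] <= cached[1]:
            return False                 # replayed or out-of-order BU
        self.binding_cache[bu["hoa"]] = (bu["coa"], bu["seq"])
        return True


class MobileHost:
    """MH side: runs the RR exchange, then sends an authenticated BU."""

    def __init__(self, hoa, coa):
        self.hoa, self.coa, self.seq = packed(hoa), packed(coa), 0

    def binding_update_after_rr(self, cn):
        hoti = {"cookie": os.urandom(8), "hoa": self.hoa}
        coti = {"cookie": os.urandom(8), "coa": self.coa}
        hot, cot = cn.home_test(hoti), cn.careof_test(coti)
        assert hot["cookie"] == hoti["cookie"] and cot["cookie"] == coti["cookie"]
        kbm = kbm_from_tokens(hot["token"], cot["token"])
        self.seq += 1
        return {"hoa": self.hoa, "coa": self.coa, "seq": self.seq,
                "home_nonce_index": hot["nonce_index"],
                "careof_nonce_index": cot["nonce_index"],
                "mac": bu_mac(kbm, self.coa, cn.addr, self.seq)}


def run_scenarios():
    """Legitimate BU, the same BU replayed, and a BU built by an off-path node
    that only saw the care-of token. Returns the CN's decision for each."""
    cn = CorrespondentNode("2001:db8:c::1")                 # constructed addresses
    mh = MobileHost("2001:db8:a::10", "2001:db8:b::20")
    bu = mh.binding_update_after_rr(cn)
    legit = cn.binding_update(bu)
    replayed = cn.binding_update(bu)
    other_coa = packed("2001:db8:bad::66")
    cot = cn.careof_test({"cookie": os.urandom(8), "coa": other_coa})
    kbm_guess = kbm_from_tokens(os.urandom(8), cot["token"])   # home token unknown
    forged = {"hoa": mh.hoa, "coa": other_coa, "seq": 99,
              "home_nonce_index": 0, "careof_nonce_index": cot["nonce_index"],
              "mac": bu_mac(kbm_guess, other_coa, cn.addr, 99)}
    return {"legit": legit, "replayed": replayed, "spoofed": cn.binding_update(forged),
            "cached_coa_is_mh": cn.binding_cache[mh.hoa][0] == mh.coa}
```

Calling `run_scenarios()` returns `{"legit": True, "replayed": False, "spoofed": False, "cached_coa_is_mh": True}`. The CN keeps no per-MH state before the BU arrives: the tokens are recomputed from Kcn and the nonce index carried in the BU, which is what keeps the CN stateless against resource exhaustion, and it is also why the protection is only as strong as the two paths, since a node on the HA-CN path sees the home token and is not stopped by this check, as the slide's limitation states.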
Protection against Routing Header (RH) issues
• To prevent misuse of routing headers, the following restrictions are applied while processing an RH:
  • Only one RH per packet
  • All IPv6 nodes must verify that the address contained in the RH is the node's own HoA
  • The IP address must be a unicast routable address, since it is the MH's HoA
• A node must drop the packet if any of these is NOT met
Other Possible Approaches
• Keeping nodes stateless: to avoid resource exhaustion
• Keeping a short lifetime for binding entries: to avoid replay attacks
• Use of Cryptographically Generated Addresses: to avoid redirection / MITM attacks