owned this note
owned this note
Published
Linked with GitHub
# MIT6: IP and Mobility
- **Extend of mobility**
- **Intra-cell mobility:**
- PHY layer
- **Inter-cell but Intra-network mobility: (micro mobility)**
- local routing / switching
- No change of IP
- **Inter-network mobility: (macro mobility)**
- change of IP
- handled by special mobility signaling protocols
## Mobile IP (MIP)
- TCP/IP: developed for non-mobile, single-homed host
- IP: location, identity
- *no secure*
$\Rightarrow$ Mobility: mobile IP
$\Rightarrow$ Security: IPSec
- **Mobility**
- IP: determines physical subnet
- routing tables not scalable
- IP changes $\Rightarrow$ breaks transport layer connections
- **Requirement**
- *Transparency:* mobile device keeps IP
- *compatibility:* No change in existing routing / devices
- *Security:* authenticated
- *Efficiency and scalability*
> *Concepts:* $\text{basic ID + location ID}$
- **components**
- **Mobile Node(MN)**
- **Home Agent (HA)**
- home network router
- manages MN
- tunnels IP packets to this locatoin (COA)
- **Foreign Agent (FA)**
- foreign network router
- forwarding tunneled IP packet to MN
- provides COA
- **Care-of Address (COA)**
- valid address of MN
- managed by FA
- assigned by MN (co-located COA) (via DHCP)
- **Correspondent Node (CN)**
- **CN$\rightarrow$ MN**
- CN$\rightarrow$ HA $\xrightarrow[to\ COA]{\text{encapsulation}}$ FA $\rightarrow$ MN
- **MN$\rightarrow$ CN**
- MN $\rightarrow$ FA $\rightarrow$ CN
- **Network Integration**
- *Agent Advertisement:* HA, FA periodically announce their existence
- *Registration:* MN $\xrightarrow[\text{via FA}]{\text{COA}}$ HA
(protected by anthentication)
- *Local Advertisement:* HA $\xrightarrow[\text{as its own addr.}]{\text{IP addr. of MN}}$ access router
- packet to MN: sent to HA
- independent of changes in COA
- HA $\xrightarrow[]{\text{packet}}$ COA
$\Rightarrow$ simpler interaction
- **Encapsulation:**
- $(\text{2}^{\text{nd}} \text{ payload}(\text{1}^{\text{st}} \text{ packet}))$
- **IP-in-IP-encapsulation**
- tunnel between HA and COA
- **minimal encapsulation**
- avoid repetition of identical fields
- only for unfragmented packets
- **most flexible encapsulation**
- **Optimization of Data Path**
- **Problem: Triangular Routing**
- CN $\xrightarrow[]{\text{all packets}}$ HA $\rightarrow$ MN
- especially: MN $\leftrightarrow$ MN
- **Solution: Change of FA**
- CN learns (from HA) current location of MN (*route optimization*)
- (MN registers to new FA new COA)
New FA informs old FA about new COA
- old FA: forwards packets, can delete the MN's registration information
- **Further problem**
1. **firewall**
- often enforce topologically correct addresses
2. **multicast**
- MN cannot answer
3. **TTL**
- TTL varies from different locations
4. **security**
- CN can learn address of FA
- CN can track MN
- **Solution: Reverse Tunneling**
MN$\rightarrow$ FA $\require{extpfeil}\Newextarrow{\xRightarrow}{5,5}{0x21D2}\xRightarrow[]{\text{encapsulation}}$ HA $\rightarrow$ CN
- Solves Problems 1.2.3.
- new problems:
- double triangular routing
- Security: FA intrudes home network
- **Mobile IP and IPv6**
- IPv6 can **simplify mobility** support
- Security
- *Automatic path optimization:*
- IPv6 extension headers
- *"Soft" handover*
- without packet loss
- **IPv6 extension header**
- Routing
- Destination
- **Route optimization is mandatory in MIPv6**
- CN, MN: *binding update*
> **MIP is designed to deal with user mobility**
> but security, performance
## Host Identity Protocol (HIP)
- **MIP v.s. HIP**
- **MIP:**
- support for un-modified CN
- insfrastructure support (FA,HA)
- *indirect mobility management*
- *Triangular routing*
- **HIP:**
- *end-to-en* association
- HIP-aware end-host
- *direct mobility management*
- *Authentication, end-to-end security*
- no infrastructure support needed
- **HIP:**
- **Signaling and key exchange protocol**
$\text{control channel + payload channel}$
- **namespace:** cryptographic $\Rightarrow$ mobility, multi-homing
- **Identifier / locator split**
- *Problem:* tight coupling between network / transport layers
$\Rightarrow$ **seperation of location (IPv4, IPv6) and identity (HIP)**
- applications see stable identity
- routing: locator
- $$\text{IP}\xleftarrow[control]{\text{IP}}\text{HIP}\xrightarrow[payload]{\text{HI}}\text{TCP/UDP}$$
- IP can change
- HI (Host Identity) is static
- Network changes hidden from TCP layer
- **Cryptographic namespace**
- *Host authentication*
- Self-generate *private / public key pair*
- HI: public key
- **Globally unique / locally unique Identifiers**
- **Host Identity Tag (HIT)**
- $\text{HIT = hash (HI)}$
- IPv6
- **Local Scope Identity (LSI)**
- $\text{LSI = Last digits (HIT)}$
- IPv4
- Restricted to local scope
### IPSec: Internet Protocol Security
- **Encryption**
- Encapsulated Security Payload (ESP)
- Authentication Header (AH)
- **mode**
- Transport mode
- Tunnel mode
- **replay protection:** sequence number
- No key exchange protocol
- **IPSec transport mode with ESP**
- end-to-end
- create secure tunnel between two hosts
- **ESP header:**
- **Security Parameter Index (SPI):** required for multiplexing
- suquence number
- **IPSec tunnel mode with ESP**
- gateways
- possible to combine with HIP
- Inner header: communiting end-hosts
Outer header: tunnel end-points
- **IPSec Bound End-to-end Tunnel (BEET) mode with ESP**
- IPSec mode + HIP
- Syntactics (表面上): transport mode
Semantics (意義上): tunnel mode
- **address translation defined by HIP**
- Inner IP: HIP host ID
- Outer IP: routable IP address
- *Mobility $\leftrightarrow$ Security*
- authentication
- re-authentication
- DoS
$\rightarrow$ careful protocol design
- **Information in HIP message**
- Host Identity
- Sig
- Diffie-Hellman
- HMAC
- IPSec info
- **Puzzle:** cryptographic puzzle parameter
### Update
1. Ubtain new IP address
2. Transmit new address to peers
3. Peer varifies routability
4. Peers adjust IPSec tunnel
5. Payload uses adjusted tunnel
> IPSec rekeying, mobility, multi-homing
- **Locator:** generalization of a network address
- **Credit-based authentication**
- Mobility $\rightarrow$ redirection-based flooding attacks
$\Rightarrow$ Credit-based authentication (CBA)
- Idea: limit data rate
- credit = number of bytes received from IP address of the peer
- only send packet if credit suffices
- credit aging decreases
### Multi-homing
- extension of mobility
- host connected through **two or more interfaces**
- multi-homing $\xrightarrow[]{corresponds}$ mobility signaling
- inform peers locator parameter
- peer runs reachability check
- Multi-homed host can also send locator during BEX
- **Infrastructure:**
- Original: Direct
- **middleboxes:** indirect
- NAT: compensation for lack of IPv4 addresses
- Firewall: security
- QoS and Proxy: performance
- **Legacy Middleboxes and HIP**
- Strong (theoretical) advantage of HIP architecture
$\Rightarrow$ But middleboxes can **affect HIP packet delivery**
- support only limited set of protocols
$\Rightarrow$ need to create support for *lagacy middlebox traversal*
- **HIP strategy for lagacy middlebox traversal**
- **UDP encapsulation for HIP and payload**
- UDP understood by majority of middleboxes
$\Rightarrow$ but header overhead, more complex solutions needed
### PISA
- **WiFi drawback**
- Threats to mobile node:
- AP MITM attacks, eavesdropping
- Threats to AP:
- illegal mobile node
- Access AP's LAN
- No roaming between APs
- WiFi: trust relations
- Transitive trust relation
- Mobile guest
- Community Operator
- Host AP
> Home AP not included
- **PISA: Peer-to-peer-based Wi-Fi Internet Sharing Architecture**
- *Securely relocate internet access $\rightarrow$ MN's home*
$$\text{AP provider}\require{extpfeil}\Newextarrow{\xLeftrightarrow} {5,5}{0x21D4}\xLeftrightarrow[]{\text{encrypted tunnel}}\text{mobile guest}$$
- security, privacy
- transparent moibility support
- Solve legal liability (法律責任) problem
- Scalable, decentralized solution
- **Global mobility and security by**
- HIP
- Indirection via "Trusted host"
- Encrypted tunnel
- **PISA: trust relations**
- $\text{community}\require{mhchem}\ce{<=>[\text{trust}][\text{attest membership (certificate)}]}\xRightleftharpoons[\text{trust}]{\text{attest membership (certificate)}}\text{Host AP}$
- $\text{Host AP}\require{extpfeil}\Newextarrow{\xLeftrightarrow} {5,5}{0x21D4}\xLeftrightarrow[\text{trust}]{\text{transitive}}\text{Home AP}$
- $\text{Home AP}\require{extpfeil}\Newextarrow{\xLeftrightarrow} {5,5}{0x21D4}\xLeftrightarrow[\text{trust}]{\text{strong}}\text{Mobile guest}$
- $\text{Host AP}\dashrightarrow\text{Mobile guest}$
No trust necessary between Host AP and Mobile guest $\Rightarrow$ data encryption
- **Authentication of Trust Point**
- $\text{Initiator}\require{extpfeil}\Newextarrow{\xLeftrightarrow} {5,5}{0x21D4}\xLeftrightarrow[\text{Authentication}]{\text{Mutual}}\text{Responder}$
- PISA extends HIP handshake
- no seperate handshake protocol
- fewer packet, low latency, less complexity
- **Mobility with PISA**
- PISA extends HIP mobility
- Authentication towards TP
- Host AP can *inject nonce and puzzle* to enforce Home AP to proof its identification
- **Roaming $\Rightarrow$ Delay**
- AP discovery
- DHCP
- authentication
- mobility signaling
- **Parallel scanning $\Rightarrow$ detecting APs on adjacent channels**
- **Neighbour detection and coordination**
- Handover optimization
- Load balancing
- Channel assignments
- **Pre-authentication / Pre-configuration**
- Neighbour APs
- Enable TP and AP to assist handovers
- **MOBIKE**
- Mobility and Multihoming extension for IKEv2
- VPN: remotely connect to home network, protected by IPSec in tunnel mode
- **Problem:** change of access network $\Rightarrow$ change of IPSec SAs
- **Solution:** MOBIKE