RFC 3775 IPv6 Mobility Support Geller Bedoya Joe Contreras Stephen Ward Michael Yue
Why is Mobile IPv6 Needed? Mobile devices with Internet connectivity increasingly common Mobile phones are becoming Internet capable Global Internet Mobility All in
Mobile IPv6 IPv6 Mobility is based on core features of IPv6 The base IPv6 was designed to support Mobility Minimal changes from IPv6 to Mobile IPv6: A new Type 2 Routing header A set of mobility options to include in mobility messages New Internet Control Message Protocol for IPv6 (ICMPv6) messages Changes to router discovery messages and options and additional Neighbor Discovery options A new Home Address option for the Destination Options header Main bullets
Terminology Mobile node (MN) is a mobile device with an IPv6 home address Correspondent node (CN) is a computer with which mobile node communicates using its home address Home Agent (HA) helps MN to manage its mobility Mobile node can always be reached at its home address Bullet by bullet
Correspondent and Mobile node Communications There are two ways to handle packet forwarding between CNs and MNs: Bidirectional mode (Triangular Routing) Route optimization mode
Uses type 2 routing header Requires MIPv6 functionality on the CN Initial packets are routed from the CN to the MN via the HA MN replies to CN directly, and CN does a binding cache update for MN's new CoA Subsequent packets between CN and MN are routed directly with no interaction needed on the HA
Type-2 Routing Header Allows for routing directly from Corresponding Node to Mobile Node Care-of Address Home Address is kept in routing header until retrieval by Mobile Node Different Header type from traditional IPv6 routing type allows for different firewall rules The general idea is following: some mobile node having a permanent address (so called home address) is travelling at present. It is connected to some strange network and obtained a temporary (care-of) address. The goal is to deliver datagrams to the care-of address, but to hide its existence from the upper layers. So when a datagram is sent to the mobile node, the care-of address is used as the destination in basic IPv6 header. However, a routing header Type 2 is attached containing the home (permanent) address of the mobile node. When the datagram arrives at the target, the addresses are swapped and the home address is presented as the destination to upper layers.
Mobility Header Used for communications between the Corresponding Node, Home Agent, and Mobile Node Ensures all binding commands are taken care of Attaches onto the IPv6 Option header
Mobility Options Option types 6-27 are defined in later RFCs Option types that are not understood by the receiver are ignored, but the receiver must still process the mobility header.
Mobility Header Types Binding Refresh Request Binding Error Message Binding Update/Binding Acknowledgement Care-of Test initialization message/Care-of Test Message Home Test initialization message/Home test message Triangular routing employs only BU/BA/BE messages
Dynamic Home Agent Address Discovery (DHAAD) Router on a link acting as a Home Agent maintains a Home Agents List Building a Home Agents List DHAAD Exchange starts Request Reply Mobile Prefix Solicitation Mobile Prefix Advertisement Process on page 100 Neighbor discovery, IPv6 equivalent of proxy ARP in IPv4
Dynamic Home Agent Address Discovery (DHAAD) Home Agents listen for DHAAD Request on a subnet anycast address with identifier 0x7E (decimal 126) Mobile Nodes then listen for DHAAD Reply with a message containing a Home Agent Preference value(s) Mobile node then sends Binding Update and Care-of-address to the Home Agent Process on page 100 Anycast is one at a time Neighbor discovery, IPv6 equivalent of proxy ARP in IPv4
Dynamic Home Agent Address Discovery (DHAAD) CN Process on page 100 Anycast is one at a time Neighbor discovery, IPv6 equivalent of proxy ARP in IPv4 DHAAD Request DHAAD Reply
New ICMP Messages Home Agent Address Discovery Request Implementation of Dynamic Home Agent Address Discovery Home Agent Address Discovery Request Home Agent Address Discovery Reply Mobile Prefix Solicitation Mobile Prefix Advertisement
Home Agent Address Discovery Request Source IP = MN's CoA Destination IP = anycast address Type = 144 Code = 0 ICMPv6 Checksum Identifier = aid in matching a future Reply to this Request Reserved = 0 (unused) Mobile node requests Home Agent addresses
Home Agent Address Discover Reply Source IP = HA's IP Destination IP = MN's CoA Type = 145 Code = 0 ICMPv6 Checksum Identifier = same one used in Request message Reserved = 0 (unused) List of Home Agent Addresses The number of addresses presented in the list is indicated by the remaining length of the IPv6 packet carrying the Home Agent Address Discovery Reply message.
Mobile Prefix Solicitation Source IP = MN's CoA Destination IP = HA's IP Type = 146 Code = 0 ICMPv6 Checksum Identifier = aid in matching a future Advertisement to this solicitation Reserved = 0 (unused) Mobile node solicits Advertisement Purpose: solicit advertisement. HA should be on link to learn Prefix Info
Mobile Prefix Advertisement Source IP = HA's IP Destination IP = soliciting MN's CoA Type = 147 Code = 0 ICMPv6 Checksum Identifier = same one used in Solicitation message Reserved = 0 (unused) M = 1 bit Managed Address Configuration flag O = 1 bit Other Stateful Configuration flag Prefix Information of Home Network With Prefix Info, update and configure stored Home Network info : Home Addresses. Unsolicited messages can only be sent to MN's registered on the network M=1 then address autoconfiguration is done by host O=1 then non-address autocnfiguration done by host
Binding Messages Binding Update Message - used by a mobile node to notify other nodes of a new care-of address for itself Binding Acknowledgement Message - used to acknowledge receipt of a Binding Update Binding Error Message - used by the correspondent node to signal an error related to mobility, such as an inappropriate attempt to use the Home Address destination option without an existing binding
Mobile IPv6 Security Overview
Security with Mobile IPv6 Security Threats: Route Optimization INCREASES the number of Binding Updates (BU) Malicious or unauthenticated BUs can cause: False Binding Update Attacks Man-in-the-Middle Attacks Denial of Service Attacks Mitigation Techniques Mitigation Techniques: RFC 3776 - Using IPsec to Protect Mobile IPv6 Signaling between Mobile Nodes and Home Agents The return routability procedure authorizes registrations by the use of a cryptographic token exchange Return Routability Protocol: The Return Routability pro- tocol (RR protocol) presented in [2] enables a correspondent node (CN) to obtain some reasonable assurance that a mobile node (MN) is in fact addressable at its claimed care-of address (CoA) as well as at its home address (HA). Only with this assurance is the correspondent node able to accept Binding Updates from the mobile node which would then instruct the correspondent node to direct that mobile node’s data traffic to its claimed care-of address. In the RR protocol, the two cookies are exchanged to verify that a valid mobile node is alive at its home address HoA and care-of address CoA.The eventual binding update messages are protected using a keyed hash function with the session key kBU obtained by hashing the concatenation of the two cookies CH and CC.
IPsec Primer
Binding Updates Protection BU/BA to Home Agents MUST be secured through IPsec ESP encapsulation of Binding Updates and Acknowledgements between the mobile node and home agent MUST be supported and MUST be used ESP encapsulation of the Home Test Init and Home Test messages tunneled between the mobile node and home agent MUST be supported and SHOULD be used ESP encapsulation of the ICMPv6 messages related to prefix discovery MUST be supported and SHOULD be used
Mobile Prefix Discovery Mobile Node and the Home Agent SHOULD use an IPsec security association to protect the integrity and authenticity of the Mobile Prefix Solicitations and Advertisements
Payload Packets Payload packets exchanged with NM can follow the same protection as other IPv6 hosts For traffic tunneled via the HA, additional IPsec ESP encapsulation may be supported
Conclusion IPv6 mobility support has been on the list of required features from the beginning The Mobile IPv6 specification is on its way to becoming a standard so it is expected that virtually all IPv6 deployments will include at least the minimal mobile IP An efficient and deployable protocol for handling mobility with IPv6
Questions?