Mobility Support in IPv6 Advanced Internet, 2004 Fall 8 November 2004 Sangheon Pack.


Content
- IP Mobility
- Mobile IPv6 Basic Operation
- Mobile IPv6 Security
- Optimization of Mobile IPv6
  - Hierarchical Mobile IPv6 (HMIPv6)
  - Fast Handover for Mobile IPv6 (FMIPv6)
- Conclusion

IP Mobility (1/2)
- Routing
  - Nodes communicate using IP (All-IP network); IP packets are routed by their destination address
  - When a mobile node moves, it needs to change its IP address to match its current network
- Identification
  - Connections/sessions between nodes are mostly identified by the endpoint IP addresses
  - When the node moves and is assigned a new IP address, all existing connections/sessions must be terminated and re-established!
- Hence the need for an IP mobility protocol

IP Mobility (2/2)
[figure: a Mobile Node moves between networks while a Correspondent Node keeps communicating with it]

Mobile IPv6 (1/3)
- Overview
  - Home network, HA and CoA: the same as in Mobile IPv4
- Address auto-configuration
  - The MN can obtain a CoA in a foreign network without any help from a foreign agent (FA)
- Packet interception at the HA
  - By Neighbor Discovery (cf. Proxy ARP in Mobile IPv4)
- Binding update
  - Between MN and HA, and between MN and CN
  - Route optimization between MN and CN
- New extension headers
  - Type 2 Routing header: carries the home address in packets sent to the MN's CoA (route optimization)
  - Destination Options header (Home Address option): carries the home address in packets originated by the MN

Mobile IPv6 (2/3)
- Bi-directional tunneling mode
  - Does not require the CN to support Mobile IPv6
  - Uses reverse tunneling through the HA for MN-originated packets
- Route Optimization (RO) mode
  - Requires the MN's current binding to be registered at the CN
  - Uses a new type of IPv6 routing header: Destination Address = current CoA, Type 2 routing header = home address
  - Shortest communication path
  - Eliminates congestion at the MN's HA and home link
  - Reduces the impact of any failure of the HA or of the networks on the path to or from it

Mobile IPv6 (3/3)
- Dynamic Home Agent Address Discovery
  - Allows a MN to dynamically discover the IP address of a home agent on its home link
  - ICMP Home Agent Address Discovery Request message: destination address = the home-agents anycast address for the MN's own home subnet prefix
  - Reply message: list of HA addresses on the home link
  - The HAs maintain the home agents list

Mobile IPv6 Terminology
- Home Address (HoA): the permanent IP address identifying the Mobile Node. The Mobile Node should always be reachable at this address.
- Care-of Address (CoA): the temporary, network-specific IP address used to route packets to the Mobile Node's current location
- Home Agent (HA): the entity acting on behalf of the Mobile Node in its home network
- Correspondent Node (CN): any other host communicating with the Mobile Node (not necessarily mobile itself)

Mobile IPv4 vs. Mobile IPv6

Mobile IPv4 | Mobile IPv6
Mobile node, home agent, home link, foreign link | (same)
Mobile node's home address | Globally routable home address and link-local home address
Foreign agent | A "plain" IPv6 router on the foreign link (foreign agent no longer exists)
Collocated care-of address obtained via Agent Discovery, DHCP, or manually | Care-of address obtained via Stateless Address Autoconfiguration, DHCP, or manually
Agent Discovery | Router Discovery
Authenticated registration with home agent | Authenticated notification of home agent and other correspondent nodes
Routing to mobile nodes via tunneling | Routing to mobile nodes via tunneling and source routing
Route optimization via separate protocol specification | Integrated support for route optimization

Binding Update
- An MN informs the HA and CNs of its CoA when the MN is located in a foreign network
- The HA/CN answers with a Binding Acknowledgement
- Requirements
  - Source address in the IP header = the MN's CoA, so that the packet is not dropped by ingress filtering (the home address travels in the Home Address destination option)
  - IPsec (ESP, or AH as an alternative) to secure the binding update to the HA

Packet Delivery
- Packet delivery from CN to MN
  - The CN checks whether there is binding information for the MN in its binding cache
  - If there is a matching entry: the CN sends packets to the cached CoA using the type 2 routing header (no IPv6 encapsulation)
  - Otherwise: normal routing to the MN's home address; the HA intercepts the packets and tunnels them to the MN
- An MN that receives packets tunneled by the HA sends a binding update to the CN (after the return routability procedure described below), so that later packets take the optimized route

Requirements
- Correspondent Nodes
  - Processing of binding update messages: update the binding cache whenever a new binding update with a new CoA is received
- Mobile Nodes
  - Send a binding update when a new CoA is needed
  - Maintain a Binding Update List
  - Packet encapsulation/decapsulation (no FA)
- Home Agents
  - Packet encapsulation/decapsulation
  - Proxy neighbor advertisements for the MN's home address

Binding Messages
- Binding Update: used by a mobile node to notify other nodes of a new care-of address. Can also be used to delete old bindings.
- Binding Acknowledgement: used to acknowledge receipt of a Binding Update
- Binding Refresh Request: used by the correspondent node to inform the mobile node that the binding is (or is going) stale
- Binding Error: used by the correspondent node to signal an error

Mobile IPv6 Basic Operation
[figure: the Correspondent Node reaches the Mobile Node either by bidirectional tunnelling through the Home Agent (IP tunnel) or by route optimization (routing option)]

Binding Updates to HA
[figure: the Mobile Node sends a Binding Update to the Home Agent, which stores the home address to care-of address mapping and returns a Binding Update ACK (BACK)]
- The MN needs to update the HA on its current location (CoA): Binding Update message
- The HA keeps this binding for future use

Binding Updates to CN
[figure: after the binding at the Home Agent, the Mobile Node sends a BU to the Correspondent Node and receives a BACK; the CN stores the home address to care-of address mapping. Three packet formats are shown: MN-to-CN packets with IPv6 source = CoA and a Destination Option carrying the Home Address; CN-to-MN packets with IPv6 destination = CoA and a type 2 Routing header carrying the Home Address; and, without a CN binding, packets carried in an IPv6 tunnel between the Home Agent and the CoA]

Mobile IPv6 Security

BU to HA: Security Issues (1/2)
- Man-in-the-middle attack
  - [figure: a malicious node sends a false BU for the Mobile Node to the Home Agent and receives the BACK]
  - By means of false BUs, the traffic for the MN can be redirected through a malicious node

BU to HA: Security Issues (2/2)
- Hijacking
  - By means of false BUs
  - By replaying old BUs
- Confidentiality breach
  - By eavesdropping: the MN is often connected to a WLAN
- Denial-of-Service (DoS)
  - By means of false BUs: an attacker might claim that the MN is at another location
  - By replaying old BUs: packets for the MN would be sent to its old location
  - False BUs can also be used for DoS attacks against third-party victim nodes: all packets destined to the MN's home address would be redirected to the victim node

Mobile IPv6 Security
- Protection of BUs to the HA
  - By the use of IPsec extension headers
  - Home address in the BU message: the security association is selected based on the MN's home address
  - Security key distribution: manual, or automatic key management with IKE
- Protection of BUs to the CN
  - By the use of the Binding Authorization Data option
  - No security association and no authentication infrastructure between MN and CN
  - Return Routability: establishes a binding management key (Kbm) that assures the CN that the right MN is sending the message
  - The BU is authenticated with a keyed-hash algorithm (HMAC_SHA1) using Kbm

IPsec SA
- An IPsec Security Association (SA) is a cryptographically protected connection
- There MUST be an SA between the MN and the HA
  - Provides integrity and authentication of BU and BACK
- The SA is defined per home address (one SA per home address)
- Protocols: ESP (Encapsulating Security Payload) or AH (Authentication Header)

ESP and AH
- Encapsulating Security Payload (ESP) provides
  - Integrity and authenticity
  - Correct packet ordering, by means of the sequence numbers in BU messages
  - Anti-replay protection, but only if dynamic keying is used
  - Confidentiality
- Replay and reordering attacks are possible if static (manually configured) keys are used, because the ESP anti-replay window cannot be relied on with manual keying
- The Authentication Header (AH) is an alternative to ESP

Packet Format (1/2): Binding Update, Mobile Node to Home Agent
- IPv6 header: source = care-of address, destination = home agent
- ESP header
- Destination options header: Home Address option (home address)
- Mobility header: Binding Update, with Alternate Care-of Address option
Notes
- The mobility header is used in Mobile IPv6 when managing bindings
- The source address (CoA) avoids ingress filtering
- The Home Address option is used to identify the SA
- The Alternate Care-of Address option is used to protect the care-of address: it sits inside the ESP-protected part, whereas the source address in the IPv6 header is not covered by ESP

Packet Format (2/2): Binding Acknowledgement, Home Agent to Mobile Node
- IPv6 header: source = home agent, destination = care-of address
- ESP header
- Type 2 routing header: home address
- Mobility header: Binding ACK
Notes
- The home address in the type 2 routing header helps the mobile node to identify the SA
- Note that the Binding ACK is encrypted

BU to Home Agents: Summary
- IPsec SA between Mobile Node and Home Agent
  - Integrity and authentication
  - Protection against replay and reordering attacks (with dynamic keying)
  - Confidentiality (optional)
- Problems
  - Static SA between Mobile Node and Home Agent: if the 16-bit Mobile IPv6 sequence number wraps around, or the HA reboots and loses its state, replay and reordering attacks become possible
  - IPsec does not fully prevent an MN from mounting a DoS attack; however, the MN will be identified by means of its SA with the Home Agent
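The replay problem on this slide comes down to how the Home Agent compares Binding Update sequence numbers. The following is an added example, not code from the slides, showing the modulo-2^16 comparison rule of RFC 3775 section 9.5.1 and the binding-cache check built on it, then the state-loss case the slide warns about: after the HA "reboots", a captured old BU (still validly protected by the static SA) is accepted again. The addresses and the HomeAgent class are constructed for illustration.

```python
# Added example (not from the slides): the HA's Binding Update sequence-number
# check from RFC 3775 section 9.5.1, and why it fails after HA state loss.
# Addresses are constructed test values.

SEQ_MOD = 1 << 16           # the BU Sequence Number field is 16 bits wide
HOA = "2001:db8:a::10"      # mobile node's home address (constructed)
COA_OLD = "2001:db8:b::20"  # care-of address in the first foreign network (constructed)
COA_NEW = "2001:db8:c::30"  # care-of address after the move (constructed)


def is_newer(received, last):
    """RFC 3775 modulo-2^16 rule: a received sequence number counts as less than
    or equal to the last one if it lies in [last - 32768, last] (mod 2^16).
    Anything else, i.e. 1..32767 steps ahead, is newer; wraparound is handled."""
    delta = (received - last) % SEQ_MOD
    return 0 < delta < SEQ_MOD // 2


class HomeAgent:
    """Minimal binding cache: home address -> (care-of address, last accepted seq)."""

    def __init__(self):
        self.binding_cache = {}

    def process_bu(self, home_addr, careof_addr, seq):
        # IPsec ESP has already authenticated the BU before we get here. With a
        # manually keyed SA there is no ESP anti-replay window, so this sequence
        # check is the only thing stopping a replayed (still valid) old BU.
        entry = self.binding_cache.get(home_addr)
        if entry is not None and not is_newer(seq, entry[1]):
            # RFC 3775 Binding Ack status 135: "Sequence number out of window"
            return "rejected: sequence number out of window"
        self.binding_cache[home_addr] = (careof_addr, seq)
        return "accepted"

    def reboot(self):
        """Simulates an HA losing its binding cache (the slide's failure mode)."""
        self.binding_cache.clear()


def demo():
    """Runs the scenario from the slide and returns the four outcomes."""
    ha = HomeAgent()
    results = []
    results.append(ha.process_bu(HOA, COA_OLD, 10))   # first registration
    results.append(ha.process_bu(HOA, COA_NEW, 11))   # MN moved
    captured_old_bu = (HOA, COA_OLD, 10)              # attacker replays this later
    results.append(ha.process_bu(*captured_old_bu))   # rejected while state is intact
    ha.reboot()
    results.append(ha.process_bu(*captured_old_bu))   # accepted: traffic now goes to COA_OLD
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` returns accepted, accepted, rejected, accepted: the last value is the replay succeeding after state loss. With IKE-negotiated keys the ESP anti-replay window would have caught the replay independently of the mobility sequence number; with manual keys, HA state is the only defence.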

Security Issues: BU to CN
- Same issues as with updating the Home Agent: spoofing, man-in-the-middle, confidentiality, replay
- In addition: the need to verify successful routing before switching to route optimization mode
- Problem: it is not feasible to have security associations covering all potential mobile and correspondent nodes, so there is no security association between the MN and CNs

Return Routability (1/4)
- Return Routability authorizes the binding procedure by means of a cryptographic token exchange
- Terminology
  - Cookie: a random number used by a mobile node to prevent spoofing by a bogus CN in the RR procedure
  - Care-of init cookie: a cookie sent to the CN in the Care-of Test Init message, to be returned in the Care-of Test message
  - Home init cookie: a cookie sent to the CN in the Home Test Init message, to be returned in the Home Test message

Return Routability (2/4)
- Terminology
  - Keygen token: a number supplied by a CN in the RR procedure to enable the MN to compute the binding management key needed to authorize a BU
    - Care-of keygen token: carried in the Care-of Test message
    - Home keygen token: carried in the Home Test message
  - Nonce: random numbers used internally by the CN in the creation of keygen tokens related to the RR procedure
  - Binding management key (Kbm): key used for authorizing binding cache management messages (e.g., BU and BACK messages)
- RR provides a way to create a binding management key

Return Routability (3/4)
- Home Test Init (HoTI)
  - The MN sends a Home Test Init message to the CN to acquire the home keygen token
  - Source Address = home address, Destination Address = CN
  - Parameters: home init cookie
  - This message is reverse-tunneled through the HA
- Care-of Test Init (CoTI)
  - The MN sends a Care-of Test Init message to the CN to acquire the care-of keygen token
  - Source Address = CoA, Destination Address = CN
  - Parameters: care-of init cookie
  - This message is sent directly to the CN

Return Routability (4/4)
- Home Test (HoT)
  - Sent in response to a Home Test Init message
  - Source Address = CN, Destination Address = home address (delivered to the MN through the HA)
  - Parameters: home init cookie; home keygen token = First(64, HMAC_SHA1(Kcn, (home address | nonce | 0))); home nonce index
- Care-of Test (CoT)
  - Sent in response to a Care-of Test Init message, directly to the CoA
  - Source Address = CN, Destination Address = care-of address
  - Parameters: care-of init cookie; care-of keygen token = First(64, HMAC_SHA1(Kcn, (care-of address | nonce | 1))); care-of nonce index
- Kbm = SHA1(home keygen token | care-of keygen token)
- BU authenticator = First(96, HMAC_SHA1(Kbm, (care-of address | CN address | BU)))
- The CN keeps only Kcn and its nonces: it recomputes both tokens from the nonce indices carried in the BU, so it stores no per-MN state before the BU arrives

Return Routability Test (1/3 to 3/3)
[figures: the Correspondent Node holds a secret key Kcn and a table of temporary nonces. (1) Care-of Test Init from the CoA directly to the CN; Care-of Test back with care-of nonce index 1 and care-of keygen token = HMAC_SHA1_Kcn(care-of address | nonce | 1)[1:64]. (2) Home Test Init from the home address, via the Home Agent, to the CN; Home Test back with home nonce index 1 and home keygen token = HMAC_SHA1_Kcn(home address | nonce | 0)[1:64]. (3) The Mobile Node computes Kbm = SHA1(home keygen token | care-of keygen token) and MAC = HMAC_SHA1_Kbm(care-of address | CN address | BU)[1:96], and sends the Binding Update with the Home Address option and both nonce indices; the CN recomputes both tokens from Kcn, the indexed nonces and the addresses, rebuilds Kbm and checks the MAC]
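The whole exchange described on the Return Routability slides, as an added example that is not code from the original presentation: the CN side derives keygen tokens from Kcn and its nonces, the MN side runs HoTI/CoTI, derives Kbm and authorizes a Binding Update, and the CN verifies the BU by recomputing the tokens from the nonce indices it carries, keeping no per-MN state beforehand. It uses the formulas on the previous slide exactly (64-bit tokens, SHA1 for Kbm, 96-bit authenticator). Addresses, Kcn, nonces, the nonce retention depth and the class structure are constructed for illustration; the `bu_bytes` layout is a stand-in for the real Mobility Header encoding.

```python
# Added example (not code from the slides): the Return Routability exchange and
# the Binding Update authorization it enables, computed with the RFC 3775
# formulas shown above. Addresses, Kcn and the nonces are constructed test
# values; the CN and MN functions are illustrative, not a real stack.
import hashlib
import hmac
import ipaddress
import os

HOA = "2001:db8:a::10"         # mobile node's home address (constructed)
COA = "2001:db8:b::20"         # its care-of address in the foreign network (constructed)
CN_ADDR = "2001:db8:c::30"     # correspondent node (constructed)
ATTACKER_COA = "2001:db8:bad::1"


def _packed(addr):
    return ipaddress.IPv6Address(addr).packed


def keygen_token(kcn, address, nonce, tag):
    """First(64, HMAC_SHA1(Kcn, address | nonce | tag)); tag 0 = home, 1 = care-of."""
    return hmac.new(kcn, _packed(address) + nonce + bytes([tag]), hashlib.sha1).digest()[:8]


def binding_management_key(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm, careof_addr, cn_addr, bu_bytes):
    """First(96, HMAC_SHA1(Kbm, care-of address | CN address | BU))."""
    msg = _packed(careof_addr) + _packed(cn_addr) + bu_bytes
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """CN side. Keeps only Kcn and a short nonce table, so it needs no per-MN
    state until a BU arrives that it can verify by recomputing both tokens."""
    MAX_NONCES = 3  # nonces retained; older indices are refused as stale

    def __init__(self, address, kcn):
        self.address = address
        self.kcn = kcn
        self.nonce_index = 0
        self.nonces = {0: os.urandom(8)}
        self.binding_cache = {}  # home address -> care-of address

    def rotate_nonce(self):
        self.nonce_index += 1
        self.nonces[self.nonce_index] = os.urandom(8)
        for idx in [i for i in self.nonces if i <= self.nonce_index - self.MAX_NONCES]:
            del self.nonces[idx]

    def _test_reply(self, address, init_cookie, tag):
        token = keygen_token(self.kcn, address, self.nonces[self.nonce_index], tag)
        return {"cookie": init_cookie, "token": token, "nonce_index": self.nonce_index}

    def home_test(self, home_addr, home_init_cookie):        # HoTI -> HoT (via the HA)
        return self._test_reply(home_addr, home_init_cookie, 0)

    def careof_test(self, careof_addr, careof_init_cookie):  # CoTI -> CoT (direct)
        return self._test_reply(careof_addr, careof_init_cookie, 1)

    def binding_update(self, src_careof, home_addr, bu_bytes, home_idx, careof_idx, auth):
        """Verify the Binding Authorization Data and update the cache on success."""
        if home_idx not in self.nonces or careof_idx not in self.nonces:
            return "rejected: stale nonce index"
        home_token = keygen_token(self.kcn, home_addr, self.nonces[home_idx], 0)
        careof_token = keygen_token(self.kcn, src_careof, self.nonces[careof_idx], 1)
        kbm = binding_management_key(home_token, careof_token)
        expected = bu_authenticator(kbm, src_careof, self.address, bu_bytes)
        if not hmac.compare_digest(expected, auth):
            return "rejected: bad authenticator"
        self.binding_cache[home_addr] = src_careof
        return "accepted"


def mobile_node_binding(cn, home_addr, careof_addr, seq=1):
    """MN side: run HoTI/CoTI, derive Kbm, and build the BU the CN will receive."""
    home_cookie, careof_cookie = os.urandom(8), os.urandom(8)
    hot = cn.home_test(home_addr, home_cookie)        # HoTI reverse-tunneled through the HA
    cot = cn.careof_test(careof_addr, careof_cookie)  # CoTI sent directly from the CoA
    if hot["cookie"] != home_cookie or cot["cookie"] != careof_cookie:
        raise ValueError("cookie mismatch: reply not from the CN we asked")
    kbm = binding_management_key(hot["token"], cot["token"])
    bu_bytes = seq.to_bytes(2, "big") + _packed(home_addr)  # seq number + Home Address option
    return {
        "src_careof": careof_addr,      # IPv6 source = CoA, to pass ingress filtering
        "home_addr": home_addr,
        "bu_bytes": bu_bytes,
        "home_idx": hot["nonce_index"],
        "careof_idx": cot["nonce_index"],
        "auth": bu_authenticator(kbm, careof_addr, cn.address, bu_bytes),
    }


if __name__ == "__main__":
    cn = CorrespondentNode(CN_ADDR, os.urandom(20))
    print(cn.binding_update(**mobile_node_binding(cn, HOA, COA)), cn.binding_cache)
```

Two properties worth seeing in the code: an on-path attacker who captures the BU and re-sends it from its own address fails, because the care-of token, hence Kbm, hence the authenticator, are bound to the CoA; and once the CN rotates its nonces past the indices the MN used, the same BU is refused as stale, which is what limits replay without the CN remembering anything about the MN.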

Mobile IPv6 Optimization

Drawbacks of Mobile IPv6
- Mobile IPv6 reacts only after L2 movement
  - Introduces a period of service disruption after L2 movement until the signaling is completed
  - Performance depends on the Mobile IP registration time and the MN-HA distance
- Optimization schemes
  - Fast Handover for Mobile IPv6: anticipates Mobile IP messaging (before L2 movement)
  - Hierarchical Mobile IPv6: reduces the MN-to-HA round-trip delay and the number of messages (better transmission efficiency)

Standardization (1/2)
- Recent trend in the IETF: new working groups
  - MIP4: Mobility for IPv4
  - MIP6: Mobility for IPv6
  - MIPSHOP: MIPv6 Signaling and Handoff Optimization
- IP Mobility Optimizations (MobOpts) in the IRTF
  - Analysis of Mobile IP route optimization considering parameters such as traffic pattern, link conditions, topology, etc.
  - Alternative mechanisms for discovering a Mobility Anchor Point (MAP) in Hierarchical Mobile IP (HMIP)
  - Evaluation of existing and new mechanisms for discovering and selecting a target base station and/or router for handover

Standardization (2/2)
- IETF Mobile IP WG
  - Mobile IPv4
    - Low latency handoff: draft-ietf-mobileip-lowlatency-handoffs-v4-09.txt, June
    - Regional registration: draft-ietf-mobileip-reg-tunnel-06.txt, March
  - Mobile IPv6
    - Fast Handover: draft-ietf-mipshop-fast-mipv6-03.txt, October
    - Hierarchical Mobile IPv6: draft-ietf-mipshop-hmipv6-02.txt, June 2004

Hierarchical Mobile IPv6

HMIPv6
- Motivation
  - Reduce the number of BUs when MNs move within a MAP domain
  - Transparency of the MN's mobility to CNs
  - Location privacy
- HMIPv6
  - Mobility Anchor Point (MAP): a local HA
  - The MN acquires two addresses: an on-link CoA (LCoA) and a regional CoA (RCoA)
  - Reduces the Mobile IPv6 signaling load
  - Improves handoff delay

HMIPv6 Operation
[figures: an HA and a CN on the Internet, and a MAP domain containing a MAP, an old AR and a new AR. (1) On entering the MAP domain the MN sends a Local BU (RCoA, LCoA) to the MAP and a Home BU (Home address, RCoA) to the HA and CN. (2) On moving from the old AR to the new AR within the same MAP domain the MN obtains a new LCoA' and sends only a Local BU (RCoA, LCoA') to the MAP; the HA and CN are not involved. (3) On moving into a new MAP domain the MN obtains a new RCoA' and sends a Local BU (RCoA', LCoA') to the new MAP and a Home BU (Home address, RCoA') to the HA and CN]

Fast Handover for Mobile IPv6

FMIPv6
- Fast Handover for Mobile IPv6
  - Minimizes packet loss and latency due to handoffs; critical for real-time services
  - The MN acquires a new CoA and registers it with the previous AR before it gets link connectivity to the new AR
  - As soon as the MN leaves the current link, the old AR starts forwarding traffic to the new AR
- Operation
  - Detect movement in anticipation (L2 trigger)
  - Update the old AR (before L2 movement)
  - Traffic is then forwarded from the old AR to the new AR (non-optimal path)
  - The MN must then also update the HA and CNs (for optimal routing)
  - Bicasting can improve performance

New Message Formats
- Neighbor Discovery messages
  - Router Solicitation for Proxy Advertisement (RtSolPr)
  - Proxy Router Advertisement (PrRtAdv)
- Inter-Access Router messages
  - Handover Initiate (HI)
  - Handover Acknowledge (HAck)
- New Mobility Header messages
  - Fast Binding Update (FBU)
  - Fast Binding Acknowledgement (FBAck)
  - Fast Neighbor Advertisement (FNA)

Message Flow - Predictive (MN, PAR, NAR)
- L2 trigger at the MN
- MN -> PAR: RtSolPr
- PAR -> MN: PrRtAdv
- MN -> PAR: FBU
- PAR -> NAR: HI
- NAR -> PAR: HAck
- PAR -> MN: FBAck
- PAR forwards packets to NAR; the MN disconnects from PAR and connects to NAR
- MN -> NAR: FNA
- NAR delivers the forwarded packets to the MN

Message Flow - Reactive (MN, PAR, NAR)
- L2 trigger at the MN
- MN -> PAR: RtSolPr
- PAR -> MN: PrRtAdv
- The MN disconnects from PAR and connects to NAR before the FBU could be sent
- MN -> NAR: FNA[FBU] (the FBU is carried inside the FNA)
- NAR -> PAR: FBU
- PAR -> NAR: FBAck; PAR forwards packets to NAR
- NAR delivers the packets to the MN

Timing Diagram (1/2) [MIPv6]
Events along the time axis
- Handover start epoch
- New link information: Neighbor Discovery is completed
- MN transmission capable; sends Binding Update
- Binding Update received by mobility agent/CN
- Packets begin arriving at the new IP address
Latencies marked on the diagram
- Link switching delay (t_L)
- IP connectivity latency (t_I)
- Packet reception latency (t_P)
- Intervals t_New and t_BU

Timing Diagram (2/2) [FMIPv6: Predictive]
Events along the time axis
- L2 trigger (RtSolPr/PrRtAdv, HI/HAck)
- Handover start epoch: forwarding from PAR to NAR (F-BU/F-BAck)
- New link information: Neighbor Discovery is completed
- MN transmission capable; sends Binding Update
- Binding Update received by mobility agent/CN
- Packets begin arriving directly at the new IP address
Latencies marked on the diagram
- Link switching delay (t_L)
- IP connectivity and packet reception latency (t_I = t_P)
- Intervals t_L2, t_New and t_BU

Research Issues
- HMIPv6
  - MAP selection
  - Scalability and fault-tolerant service
- FMIPv6
  - Implementation over IEEE /16/20
  - Buffer management
- HMIPv6 + FMIPv6
  - Integration of HMIPv6 with FMIPv6