
1 Mohamed M Khalil Mobile IPv4 & Mobile IPv6

2 Mobile IPv4 - Why?
A mobile workforce carries its laptops and wants to communicate with different hosts on the IP based network.
(Figure: IP based network with Sub-network A and Sub-network B)

3 Mobile IP - The Problem
When a Mobile Node (MN) moves across subnetworks, it changes its point of attachment.
(Figure: IP based network with a Home Subnetwork, a Foreign Subnetwork and a host)

4 Mobile IP - Mobility Model
A routing solution should maintain all existing communications between the MN and other hosts while the MN is changing its point of attachment.
(Figure: Source Node, Destination Node and the Internet; F is an Address Translation Agent (ATA), F^-1 is a Forwarding Agent, LD is the Location Directory)

5 Mobile IPv4 - Design Requirements
- No modification to IP based routing
- Compatibility with IP based addressing
- Application transparency
- No modification to the host operating system
- Network-wide mobility scalability
- Compatibility with existing IP based network computers and applications

6 Mobile IPv4 - IETF Architecture
The Home Agent performs the functionality of the LD and the ATA. The Foreign Agent performs the functionality of the Forwarding Agent.
(Figure: Mobile IP entities and relationships: Home Network / Home Link with the Home Agent (ATA & LD) and a mobile node at the home link; Foreign Network / Foreign Link with the Foreign Agent (FA) and a mobile node at the foreign link; Host; IP Based Network)

7 Mobile IPv4 - Agent Advertisements
Mobile Agents advertise their presence. The MN determines whether it is on a home or a foreign link, and acquires a care-of address and a default router.
(Figure: Mobile Agent, Host, Mobile Node, Agent Advertisement)

8 Mobile IPv4 - Registration
1- MN sends a request for service.
2- FA relays the request to HA.
3- HA accepts or denies.
4- FA relays the status to MN.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network, Host, Router; Gratuitous ARP on the home link)

9 Mobile IPv4 - Data Transfer
- Host data packets are tunneled by HA to MN.
- MN sends information directly to the host.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network, Host)

10 Mobile IPv4 - Broadcast Packet from MN
Broadcast packets from MN MUST be tunneled to HA.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network, Host)

11 Mobile IPv4 - IP-in-IP Tunneling
Original IP packet: Header (IPsrc = Original Sender, IPdst = Ultimate Destination) | payload
Encapsulating IP packet: Outer Header (IPsrc = Tunnel Entry-Point (Home Agent), IPdst = Tunnel Exit-Point (care-of address)) | Header | payload
(Figure: a tunnel from a home agent to a foreign agent; Home Agent, Foreign Agent, Mobile Node)
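The encapsulation on this slide written out in Python, as an added example that is not code from the original presentation: the home agent wraps the original packet in an outer IPv4 header whose protocol field is 4 (IP-in-IP, RFC 2003), and the tunnel exit point verifies the outer header (checksum, destination equal to its own care-of address, protocol 4) before handing on the inner packet. The addresses, the payload and the checks in `decapsulate` are constructed for this illustration.

```python
"""IP-in-IP encapsulation (RFC 2003) for the home agent -> care-of address tunnel.
Added example with constructed addresses and payload; not the presentation's own code."""
import ipaddress
import struct

IPPROTO_IPIP = 4      # outer-header protocol number for IP-in-IP
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 packet: 20-byte header with a correct header checksum, then the payload."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed header, verify its checksum and split off the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_entry: str, tunnel_exit: str) -> bytes:
    """Home agent side: the original packet becomes the payload of an outer IPv4 header."""
    return build_ipv4(tunnel_entry, tunnel_exit, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, my_care_of_address: str) -> bytes:
    """Tunnel exit side: accept only IP-in-IP packets addressed to our care-of address,
    and validate the inner header before it is forwarded to the mobile node."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != my_care_of_address:
        raise ValueError("outer destination is not our care-of address")
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    inner = hdr["payload"]
    parse_ipv4(inner)
    return inner


def demo() -> dict:
    """Constructed sample: a correspondent host (203.0.113.10) sends a UDP packet to the MN's
    home address (192.0.2.7); the HA (192.0.2.1) tunnels it to the care-of address (198.51.100.5)."""
    original = build_ipv4("203.0.113.10", "192.0.2.7", IPPROTO_UDP, b"hello from correspondent")
    tunneled = encapsulate(original, "192.0.2.1", "198.51.100.5")
    outer = parse_ipv4(tunneled)
    recovered = decapsulate(tunneled, "198.51.100.5")
    try:                                   # a node that does not own the care-of address must not decapsulate
        decapsulate(tunneled, "192.0.2.99")
        wrong_exit_rejected = False
    except ValueError:
        wrong_exit_rejected = True
    damaged = tunneled[:8] + bytes([tunneled[8] - 1]) + tunneled[9:]   # TTL changed, checksum now wrong
    try:
        parse_ipv4(damaged)
        damage_detected = False
    except ValueError:
        damage_detected = True
    inner = parse_ipv4(recovered)
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "roundtrip_ok": recovered == original, "overhead": len(tunneled) - len(original),
            "wrong_exit_rejected": wrong_exit_rejected, "damage_detected": damage_detected}


if __name__ == "__main__":
    print(demo())
```

The 20-byte overhead reported by `demo()` is the cost of the extra header on every tunneled packet; it is also why the slide's MN-to-host direction is sent directly rather than tunneled back through the HA.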

12 Mobile IPv4 - Broadcast Packet to MN
The HA MUST tunnel broadcast packets destined for MN.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network)

13 Mobile IPv4 - Nested Tunneling
The MN should set the B bit to 1 to request that the HA provide it (via a tunnel) a copy of the broadcast packets that occur on the home link.
(Figure: Home Agent and Mobile Node; packet layout Src Addr | Data with outer Home Agent -> COA IP and inner Home Agent -> Mobile Node IP; network prefix.111…)

14 Mobile IPv4 - Registration Message Format
IP header fields | UDP header | Mobile IP message header | Extensions
After the IP and UDP headers, the registration message header is found, then any necessary extensions, always including an authentication extension.

15 Mobile IPv4 - Registration Request
IP Header (RFC 791): IHL, Type of Service, Total Length; Identification, Flags, Fragment Offset; Time to Live = 1, Protocol = UDP, Header Checksum; Source Address; Destination Address.
UDP Header (RFC 768): Source Port, Destination Port = 434; Length, Checksum.
Fixed-length portion of Registration Request (RFC 2002): Type = 1, flags S B D M G V res, Lifetime; Mobile Node's Home Address; Home Agent Address; Care-of Address; optional Extensions.
Mobile-Home Authentication Extension (RFC 2002), mandatory: Type = 32, Length, Security Parameter Index (SPI), Authentication (default: keyed MD5).
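As an added example that is not part of the original slides, the fixed-length Registration Request and the Mobile-Home Authentication Extension from this slide, built by a mobile node and checked by a home agent in Python, using the RFC 2002 keyed-MD5 "prefix+suffix" authenticator that the slide names as the default. The shared secret, SPI, addresses and lifetime are constructed; the Identification field is taken from RFC 2002's request layout (the slide lists it only for the reply), and the replay rule "Identification must exceed the last accepted one" is a simplification that stands in for the RFC's timestamp/nonce procedure.

```python
"""Mobile IPv4 Registration Request with the mandatory Mobile-Home Authentication
Extension (RFC 2002 layout). Added example; values are constructed, not from the slides."""
import hashlib
import hmac
import ipaddress
import struct

MIP_REG_REQUEST = 1            # Type of a Registration Request
MIP_AUTH_MOBILE_HOME = 32      # Type of the Mobile-Home Authentication Extension
MIP_UDP_PORT = 434             # UDP destination port of registration messages
# Flag bits of the byte after Type: S B D M G V and two reserved bits
FLAG_S, FLAG_B, FLAG_D, FLAG_M, FLAG_G, FLAG_V = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
FIXED_FMT = "!BBH4s4s4sQ"      # Type, flags, Lifetime, Home Addr, HA Addr, CoA, Identification
FIXED_LEN = struct.calcsize(FIXED_FMT)   # 24 bytes


def keyed_md5_authenticator(secret: bytes, protected: bytes) -> bytes:
    """RFC 2002 default: keyed MD5 in prefix+suffix mode, MD5(secret || data || secret),
    where data is the message up to and including the SPI of this extension.
    (RFC 3344 later made HMAC-MD5 the default; the extension layout is unchanged.)"""
    return hashlib.md5(secret + protected + secret).digest()


def build_registration_request(home_addr: str, home_agent: str, care_of: str, lifetime: int,
                               flags: int, identification: int, spi: int, secret: bytes) -> bytes:
    """Mobile node side: fixed part followed by the Mobile-Home Authentication Extension."""
    fixed = struct.pack(FIXED_FMT, MIP_REG_REQUEST, flags, lifetime,
                        ipaddress.IPv4Address(home_addr).packed,
                        ipaddress.IPv4Address(home_agent).packed,
                        ipaddress.IPv4Address(care_of).packed, identification)
    # Extension Length = 4 (SPI) + authenticator size, i.e. 20 for a 16-byte MD5 digest
    ext_head = struct.pack("!BBI", MIP_AUTH_MOBILE_HOME, 4 + 16, spi)
    return fixed + ext_head + keyed_md5_authenticator(secret, fixed + ext_head)


def verify_registration_request(msg: bytes, sa_table: dict, last_ident: dict) -> dict:
    """Home agent side. sa_table maps (home address, SPI) -> shared secret, i.e. the mandatory
    MN-HA security association. last_ident holds the highest Identification accepted per mobile
    node, so a captured request cannot simply be resent (simplified replay protection)."""
    if len(msg) < FIXED_LEN or msg[0] != MIP_REG_REQUEST:
        return {"ok": False, "reason": "not a Registration Request"}
    _, flags, lifetime, home, _ha, coa, ident = struct.unpack(FIXED_FMT, msg[:FIXED_LEN])
    home_s = str(ipaddress.IPv4Address(home))
    off = FIXED_LEN
    while off + 2 <= len(msg):                      # walk the Type/Length extension chain
        ext_type, ext_len = msg[off], msg[off + 1]
        if ext_type != MIP_AUTH_MOBILE_HOME:
            off += 2 + ext_len
            continue
        spi = struct.unpack("!I", msg[off + 2:off + 6])[0]
        authenticator = msg[off + 6:off + 2 + ext_len]
        secret = sa_table.get((home_s, spi))
        if secret is None:
            return {"ok": False, "reason": "no security association for this SPI"}
        expected = keyed_md5_authenticator(secret, msg[:off + 6])
        if not hmac.compare_digest(expected, authenticator):   # constant-time comparison
            return {"ok": False, "reason": "authenticator mismatch"}
        if ident <= last_ident.get(home_s, -1):
            return {"ok": False, "reason": "replayed Identification"}
        last_ident[home_s] = ident                  # state changes only after authentication
        return {"ok": True, "home": home_s, "care_of": str(ipaddress.IPv4Address(coa)),
                "lifetime": lifetime, "broadcasts": bool(flags & FLAG_B)}
    return {"ok": False, "reason": "Mobile-Home Authentication Extension missing"}


def demo() -> dict:
    """Constructed sample: one valid request, the same request resent, and a copy whose
    care-of address (bytes 12..15 of the fixed part) was altered in transit."""
    secret = b"constructed-shared-secret"
    sa_table = {("192.0.2.7", 0x100): secret}
    seen = {}
    req = build_registration_request("192.0.2.7", "192.0.2.1", "198.51.100.5",
                                     1800, FLAG_B, 1000, 0x100, secret)
    first = verify_registration_request(req, sa_table, seen)
    replay = verify_registration_request(req, sa_table, seen)
    altered = req[:12] + ipaddress.IPv4Address("203.0.113.66").packed + req[16:]
    tampered = verify_registration_request(altered, sa_table, {})
    return {"length": len(req), "first": first, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The order of the checks in `verify_registration_request` matters: the SPI selects the security association, the authenticator is verified with a constant-time comparison, and only an authenticated request may update the per-node replay state, so an unauthenticated message can neither register a new care-of address nor disturb the state used to judge later genuine requests.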

16 Mobile IPv4 - Registration Reply
Fixed-length portion of Registration Reply (RFC 2002): Type = 3, Code, Lifetime; Mobile Node's Home Address; Home Agent Address; Identification.

17 Mobile IPv4 - Route Optimization
1- Binding Update
2- Binding Acknowledgment
3- Binding Warning

18 Mobile IPv4 - Route Optimization
1- FA relays a request to HA.
2- Send BU to OFA and RR to HA.
3- Send a Binding Update as a result of receiving a Binding Warning extension.
4- Binding Acknowledgment back.
5- Registration Reply back.
(Figure: Home Link with Home Agent, Foreign Link with the new FA (NFA) and the old FA (OFA), Host)

19 Mobile IPv4 - Route Optimization (continued)
1- Data is sent from the host to the NFA through the HA.
2- HA tunnels the data to MN.
3- A Binding Update is sent from HA to the host.
4- Data is tunneled from the host to the NFA.
(Figure: Home Link with Home Agent, Foreign Link with NFA, Host)

20 Mobile IPv4 - Route Optimization (continued)
1- Data is tunneled to the old FA.
2- A Binding Warning message is sent to the HA.
3- HA sends a Binding Update to the host.
4- Data is tunneled to the new FA.
(Figure: Home Link with Home Agent, Foreign Link with NFA and OFA, Host)

21 Mobile IPv6 - IETF Architecture
The Home Agent performs the functionality of the LD and the ATA. A correspondent node may forward packets directly to the MN using source based routing.
(Figure: Mobile IP entities and relationships: Home Network / Home Link with the Home Agent (ATA & LD) and a mobile node at the home link; Foreign Network / Foreign Link with the Foreign Agent and a mobile node at the foreign link; Host; IP Based Network)

22 Mobile IPv6 - Registration
1- MN sends a DHCPv6 Request for a collocated IP address.
2- DHCPv6 Reply.
3- MN sends a Binding Update message.
4- MN receives a Binding Acknowledgement.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network, Host, Router; Gratuitous Neighbor Advertisement)

23 Mobile IPv6 - Data Transfer
1. Host data packets are tunneled by HA to MN.
2. MN sends a Binding Update to the host.
3. The host sends data directly to MN using source header routing.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network, Host)

24 Mobile IPv6 - Update MN Location
1. When the Binding Cache entry expires, the host sends a Binding Request to MN.
2. The host continues sending data directly to MN using source header routing.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IP based network, Host)

25 IP Security

26 Loss of Privacy
A perpetrator may observe confidential data, such as a password, as it traverses the internet. The perpetrator may then use this data to log in to the system and pretend to be the real person.
(Figure: telnet foo.bar.org, username: dan, password: m-y-p-a-s-s-w-o-r-d observed in transit)

27 Loss of Data Integrity
You may not care if someone sees your business transaction, but you do care if somebody modifies it.
(Figure: "Deposit $1000" is altered in transit to "Deposit $100")

28 Man in the Middle Attack
The bad guy replays the same business transaction message.
(Figure: "Withdraw $1000" is captured by the BAD GUY and sent again)

29 Denial of Service
The bad guy floods the system with messages or viruses which crash the system.

30 Where Should We Implement Security?
Security may be implemented in:
1- Application Layer (Secure Sockets Layer).
2- Network Layer (IPSec).
3- Data Link Layer (link-layer encryption).

31 IPSec: Security Protocol
IPSec implements an end-to-end security solution at the network layer. Thus end systems and applications do not need to change to gain the advantage of strong security.

32 IPSec: Session Establishment
1- IPSec provides the data-level processing. It assumes that the SA is already established between the two nodes; it has no mechanism of its own to establish a security association.
2- The negotiation and establishment of the security association is done by the Internet Key Exchange protocol (IKE), built around the framework of ISAKMP (Internet Security Association and Key Management Protocol).

33 IPSec: Connection
Each IPSec connection can provide the following:
1- Encryption.
2- Integrity and authenticity.
3- Or both.

34 IPSec: Security Association
IPSec uses Security Associations to establish secure connections between nodes. A Security Association defines:
1- the algorithms to use for encryption/decryption,
2- the algorithms to use for integrity check and authentication,
3- the shared session keys.
Each security association is identified by an SPI.

35 IPSec: Authentication Header
The Authentication Header provides support for data integrity and authentication of IP packets.
Fields: Next Header | Payload Length | RSV | SPI | Sequence Number | Authentication Data
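An added example, not code from the original presentation: the AH fields listed on this slide are built and parsed in Python, and the Sequence Number is run through the anti-replay sliding window of RFC 2401, which is the standard IPsec answer to the replayed-message problem shown on slide 28. Assumptions of this example: HMAC-SHA1-96 as the integrity algorithm, an ICV computed only over the AH and its payload (a real implementation also covers the immutable fields of the outer IP header), a 64-packet window, and a constructed key, SPI and packet sequence.

```python
"""IPsec Authentication Header (RFC 2402) check with the RFC 2401 anti-replay window.
Added example: key, SPI and packets are constructed; ICV coverage is simplified (see lead-in)."""
import hashlib
import hmac
import struct

AH_FIXED_FMT = "!BBHII"                       # Next Header, Payload Len, Reserved, SPI, Sequence Number
AH_FIXED_LEN = struct.calcsize(AH_FIXED_FMT)  # 12 bytes
ICV_LEN = 12                                  # HMAC-SHA1-96 keeps the first 96 bits of the MAC


def ah_icv(key: bytes, ah_zeroed: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the AH (ICV field zeroed) and the payload. Simplification: the
    immutable IP header fields that real AH also covers are left out of this example."""
    return hmac.new(key, ah_zeroed + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = 17) -> bytes:
    """Sender side. Payload Len is the AH length in 32-bit words minus 2, so 4 for a 96-bit ICV."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    head = struct.pack(AH_FIXED_FMT, next_header, payload_len, 0, spi, seq)
    return head + ah_icv(key, head + bytes(ICV_LEN), payload) + payload


class ReplayWindow:
    """Sliding window over accepted sequence numbers (RFC 2401 Appendix C).
    Bit i of the bitmap records whether sequence number (last - i) has been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq: int):
        """Return None if seq may be accepted, else the reason to drop it; state is untouched."""
        if seq == 0:
            return "sequence number 0 is never valid"
        if seq > self.last:
            return None
        diff = self.last - seq
        if diff >= self.size:
            return "older than the window"
        if (self.bitmap >> diff) & 1:
            return "replayed sequence number"
        return None

    def update(self, seq: int) -> None:
        """Record seq as accepted; call only after the ICV has verified."""
        if seq > self.last:
            diff = seq - self.last
            mask = (1 << self.size) - 1
            self.bitmap = (((self.bitmap << diff) & mask) | 1) if diff < self.size else 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def inbound_ah(packet: bytes, key: bytes, window: ReplayWindow) -> tuple:
    """Receiver side: cheap window check first, ICV check second, window update last."""
    if len(packet) < AH_FIXED_LEN:
        return ("reject", "truncated")
    _next_header, payload_len, _rsv, _spi, seq = struct.unpack(AH_FIXED_FMT, packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[AH_FIXED_LEN:ah_len], packet[ah_len:]
    reason = window.check(seq)
    if reason:
        return ("reject", reason)
    expected = ah_icv(key, packet[:AH_FIXED_LEN] + bytes(len(icv)), payload)
    if not hmac.compare_digest(expected, icv):
        return ("reject", "bad ICV")
    window.update(seq)
    return ("accept", payload)


def demo() -> list:
    """Constructed traffic on SPI 0x1001: in-order and slightly reordered packets, two replays,
    one forgery made with the wrong key, then a jump beyond the window followed by stragglers."""
    key, window, decisions = b"constructed-ah-key", ReplayWindow(), []

    def send(seq: int, sender_key: bytes = key) -> None:
        pkt = build_ah(sender_key, 0x1001, seq, b"payload-%d" % seq)
        decisions.append((seq, inbound_ah(pkt, key, window)[0]))

    for s in (1, 2, 3, 5, 4):       # 4 arrives after 5 but is new, so it is accepted
        send(s)
    send(3)                          # replay -> reject
    send(2)                          # replay -> reject
    send(6, b"wrong-key")            # forged ICV -> reject, and the window does not move
    send(6)                          # the genuine 6 is therefore still accepted
    send(100)                        # jump beyond the window: bitmap reset to the new top
    send(30)                         # 100 - 30 = 70 >= 64 -> too old
    send(40)                         # 100 - 40 = 60 < 64 and unseen -> accept
    return decisions


if __name__ == "__main__":
    for seq, decision in demo():
        print(seq, decision)
```

The window is consulted before the MAC is computed so that replayed packets cost no cryptographic work, and it is updated only after the ICV verifies, so a forged packet with a high sequence number cannot push the window forward and cause later genuine packets to be dropped as "too old".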

36 IPSec: Encapsulating Security Payload
The Encapsulating Security Payload provides confidentiality. As an optional feature it provides the same authentication services as AH.
Fields: Next Header | Payload Length | RSV | Sequence Number | Payload Data (variable) | Next Header | Authentication Data (variable)

37 IPSec: Operation Modes
Transport Mode: only the IP payload is encrypted, and the original IP headers are left intact. This mode allows an attacker to perform traffic analysis, but it enables special processing such as QoS based on the information in the IP header.
Tunnel Mode: the entire original IP datagram is encrypted, and it becomes the payload of a new IP packet. This mode allows routers to act as IPsec proxies. The major advantage is that the end system does not need to be modified to enjoy IP Security. It also protects against traffic analysis.

38 IPSec: Transport Mode
In transport mode only the data is encrypted.
IP HDR | DATA  ->  IP HDR | IPSEC HDR | DATA

39 IPSec: Tunnel Mode
In tunnel mode the entire packet is encrypted, including the header.
IP HDR | DATA  ->  New IP HDR | IPSEC HDR | (IP HDR + DATA)

40 IKE: Phase I and II
Two phases in IKE are necessary to establish an SA:
1- Phase I: establish a secure channel in which to negotiate the SA.
2- Phase II: the SA is negotiated between the two nodes using the previously established secure channel.

41 IKE: SA Establishment Using IKE
Two phases in IKE are necessary to establish an SA:
1- Phase 1: establish a secure channel in which to negotiate the SA.
2- Phase 2: the SA is negotiated between the two nodes using the previously established secure channel.

42 IKE: Authentication Methods for Phase I
Three types of authentication methods are used to authenticate Phase I:
1- Pre-shared secret key.
2- Public key cryptography.
3- Digital signature.

43 IKE: Phase II
Once the secure channel is established between two nodes as a result of Phase I, one node (the initiator) proposes a set of algorithms for authentication and encryption, and the other node (the responder) accepts one offer or rejects them all.

44 IKE: Example
1- Alice's ISAKMP begins negotiation with Bob (ISAKMP Alice to ISAKMP Bob over an ISAKMP Tunnel).
2- Outbound packet from Alice to Bob; no IPSec SA yet.
3- Negotiation complete: Alice and Bob now have complete IPSec SAs in place.
4- Packets from Alice to Bob are protected by IPSec.
(Figure: IPSec Alice, IPSec Bob, ISAKMP Alice, ISAKMP Bob, ISAKMP Tunnel)

45 Mobile IPv4 Security
Security associations between the Mobile IP entities:
1- MN-HA (mandatory)
2- MN-FA (optional)
3- FA-HA (optional)
(Figure: Mobile IP entities and relationships: Home Network / Home Link with the Home Agent (HA) and a mobile node at the home link; Foreign Network / Foreign Link with the Foreign Agent (FA) and a mobile node at the foreign link; Host; SA (mandatory) and SA (optional) links)

46 Mobile IPv6 Security
An IPSec tunnel between MN and HA is used to secure and authenticate the control messages between MN and HA.
(Figure: Home Link with Home Agent, Foreign Link with Foreign Agent, IPSec Tunnel between them)

47 BACKUP

48 Mobile IP - Introduction
- General increase in usage of laptop/notebook computers
- More access to Intranets
- Acceptance of telecommuting
- Increase in the mobility based workforce (sales, delivery etc.)
There is a need for mobile computers to communicate with other computers, fixed or mobile.

49 Mobile IP - Design Requirements
- Communicate with other nodes while changing its link-layer point of attachment
- Use its home (permanent) IP address to communicate with other computers
- Communicate with non-Mobile IP based computers
- Provide as much security as the fixed computers
- Provide end-to-end mobility as well as basic quality of service