1 Mobility Support in IPv6 (MIPv6) Chun-Chuan Yang Dept. Computer Science & Info. Eng. National Chi Nan University
2 Outline MIPv6 Features MIPv6 Basic Operations MIPv6 Security MIPv6 vs. MIPv4
3 Mobile IPv6 Features (1) IPv6 Mobility is based on core features of IPv6 The base IPv6 was designed to support Mobility Mobility is not an “Add-on” features All IPv6 Networks are IPv6-Mobile Ready All IPv6 nodes are IPv6-Mobile Ready All IPv6 LANs/Subnets are IPv6 Mobile Ready IPv6 Neighbor Discovery and Address Autoconfiguration allow hosts to operate in any location without any special support
4 Mobile IPv6 Features (2) No Foreign Agent In Mobile IPv4, an MN registers to a foreign node and borrows its’ address to build an IP tunnel so that the HA can deliver the packets to the MN. But in Mobile IPv6, the MN can get a new IPv6 address, which can be only used by the MN and thus the FA no longer exists IPv6 Address auto-configuration: MN can obtain a CoA in foreign network without any help of foreign agent More Scalable : Better Performance Less traffic through Home Link Less redirection/re-routing (Traffic Optimization)
5 Mobile IPv6 Features (3) Bi-directional tunneling mode Does not require for the CN to support Mobile IPv6 Use of Reverse tunneling (for ingress filtering) Route Optimization (RO) mode Requires to register the MN’s current binding at the CN Uses a new type of IPv6 routing header Type-2 routing header = home address (Dest Addr = MN’s CoA) Shortest communications path Eliminates congestion at the MN’s HA and home link Impact of any possible failure of the HA or networks on the path to or from it is reduced
6 Mobile IPv6 Features (4) Dynamic Home Agent Address Discovery Allows a MN to dynamically discover the IP address of a home agent on its home link ICMP Home Agent Address Discovery Request Message Destination address: Home Agent anycast address for its own home subnet prefix Reply message HA list (with preferences) in the home link Each HA maintains the home agent lists
7 New IPv6 Protocol (1) Mobility Header Home Test Init, Home Test, Care-of Test Init, Care-of Test Perform the return routability procedure from MN to CN for ensuring authorization of subsequent Binding Updates Binding Update Binding Acknowledgement Binding Refresh Request Binding Error
8 New IPv6 Protocol (2) New IPv6 Destination Option Home Address destination option Type-2 Routing header: route optimization New ICMPv6 Messages Home Agent Address Discovery Request Home Agent Address Discovery Reply Mobile Prefix Solicitation Mobile Prefix Advertisement
9 Mobility Header Payload Proto: Same as IPv6 Next Header MH Type: Identifies the particular mobility message Message Data: the data specific to the indicated MH type
10 Binding Update Message MH Type=5 Message Data: A: Acknowledge H: Home Registration L: Link-Local Address Compatibility K: Key Management Mobility Capability
11 Binding Acknowledgement Message MH Type=6 Message Data: K:Key Management Mobility Capability
12 MIPv6 Basic Operation (1) HA Home Network Foreign Network Internet CN Mobile Node S: CN’s IP Address D: MN’s Home Address IP HeaderPayLoad S: MN’s Home Address D: CN’s IP Address IP HeaderPayLoad
13 MIPv6 Basic Operation (2) HA Foreign Network Internet CN Home Network Binding Update Binding Ack Mobile Node PayLoadIP HeaderMobility Header MH=5MH=6 PayLoadIP HeaderMobility Header
14 S: CN’s IP Address D: MN’s Home Address MIPv6 Basic Operation (3) HA Internet CN Home Network Mobile Node IP HeaderPayLoad Tunneled packets S: HA’s Address D: MN’s COA New IP Header PayLoad Old IP Header
15 MIPv6 Basic Operation (4) HA Internet CN Home Network Mobile Node Binding Update Binding Ack PayLoadIP HeaderMobility Header MH=5MH=6 PayLoadIP HeaderMobility Header
16 MIPv6 Basic Operation (5) HA Internet CN Home Network Mobile Node S: CN’s Address D: MN’s COA PayloadIP HeaderRouting Header (Type 2, MN’s Home Address) S: MN’s COA D: CN’s Address (includes MN’s Home Address) PayloadIP HeaderHA Dest Opt
17 Movement Movement Detection: Detect L3 handovers Neighbor Unreachability Detection (NUD) Default router is no longer bi-directionally reachable Router Discovery: select a new default router Prefix Discovery: form new care-of address Home registration Correspondent registration
18 Home Registration (1) Set H-bit & A-bit in the Binding Updates sent to the HA MN’s home address in Home Address destination option Source address = Care-of address Set L-bit if the MN’s link-local address (for the new care-of-address) has the same interface ID as the home address Set K-bit if the IPsec SAs between the MN and the HA have been established dynamically, and the mobile node has the capability to update its endpoint in the used key management protocol to the new care-of address every time it moves
19 Home Registration (2) Sequence # Used by the receiving node to sequence BUs and by the sending node to match a returned BACK with this BU Lifetime The number of time units remaining before the binding must be considered expired One time unit is 4 seconds
20 Correspondent Registration (1) Allowing the CN to cache the MN’s current care-of address Return Routability procedure + registration After home registration, the MN should initiate a correspondent registration for each node that already appears in the MN’s Binding Update List The initiated procedures can be used to either update or delete binding information in the CN In addition, MN initiate the registration in response to receiving a packet tunneled using IPv6 encapsulation
21 Correspondent Registration (2) A Binding Update is created as follows 1. Source address of the IPv6 header = the current care-of address 2. Destination address = the address of the CN 3. Mobility header with MH type = 5, including the Binding Authorization Data and the Nonce Indices mobility options 4. Home Address destination option = MN’s home address
22 Conceptual Data Structures CN: Binding Cache When sending a packet, the Binding Cache is searched before the Neighbor Discovery conceptual Destination Cache HA: Binding Cache and Home Agents List The Home Agents List is used by the dynamic home agent address discovery mechanism MN: Binding Update List It records information for each BU sent by this MN, in which the lifetime of the binding has not yet expired The Binding Update List includes all bindings sent by the MN either to its HA or CNs
23 MIPv6 Security Binding Updates to HA IPsec and ESP between MN and HA Key Distribution (IKE, Internet Key Exchange) Binding Updates to CN Return Routability Procedure to assure that the right MN is sending the message Binding management key (Kbm) for integrity and authenticity of the BU messages
24 IPsec Security Association An SA is a cryptographically protected connection There MUST be a SA between the MN and HA Provides integrity and autentication of BU and BACK An SA is defined by: One SA per home-address IPsec Authentication Header (authentication only service)
25 Encapsulating Security Payload ESP: authentication + encryption
26 IPsec: AH vs. ESP
27 Binding Updates to CN Return Routability Procedure It enables CN to obtain some reasonable assurance that MN is in fact addressable at its claimed care-of address as well as at its home address Done by testing whether packets addressed to the two claimed addresses are routed to MN MN can pass the test only if it is able to supply proof that it received certain data (the “keygen tokens”) which CN sends to those addresses. These data are combined by MN into Kbm
28 Return Routability Procedure
29 RR Procedure Terminology (1) Node Key: a secret key (20 octets), Kcn, at CN Nonce: CN also generates nonces at regular intervals Cookie: Random number used by MN To prevent spoofing by a bogus CN in the RR procedure Home init cookie A cookie sent to the CN in the Home Test Init message, to be returned in the Home Test message Care-of init cookie A cookie sent to the CN in the Care-of Test Init message, to be returned in the Care-of Test message
30 RR Procedure Terminology (2) Keygen Token Number supplied by CN to enable MN to compute the necessary binding management key for authorizing a BU Care-of keygen token: Care-of Test message Home keygen token: Home Test message Cryptographic Functions SHA: Secure Hash Standard HMAC_SHA1: Keyed-Hashing for Message Authentication MAC: Message Authentication Codes
31 Return Routability Test: step 1 Correspondent Node Mobile Node Secret Key: Temporary Nonces: Cookies: Home Test Init: Home Test Init: src= dst= Home Test: Home Test: src= dst= home nonce index: 1 home nonce index: 1 = HMAC_SHA1 Kcn ( | | 0) [1:64] Home Agent
32 Return Routability Test: step 2 Correspondent Node Mobile Node Home Agent Secret Key: Temporary Nonces: Care-of Test Init: Care-of Test Init: src= dst= = HMAC_SHA1 Kcn ( | | 1) [1:64] Care-of Test: Care-of Test: src= dst= care-of nonce index: 1 Cookies: care-of nonce index: 1
33 Secure Binding Update to CN Correspondent Node Mobile Node Secret Key: Temporary Nonces: Cookies: care-of nonce index: 1 home nonce index: 1 Kbm = SHA1 ( | ) MAC = HMAC_SHA1 Kbm ( | |BU) [1:96] Binding Update src= dst= option: Home Address = = HMAC_SHA1 Kcn ( | | 0) [1:64] = HMAC_SHA1 Kcn ( | | 1) [1:64] Once the correspondent node has verified the MAC, it can create a Binding Cache entry for the mobile.
34 Mobile IPv4 vs. Mobile IPv6 Mobile IPv4Mobile IPv6 Mobile node, home agent, home link, foreign link (same) Mobile node’s home addressGlobally routable home address and link-local home address Foreign agentA “plain” IPv6 router on the foreign link (foreign agent no longer exists) Collocated care-of address Care-of address obtained via Agent Discovery, DHCP, or manually Care-of address obtained via Stateless Address Autoconfiguration, DHCP, or manually Agent DiscoveryRouter Discovery Authenticated registration with home agent Authenticated notification of home agent and other correspondent nodes Routing to mobile nodes via tunnelingRouting to mobile nodes via tunneling and source routing Route optimization via separate protocol specification Integrated support for route optimization
35 MIPv6 References RFC 3775: Mobility Support in IPv6 RFC 4443: ICMPv6 RFC 3776: Using IPsec for MIPv6 RFC 2408: The Internet Key Exchange