MobileNAT (Mobility across Heterogeneous Address Spaces) Presented by Kundan Singh (Columbia University) Joint work with Milind Buddhikot, Adiseshu Hari.

Presentation transcript:

1 MobileNAT (Mobility across Heterogeneous Address Spaces). Presented by Kundan Singh (Columbia University). Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller.
Agenda: Motivation; Architecture; Implementation; Comparison with current approaches; Summary (30 slides, 60 min).

2 Current Trends (13-Oct-03, MobileNAT/IRT group meeting)
- Explosive growth in connected devices
- Heterogeneity: access (802.11, 3G, Ethernet); provider and billing; address space (IPv4 vs IPv6, public vs private)
(Figure: 802.11 and 3G access into a private address space)

3 Project IOTA: http://www.bell-labs.com/~mbuddhikot/IOTAProject/IOTA.htm

4 The goal: preserve the session across moves that are (1) inter access-point, (2) inter sub-net, (3) inter-NAT, (4) to the 3G network, (5) to the public network.
(Figure: a private address space with 802.11 and Ethernet access points, routers and routers with NAT, a PDSN/3G NAT, a public address A, a routed IP network and the Internet with www.cnn.com as the CN)

5 Section divider. MobileNAT (Mobility across Heterogeneous Address Spaces). Agenda: Motivation; Architecture; Implementation; Comparison with current approaches; Summary.

6 Problem with IP address
- The IP address is overloaded: it serves as host identification and as routing information
- A change in IP address breaks the TCP/socket connection
Example (convention: Source IP, Destination IP, SP, DP). MN (mobile node) 135.180.32.4 and CN (corresponding node) 128.59.16.149 have a TCP association: CN to MN packets carry 128.59.16.149 135.180.32.4 80 1733, MN to CN packets carry 135.180.32.4 128.59.16.149 1733 80. After the MN moves to 135.180.54.7 its packets carry 135.180.54.7 128.59.16.149 1733 80, which no longer match the association.

7 Two addresses
- Two IP addresses per MN: virtual IP V (fixed host-id) and actual IP A (routable; changes)
- Client stack: Application / Socket / TCP/UDP / IP (address "V") / Shim layer (address "A") / Net IF; an anchor node (AN) sits on the path to the CN
Example: V=135.180.32.4, A=135.180.54.7 after the move, CN 128.59.16.149. The application keeps sending 135.180.32.4 128.59.16.149 1733 80 and receiving 128.59.16.149 135.180.32.4 80 1733; only the actual address seen on the wire changes.

8 Packet forwarding mechanisms: tunneling or translation
- Tunneling: outer header CN=>A or HA=>A, inner header CN=>V; header overhead
- Translation at the anchor node (AN): more processing overhead; not an issue if a NAT is already present (NAT is described later)
(Figure: CN 128.59.16.149 sends to V=135.180.32.4; the MN, after moving to A=135.180.54.7, receives the packet either encapsulated or with the destination rewritten by the AN)

9 Address allocation using DHCP
- Virtual and actual IP are allocated using DHCP
- New DHCP options: the MN sends its current virtual IP address (or 0.0.0.0 if none) in the request; the server sends the allocated actual and virtual IP addresses in the response
- The actual IP is allocated based on the relay agent IP
(Figure: one DHCP server serving subnets 10.0.1.x and 10.0.2.x through DHCP relay agents; hosts 10.0.1.5, 10.0.2.9 and 10.0.2.2 appear in the figure)

10 Overview of NA(P)T
- NAT with public addresses 135.180.32.1-7 in front of the private address space 10.0.0.0-10.255.255.255 (subnets 10.0.1.x, 10.0.2.x, 10.0.7.x); CN 128.59.16.149 on the Internet
- Packet processing rule (Source IP, Destination IP, SP, DP): out, 10.0.1.5 128.59.16.149 1756 80 becomes 135.180.32.4 128.59.16.149 7088 80; in, the inverse rule (In-1)
- Packet processing rules need to be changed in the event of mobility

11 Mobility manager and MIDCOM
- MIDCOM is used to control the NAT rules
- The mobility manager's IP is carried in the DHCP response
- On a change of lease, the DHCP server (reached through the relay) informs the mobility manager, which changes the NAT rules
(Figure: NAT, Internet, subnets 10.0.1.x and 10.0.2.x, host 10.0.1.5)

12 Example
- Address assignment
- Packet flow when MN is private and CN is public
- MN moves to a new subnet
- Packet flow after mobility to a new subnet
- Packet flow when MN and CN are in the same NAT domain
- Packet flow when MN is private and CN is public and MN moves to a new NAT domain

13 Address assignment
- DHCP request: my virtual IP = 0.0.0.0; my MAC address
- DHCP response: your virtual IP = 10.128.0.2; your actual IP = 10.0.1.5
(Figure: NAT, Internet, DHCP server with the integrated mobility manager)

14 Packet flow
- The NAT picks an external IP and port: 10.0.1.5:1756 (virtual 10.128.0.2:1756) is mapped to 135.180.32.4:7088
Outbound (Source IP, Destination IP, SP, DP): (1) application/socket 10.128.0.2 128.59.16.149 1756 80; (2) after the shim 10.0.1.5 128.59.16.149 1756 80; (3) after the NAT 135.180.32.4 128.59.16.149 7088 80.
Inbound: 128.59.16.149 135.180.32.4 80 7088 at the NAT becomes 128.59.16.149 10.0.1.5 80 1756, and after the shim 128.59.16.149 10.128.0.2 80 1756.

15 Inter-subnet mobility
- The MN moves from subnet 10.0.1.x to 10.0.2.x
- DHCP request: my virtual IP = 10.128.0.2; my MAC address
- DHCP response: your virtual IP = 10.128.0.2; your actual IP = 10.0.2.7
- The mobility manager changes the NAT rule S:10.0.1.5:1756 D:128.59.16.149:80 <-> S:135.180.32.4:7088 D:same so that the internal source becomes 10.0.2.7

16 Packet flow after the node moves
- Neither the MN application nor the CN knows about the change in actual IP
Outbound (Source IP, Destination IP, SP, DP): (1) application/socket 10.128.0.2 128.59.16.149 1756 80; (2) after the shim 10.0.2.7 128.59.16.149 1756 80; (3) after the NAT 135.180.32.4 128.59.16.149 7088 80.
Inbound: 128.59.16.149 135.180.32.4 80 7088 at the NAT becomes 128.59.16.149 10.0.2.7 80 1756, and after the shim 128.59.16.149 10.128.0.2 80 1756.
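The translation chain of slides 14 to 16, as an added example that is not part of the original presentation: a small Python simulation of the client shim and of a NAT whose rule the mobility manager rewrites on a lease change, using the addresses and ports from the slides (the class and function names are this example's own).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:  # slides' convention: Source IP, Destination IP, SP, DP
    src: str
    dst: str
    sport: int
    dport: int


class Shim:
    """Client shim layer: the application only ever sees the virtual IP V;
    the shim rewrites V <-> A (actual, routable IP) on every packet."""
    def __init__(self, virtual_ip, actual_ip):
        self.v, self.a = virtual_ip, actual_ip

    def move(self, new_actual_ip):
        self.a = new_actual_ip  # new DHCP lease: A changes, V stays fixed

    def outbound(self, p):
        return replace(p, src=self.a) if p.src == self.v else p

    def inbound(self, p):
        return replace(p, dst=self.v) if p.dst == self.a else p


class MobileNat:
    """NA(P)T whose rules are keyed by the MN's current actual address."""
    def __init__(self, public_ip, first_port=7088):
        self.public_ip, self.next_port = public_ip, first_port
        self.rules = {}  # (actual_ip, sport) -> (public_ip, public_port)

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.rules:  # first packet of a flow: pick external port
            self.rules[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        pub, pport = self.rules[key]
        return replace(p, src=pub, sport=pport)

    def inbound(self, p):
        for (a, sport), ext in self.rules.items():
            if (p.dst, p.dport) == ext:
                return replace(p, dst=a, dport=sport)
        raise LookupError("no NAT rule for inbound packet")

    def mm_update(self, old_a, new_a):
        """Mobility manager on change of lease (MIDCOM-style control):
        keep the external side of each rule, swap the internal actual IP."""
        self.rules = {(new_a if a == old_a else a, sp): ext
                      for (a, sp), ext in self.rules.items()}


def run_scenario():
    """MN V=10.128.0.2 on A=10.0.1.5 talks to CN 128.59.16.149:80 through
    NAT 135.180.32.4, then moves to subnet 10.0.2.x and gets A=10.0.2.7."""
    cn = "128.59.16.149"
    shim, nat = Shim("10.128.0.2", "10.0.1.5"), MobileNat("135.180.32.4")
    app_out = Packet("10.128.0.2", cn, 1756, 80)       # what the socket sends
    wire_before = nat.outbound(shim.outbound(app_out))  # what the CN sees
    reply = Packet(cn, wire_before.src, 80, wire_before.sport)
    app_in_before = shim.inbound(nat.inbound(reply))    # what the socket gets
    shim.move("10.0.2.7")                               # inter-subnet move
    nat.mm_update("10.0.1.5", "10.0.2.7")               # MM rewrites the rule
    wire_after = nat.outbound(shim.outbound(app_out))
    app_in_after = shim.inbound(nat.inbound(reply))     # same CN reply still lands
    return wire_before, wire_after, app_in_before, app_in_after
```

Neither end of the connection sees the move: the CN keeps talking to 135.180.32.4:7088 and the socket keeps seeing 10.128.0.2:1756, while only the inside half of the NAT rule changes.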

17 Intra-domain sessions
- Optimization: a new signaling message between two MobileNAT clients lets them route packets directly
(Figure: MN with V=10.128.0.2, A=10.0.1.5 and a CN with A=10.0.4.9 in the same NAT domain; after the MN moves it has V=10.128.0.2, A=10.0.2.7)

18 Inter-domain mobility
- The mobility manager of the visited NAT fetches the existing connection mapping from the mobility manager of the home NAT
- If the MN moves to a public address space, the shim layer acts as the visited NAT
- Dynamic home agent: the visited NAT is used as the home NAT for new sessions
- Tunneling between the visited and the home NAT
(Figure: home NAT, visited NAT, CN on the Internet, MN moving between the two domains)

19 Section divider. MobileNAT (Mobility across Heterogeneous Address Spaces). Agenda: Motivation; Architecture; Implementation; Comparison with current approaches; Summary.

20 Implementation: client (Win XP/2000)
- Shim-layer driver to capture DHCP packets and translate IP addresses
- MobileNAT client application acting as DHCP client and server
- Handles ARP for nodes in other sub-nets
Stack: Application / Socket / TCP/UDP / IP (address "V") / Shim layer (address "A") / Net IF, with the MobileNAT client between them as DHCP server and client. Example addresses: virtual 10.128.0.2 / 255.0.0.0, actual 10.0.1.5 / 255.255.255.0.
Unified mobility client (on-going work): MobileNAT client, MobileIP client, network and interface selector, DHCP server and client.

21 Client architecture
- User level: graphical user interface and monitoring, MIP state machine, MobileNAT client, network detection, network selection, interface abstraction layer/API, VPN/IPSec control
- OS kernel level: TCP/IP protocol stack, virtual MobileIP adaptor, VPN/IPSec client driver, multi-interface mobility client driver, Ethernet interface, 802.11 interface, PPP interface (OS PPP support), IS-835 shim, serial driver with AT command set for CDMA2000 Sierra 3G 1xRTT
- Legend: new code developed specifically for 3G-802.11 integration; VPN/IPSec integration (e.g. Lucent IPSec Client); interaction with existing Windows OS modules

22 User interface
- Approximately 45,000 lines of code, 13,000 of which are Windows NDIS kernel networking code

23 Implementation: DHCP server and NAT (Linux)
- DHCP server allocates virtual and actual IP from a virtual IP range and an actual IP range
- The actual IP is based on the subnet of the DHCP relay agent
- The MM is integrated into the DHCP server
- NAT using the netfilter, iptables, ip_conntrack and ip_nat modules: destination NAT in PRE-ROUTING, source NAT in POST-ROUTING, NAT connection tracking in between

24 Section divider. MobileNAT (Mobility across Heterogeneous Address Spaces). Agenda: Motivation; Architecture; Implementation; Comparison with current approaches; Summary.

25 Similarities/differences with current proposals
- Translation mode vs. tunneling: packet size vs processing overhead; two addresses per MN, which is affordable since they are private addresses; no external FA needed
- Signaling: DHCP (new options) and a per-domain Mobility Manager (MM)
- Routing path: no change in routers or CN, but changes in MN, NAT and DHCP server; dynamic home agent (i.e., the NAT)

26 Comparison to existing schemes. Schemes considered in the following chart:
- Mobile IP extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)
- Micro-mobility schemes: Cellular IP, Hawaii, Intra-Domain Mobility Protocol (IDMP), Hierarchical Mobile IP (HMIP)
- IPv6
- Application level mobility mechanism: SIP
- Virtual NAT: similar address translation in the client stack; targeted at connection migration where both end-points implement vNAT

27 Comparison chart (columns: MIP | CIP | Hawaii | HMIP (RR) | IDMP/TeleMIP | MIP-LR | MIP-RO | SIP | IPv6 | Mobile NAT | Virtual NAT)
MIP messaging       | Y | N    | Y | Y | Y | - | - | N | Y | N       | N
Inter-tunnel        | Y | Y    | Y | Y | Y | N | Y | N | O | O       | N
Intra-tunnel        | - | N    | N | Y | Y | - | - | - | O | O       | N
Paging              | O | Y    | Y | Y | Y | - | - | N | Y | UD      | N
Signaling           | Y | Data | Y | Y | Y | Y | Y | Y | Y | DHCP/MM | Y
CN modify?          | N | N    | N | N | N | Y | Y | - | N | N       | Y
MN modify?          | Y | Y    | Y | Y | Y | Y | Y | - | Y | Y       | Y
Non-mobile IP nodes | Y | N    | Y | Y | Y | - | - | - | Y | Y       | IN
Triangular route    | Y | Y    | Y | Y | Y | N | N | N | N | N/Y     | N
Rows whose cells could not be realigned to columns in extraction (cells listed in order as extracted): Host ID: HA, CoA, LCoA, -, -, SIP, HA, CoA, virtual. Router modify?: FA, Y, Y, -, -, -, O, N, N. NAT support: Y1, Y1, Y, Y, Y, Y, IN, Y, Y.
Legend: Y: yes; N: no; -: N/A; O: optional; IN: independent; UD: under development; 1: we assume Mobile IP with UDP tunneling for NAT.

28 Mobile NAT advantages
- Problems in existing approaches: huge infrastructure change (CIP, IPv6, routers, even deploying FA); not much discussion on optimizing intra-domain sessions; tunneling overhead required, inter, intra or both; triangular routing; modification in CN
- MobileNAT approach: addresses the rapid growth in end-devices, which most likely will have private addresses due to slow deployment of IPv6; assumes the presence of NA(P)T in a domain
- Roaming and services across heterogeneous address spaces
- Reduces the problem space to only the private address space; choice between tunneling and address translation
- Addresses bandwidth limitations of wireless links
- Uses existing protocols (DHCP, ICMP) for signaling
- Discourages changing the routing infrastructure
- Can co-exist with MobileIP

29 On-going work
- Scalability: subdivide domains into smaller NAT-ed domains; multiple NATs per domain
- Security: DHCP authentication and access-point authentication/encryption; works with IPsec (AH mode and UDP tunnel) and SSL
- Paging: re-use of existing IP-multicast based paging
- Possible deployment issues: changing every MN driver (similar to Mobile IP); mobility to the 3G network; location information distribution; allow incremental deployment
- Other issues: does not solve NAT problems where the application layer message carries an IP address (FTP, SIP, RTSP); fast hand-off for micro-mobility; intra-domain sessions on inter-domain mobility; combined MobileIP and MobileNAT client

30 Summary
- Main ideas: virtual IP for host identification, actual IP for routing; address translation in the client as well as in the NAT; existing protocols like DHCP for signaling; mobility manager to handle nodes in a domain; NAT acts as a dynamic home agent; inter-NAT packet flow for inter-domain mobility
- No change in routers and no need for an FA; changes in MN, NAT and DHCP server
- Demonstrated a simple inter-subnet mobility

31 Backup slides: survey of existing mobility approaches for private/public addresses

32 Mobile IP for macro mobility
- Triangular routing: addressed by route optimization
- Slow handoff: addressed by hierarchical mobility, either tunneling (HMIP) or mobile-specific routing (CIP, Hawaii)
- Signaling overhead: addressed by paging (CIP, Hawaii, HMIP)
- Firewall, etc.: addressed by reverse tunneling
(Figure: MN, FA, HA and CN on the Internet; (1) CN=>HA, (2) HA=>FA tunnel carrying CN=>HA, (3) CN=>HA, (4) HA=>CN)

33 Mobile IP with NAT
- UDP port mapping created during registration
- HA finds that the FA is behind a NAT
- HA uses an IP-in-UDP tunnel
(Figure: (1) register, establishing the port mapping; (2) CN=>HA; (3) HA=>NAT (UDP) carrying CN=>HA (IP); (4) NAT=>FA (UDP) carrying CN=>HA (IP); outbound traffic)

34 Micro mobility: Cellular IP
- CoA is that of the gateway (FA); no change in CoA within the domain
- Gateway converts Cellular IP to IP
- Network elements snoop on data packets from the MN to the GW and set the reverse route from GW to MN
- Paging to discover an idle MN
- NAT can be at the gateway
(Figure: CN, HA, gateway and MN; intra-domain Cellular IP (non-IP) cloud; Id = HA)

35 Micro mobility: Hawaii
- CoA is that of the root router (FA)
- Host-specific route in IP
- Path setup tradeoff: explicit signal from MN to update the route vs packet loss, reorder and handoff latency
- Paging (IP multicast) to discover an idle MN if there is no routing information
- NAT can be at the root router
(Figure: CN, HA, root router and MN in an IP cloud; HA=>CoA tunnel carrying CN=>HA; Id = CoA)

36 Micro mobility: Hierarchical Mobile IP
- Two levels
- Works with non-mobile (but) IP traffic in the domain
- Paging
- Two IP addresses (GFA and FA) per MN
- NAT can be at the GFA
- High-level network of FAs (preferably a tree) above IP; registration updates at the optimal point in the tree
(Figure: CN, HA, GFA, FA and MN; HA=>GFA carrying CN=>HA, then GFA=>FA carrying CN=>HA)

37 Micro mobility: IDMP/TeleMIP
- MA acts as gateway to the Internet
- Subnet agent (e.g., DHCP or FA) sends domain info
- MN registers GCoA=MA at the HA and LCoA=FA at the MA; two-level addressing
- Similar to HMIP except multiple MAs are allowed for load balancing
- MA does NAT
(Figure: CN, HA, MA, FA and MN; HA=>MA (GCoA) carrying CN=>HA, then MA=>FA (LCoA) carrying CN=>HA)

38 MIP Location Registers
- Avoids encapsulation
- Modifies the CN
- New VLR deregisters the old VLR
- If the VLR runs out of addresses it informs the HLR, which informs the CN to use a tunnel from CN to VLR
- If the MN moves before the TTL expires: (1) inform VLR and HLR, which informs the CN; (2) inform the CN directly; (3) old VLR relays to the new one
(Figure: CN, HLR, VLR and MN; the CN gets and caches the CoA of the MN for a given TTL)

39 SIP application level mobility
- Only for VoIP/multimedia calls
- No change in existing infrastructure
- NAT traversal (next slide)
(Figure: CN, home SIP server and MN; initial INVITE through the home SIP server, then after moving the MN sends a re-REGISTER to the server and a re-INVITE to the CN)

40 Middle box communication (midcom)
- An application-specific proxy server controls the NAT/firewall port binding (hole)
- Separates the NAT and ALG functionality
- Proxy snoops on or modifies signaling
- Signaling traffic allowed on a fixed port; media on a dynamic port
- Works with SIP
- No incentive to install
(Figure: CN and server on the Internet, NAT, host; signaling via the server, media direct, midcom between server and NAT)

41 Simple Traversal of UDP through NAT (STUN)
- Host sends a packet to the STUN server
- NAT converts the internal IP to the external IP
- Server responds with the source IP of the packet (i.e., the external one)
- Host learns that its external IP is not the same as its internal IP
- It uses the external IP/port when advertising in SDP
- Does not work for a symmetric NAT, where the external IP/port for the same host differs for connections to different external hosts
(Figure: host behind NAT, STUN server and CN on the Internet, steps (1) to (6))

42 Realm Specific IP (RSIP)
- Get an external address from the NAT for this private host
- Tunnel packets between the NAT and the private host
- Works for various combinations of multiple RSIP gateways, NAT, NAT with RSIP, and RSIP hosts
- Needs an RSIP-aware host
(Figure: CN <-> NAT, NAT <-> host)

43 Mobility in IPv6
- Address auto-configuration: always obtain a CoA in the FN (net part + local part); no FA needed
- Route optimization: IPv6 destination option to CN and HA; the CN caches the CoA of the MN and sends directly
- Hierarchical MIPv6: global address = mobile server's network, allowing change in MS; local address known to the mobile server
(Figure: (1) first IPv6 packet CN=>HA; (2) tunneled HA=>CoA carrying CN=>HA; (3) IPv6 destination option; (4) subsequent packets direct)

44 Mobile NAT: motivation
- Problems in existing approaches: not much discussion on optimizing intra-domain sessions; tunneling overhead required, inter, intra or both; triangular routing or modification in CN; huge infrastructure change (CIP, IPv6, even deploying FA)...
- What MobileNAT does: reduces the problem space to only the private-address MN; assumes the presence of NA(P)T in a domain; choice between tunneling and address translation; uses existing protocols (DHCP, ICMP) for signaling mobility; discourages changing the routing infrastructure; can co-exist with MobileIP, Hawaii and IPv6 (?); provides roaming and services across heterogeneous address spaces demarcated by address translation devices

45 Mobile NAT: intra-domain
- No explicit HA or FA: the HA is in the NAT (MN is private), the FA is in the MN (driver, kernel)
- Virtual vs routable address: virtual is the fixed private address "a" exposed to the application on the MN; routable is the dynamic private address "a" or "b" obtained using DHCP
- Transport sessions: CN <-> A (external), CN <-> a (internal)
- Address translation: NAT (A <-> a <-> b), MN (b <-> a)
- Tunneling: NAT <-> MN
(Figure: CN on the Internet, NAT with external address A=a, MN in the private IP cloud moving from a/a to a/b; Id = private a)

46 Mobile NAT: inter-domain
- Inter-NAT tunnel or relay
- MN moves a/a => a/c; NAT1 and NAT2 are informed
- Translation: NAT1 A <-> a <-> B; NAT2 B <-> a <-> c; MN c <-> a
- Issues: multiple "a" in NAT2, but a unique map B <-> a; does IP security work (?)
- Like Mobile IP with FA=NAT2, HA=NAT1; at most two levels of NATs
(Figure: CN on the Internet, NAT1 with A=a, NAT2 with B=a, MN moving from a/a behind NAT1 to a/c behind NAT2)

47 Mobile NAT: intra-domain sessions
- MN1 <-> MN2 active session: MN2 sends to the NAT with destination "a"; the NAT responds with a router redirect to "b" (?); MN2 now sends to MN1 directly
- MN1 moves a/b => a/c: MN1 gets "c"; the DHCP server (or MN1) informs the NAT; MN2 gets ICMP host unreachable, starts sending to the NAT, and the NAT responds with a router redirect to "c"
- MN1 moves out of the domain: path MN1 <-> visited NAT <-> home NAT <-> MN2
(Figure: CN, NAT with A=a, MN1 moving from a/b to a/c, MN2 at d/e, active session)
Note (?): an ICMP redirect message is expected from a router in the same sub-net to which the packet is being sent. It is vulnerable to attacks (confirm?). Cisco routers don't forward ICMP redirects from another network. We may use proprietary IP options if allowed.

48 TODO
- Can MobileNAT co-exist with MIP, Hawaii and non-mobile but IP clients? If an MIP MN discovers no FA, it switches to MobileNAT. If a MobileNAT MN discovers an FA, it enables both MIP and MobileNAT. What if a MobileNAT MN goes out of the domain and gets a public address? What if a public MN moves within the domain and gets a private address?
- For an intra-domain session between an MN and a fixed IP host, route optimization does not work
- Does route optimization work if both MNs move at the same time?
- Does MobileNAT work with multicast?
- Write a simulation program for MobileNAT, MobileIP and Hawaii networks

49 TODO
- Can part of it be implemented using existing protocols like Mobile IPv6 (destination option for route optimization), IDMP (for public/private addresses), RSIP? Intra-domain route optimization is similar to the IPv6 destination option; can we use IPv6 within the domain? That would need changing all routers (?), assuming an IPv6 domain with the NAT as an IPv4 <-> IPv6 converter.
- What changes do we need in NAT/IOTA so that it works with Mobile IP?
- For IPv6, do we need a private address domain? How do we minimize changes in an IPv6 MN?
- IDMP supports multiple MAs. Can we install multiple NAT/IOTA for load balancing?
- Does tunnel-mode MobileNAT reduce to IDMP when the HA is outside the NAT and the FA is in the MN? (yes) Why can't MobileNAT be proposed as an extension to IDMP? IDMP does not describe intra-domain session optimization.

50 TODO
- Windows related issues: check if TCP connections are dropped when ipconfig /release is done; check what happens when CONNECTED status is indicated in an already connected state; check if TCP connections are dropped even if DISCONNECTED status is not propagated to the higher layer
- Possible deployment hindrances: changing every MN driver (similar to Mobile IP); should allow incremental deployment; processing overhead on NAT/IOTA; what happens to domain/sub-net specific options that are not indicated to the higher layer when the domain/sub-net changes? Need to write a controlling application as well that does DhcpIpRenewAddress when the driver finds a different options field.

51 TODO
- Basic design issues: does DHCP security/authentication work? Can we use ICMP router redirect from the NAT to a private host? Can IP security work in all scenarios? Fast handoff applicability.
- Since we are modifying the MN driver anyway, can it be made more extensible or more auto-configurable? E.g., if IOTA/NAT is moved to the sub-net routers, can modification in the MN be avoided? What if there are multiple hierarchical IOTA/NAT in a domain?

