
Slide 1: Mobile IPv4 & Mobile IPv6 (Mohamed M Khalil)

Slide 2: Mobile IP - Why?
A mobile workforce carries its laptops and wants to communicate with different hosts on the IP-based network. (Diagram: an IP-based network with Sub-network A and Sub-network B.)

Slide 3: Mobile IP - The Problem
When a Mobile Node (MN) moves across subnetworks, it changes its point of attachment. (Diagram: a home subnetwork and a foreign subnetwork on the IP-based network, plus a correspondent host.)

Slide 4: Mobile IP - Mobility Model
The routing solution should maintain all existing communications between the MN and other hosts while the MN is changing its point of attachment. (Diagram: Source Node, Destination Node, LD = Location Directory, F = Address Translation Agent (ATA), F^-1 = Forwarding Agent.)

Slide 5: Mobile IPv4 - Design Requirements
- No modification to IP-based routing.
- Compatibility with IP-based addressing.
- Application transparency.
- No modification to the host operating system.
- Network-wide mobility.
- Scalability.
- Compatibility with existing IP-based network computers and applications.

Slide 6: Mobile IPv4 - IETF Architecture
Mobile IP entities and relationships: Home Network (Home Link), Foreign Network (Foreign Link), Mobile Node (shown both at the home link and at a foreign link), Home Agent, Foreign Agent, and a correspondent Host on the IP-based network.
The Home Agent provides the functionality of the LD and the ATA. The Foreign Agent provides the functionality of the Forwarding Agent.

Slide 7: Mobile IPv4 - Agent Advertisements
Mobile Agents advertise their presence. From the advertisement the MN determines whether it is on its home link or on a foreign link, and acquires a care-of address and a default router. (Diagram: Mobile Agent, Host, Mobile Node, Agent Advertisement.)

Slide 8: Mobile IPv4 - Registration
1- The MN sends a request for service.
2- The FA relays the request to the HA.
3- The HA accepts or denies.
4- The FA relays the status to the MN.
(Diagram: Foreign Link, Home Link, Home Agent, Foreign Agent, Host, Router, Gratuitous ARP.)

Slide 9: Mobile IPv4 - Data Transfer
Host data packets are tunneled by the HA to the MN. The MN sends information directly to the host.

Slide 10: Mobile IPv4 - Broadcast Packets from the MN
Broadcast packets from the MN MUST be tunneled to the HA.

Slide 11: Mobile IPv4 - IP-in-IP Tunneling
Original IP packet: Header (IPsrc = Original Sender, IPdst = Ultimate Destination) + Payload.
Encapsulating IP packet: Outer Header (IPsrc = Tunnel Entry-Point (Home Agent), IPdst = Tunnel Exit-Point (care-of address)) + original Header + Payload.
This is a tunnel from a home agent to a foreign agent. (Diagram: Home Agent, Foreign Agent, Mobile Node.)
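The encapsulation shown above, as an added example (not code from the slides): the Home Agent prepends an outer header with protocol 4 addressed to the care-of address, and the tunnel exit point validates the outer header (checksum, protocol, exit address) before stripping it. All addresses are constructed sample values.

```python
import struct

IPPROTO_IPIP = 4  # protocol number for IP-in-IP encapsulation (RFC 2003)

def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def checksum(data):
    """One's-complement sum over 16-bit words (RFC 791 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(inner_packet, home_agent, care_of_addr):
    """Tunnel entry point (Home Agent): prepend an outer header addressed to the
    care-of address; the original header and payload become the outer payload."""
    outer = ipv4_header(home_agent, care_of_addr, IPPROTO_IPIP, len(inner_packet))
    return outer + inner_packet

def decapsulate(outer_packet, expected_exit):
    """Tunnel exit point (FA or co-located MN): check the outer header before
    stripping it; anything failing these checks is dropped, not forwarded."""
    ihl = (outer_packet[0] & 0x0F) * 4
    outer = outer_packet[:ihl]
    # A valid header sums to zero when the checksum field is included.
    if len(outer) < 20 or checksum(outer) != 0:
        raise ValueError("bad outer IP header or checksum")
    proto, dst = outer[9], outer[16:20]
    if proto != IPPROTO_IPIP or dst != ip4(expected_exit):
        raise ValueError("not an IP-in-IP packet addressed to this exit point")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return outer_packet[ihl:total_len]
```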

Slide 12: Mobile IPv4 - Broadcast Packets to the MN
The HA MUST tunnel broadcast packets destined for the MN.

Slide 13: Mobile IPv4 - Nested Tunneling
The MN should set the B bit to 1 to request that the HA provide it (via a tunnel) a copy of the broadcast packets that occur on the home link. (Diagram: a broadcast datagram carried in a tunnel from the Home Agent to the Mobile Node's IP address, which is itself tunneled from the Home Agent to the care-of address.)

Slide 14: Mobile IPv4 - Registration Message Format
IP header | UDP header | Mobile IP message header | Extensions
After the IP and UDP headers comes the registration message header, followed by any necessary extensions, always including an authentication extension.

Slide 15: Mobile IPv4 - Registration Request
IP Header (RFC 791): Version, IHL, Type of Service, Total Length | Identification, Flags, Fragment Offset | Time to Live = 1, Protocol = UDP, Header Checksum | Source Address | Destination Address
UDP Header (RFC 768): Source Port, Destination Port = 434 | Length, Checksum
Fixed-length portion of Registration Request (RFC 2002): Type = 1, flags S B D M G V res, Lifetime | Mobile Node's Home Address | Home Agent Address | Care-of Address | Optional Extensions
Mobile-Home Authentication Extension (RFC 2002, mandatory): Type = 32, Length, Security Parameter Index (SPI) | Authentication (default: keyed MD5)
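How the mandatory Mobile-Home Authentication Extension protects the request above, as an added example (not code from the slides): the MN appends the extension with the RFC 2002 default keyed-MD5 authenticator, and the Home Agent recomputes it, so any change to the fixed portion (for instance the Lifetime or the care-of address) or a wrong shared secret is rejected. The SPI, shared secret and addresses are constructed samples; the layout assumes the authentication extension is the first extension.

```python
import hashlib
import hmac
import struct

REG_REQUEST_TYPE = 1
MH_AUTH_EXT_TYPE = 32     # Mobile-Home Authentication Extension
FLAG_B = 0x40             # B bit (request broadcast copies); flag order is S B D M G V res
SPI = 0x00000100          # constructed sample SPI
SHARED_SECRET = b"constructed-mn-ha-shared-secret"
FIXED_LEN = 24            # type, flags, lifetime, three addresses, 8-byte identification

def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_request(flags, lifetime, home_addr, ha_addr, coa, identification):
    """Fixed-length portion of the Registration Request (UDP payload to port 434)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, flags, lifetime,
                       ip4(home_addr), ip4(ha_addr), ip4(coa), identification)

def keyed_md5(secret, data):
    """RFC 2002 default authenticator: MD5 in 'prefix+suffix' mode."""
    return hashlib.md5(secret + data + secret).digest()

def add_mh_auth_ext(payload, secret, spi):
    """Append the Mobile-Home Authentication Extension. The digest covers the UDP
    payload, all prior extensions, and this extension's Type, Length and SPI."""
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + 16, spi)  # Length = 4 + authenticator size
    return payload + ext_hdr + keyed_md5(secret, payload + ext_hdr)

def verify_request(message, secret, spi):
    """Home Agent side: recompute the authenticator and compare it in constant time."""
    ext_off = FIXED_LEN
    if len(message) < ext_off + 6 + 16 or message[0] != REG_REQUEST_TYPE:
        return False
    etype, elen, espi = struct.unpack("!BBI", message[ext_off:ext_off + 6])
    if etype != MH_AUTH_EXT_TYPE or elen != 20 or espi != spi:
        return False
    expected = keyed_md5(secret, message[:ext_off + 6])
    return hmac.compare_digest(expected, message[ext_off + 6:ext_off + 22])
```

RFC 3344 later replaced this default algorithm with HMAC-MD5; the extension layout is unchanged.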

Slide 16: Mobile IPv4 - Registration Reply
Fixed-length portion of Registration Reply (RFC 2002): Type = 3, Code, Lifetime | Mobile Node's Home Address | Home Agent Address | Identification

Slide 17: Mobile IPv4 - Route Optimization
Messages:
1- Binding Update
2- Binding Acknowledgment
3- Binding Warning

Slide 18: Mobile IPv4 - Route Optimization
1- The FA relays a request to the HA.
2- Send a Binding Update (BU) to the OFA and a Registration Reply (RR) to the HA.
3- Send a Binding Update as a result of receiving a Binding Warning extension.
4- Binding Acknowledgment back.
5- Registration Reply back.
(Diagram: Foreign Link, Home Link, Home Agent, NFA (new FA), OFA (old FA), Host.)

Slide 19: Mobile IPv4 - Route Optimization (continued)
1- Data is sent from the Host toward the NFA through the HA.
2- The HA tunnels the data to the MN.
3- A Binding Update is sent from the HA to the Host.
4- Data is tunneled from the Host to the NFA.

Slide 20: Mobile IPv4 - Route Optimization (continued)
1- Data is tunneled to the old FA.
2- A Warning Update message is sent to the HA.
3- The HA sends a Binding Update to the Host.
4- Data is tunneled to the new FA.

Slide 21: Mobile IPv6 - IETF Architecture
Mobile IP entities and relationships: Home Network (Home Link), Foreign Network (Foreign Link), Mobile Node (at the home link or at a foreign link), Home Agent, Foreign Agent, Host.
The Home Agent provides the functionality of the LD and the ATA. A correspondent node may forward packets directly to the MN using source-based routing.

Slide 22: Mobile IPv6 - Registration
1- MN: DHCPv6 Request for a co-located IP address.
2- HM: DHCPv6 Reply.
3- The MN sends a Binding Update message.
4- The MN receives a Binding Acknowledgement.
(Diagram: Foreign Link, Home Link, Home Agent, Foreign Agent, Host, Router, Gratuitous Neighbor Advertisement.)

Slide 23: Mobile IPv6 - Data Transfer
1- Host data packets are tunneled by the HA to the MN.
2- The MN sends a Binding Update.
3- Data is sent directly to the MN using source header routing.

Slide 24: Mobile IPv6 - Update MN Location
1- When the Binding Cache entry expires, send a Binding Request to the MN.
2- Continue sending data directly to the MN using source header routing.

Slide 25: IP Security

Slide 26: Loss of Privacy
A perpetrator may observe confidential data, such as a password, as it traverses the Internet. The perpetrator may then use this data to log in to the system and pretend to be the real person. (Diagram: "telnet foo.bar.org / username: dan / password:" with the password m-y-p-a-s-s-w-o-r-d visible on the wire.)

Slide 27: Loss of Data Integrity
You may not care if someone sees your business transaction, but you do care if somebody modifies it. (Diagram: "Deposit $1000" altered in transit to "Deposit $100".)

Slide 28: Man-in-the-Middle Attack
The bad guy replays the same business transaction message. (Diagram: "Withdraw $1000" captured by the bad guy and sent again as "Withdraw $1000".)

Slide 29: Denial of Service
The bad guy floods the system with messages, or with viruses, that crash the system.

Slide 30: Where Should We Implement Security?
Security may be implemented in:
1- The Application Layer (Secure Sockets Layer).
2- The Network Layer (IPsec).
3- The Data Link Layer (link-layer encryption).

Slide 31: IPsec - Security Protocol
IPsec implements an end-to-end security solution at the network layer. Thus end systems and applications do not need to change to gain the advantage of strong security.

Slide 32: IPsec - Session Establishment
1- IPsec provides the data-level processing. It assumes that the SA is already established between the two nodes; it has no mechanism of its own to establish a security association.
2- The negotiation and establishment of security associations is done by the Internet Key Exchange (IKE) protocol, built around the framework of ISAKMP (Internet Security Association and Key Management Protocol).

Slide 33: IPsec - Connection
Each IPsec connection can provide the following:
1- Encryption.
2- Integrity and authenticity.
3- Or both.

Slide 34: IPsec - Security Association
IPsec uses Security Associations to establish secure connections between nodes. A Security Association defines:
1- The algorithms to use for encryption/decryption.
2- The algorithms to use for integrity checking and authentication.
3- The shared session keys.
Each security association is identified by an SPI.

Slide 35: IPsec - Authentication Header
The Authentication Header provides data integrity and authentication of the IP packet.
Fields: Next Header, Payload Length, Reserved (RSV) | SPI | Sequence Number | Authentication Data

Slide 36: IPsec - Encapsulating Security Payload
The Encapsulating Security Payload provides confidentiality. As an optional feature it provides the same authentication services as AH.
Fields as shown: Next Header, Payload Length, RSV | Sequence Number | Payload Data (variable) | Next Header | Authentication Data (variable)

Slide 37: IPsec - Operation Modes
Transport Mode: only the IP payload is encrypted, and the original IP headers are left intact. This mode allows an attacker to perform traffic analysis, but it enables special processing such as QoS based on the information in the IP header.
Tunnel Mode: the entire original IP datagram is encrypted and becomes the payload of a new IP packet. This mode allows routers to act as IPsec proxies. The major advantage is that the end system does not need to be modified to enjoy IP security. It also protects against traffic analysis.

Slide 38: IPsec - Transport Mode
In transport mode only the data is encrypted.
IP HDR | DATA  ->  IP HDR | IPSEC HDR | DATA

Slide 39: IPsec - Tunnel Mode
In tunnel mode the entire packet is encrypted, including the header.
IP HDR | DATA  ->  New IP HDR | IPSEC HDR | (HDR + DATA)

Slide 40: IKE - Phase I and II
Two phases in IKE are necessary to establish an SA:
1- Phase I: establish a secure channel over which to negotiate SAs.
2- Phase II: the SA is negotiated between the two nodes using the previously established secure channel.

Slide 41: IKE - SA Establishment Using IKE
Two phases in IKE are necessary to establish an SA:
1- Phase 1: establish a secure channel over which to negotiate SAs.
2- Phase 2: the SA is negotiated between the two nodes using the previously established secure channel.

Slide 42: IKE - Authentication Methods for Phase I
Three types of authentication methods are used to authenticate Phase I:
1- Pre-shared secret key.
2- Public key cryptography.
3- Digital signature.

Slide 43: IKE - Phase II
Once the secure channel is established between two nodes as a result of Phase I, one node (the initiator) proposes a set of authentication and encryption algorithms, and the other node (the responder) accepts one offer or rejects them all.

Slide 44: IKE - Example
(Diagram: IPsec Alice and IPsec Bob, with ISAKMP Alice and ISAKMP Bob connected by an ISAKMP tunnel.)
1- Alice's ISAKMP begins negotiation with Bob.
2- An outbound packet from Alice to Bob finds no IPsec SA.
3- Negotiation completes; Alice and Bob now have complete IPsec SAs in place.
4- Packets from Alice to Bob are protected by IPsec.

Slide 45: Mobile IPv4 Security
Mobile IP entities and relationships: Home Network (Home Link), Foreign Network (Foreign Link), Mobile Node (at the home link or at a foreign link), Home Agent (HA), Foreign Agent (FA), Host.
Security associations:
1- MN-HA (mandatory)
2- MN-FA (optional)
3- FA-HA (optional)

Slide 46: Mobile IPv6 Security
An IPsec tunnel between the MN and the HA is used to secure and authenticate the control messages between the MN and the HA. (Diagram: Foreign Link, Home Link, Home Agent, Foreign Agent, IPsec Tunnel.)

Slide 47: BACKUP

Slide 48: Mobile IP - Introduction
- General increase in the usage of laptop/notebook computers.
- More access to intranets.
- Acceptance of telecommuting.
- Increase in the mobility-based workforce (sales, delivery, etc.).
There is a need for mobile computers to communicate with other computers, fixed or mobile.

Slide 49: Mobile IP - Design Requirements
- Communicate with other nodes while changing its link-layer point of attachment.
- Use its home (permanent) IP address to communicate with other computers.
- Communicate with non-Mobile-IP-based computers.
- Provide as much security as fixed computers have.
- Provide end-to-end mobility as well as basic quality of service.

