1 / 49

Mobile IPv4 & Mobile IPv6

Mobile IPv4 & Mobile IPv6. Mobile IP- Why ?. Mobile IPv4- Why ?. IP based Network. Sub-network A. Sub-network B. Mobile workforce carry their laptops and wants to communicate with different hosts on the IP based network. Mobile IP- The Problem. Foreign Subnetwork. Home Subnetwork.

africa
Télécharger la présentation

Mobile IPv4 & Mobile IPv6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mobile IPv4 & Mobile IPv6

  2. Mobile IP- Why ? Mobile IPv4- Why ? IP based Network Sub-network A Sub-network B • Mobile workforce carry their laptops and wants to communicate with different hosts on the IP based network.

  3. Mobile IP- The Problem Foreign Subnetwork Home Subnetwork Foreign Subnetwork Home Subnetwork IP based Network IP based Network host host • When Mobile Node (MN) moves across subnetwork it changes its point of attachment.

  4. Mobile IP- Mobility Model Interne Routing Location Directory F-1: Forwarding Agent. An Address Translation Agent (ATA). LD F-1 F Distention Node Source Node • Solution should maintain all existing communications between MN and other hosts while MN is changing its point of attachment.

  5. Mobile IPv4 - Design Requirements No modification for host operating system Application transparency Network-wide mobility scalability 128.5.64.46 No modification for IP based routing Compatibility with IP based Addressing • Compatibility with existing IP based network computers and applications.

  6. Mobile IPv4- IETF Architecture Mobile IPv4-IETF Architecture Mobile Node At Foreign Link Mobile node At Home link Foreign Network Home Network Foreign Agent Home Agent FA ATA & LD Home Link Foreign Link IP Based Network Mobile IP entities and relationships Host • Home Agent is doing the functionality of LD and ATA. • Foreign Agent is doing the functionality of Forwarding Agent.

  7. Mobile IPv4-Agent Advertisements Agent Advertisement Mobile Node Mobile Agent Host Host • Mobile Agents advertise their presence. • MN determines if it is in a home or foreign link. • MN acquire a care-of address and default router.

  8. Mobile IPv4-Registration IP based network Gratuitous ARP Router Host 1 2 4 Foreign Link Home Link Foreign Agent Home Agent 3 • 1- MN send a request for service. • 2- FA relays a request to HA. • 3- HA accepts or denies. • 4- FA relays status to MN

  9. Mobile IPv4-Data Transfer Foreign Agent Home Agent IP based network Foreign Link Home Link Host • Host data packets are tunneled by HA to MN. • MN sends information directly to host.

  10. Mobile IPv4- Broadcast packet from MN Home Agent IP based network Host Host Foreign Agent Foreign Link Home Link Host Host • Broadcast packets from MN MUST be tunneled to HA

  11. Mobile IPv4- IP-in-IP Tunneling IPsrc = Original Sender IPdst = Ultimate Destination original IP packet Header payload IPsrc = Tunnel Entry-Point (Home Agent) IPdst= Tunnel Exit-Point (care of address) Header payload Outer Header Encapsulating IP Packet Mobile Node Foreign Agent Home Agent A tunnel from a home agent to a foreign agent

  12. Mobile IPv4- Broadcast Packet to MN Foreign Agent Home Agent IP based network Foreign Link Home Link • The HA MUST tunnel broadcast packets destined for MN.

  13. Mobile IPv4- Nested Tunneling Home Agent COA IP Src Addr 255.255.255.255 Data network prefix.111…. Home Agent Mobile Node IP • The MN should set the B bit to 1 request that the HA provide it (via a tunnel) a copy of broadcast packets that occur on a home link

  14. Mobile IPv4- Registration Message Format IP header fields Extension Mobile IP message header UDP header • After the IP and UDP header, the registration message header is found, then any necessary always including an authentication extension.

  15. Mobile IPv4- Registration Request • IHL Type of Service Total Length • identification Flags Fragment offset • Time to Live= 1 Protocol= UDP Header check sum • Source Address • Destination address • Source Port Destination Port = 434 • Length Check sum • Type=1 S B D M G Y res Lifetime • Mobile Node’s Home Address • Home Agent Address • Care of Address • Optional Extension • Type = 32 Length Security Parameter • Index (SPI) • Authentication (Default equal keyed MD5) IP Header (RFC791) UDP Header (RFC768 Fixed length portion of Registration Required (RFC2002) Mobile Home Authentication Extension (RFC2002) Mandatory

  16. Mobile IPv4-Registration Reply • Type = 3 Code Lifetime • Mobile Node’s Home Address • Home Agent Address • Identification Fixed length portion of Registration Reply (RFC2002) Registration Reply

  17. Mobile IPv4-Route Optimization • 1- Binding Update • 2- Binding Acknowledgment • 3- Binding Warning

  18. Mobile IPv4-Route Optimization Host 1 2 3 5 2 Foreign Link Home Link NFA Home Agent OFA 4 5 • 1- FA relays a request to HA. • 2- Send BU to OFA and RR to HA • 3- Send Binding Update as a result of receiving Binding Warning Ext • 4- Binding Acknowledgment back 5- Registration Reply back

  19. Mobile IPv4-Route Optimization (continue) Host 4 1 3 4 Foreign Link Home Link 2 NFA Home Agent • 1- data is sent from Host to the NFA through HA. • 2- HA tunnels data to MN • 3- Binding Update is sent from HA to host • 4- data is tunneled from host to NFA

  20. Mobile IPv4-Route Optimization (continue) Host 4 3 1 4 2 Foreign Link Home Link NFA Home Agent OFA 2 • 1- data is tunneled to the old FA. • 2- Warning Update message is sent to the HA, • 3-HA will send Binding Update to Host • 4- data is tunneled to the new FA

  21. Mobile IPv6-IETF Architecture Mobile Node At Foreign Link Mobile node At Home link Foreign Network Home Network Foreign Agent Home Agent ATA & LD Home Link Foreign Link IP Based Network Mobile IP entities and relationships Host • Home Agent is doing the functionality of LD and ATA. • Correspondent node may forward packets directly to the MN using source base routing.

  22. Mobile IPv6-Registration IP based network 1 Gratuitous Neighbor Advertisement 2 Router Host 3 4 Foreign Agent Foreign Link Home Link Home Agent • 1- MN-DHCPv6 Request for collocated IP address • 2- HM-DHCPv6 Reply. • 3- MN sends a Binding Update message. • 4- MN receives Binding Acknowledgement

  23. Mobile IPv6-Data Transfer Foreign Agent Home Agent IP based network 1 Foreign Link Home Link 3 2 Host • MN Host data packets are tunneled by HA to MN. • sends a Binding Update to MN • Send data directly to MN using source header routing.

  24. Mobile IPv6-Update MN Location Foreign Agent Home Agent IP based network Foreign Link Home Link 2 1 Host • When Binding Cache entry expires send Binding Request to MN • Continue sending data directly to MN using source header routing.

  25. IP Security

  26. Loss Of Privacy telnet foo.bar.org username: dan password: m-y-p-a-s-s-w-o-r-d • A perpetrator may observe confidential data, as it traverses the internet, such as password. The perpetrator may use this data to login to the system and pretend that he is the real person.

  27. Loss Of Data Integrity Deposit $100 $$$ Deposit $1000 $$$$ • You may not care if someone sees your business transaction but care if somebody modified your business transaction .

  28. Man In The Middle Attack BAD GUY Withdraw $1000 Withdraw $1000 Withdraw $1000 Withdraw $1000 • Bad Guy replay the same business transaction message.

  29. Denial-Of-Service virus • Bad Guy floods the system with messages or viruses which crash the system

  30. Where Should We Implement Security ? link-layer Encryption link-layer Encryption Application Layer Network Layer Security May Be implemented in: 1- Application Layer (Secure Sockets Layer). 2- Network Layer (IPSec). 3- Data Link Layer.

  31. IPSec : Security Protocol IPSec implements an end-to-end security solution at the network layer. Thus end systems and applications do not need to change to have the advantage of strong security.

  32. IPSec : Session Establishment 1- IPSec provides the data level processing. It assumes that the SA is established between two nodes. It does not have a mechanism to establish security association. 2-The negotiation and establishment of security association is done by the Internet Key Exchange protocol IKE build around the framework of ISAKMP (Internet Security association and Key Management Protocol.

  33. IPSec : Connection Each IPSec Connection can provide the following: 1- Encryption. 2- Integrity and Authenticity. 3- Or both.

  34. IPSec : Security Association IPSec uses Security Associations to establish secure connections between nodes. Security Association defines 1- algorithms to use for encryption/decryption 2- algorithms to use for integrity check and authentication. 3- shared session keys Each security association is identified by an SPI.

  35. IPSec : Authentication Header RSV Payload Length Next Header SPI Sequence Number Authentication Data The Authentication Header provides support for data integrity and authentication of IP packet.

  36. IPSec : Encrypting Security Payload RSV Payload Length Next Header Sequence Number Payload Data (variable) Next Header Authentication Data (variable) The Encryption Security Payload provides confidentiality. As an optional featire it provides the same authentication services as AH

  37. IPSec : Operation Modes Transport Mode: only the IP payload is encrypted, and the original IP headers are left intact. This mode allow attacker to perform traffic analysis, but it enable special processing such as QOS base on the information provided by the IP header. Tunnel Mode: The entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows routers to act as IPsec proxy. The major advantage is that the end system does not need to be modified to enjoy IP Security. Also it protects against traffic analysis.

  38. IPSec : Transport Mode IP HDR DATA IP HDR DATA IPSEC HDR In transport mode the data is encrypted only.

  39. IPSec : Tunnel Mode DATA IP HDR New IP HDR DATA + HDR IPSEC HDR In tunnel mode the the entire packet is encrypted, including the header.

  40. IKE : Phase I and II Two phases in IKE are necessary to establish SA: 1- Phase I : to establish a secure channel to negotiate SA. 2- Phase II : SA is negotiated between two nodes using the previously secured established channel.

  41. IKE : SA Establishment Using IKE Two phases in IKE are necessary to establish SA: 1- Phase1 : to establish a secure channel to negotiate SA. 2- Phase2 : SA is negotiated between two nodes using the previously secured established channel.

  42. IKE : Authentication Methods For Phase I Three types of authentication methods are used to authenticate phase I. 1- Pre-Shared Secret Key. 2- Public key cryptography. 3- Digital Signature.

  43. IKE : Phase II Once the secure channel is established between two nodes as a result of phase I, one node (the initiator) will propose a set of set of algorithms of authentication and encryption and the other node (the responder) will accept one offer or reject all.

  44. IKE : Example IPSec Bob IPSec Alice 2 Outbound packet from Alic to Bob. No IPSec SA. 4 Packets from Alice to Bob protected by IPSec ISAKMP Bob ISAKMP Alice ISAKMP Tunnel 3 Negotiation complete Alice and Bob now have complete IPSec SAs in place 1 Alice’s ISAKMP begins negotiation with Bpb

  45. Mobile Mobile IPv4 Security Mobile Node At Foreign Link Mobile node At Home link SA(mandatory) Home Network SA(optional) Foreign Network Foreign Agent Home Agent FA HA SA(optional) Home Link Foreign Link Mobile IP entities and relationships 1- MN-HA (mandatory) 2- MN-FA (optional) 3- FA-HA (optional) Host

  46. Mobile IPv6 Mobile IPv6 Security IPSec Tunnel Foreign Agent Foreign Link Home Link Home Agent • IPSec tunnel between MN and HA is used to secure and authenticate the control messages between MN and HA.

  47. BACKUP

  48. Mobile IP - Introduction • General increase in usage of laptop/notebook computers • More access to Intranet • Acceptance of Telecommuting • Increase in mobility based workforce (sales, delivery etc.) There is a need for mobile computers to communicate with other computers - fixed or mobile.

  49. Mobile IP - Design Requirements • Communicate with other nodes while changing its Link-layer point of attachment • Use its home (permanent) IP address to communicate with other computers • Communicate with non-Mobile IP based computers • Provide as much security as the fixed computers Provide end-to-end mobility as well as basic quality of service

More Related