Mobility Support in IPv6 (MIPv6)


Page 1: Mobility Support in IPv6 (MIPv6)

Mobility Support in IPv6 (MIPv6)

Chun-Chuan Yang
Dept. Computer Science & Info. Eng.
National Chi Nan University

Page 2: Mobility Support in IPv6 (MIPv6)

Outline

- MIPv6 Features
- MIPv6 Basic Operations
- MIPv6 Security
- MIPv6 vs. MIPv4

Page 3: Mobility Support in IPv6 (MIPv6)

Mobile IPv6 Features (1)

- IPv6 mobility is based on core features of IPv6
  - The base IPv6 was designed to support mobility; mobility is not an "add-on" feature
- All IPv6 networks are IPv6-mobile ready: all IPv6 nodes and all IPv6 LANs/subnets are IPv6-mobile ready
- IPv6 Neighbor Discovery and Address Autoconfiguration allow hosts to operate in any location without any special support

Page 4: Mobility Support in IPv6 (MIPv6)

Mobile IPv6 Features (2)

- No Foreign Agent
  - In Mobile IPv4, an MN registers with a foreign agent (FA) and borrows its address to build an IP tunnel so that the HA can deliver packets to the MN. In Mobile IPv6 the MN obtains a new IPv6 address of its own, so the FA no longer exists
  - IPv6 address autoconfiguration: the MN can obtain a CoA in the foreign network without any help from a foreign agent
- More scalable, better performance
  - Less traffic through the home link
  - Less redirection/re-routing (traffic optimization)

Page 5: Mobility Support in IPv6 (MIPv6)

Mobile IPv6 Features (3)

- Bi-directional tunneling mode
  - Does not require the CN to support Mobile IPv6
  - Uses reverse tunneling (for ingress filtering)
- Route Optimization (RO) mode
  - Requires registering the MN's current binding at the CN
  - Uses a new type of IPv6 routing header: the Type-2 routing header carries the home address (Dest Addr = MN's CoA)
  - Shortest communication path
  - Eliminates congestion at the MN's HA and home link
  - The impact of any possible failure of the HA, or of the networks on the path to or from it, is reduced

Page 6: Mobility Support in IPv6 (MIPv6)

Mobile IPv6 Features (4)

- Dynamic Home Agent Address Discovery
  - Allows an MN to dynamically discover the IP address of a home agent on its home link
  - ICMP Home Agent Address Discovery Request message: destination address = Home Agent anycast address for its own home subnet prefix
  - Reply message: HA list (with preferences) in the home link
  - Each HA maintains the home agents list

Page 7: Mobility Support in IPv6 (MIPv6)

New IPv6 Protocol (1)

- Mobility Header
  - Home Test Init, Home Test, Care-of Test Init, Care-of Test: perform the return routability procedure from MN to CN, ensuring authorization of subsequent Binding Updates
  - Binding Update, Binding Acknowledgement, Binding Refresh Request, Binding Error

Page 8: Mobility Support in IPv6 (MIPv6)

New IPv6 Protocol (2)

- New IPv6 destination option: Home Address destination option
- Type-2 routing header: route optimization
- New ICMPv6 messages: Home Agent Address Discovery Request, Home Agent Address Discovery Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement

Page 9: Mobility Support in IPv6 (MIPv6)

Mobility Header

- Payload Proto: same as IPv6 Next Header
- MH Type: identifies the particular mobility message
- Message Data: the data specific to the indicated MH type

Page 10: Mobility Support in IPv6 (MIPv6)

Binding Update Message

- MH Type = 5
- Message Data flags:
  - A: Acknowledge
  - H: Home Registration
  - L: Link-Local Address Compatibility
  - K: Key Management Mobility Capability

Page 11: Mobility Support in IPv6 (MIPv6)

Binding Acknowledgement Message

- MH Type = 6
- Message Data flag:
  - K: Key Management Mobility Capability

Page 12: Mobility Support in IPv6 (MIPv6)

MIPv6 Basic Operation (1)

(Figure: HA on the home network, CN across the Internet, mobile node on the foreign network; packet formats shown below)
- CN to MN: IP header (S: CN's IP address, D: MN's home address) + payload
- MN to CN: IP header (S: MN's home address, D: CN's IP address) + payload

Page 13: Mobility Support in IPv6 (MIPv6)

MIPv6 Basic Operation (2)

(Figure: the mobile node on the foreign network sends a Binding Update to the HA across the Internet; the HA answers with a Binding Ack)
- Binding Update: IP header + Mobility Header (MH type = 5) + payload
- Binding Ack: IP header + Mobility Header (MH type = 6) + payload

Page 14: Mobility Support in IPv6 (MIPv6)

MIPv6 Basic Operation (3)

(Figure: the CN sends to the MN's home address; the HA on the home network tunnels the packets to the mobile node)
- CN to home address: IP header (S: CN's IP address, D: MN's home address) + payload
- Tunneled packets from the HA: new IP header (S: HA's address, D: MN's CoA) + old IP header + payload

Page 15: Mobility Support in IPv6 (MIPv6)

MIPv6 Basic Operation (4)

(Figure: the mobile node sends a Binding Update to the CN; the CN answers with a Binding Ack)
- Binding Update: IP header + Mobility Header (MH type = 5) + payload
- Binding Ack: IP header + Mobility Header (MH type = 6) + payload

Page 16: Mobility Support in IPv6 (MIPv6)

MIPv6 Basic Operation (5)

(Figure: route-optimized traffic exchanged directly between the CN and the mobile node)
- CN to MN: IP header (S: CN's address, D: MN's CoA) + routing header (type 2, MN's home address) + payload
- MN to CN: IP header (S: MN's CoA, D: CN's address) + Home Address destination option (includes MN's home address) + payload

Page 17: Mobility Support in IPv6 (MIPv6)

Movement

- Movement detection: detect L3 handovers
  - Neighbor Unreachability Detection (NUD): the default router is no longer bi-directionally reachable
- Router Discovery: select a new default router
- Prefix Discovery: form a new care-of address
- Home registration
- Correspondent registration

Page 18: Mobility Support in IPv6 (MIPv6)

Home Registration (1)

- Set the H-bit and A-bit in the Binding Updates sent to the HA
- MN's home address goes in the Home Address destination option
- Source address = care-of address
- Set the L-bit if the MN's link-local address (for the new care-of address) has the same interface ID as the home address
- Set the K-bit if the IPsec SAs between the MN and the HA have been established dynamically, and the mobile node has the capability to update its endpoint in the used key management protocol to the new care-of address every time it moves

Page 19: Mobility Support in IPv6 (MIPv6)

Home Registration (2)

- Sequence #: used by the receiving node to sequence BUs and by the sending node to match a returned BAck with this BU
- Lifetime: the number of time units remaining before the binding must be considered expired; one time unit is 4 seconds
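As an added example (not from the slides), the following Python builds and decodes the home-registration Binding Update described on the two Home Registration slides: A and H set, L decided by the interface-ID rule, K by the dynamic-SA rule, and the lifetime carried in 4-second units. The fixed Mobility Header fields the slides do not show (Header Len, Reserved, Checksum) follow RFC 3775; the addresses are constructed sample values and the checksum is assumed to be zero.

```python
import socket
import struct

# Mobility Header / Binding Update layout from RFC 3775. The slides show only
# MH Type, the A/H/L/K flags, Sequence # and Lifetime; Header Len, Reserved and
# Checksum are the remaining fixed fields. Checksum is left at 0 here (assumption)
# because the real one covers an IPv6 pseudo-header this stand-alone code lacks.
MH_TYPE_BINDING_UPDATE = 5
IPPROTO_NONE = 59                      # Payload Proto when nothing follows the MH
FLAG_A, FLAG_H, FLAG_L, FLAG_K = 0x8000, 0x4000, 0x2000, 0x1000
LIFETIME_UNIT_SECONDS = 4

def same_interface_id(link_local: str, home: str) -> bool:
    """L-bit rule: the link-local address and the home address share their
    interface ID, i.e. the low 64 bits of the two addresses are equal."""
    ll = socket.inet_pton(socket.AF_INET6, link_local)
    ha = socket.inet_pton(socket.AF_INET6, home)
    return ll[8:] == ha[8:]

def build_home_registration_bu(seq: int, lifetime_s: int, link_local: str,
                               home: str, dynamic_ipsec_sa: bool) -> bytes:
    """BU sent to the HA: A and H always set, L and K set by the slide's rules.
    Lifetime goes on the wire in 4-second units, so it is rounded down."""
    flags = FLAG_A | FLAG_H
    if same_interface_id(link_local, home):
        flags |= FLAG_L
    if dynamic_ipsec_sa:
        flags |= FLAG_K
    msg = struct.pack("!HHH", seq & 0xFFFF, flags, lifetime_s // LIFETIME_UNIT_SECONDS)
    msg += b"\x01\x02\x00\x00"          # PadN option: header must be a multiple of 8 octets
    total = 6 + len(msg)                # 6 fixed MH octets + message data
    hdr = struct.pack("!BBBBH", IPPROTO_NONE, total // 8 - 1,   # Header Len excludes first 8
                      MH_TYPE_BINDING_UPDATE, 0, 0)             # Reserved, Checksum
    return hdr + msg

def parse_binding_update(mh: bytes) -> dict:
    """Receiver side: check the MH type and declared length, then decode the
    flags and convert the lifetime back to seconds."""
    _, hlen, mh_type, _, _ = struct.unpack("!BBBBH", mh[:6])
    if mh_type != MH_TYPE_BINDING_UPDATE or len(mh) != (hlen + 1) * 8:
        raise ValueError("not a well-formed Binding Update")
    seq, flags, units = struct.unpack("!HHH", mh[6:12])
    return {"seq": seq, "A": bool(flags & FLAG_A), "H": bool(flags & FLAG_H),
            "L": bool(flags & FLAG_L), "K": bool(flags & FLAG_K),
            "lifetime_seconds": units * LIFETIME_UNIT_SECONDS}
```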

Page 20: Mobility Support in IPv6 (MIPv6)

Correspondent Registration (1)

- Allows the CN to cache the MN's current care-of address
- Return Routability procedure + registration
- After home registration, the MN should initiate a correspondent registration for each node that already appears in the MN's Binding Update List
- The initiated procedures can be used to either update or delete binding information in the CN
- In addition, the MN initiates the registration in response to receiving a packet tunneled using IPv6 encapsulation

Page 21: Mobility Support in IPv6 (MIPv6)

Correspondent Registration (2)

A Binding Update is created as follows:
1. Source address of the IPv6 header = the current care-of address
2. Destination address = the address of the CN
3. Mobility header with MH type = 5, including the Binding Authorization Data and the Nonce Indices mobility options
4. Home Address destination option = MN's home address

Page 22: Mobility Support in IPv6 (MIPv6)

Conceptual Data Structures

- CN: Binding Cache
  - When sending a packet, the Binding Cache is searched before the Neighbor Discovery conceptual Destination Cache
- HA: Binding Cache and Home Agents List
  - The Home Agents List is used by the dynamic home agent address discovery mechanism
- MN: Binding Update List
  - Records information for each BU sent by this MN whose binding lifetime has not yet expired
  - Includes all bindings sent by the MN, either to its HA or to CNs

Page 23: Mobility Support in IPv6 (MIPv6)

MIPv6 Security

- Binding Updates to the HA
  - IPsec and ESP between MN and HA
  - Key distribution (IKE, Internet Key Exchange)
- Binding Updates to the CN
  - Return Routability procedure to assure that the right MN is sending the message
  - Binding management key (Kbm) for integrity and authenticity of the BU messages

Page 24: Mobility Support in IPv6 (MIPv6)

IPsec Security Association

- An SA is a cryptographically protected connection
- There MUST be an SA between the MN and HA
- Provides integrity and authentication of BU and BAck
- An SA is defined by: <SPI, destination address, flag>
- One SA per home address
- IPsec Authentication Header (authentication-only service)

Page 25: Mobility Support in IPv6 (MIPv6)

Encapsulating Security Payload

- ESP: authentication + encryption

Page 26: Mobility Support in IPv6 (MIPv6)

IPsec: AH vs. ESP

Page 27: Mobility Support in IPv6 (MIPv6)

Binding Updates to CN

- Return Routability procedure
  - Enables the CN to obtain some reasonable assurance that the MN is in fact addressable at its claimed care-of address as well as at its home address
  - Done by testing whether packets addressed to the two claimed addresses are routed to the MN
  - The MN can pass the test only if it is able to supply proof that it received certain data (the "keygen tokens") which the CN sends to those addresses. These data are combined by the MN into Kbm

Page 28: Mobility Support in IPv6 (MIPv6)

Return Routability Procedure

Page 29: Mobility Support in IPv6 (MIPv6)

RR Procedure Terminology (1)

- Node Key: a secret key (20 octets), Kcn, at the CN
- Nonce: the CN also generates nonces at regular intervals
- Cookie: a random number used by the MN to prevent spoofing by a bogus CN in the RR procedure
  - Home init cookie: a cookie sent to the CN in the Home Test Init message, to be returned in the Home Test message
  - Care-of init cookie: a cookie sent to the CN in the Care-of Test Init message, to be returned in the Care-of Test message

Page 30: Mobility Support in IPv6 (MIPv6)

RR Procedure Terminology (2)

- Keygen Token: a number supplied by the CN to enable the MN to compute the binding management key needed to authorize a BU
  - Care-of keygen token: carried in the Care-of Test message
  - Home keygen token: carried in the Home Test message
- Cryptographic functions
  - SHA: Secure Hash Standard
  - HMAC_SHA1: Keyed-Hashing for Message Authentication
  - MAC: Message Authentication Code

Page 31: Mobility Support in IPv6 (MIPv6)

Return Routability Test: step 1

(Figure: Correspondent Node at <correspondent address>, Mobile Node at <care-of address>, and the Home Agent, through which the home-address exchange passes)
- CN state: secret key <Kcn>; temporary nonces: 1 - <nonce1>, 2 - <nonce2>, ...
- MN state: cookies: <home init cookie>
- Home Test Init: src = <home address>, dst = <correspondent address>, carrying <home init cookie>
- Home Test: src = <correspondent address>, dst = <home address>, carrying <home init cookie>, <home keygen token>, home nonce index: 1
- MN then holds <home keygen token> and home nonce index 1
- <home keygen token> = HMAC_SHA1_Kcn(<home address> | <nonce1> | 0) [1:64]

Page 32: Mobility Support in IPv6 (MIPv6)

Return Routability Test: step 2

(Figure: Correspondent Node at <correspondent address>, Mobile Node at <care-of address>, Home Agent; this exchange runs directly between MN and CN)
- CN state: secret key <Kcn>; temporary nonces: 1 - <nonce1>, 2 - <nonce2>, ...
- MN state: cookies: <care-of init cookie>
- Care-of Test Init: src = <care-of address>, dst = <correspondent address>, carrying <care-of init cookie>
- Care-of Test: src = <correspondent address>, dst = <care-of address>, carrying <care-of init cookie>, <care-of keygen token>, care-of nonce index: 1
- MN then holds <care-of keygen token> and care-of nonce index 1
- <care-of keygen token> = HMAC_SHA1_Kcn(<care-of address> | <nonce1> | 1) [1:64]

Page 33: Mobility Support in IPv6 (MIPv6)

Secure Binding Update to CN

(Figure: Correspondent Node at <correspondent address>, Mobile Node at <care-of address>)
- CN state: secret key <Kcn>; temporary nonces: 1 - <nonce1>, 2 - <nonce2>, ...
- MN state: <care-of init cookie>, <care-of keygen token>, care-of nonce index 1; <home init cookie>, <home keygen token>, home nonce index 1
- MN computes:
  Kbm = SHA1(<home keygen token> | <care-of keygen token>)
  MAC = HMAC_SHA1_Kbm(<care-of address> | <correspondent address> | BU) [1:96]
- Binding Update: src = <care-of address>, dst = <correspondent address>, option: Home Address = <home address>, <sequence number>, <home nonce index = 1>, <care-of nonce index = 1>, <MAC>
- CN regenerates the tokens from its own state:
  <home keygen token> = HMAC_SHA1_Kcn(<home address> | <nonce1> | 0) [1:64]
  <care-of keygen token> = HMAC_SHA1_Kcn(<care-of address> | <nonce1> | 1) [1:64]

Once the correspondent node has verified the MAC, it can create a Binding Cache entry for the mobile node.
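The three exchanges above (Home Test, Care-of Test, and the authenticated Binding Update), carried through in Python as an added example that is not part of the original slides. Kcn, the nonce table and the three addresses are constructed sample values; the token, Kbm and MAC formulas are the ones the slides state, with [1:64] and [1:96] taken as the first 8 and 12 octets of the HMAC output.

```python
import hashlib
import hmac
import socket

# Constructed sample values (not from the slides): the CN's node key, the CN's
# nonce table indexed by nonce index, and the three addresses of the exchange.
KCN = bytes(range(20))                         # Kcn: 20-octet secret known only to the CN
NONCES = {1: b"\x11" * 8, 2: b"\x22" * 8}      # nonce index -> nonce, refreshed periodically
HOME, COA, CN = "2001:db8:1::10", "2001:db8:2::20", "2001:db8:3::30"

def _addr(a: str) -> bytes:
    return socket.inet_pton(socket.AF_INET6, a)

def keygen_token(kcn: bytes, addr: str, nonce: bytes, kind: int) -> bytes:
    """<token> = HMAC_SHA1_Kcn(<address> | <nonce> | kind) [1:64].
    kind 0 gives the home keygen token, kind 1 the care-of keygen token."""
    return hmac.new(kcn, _addr(addr) + nonce + bytes([kind]), hashlib.sha1).digest()[:8]

def binding_management_key(home_tok: bytes, careof_tok: bytes) -> bytes:
    """Kbm = SHA1(<home keygen token> | <care-of keygen token>)."""
    return hashlib.sha1(home_tok + careof_tok).digest()

def bu_mac(kbm: bytes, coa: str, cn: str, bu: bytes) -> bytes:
    """MAC = HMAC_SHA1_Kbm(<care-of address> | <correspondent address> | BU) [1:96]."""
    return hmac.new(kbm, _addr(coa) + _addr(cn) + bu, hashlib.sha1).digest()[:12]

def cn_issue_tokens(home: str, coa: str, idx: int):
    """CN side of steps 1 and 2: the token returned in Home Test (to the home
    address) and the one returned in Care-of Test (to the care-of address),
    both derived from the nonce with index idx."""
    return (keygen_token(KCN, home, NONCES[idx], 0),
            keygen_token(KCN, coa, NONCES[idx], 1))

def mn_sign_bu(home_tok: bytes, careof_tok: bytes, bu: bytes) -> bytes:
    """MN side: it never learns Kcn; it only combines the two tokens it received,
    one at each claimed address, into Kbm and authenticates the BU with it."""
    return bu_mac(binding_management_key(home_tok, careof_tok), COA, CN, bu)

def cn_verify_bu(home: str, coa: str, idx: int, bu: bytes, mac: bytes) -> bool:
    """CN side on receiving the BU: no per-MN state is kept between the tests and
    the BU; the CN regenerates both tokens from Kcn and the nonce named by the
    index carried in the BU, rebuilds Kbm and compares the MAC in constant time."""
    if idx not in NONCES:                 # nonce already discarded or never issued
        return False
    home_tok, careof_tok = cn_issue_tokens(home, coa, idx)
    expected = bu_mac(binding_management_key(home_tok, careof_tok), coa, CN, bu)
    return hmac.compare_digest(expected, mac)
```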

Page 34: Mobility Support in IPv6 (MIPv6)

Mobile IPv4 vs. Mobile IPv6

| Mobile IPv4 | Mobile IPv6 |
| --- | --- |
| Mobile node, home agent, home link, foreign link | (same) |
| Mobile node's home address | Globally routable home address and link-local home address |
| Foreign agent | A "plain" IPv6 router on the foreign link (foreign agent no longer exists); collocated care-of address |
| Care-of address obtained via Agent Discovery, DHCP, or manually | Care-of address obtained via Stateless Address Autoconfiguration, DHCP, or manually |
| Agent Discovery | Router Discovery |
| Authenticated registration with home agent | Authenticated notification of home agent and other correspondent nodes |
| Routing to mobile nodes via tunneling | Routing to mobile nodes via tunneling and source routing |
| Route optimization via separate protocol specification | Integrated support for route optimization |

Page 35: Mobility Support in IPv6 (MIPv6)

MIPv6 References

- RFC 3775: Mobility Support in IPv6
- RFC 4443: ICMPv6
- RFC 3776: Using IPsec for MIPv6
- RFC 2408: The Internet Key Exchange