Mobile IP and VPN Overview
advertisement
Mobile IP and VPN Tarik Cicic University of Oslo December 2001 Overview • Concept of tunneling • Mobile IP concepts and deployment • Virtual Private Network principles 2 Tunneling • Technique for modifying data transport • Used to transport data – with inconsistent addresses – belonging to incompatible protocols • Packets belonging to Layer n are transported on Layer m, where n <= m • Examples: – IP in IP (L3 in L3) – ATM in IP (L2 in L3) 3 1 “Regular” Data Packets Header Payload • Information packed in the payload • Control information in the header • Each layer adds its header HTTP HTTP TCP HTTP IP HTTP TCP HTTP HTTP 4 ”n-in-n” HTTP IP2 HTTP TCP HTTP IP1 Tunneling HTTP TCP HTTP IP1 ”n-in-m” TCP HTTP HTTP TCP HTTP HTTP IP TCP HTTP HTTP HTTP HTTP HTTP IP IP IP (Not drawn to scale ☺) 5 Proc and Cons + Tunneling is essential for a range of new IP services - It adds overhead and complexity to the communications • We would prefer to not use it, whenever possible 6 2 Mobility Mobility Concepts • Work in office and at home (DHCP, dialup) • Home-network access wherever we are – VPN, IP-SEC, dialup • Switch networks without service interruption – Mobile IP • Other – WLAN roaming, protocol service discovery, cellular technologies 8 Mobile IP Terminology • Care-of-address: temporary address on a foreign network • Home Agent (HA): computer on the home network responsible for tracking the mobile node • Foreign agent (FA): computer on the remote network responsible for assigning the care-of addresses and informing HA about it 9 3 Basic Concept Sender Mobile node introduces itself to the FA Internet Receiver 129.240.64.135 Home agent Tunnel Local Address Care-of Address 129.240.64.135 158.9.13.15 129.240.64.97 192.4.69.3 Foreign agent FA sends Careof Address to the HA 158.9.13.15 10 Mobile IP Protocol Components • Agent discovery • Registration procedure • Handoff rules: – from one network to another – triggered by, e.g., traffic drop, retransmissions • Address binding 11 Route Optimization • Avoiding the “triangle” communication through binding updates Sender 129.240.64.135 is at 158.9.13.15 Receiver Home agent Internet 12 Foreign agent 4 Mobile IPv6 • Node autoconfiguration in foreign network • Secure binding updates • Source routing through the routing header Sender • No FA needed • No tunneling Receiver IPv6 Internet Home agent Foreign agent 13 Route Optimization in IPv6 • Routing header normally used • If a packet arrives to the HA, it is assumed that the source does not know the COA, and the packet is encapsulated to the mobile node: COA HA Dest Src Payload • Mobile node sends a routing update to the source 14 Mobile IP Summary • Mobile IP still not widely deployed: – IPv4 networks need substantial software to run Mobile IP (client protocol stack, FA, HA …) – IPv6 still on wait • We believe Mobile IP will become widespread • More work on – – – – dynamic (smooth) handover security compatibility merge between IP and telecom solutions 15 5 Virtual Private Networks Introduction • Technique to interconnect networks on geographically spread locations • Public network infrastructure is used instead of leased lines • The network looks private to the user, hence term “virtual” 17 VPN Advantages • Cost-saving, as it gains from statistical multiplexing • Flexibility (connecting new sites, contract modifications, points of presence etc.) • Transfer of servicing tasks to the network provider 18 6 VPN Challenges • Security • Reliability and QoS • Lack of standards 19 Security • Authentication (how to know that the data is really sent by the peer) • Policy enforcement (control lists, firewalls) • Transport of confidential data over public networks (encryption) • Monitoring network intrusions 20 VPN QoS • No QoS support in IP networks • Heavy requirements on ingress points in order to maintain the traffic contracts • Lesser efficiency 21 7 Where to Implement? • Layer 3 (IP SEC, GRE, L2TP, MPLS): + Flexibility, simplicity - IP only, poor standardization • Layer 2 (FR, ATM, PPP): + Multi-protocol, integration with access networks - Maintenance, complexity 22 Simple VNP Topology N1a 10.0.128/24 N2a 10.0.128/24 R1 VPN identifiers are needed: - to discriminate packets on destination - to perform policing on their way P1 R2 R3 P2 N1b 10.0.0/17 R4 23 N2b 10.0.0/17 Three VPN Categories • Access VPN: – remote, dial-in access to a “Point of Presence” in local area • Intranet VPN – site-to-site communication • Extranet VPN – business-to-business – mutual access policies enforced 24 8 Four VPN Implementation Methods • Virtual Leased Lines – intranet/extranet, L2 forwarding (e.g. AAL5/IP) • Virtual Private Dial Networks – access, L2 (e.g. PPP/L2TP/UDP/IP/PPP/L2) • Virtual Private Routed Networks – intranet/extranet, L3 • Virtual Private LAN Segments – intranet, L2 25 Virtual Leased Lines VLL is designed for companies with developed L2 (ATM) intranets Corporate Intranet III Corporate Intranet I IP AAL5 IP Link Backbone Corporate Intranet III 26 Virtual Dial Network Remote access with full functionality + cost reduction L2TP Server and Security Server Telephone PP Network P USA POP/ GW IP PPP L2TP UDP IP Link IP Backbone Corporate Intranet POP/ GW Telephone P Network PP Norway 27 9 Virtual Private Routed Networks Emulation of wide-area routed network Corporate Intranet III Corporate Intranet I IP IP IP IP Link IP • Most advanced Backbone • Complex • Virtual inter-domain routing (intra-VPRN reachability info) • Overlay/Piggybacked model 28 IP Corporate Intranet III Virtual Private LAN Segments Full virtual LAN implementation – complete protocol transparency Corporate Intranet III Corporate Intranet I IP L2 IP Link Backbone Backbone interconnect performs 29 as a L2 bridge Corporate Intranet III VPN Summary • • • • • “Suboptimal in theory, perfect in practice” Cost-saving technology Security issues VPN QoS issues Full IP standardization needed 30 10
