White Paper
Mobile IP Overview
December 2002
Haakon VII's gate 5B, N-0161 Oslo, Norway
Tel: +47 24 13 47 00 Fax: +47 24 13 47 01
hello@birdstep.com www.birdstep.com
Preface
Mobile IP, wireless LANs, Virtual Private Networks and seamless roaming are
areas of rapidly growing interest. The increased reliance on the Internet as
a business tool and the development of sophisticated wireless communications
systems have freed employees from the need to remain at their desks to do
productive work. These trends make Mobile IP an important element in the
network infrastructure.
This White Paper contains an introduction to the concept of Mobile IP.
Birdstep has worked for many years on the development of a Mobile IP client
that follows the existing standards defined by the Internet Engineering Task
Force (IETF). To explain how our client works we have written this White
Paper, which describes the elements included in Mobile IP and the mechanisms
that make Mobile IP possible. Detailed information on the Birdstep
Intelligent Mobile IP Client can be found on our web site
(www.birdstep.com).
Table of Contents
Introduction
Mobile IP
Usage scenarios
  IP zones/hotspots
  Push services
  Conferencing
  VPN security
Introduction
In order to communicate, all IP devices and IP-based end-systems must be
configured with an IP address in accordance with the IP protocol and its
addressing scheme. Otherwise, these end-systems cannot locate or access
other end-systems inside or outside the local subnet. Unfortunately, for
end-users to use IP addresses such as 193.71.196.92 to address services on
other end-systems is non-intuitive and awkward. As a result, the IETF has
standardized a hierarchical domain name service (DNS) that provides a mapping
mechanism from canonical names such as www.birdstep.com to the corresponding
IP address, which happens to be 193.71.196.92. The canonical name is more
intuitive and identifies the end-system as the web server of the commercial
company Birdstep.
IP-based networks rely on IP addresses and routing protocols to route IP
packets from the source to the destination end-system. The user services
built on top of IP rely on either the TCP (Transmission Control Protocol) or
UDP (User Datagram Protocol) transport layer protocol. UDP is an unreliable
transport layer protocol that is mainly used for management traffic and for
audio and video transfer. TCP is the reliable transport layer protocol that
is used for mail transfer, web traffic and other reliable data transfers.
Since an end-system can handle several TCP or UDP connections
simultaneously, a TCP- or UDP-specific port number is used to identify each
connection. These port numbers are not necessarily unique within an
end-system, but the following invariant (shown in Figure 1) will always hold
for a given transport protocol.
The tuple
<source IP address, source port number, destination IP address, destination port number>
is unique for each connection during its lifetime.
Figure 1: Communication invariant
This is useful for a heavily loaded web server. All incoming connections can
be addressed to the same port number (80 is the default web server port
number) of the web server and be handled simultaneously; the different
combinations of <source IP address, source port number> still identify each
client connection uniquely. Without this capability, the web would not work
at all.
The invariant also makes it clear that if an end-system changes its
point-of-access and is reconfigured with a new IP address, the tuple of every
on-going connection changes and all of them must be terminated. Mobile IP is
the solution that lets on-going connections survive such a move: it keeps the
tuple intact by keeping the IP address the applications see unchanged.
Although DNS makes it possible to alter the mapping of a canonical name to
a new IP address through schemes such as Dynamic DNS, this does not preserve
the invariant: existing connections are still bound to the old address.
Another problem is the extensive use of DNS caching on the Internet. DNS
lookups are usually cached in clients and in non-authoritative DNS servers to
prevent unnecessary DNS traffic, and a DNS entry will often have a
time-to-live of 24 hours. Thus, Dynamic DNS is not meant for highly mobile
users. A further drawback is that some end-systems will not even have DNS
entries, due to administrative or security restrictions.
Without Mobile IP, the only viable solution for an application is to
terminate the on-going connection and to reconnect to the remote
end-system(s) automatically. This may not always be possible without
implementing a high-availability, configuration and management server for
that particular application; otherwise, remote systems will not be able to
reach the mobile node at its new address. Although mobile nodes can access
Internet services through gateways on the visited network (i.e. the foreign
sub-network), some services, such as VPN access and SMTP mail relaying, are
commonly restricted to known source addresses for security reasons and are
therefore limited or unavailable from an arbitrary visited network.
Today's myriad of networks and access methods, combined with the ever
increasing need to be always on, requires the ability to move seamlessly
from one connection to another without application interruption. This is
possible with Mobile IP.
Mobile IP
Connecting to the Internet from a laptop or PDA using PPP over GSM is
straightforward. The laptop will be assigned an IP address by the dial-up
server it uses, via PPP's IP Control Protocol (IPCP), via the Dynamic Host
Configuration Protocol (DHCP) on a LAN, or via a similar proprietary
mechanism. Using this address, the laptop can visit web pages and download
mail from centralized mail servers. However, no one will know the current
address of the laptop unless the mobile user registers the information in a
centralized application-specific server, such as a video conferencing
server. Whenever the mobile user connects to another IP network, all the
application-specific servers must be updated. This makes it harder for
mobile users roaming between different IP networks or zones to run
applications with two-way information exchange, such as Voice over IP (VoIP)
or video conferencing.
Mobile IP is one viable solution to this problem. Mobile IP is an open
standard, defined by the Internet Engineering Task Force (IETF) in RFC 3344,
that allows users to keep the same IP address, stay connected, and maintain
on-going applications while roaming between IP networks. Basically, Mobile IP
maintains the invariant discussed in the previous section by using a special
address (the Home address) that is always operational. As long as the mobile
end-system has at least one operational network interface, and has
registered the address it currently holds on that interface with its Home
Agent, it can be reached by other end-systems on the Internet through that
interface.
The Mobile IP standard is based on a few components described below:
The Mobile Node (MN) is a device such as a laptop or PDA that has
software that enables network-roaming capabilities.
Home network is the network where the Mobile Node belongs.
Home address is the IP address the Mobile Node is configured with
whenever it is connected to its home network.
Correspondent Nodes (CN) are the end-systems the Mobile Nodes communicate
with. These nodes can of course communicate with other end-systems too.
Care-of address is the IP address at which the Mobile Node can currently be
reached on the sub-network it is visiting; it is either the address of a
Foreign Agent or an address the Mobile Node has acquired itself (a
co-located care-of address).
Home Agent (HA) is an entity on the home network that offers Home Agent
services (i.e. interception of packets sent to the home address and
tunneling of those packets to the Mobile Node's care-of address) to one or
more Mobile Nodes.
Foreign Network is the network the Mobile Node is currently connected to.
Foreign Agent (FA) is an entity in the foreign network that offers Foreign
Agent services (i.e. decapsulation of packets tunneled from the Home Agent
and delivery to the Mobile Node) to the Mobile Nodes that are connected to
the Foreign Network.
Mobile Nodes move between IP networks, changing their IP addresses
correspondingly. Every Mobile Node has a specific home address, and requests
Home Agent services from one of the Home Agents on its own sub-network. The
Mobile Nodes also request forwarding services from Foreign Agents in the
sub-networks they visit. These agents advertise their Foreign Agent services
by sending out agent advertisements regularly. In some situations, rather
than waiting for agent advertisements, the Mobile Node can send a
solicitation to Foreign Agents. This solicitation forces any agent on the
link to send an agent advertisement immediately. These processes are
illustrated in Figure 2. If several Foreign Agents advertise their services,
the Mobile Node chooses one of them based on its own set of preferences. The
same process applies to advertisements from potential Home Agents on the
home sub-network when the Mobile Node is connected to that network. Both
messages reuse ICMP Router Discovery: an agent advertisement is an ICMP
Router Advertisement carrying a Mobility Agent Advertisement Extension, and
an agent solicitation is an ICMP Router Solicitation.
Mobile Node -> Home/Foreign Agent: agent solicitation (ICMP Router Solicitation)
Home/Foreign Agent -> Mobile Node: agent advertisement (ICMP Router Advertisement), solicited or periodic
Figure 2: Agent advertisement and solicitation
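As an added example (not Birdstep's client code and not part of the original paper), the following Python builds and parses the agent advertisement described above: an ICMP Router Advertisement carrying the Mobility Agent Advertisement Extension (type 16) of RFC 3344, including the ICMP checksum a Mobile Node verifies before trusting the message. The selection policy in choose_foreign_agent (skip agents without the F bit or with the B "busy" bit, then take the highest router preference) is this example's own assumption; the RFC leaves the choice to the Mobile Node. All addresses and flag settings are constructed.

```python
import ipaddress
import struct

# Message and extension types from RFC 3344 (IP Mobility Support for IPv4).
ICMP_ROUTER_ADVERTISEMENT = 9
MOBILITY_AGENT_EXTENSION = 16
PAD_EXTENSION = 0
# Flag bits of the Mobility Agent Advertisement Extension, MSB first.
FLAG_R = 0x80  # registration through this Foreign Agent is required
FLAG_B = 0x40  # busy: no new registrations accepted
FLAG_H = 0x20  # offers Home Agent service
FLAG_F = 0x10  # offers Foreign Agent service
FLAG_T = 0x01  # supports reverse tunnelling


def _checksum(data):
    """RFC 1071 ones-complement checksum; zero over a received message means intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_agent_advertisement(router, preference, sequence, reg_lifetime, flags, care_of_addrs):
    """ICMP Router Advertisement carrying a Mobility Agent Advertisement Extension."""
    # ICMP header: type, code, checksum (0 for now), number of addresses,
    # entry size in 32-bit words, lifetime; then one router/preference pair.
    msg = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, 1, 2, 1800)
    msg += ipaddress.IPv4Address(router).packed + struct.pack("!i", preference)
    # Extension: type, length (6 + 4 per care-of address), sequence number,
    # registration lifetime, flags, reserved byte, care-of addresses.
    msg += struct.pack("!BBHHBB", MOBILITY_AGENT_EXTENSION, 6 + 4 * len(care_of_addrs),
                       sequence, reg_lifetime, flags, 0)
    msg += b"".join(ipaddress.IPv4Address(a).packed for a in care_of_addrs)
    return msg[:2] + struct.pack("!H", _checksum(msg)) + msg[4:]


def parse_agent_advertisement(msg):
    """Return the router and mobility fields, or None for a plain router
    advertisement, a checksum failure or a malformed message."""
    if len(msg) < 16 or msg[0] != ICMP_ROUTER_ADVERTISEMENT or _checksum(msg) != 0:
        return None
    num_addrs, entry_size = msg[4], msg[5]
    if num_addrs < 1 or entry_size != 2:
        return None
    router = str(ipaddress.IPv4Address(msg[8:12]))
    preference = struct.unpack("!i", msg[12:16])[0]
    off = 8 + num_addrs * 8          # extensions follow the address entries
    while off < len(msg):
        ext_type = msg[off]
        if ext_type == PAD_EXTENSION:  # one-byte pad, carries no length field
            off += 1
            continue
        if off + 2 > len(msg):
            return None
        ext_len = msg[off + 1]
        body = msg[off + 2:off + 2 + ext_len]
        if ext_type == MOBILITY_AGENT_EXTENSION:
            if ext_len < 6 or len(body) != ext_len or (ext_len - 6) % 4:
                return None
            sequence, reg_lifetime, flags = struct.unpack("!HHB", body[:5])
            coas = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(6, ext_len, 4)]
            return {"router": router, "preference": preference, "sequence": sequence,
                    "lifetime": reg_lifetime, "flags": flags, "care_of_addrs": coas}
        off += 2 + ext_len
    return None


def choose_foreign_agent(adverts):
    """Select a usable Foreign Agent from received advertisements.
    Policy (this example's assumption): skip agents without the F bit or with
    the B (busy) bit, then take the highest router preference.
    Returns (care_of_address, registration_via_fa_required) or None."""
    best = None
    for raw in adverts:
        adv = parse_agent_advertisement(raw)
        if adv is None or not adv["flags"] & FLAG_F or adv["flags"] & FLAG_B:
            continue
        if not adv["care_of_addrs"]:
            continue
        if best is None or adv["preference"] > best["preference"]:
            best = adv
    if best is None:
        return None
    return best["care_of_addrs"][0], bool(best["flags"] & FLAG_R)
```

The returned flag tells the Mobile Node whether it must send its Registration Request through that Foreign Agent (R bit) rather than directly to the Home Agent; a corrupted or plain router advertisement is rejected by the checksum and extension checks rather than silently accepted.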
Correspondent Nodes are nodes that communicate with Mobile Nodes
irrespective of their current location. On a foreign network the Mobile Node
obtains a care-of address, either the address of a Foreign Agent learned from
an agent advertisement, or a co-located address obtained through DHCP or a
proprietary mechanism. Mobile Nodes always inform their Home Agent on the
home sub-network about their current care-of address, enabling the Home
Agent to intercept all packets addressed to the Mobile Nodes' home addresses
and to tunnel them to the Mobile Node via the Foreign Agent.
Mobile Node -> Foreign Agent -> Home Agent: Registration Request (UDP message)
Home Agent -> Foreign Agent -> Mobile Node: Registration Reply (UDP message)
Figure 3: Address registration via Foreign Agent
The Foreign Agent receives packets tunneled to the Mobile Nodes it serves,
decapsulates them and delivers them to the Mobile Node on the link. The
Foreign Agent can also participate in the registration of the current
care-of address from the Mobile Node with the Home Agent. This is illustrated
in Figure 3, where the Foreign Agent relays the Registration Request and the
corresponding Registration Reply (both UDP messages, port 434) from the Home
Agent. Relaying through the Foreign Agent is mandatory when the Mobile Node
uses the Foreign Agent's address as its care-of address, and a Foreign Agent
can additionally demand it (by setting the 'R' bit in its agent
advertisements) for authorization or accounting purposes.
Mobile IP allows roaming between networks in different administrative
domains that use separate solutions for Authentication, Authorization, and
Accounting (AAA). Foreign Agents can use a local authority (AAAL) that may
not have enough information stored locally to carry out the verification of
the client’s credentials itself. However, the AAAL will have enough
information to negotiate the verification of client credentials with external
authorities in the Mobile Node’s home sub-network. The local and the
external authorities should be configured with sufficient security
relationships and access controls so that they can negotiate the necessary
authorization. Different users may receive different access rights to different
services based for instance on their specific customer subscription. The
authorization will depend on secure authentication of each Mobile IP client.
Mobile IP uses a strong authentication scheme for security purposes. All
registration messages between a Mobile Node and its Home Agent are required
to carry the Mobile-Home Authentication Extension (MHAE).
A pre-shared 128-bit key configured on both the Mobile Node and the Home
Agent, identified by a Security Parameter Index (SPI), protects the integrity
and authenticity of the registration messages. The original specification
(RFC 2002) computes the authenticator in the mandatory MHAE with keyed MD5
in prefix+suffix mode; the current revision (RFC 3344) makes HMAC-MD5 the
default and keeps keyed MD5 only for backward compatibility. Other
authentication algorithms can be used as long as both the Mobile Node and
the Home Agent support them. The authenticator covers the registration
message body, all extensions preceding the MHAE, and the MHAE's own type,
length and SPI fields; the receiver recomputes the value over the received
message and compares it with the value in the extension to verify
authenticity. Replay protection comes from the Identification field of the
registration message, which carries either a timestamp or a nonce that the
Home Agent checks against the previous registration. Note that the MHAE
provides integrity and authentication only: registration messages are not
encrypted, and the tunneled user traffic itself is not protected by Mobile IP
at all.
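As an added example, not taken from the paper or from the Birdstep client, here is how a Registration Request is authenticated with the MHAE in Python: the Home Agent recomputes HMAC-MD5 over the request header, any preceding extensions and the MHAE's type, length and SPI, compares it in constant time, and only then applies the timestamp replay check on the Identification field. The key, SPI, addresses and timestamps are constructed; the 7-second clock window is an assumption of this example, and the low 32 bits of the Identification (fractional seconds) are left zero for brevity.

```python
import hashlib
import hmac
import socket
import struct

REGISTRATION_REQUEST = 1
MHAE_TYPE = 32                 # Mobile-Home Authentication Extension (RFC 3344)
AUTH_LEN = 16                  # HMAC-MD5 authenticator length
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def _mhae_prefix(spi):
    # Type, Length (SPI + authenticator) and SPI; all three are covered
    # by the authenticator that follows them.
    return struct.pack("!BBI", MHAE_TYPE, 4 + AUTH_LEN, spi)


def build_registration_request(home, home_agent, coa, lifetime, unix_time, key, spi, flags=0):
    """Registration Request (RFC 3344 section 3.3) with an HMAC-MD5 MHAE appended."""
    # Identification in timestamp style: the high 32 bits are NTP seconds; the
    # low 32 bits (fractional seconds) are left zero in this example.
    identification = (unix_time + NTP_EPOCH_OFFSET) << 32
    header = struct.pack("!BBH4s4s4sQ", REGISTRATION_REQUEST, flags, lifetime,
                         socket.inet_aton(home), socket.inet_aton(home_agent),
                         socket.inet_aton(coa), identification)
    prefix = _mhae_prefix(spi)
    authenticator = hmac.new(key, header + prefix, hashlib.md5).digest()
    return header + prefix + authenticator


def verify_registration_request(msg, key, spi, now_unix, last_identification=None, window=7):
    """Home Agent side: check the MHAE and the replay protection of a
    Registration Request. Returns (accepted, reason)."""
    if len(msg) < 24:
        return False, "truncated"
    header, ext = msg[:24], msg[24:]
    off = 0
    while True:                       # walk the extensions up to the MHAE
        if off >= len(ext):
            return False, "missing MHAE"
        if ext[off] == 0:             # one-byte pad extension, no length field
            off += 1
            continue
        if off + 2 > len(ext):
            return False, "truncated extension"
        if ext[off] == MHAE_TYPE:
            break
        off += 2 + ext[off + 1]
    ext_len = ext[off + 1]
    end = off + 2 + ext_len
    if ext_len != 4 + AUTH_LEN or end > len(ext):
        return False, "bad MHAE length"
    if struct.unpack("!I", ext[off + 2:off + 6])[0] != spi:
        return False, "unknown SPI"
    covered = header + ext[:off + 6]  # body, earlier extensions, MHAE type/length/SPI
    expected = hmac.new(key, covered, hashlib.md5).digest()
    if not hmac.compare_digest(expected, ext[off + 6:end]):
        return False, "bad authenticator"
    # Only an authentic message is allowed to influence replay state.
    identification = struct.unpack("!Q", header[16:24])[0]
    seconds = (identification >> 32) - NTP_EPOCH_OFFSET
    if abs(seconds - now_unix) > window:
        return False, "identification outside time window"
    if last_identification is not None and identification <= last_identification:
        return False, "replayed identification"
    return True, "accepted"
```

Anything between the Mobile Node and the Home Agent (including the Foreign Agent) can read the request, but cannot alter the care-of address or re-send an old request without the check failing; the Home Agent must persist the last accepted Identification per mobile node for the replay check to mean anything across restarts.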
In certain situations there will either be no Foreign Agent available, or
the Mobile Node does not wish to use one. In these situations the Mobile
Node can use a co-located care-of address, typically obtained through DHCP on
the visited network. With a co-located care-of address the Mobile Node
terminates the tunnel itself and decapsulates all tunneled packets received
from the Home Agent. The decapsulated packets are delivered internally to
the home address of the Mobile Node. As illustrated in Figure 4, this
simplifies the registration process, since the Mobile Node registers
directly with the Home Agent, at the expense of doing the decapsulation in
the Mobile Node.
Mobile Node -> Home Agent: Registration Request (UDP message)
Home Agent -> Mobile Node: Registration Reply (UDP message)
Figure 4: Direct address registration
Although Mobile IP tunnels packets from the Home Agent to the Mobile Node's
care-of address, there is by default no tunneling in the reverse direction.
Packets from the Mobile Node to its peers can go directly through the
Internet from the Mobile Node to the Correspondent Node, with the home
address as the IP source address. This works only as long as the foreign
sub-network routes packets whose source address does not belong to it.
Routers and firewalls that perform ingress filtering (RFC 2827) drop such
topologically incorrect packets as likely spoofed, and a foreign network
that lets them through has weakened its own anti-spoofing defence. Where
ingress filtering is in place, a topologically correct reverse tunnel
(RFC 3024) should be established from the care-of address to the Home
Agent, so that the packets leaving the foreign network carry the care-of
address as their outer source address. Reverse tunneling also keeps all of
the Mobile Node's traffic under the home network's policy, at the cost of a
longer path through the Home Agent.
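To make the ingress-filtering problem concrete, the following added Python example (not from the paper or from the Birdstep client) builds the IP-in-IP encapsulation of RFC 2003 over constructed packets and runs both variants through a foreign border router that drops any packet whose source address is not in the foreign network's own prefix: the packet sent directly with the home address as source is dropped, while the same packet reverse-tunneled from the care-of address to the Home Agent passes. The forward direction (Home Agent to care-of address) uses the same helpers. All addresses and the prefix are constructed; the payload stands in for a transport segment and carries no UDP header.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP-in-IP (RFC 2003), the default Mobile IP tunnel encapsulation
IPPROTO_UDP = 17


def _checksum(data):
    """RFC 1071 ones-complement checksum; zero over a received header means intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 datagram: 20-byte header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap a complete datagram in an outer IPv4 header (IP-in-IP)."""
    return ipv4_packet(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(pkt):
    """Strip the outer header of an IP-in-IP packet and return the inner datagram."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return payload


def ingress_filter(pkt, local_prefix):
    """RFC 2827 check at the foreign network's border: a packet may leave only
    if its (outer) source address belongs to the network's own prefix."""
    src = parse_ipv4(pkt)[0]
    return ipaddress.IPv4Address(src) in ipaddress.IPv4Network(local_prefix)


def foreign_border_router(pkt, local_prefix):
    """'forwarded' or 'dropped', as an ingress-filtering border router decides."""
    return "forwarded" if ingress_filter(pkt, local_prefix) else "dropped"


def mobile_node_send(payload, home_addr, coa, home_agent, cn, reverse_tunnel):
    """What leaves the Mobile Node's interface on the foreign network: either
    the datagram itself, sourced from the home address, or that datagram
    reverse-tunnelled from the care-of address to the Home Agent."""
    inner = ipv4_packet(home_addr, cn, IPPROTO_UDP, payload)
    return encapsulate(inner, coa, home_agent) if reverse_tunnel else inner


def home_agent_forward(pkt_from_cn, home_agent, coa):
    """Forward direction: the Home Agent intercepts a packet addressed to the
    home address and tunnels it to the registered care-of address."""
    return encapsulate(pkt_from_cn, home_agent, coa)
```

The Home Agent (or the Mobile Node with a co-located care-of address) should additionally check that the inner destination of a decapsulated packet is the expected home address before delivering it; an attacker who can reach the care-of address could otherwise inject arbitrary inner packets into the tunnel, since IP-in-IP itself carries no authentication.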
Compared to the cellular mobility of GSM and GPRS, Mobile IP can take
advantage of any IP network including both cellular technologies such as
GSM and GPRS and IP zones based on ISDN, ADSL, Ethernet, ATM, WLAN or
Bluetooth. Mobile IP will also make it possible for users to choose the best
access technology available at every moment.
Usage scenarios
The following are some general scenario descriptions where Mobile IP
provides extra added value. More specific user scenarios are given in the
White Paper on user scenarios available on our web site (www.birdstep.com).
IP zones/ hotspots
Mobile users move between different IP networks with different access
technologies and capabilities. An IP Zone is such an IP network that offers
connectivity to mobile users. The connectivity or the available services
depend on the subscription the mobile user holds. Mobile users with several
network interfaces can connect to IP Zones or cellular networks using the
optimal access technology from a cost-efficiency or performance viewpoint.
In addition, applications can take advantage of the different capabilities
within different IP zones and of the capabilities in the cellular coverage
area.
Figure 5: IP zone and Mobile IP. Two WLAN IP zones and GPRS coverage, all
attached to the fixed network infrastructure; the Mobile Node moves between
them (positions 1, 2 and 3).
When the Mobile Node is connected via GPRS, the application can adapt to
the current conditions in order to reduce the cost of using the network.
When the Mobile Node enters the IP zone, which offers high bandwidth at a
fraction of the cost of GPRS, Mobile IP registers a new care-of address at
the Home Agent without disrupting the on-going communication. Without Mobile
IP, the communication would be terminated.
Push services
Some of the new services that emerge are based on push technology. With
this technology, centralized servers can send different types of content to
subscribers located anywhere. Without Mobile IP, subscribers would not get
the content unless the client reports its point-of-access to the
centralized server whenever the point-of-access changes. This behaviour is
clearly application dependent and would have to be implemented separately
for each application. With Mobile IP, this is application independent and
therefore not an issue for application developers.
Figure 6: Push services utilizing Birdstep Mobile IP. Two WLAN IP zones and
GPRS coverage, all attached to the fixed network infrastructure; the Mobile
Node moves between them (positions 1, 2 and 3).
Everything passes through the Home Agent. Although this represents some
overhead, it is the only way to reach a Mobile Node that moves between
different IP networks utilizing access technologies from WLAN to cellular
technologies.
Conferencing
Multimedia conferencing normally requires full-duplex audio and/or video
streaming between two or more peers. If one or more of these peers change
their point-of-access during the conference, they lose their membership of
the multimedia conference. If these participants support Mobile IP and are
reconnected to a new IP network, Mobile IP prevents their membership from
being withdrawn. Figure 7 illustrates a multimedia conference that uses
reverse tunneling for enhanced security. In this case, the traffic in both
directions passes through the high-performance Home Agent. If the only
available connection is a GPRS connection, only the low-bandwidth services
survive the change of access technology. Other solutions might adapt to the
changing access bit rate and reduce the audio sampling rate and/or the
video frame rate.
Figure 7: Conferencing and Mobile IP. Netmeeting peers in two WLAN IP zones
and on GPRS, all reached through the fixed network infrastructure; the Mobile
Node moves between positions 1, 2 and 3.
VPN security
In recent years, employees have to a greater extent set up home offices
with dial-up or fixed network connections to the Internet. Access to the
company Intranet has been established by setting up Virtual Private
Networks. VPNs are usually based on permanent tunnels and an encryption
scheme such as IPsec to the company firewall, where strict security rules
limit access to company resources. These solutions have limitations when
the Mobile Node moves outside the home office: the VPN gateway binds the
tunnel, and its IPsec security associations, to the client's source IP
address, so a change of address tears the tunnel down and may also fail the
gateway's address-based access rules. By combining VPN functionality with
Mobile IP, the Mobile Node can maintain its VPN tunnel by using a fixed IP
address, the Home Address, as the tunnel endpoint. Some applications, such as
SMTP mail relaying, have similar source-address restrictions. All these
solutions benefit from using Mobile IP and a fixed Home address when
communicating.