Case Study on Mobile Routing By Mehul Doshi doshim2@cs.rpi.edu Abstract: The availability of powerful mobile computing devices, wireless networking products and services is increasing dramatically. However internetworking protocols such as IP used in the Internet do not currently support host movement. Mobile Internet Protocol is a new recommended Internet Protocol designed to support the mobility of a user host. This paper describes and summarizes the characteristics of the current Internet draft for Mobile IP. In addition it also discusses alternative Mobile IP and it’s routing proposals so that the reader may understand the different design issues associated with it. It also points to some problems that may arise if the current draft were to be implemented and looks and suggests at solutions, which may solve them. Introduction: Mobility can be both with wireless and wired and conversely also. In all the four combinations we notice that wired or wireless are Data Link Layer issues while Mobility is a Network layer issue or in general a higher layer issue. Hence ‘mobility’ doesn’t require wired or wireless hosts. Hence there is a need for introducing newer protocols that can be used for internetworking with such mobile hosts. However this would require a monumental task of upgrading and configuring a large number of routers and hosts. Hence the designed protocols should be able to support incremental upgrades. This means that it should be able to talk to both hosts that aren’t yet configured with it along with the hosts, which are already upgraded. Mobile IP is most likely to be implemented in some form or other in the future. Why Mobile IP? IP version 4 (IPv4) assumes that a node’s IP address uniquely identifies the node’s point of attachment to the internet. In order to provide a scalable routing support, internetworking protocols use hierarchical addressing and routing schemes. Hence routers within the internet need to know only how to route packets based on network number and destination address in each packet and once the packet reaches that network, it is delivered to the correct individual host on that network. Hence a node must be located on the network indicated by its IP address in order to receive datagrams destined to it; otherwise they would be lost. This sort of aggregation oat each level of hierarchy also reduces the size of the routing tables that each of the routers maintain. However this hierarchy in addressing and routing prevents packets from being routed correctly to the mobile host when it is away from its home network. For a host to change its point of attachment without losing its ability to communicate, currently one of the two following mechanisms must typically be employed: Node must change its IP address whenever it changes its point of attachment. Host-specific routes must be propagated throughout the Internet routing fabric. We can see clearly that both of these alternatives are unacceptable. The first makes it impossible for a node to maintain transport and higher-layer connections when the node changes location. The second has obvious and severe scaling problems. Hence a new, scalable, mechanism is required for accommodating node mobility within the Internet. Mobile IP would have several features associated with it like: No geographical limitations: A user can take a palmtop or laptop computer anywhere without losing the connection to the home network. No physical connection required: Mobile IP finds local IP routers and connects automatically. Modifications to other routers and hosts are not required: Other than mobile nodes/routers, the remaining routers and hosts will still use current IP. Mobile IP leaves transport and higher protocols unaffected. No modifications to the current IP address and IP address format: The current IP address and address format remains the same. Supports security: Authentication is performed to ensure that rights are being protected. How does Mobile IP work? Mobile IP is the cooperation of three separable mechanisms: Discovering the care-of address Registering the care-of address Tunneling to the care-of address Discovering the Care of Address (COA) Either Agent Advertising or Solicitation methods can find out the COA. Mobile IP discovery does not modify the original fields of existing router advertisements but simply extends them to associate mobility functions. Thus, router advertisements can carry information about default routers, just as before, and in addition carry further information about one or more care-of addresses. When the router advertisements are extended to also contain the needed care-of address, they are known as agent advertisements. Home agents (HA) and foreign agents (FA) typically broadcast agent advertisements at regular intervals. If a mobile node needs to get a care-of address and does not wish to wait for the periodic advertisement, the mobile node can broadcast or multicast a solicitation that will be answered by any foreign agent or home agent that receives it. Home agents use agent advertisements to make themselves known, even if they do not offer any care-of addresses. However, it is not allowed to associate preferences to the various care-of addresses in the router advertisement, as is the case with default routers. Thus, an agent advertisement performs the following functions: Allows for the detection of mobility agents Lists one or more available care-of addresses Informs the mobile nodes bout special features provided by foreign agents, for example, alternative encapsulation techniques. Lets mobile nodes determine the network number and status of their link to the Internet and Lets the mobile node know whether the agent is a home agent, a foreign agent, or both, and therefore whether it is on its home network or a foreign network. Mobile nodes use router solicitations to detect any change in the set of mobility agents available at the current point of attachment. (In Mobile IP this is termed as agent solicitation.) If advertisements are no longer detectable from a foreign agent that previously had offered a care-of address to the mobile node, the mobile node should presume that foreign agent is no longer within range of the mobile node’s network interface. In this situation, the mobile node should begin to hunt for a new care-of address, or possibly use a care-of address known from advertisements it is still receiving. The mobile node may choose to wait for another advertisement if it has not received any recently advertised care-of address, or it may send an agent solicitation. Registering Care of Address Once a mobile node has a care-of address, its home agent must find out about it. The process begins when the mobile node, possibly with the assistance of a foreign agent, sends a registration request with the care-of address information. When the home agent receives this request, it adds the necessary information to its routing table, approves the request, and sends a registration reply back to the mobile node. Registration requests contain parameters and flags that characterize the tunnel through which the home agent will deliver packets to the care-of address. When a home agent accepts the request, it begins to associate the home address of the mobile node with the care-of address and maintains this association until the registration lifetime expires. The triplet that contains the home address, care-of address and registration lifetime is called a binding for the mobile node. A registration request can be considered a binding update sent by the mobile node. The home agent must be certain registration was originated by the mobile node and not by some other malicious node pretending to be the mobile node. A malicious node could cause the home agent to alter its routing table with erroneous care-of address information, and mobile node would be unreachable to all incoming communications from the Internet. Hence there arose a need to authenticate registration information. To secure the registration request, each request must contain unique data so that two different registrations will in practical terms never have the same tokens. Otherwise, the protocol would be susceptible to replay attacks, in which a malicious node could record valid registrations for later replay, effectively disrupting the ability of the home agent to tunnel to the current care-of address of the mobile node at that later time. To ensure this does not happen, Mobile IP includes within the registration message a special identification field that changes with every new registration. There are two main ways to make the identification field unique. One is to use a timestamp; then each new registration will have a later timestamp and thus differ from previous registrations. The other is to cause the identification to be a pseudorandom number; with enough bits of randomness, it is highly unlikely that two independently chosen values for the identification field will be the same. In Mobile IP foreign agents are mostly passive, relaying registration requests and replies back and forth between the home agent and the mobile node, doing mostly what they are told. The foreign agent also de-capsulate traffic from the home agent and forwards it to the mobile node. It should be noted that the mobile node will have a layer 2 address and not an IP address otherwise the foreign agent may again resend it to the home agent i.e. the foreign would strip off the IP headers and then put it on say the Ethernet connected to it and the mobile node would simply pick it up. It is quite possible for a bad foreign agent to impersonate a real one and simply by following protocol and offering agent advertisements to the mobile host. It could then refuse to de-capsulate the packets to the mobile host after they are received. This is possible since foreign agents don’t have to authenticate themselves to the mobile node. Automatic home agent discovery – When the mobile node cannot contact its home agent, Mobile IP has a mechanism that lets the mobile node try to register with another unknown home agent on its home network. This method of automatic home agent discovery works by using a broadcast IP address, instead of the home agents IP address as the target for the registration request. When the broadcast packets gets to the home network, other home agents on the network will send a rejection to the mobile node; however, their rejection notice will contain their address for the mobile node to use in a freshly attempted registration message. It is a directed broadcast that reaches only IP nodes on the home network. Tunneling to the Care of Address: The default encapsulation mechanism that must be supported by all mobility agents using Mobile IP is IP-within-IP. Using IP-within-IP, the home agent (tunnel source), inserts a new IP header, or tunnel header, in front of the IP header of any datagram addressed to the mobile node’s home address. The new tunnel header uses the mobile node’s care-of address as the destination IP address, or tunnel destination. The tunnel source IP address is the home agent, and the tunnel header uses 4 as the higher-level protocol number, indicating that the next protocol header is again an IP header. In IP-within-IP the entire original IP header is preserved as the first part of the payload of the tunnel header. Therefore to recover the original packet, the foreign agent merely has to eliminate the tunnel header and deliver the rest to the mobile node. Such routing tunnels need to be implemented with care because advertising explicit host routes into the wide area routing tables destroys routing scalability. Sometimes the tunnel header uses protocol number 55 as the inner header. This happens when the home agent uses minimal encapsulation instead of IP-within-IP. Processing for the minimal encapsulation header is slightly more complicated than that for IP-within-IP, because some of the information from the tunnel header is combined with the information in the inner minimal encapsulation header to reconstitute the original IP header. On the other hand, header overhead is reduced. Mobile IP uses a home agent physically attached to the mobile host’s home network to intercept and tunnel packets to the mobile host. Hence, packets undergo triangle routing, which is often longer than the optimal unicast path. Moreover adding to this problem is the widespread deployment of ingress filters (Border routers at the periphery of an administrative domain carefully discarded datagrams that seem to emanate from an address external to the administrative domain. This is known as Ingress Filtering) as a “Best Current Practice” to combat denial of service attacks. With this mechanism, a router does not forward packets with a source address foreign to the local network, which implies that a packet sent by a mobile host in a foreign network with its source address set to its home address will not be forwarded. The solution to this is to use reverse tunneling, which tunnels packets originating at the mobile host first to the host’s home agent (using the host’s care of address as a source address), then from there on to the destination using the home address as the source address. Thus, routing anomalies occur in both directions. Enhancements and Proposals Some recent and efficient proposals have suggested the design and implementation of an end to end architecture for Internet host mobility using dynamic updates to the Domain Name System (DNS) to track host location. In this the name updates are effected via the secure DNS update protocol, while the TCP connection migration uses a novel set of Migrate Options and provides a pure end system alternative to routing based approaches such as Mobile IP. We know that delivering data to a mobile host across a network address change without disrupting existing connections can be tackled by introducing a level of indirection in the routing system. This approach when taken deploys a home agent that intercepts packets destined for a host currently away from its home network, and delivers it to the mobile host via a foreign agent in the foreign network. It does not require any changes to the fixed (correspondent) hosts in the Internet, but does require changing the underlying IP substrate to affect this triangle routing, and an authentication protocol to ensure that a malicious party does not hijack connections. However there are many other applications wherein other hosts originate connections to a mobile host and can benefit from both host location and hand-off support or where the mobile host originates all connections which do not require host locations services but can benefit from the handoff support and those where an application level retry suffices if the network address changes unexpectedly during a short transaction, which need neither to work well. In all of the above situations an end-to-end system can meet the goals, Moreover in an end-to-end architecture the mobile host exercises explicit control over its mobility node and hence the need for an additional third party viz. the home agent in the packet routing is removed. Some network layer mobility techniques attempt to handle host relocation in a completely transparent fashion, hiding any changes in network structure from the end hosts while many other approaches attempt to handle relocation at a higher level in the end host. The current IETF standard (RFC 2002) for mobility support on the Internet provides transparent support for host mobility by inserting a level of indirection into the routing architecture. An interesting approach to network layer mobility was proposed by Mysore and Bharghavan wherein each mobile host is issued a permanent Class D IP multicast address that can serve as a unique EID. If multicast were widely deployed, this is a promising approach because a Class D EID has the benefit of being directly routable by the routing infrastructure it removes the need for an explicit care of address. However, this scheme requires a robust, scalable, and efficient multicast infrastructure for a large number of sparse groups. Addressing: The key to the scalability of the Internet architecture is that the IP address serves as a routing locator, reflecting the addressee’s point of attachment in the network topology. This enables aggregation based on address prefixes and allows routing to scale well. Using Migrate TCP, the mobility architecture preserves this crucial property of Internet addressing. While IP addresses fundamentally denote a point of attachment in the Internet topology and say nothing about the identity of the host that may be connected to that attachment point, they have implicitly become associated with other properties as well. For example, they are often used to specify security and access policies as in the case of ingress filtering to alleviate denial of service attacks. The end-to-end architecture works without violating this trust model and does not require any form of forward or reverse tunneling to maintain seamless connectivity. In a foreign network, a mobile host uses a locally obtained interface address valid in the foreign domain as its source address while communicating with the other Internet hosts. TCP connection migration: A new proposal is to have a Migrate TCP option, included in SYN segments, that identifies a SYN packet as part of a previously established connection, rather than a request for a new connection. This Migrate option contains a token that identifies a previously established connection on the same destination address-port pair. The token is negotiated during initial connection establishment through the use of Migrate Permitted Option. After a successful token negotiation, TCP connections may be uniquely identified by either their traditional source address, source port, destination address, destination port tuple, or a new source address, token triple on each host. A mobile host may restart a previously established TCP connection from a new address by sending a special Migrate SYN packet that contains the token identifying the previous connection. The fixed host will then resynchronize the connection with the mobile host at the new end point. A migrated connection maintains the same control block and state (with a different end point), including the sequence number space, so any necessary retransmissions can be requested in the standard fashion. This also ensures that SACK and any similar options continue to operate properly. Furthermore any options negotiated on the initial SYN exchange remain in effect after connection migration, and need not be resent in a Migrate SYN. Since SYN segments consume a byte in the TCP sequence number in space, Migrate SYN’s are issued with the same sequence number as the last transmitted byte of data. This results in two bytes of data in a migrated TCP connection with the same sequence number (the new SYN and the previously transmitted actual data), but this is not a problem since the Migrate SYN segment need never be explicitly acknowledged. Any packet received from the fixed host by a migrating host at the mobile host’s new address that has a sequence number in the appropriate window for the current connection implicitly acknowledges the Migrate SYN. They can be needed in case it’s useful to renegotiate a new maximum segment size (MSS) reflecting the properties of the new path. All of the options negotiated on the initial SYN except the Migrate Permitted Option need not be replicated in this or any subsequent migrations since they are always in effect. Securing the migration:: If an attacker can guess the sequence space being used by the connection, it is possible to partially hijack TCP connections. With the Migrate options, an attacker who can guess both the sequence space and the connection token can hijack the connection completely. Furthermore, the ability to generate a Migrate SYN from anywhere greatly increases the connection’s exposure. Hence care must be taken to secure the connection token. The problem would be relatively easy to solve if IP security (IPSec) were deployed. However it not being the case the authors suggests a non guessable connection token that is secured with a secret connection key. Since any host that obtains the connection key could fabricate the token and issue a Migrate request, the authors [2] have proposed to select the key with an Elliptic Curve Diffie Hellman Key exchange. Hosts using IPsec may choose to disable key negotiation to avoid excess computation. ECDH is preferred over other methods because of its high security to bit length ratio. Routing Issues: Source Routing: As opposed to the way in which router optimization is specified in IPv4, in IPv6 correspondent nodes do not tunnel packets to mobile nodes. Instead, they use IPv6 routing headers, which implement a variation of IPv4’s source routing option. A number of early proposals for supporting mobility in IPv4 specified a similar use of source routing options, but two main problems precluded their use: IPv4 source routing options require the receiver of source-routed packets to follow the reversed path to the sender back along the indicated intermediate nodes. This means that malicious nodes using source routes from remote locations within the Internet could impersonate other nodes, a problem exacerbated by the lack of authentication protocols. Existing routers exhibit terrible performance when handling source routes. Consequently, the results of deploying other protocols that use source routes have not been favorable. However the objections to the use of source routes do not apply to IPv6, because IPv6’s specifications eliminate the need for source-route reversal and lets routers ignore options. Consequently, correspondent nodes can use routing headers without penalty. This allows the mobile node to easily determine when a correspondent node can use routing headers without penalty. This allows the mobile node to easily determine when a correspondent node does not have the right care-of address. Correspondent nodes that need to receive binding updates from the mobile node must have sent packets delivered by encapsulation instead of by source routes in a routing header. It is a further point of contrast to route optimization in IPv4 that, in IPv6 mobility support, the mobile node delivers binding updates to correspondent nodes instead of to the home agent. There is a distinct possibility in IPv6 of the availability of key management between the mobile node and correspondent node will be implemented. Other features supported by IPv6 mobility include Coexistence with Internet Ingress filtering Smooth handoff, which in Mobile IPv4 is specified for foreign agents as part of route optimization. Renumbering of home networks and Automatic home agent discovery. Another way of routing for a mobile network that has been discussed is using a different hierarchy, which can be dynamically configured as compared to the cluster hierarchy in existence today. This is being termed as the ‘Landmark Hierarchy’. This has been shown by the author to have similar path lengths and routing tables as compared to the conventional area hierarchy. In this the routing known as ‘landmark routing’, a distributed set of algorithms is used for the purpose. It has been shown to optimize routing in very large networks as it dynamically configures the hierarchy on the fly allowing for very large and highly dynamic networks. In this type of routing each router has in its tables only those routers who are a certain number of hops away as compared to a cluster hierarchy wherein all routers in one area have routing entries of all other routers. This implies that each router has all information of local routes and information decreases as we move away from it. A full description of the same is in [4]. Ad-Hoc Network Routing protocols are another way of routing. In this an ad-hoc network, which is basically a collection of wireless mobile nodes, is formed dynamically without use of any existing network infrastructure or centralized administration. It could be particularly useful when used in areas where there is little or no communication infrastructure. In such a network each mobile node not only acts as a host but also as a router i.e. it forwards packets for other mobile nodes in the network that may not be in direct wireless transmission of each other. Hence the packets would be ultimately delivered via multiple hops. Security Issues: As put in by Perkins and Johnson [2] “One of the most difficult aspects of Route Optimization for Mobile IP in the Internet today is that of providing authentication for all messages that affect the routing of datagrams to a mobile node.” In IPv6 nodes are expected to implement strong authentication and encryption features to improve Internet security. This affords a major simplification for IPv6 mobility support, since all authentication procedures cane be assumed to exist when needed and do not have to be specified in the Mobile IPv6 protocol. However the current draft on Mobile IP yet specifies the use of authentication procedures as infrequently as possible on account of two things. They are basically that performance is affected with a very reliable authentication and hence it should be done infrequently and also the fact that questions about the availability of Internet-wide key management are far from resolved as of now. The issues are: Data Confidentiality: Is it possible for the attacker to monitor the confidential traffic of other users of the system? Data Authenticity: Traffic/Identity hijacking: Is it possible for the attacker to masquerade as a user? That is, to bypass the authentication and steal the identity of another user. Service Availability: Denial of Service: Is it possible for the attacker to prevent other users to use the services of the system? Signaling and Location Confidentiality: Is it possible for the attacker to monitor the movements of the mobile host and/or collect user data about the behavior of the user? In each case the level of security depends on the algorithms and keys used for countering the threat. The roles considered during the analysis were: Hostile mobile host or a host masquerading as a mobile host Hostile nodes in the serving network Hostile FA or a host masquerading as an FA. Hostile nodes in the home network Hostile HA or a host masquerading as an HA. Hostile nodes outside the home and serving networks. Data Confidentiality: The likelihood that the confidentiality of the transmitted packets will be compromised depends strongly on the route of the packets. Mobile IP does not encrypt the packets, and thus the whole route of the packets has to be trusted or IPSec should be used on these parts of the route. Another possibility as discussed by authors would be to use token systems as shown in [2]. Inside visited network: It is very demanding to make IP based network secure at the times of faulty TCP/IP protocols/applications. The need for additional encryption depends on the level of trust the roaming user has for the visited network’s ability and motivation to secure the network. Between the visited and home network: The level of security on this part of the route is very difficult to define. In practice IPSec tunneling should be used. Inside the home network: In client-server applications and when the reverse tunneling is used the route of the packets goes to the home network of the roaming user. In the scenario the mobile IP is an attractive target for a malicious host outside of firewalls as it could allow connection hijacking. After successful registration Mobile IP can be used to get around IP address based packet filters used in the firewalls. This requires that the attackers can fool the mobility agents to accept the registration either passing the mandatory authentication or finding a way to avoid it. A malicious host might try to register to the HA as a roaming mobile host. This is protected by the mandatory authentication of the register message (IPv4) and Binding update (IPv6). The scenario where a HA in a secure network accepts mobile-IP registrations originating outside the secure IP-network places very strict requirements on the authentication algorithm and the key management. The authentication of the mobile node by the FA is not mandatory in IPv4 Mobile-IP. A malicious host might try to register to the FA as a roaming mobile host. This could allow traffic stealing if the real host is roaming the same visited network. This could also be used for bypassing the charging if the access is charged. Malicious FA’s might try to attack the HA. Possible attack types against mobile-IP could be replay attacks and attacks that lead to false authentication. The mobile-IP protocol offers sufficient protection against these in the form of identification and authentication extensions. Reverse tunneling introduces additional threats: when using reverse tunneling the traffic seems to originate from the safe side of the firewall i.e. from the home agent. The legitimate use of Mobile IP can introduce problems with firewalls and IPSec Security Gateways; reverse tunneling can be used to avoid these problems (with a price of unoptimized routing). Reverse tunneling can also be used for enforcing location confidentiality. Service availability: Service availability is difficult for both IP-based network and wireless communications. The IP network can be flooded with techniques like SYNflooding with a non-existing source address, Domain Name Servers. TCP/IP stack of the host can be crippled with an illegal IP packet received from the network. The limited capacity of the system can be saturated. Signaling and location confidentiality: Also the signaling information should be tunneled when possible to prevent behavior information about the user to be collected. The optimized routing can compromise location confidentiality. The header information of the IP-packets can be used for tracking the mobile host, unless IPSec is used in tunneling mode. This is another good reason for IPSec tunneling all data through unsecured parts of the communication path. Other Changes in IPv6: Features like Stateless Address Auto configuration and Neighbor discovery that are missing in IPv4 are added in IPv6. It also attempts to simplify the process of renumbering, which could be critical to the future routing ability of the Internet. Mobility support in IPv6, as proposed by the Mobile IP working group, follows the design for Mobile IPv4. It retains the ideas of a home network, home agent, and the use of encapsulation to deliver packets from the home network to the mobile node’s current point of attachment. While discovery of a care-of address is still required, a mobile node can configure its care-of address by using Stateless Address Auto Configuration and Neighbor Discovery. Thus, foreign agents are not required to support mobility in IPv6. Moreover IPv6-within-IPv6 tunneling is also already specified. Complications and Possible Solutions: Zigzag routing: If a mobile node happens to move to the same sub-network as its correspondent node that wants to send it datagrams then what happens is that for the datagram to be received by the mobile node, based on the Mobile IP protocol, the correspondent node will send the datagram all the way to the mobile node’s home agent which can be anywhere. Then its home agent will then forward the datagram to its care-of address, which wastes time and network resources since the datagram could have been sent directly from the correspondent node. This kind of “indirectrouting” is inefficient and undesirable. A solution that can be done is to have some sort of binding between the mobile node and the correspondent node wherein an effective way is maintained by the correspondent node as to where the mobile node is. This would remove this indirect routing as the correspondent node would then optimize the path and send it directly to the foreign agent. Frequent reporting incase mobile node moves very fast and frequently: If a mobile host is in a moving vehicle and roaming around into neighboring communities, then, the mobile IP will have to constantly report to the home agent to change it’s address. This leads to degradation of the performance and delays the datagram transmission. A solution maybe similar to what is being used in GSM wherein only when the cell crosses cell boundaries and handoffs take place that it’s reported back to the home agent. However for this to work in case of mobile hosts, it would require dividing the whole area into a number of cell clusters. That would require quite a different amount of routing protocols also. Too many unwanted fields in “IP within IP”: We know that when the packets (datagrams) are encapsulated the original datagram is put inside another IP datagram where the whole packet is basically the IP header containing the care-of address and the original datagram. The fields in the outer IP header add too much overhead to the final datagram as several fields are duplicated from the inner IP header. This waste of unnecessary space is uneconomical. A solution proposed by IETF called the Minimal Encapsulation scheme is defined, and becomes another way to encapsulate the datagram. The approach to the encapsulation method is as follows: The original header is itself modified to point to the care-of address rather than inserting another IP header. Now instead of decapsulating the datagram, the foreign agent will do a fair amount of computation before it can be sent to the mobile host. This is the tradeoff with utilizing network resources versus fast delivery of messages to the mobile host. Ingress Filtering: Many border routers discard packets coming from within the enterprise if the packets do not contain a source IP address configured for one of the enterprise’s internal networks. Because mobile nodes would otherwise use their home address as the source IP address of the packets they transmit, this presents difficulty. A solution to this problem in Mobile IPv4 would be tunnel outgoing packets from the care-of address. However, then the difficulty is how to find a suitable target for the tunneled packet from the mobile node. The only universally agreed routing possibility is the home agent, but that target introduces yet another anomaly for communications between the mobile node and the rest of the internet. The use of reverse tunneling to the home agent to counter the restriction imposed by ingress filtering can help. Mobile IPv6 also offers a solution in the home address destination option. Security Issues: Mobile IP has to co-exist with the security features that are in use within the Internet like Firewalls. Firewalls cause difficulty for Mobile IP because they block all incoming packets that do not meet specified criteria. Many firewalls are typically configured to block packets from entering via the Internet, which appear to emanate from internal computers. It presents difficulties for mobile nodes wishing to communicate with other nodes within their home enterprise networks. Such communications, originating from the mobile node, carry the mobile node’s home address, and would thus be blocked by the firewall. A number of solutions are being developed which could allow traversal of firewalls without lowering security. Conclusions: Mobile IP is definitely going to be implemented sooner than later in spite of competing tunneling protocols like the PPP based PPTP and L2TP. These protocols though offer portability in operations and at best may be a short term solution to inter-network routing of mobile hosts. However in the long run Mobile IP would be definitely required in some form or the other with variety of solutions and fixes to the foreseen problems. It would in all probability have to include incremental upgrades so as to allow time for the entire protocol system to be upgraded. Moreover some sort of glitch less handoff from one agent to the another should also be deployed so as to make sure that erroneous data is not received or for that matter retransmissions don’t occur because of them since the amount of mobile hosts is slated to increase exponentially creating an unprecedented situation of number of retransmissions caused on account of handoffs. Ad-hoc routing schemes as proposed can be implemented alongside so as to increase efficiency and scalability. Bibliography: 1. D. Johnson, Scalable Support for Transparent Mobile Host Internetworking, in Mobile Computing, edited by T. Imielinski and H.Korth. 2. A.Snoeren and H. Balakrishnan, An End-to-End Approach to Host Mobility, Proc. MOBICOM 2000. 3. J. Broch, D. Maltz, D. Johnson, Y-C. Hu, J. Jetcheva, A Performance Comparison of Multi-Hop Wireless Ad Hoc Routing Protocols, Proc. ACM/IEEE MOBICOM, Dallas, TX, August 1998. 4. P. Tsuchiya, The Landmark Hierarchy: A New Hierarchy for Routing in Very Large Networks, Proc. SIGCOMM’88, pp. 35-42, Stanford, CA, August 1988. 5. RFC-2002 – IP Mobility Support. 6. C.E. Perkins, “Mobile IP: Design Principles and Practises.” 7. IETF Working Group on Mobile IP.