
Page 1: MobileNAT (Mobility across Heterogeneous Address Spaces)

Presented by Kundan Singh (Columbia University)

Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller

Agenda
• Motivation
• Architecture
• Implementation
• Comparison with current approaches
• Summary

(30 slides, 60 min)

Page 2: Current Trends

13-Oct-03 MobileNAT/IRT group meeting

Explosive growth in connected devices

Heterogeneity
• Access: 802.11, 3G, Ethernet
• Provider; billing
• Address space: IPv4 vs IPv6; public vs private

[Figure labels: 802.11, 3G, private address]

Page 3: Project IOTA

http://www.bell-labs.com/~mbuddhikot/IOTAProject/IOTA.htm

Page 4: The goal

Preserve session for
1. inter access-point
2. inter sub-net
3. inter-NAT
4. to 3G network
5. to public network

[Diagram: a private address space behind NATs (public address A), the Internet with www.cnn.com, 802.11 and Ethernet access, a PDSN/3G network and a routed IP network; moves (1) to (5) are marked. Legend: access-point, router, router with NAT.]


Page 6: Problem with IP address

IP address overloaded
• Host identification
• Routing information

Change in IP address breaks TCP/socket connection

[Diagram: TCP association between MN (mobile node, 135.180.32.4) and CN (corresponding node, 128.59.16.149). Convention: source IP, destination IP, SP, DP.
128.59.16.149, 135.180.32.4, 80, 1733
135.180.32.4, 128.59.16.149, 1733, 80
After the MN moves to 135.180.54.7: 135.180.54.7, 128.59.16.149, 1733, 80]

Page 7: Two addresses

Two IP addresses
• Virtual IP (fixed host-id)
• Actual IP (routable; changes)

[Diagram: CN (128.59.16.149), anchor node (AN) and MN with virtual IP V=135.180.32.4; the MN moves and has actual IP A=135.180.54.7; the address 135.180.32.6 is also shown. Packets (source IP, destination IP, SP, DP):
128.59.16.149, 135.180.32.4, 80, 1733
135.180.32.4, 128.59.16.149, 1733, 80 (shown twice)
MN stack: Application, Socket, TCP/UDP, IP, Shim Layer, Net IF, with labels Addr "V" and Addr "A".]

Page 8: Packet forwarding mechanisms: tunneling or translation

Tunneling
• Outer: CN=>A or HA=>A
• Inner: CN=>V
• Header overhead

Translation
• More processing overhead
• Not an issue if NAT¹ is already present

¹ NAT is described later

[Diagrams, one per mechanism: CN (128.59.16.149), AN and MN with V=135.180.32.4; the MN moves and has A=135.180.54.7. Packet headers shown: 128.59.16.149, 135.180.32.4 and 128.59.16.149, 135.180.54.7.]

Page 9: Address allocation using DHCP

Virtual and actual IP allocated using DHCP

New DHCP options
• MN sends current virtual IP address (or 0.0.0.0 if none) in the request
• Server sends the allocated actual and virtual IP addresses in the response
• Actual IP is allocated based on relay agent IP

[Diagram: DHCP server and DHCP relay agent with subnets 10.0.1.x and 10.0.2.x; addresses shown: 10.0.1.5, 10.0.2.9, 10.0.2.2.]

Page 10: Overview of NA(P)T

Packet processing rules need to be changed in the event of mobility

[Diagram: NAT with public addresses 135.180.32.1-7 between the Internet (CN 128.59.16.149) and the private address space (10.0.0.0-10.255.255.255) with subnets 10.0.1.x, 10.0.2.x and 10.0.7.x; a host at 10.0.1.5.
Packet processing rule (labels: out, In-1), as source IP, destination IP, SP, DP:
10.0.1.5, 128.59.16.149, 1756, 80
135.180.32.4, 128.59.16.149, 7088, 80]

Page 11: Mobility manager and MIDCOM

MIDCOM to control NAT rules

Mobility manager IP in DHCP response

[Diagram: NAT between the Internet and subnets 10.0.1.x and 10.0.2.x (host at 10.0.1.5); three DHCP relays, DHCP server and mobility manager; labels "Change of lease" and "NAT rules".]

Page 12: Example

• Address assignment
• Packet flow when MN is private and CN is public
• MN moves to a new subnet
• Packet flow after mobility to a new subnet
• Packet flow when MN and CN are in the same NAT domain
• Packet flow when MN is private and CN is public and MN moves to new NAT domain

Page 13: Address assignment

DHCP request
(my virtual IP = 0.0.0.0)
(my MAC address)

DHCP response
(your virtual IP = 10.128.0.2)
(your actual IP = 10.0.1.5)

[Diagram: NAT, Internet, DHCP server and mobility manager.]

Page 14: Packet flow

NAT picks up an external IP and port

[Diagram: MN stack (Application, Socket, TCP/UDP, IP, SHIM Layer, Net IF) with Addr "V" 10.128.0.2:1756 and Addr "A" 10.0.1.5:1756; NAT with mapping 135.180.32.4:7088, 10.0.1.5:1756; Internet; CN. Steps (1) to (3) are marked. Packets as source IP, destination IP, SP, DP:
Outbound
10.128.0.2, 128.59.16.149, 1756, 80
10.0.1.5, 128.59.16.149, 1756, 80 (after Shim)
135.180.32.4, 128.59.16.149, 7088, 80 (after NAT)
Inbound
128.59.16.149, 135.180.32.4, 80, 7088
128.59.16.149, 10.0.1.5, 80, 1756 (after NAT)
128.59.16.149, 10.128.0.2, 80, 1756 (after Shim)]

Page 15: Inter-subnet mobility

DHCP request
(my virtual IP = 10.128.0.2)
(my MAC address)

DHCP response
(your virtual IP = 10.128.0.2)
(your actual IP = 10.0.2.7)

Change NAT rules
S:10.0.1.5:1756 D:128.59.16.149:80
S:135.180.32.4:7088 D:same

[Diagram: subnets 10.0.1.x and 10.0.2.x, new address 10.0.2.7; NAT, Internet, CN, DHCP server and mobility manager.]

Page 16: Packet flow after the node moves

Neither the MN application nor the CN knows about the change in actual IP

[Diagram: MN stack (Application, Socket, TCP/UDP, IP, SHIM Layer, Net IF) with Addr "V" and Addr "A"; NAT with mapping 135.180.32.4:7088, 10.0.2.7:1756; Internet; CN. Steps (1) to (3) are marked. Packets as source IP, destination IP, SP, DP:
Outbound
10.128.0.2, 128.59.16.149, 1756, 80
10.0.2.7, 128.59.16.149, 1756, 80 (after Shim)
135.180.32.4, 128.59.16.149, 7088, 80 (after NAT)
Inbound
128.59.16.149, 135.180.32.4, 80, 7088
128.59.16.149, 10.0.2.7, 80, 1756 (after NAT)
128.59.16.149, 10.128.0.2, 80, 1756 (after Shim)]
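
The hand-off on pages 13 to 16, as an added example (not code from the presentation or from the MobileNAT implementation): a toy Python model in which the shim maps V to A, the NAT maps A to the public address, and the DHCP server with integrated mobility manager rewrites the NAT rule when the MN renews from a new subnet. The relay agent addresses, the MAC address, the class and function names and the MAC check on renewal are assumptions; the other addresses and ports are the ones on the slides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                       # slide convention: source IP, destination IP, SP, DP
    src: str
    dst: str
    sport: int
    dport: int

class Shim:
    """MN shim layer: the application sees V, the network sees A."""
    def __init__(self):
        self.virtual, self.actual = "0.0.0.0", None

    def configure(self, virtual, actual):
        self.virtual, self.actual = virtual, actual

    def down(self, p):              # outbound: rewrite source V -> A
        return Packet(self.actual, p.dst, p.sport, p.dport)

    def up(self, p):                # inbound: rewrite destination A -> V
        return Packet(p.src, self.virtual, p.sport, p.dport)

class Nat:
    """NAPT with one public address; rules map (actual IP, port) <-> public port."""
    def __init__(self, public_ip, first_port):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_private, self.by_public = {}, {}

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.by_private:           # NAT picks an external port
            self.by_private[key] = self.next_port
            self.by_public[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, p.dst, self.by_private[key], p.dport)

    def inbound(self, p):
        ip, port = self.by_public[p.dport]
        return Packet(p.src, ip, p.sport, port)

    def rebind(self, old_ip, new_ip):
        """Rule change on mobility: keep the public port, swap the actual IP."""
        for (ip, port), pub in list(self.by_private.items()):
            if ip == old_ip:
                del self.by_private[(ip, port)]
                self.by_private[(new_ip, port)] = pub
                self.by_public[pub] = (new_ip, port)

class DhcpServer:
    """DHCP server with the mobility manager (MM) integrated."""
    def __init__(self, nat, virtual_pool, actual_by_relay):
        self.nat = nat
        self.virtual_pool = list(virtual_pool)
        self.actual_by_relay = {r: list(a) for r, a in actual_by_relay.items()}
        self.leases = {}                         # virtual IP -> (MAC, actual IP)

    def request(self, mac, virtual_ip, relay_ip):
        if virtual_ip == "0.0.0.0":              # first attach: allocate a new V
            virtual_ip = self.virtual_pool.pop(0)
        else:
            lease = self.leases.get(virtual_ip)
            # Assumption: a renewal is honoured only for the MAC that holds the
            # lease. This is a consistency check, not the DHCP authentication
            # that the slides list as on-going work.
            if lease is None or lease[0] != mac:
                raise PermissionError("virtual IP is not leased to this MAC")
        actual = self.actual_by_relay[relay_ip].pop(0)   # A follows the relay's subnet
        if virtual_ip in self.leases:            # MN moved: MM changes the NAT rules
            self.nat.rebind(self.leases[virtual_ip][1], actual)
        self.leases[virtual_ip] = (mac, actual)
        return virtual_ip, actual

def build():
    nat = Nat("135.180.32.4", 7088)
    # Relay agent addresses 10.0.1.1 and 10.0.2.1 are constructed for this example.
    dhcp = DhcpServer(nat, ["10.128.0.2"],
                      {"10.0.1.1": ["10.0.1.5"], "10.0.2.1": ["10.0.2.7"]})
    return nat, dhcp

def run_handoff(mac="02:00:00:00:00:01"):        # constructed MAC address
    nat, dhcp = build()
    shim = Shim()
    shim.configure(*dhcp.request(mac, shim.virtual, "10.0.1.1"))
    app = Packet(shim.virtual, "128.59.16.149", 1756, 80)
    before = nat.outbound(shim.down(app))        # what the CN sees before the move
    shim.configure(*dhcp.request(mac, shim.virtual, "10.0.2.1"))   # MN moves
    after = nat.outbound(shim.down(app))         # what the CN sees after the move
    reply = shim.up(nat.inbound(Packet("128.59.16.149", after.src, 80, after.sport)))
    return before, after, reply, shim.actual

if __name__ == "__main__":
    for item in run_handoff():
        print(item)
```

The CN-facing header is identical before and after the move, which is why the TCP association survives; the only state that changes is the shim's A and the NAT rule.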

Page 17: Intra-domain sessions

Optimization: new signaling message between two MobileNAT clients to route the packets directly

[Diagram: NAT, CN and MN in the same domain; address labels V=10.128.0.2 A=10.0.1.5, A=10.0.4.9 and, after the MN moves, V=10.128.0.2 A=10.0.2.7.]

Page 18: Inter-domain mobility

Mobility manager of visited NAT fetches the existing connection mapping from mobility manager of the home NAT

• If MN moves to public address space, Shim layer acts as visited NAT
• Dynamic home agent: use visited NAT as home NAT for new session
• Tunneling between visited and home NAT

[Diagram: CN, Internet, home NAT and visited NAT; the MN moves.]


Page 20: Implementation: client (Win XP/2000)

Shim-layer driver to capture DHCP packets and translate IP addresses

MobileNAT client application acting as DHCP client and server
Handles ARP for nodes in other sub-nets

[Diagram: stack (Application, Socket, TCP/UDP, IP, Shim Layer, Net IF) with Addr "V" 10.128.0.2 / 255.0.0.0 and Addr "A" 10.0.1.5 / 255.255.255.0; MobileNAT Client with Server and Client sides.]

Unified mobility client (on-going work)

[Diagram: MobileNAT Client, MobileIP Client, network and interface selector, DHCP server - client.]

Page 21: Client architecture

[Block diagram.
Legend: new code developed, specifically for 3G-802.11 integration; VPN/IPSec integration (e.g. Lucent IPSec Client); interaction with existing Windows OS modules.
Components: TCP/IP Protocol Stack; Virtual MobileIP Adaptor; VPN/IPSec Control; OS PPP Support; Graphical User Interface & Monitoring; MIP State Machine; Interface Abstraction Layer/API; Network Detection; Network Selection; MobileNAT Client; Ethernet; 802.11; PPP; CDMA2000; Sierra 3G1xRTT; VPN/IPSec Client Driver; Multi-interface Mobility Client Driver; Ethernet Interface; 802.11 Interface; PPP Interface; IS-835 Shim; Serial Driver; AT Command Set.
Layers: User Level, OS Kernel Level.]

Page 22: User interface

Approximately 45,000 lines of code, 13,000 of which are Windows NDIS kernel networking code

Page 23: Implementation: DHCP server and NAT (Linux)

• DHCP server to allocate virtual and actual IP
• Actual IP is based on subnet of DHCP relay agent
• MM is integrated into DHCP server
• NAT using netfilter, iptables, ip_conntrack and ip_nat modules

[Diagram: DHCP server with virtual IP range and actual IP range; PRE-ROUTING destination NAT; POST-ROUTING source NAT; NAT connection tracking.]


Page 25: Similarities/Differences with current proposals

Translation mode vs. tunneling
• Packet size vs processing overhead
• Two addresses per MN; can afford since private addresses
• No external FA needed

Signaling
• Using DHCP (new options) and a per-domain Mobility Manager (MM)

Routing path
• No change in routers or CN; but change in MN, NAT and DHCP server
• Dynamic home agent (i.e., the NAT)

Page 26: Comparison to existing schemes

Schemes considered in following chart

Mobile IP
• Extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)

Micro-mobility schemes
• Cellular IP
• Hawaii
• Intra-Domain Mobility Protocol (IDMP)
• Hierarchical Mobile IP (HMIP)

IPv6

Application level mobility mechanism
• SIP

Virtual NAT
• Similar address translation in the client stack
• Targeted for connection migration where both end-points implement vNAT

Page 27: Comparison chart

                    | MIP | CIP  | Hawaii | HMIP (RR) | IDMP TeleMIP | MIP LR | MIP RO | SIP | IPv6 | Mobile NAT | Virtual NAT
MIP messaging       | Y   | N    | Y      | Y         | Y            | -      | -      | N   | Y    | N          | N
Inter-tunnel        | Y   | Y    | Y      | Y         | Y            | N      | Y      | N   | O    | O          | N
Intra-tunnel        | -   | N    | N      | Y         | Y            | -      | -      | -   | O    | O          | N
Paging              | O   | Y    | Y      | Y         | Y            | -      | -      | N   | Y    | UD         | N
Host ID             | HA  | HA   | CoA    | CoA       | LCoA         | -      | -      | SIP | HA   | CoA        | virtual
Signaling           | Y   | Data | Y      | Y         | Y            | Y      | Y      | Y   | Y    | DHCP/MM    | Y
CN modify?          | N   | N    | N      | N         | N            | Y      | Y      | -   | N    | N          | Y
MN modify?          | Y   | Y    | Y      | Y         | Y            | Y      | Y      | -   | Y    | Y          | Y
Router modify?      | FA  | Y    | Y      | FA        | FA           | -      | -      | -   | O    | N          | N
NAT support         | Y¹  | Y    | Y      | Y         | Y            | IN     | IN     | Y   | IN   | Y          | IN
Non-mobile IP nodes | Y   | N    | Y      | Y         | Y            | -      | -      | -   | Y    | Y          | IN
Triangular route    | Y   | Y    | Y      | Y         | Y            | N      | N      | N   | N    | N/Y        | N

Y: yes; N: no; -: N/A; O: optional; IN: independent; UD: under development
¹ We assume Mobile IP with UDP tunneling for NAT

Page 28: Mobile NAT Advantages

Problems in existing approaches
• Huge infrastructure change (CIP, IPv6, routers, even deploying FA)
• Not much discussion on optimizing intra-domain sessions
• Require tunneling overhead, inter, intra or both
• Triangular routing
• Modification in CN

MobileNAT approach
• Addresses rapid growth in end-devices, which most likely will have private addresses due to slow deployment of IPv6
• Assume the presence of NA(P)T in a domain
    • Roaming and services across heterogeneous address spaces
    • Reduce problem space to only private address space
• Choice between tunneling and address translation
    • Addresses bandwidth limitations of wireless links
• Use existing protocols (DHCP, ICMP) for signaling
• Discourage changing routing infrastructure
• Can co-exist with MobileIP

Page 29: On-going work

Scalability
• Subdivide domains into smaller NAT-ed domains
• Multiple NATs per domain

Security
• DHCP authentication and Access-point authentication/encryption
• Works with IP-sec (AH mode and UDP tunnel) and SSL

Paging
• Re-use of existing IP-multicast based paging

Possible deployment issues
• Changing every MN driver (similar to Mobile IP)
• Mobility to 3G network
• Location information distribution
• Allow incremental deployment

Other issues
• Does not solve NAT problems where application layer message uses IP address (FTP, SIP, RTSP)
• Fast hand-off for micro-mobility
• Intra-domain sessions on inter-domain mobility
• Combined MobileIP and MobileNAT client

Page 30: Summary

Main ideas
• Virtual IP for host identification; actual IP for routing
• Address translation in client as well as in NAT
• Existing protocols like DHCP for signaling
• Mobility manager to handle nodes in a domain
• NAT acts as a dynamic home agent
• Inter-NAT packet flow for inter-domain mobility

No change in routers and no need for FA
• Change in MN, NAT and DHCP server

Demonstrated a simple inter-subnet mobility

Page 31: BACKUP SLIDES

Survey of existing mobility approaches for private/public addresses

Page 32: Mobile IP for macro mobility

Triangular routing
• Route optimization

Slow handoff
• Hierarchical mobility
• Tunneling (HMIP)
• Mobile specific routing (CIP, Hawaii)

Signaling overhead
• Paging (CIP, Hawaii, HMIP)

Firewall, etc.
• Reverse tunneling

[Diagram: CN, HA, Internet, FA and MN. Packet headers: (1) CN=>HA; (2) HA=>FA, CN=>HA; (3) CN=>HA; (4) HA=>CN.]

Page 33: Mobile IP with NAT

• UDP port mapping created during register
• HA finds that FA is behind NAT
• HA uses IP in UDP tunnel

[Diagram: CN, HA, Internet, NAT, FA and MN; label: outbound traffic.
(1) register; establish port mapping
(2) CN=>HA
(3) HA=>NAT (UDP), CN=>HA (IP)
(4) NAT=>FA (UDP), CN=>HA (IP)]

Page 34: Micro mobility: Cellular IP

• CoA is of gateway (FA)
• No change in CoA within domain
• Gateway converts cellular IP to IP
• Network elements snoop on data packets from MN to GW; set the reverse route from GW to MN
• Paging to discover idle MN
• NAT can be at gateway

[Diagram: CN, HA, Internet, gateway, intra-domain cellular IP (non-IP) cloud, MN; Id = HA.]

Page 35: Micro mobility: Hawaii

CoA is of root router (FA)

Host specific route in IP

Path setup tradeoff
• Explicit signal from MN to update route
• Packet loss, reorder, handoff latency

Paging (IP multicast) to discover idle MN if no routing information

NAT can be at root router

[Diagram: CN, HA, Internet, root router, IP cloud, MN; packet headers CN=>HA and HA=>CoA, CN=>HA; Id=CoA.]

Page 36: Micro mobility: Hierarchical mobile IP

• Two levels
• Works with non-mobile (but) IP traffic in domain
• Paging
• Two IP addresses (GFA and FA) per MN
• NAT can be at GFA
• High level network of FA (preferably tree) above IP; registration updates at optimal point in the tree

[Diagram: CN, HA, Internet, GFA, two FAs, MN; packet headers CN=>HA; HA=>GFA, CN=>HA; GFA=>FA, CN=>HA.]

Page 37: Micro mobility: IDMP/TeleMIP

• MA acts as gateway to internet
• Subnet agent (e.g., DHCP or FA) sends domain info
• MN registers GCoA=MA @ HA; LCoA=FA @ MA; two level addressing
• Similar to HMIP except multiple MA allowed for load balancing
• MA does NAT

[Diagram: CN, HA, Internet, MA, two FAs, MN; packet headers CN=>HA; HA=>MA (GCoA), CN=>HA; MA=>FA (LCoA), CN=>HA.]

Page 38: MIP Location Registers

• Avoids encapsulation
• Modify CN
• New VLR deregisters old VLR
• If VLR runs out of address inform HLR; which informs CN to use tunnel from CN to VLR
• If MN moves before TTL, (1) inform VLR, HLR that informs CN (2) inform CN directly (3) old VLR relays to new

[Diagram: CN, HLR, Internet, VLR, MN; label: get and cache CoA of MN for given TTL; steps (3) and (4) are marked.]

Page 39: SIP application level mobility

• Only for VoIP/multimedia calls
• No change in existing infrastructure
• NAT traversal (next slide)

[Diagram: CN, home SIP server, Internet, MN (before and after the move); messages: Initial INVITE, Re-REGISTER, Re-INVITE.]

Page 40: Middle box communication (midcom)

• Application specific proxy server controls NAT/firewall port binding/hole
• Separate NAT/ALG functionality
• Proxy snoops or modifies signaling
• Signaling traffic allowed on fixed port; media on dynamic port
• Works with SIP
• No incentive to install

[Diagram: host, NAT, server, Internet, CN; flows: signaling, media, midcom.]

Page 41: Simple Traversal of UDP through NAT (STUN)

• Host sends a packet to STUN server
• NAT converts internal IP to external IP
• Responds with source IP of packet (i.e., external)
• Host knows that its external IP is not same as internal
• It uses external IP/port when advertising in SDP
• Does not work for symmetric NAT
    • external IP for same host different for connection to different external host

[Diagram: host, NAT, Internet, STUN server, CN; steps (1) to (6) are marked.]

Page 42: Realm Specific IP (RSIP)

• Get an external address from NAT for this private host
• Tunnel packets between NAT and private host
• Works for various combinations of multiple RSIP gateway, NAT, NAT with RSIP, and RSIP hosts.
• Need RSIP aware host

[Diagram: CN, Internet, NAT, host; packet labels "CN NAT" and "NAT host <CN NAT>".]

Page 43: Mobility in IPv6

Address auto-configuration
• Always obtain a CoA in FN
• Net part+local part
• No FA needed

Route optimization
• IPv6 Destination option to CN and HA
• CN caches CoA of MN and sends directly

Hierarchical MIPv6
• Global address = mobile server’s network; allow change in MS
• Local address known to mobile server

[Diagram: CN, HA, Internet, MN.
(1) First IPv6 packet CN=>HA
(2) Tunneled HA=>CoA, CN=>HA
(3) IPv6 destination option
(4) subsequent packets]

Page 44: Mobile NAT: motivation

Problems in existing approaches
• Not much discussion on optimizing intra-domain sessions
• Require tunneling overhead, inter, intra or both
• Triangular routing or modification in CN
• Huge infrastructure change (CIP, IPv6, even deploying FA)
• . . .

What does MobileNAT do?
• Reduce problem space to only private address space MN
• Assume the presence of NA(P)T in a domain
• Choice between tunneling and address translation
• Use existing protocols (DHCP, ICMP) for signaling mobility
• Discourage changing routing infrastructure
• Can co-exist with MobileIP, Hawaii and IPv6 (?)
• Provide roaming and services across heterogeneous address spaces demarcated by address translation devices

Page 45: Mobile NAT: intra-domain

No explicit HA or FA
• HA is in NAT (MN is private)
• FA is in MN (driver, kernel)

Virtual vs routable address
• Virtual: fixed private address “a” exposed to application on MN
• Routable: dynamic private address “a” or “b” using DHCP
• Transport sessions between CNA (external), CNa (internal)

Address translation
• NAT (Aab), MN (ba)

Tunneling
• NATMN

[Diagram: CN, Internet, NAT, IP cloud, MN (before and after the move); labels: CN<=>A, A=a, CN<=>b, a/a, a/b, Id=Private.]

Page 46: Mobile NAT: inter-domain

Inter-NAT tunnel or relay

MN moves a/a=>a/c

NAT1 and NAT informed

Translation
• NAT1: AaB
• NAT2: Bac
• MN: ca

Issues
• Multiple “a” in NAT2
    • But unique map Ba
• Does IP security work (?)

Like Mobile IP
• FA=NAT2, HA=NAT1
• At most two levels of NATs

[Diagram: CN, Internet, NAT1, NAT2, MN at a/a and, after the move, MN at a/c; labels: CN<=>A, A=a, B=a, CN<=>b.]

Page 47: Mobile NAT: intra-domain sessions

MN1 MN2 active session
• MN2 sends to NAT; destination “a”
• NAT responds router redirect “b” (?)
• MN2 now sends to MN1

MN1 moves a/b=>a/c
• MN1 gets “c”
• DHCP server (or MN1) informs NAT
• MN2 gets ICMP host unreachable
• Starts sending to NAT
• NAT responds router redirect “c”

MN1 moves out of domain
• Path MN1visited NAT home NATMN2

[Diagram: CN, Internet, NAT, MN1 at a/b and, after the move, at a/c, MN2 at d/e; labels: A=a, active session.]

(?) ICMP Redirect message is expected from router in the same sub-net to which packet is being sent. It is vulnerable to attacks (confirm?). Cisco routers don’t forward ICMP redirect from another network. We may use proprietary IP options if allowed.

Page 48: TODO

Can MobileNAT co-exist with MIP, Hawaii and non-mobile but IP clients?
• If MIP MN discovers no FA, switches to MobileNAT
• If MobileNAT MN discovers FA, enables both MIP and MobileNAT
• If MobileNAT MN goes out of domain and gets a public address
• If a public MN moves within the domain and gets private address
• For intra-domain session between MN and fixed IP host, route optimization does not work
• Does route optimization work if both MN move at the same time?
• Does MobileNAT work with multicast?
• Write a simulation program for MobileNAT, MobileIP and Hawaii network

Page 49: TODO

Can part of it be implemented using existing protocols like Mobile IPv6 (destination option for route optimization), IDMP (for public/private addresses), RSIP?
• Intra-domain route optimization is similar to IPv6 destination option; can we use IPv6 within domain – need to change all routers (?)
• Assuming IPv6 domain with NAT as IPv4IPv6 converter. What changes do we need in NAT/IOTA so that it works with Mobile IP? For IPv6 do we need private address domain? How do we minimize changes in IPv6 MN?
• IDMP supports multiple MA. Can we install multiple NAT/IOTA for load balancing?
• Does tunnel mode MobileNAT reduce to IDMP, when HA is outside of NAT and FA is in MN? (yes) Why can’t MobileNAT be proposed as an extension to IDMP? IDMP does not describe intra-domain session optimization.

Page 50: TODO

Windows related issues
• Check if TCP connections are dropped when ipconfig /release is done
• Check what happens when CONNECTED status is indicated on already connected state
• Check if TCP connections are dropped even if DISCONNECTED status is not propagated to higher layer

Possible deployment hindrances
• Changing every MN driver (similar to Mobile IP)
• Should allow incremental deployment
• Processing overhead on NAT/IOTA
• What happens to domain/sub-net specific options that are not indicated to the higher layer when domain/sub-net changes? Need to also write a controlling application that does DhcpIpRenewAddress when the driver finds a different options field.

Page 51: TODO

Basic design issues
• Does DHCP security/authentication work?
• Can we use ICMP router redirect from NAT to private host?
• Can IP security work in all scenarios?
• Fast handoff applicability
• Since we are modifying the MN driver anyway, can it be made more extensible or more auto-configurable? E.g., if IOTA/NAT is moved to sub-net routers then can modification in MN be avoided? What if multiple hierarchical IOTA/NAT in a domain?