1
Mobility Support in IPv6 (MIPv6)
Chun-Chuan Yang
Dept. Computer Science & Info. Eng., National Chi Nan University
2
Outline
MIPv6 Features
MIPv6 Basic Operations
MIPv6 Security
MIPv6 vs. MIPv4
3
Mobile IPv6 Features (1)
IPv6 Mobility is based on core features of IPv6
The base IPv6 was designed to support Mobility; Mobility is not an "Add-on" feature
All IPv6 Networks are IPv6-Mobile Ready: all IPv6 nodes and all IPv6 LANs/Subnets are IPv6 Mobile Ready
IPv6 Neighbor Discovery and Address Autoconfiguration allow hosts to operate in any location without any special support
4
Mobile IPv6 Features (2)
No Foreign Agent
In Mobile IPv4, an MN registers with a foreign agent and borrows its address to build an IP tunnel so that the HA can deliver packets to the MN. In Mobile IPv6, the MN obtains a new IPv6 address that is used only by the MN, so the FA no longer exists.
IPv6 Address auto-configuration: the MN can obtain a CoA in a foreign network without any help from a foreign agent
More Scalable: Better Performance; Less traffic through the Home Link; Less redirection/re-routing (Traffic Optimization)
5
Mobile IPv6 Features (3)
Bi-directional tunneling mode
Does not require the CN to support Mobile IPv6
Uses reverse tunneling (for ingress filtering)
Route Optimization (RO) mode
Requires registering the MN's current binding at the CN
Uses a new type of IPv6 routing header: Type-2 routing header = home address (Dest Addr = MN's CoA)
Shortest communications path
Eliminates congestion at the MN's HA and home link
The impact of any possible failure of the HA, or of networks on the path to or from it, is reduced
6
Mobile IPv6 Features (4)
Dynamic Home Agent Address Discovery
Allows an MN to dynamically discover the IP address of a home agent on its home link
ICMP Home Agent Address Discovery Request Message: destination address = Home Agent anycast address for its own home subnet prefix
Reply message: HA list (with preferences) in the home link
Each HA maintains the home agents list
7
New IPv6 Protocol (1)
Mobility Header
Home Test Init, Home Test, Care-of Test Init, Care-of Test: perform the return routability procedure from MN to CN for ensuring authorization of subsequent Binding Updates
Binding Update, Binding Acknowledgement, Binding Refresh Request, Binding Error
8
New IPv6 Protocol (2)
New IPv6 Destination Option: Home Address destination option
Type-2 Routing header: route optimization
New ICMPv6 Messages: Home Agent Address Discovery Request, Home Agent Address Discovery Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement
9
Mobility Header
Payload Proto: same as IPv6 Next Header
MH Type: identifies the particular mobility message
Message Data: the data specific to the indicated MH type
10
Binding Update Message
MH Type = 5
Message Data flags:
A: Acknowledge
H: Home Registration
L: Link-Local Address Compatibility
K: Key Management Mobility Capability
11
Binding Acknowledgement Message
MH Type = 6
Message Data flag:
K: Key Management Mobility Capability
12
MIPv6 Basic Operation (1)
[Figure: HA on the Home Network, CN, and the Mobile Node on the Foreign Network, connected via the Internet]
CN -> MN packet: IP Header (S: CN's IP Address, D: MN's Home Address) | Payload
MN -> CN packet: IP Header (S: MN's Home Address, D: CN's IP Address) | Payload
13
MIPv6 Basic Operation (2)
[Figure: HA on the Home Network, CN, and the Mobile Node on the Foreign Network, connected via the Internet; Binding Update / Binding Ack exchanged between the Mobile Node and the HA]
Binding Update: IP Header | Mobility Header (MH = 5) | Payload
Binding Ack: IP Header | Mobility Header (MH = 6) | Payload
14
MIPv6 Basic Operation (3)
[Figure: HA on the Home Network, CN, and the Mobile Node, connected via the Internet]
CN -> MN's home address: IP Header (S: CN's IP Address, D: MN's Home Address) | Payload
Tunneled packets HA -> MN: New IP Header (S: HA's Address, D: MN's CoA) | Old IP Header | Payload
15
MIPv6 Basic Operation (4)
[Figure: HA on the Home Network, CN, and the Mobile Node, connected via the Internet; Binding Update / Binding Ack exchanged between the Mobile Node and the CN]
Binding Update: IP Header | Mobility Header (MH = 5) | Payload
Binding Ack: IP Header | Mobility Header (MH = 6) | Payload
16
MIPv6 Basic Operation (5)
[Figure: HA on the Home Network, CN, and the Mobile Node, connected via the Internet; route-optimized traffic flows directly between the CN and the Mobile Node]
CN -> MN packet: IP Header (S: CN's Address, D: MN's CoA) | Routing Header (Type 2, MN's Home Address) | Payload
MN -> CN packet: IP Header (S: MN's CoA, D: CN's Address) | Home Address Dest Opt (includes MN's Home Address) | Payload
17
Movement
Movement Detection: detect L3 handovers
Neighbor Unreachability Detection (NUD): default router is no longer bi-directionally reachable
Router Discovery: select a new default router
Prefix Discovery: form new care-of address
Home registration
Correspondent registration
18
Home Registration (1)
Set H-bit & A-bit in the Binding Updates sent to the HA
MN's home address in Home Address destination option
Source address = Care-of address
Set L-bit if the MN's link-local address (for the new care-of address) has the same interface ID as the home address
Set K-bit if the IPsec SAs between the MN and the HA have been established dynamically, and the mobile node has the capability to update its endpoint in the used key management protocol to the new care-of address every time it moves
19
Home Registration (2)
Sequence #: used by the receiving node to sequence BUs and by the sending node to match a returned BAck with this BU
Lifetime: the number of time units remaining before the binding must be considered expired; one time unit is 4 seconds
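To make the Binding Update fields on these slides concrete, here is an added Python example (not code from the presentation) that builds and parses a Binding Update mobility header and applies the receiver's sequence-number rule. The byte layout assumed here (6-octet base header, then Sequence #, the A/H/L/K flag word and Lifetime, padded with Pad1/PadN options to a multiple of 8 octets) follows RFC 3775, which the slides cite; the checksum, which in a real header covers an IPv6 pseudo-header, is left at zero, and all sample values are constructed.

```python
"""Added example: encode/decode a Mobile IPv6 Binding Update mobility header.
Layout per RFC 3775 (cited on the references slide); not the presentation's code.
Assumption: checksum left at zero (a real sender computes it over an IPv6 pseudo-header)."""
import struct

IPPROTO_NONE = 59             # Payload Proto "No Next Header" when the MH is the last header
MH_TYPE_BINDING_UPDATE = 5
LIFETIME_UNIT_SECONDS = 4     # one Lifetime unit is 4 seconds (Home Registration slide)
# Flag bits of the 16-bit word that follows Sequence #: A, H, L, K are the top four bits
FLAG_A, FLAG_H, FLAG_L, FLAG_K = 0x8000, 0x4000, 0x2000, 0x1000


def _pad_to_8(msg: bytes, base_len: int = 6) -> bytes:
    """Append a Pad1 or PadN option so the whole mobility header is a multiple of 8 octets."""
    pad = (-(base_len + len(msg))) % 8
    if pad == 1:
        return msg + b"\x00"                                      # Pad1: one zero octet
    if pad > 1:
        return msg + bytes([1, pad - 2]) + b"\x00" * (pad - 2)    # PadN: type 1, len N-2
    return msg


def build_binding_update(seq: int, lifetime_seconds: int, *, ack=False, home_reg=False,
                         link_local_compat=False, key_mgmt=False, options: bytes = b"") -> bytes:
    """A home registration sets H and A; L and K are set under the conditions on slide 18."""
    flags = ((FLAG_A if ack else 0) | (FLAG_H if home_reg else 0)
             | (FLAG_L if link_local_compat else 0) | (FLAG_K if key_mgmt else 0))
    lifetime_units = lifetime_seconds // LIFETIME_UNIT_SECONDS
    msg = _pad_to_8(struct.pack("!HHH", seq & 0xFFFF, flags, lifetime_units) + options)
    hdr_len = (6 + len(msg)) // 8 - 1     # Header Len: 8-octet units, not counting the first 8
    base = struct.pack("!BBBBH", IPPROTO_NONE, hdr_len, MH_TYPE_BINDING_UPDATE, 0, 0)
    return base + msg


def parse_binding_update(pkt: bytes) -> dict:
    """Decode a BU; raise ValueError on anything a receiver must reject."""
    if len(pkt) < 12:
        raise ValueError("mobility header too short for a Binding Update")
    _proto, hdr_len, mh_type, _reserved, _csum = struct.unpack("!BBBBH", pkt[:6])
    if mh_type != MH_TYPE_BINDING_UPDATE:
        raise ValueError(f"MH Type {mh_type} is not a Binding Update (5)")
    if len(pkt) != (hdr_len + 1) * 8:
        raise ValueError("Header Len does not match packet length")
    seq, flags, lifetime_units = struct.unpack("!HHH", pkt[6:12])
    return {
        "seq": seq,
        "A": bool(flags & FLAG_A), "H": bool(flags & FLAG_H),
        "L": bool(flags & FLAG_L), "K": bool(flags & FLAG_K),
        "lifetime_seconds": lifetime_units * LIFETIME_UNIT_SECONDS,
        "options": pkt[12:],
    }


def seq_is_newer(new_seq: int, last_seq: int) -> bool:
    """Sequence numbers wrap, so compare modulo 2**16: the receiver accepts only a
    strictly newer BU, which is how it sequences BUs and drops repeats of old ones."""
    return 0 < (new_seq - last_seq) % 0x10000 < 0x8000


if __name__ == "__main__":
    pkt = build_binding_update(7, 600, ack=True, home_reg=True)
    print(pkt.hex())
    print(parse_binding_update(pkt))
```

The 16-octet result for a bare home-registration BU is the 6-octet base header, 6 octets of message data and a 4-octet PadN option; `seq_is_newer` is what a receiver consults before touching its Binding Cache.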
20
Correspondent Registration (1)
Allows the CN to cache the MN's current care-of address
Return Routability procedure + registration
After home registration, the MN should initiate a correspondent registration for each node that already appears in the MN's Binding Update List
The initiated procedures can be used to either update or delete binding information in the CN
In addition, the MN initiates the registration in response to receiving a packet tunneled using IPv6 encapsulation
21
Correspondent Registration (2)
A Binding Update is created as follows:
1. Source address of the IPv6 header = the current care-of address
2. Destination address = the address of the CN
3. Mobility header with MH type = 5, including the Binding Authorization Data and the Nonce Indices mobility options
4. Home Address destination option = MN's home address
22
Conceptual Data Structures
CN: Binding Cache
When sending a packet, the Binding Cache is searched before the Neighbor Discovery conceptual Destination Cache
HA: Binding Cache and Home Agents List
The Home Agents List is used by the dynamic home agent address discovery mechanism
MN: Binding Update List
It records information for each BU sent by this MN in which the lifetime of the binding has not yet expired
The Binding Update List includes all bindings sent by the MN either to its HA or to CNs
23
MIPv6 Security
Binding Updates to HA
IPsec and ESP between MN and HA
Key Distribution (IKE, Internet Key Exchange)
Binding Updates to CN
Return Routability Procedure to assure that the right MN is sending the message
Binding management key (Kbm) for integrity and authenticity of the BU messages
24
IPsec Security Association
An SA is a cryptographically protected connection
There MUST be an SA between the MN and HA
Provides integrity and authentication of BU and BAck
An SA is defined by: <SPI, destination address, flag>
One SA per home address
IPsec Authentication Header (authentication-only service)
25
Encapsulating Security Payload
ESP: authentication + encryption
26
IPsec: AH vs. ESP
27
Binding Updates to CN
Return Routability Procedure
It enables the CN to obtain some reasonable assurance that the MN is in fact addressable at its claimed care-of address as well as at its home address
Done by testing whether packets addressed to the two claimed addresses are routed to the MN
The MN can pass the test only if it is able to supply proof that it received certain data (the "keygen tokens") which the CN sends to those addresses. These data are combined by the MN into Kbm
28
Return Routability Procedure
29
RR Procedure Terminology (1)
Node Key: a secret key (20 octets), Kcn, at the CN
Nonce: the CN also generates nonces at regular intervals
Cookie: random number used by the MN to prevent spoofing by a bogus CN in the RR procedure
Home init cookie: a cookie sent to the CN in the Home Test Init message, to be returned in the Home Test message
Care-of init cookie: a cookie sent to the CN in the Care-of Test Init message, to be returned in the Care-of Test message
30
RR Procedure Terminology (2)
Keygen Token: number supplied by the CN to enable the MN to compute the necessary binding management key for authorizing a BU
Care-of keygen token: carried in the Care-of Test message
Home keygen token: carried in the Home Test message
Cryptographic Functions
SHA: Secure Hash Standard
HMAC_SHA1: Keyed-Hashing for Message Authentication
MAC: Message Authentication Codes
31
Return Routability Test: step 1
[Figure: Mobile Node <care-of address>, Home Agent, Correspondent Node <correspondent address>]
CN state: Secret Key <Kcn>; Temporary Nonces: 1 - <nonce1>, 2 - <nonce2>, ...
MN state: Cookies: <home init cookie>
Home Test Init: src = <home address>, dst = <correspondent address>, <home init cookie>
Home Test: src = <correspondent address>, dst = <home address>, <home init cookie>, <home keygen token>, home nonce index: 1
<home keygen token> = HMAC_SHA1_Kcn(<home address> | <nonce1> | 0) [1:64]
MN now holds: <home init cookie>, <home keygen token>, home nonce index: 1
Home Agent
32
Return Routability Test: step 2
[Figure: Mobile Node <care-of address>, Home Agent, Correspondent Node <correspondent address>]
CN state: Secret Key <Kcn>; Temporary Nonces: 1 - <nonce1>, 2 - <nonce2>, ...
MN state: Cookies: <care-of init cookie>
Care-of Test Init: src = <care-of address>, dst = <correspondent address>, <care-of init cookie>
Care-of Test: src = <correspondent address>, dst = <care-of address>, <care-of init cookie>, <care-of keygen token>, care-of nonce index: 1
<care-of keygen token> = HMAC_SHA1_Kcn(<care-of address> | <nonce1> | 1) [1:64]
MN now holds: <care-of init cookie>, <care-of keygen token>, care-of nonce index: 1
33
Secure Binding Update to CN
[Figure: Mobile Node <care-of address>, Correspondent Node <correspondent address>]
CN state: Secret Key <Kcn>; Temporary Nonces: 1 - <nonce1>, 2 - <nonce2>, ...
MN state: Cookies: <care-of init cookie>, <care-of keygen token>, care-of nonce index: 1; <home init cookie>, <home keygen token>, home nonce index: 1
Kbm = SHA1(<home keygen token> | <care-of keygen token>)
MAC = HMAC_SHA1_Kbm(<care-of address> | <correspondent address> | BU) [1:96]
Binding Update: src = <care-of address>, dst = <correspondent address>, option: Home Address = <home address>, <sequence number>, <home nonce index = 1>, <care-of nonce index = 1>, <MAC>
CN side: <home keygen token> = HMAC_SHA1_Kcn(<home address> | <nonce1> | 0) [1:64]; <care-of keygen token> = HMAC_SHA1_Kcn(<care-of address> | <nonce1> | 1) [1:64]
Once the correspondent node has verified the MAC, it can create a Binding Cache entry for the mobile.
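The three Return Routability slides above give every formula needed to run the procedure end to end. The following Python example is added here (it is not code from the presentation) and implements exactly those formulas: the two keygen tokens derived from Kcn and a nonce, Kbm as the SHA-1 of both tokens, the 96-bit BU MAC, and the CN-side check that recomputes everything from its own Kcn and nonce table. The CN, the HA tunnel and the addresses are simulated in-process; Kcn, the nonces, the addresses and the BU body are constructed sample values, and the run that withholds the Home Test token shows why a node that can only see one of the two paths cannot produce an acceptable MAC.

```python
"""Added example of the Return Routability derivations shown on the slides
(RFC 3775 return routability). Not the presentation's code; all sample values constructed."""
import hashlib
import hmac
import ipaddress

# Constructed sample state: 20-octet Kcn (slide 29), CN nonce table, and three IPv6 addresses.
KCN = bytes(range(20))
NONCES = {1: b"\x11" * 8, 2: b"\x22" * 8}
CN_ADDR = "2001:db8:c::1"
HOME_ADDR = "2001:db8:1::100"
COA = "2001:db8:f::200"


def _hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def _packed(addr: str) -> bytes:
    """16-octet wire form of an IPv6 address, as used inside the HMAC input."""
    return ipaddress.IPv6Address(addr).packed


def home_keygen_token(kcn: bytes, home_addr: str, nonce: bytes) -> bytes:
    """<home keygen token> = HMAC_SHA1_Kcn(<home address> | <nonce> | 0) [1:64]."""
    return _hmac_sha1(kcn, _packed(home_addr) + nonce + b"\x00")[:8]


def careof_keygen_token(kcn: bytes, coa: str, nonce: bytes) -> bytes:
    """<care-of keygen token> = HMAC_SHA1_Kcn(<care-of address> | <nonce> | 1) [1:64]."""
    return _hmac_sha1(kcn, _packed(coa) + nonce + b"\x01")[:8]


def binding_management_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(<home keygen token> | <care-of keygen token>)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_mac(kbm: bytes, coa: str, cn_addr: str, bu: bytes) -> bytes:
    """MAC = HMAC_SHA1_Kbm(<care-of address> | <correspondent address> | BU) [1:96]."""
    return _hmac_sha1(kbm, _packed(coa) + _packed(cn_addr) + bu)[:12]


class CorrespondentNode:
    """CN side: keeps only Kcn and the nonce table. Tokens are recomputed from the nonce
    indices carried in the BU, so the CN holds no per-mobile state before a valid BU."""

    def __init__(self, addr: str, kcn: bytes, nonces: dict):
        self.addr, self.kcn, self.nonces = addr, kcn, nonces
        self.binding_cache = {}

    def home_test(self, home_addr: str, idx: int) -> tuple:
        # Reply to a Home Test Init; reaches the MN through its home address (via the HA).
        return home_keygen_token(self.kcn, home_addr, self.nonces[idx]), idx

    def careof_test(self, coa: str, idx: int) -> tuple:
        # Reply to a Care-of Test Init; reaches the MN directly at the care-of address.
        return careof_keygen_token(self.kcn, coa, self.nonces[idx]), idx

    def verify_binding_update(self, home_addr, coa, home_idx, careof_idx, bu, mac) -> bool:
        if home_idx not in self.nonces or careof_idx not in self.nonces:
            return False  # nonce index no longer known: the BU cannot be checked, so it is rejected
        ht = home_keygen_token(self.kcn, home_addr, self.nonces[home_idx])
        ct = careof_keygen_token(self.kcn, coa, self.nonces[careof_idx])
        expected = bu_mac(binding_management_key(ht, ct), coa, self.addr, bu)
        if not hmac.compare_digest(expected, mac):
            return False
        self.binding_cache[home_addr] = coa  # entry created only after the MAC verifies
        return True


def mobile_node_binding_update(cn_addr: str, home_addr: str, coa: str,
                               home_token: bytes, careof_token: bytes, seq: int) -> tuple:
    """MN side: combine both tokens into Kbm and authenticate the BU with it."""
    bu = b"\x05" + seq.to_bytes(2, "big") + _packed(home_addr)  # constructed BU body
    kbm = binding_management_key(home_token, careof_token)
    return bu, bu_mac(kbm, coa, cn_addr, bu)


def run_exchange(home_addr: str = HOME_ADDR, coa: str = COA, withhold_home_test: bool = False) -> bool:
    """Full RR run. With withhold_home_test=True the MN never receives the Home Test
    (only the care-of path delivered), so it has to guess the home keygen token."""
    cn = CorrespondentNode(CN_ADDR, KCN, NONCES)
    home_token, home_idx = cn.home_test(home_addr, 1)      # HoTI -> HoT
    careof_token, careof_idx = cn.careof_test(coa, 1)      # CoTI -> CoT
    if withhold_home_test:
        home_token = b"\x00" * 8
    bu, mac = mobile_node_binding_update(CN_ADDR, home_addr, coa, home_token, careof_token, seq=1)
    return cn.verify_binding_update(home_addr, coa, home_idx, careof_idx, bu, mac)


if __name__ == "__main__":
    print("genuine MN accepted:", run_exchange())
    print("home test withheld accepted:", run_exchange(withhold_home_test=True))
```

Note that `verify_binding_update` rejects a BU whose nonce indices are no longer in the table before doing any cryptography, which is what lets a CN rotate nonces on a schedule without keeping state for mobiles that never completed the procedure.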
34
Mobile IPv4 vs. Mobile IPv6
Mobile IPv4 | Mobile IPv6
Mobile node, home agent, home link, foreign link | (same)
Mobile node's home address | Globally routable home address and link-local home address
Foreign agent | A "plain" IPv6 router on the foreign link (foreign agent no longer exists); collocated care-of address
Care-of address obtained via Agent Discovery, DHCP, or manually | Care-of address obtained via Stateless Address Autoconfiguration, DHCP, or manually
Agent Discovery | Router Discovery
Authenticated registration with home agent | Authenticated notification of home agent and other correspondent nodes
Routing to mobile nodes via tunneling | Routing to mobile nodes via tunneling and source routing
Route optimization via separate protocol specification | Integrated support for route optimization
35
MIPv6 References
RFC 3775: Mobility Support in IPv6
RFC 4443: ICMPv6
RFC 3776: Using IPsec for MIPv6
RFC 2408: The Internet Key Exchange