
to 1 and the receiver does not understand the AVP, it must reject the request. The P (privacy)
bit indicates that the AVP needs end-to-end protection (encryption), not merely the hop-by-hop
protection of each link it crosses.

Table 5.19 AAA documents

Name                                  Functionality
Diameter base protocol                Peer-to-peer session management, accounting, failover
                                      and proxy; defines support for TLS and IPSec
Diameter network access server        AAA service for NAS; support for PPP CHAP and
application                           RADIUS/DIAMETER interworking
Diameter Mobile IPv4 application      AAA service for mobile IPv4
AAA transport profile                 Use of TCP and SCTP for AAA
DIAMETER EAP application              Use of DIAMETER to provide extensible authentication
                                      protocol (EAP) to PPP users
DIAMETER cryptographic message        Transport of X.509 certificates between DIAMETER peers
syntax application
5.14 MOBILE IP 255



Figure 5.69 AVP format: AVP code (32 bits); flag bits V, M and P followed by the AVP length (drawn as 29 bits in the figure; RFC 3588 specifies an 8-bit flags field, V, M, P plus five reserved bits, and a 24-bit length); optional Vendor ID (32 bits, present only when V is set); data (variable length, padded to a 32-bit boundary).
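The V, M and P bit rules above, as an added Python example (not code from the page or from any Diameter implementation): it serialises and parses AVPs in the Figure 5.69 layout using the RFC 3588 field widths (8-bit flags, 24-bit length, optional Vendor-ID, 32-bit padding) and applies the mandatory-bit check a receiver must make. Session-Id (263) and Origin-Host (264) are base-protocol AVP codes; the vendor AVP (10415, 701), the unknown code 9999 and the session identifier string are assumed for illustration.

```python
import struct

AVP_FLAG_V = 0x80   # Vendor-Specific: a 32-bit Vendor-ID follows the 8-byte header
AVP_FLAG_M = 0x40   # Mandatory: a receiver that does not understand the AVP must reject the message
AVP_FLAG_P = 0x20   # Privacy: the AVP needs end-to-end protection

DIAMETER_SUCCESS = 2001
DIAMETER_AVP_UNSUPPORTED = 5001   # RFC 3588 result code for an unknown AVP with M set


def build_avp(code, data, flags=0, vendor_id=None):
    """Serialise one AVP. The length field covers header + data but not the padding."""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        header = struct.pack("!II", code, (flags << 24) | (12 + len(data))) + struct.pack("!I", vendor_id)
    else:
        header = struct.pack("!II", code, (flags << 24) | (8 + len(data)))
    return header + data + b"\x00" * (-len(data) % 4)   # pad to a 32-bit boundary


def parse_avp(buf, offset=0):
    """Parse the AVP starting at buf[offset]; return (avp, offset of the next AVP)."""
    if len(buf) - offset < 8:
        raise ValueError("truncated AVP header")
    code, flags_len = struct.unpack_from("!II", buf, offset)
    flags, length = flags_len >> 24, flags_len & 0x00FFFFFF
    header_len = 12 if flags & AVP_FLAG_V else 8
    if length < header_len or offset + length > len(buf):
        raise ValueError("AVP length %d does not fit the buffer" % length)
    vendor_id = struct.unpack_from("!I", buf, offset + 8)[0] if header_len == 12 else None
    avp = {
        "code": code,
        "vendor_id": vendor_id,
        "mandatory": bool(flags & AVP_FLAG_M),
        "protected": bool(flags & AVP_FLAG_P),
        "data": buf[offset + header_len:offset + length],
    }
    return avp, offset + ((length + 3) & ~3)     # step over the padding


def parse_avps(buf):
    avps, offset = [], 0
    while offset < len(buf):
        avp, offset = parse_avp(buf, offset)
        avps.append(avp)
    return avps


def check_mandatory(avps, supported):
    """M-bit rule: an unknown AVP is ignored unless M is set, in which case the whole
    message is rejected. `supported` holds the (vendor_id, code) pairs this node implements."""
    for avp in avps:
        if (avp["vendor_id"], avp["code"]) not in supported and avp["mandatory"]:
            return DIAMETER_AVP_UNSUPPORTED, avp["code"]
    return DIAMETER_SUCCESS, None


# Base-protocol AVPs plus one vendor AVP this receiver implements (the vendor AVP is assumed).
SUPPORTED = {(None, 263), (None, 264), (10415, 701)}


def demo():
    """Three constructed messages: fully supported, unknown AVP with M set, same AVP with M clear."""
    known = (build_avp(263, b"host.example;1;2", AVP_FLAG_M)
             + build_avp(701, b"\x01\x02", AVP_FLAG_M, vendor_id=10415))
    unknown_mandatory = known + build_avp(9999, b"x", AVP_FLAG_M)
    unknown_optional = known + build_avp(9999, b"x")
    return (check_mandatory(parse_avps(known), SUPPORTED)[0],
            check_mandatory(parse_avps(unknown_mandatory), SUPPORTED)[0],
            check_mandatory(parse_avps(unknown_optional), SUPPORTED)[0])
```

The length check before slicing is the part worth copying: an AVP length that points past the buffer, or that is smaller than its own header, is how a malformed message turns a parser into a crash or an infinite loop, and the padding must be skipped using the declared length, not the data length.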

5.14 MOBILE IP
Since many users on the Internet move from one location to another, it would be advan-
tageous for them to be able to access their home network resources and services on the
move. This is becoming more important as more users connect via their PDAs or lap-
tops. Ideally a user would like to connect to any network access point within a customer
premises or even use a mobile connection and be connected transparently to their home
network via the Internet.
The problem here is with Internet addressing itself. Recall that an IPv4 address
consists of 4 bytes, e.g. 152.226.23.45. The 152.226 in this example identifies the home
network of a user; all packets addressed to the user's machine will be directed by the
Internet routers to this network. If the user resides on this network then there is no
problem. However, if the user moves to another network, e.g. 145.67, then the packets
will never reach him or her. Using DHCP, a user can attach to a new network and be
given a new IP address, but this does not solve the problem: the new address gives access
to the visited network, while packets sent to the home address are still routed to the
user's home network.
How does the system work in practice? As illustrated in Figure 5.70, the user's home
network must have a home agent set up and the visited network must have a foreign agent
set up. Once the computer is attached to the visited network, it will contact the foreign
agent by soliciting an advertisement (or just wait until the foreign agent advertises itself).
In its advertisement the foreign agent will provide a list of care-of addresses that can be
used by the mobile node while it is residing at the foreign network.


5.14.1 Mobile IP routing
The care-of address is used as follows. Each mobile IP user has an associated care-of
address which is registered with its home agent. This is referred to as the home user's
address binding. When packets arrive for the station, the home agent will intercept them
and then divert them to the foreign agent using the mobile node's care-of address. Each
packet received by the mobile node is tunnelled between the home and foreign agents by
encapsulating it in an outer IP header. This allows the original packet to remain unmodified
and the process of mobility to be transparent to the end hosts. When the foreign agent
receives the tunnelled packet, it removes the outer header and forwards the contents to
the mobile user directly. In the reverse direction, the packets can be sent directly to the
source and do not have to traverse the mobile user's home network.

Figure 5.70 Example of mobile IP. Mobile node with home address 128.4.5.6, visiting network 192.4.5.0 via the foreign agent at 192.4.5.6 (its care-of address); home agent 128.4.255.254 in home network 128.4.0.0; correspondent node 165.5.2.2. (1) Foreign agent advertisement: care-of address = 192.4.5.6. (2) Registration request from the mobile node to the foreign agent: care-of address = 192.4.5.6, home address = 128.4.5.6, home agent = 128.4.255.254, authentication data. (3) The same registration request relayed by the foreign agent to the home agent. (4) IP packet from the correspondent node: destination 128.4.5.6, source 165.5.2.2. (5) Tunnelled packet: tunnel header destination 192.4.5.6, source 128.4.255.254; inner header destination 128.4.5.6, source 165.5.2.2. (6) The foreign agent removes the tunnel header and delivers the inner packet to the mobile node. (7) Reply from the mobile node sent directly: destination 165.5.2.2, source 128.4.5.6.
Looking at the call scenario in Figure 5.70 in some detail, the following steps are
performed.

1. The mobile host receives an advertisement containing the care-of address 192.4.5.6.
2. The mobile node sends a registration request containing the care-of address, home
agent's address (128.4.255.254), mobile node's home address (128.4.5.6) and
authentication data to the foreign agent. An expiry time value is also included (not
shown) which indicates how long the binding is valid for.
3. The foreign agent forwards the registration request to the home agent. The home
agent then uses this information to create a binding between the node™s home address
(128.4.5.6) and the care-of address (192.4.5.6).
4. The packet sent from the correspondent node to 128.4.5.6 is intercepted by the
home agent.
5. The home agent tunnels the packet using the care-of address registered for 128.4.5.6.
6. The foreign agent receives the tunnelled packet, removes the outer header then
forwards it to the mobile node.
7. The mobile node sends a reply back to the correspondent node directly.


5.14.2 Mobile IP security
Since mobile IP registration requests alter the routing of IP packets, rogue registrations
(i.e. from unauthorized users) could redirect a user's traffic to a care-of address of the
attacker's choosing or be used to mount a denial of service attack on the network. For this
reason mobile IP registration messages contain an authentication field. This field is a keyed
hash over the request, generated using a secret shared between the mobile user and its
home agent. When a registration arrives at the home agent, the authentication field is
checked; if it is found to be invalid, the request is ignored and no binding is created. A
valid request must also not be replayable by a third party who captured it; the identification
field of the request serves that purpose.
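The check described above, together with steps 2 and 3 of the call scenario, as an added Python example (not code from the page or from any Mobile IP implementation): a home agent that verifies the Mobile-Home Authentication Extension before installing a binding, so that a rogue request without the secret cannot redirect 128.4.5.6 and a captured genuine request cannot be replayed. The message layout and reply codes follow RFC 3344; the HMAC-SHA256 authenticator (the RFC's default is HMAC-MD5), the strictly increasing identification check (a simplification of the RFC's timestamp or nonce replay protection), the shared secret, the SPI and the attacker's address 10.9.9.9 are assumptions made for the example, while the other addresses are those of Figure 5.70.

```python
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST = 1            # Registration Request message type
MN_HA_AUTH_EXT = 32        # Mobile-Home Authentication Extension type (RFC 3344)
AUTH_LEN = 32              # HMAC-SHA256 output; assumed here, the RFC default is HMAC-MD5
BODY_LEN = 24              # type, flags, lifetime, home address, home agent, care-of, identification

# Registration reply codes (RFC 3344 section 3.4)
ACCEPTED = 0
MN_FAILED_AUTH = 131
IDENTIFICATION_MISMATCH = 133
POORLY_FORMED = 134
UNKNOWN_HOME_AGENT = 136


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def _authenticator(key, covered):
    return hmac.new(key, covered, hashlib.sha256).digest()


def build_registration_request(home_addr, home_agent, care_of, lifetime,
                               identification, spi, key, flags=0):
    """Registration Request plus Mobile-Home Authentication Extension. The authenticator
    covers the fixed part and the extension's type, length and SPI (RFC 3344 section 3.5.2)."""
    body = struct.pack("!BBH4s4s4sQ", REG_REQUEST, flags, lifetime,
                       _ip(home_addr), _ip(home_agent), _ip(care_of), identification)
    ext_header = struct.pack("!BBI", MN_HA_AUTH_EXT, 4 + AUTH_LEN, spi)
    return body + ext_header + _authenticator(key, body + ext_header)


class HomeAgent:
    def __init__(self, address, keys):
        self.address = address
        self.keys = keys                 # {(home address, SPI): shared secret}
        self.bindings = {}               # home address -> (care-of address, expiry time)
        self.last_identification = {}    # home address -> last accepted identification

    def process_request(self, msg, now):
        """Return the registration reply code; the binding table changes only on ACCEPTED."""
        if len(msg) != BODY_LEN + 6 + AUTH_LEN or msg[0] != REG_REQUEST:
            return POORLY_FORMED
        _, _flags, lifetime, home_b, ha_b, coa_b, identification = struct.unpack(
            "!BBH4s4s4sQ", msg[:BODY_LEN])
        ext_type, ext_len, spi = struct.unpack("!BBI", msg[BODY_LEN:BODY_LEN + 6])
        if ext_type != MN_HA_AUTH_EXT or ext_len != 4 + AUTH_LEN:
            return POORLY_FORMED
        if str(ipaddress.IPv4Address(ha_b)) != self.address:
            return UNKNOWN_HOME_AGENT
        home = str(ipaddress.IPv4Address(home_b))
        key = self.keys.get((home, spi))
        # Constant-time comparison; an unknown (home, SPI) pair fails like a bad authenticator.
        if key is None or not hmac.compare_digest(
                _authenticator(key, msg[:BODY_LEN + 6]), msg[BODY_LEN + 6:]):
            return MN_FAILED_AUTH
        if identification <= self.last_identification.get(home, -1):
            return IDENTIFICATION_MISMATCH          # replay of an earlier genuine request
        self.last_identification[home] = identification
        if lifetime == 0:
            self.bindings.pop(home, None)           # lifetime 0 deregisters the node
        else:
            self.bindings[home] = (str(ipaddress.IPv4Address(coa_b)), now + lifetime)
        return ACCEPTED


SECRET = b"mn-ha shared secret (assumed, configured out of band)"


def demo():
    ha = HomeAgent("128.4.255.254", {("128.4.5.6", 0x100): SECRET})
    genuine = build_registration_request("128.4.5.6", "128.4.255.254", "192.4.5.6", 1800,
                                         identification=1, spi=0x100, key=SECRET)
    accepted = ha.process_request(genuine, now=1000)
    # Attacker without the secret tries to redirect the node's traffic to 10.9.9.9
    rogue = build_registration_request("128.4.5.6", "128.4.255.254", "10.9.9.9", 1800,
                                       identification=2, spi=0x100, key=b"guess")
    rejected = ha.process_request(rogue, now=1001)
    # Replay of the genuine request captured on the wire
    replayed = ha.process_request(genuine, now=1002)
    return accepted, rejected, replayed, ha.bindings["128.4.5.6"][0]
```

Two details matter in practice: the authenticator must be checked before anything in the request is acted on, and the replay check must come after authentication, otherwise an attacker can burn identification values with unauthenticated junk and lock the genuine node out.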


5.14.3 Route reverse tunnelling
From Figure 5.70, it is clear that the packet sent directly from the mobile node to the
correspondent node has a topologically incorrect source address. The network prefix of this
packet is 128.4, that of its home network, whereas the node is now residing on a network
with prefix 192.4.5, and hence there is a mismatch. It is common for security devices (e.g.
firewalls and border routers) to filter out packets whose source address does not belong
to the network they arrive from; this ingress filtering (RFC 2827) protects the network
from becoming a source of certain types of denial of service attack that rely on spoofed
source addresses. For the example given, all packets sent directly in the return direction
would be filtered. To get round this problem, a scheme called reverse tunnelling (RFC 3024)
has been developed. In this mechanism packets sent in the reverse direction, from the
mobile user to the correspondent address, are tunnelled from the foreign agent to the home
agent, so that the outer source address (the care-of address) is correct for the visited
network. The home agent removes the tunnel header before forwarding the packets to their
final destination.
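The data path of steps 4 to 7 in Figure 5.70 and the reverse tunnel just described, as an added Python example (not code from the page): it builds IPv4 headers with the figure's addresses, has the home agent encapsulate the correspondent's packet in IP-in-IP (protocol 4, RFC 2003) towards the care-of address, has the foreign agent strip the outer header, then applies an RFC 2827 style source check at the visited network's border to the direct reply and shows the same reply passing once the foreign agent reverse-tunnels it to the home agent. The payload bytes and the /24 visited prefix are constructed for the example; options, fragmentation and TTL handling are left out.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4       # IP-in-IP encapsulation, RFC 2003
IPPROTO_UDP = 17

# Addresses taken from Figure 5.70; the /24 is an assumption for the example
CORRESPONDENT = "165.5.2.2"
HOME_ADDRESS = "128.4.5.6"
HOME_AGENT = "128.4.255.254"
CARE_OF = "192.4.5.6"            # the foreign agent's address
VISITED_PREFIX = "192.4.5.0/24"


def checksum(data):
    """RFC 1071 ones-complement checksum; verifying a header with its checksum in place gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9],
            "payload": pkt[ihl:total_len]}


def home_agent_forward(pkt, bindings):
    """Step 5: tunnel a packet addressed to a registered home address to its care-of address."""
    care_of = bindings.get(parse_ipv4(pkt)["dst"])
    if care_of is None:
        return pkt                          # not a mobile node, or the node is at home
    return build_ipv4(HOME_AGENT, care_of, IPPROTO_IPIP, pkt)


def decapsulate(pkt, expected_dst):
    """Step 6 at the foreign agent, or the tunnel exit at the home agent: return the inner packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP or outer["dst"] != expected_dst:
        raise ValueError("not a tunnel packet for this agent")
    return outer["payload"]


def ingress_filter_allows(pkt, prefix):
    """Border filter of the visited network: only locally sourced packets may leave (RFC 2827)."""
    return ipaddress.IPv4Address(parse_ipv4(pkt)["src"]) in ipaddress.ip_network(prefix)


def reverse_tunnel(pkt):
    """The foreign agent wraps the mobile node's packet so the outer source is topologically correct."""
    return build_ipv4(CARE_OF, HOME_AGENT, IPPROTO_IPIP, pkt)


def demo():
    bindings = {HOME_ADDRESS: CARE_OF}           # installed by the registration in steps 2-3
    step4 = build_ipv4(CORRESPONDENT, HOME_ADDRESS, IPPROTO_UDP, b"constructed payload")
    step5 = home_agent_forward(step4, bindings)
    outer = parse_ipv4(step5)
    step6 = parse_ipv4(decapsulate(step5, CARE_OF))
    # Step 7 sent directly: the home-address source fails the visited network's filter
    step7 = build_ipv4(HOME_ADDRESS, CORRESPONDENT, IPPROTO_UDP, b"reply")
    direct_ok = ingress_filter_allows(step7, VISITED_PREFIX)
    # The same reply through the reverse tunnel passes, and the home agent unwraps it
    tunnelled = reverse_tunnel(step7)
    tunnel_ok = ingress_filter_allows(tunnelled, VISITED_PREFIX)
    delivered = parse_ipv4(decapsulate(tunnelled, HOME_AGENT))
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_dst": step6["dst"], "inner_payload": step6["payload"],
            "direct_passes_filter": direct_ok, "tunnel_passes_filter": tunnel_ok,
            "reply_src": delivered["src"], "reply_dst": delivered["dst"]}
```

Note that the tunnel exit checks the outer destination is its own address before decapsulating; a home agent that unwraps any IP-in-IP packet it sees becomes an open relay for spoofed inner packets.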


5.14.4 Route optimization
One can see from Figure 5.70 that the route packets take from the correspondent node
to the mobile node is non-optimal. This is because the correspondent node is unaware of
the mobile node's care-of address. Ideally, there should be a mechanism which allows the
mobile node to optimize the route. To achieve this a scheme has been proposed which
allows the mobile node to update a correspondent node directly with its care-of address
binding. This is illustrated in Figure 5.71.

1. The first packet sent from the correspondent's address is via the home agent, which
forwards it to the mobile node. Of course, to do this the mobile user must have still
registered with the home agent.
2. The mobile node then sends a binding update to the correspondent node, containing
its care-of and home address binding.
3. The correspondent node then sends packets directly to the user's care-of address.

The use of route optimization is difficult, however, due to problems of authentication.
The binding update must be authenticated (to guard against denial of service and traffic
hijacking). If the updates are unauthenticated, an attacker could send a spoofed binding,
fooling the correspondent node into sending packets to the wrong destination. Authentication
between the mobile node and the home agent is relatively simple since they can both be
configured with a shared secret. Authentication between the correspondent node and the
mobile node is a lot more difficult, since the correspondent can be any node on the Internet.
Obviously configuring a different shared secret between the mobile node and all other nodes
on the Internet would be totally impractical. The problem of security with route optimization
is still work in progress for the IETF.


5.14.5 Mobile IP for IPv6
For IPv6, the use of the foreign agent is dropped and all care-of addresses are co-located at
the mobile host. Three messages are supported: binding update, binding acknowledgment
and binding request.

Figure 5.71 Route optimization in mobile IP: (1) the first packet from the correspondent node is sent via the home agent to the mobile node at 192.4.5.6; (2) the mobile node sends a binding update to the correspondent node with care-of address = 192.4.5.6 and home address = 128.4.5.6; (3) subsequent packets are sent directly to the care-of address.


The binding update serves the same purpose as the registration request but does not
contain an authentication field. This is because authentication for IPv6 is provided by
IPSec as a standard extension header (i.e. AH or ESP). Binding updates are sent to
the user's home agent, and they can also be sent to a correspondent node directly (to
achieve route optimization). However, the authentication problem for route optimization
still exists. For this reason, a mobile node is only allowed to send binding updates to
correspondents with which it can establish an IPSec security association. (The final Mobile
IPv6 specification, RFC 3775, kept IPSec for the mobile node to home agent path but
replaced this requirement for correspondents with the return routability procedure, which
needs no pre-shared keys.) The binding acknowledgement is sent in reply to a binding
update, to ensure reliability.
Finally, the binding request is sent by a correspondent to request a new update; for
example, it may have a care-of address listed for the mobile node which is about to expire.
The mobile node is expected to reply with a new binding update.
In summary, mobile IP with IPv6 is simpler and more scalable than with IPv4. It uses
the security mechanisms provided with IPv6 (i.e. IPSec) and provides support for
route optimization as standard.



5.14.6 Foreign agent handover and mobile IP
When the mobile station is on the move using a cellular radio service, as it moves from
one IP subnet to another, a new foreign agent must be contacted and the registration
with the home agent must be re-established. However, packets may still be being delivered
to the old foreign agent, which does not know the new foreign agent's care-of address.
A handoff (handover) mechanism is required to ensure a smooth transition with no
packet loss.
To help guard against packet loss, one possibility is to have a transition time during which
the home agent supports registrations to both foreign agents at the same time (see Figure 5.72).
The ability to hold multiple bindings at the home agent is requested via the S (simultaneous
bindings) flag in the registration request. If the flag is set to 1 this instructs the

Figure 5.72 (partial): new foreign agent at 192.6.7.8; home agent binding table with columns Home address and Care-of address.
