
CSCI 6433 Internet Protocols

Class 8

Dave Roberts


Topics

• Mobile IP
• IPSec
• Virtual Private Networks


Mobile IP

• IP was not designed with hand-held or book-sized mobile computers in mind

• Mobile IP has its limitations in today's world: an IP address encodes the network prefix that routers use to reach the host, so the address is tied to a location in the network topology

• However, Mobile IP does illustrate the basics of dealing with a roving host


Mobile IP

Allows portable computers to move from one network to another.

Hosts moving from one network to another was not in the original design of IP!

Without Mobile IP, either
• the host's address must change (breaking its existing transport connections), or
• routers must propagate a host-specific route across the entire Internet


General Characteristics of Mobile IP

• Transparency: mobility is transparent to applications and transport-layer protocols, and routers need not be involved in handling the move.

• Interoperability: a mobile IPv4 host can interoperate with stationary and mobile IPv4 hosts, and a mobile IPv6 host can interoperate with stationary and mobile IPv6 hosts.

• Scalability: scales to large internets.

• Security: authentication for all messages. Registration messages in particular must be authenticated, since an unauthenticated registration would let anyone redirect a host's traffic to an address of their choosing.

• Macro mobility: focuses on long-duration moves, rather than roving as in a cellular phone system.


Overview of Mobile IPv4

• Host can have a primary and a secondary address
• Primary is obtained at the "home" location; it is permanent and fixed
• Secondary is obtained after a move and reported to an agent (router) at home
• Agent intercepts datagrams addressed to the primary address, encapsulates them in IP datagrams, and sends them to the secondary address
• Mobile host deregisters when returning home, and notifies the agent of its new address after another move


Mobile IPv4 Addressing

• Home address: a conventional IP address
• The temporary address is called the care-of address
• Two forms of care-of address:
  • Co-located: an address of the mobile host itself; the mobile host is the tunnel endpoint and decapsulates datagrams on its own
  • Foreign: a foreign agent (router) on the network being visited provides the care-of address (typically the foreign agent's own address) and handles decapsulation and delivery

• A home agent (HA) stores information about mobile nodes whose permanent home address is in the home agent's network.

• The HA acts as a router on a mobile host's (MH) home network which tunnels datagrams for delivery to the MH when it is away from home, and maintains a location directory (LD) for the MH.

• A foreign agent (FA) stores information about mobile nodes visiting its network. Foreign agents also advertise care-of addresses, which are used by Mobile IP. If there is no foreign agent on the visited network, the mobile host has to obtain a co-located care-of address by its own means (for example DHCP).

• The FA acts as a router on a MH's visited network which provides routing services to the MH while registered. The FA detunnels and delivers datagrams to the MH that were tunneled by the MH's HA.


Operation of Mobile IP


Mobile IP

• The mobile node finds an agent on its local network through the agent discovery process: it listens for agent advertisement messages, or can ask for one with an agent solicitation

• The mobile node determines from the advertisement whether it is on its home network

• If it has moved to a foreign network, it obtains a (local) care-of address, to which its datagrams will be forwarded

• The mobile node tells its home agent where it is by sending a registration request, authenticated with a key shared between the mobile node and the home agent

• The home agent intercepts datagrams addressed to the mobile node's home address and tunnels them to the care-of address
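The registration and tunneling steps above, worked through in code as an added example rather than anything from the slides: a home agent that checks the Mobile-Home Authentication Extension on a Registration Request (the "authentication for all messages" property), refuses a replayed or tampered request, installs the binding, and then wraps a datagram for the home address in an IP-in-IP header to the care-of address. Message layouts follow RFC 3344 and RFC 2003; the shared key, SPI, addresses and Identification values are constructed, and the replay check is simplified to a strictly increasing Identification rather than the RFC's timestamp window.

```python
"""Mobile IPv4 home-agent sketch (added example, not from the deck): authenticate a
Registration Request, reject replays, install the binding, then tunnel with IP-in-IP.
Keys, addresses and identification values below are constructed."""
import hashlib
import hmac
import socket
import struct

MOBILE_HOME_KEYS = {0x100: b"constructed-mn-ha-shared-key"}  # SPI -> shared key (constructed)
LAST_ID = {}    # home address -> last accepted Identification (replay protection)
BINDINGS = {}   # home address -> (care-of address, lifetime)

REQ_FMT = "!BBH4s4s4sQ"   # type, flags, lifetime, home addr, home agent, care-of addr, identification
EXT_FMT = "!BBI"          # extension type (32), length (20 = SPI + 16-byte authenticator), SPI

def ip(addr):
    return socket.inet_aton(addr)

def build_registration_request(home, ha, coa, lifetime, ident, spi, key):
    fixed = struct.pack(REQ_FMT, 1, 0, lifetime, ip(home), ip(ha), ip(coa), ident)
    ext_head = struct.pack(EXT_FMT, 32, 20, spi)
    # Default authenticator is HMAC-MD5 over the request plus the extension up to and including the SPI
    auth = hmac.new(key, fixed + ext_head, hashlib.md5).digest()
    return fixed + ext_head + auth

def home_agent_process(msg):
    """Returns (accepted, reason). The authenticator is verified before any state is read or changed."""
    if len(msg) != 46 or msg[0] != 1:
        return False, "malformed"
    fixed, ext = msg[:24], msg[24:]
    etype, elen, spi = struct.unpack(EXT_FMT, ext[:6])
    if etype != 32 or elen != 20:
        return False, "missing auth extension"
    key = MOBILE_HOME_KEYS.get(spi)
    if key is None:
        return False, "unknown SPI"
    expected = hmac.new(key, fixed + ext[:6], hashlib.md5).digest()
    if not hmac.compare_digest(expected, ext[6:]):
        return False, "bad authenticator"          # RFC 3344 reply code 131
    _, _, lifetime, home, _, coa, ident = struct.unpack(REQ_FMT, fixed)
    home_s, coa_s = socket.inet_ntoa(home), socket.inet_ntoa(coa)
    # Simplification: a strictly increasing Identification stands in for the RFC's
    # timestamp-within-window check; a repeated value is treated as a replay.
    if ident <= LAST_ID.get(home_s, 0):
        return False, "replayed identification"   # RFC 3344 reply code 133
    LAST_ID[home_s] = ident
    BINDINGS[home_s] = (coa_s, lifetime)
    return True, "registered"

def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def tunnel_to_mobile(datagram, ha_addr):
    """IP-in-IP (protocol 4): a new outer header HA -> care-of address around the untouched
    original datagram. Returns None if the destination is not a registered mobile."""
    dst = socket.inet_ntoa(datagram[16:20])
    if dst not in BINDINGS:
        return None
    coa, _ = BINDINGS[dst]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(datagram), 0, 0x4000, 64, 4, 0, ip(ha_addr), ip(coa))
    outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]
    return outer + datagram

def demo():
    home, ha, coa = "192.0.2.10", "192.0.2.1", "198.51.100.77"   # constructed addresses
    key = MOBILE_HOME_KEYS[0x100]
    req = build_registration_request(home, ha, coa, 1800, 0x5F3E000000000001, 0x100, key)
    first = home_agent_process(req)
    replay = home_agent_process(req)                                  # same Identification again
    forged = home_agent_process(req[:-1] + bytes([req[-1] ^ 0x01]))  # tampered authenticator
    # A datagram from a correspondent to the mobile's home address (constructed inline)
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0x4000, 64, 17, 0, ip("203.0.113.5"), ip(home)) + b"\x00" * 8
    return first, replay, forged, tunnel_to_mobile(inner, ha)

if __name__ == "__main__":
    print(demo())
```

The order of checks is the point to notice: the authenticator is verified before the home agent reads any field of the request or touches its binding table, so an unauthenticated request costs one HMAC computation and nothing else.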


IPv4 Foreign Agent Discovery

The ICMP router discovery mechanism (router advertisements and solicitations) is reused to discover a foreign agent: an agent advertisement is an ICMP router advertisement carrying a mobility agent advertisement extension.


IPv4 Agent Registration


IPv6 Mobility

• No foreign agents: an IPv6 mobile host always uses a co-located care-of address, which it obtains itself on the visited link (stateless address autoconfiguration or DHCPv6)

• The host holds its home address and a co-located care-of address at once

• Delivery to the mobile does not depend on a foreign agent forwarding frames at the link layer; the care-of address is a routable address of the mobile itself

• An IPv6 routing extension header (the Type 2 routing header) lets a correspondent send directly to the care-of address while still carrying the home address, which makes forwarding more efficient than for IPv4


IPv6 Datagram Transmission

• The IPv6 mobile host first registers its care-of address with its home agent (a binding update carried in the mobility header), so the home agent can tunnel datagrams to it

• When the host sends to a destination from the care-of address, it carries its home address in a Home Address destination option, so the destination sees the connection as coming from the home address

• The host can also send a binding update to the destination itself; the destination accepts it only after a return routability test confirms the mobile is reachable at both addresses, and then sends directly to the care-of address with a Type 2 routing header, bypassing the home agent


Assessment of Mobile IP

• Designed for devices with a fixed home address; it fits poorly with dynamic IP address assignment

• Retaining an IP address is less important than it was, since addresses are assigned dynamically anyway and applications are built to reconnect

• Not practical for devices that move frequently: too much setup and teardown per move

• A VPN allows a remote device to keep a home address and have full access to its home network, which covers the common case


Summary

• Mobile IP allows a computer to move from one network to another without changing its IP address

• The mobile either obtains a co-located care-of address or discovers a foreign mobility agent and uses the care-of address it advertises

• Once registered, the mobile can communicate with an arbitrary computer on the Internet
• Datagrams from the mobile go directly to the destination
• Return datagrams go through the mobile's home agent, which tunnels them to the care-of address (the "triangle routing" asymmetry; reverse tunneling through the home agent is used when the visited network filters datagrams whose source address is not local)


IPSec

• IPSec provides security services (origin authentication, integrity, anti-replay protection and confidentiality) at the IP layer, so every protocol carried over IP, and the applications above them, can use them without change


What’s Needed for A Secure Path

• Mutually agreed security protocols (AH, ESP, or both)
• Mutually agreed specific cryptographic algorithms (cipher and integrity algorithm)
• Exchange of keys


IPSec Protocols and Components


Authentication Header

• The AH allows the contents of the datagram, and the parts of the IP header that do not change in transit, to be authenticated

• It carries an Integrity Check Value (ICV): a message authentication code (for example HMAC-SHA1-96) computed with a secret key agreed between sender and recipient. It is not a plain checksum, so an attacker without the key cannot recompute it after altering the datagram

• The ICV is added by the sender and recomputed by the recipient to validate the contents; AH also carries a sequence number for replay detection

• Because AH covers the source and destination addresses, it cannot pass through a NAT that rewrites them; this is one reason ESP is far more common in practice
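To make the ICV concrete, here is an added example (not from the slides) that computes and verifies an AH ICV over an IPv4 datagram with HMAC-SHA1-96, zeroing the mutable header fields as RFC 4302 requires. Key, addresses and the UDP payload are constructed, and the IP header checksum is left at zero since it is zeroed for the ICV anyway. The demo shows why a router decrementing TTL is harmless while a NAT rewriting the source address, or any change to the payload, fails verification.

```python
"""AH integrity check value for IPv4 (added example, not from the deck): HMAC-SHA1-96
over the IP header with mutable fields zeroed, the AH header with a zeroed ICV field,
and the payload. Key, addresses and payload are constructed."""
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits
AH_FIXED = 12           # next header, payload len, reserved, SPI, sequence number

def ipv4_header(src, dst, payload_len, proto, ttl=64, tos=0, ident=0x1234):
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """RFC 4302: DSCP/ECN, flags, fragment offset, TTL and header checksum may change in
    transit and are zeroed before the ICV is computed (no IP options assumed here)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS byte (DSCP + ECN)
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_fixed_header(next_hdr, spi, seq):
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)

def compute_icv(key, ip_hdr, ah_fixed, payload):
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, src, dst, payload, next_hdr, spi, seq):
    ip_hdr = ipv4_header(src, dst, AH_FIXED + ICV_LEN + len(payload), AH_PROTO)
    ah = ah_fixed_header(next_hdr, spi, seq)
    return ip_hdr + ah + compute_icv(key, ip_hdr, ah, payload) + payload

def verify(key, packet):
    """True if the ICV matches, i.e. nothing AH covers has changed since sending."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTO or len(rest) < AH_FIXED + ICV_LEN:
        return False
    ah, icv, payload = rest[:AH_FIXED], rest[AH_FIXED:AH_FIXED + ICV_LEN], rest[AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, payload), icv)

def demo():
    key = b"constructed-ah-key-32-bytes-long"
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 9])
    udp = b"\x00\x35\x00\x35\x00\x0c\x00\x00hi!!"            # constructed 12-byte UDP payload
    pkt = protect(key, src, dst, udp, 17, 0x1001, 1)
    intact = verify(key, pkt)
    hopped = bytearray(pkt); hopped[8] -= 1                   # router decremented TTL: mutable, still verifies
    natted = bytearray(pkt); natted[12:16] = bytes([203, 0, 113, 7])  # NAT rewrote the source: covered, fails
    tampered = bytearray(pkt); tampered[-1] ^= 0x01           # payload modified in transit: fails
    return intact, verify(key, bytes(hopped)), verify(key, bytes(natted)), verify(key, bytes(tampered))

if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```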


Encapsulation Security Payload

• ESP encrypts the payload, so intermediate devices cannot examine the contents of the datagram

• An ESP header (SPI and sequence number) is placed before the encrypted data
• An ESP trailer (padding, pad length, next header) is placed after it, inside the encryption
• Authentication data (the ICV) is used to check integrity similarly to AH. It is optional in the protocol but should always be used: it is computed after encryption (encrypt-then-MAC) over the header and the ciphertext, so the receiver verifies it before decrypting anything
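The receive side of that last bullet, as an added example that is not part of the deck: parse the ESP header, run the RFC 4303 anti-replay sliding window on the sequence number, and verify the ICV (HMAC-SHA-256-128 over SPI, sequence number and payload) before anything would be decrypted, updating the window only after the ICV checks out. The payload is treated as opaque ciphertext (no cipher is applied); SPI, key and the arrival order are constructed.

```python
"""ESP receive-side processing (added example, not from the deck): anti-replay window
plus ICV verification before decryption. Payload is opaque stand-in ciphertext;
SPI, key and packets are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128

class AntiReplayWindow:
    """Sliding window over the 32-bit sequence number of one SA (non-ESN)."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0         # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (top - i) already accepted

    def check(self, seq):
        """Preliminary check, done before the ICV computation so replays are cheap to drop."""
        if seq == 0:
            return False                         # sequence numbers start at 1
        if seq > self.top:
            return True                          # to the right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                         # fell off the left edge: too old
        return not (self.bitmap >> diff) & 1     # inside the window: new unless already seen

    def update(self, seq):
        """Called only after the ICV verified; otherwise a forged packet could advance
        the window and make the genuine one look like a replay."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def esp_packet(key, spi, seq, ciphertext):
    hdr = struct.pack("!II", spi, seq)
    return hdr + ciphertext + hmac.new(key, hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]

def esp_receive(sa, packet):
    """sa = {'spi': int, 'key': bytes, 'window': AntiReplayWindow}. Returns a reason string."""
    if len(packet) < 8 + ICV_LEN:
        return "too short"
    spi, seq = struct.unpack("!II", packet[:8])
    if spi != sa["spi"]:
        return "unknown SPI"
    if not sa["window"].check(seq):
        return "replay or outside window"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(sa["key"], body, hashlib.sha256).digest()[:ICV_LEN], icv):
        return "bad ICV"                         # dropped before decryption: never decrypt unauthenticated data
    sa["window"].update(seq)
    return "ok"

def demo():
    key = b"constructed-esp-integrity-key"
    sa = {"spi": 0x2001, "key": key, "window": AntiReplayWindow()}
    ct = b"\xde\xad\xbe\xef" * 4                                # stand-in for ciphertext + ESP trailer
    forged = bytearray(esp_packet(key, 0x2001, 5, ct)); forged[9] ^= 0x01
    arrivals = [esp_packet(key, 0x2001, s, ct) for s in (1, 2, 4, 3)]   # mild reordering is accepted
    arrivals += [esp_packet(key, 0x2001, 3, ct),                         # duplicate: replay
                 bytes(forged),                                          # tampered: bad ICV, window untouched
                 esp_packet(key, 0x2001, 5, ct),                         # genuine seq 5 still accepted
                 esp_packet(key, 0x2001, 200, ct),                       # jumps the window forward
                 esp_packet(key, 0x2001, 100, ct)]                       # now 100 behind top: too old
    return [esp_receive(sa, p) for p in arrivals]

if __name__ == "__main__":
    print(demo())
```

Real ESP would decrypt after the ICV passes and then strip the trailer to recover the next-header value and the original payload; that step is omitted here because the point is the ordering of the checks.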


ESP Payload


Internet Key Exchange

• A new security association involves a key exchange

• The following is established:
  • Encryption algorithm to be used
  • Hash (integrity) algorithm
  • Authentication method (pre-shared key or certificates), which binds the key exchange to the peers' identities
  • Diffie-Hellman group
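An added example, not from the slides, of what "Diffie-Hellman group" and "authentication method" mean together: a DH exchange in IKE group 2 (the 1024-bit MODP group of RFC 2409, used here only because its modulus is short enough to show; it is too weak for new deployments, so use group 14 or larger from RFC 3526 in practice), followed by a pre-shared-key MAC over the transcript in the style of IKEv1's SKEYID and HASH_I/HASH_R. The PSK and nonces are constructed. The run with an active attacker substituting its own public values shows why the DH step alone proves nothing about who is on the other end.

```python
"""IKE-style key agreement (added example, not from the deck): Diffie-Hellman in a
negotiated MODP group, then PSK-based authentication of the transcript.
PSK, nonces and the random choices are constructed/generated at run time."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group, IKE group 2 (RFC 2409). Check against the RFC before any real use;
# this group is deprecated for new deployments.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair(p=P_GROUP2, g=G):
    x = secrets.randbelow(p - 2) + 1          # private exponent in [1, p-2]
    return x, pow(g, x, p)

def dh_shared(x, peer_pub, p=P_GROUP2):
    if not 2 <= peer_pub <= p - 2:            # reject 0, 1 and p-1: trivial / small-subgroup values
        raise ValueError("invalid peer public value")
    return pow(peer_pub, x, p)

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def auth_tag(psk, ni, nr, gi, gr, role):
    """MAC over the whole transcript, like IKEv1's HASH_I / HASH_R. The PSK is what proves
    identity; the DH values alone say nothing about who computed them."""
    skeyid = hmac.new(psk, ni + nr, hashlib.sha256).digest()   # IKEv1 PSK mode: SKEYID = prf(psk, Ni | Nr)
    return hmac.new(skeyid, role + to_bytes(gi) + to_bytes(gr) + ni + nr, hashlib.sha256).digest()

def run_exchange(psk_i, psk_r, mitm=False):
    """Returns (initiator_accepts, responder_accepts, keys_match)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    gi_seen_by_r, gr_seen_by_i = gi, gr
    if mitm:                                  # an attacker in the path swaps in its own public value
        _, gm = dh_keypair()
        gi_seen_by_r, gr_seen_by_i = gm, gm
    # Each side MACs the values *it* saw; the attacker cannot forge these without the PSK
    tag_i = auth_tag(psk_i, ni, nr, gi, gr_seen_by_i, b"I")
    tag_r = auth_tag(psk_r, ni, nr, gi_seen_by_r, gr, b"R")
    r_accepts = hmac.compare_digest(tag_i, auth_tag(psk_r, ni, nr, gi_seen_by_r, gr, b"I"))
    i_accepts = hmac.compare_digest(tag_r, auth_tag(psk_i, ni, nr, gi, gr_seen_by_i, b"R"))
    k_i = dh_shared(xi, gr_seen_by_i)
    k_r = dh_shared(xr, gi_seen_by_r)
    return i_accepts, r_accepts, k_i == k_r

if __name__ == "__main__":
    psk = b"constructed-psk"
    print(run_exchange(psk, psk))               # (True, True, True)
    print(run_exchange(psk, psk, mitm=True))    # (False, False, False)
```

With the attacker present both sides still finish the DH computation, but the transcript MACs no longer match and neither side accepts, which is exactly the work the "authentication method" line in the IKE proposal does.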


IPSec Implementation Methods

• End host implementation: implementing in the hosts provides "end to end" security

• Router implementation: implement in pairs of routers (security gateways); provides security between the routers, not on the networks behind them


IPSec Architectures

• Built in to IP
• Inserted into the stack: "bump in the stack"
• In a device connected to the router: "bump in the wire"


Built In to IP

• Integrated: change the IP stack to include IPSec
• Requires extensive software changes for IPv4
• IPv6 was designed to include IPSec (originally mandatory to implement; later relaxed to recommended)


“Bump in The Stack”

• Bump in the stack (BITS): IPSec is implemented as a layer between IP and the data link layer. IPSec intercepts outgoing datagrams from the unmodified IP stack, applies protection, and passes them to the data link layer (and the reverse for incoming datagrams).


“Bump in The Wire”

Bump in the wire (BITW): a separate hardware device is inserted on the wire between a host or router and the network and applies IPSec to the traffic passing through it; such devices are used in pairs, one at each end.


IPSec Modes

• Transport mode: IPSec protects the message passed to IP from the transport layer. The AH and/or ESP header is inserted between the IP header and the transport header as the datagram is created; the original IP header stays in the clear. Used host to host.

• Tunnel mode: IPSec protects the complete IP datagram after its header is applied. The datagram is created normally, then the AH/ESP header and a new outer IP header are added, so the original addresses are hidden (with ESP) or authenticated (with AH). Usually associated with "bump in the stack" and "bump in the wire" implementations and with security gateways.


IPSec Transport Mode


IPSec Tunnel Mode


Summary

• IPSec protects transmitted data against observation (ESP) and against undetected change or replay (AH, or ESP with integrity) by intermediate hosts

• IPSec requires setup between the communicating parties to establish security associations: algorithms, keys, and the policy that says which traffic is protected


VPN

• Extends a private network across a public network such as the Internet

• Enables hosts to send and receive data across shared networks as if they were directly connected to the private network

• A VPN is created by establishing virtual point-to-point connections, typically using tunneling protocols, with or without traffic encryption. Without encryption (a plain GRE or MPLS tunnel, for example) "private" means only address separation, not confidentiality


Virtual Private Networks (VPN)

Suppose we want to:
• Allow external connections
• Keep internal datagrams private

• We can use a VPN to build a private internet, not connected to the public Internet

• Or we can use a VPN to build a private network, and connect each site to the Internet also (hybrid network)


IPSec for VPNs

• IPSec can be used to provide a VPN
• If IPSec is used in tunnel mode, it protects the addresses as well as the contents of the datagrams: only the two gateways' addresses are visible on the public network

• With a "bump in the stack" or gateway implementation, the security policy (which source and destination prefixes, protocols and ports are to be protected, and to which peer gateway they are tunneled) is what turns a set of IPSec tunnels into a VPN
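How that policy turns IPSec into a VPN, as an added example that is not from the deck: an ordered Security Policy Database in the RFC 4301 sense, with PROTECT, BYPASS and DISCARD entries selected on source, destination, protocol and port. The site prefixes, gateway address and ports are constructed. A PROTECT decision would hand the datagram to a tunnel-mode SA toward the named gateway, so only the gateways' addresses appear on the public network; the DISCARD entry is the check that stops private-address traffic from ever leaving in the clear.

```python
"""IPsec Security Policy Database lookup (added example, not from the deck): ordered
selectors deciding PROTECT / BYPASS / DISCARD per outbound datagram. Prefixes, gateway
and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]                 # None = any protocol
    dport: Optional[int]                 # None = any destination port
    action: str                          # "PROTECT" | "BYPASS" | "DISCARD"
    tunnel_peer: Optional[str] = None    # peer gateway for PROTECT in tunnel mode

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def lookup(spd, src, dst, proto, dport):
    """First match wins (the SPD is ordered); no match means discard, as RFC 4301 requires."""
    for entry in spd:
        if entry.matches(src, dst, proto, dport):
            return entry.action, entry.tunnel_peer
    return "DISCARD", None

def build_spd(local_site, remote_site, remote_gw):
    net = ipaddress.ip_network
    return [
        # IKE to the peer gateway must bypass, or the SA could never be negotiated
        SpdEntry(net("0.0.0.0/0"), net(remote_gw + "/32"), 17, 500, "BYPASS"),
        SpdEntry(net("0.0.0.0/0"), net(remote_gw + "/32"), 17, 4500, "BYPASS"),
        # site-to-site traffic is tunnelled to the remote gateway (tunnel mode)
        SpdEntry(net(local_site), net(remote_site), None, None, "PROTECT", remote_gw),
        # never let private-address traffic leak to the public side unprotected
        SpdEntry(net("0.0.0.0/0"), net("10.0.0.0/8"), None, None, "DISCARD"),
        # everything else goes out in the clear: the "hybrid network" case
        SpdEntry(net("0.0.0.0/0"), net("0.0.0.0/0"), None, None, "BYPASS"),
    ]

def demo():
    spd = build_spd("10.1.0.0/16", "10.2.0.0/16", "203.0.113.1")   # constructed sites and gateway
    return {
        "intranet": lookup(spd, "10.1.5.5", "10.2.7.7", 6, 443),        # to the other site: tunnelled
        "ike": lookup(spd, "10.1.5.5", "203.0.113.1", 17, 500),         # key exchange: in the clear
        "leak": lookup(spd, "10.1.5.5", "10.9.9.9", 6, 22),             # private dst with no tunnel: dropped
        "web": lookup(spd, "10.1.5.5", "198.51.100.20", 6, 80),         # public Internet: in the clear
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Order matters: if the DISCARD entry were placed above the PROTECT entry, traffic to the remote site would be dropped instead of tunnelled, and if the catch-all BYPASS came first nothing would ever be protected. Reviewing an SPD therefore means reading it top to bottom with the same eye one uses on a firewall rule set.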


VPN Example

Source: Wikipedia


Virtual Private Network


VPN Addressing


VPN with Private Addresses


VPN Services

• Today a great variety of VPN services are offered
• One service lets you use an IP address associated with a different location, so that your messages appear to come from somewhere other than your location

• Another lets you use a constant IP address even though your ISP may use dynamic IP addressing or you might be behind a NAT router


Summary

• VPN: a less costly alternative to a private connection (such as a leased line) between networks
