Mobile IP and VPN
Tarik Cicic, University of Oslo, December 2001

Overview
• Concept of tunneling
• Mobile IP concepts and deployment
• Virtual Private Network principles

Tunneling
• Technique for modifying data transport
• Used to transport data
  – with inconsistent addresses
  – belonging to incompatible protocols
• Packets belonging to Layer n are transported on Layer m, where n <= m
• Examples:
  – IP in IP (L3 in L3)
  – ATM in IP (L2 in L3)
“Regular” Data Packets
[Figure: a packet consists of a header followed by a payload; the stack is shown growing from HTTP to TCP/HTTP to IP/TCP/HTTP]
• Information is packed in the payload
• Control information is in the header
• Each layer adds its header

Tunneling
[Figure: “n-in-n” tunneling, where an IP1/TCP/HTTP packet is carried inside a second IP header (IP2/IP1/TCP/HTTP), next to “n-in-m” tunneling, where the IP/TCP/HTTP packet is carried inside another layer's encapsulation. Not drawn to scale ☺]

Pros and Cons
+ Tunneling is essential for a range of new IP services
- It adds overhead and complexity to the communications
• We would prefer not to use it whenever possible
Mobility

Mobility Concepts
• Work in office and at home (DHCP, dialup)
• Home-network access wherever we are
  – VPN, IPsec, dialup
• Switch networks without service interruption
  – Mobile IP
• Other
  – WLAN roaming, protocol service discovery, cellular technologies

Mobile IP Terminology
• Care-of address: temporary address on a foreign network
• Home Agent (HA): computer on the home network responsible for tracking the mobile node
• Foreign Agent (FA): computer on the remote network responsible for assigning the care-of addresses and informing the HA about them
Basic Concept
[Figure: the sender reaches the mobile node across the Internet. The mobile node introduces itself to the FA; the FA sends the care-of address to the HA; packets for the mobile node are tunnelled from the home agent to the foreign agent (158.9.13.15). The HA's binding table:]
  Local Address    Care-of Address
  129.240.64.135   158.9.13.15
  129.240.64.97    192.4.69.3

Mobile IP Protocol Components
• Agent discovery
• Registration procedure
• Handoff rules:
  – from one network to another
  – triggered by, e.g., traffic drop or retransmissions
• Address binding

Route Optimization
• Avoiding the “triangle” communication through binding updates
[Figure: a binding update tells the sender that 129.240.64.135 is at 158.9.13.15, so traffic no longer has to pass through the home agent on its way to the foreign agent]
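The home agent's side of the basic concept above, as an added example that is not part of the original slides: a binding table mapping home addresses to care-of addresses (the two entries from the slide's table) and IP-in-IP encapsulation (RFC 2003) of packets addressed to a node that is away. The home agent address 129.240.64.1 and the sender address 192.0.2.10 are assumed values, not given on the slide.

```python
import struct
from ipaddress import IPv4Address
IPPROTO_IPIP = 4  # RFC 2003 IP-in-IP, the default Mobile IPv4 tunnel encapsulation

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header, verify version and checksum, and split off the payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}

class HomeAgent:
    """Home agent holding the slide's binding table: home address -> care-of address."""
    def __init__(self, ha_addr: str):
        self.addr = ha_addr  # the HA's own address is an assumed value; the slide does not give it
        self.bindings = {}

    def register(self, home_addr: str, care_of: str) -> None:
        self.bindings[home_addr] = care_of  # registration: the care-of address the FA reports

    def forward(self, pkt: bytes) -> bytes:
        """Packet for a home address: tunnel it to the care-of address if the node is away."""
        care_of = self.bindings.get(parse_ipv4(pkt)["dst"])
        if care_of is None:
            return pkt  # node is at home: deliver unchanged, no tunnel
        return ipv4_header(self.addr, care_of, IPPROTO_IPIP, len(pkt)) + pkt

def decapsulate(pkt: bytes) -> bytes:
    """Tunnel endpoint (FA or mobile node): strip the outer header, return the original packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    return outer["payload"]
```

The outer header is what the public network routes on; the checksum check in parse_ipv4 is what a tunnel endpoint would apply before trusting either header.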
Mobile IPv6
• Node autoconfiguration in foreign network
• Secure binding updates
• Source routing through the routing header
• No FA needed
• No tunneling
[Figure: sender, receiver, home agent and foreign agent connected through the IPv6 Internet]

Route Optimization in IPv6
• Routing header normally used
• If a packet arrives at the HA, it is assumed that the source does not know the COA, and the packet is encapsulated to the mobile node:
  Outer header: [Dst = COA | Src = HA]  Inner packet: [Dest | Src | Payload]
• Mobile node sends a routing update to the source

Mobile IP Summary
• Mobile IP still not widely deployed:
  – IPv4 networks need substantial software to run Mobile IP (client protocol stack, FA, HA …)
  – IPv6 deployment still pending
• We believe Mobile IP will become widespread
• More work on
  – dynamic (smooth) handover
  – security
  – compatibility
  – merging IP and telecom solutions
Virtual Private Networks

Introduction
• Technique to interconnect networks at geographically spread locations
• Public network infrastructure is used instead of leased lines
• The network looks private to the user, hence the term “virtual”

VPN Advantages
• Cost-saving, as it gains from statistical multiplexing
• Flexibility (connecting new sites, contract modifications, points of presence etc.)
• Transfer of servicing tasks to the network provider
VPN Challenges
• Security
• Reliability and QoS
• Lack of standards

Security
• Authentication (how to know that the data is really sent by the peer)
• Policy enforcement (access control lists, firewalls)
• Transport of confidential data over public networks (encryption)
• Monitoring for network intrusions

VPN QoS
• No QoS support in IP networks
• Heavy requirements on ingress points in order to maintain the traffic contracts
• Lower efficiency
Where to Implement?
• Layer 3 (IPsec, GRE, L2TP, MPLS):
  + Flexibility, simplicity
  - IP only, poor standardization
• Layer 2 (FR, ATM, PPP):
  + Multi-protocol, integration with access networks
  - Maintenance, complexity

Simple VPN Topology
[Figure: two VPNs over one provider backbone (routers R1, R2, R3, R4 with ingress points P1 and P2). VPN 1 has sites N1a (10.0.128/24) and N1b (10.0.0/17); VPN 2 has sites N2a (10.0.128/24) and N2b (10.0.0/17), i.e. the same private prefixes appear in both VPNs.]
• VPN identifiers are needed:
  – to discriminate packets by destination
  – to perform policing on their way

Three VPN Categories
• Access VPN:
  – remote, dial-in access to a “Point of Presence” in the local area
• Intranet VPN
  – site-to-site communication
• Extranet VPN
  – business-to-business
  – mutual access policies enforced
Four VPN Implementation Methods
• Virtual Leased Lines
  – intranet/extranet, L2 forwarding (e.g. AAL5/IP)
• Virtual Private Dial Networks
  – access, L2 (e.g. PPP/L2TP/UDP/IP/PPP/L2)
• Virtual Private Routed Networks
  – intranet/extranet, L3
• Virtual Private LAN Segments
  – intranet, L2

Virtual Leased Lines
• VLL is designed for companies with developed L2 (ATM) intranets
[Figure: three corporate intranets interconnected over an IP backbone; at the edge the stack is IP over AAL5 over the backbone link]

Virtual Dial Network
• Remote access with full functionality + cost reduction
[Figure: a remote user in the USA dials a POP/GW over the telephone network using PPP; the POP/GW carries the PPP session over L2TP/UDP/IP across the IP backbone to the POP/GW in Norway, where an L2TP server and a security server terminate it into the corporate intranet]
Virtual Private Routed Networks
• Emulation of a wide-area routed network
[Figure: corporate intranets interconnected over an IP backbone; IP is routed at every hop, with IP carried over the backbone link]
• Most advanced
• Complex
• Virtual inter-domain routing (intra-VPRN reachability info)
• Overlay/piggybacked model

Virtual Private LAN Segments
• Full virtual LAN implementation: complete protocol transparency
[Figure: corporate intranets interconnected over an IP backbone; the backbone interconnect performs as an L2 bridge, with L2 frames carried over the IP backbone link]

VPN Summary
• “Suboptimal in theory, perfect in practice”
• Cost-saving technology
• Security issues
• VPN QoS issues
• Full IP standardization needed