(1)

Early Binding Updates for Mobile IPv6

Christian Vogt, Roland Bless, Mark Doll, Tobias Küfner

IEEE Wireless and Communications and Networking Conference

New Orleans, March 15, 2005

(2)

Mobile IPv6 Scenario

[Figure: Mobile IPv6 scenario; label: FTP]

(3)

Outline

• Mobile IPv6 basics
• Security and efficiency
• Proposed optimization
• Early Binding Updates
• Credit-Based Authorization
• Analysis

(4)

Mobile IPv6 Basics

[Figure: network diagram; labels: 2000::/64, Home Address, Internet, 3000::/64, Correspondent Node, Mobile Node]

Home Address = global ID above IP
Care-of Address = locator

(5)

Mobile IPv6 Basics

[Figure: network diagram; labels: 2000::/64, Home Address, Home Agent, Internet, 3000::/64, Correspondent Node, Care-of Address, Mobile Node]

Home Address = global ID above IP
Care-of Address = locator

(6)

Be Aware!

Issue 1: Impersonation
• Attacker binds a false HoA to some CoA
• Unauthorized use of a HoA → connection hi-jacking, eavesdropping, man-in-the-middle attacks, DoS

Issue 2: Packet Misdirection
• Attacker redirects packets to a false CoA
• Unauthorized use of a CoA → flooding

Solution: HoA/CoA-ownership proofs (HoA/CoA tests)

[Figure, impersonation: man in the middle (false HoA), victim (true HoA), victim's peer]
[Figure, amplification: attacker (true CoA), victim (false CoA), attacker's peer]

(7)

What Mobile IPv6 Does About It

Relationship between MN and HA
• Long-lasting
• Pre-configuration: Credentials, authorization records
• Mobile IPv6: IPsec authentication

Relationship between MN and CN
• Usually without history
• No pre-configuration
• Key exchange insufficient; HoA/CoA-ownership proof required
• Mobile IPv6: non-cryptographic HoA/CoA tests

(8)

What Mobile IPv6 Does About It

[Figure: RFC 3775 message sequence diagram between Mobile Node, Home Agent and Correspondent Node; labels: Detach, Attach, Registration with HA, Registration with CN, Home Address Test, Care-of Address Test, Binding Update to CN]

(9)

And How This Performs

[Figure: RFC 3775 message sequence diagram between Mobile Node, Home Agent and Correspondent Node; labels: Detach, Attach, Registration with HA, Home Address Test, Care-of Address Test, Binding Update to CN, Last packet, First packet, 1 RTT]

(10)

And How This Performs

[Figure: RFC 3775 message sequence diagram between Mobile Node, Home Agent and Correspondent Node; labels: Detach, Attach, Registration with HA, Home Address Test, Care-of Address Test, Binding Update to CN, Last packet, First packet, 2 RTT]

(11)

Our Objectives

Need Optimization Which…
• significantly reduces handover latency across domains and without special network support

Related Work
• Local: Hierarchical Mobile IPv6, Fast Handovers
  • pro: low latency, zero packet loss
  • con: network support required, no inter-domain optimization
• End-to-end: Cryptographically Generated Addresses
  • pro: cryptographic HoA-ownership proof, eliminates HoA test

(12)

Our Approach: Early Binding Updates

[Figure: Early Binding Updates message sequence diagram between Mobile Node, Home Agent and Correspondent Node; labels: Detach, Attach, Home Address Test, Care-of Address Test, Early Binding Update to CN, Registration with HA, Binding Update to CN]

Callouts in the figure:
• Do this test before handover!
• Register early with the CN!
• Use CoA during test!

(13)

Unverified Care-of Addresses

Issue: CoA unverified for a while
• Period of vulnerability between Early and standard Binding Update
• Negligible in some scenarios, usually requires additional protection

Solution: Prevent amplification
• Observation: amplification (not misdirection per se) makes redirection-based flooding attractive
• Rationale: no amplification → redirection-based flooding unattractive
• Credit-based technique

(14)

Our Solution: Credit-Based Authorization

[Figure: Mobile Node, Home Agent and Correspondent Node]

Callouts in the figure:
• Maintains credit account
• Acquires credit by sending pkts.
• Consumes credit for being sent pkts. to unverified CoA

(15)

Our Solution: Credit-Based Authorization

[Slides 15 to 20: animation frames of the Credit-Based Authorization figure; labels: Mobile Node, Home Agent, Correspondent Node]

(21)

Our Solution: Credit-Based Authorization

[Slides 21 to 28: animation frames of the Credit-Based Authorization figure during a handover; labels: Mobile Node, Home Agent, Correspondent Node, Detach, Attach, CoA unverified, Signaling not shown; slide 26 adds a "!" marker]
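
The credit account from slides 13 to 28, modelled as an added example (not code from the slides or from the authors' FreeBSD implementation): the correspondent node never sends more bytes to an unverified CoA than the mobile node has sent to it, so redirection yields no amplification. Counting credit in bytes, withholding packets once credit runs out, and all class and function names are assumptions made for this sketch.

```python
from dataclasses import dataclass


@dataclass
class CreditAccount:
    """Credit account a correspondent node (CN) keeps for one mobile node (MN)."""
    credit: int = 0             # bytes the CN may still send to an unverified CoA
    coa_verified: bool = True   # False between Early and standard Binding Update
    sent_unverified: int = 0    # bytes sent to the CoA while it was unverified

    def packet_from_mn(self, size: int) -> None:
        """The MN acquires credit by sending packets (counted in bytes here)."""
        self.credit += size

    def early_binding_update(self) -> None:
        """A new CoA is registered before its care-of address test has finished."""
        self.coa_verified = False

    def binding_update(self) -> None:
        """Standard Binding Update: the CoA is now verified."""
        self.coa_verified = True

    def send_to_coa(self, size: int) -> bool:
        """Return True if the CN may send `size` bytes to the current CoA."""
        if self.coa_verified:
            return True                 # verified CoA: no credit is consumed
        if size > self.credit:
            return False                # assumption: the packet is withheld
        self.credit -= size             # unverified CoA: consume credit
        self.sent_unverified += size
        return True


def bytes_reaching_unverified_coa(earned: int, pkt_size: int, packets: int) -> int:
    """Bytes the CN sends to an unverified CoA after the MN earned `earned` bytes."""
    acct = CreditAccount()
    acct.packet_from_mn(earned)
    acct.early_binding_update()
    for _ in range(packets):
        acct.send_to_coa(pkt_size)
    return acct.sent_unverified


def handover(earned: int, pkt_size: int, before_bu: int, after_bu: int) -> list:
    """Per-packet send decisions across one handover (constructed traffic)."""
    acct = CreditAccount()
    acct.packet_from_mn(earned)
    acct.early_binding_update()
    decisions = [acct.send_to_coa(pkt_size) for _ in range(before_bu)]
    acct.binding_update()
    return decisions + [acct.send_to_coa(pkt_size) for _ in range(after_bu)]
```

With 2500 bytes earned, only two 1000-byte packets reach the unverified CoA no matter how many are requested; after the standard Binding Update, sending is no longer limited by credit.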

(29)

Asymmetric Traffic Patterns

Issue: Asymmetric Traffic Patterns
• Some applications feature asymmetric traffic patterns
• Insufficient credit upon handover

Solution: Credit for Packet Reception and Processing
• Feedback mechanism for CN
• Care-of Address Spot Checks (in-band extension of CoA tests)
• Not covered here

(30)

How Much Do We Benefit?

[Figure: side-by-side message sequence diagrams for RFC 3775 and Early Binding Updates, each between Mobile Node, Home Agent and Correspondent Node, marking last packet and first packet; labels: 1 RTT, Other]

(31)

How Much Do We Benefit?

[Figure: side-by-side message sequence diagrams for RFC 3775 and Early Binding Updates, each between Mobile Node, Home Agent and Correspondent Node, marking last packet and first packet; labels: 2 RTT, 1 RTT]

(32)

Analysis of Early Binding Updates

Advantages of Early Binding Updates
• Half of standard latency, or less
• No special network support
• Applicable to inter-domain handovers

Drawbacks of Early Binding Updates
• Additional signaling for proactive HoA tests (if done periodically)
• Still 1 RTT latency

(33)

Scenario 1: TCP Throughput

[Figure: TCP sequence number (Seqno, 1.0E6 to 4.0E6) over time (5s to 20s), one plot for RFC 3775 and one for Early Binding Updates; one-way times: 50ms, 50ms, 50ms; annotation: 3,678KB]

(34)

Preliminary Results of TCP Experimentations

[Figure: TCP sequence number (Seqno, 0.5E6 to 3.5E6) over time (5s to 20s), one plot for RFC 3775 and one for Early Binding Updates; one-way times and bandwidths: 100ms, 256kbps; 50ms, 256kbps; 100ms, 256kbps; annotations: 4,226KB, 2,296KB]

(35)

Conclusion

Current Status
• Implementation in FreeBSD 5.3, Kame-Shisa Mobile IPv6
• Ongoing work in IETF, IRTF; CBA now to be integrated into HIP

Open Issues
• Impacts on applications? Effects on TCP retransmission timers?

Future Perspectives
