Early Binding Updates for Mobile IPv6 (PowerPoint PPT Presentation)



Slide 1

Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany

Early Binding Updates for Mobile IPv6

Christian Vogt, chvogt@tm.uka.de
Roland Bless, bless@tm.uka.de
Mark Doll, doll@tm.uka.de
Tobias Küfner, kuefner@tm.uka.de

IEEE Wireless Communications and Networking Conference, New Orleans, March 15, 2005

Slide 2: Mobile IPv6 Scenario

[Figure: Mobile IPv6 scenario; labels: FTP, Home Agent]

Slide 3: Outline

  • Mobile IPv6 basics
  • Security and efficiency
  • Proposed optimization
    • Early Binding Updates
    • Credit-Based Authorization
  • Analysis
  • Conclusion

Slide 4: Mobile IPv6 Basics

[Figure: home prefix 2000::/64 (Home Address), Internet, visited prefix 3000::/64 (Mobile Node, Care-of Address), Correspondent Node]

  • Home Address = global ID above IP
  • Care-of Address = locator

Slide 5: Mobile IPv6 Basics

[Figure: home prefix 2000::/64 (Home Address, Home Agent), Internet, visited prefix 3000::/64 (Mobile Node, Care-of Address), Correspondent Node]

  • Home Address = global ID above IP
  • Care-of Address = locator

Slide 6: Be Aware!

Issue 1: Impersonation
  • Attacker binds a false HoA to some CoA
  • Unauthorized use of a HoA ⇒ connection hijacking, eavesdropping, man-in-the-middle attacks, DoS

Issue 2: Packet Misdirection
  • Attacker redirects packets to a false CoA
  • Unauthorized use of a CoA ⇒ flooding

Solution: HoA/CoA-ownership proofs (HoA/CoA tests)

[Figure: impersonation: man in the middle (false HoA), victim (true HoA), victim's peer; amplification: attacker (true CoA), victim (false CoA), attacker's peer]

Slide 7: What Mobile IPv6 Does About It…

Relationship between MN and HA
  • Long-lasting
  • Pre-configuration: credentials, authorization records
  • Mobile IPv6: IPsec authentication

Relationship between MN and CN
  • Usually without history
  • No pre-configuration
  • Key exchange insufficient; HoA/CoA-ownership proof required
  • Mobile IPv6: non-cryptographic HoA/CoA tests

Slide 8: What Mobile IPv6 Does About It… 〈RFC 3775〉

[Figure: RFC 3775 handover sequence between Mobile Node, Home Agent and Correspondent Node: Detach, Attach, Registration with HA, Home Address Test, Care-of Address Test, Binding Update to CN (Registration with CN)]

Slides 9–10: …And How This Performs 〈RFC 3775〉

[Figure: the RFC 3775 handover sequence of slide 8 (Detach, Attach, Registration with HA, Home Address Test, Care-of Address Test, Binding Update to CN) with Last packet / First packet markers; the gap is annotated 1 RTT on slide 9 and 2 RTT on slide 10]

Slide 11: Our Objectives

Need optimization which…
  • significantly reduces handover latency
  • across domains and without special network support

Related Work

Local: Hierarchical Mobile IPv6, Fast Handovers
  • pro: low latency, zero packet loss
  • con: network support required, no inter-domain optimization

End-to-end: Cryptographically Generated Addresses
  • pro: cryptographic HoA-ownership proof, eliminates HoA test
  • con: CoA test still required

Slide 12: Our Approach: Early Binding Updates 〈Early Binding Updates〉

[Figure: handover sequence between Mobile Node, Home Agent and Correspondent Node: Detach, Attach, Registration with HA, Home Address Test, Care-of Address Test, Early Binding Update to CN, Binding Update to CN]

Callouts:
  • Do this test before handover!
  • Register early with the CN!
  • Use CoA during test!

Slide 13: Unverified Care-of Addresses

Issue: CoA unverified for a while
  • Period of vulnerability between early and standard Binding Update
  • Negligible in some scenarios, usually requires additional protection

Solution: Prevent amplification
  • Observation: amplification (not misdirection per se) makes redirection-based flooding attractive
  • Rationale: no amplification ⇒ redirection-based flooding unattractive
  • Credit-based technique

Slide 14: Our Solution: Credit-Based Authorization

[Figure: Mobile Node, Home Agent, Correspondent Node]

Annotations:
  • Maintains credit account
  • Acquires credit by sending packets
  • Consumes credit for being sent packets to an unverified CoA
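The credit account of this slide, worked through at the CN side as an added example (not the authors' Kame-Shisa code): the MN earns credit for packets the CN receives from it and spends credit for packets the CN sends to a CoA that has not yet passed the CoA test. Counting credit in bytes, the addresses and the packet sizes in `demo()` are constructed assumptions.

```python
# Credit-Based Authorization at a correspondent node (CN) as the slides sketch it: the CN keeps
# a credit account per mobile node (MN); the MN earns credit for each packet the CN receives
# from it and spends credit for each packet the CN sends to a care-of address (CoA) that has
# not yet passed the CoA test. Added illustration, not the authors' code; credit unit = bytes (assumed).
from dataclasses import dataclass

@dataclass
class Binding:
    coa: str
    coa_verified: bool = False  # True once the standard BU / CoA test completes
    credit: int = 0             # bytes that may still be sent to an unverified CoA

class CorrespondentNode:
    def __init__(self) -> None:
        self.bindings: dict[str, Binding] = {}  # keyed by home address (HoA)

    def early_binding_update(self, hoa: str, coa: str) -> None:
        """Early BU: the new CoA is used at once but marked unverified. Credit belongs
        to the HoA, so what the MN earned before the handover carries over."""
        b = self.bindings.setdefault(hoa, Binding(coa))
        b.coa, b.coa_verified = coa, False

    def coa_test_passed(self, hoa: str) -> None:
        self.bindings[hoa].coa_verified = True  # standard BU after a successful CoA test

    def receive(self, hoa: str, size: int) -> None:
        self.bindings[hoa].credit += size  # the MN acquires credit by sending packets

    def send(self, hoa: str, size: int) -> bool:
        """Packet to the MN: an unverified CoA consumes credit and the packet is dropped
        once credit runs out, so bytes sent there never exceed bytes received from the MN."""
        b = self.bindings[hoa]
        if not b.coa_verified:
            if b.credit < size:
                return False
            b.credit -= size
        return True

def demo() -> tuple[list[bool], int]:
    cn = CorrespondentNode()
    cn.early_binding_update("2000::1", "3000::1")   # MN at its first CoA ...
    cn.coa_test_passed("2000::1")                   # ... which has passed the CoA test
    cn.receive("2000::1", 1500)                     # MN sends 1500 B: credit = 1500
    cn.early_binding_update("2000::1", "4000::1")   # handover: new CoA, unverified again
    sent = [cn.send("2000::1", 1000), cn.send("2000::1", 1000)]  # second one dropped
    cn.receive("2000::1", 600)                      # MN keeps sending: credit = 1100
    sent.append(cn.send("2000::1", 1000))           # delivered, credit = 100
    cn.coa_test_passed("2000::1")
    sent.append(cn.send("2000::1", 5000))           # verified CoA: no credit needed
    return sent, cn.bindings["2000::1"].credit
```

Because a packet to an unverified CoA is only forwarded while credit covers it, a redirection to a false CoA can never push more traffic there than the MN itself sent, which is the no-amplification property slide 13 asks for.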

Slides 15–28: Our Solution: Credit-Based Authorization

[Figure: animation of the same Mobile Node / Home Agent / Correspondent Node exchange, continued across slides 15–28; additional labels on slides 21–28: CoA unverified, Signaling not shown, Detach, Attach]

Slide 29: Asymmetric Traffic Patterns

Issue: Asymmetric Traffic Patterns
  • Some applications feature asymmetric traffic patterns
  • No sufficient credit upon handover

Solution: Credit for Packet Reception and Processing
  • Feedback mechanism for CN
  • Care-of Address Spot Checks (in-band extension of CoA tests)
  • Not covered here

Slides 30–31: How Much Do We Benefit?

[Figure: handover timelines for Early Binding Updates and RFC 3775 side by side, each between Home Agent, Mobile Node and Correspondent Node with Last packet / First packet markers; the Early Binding Updates gap is annotated 1 RTT, the RFC 3775 gap 2 RTT]

Slide 32: Analysis of Early Binding Updates

Advantages of Early Binding Updates
  • Half of standard latency, or less
  • No special network support
  • Applicable to inter-domain handovers

Drawbacks of Early Binding Updates
  • Additional signaling for proactive HoA tests (if done periodically)
  • Still 1 RTT latency

Slide 33: Preliminary Results of TCP Experimentations, Scenario 1: TCP Throughput

[Figure: TCP sequence number (Seqno, 1.0E6 … 4.0E6) over time (x+5s … x+20s) for RFC 3775 and Early Binding Updates; one-way times 50 ms, 50 ms, 50 ms; the plots end at 3,678 KB (RFC 3775) and 4,363 KB (Early Binding Updates)]

Slide 34: Preliminary Results of TCP Experimentations

[Figure: TCP sequence number (Seqno, 0.5E6 … 3.5E6) over time (x+5s … x+20s) for RFC 3775 and Early Binding Updates; one-way times and bandwidths 100 ms/256 kbps, 50 ms/256 kbps, 1 ms/256 kbps; the plots end at 2,296 KB (RFC 3775) and 4,226 KB (Early Binding Updates)]

Slide 35: Conclusion

Current Status
  • Implementation in FreeBSD 5.3, Kame-Shisa Mobile IPv6
  • Ongoing work in IETF, IRTF; CBA now to be integrated into HIP

Open Issues
  • Impacts on applications?
  • Effects on TCP retransmission timers?

Future Perspectives
  • Proactive registration before handover ⇒ eliminate remaining delays