The following steps provide a rough outline of the operation of the Mobile IP protocol:

1. Foreign agents and home agents send Agent Advertisement messages to advertise their presence and ability to support various Mobile IP functionalities.

2. A mobile node, receiving these Agent Advertisements, determines whether it is on its home network or a foreign network or has moved from one foreign network to another. The mechanism for this detection is part of what is called agent discovery and is discussed in detail later on.

3. When the mobile node finds it is located on its home network, there is no need to use mobility services.

4. If the MN detects that it has moved to a foreign network, it needs to acquire a care of address in order to use Mobile IP services. The CoA may either be a foreign agent care of address, or a co-located care of address assigned by some external assignment mechanism such as DHCP.

5. By exchanging a registration request and a registration reply message, the mobile node registers its new care of address with its home agent.

6. Once the registration process is complete, data sent to the mobile node’s home address are intercepted by its home agent, which tunnels the data to the mobile node’s care of address. As mentioned earlier, these data are received at the tunnel endpoint (either at a foreign agent or at the mobile node itself), and finally delivered to the mobile node. In the reverse direction, the mobile node sends data directly to the correspondent node, i.e. data sent by the mobile node are delivered to their destination using standard IP routing mechanisms. Due to security concerns, this may, however, not work in many networks and reverse tunneling must be employed. We will discuss reverse tunneling later.

7. If an MN that was residing on a foreign network detects that it has returned to its home network after being registered elsewhere, the mobile node de-registers with its home agent through the exchange of registration request and registration reply messages. For more information on reverse tunneling the reader is referred to the IETF standard specification [REV3024].

5.1.1.1 Mobile IP Registration

As mentioned earlier, Mobile IP registration is the procedure by which the mobile nodes inform their home agent of their current care of address and request forwarding services while visiting a foreign network. Mobile IP registration is also used when the mobile node needs to inform the home agent that the mobile node has returned home.

The concept of Mobile IP registration is very simple: there are only two control messages: registration request and registration reply, the main purpose of which is to allow the MN to communicate its latest IP address and possibly point of attachment to the HA. We will explain how these messages are used in a variety of circumstances shortly. But first we will show the exact format of these two messages and how they can be extended.

As can be seen, both of these messages can be carried over UDP and they both carry lifetime fields in order to limit the extent of the period of time in which the registration (the binding created at the HA) is valid (see Table 5.2 and Table 5.3). This is sometimes called a registration lifetime. Mobile IP allows certain extensions to be added to these messages and as we will see shortly, these extensions serve important purposes, such as providing security and interaction between the Mobile IP and AAA signaling.

Depending on the topology of the foreign network, FAs may or may not be deployed, which means the registration process may not involve an FA. For that reason Mobile IP defines two different registration procedures, one via a foreign agent that relays the registration to the mobile node's home agent, and one directly to the mobile node's home agent. Both registration procedures involve the exchange of registration request and registration reply messages. Also, when the mobile node returns home, it sends another registration request to the HA to indicate that it no longer requires forwarding services from the HA. This process is called de-registration.

In the following we describe each of these procedures briefly. For each case, we show the exact content of the source and destination addresses in the IP header of the registration request. This will help the reader understand how the mechanics of Mobile IP routing work. In each case the MN uses the IP address of its own physical interface as the source address and the IP address of the entity that it is sending its registration request to as the destination address. The specifics that the HA needs to create the mobility binding are included in the registration request fields.

When registering a foreign agent-based CoA, the MN sends its registration request via a foreign agent, which means the MN sends the packet to the FA first (see Figure 5.3). The registration procedure requires the following four steps:

1. The mobile node sends a registration request to the prospective foreign agent to begin the registration process. The MN uses its home address as the source address, since the CoA belongs to the FA. The MN uses the IP address of the FA as the destination address to send the registration request through the FA.

2. The foreign agent processes the registration request and then relays it to the home agent.

3. The home agent sends a registration reply to the foreign agent to grant or deny the registration request.

4. The foreign agent processes the registration reply and then relays it to the mobile node to inform it of the disposition of its request.

Table 5.2 Mobile IP registration request highlights, including some examples of registration extensions

Field name                              Sub-field            Description
IP header
UDP header
Mobile IP registration fixed payload    Type                 =1 for registration request
                                        Flags                Showing simultaneous bindings, presence or absence of FA (use of collocated CoA), reverse tunneling, and so on
                                        Lifetime             Lifetime in seconds before the registration expires
                                        Home address         Home address of the mobile if configured; if NAI is used, cleared to zero
                                        Home agent           IP address of home agent
                                        CoA for the mobile   CoA the mobile acquires either directly (CcoA) or from the foreign agent
                                        Identification       To match registration requests and responses as well as to provide anti-replay protection for messaging to HA
Registration extensions

Table 5.3 Mobile IP registration reply and some related extensions

Field name                              Sub-field            Description
IP header
UDP header
Mobile IP registration fixed payload    Type                 For registration reply =3
                                        Code                 The result of registration request, e.g. =0 registration accepted, =67 mobile node failed authentication
                                        Lifetime             If successful registration, seconds before the registration expires
                                        Home address         Home address of the mobile
                                        Home agent           IP address of home agent
                                        Identification       To match registration requests and responses as well as to provide anti-replay protection for messaging to MN

When a mobile node is using a co-located care of address (obtained from a DHCP server), the mobile node registers directly with its home agent as described in the following steps (see Figure 5.4).

1. The mobile node sends a registration request to the home agent by using the IP address of the HA as the destination address in the IP header.

2. The home agent sends a registration reply to the mobile node, granting or denying the request.

If a mobile node has returned to its home network and is (de-)registering with its home agent (Figure 5.5), the mobile node MUST register directly with its home agent.

Figure 5.3 Mobile IPv4 registration packet, when an FA is in place
  IP fields: source = MN HoA, destination = FA IP
  UDP fields: source port, destination port
  Registration request fields: home address = MN HoA, home agent = HA IP, CoA = MN CoA, data

Figure 5.4 Mobile IPv4 registration packet, when the MN is using a CcoA
  IP fields: source = MN CcoA, destination = HA IP
  UDP fields: source port, destination port
  Registration request fields: home address = MN HoA, home agent = HA IP, CoA = MN CcoA, data

Figure 5.5 (caption not present in the extracted text)
  IP fields: source = MN HoA, destination = HA IP
  UDP fields: source port, destination port
  Registration request fields: home address = MN HoA, home agent = HA IP, CoA = MN HoA, data

5.1.1.2 Mobile IP Reverse Tunneling

As mentioned earlier, Mobile IP allows the correspondent node (CN) to communicate its traffic to the mobile node without knowing the instantaneous whereabouts of the mobile node. When Mobile IP is implemented, the CN simply sends the packet towards the MN’s HoA. When the MN is away from home, these packets are intercepted by the home agent, which in turn tunnels the packet towards the MN’s CoA.

In the reverse direction, Mobile IP is not needed for routing purposes, since IP routing mechanisms do not use the source addresses in the IP packet. Theoretically, the mobile node could simply use its own home IP address as the IP source address in packets it transmits towards the CN. This means, in the reverse direction, no tunneling needs to be implemented and the triangular routing through the HA that exists in the forward direction can be avoided. This was how it was done in the original Mobile IP design.

With the increasing security threats to the enterprise networks, the security designers began to realize that conventional firewalls that filtered only inbound traffic would not protect the network from internal threats. Ingress filtering is now an important security component that prevents attacks from malicious nodes that physically reside inside the network boundaries. When ingress filtering is implemented on an edge router interface, the router will not forward IP packets received on that interface unless the packet source address matches the interface network prefix.

The implication of implementing ingress filtering is that, when the MN resides on the foreign subnet and transmits packets using its own HoA as a source address towards the CN, the packets will be dropped, since the HoA is not topologically correct within the foreign subnet. To avoid this problem, the MN must use its topologically correct CoA as the source address for any packets it is sending from its current location. However, the packets going to the CN must include the MN's HoA, in order to hide the routing and mobility complexity from the application running at the CN. In order to comply with these two conflicting requirements, the MN will tunnel those packets in the reverse direction, using its CoA as the source address in the outer packet to lead the packet through the ingress filtering, while using its HoA as the source address of the inner packet directed to the CN.

So far, we have not discussed where the outer packet is destined. To keep the forward and reverse tunnels symmetric, the MN may opt to send the packet to the HA, which decapsulates the outer packet and sends it to the CN. When a foreign agent is present, the MN may use the services of the FA for reverse tunneling. When a mobile node arrives at a foreign network, it listens for agent advertisements and selects a foreign agent that supports reverse tunnels. It requests this service when it registers through the selected foreign agent. At this time, and depending on how the mobile node wishes to deliver packets to the foreign agent, it also requests either the Direct or the Encapsulating Delivery Style.
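The interaction between ingress filtering and reverse tunneling described above, as an added example that is not from the book: an MN with a co-located CoA sends to the CN once untunneled and once through an IP-in-IP reverse tunnel to its HA. The topology, addresses and the HA's binding-table check (the HA only decapsulates when the inner source HoA has a binding whose CoA matches the outer source) are assumptions made for this example.

```python
import ipaddress

# Constructed topology (sample values, not from the book).
FOREIGN_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # visited subnet behind an ingress-filtering edge router
MN_HOA, MN_COA = "10.0.0.5", "192.0.2.77"              # MN home address and its co-located CoA
HA_IP, CN_IP = "10.0.0.1", "203.0.113.9"
IPIP = 4                                               # IP-in-IP encapsulation protocol number
HA_BINDINGS = {MN_HOA: MN_COA}                         # mobility binding created at registration

def ingress_filter_forwards(pkt, interface_prefix):
    """Edge-router rule from the text: forward only if the (outer) source address
    lies within the prefix of the interface the packet arrived on."""
    return ipaddress.ip_address(pkt["src"]) in interface_prefix

def reverse_tunnel(inner, coa, home_agent):
    """MN-side reverse tunneling: outer header src=CoA, dst=HA; inner packet unchanged."""
    return {"src": coa, "dst": home_agent, "proto": IPIP, "payload": inner}

def ha_decapsulate(pkt, bindings):
    """HA tunnel endpoint (assumed check): accept only tunnel packets whose inner source
    is a bound HoA and whose outer source is that binding's CoA, then hand the inner
    packet to normal routing towards the CN."""
    if pkt["dst"] != HA_IP or pkt["proto"] != IPIP:
        return None
    inner = pkt["payload"]
    if bindings.get(inner["src"]) != pkt["src"]:
        return None   # unknown HoA, or outer source is not the registered CoA
    return inner

def mn_sends_to_cn(use_reverse_tunnel):
    """Return the packet as the CN receives it, or None if it was dropped on the way."""
    inner = {"src": MN_HOA, "dst": CN_IP, "proto": 6, "payload": b"constructed TCP segment"}
    pkt = reverse_tunnel(inner, MN_COA, HA_IP) if use_reverse_tunnel else inner
    if not ingress_filter_forwards(pkt, FOREIGN_PREFIX):
        return None           # HoA 10.0.0.5 is not in 192.0.2.0/24: dropped at the edge router
    return ha_decapsulate(pkt, HA_BINDINGS) if pkt["proto"] == IPIP else pkt
```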

In the Direct Delivery Style, the mobile node designates the foreign agent as its default router and proceeds to send packets directly to the foreign agent, that is, without encapsulation. The foreign agent intercepts them, and tunnels them to the home agent.

In the Encapsulating Delivery Style, the mobile node encapsulates all its outgoing packets to the foreign agent. The foreign agent decapsulates and re-tunnels them to the home agent, using the foreign agent’s care of address as the entry-point of this new tunnel.