A Mobile Host Protocol Supporting Route Optimization and Authentication

A Mobile Host Protocol Supporting Route Optimization and Authentication A. Myles, D. B. Johnson, and C. Perkins

IEEE Journal on Selected Areas in Communications Vol. 13, No. 5. June 1995

@ J. P. Sheu

P. 1

Introduction

• This paper implements a new mobile host protocol, called the Internet Mobile Host Protocol (IMHP), that features both route optimization and integrated authentication.


IMHP Infrastructure

• The IMHP architecture includes four functional entities: Mobile Hosts, Local Agents, Cache Agents, and Home Agents.

• Mobile Host (MH):
– Is allowed to move through the network.
– Its movement is transparent to the user and to software above the network routing layer.
– Each MH is assigned a constant, unique home address that belongs to a home network.
– Corresponding hosts use the home address when sending packets to the MH, regardless of the MH's current location.


• Local Agent (LA):
– A MH that has moved to a new network must identify a local agent with which to register.
– Registration is performed using a registration protocol defined by IMHP.
– Each LA maintains a visitor list identifying all mobile hosts currently registered with it.
– A local agent times out the visitor list entry for a MH after a lifetime period negotiated with the MH during the registration process.
– In order to maintain uninterrupted service from its current LA, a MH must re-register with its LA within this lifetime period.


– A LA provides the MH with a care-of address (COA), which is generally the local agent's own address.
– The combination of a MH's home address and COA is called a binding.

• Visitor List Entry Deletion:
– The MH must notify any previous LA that might still have a visitor list entry for it that this MH has moved.
– The notification must be periodically retransmitted until it is acknowledged or the LA has timed out the entry for the MH.

• Router:
– A MH will typically use the LA with which it is currently registered as its default router.


• Cache Agent (CA):
– Maintains a location cache containing the bindings of one or more MHs.
– When sending any packet to a MH, if a cache agent has a binding in its location cache for this MH, the CA routes the packet directly to that mobile host's COA.
– Otherwise, the CA sends the packet using normal Internet routing, causing the packet to be delivered to the MH's home network.

• Tunneling protocol:
– The IP header of the packet is modified so that the packet appears to be a normal IP packet addressed from the CA to the MH's current LA, and the original IP header fields are copied into the new IMHP tunneling header.


– The packet then uses only normal IP routing to reach the LA.
– The LA removes the added header and restores the packet's original IP header before delivering the packet to the MH.

• Time Out:
– A CA times out a location cache entry and deletes it.
– It may reconfirm the binding with the MH before the entry times out.
– A CA also deletes an entry if it receives a new binding indicating that the MH is connected to its home network.

• Optimized Routing:
– Any node that wants to optimize its own communication with a MH should function as a cache agent.
– Many LAs will also be capable of functioning as cache agents.


Fig. 1. Adding the IMHP tunneling header to a packet (figure; recoverable layout):
Original packet: IP Header | Transport Header | Transport Data
Tunneled packet: Modified IP Header | IMHP Header | Transport Header | Transport Data


• Home Agent (HA):
– Each MH must have a HA, and a HA maintains a home list.
– Each HA can also serve as a CA or LA.
– When a MH registers with a new LA, it must also register with its HA so that the HA always knows the current binding of the MH.
– The HA creates a cache entry for the binding.

• Time Out:
– If the HA serves as a LA or CA for its MH, then the MH must re-register with its HA before the entry times out, to maintain continued service from its home agent.
– The HA registration lifetime will be greater than the LA one.
– The HA assumes that the MH is at home if it does not have a valid binding.
– The HA tunnels each intercepted packet to the MH's COA.


Mobility Examples

• Basic Assumptions:
– MH1's home agent is HA1 and MH2's home agent is HA2.
– Suppose MH1 and MH2 are within range of LA1 and LA2, respectively.
– MH1 registers with LA1 and HA1, and MH2 registers with LA2 and HA2.

• Procedure for MH1 Sending Data to MH2:
– MH1 sends the data to LA1, MH1's default router.
– LA1 forwards the packet using normal Internet routing mechanisms.
– The packet is forwarded to HA2.


– HA2 tunnels the packet to LA2.
– LA2 then delivers the packet to MH2.
– HA2 can determine that MH1 does not have a binding for MH2, so HA2 notifies MH1 that it should acquire MH2's binding.
– MH1 then transmits a binding request for MH2, including a random number (RN) as an authenticator and with the routing flag set.
– HA2 then replies, including the original authenticator.
– Until the cache entry times out, MH1 tunnels packets for MH2 directly to LA2.


• Movement Example
– Assumptions: MH2 moves away from LA2 into LA3.
– MH2 registers with LA3 and with its home agent HA2.
– MH2 also notifies its previous local agent LA2, using the authenticator negotiated during its earlier registration.

• Procedure for MH1 Sending Data to MH2
– Assuming MH1's location cache entry has not timed out, MH1 tunnels the packet to LA2.
– LA2 uses its location cache to re-tunnel the packet to LA3.
– LA2 also sends a binding notification to MH1.
– MH1 sends a binding request to MH2.
– After that, MH1 tunnels data directly to LA3.
– If LA2's entry for MH2 has timed out before MH1's tunneled packet for MH2 reaches LA2:


– Then LA2 uses a special tunnel to tunnel the packet to HA2.
– HA2 subsequently tunnels the packet to LA3.
– LA2 also notifies MH1 to acquire a location cache entry for MH2.

• Intermediate Cache Example
– A stationary host (SH) that does not implement IMHP may need to send data to a MH.
– When SH receives a notification advising it to acquire a current binding for MH2, it will ignore the notification.
– Suppose CR is a router on the path from SH to MH2's home network. Then CR can function as a cache agent.
– CR snoops on notifications from HA2 to SH and acquires a binding for MH2.
– CR tunnels packets directly to MH2's local agent LA2.


Example Configuration (figure; nodes shown: HA1, HA2, LA1, LA2, LA3 and the Internet, with mobile hosts MH1 and MH2)


Authentication

• Security Risks:
– A malicious node could send forged management packets giving incorrect information on a MH's location, and could thus intercept the MH's packets.

• Alternative Protocol:
– Force all packets addressed to a MH to be routed through the MH's home network.
– Such an alternative reduces performance.


• Mobile Host to Home Agent Authentication
– This authentication is achieved by including an authenticator based on a shared secret in all management protocol messages between a MH and its HA.
– The base level of authentication computes a checksum of the important fields in the registration packet or reply.

• General Authentication Procedures
– In general, a node will not share a secret with any particular MH or with the MH's home agent.
– A random number is used on each pair of request and reply messages.
– Nodes along the paths are assumed to be trusted, as in the current Internet.
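The two authentication mechanisms on these slides and in the earlier binding-request example (a shared-secret authenticator over the registration fields between MH and HA, and a per-request random number echoed in the binding reply), as an added illustration that is not code from the paper or the slides. HMAC-SHA256 as the keyed checksum, the field names and the message layout are this example's assumptions; the slides only say "checksum of the important fields".

```python
import hashlib
import hmac
import secrets

def registration_authenticator(shared_secret: bytes, fields: dict) -> str:
    """Keyed checksum over the important registration fields (MH <-> HA).
    HMAC-SHA256 is this example's choice; the slides only say 'checksum'."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(shared_secret, canonical, hashlib.sha256).hexdigest()

def make_registration(shared_secret: bytes, home_addr: str, coa: str,
                      lifetime: int, seq: int) -> dict:
    """MH side: registration carrying the binding plus its authenticator."""
    fields = {"home_addr": home_addr, "coa": coa, "lifetime": lifetime, "seq": seq}
    return {**fields, "auth": registration_authenticator(shared_secret, fields)}

def home_agent_accepts(shared_secret: bytes, msg: dict) -> bool:
    """HA side: recompute the authenticator; a forged or altered binding fails."""
    fields = {k: v for k, v in msg.items() if k != "auth"}
    expected = registration_authenticator(shared_secret, fields)
    return hmac.compare_digest(expected, str(msg.get("auth", "")))

class BindingRequester:
    """Node with no shared secret: a fresh random number per request; a reply
    is accepted only if it echoes the random number of an outstanding request."""
    def __init__(self):
        self.pending = {}   # home address -> random number awaiting a reply

    def binding_request(self, home_addr: str) -> dict:
        rn = secrets.token_hex(8)
        self.pending[home_addr] = rn
        return {"type": "binding_request", "home_addr": home_addr, "rn": rn}

    def accept_reply(self, reply: dict):
        """Return the COA from a matching reply, or None for an unsolicited,
        stale or mismatched one (so an injected binding is never cached)."""
        rn = self.pending.get(reply.get("home_addr"))
        if rn is None or reply.get("rn") != rn:
            return None
        del self.pending[reply["home_addr"]]   # each random number is single-use
        return reply["coa"]
```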


IV. Forwarding Rules

• Basic Rules:
– If a node receives a tunneled packet and the destination address of the tunnel belongs to the node, then the node should extract the inner packet and continue applying the following rules.
– If a node receives a packet that is not tunneled (or that it has extracted from a tunnel) and the destination address of the packet belongs to the node, then the packet should be passed to the next protocol layer within the node for further processing.
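The tunneling header of Fig. 1, the cache-agent routing decision and the two forwarding rules above, combined in one node model as an added example that is not code from the paper or the slides. It goes slightly beyond the slides by also giving the node a visitor list so that an LA can deliver locally, and the Packet fields, the action names and the dict-shaped IMHP header are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str                      # IP source (a home address or a tunnel endpoint)
    dst: str                      # IP destination
    payload: bytes
    imhp: Optional[dict] = None   # IMHP tunneling header holding the original IP fields

def tunnel(pkt: Packet, tunnel_src: str, coa: str) -> Packet:
    """Fig. 1: rewrite the IP header so the packet runs tunnel_src -> coa and
    keep the original header fields in the added IMHP header."""
    if pkt.imhp is not None:
        raise ValueError("packet is already tunneled")
    return Packet(tunnel_src, coa, pkt.payload,
                  imhp={"orig_src": pkt.src, "orig_dst": pkt.dst})

def untunnel(pkt: Packet) -> Packet:
    """Strip the added header and restore the original IP header."""
    return Packet(pkt.imhp["orig_src"], pkt.imhp["orig_dst"], pkt.payload)

class Node:
    """A node that may act as LA (visitor list) and/or CA (location cache)."""
    def __init__(self, addr, visitor_list=(), location_cache=None):
        self.addr = addr
        self.visitor_list = set(visitor_list)             # home addresses registered here
        self.location_cache = dict(location_cache or {})  # home address -> COA

    def forward(self, pkt: Packet):
        # Rule 1: tunnel addressed to this node -> extract the inner packet and go on.
        if pkt.imhp is not None and pkt.dst == self.addr:
            pkt = untunnel(pkt)
        # Rule 2: untunneled packet for this node -> hand to the next protocol layer.
        if pkt.imhp is None and pkt.dst == self.addr:
            return "deliver", pkt
        # LA: the destination MH is registered here -> deliver on the local link.
        if pkt.imhp is None and pkt.dst in self.visitor_list:
            return "deliver_local", pkt
        # CA: a binding is cached -> tunnel straight to the COA (this is also how
        # LA2 re-tunnels to LA3 after MH2 has moved in the movement example).
        coa = self.location_cache.get(pkt.dst) if pkt.imhp is None else None
        if coa is not None:
            return "tunnel", tunnel(pkt, self.addr, coa)
        # Otherwise normal Internet routing, which ends at the MH's home network.
        return "route", pkt
```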
