Mobile IP (Internet Protocol) enables the transfer of information to and from mobile computers, such as laptops and wireless communications. The mobile computer can change its location to a foreign network and still access and communicate with and through the mobile computer's home network. The Solaris implementation of Mobile IP supports only IPv4.
Current versions of the Internet Protocol (IP) assume that the point at which a computer attaches to the Internet or a network is fixed and its IP address identifies the network to which it is attached. Datagrams are sent to a computer based on the location information contained in the IP address.
If a mobile computer, or mobile node, moves to a new network while keeping its IP address unchanged, its address does not reflect the new point of attachment. Consequently, existing routing protocols cannot route datagrams to the mobile node correctly. In this situation, you must reconfigure the mobile node with a different IP address representative of its new location, which is a cumbersome process. Thus, under the current Internet Protocol, if the mobile node moves without changing its address, it loses routing; but if it does change its address, it loses connections.
Mobile IP solves this problem by allowing the mobile node to use two IP addresses: a fixed home address and a care-of address that changes at each new point of attachment. Mobile IP enables a computer to roam freely on the Internet or an organization's network while still maintaining the same home address. Consequently, computing activities are not disrupted when the user changes the computer's point of attachment to the Internet or an organization's network. Instead, the network is updated with the new location of the mobile node. See Glossary for definitions of terms associated with Mobile IP.
The following figure illustrates the general Mobile IP topology.
Using the previous illustration's Mobile IP topology, the following scenario shows how a datagram moves from one point to another within the Mobile IP framework.
The Internet host sends a datagram to the mobile node using the mobile node's home address (normal IP routing process).
If the mobile node is on its home network, the datagram is delivered through the normal IP process to the mobile node. Otherwise, the home agent picks up the datagram.
If the mobile node is on a foreign network, the home agent forwards the datagram to the foreign agent.
The foreign agent delivers the datagram to the mobile node.
Datagrams from the mobile node to the Internet host are sent using normal IP routing procedures. If the mobile node is on a foreign network, the packets are delivered to the foreign agent. The foreign agent forwards the datagram to the Internet host.
In the case of wireless communications, the illustrations depict the use of wireless transceivers to transmit the datagrams to the mobile node. Also, all datagrams between the Internet host and the mobile node use the mobile node's home address regardless of whether the mobile node is on a home or foreign network. The care-of address is used only for communication with mobility agents and is never seen by the Internet host.
Mobile IP introduces the following new functional entities:
Mobile Node (MN)–Host or router that changes its point of attachment from one network to another.
Home Agent (HA)–Router on a mobile node's home network that intercepts datagrams destined for the mobile node, and delivers them through the care-of address. The home agent also maintains current location information for the mobile node.
Foreign Agent (FA)–Router on a mobile node's visited network that provides routing services to the mobile node while the mobile node is registered.
Mobile IP enables routing of IP datagrams to mobile nodes. The mobile node's home address always identifies the mobile node, regardless of its current point of attachment to the Internet or an organization's network. When away from home, a care-of address associates the mobile node with its home address by providing information about the mobile node's current point of attachment to the Internet or an organization's network. Mobile IP uses a registration mechanism to register the care-of address with a home agent.
The home agent redirects datagrams from the home network to the care-of address by constructing a new IP header that contains the mobile node's care-of address as the destination IP address. This new header then encapsulates the original IP datagram, causing the mobile node's home address to have no effect on the encapsulated datagram's routing until it arrives at the care-of address. This type of encapsulation is also called tunneling. After arriving at the care-of address, each datagram is de-encapsulated and then delivered to the mobile node.
The following illustration shows a mobile node residing on its home network, Network A, before the mobile node moves to a foreign network, Network B. Both networks support Mobile IP. The mobile node is always associated with its home network by its permanent IP address, 128.226.3.30. Though Network A has a home agent, datagrams destined for the mobile node are delivered through the normal IP process.
The following illustration shows the mobile node moving to a foreign network, Network B. Datagrams destined for the mobile node are intercepted by the home agent on the home network, Network A, encapsulated, and sent to the foreign agent on Network B. Upon receiving the encapsulated datagram, the foreign agent strips off the outer header and delivers the datagram to the mobile node visiting Network B.
The care-of address might belong to a foreign agent, or might be acquired by the mobile node through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP). In the latter case, a mobile node is said to have a co-located care-of address.
The mobile node uses a special registration process to keep its home agent informed about its current location. Whenever a mobile node moves from its home network to a foreign network, or from one foreign network to another, it chooses a foreign agent on the new network and uses it to forward a registration message to its home agent.
Mobility agents (home agents and foreign agents) advertise their presence using agent advertisement messages. A mobile node can optionally solicit an agent advertisement message from any locally attached mobility agents through an agent solicitation message. A mobile node receives these agent advertisements and determines whether they are on its home network or a foreign network.
When the mobile node detects that it is located on its home network, it operates without mobility services. If returning to its home network from being registered elsewhere, the mobile node deregisters with its home agent.
The previous description of Mobile IP assumes that the routing within the Internet is independent of the data packet's source address. However, intermediate routers might check for a topologically correct source address. If an intermediate router does check, you should set up a reverse tunnel. By setting up a reverse tunnel from the mobile node's care-of address to the home agent, you ensure a topologically correct source address for the IP data packet. A mobile node can request a reverse tunnel between its foreign agent and its home agent when the mobile node registers. A reverse tunnel is a tunnel that starts at the mobile node's care-of address and terminates at the home agent. The following illustration shows the Mobile IP topology that uses a reverse tunnel.
Mobile nodes that have private addresses which are not globally routable through the Internet require reverse tunnels. Solaris Mobile IP supports only privately addressed mobile nodes. See Overview of the Solaris Mobile IP Implementation for the functions that Solaris Mobile IP does not support.
Enterprises employ private addresses when external connectivity is not required. Private addresses are not routable through the Internet. When a mobile node has a private address, the mobile node can only communicate with a correspondent node through a reverse tunnel. The privately addressed correspondent node must belong to the same home agent's administrative domain. The following illustration shows a network topology with two privately addressed mobile nodes that use the same care-of address when registered to the same foreign agent.
Because both privately addressed mobile nodes belong to the same administrative domain, the home agent knows how to route data packets between the two mobile nodes. Also, the foreign agent's care-of address and the home agent's IP address must be globally routable addresses.
It is possible to have two privately addressed mobile nodes with the same IP address residing on the same foreign network. This situation is only possible when each mobile node has a different home agent. Also, this situation is only possible when each mobile node is on different advertising subnets of a single foreign agent. The following illustration shows a network topology that depicts this case.
Because both privately addressed mobile nodes have the same IP address and because these mobile nodes belong to different home agent domains, the two nodes cannot communicate with each other. However, each node can communicate with nodes in its corresponding home agent's administrative domain through the reverse tunnel. For example, Mobile Node 2 can communicate with Correspondent Node 2 in the previous illustration.
Mobile IP provides the following alternative modes for the acquisition of a care-of address:
A foreign agent provides a foreign agent care-of address through its agent advertisement messages. In this case, the care-of address is an IP address of the foreign agent. The foreign agent is the endpoint of the tunnel and, on receiving tunneled datagrams, de-encapsulates them and delivers the inner datagram to the mobile node. In this mode, many mobile nodes can share the same care-of address. This sharing reduces demands on the IPv4 address space and can also save bandwidth, because the forwarded packets, from the foreign agent to the mobile node, are not encapsulated. Saving bandwidth is important on wireless links.
A mobile node acquires a co-located care-of address as a local IP address through some external means, which the mobile node then associates with one of its own network interfaces. The address might be dynamically acquired as a temporary address by the mobile node, such as through DHCP. The address might also be owned by the mobile node as a long-term address for its use only while visiting some foreign network. When using a co-located care-of address, the mobile node serves as the endpoint of the tunnel and performs de-encapsulation of the datagrams tunneled to it.
Co-located care-of address enables a mobile node to function without a foreign agent, for example, in networks that have not yet deployed a foreign agent.
If a mobile node is using a co-located care-of address, the mobile node must be located on the link identified by the network prefix of this care-of address. Otherwise, datagrams destined to the care-of address are undeliverable.
A mobile node uses a method known as agent discovery to determine the following information:
When the node has moved from one network to another
Whether the network is the node's home or a foreign network
What is the foreign agent care-of address offered by each foreign agent on that network
Mobility agents transmit agent advertisements to advertise their services on a network. In the absence of agent advertisements, a mobile node can solicit advertisements. This is known as agent solicitation.
Mobile nodes use agent advertisements to determine their current point of attachment to the Internet or to an organization's network. An agent advertisement is an Internet Control Message Protocol (ICMP) router advertisement that has been extended to also carry a mobility agent advertisement extension.
A foreign agent can be too busy to serve additional mobile nodes. However, a foreign agent must continue to send agent advertisements. This way, mobile nodes that are already registered with it will know that they have not moved out of range of the foreign agent and that the foreign agent has not failed.
Also, a foreign agent that supports reverse tunnels must send it's advertisements with the reverse tunnel flag set on.
Every mobile node should implement agent solicitation. The mobile node uses the same procedures, defaults, and constants for agent solicitation, as specified for ICMP router solicitation messages.
The rate at which a mobile node sends solicitations is limited by the mobile node. The mobile node can send three initial solicitations at a maximum rate of one per second while searching for an agent. After registering with an agent, the rate at which solicitations are sent is reduced, to limit the overhead on the local network.
When the mobile node receives an agent advertisement, the mobile node registers through the foreign agent, even when the mobile node might be able to acquire its own co-located care-of address. This feature enables sites to restrict access to mobility services. Through agent advertisements, mobile nodes detect when they have moved from one subnet to another.
Mobile IP registration provides a flexible mechanism for mobile nodes to communicate their current reachability information to their home agent. The registration process enables mobile nodes to perform the following tasks:
Inform their home agent of their current care-of address
Renew a registration that is due to expire
Request a reverse tunnel
Registration messages exchange information between a mobile node, a foreign agent, and the home agent. Registration creates or modifies a mobility binding at the home agent, associating the mobile node's home address with its care-of address for the specified lifetime.
The registration process also enables mobile nodes to:
Deregister specific care-of addresses while retaining other mobility bindings
Discover the address of a home agent if the mobile node is not configured with this information
Mobile IP defines the following registration processes for a mobile node:
If a mobile node is registering a foreign agent care-of address, the mobile node registers using that foreign agent.
If a mobile node is using a co-located care-of address, and receives an agent advertisement from a foreign agent on the link on which it is using this care-of address, the mobile node registers using that foreign agent (or another foreign agent on this link).
If a mobile node uses a co-located care-of address, the mobile node registers directly with its home agent.
If a mobile node returns to its home network, the mobile node deregisters with its home agent.
These registration processes involve the exchange of registration requests and registration reply messages. When registering using a foreign agent, the registration process takes the following steps, which the subsequent illustration depicts:
The mobile node sends a registration request to the prospective foreign agent to begin the registration process.
The foreign agent processes the registration request and then relays it to the home agent.
The home agent sends a registration reply to the foreign agent to grant or deny the request.
The foreign agent processes the registration reply and then relays it to the mobile node to inform it of the disposition of its request.
When the mobile node registers directly with its home agent, the registration process requires only the following steps:
The mobile node sends a deregistration request to the home agent.
The home agent sends a registration reply to the mobile node, granting or denying the request.
Also, a reverse tunnel might be required by either the foreign agent or the home agent. If the foreign agent supports reverse tunneling, the mobile node uses the registration process to request a reverse tunnel. The mobile node does this by setting the reverse tunnel flag on in the mobile node's registration request.
AAA servers, in use within the Internet, provide authentication and authorization services for dial-up computers. These services are likely to be equally valuable for mobile nodes using Mobile IP when the nodes are attempting to connect to foreign domains with AAA servers. AAA servers identify clients by using the Network Access Identifier (NAI). A mobile node can identify itself by including the NAI in the Mobile IP registration request.
Since the NAI is typically used to identify the mobile node uniquely, the mobile node's home address is not always necessary to provide that function. Thus, it is possible for a mobile node to authenticate itself, and be authorized for connection to the foreign domain, without even having a home address. To request that a home address be assigned, a message containing the mobile node NAI extension can set the home address field to zero in the registration request.
Each mobile node, foreign agent, and home agent supports a mobility security association between the various Mobile IP components, indexed by their security parameter index (SPI) and IP address. In the case of the mobile node, this address is its home address. Registration messages between a mobile node and its home agent are authenticated with the Mobile-home authentication extension. In addition to Mobile-home authentication, which is mandatory, you can use the optional Mobile-foreign agent and Home-foreign agent authentications.
A mobile node registers with its home agent using a registration request message so that its home agent can create or modify a mobility binding for that mobile node (for example, with a new lifetime). The foreign agent can relay the registration request to the home agent. However, if the mobile node is registering a co-located care-of address, then the mobile node can send the registration request directly to the home agent.
A mobility agent returns a registration reply message to a mobile node that has sent a registration request message. If the mobile node is requesting service from a foreign agent, that foreign agent receives the reply from the home agent and subsequently relays it to the mobile node. The reply message contains the necessary codes to inform the mobile node about the status of its request, along with the lifetime granted by the home agent, which can be smaller than the original request. The registration reply can also contain a dynamic home address assignment.
The foreign agent plays a mostly passive role in Mobile IP registration. A foreign agent adds all registered mobile nodes to its visitor table. It relays registration requests between mobile nodes and home agents, and, when it provides the care-of address, de-encapsulates datagrams for delivery to the mobile node. It also sends periodic agent advertisement messages to advertise its presence.
If reverse tunnels are supported, the foreign agent establishes appropriate routes to reverse tunnel all the data packets from the mobile node for a correspondent node. A foreign agent that supports reverse tunnels advertises that the reverse tunnel is supported for registration. Given the local policy, the foreign agent can deny a registration request when the reverse tunnel flag is not set. Also, the foreign agent can only distinguish two different mobile nodes with the same IP address when the mobile nodes visit on two different advertising interfaces.
Home agents play an active role in the registration process. The home agent receives registration requests from the mobile node (perhaps relayed by a foreign agent), updates its record of the mobility bindings for this mobile node, and issues a suitable registration reply in response to each. The home agent also forwards packets to the mobile node when the mobile node is away from its home network.
A home agent might not have to have a physical subnet configured for mobile nodes. However, the home agent must recognize its mobile node's home address through the mipagent.conf file or some other mechanism when the home agent grants registration.
In some cases, the mobile node might not know its home agent address when the mobile node attempts to register. If the mobile node does not know its home agent address, the mobile node can use dynamic home agent address resolution to learn the address of its home agent. In this case, the mobile node sets the home agent field of the registration request to the subnet-directed broadcast address of the mobile node's home network. Each home agent that receives a registration request with a broadcast destination address rejects the mobile node's registration by returning a rejection registration reply. By doing so, the mobile node can use the home agent's unicast IP address indicated in the rejection reply when the mobile node next attempts registration.
This section describes how mobile nodes, home agents, and foreign agents cooperate to route datagrams to and from mobile nodes that are connected to a foreign network.
Home agents and foreign agents support tunneling datagrams using one of the available encapsulation methods (IP in IP Encapsulation, Minimal Encapsulation, or Generic Routing Encapsulation). Mobile nodes that use a co-located care-of address can receive tunneled datagrams using any encapsulation type.
When registered on a foreign network, the mobile node chooses a default router using the following rules:
If the mobile node is registered using a foreign agent care-of address, then the mobile node chooses its default router from among the router addresses advertised in the ICMP router advertisement portion of that agent advertisement message. The mobile node can also consider the IP source address of the agent advertisement as another possible choice for the IP address of a default router.
If the mobile node is registered directly with its home agent using a co-located care-of address, then the mobile node chooses its default router from among those advertised in any ICMP router advertisement message that it receives. The chosen default router network prefix must match the mobile nodes externally obtained care-of address. If the mobile node's externally obtained care-of address matches the IP source address of the agent advertisement under the network prefix, the mobile node can also consider that IP source address as another possible choice for the IP address of a default router.
If the mobile node is registered, a foreign agent that supports reverse tunnels routes unicast datagrams from the mobile node to the home agent through the reverse tunnel.
When a home agent receives a broadcast datagram, it does not forward the datagram to any mobile nodes in its mobility binding list. However, the home agent does forward the datagram if a mobile node has requested forwarding of broadcast datagrams. For each registered mobile node, the home agent forwards received broadcast datagrams to the mobile node; the method depends on how the configuration of the home agent specifies categories of broadcast datagrams forwarded to mobile nodes. Broadcast datagrams over reverse tunnels are not supported.
To receive multicasts, a mobile node joins the multicast group in one of the following ways:
If a multicast router exists on the visited subnet, the mobile node uses this local multicast router. If the mobile node is using a co-located care-of address, it uses this address as the source IP address of its Internet Group Management Protocol (IGMP) messages. Otherwise, it uses its home address.
If the mobile node's home agent is a multicast router, the mobile node can join groups using a bidirectional tunnel to its home agent. The mobile node tunnels IGMP messages to its home agent. The home agent then forwards multicast datagrams down the tunnel to the mobile node.
A mobile node that sends datagrams to a multicast group also has the following options:
Send directly on the visited network
Send through a tunnel to its home agent
Multicast routing depends on the IP source address. Therefore, a mobile node that sends multicast datagrams directly on the visited network uses a co-located care-of address as the IP source address. Similarly, a mobile node that tunnels a multicast datagram to its home agent uses its home address as the IP source address of both the multicast datagram and the encapsulating datagram. This second option assumes that the home agent is a multicast router.
In the case of reverse tunnels, multicast datagrams are not routed through reverse tunnels. The multicast datagrams are routed as previously described.
In many cases, mobile computers use wireless links to connect to the network. Wireless links are particularly vulnerable to passive eavesdropping, active replay attacks, and other active attacks.
Though Mobile IP cannot reduce or eliminate this vulnerability, Mobile IP can authenticate the Mobile IP messages. The default algorithm used is MD5, with a key size of 128 bits. The default operational mode requires that this 128–bit key precede and succeed the data to be hashed. The foreign agent also supports authentication using MD5 and key sizes of 128 bits or greater, with manual key distribution. Mobile IP can support more authentication algorithms, algorithm modes, key distribution methods, and key sizes.
Tunneling can be a significant vulnerability, especially if registration is not authenticated. Also, the Address Resolution Protocol (ARP) is not authenticated, and can potentially be used to steal another host's traffic.