7/30/2019 Lecture6 Notes 4up(1)
1/21
32118 Mobile Communications and Computing
Lecture 6
Lecturer: Dr. Daniel R. Franklin
Notes originally by Doan Hoang
32118 Mobile Communications and Computing Lecture 6 p. 1
This Week's Lecture
Radio-Frequency Identification (RFID)
Mobility in IP networks - Mobile IP and VPNs
Radio Frequency ID
RFID is an extremely compact, asymmetric, low-power, low-data-rate communications technology with a multitude of industrial and commercial applications:
Tracking pallets or cases of product
Vehicle identification, tracking and tolling
Tracking company assets or personnel
Security tags in stores for high-value products
Routing of luggage through transport systems
Authentication tokens (ID) for people, livestock, or pets
RFID Tag Types
Two types of RFID tags are available: active and passive
Active:
  The tag transmits a radio signal
  Battery powered memory, radio & circuitry
  Long read range (max 1 km)
Passive:
  Tag reflects radio signal from reader
  Memory is non-volatile
  Reader powered
  Shorter read range (10 cm - 5 m)
RFID Characteristics
Source: Scientific American
Tags can be read-only or read-write
Tag memory can be factory or field programmed
Bytes left unlocked can be rewritten more than 100000 times
RFID Characteristics
RFID Operation
1. Reader issues commands
2. Carrier signal generated by the reader
3. Carrier signal sent out through the antennas via RF signal
4. Carrier signal hits tag(s)
5. Tag receives and modifies carrier signal - it sends back a modulated signal
6. Antennas receive the modulated signal and send it to the reader
7. Reader decodes the data - results returned to the host application
Internet Protocol (IP)
So far we have talked about a number of different physical layer technologies and medium access control protocols.
These are perfectly fine for delivering data from one station within a given type of network to another station on the same network.
What happens when we want to transfer data between two different networks?
What if they are not directly connected? How do we find a route between the stations?
What if they use totally different technologies (e.g. Ethernet and GPRS, or WiFi and Bluetooth)?
The Protocol Stack
The problem of interconnecting different networks is the responsibility of the network layer of the OSI or IP protocol stack.
The network layer builds on the functionality of the physical and MAC layers, providing an (unreliable) end-to-end service.
A transport layer (generally either TCP or UDP) is added on top. If reliability is required, TCP provides it (acknowledgements, retransmission and in-order delivery); UDP adds only port multiplexing and a checksum, and is no more reliable than IP itself.
The Protocol Stack
Each successive layer means the addition of another set of headers INSIDE the payload of the previous:
A MAC-layer frame's payload is an IP datagram;
An IP datagram's payload is part or all of a TCP segment or UDP datagram;
The TCP segment or UDP datagram's payload is the application's actual data!
The Protocol Stack
[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) alongside the Internet stack: Application (e.g. HTTP, SMTP, SSH, Skype, NFS, Jabber, FTP etc.), Transport (TCP, UDP), Network (Internet Protocol), Data Link (e.g. 802.11, Ethernet, Bluetooth), Physical. Outgoing construction: each layer prepends its header (AH, PH, SH, TH, NH; the data link layer adds a header DH and a trailer DT) to the data unit handed down from the layer above, ending as bits on the medium. Incoming reduction: each layer strips its own header and passes the remainder up.]
The Protocol Stack
It is important to realise that as an IP datagram traverses the Internet, its source and destination IP addresses will remain the same across each hop.
However, the source and destination MAC-layer addresses are only meaningful within each individual network - and they change as the IP datagram is transferred from one network to another.
Depending on the supported payload sizes in each different network, an IP datagram may end up being fragmented as it passes through the network; it will be reassembled when it arrives at its destination.
Notes: Actually there is an exception to the second-last point; if network address
translation is being used, the source and/or destination IP address may be re-
written by a router. This is an increasingly common occurrence - your home net-
work router is almost certainly doing this. If you want to know more about this, ask
your lecturer or read about NAT online :-)
Internet Protocol
IP solves the problem of global trans-network communications by structuring the payload of a MAC-layer packet in such a way that it can find a path through different networks.
A station A that supports IP (everything these days!) must have at least one IP address, which may be permanent (static) or temporary (dynamic).
An IPv4 address is 32 bits long, normally written as four 8-bit numbers (e.g. 138.25.47.163) - and it is globally unique.
If it wishes to talk to another host B somewhere on the Internet, it firstly needs to know the destination address.
Notes: Actually there are certain IP addresses which are not globally unique -
special ranges which are reserved for private IP addresses. It is also possible for
a host to have multiple IP addresses, or for multiple hosts to share one IP address
(e.g. for load balancing) - however these are rather specialised use cases! Some
special addresses are also reserved for multicast communication.
IPv6 addresses are much larger - 128 bits. This is needed because the IPv4
address space only supports about 4 billion addresses... which have now been
exhausted. There are some techniques (NAT) which allow networks to do more
with the limited pool of IP addresses, but the ultimate solution is IPv6.
Internet Protocol
It also needs to know its own network mask, which it can use to determine whether the destination address is local (i.e. on the same network as A) or remote (in a different network). This is a simple mathematical operation - bitwise AND.
The netmask is also 32 bits, with a certain number of the high-order bits set to one (and the rest equal to zero). This can be written as /N (e.g. /23, which is 11111111 11111111 11111110 00000000 or 255.255.254.0).
If we calculate the bitwise AND between my IP address and the netmask we have my local network address or prefix.
Internet Protocol
Example:
IP      10001010 00011001 00101111 10100011 (138.25.47.163) AND
Netmask 11111111 11111111 11111110 00000000 (255.255.254.0) =
Prefix  10001010 00011001 00101110 00000000 (138.25.46.0)
If the results are the same when we do this to the source and destination IP address, the destination is local; otherwise it is remote.
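The local-or-remote decision above, as an added example (not code from the lecture): it performs the bitwise AND by hand on 32-bit integers, derives the next hop the frame is addressed to, and cross-checks against Python's ipaddress module. The address 138.25.47.163/23 comes from the slide; the gateway, the other destinations and the mismatched-mask scenario are constructed.

```python
"""Local-or-remote decision for an IPv4 destination (added example)."""
from __future__ import annotations

import ipaddress


def to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix_len: int) -> int:
    """/N as an integer: N high-order ones followed by 32-N zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def prefix(addr: str, prefix_len: int) -> str:
    """Network address (prefix) = address AND netmask, as on the slide."""
    return to_dotted(to_int(addr) & netmask(prefix_len))


def is_local(src: str, prefix_len: int, dst: str) -> bool:
    """Same prefix under the sender's own mask -> deliver directly."""
    return prefix(src, prefix_len) == prefix(dst, prefix_len)


def next_hop(src: str, prefix_len: int, dst: str, default_gw: str) -> str:
    """The IP address whose MAC address the outgoing frame is addressed to."""
    return dst if is_local(src, prefix_len, dst) else default_gw


def views(a: str, a_len: int, b: str, b_len: int) -> tuple[bool, bool]:
    """How each end sees the other. A mask mismatch (constructed scenario) makes
    the two disagree: one host ARPs for its peer while the peer replies via the
    gateway, which is a classic cause of one-way reachability."""
    return is_local(a, a_len, b), is_local(b, b_len, a)


def cross_check(addr: str, prefix_len: int) -> bool:
    """Agree with the standard library's view of the same network."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return (str(net.network_address) == prefix(addr, prefix_len)
            and int(net.netmask) == netmask(prefix_len))
```

Note that 138.25.45.200 is not local to 138.25.47.163/23 even though it is only two octet values away: the /23 only pairs 46 with 47 (and 44 with 45), which the AND makes explicit.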
Internet Protocol
Local: the packet is delivered locally by determining the MAC address associated with the destination IP address, encapsulating the IP datagram in a MAC-layer frame and forwarding it to the destination. The IP datagram is then removed and processed by the destination host.
Remote: the packet is instead sent to a special host on the network called a router - typically there is just one on each network, known as the default gateway. The process is very similar to a local delivery - but the destination MAC address is for the router, not for the destination.
Notes: Mapping IP addresses (either of the destination or the default gateway) to a MAC address so the IP datagram can be delivered in a MAC-layer frame to the intended recipient is performed using a protocol called the Address Resolution Protocol (ARP). Hosts send a broadcast to all hosts in the network asking "what is the MAC address for this IP address?" Only one host should reply saying "that's me!"; after this the datagram may be packaged up in a MAC-layer frame and sent to the recipient. Nothing in ARP authenticates that reply: any host on the same network can answer (or send unsolicited replies) claiming the gateway's IP address and have its neighbours' traffic delivered to it instead, which is why networks that care about this use static ARP entries or switch-side dynamic ARP inspection.
Internet Protocol
By examining the destination IP address, the router knows that this packet is not intended for itself. It has one or more connections to other networks, and by exchanging information with the routers in those networks, knows where to forward the packet in order to get it closer to its destination.
The router chooses which next-hop router to forward the packet to, encapsulates it in a NEW MAC-layer frame, and forwards it on to the next router.
A packet may be forwarded many times as it traverses the Internet, before finally arriving at its destination network, where it will be delivered to the destination node and decapsulated for processing.
An IP Network
[Figure: Host A and Host B (both Linux hosts) connected through Networks 1, 2 and 3 (switched Ethernet), Networks 4 and 5 (fibre links) and Networks 6 and 7 (wireless), interconnected by routers RA, RB, RC and RD. Logical path (4 hops): Hop 1: Host A to Router A; Hop 2: Router A to Router C; Hop 3: Router C to Router D; Hop 4: Router D to Host B. On every hop the IP header carries source = Host A and destination = Host B.]
Notes: The source and destination IP address will always be the same for packets going from Host A to Host B. However, the MAC-layer source/destination headers are added and removed as the IP datagram is encapsulated in an Ethernet, WiFi or optical frame, sent out from one network interface on either a host or router, then removed at the other end of the hop. Thus the MAC source/destination addresses (and probably most of the other fields in the MAC header) will be different on each network hop.
The routers maintain a list of which networks are reachable via each of their network interfaces; they forward packets out of the interface which will allow the packet to reach its destination most efficiently (e.g. least number of hops or lowest cost). The measure of efficiency depends on the routing protocol.
Mobility and IP
Mobile IP is an extension to IP which enables a host to roam from its home network to any other foreign network, while maintaining the same IP address.
Thus a host running some given service can move around while remaining reachable from anywhere on the Internet.
This should be accomplished without breaking compatibility with non-mobile IP networks.
Mobile IP Terminology
Mobile Node (MN) - the mobile user's device
Correspondent Node (CN) - another IP peer with whom the MN is communicating
Home Network (HN) - the usual network where the MN resides
Foreign Network (FN) - the network that the MN is currently visiting
Home Agent (HA) - MIP service facilitator in the HN
Foreign Agent (FA) - MIP service facilitator in the FN
Care-of-Address (CoA) - transient address in the FN
Tunnel - path followed by an encapsulated datagram
Mobile IP Components
How it Works
MIP allows a MN to use two IP addresses: a static Home Address, which is used to identify the endpoint of TCP or UDP connections, and a Care-of-Address (CoA), which is the MN's temporary point of attachment in the foreign network. This IP address changes at each new point of attachment.
Whenever the MN is not attached to its home network, the Home Agent receives all the packets destined for the MN and arranges to deliver them to the MN's current CoA.
How it Works
Whenever the MN moves, it registers its new CoA with its HA.
To get a packet to a MN from its home network, the home agent tunnels the packet from the home network to the CoA.
When the packet arrives at the CoA (the MN's temporary foreign IP address), the packet is removed from the tunnel and passed to the MN's IP stack.
It will then be processed by the transport and application layers exactly as if the MN was in its home network.
Tunnelling
In MIP, the HA redirects packets arriving in the home network but intended for the MN to the MN's CoA by constructing a new IP header that contains the CoA as the destination IP address.
The packet to be redirected is now placed in this new packet as the payload; therefore, the destination address of the inner packet will have no effect on the routing of the container packet until it arrives at the CoA.
When the outer packet arrives at the FN, the inner packet is removed and delivered to the appropriate transport and application layers on the MN.
Tunnelling - Illustration
Notes: CN sends an IP datagram to the IP address of the MN (1); the home agent intercepts this, encapsulates it into another IP datagram (fragmenting into multiple datagrams if needed) with source = HA and dest = CoA, and sends it to the FA (2), which forwards it to the CoA of the MN (3); the inner packet is decapsulated (4) - by the FA when the CoA is the foreign agent's own address, or by the MN itself when it holds a co-located CoA. The CN is unaware of any of this: it addressed the home address, and the tunnel the packet traversed runs between the HA and the CoA, not from the CN.
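The two encapsulation ideas from this lecture in one added example (not code from the lecture or from any Mobile IP implementation): hop-by-hop re-framing, where each router wraps the same IP datagram in a new MAC frame with new addresses and only the TTL and header checksum change, and Mobile IP tunnelling, where the HA wraps the whole datagram in an outer IP header (IP-in-IP, protocol 4) addressed to the CoA. The IPv4 headers are real RFC 791 headers with a valid checksum; all addresses, MAC addresses and the payload are constructed.

```python
"""Hop-by-hop re-framing and HA -> CoA tunnelling with real IPv4 headers (added example)."""
from __future__ import annotations

import socket
import struct

PROTO_IPIP, PROTO_UDP = 4, 17
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header without options


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(datagram: bytes) -> dict:
    """Validate the header checksum and pull out the fields we care about."""
    ihl = (datagram[0] & 0x0F) * 4
    if checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, datagram[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "payload": datagram[ihl:total_len]}


def forward(datagram: bytes) -> bytes:
    """What a router (and the HA, which is also an IP hop) does to the header:
    TTL minus one, checksum recomputed, source and destination untouched."""
    if parse_ipv4(datagram)["ttl"] <= 1:
        raise ValueError("TTL expired; a router would send ICMP time exceeded")
    hdr = bytearray(datagram[:20])        # assumes no options (IHL = 5), as built above
    hdr[8] -= 1                           # TTL
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + datagram[20:]


def frame(src_mac: str, dst_mac: str, datagram: bytes) -> bytes:
    """Ethernet II frame: a new MAC pair on every hop, the same datagram inside."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + datagram


def encapsulate(inner: bytes, home_agent: str, coa: str) -> bytes:
    """HA -> CoA tunnel: the inner datagram becomes the payload of a new one."""
    return ipv4_header(home_agent, coa, PROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes) -> bytes:
    fields = parse_ipv4(outer)
    if fields["proto"] != PROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    return fields["payload"]


def tunnel_demo() -> dict:
    """CN -> home address, intercepted by the HA, tunnelled over two routers to the CoA."""
    cn, home, ha, coa = "203.0.113.7", "138.25.47.163", "138.25.46.1", "198.51.100.20"
    payload = b"hello MN"                                              # constructed data
    inner = ipv4_header(cn, home, PROTO_UDP, len(payload)) + payload  # (1) from the CN
    outer = encapsulate(forward(inner), ha, coa)                       # (2) at the HA
    hops = [("02:00:00:00:00:01", "02:00:00:00:00:02"),   # HA -> R1  (constructed MACs)
            ("02:00:00:00:00:03", "02:00:00:00:00:04"),   # R1 -> R2
            ("02:00:00:00:00:05", "02:00:00:00:00:06")]   # R2 -> CoA
    frames = []
    for i, (src_mac, dst_mac) in enumerate(hops):
        if i:
            outer = forward(outer)                         # R1 and R2 each take one TTL
        frames.append(frame(src_mac, dst_mac, outer))
    delivered = decapsulate(outer)                         # (3)/(4) at the CoA
    return {"frames": frames, "outer": parse_ipv4(outer), "inner": parse_ipv4(delivered)}
```

Two things worth noticing in the result: the inner header still says CN -> home address when it reaches the MN, so the transport layer sees exactly what it would have seen at home, and the outer header is what every router on the way actually routed on, which is why the CoA must be a routable address in the foreign network.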
MIP Mechanisms
Mobile IP requires 3 separate mechanisms to be implemented in the home and foreign networks and the mobile node:
Discovering the care-of-address;
Registering the care-of-address; and
Tunneling to the care-of-address.
Agent Advertisement/Discovery
These mechanisms make it possible for a MN to:
Determine whether it is connected to its home network or to a foreign network;
Determine whether it has changed its position in terms of network recently; and
Obtain a care-of address when it changes to a different foreign network.
Discovering the CoA
How does an MN find a foreign agent after it moves to another location?
Foreign Agents and Home Agents advertise their presence periodically using special agent advertisement messages.
For advertisements, ICMP Router Advertisement messages are used with some mobility extensions.
How does it discover at all that it has moved?
The MN compares the network prefix of the advertising router's IP address with the network portion of its own address. If these differ then the MN has moved to a foreign network.
Registration
The registration procedure involves four steps:
1. The mobile node requests the forwarding service by sending a registration request to the foreign agent that the mobile node wants to use
2. The foreign agent relays this request to the mobile node's home agent
3. The home agent either accepts or rejects the request and sends a registration reply to the foreign agent
4. The foreign agent relays this reply to the mobile node
Once these steps are complete, tunnelling will occur as needed.
Security in Mobile IP
Mobile IP provides a limited amount of security
Registration requests and replies are timestamped and securely checksummed using a keyed message digest (a message authentication code)
A shared secret must be present on both the HA and the MN
Messages which have been delayed or altered by a third party not in possession of the secret key will not have a valid checksum, or will carry a timestamp outside the window the HA accepts
Replay attacks are thus defeated - provided the HA also remembers the newest timestamp it accepted from each MN, since a replay inside the window would otherwise still verify
None of this protects confidential content from interception: the tunnelled data itself is sent in the clear
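The registration exchange and its security checks, as an added example (not code from the lecture or from any Mobile IP implementation). Message layout, the use of HMAC-SHA256 (RFC 3344's default is HMAC-MD5) and the replay window are this example's choices; the shared secret and addresses are constructed. Reply codes 0, 131 and 133 are borrowed from the RFC 3344 home-agent codes (accepted, mobile node failed authentication, identification mismatch).

```python
"""Authenticated, timestamped registration between a MN and its HA (added example)."""
from __future__ import annotations

import hashlib
import hmac

SHARED_SECRET = b"constructed-mn-ha-secret"   # provisioned out of band on MN and HA
REPLAY_WINDOW = 7                             # seconds of skew the HA tolerates (constructed)
TAG_LEN = 32                                  # HMAC-SHA256 output length


def authenticator(body: bytes) -> bytes:
    """Keyed digest: only a holder of the shared secret can produce or check it."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()


def build_request(home_addr: str, home_agent: str, coa: str, lifetime: int, timestamp: int) -> bytes:
    """Registration request as the MN sends it; the FA relays it unchanged."""
    body = b"|".join([b"REG-REQ", home_addr.encode(), home_agent.encode(), coa.encode(),
                      str(lifetime).encode(), str(timestamp).encode()])
    return body + authenticator(body)


def split(message: bytes) -> tuple[bytes, list[bytes], bytes]:
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return body, body.split(b"|"), tag


class HomeAgent:
    def __init__(self) -> None:
        self.bindings: dict[str, str] = {}    # home address -> current CoA
        self.last_seen: dict[str, int] = {}   # home address -> newest accepted timestamp

    def handle_request(self, message: bytes, now: int) -> bytes:
        body, fields, tag = split(message)
        # 1. Origin and integrity: forged or altered requests fail here (constant-time compare).
        if not hmac.compare_digest(authenticator(body), tag):
            return self._reply(b"?", 131, b"bad authenticator")
        _, home_addr, _, coa, _, ts = fields
        ts_i = int(ts)
        # 2. Freshness: a request delayed beyond the window is rejected.
        if abs(now - ts_i) > REPLAY_WINDOW:
            return self._reply(home_addr, 133, b"identification mismatch")
        # 3. Replay: a valid request seen again is no newer than the last one accepted.
        if ts_i <= self.last_seen.get(home_addr.decode(), -1):
            return self._reply(home_addr, 133, b"replayed request")
        self.bindings[home_addr.decode()] = coa.decode()
        self.last_seen[home_addr.decode()] = ts_i
        return self._reply(home_addr, 0, b"accepted")

    @staticmethod
    def _reply(home_addr: bytes, code: int, reason: bytes) -> bytes:
        body = b"|".join([b"REG-REPLY", home_addr, str(code).encode(), reason])
        return body + authenticator(body)   # the reply is authenticated the same way


def mn_check_reply(message: bytes) -> tuple[int, str]:
    """MN side: refuse to act on a reply whose authenticator does not verify."""
    body, fields, tag = split(message)
    if not hmac.compare_digest(authenticator(body), tag):
        raise ValueError("reply authenticator invalid")
    return int(fields[2]), fields[3].decode()


def demo() -> list[tuple[int, str]]:
    """Four requests: fresh, replayed, altered in transit, and delayed."""
    ha = HomeAgent()
    now = 1_000_000
    req = build_request("138.25.47.163", "138.25.46.1", "198.51.100.20", 300, now)
    results = [mn_check_reply(ha.handle_request(req, now))]
    # An eavesdropper replays the captured request a second later.
    results.append(mn_check_reply(ha.handle_request(req, now + 1)))
    # An attacker rewrites the CoA to divert the MN's traffic, but cannot fix the tag.
    tampered = req.replace(b"198.51.100.20", b"198.51.100.66")
    results.append(mn_check_reply(ha.handle_request(tampered, now + 1)))
    # A genuine request held back by a third party and released a minute later.
    stale = build_request("138.25.47.163", "138.25.46.1", "198.51.100.21", 300, now - 60)
    results.append(mn_check_reply(ha.handle_request(stale, now + 2)))
    return results
```

The three checks are deliberately ordered: the authenticator is verified first so that nothing in an unauthenticated message (not even the timestamp) influences HA state, and the replay check needs the per-MN record because the window alone would let a captured request be replayed for up to REPLAY_WINDOW seconds and rebind the home address to the attacker's CoA.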
Mobile IPv6
IPv6 includes many features for streamlining mobility support that are missing in IPv4.
A CoA acquisition mechanism is built in to IPv6 (stateless address autoconfiguration)
A neighbour discovery mechanism is mandatory in every node, so FAs are no longer needed.
Every IPv6 node can send binding updates to another node, thus the MN can send its current CoA to the CN and HA directly
Soft handover: the MN sends its new CoA to the old router servicing the MN at the old CoA, and the old router encapsulates any incoming packets for the MN and forwards them to the new CoA.
Notes: Don't hold your breath waiting for Mobile IPv6! IPv6 itself is still a negligible
fraction of the global Internet.
Where is MIP Used?
There actually is one place where MIP does see some use - inside GPRS and 3G/LTE networks!
GPRS networks provide IP mobility for clients; this is relatively easy to do as the service provider controls the network where both the FA and HA reside.
For this reason the lack of encryption is not a problem
However this is very far from the use case envisioned by the creators of Mobile IP!
Mobile IP's Irrelevance
Mobile IP dates from an era where it actually mattered that a host was reachable via a constant IP address
However, IP addresses are now considered transient and dynamic in any case, and applications have adapted to deal with this
For example, two-way services such as Skype make use of a stable external server for negotiating end-to-end connections
In this case, your IP address is irrelevant
Mobile IP's Irrelevance
The other major fault with Mobile IP is that it dates from an era when the Internet was considered trustworthy and benign
It includes limited security features - although there is an authentication mechanism, there is no encryption mechanism
It is therefore extremely vulnerable to eavesdropping and interception
This will be improved in Mobile IPv6; however it is probably too late.
Notes: Never rule anything out in the world of technology! Maybe someone will
find a compelling use case for Mobile IPv6.
Virtual Private Networks
The preferred solution to providing Mobile IP-like functionality is the Virtual Private Network (VPN)
A VPN includes strong encryption and secure two-way authentication mechanisms
It provides a mechanism for you to access your home network as if you were locally connected
You can even use a static VPN IP address as well if you need to be reachable from your home network
Virtual Private Networks
VPNs share some similarities with Mobile IP, but require no additional support from the foreign network, as all traffic is carried over a bidirectional tunnel established between the roaming user and the VPN server in the home network
VPNs can operate over the network layer (such as IPsec - essentially an encrypted IP-over-IP tunnel), the transport layer (such as OpenVPN, which can be transported over either TCP or UDP, or L2TPv3), or a hybrid of the network and transport layers (such as PPTP).
Notes: PPTP is not the best VPN protocol - it suffers from a number of architectural
security vulnerabilities. IPsec is very secure, but rather cumbersome to configure.
Many commercial VPN solutions (e.g. from Cisco) are based on IPsec. OpenVPN
is probably the easiest VPN solution available today.
Although these protocols provide security for the payloads, they can still be blocked by hostile networks. For example, Iran employs deep packet inspection to identify encrypted OpenVPN traffic; the connection cannot be intercepted, but it can be easily broken via a malicious TCP reset injection, added by a router inside the government-controlled parts of the network. Thus as soon as your VPN comes up, it is disconnected. There are various work-arounds to this problem, but it is a never-ending arms race.
Case Study: OpenVPN
OpenVPN is a free and open source VPN solution which encapsulates encrypted IP or MAC-layer traffic (depending on the VPN configuration) over a transport-layer protocol (either TCP or UDP)
It may be configured as a point-to-point, point-to-network or network-to-network VPN
Routing and DNS information may be pushed to the client on connection - you can even set up the client so that all (non-VPN) traffic is routed over the VPN (the encrypted data itself must still be sent through the default route!)
OpenVPN Operation
An OpenVPN client firstly establishes a secure connection to the VPN server (somewhere on the Internet - e.g. at a company HQ). This occurs over either a TCP connection or UDP datagram flow, to a known port on the server
It validates the identity of the server (using one of a number of secure mechanisms), and the server validates the identity of the client (normally using an SSL certificate issued by the VPN administrator). The client must do more than check that the server's certificate chains to the administrator's CA: every client holds a certificate from that same CA, so unless the client also checks that the presented certificate was issued for server use (OpenVPN's remote-cert-tls server option), any enrolled client could impersonate the server to the others
A virtual network device is now created on the client (one must already exist on the server), and it is given an IP address (typically a non-routeable private IP address) by the VPN server
OpenVPN Operation
Routes added on the client host selectively direct certain traffic (or even all non-VPN traffic) to the virtual network device instead of the physical network device
This traffic is delivered to the OpenVPN service running on the client via an operating system level hook
It then encrypts the packets, encapsulates them in the transport-layer connection or datagram stream, and forwards them over the physical network interface to the appropriate port on the remote VPN server (somewhere on the Internet)
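How the client's routes achieve "all traffic over the VPN" while the encrypted packets still leave through the physical default route, as an added example (not code from the lecture or from OpenVPN). It models the table OpenVPN's redirect-gateway def1 option produces: two /1 routes via the tun device out-rank the physical default route by longest-prefix match, and a /32 host route to the VPN server via the original gateway carries the ciphertext. Addresses and interface names are constructed, and the lookup is a simplified model of the kernel's routing decision.

```python
"""Route selection on an OpenVPN client using redirect-gateway def1 (added example)."""
from __future__ import annotations

import ipaddress

Route = tuple[ipaddress.IPv4Network, str, str]   # (prefix, gateway, interface)
DIRECT = "0.0.0.0"                                # directly connected, no gateway


def lookup(table: list[Route], dst: str) -> tuple[str, str]:
    """Longest-prefix match, as the kernel's routing table does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gateway, iface


def base_table() -> list[Route]:
    """Before the VPN comes up: the LAN and the physical default gateway (constructed)."""
    return [(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "eth0"),
            (ipaddress.IPv4Network("192.168.1.0/24"), DIRECT, "eth0")]


def redirect_gateway_def1(table: list[Route], vpn_server: str, tun_gateway: str) -> list[Route]:
    """Routes OpenVPN adds for a client configured with redirect-gateway def1."""
    phys_gw, phys_if = lookup(table, vpn_server)   # how the server is reached today
    return table + [
        (ipaddress.IPv4Network(f"{vpn_server}/32"), phys_gw, phys_if),   # ciphertext path
        (ipaddress.IPv4Network("0.0.0.0/1"), tun_gateway, "tun0"),        # 0.0.0.0 - 127.255.255.255
        (ipaddress.IPv4Network("128.0.0.0/1"), tun_gateway, "tun0"),      # 128.0.0.0 - 255.255.255.255
    ]


def tunnel_down(table: list[Route]) -> list[Route]:
    """The tun device disappears (daemon killed, link lost); its routes go with it."""
    return [r for r in table if r[2] != "tun0"]


def cleartext_destinations(table: list[Route], dsts: list[str], vpn_server: str) -> list[str]:
    """Destinations whose packets would leave the physical interface unencrypted."""
    return [d for d in dsts if d != vpn_server and lookup(table, d)[1] != "tun0"]
```

The /1 trick leaves the original default route in place rather than replacing it, which is convenient for tear-down but is also the failure mode a practitioner must plan for: if the tun device vanishes, the /1 routes vanish with it and every destination silently falls back to the physical gateway in the clear. The usual fix is a host firewall rule that only permits outbound traffic to the VPN server on the physical interface (a "kill switch"). Note also that the LAN route is more specific than either /1, so local LAN traffic is never tunnelled even with redirect-gateway.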
Notes: The operating system hook varies depending on the client operating system; Linux uses a dynamically allocated tun/tap virtual network device, which behaves exactly like a standard network interface (it can be given an IP address, may listen to DHCP requests etc.) and can be connected to a normal Unix process via the character device file /dev/net/tun. This process is the OpenVPN daemon. macOS and Windows need their own equivalents: OpenVPN ships a TAP driver for Windows, and on macOS it can use third-party tun/tap kernel extensions or the system's built-in utun interfaces.
OpenVPN Operation
The VPN server then receives the data, decrypts the contents, and delivers them to the virtual network device (as if they had just arrived on the wire of a real network device).
The normal routing tables on the VPN server then direct the incoming (unencrypted) packets to their destination.
The VPN typically adds an additional latency of less than one millisecond. Throughput is reduced slightly compared to an unencrypted connection due to the additional overhead of the tunnelling process
OpenVPN Transport Protocol
The choice of underlying transport-layer protocol depends on the requirements of the clients:
Using UDP is more efficient (less overhead, and no second layer of retransmission underneath the tunnelled traffic). A client behind network address translation can still use it, because the NAT creates a mapping for the client's outbound datagrams and passes the server's replies back through it; it is the server side that must be reachable: if the server does not have a public IP address, the VPN port must be forwarded to it (for TCP just as much as for UDP).
Using TCP is attractive where a network only lets TCP (e.g. port 443) through, but it may suffer from strange TCP-over-TCP interactions when the payload traffic is TCP and the underlying network connection is congested or suffering from high latency: both TCP layers retransmit and back off independently of each other, and throughput can collapse.
Next Week
Wireless Network Security
References
[1] Jochen Schiller. Mobile Communications, chapters 7.6 and 8.1, pages 296 and 304-328. Addison Wesley, 2nd edition, 2002.