Mobile IPv6 : architectures et protocoles

Uploaded by squaddinnerlady, category: Software & software engineering, 2 July 2012, 902 views

Doctoral Thesis of Université Paris VI Pierre et Marie Curie
Specialty: Computer Systems (Systèmes Informatiques)
presented by
Guillaume Valadon
to obtain the degree of
Docteur de l'Université Pierre et Marie Curie
Mobile IPv6: architectures et protocoles
defended on 27 June 2008 before the jury composed of
Éric Fleury, Thomas Noël: Rapporteurs (reviewers)
Rui Aguiar, Hiroshi Esaki, Sébastien Tixeuil: Examiners
Serge Fdida: Thesis advisor
Ryuji Wakikawa: Co-supervisor
Acknowledgements
I thank Éric FLEURY, Professor at the École Normale Supérieure de Lyon, and Thomas NOËL, Professor at Université Louis Pasteur de Strasbourg, for having agreed to take on the role of rapporteurs.
I thank Rui AGUIAR, Professor at the University of Aveiro in Portugal, Hiroshi ESAKI, Professor at the University of Tokyo in Japan, and Sébastien TIXEUIL, Professor at Université Pierre et Marie Curie, for having agreed to assess this work.
I thank Serge FDIDA, Professor at Université Pierre et Marie Curie, for having agreed to supervise this thesis. I also wish to thank Ryuji WAKIKAWA, now a researcher at Toyota ITC in Japan, with whom I had the honour of working on various mobility-related projects such as Home Agent Migration, presented in this thesis. His scientific and human qualities contributed very particularly to the smooth course of my stay in Japan. Finally, I thank Clémence MAGNIEN, Chargée de Recherche at CNRS, for the very valuable help she gave me in writing and repeatedly proofreading this manuscript.
My Japanese experience, for its part, would not have been possible without the help of many people, including Atau TANAKA, Professor at Newcastle University in England, and Kenjiro CHO, researcher at Internet Initiative Japan, who introduced me to various Japanese researchers and thereby actively took part in the first steps of my thesis project in Japan. In this context, I first wish to thank Hiroshi ESAKI for warmly welcoming me into his laboratory at the University of Tokyo and for funding me during the last months of my stay. I also thank my colleagues at Murai lab, at Keio University, as well as my colleagues at Esaki lab, at the University of Tokyo. Let me thank separately Seiichi YAMAMOTO for all the time he spent helping me settle in Tokyo and with the various administrative steps that preceded my arrival.
I also met many people during my two years in Japan who will, I hope, remain friends despite the distance. In no particular order, thanks to Daphne, Romain, Koshiro, Lou, Marin, Martin, Mai, and Yukie. Special mention to the master of the best restaurant in the world (in Yokohama): teppan and beer are two inseparable ingredients of successful research!
Finally, I thank Ema for the help she gave me before and during my stay. Without her, everything would have been much more complicated, if not impossible. Thank you for letting me discover Japan, and for letting me practise the little Japanese I know!
Thanks to the members of office 720: Laurent, Georges, Florian, and Christophe, for their craziness, their help, and their good mood. Thanks to the old-timers and other dinosaurs, Augustin, Julien, Chantal, and Matthieu, for showing me the path of wisdom; because it matters. Thanks also to the other members of the lab for the conversations over coffee and the cigarette bail-outs!
Finally, thanks to my family, my friends and my proofreaders. Thanks to the hipss, barbus, zedou and other weekend clubbers. Thanks to those who had the patience and the courage to put up with me during these four years. Thanks also to those who did not get that chance. Thanks to those who made a detour via Tokyo. Thanks to those who came to pick me up at Roissy at 4:30 on a Wednesday morning. Thanks to Limoncello and to Radio Head. Thanks to those who put a Red Hat in my hands on a fine Sunday in June 98. Thanks to the globotruncanids. Thanks to the emergency room (and above all, welcome). Thanks to Philibert and to Quick. Thanks to the Friday-night jogs. In alphabetical order, with no order of preference, and to a tune by the Bérus, thank you: Alexis, Adeline, Arnaud, Boulette, Bozze, Carter, Ceache, Citrouille, Delphine, Emilie, Etis, Evy, Faustine, Flavie, Fred, Galipette, Gratoune, Grizz, Hélène, IKR, Julio, Karim, Kat, Kinou, Kozette, Léo, Manu, Marion, Mat, Mel, Michel, Philippe, Pingouin, Pwetty, Renaud, Romain, Sail, Séverine, Shai, Sly, Spyou, Thierry, troglocan, Vincent, Virginie, and Zoro. If, despite all my care, I have forgotten you (or if you are a megalomaniac), add your name here:
Finally, thanks to everyone who took up the challenge of facing the defence!
Résumé (translated from French)
The architecture of the Internet is such that, when a user moves and changes network, the IP address of their device is modified, causing the loss of ongoing communications. To solve this problem, mobility management protocols have been defined to make communications insensitive to movements and independent of the network where the user is located. However, most proposals suffer from problems that affect their performance, or their use in the current Internet architecture. For example, some of them, such as the HIP protocol, require that all devices, including fixed ones, implement the mobility protocol. Others, such as the Mobile IPv6 protocol, induce longer paths and therefore higher communication delays.
This thesis aims at improving the performance of the Mobile IPv6 protocol by controlling the various limitations induced by the use of a router that manages mobility: the home agent. To do so, we propose two complementary approaches which, while being compatible with the current Internet infrastructure, allow mobility to be handled transparently for both the network and fixed devices. First, we describe a new distributed mobility management architecture called Home Agent Migration, which allows several home agents to be used simultaneously. Through a real deployment, we show that it is possible to obtain performance comparable to that of communications not using Mobile IPv6. Then, we formally define the properties of home agent locations in terms of graph theory. Building on this study, we quantify the impact of the Mobile IPv6 protocol on communications. Finally, we propose a new algorithm that addresses the deployment issues of Mobile IPv6 and Home Agent Migration in graphs that model communication networks.
Keywords
Mobile IPv6, mobility management, anycast, graph, centrality
Abstract
Nowadays, mobile devices such as laptops are commonly used to access the Internet from different locations during the same day. With the current Internet architecture, a change of location requires a mandatory modification of the IP address, and as a result the loss of ongoing communications. Under these constraints, mobility protocols were designed to make communications resilient to movements and independent of location. So far, diverse mobility protocols have been defined that efficiently solve mobility-related issues. Unfortunately, most of them suffer from design choices that impact their performance, or make them impractical for immediate deployment. For example, some protocols require that every node implement mobility support, including non-mobile ones; others cause longer paths and higher communication delays.
In this thesis, we present two possible approaches to improve Mobile IPv6 performance and to control its current shortcomings. These approaches are completely compatible with current networking technologies, and can be used to perform immediate deployments of mobility support on the Internet. We first propose Home Agent Migration, an additional mobility management plane, which distributes home agents (specific mobility routers) inside the Internet topology. Practical experiments show that it is possible to obtain performance almost identical to communications without Mobile IPv6. Then, we formally define the properties of home agent locations in terms of graph theory, and quantify the impact of Mobile IPv6 on communications. Finally, based on this study, we describe a new algorithm that addresses deployment issues of Mobile IPv6 and Home Agent Migration and that could be applied to any operator's network.
Keywords
Mobile IPv6, mobility management, anycast, graph, betweenness centrality
Contents
Acknowledgements
Résumé
Abstract
Contents
1 Introduction
  1.1 Standard problems induced by Mobility
  1.2 What is mobility support anyway?
  1.3 Approaches for Internet mobility support
    1.3.1 Locators and identifiers
    1.3.2 Which identifiers?
    1.3.3 Design constraints
  1.4 Overview of Mobile IPv6
  1.5 Contributions
  1.6 Outline
2 Background on Mobile IPv6
  2.1 Mobile IPv6
    2.1.1 Preliminary terminology
    2.1.2 Operation of Mobile IPv6
    2.1.3 Return Routability Procedure
    2.1.4 NEMO
    2.1.5 Home Agent Discovery
  2.2 Protocols limitations
    2.2.1 Mobile IPv6
    2.2.2 Return Routability Procedure
    2.2.3 NEMO
  2.3 Security overview
    2.3.1 Possible attacks against Mobile IPv6
    2.3.2 IPsec protection
  2.4 Standardized optimizations
    2.4.1 Hierarchical Mobile IPv6
    2.4.2 Fast Handover for Mobile IPv6
    2.4.3 Multiple Care-of Address
  2.5 Conclusion
3 Home Agent Migration
  3.1 General overview
    3.1.1 How it works
    3.1.2 Typical deployments
    3.1.3 Advantages
    3.1.4 Drawbacks
  3.2 Practical implementation
    3.2.1 Notion of Binding Cache
    3.2.2 Communication examples
    3.2.3 Movements of mobile nodes
    3.2.4 Example of a typical deployment
    3.2.5 The underlying protocol
    3.2.6 NEMO support
    3.2.7 Security considerations
  3.3 Evaluation
    3.3.1 Performances comparisons
    3.3.2 Experimental results
  3.4 Related Work
  3.5 Conclusion
4 Mobile IPv6 deployments
  4.1 Graph theory reminders
    4.1.1 Preliminary definitions
    4.1.2 Importance of vertices
  4.2 Networks as graphs
    4.2.1 Observing networks
    4.2.2 Modeling networks
    4.2.3 Weights on edges
  4.3 Home Agents locations
    4.3.1 Impact on paths lengths
    4.3.2 Optimal locations
    4.3.3 Comparison methodology
  4.4 Evaluation
    4.4.1 Studied networks
    4.4.2 Relationship between the degree and the betweenness
    4.4.3 Mobile IPv6
    4.4.4 Home Agent Migration
  4.5 Related work
  4.6 Conclusion
5 Conclusion
A Scapy: IPv6 and BPF extensions
  A.1 Contributed extensions
    A.1.1 Scapy6
    A.1.2 BPF extension
  A.2 Routing Header Type 0
    A.2.1 In a nutshell
    A.2.2 Advanced traceroutes
    A.2.3 Amplification attacks
B Thesis' French Version
  B.1 Introduction
    B.1.1 Mobility protocols
    B.1.2 Outline
  B.2 Mobile IPv6 and its limitations
    B.2.1 Operation of Mobile IPv6
    B.2.2 Limitations of Mobile IPv6
    B.2.3 Conclusion
  B.3 Home Agent Migration
    B.3.1 Overview
    B.3.2 Operation
    B.3.3 Experimental results
    B.3.4 Conclusion
  B.4 Mobile IPv6 deployment
    B.4.1 Home agent locations
    B.4.2 Methodology
    B.4.3 Evaluation
    B.4.4 Conclusion
  B.5 Conclusion
    B.5.1 Contributions
    B.5.2 Perspectives
Bibliography
List of Figures
List of Tables
Chapter 1
Introduction
Contents
1.1 Standard problems induced by Mobility
1.2 What is mobility support anyway?
1.3 Approaches for Internet mobility support
  1.3.1 Locators and identifiers
  1.3.2 Which identifiers?
  1.3.3 Design constraints
1.4 Overview of Mobile IPv6
1.5 Contributions
1.6 Outline
Since 2000, both the computing and networking landscapes have changed drastically. In developed countries, networks are accessible virtually everywhere, thanks to heterogeneous wireless technologies and to computing devices that easily fit in one's pocket and are powerful enough to compete with desktops. Moreover, these technical evolutions also change how we interact with the technology itself. Mobile phones are now an integral part of our daily life. We use them not only for work but also to communicate with friends, access the Internet or play games. They are slowly modifying the way we socialize with each other [80] and how we access information: in 2006, mobile devices in Japan represented 57% [1] of all user access to the Internet. Nowadays, users can do with their mobile phones what they would do sitting in front of their desktops: exchange emails [2], access maps [6] or buy music [7]. For decades, people have been mobile on a daily basis, but they have only been able to use technology on the go for a few years.
Another change in mobile phone usage recently took place thanks to dual-mode GSM/Wi-Fi handsets and Voice over IP (VoIP) services. In metropolitan areas, wireless networks are available in diverse locations such as workplaces, cafés, parks or homes. As a consequence, the high density of Wi-Fi access points [55,68,67] and their wide communication ranges allow mobile devices to detect tens of access points from the same location while walking in the streets. Users can therefore take advantage of their VoIP accounts by using Wi-Fi to make cheap phone calls wherever they are.
1.1 Standard problems induced by Mobility
A high density of Wi-Fi access points is not, however, synonymous with mobility. Strictly speaking, a mobile device is only connected to one access point at a time. Traditionally, if the device goes out of the access point's range, it loses its network connectivity and must connect to another access point. Previous works addressed this issue by extending a single network broadcast domain across several Wi-Fi access points, relying on wired or wireless [17,61] backbones.
Nevertheless, as of today, it is not possible to perform vertical handovers in order to provide seamless voice calls across different access technologies such as Wi-Fi and HSDPA. Such handovers would for example allow a mobile phone to automatically switch a phone call from a paid HSDPA link to a free Wi-Fi one when the user comes in range of well-known Wi-Fi access points. From the Internet Protocol (IP) perspective, a handover [2] occurs when a node moves from one subnetwork to another.
[1] owned by approximately 48 million people, according to the Japanese Ministry of Internal Affairs and Communications.
[2] either horizontal or vertical.
Technically, it currently implies a mandatory change of the node's IP address and therefore the termination of ongoing UDP and TCP connections. They cannot be recovered, and must be restarted using the newly acquired address. If we consider phone calls, this change of address means that the call is first stopped, then restarted. As of today, handovers in Internet-like architectures are far from easy to recover from, as they must be handled either manually by the users, or independently in every single application.
This example clearly lays out the context of mobility support on the Internet as well as the technical constraints it must deal with. We list the main categories of such constraints below.
1. Change of IP address
Due to the Internet routing and addressing architectures, a node's IP address must correspond to its physical location at all times. Otherwise it is not able to send IP packets to its correspondents and to receive theirs. Consequently, a node cannot use the same address everywhere it goes, and must obtain a new address when it joins a new subnetwork.
2. Connection losses
The most popular transport protocols (TCP and UDP) were not designed to handle changes of IP address. As a result, ongoing communications stop working after a movement. Applications would therefore need to implement mechanisms to automatically recover from connection losses. However, most applications do not have such mechanisms and, in practice, users must manually restart lost connections.
3. End-to-end communications
The recent arrival of Voice over IP is the first move towards the comeback of real end-to-end communications. Today, client/server communications prevail and almost no application makes use of end-to-end communications. Even though some applications [3] are able to establish direct communications in Network Address Translation (NAT) environments, they cannot be considered as pure end-to-end communications, as a third party is necessary to punch holes through the NAT [51]. In a mobility context, end-to-end communications represent an important technical challenge, as they must survive both changes of IP address and connection losses.
[3] such as Skype.
So far, various protocols [93,91,83,94,74,100,20] have been defined at the Internet Engineering Task Force (IETF) to provide mobility support to mobile nodes and to solve the problems described above. This thesis focuses on the Mobile IPv6 protocol [66], described in Section 1.4, which aims at achieving immediate deployments of mobility services over the Internet through incremental upgrades of its current architecture. This thesis proposes solutions to improve the performance of Mobile IPv6 and to address its various limitations. It specifically concentrates on the IPv6 protocol, which makes up a favorable environment for mobility with the disappearance of NAT and a flat addressing space. Unless stated otherwise, this manuscript only discusses IPv6 [41,18]; terms such as IP address or IP must therefore be interpreted as IPv6 address and IPv6.
1.2 What is mobility support anyway?
With mobile phone technologies such as GSM [118], users keep the same phone number, a unique identifier, when they move or even travel to a different country; they can be reached whatever their location. Handovers are properly supported: voice calls are not stopped during or after movements. Using these technologies as a reference, mobility can be interpreted as the capacity to move easily and freely without impacting ongoing communications.
Accordingly, from an end-user perspective, being mobile is being able to move a device around while seamlessly accessing the communication network with no modification to the device's applications or configuration. This implies that every device must be uniquely and permanently identified, independently of its physical location.
From the network architecture point of view, an address is required to deliver data from, and to, users. On the Internet, as described in Section 1.1, when a node moves, its IP address changes. Because the address is strongly linked to the node's physical location and to the subnetwork it is connected to, it is called a locator. Providing mobility support on the Internet therefore means offering a permanent identifier to a mobile device [4] along with a temporary locator that can change over time, and defining mechanisms to store and retrieve the binding between identifiers and locators.
Nowadays, many research works try to address mobility support on the Internet: they range from local to Internet-wide scopes, are implemented at the transport or network level, and target modifications of either end-nodes or the infrastructure. Their application time lines also differ: some research aims at near-future deployments [66], while other work requires heavy changes to the current Internet architecture [49] that will not be possible for several decades. In the remainder of this chapter, we will first provide a deeper analysis of the requirements for supporting mobility on the Internet. Then, we will briefly present our work to improve the performance of the Mobile IPv6 protocol.
[4] also referred to as a mobile node.
1.3 Approaches for Internet mobility support
In this section,we summarize the issues and technical choices that arise while designing
mobility protocols for the Internet.Our goal is to describe the common requirements
of Internet mobility support and briefly present typical mobility protocols as well as
their design constraints.
1.3.1 Locators and identifiers
As previously discussed, the primary property of a mobility protocol is to give mobile nodes both an identifier and a locator: two elements that describe a node's identity and its physical location. However, in order to make a mobility protocol complete, there must be mechanisms to map a locator to an identifier, and to retrieve a locator given its corresponding identifier. For example, in a phone book, people's names are the identifiers and phone numbers are the locators, which change over time as people move to new residences. In order to call a friend, a user can look up the corresponding phone number in the phone book. If it changes, the user can look it up in an updated phone book and find the friend's new phone number. From the network perspective, this metaphor raises several questions that affect the design of mobility protocols.
1. What are identifiers and locators exactly? Phone numbers; IPv6 addresses; domain names; people's names?
2. How is the mapping performed? In mobile nodes; with an external database; in a peer-to-peer fashion; by pushing the mapping only to well-known correspondents?
3. When does a correspondent choose to retrieve the mapping? Each time it needs to communicate with the mobile node; at a fixed time interval; with a cache whose entries expire on a timer; never?
Table 1.1: Identifiers examples
Names          Protocols
Domain names   DNS
ID             HIP, SCTP
IP addresses   MIPv6, LISP, NETLMM

On the Internet, the addressing and routing architectures strongly constrain the location of a node. An IPv6 address belonging to an IPv6 prefix allocated to a French Internet Service Provider cannot be used to receive packets in Japan.
the current Internet architecture makes it impossible to keep the same address when
a node moves.This problem is linked to the dual function of the IP address.First,it
implicitly provides the position of a node on the globe (the locator).Then,it uniquely
identifies the node in the whole Internet topology (the identifier).As a consequence,
mobility protocols simply rely on the Internet routing architecture to ensure the delivery
of mobile nodes packets,and use IP addresses as mobile nodes locators.The different
protocols will therefore compete in the way they provide permanent identifiers and
efficient mapping mechanisms.
1.3.2 Which identifiers?
The elements used as identifiers are deeply related to the design of mobility protocols. As listed in Table 1.1, several possibilities are available to supply permanent identifiers. For example, if we consider domain names as the identifier, we can define an elementary application-based mobility protocol as follows. Every time a mobile node joins a new subnetwork, it updates its DNS Resource Record [82] with its newly acquired IPv6 address. This could easily be implemented with virtually no modification to correspondents or mobile nodes, and would work on the current Internet. However, this protocol has drawbacks: ongoing connections are lost after handovers, and correspondents must query the DNS server frequently to retrieve the most recent IP address.
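To make two of the design questions of Section 1.3.1 concrete (where the identifier-to-locator mapping lives, and when a correspondent refreshes it), the following is an added example and not code from the thesis: a small Python simulation of the DNS-style protocol sketched above next to a push-based variant. The registry, the two correspondent types, the addresses, the TTL and the clock are all constructed for the example. A "pull" correspondent resolves the identifier and caches the answer for the record's TTL; a "push" correspondent receives a binding update directly from the mobile node when it moves.

```python
"""Identifier/locator mapping: pull with a TTL cache versus push (added example)."""
from dataclasses import dataclass, field


@dataclass
class Registry:
    """DNS-like store, identifier -> (locator, ttl), updated by the mobile node."""
    records: dict = field(default_factory=dict)

    def update(self, name, locator, ttl):
        self.records[name] = (locator, ttl)

    def lookup(self, name):
        return self.records[name]


@dataclass
class PullCorrespondent:
    """Resolves on demand and keeps the answer until its TTL expires."""
    registry: Registry
    cache: dict = field(default_factory=dict)  # name -> (locator, expires_at)

    def locator_for(self, name, now):
        entry = self.cache.get(name)
        if entry is None or now >= entry[1]:
            locator, ttl = self.registry.lookup(name)
            entry = (locator, now + ttl)
            self.cache[name] = entry
        return entry[0]


@dataclass
class PushCorrespondent:
    """Receives a binding update straight from the mobile node on every move."""
    bindings: dict = field(default_factory=dict)

    def binding_update(self, name, locator):
        self.bindings[name] = locator

    def locator_for(self, name, now):
        return self.bindings[name]


@dataclass
class MobileNode:
    name: str          # permanent identifier (a domain name here)
    locator: str       # current IPv6 address, changes on every handover
    registry: Registry
    peers: list = field(default_factory=list)  # well-known correspondents to push to
    ttl: int = 60

    def move(self, new_locator):
        self.locator = new_locator
        self.registry.update(self.name, new_locator, self.ttl)
        for peer in self.peers:
            peer.binding_update(self.name, new_locator)


def deliver(mn, correspondent, now):
    """True if a packet the correspondent sends now reaches the mobile node."""
    return correspondent.locator_for(mn.name, now) == mn.locator


def simulate():
    """Handover at t=10 with a 60 s TTL; returns (pull ok, push ok) at three instants."""
    reg = Registry()
    mn = MobileNode("mn.example", "2001:db8:1::10", reg, ttl=60)  # constructed values
    reg.update(mn.name, mn.locator, mn.ttl)
    puller = PullCorrespondent(reg)
    pusher = PushCorrespondent()
    mn.peers.append(pusher)
    pusher.binding_update(mn.name, mn.locator)

    trace = {}
    trace["before"] = (deliver(mn, puller, now=0), deliver(mn, pusher, now=0))
    mn.move("2001:db8:2::10")  # the mobile node joins a new subnetwork at t=10
    trace["after_move"] = (deliver(mn, puller, now=10), deliver(mn, pusher, now=10))
    trace["after_ttl"] = (deliver(mn, puller, now=61), deliver(mn, pusher, now=61))
    return trace
```

Running simulate() shows both correspondents reaching the mobile node before the move; right after it, the pulling correspondent keeps sending to the stale locator until its cached entry expires, while the pushed binding is immediately correct. The push path is also where the security question of this design sits: a correspondent that accepts binding updates needs a way to check that they come from the node that owns the identifier, which is what the Return Routability Procedure of Mobile IPv6 (Section 2.1.3) provides.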
On the other hand, HIP [83] and SCTP [91,104] are designed as new transport protocols [5] implemented in both mobile and correspondent nodes. Connections in these protocols are able to survive a handover by automatically notifying correspondents of a change of IP address: ongoing connections can therefore be used after a movement. From the application perspective, packet losses put aside, handovers have no impact. These protocols allow both end-nodes to move inside the Internet topology. However, they require all applications to be modified so as to benefit from their mobility support: HIP and SCTP sockets are not compatible with regular TCP and UDP ones.
[5] although HIP is often referred to as a layer 3.5 protocol.
Finally, with mobility protocols that use IPv6 addresses as identifiers, such as Mobile IPv6, LISP (Locator/ID Separation Protocol) [49] or NETLMM (Network-based Localized Mobility Management) [56], correspondent nodes are not concerned by the mobility of mobile nodes and communicate with them using the IPv6 address, as they would with non-mobile nodes. Consequently, such protocols are fully compatible with current implementations of TCP and UDP. Applications are not aware that mobility support is being used, even on the mobile node's side. In such protocols, mobility is supported either by the mobile nodes or by the network. These protocols can however introduce longer communication delays due to non-optimal communication paths.
1.3.3 Design constraints
As previously discussed, the mobility protocols designed at the IETF take different approaches to provide mobility support over the Internet. While these protocols may sometimes look divergent, they can be classified and compared using the following requirements.
1. Realistic utilization
In order to ease its deployment and accelerate its adoption, a mobility protocol must not require any modification on the correspondents' side: they should be able to communicate with mobile nodes as if they were not mobile. Concerning an immediate usage of mobility support on the Internet, it is indeed unreasonable to assume that all nodes will be upgraded to support mobility. Moreover, it is unlikely that any mobility protocol will be implemented on the server side, such as Google or MSN, as this leads to higher operational costs without any performance benefit for the service provider.
2. Small impact on the existing network architecture
This is somewhat similar to (1) but from a network perspective. All required changes to the network architecture should remain compatible with the current Internet technologies. Concerning immediate deployments, only incremental changes can seriously be considered for practical mobility support: it is not feasible to break the current addressing and routing architectures.
Table 1.2: Design constraints and mobility protocols examples (columns 1 to 4 are the four design constraints of this section; an x marks a constraint the protocol satisfies)
Protocols      1  2  3  4
DNS-based      x  x
SCTP, HIP         x     x
LISP           x     x  x
MIPv6          x  x  x
MIPv6 & RRP       x  x  x
OLSR, AODV        x  x
3. Transparency to transport layers and applications
We allow packet losses, but ongoing connections must smoothly survive handovers. Moreover, mobility support must not require any modification to applications: requiring one is impracticable, as every application would need to be upgraded. In terms of network layers, this means that the mobility protocol must either reside below the transport layer, or provide its functionality through transparent application proxies such as SOCKS [75].
4. Similar performances
A mobility protocol should not seriously impact communication performance, nor increase the load on the network. Moreover, it should also scale to provide acceptable performance when the number of mobile nodes increases. Ultimately, the user's experience should remain the same as in a non-mobile context.
Given the four design constraints, we provide an overview of different mobility protocol alternatives in Table 1.2. It clearly highlights that the implementation choices (such as the networking layer, the locator/identifier mapping, or the locator types) impact the application scope of mobility protocols. For example, the Optimized Link State Routing (OLSR) protocol [33], designed to support Mobile Ad-hoc Networks (MANET), must be implemented in every node that wants to benefit from its features. However, it allows nodes to communicate in areas where there is no communication infrastructure, by automatically adapting itself to node movements. On the other hand, LISP efficiently separates node identifiers from routing locators while remaining compatible with current IPv6 stacks. Nevertheless, it requires heavy changes to the current Internet architecture.
Under the previous design constraints, we concluded that the IPv6 address is the only identifier that could be used to achieve immediate deployments of mobility support. This observation led us to focus our work on Mobile IPv6. At the beginning of this thesis in 2004, four implementations were already available, and the protocol was supported by major vendors of networking equipment [13,8,32,79]. At the same time, people agreed that Mobile IPv6 was a good, yet flawed, intermediate solution to provide mobility support over the Internet. Today, in 2008, Mobile IPv6 is pushed by Standards Development Organizations and, unlike any other mobility protocol, it is expected to go to market soon.
So far we did not discuss security as a design constraint; however, we firmly believe that it is a critical aspect of mobility systems. Security is important but is driven by usage scenarios and must be designed accordingly. For example, concerning the integration of Mobile IPv6 in the WiMAX architecture, a simple authentication mechanism [92] modeled on Mobile IPv4 [93] and pushed by telecommunications operators is preferred to IPsec, which is the common way to secure Mobile IPv6 [42]. Indeed, the implementation and use of IPsec are considered as being too demanding to be integrated into small devices such as mobile phones.
1.4 Overview of Mobile IPv6
In this section, we briefly describe the Mobile IPv6 protocol, its advantages, its limitations and our solutions. It will be further described in Chapter 2. The Mobile IPv6 protocol provides a unique permanent identifier (an IPv6 address) to a mobile node (MN) independently of its network of attachment. As shown in Figure 1.1, the key component of Mobile IPv6 is the home agent (HA) located in the mobile node's home network. It is a dedicated IPv6 router that manages the home IPv6 prefix, as well as the binding between the identifier and the locator which, in the Mobile IPv6 terminology, are respectively referred to as Home Address and Care-of Address. The Care-of Address is used by the mobile node to communicate with its home agent. Packets sent to the Home Address (that belongs to the home prefix) by correspondent nodes (CN) are routed to the home network and intercepted by the home agent, which forwards them to the current location of the mobile node: its Care-of Address. Likewise, packets sent from the mobile node to its correspondent node must go through the home agent prior to being delivered. This deviation of packets to the home agent is called dogleg routing, and causes longer paths and higher communication delays between mobile nodes and their correspondents.
Figure 1.1: Mobile IPv6 (HA: Home Agent; CN: Correspondent Node; MN: Mobile Node; the home, visited and foreign networks are connected through the Internet; the HA-MN tunnel and the Optimized Path are shown)
The Mobile IPv6 specification only requires the protocol to be implemented in home agents and mobile nodes; moreover, it is transparent to transport layers. As a consequence, it satisfies design constraints 1, 2 and 3 as previously specified.
In addition, the base specification of Mobile IPv6 includes a route optimization scheme called the Return Routability Procedure (RRP) that solves the deviation of packets. In Figure 1.1, the resulting communication path is represented as Optimized Path. This procedure allows packets to be directly sent between a mobile node and its correspondent without involving the home agent. Since this optimization reduces the latency of the communications and improves performances, it consequently validates the fourth design constraint. However, since the Return Routability Procedure requires upgrading all correspondents, it no longer meets the requirements of the first design constraint.
With dogleg routing, the restricted position of the home agent is the fundamental problem that weakens Mobile IPv6 performances. Due to the addressing and routing architectures, the location of a home agent is topologically and physically restricted by its home prefix. It must be in the correct physical location so that it can receive packets destined to the home prefix. Therefore, the home agent has to be placed where this prefix is advertised on the Internet. All of the previously described design constraints cannot be satisfied at the same time with the current Mobile IPv6 specification. Putting the Return Routability Procedure aside, the protocol does not fulfill the fourth constraint: it presents performance drawbacks.
1.5 Contributions
The primary goals of this thesis are to improve Mobile IPv6 performances, and to control its current shortcomings. Currently promoted by the Third Generation Partnership Project (3GPP) and the WiMAX Forum, the Mobile IPv6 protocol is a major solution to provide mobility support while remaining compatible with current network architectures and end-node implementations. In order to achieve our goals, we thoroughly analyze Mobile IPv6 limitations and then propose optimizations that satisfy the design constraints described in Section 1.3.2. To do so, we use both practical and theoretical approaches. Our main contributions are listed below.
1. Home Agent Migration
We propose a new mobility architecture, called Home Agent Migration, that uses the traditional Mobile IPv6 protocol with an additional mobility management plane. In this new plane, home agents are distributed all over the Internet and exchange information about the mobile nodes that they can reach. This deployment is performed with the help of anycast routing [69], in which each home agent advertises the same home IPv6 prefix. Consequently, a mobile node will exchange traffic with its topologically closest home agent, reducing communication delays. This work led to one publication [117], and one submission to a journal [116] (currently under review).
2. Expose the impact of home agent locations
We model operators' networks as undirected graphs and define the properties of good home agent locations in terms of graph theory. We then quantify the impact of dogleg routing on communication performances. In particular, we use notions of centrality in graphs to quantify the increases of communication distances induced by dogleg routing and to identify relevant home agent locations.
3. Methodology for home agent deployments
Using the results from the above study, we describe a new approach to address deployment issues of Mobile IPv6 that could be applied to any operator's network. We propose an algorithm that indicates good home agent locations given a specific network topology. We evaluate this approach using real-world network topologies and show that the obtained Mobile IPv6 performances could be close to those of direct paths. The proposed algorithm is generic and can be used to achieve Mobile IPv6 as well as Home Agent Migration deployments.
4. NEMO enhancements
We provide detailed descriptions of possible usages of Home Agent Migration along with Network Mobility (NEMO) [43]. This protocol, based on Mobile IPv6, delivers mobility service to whole networks, such as sensors deployed in a car, and to standard IPv6 nodes that do not implement Mobile IPv6 on the client side. This work led to a publication [110].
5. Tool for rapid IPv6 prototyping
IPv6 as well as Mobile IPv6 extensions to Scapy [26] (a tool written in Python that simplifies the injection and the reception of frames and packets) were developed in collaboration with Arnaud Ebalard (from EADS Innovation Works) [109, 108]. Their primary goal was to emulate Mobile IPv6 nodes from the userland using the Python programming language [11]. These emulated nodes were used to conduct experiments in environments where it was not possible to set up real mobile nodes. These extensions are not only used by the research community but also by companies that mostly use them to test their IPv6 implementations.
1.6 Outline
Chapter 2 provides a detailed description of the Mobile IPv6 protocol and its limitations, as well as an overview of standardized optimizations. Chapter 3 describes the Home Agent Migration architecture from a synthetic to an implementation perspective, and finally provides an evaluation based on a real deployment. Chapter 4 presents an analysis of Mobile IPv6 and Home Agent Migration in terms of graph theory, and gives details about a methodology that efficiently chooses relevant home agent locations in given network topologies.
Appendix A describes two Scapy extensions that were written during this thesis, and then presents possible usages of the IPv6 Routing Header that were discovered while developing these extensions. Appendix B summarizes this thesis in French.
Chapter 2
Background on Mobile IPv6
Contents
2.1 Mobile IPv6 ... 14
2.1.1 Preliminary terminology ... 14
2.1.2 Operation of Mobile IPv6 ... 15
2.1.3 Return Routability Procedure ... 18
2.1.4 NEMO ... 21
2.1.5 Home Agent Discovery ... 22
2.2 Protocols limitations ... 23
2.2.1 Mobile IPv6 ... 23
2.2.2 Return Routability Procedure ... 24
2.2.3 NEMO ... 26
2.3 Security overview ... 26
2.3.1 Possible attacks against Mobile IPv6 ... 26
2.3.2 IPsec protection ... 27
2.4 Standardized optimizations ... 29
2.4.1 Hierarchical Mobile IPv6 ... 30
2.4.2 Fast Handover for Mobile IPv6 ... 31
2.4.3 Multiple Care-of Address ... 32
2.5 Conclusion ... 33
2.1 Mobile IPv6
In this section, we give a detailed overview of Mobile IPv6. Then we discuss issues raised by this protocol and its route optimization procedure. The aim of this section is to describe the problems that this thesis is addressing while considering immediate deployments of mobility support in the Internet, and to highlight our contributions concerning the distribution of home agents and their locations.
2.1.1 Preliminary terminology
Here, we present the terminology that we will use throughout this thesis, visually supported by Figure 2.1, which locates the terms in an example network topology.
Prefixes, addresses, and abstract elements
1. Home prefix: an IPv6 prefix managed by the home agent that corresponds to the mobile node's Home Address.
2. Home Address (HoA): a fixed IPv6 address that belongs to the home prefix of the mobile node; it is the identifier.
3. Care-of Address (CoA): an IPv6 address that belongs to the network where the mobile node is physically located. The CoA changes as the mobile node moves; it is the locator.
4. Home Link: the physical link on which the home prefix is advertised using IPv6's auto-configuration mechanisms [105].
5. Binding Cache: a database (similar to a routing table) that contains the mappings between Home Addresses and Care-of Addresses.
6. Mobility Header: a new type of network header that is used to carry Mobile IPv6 related signaling packets. It is transported directly over IPv6.
Nodes
1. Home agent (HA): a specific router located in the home network. It delegates a Home Address from the home prefix to a mobile node, and forwards the associated data traffic to the mobile node.
2. Mobile node (MN): a node that keeps its Home Address after changing its network of attachment. It implements Mobile IPv6.
3. Correspondent node (CN): a node that communicates with a mobile node. It may implement Mobile IPv6 if it supports the Return Routability Procedure.
Networks
1. Home network: the network where the home agent is located. The home prefix and thus Home Addresses belong to this network.
2. Foreign network: the network where the correspondent node is located.
3. Visited network: the network where the mobile node is located; its Care-of Address belongs to the IPv6 prefix of this network.
Figure 2.1: Mobile IPv6 terminology (the home network with its home link and the HA, the visited network with the MN, and the foreign network with the CN, all connected through the Internet)
2.1.2 Operation of Mobile IPv6
On the Internet, the location of a node is strongly constrained by the routing architecture. An IPv6 address that belongs to an IPv6 prefix allocated to a French Internet Service Provider cannot be used to receive packets in Japan. Consequently, the current Internet architecture makes it impossible to keep the same address when a node moves.
Figure 2.2: Mobile IPv6: communication example (home network 2001:db8:d0d0::/64 with the HA, visited network 2001:db8:cafe:deca::/64 with the MN, foreign network 2001:db8:dead::/64 with the CN, connected through the Internet; HA-MN tunnel)
This problem is linked to the dual function of the IP address. First, it implicitly provides the position of a node on the globe; this role is called locator. Then, it uniquely identifies the node in the whole Internet topology; this second role is called identifier. The Mobile IPv6 protocol provides a solution to separate these two functions. A mobile node implementing Mobile IPv6 uses two different IP addresses: its Home Address (HoA), which plays the role of the identifier, and its Care-of Address (CoA), the locator.
In order to bind the Home Address to the Care-of Address, Mobile IPv6 relies on the home agent, a specific router located in the home network. Its goals are to delegate a Home Address from the home network to each mobile node, and to forward the mobile node's data traffic. At any given time, the mobile node always communicates using its Home Address regardless of the network it is connected to. A simple communication example is shown in Figure 2.2 when Mobile IPv6 is used. The home prefix is 2001:db8:d0d0::/64, the HoA is 2001:db8:d0d0::42, and the CoA is 2001:db8:cafe:deca:217:f2ff:fec7:881a (auto-configured with the prefix advertised by the Access Router (AR)).
Figure 2.3: Mobile IPv6: packet exchanges between the MN, the access router (AR), the HA and the CN: 1. movement detection (Router Solicitation / Router Advertisement); 2. association (Binding Update / Binding Acknowledgment); 3. sending data (ICMPv6 Echo Request / Echo Reply through the IPv6-in-IPv6 tunnel)
Exchanged Packets
Figure 2.3 represents the successive packet exchanges occurring after a mobile node has detected that it moved, until it communicates with its correspondent. The movement detection relies on the standard IPv6 auto-configuration mechanism described in RFC 4862 [105]; it is not specific to Mobile IPv6.
1. When the mobile node moves to a new network, it first configures a new Care-of Address (2001:db8:cafe:deca:217:f2ff:fec7:881a) using the prefix announced by the Access Router (AR; 2001:db8:cafe:deca::/64), and its network interface's MAC address 00:17:f2:c7:88:1a.
2. It registers its binding information with its home agent by sending a message called a Binding Update containing its Home Address (2001:db8:d0d0::42) and its new Care-of Address (2001:db8:cafe:deca:217:f2ff:fec7:881a) to its home agent. After the reception of this packet, the home agent sets up an IPv6-in-IPv6 tunnel with the mobile node. It also fills up its Binding Cache with a mapping that associates the HoA to the CoA. Finally, it sends back a Binding Acknowledgment message to notify the mobile node of the completion of the binding phase.
3. When the mobile node sends an ICMPv6 Echo Request message to its correspondent (2001:db8:dead::beef), this message is sent to the home agent using the tunnel, decapsulated by the home agent, and finally forwarded to the correspondent. As previously shown in Figure 2.2, all of the communications between a mobile node and a correspondent node must go through the home agent.
Figure 2.4: Return Routability Procedure: communication example (home network 2001:db8:d0d0::/64 with the HA, visited network 2001:db8:cafe:deca::/64 with the MN, foreign network 2001:db8:dead::/64 with the CN; the Optimized Path runs directly between the MN and the CN)
2.1.3 Return Routability Procedure
The base specification of Mobile IPv6 includes a route optimization scheme called the Return Routability Procedure. It allows the mobile node to send a Binding Update message to its correspondent nodes that also implement Mobile IPv6. After the completion of this procedure, the packets are directly routed between the mobile node and its correspondent nodes along the optimized path (in practice, the optimized path is the direct path between the visited network and the foreign network), as shown in Figure 2.4.
Figure 2.5: Return Routability Procedure: packet exchanges between the MN, the HA and the CN: 1. HoA test (HoTi / HoT through the IPv6-in-IPv6 tunnel with the HA); 2. CoA test (CoTi / CoT directly); 3. association (Binding Update / Binding Acknowledgment); 4. sending data (ICMPv6 Echo Request / Echo Reply)
In this optimized mode, the correspondent node behaves somewhat like a home agent as it is aware of the mobile node's Care-of Address. However, unlike on the home agent, no preliminary information is available on the correspondent node to authenticate the mobile node. The mobile node must therefore prove that it is the real owner of the Care-of Address and the Home Address that it wants to use. It does so by proving that it is able to receive as well as emit packets from these two addresses [89].
Exchanged Packets
Figure 2.5 describes the packets exchanged between a mobile node and its correspondent until they can send packets over the direct path. The movement detection is not represented in the figure. Note that this entire procedure must be repeated after each movement.
1. The first exchange of HoTi (Home Test init) and HoT (Home Test) messages is used to ensure that the mobile node is able to emit and receive packets using its Home Address. These messages are exchanged through the tunnel established with the home agent.
2. Likewise, the exchange of CoTi (Care-of Test init) and CoT (Care-of Test) messages checks that the mobile node is able to emit and receive packets using its Care-of Address. These messages are exchanged directly between the mobile node and its correspondent.
3. After the reception of the HoTi and CoTi messages, the mobile node sends a Binding Update message to its correspondent to register the binding between its Care-of Address and its Home Address. The correspondent also fills up its Binding Cache.
4. Packets exchanged between the mobile node and its correspondent use the optimized path and are not deviated to the home agent. Packets are sent using the Routing Header Type 2 and the Home Address Option extensions to make sure that the IPv6 addresses contained in the IPv6 headers are topologically correct. Otherwise, if the Home Address was directly used in the IPv6 header, packets could be discarded by the mobile node's and the correspondent node's access routers.
In practice, the four messages (HoTi/HoT and CoTi/CoT) exchanged during the Return Routability Procedure are used to generate a cryptographic key that is employed by the mobile node to cryptographically sign the Binding Update message. Upon reception of the HoTi and CoTi messages, the correspondent knows that the mobile node can emit packets from its two addresses (HoA and CoA). It then sends back two tokens to the mobile node in the HoT and CoT messages. These two tokens are hashed together to generate the key used to sign the Binding Update message sent by the mobile node to the correspondent node. Possible attacks against Mobile IPv6 and the Return Routability Procedure are later discussed in Section 2.3.1.
Figure 2.6: NEMO (the mobile router MR1, away from its home network, reaches its home agent HA1 through a tunnel; the CN sits in the foreign network)
2.1.4 NEMO
Defined at the IETF in RFC 3963 [43], NEMO (NEtwork MObility) is an extension to Mobile IPv6 that allows a whole network to move and change its point of attachment to the Internet as would a mobile node. A new entity similar to the mobile node, called a Mobile Router (MR), implements the NEMO protocol. Its goal is to hide the effect of mobility from the nodes connected to its ingress (i.e. internal) interface, as shown in Figure 2.6. The main concept of NEMO is to provide a mobility service to IPv6 nodes that do not implement Mobile IPv6, using an IPv6 prefix delegated from the home network. A typical usage scenario for this protocol is public transportation systems such as trains, where end-nodes are connected to the Mobile Router using 802.11b.
Like a Mobile Node, the Mobile Router has a permanent Home Address that remains the same wherever it moves. In addition, it also manages a Mobile Network Prefix (MNP) delegated from the home network. This is the IPv6 prefix used by end-nodes connected to its ingress interface. In NEMO, the home agent is slightly modified so as to delegate Home Addresses as well as Mobile Network Prefixes, and to process dedicated Binding Update messages. It does not only intercept packets destined to the Home Address of mobile routers but also intercepts data packets sent to nodes belonging to the Mobile Network Prefix.
Figure 2.7: Nested NEMO (node A is attached to MR1, the parent-NEMO, served by HA1 in home network 1 through tunnel 1; node B is attached to MR2, the sub-NEMO, served by HA2 in home network 2 through tunnel 2; the CN sits in the foreign network)
As defined by the NEMO terminology [45], a mobile network is said to be nested (sub-NEMO) when it is directly connected to another mobile router (parent-NEMO). Figure 2.7 shows a simple case of nested mobile network where a mobile router, MR2, is connected to another mobile router, MR1. The networks interconnecting MR1 and HA1, and HA1 and HA2 are not represented. We consider that Binding Update messages were respectively sent and received by the mobile routers and their corresponding home agents. When node A in the parent-NEMO sends packets to node B located in the sub-NEMO, they are forwarded to MR1, which encapsulates packets into tunnel 1. Then, HA1 decapsulates and forwards them to the home network 2, which is the correct destination owing to the routing architecture. When packets reach this network, they are intercepted by HA2, immediately forwarded to MR2 via tunnel 2, and delivered to node B. This is a typical use of NEMO that presents some performance issues that will be described in the following section. This scenario is likely to happen when a passenger brings his mobile router, MR2, into a train, and uses it to provide Internet access to his devices such as a laptop and a smart-phone.
2.1.5 Home Agent Discovery
While away from its home network, a mobile node might not know the IPv6 address of the home agent serving its home prefix. The Mobile IPv6 RFC defines a new Dynamic Home Agent Address Discovery (DHAAD) ICMPv6 message that could be used by a mobile node to discover all home agents configured on the home link. On the home link, home agents periodically advertise their home prefix using Router Advertisement (RA) messages. Using these messages, a home agent can maintain a list of home agents that serve the same home prefix.
In practice, the DHAAD message is sent to a specific anycast address [65] that is constructed using the home prefix [4]. This message is routed and delivered to only one home agent, which sends back a DHAAD reply message containing a list of the home agents managing the home prefix.
DHAAD allows several home agents to serve different sets of mobile nodes with the same home prefix. However, if the home agent serving a mobile node crashes, on-going communications are stopped and the mobile node must rebind to another home agent. The Mobile IPv6 RFC does not define any mechanism that provides transparent home agent redundancy in case of system failures.
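The two address constructions used in this chapter, as an added example that is not code from the thesis: the Care-of Address the mobile node auto-configures in step 1 of Section 2.1.2 from the access router's prefix and its MAC address (modified EUI-64, RFC 4862), and the Home-Agents anycast address derived from the home prefix to which the DHAAD message is sent (the footnote of this section gives 2001:db8:d0d0::fdff:ffff:ffff:fffe for 2001:db8:d0d0::/64). The RFC 2526 layout of that anycast identifier and the function names are my assumptions; the addresses are those of the thesis.

```python
"""Mobile IPv6 address construction (added example, not code from the thesis).

slaac_address():       Care-of Address = advertised /64 prefix + modified EUI-64
                       of the interface MAC (stateless auto-configuration, RFC 4862).
home_agents_anycast(): Mobile IPv6 Home-Agents anycast address of a home prefix
                       (RFC 2526 reserved subnet anycast, anycast ID 126), the
                       destination of the DHAAD request.
Only the standard library is used; the sample values below are those of the thesis.
"""
import ipaddress

# RFC 2526 reserves interface identifiers of the form 1111110111...1 (57 bits)
# followed by a 7-bit anycast ID; 126 (0x7e) is the Mobile IPv6 Home-Agents ID.
HOME_AGENTS_ANYCAST_ID = 126


def modified_eui64(mac: str) -> int:
    """64-bit interface identifier derived from a 48-bit MAC address.

    The universal/local bit (bit 1 of the first octet) is inverted and the
    octets ff:fe are inserted between the OUI and the device part.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def _prefix64(prefix: str) -> ipaddress.IPv6Network:
    """Parse a prefix and check it is a /64, the only case both helpers support."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        # Both constructions rely on the 64-bit interface identifier layout.
        raise ValueError("a /64 prefix is required, got /%d" % net.prefixlen)
    return net


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Care-of Address a mobile node auto-configures from the AR prefix and its MAC."""
    net = _prefix64(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def home_agents_anycast(home_prefix: str) -> ipaddress.IPv6Address:
    """Home-Agents anycast address associated with a /64 home prefix."""
    net = _prefix64(home_prefix)
    # fd (11111101) | 49 more one-bits | 7-bit anycast ID  ->  fdff:ffff:ffff:fffe
    interface_id = (0xFD << 56) | (((1 << 49) - 1) << 7) | HOME_AGENTS_ANYCAST_ID
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def home_agents_anycast_of_address(address: str) -> ipaddress.IPv6Address:
    """Same, but starting from any address of the home prefix (e.g. the HoA)."""
    net = ipaddress.IPv6Network((address, 64), strict=False)
    return home_agents_anycast(str(net))


if __name__ == "__main__":
    # Values from the thesis: visited prefix, MN MAC, home prefix and HoA.
    print("CoA      :", slaac_address("2001:db8:cafe:deca::/64", "00:17:f2:c7:88:1a"))
    print("DHAAD    :", home_agents_anycast("2001:db8:d0d0::/64").exploded)
    print("from HoA :", home_agents_anycast_of_address("2001:db8:d0d0::42").exploded)
```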
[4] The anycast address associated to the prefix 2001:db8:d0d0::/64 is 2001:db8:d0d0::fdff:ffff:ffff:fffe.
2.2 Protocols limitations
2.2.1 Mobile IPv6
Mobile IPv6 has some fundamental problems related to the use of the home agent to perform the bindings between Home Addresses and Care-of Addresses. They especially weaken the protocol performance as well as its scalability. We describe these problems below.
1. Dogleg routing
In Mobile IPv6, a mobile node is only associated with a single home agent. All packets are first routed to the home agent and then forwarded to the destination in an IPv6-in-IPv6 tunnel. Consequently, packets take a non-optimal path because all of the traffic must transit through the home network. This problem is known as dogleg routing and is responsible for increasing communication delays when a mobile node communicates with its correspondent node.
2. Restricted position
The location of a home agent is topologically and physically restricted by its home prefix. It must be in the correct location so that it can receive packets destined to the home prefix; as a result, it must be placed where this prefix is advertised on the Internet. This strong location requirement is particularly problematic. Moreover, when the home network becomes unreachable, mobile nodes also become isolated and cannot be reached through their home address.
3. Constraints for the home link
In usual Mobile IPv6 deployments, when a mobile node is located in a foreign network, it cannot reply to Neighbor Discovery messages (Neighbor Discovery replaces the Address Resolution Protocol (ARP) in IPv6) sent from the home network's access router. In order to intercept mobile nodes' packets, the home agent is therefore in charge of replying to these messages on behalf of mobile nodes away from the home network; in practice, it acts as a Neighbor Discovery proxy (Proxy NDP) [87]. This leads to a serious scalability issue, as the number of Neighbor Discovery packets sent by the home agent is proportional to the number of mobile nodes it serves. Additionally, the total bandwidth required by the mobile nodes' data traffic might be bigger than the total home link bandwidth. Therefore, deploying Mobile IPv6 could be an operational challenge to maintain the balance between the mobile nodes' total bandwidth and the home link's stability.
2.2.2 Return Routability Procedure
The route optimization scheme described in the base specification of Mobile IPv6 has the issues listed below.
1. Privacy
Since the mobile node reveals its Care-of Address to its correspondent node by sending Binding Update messages, the real location of the mobile node is disclosed to other nodes on the network. This is a severe problem as it can ease industrial spying, and threaten location privacy. In addition, when route optimization is performed, the mobile node's data traffic is not protected by IPsec, which leaves the communications vulnerable to eavesdropping on the visited network.
2. Modifications of end-nodes
In order to perform the route optimization, every end-node must support the Return Routability Procedure. However, it is unrealistic to expect that all IPv6 nodes will support route optimization, as it means upgrading existing nodes. Therefore, these legacy IPv6 nodes will not be able to benefit from this procedure and all of the data traffic will be destined to the home network.
3. Complexity
As previously described, prior to sending a Binding Update message to a correspondent node, the mobile node must exchange four messages to generate a key that will be used to authenticate the binding. This binding procedure is used with each correspondent node every time the mobile node moves. In the worst case, this whole message exchange is repeated after each movement. Depending on implementation choices, the HoTi/HoT exchange is only necessary once per correspondent. The overhead of this procedure is therefore high and implies longer handovers. If the Return Routability Procedure cannot be performed after a mobile node's movement, due to strict firewall policies or packet losses, the mobile node cannot exchange any data with its correspondent nodes until the Binding Cache's entry expires.
4. Server overload
We must consider that a server communicating with thousands of users may be acting as a correspondent node. In this case, the Return Routability Procedure dangerously increases the amount of work the server performs to serve queries. The deployment of Mobile IPv6 using the Return Routability Procedure causes its operational cost to also be supported by entities other than the one in charge of the home network. Unlike non Mobile IPv6 based communications, more packets are exchanged and more powerful hardware is required to handle the same amount of users. Therefore, it is unlikely that Mobile IPv6 will be implemented in servers, as it leads to bigger operational costs. These problems can seriously slow down the adoption of this route optimization scheme, as it does not bring direct benefit for the companies managing servers.
5. Filtering
This is more a side effect than a direct issue of the Return Routability Procedure; however, it can seriously affect its effective usage. Nowadays, network administrators tend to drastically filter both their egress and ingress traffic, and restrict packet types to the strict minimum (i.e. not Mobile IPv6). This new trend of filtering could for example forbid correspondent nodes to establish an optimized path with the mobile node. This filtering issue is especially serious since January 2007 and the disclosure of a critical bug affecting the handling of Routing Header extensions on Cisco routers [3]: some routers are now discarding every packet containing Routing Headers, and as a side effect messages related to Mobile IPv6 and the Return Routability Procedure.
2.2.3 NEMO
As described in the NEMO problem statement document [88], besides the previous Mobile IPv6 issues, this protocol also suffers from the nested mobile network scenario described in Section 2.1.4. This is an important problem as all of the packets exchanged between correspondents and nodes behind the mobile router must go through the tunnel. When mobile routers are not managed by the same home agent, the communication's path and delay are altered by the mandatory deviation to the different home agents HA1 and HA2. Moreover, the bandwidth usage uselessly increases with the number of nested networks, wasting network resources and increasing the probability of tunnel congestion. The impact of this problem is even more serious when the home agents are far away, for example if HA1 is located in Tokyo and HA2 in Paris. In addition to this first issue, if the egress (i.e. external) network interface of MR1 fails, node A can no longer send packets to node B. In other words, the egress network interface of the root mobile router, here MR1, limits communications from all sub-NEMOs in terms of bandwidth and stability. So far, the NEMO working group at the IETF did not come up with a solution to these issues. The only consensus is that the Return Routability Procedure as defined in the Mobile IPv6 RFC cannot be used with NEMO.
2.3 Security overview
Mobile IPv6 and its extensions should not bring new security related issues into the Internet architecture. This section first describes the possible attacks that could target Mobile IPv6 if communications are not protected. Then, it discusses the security protections that were designed at the IETF.
2.3.1 Possible attacks against Mobile IPv6
Binding Update spoofing
The communications between a mobile node and its home agent are interesting targets for an attacker. By default, Binding Update messages are not authenticated. The attacker only needs to know the Home Address of the target in order to inject fake Binding Update messages. As a result, the attacker can do whatever she wants to perturb the mobile node, such as retrieving its traffic, forbidding it to communicate, or redirecting the traffic to a target to perform a Denial of Service attack. For this reason, real life deployments of Mobile IPv6 outside closed networks cannot be done without at least authenticating signaling messages, such as Binding Update messages, and protecting them against replay.
Traffic injection
If the tunnel between the mobile node and its home agent is not protected, an attacker who knows its Home Address and its Care-of Address could easily inject data packets into the tunnel and pretend to send traffic from the Home Address. Similar to the signaling messages, packets sent in the tunnel should be authenticated and protected against replay.
Return Routability Procedure
From its conception, the Return Routability Procedure was developed to limit Denial of Service attacks against the network infrastructure and the correspondent nodes [22]. No amplification attack is possible, as one message sent by the mobile node corresponds to one reply sent by the correspondent node. If an attacker wants to send a fake Binding Update message to a correspondent node, it must know the two authentication cookies sent in the Home Test and Care-of Test messages. In other words, it must be able to eavesdrop traffic on the home network as well as on the visited link, which is not an easy task. Note that the Return Routability Procedure does not provide any protection against an attacker located on the visited network: the threat is, in this case, independent of Mobile IPv6, and equivalent to an attacker eavesdropping traffic on a non-protected Wi-Fi hotspot.
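As an added illustration (not the thesis's own code; addresses and the Mobility Header data are constructed placeholders), the following Python models the token derivation of the Return Routability Procedure as specified in RFC 3775: the correspondent keeps only a node key and nonces, answers every test message statelessly, and accepts a Binding Update only from a sender holding both the home and the care-of keygen token.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed addresses (RFC 3849 documentation prefix), not from the thesis.
HOA = ipaddress.IPv6Address("2001:db8:1::10")  # Home Address of the mobile node
COA = ipaddress.IPv6Address("2001:db8:2::20")  # its current Care-of Address
MH_DATA = b"BU seq=7 lifetime=420"  # constructed stand-in for the Mobility Header data


def binding_key(home_tok, careof_tok):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_tok + careof_tok).digest()


def bu_authenticator(kbm, coa, cn_addr, mh_data):
    """Binding Authorization Data = First(96, HMAC_SHA1(Kbm, CoA | CN address | MH data))."""
    return hmac.new(kbm, coa.packed + cn_addr.packed + mh_data, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """Correspondent side (RFC 3775, section 5.2): only a node key Kcn and a few nonces,
    no per-mobile-node state, and exactly one reply per HoTI or CoTI (no amplification)."""

    def __init__(self, addr):
        self.addr = ipaddress.IPv6Address(addr)
        self.kcn = secrets.token_bytes(20)
        self.nonces = {0: secrets.token_bytes(8)}  # nonce index -> nonce

    def keygen_token(self, addr, nonce, selector):
        """First(64, HMAC_SHA1(Kcn, address | nonce | selector)); selector 0 = home, 1 = care-of."""
        msg = addr.packed + nonce + bytes([selector])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]

    def home_test(self, hoa):
        """HoT, answering a HoTI that reached the CN through the home agent."""
        idx = max(self.nonces)
        return idx, self.keygen_token(hoa, self.nonces[idx], 0)

    def careof_test(self, coa):
        """CoT, answering a CoTI sent directly from the visited link."""
        idx = max(self.nonces)
        return idx, self.keygen_token(coa, self.nonces[idx], 1)

    def verify_bu(self, hoa, coa, home_idx, careof_idx, mh_data, authenticator):
        """Rebuild Kbm from Kcn and the nonce indices carried in the BU, then check the MAC."""
        if home_idx not in self.nonces or careof_idx not in self.nonces:
            return False  # nonce expired: the mobile node must rerun the procedure
        kbm = binding_key(self.keygen_token(hoa, self.nonces[home_idx], 0),
                          self.keygen_token(coa, self.nonces[careof_idx], 1))
        return hmac.compare_digest(bu_authenticator(kbm, coa, self.addr, mh_data), authenticator)


def legitimate_binding(cn):
    """Mobile node: obtain both tokens (one per path), derive Kbm, send an authenticated BU."""
    home_idx, home_tok = cn.home_test(HOA)        # reaches the MN via the home agent tunnel
    careof_idx, careof_tok = cn.careof_test(COA)  # reaches the MN directly at its CoA
    auth = bu_authenticator(binding_key(home_tok, careof_tok), COA, cn.addr, MH_DATA)
    return cn.verify_bu(HOA, COA, home_idx, careof_idx, MH_DATA, auth)


def one_path_binding(cn, other_coa):
    """A node that only saw the care-of path lacks the home token: its BU for HOA is refused."""
    other_coa = ipaddress.IPv6Address(other_coa)
    careof_idx, careof_tok = cn.careof_test(other_coa)  # the CN answers any CoTI
    auth = bu_authenticator(binding_key(bytes(8), careof_tok), other_coa, cn.addr, MH_DATA)
    return cn.verify_bu(HOA, other_coa, careof_idx, careof_idx, MH_DATA, auth)
```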
2.3.2 IPsec protection
IPsec
IPsec [73] is a set of protocols (namely AH, the Authentication Header; ESP, the Encryption Security Payload; and IKE, the Internet Key Exchange) and algorithms designed to secure IP-based communications. As IPsec operates at layer 3, it is a convenient solution to transparently secure end-user applications, and to provide security services to upper-layer protocols. IPsec has two modes of operation: tunnel mode (IP-in-IP tunnels are protected) and transport mode (end-to-end communications are protected). The ESP header [72] provides encryption and protection against eavesdropping. The AH header [71] provides authentication, replay protection, and integrity verification.
In order to protect IP packets, IPsec relies on two databases: the Security Policy (SP) database, and the Security Association (SA) database. Security Policies are rules on IP addresses or protocol types that define which packets must be processed by IPsec. Security Associations, on the other hand, are sets of algorithms and parameters (such as the operation mode or the cryptographic keys) that define how to protect the packets selected by a Security Policy. Both Security Policies and Security Associations designate simplex communications; as a consequence, two of each are required to secure a bi-directional communication. Security Policies are manually configured by administrators or users, while Security Associations can be configured either manually or dynamically using the IKE protocol [57, 70]: the latter is referred to as dynamic keying in the IPsec terminology.
In order to protect against packet injection and eavesdropping, signaling messages (Binding Update and Binding Acknowledgment messages) as well as the tunnel between the mobile node and the home agent must be protected with AH and ESP as defined in RFC 3776 [19] and RFC 4877 [42]. No IPsec protection is natively available for the Return Routability Procedure, as there is no prior knowledge of the correspondent node that could be used to perform mutual authentication. However, some work is being done to standardize the IPsec protection of communications between a mobile node and its correspondent node when this mutual authentication is possible [47].
Nowadays, it is quite simple to use Mobile IPv6 and IPsec jointly; however, this required some important adjustments to the standard IPsec framework in order to adapt it to mobility. For example, when the mobile node changes its Care-of Address, the end points of the Security Policies and Security Associations must be updated accordingly upon the reception of a Binding Update or a Binding Acknowledgment message [97]. Likewise, the IKE protocol was extended to support mobility more efficiently, and to make it more reliable in case of handovers [46]. As of today, the most advanced Mobile IPv6 implementations are available for the BSD and Linux kernels, named respectively SHISA [13] and MIPL [8], and both support IPsec protection with dynamic keying.
Binding Update authentication
As previously discussed in the introduction, the IPsec protection is often considered by telecommunications operators as being too complicated to be embedded into mobile devices. Moreover, they consider that IPsec is not mandatory in their core networks if efficient packet filtering is performed internally. As a consequence, an alternate mechanism to secure signaling messages was defined [92] based on Mobile IPv4. It relies on an authentication option and a replay protection option that are carried by Binding Update messages. Using these two options, the home agent can authenticate a mobile node, and prevent the injection of fake signaling messages. If the Care-of Address is never disclosed, this protection is consequently sufficient to secure Mobile IPv6 communications; if it is disclosed, an attacker can still inject packets into the tunnel.

Figure 2.8: Hierarchical Mobile IPv6 (HA, CN, MAP1, MAP2 and MN; Binding Update messages shown as BU). (a) Before the handover; (b) After the handover.
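As an added example (not the thesis's code), the following Python models the authentication and replay-protection options of the Binding Update on the home agent side, following the RFC 4285 scheme that [92] is assumed to designate: a pre-shared key per Home Address produces the authenticator, and a timestamp that must be fresh and strictly increasing refuses replayed messages. The addresses, the serialisation of the protected fields and the replay window are constructed values.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Constructed values (RFC 3849 documentation prefix), not from the thesis.
HA_ADDR = ipaddress.IPv6Address("2001:db8:1::1")
HOA = ipaddress.IPv6Address("2001:db8:1::10")
REPLAY_WINDOW = 7.0  # seconds of MN/HA clock skew tolerated; a constructed policy value


def mh_data(bu):
    """Constructed serialisation of the BU fields the authenticator covers."""
    return struct.pack("!Hd", bu["seq"], bu["timestamp"]) + bu["hoa"].packed


def bu_authenticator(key, coa, ha_addr, data):
    """Authenticator = First(96, HMAC_SHA1(K, CoA | HA address | MH data))."""
    return hmac.new(key, coa.packed + ha_addr.packed + data, hashlib.sha1).digest()[:12]


def make_bu(key, hoa, coa, seq, timestamp, ha_addr=HA_ADDR):
    """Mobile node side: a BU carrying the authentication and the timestamp options."""
    bu = {"hoa": hoa, "coa": ipaddress.IPv6Address(coa), "seq": seq, "timestamp": timestamp}
    bu["auth"] = bu_authenticator(key, bu["coa"], ha_addr, mh_data(bu))
    return bu


class HomeAgent:
    """Verifier holding one pre-shared key and one last-accepted timestamp per Home Address."""

    def __init__(self, addr, keys):
        self.addr = ipaddress.IPv6Address(str(addr))
        self.keys = keys            # HoA -> shared key of the MN/HA security association
        self.last_ts = {}           # HoA -> timestamp of the last accepted BU
        self.binding_cache = {}     # HoA -> CoA

    def process_bu(self, bu, now):
        """Return the outcome; the Binding Cache changes only on 'accepted'."""
        key = self.keys.get(bu["hoa"])
        if key is None:
            return "unknown home address"
        expected = bu_authenticator(key, bu["coa"], self.addr, mh_data(bu))
        if not hmac.compare_digest(expected, bu["auth"]):
            return "bad authenticator"         # knowing the HoA alone is not enough
        ts = bu["timestamp"]
        if abs(ts - now) > REPLAY_WINDOW:
            return "timestamp outside window"  # too old, or too far in the future
        if ts <= self.last_ts.get(bu["hoa"], float("-inf")):
            return "replayed"                  # a captured BU resent later is refused
        self.last_ts[bu["hoa"]] = ts
        self.binding_cache[bu["hoa"]] = bu["coa"]
        return "accepted"


def demo(now=1_700_000_000.0):
    """Outcomes of four BUs: genuine, the same one replayed, wrong key, stale timestamp."""
    key = secrets.token_bytes(16)
    ha = HomeAgent(HA_ADDR, {HOA: key})
    genuine = make_bu(key, HOA, "2001:db8:2::20", seq=1, timestamp=now - 1.0)
    wrong_key = make_bu(secrets.token_bytes(16), HOA, "2001:db8:9::99", seq=2, timestamp=now)
    stale = make_bu(key, HOA, "2001:db8:2::21", seq=3, timestamp=now - 60.0)
    return [ha.process_bu(genuine, now),        # "accepted"
            ha.process_bu(genuine, now + 2.0),  # "replayed"
            ha.process_bu(wrong_key, now),      # "bad authenticator"
            ha.process_bu(stale, now)]          # "timestamp outside window"
```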
2.4 Standardized optimizations
Several proposals were defined at the IETF to solve some of Mobile IPv6's limitations. Their main goal is to reduce the number of signaling packets sent from the mobile node to the home agent. Hierarchical Mobile IPv6 (HMIPv6) makes mobility within an operator's network transparent to correspondent nodes through a pyramidal hierarchy of home agents. On the other hand, Fast Handovers for Mobile IPv6 (FMIPv6) and the multiple Care-of Address (mCoA) extension propose two different approaches to reduce packet losses during handovers.
2.4.1 Hierarchical Mobile IPv6
The Hierarchical Mobile IPv6 (HMIPv6) RFC [100] was specifically designed to enhance the mobility of mobile nodes within a site (also referred to as local mobility) by pushing home agents closer to mobile nodes. It relies on new equipment called Mobility Anchor Points (MAP) that behave like home agents. As shown in Figure 2.8(a), they are distributed in the network to minimize the effects of the dogleg routing through a hierarchical organization of the home agent and Mobility Anchor Points. Thanks to this hierarchy, HMIPv6 provides scalable mobility support to Mobile IPv6: the number of signaling messages outside the local network is limited. Moreover, if one MAP fails, only a small fraction of the mobile nodes will be impacted.
Mobility Anchor Points are used to reduce the number of Binding Update messages sent to perform local handovers: if a mobile node moves within the hierarchy, Binding Update messages are not sent over the Internet. Moreover, the hierarchy also reduces the handover latency, as signaling messages do not need to cross the whole Internet. The handovers are handled locally: the MAP hides local mobility.
In addition to its Care-of Address (called Local CoA (LCoA) in the HMIPv6 terminology), a mobile node also maintains a Regional Care-of Address (RCoA) constructed using information periodically sent by Mobility Anchor Points. In Figure 2.8(a), the RCoA is an IPv6 address that belongs to the IPv6 prefix managed by the MAP; as a consequence, packets sent to the RCoA will be routed to the MAP. Along with its Home Address, the mobile node will use these addresses when sending Binding Update messages.
1. Binding Update to the MAP: the mobile node first sends a Binding Update containing the CoA and the RCoA in order to bind the RCoA to its current location. This could be seen as the first level of the HMIPv6 hierarchy. Such messages are sent when the mobile node moves under the same MAP: only its CoA changes.
2. Binding Update to the Home Agent: the mobile node then sends another Binding Update containing the RCoA and the HoA. These messages are sent when the mobile node is associated with a new MAP: both its CoA and RCoA change.
Upon a movement from subnetwork 1 to subnetwork 2, the mobile node will acquire a new CoA, but the RCoA will remain the same. As a consequence, the mobile node only needs to send a Binding Update message to the MAP to announce the change of its CoA, as shown in Figure 2.8(b). Upon reception of this message, the MAP will forward the entire mobile node traffic to its CoA. For the home agent, this movement is completely transparent. If the mobile node moves to a subnetwork managed by another MAP, it will acquire a new RCoA. As a consequence, it will need to notify both the Home Agent and the new Mobility Anchor Point of this movement, and send them new Binding Update messages.

Figure 2.9: Fast Handover for Mobile IPv6 (MN, CN, HA, PAR and NAR; Previous and New Visited Networks). (a) Before the handover; (b) After the handover, with the tunnel from the PAR.
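As an added model of the HMIPv6 hierarchy described above (not the thesis's code; the topology and the rule building an RCoA from the MAP prefix are constructed), the following Python shows which Binding Updates a movement triggers at each level, and how a packet for the Home Address is forwarded from the home agent to the RCoA and then to the LCoA.

```python
import ipaddress

# Constructed topology (RFC 3849 documentation prefixes), not from the thesis.
HOA = ipaddress.IPv6Address("2001:db8:1::10")


class MobilityAnchorPoint:
    """Local home agent of one region: binds an RCoA taken from its prefix to the MN's LCoA."""

    def __init__(self, name, prefix, subnets):
        self.name = name
        self.prefix = ipaddress.IPv6Network(prefix)
        self.subnets = [ipaddress.IPv6Network(s) for s in subnets]  # links under this MAP
        self.cache = {}  # RCoA -> LCoA

    def covers(self, lcoa):
        return any(lcoa in s for s in self.subnets)

    def rcoa_for(self, hoa):
        # Constructed rule: MAP prefix + the interface identifier of the Home Address.
        iid = int(hoa) & ((1 << 64) - 1)
        return ipaddress.IPv6Address(int(self.prefix.network_address) | iid)


class HomeAgent:
    def __init__(self):
        self.cache = {}  # HoA -> RCoA (the home agent never learns the LCoA)


class MobileNode:
    def __init__(self, hoa, ha, maps):
        self.hoa, self.ha, self.maps = hoa, ha, maps
        self.map = self.rcoa = self.lcoa = None

    def move(self, new_lcoa):
        """Attach on a new link; return the Binding Updates sent as (receiver, key, value)."""
        self.lcoa = ipaddress.IPv6Address(new_lcoa)
        new_map = next(m for m in self.maps if m.covers(self.lcoa))
        sent = []
        if new_map is not self.map:  # new region: the RCoA changes as well
            self.map, self.rcoa = new_map, new_map.rcoa_for(self.hoa)
        self.map.cache[self.rcoa] = self.lcoa  # first level: always refresh RCoA -> LCoA
        sent.append((self.map.name, self.rcoa, self.lcoa))
        if self.ha.cache.get(self.hoa) != self.rcoa:  # second level: only when the RCoA changed
            self.ha.cache[self.hoa] = self.rcoa
            sent.append(("HA", self.hoa, self.rcoa))
        return sent


def forwarding_path(ha, maps, hoa):
    """Hops a packet for the HoA takes: HA tunnels to the RCoA, the MAP tunnels to the LCoA."""
    rcoa = ha.cache[hoa]
    map_ = next(m for m in maps if rcoa in m.prefix)
    return [("HA", str(rcoa)), (map_.name, str(map_.cache[rcoa]))]


def scenario():
    """Three movements (join MAP1, move under MAP1, move to MAP2): BU receivers per move."""
    ha = HomeAgent()
    maps = [MobilityAnchorPoint("MAP1", "2001:db8:a::/64", ["2001:db8:a1::/64", "2001:db8:a2::/64"]),
            MobilityAnchorPoint("MAP2", "2001:db8:b::/64", ["2001:db8:b1::/64"])]
    mn = MobileNode(HOA, ha, maps)
    receivers = [[bu[0] for bu in mn.move(lcoa)]
                 for lcoa in ("2001:db8:a1::1", "2001:db8:a2::1", "2001:db8:b1::1")]
    return receivers, forwarding_path(ha, maps, HOA)
```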
2.4.2 Fast Handover for Mobile IPv6
Fast Handover for Mobile IPv6 (FMIPv6) [74] defines a set of extensions designed to minimize packet losses and reduce handover latency when a mobile node moves from one visited network to another. The key idea is to enhance Mobile IPv6 with mechanisms that can anticipate handovers by pushing some of the home agent functionalities into access routers, and by suppressing delays inherent to Neighbor Discovery and binding registration.
In Figure 2.9(a), the mobile node exchanges packets with its correspondent using the tunnel established between its Care-of Address and its home agent, as it would with Mobile IPv6. As shown in Figure 2.9(b), FMIPv6 allows the mobile node to continue receiving packets delivered to the Previous Care-of Address (PCoA) immediately after it joined the new visited network, by establishing a tunnel between the Previous Access Router (PAR) and the New Care-of Address (NCoA). This tunnel will be removed as soon as the mobile node sends a Binding Update containing the NCoA to its home agent. In practice, the handover latency is reduced using the following independent steps.
1. Acquire surrounding IPv6 prefixes: each access router is aware of the different IPv6 prefixes served by the other access routers. An FMIPv6 mobile node can perform a Wi-Fi scan to discover the BSSIDs (Basic Service Set IDentifier: the unique identifier of a Wi-Fi access point, similar to a MAC address) of the surrounding access routers. Using this list, the mobile node can query its access router and retrieve the IPv6 prefixes associated with these BSSIDs.
2. Decrease Neighbor Discovery delays: using the resulting list, the mobile node can construct its New Care-of Address and request the NAR to reserve the NCoA on its physical link. By doing so, the mobile node ensures that no other node will use the same IPv6 address, and it will be able to use it as soon as it joins the new visited network.
3. Tunnel data between the NCoA and the PAR: after joining a new network, a mobile node is able to send a message similar to a Binding Update to the PAR. Upon reception, the PAR will set up a tunnel with the NCoA of the mobile node, and use it to forward traffic sent to the PCoA. Note that the mobile node cannot use its NCoA until it sends a Binding Update message to its home agent or correspondent nodes.
4. Communication between the PAR and the NAR: the PAR and the NAR exchange messages to confirm that a mobile node will move to the new visited network, and to indicate whether the NCoA is available or not.
Using these mechanisms, a mobile node is able to send and receive packets as soon as it is physically associated to a new network, and before it sends a Binding Update message to its home agent. Upon reception, the home agent will configure a tunnel with the NCoA, and forward packets to the real location of the mobile node. The communication scheme is then similar to Mobile IPv6.
2.4.3 Multiple Care-of Address
With the Mobile IPv6 RFC, a mobile node can only bind one Care-of Address to its Home Address at a time. As a consequence, a device with different accesses to the Internet cannot use them simultaneously to communicate with its correspondents. Likewise, it cannot easily anticipate its handovers and, for example, decide to simultaneously use a second interface before the first one goes down. The Multiple Care-of Address (mCoA) Internet Draft [113] defines mechanisms that allow a mobile node with multiple network interfaces to associate all of the corresponding Care-of Addresses with its Home Address. In practice, it defines a new Binding Update option that can carry several Care-of Addresses in one message. Similarly, mCoA allows a NEMO mobile router to use different Care-of Addresses with the same Mobile Network Prefix.

Figure 2.10: Multiple Care-of Address (MN with CoA1 on a Wi-Fi network and CoA2 on an EDGE network; Tunnel 1 and Tunnel 2 lead to the HA in the home network, which owns the HoA).
This new extension brings an efficient handover model to Mobile IPv6 that does not require any specific equipment, unlike FMIPv6. As it is only implemented in the home agent and the mobile nodes, it has no impact on the network architecture. Moreover, mCoA makes it possible to define per-flow policies on the home agent. For example, in Figure 2.10, the mobile node could use its Wi-Fi link (with Tunnel 1) for VoIP communications, and its EDGE link (with Tunnel 2) for emails and web browsing. Note that, as in Mobile IPv6, its correspondents will communicate with the mobile node only using its Home Address. Along with the possibility to associate different Care-of Addresses with one Home Address, the mCoA extension makes it possible to perform load balancing between the network interfaces, and to drastically minimize packet losses during handovers if they are predicted correctly.
2.5 Conclusion
In this chapter, we thoroughly presented the Mobile IPv6 protocol, and provided details about the mechanisms used to assign a permanent IPv6 address to mobile nodes. Due to its design relying on the home agent, Mobile IPv6 is completely transparent to the current Internet architecture and to transport protocols such as TCP or UDP. Consequently, it is a pertinent solution to achieve immediate deployments of mobility services over the Internet, as it does not require any change to non-mobile nodes and
applications. However, its performance is limited by several problems mainly induced by the home agent and its restricted position. The dogleg routing is indeed especially serious, as it makes the handover latency increase with the distance between a mobile node and a home agent. In other words, the performance of Mobile IPv6 is constrained by the home agent's location.
Several solutions were already designed to minimize the impact of the home agent's location on handover latencies and communication performance. For example, FMIPv6 pushes some of the Mobile IPv6 functionalities into access routers to permit mobile nodes to communicate immediately after a handover, prior to rebinding to the home agent. Similarly, mCoA describes another approach that allows mobile nodes with multiple network interfaces to anticipate handovers by binding different Care-of Addresses to the same Home Address. On the other hand, HMIPv6 proposes to locate home agents closer to mobile nodes using a dedicated hierarchy of home agents that minimizes the impact of mobile nodes' locations and movements on the communication performance.
In the following chapters, we will present two different solutions to address the limitations caused by home agents' locations. The first one, called Home Agent Migration, takes a practical approach and describes a new architecture that distributes home agents in network topologies using anycast routing. Unlike HMIPv6, it can be used to achieve deployments within a single network, or over the whole Internet. The second solution takes a more formal approach to describe the dogleg routing in terms of graph theory, and identifies which locations within a network are suitable to achieve efficient home agent deployments.
Chapter 3
Home Agent Migration
Contents
3.1 General overview ...... 37
3.1.1 How it works ...... 38
3.1.2 Typical deployments ...... 39
3.1.3 Advantages ...... 41
3.1.4 Drawbacks ...... 42
3.2 Practical implementation ...... 43
3.2.1 Notion of Binding Cache ...... 43
3.2.2 Communication examples ...... 43
3.2.3 Movements of mobile nodes ...... 45
3.2.4 Example of a typical deployment ...... 46
3.2.5 The underlying protocol ...... 47
3.2.6 NEMO support ...... 47
3.2.7 Security considerations ...... 49
3.3 Evaluation ...... 49
3.3.1 Performances comparisons ...... 50
3.3.2 Experimental results ...... 51
3.4 Related Work ...... 55
3.5 Conclusion ...... 56
As previously discussed, the Mobile IPv6 protocol, due to its use of the home agent, generates resilience and performance issues such as protocol scalability and longer paths. Here, we show that Internet-Scale Mobility deployments are possible using the traditional Mobile IPv6 protocol with an additional mobility management plane called Home Agent Migration. In this new plane, home agents are distributed all over the current Internet topology to reduce communication distances between mobile and correspondent nodes. This deployment is performed with the help of anycast routing, in which every home agent advertises the same IPv6 network prefix from different locations; moreover, they also exchange information about their associations with mobile nodes, contained in the Binding Cache. Consequently, a mobile node will transparently exchange its traffic with its topologically closest home agent, reducing communication delays. Similarly, when a correspondent node needs to exchange packets with a mobile node, the data traffic will be intercepted by its closest home agent and redirected to the home agent to which the mobile node is bound. We also introduce the concept of a Global Mobility eXchange (GMX), a dedicated overlay network that efficiently handles data traffic from and to mobile nodes, and that operates home agents, as would an Internet eXchange Point (IXP). This research was successfully deployed in a real BGP Autonomous System during Winter 2006.
Unlike other works that focus on end-to-end transport protocols or new routing architectures to provide mobility, our aim is to provide an Internet-Scale Mobility system that does not modify the existing architecture of the Internet. Our proposal is especially interesting compared to other solutions, as its deployments can be performed with realistic operational and financial costs. In fact, if a mobility system is based on end-to-end communications like HIP [83], all of the nodes, mobile or not, must be modified to benefit from the system (first design constraint in Section 1.3.3). Thus, during the deployment phase of this mobility system, it is unlikely that many nodes will really benefit from it. Likewise, modifications of the routing plane to support mobility introduce important financial issues, as core routers must be upgraded or replaced (second design constraint). This will probably slow down the deployment of such technologies. On the other hand, Home Agent Migration satisfies the four design requirements described in the Introduction: it maintains compliance with end-nodes regardless of whether they implement Mobile IPv6 or not, and only requires small changes on regular home agents. Since no modification is made to end-nodes, our work can be seamlessly embedded in a network, easing the deployment of an Internet-Scale Mobility system.
The rest of this chapter is organized as follows: we first introduce the concept of Home Agent Migration in Section 3.1. Then, in Section 3.2, we provide detailed explanations of this proposal, and describe possible deployments. In Section 3.3, we present operational results from experiments performed in a real network. Finally, prior to the conclusion, we discuss related work in Section 3.4.
3.1 General overview
The underlying concept of the Home Agent Migration system is to disengage home agents from the home link so as to distribute them in the Internet topology. The aim of this new kind of home agent deployment is to provide an efficient route optimization scheme that (1) reduces communication latency, (2) is compatible with the current specification and implementations of Mobile IPv6 mobile nodes, and (3) is transparent for correspondent nodes.
Figure 3.1: Home Agent Migration and different access technologies (HA1, HA2 and HA3 inside an ISP network, serving an ADSL subnet, a Wi-Fi subnet and a WiMAX subnet with nodes A, B and C).
The main scenario assumed while developing this solution is a mobile node roaming on a continent or country scale, e.g. from Tokyo to Paris. For example, home agents could be globally distributed in every big city around the world in order to be closer to