An End-to-End Approach to Host Mobility
Alex C. Snoeren
and Hari Balakrishnan
MIT Laboratory for Computer Science
A Moving Target
• Internet hosts are increasingly mobile
  - Changing physical media or attachment points often requires changing IP address
• Mobile hosts need to remain locatable
  - Packets are routed by IP address
• Preserve transport service model
  - Connection-oriented protocols provide reliable end-to-end connectivity
Previous Approaches to Mobility
• Mobility-aware routing (Mobile IP)
  - Completely transparent to end hosts
  - Requires a home agent
  - Often inefficient packet routes
• Endpoint ID (EID) schemes
  - Retains standard unicast routes, but…
  - Yet another level of indirection
  - Also requires changes to transport layer
The Migrate Approach
• Locate hosts through existing DNS
  - Secure, dynamic DNS is currently deployed and widely available (RFC 2137)
  - Maintains standard IP addressing model
    - IP addresses are topological addresses, not IDs
    - Fundamental to Internet scaling properties
• Ensure seamless connectivity through connection migration
  - Notify only the current set of correspondent hosts
  - Follows from the end-to-end argument
Migrate Architecture
Figure: Migrate architecture. Parties shown: DNS Server, Mobile Host (foo.bar.edu), Correspondent Host. Labelled steps: Location Query (DNS Lookup), Connection Initiation, Location Update (Dynamic DNS Update), Connection Migration. The mobile host's address changes from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy.
Previous Migration Schemes
• Multi-homed schemes
  - Require new transport protocols (SCTP)
  - Often require a priori knowledge of possible set of IP addresses
• Connection-ID schemes
  - May not preserve transport semantics
  - May require a per-packet overhead
  - Many security and DoS issues
Our Migration Approach
• Join together two separate connections
  - By unifying the context space
  - Reference previous connection with token
  - Requires minimal transport state machine changes
• Preserve semantics, both internal and external to the connection
  - Implicit address assignment
  - Works with NATs, PEPs, all middleboxes
An Application: TCP
• Provide special Migrate option
  - Sent on SYN packets of new connection
  - Indicates new connection should be joined to a previous one
• Use previous sequence space
  - Works with SACK, FACK, Snoop…
• Preserve three-way SYN handshake
  - Works with stateful firewalls
TCP Connection Migration
1. Initial SYN
2. SYN/ACK
3. ACK (with data)
4. Normal data transfer
5. Migrate SYN
6. Migrate SYN/ACK
7. ACK (with data) (Note typo in proceedings)
TCP State Machine Changes
Figure: TCP state machine changes. New state MIGRATE_WAIT, left on a 2MSL timeout. Labelled transitions: "appl: migrate / send: SYN (migrate T, R)"; "recv: SYN (migrate T, R) / send: SYN, ACK" (appears twice); "recv: RST".
• 2 new transitions between existing states - and -
• 1 new state
  - handles pathological race condition
Experimental Topology
Figure: Experimental topology. A Fixed Basestation and a Fixed Server are connected by 100Mbps Ethernet; Mobile Location 1 and Mobile Location 2 each reach the basestation over a 19.2Kbps Modem. Mobile client initiates a transfer… …then moves to a new location.
Migration Trace
Figure: Migration trace. Annotated points: SYN/ACK, Buffered Packets (old address), Migrate SYN.
A Lossy Trace with SACK
Figure: Lossy trace with SACK. Annotated points: SYN/ACK, Migrate SYN, Buffered Packets (old address), ACK w/ SACK.
Securing the Migration
• Problem: Increased vulnerability to hijacking
  - Ingress filtering doesn’t help
  - Attacker only needs token and sequence space
• Solution: Keep the token secret
  - Negotiate it using Diffie-Hellman exchange
  - Use sequence numbers to prevent replay
• Resulting connections are as secure as standard TCP (not very)
  - Use IPsec or SSH for real security
Preventing DoS Attacks
• Migrate SYNs are heavyweight
  - Require real computation (SHA-1 hash)
  - Thus Migrate SYN floods are more dangerous than standard SYN floods
• A pre-computable token guards against frivolous computation
  - Refreshing tokens after each successful migration makes replay window very small
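The token lookup, sequence-number replay check and token refresh described on the Securing the Migration and Preventing DoS Attacks slides, as an added Python simulation that is not part of the deck or of the Migrate software. The token and request formulas (SHA-1 over the negotiated key and a generation counter; HMAC-SHA1 over token and sequence number), the MigrateServer class and the constructed key are assumptions for illustration, not the paper's exact constructions.

```python
import hashlib
import hmac

# Assumed constructions for illustration, not the paper's exact formulas:
#   token   T = SHA-1(K || "token" || generation)[:8]   (pre-computable by both ends)
#   request R = HMAC-SHA1(K, T || seq)                  (sent in the Migrate SYN)
# K is the secret the endpoints negotiated at setup (Diffie-Hellman in the deck).

def derive_token(key: bytes, generation: int) -> bytes:
    """Cheap table key; both ends recompute it after each successful migration."""
    return hashlib.sha1(key + b"token" + generation.to_bytes(4, "big")).digest()[:8]

def make_request(key: bytes, token: bytes, seq: int) -> bytes:
    """Proof of key possession bound to the token and the current sequence number."""
    return hmac.new(key, token + seq.to_bytes(4, "big"), hashlib.sha1).digest()

class MigrateServer:
    """Correspondent-side state for connections that may be migrated."""

    def __init__(self):
        self.by_token = {}  # token -> connection record (index built ahead of time)
        self.hash_ops = 0   # expensive verifications performed, to show the guard

    def establish(self, key: bytes, addr: str, seq: int) -> bytes:
        conn = {"key": key, "addr": addr, "last_seq": seq, "gen": 0}
        token = derive_token(key, 0)
        self.by_token[token] = conn
        return token

    def migrate_syn(self, token: bytes, seq: int, request: bytes, new_addr: str) -> bool:
        # 1. Table lookup first: an unknown token costs no hashing, so a flood of
        #    bogus Migrate SYNs is no heavier than an ordinary SYN flood.
        conn = self.by_token.get(token)
        if conn is None:
            return False
        # 2. Sequence number must advance (wraparound ignored here); a replayed
        #    Migrate SYN carries an old seq and is dropped before any hashing.
        if seq <= conn["last_seq"]:
            return False
        # 3. Only now do the SHA-1 work to authenticate the request.
        self.hash_ops += 1
        if not hmac.compare_digest(make_request(conn["key"], token, seq), request):
            return False
        # 4. Success: rebind the address, advance seq, and retire the old token so
        #    a captured Migrate SYN cannot be replayed against the new binding.
        del self.by_token[token]
        conn.update(addr=new_addr, last_seq=seq, gen=conn["gen"] + 1)
        self.by_token[derive_token(conn["key"], conn["gen"])] = conn
        return True
```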
Benefits & Limitations
• Exposes address changes to end hosts
  - Agile applications can adapt to changing conditions for better performance
  - Mobility per connection, not just per host
• Preserves IP addressing semantics
  - No changes to the routing infrastructure
• Minimal penalty for mobility support
  - Obtain optimal unicast packet routing
• End hosts can’t move “simultaneously”
  - Relatively rare in non ad-hoc environments
Software now available on the web:
http://nms.lcs.mit.edu/projects/migrate
Networks and Mobile Systems