How mobile IPv6 works (1)

Source: Internet
Author: User

1. Introduction

One direction in the development of next-generation networks is the evolution toward a wide range of seamless broadband access networks. With many wired and wireless access methods in use, a good user service experience calls for universal mobility, so that users can enjoy a unified set of services anytime, anywhere.

To keep communication uninterrupted across a layer-3 handover, the movement of a mobile terminal must be transparent to the communicating applications: the network-layer identifier that applications use, the IP address, must remain unchanged. Internet routing, however, selects routes by the destination address at the network layer and delivers packets to the network where that destination address is located in order to reach the node it identifies. Mobility at the network layer must therefore let the whole communication session keep using the same IP address, while routing uses an address that is reachable on the node's current network segment. Mobile IPv6 solves this problem neatly.

2. Basic working principles of Mobile IPv6

Mobile IPv6 provides three mechanisms to achieve continuous communication at the network layer:

(1) A home address is defined; the upper-layer communication application uses the home address throughout, so that movement is transparent to the application;

(2) A care-of address is defined, obtained from the foreign network, so that the node remains reachable under the existing routing model;

(3) A binding (mapping) between the home address and the care-of address links the network-layer identifier used by the upper-layer application to the destination address used by network-layer routing.

The specific workflow can be summarized as follows:

When a mobile node is on its home link, it communicates with the correspondent node using conventional routing, and Mobile IPv6 does not need to intervene.

When a mobile node moves to a foreign link, its home address remains unchanged and it obtains a temporary IP address on that link (the care-of address). The mobile node informs its home agent of the binding between the home address and the care-of address. The correspondent node still sends to the mobile node's home address, so packets are still routed to the mobile node's home link. The home agent intercepts these packets and, according to the binding it has learned, forwards them through a tunnel to the mobile node's care-of address. The mobile node can reply to the correspondent node directly. This process is also called triangle routing.

The mobile node also notifies the correspondent node of the binding between the home address and the care-of address. Once the correspondent node knows the mobile node's care-of address, it can send packets directly to the foreign link where the care-of address is located, so the two nodes communicate with each other directly. This is called communication after route optimization.

3. Mobile IPv6 security considerations

The basic Mobile IPv6 workflow described above assumes an idealized Internet and does not consider security. In a real network, attacks such as eavesdropping on or tampering with packets exist. If an attacker intercepts a binding message, changes the care-of address in it to the attacker's own address, and then sends it on to the HA or CN, the attacker receives the traffic intended for the mobile node. Likewise, attacks on the destination options or routing header used by Mobile IPv6 affect communication security. To secure Mobile IPv6 communication, the authenticity and integrity of Mobile IPv6 protocol messages must be ensured.

The relationship between MN and CN is arbitrary, so IPsec cannot be assumed between MN and CN. To secure the exchange between MN and CN, the return routability procedure is introduced.

The Mobile IPv6 protocol messages between MN and CN are the Binding Update sent from MN to CN and the Binding Acknowledgement sent from CN to MN. The purpose of the return routability procedure is to ensure that both the home address and the care-of address in the Binding Update are actually reachable and belong to the mobile node.

The relationship between MN and HA is relatively fixed, so a security association can be established in advance. IPsec is therefore used to protect protocol messages between MN and HA; for the specific operation, refer to RFC 3776.

4. Key Processes of Mobile IPv6

In the Mobile IPv6 protocol, the path from triangle routing to route optimization involves movement detection, obtaining the care-of address, registering the care-of address, tunnel forwarding, the return routability procedure, and other signaling processes.

4.1 Movement detection

Movement detection includes layer-2 and layer-3 movement detection. Whatever method is used at layer 2, Mobile IPv6 relies on Router Advertisements to decide whether layer-3 movement has occurred. When a mobile node is on its home link, it receives the home link's prefix advertisement periodically within the specified interval. When the mobile node moves from the home network to a foreign network, no Router Advertisement from the home link arrives within that interval, and the mobile node concludes that it has moved at the network layer.

4.2 Obtaining the care-of address

When a mobile node detects that it has changed networks, it needs to obtain a care-of address that is reachable on the current link. The care-of address can be obtained by any conventional IPv6 address allocation method, such as stateless address autoconfiguration or stateful allocation. One of the simplest is stateless autoconfiguration, in which the mobile node forms the care-of address from the router prefix received on the foreign link combined with its own interface identifier.

4.3 Care-of address registration

After the mobile node obtains the care-of address, it must notify the home agent, and any correspondent node it is communicating with, of the binding between the care-of address and the home address; these steps are called home agent registration and correspondent node registration respectively. Registration of the care-of address is carried out mainly through Binding Update and Binding Acknowledgement messages.

4.4 Tunnel forwarding / triangle routing

When the mobile node has completed home agent registration but has not yet registered with the correspondent node, data sent from the correspondent node to the mobile node is still addressed, at the network layer, to the mobile node's home address. The home agent intercepts these packets and forwards them to the mobile node through an IPv6-in-IPv6 tunnel, based on the binding it holds between the mobile node's care-of address and home address. The mobile node can reply directly to the correspondent node. This process is also called triangle routing.
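The tunnel step above, as an added example that is not part of the original article: a home agent with a binding cache wraps a packet addressed to a home address in an outer IPv6 header (next header 41) bound for the care-of address, and the mobile node unwraps it. The addresses, the binding cache contents and the UDP payload are constructed; only the standard 40-byte fixed IPv6 header is modelled, with no extension headers.

```python
import ipaddress
import struct

IPV6_HDR = struct.Struct("!IHBB16s16s")  # ver/tc/flow, payload length, next header, hop limit, src, dst
NH_IPV6 = 41     # next-header value for IPv6-in-IPv6 encapsulation
NH_UDP = 17
# Constructed addresses: home agent, MN home address, MN care-of address, correspondent node.
HA_ADDR = ipaddress.IPv6Address("2001:db8:1::1")
HOME_ADDR = ipaddress.IPv6Address("2001:db8:1::10")
CARE_OF_ADDR = ipaddress.IPv6Address("2001:db8:2::abcd")
CN_ADDR = ipaddress.IPv6Address("2001:db8:3::1")

def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Minimal IPv6 header (version 6, zero traffic class and flow label) followed by payload."""
    return IPV6_HDR.pack(6 << 28, len(payload), next_header, hop_limit, src.packed, dst.packed) + payload

def parse_ipv6(packet):
    """Return (src, dst, next_header, payload) of a packet that starts with an IPv6 header."""
    _, plen, nh, _, src, dst = IPV6_HDR.unpack_from(packet)
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), nh, packet[40:40 + plen]

def ha_intercept(packet, binding_cache):
    """Home agent: a packet for a bound home address is wrapped in an outer IPv6 header whose
    destination is the care-of address; anything else (None) is delivered on the home link."""
    _, dst, _, _ = parse_ipv6(packet)
    care_of = binding_cache.get(dst)
    if care_of is None:
        return None
    return build_ipv6(HA_ADDR, care_of, NH_IPV6, packet)

def mn_decapsulate(tunneled):
    """Mobile node: accept only IPv6-in-IPv6 from its home agent to its care-of address, return the inner packet."""
    src, dst, nh, inner = parse_ipv6(tunneled)
    if nh != NH_IPV6 or src != HA_ADDR or dst != CARE_OF_ADDR:
        raise ValueError("not a tunnel packet from the home agent")
    return inner

def triangle_route_demo():
    """CN -> HA (intercept, tunnel) -> MN (decapsulate). Returns (inner dst, outer dst, inner intact)."""
    binding_cache = {HOME_ADDR: CARE_OF_ADDR}   # filled by the Binding Update the MN sent to the HA
    original = build_ipv6(CN_ADDR, HOME_ADDR, NH_UDP, b"constructed UDP payload")
    tunneled = ha_intercept(original, binding_cache)
    _, outer_dst, _, _ = parse_ipv6(tunneled)
    inner = mn_decapsulate(tunneled)
    return str(parse_ipv6(inner)[1]), str(outer_dst), inner == original
```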

4.5 Return routability procedure

The return routability procedure mainly aims to ensure the authenticity and reliability of the Binding Update received by the correspondent node. It consists of two concurrent exchanges: the home test and the care-of test.

In the home test, the mobile node sends a Home Test Init message, which is forwarded to the correspondent node through the home agent's tunnel, to tell the correspondent node to start the home test. On receiving the Home Test Init message, the correspondent node computes a home keygen token from the home address and two random values, its secret Kcn and a nonce, and returns the home keygen token together with the nonce index to the mobile node in a Home Test message.

In the care-of test, the mobile node sends a Care-of Test Init message directly to the correspondent node. The correspondent node computes a care-of keygen token from the care-of address carried in the message, Kcn and a nonce, and returns the care-of keygen token together with the nonce index to the mobile node in a Care-of Test message.

The mobile node combines the home keygen token and the care-of keygen token to derive the binding management key Kbm, then uses Kbm and the Binding Update message to compute verification code 1, which is carried in the Binding Update. On receiving the Binding Update, the correspondent node uses the nonce indices to regenerate the home keygen token and the care-of keygen token, performs the same computation over the Binding Update and obtains verification code 2. The two verification codes are compared: if they match, the correspondent node accepts the Binding Update as authentic and credible; otherwise the verification fails.
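The token and key derivation of the home test, care-of test and Binding Update check above, as an added example that is not part of the original article. It follows the formulas of RFC 3775 (HMAC-SHA1 keygen tokens, Kbm = SHA1 of the two tokens, a 96-bit authenticator over the Binding Update); Kcn, the nonce table, the addresses and the stand-in mobility header bytes are constructed values, and the real mobility header encoding is not modelled.

```python
import hashlib
import hmac
import ipaddress

KCN = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")  # constructed CN secret, not a real key
NONCES = {4: bytes.fromhex("0f0e0d0c0b0a0908"), 5: bytes.fromhex("a1b2c3d4e5f60718")}  # constructed nonce table
HOME_ADDR = ipaddress.IPv6Address("2001:db8:1::10").packed       # MN home address (constructed)
CARE_OF_ADDR = ipaddress.IPv6Address("2001:db8:2::abcd").packed  # MN care-of address (constructed)
CN_ADDR = ipaddress.IPv6Address("2001:db8:3::1").packed          # correspondent node (constructed)

def keygen_token(kcn, addr, nonce, tag):
    """RFC 3775: First(64, HMAC_SHA1(Kcn, addr | nonce | tag)); tag 0 = home, 1 = care-of."""
    return hmac.new(kcn, addr + nonce + bytes([tag]), hashlib.sha1).digest()[:8]

def binding_management_key(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()

def authenticator(kbm, careof, cn, mh_data):
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH data))."""
    return hmac.new(kbm, careof + cn + mh_data, hashlib.sha1).digest()[:12]

def cn_test_reply(addr, nonce_index, tag):
    """CN side of the Home Test (tag 0, reached via the HA tunnel) or Care-of Test (tag 1, direct)."""
    return keygen_token(KCN, addr, NONCES[nonce_index], tag), nonce_index

def mn_binding_update(home_token, home_idx, careof_token, careof_idx):
    """MN derives Kbm from the two tokens and authenticates its Binding Update."""
    mh_data = b"BU seq=1 " + bytes([home_idx, careof_idx])  # constructed stand-in for the mobility header
    kbm = binding_management_key(home_token, careof_token)
    return {"home": HOME_ADDR, "careof": CARE_OF_ADDR, "idx": (home_idx, careof_idx),
            "mh_data": mh_data, "auth": authenticator(kbm, CARE_OF_ADDR, CN_ADDR, mh_data)}

def cn_verify_binding_update(bu):
    """CN recomputes both tokens from Kcn and the nonce indices; nothing claimed in the BU is trusted."""
    home_idx, careof_idx = bu["idx"]
    if home_idx not in NONCES or careof_idx not in NONCES:
        return False  # unknown or expired nonce index
    ht = keygen_token(KCN, bu["home"], NONCES[home_idx], 0)
    ct = keygen_token(KCN, bu["careof"], NONCES[careof_idx], 1)
    expected = authenticator(binding_management_key(ht, ct), bu["careof"], CN_ADDR, bu["mh_data"])
    return hmac.compare_digest(expected, bu["auth"])

def run_return_routability():
    """HoT/CoT -> BU -> CN check. Returns (genuine BU accepted, BU with altered care-of accepted)."""
    ht, hi = cn_test_reply(HOME_ADDR, 4, 0)
    ct, ci = cn_test_reply(CARE_OF_ADDR, 5, 1)
    bu = mn_binding_update(ht, hi, ct, ci)
    altered = dict(bu, careof=ipaddress.IPv6Address("2001:db8:9::1").packed)
    return cn_verify_binding_update(bu), cn_verify_binding_update(altered)
```

The altered case is the tampering described in section 3: a care-of address that did not go through the care-of test yields a different token, so the regenerated Kbm and authenticator no longer match.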

4.6 Dynamic home agent address discovery

The prefix of the home network and the address of the home agent are usually fixed, but may be reconfigured because of a fault or for other reasons. When the home network configuration changes, a mobile node away from home needs to find the home agent address through dynamic home agent address discovery, which is carried out mainly with special ICMP messages sent to a special anycast address. As far as we know, this procedure is not implemented by the device, so we will not go into it here; for more information, see RFC 3775.

Figure 1 shows the Mobile IPv6 process.

Figure 1: Mobile IPv6 process diagram

5. Problems faced by mobile IPv6

