Mobile IP reverse tunnelling principle


From Wikipedia, the free encyclopedia

Johnson, C. Perkins, J.

draft-huang-mobileip-napt - Guidelines for Integrating Mobile IP with NAPT

This address does not change and serves to identify the MN. In contrast, the CoA changes on every movement that results in a subnet change and is used as the locator by the routing infrastructure. Topologically, it belongs to the network the MN is currently visiting. For redundancy and load balancing, a set of HAs may be used instead of a single HA.

These messages are sent over an IPsec security association and thus are authenticated. However, if the MN is far away from the home network and the CN is close to the MN, the communication path is unnecessarily long, resulting in inefficient routing and high packet delays. Note that different types of location privacy can be distinguished.

Other types are hiding the location from eavesdroppers or preventing tracking of the MN's location. The route optimization mode can avoid the inefficiency described above by using the direct path between CN and MN. A mechanism that provides both location privacy and route optimization is certainly desirable, since interactive applications such as VoIP require short packet delays. Various approaches can be used to achieve this goal, some of them designed for other purposes. However, all of them introduce new infrastructure components or require changes to existing components in the visited networks.

If the current visited network does not provide such components, location privacy and route optimization is not available, meaning that privacy-protected interactive communication may not be possible.



A global deployment of such new components, i.e. Other solutions only provide location privacy in one direction, i.e. Some other solutions have scalability issues when deployed at large scale. A solution is desired that does not require the introduction of new or modified components in the visited network, also works when both communication partners are mobile, and scales well with respect to deployment.

This invention describes such a solution. These approaches are briefly described in the following. Therefore, local mobility handling is proposed by introducing a hierarchy of Mobility Anchor Points (MAPs) in the visited network. However, because the geographical region that can be derived from the RCoA (the regional CoA assigned by the MAP) is larger than the region that can be derived from the actual CoA, this can be regarded as limited location privacy support.

Krishnamurthi, H. Chaskar, R. This way, the direct, i.

Mobile IP With Reverse Tunneling

A very similar approach is presented in WO. The MN tunnels data packets to the edge router of the CN's current network, assuming that the CN is mobile, and the CN can tunnel data packets to the edge router of the MN's current visited network. To be able to tunnel the packets to the edge routers, each node needs to know the IP address of the correspondent edge router, which again reveals location information about the correspondent MN.

Thubert, R. Wakikawa, V.

Location privacy is given if bi-directional tunnelling is used. However, if every visited network advertises routes to all other networks (all being home networks for some MNs), routing scalability issues may arise, since the address hierarchy no longer holds. Also, the distributed home network must be configured as such manually; a secure on-demand configuration is not supported.

Since the prefix is usually used by a router to route IP packets, this approach requires the modification of all routers in the Internet. In WO, multicast addresses are used as CoA. Since they do not include any location information, location privacy support is given even in route optimization mode.

However, this solution does not scale with the number of MNs, since a large-scale deployment would result in a flat routing in the Internet. The solution shall also work when both communication partners are mobile and shall scale well with respect to deployment, i.


The solution shall also provide the same level of security as standard Mobile IPv6. These objects are achieved by using bi-directional tunnelling for location privacy and by subsequently optimizing the route: other HAs are provided with binding information and then act as proxies for the bi-directional tunnelling.

Unlike previous approaches, the proxy functionality applies only to the tunnelling of data packets and only to a specific MN-CN communication session, and it is established in a secure and on-demand manner. This invention describes mechanisms for discovering the best suited proxy locations, for establishing the proxy functionality in a secure and on-demand manner, and for adapting the path after node movements. In one aspect of the present invention, a method for packet switched data transmission between a first mobile node and a correspondent mobile node in a mobile communication system comprising a plurality of mobile networks comprises the steps of (a) allocating a respective home network to each of the first mobile node and the correspondent mobile node; (b) providing a network server as home agent in the respective home network of each of the first mobile node and the correspondent mobile node; and (c) routing data packets from the first mobile node to the correspondent mobile node over a first data tunnel, from the first mobile node to any first one of the home agents, and over a second data tunnel, from said first one of the home agents to the correspondent mobile node, without passing the respective other home agent.

In another aspect of the present invention, a network server is configured to serve as a home agent for a first mobile node sending data packets to a correspondent mobile node in a mobile communication system comprising a plurality of mobile networks. The server is further configured to establish a data tunnel directly to said correspondent mobile node, without passing a home agent of said correspondent mobile node, for the purpose of forwarding data packets received from said first mobile node to said correspondent mobile node.

In a further aspect of the present invention, a computer-readable storage medium has stored thereon instructions which, when executed on a processor of a network server, cause the network server to serve as a home agent for a first mobile node sending data packets to a correspondent mobile node in a mobile communication system comprising a plurality of mobile networks, and to establish a data tunnel directly to said correspondent mobile node, without passing a home agent of said correspondent mobile node, for the purpose of forwarding data packets received from said first mobile node to said correspondent mobile node.

The present invention makes it possible to optimize the routing of data packets between two roaming mobile nodes without revealing the location of either mobile node to the other. Furthermore, undue implementation effort is avoided because no new entities are required. The additional functionality required in the home agents is relatively modest, and compatibility with existing methods is maintained, which allows a partial or successive implementation of the invention in larger systems.

The need to authenticate registration information has played a major role in determining the acceptable design parameters for Mobile IP. Each mobile node and home agent must share a security association and be able to use MD5 (RFC 1321) with 128-bit keys to compute authenticators for registration requests. These authenticators are keyed hashes (message authentication codes) that only a holder of the shared key can produce; they are not public-key digital signatures, so they do not provide non-repudiation. The keyed-MD5 prefix+suffix construction of RFC 2002 was later replaced by HMAC-MD5 in RFC 3344. To secure the registration request, each request must contain unique data so that two different registrations will, in practical terms, never have the same MD5 hash.

Otherwise, the protocol would be susceptible to replay attacks, in which a malicious node records valid registrations for later replay, effectively disrupting the ability of the home agent to tunnel to the mobile node's current care-of address at that later time. To ensure this does not happen, Mobile IP includes within the registration message a special identification field that changes with every new registration.

The exact semantics of the identification field depend on several details, which are described at greater length in the protocol specification; two styles are defined. One is to use a timestamp: each new registration then carries a later timestamp and thus differs from previous registrations. The other is to make the identification a pseudorandom number (a nonce); with enough bits of randomness, it is highly unlikely that two independently chosen values for the field will be the same.

When nonces are used, Mobile IP defines a method that protects both the registration request and the reply from replay, and calls for 32 bits of randomness in the identification field. If the mobile node and the home agent drift too far out of synchronization for timestamps to work, or if they lose track of the expected nonces, the home agent rejects the registration request and includes information in the reply that allows resynchronization. Using nonces instead of timestamps avoids problems stemming from attacks on NTP that might cause the mobile node to lose time synchronization with the home agent, or to issue authenticated registration requests for some future time that a malicious node could replay later to subvert a future registration.
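As an added example (this is not code from the article or from the patent), the following Python script builds a Mobile IPv4 Registration Request with the Mobile-Home Authentication Extension, computes the RFC 2002 keyed-MD5 authenticator, and shows the home agent side of nonce-based replay protection: the first request is accepted, an exact replay is rejected with an identification mismatch, a request whose care-of address was tampered with fails authentication, and a mobile node that honours the nonce returned in the rejection resynchronises on the next attempt. The key, SPI, addresses and the `HomeAgent`/`build_request` names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Fixed part of a Mobile IPv4 Registration Request (RFC 2002 section 3.3):
# type, flags, lifetime, home address, home agent, care-of address, 64-bit identification.
REG_REQUEST = 1
FIXED_FMT = "!BBH4s4s4sQ"
FIXED_LEN = struct.calcsize(FIXED_FMT)      # 24 bytes
MH_AUTH_EXT = 32                            # Mobile-Home Authentication Extension type
AUTH_LEN = 16                               # MD5 digest size
EXT_LEN = 4 + AUTH_LEN                      # extension length field: 4 + authenticator bytes
# Reply codes from RFC 2002
ACCEPTED, MN_FAILED_AUTH, IDENT_MISMATCH, POORLY_FORMED = 0, 131, 133, 134


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """RFC 2002 default authenticator: keyed MD5 in prefix+suffix mode, MD5(key || data || key).
    RFC 3344 later replaced this with HMAC-MD5; the construction is kept here to match the text."""
    return hashlib.md5(key + data + key).digest()


def build_request(key, spi, home_addr, home_agent, coa, lifetime, identification):
    """Registration Request followed by its Mobile-Home Authentication Extension."""
    fixed = struct.pack(FIXED_FMT, REG_REQUEST, 0, lifetime, home_addr, home_agent, coa, identification)
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT, EXT_LEN, spi)
    # The authenticator covers the fixed part plus the type/length/SPI of this extension,
    # so altering any field, including the identification, invalidates it.
    return fixed + ext_hdr + keyed_md5(key, fixed + ext_hdr)


class HomeAgent:
    """Home-agent side (constructed for this example): authenticate, then enforce nonce replay protection."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        # Low-order 32 bits the next acceptable identification must carry (RFC 2002 nonce style).
        self.expected_nonce = self._fresh_nonce()

    @staticmethod
    def _fresh_nonce() -> int:
        return int.from_bytes(os.urandom(4), "big")   # the 32 bits of randomness the spec calls for

    def process(self, packet: bytes):
        """Return (reply code, nonce to carry in the reply's low-order identification bits)."""
        if len(packet) != FIXED_LEN + 6 + AUTH_LEN:
            return POORLY_FORMED, self.expected_nonce
        fixed, ext_hdr, auth = packet[:FIXED_LEN], packet[FIXED_LEN:FIXED_LEN + 6], packet[FIXED_LEN + 6:]
        ext_type, ext_len, spi = struct.unpack("!BBI", ext_hdr)
        if fixed[0] != REG_REQUEST or ext_type != MH_AUTH_EXT or ext_len != EXT_LEN:
            return POORLY_FORMED, self.expected_nonce
        # Authenticate before anything else: a replay is still authentic, a forgery is not.
        if spi != self.spi or not hmac.compare_digest(auth, keyed_md5(self.key, fixed + ext_hdr)):
            return MN_FAILED_AUTH, self.expected_nonce
        identification = struct.unpack(FIXED_FMT, fixed)[6]
        if (identification & 0xFFFFFFFF) != self.expected_nonce:
            # Stale or replayed identification: reject, but return the current nonce so an
            # honest mobile node can resynchronise with one more round trip.
            return IDENT_MISMATCH, self.expected_nonce
        # Accepted: rotate the nonce so these exact bytes can never be accepted again.
        self.expected_nonce = self._fresh_nonce()
        return ACCEPTED, self.expected_nonce


def demo() -> dict:
    """Accept, replay, forgery and resynchronisation with constructed key, SPI and addresses."""
    key, spi = bytes(range(16)), 0x100
    home, ha_addr, coa = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x07"
    ha = HomeAgent(key, spi)
    mn_half = 0x12345678 << 32                 # the mobile node's own 32 bits go in the high half
    first = build_request(key, spi, home, ha_addr, coa, 300, mn_half | ha.expected_nonce)
    results = {}
    results["first"], nonce = ha.process(first)
    results["replay"], nonce = ha.process(first)              # same bytes again: nonce has moved on
    forged = first[:12] + b"\xc0\xa8\x09\x09" + first[16:]   # attacker rewrites the care-of address
    results["forged"], nonce = ha.process(forged)
    second = build_request(key, spi, home, ha_addr, coa, 300, mn_half | nonce)
    results["resync"], _ = ha.process(second)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the order of checks matters: the authenticator is verified before the identification is examined, so an attacker cannot use the mismatch reply to probe which nonces the home agent currently expects without first possessing the shared key.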

The identification field is also used by the foreign agent to match pending registration requests to the registration replies that arrive from the home agent, so that it can relay each reply to the right mobile node. The foreign agent also stores other information for pending registrations: the mobile node's home address, its medium access control (MAC) address, the source port number of the registration request, the registration lifetime the mobile node proposed, and the home agent's address.

The foreign agent can limit registration lifetimes to a configurable value that it puts into its agent advertisements. The home agent can reduce the registration lifetime, which it includes as part of the registration reply, but it can never increase it. As Figure 1 shows, foreign agents in Mobile IP are mostly passive: they relay registration requests and replies between the home agent and the mobile node, doing mostly what they are told. The foreign agent also decapsulates traffic from the home agent and forwards it to the mobile node.

Note that foreign agents do not have to authenticate themselves to the mobile node or to the home agent. A bogus foreign agent could impersonate a real one simply by following the protocol and offering agent advertisements to the mobile node. The bogus agent could then, for instance, refuse to forward decapsulated packets to the mobile node when they are received.

However, the result is no worse than if any node were tricked into using the wrong default router, which is possible using unauthenticated ICMP router advertisements.

Automatic home agent discovery

When the mobile node cannot contact its home agent, Mobile IP has a mechanism that lets the mobile node try to register with another, as yet unknown, home agent on its home network. This automatic home agent discovery works by using a broadcast IP address instead of the home agent's IP address as the target of the registration request.

When the broadcast packet reaches the home network, the other home agents on that network each send a rejection to the mobile node; the rejection, however, contains the rejecting agent's address, which the mobile node can use in a fresh registration attempt. Note that the broadcast is not an Internet-wide broadcast but a directed broadcast that reaches only IP nodes on the home network. Because directed broadcasts were widely abused for amplification attacks, routers now drop them by default (RFC 2644), so this discovery mechanism cannot be relied on across today's networks.

The new tunnel header uses the mobile node's care-of address as the destination IP address (the tunnel destination). The tunnel source IP address is the home agent's, and the tunnel header carries 4 as the higher-level protocol number, indicating that the next protocol header is again an IP header.

Therefore, to recover the original packet, the foreign agent merely has to strip the tunnel header and deliver the rest to the mobile node. Figure 2 shows that sometimes the tunnel header instead carries protocol number 55, indicating that the inner header is a minimal encapsulation header.

    Introduction to Mobile IP

This happens when the home agent uses minimal encapsulation instead of IP-within-IP. Processing the minimal encapsulation header is slightly more complicated than processing IP-within-IP, because some of the information from the tunnel header is combined with the information in the inner minimal encapsulation header to reconstitute the original IP header. On the other hand, header overhead is reduced: the inner header is 8 or 12 bytes instead of a full 20-byte IP header. The price is that minimal encapsulation cannot carry a datagram that is already fragmented, since the short header has no room for the fragmentation fields.
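As an added example (not code from the original article), the following Python script implements both encapsulations described above for option-less IPv4 datagrams: the home agent wraps a packet destined for the home address in an IP-within-IP header (protocol 4) or in a minimal encapsulation header (protocol 55), and the decapsulating side either strips the outer header or reconstitutes the original header from the outer header plus the 12-byte stub. Addresses and the payload are constructed, and the function names are this example's own. The same code applies unchanged to a reverse tunnel, where the mobile node encapsulates towards the home agent.

```python
import struct

IPPROTO_IPIP = 4            # IP-within-IP (RFC 2003): payload is a complete inner IP datagram
IPPROTO_MINENC = 55         # Minimal encapsulation (RFC 2004): payload starts with an 8/12-byte stub
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"  # option-less 20-byte IPv4 header
S_BIT = 0x80                # min-encap flag: the original source address field is present
MF_OR_OFFSET = 0x3FFF       # More-Fragments bit plus fragment offset


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum, used for both the IPv4 header and the min-encap header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, tos=0, ident=0, flags_frag=0):
    """Assemble an option-less IPv4 datagram with a correct header checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, tos, 20 + len(payload), ident, flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split an option-less IPv4 datagram into header fields and payload, verifying the checksum."""
    if len(pkt) < 20 or pkt[0] != 0x45:
        raise ValueError("expected IPv4 without options")
    if ip_checksum(pkt[:20]) != 0:          # a valid header sums to 0xFFFF, whose complement is 0
        raise ValueError("bad IPv4 header checksum")
    _, tos, tlen, ident, ff, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return dict(tos=tos, id=ident, flags_frag=ff, ttl=ttl, proto=proto, src=src, dst=dst,
                payload=pkt[20:tlen])


def encap_ipip(home_agent: bytes, coa: bytes, original: bytes) -> bytes:
    """Home agent side, protocol 4: put a new IP header in front of the whole original datagram."""
    return build_ipv4(home_agent, coa, IPPROTO_IPIP, original)


def encap_minimal(home_agent: bytes, coa: bytes, original: bytes) -> bytes:
    """Home agent side, protocol 55: replace the original header by a 12-byte min-encap header."""
    o = parse_ipv4(original)
    if o["flags_frag"] & MF_OR_OFFSET:
        raise ValueError("minimal encapsulation cannot carry an already fragmented datagram")
    # S=1 because the home agent is not the original sender, so the original source must travel too.
    stub = struct.pack("!BBH4s4s", o["proto"], S_BIT, 0, o["dst"], o["src"])
    stub = stub[:2] + struct.pack("!H", ip_checksum(stub)) + stub[4:]
    # TOS, identification, flags and TTL ride in the outer header and are restored on decapsulation.
    return build_ipv4(home_agent, coa, IPPROTO_MINENC, stub + o["payload"],
                      ttl=o["ttl"], tos=o["tos"], ident=o["id"], flags_frag=o["flags_frag"])


def decapsulate(tunnelled: bytes) -> bytes:
    """Foreign agent (or co-located care-of address) side: recover the original datagram."""
    outer = parse_ipv4(tunnelled)
    body = outer["payload"]
    if outer["proto"] == IPPROTO_IPIP:
        parse_ipv4(body)               # validate the inner header, then simply drop the outer one
        return body
    if outer["proto"] == IPPROTO_MINENC:
        if len(body) < 8:
            raise ValueError("truncated minimal encapsulation header")
        hlen = 12 if body[1] & S_BIT else 8
        if len(body) < hlen or ip_checksum(body[:hlen]) != 0:
            raise ValueError("bad minimal encapsulation header")
        orig_src = body[8:12] if body[1] & S_BIT else outer["src"]
        return build_ipv4(orig_src, body[4:8], body[0], body[hlen:], ttl=outer["ttl"],
                          tos=outer["tos"], ident=outer["id"], flags_frag=outer["flags_frag"])
    raise ValueError("not a Mobile IP tunnel packet (protocol %d)" % outer["proto"])


if __name__ == "__main__":
    # Constructed addresses: correspondent node, home address, home agent, care-of address.
    cn, home, ha, coa = b"\xc0\xa8\x32\x09", b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01", b"\xac\x10\x02\x07"
    orig = build_ipv4(cn, home, IPPROTO_UDP, b"constructed UDP payload", ident=0x1234)
    for name, t in (("IP-within-IP", encap_ipip(ha, coa, orig)), ("minimal", encap_minimal(ha, coa, orig))):
        print(name, "overhead", len(t) - len(orig), "bytes; round trip ok:", decapsulate(t) == orig)
```

A decapsulator deployed for real should additionally check that the outer source address is the home agent it registered with before forwarding the inner packet; neither encapsulation authenticates the tunnel, so anything that accepts protocol 4 or 55 from arbitrary sources becomes an open relay for spoofed inner datagrams.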

Mobile IPv6 retains the ideas of a home network, a home agent, and the use of encapsulation to deliver packets from the home network to the mobile node's current point of attachment.

    US 2008 198 805 A1

While discovery of a care-of address is still required, a mobile node can configure its care-of address by using stateless address autoconfiguration and Neighbor Discovery. Thus, foreign agents are not required to support mobility in IPv6. IPv6-within-IPv6 tunneling is also already specified.

Route Optimization

IPv6 mobility borrows heavily from the route optimization ideas specified for IPv4, particularly the idea of delivering binding updates directly to correspondent nodes.

When it knows the mobile node's current care-of address, a correspondent node can deliver packets directly to the mobile node's home address without any assistance from the home agent. Route optimization is likely to dramatically improve performance for IPv6 mobile nodes. It is realistic to require this extra functionality of all IPv6 nodes for two reasons. First, on a practical level, IPv6 standards documents are still at an early stage of standardization, so it is possible to place additional requirements on IPv6 nodes.

Second, processing binding updates can be implemented as a fairly simple modification to IPv6's use of the destination cache.


Security

One of the biggest differences between IPv6 and IPv4 is that all IPv6 nodes are expected to implement strong authentication and encryption features (IPsec) to improve Internet security. This affords a major simplification for IPv6 mobility support, since all authentication procedures can be assumed to exist when needed and do not have to be specified in the Mobile IPv6 protocol. (That expectation was later relaxed: RFC 6434 downgraded IPsec from a mandatory to a recommended feature of IPv6 nodes, so a deployment cannot assume it is present.)

Even with the security features in IPv6, however, the current working group draft for IPv6 mobility support specifies the use of authentication procedures as infrequently as possible. The reasons for this are twofold.


Copyright 2019 - All Right Reserved