MobileNAT (Mobility across Heterogeneous Address Spaces) - PowerPoint PPT Presentation

Author: Scott Miller; last modified by Kundan Singh; created 4/4/2000

Transcript and Presenter's Notes
1
MobileNAT (Mobility across Heterogeneous Address Spaces)
  • Agenda
    • Motivation
    • Architecture
    • Implementation
    • Comparison with current approaches
    • Summary
    • (30 slides, 60 min)
  • Presented by Kundan Singh (Columbia University)
  • Joint work with Milind Buddhikot, Adiseshu Hari and Scott Miller

2
Current Trends
  • Explosive growth in connected devices
  • Heterogeneity
    • Access: 802.11, 3G, Ethernet
    • Provider billing
    • Address space
      • IPv4 vs IPv6
      • Public vs Private

3
Project IOTA
http://www.bell-labs.com/mbuddhikot/IOTAProject/IOTA.htm
4
The goal
  • Preserve session for
    • inter access-point
    • inter sub-net
    • inter-NAT
    • to 3G network
    • to public network
[Figure: roaming steps (1)-(5) across 802.11 access-points, Ethernet, a router with NAT (private address space), a NAT with public address A, and PDSN/3G, with a session to www.cnn.com preserved]
5
MobileNAT (Mobility across Heterogeneous Address Spaces): agenda slide repeated (section divider before Architecture)

6
Problem with IP address
  • IP address overloaded
    • Host identification
    • Routing information
  • Change in IP address breaks TCP/socket connection
[Figure: TCP association between CN (corresponding node) 128.59.16.149 and MN (mobile node) 135.180.32.4; this is the naming convention used in the following slides]
7
Two addresses
  • Two IP addresses
    • Virtual IP (fixed host-id)
    • Actual IP (routable; changes)
[Figure: CN 128.59.16.149 addresses the MN's virtual IP V=135.180.32.4 at the anchor node (AN); the MN's actual IP changes from 135.180.32.6 to A=135.180.54.7 as it moves]
8
Packet forwarding mechanisms: tunneling or translation
[Figure: two diagrams, translation and tunneling. CN 128.59.16.149 sends to the anchor node AN (V=135.180.32.4); after the MN moves to A=135.180.54.7 the AN forwards 128.59.16.149→135.180.54.7]
  • Translation
    • More processing overhead
    • Not an issue if NAT¹ is already present
  • Tunneling
    • Outer header CN→A or HA→A
    • Inner header CN→V
    • Header overhead

¹ NAT is described later
9
Address allocation using DHCP
  • Virtual and actual IP allocated using DHCP
  • New DHCP options
    • MN sends current virtual IP address (or 0.0.0.0 if none) in the request
    • Server sends the allocated actual and virtual IP addresses in the response
  • Actual IP is allocated based on relay agent IP
[Figure: DHCP server reached through DHCP relay agents on subnets 10.0.1.x and 10.0.2.x (relay agent 10.0.2.2); hosts 10.0.1.5 and 10.0.2.9]
10
Overview of NA(P)T
  • Packet processing rules need to be changed in the event of mobility
[Figure: CN 128.59.16.149 on the public side; NAT with public addresses 135.180.32.1-7; private address space (10.0.0.0-10.255.255.255) with subnets 10.0.1.x, 10.0.2.x and 10.0.7.x; MN at 10.0.1.5]
11
Mobility manager and MIDCOM
  • MIDCOM to control NAT rules
  • Mobility manager IP in DHCP response
[Figure: NAT, DHCP server and one DHCP relay per subnet (10.0.1.x, 10.0.2.x); MN at 10.0.1.5]
12
Example
  • Address assignment
  • Packet flow when MN is private and CN is public
  • MN moves to a new subnet
  • Packet flow after mobility to a new subnet
  • Packet flow when MN and CN are in the same NAT
    domain
  • Packet flow when MN is private and CN is public
    and MN moves to new NAT domain

13
Address assignment
  • DHCP request: (my virtual IP = 0.0.0.0) (my MAC address)
  • DHCP response: (your virtual IP = 10.128.0.2) (your actual IP = 10.0.1.5)
[Figure: MN, DHCP server and NAT]
14
Packet flow
  • NAT picks an external IP and port
[Figure: (1) the application sends from 10.128.0.2:1756 and the shim rewrites the source to the actual IP 10.0.1.5:1756; (2) the NAT rewrites it to 135.180.32.4:7088; (3) the packet arrives at the CN]

15
Inter-subnet mobility
  • DHCP request: (my virtual IP = 10.128.0.2) (my MAC address), relayed from the new subnet 10.0.2.x
  • DHCP response: (your virtual IP = 10.128.0.2) (your actual IP = 10.0.2.7)
  • Mobility manager updates the NAT rule S=10.0.1.5:1756 D=128.59.16.149:80 → S=135.180.32.4:7088 D=same for the new actual IP
[Figure: mobility manager, DHCP server, NAT and CN; subnets 10.0.1.x and 10.0.2.x]
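The DHCP exchange of slides 9, 13 and 15, as an added example in Python (not the presentation's code; the original client is a Windows NDIS driver and the server a Linux DHCP server). It encodes request and response as DHCP TLV options, allocates the actual IP from the pool of the subnet whose relay agent (giaddr) forwarded the request, keeps the virtual IP stable across moves, and records each move for the mobility manager. The option codes 224/225, the pool ranges, the MAC addresses and the lease-check rule are assumptions made for this example.

```python
import ipaddress
import struct

# Option codes are an assumption for this example: the slides only say "new
# DHCP options". 224-254 is the private-use range a deployment would draw from.
OPT_VIRTUAL_IP = 224   # request: current virtual IP (0.0.0.0 if none); response: assigned
OPT_ACTUAL_IP = 225    # response: assigned actual (routable) IP
OPT_PAD, OPT_END = 0, 255
ZERO = ipaddress.IPv4Address("0.0.0.0")


def encode_options(options):
    """Serialize {code: bytes} as DHCP TLV options terminated by END."""
    out = bytearray()
    for code, value in options.items():
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse DHCP TLV options; stops at END and rejects truncated options."""
    opts, pos = {}, 0
    while pos < len(blob):
        code = blob[pos]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        pos += 2 + length
    raise ValueError("missing END option")


def _pool(first, count):
    """Consecutive addresses starting at `first` (pool ranges are assumptions)."""
    start = ipaddress.IPv4Address(first)
    return [start + n for n in range(count)]


class MobileNATDhcpServer:
    """DHCP server with the mobility manager state folded in (slide 23):
    one virtual IP per MAC that never changes, and an actual IP drawn from
    the pool of the subnet the relay agent (giaddr) sits on."""

    def __init__(self, virtual_pool, subnet_pools):
        self.virtual_free = list(virtual_pool)
        self.subnet_free = {ipaddress.ip_network(net): list(pool)
                            for net, pool in subnet_pools.items()}
        self.virtual_by_mac = {}
        self.actual_by_mac = {}
        self.moves = []   # (virtual, old actual, new actual): NAT rules to rewrite

    def _subnet_of(self, ip):
        return next(net for net in self.subnet_free if ip in net)

    def handle_request(self, mac, giaddr, option_blob):
        opts = decode_options(option_blob)
        claimed = ipaddress.IPv4Address(opts.get(OPT_VIRTUAL_IP, ZERO.packed))
        leased = self.virtual_by_mac.get(mac)
        # Keep the virtual IP only when it is the one leased to this MAC (or the
        # client sends 0.0.0.0). A claim for another node's virtual IP gets a
        # fresh lease instead of that node's identity and its NAT mappings.
        if leased is None or claimed not in (leased, ZERO):
            leased = self.virtual_free.pop(0)
            self.virtual_by_mac[mac] = leased
        relay = ipaddress.IPv4Address(giaddr)
        actual = self.subnet_free[self._subnet_of(relay)].pop(0)
        previous = self.actual_by_mac.get(mac)
        if previous is not None:
            self.subnet_free[self._subnet_of(previous)].append(previous)
            self.moves.append((str(leased), str(previous), str(actual)))
        self.actual_by_mac[mac] = actual
        return encode_options({OPT_VIRTUAL_IP: leased.packed,
                               OPT_ACTUAL_IP: actual.packed})


def parse_response(blob):
    """Client side: (virtual IP, actual IP) from the server's options."""
    opts = decode_options(blob)
    return (str(ipaddress.IPv4Address(opts[OPT_VIRTUAL_IP])),
            str(ipaddress.IPv4Address(opts[OPT_ACTUAL_IP])))


def demo():
    """Slides 13 and 15: first attach via relay on 10.0.1.x, then a move to
    10.0.2.x, then another MAC trying to claim the first node's virtual IP."""
    server = MobileNATDhcpServer(
        virtual_pool=_pool("10.128.0.2", 16),
        subnet_pools={"10.0.1.0/24": _pool("10.0.1.5", 8),
                      "10.0.2.0/24": _pool("10.0.2.7", 8)})

    def request(vip):   # the MN's request options
        return encode_options({OPT_VIRTUAL_IP: ipaddress.IPv4Address(vip).packed})

    mac = "00:11:22:33:44:55"   # constructed MAC addresses
    first = parse_response(server.handle_request(mac, "10.0.1.1", request("0.0.0.0")))
    moved = parse_response(server.handle_request(mac, "10.0.2.2", request(first[0])))
    other = parse_response(server.handle_request("66:77:88:99:aa:bb", "10.0.2.2", request(first[0])))
    return first, moved, other, list(server.moves)
```

The lease check is the security-relevant detail: without it any client in the domain could put another node's virtual IP in its request and inherit that node's NAT mappings. Keying the check on the MAC is weak, since a MAC is trivially spoofed on 802.11, which is why DHCP authentication and access-point authentication appear under on-going work (slide 29) and "Does DHCP security/authentication work?" under the open design issues (slide 51).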
16
Packet flow after the node moves
  • Neither the MN application nor the CN knows about the change in actual IP
[Figure: (1) CN sends to 135.180.32.4:7088; (2) NAT rewrites the destination to the new actual IP 10.0.2.7:1756; (3) the shim rewrites it to the virtual IP for the application]
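The translation-mode forwarding of slides 8, 14, 15 and 16, as an added example in Python (not the presentation's code). The shim on the MN rewrites virtual↔actual, the NAT rewrites actual↔public with a connection-tracking table, and move() is the mobility-manager rule rewrite: the public tuple 135.180.32.4:7088 survives the change of actual IP, so neither the CN nor the MN application sees the move. Packet, Shim and MobileNAT are names chosen for this example; the addresses and ports are the ones on the slides.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Shim:
    """MN shim layer: the application only ever sees the virtual IP,
    the wire only ever carries the actual (routable) IP."""

    def __init__(self, virtual_ip, actual_ip):
        self.virtual_ip = virtual_ip
        self.actual_ip = actual_ip

    def outbound(self, pkt):
        if pkt.src != self.virtual_ip:
            raise ValueError("application must send from the virtual IP")
        return replace(pkt, src=self.actual_ip)

    def inbound(self, pkt):
        if pkt.dst != self.actual_ip:
            raise ValueError("packet not addressed to this node's actual IP")
        return replace(pkt, dst=self.virtual_ip)


class MobileNAT:
    """Domain NA(P)T with connection tracking; move() is the mobility-manager
    hook that re-keys rules on the new actual IP while the public side of
    each mapping stays the same."""

    def __init__(self, public_ip, first_port=7088):
        self.public_ip = public_ip
        self._next_port = first_port
        self.out_map = {}   # (actual, sport, dst, dport) -> public port
        self.in_map = {}    # (public port, cn, cn_port) -> (actual, sport)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                      # new flow: pick a public port
            port = self._next_port
            self._next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        if pkt.dst != self.public_ip:
            raise KeyError("not our public address")
        inside = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:                    # no mapping: unsolicited packet dropped
            raise KeyError("no mapping for inbound packet")
        actual, sport = inside
        return replace(pkt, dst=actual, dport=sport)

    def move(self, old_actual, new_actual):
        """Rewrite every flow of the node that moved; returns the count."""
        moved = 0
        for key in [k for k in self.out_map if k[0] == old_actual]:
            port = self.out_map.pop(key)
            _, sport, dst, dport = key
            self.out_map[(new_actual, sport, dst, dport)] = port
            self.in_map[(port, dst, dport)] = (new_actual, sport)
            moved += 1
        return moved


CN = "128.59.16.149"


def session_across_move():
    """Slides 14 to 16: one TCP flow before and after an inter-subnet move."""
    shim = Shim(virtual_ip="10.128.0.2", actual_ip="10.0.1.5")
    nat = MobileNAT(public_ip="135.180.32.4")
    app_pkt = Packet("10.128.0.2", 1756, CN, 80)

    on_wire = nat.outbound(shim.outbound(app_pkt))       # what the CN sees
    reply = Packet(CN, 80, on_wire.src, on_wire.sport)   # CN answers the public tuple
    before = shim.inbound(nat.inbound(reply))

    # DHCP hands out actual 10.0.2.7 for the same virtual IP (slide 15) and
    # the mobility manager rewrites the NAT rule; the CN keeps using 7088.
    shim.actual_ip = "10.0.2.7"
    rewritten = nat.move("10.0.1.5", "10.0.2.7")
    inner = nat.inbound(reply)
    after = shim.inbound(inner)
    resumed = nat.outbound(shim.outbound(app_pkt))       # same public port reused

    return {"on_wire": on_wire, "before": before, "rewritten": rewritten,
            "inner_after_move": inner, "after": after, "resumed": resumed}
```

Note what the NAT does not check: move() trusts whoever calls it, which in the design is the mobility manager inside the DHCP server. An attacker who can drive that path (a spoofed DHCP request, or an unauthenticated MIDCOM channel) can point another node's mappings at an actual IP of their choosing, which is the reason the slides treat DHCP authentication as part of the security work.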

17
Intra-domain sessions
  • Optimization: new signaling message between two MobileNAT clients to route the packets directly
[Figure: CN with actual IP A=10.0.4.9 and MN with V=10.128.0.2, A=10.0.1.5 behind the same NAT]

18
Inter-domain mobility
  • Mobility manager of the visited NAT fetches the existing connection mapping from the mobility manager of the home NAT
  • If the MN moves to public address space, the shim layer acts as the visited NAT
  • Dynamic home agent: use the visited NAT as home NAT for new sessions
  • Tunneling between visited and home NAT

19
MobileNAT (Mobility across Heterogeneous Address Spaces): agenda slide repeated (section divider before Implementation)

20
Implementation: client (Win XP/2000)
  • Shim-layer driver to capture DHCP packets and
    translate IP addresses
  • MobileNAT client application acting as DHCP
    client and server
  • Handles ARP for nodes in other sub-nets

21
Client architecture
22
User interface
  • Approximately 45,000 lines of code, 13,000 of
    which are Windows NDIS kernel networking code

23
Implementation: DHCP server and NAT (Linux)
  • DHCP server to allocate virtual and actual IP
    • Actual IP is based on the subnet of the DHCP relay agent
  • MM is integrated into the DHCP server
  • NAT using netfilter, iptables, ip_conntrack and ip_nat modules
[Figure: DHCP server with a virtual IP range and an actual IP range; NAT connection tracking; PRE-ROUTING destination NAT and POST-ROUTING source NAT hooks]

24
MobileNAT (Mobility across Heterogeneous Address Spaces): agenda slide repeated (section divider before Comparison with current approaches)

25
Similarities/Differences with current proposals
  • Translation mode vs. tunneling
    • Packet size vs. processing overhead
    • Two addresses per MN: affordable since they are private addresses
    • No external FA needed
  • Signaling
    • Using DHCP (new options) and a per-domain Mobility Manager (MM)
  • Routing path
    • No change in routers or CN, but change in MN, NAT and DHCP server
    • Dynamic home agent (i.e., the NAT)

26
Comparison to existing schemes
  • Schemes considered in the following chart
    • Mobile IP
      • Extensions: Location Register (MIP-LR), Route Optimization (MIP-RO)
    • Micro-mobility schemes
      • Cellular IP
      • Hawaii
      • Intra-Domain Mobility Protocol (IDMP)
      • Hierarchical Mobile IP (HMIP)
    • IPv6
    • Application level mobility mechanism
      • SIP
    • Virtual NAT
      • Similar address translation in the client stack
      • Targeted for connection migration where both end-points implement vNAT

27
Comparison chart

Feature             | MIP | CIP  | Hawaii | HMIP (RR) | IDMP/TeleMIP | MIP-LR | MIP-RO | SIP | IPv6 | MobileNAT (IPv6) | MobileNAT | Virtual NAT
MIP messaging       | Y   | N    | Y      | Y         | Y            | -      | -      | N   | Y    | N                | N         | N
Inter-tunnel        | Y   | Y    | Y      | Y         | Y            | N      | Y      | N   | O    | O                | O         | N
Intra-tunnel        | -   | N    | N      | Y         | Y            | -      | -      | -   | O    | O                | O         | N
Paging              | O   | Y    | Y      | Y         | Y            | -      | -      | N   | Y    | UD               | UD        | N
Host ID             | HA  | HA   | CoA    | CoA       | LCoA         | -      | -      | SIP | HA   | CoA              | CoA       | virtual
Signaling           | Y   | Data | Y      | Y         | Y            | Y      | Y      | Y   | Y    | DHCP/MM          | DHCP/MM   | Y
CN modify?          | N   | N    | N      | N         | N            | Y      | Y      | -   | N    | N                | N         | Y
MN modify?          | Y   | Y    | Y      | Y         | Y            | Y      | Y      | -   | Y    | Y                | Y         | Y
Router modify?      | FA  | Y    | Y      | FA        | FA           | -      | -      | -   | O    | N                | N         | N
NAT support         | Y¹  | Y    | Y      | Y         | Y            | IN     | IN     | Y   | IN   | Y                | Y         | IN
Non-mobile IP nodes | Y   | N    | Y      | Y         | Y            | -      | -      | -   | Y    | Y                | Y         | IN
Triangular route    | Y   | Y    | Y      | Y         | Y            | N      | N      | N   | N    | N/Y              | N/Y       | N

Legend: Y = yes, N = no, - = N/A, O = optional, IN = independent, UD = under development.
¹ We assume Mobile IP with UDP tunneling for NAT.
28
Mobile NAT Advantages
  • Problems in existing approaches
    • Huge infrastructure change (CIP, IPv6, routers, even deploying FA)
    • Not much discussion on optimizing intra-domain sessions
    • Require tunneling overhead, inter, intra or both
    • Triangular routing
    • Modification in CN
  • MobileNAT approach
    • Addresses rapid growth in end-devices, which most likely will have private addresses due to slow deployment of IPv6
    • Assumes the presence of NA(P)T in a domain
    • Roaming and services across heterogeneous address spaces
    • Reduces the problem space to only private address space
    • Choice between tunneling and address translation
    • Addresses bandwidth limitations of wireless links
    • Uses existing protocols (DHCP, ICMP) for signaling
    • Discourages changing routing infrastructure
    • Can co-exist with MobileIP

29
On-going work
  • Scalability
    • Subdivide domains into smaller NAT-ed domains
    • Multiple NATs per domain
  • Security
    • DHCP authentication and access-point authentication/encryption
    • Works with IPsec (AH mode and UDP tunnel) and SSL (caveat: the AH integrity check covers the IP addresses in the header, so any translation between the two IPsec endpoints fails AH verification; slide 46 lists IP security as an open question)
  • Paging
    • Re-use of existing IP-multicast based paging
  • Possible deployment issues
    • Changing every MN driver (similar to Mobile IP)
    • Mobility to 3G network
    • Location information distribution
    • Allow incremental deployment
  • Other issues
    • Does not solve NAT problems where the application layer message carries the IP address (FTP, SIP, RTSP)
    • Fast hand-off for micro-mobility
    • Intra-domain sessions on inter-domain mobility
    • Combined MobileIP and MobileNAT client

30
Summary
  • Main Ideas
    • Virtual IP for host identification, actual IP for routing
    • Address translation in the client as well as in the NAT
    • Existing protocols like DHCP for signaling
    • Mobility manager to handle nodes in a domain
    • NAT acts as a dynamic home agent
    • Inter-NAT packet flow for inter-domain mobility
  • No change in routers and no need for FA
  • Change in MN, NAT and DHCP server
  • Demonstrated a simple inter-subnet mobility

31
Survey of existing mobility approaches for private/public addresses
  • BACKUP SLIDES

32
Mobile IP for macro mobility
  • Triangular routing
    • Route optimization
  • Slow handoff
    • Hierarchical mobility
    • Tunneling (HMIP)
    • Mobile specific routing (CIP, Hawaii)
  • Signaling overhead
    • Paging (CIP, Hawaii, HMIP)
  • Firewall, etc.
    • Reverse tunneling
[Figure: Mobile IP packet flow, steps (1)-(4), with headers CN→HA; HA→FA (outer) carrying CN→HA (inner); CN→HA; HA→CN]

33
Mobile IP with NAT
  • UDP port mapping created during registration
  • HA finds that the FA is behind a NAT
  • HA uses an IP-in-UDP tunnel
[Figure: (1) register: establishes the port mapping; (2) CN→HA; (3) HA→NAT (UDP) carrying CN→HA (IP); (4) NAT→FA (UDP) carrying CN→HA (IP); outbound traffic also shown]
34
Micro mobility: Cellular IP
  • CoA is that of the gateway (FA)
  • No change in CoA within the domain
  • Gateway converts cellular IP to IP
  • Network elements snoop on data packets from MN to GW and set the reverse route from GW to MN
  • Paging to discover idle MN
  • NAT can be at the gateway
[Figure: intra-domain cellular IP (non-IP) cloud; host ID = HA]
35
Micro mobility: Hawaii
  • CoA is that of the root router (FA)
  • Host-specific route in IP
  • Path setup tradeoff
    • Explicit signal from MN to update route
    • Packet loss, reorder, handoff latency
  • Paging (IP multicast) to discover idle MN if no routing information
  • NAT can be at the root router
[Figure: CN→HA; HA→CoA (outer) carrying CN→HA (inner) through the IP cloud; host ID = CoA]
36
Micro mobility: Hierarchical mobile IP
  • Two levels
  • Works with non-mobile (but) IP traffic in the domain
  • Paging
  • Two IP addresses (GFA and FA) per MN
  • NAT can be at the GFA
  • High-level network of FAs (preferably a tree) above IP; registration updates at the optimal point in the tree
[Figure: CN→HA; HA→GFA (outer) carrying CN→HA (inner); GFA→FA (outer) carrying CN→HA (inner)]
37
Micro mobility: IDMP/TeleMIP
  • MA acts as gateway to the internet
  • Subnet agent (e.g., DHCP or FA) sends domain info
  • MN registers GCoA = MA at the HA and LCoA = FA at the MA: two-level addressing
  • Similar to HMIP except multiple MAs are allowed for load balancing
  • MA does NAT
[Figure: CN→HA; HA→MA (GCoA, outer) carrying CN→HA (inner); MA→FA (LCoA, outer) carrying CN→HA (inner)]
38
MIP Location Registers
  • Get and cache the CoA of the MN for a given TTL
  • Avoids encapsulation
  • Modifies CN
  • New VLR deregisters old VLR
  • If the VLR runs out of addresses, it informs the HLR, which informs the CN to use a tunnel from CN to VLR
  • If the MN moves before the TTL expires: (1) inform VLR and HLR, which inform the CN; (2) inform the CN directly; (3) old VLR relays to the new one
[Figure: steps (1)-(4) of the location register lookup]
39
SIP application level mobility
  • Only for VoIP/multimedia calls
  • No change in existing infrastructure
  • NAT traversal (next slide)
[Figure: initial INVITE, then re-INVITE and re-REGISTER after the move]
40
Middle box communication (midcom)
  • Application specific proxy server controls the NAT/firewall port binding/hole
  • Separates NAT/ALG functionality
  • Proxy snoops or modifies signaling
  • Signaling traffic allowed on a fixed port; media on dynamic ports
  • Works with SIP
  • No incentive to install
[Figure: signaling passes through the proxy, which uses midcom to open the NAT for the media path]
41
Simple Traversal of UDP through NAT (STUN)
  • Host sends a packet to the STUN server
  • NAT converts the internal IP to the external IP
  • Server responds with the source IP of the packet (i.e., the external one)
  • Host learns that its external IP is not the same as its internal IP
  • It uses the external IP/port when advertising in SDP
  • Does not work for symmetric NAT
    • The external IP/port of the same host differs for connections to different external hosts
[Figure: steps (1)-(6) of the STUN exchange]
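The STUN exchange and the symmetric-NAT failure described above, as an added example in Python (not part of the original slides). It builds an RFC 3489 Binding Request, parses MAPPED-ADDRESS out of the Binding Response, and probes a toy NAT through two servers: a cone NAT yields the same mapping for both, a symmetric NAT does not, which is why the STUN-learned address is useless in SDP behind one. The server and the NAT (SimNat) are simulated in-process and are constructed for this example; the 198.51.100.x server addresses are documentation-range placeholders.

```python
import ipaddress
import os
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
FAMILY_IPV4 = 0x01


def build_binding_request(txid):
    """STUN header (RFC 3489): type, body length, 128-bit transaction id."""
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid


def build_binding_response(txid, mapped_ip, mapped_port):
    """Server side: echo the source address/port it saw in MAPPED-ADDRESS."""
    value = struct.pack("!BBH4s", 0, FAMILY_IPV4, mapped_port,
                        ipaddress.IPv4Address(mapped_ip).packed)
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr


def parse_binding_response(data, expected_txid):
    """Client side: (ip, port) from MAPPED-ADDRESS. The transaction id must
    match the request, so an off-path spoofer cannot plant a fake mapping."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response")
    if data[4:20] != expected_txid:
        raise ValueError("transaction id mismatch")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_MAPPED_ADDRESS:
            if alen != 8:
                raise ValueError("bad MAPPED-ADDRESS length")
            _, family, port, raw = struct.unpack("!BBH4s", value)
            if family != FAMILY_IPV4:
                raise ValueError("unexpected address family")
            return str(ipaddress.IPv4Address(raw)), port
        pos += 4 + alen
    raise ValueError("no MAPPED-ADDRESS attribute")


def stun_server(request, source):
    """Toy server: answer a Binding Request with the source it saw."""
    if struct.unpack("!H", request[:2])[0] != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    return build_binding_response(request[4:20], *source)


class SimNat:
    """Constructed NAT model. Cone: one public port per internal (ip, port).
    Symmetric: one public port per (internal, destination) pair."""

    def __init__(self, public_ip, symmetric):
        self.public_ip, self.symmetric = public_ip, symmetric
        self.bindings, self._next_port = {}, 40000

    def translate(self, internal, destination):
        key = (internal, destination) if self.symmetric else internal
        if key not in self.bindings:
            self.bindings[key] = self._next_port
            self._next_port += 1
        return self.public_ip, self.bindings[key]


def stun_probe(nat, internal, server):
    """One round trip: host -> NAT -> server -> NAT -> host."""
    txid = os.urandom(16)
    request = build_binding_request(txid)
    response = stun_server(request, nat.translate(internal, server))
    return parse_binding_response(response, txid)


def classify(nat, internal, servers):
    """The slide's rule: the same mapping from every external host means the
    address can go into SDP; a different one per destination means a symmetric
    NAT, where the STUN result is useless."""
    mapped = {stun_probe(nat, internal, s) for s in servers}
    if len(mapped) > 1:
        return "symmetric"
    return "none" if mapped == {internal} else "cone"
```

Probing two different servers is the minimum needed to see the symmetric case; a single probe cannot distinguish it from a cone NAT, which is exactly the trap when the host then advertises that mapping in SDP.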
42
Realm Specific IP (RSIP)
  • Get an external address from the NAT for this private host
  • Tunnel packets between the NAT and the private host
  • Works for various combinations of multiple RSIP gateways, NAT, NAT with RSIP, and RSIP hosts
  • Needs an RSIP-aware host
[Figure: CN→NAT on the outside; NAT→host tunnel carrying <CN→NAT> inside]
43
Mobility in IPv6
  • Address auto-configuration
    • Always obtain a CoA in the FN
    • Net part + local part
    • No FA needed
  • Route optimization
    • IPv6 Destination option to CN and HA
    • CN caches the CoA of the MN and sends directly
  • Hierarchical MIPv6
    • Global address: mobile server's network, allows change in MS
    • Local address known to the mobile server
[Figure: (1) first IPv6 packet CN→HA; (2) tunneled HA→CoA carrying CN→HA; (3) IPv6 destination option; (4) subsequent packets sent directly]
44
Mobile NAT motivation
  • Problems in existing approaches
    • Not much discussion on optimizing intra-domain sessions
    • Require tunneling overhead, inter, intra or both
    • Triangular routing or modification in CN
    • Huge infrastructure change (CIP, IPv6, even deploying FA)
    • . . .
  • What MobileNAT does
    • Reduces the problem space to only private-address-space MNs
    • Assumes the presence of NA(P)T in a domain
    • Choice between tunneling and address translation
    • Uses existing protocols (DHCP, ICMP) for signaling mobility
    • Discourages changing routing infrastructure
    • Can co-exist with MobileIP, Hawaii and IPv6 (?)
    • Provides roaming and services across heterogeneous address spaces demarcated by address translation devices

45
Mobile NAT intra-domain
  • No explicit HA or FA
    • HA is in the NAT (MN is private)
    • FA is in the MN (driver, kernel)
  • Virtual vs routable address
    • Virtual: fixed private address a, exposed to the application on the MN
    • Routable: dynamic private address a or b, obtained using DHCP
  • Transport sessions between CN↔A (external), CN↔a (internal)
  • Address translation
    • NAT (A→a→b), MN (b→a)
  • Tunneling
    • NAT→MN
[Figure: CN<>A across the IP cloud; NAT maps A↔a; MN shown as virtual/actual a/a before and a/b after the move; host ID = private (virtual) address]
46
Mobile NAT inter-domain
  • Inter-NAT tunnel or relay
  • MN moves a/a → a/c
  • NAT1 and NAT2 informed
  • Translation
    • NAT1: A→a→B
    • NAT2: B→a→c
    • MN: c→a
  • Issues
    • Multiple a in NAT2, but unique map B→a
    • Does IP security work (?)
  • Like Mobile IP
    • FA = NAT2, HA = NAT1
    • At most two levels of NATs
[Figure: CN<>A; NAT1 maps A↔a; NAT2 maps B↔a; MN at a/a in the home domain and a/c in the visited domain]
47
Mobile NAT intra-domain sessions
  • MN1 ↔ MN2 active session
    • MN2 sends to the NAT, destination a
    • NAT responds with router redirect b (?)
    • MN2 now sends to MN1
  •  MN1 moves a/b → a/c
    • MN1 gets c
    • DHCP server (or MN1) informs the NAT
    • MN2 gets ICMP host unreachable
    • Starts sending to the NAT
    • NAT responds with router redirect c
  • MN1 moves out of the domain
    • Path MN1→visited NAT→home NAT→MN2
[Figure: NAT maps A↔a; MN1 at a/b, then a/c; MN2 at d/e; active session between them]

(?) An ICMP Redirect message is expected from a router in the same sub-net to which the packet is being sent. It is vulnerable to attacks (confirm?). Cisco routers don't forward ICMP redirects from another network. We may use proprietary IP options if allowed.
48
TODO
  • Can MobileNAT co-exist with MIP, Hawaii and non-mobile but IP clients?
    • If a MIP MN discovers no FA, it switches to MobileNAT
    • If a MobileNAT MN discovers an FA, it enables both MIP and MobileNAT
    • If a MobileNAT MN goes out of the domain and gets a public address
    • If a public MN moves within the domain and gets a private address
  • For an intra-domain session between an MN and a fixed-IP host, route optimization does not work
  • Does route optimization work if both MNs move at the same time?
  • Does MobileNAT work with multicast?
  • Write a simulation program for MobileNAT, MobileIP and Hawaii networks

49
TODO
  • Can part of it be implemented using existing protocols like Mobile IPv6 (destination option for route optimization), IDMP (for public/private addresses) or RSIP?
  • Intra-domain route optimization is similar to the IPv6 destination option; can we use IPv6 within the domain? Need to change all routers (?)
  • Assume an IPv6 domain with the NAT as an IPv4↔IPv6 converter. What changes do we need in NAT/IOTA so that it works with Mobile IP? For IPv6, do we need a private address domain? How do we minimize changes in the IPv6 MN?
  • IDMP supports multiple MAs. Can we install multiple NAT/IOTA for load balancing?
  • Does tunnel mode MobileNAT reduce to IDMP when the HA is outside the NAT and the FA is in the MN? (yes) Why can't MobileNAT be proposed as an extension to IDMP? IDMP does not describe intra-domain session optimization.

50
TODO
  • Windows related issues
    • Check if TCP connections are dropped when ipconfig /release is done
    • Check what happens when CONNECTED status is indicated on an already connected state
    • Check if TCP connections are dropped even if DISCONNECTED status is not propagated to the higher layer
  • Possible deployment hindrances
    • Changing every MN driver (similar to Mobile IP)
    • Should allow incremental deployment
    • Processing overhead on NAT/IOTA
  • What happens to domain/sub-net specific options that are not indicated to the higher layer when the domain/sub-net changes? Need to write a controlling application also that does DhcpIpRenewAddress when the driver finds a different options field.

51
TODO
  • Basic design issues
    • Does DHCP security/authentication work?
    • Can we use ICMP router redirect from the NAT to a private host?
    • Can IP security work in all scenarios?
    • Fast handoff applicability
  • Since we are modifying the MN driver anyway, can it be made more extensible or more auto-configurable?
    • E.g., if IOTA/NAT is moved to the sub-net routers, can modification in the MN be avoided? What if there are multiple hierarchical IOTA/NAT in a domain?