6-5 Mobile IP

  • Mobile IP provides a way for users to keep a home-based IP address while roaming outside their home network. Sessions can be initiated and maintained with roaming users using their home address.

  • Mobile IP builds tunnels to roaming users with generic routing encapsulation (GRE) and IP-in-IP tunneling protocols.

  • Mobile IP is useful in wireless and cellular environments, where users need to maintain a single IP address while roaming between networks.

  • Mobile IP must be configured in three places: as a home agent on a router in the "home" network, as a foreign agent on every router where roaming users can appear, and on the mobile node itself (the user's portable host machine).

  • Roaming users maintain two addresses: a static home address, where application connections are terminated, and a care-of address. The care-of address represents the user's current location and acts as a forwarding address to which all traffic for the home address is sent. The care-of address is also the far end of the Mobile IP tunnel to the roaming user.

  • As a user roams, Mobile IP client software detects the local foreign agent through an extension of the ICMP Router Discovery Protocol (IRDP). Cisco's Aironet series wireless LAN products include a Mobile IP proxy agent, allowing nodes to roam without any extra Mobile IP client software.

  • Mobile nodes and home agents must share a security association (a security parameter index and a secret key; RFC 2002 authenticates registration messages with a keyed Message Digest 5 (MD5) digest) before the mobile node can be authenticated and registered for a tunnel.

  • Mobile IP tunnels are built between the home and foreign agents as the mobile node registers itself with a newly discovered foreign agent.

NOTE

Mobile IP is based on the following protocols and ports:

  • Mobile IP registration (RFC 2002, since obsoleted by RFC 3344, which keeps the same port and message formats), which uses UDP port 434

  • IRDP (RFC 1256), which uses IP protocol number 1 (ICMP), with advertisements sent to either the broadcast address 255.255.255.255 or the multicast address 224.0.0.1

  • GRE tunneling (RFC 1701), which uses IP protocol number 47

  • IP-in-IP tunneling (RFC 2003), which uses IP protocol number 4


Configuration

  1. Configure the Home Agent.

    1. Enable Mobile IP on the Home Agent router:

       (global)  router mobile  
    2. Enable the Home Agent service:

       (global)  ip mobile home-agent  [  broadcast  ] [  care-of-access   acl  ] [  lifetime   sec  ] [  replay   sec  ] [  reverse-tunnel-off  ] [  roam-access   acl  ]   [  suppress-unreachable  ] 

      The broadcast keyword (not enabled by default) specifies that broadcasts are forwarded to the mobile node over the tunnel. Mobile node registrations can be limited to a maximum lifetime of sec seconds (the default is 36000 seconds), and replay sec sets the replay protection window, in seconds, within which a registration's timestamp must fall. The reverse-tunnel-off keyword disables support for tunnels in the reverse direction (it is enabled by default). Normally a tunnel is built only for traffic going from the home network toward the mobile node, because the care-of address changes while roaming; traffic in the reverse direction can be routed directly from the foreign network and need not pass through the home agent. Reverse tunnels (RFC 3024) are therefore optional, but they become necessary when the foreign network applies ingress filtering (RFC 2827): packets the mobile node sources from its home address look topologically wrong on the foreign link and are dropped unless they are tunneled back to the home agent.

      By default, any foreign agent care-of address can register with the home agent, and any mobile node is allowed to roam. If desired, you can restrict care-of addresses to those permitted by the care-of-access acl standard IP access list. Mobile nodes can be permitted or denied roaming privileges by the roam-access acl standard IP access list; the addresses it checks are the home addresses of the mobile nodes, not their dynamic care-of addresses.

    3. (Optional) Configure one or more virtual networks:

       (global)  ip mobile virtual-network   address mask  

      Mobile nodes can be assigned IP addresses that belong to a nonexistent network or that are not directly connected to the home agent router. In this case, the virtual network must be defined by address and network mask and placed in the home agent's routing table.

    4. (Optional) Redistribute the virtual networks into a routing protocol:

       (global)  router   routing-protocol  
       (router)  redistribute mobile  

      All Mobile IP virtual networks are redistributed into the routing protocol specified by the router command. Because virtual networks are not directly connected, they are not advertised by default. Redistributing them into an existing routing protocol causes them to be advertised to other routers in the routing domain.

    5. Identify the mobile nodes to be supported:

       (global)  ip mobile host   lower  [  upper  ] {  interface   type num  |  virtual-network   network mask  } [  aaa  [  load-sa  ]] [  care-of-access   acl  ]   [  lifetime   seconds  ] 

      The range of mobile node IP addresses is between lower and upper. Mobile nodes must belong to either a physical router interface ( interface type num ) or a virtual network ( virtual-network network mask ). A limited set of foreign agents where mobile nodes are supported can be defined with the care-of-access keyword. A standard IP access list acl (either named or numbered) is used to permit only the desired foreign agent care-of addresses. The maximum mobile node lifetime can be defined with the lifetime keyword (3 to 65535 seconds; the default is 36000 seconds).

      Mobile nodes must have security associations (SAs) for authentication during registration with the home agent. Security associations can be defined in an AAA server (either TACACS+ or RADIUS) or explicitly defined with the ip mobile secure command, as described next. The aaa keyword causes SAs to be downloaded from the AAA server to the home agent; the optional load-sa keyword keeps the downloaded security associations in the router's memory instead of fetching them at each registration.

    6. (Optional) Configure mobile node security associations:

       (global)  ip mobile secure host   address  {  inbound-spi   spi-in   outbound-spi   spi-out  |  spi   spi  }  key  {  ascii  |  hex  }  string  [  replay   timestamp  [  seconds  ]] [  algorithm md5  ] [  mode prefix-suffix  ] 

      The IP address of the mobile node is specified with the address field. Authentication for mobile node registration is defined by a security parameter index (SPI). The SPIs can be specified as an inbound/outbound pair with the inbound-spi and outbound-spi keywords, or as a single bidirectional value with the spi keyword. The SPI is a 4-byte index (0x100 to 0xffffffff; RFC 2002 reserves the values below 0x100) that selects a security context between two endpoints, so the mobile node must be configured with the same SPI and key.

      A secret shared key is defined with the key keyword and either an ascii text string or a hex string of digits. The registration exchange is authenticated, not encrypted: with the algorithm md5 keywords, a keyed MD5 message digest is computed over the registration data and checked by the peer that holds the same key. If the mode prefix-suffix keywords are used, the key is placed at the beginning and at the end of the registration data before the MD5 digest is calculated; this is the RFC 2002 default, which RFC 3344 later replaced with HMAC-MD5 because keyed MD5 in this form is weaker. The replay timestamp keywords protect against replay attacks: each registration carries a 64-bit Identification field holding an NTP-format timestamp, which the home agent compares with its own clock, and a registration whose Identification is not newer than the last one accepted is rejected. An optional seconds value sets how far the timestamp may differ from the receiver's clock. Because the check is against absolute time, both ends must have synchronized clocks; a home agent that rejects a registration for this reason returns its own time in the reply so that the mobile node can resynchronize and retry.

    7. (Optional) Configure foreign agent security associations:

       (global)  ip mobile secure foreign-agent   address  {  inbound-spi   spi-in   outbound-spi   spi-out  |  spi   spi  }  key  {  ascii  |  hex  }  string  [  replay timestamp  [  seconds  ]] [  algorithm md5  ] [  mode prefix-suffix  ] 

      This command is necessary if security associations will be used between the home agent and foreign agents. A foreign agent's IP address is specified with the address field. Authentication for foreign agent registration is defined with an SPI, a secret shared key, and the same authentication parameters as described in Step 1f.

  2. Configure a foreign agent.

    1. Enable Mobile IP on the foreign agent router:

       (global)  router mobile  
    2. Enable the care-of address on the foreign agent:

       (global)  ip mobile foreign-agent  [  care-of   type num  ] [  reg-wait   seconds  ] 

      The care-of address on a foreign agent is defined by the care-of keyword and the specified interface type and num. The address of this interface is used as one endpoint of the tunnels that are built back to the home agent. The reg-wait keyword specifies how long the foreign agent waits for a reply from the home agent to register a mobile node (5 to 600 seconds; the default is 15 seconds).

    3. Enable the foreign agent service on an interface:

       (interface)  ip mobile foreign-service  [  home-access   acl  ] [  limit   num  ]   [  registration-required  ] 

      Foreign agent service is enabled on an interface where mobile nodes can roam and connect. The care-of address defined in Step 2b is advertised on this interface. If desired, the home-access keyword can be used to restrict the set of home agent IP addresses with which mobile nodes can register. Only addresses permitted by the standard IP access list acl can be used as home agents. The limit keyword can be used to limit the number of visiting mobile nodes on the interface to num (1 to 1000; the default is unlimited). If the registration-required keyword is specified, all mobile nodes must register even if the care-of address is co-located.

    4. (Optional) Specify network prefix lengths in foreign agent advertisements:

       (interface)  ip mobile prefix-length  

      On an interface that advertises care-of addresses of a foreign agent, this command causes the network prefix length to be added to the advertisements. Roaming mobile nodes can use the prefix to differentiate between advertisements received from more than one foreign agent.

    5. (Optional) Configure home agent security associations:

       (global)  ip mobile secure home-agent   address  {  inbound-spi   spi-in   outbound-spi   spi-out  |  spi   spi  }  key  {  ascii  |  hex  }  string  [  replay timestamp  [  seconds  ]] [  algorithm md5  ] [  mode prefix-suffix  ] 

      This command is necessary if security associations will be used between the home agent and foreign agents. The IP address of a home agent is specified with the address field. Authentication for home agent registration is defined with an SPI, a secret shared key, and the same authentication parameters as described in Step 1f.

    6. (Optional) Configure roaming mobile node security associations:

       (global)  ip mobile secure visitor   address  {  inbound-spi   spi-in   outbound-spi   spi-out  |  spi   spi  }  key  {  ascii  |  hex  }  string  [  replay timestamp  [  seconds  ]] [  algorithm md5  ] [  mode prefix-suffix  ] 

      This command is necessary if security associations will be used between the foreign agent and roaming (visiting) mobile nodes. The IP address of a visiting mobile node is specified with the address field. Authentication for visitor registration is defined with an SPI, a secret shared key, and the same authentication parameters as described in Step 1f.
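The security associations configured in Steps 1f, 1g, 2e and 2f all protect the same thing: the Mobile IP registration exchange on UDP port 434. The following Python is an added example, not IOS code and not from the book, showing what a home agent does with such an SA when a Registration Request arrives: it recomputes the authenticator over the request plus the extension's type, length and SPI, compares it in constant time, and applies timestamp replay protection. Both the RFC 2002 keyed MD5 prefix-suffix mode (the page's algorithm md5 with mode prefix-suffix) and the RFC 3344 HMAC-MD5 algorithm are implemented. Assumptions made for the example: a home agent address of 192.168.1.1, a care-of address of 17.6.3.45 on the example foreign agent, a 7-second replay window, and reading the example's "spi 100" as hexadecimal 0x100 (the page gives 0x100 as the lowest valid SPI). All message bytes are constructed inline so the block runs offline.

```python
"""Mobile IP registration authentication and replay check (RFC 2002 / RFC 3344).
Added example, not Cisco IOS code: models what an 'ip mobile secure' SA protects."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

REG_REQUEST_TYPE = 1           # Registration Request, RFC 2002 section 3.3
MH_AUTH_EXT_TYPE = 32          # Mobile-Home Authentication Extension
DIGEST_LEN = 16                # MD5 and HMAC-MD5 both yield 16 bytes
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
FIXED_LEN = 24                 # type, flags, lifetime, three addresses, identification


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    algorithm: str = "md5"    # "md5": keyed MD5 prefix+suffix (RFC 2002); "hmac-md5": RFC 3344
    replay_window: int = 7    # seconds of clock skew tolerated; assumed value for this example


def ntp_identification(unix_time):
    """64-bit Identification field with NTP seconds in the high-order 32 bits."""
    return (int(unix_time) + NTP_EPOCH_OFFSET) << 32


def registration_request(home, home_agent, care_of, lifetime, identification, flags=0):
    """Fixed portion of a Registration Request (the UDP payload before extensions)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, flags, lifetime,
                       IPv4Address(home).packed, IPv4Address(home_agent).packed,
                       IPv4Address(care_of).packed, identification)


def authenticator(sa, protected):
    """Authenticator over the protected bytes: keyed MD5 (key||data||key) or HMAC-MD5."""
    if sa.algorithm == "md5":
        return hashlib.md5(sa.key + protected + sa.key).digest()
    if sa.algorithm == "hmac-md5":
        return hmac.new(sa.key, protected, hashlib.md5).digest()
    raise ValueError(f"unsupported algorithm {sa.algorithm!r}")


def sign_request(sa, request):
    """Append the authentication extension (type, length, SPI, authenticator).
    The digest covers the request and the extension's own type/length/SPI fields."""
    header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + DIGEST_LEN, sa.spi)
    return request + header + authenticator(sa, request + header)


def verify_registration(message, sa_table, now, last_ident):
    """Home-agent check. sa_table maps (home address, SPI) to a SecurityAssociation;
    last_ident remembers the newest accepted Identification per home address."""
    ext_end = FIXED_LEN + 6
    if len(message) < ext_end + DIGEST_LEN:
        return False, "truncated"
    req_type, _flags, _life, home, _ha, _coa, ident = struct.unpack("!BBH4s4s4sQ",
                                                                    message[:FIXED_LEN])
    ext_type, ext_len, spi = struct.unpack("!BBI", message[FIXED_LEN:ext_end])
    if req_type != REG_REQUEST_TYPE or ext_type != MH_AUTH_EXT_TYPE or ext_len != 4 + DIGEST_LEN:
        return False, "malformed"
    home_addr = str(IPv4Address(home))
    sa = sa_table.get((home_addr, spi))
    if sa is None:
        return False, "no security association"
    expected = authenticator(sa, message[:ext_end])
    if not hmac.compare_digest(expected, message[ext_end:ext_end + DIGEST_LEN]):
        return False, "authentication failed"      # RFC 2002 reply code 131
    sent_at = (ident >> 32) - NTP_EPOCH_OFFSET
    if abs(sent_at - int(now)) > sa.replay_window:
        return False, "identification mismatch"    # reply code 133: stale or unsynchronized clock
    if ident <= last_ident.get(home_addr, 0):
        return False, "replayed registration"      # same or older Identification already accepted
    last_ident[home_addr] = ident
    return True, "accepted"


def demo():
    """Accept, replay, tamper, stale-timestamp and HMAC-MD5 cases; returns the reasons."""
    # Constructed inputs: mobile node 192.168.3.1 and key "secret99" from the page's example,
    # SPI 100 read as hex (0x100), assumed home agent 192.168.1.1 and care-of 17.6.3.45.
    sa = SecurityAssociation(spi=0x100, key=b"secret99")
    table = {("192.168.3.1", 0x100): sa}
    now = 1_700_000_000
    fresh = registration_request("192.168.3.1", "192.168.1.1", "17.6.3.45", 36000,
                                 ntp_identification(now))
    msg = sign_request(sa, fresh)
    seen = {}
    results = [verify_registration(msg, table, now, seen)[1],
               verify_registration(msg, table, now, seen)[1]]   # second copy is a replay
    tampered = bytearray(msg)
    tampered[2] ^= 0x01                                          # flip one lifetime bit
    results.append(verify_registration(bytes(tampered), table, now, {})[1])
    stale = registration_request("192.168.3.1", "192.168.1.1", "17.6.3.45", 36000,
                                 ntp_identification(now - 60))
    results.append(verify_registration(sign_request(sa, stale), table, now, {})[1])
    strong = SecurityAssociation(spi=0x101, key=b"secret99", algorithm="hmac-md5")
    table[("192.168.3.1", 0x101)] = strong
    results.append(verify_registration(sign_request(strong, fresh), table, now, {})[1])
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns accepted, replayed registration, authentication failed, identification mismatch, accepted: the identical request presented twice is refused because its Identification is not newer than the last accepted one, a single flipped bit in the lifetime fails the digest (reply code 131), and a 60-second-old timestamp falls outside the window (code 133), which is why the configuration steps insist on synchronized clocks. The keyed-MD5 branch is what algorithm md5 with mode prefix-suffix produces; the HMAC-MD5 branch shows the construction RFC 3344 moved to.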

Example

A home agent router (Router 1) is configured to support Mobile IP. All roaming mobile nodes are given IP addresses on the virtual network 192.168.3.0, which does not exist inside the home agent's network. Mobile nodes are restricted such that addresses 192.168.3.17 and 192.168.3.161 are not allowed to roam beyond the home network. Mobile nodes with addresses ranging from 192.168.3.1 to 192.168.3.254 belong to the virtual network, but foreign agents with care-of addresses in the 128.10.0.0 network are not allowed to support roaming nodes. Last, security associations are set up for mobile nodes 192.168.3.1 and 192.168.3.2. The SAs use keyed MD5 authentication (registration messages are authenticated, not encrypted) with the text string "secret99" as the shared key. Sharing one key across nodes, as this example does for brevity, lets any holder of the key register as either node; in a production deployment give each mobile node its own key.

A foreign agent is configured on Router 2, where the ethernet 1/0 interface provides Mobile IP advertisements to mobile nodes. The care-of address becomes 17.6.3.45, or the address of the ethernet 1/0 interface.

Figure 6-2 shows the network diagram for this example.

Figure 6-2. Network Diagram for the Mobile IP Example

graphics/06fig02.gif

Router 1
router mobile
ip mobile home-agent broadcast roam-access 10
ip mobile virtual-network 192.168.3.0 255.255.255.0
ip mobile host 192.168.3.1 192.168.3.254 virtual-network 192.168.3.0 255.255.255.0 care-of-access 11
ip mobile secure host 192.168.3.1 spi 100 key ascii secret99 algorithm md5
ip mobile secure host 192.168.3.2 spi 100 key ascii secret99 algorithm md5
access-list 10 deny 192.168.3.17
access-list 10 deny 192.168.3.161
access-list 10 permit any
! the wildcard mask is required: "deny 128.10.0.0" alone matches only the single host 128.10.0.0
access-list 11 deny 128.10.0.0 0.0.255.255
access-list 11 permit any
router eigrp 101
 network 192.168.1.0
 redistribute mobile
_______________________________________________________________________
Router 2
router mobile
ip mobile foreign-agent care-of ethernet 1/0
interface ethernet 1/0
 ip address 17.6.3.45 255.255.0.0
 ip mobile foreign-service
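The roam-access and care-of-access lists in this example are standard IOS access lists, and the way IOS matches them decides which home addresses may roam and which foreign agents may register. The following Python is an added example, not from the book and not IOS code, that evaluates standard access-list entries the way IOS does: first match wins, an omitted wildcard mask means 0.0.0.0 (exactly one host), and an address that matches nothing hits the implicit deny. Run against the example's lists it shows that denying the whole 128.10.0.0 network needs an explicit wildcard of 0.0.255.255; the entry "access-list 11 deny 128.10.0.0" by itself blocks only the single address 128.10.0.0. The care-of address 128.10.5.1 used below is a constructed test value.

```python
"""Standard IOS access-list matching for Mobile IP roam-access and care-of-access lists.
Added example; not IOS code. Models standard (source-address) lists only."""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}' lines
    into (action, address, wildcard) tuples, preserving order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list entry: {line!r}")
        action, rest = tokens[2], tokens[3:]
        if rest[0] == "any":
            addr, wild = 0, ALL_ONES
        elif rest[0] == "host":
            addr, wild = int(IPv4Address(rest[1])), 0
        else:
            addr = int(IPv4Address(rest[0]))
            # IOS treats a missing wildcard mask as 0.0.0.0: the entry matches one host only
            wild = int(IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries


def acl_permits(entries, address):
    """First-match evaluation with the implicit 'deny any' IOS adds at the end."""
    value = int(IPv4Address(address))
    for action, addr, wild in entries:
        care = ALL_ONES & ~wild          # wildcard bits set to 1 are ignored in the comparison
        if (value & care) == (addr & care):
            return action == "permit"
    return False


# The example's lists, constructed here from the Router 1 configuration above.
ROAM_ACCESS_10 = [
    "access-list 10 deny 192.168.3.17",
    "access-list 10 deny 192.168.3.161",
    "access-list 10 permit any",
]
CARE_OF_ACCESS_11_HOST_ONLY = [          # no wildcard: denies just the host 128.10.0.0
    "access-list 11 deny 128.10.0.0",
    "access-list 11 permit any",
]
CARE_OF_ACCESS_11_NETWORK = [            # wildcard 0.0.255.255: denies all of 128.10.0.0/16
    "access-list 11 deny 128.10.0.0 0.0.255.255",
    "access-list 11 permit any",
]


def check_example():
    """Which home addresses may roam, and which care-of addresses may register."""
    roam = parse_standard_acl(ROAM_ACCESS_10)
    host_only = parse_standard_acl(CARE_OF_ACCESS_11_HOST_ONLY)
    network = parse_standard_acl(CARE_OF_ACCESS_11_NETWORK)
    return {
        "192.168.3.17 may roam": acl_permits(roam, "192.168.3.17"),
        "192.168.3.18 may roam": acl_permits(roam, "192.168.3.18"),
        "17.6.3.45 care-of (host-only list)": acl_permits(host_only, "17.6.3.45"),
        "128.10.5.1 care-of (host-only list)": acl_permits(host_only, "128.10.5.1"),
        "128.10.5.1 care-of (network list)": acl_permits(network, "128.10.5.1"),
        "128.10.0.0 care-of (host-only list)": acl_permits(host_only, "128.10.0.0"),
    }


if __name__ == "__main__":
    for check, permitted in check_example().items():
        print(f"{check}: {'permit' if permitted else 'deny'}")
```

The two 128.10.5.1 results differ: the host-only list permits a foreign agent at 128.10.5.1 to register, which contradicts the intent stated for the example, while the list with the 0.0.255.255 wildcard denies it. Checking access lists this way before they gate registration is cheap insurance, because a care-of-access list that is too loose silently admits foreign agents you meant to exclude.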


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
