VPN Integration

In metro mobility, Mobile Nodess usually have an added requirement of maintaining a secure tunnel into their private/corporate network as they roam. Although the techniques for traversing secured and NATed networks allow Mobile IP to be deployed in public networks, they do nothing to secure the communications of the Mobile Nodes. In fact, Mobile IP provides no security for the traffic of Mobile Nodess. While it might have been acceptable to send certain traffic in the clear to the Mobile Nodes while it was at home, it might not be acceptable to tunnel that traffic in the clear to the Mobile Nodes while it is in a Foreign Network.

Throughout the course of this book, Mobile IP has been treated as a routing protocol, and this is a clear example that helps identify Mobile IP as a routing protocol and not an application protocol. Consistent with that, Mobile IP integrates well with existing data-plane security protocols like IP Security (IPSec). Mobile IP provides a significantly improved user experience for Mobile IPSec users because the sessions need not be reestablished when the access link changes. This eliminates the need for the long setup times associated with most IPSec implementations.

Almost all Mobile IP clients support some level of integration with IPSec clients; some even come integrated. However, you must ensure that the two clients interoperate. Mobile IP and IPSec both require extensive integration with the host IP stack, and this integration can cause interference between Mobile IP and IPSec. Furthermore, some of the changes that Mobile IP clients make to the host stack can be construed as security violations, causing some VPN clients to prohibit the changes or tear down sessions. Specific client configuration is not included because it varies from client to client.

Placement of the Home Agent for mobile roaming clients is important and critical to the proper operation of the network. Figure 6-4 shows the two most common deployments. Option A is viable for clients that always connect through the public network and do not require roaming between the public and private networks. Option B shows how two Mobile IP sessions can be coupled with a single VPN session to allow roaming between public and private networks.

IPSec and Mobile IP

Although there are no specific configuration requirements to allow Mobile IP and IPSec to interoperate, you should follow certain rules. The most important rule is that neither tunnel can interrupt the other, as shown in Figure 6-5. Said another way, one tunnel must contain the other tunnel.

The first two examples show scenarios in which the tunnels interfere with one another and, thus, are unacceptable. In the first example, the traffic is first IPSec encapsulated and then Mobile IP encapsulated. When the traffic hits the remote IPSec peer first, it is an IP-in-IP packet, and the IPSec peer has no idea what to do with it because no IPSec credentials are present. Similarly, in the second example, the traffic is first Mobile IP encapsulated and then IPSec encapsulated. When the traffic hits the FA, the FA cannot retrieve the internal IP-in-IP packet to deliver it to the Mobile Nodes.

The last two examples in Figure 6-5 depict acceptable integration scenarios. In these examples, a particular protocol tunnel is contained within the other, that is, Mobile IP over IPSec or IPSec over Mobile IP, and encapsulation is always removed in the order opposite to the order in which it was added. A single device can perform both Mobile IP and IPSec functions. However, you must make sure that the device is performing the encapsulation in the expected order. You must also ensure that the MTU setting on the Mobile Nodes supports both the overhead from Mobile IP and IPSec.

Both Mobile IP over IPSec and IPSec over Mobile IP have advantages and disadvantages. Running IPSec over Mobile IP allows the user to roam without needing to reestablish the VPN after each access link change. However, this configuration allows the Mobile Nodes to roam only outside the private network. This solution works well for users who never roam into the private network. For users who need to roam into the private network, running Mobile IP over IPSec can allow sessions to be maintained within the private network. Unfortunately, with Mobile IP over IPSec, the IPSec session needs to be reestablished every time the access link changes. This can be acceptable in configurations in which the Mobile Nodes has only one single public network connection and the IP address does not change, such as with a cellular network. However, for many cases, it does not provide an ideal solution.

Mobile IP over IPSec over Mobile IP

Another viable deployment solution is Mobile IP over IPSec over Mobile IP. Before you groan too much, we present a little history.

When the Mobile IP working group in IETF first looked at solving the problem of having the Home Agent on a private network and allowing a Mobile Nodes to securely roam on public networks, some elegant proposals were presented. These proposals required new features to be implemented on VPN concentrators and firewalls. However, given that Mobile IP was an emerging technology at the time, the likelihood of mainstream adoptions of these ideas did not seem likely. Mobile IP/VPN/Mobile IP is not the most efficient solution; however, it can be deployed without making changes to existing infrastructure.

The basic premise of Mobile IP/VPN/Mobile IP is that inside a private Home Network, the Mobile Nodes can reach its Home Agent, but from outside that network, it can only reach that Home Agent through a VPN tunnel. However, to keep that VPN session alive as the Mobile Nodes roams in the network, it needs to be anchored outside the VPN concentrator. This basic topology is shown in Figure 6-6. The Mobile Nodes can detect when it has roamed out of the Home Network because it can no longer reach its Home Agent. At this point, it registers with the external Home Agent. When the registration is established, the Mobile Nodes initiates a VPN session over the Mobile IP session, allowing it to access its private network. From there, the Mobile Nodes then renews the registration with the internal Home Agent, allowing internal sessions to be maintained.