Management of the Mobile Nodes Home Address


IOS Mobile IP supports the following methods of home addressing:

  • Static addressing without Network Access Identifier (NAI)

  • Static addressing with NAI

  • Dynamic addressing with NAI

Static addressing is the original addressing style from Request for Comments (RFC) 2002. Static addresses are preconfigured on the Mobile Node and are the only unique identifier for the Mobile Node. The benefit of static addressing is simply that it provides a permanent reachable IP address, as discussed in the section "Static Home Addressing Without NAI," later in this chapter. However, as one would guess, static addresses do not lend themselves well to scalability, simply because each Mobile Node must be preconfigured with a Home Address.

However, static addresses can also be used with an NAI. You might be asking yourself, "Well, what's the benefit of using a static Home Address and an NAI?" The section "Static Home Addressing with NAI," later in this chapter, tackles this question, but here is a glimpse of the behavior. When used together, the NAI serves as the unique identifier for the Mobile Node, and the static Home Address is verified for use by that particular NAI. The Mobile Node proposes the configured Home Address as a nonzero Home Address in the Registration Request (RRQ) message, and the Home Agent verifies that the Mobile Node can indeed use the Home Address based on its NAI. The Home Agent can accept this address or return another address in the Registration Reply (RRP) message if that Home Address is not acceptable, for example, if it is currently in use by another Mobile Node.

Dynamic addressing with NAI is the most flexible and commonly used option. Dynamic addressing can be truly dynamic where the Mobile Node gets a random address upon initial registration. Dynamic addressing can also allocate the Mobile Node the same IP address all the time, which is commonly referred to as fixed addressing. This provides the benefits of static addressing, but leaves flexibility to change the address without making changes on the Mobile Node.

The flow chart in Figure 8-1 shows the order in which the different addressing options are evaluated for an RRQ with an NAI extension. The most commonly used home addressing mechanisms are the static Home Address with NAI, and dynamic addressing from Dynamic Host Configuration Protocol (DHCP) and local pool.

Figure 8-1. Home Address Processing Flow for Initial RRQ


Virtual Networks

All Home Addresses, regardless of how they are allocated, must be associated with a Home Network that is attached to a Home Agent. The Home Network is the prefix that aggregates the Mobile Nodes. In IOS, the Home Network can be associated with an interface or it can be configured in Mobile IP as a virtual network.

It is often assumed that the Home Network should be a physical network. However, in many deployment cases, it does not make sense to have each Mobile Node attached to a physical network, because the two are never physically attached. Instead, it makes sense to have the Mobile Nodes reside on a virtual network, a "technical dreamland," if you will. When using virtual networks, the Mobile Node is always considered to be roaming; it can never be attached to its Home Network. In real-world deployments, this can cause some semantic problems. For example, in cellular deployment, users might be in their home calling area but are roaming from a Mobile IP perspective.

A virtual network is similar to a loopback interface, but it is owned by the Mobile IP process. Virtual networks are configured on the Home Agent and referenced by a network number and mask pair as follows:

 ip mobile virtual-network net mask [address address] 

This Home Agent command defines the virtual network with IP address net and prefix mask mask. The optional parameter, address, specifies the IP address of a Home Agent on a virtual network and must also be configured on a loopback interface with a 32-bit mask.

After the virtual network is defined on the Home Agent, Mobile Nodes can be configured to reside on the virtual network using the following command. (The ip mobile host command has numerous options, and these options are presented in the appropriate sections throughout the chapter.)

 ip mobile host {lower [upper]} virtual-network net mask 

This Home Agent command configures one or more mobile hosts to reside in the specified virtual network on the Home Agent.

Virtual network routes are owned by the Mobile IP routing process and therefore must be redistributed into other routing protocols to be propagated. This can be accomplished with the following commands:

 router rip
  redistribute mobile

Static Home Addressing Without NAI

The original Mobile IP specification supported only static addressing of Mobile Nodes. The Home IP Address served as the user name portion for the authentication when used with an IOS authentication, authorization, and accounting (AAA) server. Static addressing in itself is beneficial because it allows each device to keep the same address all the time, no matter where it is attached to the network. This allows the user to run mobile-terminated services without updating DNS or some other form of address resolution. Mobile Nodes are also easily managed with static addressing because the Home Address and the Home Agent always remain the same.

However, as a tradeoff, provisioning and maintenance are more difficult because address allocation must be handled manually, and both the Home Agent and Mobile Node must be updated when changes occur. Configuration of Mobile Node Home Addresses on the Home Agent can be done using either an individual address or a range of addresses to represent the Mobile Nodes as follows:

 ip mobile host {lower [upper]} interface name 

This Home Agent command configures a single Mobile Node or a group of Mobile Nodes on an interface. If only one address is specified, a single Mobile Node is configured; if lower and upper are configured, all addresses between and including lower and upper are configured as Mobile Nodes. The following Home Agent command sets up the mandatory security association between the Home Agent and the Mobile Nodes. It specifies the security parameter index (SPI) value and security key.

 ip mobile secure host lower-address [upper-address] {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string 

Dynamic Home Address Assignment

As with most things, real-world experience proved static Mobile Node addressing difficult to deploy. RFC 2794 specifies that if the Mobile Node uses an NAI extension in the RRQ, it can set its Home Address field to 0.0.0.0 or 255.255.255.255. In this case, the Home Agent assigns it an address to use for the duration of its Mobile IP session. The allocated Home Address is returned in the Home Address field of the RRP.

NOTE

A Mobile IP session begins with the first RRQ and ends either with the expiration of the binding lifetime or a deregistration message. When the session ends, the dynamic Home Address is returned. For this reason, dynamic home addressing can only be used in scenarios where the Mobile Node is always roaming. Dynamic home addressing is often coupled with virtual networks to eliminate the possibility of returning home.


When the Home Agent receives an RRQ requesting a dynamic Home Address, it assigns a Home IP Address to the Mobile Node. IOS Mobile IP provides several options for address assignment by the Home Agent.

Fixed Addressing on the Command-Line Interface (CLI)

You can configure the Home Agent with a fixed Home IP Address for each NAI. The fixed address is assigned to the Mobile Node each time it starts a new session, as shown in Figure 8-2. It doesn't sound very dynamic because the same address is being assigned each time. It falls into somewhat the same category as "Have your cake and eat it too."

Figure 8-2. Fixed Addressing with NAI


Fixed addressing with an NAI provides users all the benefits of static addressing, as described in the section "Static Home Addressing Without NAI," earlier in this chapter, while simplifying the configuration of the Mobile Node. The Mobile Node need only be configured with an NAI and security association, and any administrative changes to the address are transparent to the Mobile Node.

Fixed addressing on the CLI is ideal for lab environments because it is self-contained. However, it is not ideal for large-scale deployment because the Home Agent configuration must be updated to perform all maintenance.

A fixed Home Address is specified in the Home Agent configuration using the address keyword of the ip mobile host command, as follows:

 ip mobile host nai string address addr interface name 

This Home Agent command sets up a Mobile Node with an NAI and fixed Home Address on a particular interface. This command cannot be used when a group of nodes is being referenced.

Local Pool Address Assignment

Numerous IOS components, including Dial and Network Address Translation (NAT), use local pools to specify a group of addresses available for dynamic assignment. The same concept can be used with Mobile IP. Local pool assignment requires that one or more address pools be configured on the Home Agent. The Home Agent then allocates addresses from the pool on a first come, first served basis, as shown in Figure 8-3(a).

Figure 8-3. Home Address Allocation Through Local Pool


The Mobile Node keeps the address as long as it has an active mobility binding on the Home Agent. The Mobile Node can update its binding by sending an RRQ with either the allocated address or 0.0.0.0 as its Home Address. When the binding expires or the Mobile Node deregisters, the address is immediately returned to the local pool so that it can be assigned again, as shown in Figure 8-3(b). The number of local pools that can be configured on the Home Agent is limited only by the available memory on the router. Configuration is as follows:

 ip local pool poolname low-ip-address [high-ip-address] 

This Home Agent command defines the local pool and the range of IP addresses in the pool. All addresses between and including low-ip-address and high-ip-address are part of the local pool. If the high-ip-address parameter is missing, the pool consists of a single IP address. A Mobile Node is then associated with the pool as follows:

 ip mobile host nai string address pool local name {interface name | virtual-network network-address mask} 

This Home Agent command instructs the Home Agent to accept registrations for a Mobile Node with the specified NAI. The Mobile Node is allocated a Home Address from a local pool. The Mobile Node can reside on an interface or reside on a virtual network.

NOTE

Currently, local pool allocation cannot be used with the Home Agent Redundancy feature.


DHCP-Based Address Assignment

DHCP is already widely used in allocating IP addresses for desktop computers. IOS Mobile IP leverages the existing DHCP proxy client in IOS to allow the Home Address to be allocated by a DHCP server, as shown in Figure 8-4. Essentially, the Home Agent obtains an address through DHCP on behalf of the Mobile Node.

Figure 8-4. Home Address Allocation Through DHCP


The DHCP proxy client allows the Home Agent to maintain the DHCP lease by tracking the lease time for each Mobile Node and renewing the lease while that Mobile Node still has an active binding. The NAI is sent in the Client-ID option and can provide dynamic DNS services. Proxy DHCP configuration on the Home Agent is as follows:

 ip mobile host nai string address pool dhcp-proxy-client dhcp-server addr interface name 

This Home Agent command sets up a Mobile Node with an NAI on an interface. A Home Address is allocated through DHCP.

AAA

Dynamic addressing from a AAA server allows the operator to support fixed and/or per-session dynamic addressing for Mobile Nodes without the trouble of maintaining addressing at the Mobile Node or Home Agent. The AAA server can return either a specific address, a local pool name, or a DHCP server address. If the AAA server is being used to return a specific address, the Home Address can either be configured as an attribute on the user entry in the Remote Authentication Dial-In User Service (RADIUS) database or can be allocated from a pool, depending on the capabilities of the AAA server. Not all RADIUS servers support per-session allocation, but fixed addressing should be available in all servers.

Configuration and use of a AAA server at the Home Agent is covered in detail in Chapter 5, "Campus Mobility: Client-Based Mobile IP." However, we reiterate the difference between authentication and authorization in IOS. The home addressing attributes are sent as authorization attributes. Before authorization attributes are returned, AAA authentication must be achieved for each request. This can be accomplished in three ways: MN-AAA (Mobile Node authentication, authorization, and accounting) authorization, authentication with the default password, or null-password authentication.

AAA Address Assignment

When the AAA server allocates a specific Home IP Address for the Mobile Node, it must return the IP address in a RADIUS Framed-IP-Address attribute, as shown in Figure 8-5(a). The Framed-IP-Address attribute is commonly used in other protocols, including dial-up, and should be widely supported. If the RADIUS server assigns a dynamic per-session Home IP Address, RADIUS accounting for Mobile IP must be enabled. The accounting start/stop records are required to ensure that addresses can be returned to the pool after the Mobile IP session is torn down.

Figure 8-5. Home Address Allocation Through AAA


The configuration for accounting shown here allows the Home Agent to send session start and session stop messages to the AAA server so that it knows when the address can be returned to the pool:

 aaa accounting ipmobile
 ip mobile home-agent accounting

AAA-Based Local Pool Selection

AAA servers often track service subscriptions or groups of users. Using this information, you can then assign a specific type of IP address to a Mobile Node without the need for IP address pool configuration to be synchronized between the Home Agent and AAA server. The AAA server is configured to return the name of a specific local pool from which the Mobile Node's Home Address should be allocated, as shown in Figure 8-5(b). The Home Agent then allocates the Home Address from the specified local pool.

A common example would be if users had the option of paying for a private address or a public address. The AAA server keeps track of this information and simply informs the Home Agent of the name of the local pool from which to allocate the Home Address. Each local pool can be configured as follows:

 ip local pool poolname low-ip-address [high-ip-address] 

This Home Agent command sets up the local pool and range of IP addresses in the pool, as described in the section "Local Pool Address Assignment," earlier in this chapter.

A RADIUS attribute is defined as follows:

 Cisco-AVPair = "mobileip:pool-def=poolname" 

This RADIUS attribute allows the AAA server to return a local pool name in the AV pair.

AAA-Assigned DHCP Server

The AAA server can also assign a DHCP server IP address. This is the same attribute that is configured as part of the ip mobile host dhcp-proxy-client command. When using this attribute, all Mobile Nodes that share a Home Network must use the same DHCP server so that no conflict exists in address assignment.

 Cisco-AVPair = "mobileip:dhcp-server=10.1.5.10" 

Static Home Addressing with NAI

A static Home Address that is preconfigured on the Mobile Node can also be used in conjunction with NAI to support NAI-based authorization and other services. You can also allow an NAI to use multiple static IP addresses, either on the same device or multiple devices, while maintaining only one AAA record and security association. If the Home Agent receives an RRQ with a static Home Address and NAI, it authorizes the use of that address using either local or AAA-based authorization attributes, as depicted in Figure 8-6. If a Mobile Node requests an address for which a binding is already associated with a different NAI, the Home Agent attempts to return another address from the pool, unless the reject-static-addr command is set, as follows:

 ip mobile home-agent reject-static-addr 

Figure 8-6. Static Home Address Authorization with NAI


This command configures the Home Agent to reject RRQs from Mobile Nodes if the Home Address in the request is already in use by another Mobile Node. Not all Mobile Nodes support this behavior.

Local Authorization of Static Home Addresses

A static address can be authorized on a per-Mobile Node or per-realm basis using configuration commands. Per-Mobile Node configurations require a specific NAI, in the form user or user@realm, to be defined and allow up to five addresses or a pool per NAI. The Mobile Node is authorized to use any address specified either explicitly or in the local pool. The following Home Agent command sets up a Mobile Node with an NAI on an interface:

 ip mobile host nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] interface name 

The Mobile Node is allocated one of the static addresses that is configured or is allocated an address from the local pool specified.

Per-realm configurations require a generic NAI to be configured in the form @realm and allow only the specification of a local pool. The configuration for per-realm and per-NAI local pool is the same, except for the NAI specification, as shown here:

 ip local pool poolname low-ip-address [high-ip-address] 

The preceding command defines the local pool and the range of IP addresses in the pool, as described in the section "Local Pool Address Assignment," earlier in this chapter. The Mobile Node is then associated with the pool as follows:

 ip mobile host nai string static-address local-pool name interface name 

This command associates a Mobile Node with an NAI on an interface. The Mobile Node is allocated a static address from a local pool.
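The decision flow described in the sections "Static Home Addressing with NAI" and "Local Authorization of Static Home Addresses," together with local pool allocation and the dynamic 0.0.0.0 request, as an added Python model that is not the book's or IOS code. The pool, host and NAI values are constructed; the host configuration keys (fixed, pool, static, static_pool) are a hypothetical stand-in for the ip mobile host nai options, and binding lifetimes, AAA and DHCP are left out.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DYNAMIC_HOME_ADDRS = {"0.0.0.0", "255.255.255.255"}   # RFC 2794: "assign me a Home Address"

@dataclass
class HomeAgent:
    """Home-address decision of an IOS Home Agent for an RRQ that carries an NAI (model only)."""
    pools: dict      # local pool name -> set of member addresses ('ip local pool')
    hosts: dict      # NAI or '@realm' -> {"fixed": a} | {"pool": n} | {"static": [a, ...]} | {"static_pool": n}
    reject_static_addr: bool = False                # 'ip mobile home-agent reject-static-addr'
    bindings: dict = field(default_factory=dict)    # home address -> NAI with an active binding

    def _host(self, nai):
        # An exact per-NAI entry wins; otherwise fall back to the generic @realm entry.
        return self.hosts.get(nai) or self.hosts.get("@" + nai.split("@", 1)[-1])

    def _allocate(self, nai, pool):
        # First come, first served: hand out the lowest pool address with no active binding.
        free = [a for a in self.pools.get(pool, ()) if a not in self.bindings]
        addr = min(free, key=IPv4Address, default=None)
        if addr is not None:
            self.bindings[addr] = nai
        return addr

    def register(self, nai, home_addr):
        """Process an RRQ. Returns (accepted, address for the RRP or the reject reason)."""
        cfg = self._host(nai)
        if cfg is None:
            return False, "no configuration for NAI"
        if home_addr in DYNAMIC_HOME_ADDRS:                 # dynamic home addressing
            if "fixed" in cfg:
                self.bindings[cfg["fixed"]] = nai
                return True, cfg["fixed"]
            addr = self._allocate(nai, cfg.get("pool"))
            return (True, addr) if addr else (False, "local pool exhausted")
        # Static Home Address with NAI: the proposed address must be authorized for this NAI.
        pool = cfg.get("static_pool")
        if home_addr not in cfg.get("static", []) and home_addr not in self.pools.get(pool, ()):
            return False, "address not authorized for NAI"
        owner = self.bindings.get(home_addr)
        if owner in (None, nai):                            # free, or this node refreshing its binding
            self.bindings[home_addr] = nai
            return True, home_addr
        if self.reject_static_addr or pool is None:         # in use by a different Mobile Node
            return False, "address in use by another Mobile Node"
        addr = self._allocate(nai, pool)                    # the RRP offers another pool address
        return (True, addr) if addr else (False, "local pool exhausted")

    def deregister(self, nai):
        """Session end (deregistration or lifetime expiry): release this NAI's addresses."""
        for addr in [a for a, n in self.bindings.items() if n == nai]:
            del self.bindings[addr]

if __name__ == "__main__":   # constructed sample configuration, not taken from the book
    ha = HomeAgent(pools={"static-pool": {"10.0.0.5", "10.0.0.6"}},
                   hosts={"@static.com": {"static_pool": "static-pool"}})
    print(ha.register("a@static.com", "10.0.0.5"))   # (True, '10.0.0.5')
    print(ha.register("b@static.com", "10.0.0.5"))   # (True, '10.0.0.6'): in use, another is offered
```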

AAA Authorization of Static Home Addresses

You can also store either the authorized addresses or local pool name in a AAA server. Each user must have either the static-addr-pool attribute or the static-pool-def attribute configured in the AAA server. Unlike the static address configuration on the command line, the static-addr-pool attribute is not limited in the number of addresses that can be returned.

The configuration on the Home Agent is as follows:

 ip local pool poolname low-ip-address [high-ip-address] 

The preceding Home Agent command defines the local pool and the range of IP addresses in the pool, as described in the section "Local Pool Address Assignment," earlier in this chapter. The Mobile Node is then configured to be authorized through AAA as follows:

 ip mobile host nai string interface name aaa 

This Home Agent command associates a Mobile Node with an NAI on an interface. The Mobile Node is allocated a static address through AAA, which returns the authorized addresses or the local pool name in the following RADIUS attributes:

 Cisco-AVPair = "mobileip:static-addr-pool=address(es)" 
 Cisco-AVPair = "mobileip:static-pool-def=poolname" 

These RADIUS attributes allow the AAA server to return an authorized address for the Mobile Node or a local pool name.

To make it clearer, we present Examples 8-1 and 8-2.

Example 8-1. Home Agent Configuration
 ip local pool static-pool 10.0.0.5 10.0.0.10
 ip mobile host nai user@staticuser.com interface FastEthernet0/0 aaa
 ip mobile host nai @static.com interface FastEthernet0/0 aaa

Example 8-2. Radius Attributes
 Cisco-AVPair = "mobileip:static-addr-pool=10.0.0.1 10.0.0.2 10.0.0.3"
 Cisco-AVPair = "mobileip:static-pool-def=static-pool"
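As an added example (not the book's or IOS code), a parser for the mobileip Cisco-AVPair attributes this chapter defines, plus the authorization check a Home Agent makes from them for a static Home Address proposed in an RRQ. It is fed Example 8-2's attributes; the local pool membership it checks against and the invalid records it refuses are constructed.

```python
from ipaddress import IPv4Address

# Cisco-AVPair keys this chapter defines for Mobile IP home addressing.
MOBILEIP_KEYS = {"pool-def", "dhcp-server", "static-addr-pool", "static-pool-def"}

def _avpair_value(line):
    # Accept either the bare attribute value or a 'Cisco-AVPair = "..."' line as printed in the book.
    _, _, rhs = line.partition("Cisco-AVPair")
    return (rhs.lstrip(" =") if rhs else line).strip().strip('"')

def parse_mobileip_avpairs(avpairs):
    """Parse the mobileip:* Cisco-AVPair values returned by a AAA server.

    Returns e.g. {"static-addr-pool": ["10.0.0.1", ...], "static-pool-def": "static-pool"}.
    Raises ValueError on an unknown key, an empty value or an invalid address, so that a
    malformed AAA record is refused instead of silently becoming an authorization decision.
    """
    result = {}
    for av in map(_avpair_value, avpairs):
        if not av.startswith("mobileip:") or "=" not in av:
            continue                                  # some other vendor attribute; ignore it
        key, _, value = av[len("mobileip:"):].partition("=")
        key, value = key.strip(), value.strip()       # tolerate 'key = value ' spacing
        if key not in MOBILEIP_KEYS:
            raise ValueError(f"unknown mobileip attribute: {key}")
        if key == "static-addr-pool":
            addrs = value.split()                     # space-separated authorized addresses
            if not addrs:
                raise ValueError("static-addr-pool carries no addresses")
            result[key] = [str(IPv4Address(a)) for a in addrs]   # IPv4Address rejects bad input
        elif key == "dhcp-server":
            result[key] = str(IPv4Address(value))
        elif not value:                               # pool-def / static-pool-def need a name
            raise ValueError(f"{key} carries an empty pool name")
        else:
            result[key] = value
    return result

def static_address_authorized(attrs, home_addr, local_pools):
    """Decide whether a static Home Address proposed in an RRQ is authorized by the parsed
    attributes: explicitly listed in static-addr-pool, or a member of the static-pool-def
    local pool. local_pools maps pool name -> set of member addresses ('ip local pool')."""
    if home_addr in attrs.get("static-addr-pool", []):
        return True
    pool = attrs.get("static-pool-def")
    return pool is not None and home_addr in local_pools.get(pool, ())

if __name__ == "__main__":   # Example 8-2's attributes; the pool contents are constructed
    attrs = parse_mobileip_avpairs([
        'Cisco-AVPair = "mobileip:static-addr-pool=10.0.0.1 10.0.0.2 10.0.0.3"',
        'Cisco-AVPair = "mobileip:static-pool-def=static-pool"',
    ])
    pools = {"static-pool": {"10.0.0.5", "10.0.0.6"}}
    print(static_address_authorized(attrs, "10.0.0.2", pools))   # True (listed explicitly)
    print(static_address_authorized(attrs, "10.0.0.6", pools))   # True (member of static-pool)
    print(static_address_authorized(attrs, "10.0.0.9", pools))   # False
```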


    Mobile IP Technology and Applications
    ISBN: 158705132X
    Year: 2005
    Pages: 124