6.3 Mobile IP




A bridge can be set up to allow client roaming across different IP subnets while maintaining their original IP address. This arrangement requires that a mobile IP stack be set up on both the bridge and the client devices. Each client is assigned an IP address and a home agent IP address by the network administrator. The home agent resides on the subnet for which the client’s IP address is local.

When the client roams to a foreign subnet, it contacts a foreign agent on that subnet, supplying its home agent address. The foreign agent contacts the home agent with the client’s information. The home agent relays any packets found on its local LAN destined to the client’s IP address—first to the foreign agent and from there back to the client.

From the home agent, the IP addresses of mobile clients that are currently away from their home network can be displayed. For each IP address, the foreign agent it is connected with is also displayed. From the foreign agent, the IP addresses of the mobile clients that are currently visiting the agent are displayed.

Before a node is allowed to roam, the home agent must be given information about the clients so that it can validate their identity. The configuration utility asks for a range of IP addresses; the network administrator only needs to enter the low and high IP addresses of the range. If an employee leaves the company, the network administrator need only remove the IP address of the affected client device from the table. For security, the setup packets sent between the home agent, foreign agent, and the clients can be encrypted. The configuration utility also allows the network administrator to set parameters that control the operation of the agents. These parameters include the following:

  • Lifetime. This parameter has two functions. It is the maximum amount of time the home agent will grant a mobile client to be registered on a foreign network before renewing its registration. The lifetime value is also placed in the agent advertisement packets. Mobile clients typically use this field from the advertisements to generate the lifetime value for the registration request.

  • Replay protection. This option determines the scheme used to prevent attacks based on capturing packets and playing them back at a later time. Two replay protection methods are specified for mobile IP: timestamps (mandatory) and nonces (optional). Nonces are a type of handshake that checks the validity of information between the mobile client’s agent and a bridge’s home agent before granting a registration request.

With timestamps, mobile clients use the date and time of day in the identification field of the registration request. The home agent rejects the registration request if the timestamp is not close enough to its current time. A rejection message includes the home agent’s current time, so the mobile client can synchronize its clock accordingly.

With nonces (random numbers), the identification field is subdivided into lower and higher halves. The registration request specifies to the home agent which value to place in the lower half of the registration reply. The registration reply specifies to the mobility agent which value to place in the upper half of the next registration request. Both sides check the nonces: if a non-matching registration message is received, the mobility agent ignores the message, while the home agent rejects it and sends back a reply that includes the value it expects in the next registration request. This process is summarized in Figure 6.4.

Figure 6.4: Replay protection via the nonces handshake between a mobility agent and a home agent.

  • Broadcasts. Mobile clients can be configured so that broadcasts from their home network will be forwarded to them via tunneling. Some protocols, such as NetBIOS, require broadcast packets from the home network to maintain proper operation. Unless needed, however, this option should be disabled to avoid unnecessary traffic over the wireless links.

  • Registration required. Mobile clients can be set up to allow registering to a home agent (HA) without the use of a foreign agent, via a care-of address (COA) dynamically acquired while on the foreign network. This is useful in cases where foreign agents have not yet been deployed on the foreign network, but this scheme consumes IP addresses on that network. Unless there are plenty of spare IP addresses, mobile clients should be forced to always register using a foreign agent.

  • Host redirects. This indicates whether or not the foreign agent can send an Internet Control Message Protocol (ICMP) packet to mobile clients registered through it, specifying the IP address of a router for the mobile client to use. Disabling this feature will result in the mobile client always using the foreign agent as its default gateway (router). Enabling this feature may improve performance while visiting a foreign network but may also pose connectivity problems caused by ARP broadcasts from the mobile node.

  • Control agent advertisements. Agents advertise themselves on the LAN so that mobile clients can find them and determine whether they are home or away. The network administrator can specify how frequently (in seconds) the mobility agent will send out an ICMP router advertisement multicast. These advertisements are used by the mobile clients to locate the mobility agents and to determine to which network they are currently attached. The more frequent the advertisement, the faster the mobile node will become aware that it has attached to a new network and can start the registration or deregistration process.
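The nonce handshake described under Replay protection above, as an added simulation that is not part of the book or of any bridge vendor's code: a hypothetical home agent and mobile client exchange the two halves of the identification field, and a captured request or reply played back later is rejected by the home agent or ignored by the client. Message layout, the client address and the nonce generator are constructed for illustration.

```python
import secrets

MASK32 = 0xFFFFFFFF


def nonce():
    # Random 32-bit nonce, never 0: 0 is what a client sends before it has a home-agent nonce
    return secrets.randbelow(MASK32) + 1


class HomeAgent:
    """Home agent side of the handshake (hypothetical model, not a real HA)."""
    def __init__(self):
        self.expected = {}  # mobile address -> nonce expected in the high half next time

    def handle_request(self, req):
        # Reply: low half echoes the client's nonce, high half carries a fresh nonce
        # the home agent expects next. A wrong high half is rejected, but the fresh
        # value is still returned so the client can resynchronize.
        mobile, ident = req["mobile"], req["ident"]
        ok = self.expected.get(mobile) in (None, ident >> 32)
        fresh = nonce()
        self.expected[mobile] = fresh  # any captured copy of this request is now stale
        return {"mobile": mobile, "ident": (fresh << 32) | (ident & MASK32), "accepted": ok}


class MobileClient:
    """Mobile client side: chooses the low-half nonce and checks it in replies."""
    def __init__(self, mobile):
        self.mobile, self.ha_nonce, self.my_nonce = mobile, 0, None

    def make_request(self):
        self.my_nonce = nonce()
        return {"mobile": self.mobile, "ident": (self.ha_nonce << 32) | self.my_nonce}

    def handle_reply(self, reply):
        if reply["ident"] & MASK32 != self.my_nonce:
            return False  # replayed or forged reply: silently ignored
        self.ha_nonce = reply["ident"] >> 32  # learn the value to send next time
        return reply["accepted"]


def run_scenario():
    # Two good registrations, then a captured request and a captured reply played back
    ha, mn = HomeAgent(), MobileClient("10.0.0.7")  # constructed client address
    first_req = mn.make_request()
    first_reply = ha.handle_request(first_req)
    first_ok = mn.handle_reply(first_reply)
    second_ok = mn.handle_reply(ha.handle_request(mn.make_request()))
    replayed_req_ok = ha.handle_request(first_req)["accepted"]  # home agent rejects
    replayed_reply_ok = mn.handle_reply(first_reply)  # client ignores
    return first_ok, second_ok, replayed_req_ok, replayed_reply_ok
```

Because the home agent issues a new high-half nonce on every request, a client that falls out of step is brought back into step by the rejection reply and succeeds on its next registration.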






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
Year: 2003
Pages: 184