MPLS VPN in Cellular Mobile IPv6 Architectures

Yao-Chung Chang, Han-Chieh Chao, K.M. Liu and T. G. Tsuei*
Department of Electrical Engineering, National Dong Hwa University, Hualien, Taiwan, Republic of China, 97401
Email: {changyc, hcc, m8923011}@mail.ndhu.edu.tw
*Department of Electronic Engineering, Ta Hwa Institute of Technology, Hsinchu, Taiwan, ROC

ABSTRACT: With the spread of the Internet and mobile communications, users who send messages over the Internet have become concerned with the security and encryption of data in transit. A VPN (Virtual Private Network) keeps private data secure while it crosses a public network. Following the rapid growth of the network and the exhaustion of IPv4 addresses, the Internet Engineering Task Force (IETF) has promoted the next-generation IP (IPv6) [3] to replace the current IPv4. IPv6 supports the mobility and security of mobile communication environments. Since current VPNs do not support Cellular Mobile IPv6, the goal of this paper is to construct an MPLS VPN framework in the Cellular Mobile IPv6 (CMIv6) [1] environment and to use the IPSEC architecture [2] defined by the IETF to protect the confidentiality and integrity of data transmission in future mobile communication systems.

Key words: MPLS, VPN (Virtual Private Network), IPSEC, Cellular Mobile IPv6

1. Introduction

In mobile communication environments, Mobile IP is defined to let users roam anywhere and exchange information freely; it integrates communication and network systems into the Internet. The concepts of Mobile IPv6 are similar to those of Mobile IP, and new functions of IPv6 bring new features and schemes for mobility support. Two major problems in mobile environments are packet loss and handoff; CMIv6 was proposed to solve them. The MPLS network provides high-speed IP forwarding and large scalability in the backbone network, and one of the major applications of MPLS is the secure VPN [15].
MPLS VPN offers the same level of security as a connection-oriented VPN. A VPN is a technology that supports security services for transmitting encrypted data over a public network. IPSEC provides security services at the IP layer, and is therefore called a layer-three network security protocol. It can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

This paper is structured as follows. Section 2 briefly presents the mobile environment. Section 3 presents security concerns. Section 4 describes the Cellular Mobile IPv6 security mechanism. Section 5 presents conclusions and future work.

2. Mobile Environment

2.1 Mobile IP

In the mobile communication environment, Mobile IP [4] is defined to let users roam anywhere and to integrate communication and network systems into the Internet. The IETF Mobile IP specification defines three functional entities, each of which must implement its part of the mobility protocol:

Mobile Node (MN): a node that keeps a permanent IP home address while changing its point of attachment to the Internet from one link to another.

Home Agent (HA): a router with an interface on the mobile node's home link.
1) As the mobile node moves from one link to another, it keeps the Home Agent informed of its current location by registering its care-of address.
2) The Home Agent advertises the network prefix of the mobile node's home address, so packets destined to the mobile node's home address are routed to the home link.
3) The Home Agent intercepts packets destined to the mobile node's home address and tunnels them to the mobile node's current location (the care-of address).

Foreign Agent (FA): a router on the mobile node's foreign link.
1) The Foreign Agent helps the mobile node inform its home agent of the current care-of address.
2) The Foreign Agent provides a care-of address and decapsulates the packets that the home agent has tunneled to the mobile node.
3) When the mobile node attaches to the foreign link, the Foreign Agent serves as its default router.
2.2 Mobile IPv6

Mobile IP was originally based on, and compatible with, IPv4. The concepts of Mobile IPv6 are similar to those of Mobile IP, and new functions of IPv6 bring new features and schemes for mobility support.

Plug and Play: When a mobile node enters a subnet, it obtains an IPv6 address through the IPv6 address autoconfiguration mechanism [5]. In Mobile IPv6, the MN acquires a care-of address in a foreign network by the same mechanism.

Multiple Care-of Addresses and Soft Handoff: To overcome packet loss, the MN is able to obtain multiple care-of addresses in the wireless communication environment. Thus the MN can connect to one or more base stations (BS) simultaneously. This scenario is described as a smooth handoff or a soft handoff when the MN moves between the cells of base stations.

No Foreign Agent: In Mobile IP, an MN registers an address with an FA to build an IP tunnel so that the FA can forward packets to the MN. In Mobile IPv6, the MN obtains a new IPv6 address when it enters another subnetwork, so the FA no longer needs to exist. In other words, the FA is replaced by the IPv6 network and the MN itself.

Destination Option Header: IPv6 defines several kinds of extension headers that carry extra information in the header of IPv6 packets [7]. The Destination Option Header is one of those extension headers and is used by Mobile IPv6 to inform other nodes of the MN's care-of address [12].

Security Support: The IP Authentication Header is mandatory for IPv6 nodes. It provides a mechanism that supports wide-scale use of route-optimization techniques, and it can protect the routing header, the destination option header and tunneling in mobile situations.

2.3 Cellular Mobile IPv6

Mobile IPv6 does not solve the interruption problem of handoff in cellular networks. Seamless handoff is obtained by reducing the delay and the packet loss of handoff, and the Cellular Mobile IPv6 (CMIv6) algorithm provides a way to reduce that packet loss.

There are two main mechanisms in CMIv6: the Foreign Home Agent (FHA), also called Forward Agent (FA), and Cellular Multicasting (CM). The FHA is placed in the foreign network. The principal difference between Mobile IPv4 and CMIv6 is that the FHA is not a host or server; it is a router (or switch) with enhanced IPv6 protocols, and it transfers and forwards packets like a layer-three IPv6 router or switch. A counter in the MN records the handoff frequency; if the MN finds that the counter exceeds the maximum update rate, it sends an IGMP report message to notify the FHA. Packets sent by the CN are delivered to the MN through the FHA and forwarded by the FHA, according to the IGMP report message, by tunneled multicasting. The FHA and CM components of CMIv6 are proposed to reduce packet forwarding time and packet loss. Figure 1 shows the framework of Cellular Mobile IPv6 constructed with the FHA.

Figure 1. The framework of Cellular Mobile IPv6 constructed with FHA.

The CMIv6 mechanism is described as follows:
1) An MN enters the cellular network and determines its current location using IPv6 Router Discovery.
2) The MN obtains a care-of address by stateless autoconfiguration on the foreign link: care-of address = network prefix + interface identifier derived from the MAC address.
3) A smart router with FHA function records the link status of the MN in its cache table.
4) The MN notifies its care-of address to the Home Agent and the Correspondent Node with binding update messages (Figure 2).

Figure 2. MN transmits binding update messages to HA and CN.

5) The CN transmits packets to the MN at its care-of address (Figure 3).

Figure 3. CN transmits packets to MN at its care-of address.

6) The MN obtains another care-of address when it moves into the overlapping cell area between two base stations.
7) The MN notifies the HA and CN with binding update messages, and the HA and CN return binding acknowledgement messages to the MN. The FHA records the change of the MN's location. Until the CN has received the binding update messages from the MN, packets transmitted by the CN to the MN are still forwarded to the previous location of the MN.
The FHA matches the packet's MAC address in its cache table and transmits the packet to the MN on the new foreign link (Figure 4).

Figure 4. FHA compares the MAC address of packets and sends packets to the new destination of MN.

3. Security

3.1 MPLS VPN

The MPLS network provides high-speed IP forwarding and large scalability in the backbone network. One of the major applications of MPLS is the secure VPN (Figure 5). MPLS VPN offers the same level of security as a connection-oriented VPN [15]: VPN traffic is kept separate in MPLS networks. That separation is enforced by the labels and forwarding tables of the provider core rather than by cryptography, so it does not by itself keep traffic confidential from anyone with access to that core, which is why this paper adds IPSEC on top of it. Besides, MPLS supports quality of service and traffic engineering services.

The main concepts of a VPN are tunneling and the security association. Tunneling is the process of placing an entire packet inside another packet and sending it over the network. A Security Association (SA) is a simplex "connection" that affords security services to the traffic it carries.

Figure 5. Architecture of MPLS VPN.

The basic functions of a VPN [8,9,10] include tunneling, encryption and decryption, authentication, and key management. In this paper we use the IPSEC protocol (built into IPv6) to provide security services in the Mobile IPv6 environment.

3.2 IPSEC

IPSEC provides security services at the IP layer, and is therefore called a layer-three network security protocol. IPSEC can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The IPSEC protocol suite has three main parts [2]:
1) The Authentication Header (AH) provides connectionless integrity, data origin authentication, and an optional anti-replay service.
2) The Encapsulating Security Payload (ESP) provides confidentiality (encryption) and limited traffic-flow confidentiality. It may also provide connectionless integrity, data origin authentication, and an anti-replay service.
3) The Internet Security Association and Key Management Protocol (ISAKMP) [13] provides automated establishment of Security Associations and manages the authenticated exchange of keys.
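As an added worked example (not part of the original paper), the following Python model shows what the AH and ESP services listed above mean in practice: an HMAC-MD5-96 integrity check value as in [14], the RFC 2401 sliding-window anti-replay check, and the difference in what each header authenticates in transport mode (AH covers the immutable IPv6 header fields, ESP does not). The packet layout is simplified to the IPv6 base header, the AH or ESP header and a fake TCP payload, ESP encryption is omitted, the key and addresses are constructed, and the names SecurityAssociation, ah_protect, ah_verify, esp_protect, esp_verify and demo are chosen here rather than taken from the paper or from any IPsec implementation.

```python
"""IPv6 AH/ESP integrity with HMAC-MD5-96 and RFC 2401 anti-replay (toy model).

Added example, not from the paper or any IPsec stack. Transport mode only; ESP
encryption is omitted so that the scope of each integrity check stands out.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 12                       # HMAC-MD5-96: 16-byte HMAC-MD5 truncated to 96 bits (RFC 2403)
IPV6_HDR = struct.Struct("!IHBB16s16s")   # ver/TC/flow, payload len, next hdr, hop limit, src, dst
AH_HDR = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence number
ESP_HDR = struct.Struct("!II")     # SPI, sequence number
PROTO_AH, PROTO_ESP = 51, 50


@dataclass
class SecurityAssociation:
    """Simplex SA: one direction, one SPI and key, and its own sequence/replay state."""
    spi: int
    key: bytes
    window: int = 64               # RFC 2401 Appendix C: at least 32, 64 recommended
    seq_out: int = 0               # sender side
    last_seq: int = 0              # receiver side: right edge of the window
    bitmap: int = 0                # bit i set => sequence number (last_seq - i) already accepted

    def icv(self, data):
        return hmac.new(self.key, data, hashlib.md5).digest()[:ICV_LEN]

    def next_seq(self):
        self.seq_out += 1
        return self.seq_out

    def accept_seq(self, seq):
        """Sliding-window anti-replay check; call only after the ICV has verified."""
        if seq == 0:
            return False
        if seq > self.last_seq:                          # new high-water mark: slide the window
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
            return True
        back = self.last_seq - seq
        if back >= self.window or self.bitmap & (1 << back):
            return False                                 # left of the window, or a replay
        self.bitmap |= 1 << back
        return True


def ipv6_header(src, dst, payload_len, next_header, hop_limit, for_icv=False):
    # Hop Limit (like Traffic Class and Flow Label, kept 0 here) changes in transit, so
    # RFC 2402 zeroes it for the AH ICV; addresses and payload length are covered as-is.
    return IPV6_HDR.pack(6 << 28, payload_len, next_header, 0 if for_icv else hop_limit, src, dst)


def ah_protect(sa, src, dst, upper_proto, payload, hop_limit=64):
    """Transport-mode AH: ICV over immutable IP header fields + AH header + payload."""
    ah_len = AH_HDR.size + ICV_LEN
    ah = AH_HDR.pack(upper_proto, ah_len // 4 - 2, 0, sa.spi, sa.next_seq())
    plen = ah_len + len(payload)
    icv = sa.icv(ipv6_header(src, dst, plen, PROTO_AH, hop_limit, True) + ah + bytes(ICV_LEN) + payload)
    return ipv6_header(src, dst, plen, PROTO_AH, hop_limit) + ah + icv + payload


def ah_verify(sa, packet):
    _, plen, nh, hop, src, dst = IPV6_HDR.unpack(packet[:IPV6_HDR.size])
    ah = packet[IPV6_HDR.size:IPV6_HDR.size + AH_HDR.size]
    _, _, _, spi, seq = AH_HDR.unpack(ah)
    icv_at = IPV6_HDR.size + AH_HDR.size
    icv, payload = packet[icv_at:icv_at + ICV_LEN], packet[icv_at + ICV_LEN:]
    expected = sa.icv(ipv6_header(src, dst, plen, PROTO_AH, hop, True) + ah + bytes(ICV_LEN) + payload)
    return nh == PROTO_AH and spi == sa.spi and hmac.compare_digest(icv, expected) and sa.accept_seq(seq)


def esp_protect(sa, src, dst, upper_proto, payload, hop_limit=64):
    """Transport-mode ESP (no encryption here): ICV over ESP header + payload + trailer only,
    so the IP header is outside the integrity check."""
    body = ESP_HDR.pack(sa.spi, sa.next_seq()) + payload + bytes([0, upper_proto])  # pad len, next hdr
    return ipv6_header(src, dst, len(body) + ICV_LEN, PROTO_ESP, hop_limit) + body + sa.icv(body)


def esp_verify(sa, packet):
    body, icv = packet[IPV6_HDR.size:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = ESP_HDR.unpack(body[:ESP_HDR.size])
    return spi == sa.spi and hmac.compare_digest(icv, sa.icv(body)) and sa.accept_seq(seq)


def demo():
    """Constructed scenario: one CN -> MN direction, one shared HMAC key per SA."""
    key = b"constructed-demo-key"
    src, dst, other = (bytes.fromhex("20010db8" + "0" * 23 + x) for x in "129")
    payload = b"\x00\x50\x1f\x90binding update"          # fake TCP header + data
    r = {}
    tx, rx = SecurityAssociation(0x1001, key), SecurityAssociation(0x1001, key)
    p = ah_protect(tx, src, dst, 6, payload)
    r["ah_ok"] = ah_verify(rx, p)
    r["ah_replay"] = ah_verify(rx, p)                    # same sequence number delivered twice
    p = ah_protect(tx, src, dst, 6, payload)
    r["ah_hop_limit_changed"] = ah_verify(rx, p[:7] + bytes([p[7] - 1]) + p[8:])   # a router hop
    p = ah_protect(tx, src, dst, 6, payload)
    r["ah_dst_changed"] = ah_verify(rx, p[:24] + other + p[40:])                 # header tampered
    p = ah_protect(tx, src, dst, 6, payload)
    r["ah_payload_changed"] = ah_verify(rx, p[:-1] + bytes([p[-1] ^ 1]))
    tx, rx = SecurityAssociation(0x2002, key), SecurityAssociation(0x2002, key)
    p = esp_protect(tx, src, dst, 6, payload)
    r["esp_ok"] = esp_verify(rx, p)
    p = esp_protect(tx, src, dst, 6, payload)
    r["esp_dst_changed"] = esp_verify(rx, p[:24] + other + p[40:])               # passes: not covered
    p = esp_protect(tx, src, dst, 6, payload)
    r["esp_payload_changed"] = esp_verify(rx, p[:48] + bytes([p[48] ^ 1]) + p[49:])
    win = SecurityAssociation(0x3003, key)
    r["window"] = [win.accept_seq(s) for s in (70, 1, 10, 10, 71)]              # old, dup rejected
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The receiver verifies the ICV before touching the replay window, as RFC 2401 requires, so a forged packet cannot advance the window; the `esp_dst_changed` case is the one to note, since an ESP transport-mode packet whose destination address has been rewritten still verifies.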
The integrity algorithm of AH is an HMAC (Hashed Message Authentication Code). For example, HMAC-MD5-96 [14], an HMAC built on MD5 (Message Digest 5) and truncated to 96 bits, lets the receiver verify the origin and integrity of each packet. (Current IPSEC algorithm requirements, RFC 8221, no longer permit HMAC-MD5-96; SHA-2 based HMACs are used instead.) The difference between AH and ESP is that ESP also provides confidentiality for the payload. The format of the ESP header is shown in Figure 6.

Figure 6. Header of ESP.

There are two modes: transport mode and tunnel mode. In transport mode, the security header is inserted after the IP header and before the transport-layer header. AH then covers the TCP header and payload together with the immutable fields of the IP header (mutable fields such as the hop limit are zeroed before the ICV is computed); ESP covers the TCP header and payload but not the IP header (Figure 7). To save bandwidth, the IP header is not encrypted, and with ESP it is not authenticated either, so it can be monitored or altered in transit. In tunnel mode, AH or ESP covers the entire original packet, which is encapsulated in a new outer IP header (Figure 8); the original IP header and payload are both authenticated. Tunnel mode is usually used between two security gateways (such as firewalls) to provide a secure connection.

ISAKMP [13] is the framework used by IKE (Internet Key Exchange), the key management protocol of IPSEC. The exchange of cryptographic keys proceeds in two phases.

Phase I: Two ISAKMP peers authenticate each other and establish a secure channel, the ISAKMP Security Association (SA). (An IPSEC SA, by contrast, is a single unidirectional flow of data between two IPSEC nodes.)

Phase II:
This phase is responsible for establishing the IPSEC SAs (the tunnels) between the IPSEC endpoints.

Figure 7. Transport mode and tunnel mode of AH.

Figure 8. Transport mode and tunnel mode of ESP.

Phase 1 needs considerable CPU resources to authenticate the peers and provide integrity protection. In Phase 2 there is no need to repeat the full authentication done in Phase 1; under the secure channel built in Phase 1, Phase 2 sets up the SAs for AH and ESP.

4. Cellular Mobile IPv6 Security Mechanism

We use VPN technology in the CMIv6 mechanism to provide secure transmission. The assumptions of this paper are:
1) Several base stations are connected to an FHA. The MN, CN, HA and FHA are all equipment with VPN functions, and the connections between them are authorized.
2) The creation of VPN tunnels, encryption and decryption, and key management follow the IPSEC standards [2,11,12,13].
3) In the Cellular Mobile IPv6 environment, the binding update and binding acknowledgement messages exchanged between the MN and the CN and HA are assumed to be authentic.

The secure CMIv6 mechanism is described below:
1) When the CN wants to transmit data to the MN, it obtains the MN's address and related security information from the HA (Figure 9).

Figure 9. Using the VPN tunnel, CN gets information of MN from HA.

2) VPN tunnels are established between the CN and the FHA, and between the FHA and the MN, to exchange secured traffic (Figure 10).

Figure 10. VPN tunnels are constructed between CN and FHA, and between FHA and MN.

3) When the MN roams from subnet A to subnet B, it establishes a new VPN tunnel to the FHA. The FHA forwards the packets transmitted from the CN to the MN in the new subnet B by matching the MAC address of the packets (Figure 11).

Figure 11. CN uses the VPN tunnels to transmit packets to MN.

4) When the MN suddenly roams from subnet B to subnet C, there is no VPN tunnel between the MN and FHA2. The MN transmits binding update messages to the CN and HA. The CN has not yet established a VPN tunnel to the new FHA2, so it still transmits packets to the old FHA1 (Figure 12).

Figure 12. CN transmits packets to old FHA1 when MN roams into the new subnet.

5) According to the messages from the MN, FHA2 establishes a new VPN tunnel to FHA1, and FHA1 forwards the packets from the CN to FHA2 (Figure 13).

Figure 13. New VPN tunnel is established between FHA1 and FHA2.

6) The CN establishes a new VPN tunnel to FHA2, transmits packets to the MN, and tears down the VPN tunnel between FHA1 and FHA2 (Figure 14).

Figure 14. New VPN tunnel is established between CN and FHA2.

Encrypting and decrypting data consumes considerable resources (CPU, memory, battery). In the secured CMIv6 mechanism the VPN function can be made optional to save the MN's power: once the CN wants to transmit packets with encryption, the VPN function of the MN is switched on to enable the security of the CMIv6 mechanism. The signal that switches the VPN function on must itself be authenticated; otherwise an attacker on the path could suppress it and keep the MN's traffic unprotected.

5. Conclusions and Future Work

Mobile IP gives a mobile node the mobility to roam between different base stations, and the mobile environment evolves into Mobile IPv6 with the benefits of IPv6. The CMIv6 mechanism is proposed to solve the packet loss and handoff problems of Mobile IPv6. VPN and IPSEC can provide encryption, integrity and authentication for the CMIv6 mechanism in the mobile Internet. Secure data transmission over the Internet is significant and essential now, especially in the mobile computing environment. This paper uses VPN technology and the IPSEC protocol to provide a security mechanism for CMIv6. Furthermore, this mechanism can be an optional function of the mobile node, saving the power otherwise spent computing security information. In the future, combining the benefits of an MPLS core network and the secure functions of a VPN in the Mobile IPv6 environment is feasible and practicable. The key issue is that the Mobile Node performs the function of a label switch router and establishes label switched paths to the Home Agent.

Acknowledgements

This work is partially supported by the National Science Council of Taiwan, R.O.C., under grant number NSC 90-2219-E-259-002-.

References

[1] H. C. Chao, Y. M. Chu and M. T. Lin, "The Implementation of the Next-Generation Wireless Network Design: Cellular Mobile IPv6," IEEE Transactions on Consumer Electronics, vol. 46, no. 3, August 2000.
[2] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol," IETF, RFC 2401, November 1998.
[3] S. Deering and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification," IETF, RFC 2460, December 1998.
[4] C. Perkins, "IP Mobility Support," IETF, RFC 2002, October 1996.
[5] S. Thomson and T. Narten, "IPv6 Stateless Address Autoconfiguration," IETF, RFC 2462, December 1998.
[6] James D. Solomon, Mobile IP: The Internet Unplugged, Prentice Hall PTR, 1998.
[7] Han-Chieh Chao and Y. M. Chu, "Seamless Support for Mobile Internet Protocol Based Cellular Environments," to appear in the International Journal of Wireless Information Networks.
[8] W. Fumy and H. P. Rieb, "Network Security Management," Advanced Communications and Applications for High Speed Networks, pp. 139-146, 1992.
[9] D. Snow and W. Chang, "Network Security," Telesystems Conference NTC-92, pp. 15/13-15/16, 1992.
[10] B. C. Soh and S. Young, "Network System and World Wide Web Security," Computer Communications, vol. 20, pp. 1431-1436, 1998.
[11] S. Kent and R. Atkinson, "IP Authentication Header," IETF, RFC 2402, November 1998.
[12] S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)," IETF, RFC 2406, November 1998.
[13] D. Maughan, M. Schertler, M. Schneider and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)," IETF, RFC 2408, November 1998.
[14] C. Madson and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH," IETF, RFC 2403, November 1998.
[15] K. Muthukrishnan, C. Kathirvelu, T. Walsh, "A Core MPLS IP VPN Architecture," IETF, RFC 2917, September 2000.
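As an added worked example (not the paper's own code), the following Python model walks through the CMIv6 handoff of Section 2.3 and the secured procedure of Section 4 together: the FHA keeps a cache keyed by the MN's MAC address, VPN tunnels are recorded as pairs of endpoints, and a CN packet counts as delivered only when every hop crosses an established tunnel. Subnets A and B are served by FHA1 and subnet C by FHA2; the topology, the care-of address derivation (a simplified prefix + MAC form, not the real EUI-64 rule), the choice to drop packets while a tunnel is missing (the paper does not say what happens to them), and the names Network, care_of_address and run_scenario are all modelling assumptions introduced here.

```python
"""Toy model of the secured CMIv6 handoff (Sections 2.3 and 4).

Added example, not from the paper. Tunnels are recorded as unordered endpoint pairs;
the IPSEC processing inside each tunnel is abstracted away.
"""
from dataclasses import dataclass, field

MN_MAC = "00:11:22:33:44:55"    # constructed: the one mobile node in the scenario


def care_of_address(prefix, mac):
    """Stateless autoconfiguration (Section 2.3, step 2): prefix + MAC-derived interface ID.
    Simplified: the real EUI-64 rule inserts ff:fe and flips the U/L bit."""
    iid = mac.replace(":", "")
    return f"{prefix}:{iid[:4]}:{iid[4:8]}:{iid[8:]}"


@dataclass
class Network:
    # Constructed topology: subnets A and B hang off FHA1, subnet C off FHA2.
    fha_of: dict = field(default_factory=lambda: {"A": "FHA1", "B": "FHA1", "C": "FHA2"})
    prefix: dict = field(default_factory=lambda: {s: f"2001:db8:{s.lower()}" for s in "ABC"})
    tunnels: set = field(default_factory=set)       # frozenset({x, y}) = IPSEC VPN tunnel x<->y
    fha_cache: dict = field(default_factory=dict)   # FHA -> {MN MAC: (subnet, care-of address)}
    ha_binding: dict = field(default_factory=dict)  # HA's binding cache: MAC -> care-of address
    cn_binding: dict = field(default_factory=dict)  # CN's binding cache (updates assumed authentic)
    cn_tunnel_fha: str = None                       # FHA the CN currently tunnels to (steps 2, 6)

    def tunnel(self, a, b):
        self.tunnels.add(frozenset((a, b)))

    def teardown(self, a, b):
        self.tunnels.discard(frozenset((a, b)))

    def protected(self, a, b):
        return frozenset((a, b)) in self.tunnels

    def mn_enter(self, subnet, mac=MN_MAC):
        """Section 2.3 steps 2-4 and 6-7: autoconfigure a care-of address, let the FHAs record
        the MN's new location, and send binding updates to the HA and CN."""
        coa = care_of_address(self.prefix[subnet], mac)
        for fha in set(self.fha_of.values()):
            cache = self.fha_cache.setdefault(fha, {})
            if fha == self.fha_of[subnet] or mac in cache:   # serving FHA, or one that knew the MN
                cache[mac] = (subnet, coa)
        self.ha_binding[mac] = coa
        self.cn_binding[mac] = coa
        return coa

    def cn_send(self, mac=MN_MAC):
        """Forward one CN packet hop by hop; every hop must cross a VPN tunnel."""
        path, fha = ["CN"], self.cn_tunnel_fha
        if fha is None or not self.protected("CN", fha):
            return "dropped: no tunnel CN-FHA", path
        path.append(fha)
        entry = self.fha_cache.get(fha, {}).get(mac)
        if entry is None:
            return "dropped: MN unknown to FHA", path
        subnet, coa = entry                              # FHA matches the MN's MAC in its cache
        serving = self.fha_of[subnet]
        if serving != fha:                               # MN moved under another FHA (step 5)
            if not self.protected(fha, serving):
                return f"dropped: no tunnel {fha}-{serving}", path
            path.append(serving)
            fha = serving
        if not self.protected(fha, coa):                 # tunnel endpoint is the care-of address
            return f"dropped: no tunnel {fha}-MN", path
        path.append(f"MN@{subnet}")
        return "delivered", path


def run_scenario():
    """Section 4 steps 1-6 for a roam A -> B -> C; returns (stage, status, path) tuples."""
    net, out = Network(), []
    coa_a = net.mn_enter("A")
    net.cn_tunnel_fha = "FHA1"                       # step 1: CN learns MN's location from the HA
    net.tunnel("CN", "FHA1")                         # step 2: CN-FHA and FHA-MN tunnels
    net.tunnel("FHA1", coa_a)
    out.append(("steps 1-2: MN in A", *net.cn_send()))
    coa_b = net.mn_enter("B")                        # step 3: roam A -> B, same FHA1
    out.append(("step 3: roamed to B, old MN tunnel", *net.cn_send()))
    net.tunnel("FHA1", coa_b)                        # MN sets up a new tunnel from its new address
    out.append(("step 3: roamed to B, new MN tunnel", *net.cn_send()))
    coa_c = net.mn_enter("C")                        # step 4: roam B -> C, FHA2, no tunnels yet
    out.append(("step 4: roamed to C, CN still at FHA1", *net.cn_send()))
    net.tunnel("FHA2", "FHA1")                       # step 5: FHA2 tunnels to FHA1, FHA1 forwards
    net.tunnel("FHA2", coa_c)
    out.append(("step 5: forwarded via FHA1-FHA2", *net.cn_send()))
    net.tunnel("CN", "FHA2")                         # step 6: CN tunnels to FHA2, FHA1-FHA2 torn down
    net.cn_tunnel_fha = "FHA2"
    net.teardown("FHA1", "FHA2")
    out.append(("step 6: CN direct to FHA2", *net.cn_send()))
    return out


if __name__ == "__main__":
    for stage, status, path in run_scenario():
        print(f"{stage:42} {status:30} {' -> '.join(path)}")
```

The two "dropped" stages are the windows the paper's procedure has to close: after a roam the CN's packets reach the old FHA before any tunnel to the MN's new attachment exists, and only the FHA1-FHA2 tunnel of step 5 and the re-established MN tunnel bridge that gap until the CN switches to FHA2 in step 6.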