Review: An End-to-End Approach to Host Mobility

From: Fareha Shafique <fareha_at_eecg.toronto.edu>
Date: Thu, 19 Oct 2006 10:26:48 -0400

This paper presents an end-to-end architecture for Internet host mobility
that makes no changes to the underlying IP communication substrate, but
modifies the TCP stack quite a bit through the addition of a 'migrate
option' and may also require application modifications. Unlike previous
approaches such as MobileIP, which use a third party to broker packet
routing, the proposed approach uses secure updates to the DNS upon
address change to allow Internet hosts to locate a mobile host. The
update also includes a set of connection migration options to securely
and efficiently negotiate a change to the IP address of a peer without
breaking the end-to-end connection.

Their system consists of 3 components:
1. Addressing: IP addresses are obtained by any suitable address
allocation mechanism like DHCP. Hence, they do not seem to have modified
this in any way.
2. Mobile host location: If the host now changes location, so that its
IP address changes, this should not affect communication on the
connection (done by the 3rd component). Since the approach uses DNS to
provide indirection between a host's current location and an invariant
end-point identifier, when the IP address changes, a host must detect
this and update the hostname-to-address mapping in DNS. This is done
through a user-level daemon and the secure DNS update protocol.
3. TCP Connection migration: They have added a migrate TCP option,
included in SYN segments. This option contains a token which replaces
the original 4-tuple (source ip address, source port, dest ip address,
dest port), with the triple (source ip address, source port, token). It
informs the fixed host that the SYN is part of a previous connection for
which the address has changed so that it may re-synchronize with the
mobile host. The token is negotiated through a migrate-permitted option
in the initial SYN segment.

The authors have a secure version of the Migrate option (in the initial
SYN) in which the token is secured by a shared secret key negotiated
through an Elliptic Curve Diffie-Hellman key exchange.

The authors very briefly touch upon security issues, trying to prove
their changes do not make TCP any less secure than before. They just
gloss over the issues without providing anything interesting. The
experiments are very few. I think it would have been more interesting if
they conducted some experiments comparing the efficiency of MobileIP to
their end-to-end approach. They could have also shown how their TCP
modifications affect other TCP mechanisms such as flow control and
congestion avoidance. The idea presented in the paper is interesting.
Received on Thu Oct 19 2006 - 10:27:10 EDT
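
Added example (not part of the review above and not the paper's code): a sketch of how a fixed host could check a migrate SYN before rebinding a connection to a new address, looking the connection up by token instead of the old 4-tuple. The token derivation, the MAC layout, the request counter and all names are assumptions made for illustration, and the shared key is taken as already negotiated.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Conn:
    key: bytes         # shared secret; assumed to come from the ECDH exchange
    peer: tuple        # current (ip, port) of the mobile host
    last_req: int = 0  # highest migrate request number accepted so far

def make_token(key, isn_mobile, isn_fixed):
    # Assumed derivation: keyed hash over both initial sequence numbers.
    isns = isn_mobile.to_bytes(4, "big") + isn_fixed.to_bytes(4, "big")
    return hmac.new(key, b"token" + isns, hashlib.sha256).digest()[:8]

def sign_migrate(key, token, req_no):
    # Mobile host side: MAC carried alongside the token in the migrate SYN.
    msg = b"migrate" + token + req_no.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class FixedHost:
    def __init__(self):
        self.by_token = {}  # lookup by token, not by the old 4-tuple

    def accept(self, key, peer, isn_mobile, isn_fixed):
        token = make_token(key, isn_mobile, isn_fixed)
        self.by_token[token] = Conn(key, peer)
        return token

    def on_migrate_syn(self, src, token, req_no, mac):
        # Rebind the connection to src only if the SYN is authentic and fresh.
        conn = self.by_token.get(token)
        if conn is None:
            return False  # unknown token
        if not hmac.compare_digest(sign_migrate(conn.key, token, req_no), mac):
            return False  # sender does not hold the shared key
        if req_no <= conn.last_req:
            return False  # replayed or stale request
        conn.peer, conn.last_req = src, req_no
        return True

def demo():
    key = b"\x11" * 32  # constructed stand-in for the negotiated secret
    host = FixedHost()
    token = host.accept(key, ("192.0.2.10", 40000), 1000, 2000)
    mac = sign_migrate(key, token, 1)
    moved = host.on_migrate_syn(("203.0.113.7", 40000), token, 1, mac)
    replay = host.on_migrate_syn(("198.51.100.9", 5555), token, 1, mac)
    forged = host.on_migrate_syn(("198.51.100.9", 5555), token, 2, bytes(32))
    return [moved, replay, forged, host.by_token[token].peer]
```

In this sketch the MAC does not cover the new source address, so the request counter is the only thing that stops a captured migrate SYN from being replayed from elsewhere.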

This archive was generated by hypermail 2.2.0 : Thu Oct 19 2006 - 10:57:25 EDT