    Mobile IP Overview

    Mobile IP is a tunneling-based solution that extends the role of E Series routers at the network edge, between fixed-wire and wireless network domains. It enables a router on a user's home subnet to intercept IP packets addressed to that user and forward them to the user after the user has roamed beyond traditional network boundaries. Mobile IP is useful in environments where mobility is required and the traditional land-line dial-in model is inadequate, and in environments where a wireless access technology is in use.

    Note: Currently, JunosE Software does not support configuration of the Mobile IP foreign agent.

    Traditionally, IP addresses are associated with a fixed network location. To achieve mobility, the mobile node assumes a secondary IP address that matches the new network and redirects the traffic bound to the primary or home address to the mobile node's new network. In the Mobile IP architecture, the two agents that accomplish this task are the home agent and the foreign agent.

    When a mobile node roams into a new network, it negotiates with the foreign agent to obtain a secondary IP address, referred to as the care-of address. The mobile node registers this care-of address with the Mobile IP home agent. The home agent then establishes a tunnel to the care-of address if one does not already exist.

    Note: Only one tunnel is needed between the Mobile IP home agent and a given care-of address, however many mobile nodes share that care-of address. Traffic for the individual mobile nodes is demultiplexed by inspecting the IP addresses of the tunneled packets.

    Packets sent to the mobile node's home address are redirected by the Mobile IP home agent through the tunnel to the care-of address at the foreign agent. The foreign agent decapsulates the packets and delivers them to the mobile node. If the mobile node's home address is a private address, or if the foreign network implements ingress filtering, a reverse tunnel from the care-of address back to the home agent is required, because packets sourced from the home address would otherwise be discarded as topologically incorrect on the foreign network.

    You can use the Mobile IP home agent feature to configure the home agent within a virtual router. The Mobile IP home agent handles the following tasks:

    Mobile IP Agent Discovery

    Mobile nodes use the agent discovery process to determine whether they are on their home network or have roamed into a different network (referred to as a foreign network). Both the foreign agent and the home agent periodically multicast agent advertisements. A mobile node can also solicit an agent advertisement by sending an Internet Control Message Protocol (ICMP) router solicitation.

    Mobile IP Registration

    The Mobile IP home agent receives registration requests on UDP port 434. The home agent address field of the registration request carries the router's IP router ID. The home agent supports both static and dynamic home address allocation.

    Home Address Assignment

    The mobile node's home address can be either preconfigured or dynamically allocated by the Mobile IP home agent. If the registration request carries a nonzero, preconfigured home address, the home agent processes the request using that address. To request dynamic allocation, the mobile node submits a home address of zero (0.0.0.0) and asks the home agent to assign one. The mobile node then uses the address the home agent assigned in its subsequent registration requests, until the mobile node is rebooted or the registration expires.

    Home address allocation is done by one of the existing AAA back-end address mechanisms, such as:

    • By RADIUS
    • From an address pool returned by RADIUS
    • From a local pool
    • By the DHCP server

    Authentication

    The home agent authenticates registration requests as specified in RFC 3344, IP Mobility Support for IPv4 (August 2002). To verify the mobile-home authentication extension, the home agent looks up the security association indexed by the extension's security parameter index (SPI) value. That lookup yields a 128-bit key and an authentication algorithm, with which the home agent computes an MD5 message digest over the registration request. The Mobile IP home agent supports both HMAC-MD5 and keyed-MD5. HMAC-MD5 is the RFC 3344 default; keyed-MD5 is the older prefix+suffix construction from RFC 2002 and should be used only for compatibility with older mobile nodes. When the computed digest matches the 128-bit authenticator carried in the extension, the mobile-home extension is authenticated.

    If a security association is configured for the foreign agent, the foreign-home authentication extension is verified; otherwise, authentication success is based only on the mobile-home authenticator.

    The home agent also checks the identification (ID) field, which serves both to match registration requests with their replies and to protect against replay attacks. The home agent uses timestamp-based replay protection: the ID field carries a 64-bit Network Time Protocol (NTP)-formatted time value. By default, the timestamp must be within 7 seconds of the home agent's own clock.
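    The checks just described, as an added example (this is not JunosE code): a Python script that builds an RFC 3344 registration request with a mobile-home authentication extension, then verifies it the way a home agent would: look up the security association by SPI, recompute the authenticator with HMAC-MD5 or keyed-MD5, compare it in constant time, and apply the 7-second timestamp window to the NTP-formatted identification field. The addresses, SPI values and key are constructed sample values, and the `security_associations` table stands in for whatever local configuration or RADIUS returns for a given SPI.

```python
import hashlib
import hmac
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to the Unix epoch
MH_AUTH_EXT_TYPE = 32             # mobile-home authentication extension (RFC 3344, 3.5.2)
REPLAY_WINDOW_SECONDS = 7         # JunosE default timestamp window


def ntp_identification(unix_time):
    """64-bit NTP-format Identification field: seconds since 1900 in the high
    32 bits, binary fraction of a second in the low 32 bits."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def authenticator(algorithm, key, data):
    """The two algorithms the home agent accepts. HMAC-MD5 is the RFC 3344
    default; keyed-MD5 is the older RFC 2002 prefix+suffix construction."""
    if algorithm == "hmac-md5":
        return hmac.new(key, data, hashlib.md5).digest()
    if algorithm == "keyed-md5":
        return hashlib.md5(key + data + key).digest()
    raise ValueError("unsupported algorithm: %s" % algorithm)


def build_registration_request(home_addr, home_agent, care_of, identification,
                               spi, key, algorithm="hmac-md5", lifetime=1800, flags=0):
    """Mobile-node side: Registration Request (type 1) followed by a
    mobile-home authentication extension (constructed sample values)."""
    fixed = struct.pack("!BBH4s4s4sQ", 1, flags, lifetime,
                        socket.inet_aton(home_addr), socket.inet_aton(home_agent),
                        socket.inet_aton(care_of), identification)
    # Extension length covers the SPI (4 bytes) plus the 128-bit authenticator (16 bytes).
    ext_header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 20, spi)
    # The authenticator protects everything before it, including this
    # extension's own Type, Length and SPI.
    return fixed + ext_header + authenticator(algorithm, key, fixed + ext_header)


def verify_registration_request(packet, security_associations, now_unix):
    """Home-agent side check. security_associations maps SPI -> (algorithm, key),
    whether the entries came from local configuration or from RADIUS.
    Returns (accepted, reason)."""
    if len(packet) < 24 or packet[0] != 1:
        return False, "not a registration request"
    identification = struct.unpack("!Q", packet[16:24])[0]
    offset = 24
    while offset + 2 <= len(packet):
        ext_type, ext_len = packet[offset], packet[offset + 1]
        if ext_type != MH_AUTH_EXT_TYPE:
            offset += 2 + ext_len          # skip extensions that precede the auth extension
            continue
        if ext_len != 20 or offset + 22 > len(packet):
            return False, "malformed mobile-home authentication extension"
        spi = struct.unpack("!I", packet[offset + 2:offset + 6])[0]
        sa = security_associations.get(spi)
        if sa is None:
            # No security parameters for this SPI: reject, log a security
            # violation, and send no registration reply.
            return False, "no security association for SPI %d" % spi
        algorithm, key = sa
        expected = authenticator(algorithm, key, packet[:offset + 6])
        received = packet[offset + 6:offset + 22]
        if not hmac.compare_digest(expected, received):
            return False, "mobile-home authenticator mismatch"
        break
    else:
        return False, "mobile-home authentication extension missing"
    # Authenticated; now the timestamp replay check on the Identification field.
    sent_unix = (identification >> 32) - NTP_EPOCH_OFFSET
    if abs(sent_unix - int(now_unix)) > REPLAY_WINDOW_SECONDS:
        return False, "identification outside %d-second replay window" % REPLAY_WINDOW_SECONDS
    return True, "ok"
```

    A real home agent that authenticates the request but finds the identification outside the window answers with a registration reply carrying code 133 (identification mismatch) and its own timestamp so the mobile node can resynchronize; the example only reports the failure. The constant-time comparison matters because the authenticator is all that stands between an attacker on the foreign network and a forged binding for someone else's home address.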

    AAA

    You can store the security associations and configuration information remotely on a RADIUS server. You can also use the ip mobile secure host command and the ip mobile secure foreign-agent command to configure the security association (MD5 key) locally on the home agent, for a specified user or for a group of users (also known as a domain).

    Authentication is accomplished either by generating an authentication, authorization, and accounting (AAA) access-request or querying the locally configured security parameters, depending on whether or not you use the aaa keyword when you issue the ip mobile host command to configure the mobile node. For AAA authentication, you must include the aaa keyword; for local authentication, do not include the aaa keyword. If AAA authentication is enabled, AAA queries the security information from the RADIUS server.

    When both the network access identifier (NAI) and the IP address of the mobile node are present in the registration request, the authentication request from the Mobile IP home agent to AAA uses the NAI as the username and the IP address as the hint IP address. If only the NAI is present, the NAI is used as the username with no hint IP address in the authentication request. If only the IP address (home address) is present, it is used as both the username and the hint IP address. If both the NAI and the IP address are missing from the registration request, the registration request is rejected.

    If the optional aaa keyword is present in the ip mobile host command, then the authentication parameters are obtained by querying AAA. The authentication algorithm and security key are retrieved by AAA based on its configuration, depending on the SPI provided in the registration request. If the aaa keyword is absent, then the home agent uses authentication parameters configured locally on the router to authenticate the registration request. In both cases, if security parameters are not retrieved, then the request for mobility service is rejected, a security violation error is logged, and no registration reply is generated.

    When you configure the mobile host to use RADIUS authentication for home agent users by including the aaa keyword in the ip mobile host command, the Mobile IP home agent application generates a RADIUS access-request message. The RADIUS server then uses Juniper Networks vendor-specific attributes (VSAs) to return the appropriate authentication algorithm and secret key for the authentication request.

    For information about the specific Juniper Networks VSAs used for Mobile IP RADIUS-based authentication, see JunosE Broadband Access Configuration Guide and RADIUS IETF Attributes.

    Subscriber Management

    The Mobile IP home agent interoperates with the subscriber management application on E Series routers. The subscriber management application enables customers to dynamically provision new IP subscribers and quickly create new value-added services.

    You can set up your subscriber management environment to create dynamic IP subscriber interfaces to provision subscribers and provide differentiated service delivery. In this configuration, the service parameters for an IP subscriber are bound to a dynamic IP subscriber interface.

    During the registration process when the Mobile IP home agent has authenticated the subscriber with AAA, the home agent locates or creates the appropriate IP tunnel to carry the data traffic to the foreign agent. When Mobile IP obtains all of the parameters required for interface creation, including the tunnel ID and the authentication context, it directs the subscriber management application to create the dynamic IP subscriber interface.

    During the re-registration process when there is a handoff from an initial Mobile IP foreign agent to a new Mobile IP foreign agent, the home agent reauthenticates the subscriber with AAA and locates or creates the appropriate IP tunnel to carry the data traffic to the new foreign agent. When Mobile IP obtains all the parameters required for interface creation, it directs the subscriber management application to move the dynamic IP subscriber interface from the initial tunnel for the previous foreign agent to the new tunnel that points to the new foreign agent. If this was the last subscriber on the tunnel for the previous foreign agent, then the home agent directs the IP tunneling application to tear down the initial tunnel.

    For more information about subscriber management and dynamic IP subscriber interfaces, see JunosE Broadband Access Configuration Guide.

    Mobile IP Routing and Forwarding

    The home agent supports both generic routing encapsulation (GRE) and Distance Vector Multicast Routing Protocol (DVMRP) tunnel encapsulation, which is IP-in-IP encapsulation (IP protocol 4), for forward and reverse tunneling. When packets destined for the mobile node reach the home agent, it encapsulates them and tunnels them to the care-of address. Packets that would exceed the maximum transmission unit (MTU) of the tunnel once encapsulated are dropped and an ICMP error message is sent to the source IP address. Packets for which no access route exists are dropped and an ICMP destination-unreachable message is returned to the source. For reverse tunnels, the home agent decapsulates the packets and forwards them toward the next hop for the destination address.
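    The forward and reverse tunnel handling described above, as an added example (not JunosE code): a Python script that encapsulates an inner IPv4 packet in either IP-in-IP or GRE toward the care-of address, drops it and builds the ICMP "fragmentation needed" error when the encapsulated size would exceed the tunnel MTU, and strips the outer headers again on the reverse path. The tunnel endpoints, addresses and the stub inner datagram are constructed sample values; `forward_tunnel` and `reverse_tunnel` are names chosen for this example.

```python
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4       # IP-in-IP (RFC 2003); what JunosE calls a DVMRP tunnel
IPPROTO_GRE = 47       # GRE (RFC 2784)
GRE_PROTO_IPV4 = 0x0800
OVERHEAD = {"ipip": 20, "gre": 24}   # outer IPv4 header (+ 4-byte base GRE header)


def inet_checksum(data):
    """Ones-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_frag_needed(inner, reporter, next_hop_mtu):
    """ICMP Destination Unreachable, code 4 (fragmentation needed), sent back
    to the inner packet's source with the MTU it must respect."""
    ihl = (inner[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner[:ihl + 8]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(reporter, socket.inet_ntoa(inner[12:16]), IPPROTO_ICMP, len(body)) + body


def forward_tunnel(inner, home_agent, care_of, mode, tunnel_mtu):
    """Home agent forward path: encapsulate toward the care-of address, or drop
    and return an ICMP error when the result would exceed the tunnel MTU.
    Returns ("tunnel", outer_packet) or ("icmp", error_packet)."""
    overhead = OVERHEAD[mode]
    if len(inner) + overhead > tunnel_mtu:
        # Report the MTU with the encapsulation overhead subtracted, so the
        # sender sizes packets that still fit once the outer header is added.
        return "icmp", icmp_frag_needed(inner, home_agent, tunnel_mtu - overhead)
    if mode == "ipip":
        return "tunnel", ipv4_header(home_agent, care_of, IPPROTO_IPIP, len(inner)) + inner
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no C/K/S flags, version 0
    return "tunnel", ipv4_header(home_agent, care_of, IPPROTO_GRE, 4 + len(inner)) + gre + inner


def reverse_tunnel(outer):
    """Home agent reverse path: strip the outer IPv4 (and GRE) header and return
    the inner packet for normal forwarding toward its destination."""
    if outer[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (outer[0] & 0x0F) * 4
    proto = outer[9]
    if proto == IPPROTO_IPIP:
        return outer[ihl:]
    if proto == IPPROTO_GRE:
        flags_ver, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
        if ptype != GRE_PROTO_IPV4 or flags_ver & 0x0007:
            raise ValueError("unsupported GRE payload type or version")
        offset = ihl + 4
        if flags_ver & 0x8000:   # C flag: checksum + reserved1 present
            offset += 4
        if flags_ver & 0x2000:   # K flag: key present
            offset += 4
        if flags_ver & 0x1000:   # S flag: sequence number present
            offset += 4
        return outer[offset:]
    raise ValueError("not a GRE or IP-in-IP tunnel packet")
```

    The example follows the behavior stated above and always drops an oversized packet; RFC 2003 also permits an encapsulator to fragment when the inner packet's DF bit is clear. The detail worth noticing is the MTU value placed in the ICMP error: it is the tunnel MTU minus the encapsulation overhead, not the raw tunnel MTU, otherwise path MTU discovery at the sender converges on a size that still does not fit.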

    For more information about configuring GRE and DVMRP dynamic IP tunnels, see Configuring a Destination Profile for Dynamic GRE Tunnels and Configuring a Destination Profile for Dynamic DVMRP Tunnels.

    Published: 2014-08-12