RE: Big picture of mobility (was RE: ip mobile question

From: wing_lam@jossynergy.com
Date: Sun Jul 06 2003 - 05:57:21 GMT-3


Hi all,

Can I ask what is a toad problem in mobile IP?

Thx,
BBD (Big Black Dog)

"Howard C. Berkowitz" <hcb@gettcomm.com>
Sent by: nobody@groupstudy.com
07/06/2003 03:54 AM
Please respond to "Howard C. Berkowitz"

To: <ccielab@groupstudy.com>
cc:
Subject: RE: Big picture of mobility (was RE: ip mobile question

At 12:04 PM -0700 7/5/03, Brian Dennis wrote:
>I think IP mobile ARP can filter tadpoles (see below) which should
>eliminate the toad problem.
>
>router eigrp 1
> redistribute mobile route-map NOTOADS
> default-metric 10000 100 255 1 1500
>
>route-map NOTOADS deny 10
> match tadpole
>route-map NOTOADS permit 20

Although this can be a problem for military applications using toad
array sonar.

>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Howard C. Berkowitz
>Sent: Saturday, July 05, 2003 11:22 AM
>To: ccielab@groupstudy.com
>Subject: Big picture of mobility (was RE: ip mobile question
>
>First, let me endorse Brian's comments, but note that he neglected to
>mention that IP mobile ARP eats toads, pays no respect to its
>parents, and is not fully potty-trained.
>
>
>At 10:52 AM -0700 7/5/03, Brian Dennis wrote:
>>What if you were in a very large network or trying to do IP mobile ARP
>>over the Internet? Which solution do you think would be better? Call
>>your ISP and tell them they need to accept the /32 routes that IP mobile
>>ARP generates from you ;-)
>>
>>What about security issues? How secure is regular IP mobile ARP? Do you
>>want anyone to just plug a computer into your network and advertise a
>>/32 route for whatever address they have configured? Consider this
>>hypothetical situation. What if a "hacker" plugs their computer in with
>>the same IP address as the company's HR web server? When that /32 route
>>from the mobile ARP process for the hacker's computer gets advertised
>>around where do you think the traffic destined for the HR web server is
>>going to go (assuming there isn't a /32 route for the HR web server
>>being advertised already)? The hacker throws up a mock up website on
>>their computer of the real HR website just long enough to capture a few
>>users trying to login. After the users enter their usernames and
>>passwords the hacker's mock up website tells the users the website is
>>down for the next 15 minutes and to try back later. After a few users
>>attempt to login the hacker unplugs the computer with the mock up
>>website and lets the /32 route (mobile ARP) timeout so when the users
>>try to log back into the HR web server later they will be routed back to
>>the real HR web server. The users don't even know that they were
>>temporarily rerouted to the hacker's mock up website that stole their
>>usernames and passwords.
>>
>>As a side note Mobile IP offers MD5 authentication and filtering
>>capabilities whereas IP mobile ARP is very insecure. I've seen Mobile IP
>>deployed in the real world with law enforcement. I've never seen a large
>>scale deployment of IP mobile ARP.
>
>Both mobile IP and mobile ARP are tools in a toolbox.
>
>When a host's position is expected to change on the order of seconds
>to minutes, and is in a limited area, this is the problem that
>wireless LAN protocols are meant to solve.
>
>When the host's position changes in a large area over minutes, the
>physical layer problem is solved by specialized cellular radio
>protocols.
>
>When the host moves for relatively long periods to a foreign subnet,
>this is the solution space for mobile IP and mobile ARP.
>
>When entire subnets and routers move and reinsert into networks, this
>is the problem space that the IETF MANET Working Group deals with.
>Think of a military environment, where a cannon company and its
>wireless LAN move into a different chain of command.
>
>IPv6 and the Router Renumbering Protocol also have facilities for
>dealing with the moving subnet.
>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Jim Phillipo
>>Sent: Saturday, July 05, 2003 9:36 AM
>>To: 'ccielab@groupstudy.com'
>>Subject: ip mobile question
>>
>>Where does the ip mobile arp command fit into the big picture? Seems like
>>it is a lot easier to configure one router with this command along with
>>redistribute mobile than going through the hassle of configuring HA and FA
>>etc.
>>
>>The reason I ask is I am doing IPEXPERT lab 35 and the requirement was to
>>allow a user from one subnet to be able to connect to another router's subnet
>>without changing its IP.
>>
>>I was surprised when I checked the answer config and all they used was the
>>ip mobile ARP command instead of all the other stuff.
>>
>>Any thoughts appreciated.
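
The redirection described in the thread works because a redistributed /32 host route is more specific than the server's subnet route. As an added example (not part of the original thread), this sketch shows that longest-prefix behaviour and an audit that flags mobile host routes which cover a fixed server or fall outside the range allowed to roam; every address, name and the route-tuple format below are constructed assumptions.

```python
import ipaddress

# Constructed policy and routing data (hypothetical, not taken from the thread).
ALLOWED_MOBILE = [ipaddress.ip_network("10.50.0.0/24")]      # hosts permitted to roam
PROTECTED = {"hr-web": ipaddress.ip_address("10.10.1.20")}   # fixed servers
RIB = [  # (prefix, route source, next hop)
    ("10.10.1.0/24", "connected", "Ethernet0"),
    ("10.50.0.7/32", "mobile", "10.20.0.7"),
    ("10.10.1.20/32", "mobile", "10.20.0.99"),
    ("172.16.5.5/32", "mobile", "10.20.0.42"),
]


def best_route(dst, rib):
    """Longest-prefix match: the rule that lets a /32 beat the server's /24."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in ipaddress.ip_network(r[0])]
    return max(matches,
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def audit_mobile_routes(rib, allowed, protected):
    """Return (prefix, reason) for each mobile route that violates policy."""
    findings = []
    for prefix, source, _next_hop in rib:
        if source != "mobile":
            continue
        net = ipaddress.ip_network(prefix)
        shadowed = [name for name, addr in protected.items() if addr in net]
        if shadowed:
            findings.append((prefix, "shadows protected host " + shadowed[0]))
        elif not any(net.subnet_of(a) for a in allowed):
            findings.append((prefix, "outside allowed mobile range"))
    return findings


if __name__ == "__main__":
    print("traffic to hr-web follows:", best_route("10.10.1.20", RIB))
    for finding in audit_mobile_routes(RIB, ALLOWED_MOBILE, PROTECTED):
        print("ALERT", finding)
```

The same allow-list can be enforced where the routes enter the IGP, with a route-map on `redistribute mobile`, which is the mechanism the NOTOADS configuration in the thread uses.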



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:26 GMT-3