Reverse-Tunnel Forwarding

Problem

You want to force all packets to use the tunnel to avoid anti-spoofing ACLs in the network.

Solution

You configure Reverse-Tunnel Forwarding on the Mobile Node so that it requests this feature when it registers with the Foreign Node:

RouterMobile#configure terminal Enter configuration commands, one per line. End with CNTL/Z. RouterMobile(config)#ip mobile router RouterMobile(mobile-router)#reverse-tunnel RouterMobile(mobile-router)#exit RouterMobile(config)#end RouterMobile#

 

Discussion

When a Mobile Node communicates with another device elsewhere on the network (called the Correspondent Node), the inbound traffic follows a path from the Correspondent Node to the Home Agent, through the tunnel to the Foreign Agent, and from there to the Mobile Node. On the way back from the Mobile Node to the Correspondent Node, the packet goes first to the Foreign Agent, which looks at the destination address, and forwards this packet according to its routing table by using the most direct path.

The trouble is that the source IP address in the packet from the Mobile Node to the Correspondent Node doesn't belong to the Foreign Agent router. It is effectively a spoofed source address. Many networks use ACLs to look at the source addresses of packets and make sure that they are received on an interface that leads back to the source network. This is a good security practice because it helps prevent hackers from deliberately spoofing addresses in packets when launching attacks.

If your network includes this sort of security precaution, you must configure what is called Reverse-Tunnel Forwarding. This means simply that packets from the Mobile Node should be sent through the tunnel to the Home Agent, even if it has a better route to the destination device. Then the illegal source address in the packet is hidden from any ACLs until it reaches the Home Agent, which is a legitimate router for this source address.

This feature is negotiated when the Mobile Node connects to the network, which is why it is only necessary to configure it on the Mobile Node:

RouterMobile(config)#ip mobile router RouterMobile(mobile-router)#reverse-tunnel

You can then verify that the Foreign Agent is using Reverse-Tunnel Forwarding with the show ip mobile tunnel command:

outerForeign#show ip mobile tunnel Mobile Tunnels: Tunnel0: src 192.168.110.1, dest 192.168.9.1 encap IP/IP, mode reverse-allowed, tunnel-users 1 IP MTU 1480 bytes Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never outbound interface Serial0/0 FA created, fast switching enabled, ICMP unreachable enabled 105 packets input, 8462 bytes, 0 drops 0 packets output, 0 bytes RouterForeign#

 

See Also

Recipe 24.2; Recipe 24.3; Recipe 24.4

Категории