Mobile IP: Extending VPN Coverage

ENT, Oct 7, 1998 by Sam Alunni

It's important to note that this wireless/roaming vision didn't entirely fail. Digital Equipment Corp., now part of Compaq Computer Corp., for example, was an early proponent of this idea. And in fact, the company got it to work. Over the years, anyone visiting Digital's facilities would be treated to the sight of professionals coming into a meeting, opening their laptops, and -- without making any wireline connections -- beginning to read their e-mail and crank out their responses. Mobile IP worked, even if there was a flaw in the futuristic vision of a largely untethered work environment. And this visionary flaw was simply in the scale of deployment. Mobile IP worked, Mobile IP networks could be built, but they were just not deployed on the scale imagined by early 1990s futurists. Mobile IP went on to become an IETF standard, and largely languished over the past few years.

Now it is back, and attached to a rising star in our Internet era world, namely, virtual private networks (VPN). Mobile-IP is now being added to VPN technology because it overcomes a severe limitation in most VPN solutions: restricted mobility. An enterprise-class VPN is a highly effective solution -- if you can live with the limitation on the number of locations from which VPN entry can be made. Today's VPNs are ideal for work-at-home employees or remote offices of large enterprises where the location -- in terms of the IP address -- always remains the same. But they fall down flat when employees are mobile and need to enter their VPN from anywhere in our Internet-connected world. When this happens, a failure occurs because the first rule of static VPNs is violated. In effect, the IP address of the mobile employee is not know by the VPN because it has been dynamically, and temporarily, assigned by the local ISP.

It's easy to see why VPN manufacturers are turning to Mobile IP for a solution to this problem. It doesn't take too much brain strain to recognize the analogy between mobile roaming in an IP-based corporate environment and mobile roaming in an Internet environment.

So how does it work? What does Mobile IP do so that VPN connections can be made from anywhere in the Internet? Interestingly enough, the biggest problem facing Mobile IP is on the outbound side, that is, when packets are being sent from a server system to a mobile user somewhere out in the Internet. Remember that the server system does not know the dynamic IP address of the mobile user. This address has been temporarily assigned by some local ISP.

But the server system does have the static IP address of the user, an address that was assigned by usual means. And in a Mobile IP environment, that's all the server needs. It continues to work as always, sending packets to the user at the static IP address it knows. But when these packets arrive at the user's home network, they are prompt- ly intercepted by a designated agent, which encapsulates them in another IP packet and forwards them on to the mobile user at the dynamic IP address.

Of course, there is an earlier step that must occur before any of these application packets are sent. And this occurs when the user's Mobile IP software connects with the agent in the home network to give it the dynamic IP address that it is currently using.

Inbound transmissions, on the other hand, are simple. When the mobile user sends packets back to the server, it simply uses its static home address as its source address.

Of course, some VPN manufacturers are already going beyond Mobile IP to further enhance their products. Companies such as Toshiba America Information Systems (Irvine, Calif., www.networks.toshiba. com) have combined Mobile IP technology with IETF standard IPSecurity that encrypts and authenticates the data packets. This is the sort of winning combination that other VPN manufacturers are likely to copy. Together, the two technologies deliver a maximum in security and location independence, a requirement for users who must connect to corporate resources from anywhere in the Internet-connected world.

--Sam Alunni is vice president of networking at Sterling Research (Sterling, Mass.). Contact him at alunni@sterling- research.com. n