
Version 4.1 - 1.11 Mobile IP Part 1

I have to begin this section with admitting that I don't have a lot of experience with Mobile IP. The scope of the exam covers all Security Engineer tasks, but most positions don't perform all tasks. This is just something that has never been a part of my duties. So let's dig into this together.

Most network devices are static. You have enterprise systems and then remote systems that use VPN technology to connect to (or through) that enterprise system. Mobile IP deals with a persistent connection to a moving target. Think of the connection your phone uses while you're driving in your car. You expect the connection (call) not to be dropped. It should continue as you drive - and unknown to most people - the connection is handed off from cell tower to cell tower as you make your way to your destination. Another example involves laptops. You're at your desk and connected to the wireless network. You pick up your laptop and take it with you to the conference room for a meeting. You expect the wireless connection to continue and do not expect to have to log in again. This section explores how that magic happens.



Note that this information is about Mobile IPv4. Mobile IPv6 works differently and will be covered next. The Cisco document Introduction to Mobile IP covers this topic. [Note that it is from 2001.]

The Mobile Node is the device whose software enables network roaming capabilities (such as a laptop).
The Home Agent is the router acting as the anchor point for communication with the mobile node.
The Foreign Agent is the router acting as the point of attachment when the mobile node roams to a foreign network.

So the mobile node attaches through the Foreign Agent of the foreign network it is on, and the Home Agent builds a tunnel to that Foreign Agent; traffic for the mobile node's home address is carried through that tunnel, and the mobile node's replies are forwarded on to the Correspondent Node. "The care-of address is the termination point of the tunnel toward the Mobile Node when it is on a foreign network."



Agent Discovery - Home Agents and Foreign Agents advertise their services using ICMP Router Discovery Protocol (IRDP) messages. The mobile node uses these advertisements to figure out where it is (home network or foreign network). Once it sees that it's on a foreign network, it begins registration.

Registration - The mobile node sends a registration request to the home agent, either directly or through the foreign agent of the foreign network it's on. A registration reply is sent back, and the mobile node and home agent now know where each other is located.

Tunneling - A tunnel between the home agent and the foreign agent carries the mobile node's traffic, which is what lets the mobile node appear as though it's still attached to its home network. The default tunnel mode is IP-in-IP.
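The tunneling step above, as an added example that is not part of the original post or of any Cisco documentation: the home agent wraps a packet addressed to the mobile node's home address in an outer IPv4 header (protocol 4, IP-in-IP) whose destination is the care-of address, and the foreign agent strips that outer header and checks that the inner destination is a registered home address before delivering it. The addresses and payload are constructed sample values, and the foreign agent's registration table is a stand-in for real state.

```python
import struct

IPPROTO_IPIP = 4      # outer IPv4 protocol number for IP-in-IP encapsulation


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header):
    """Standard ones'-complement header checksum; a valid header sums to 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def home_agent_encapsulate(inner_packet, home_agent_ip, care_of_ip):
    """Home agent side: the whole inner packet becomes the payload of an
    outer IP-in-IP packet from the home agent to the care-of address."""
    return build_ipv4(home_agent_ip, care_of_ip, IPPROTO_IPIP, inner_packet)


def foreign_agent_decapsulate(packet, my_care_of_ip, registered_home_addrs):
    """Foreign agent side: validate the outer header, strip it, and only
    deliver if the inner destination is a mobile node registered here."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl != 0x45:
        raise ValueError("outer header is not plain IPv4")
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("outer header checksum invalid")
    if dst != ip_to_bytes(my_care_of_ip):
        raise ValueError("outer destination is not this care-of address")
    if proto != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    inner = packet[20:total_len]
    inner_dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])[9]
    if inner_dst not in {ip_to_bytes(a) for a in registered_home_addrs}:
        raise ValueError("inner destination is not a registered mobile node")
    return inner


if __name__ == "__main__":
    # Constructed addresses: correspondent node, home agent, mobile node's home
    # address, and the foreign agent's care-of address on the visited network.
    inner = build_ipv4("198.51.100.9", "10.0.0.5", 17, b"hello from the correspondent node")
    tunneled = home_agent_encapsulate(inner, "10.0.0.1", "192.0.2.77")
    delivered = foreign_agent_decapsulate(tunneled, "192.0.2.77", ["10.0.0.5"])
    print("delivered intact:", delivered == inner)   # prints "delivered intact: True"
```

The foreign agent checks the outer header before it looks at the inner packet, so a tunneled packet that arrives for a mobile node that never registered, or that carries a corrupted outer header, is rejected rather than forwarded.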

Registration messages carry the Mobile-Home Authentication Extension (MHAE), whose authenticator value is computed with MD5 over the registration message. HMAC-MD5 is also supported.
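How the home agent actually uses the MHAE, as an added example that is not from the original post or from Cisco: the mobile node appends the extension to its registration request, the authenticator covers the request and the extension's own Type, Length and SPI, and the home agent looks up the shared key by SPI, recomputes the value, and then applies timestamp-based replay protection on the Identification field. The field layout and the two algorithms (RFC 2002 keyed MD5 in prefix+suffix mode and the RFC 3344 default HMAC-MD5) follow those RFCs; the key, SPI values, addresses and the 7-second skew window are constructed for the example.

```python
import hashlib
import hmac
import struct

REG_REQUEST_TYPE = 1
MHAE_TYPE = 32                      # Mobile-Home Authentication Extension
FIXED_LEN = 24                      # fixed part of a Registration Request
DIGEST_LEN = 16                     # MD5 / HMAC-MD5 authenticator length
MHAE_LEN = 2 + 4 + DIGEST_LEN       # Type, Length, SPI, Authenticator
NTP_EPOCH_OFFSET = 2208988800       # seconds from the 1900 NTP epoch to the Unix epoch


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def timestamp_identification(unix_time):
    """Identification in timestamp style: NTP seconds in the high 32 bits."""
    return (int(unix_time) + NTP_EPOCH_OFFSET) << 32


def build_registration_request(home_addr, home_agent, care_of, lifetime, identification):
    """Fixed part of a Registration Request: Type, flags, Lifetime, Home Address,
    Home Agent, Care-of Address and 64-bit Identification, network byte order."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, 0, lifetime,
                       ip_to_bytes(home_addr), ip_to_bytes(home_agent),
                       ip_to_bytes(care_of), identification)


def authenticator(data, key, algorithm):
    """Authenticator over the request plus the MHAE's Type, Length and SPI."""
    if algorithm == "hmac-md5":          # RFC 3344 default
        return hmac.new(key, data, hashlib.md5).digest()
    if algorithm == "keyed-md5":         # RFC 2002 "prefix+suffix" keyed MD5
        return hashlib.md5(key + data + key).digest()
    raise ValueError("unsupported algorithm: " + algorithm)


def add_mhae(request, spi, key, algorithm="hmac-md5"):
    """Mobile node side: append the MHAE as the last extension."""
    header = struct.pack("!BBI", MHAE_TYPE, 4 + DIGEST_LEN, spi)
    return request + header + authenticator(request + header, key, algorithm)


class HomeAgent:
    """Home agent side: SA lookup by SPI, authenticator check, replay check."""

    def __init__(self, security_associations, clock, replay_window=7):
        self.sas = security_associations    # spi -> (shared key, algorithm)
        self.clock = clock                  # callable returning Unix time
        self.window = replay_window         # tolerated clock skew in seconds (assumed)
        self.last_id = {}                   # home address -> last accepted Identification

    def check_registration(self, packet):
        if len(packet) < FIXED_LEN + MHAE_LEN:
            return "too short"
        body, ext = packet[:-MHAE_LEN], packet[-MHAE_LEN:]
        ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
        if ext_type != MHAE_TYPE or ext_len != 4 + DIGEST_LEN:
            return "missing MHAE"
        if spi not in self.sas:
            return "unknown SPI"
        key, algorithm = self.sas[spi]
        expected = authenticator(body + ext[:6], key, algorithm)
        if not hmac.compare_digest(expected, ext[6:]):
            return "bad authenticator"
        home_addr = body[4:8]
        identification = struct.unpack("!Q", body[16:24])[0]
        skew = abs((identification >> 32) - NTP_EPOCH_OFFSET - int(self.clock()))
        if skew > self.window:
            return "identification mismatch"   # RFC 3344 reply code 133
        if identification <= self.last_id.get(home_addr, -1):
            return "replayed"
        self.last_id[home_addr] = identification
        return "accepted"


if __name__ == "__main__":
    key = b"constructed-shared-secret"         # constructed, not a real key
    ha = HomeAgent({0x100: (key, "hmac-md5")}, clock=lambda: 1700000000)
    req = build_registration_request("10.0.0.5", "10.0.0.1", "192.0.2.77", 1800,
                                     timestamp_identification(1700000000))
    packet = add_mhae(req, 0x100, key)
    print(ha.check_registration(packet))       # prints "accepted"
    print(ha.check_registration(packet))       # prints "replayed"
```

The authenticator is checked before the Identification field, so a forged or altered request is rejected without consuming replay state, and the shared key is selected by SPI, which is what the security association configured on the ACS server in the white paper below corresponds to.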

Not for nothing, but I think that's about as deep as the test may cover. Again, there are only about 14 questions on all of the Topic 1 items. If I were going to make a question for Mobile IP, it would be either on IPv6 or the difference between IPv4 and IPv6 mobility. On top of that, this is not really Cisco core stuff. I remember how lightly they passed over MDM (Mobile Device Manager) in the ISE material. It was covered, but not in depth because it was the MDM of another vendor.

However, I did find this White Paper in the Cisco Documentation - Mobile IP Security Associations on a CiscoSecure ACS Server. This document might be a good read for the exam since it is specifically about Cisco equipment. One of the drawbacks is that none of the pictures display. Cisco moves their documentation around and sometimes you get broken links to the previous picture addresses. But if you glance through it, you get the idea. Seeing the router config was good. But again, the idea is to be familiar with the terms and concepts. The details of something like this would be on the CCIE Collaboration track.
