Advanced Computer Networks1

Mobile IP allows users to move between networks while maintaining the same IP address. It uses home and foreign agents and tunneling to redirect packets to a device's care-of address when it is not in its home network. The mobile IP process involves agent discovery, registration of the device's care-of address with its home agent, and tunneling of packets from the home agent to the foreign agent or device's care-of address. This ensures continuous connectivity without disrupting ongoing sessions.


Advanced Computer Networks (18MCA452)

Assignment
Harshith Kumar K(1RZ18MCA14)
Introduction to Mobile IP
Mobile IP is a communication protocol (created by extending the Internet Protocol, IP) that
allows users to move from one network to another while keeping the same IP address. It ensures
that communication continues without the user's sessions or connections being dropped.
Terminologies:
- Mobile Node (MN):
The hand-held communication device that the user carries, e.g. a cell phone.
- Home Network:
The network to which the mobile node originally belongs according to its assigned IP
address (home address).
- Home Agent (HA):
A router in the home network to which the mobile node was originally connected.
- Home Address:
The permanent IP address assigned to the mobile node (within its home network).
- Foreign Network:
The network the mobile node is currently visiting (away from its home
network).
- Foreign Agent (FA):
A router in the foreign network to which the mobile node is currently connected. The
packets from the home agent are sent to the foreign agent, which delivers them to the
mobile node.
- Correspondent Node (CN):
A device on the Internet communicating with the mobile node.
- Care-of Address (COA):
The temporary address used by a mobile node while it is away from its
home network.
Working:
The correspondent node sends data to the mobile node. The data packets contain the correspondent
node's address (source) and the home address (destination). The packets reach the home agent.
But the mobile node is no longer in the home network; it has moved into the foreign network.
The foreign agent sends the home agent the care-of address to which all the packets should be
sent. Now a tunnel is established between the home agent and the foreign agent by the
process of tunnelling.
Tunnelling establishes a virtual pipe for packets between a tunnel entry and an
endpoint. It is the process of sending a packet via a tunnel, and it is achieved by a mechanism
called encapsulation.
The home agent now encapsulates the data packets into new packets in which the source address
is the home address and the destination is the care-of address, and sends them through the tunnel to
the foreign agent. The foreign agent, on the other side of the tunnel, receives the data packets,
decapsulates them and sends them to the mobile node. The mobile node, in response to the data
packets received, sends a reply to the foreign agent. The foreign agent sends the
reply directly to the correspondent node.
Key Mechanisms in Mobile IP:
1. Agent Discovery:
Agents advertise their presence by periodically broadcasting agent advertisement
messages. A mobile node receiving an agent advertisement message checks
whether the message is from its own home agent and thereby determines whether it is in the
home network or in a foreign network.
2. Agent Registration:
After discovering the foreign agent, the mobile node sends a registration request (RREQ) to
the foreign agent. The foreign agent in turn sends the registration request, with the care-of
address, to the home agent. The home agent sends a registration reply (RREP) to the foreign
agent, which forwards the registration reply to the mobile node and completes the
registration process.
3. Tunnelling:
Tunnelling establishes a virtual pipe for packets between a tunnel entry and an
endpoint. It is the process of sending a packet via a tunnel, and it is achieved by a
mechanism called encapsulation. It is used to forward an IP datagram from the
home agent to the care-of address. Whenever the home agent receives a packet for the mobile
node from a correspondent node, it encapsulates the packet with the home address as source and
the care-of address as destination.
Route Optimization in Mobile IP:
Route optimization adds a conceptual data structure, the binding cache, to the
correspondent node. The binding cache contains bindings between a mobile node's home address
and its current care-of address. Every time the home agent receives an IP datagram that is
destined for a mobile node currently away from the home network, it sends a binding update
to the correspondent node to update the information in the correspondent node's binding
cache. After this the correspondent node can tunnel packets directly to the mobile node.
Process of Mobile IP

The mobile IP process has the following three main phases:

1. Agent Discovery

During the agent discovery phase the HA and FA advertise their services on the network by
using the ICMP Router Discovery Protocol (IRDP).

Mobile IP defines two methods, agent advertisement and agent solicitation, which are in fact
router discovery methods plus extensions.

o Agent advertisement: For the first method, FA and HA advertise their presence
periodically using special agent advertisement messages. These advertisement messages
can be seen as a beacon broadcast into the subnet. For this
advertisement, Internet Control Message Protocol (ICMP) messages according to RFC
1256 are used with some mobility extensions.
o Agent solicitation: If no agent advertisements are present or the inter-arrival time is
too high, and an MN has not received a COA, the mobile node must send agent
solicitations. These solicitations are again based on the router solicitations of RFC 1256.
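The advertisement format just described, as an added example that is not part of the original assignment: a Python builder and parser for an RFC 1256 Router Advertisement carrying the Mobility Agent Advertisement Extension (type 16, RFC 3344), plus the mobile node's home-or-foreign decision from the text. The addresses, sequence numbers and lifetimes are constructed sample values.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9   # RFC 1256 message type
MOBILITY_AGENT_ADV_EXT = 16     # RFC 3344 section 2.1.1 extension type
# Extension flag bits, most significant first: R B H F M G r T
FLAG_BITS = {"R": 0x80, "B": 0x40, "H": 0x20, "F": 0x10,
             "M": 0x08, "G": 0x04, "r": 0x02, "T": 0x01}


def icmp_checksum(data: bytes) -> int:
    """Ones-complement checksum over the whole ICMP message (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_agent_advertisement(routers, seq, reg_lifetime, flags, coas, adv_lifetime=1800):
    """routers: [(address, preference)], flags: string of flag letters, coas: care-of addresses."""
    msg = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(routers), 2, adv_lifetime)
    for addr, pref in routers:
        msg += ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
    flag_byte = 0
    for f in flags:
        flag_byte |= FLAG_BITS[f]
    # Extension length counts everything after type and length: 6 fixed bytes + 4 per COA.
    msg += struct.pack("!BBHHBB", MOBILITY_AGENT_ADV_EXT, 6 + 4 * len(coas),
                       seq, reg_lifetime, flag_byte, 0)
    for coa in coas:
        msg += ipaddress.IPv4Address(coa).packed
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_agent_advertisement(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(msg) != 0:          # a correct checksum sums to zero
        raise ValueError("bad ICMP checksum")
    mtype, code, _csum, num, entry_size, adv_lifetime = struct.unpack("!BBHBBH", msg[:8])
    if mtype != ICMP_ROUTER_ADVERTISEMENT or code != 0 or entry_size != 2:
        raise ValueError("not an RFC 1256 router advertisement")
    off, routers = 8, []
    for _ in range(num):
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        (pref,) = struct.unpack("!i", msg[off + 4:off + 8])
        routers.append((addr, pref))
        off += 8
    adv = {"routers": routers, "adv_lifetime": adv_lifetime, "mobility": None}
    # Extensions follow as (type, length, value); a plain router advertisement has none.
    while off + 2 <= len(msg):
        etype, elen = msg[off], msg[off + 1]
        value = msg[off + 2:off + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated extension")
        if etype == MOBILITY_AGENT_ADV_EXT:
            if elen < 6:
                raise ValueError("short mobility agent extension")
            seq, reg_lifetime, flag_byte, _reserved = struct.unpack("!HHBB", value[:6])
            adv["mobility"] = {
                "seq": seq, "reg_lifetime": reg_lifetime,
                "flags": {k for k, bit in FLAG_BITS.items() if flag_byte & bit},
                "coas": [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(6, elen, 4)],
            }
        off += 2 + elen
    return adv


def classify_network(adv: dict, home_agent: str):
    """The mobile node's check from the text: an advertisement from its own home agent means
    it is at home; otherwise it is visiting and takes the advertised care-of addresses."""
    mob = adv["mobility"]
    if mob is None:
        return "no mobility agent", []
    if "H" in mob["flags"] and any(addr == home_agent for addr, _ in adv["routers"]):
        return "home", []
    return "foreign", mob["coas"] if "F" in mob["flags"] else []


if __name__ == "__main__":
    # Constructed sample: a foreign agent at 192.0.2.1 offering itself as the care-of address.
    adv = parse_agent_advertisement(
        build_agent_advertisement([("192.0.2.1", 0)], seq=42, reg_lifetime=1800,
                                  flags="FB", coas=["192.0.2.1"]))
    print(classify_network(adv, home_agent="198.51.100.1"))  # ('foreign', ['192.0.2.1'])
```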

2. Registration

The main purpose of registration is to inform the home agent of the mobile node's current
location so that it can forward packets correctly.
Registration can be done in two ways, depending on the location of the COA.

o If the COA is at the FA, the MN sends its registration request containing the COA to
the FA, which forwards the request to the HA. The HA now sets up a mobility
binding containing the mobile node's home IP address and the current COA.

Additionally, the mobility binding contains the lifetime of the registration, which is negotiated
during the registration process. A registration expires automatically after the lifetime and is
deleted, so a mobile node should re-register before expiration. After setting up the mobility
binding, the HA sends a reply message back to the FA, which forwards it to the MN.

o If the COA is co-located, registration is simpler. The mobile node can
send the request directly to the HA, and the HA replies directly to the MN. This is also the
registration procedure for MNs returning to their home network.

Mobile IP registration message format:

Mobile IP registration messages use the User Datagram Protocol (UDP). The IP and UDP
headers are followed by the Mobile IP request packet, which is followed by various
extensions. There is always at least one extension present, namely the mobile-home
authentication extension.

New Registration Request and Registration Reply Messages

To perform registration, two new message types have been defined in Mobile IP:
the Registration Request and the Registration Reply. Each of these does what you would
expect from its name. Interestingly, these are not ICMP messages like the ones used in agent
discovery; they are User Datagram Protocol (UDP) messages. Thus, technically speaking,
registration is performed at a higher layer than the rest of Mobile IP communication. Agents
listen for Registration Requests on well-known UDP port #434, and respond back to mobile
nodes using whatever ephemeral port the node used to send the message.

3. Tunnelling

A tunnel is used to establish a virtual pipe for data packets between a tunnel entry and a
tunnel endpoint. Packets entering a tunnel are forwarded inside the tunnel and
leave the tunnel unchanged. Tunnelling, i.e. sending a packet through a tunnel, is achieved
with the help of encapsulation.

Tunnelling, also known as "port forwarding", is the transmission of data intended for use
only within a private, usually corporate, network through a public network.
The Mobile IP Data Delivery Tunnel:

The encapsulation process creates a logical construct called a tunnel between the device that
encapsulates and the one that decapsulates. This is the same idea of a tunnel used in
discussions of virtual private networks (VPNs), IPSec tunnel mode, or the various other
tunnelling protocols used for security. The tunnel represents a conduit over which datagrams
are forwarded across an arbitrary internetwork, with the details of the encapsulated datagram
(meaning the original IP headers) temporarily hidden.

In Mobile IP, the start of the tunnel is the home agent, which does the encapsulation. The end
of the tunnel depends on what sort of care-of address is being used:

o Foreign Agent Care-Of Address: The foreign agent is the end of the tunnel. It
receives encapsulated messages from the home agent, strips off the outer IP header
and then delivers the datagram to the mobile node. This is generally done using layer
two, because the mobile node and foreign agent are on the same local network, and of
course, the mobile node does not have its own IP address on that network (it is using
that of the foreign agent.)

o Co-Located Care-Of Address: The mobile node itself is the end of the tunnel and
strips off the outer header.

Problems with base Mobile IP protocol:

1. Dogleg routing
Consider a mobile node that happens to move to the same subnetwork as the correspondent
node that wants to send it datagrams. Under the base Mobile IP protocol, this is what happens
for the datagram to be received by the mobile node: the correspondent node
sends the datagram all the way to the mobile node's home agent, which may be half a
globe away; the home agent then forwards the datagram to the care-of address, which
might have taken just half a second to reach had the datagram been sent directly from the
correspondent node. This kind of "indirect routing" is inefficient and undesirable.

Fix: The effort to define extensions to the operation of the base Mobile IP to allow for the
optimization of datagram routing from a correspondent node to a mobile node has been made
by the Mobile IP Working Group of the Internet Engineering Task Force (IETF). The key
approach to route optimization is as follows:

- A binding cache containing the mobility bindings of mobile nodes is provided for any node
that wants to optimize its own communication with mobile nodes. In this way, the
correspondent node can keep track of where the mobile nodes are. So when the
correspondent node wishes to send a datagram to a mobile node, it can
send the datagram directly to the destination address, eliminating the "zig-zag" routing.

- The means for the mobile node's previous foreign agent to be notified of the mobile node's
new location is provided. This mechanism allows datagrams in flight to the mobile node's
previous foreign agent to be re-directed to its current address.
2. Too many unwanted duplicated fields in "IP within IP"
As discussed previously, the way to encapsulate the datagram is to put the original datagram
(= IP header + payload) inside another IP envelope, of which the whole packet = outer IP
header (Care-of Address) + original datagram. The fields in the outer IP header add too much
overhead to the final datagram -- several fields are duplicated from the inner IP header. This
waste of unnecessary space is uneconomical.

Fix: Also coming from the IETF, a so-called Minimal Encapsulation scheme is defined, and
becomes another option to encapsulate the datagram. The approach to the encapsulation
method is as follows:

- Instead of inserting a new header, the original header is modified to reflect the care-of
address, and in between the modified IP header and unmodified IP payload, a minimal
forwarding header is inserted to store the original source address and original destination
address. When the foreign agent tries to decapsulate, it will simply restore the fields in the
forwarding header to the IP header, and remove the forwarding header.

There is a restriction to the use of this encapsulation method. If the original datagram is
already fragmented, then minimal encapsulation must not be used since there is no room left
to store fragmentation information.
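IP-in-IP and minimal encapsulation side by side, as an added example that is not part of the original assignment: Python that encapsulates a constructed datagram both ways (RFC 2003, protocol 4, and RFC 2004, protocol 55), decapsulates it at the tunnel end, reports the header overhead of each, and enforces the restriction above by refusing minimal encapsulation of a fragmented datagram. Only 20-byte IPv4 headers without options are handled, and the addresses are constructed sample values.

```python
import ipaddress
import struct

PROTO_IPIP = 4                # RFC 2003 IP-in-IP encapsulation
PROTO_MIN_ENCAP = 55          # RFC 2004 minimal encapsulation
IPV4_HDR = "!BBHHHBBH4s4s"    # 20-byte header without options
MF_FLAG = 0x2000
FRAG_OFFSET_MASK = 0x1FFF


def checksum(data: bytes) -> int:
    """Ones-complement checksum as used by the IPv4 header and the forwarding header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_ipv4(src, dst, proto, payload, ident=1, flags_frag=0, ttl=64) -> bytes:
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, ip(src), ip(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _tos, total, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if vihl != 0x45:
        raise ValueError("only IPv4 headers without options are handled here")
    if checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ident": ident, "flags_frag": flags_frag, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[20:total]}


def is_fragment(hdr: dict) -> bool:
    return bool(hdr["flags_frag"] & MF_FLAG) or (hdr["flags_frag"] & FRAG_OFFSET_MASK) != 0


# IP-in-IP: the whole original datagram becomes the payload of a new outer header.
def ipip_encapsulate(datagram: bytes, home_agent: str, coa: str) -> bytes:
    return build_ipv4(home_agent, coa, PROTO_IPIP, datagram)


def ipip_decapsulate(pkt: bytes) -> bytes:
    outer = parse_ipv4(pkt)
    if outer["proto"] != PROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]       # the inner datagram comes out untouched


# Minimal encapsulation: rewrite the existing header and save the original
# addresses in a forwarding header inserted before the unmodified payload.
def minimal_encapsulate(datagram: bytes, home_agent: str, coa: str) -> bytes:
    h = parse_ipv4(datagram)
    if is_fragment(h):
        raise ValueError("minimal encapsulation must not be used on a fragmented datagram")
    # Forwarding header: original protocol, S flag (0x80) + reserved, checksum,
    # original destination and, because S=1, original source: 12 bytes instead of 20.
    fwd = struct.pack("!BBH4s4s", h["proto"], 0x80, 0, ip(h["dst"]), ip(h["src"]))
    fwd = fwd[:2] + struct.pack("!H", checksum(fwd)) + fwd[4:]
    return build_ipv4(home_agent, coa, PROTO_MIN_ENCAP, fwd + h["payload"],
                      ident=h["ident"], flags_frag=h["flags_frag"], ttl=h["ttl"])


def minimal_decapsulate(pkt: bytes) -> bytes:
    h = parse_ipv4(pkt)
    if h["proto"] != PROTO_MIN_ENCAP:
        raise ValueError("not a minimal encapsulation packet")
    fwd_len = 12 if h["payload"][1] & 0x80 else 8
    fwd = h["payload"][:fwd_len]
    if checksum(fwd) != 0:
        raise ValueError("bad forwarding header checksum")
    proto, orig_dst = fwd[0], str(ipaddress.IPv4Address(fwd[4:8]))
    # With S=0 the source was never rewritten, so it is still in the header.
    orig_src = str(ipaddress.IPv4Address(fwd[8:12])) if fwd_len == 12 else h["src"]
    return build_ipv4(orig_src, orig_dst, proto, h["payload"][fwd_len:],
                      ident=h["ident"], flags_frag=h["flags_frag"], ttl=h["ttl"])


def overhead(encapsulate, datagram: bytes) -> int:
    """Extra bytes the tunnel adds: 20 for IP-in-IP, 12 for minimal encapsulation with S=1."""
    return len(encapsulate(datagram, "203.0.113.1", "192.0.2.1")) - len(datagram)


if __name__ == "__main__":
    # Constructed sample: a UDP datagram from a correspondent node to the mobile node's home address.
    original = build_ipv4("198.51.100.7", "203.0.113.55", 17, b"hello mobile node")
    print(overhead(ipip_encapsulate, original), overhead(minimal_encapsulate, original))  # 20 12
```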

3. Single home agent model -- a fragile model

Although the single home agent model is simple and easy to configure, it has the disadvantage of
fragility. The mobile node becomes unreachable once the home agent breaks down.

Fix: One possible solution is to support multiple home agents. If one home
agent fails, other home agents can take over its duty and route
datagrams for the mobile node.

4. Unbearably frequent reports to the home agent if the mobile node moves frequently
If a person is in a moving vehicle, roaming through neighbouring communities, the
mobile node will have to constantly report to the home agent to change its address. This
degrades performance and delays datagram transmission.

Fix: One possible solution is to support foreign agent clustering. The idea is that by forming a
cluster of foreign agents, only moves from cluster to cluster have to be reported to the home
agent. This approach reduces the number of times a highly mobile node needs to report to
its home agent.

5. Security issues in mobile IP:

Security is always a concern in any internetworking environment these days, but it is especially
important in Mobile IP, because Mobile IP carries a number of risks due to its use of a
registration system and its forwarding of datagrams across an unsecured network.

A. Denial of Service Attack

In the case of a Mobile IP network, a denial of service attack occurs when an
attacker manages to make a bogus registration of a new care-of address for a
particular mobile node. Such a bogus registration gives rise to two problems.
The Mobile IP specification prevents attackers from making bogus
registrations by requiring strong authentication on all registration messages
exchanged during the registration process. In this case, unless the shared key
is exposed, this type of attack is rendered impossible.

B. Passive Eavesdropping

Passive eavesdropping is one kind of information attack. When a mobile node and
its home network are connected and transferring data, the attacker analyses the
traffic, determines the location and identifies the communicating hosts. Passive
attacks are very difficult to detect because they do not involve any alteration of the
data. When messages are exchanged, neither the sender nor the receiver is
aware that a third party has read them. This can be prevented by
encryption of the data, so that the attacker cannot decode or understand the cipher text and
eavesdropping can no longer succeed. If only network-specific encryption is used,
the traffic might still fall victim to eavesdropping. So the best solution is to
use end-to-end encryption on all traffic. This makes an eavesdropping attack
impossible.

C. Replay Attack

Using authentication we can protect mobile devices from denial of service
attacks, but we cannot protect them from replay attacks, because an
attacker can keep a copy of a registration request message and later use this
message to register a care-of address for the mobile device. To prevent this
kind of attack, the mobile device has to generate a unique value for the identification
field whenever registration takes place. The attacker's replayed registration request
will then be rejected, because its identification field does not match the expected value,
and the message will be ignored on behalf of the mobile device.
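The registration message format described earlier (a UDP Registration Request followed by the mandatory mobile-home authentication extension) together with the identification-field check against the replay attack above, as an added Python example that is not part of the original assignment. It follows the RFC 3344 layout (Registration Request type 1, authentication extension type 32 with an HMAC-MD5 authenticator, 64-bit timestamp identification) and RFC 3344 reply codes; the shared key, SPI, addresses and the 7-second clock window are constructed assumptions, and requiring every accepted identification to exceed the previous one is this example's own stricter check.

```python
import hashlib
import hmac
import struct

REG_REQUEST = 1              # Registration Request message type (RFC 3344 section 3.3)
MH_AUTH_EXT = 32             # Mobile-Home Authentication Extension type (RFC 3344 section 3.5.2)
REG_HDR = "!BBH4s4s4sQ"      # type, flags, lifetime, home address, home agent, COA, identification
REG_HDR_LEN = 24
AUTH_LEN = 16                # HMAC-MD5 authenticator length
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
REPLAY_WINDOW = 7            # assumption: tolerated skew between MN and HA clocks, in seconds
CODE_ACCEPTED = 0            # reply codes from RFC 3344 section 3.4
CODE_MN_AUTH_FAILED = 131
CODE_ID_MISMATCH = 133
CODE_POORLY_FORMED = 134


def ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(packed: bytes) -> str:
    return ".".join(str(b) for b in packed)


def make_identification(now: float) -> int:
    """Timestamp-style identification: NTP seconds in the high 32 bits, fraction in the low 32."""
    seconds = int(now) + NTP_EPOCH_OFFSET
    fraction = int((now - int(now)) * 2**32)
    return (seconds << 32) | fraction


def authenticator(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def build_registration_request(home_addr, home_agent, coa, lifetime, identification, spi, key, flags=0):
    body = struct.pack(REG_HDR, REG_REQUEST, flags, lifetime,
                       ip(home_addr), ip(home_agent), ip(coa), identification)
    ext_head = struct.pack("!BBI", MH_AUTH_EXT, 4 + AUTH_LEN, spi)
    # The authenticator covers the request data, any earlier extensions, and this
    # extension's type, length and SPI, so none of those fields can be altered in transit.
    return body + ext_head + authenticator(key, body + ext_head)


class HomeAgent:
    def __init__(self, security_associations):
        self.keys = dict(security_associations)  # (home address, SPI) -> shared key
        self.last_identification = {}            # home address -> last accepted identification
        self.bindings = {}                       # home address -> (COA, expiry time)

    def process_request(self, pkt: bytes, now: float) -> int:
        """Validate a Registration Request and return the Registration Reply code."""
        if len(pkt) < REG_HDR_LEN:
            return CODE_POORLY_FORMED
        _t, _flags, lifetime, home, _ha, coa, identification = struct.unpack(REG_HDR, pkt[:REG_HDR_LEN])
        home = ip_str(home)
        # Walk the (type, length, value) extensions to find the mobile-home authentication extension.
        off = REG_HDR_LEN
        while off + 2 <= len(pkt) and pkt[off] != MH_AUTH_EXT:
            off += 2 + pkt[off + 1]
        if off + 6 > len(pkt):
            return CODE_MN_AUTH_FAILED        # the mandatory extension is missing
        ext_len = pkt[off + 1]
        (spi,) = struct.unpack("!I", pkt[off + 2:off + 6])
        key = self.keys.get((home, spi))
        if key is None or ext_len != 4 + AUTH_LEN or off + 2 + ext_len > len(pkt):
            return CODE_MN_AUTH_FAILED
        received = pkt[off + 6:off + 6 + AUTH_LEN]
        if not hmac.compare_digest(authenticator(key, pkt[:off + 6]), received):
            return CODE_MN_AUTH_FAILED        # forged or tampered request
        # Replay protection: the identification must be fresh and never reused.
        sent_at = (identification >> 32) - NTP_EPOCH_OFFSET
        if abs(sent_at - now) > REPLAY_WINDOW:
            return CODE_ID_MISMATCH           # outside the clock window: stale or replayed
        if identification <= self.last_identification.get(home, 0):
            return CODE_ID_MISMATCH           # a captured request played back again
        self.last_identification[home] = identification
        self.bindings[home] = (ip_str(coa), now + lifetime)
        return CODE_ACCEPTED


if __name__ == "__main__":
    # Constructed scenario: one valid registration, then the same bytes replayed two seconds later.
    key = b"constructed-shared-secret"
    ha = HomeAgent({("203.0.113.55", 256): key})
    t0 = 1_700_000_000.0
    req = build_registration_request("203.0.113.55", "203.0.113.1", "192.0.2.1", 300,
                                     make_identification(t0), 256, key)
    print(ha.process_request(req, t0), ha.process_request(req, t0 + 2))  # 0 133
```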

The limitations of the original IP addressing scheme in supporting mobility

The issues mentioned above can be formalized into the following three requirements concerning the
nodes' static ID structure:

1. The ID used for identification should be separated from the LOC used for routing.

2. Mobile hosts should not possess a static LOC.

3. An addressable entity (for example, a network node) should possess one ID, related neither to
any of its interfaces nor to its location within the network structure.

The next set of requirements, formulated in the paper, concerns the architecture of mobility
support in the network. The assumption is that a single anchor responsible for controlling traffic
delivery to a mobile host's changing network location leads to non-optimal routing, additional
traffic overhead, and a single point of failure. Hence, two more requirements are needed for a
scalable, mobile-host-dominated environment:

4. Mobility support should be provided natively rather than as an additional feature.

5. Traffic forwarding for mobile hosts needs to be realized in a distributed manner.

A general requirement related to quality of service states that the control and data planes
should be separated. This requirement comes from the assumption that mobility provision needs
more control messages than the forwarding of traffic between static hosts. Hence, the sixth
requirement is formulated in the following way:

6. The control plane should be separated from the data plane.

The next three requirements are related to the Future Internet concept and concern the issues of
common delivery mechanisms for heterogeneous and diverse networks, the way mobility is
provisioned, and routing scalability.

7. It should be possible to use different protocols in mobile environments.

8. Both host-based (end-to-end) and network-based solutions should be considered.

9. Both mobility and scalability issues should be considered in the Future Internet addressing
architecture.

In addition to the above requirements for current and mobile-oriented Internet mobility
support, there are also performance requirements for mobile environments. While
developing any Internet mobility solution, the following performance measures are the most
relevant:

- Handover Latency: time elapsed from the moment of receiving the last packet via the
old network to the moment of receiving the first packet via the new network after the
handover.

- Packet Loss: defined as the number of lost packets measured during the handover
process.

- Signalling Overhead: defined as the number of messages exchanged between
networking components for the handover and location procedures.

- Throughput: the amount of data successfully transmitted via a mobile Internet in a
given time period.

The mobility support protocol has to fulfil multiple functions that are not present in networks
supporting only stationary clients. Registration is the process in which the network is
informed about the device and user that connects to the network and is ready to receive
requests. The procedure typically includes authentication, authorization and accounting
(AAA). Paging is the procedure used to determine the location of a mobile device within the
network. The procedure used by the mobile device to inform network about its new position
is called location update. Handover is the procedure that controls the transition of the mobile
device between the points of attachment to the network. Its performance has a direct and
profound impact on user satisfaction. Finally, rerouting is the modification of the routing
information that is typically required after handover.

A change of a node's network point of attachment can lead to various results, as far as network
mechanisms are concerned. Example scenarios include:

- a change of access point in a homogeneous network (a horizontal or intra-technology
handover),

- a change of access technology (a vertical or inter-technology handover),

- a more advanced case, a change of access router requiring network layer information
like IP addressing (inter-Access Network handover).

It should be noted that, if a mobile terminal is equipped with more than one network
interface, it can use one of them to obtain connectivity through a new point of network access
during handover while continuing to use the old one. That way connectivity disruption is
vastly minimized, as connectivity through the new point of network access is already functional
when the old one is disconnected. Such an approach is called soft handover, in contrast with the
usual single-interface procedure, which requires the terminal to terminate network access before
attempting to connect to a new point of access (hard handover).

Assigning IP addresses to mobile devices and stationary devices:

Mobile IP is an Internet Engineering Task Force (IETF) standard
communications protocol that is designed to allow mobile device users to move from one
network to another while maintaining their permanent IP address. Defined in Request for
Comments (RFC) 2002, Mobile IP is an enhancement of the Internet Protocol (IP) that adds
mechanisms for forwarding Internet traffic to mobile devices (known as mobile nodes) when
they are connecting through a network other than their home network.

In traditional IP routing, IP addresses represent a topology. Routing mechanisms rely on the
assumption that each network node will always have the same point of attachment to the
Internet, and that each node's IP address identifies the network link where it is connected.
Core Internet routers look at the IP address prefix, which identifies a device's network. At the
network level, routers look at the next few bits to identify the appropriate subnet. Finally, at
the subnet level, routers look at the bits identifying a particular device. In this routing
scheme, if you disconnect a mobile device from the Internet and want to reconnect through a
different subnet, you have to configure the device with a new IP address, and the
appropriate net mask and default router. Otherwise, routing protocols have no means of
delivering packets because the device's IP address doesn't contain the necessary information
about the current point of attachment to the Internet.

All the variations of Mobile IP assign each mobile node a permanent home address on
its home network and a care-of address that identifies the current location of the device
within a network and its subnets. Each time a user moves the device to a different network, it
acquires a new care-of address. A mobility agent on the home network associates each
permanent address with its care-of address. The mobile node sends the home agent a binding
update each time it changes its care-of address using Internet Control Message Protocol
(ICMP). In Mobile IPv4, traffic for the mobile node is sent to the home network but is
intercepted by the home agent and forwarded via tunnelling mechanisms to the appropriate
care-of address. Foreign agents on the visited network help to forward datagrams. Mobile
IPv6 was developed to minimize the necessity for tunnelling and to include mechanisms that
make foreign agents unnecessary.

Two crossing problem:

Two crossing happens when a remote/correspondent node corresponds with a mobile node
that has moved to the same network as the remote node. When the mobile node sends a data
packet to the remote node, there is no inefficiency; the communication is local. But when the
remote node sends a data packet to the mobile node, the packet travels the Internet twice.
This involves inefficiency, and this inefficiency from double crossing is significant.

A Virtual Private Network (VPN):

VPN stands for virtual private network. A virtual private network (VPN) is a technology that
creates a safe and encrypted connection over a less secure network, such as the Internet.
A virtual private network is a way to extend a private network using a public network such as
the Internet. The name itself suggests that it is a virtual "private network", i.e. a user can be
part of a local network while sitting at a remote location. It makes use of tunnelling protocols
to establish a secure connection.
Think of a situation where the corporate office of a bank is situated in Washington. The head
office has a local network consisting of, say, 100 computers. Suppose other branches of the
bank are in Mumbai, India and Tokyo, Japan. The traditional method of establishing a secure
connection between the head office and a branch was to have a leased line between the branches
and the head office, which was very costly as well as troublesome. VPNs let us overcome this
issue in an effective manner.

A virtual private network (VPN) extends a private network across a public network and
enables users to send and receive data across shared or public networks as if their computing
devices were directly connected to the private network. Applications running on an end
system (PC, smartphone etc.) across a VPN may therefore benefit from the functionality,
security, and management of the private network. Encryption is a common, though not an
inherent, part of a VPN connection.
VPN technology was developed to allow remote users and branch offices to access corporate
applications and resources. To ensure security, the private network connection is established
using an encrypted layered tunnelling protocol, and VPN users use authentication methods,
including passwords or certificates, to gain access to the VPN. In other applications, Internet
users may secure their connections with a VPN to circumvent geo-restrictions and censorship
or to connect to proxy servers to protect personal identity and location to stay anonymous on
the Internet. Some websites, however, block access to known VPN technology to prevent the
circumvention of their geo-restrictions, and many VPN providers have been developing
strategies to get around these roadblocks. A VPN is created by establishing a virtual point-to-
point connection through the use of dedicated circuits or with tunnelling protocols over
existing networks. A VPN available from the public Internet can provide some of the benefits
of a wide area network (WAN). From a user perspective, the resources available within the
private network can be accessed remotely.

Types of Virtual Private Network (VPN) and its Protocols

A Virtual Private Network (VPN) allows a user to connect to a private
network over the Internet securely and privately. A VPN creates an encrypted connection,
called a VPN tunnel, and all Internet traffic and communication is passed through this secure
tunnel.
Virtual Private Networks (VPNs) are basically of 2 types:
1. Remote Access VPN:
A Remote Access VPN permits a user to connect to a private network and access all its
services and resources remotely. The connection between the user and the private
network occurs through the Internet, and the connection is secure and private. Remote
Access VPNs are useful for home users and business users alike.
An employee of a company who is out of station uses a VPN to connect to
the company's private network and remotely access files and resources on the
private network. Private or home users of VPNs primarily use VPN services to
bypass regional restrictions on the Internet and access blocked websites. Users aware of
Internet security also use VPN services to enhance their Internet security and privacy.
2. Site-to-Site VPN:
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in
large companies. Companies or organizations with branch offices in different
locations use Site-to-Site VPNs to connect the network of one office location to the
network at another office location.

- Intranet based VPN: When several offices of the same company are
connected using the Site-to-Site VPN type, it is called an Intranet based VPN.
- Extranet based VPN: When companies use the Site-to-Site VPN type to connect
to the office of another company, it is called an Extranet based VPN.

Basically, a Site-to-Site VPN creates an imaginary bridge between the networks at geographically
distant offices, connects them through the Internet and sustains secure and private
communication between the networks. In a Site-to-Site VPN one router acts as a VPN client
and another router as a VPN server, as it is based on router-to-router communication. Only when
the authentication between the two routers is validated does the communication start.

Types of Virtual Private Network (VPN) Protocols:

1. Internet Protocol Security (IPsec):
Internet Protocol Security, known as IPsec, is used to secure Internet communication
across an IP network. IPsec secures Internet Protocol communication by verifying the
session and encrypting each data packet during the connection.
IPsec runs in 2 modes:
(i) Transport mode
(ii) Tunnelling mode
Transport mode encrypts the message in the data packet, while
tunnelling mode encrypts the whole data packet. IPsec can also be used with other
security protocols to improve the security system.
2. Layer 2 Tunnelling Protocol (L2TP):
L2TP or Layer 2 Tunnelling Protocol is a tunnelling protocol that is often combined
with another VPN security protocol like IPsec to establish a highly secure VPN
connection. L2TP generates a tunnel between two L2TP connection points, and the IPsec
protocol encrypts the data and maintains secure communication within the tunnel.

3. Point-to-Point Tunnelling Protocol (PPTP):
PPTP or Point-to-Point Tunnelling Protocol generates a tunnel and confines the data
packet. Point-to-Point Protocol (PPP) is used to encrypt the data between the
connections. PPTP is one of the most widely used VPN protocols and has been in use
since the early releases of Windows. PPTP is also used on Mac and Linux apart from
Windows.

4. SSL and TLS:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) generate a VPN
connection where the web browser acts as the client and user access is restricted to
specific applications instead of the entire network. Online shopping websites commonly
use the SSL and TLS protocols. It is easy for web browsers to switch to SSL, with
almost no action required from the user, as web browsers come integrated with SSL and
TLS. SSL connections have "https" at the start of the URL instead of "http".

5. OpenVPN:
OpenVPN is an open source VPN that is commonly used for creating point-to-point and
site-to-site connections. It uses a traditional security protocol based on the SSL and TLS
protocols.

6. Secure Shell (SSH):
Secure Shell or SSH generates the VPN tunnel through which the data transfer occurs
and also ensures that the tunnel is encrypted. SSH connections are generated by an SSH
client, and data is transferred from a local port to the remote server through the
encrypted tunnel.

Network address translation (NAT)

Network Address Translation (NAT) is a process in which one or more local IP addresses are
translated into one or more global IP addresses, and vice versa, in order to provide Internet
access to the local hosts. NAT generally operates on a router or firewall.

Network address translation (NAT) working –

Generally, the border router is configured for NAT, i.e. the router which has one interface in
the local (inside) network and one interface in the global (outside) network. When a packet
leaves the local (inside) network, NAT converts its local (private) IP address to a
global (public) IP address. When a packet enters the local network, the global (public) IP
address is converted back to the local (private) IP address.
If NAT runs out of addresses, i.e., no address is left in the configured pool, then the packets
are dropped and an Internet Control Message Protocol (ICMP) host unreachable packet is
sent to the destination.
NAT types –
There are 3 types of NAT:
1. Static NAT –
In this type, a single private IP address is mapped to a single public IP address, i.e., one
private IP address is translated to one public IP address. It is used in web hosting.

2. Dynamic NAT –
In this type of NAT, multiple private IP addresses are mapped to a pool of public IP
addresses. It is used when the number of users who want to access the Internet at a
given point of time is known and fixed.

3. Port Address Translation (PAT) –

This is also known as NAT overload. In this type, many local (private) IP addresses can be
translated to a single public IP address. Port numbers are used to distinguish the traffic,
i.e., which traffic belongs to which private IP address. This is the most frequently used type,
as it is cost effective: thousands of users can be connected to the Internet using only one
real global (public) IP address.
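The three NAT types above, worked through as a toy translator. This is an added example, not code from the assignment or any router; all addresses and the two-port pool are constructed, and the tiny pool is deliberate so that the "pool exhausted, drop and signal ICMP host unreachable" case can be shown.

```python
# Added example (not from the assignment): a toy NAT with Static NAT and PAT
# (NAT overload). Addresses are constructed from RFC 1918 / RFC 5737 ranges.
PUBLIC_IP = "203.0.113.5"                     # the single "real" global address
STATIC_MAP = {"10.0.0.10": "203.0.113.10"}    # Static NAT: one private <-> one public
STATIC_BACK = {pub: priv for priv, pub in STATIC_MAP.items()}


def static_nat(pkt, direction):
    """Static NAT for a hosted server: fixed one-to-one address rewrite."""
    if direction == "out" and pkt["src"] in STATIC_MAP:
        return dict(pkt, src=STATIC_MAP[pkt["src"]], action="forward")
    if direction == "in" and pkt["dst"] in STATIC_BACK:
        return dict(pkt, dst=STATIC_BACK[pkt["dst"]], action="forward")
    return {"action": "drop"}


class Pat:
    """NAT overload: many private hosts share PUBLIC_IP, told apart by port."""

    def __init__(self, public_ip=PUBLIC_IP, ports=(40000, 40001)):
        self.public_ip = public_ip
        self.free = list(ports)      # pool of public ports (tiny, to show exhaustion)
        self.out = {}                # (private ip, private port) -> public port
        self.back = {}               # public port -> (private ip, private port)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the private source address and port."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out:
            if not self.free:
                # Pool exhausted: drop and signal ICMP host unreachable, as the text says.
                return {"action": "drop", "icmp": "host-unreachable"}
            port = self.free.pop(0)
            self.out[key] = port
            self.back[port] = key
        return dict(pkt, src=self.public_ip, sport=self.out[key], action="forward")

    def inbound(self, pkt):
        """Outside -> inside: the public destination port identifies the private flow."""
        key = self.back.get(pkt["dport"])
        if key is None:              # no translation entry: unsolicited, drop it
            return {"action": "drop"}
        return dict(pkt, dst=key[0], dport=key[1], action="forward")
```

Note that two inside hosts may use the same private source port (51000 in the test below); PAT keeps them apart only by the public port it allocates, which is why the inbound lookup is keyed on that port alone.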

A VPN with Private Addresses:

There are two fundamental concepts behind most VPNs:

 The notion of tunnelling, which means encapsulating traffic of one type within
another.
 Most VPN client software creates a "virtual" network adapter on the system.
Traffic that is sent to this virtual network adapter is actually shunted to the VPN client
software (most modern OSs support this type of network adapter, which sends traffic to an
application or service rather than directly out of a physical network adapter). The client
takes the packets, adds them as payload data in an encrypted protocol (SSL, etc.), and then
ships the encrypted packets to the VPN server over the Internet out of the real network
adapter. This whole process is called tunnelling; encryption does not have to be involved, but
it is in the case of a VPN.

The VPN server then undoes the encapsulation and has the original traffic, which it can then
route normally. Because a virtual network adapter is used at the client, and the
encapsulation/de-encapsulation is transparent to anything travelling over the virtual network
adapter, addresses that exist on the other side of the VPN server can be used as though they
were directly connected. With regard to DNS, it is possible to tell a DNS server to return any
address you want, including private IP ranges. The VPN server needs at least one public IP
address, and a DNS name resolving to that public IP, so that the VPN software can create the
tunnel; but once the tunnel is up, it is perfectly fine for hosts "behind" the VPN to have
private IP addresses that are reachable only "through" the VPN.
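The text notes that tunnelling is encapsulation and that encryption is optional. The plainest form is IP-in-IP (protocol number 4), which is also what a Mobile IP home agent uses to reach a care-of address, and it is the layout that IPSec tunnel mode wraps before encrypting. The following is an added example, not code from the assignment: it builds a minimal IPv4 header with a correct checksum, encapsulates an inner datagram, and has the tunnel endpoint verify and strip the outer header. All addresses are constructed.

```python
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a valid header sums to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len,
                      0, 0, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(inner_pkt: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner datagram becomes the payload of an outer IPv4
    packet whose protocol field is 4 (IP-in-IP). Overhead is exactly 20 bytes."""
    return ipv4_header(tunnel_src, tunnel_dst, 4, len(inner_pkt)) + inner_pkt


def decapsulate(outer_pkt: bytes) -> bytes:
    """Tunnel exit: check the outer header, then hand back the original datagram."""
    ver_ihl, _, total_len = struct.unpack("!BBH", outer_pkt[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or outer_pkt[9] != 4:
        raise ValueError("not an IPv4-in-IPv4 packet")
    if ipv4_checksum(outer_pkt[:ihl]) != 0:  # corrupted outer header: refuse it
        raise ValueError("bad outer header checksum")
    return outer_pkt[ihl:total_len]
```

A VPN adds an encrypted and authenticated layer around the inner packet in place of the bare outer header shown here, which is why its per-packet overhead is larger than the 20 bytes of plain IP-in-IP.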
The legitimate user's mobile node is no longer connected; the attacker gets to see all traffic
directed to the original mobile node.
