Re: IPSEC tunnels and Mobile IP



At 03:28 PM 2/26/98 -0000, Stephen Waters wrote:
>
>Does IPSEC tunnel mean I can forget about Mobile IP?

IMNSHO, Mobile IP is for mobile units, i.e. cars, tanks, soldiers, and
pedestrians.  A notebook I plug into a phone jack in a hotel, car dealer,
or conference LAN does not need Mobile IP, only IPsec.

In IPsecond when we add something like
draft-ietf-ipsec-isakmp-mode-cfg-02.txt, IPsec will have a straightforward
model for 'road warrior'.

Of course, Mobile IP needs IPsec for solid security...

>Here is the Mobile IP model as I understand it:
>
>
>Client----- PPP[IP1]-----NAS/Mobile IP ------[IP2][stuff][IP1]-----NAS/Mobile IP ---[xxx][IP1]---- client
>
>
>
>Mobile IP Issue: Client passes Intranet addressed packets to the NAS.  
>
>I am assuming that VPN customers will want to encrypt their own data.  I
>am also assuming that VPN customers will want to 'hide' their Intranet
>addresses.   To achieve this, the client could use IPSEC ESP,  and the
>NAS/Mobile IP would need to re-encrypt to protect the Intranet address.
>
>So, if the customer can do their own tunnel (IPSEC tunnel), why do I
>need Mobile IP?
>
>Well, there seems to be some loss of service going from Mobile IP to
>IPSEC tunnels :
>
>1) tunnel server address resolution 
>2) exposure to denial-of-service attacks
>3) client needs global Internet address
>
>These services COULD be replaced with other solutions - e.g. NAT,
>Filtering, IPCP or DNS tunnel server address resolution.
>
>Any other takes on this?
>Cheers, Steve. 
>
Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com

