
Re: IPSEC tunnels and Mobile IP



At 08:40 PM 3/1/98 -0500, you wrote:
>
>
>On Fri, 27 Feb 1998, Robert Moskowitz wrote:
>
>> At 03:28 PM 2/26/98 -0000, Stephen Waters wrote:
>> >
>> >Does IPSEC tunnel mean I can forget about Mobile IP?
>> 
>> IMNSHO, Mobile IP is for mobile units. ie cars, tanks, soldiers, and
>> pedestrians.  A notebook I plug into a phone jack in a hotel, car dealer,
>> or conference LAN does not need Mobile IP, only IPsec.
>> 
>
>I once again don't understand this.  To me the difference between
>a mobile user and other uses of IP, as far as the protocols are concerned,
>is that the mobile user is likely to have a different IP address from one
>instance to the next, and is likely to be routed differently from one
>instance to the next.

The Mobile IP user always has a permanent IP address (the IP address
he/she uses in their home subnet).  When the Mobile IP user roams from the
home subnet, the user is issued a temporary IP address (which is mapped by
the home and foreign agents to the roaming user's permanent IP address) for
use in the visited subnet.  All other nodes which send packets to the
roaming node can still use the roaming node's permanent IP address without
having any a priori knowledge of the roaming node's current subnet location.
Namely, a roaming Mobile IP equipped node never loses its home IP identity;
it can always be addressed by its home subnet IP address.  The only routing
change that predictably occurs when a Mobile IP node roams is the tunnel
from the node's home agent to the foreign agent serving the subnet
currently being visited by the Mobile IP node.

>In a public network, the two may often go together.
>In a private network, including "tanks, soldiers, etc.", this may actually
>not be the case as often. So it seems to me that tanks and soldiers
>actually could conceivably look more like the non-mobile case as far
>as the network protocols are concerned,  at least more often than does the
>salesman in his hotel room, unless the salesman always dials into the
>same service point and always gets the same address.
>
>It seems to me that the real challenge presented by mobile IP, and also
>by many office LANS, is the dynamic IP address.  Will the present
>protocols accommodate dynamic IP and NFS on a multi-user host?

Mobile IP does not prevent the use of NFS even if the exported file systems
are on a roaming mobile IP equipped node.

>Is there a scalable key infrastructure that will accommodate this?

For Mobile IP to become more than a lab proof-of-concept protocol, it needs
to be adopted by packet service carriers (Cellular Phone companies, ..) and
included in shrink-wrapped desk-top computer operating systems (Win95, NT,
Solaris, Linux, ...) as a standard component.  For customers to see any
advantage to using Mobile IP away from their home subnet, using Mobile IP
must be transparent to the user.  This means that many network operators in
a metropolitan area need to provide Mobile IP support.  Consequently
Mobile IP must work across many operator domains and yet provide a common
SCALABLE security/authentication mechanism.  I contend that Mobile IP's
authentication must be public key based so it can scale to 10,000s of
users.  This approach must also include cross-CA certificate validation
since it is very unlikely that the different service providers in an area
will subscribe to the same CA.

I see the following as a very typical scenario in a few years:  "You are
busy in your office checking out the new corporate web pages you just
finished for a major customer across town when you get a phone call.  The
call is from the CIO of this customer and he wants a meeting in his office
in one hour to review your progress.  So you shut down your laptop, moving
it from its docking station to your briefcase and head to your car.  When
you get stuck in a traffic jam half way across town, you boot the laptop,
bring up your email and send the CIO a high priority email that you will be
30 minutes late to the meeting.  After the jam clears, you continue heading
to the customer's location.  Upon arriving you head to the CIO's office.
During the meeting you find that a key web page was left on another
computer back at work.  So you boot up your laptop and retrieve the needed
page allowing you to continue your presentation.  After the meeting, before
leaving the parking lot to return to your office, you decide to check your
email and find an emergency message for you to go home. After getting home
and resolving the emergency, you decide to continue working from home
rather than bucking the rush hour traffic back to the office.  So you boot
the laptop and start checking on the status of another project you're
involved with."

Widely available Mobile IP, with scalable authentication (and billing
capabilities) can make the above work.

>
>
>Regards,
>Mitch Nelson
>
>
>
==========================
Stuart Jacobs CISSP
Network Security
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
USA
telephone: (781) 466-3076
fax: (781) 466-2838
==========================
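The forwarding path described in the reply above (permanent home address, temporary care-of address, home agent tunnelling to the foreign agent) as an added worked example; this is illustrative code written for this archive page, not code from the original post or from any Mobile IP implementation. It assumes a simplified registration exchange: the registration is authenticated with HMAC-SHA256 over the registration fields as a stand-in for the Mobile-Home authentication extension, there is no registration reply or replay protection, and all addresses and shared secrets are constructed for the example.

```python
"""Minimal simulation of Mobile IP forwarding: a node keeps its permanent
home address, registers a care-of address with its home agent, and the home
agent tunnels packets sent to the home address to the serving foreign agent.
Added example with constructed addresses and keys; HMAC-SHA256 is an assumed
stand-in for the Mobile-Home authentication extension."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """A plain IP datagram: source, destination, payload."""
    src: str
    dst: str
    payload: bytes


@dataclass
class Tunneled:
    """IP-in-IP encapsulation: an outer header wrapped around the original packet."""
    outer_src: str
    outer_dst: str
    inner: Packet


def registration_tag(key: bytes, home_addr: str, care_of: str, lifetime: int) -> bytes:
    """Authenticator over the registration fields (assumed HMAC-SHA256 stand-in)."""
    msg = f"{home_addr}|{care_of}|{lifetime}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class HomeAgent:
    """Holds the binding table (home address -> care-of address) and tunnels
    traffic for nodes that are currently away from the home subnet."""

    def __init__(self, address: str, shared_keys: dict):
        self.address = address
        self.shared_keys = shared_keys  # home address -> secret shared with that node
        self.bindings = {}              # home address -> care-of address

    def register(self, home_addr: str, care_of: str, lifetime: int, tag: bytes) -> bool:
        key = self.shared_keys.get(home_addr)
        if key is None:
            return False  # unknown mobile node
        expected = registration_tag(key, home_addr, care_of, lifetime)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or corrupted registration: binding table untouched
        if lifetime == 0:
            self.bindings.pop(home_addr, None)  # deregistration when the node returns home
        else:
            self.bindings[home_addr] = care_of
        return True

    def route(self, pkt: Packet):
        """Deliver directly if the node is at home, otherwise tunnel to its care-of address."""
        care_of = self.bindings.get(pkt.dst)
        if care_of is None:
            return pkt
        return Tunneled(self.address, care_of, pkt)


class ForeignAgent:
    """Decapsulates tunneled packets for the visiting nodes it serves."""

    def __init__(self, address: str):
        self.address = address
        self.visitors = set()

    def accept(self, home_addr: str) -> None:
        self.visitors.add(home_addr)

    def decapsulate(self, tun: Tunneled):
        if tun.outer_dst != self.address or tun.inner.dst not in self.visitors:
            return None
        return tun.inner  # inner destination is still the node's home address


def roaming_scenario() -> dict:
    """At home -> roam -> forged registration attempt -> return home (constructed values)."""
    home_addr = "10.1.0.7"                       # the node's permanent home address
    secret = b"shared-secret-for-10.1.0.7"
    ha = HomeAgent("10.1.0.1", {home_addr: secret})
    fa = ForeignAgent("192.0.2.1")               # care-of address on the visited subnet
    fa.accept(home_addr)
    corr = Packet("203.0.113.9", home_addr, b"hello")  # correspondent only knows the home address

    at_home = ha.route(corr)                     # no binding yet: direct delivery
    registered = ha.register(home_addr, fa.address, 600,
                             registration_tag(secret, home_addr, fa.address, 600))
    tunneled = ha.route(corr)                    # now encapsulated toward the foreign agent
    delivered = fa.decapsulate(tunneled)

    bad_tag = registration_tag(b"wrong-key", home_addr, "198.51.100.5", 600)
    forged = ha.register(home_addr, "198.51.100.5", 600, bad_tag)
    binding_after_forgery = ha.bindings.get(home_addr)

    ha.register(home_addr, home_addr, 0, registration_tag(secret, home_addr, home_addr, 0))
    back_home = ha.route(corr)

    return {
        "at_home_direct": isinstance(at_home, Packet),
        "registered": registered,
        "tunnel_outer": (tunneled.outer_src, tunneled.outer_dst),
        "delivered_dst": delivered.dst if delivered else None,
        "forged_rejected": not forged,
        "binding_after_forgery": binding_after_forgery,
        "back_home_direct": isinstance(back_home, Packet),
    }


if __name__ == "__main__":
    for k, v in roaming_scenario().items():
        print(f"{k}: {v}")
```

The point the reply makes is visible in `delivered_dst`: the correspondent addresses the node by its home address throughout, and the only thing that changes when the node roams is the outer header of the tunnel from the home agent to the foreign agent. The registration check is where the authentication question in the thread bites: a binding update that is not authenticated would let anyone redirect a node's traffic, so the home agent must refuse to touch the binding table unless the tag verifies.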

