
ISAKMP configuration and Mobile-IP





  During Roy Pereira's presentation of <draft-ietf-ipsec-isakmp-mode-cfg-*.txt>
  at the LA IETF, one of the questions raised was the
  interaction of the proposed mechanisms with Mobile IP [RFC2002].
  Here are some thoughts on the subject. The quick summary is that
  the two protocols can work well together provided the Mobile IP
  implementation on the mobile node is careful in its selection of
  a co-located care-of address. No changes are necessary at the
  home agent.

  vipul

  --------------------- Details follow ------------------------

  Roy's draft "The ISAKMP Configuration Method" describes a mechanism
  by which a nomadic host on the Internet (e.g. a corporate employee
  "on the road") acquires an "internal address" belonging to a protected
  network (e.g. the firewall-protected corporate network) and communicate
  securely with other hosts on the protected network. Keys and
  security associations necessary to protect such communication
  are negotiated through IKE. For the rest of this discussion, IKE+
  refers to IKE plus the ISAKMP Configuration method.

  In this case, the "external" nomadic host is assigned two
  addresses: (1) one belonging to the protected network (negotiated
  via ISAKMP Configuration), and (2) a topologically significant
  address on the Internet (assigned by an ISP through DHCP, PPP, or
  manual intervention). It is certainly possible to set things up
  so that a nomadic host always acquires the same "internal" IP address
  whenever it is out on the Internet. This is enough to emulate a limited
  type of "mobility support" -- no matter where the portable computer
  is on the Internet, it will be reachable at the same "internal" address.
  Here IKE+ is used to "register" the portable computer's "care-of address"
  with the IPSec gateway and to set up a (IPSec) tunnel between the
  gateway and the portable computer. With this mechanism, however, 
  mobility support is only available for addresses that are normally 
  routed to the IPSec gateway within the protected network. When the
  portable computer is moved inside the corporate network (say at the
  employee's office desk), it would typically use a different 
  address (one that is not routed to the gateway). 

  To allow the portable computer to use the same IP address
  within the protected network and outside on the Internet,
  one could do the following:

   - Use the topologically significant address to initiate
     IKE+ with the IPSec gateway and acquire an "internal"
     address valid within the protected network (call it I).
     After this negotiation, the portable computer will be able
     to communicate securely with all hosts within the protected
     network. Its communication partners within the protected
     network will see communications originating from I.

   - Use the newly acquired address (I) as a co-located care-of address
     for normal Mobile IP registration. The Mobile IP implementation
     MUST NOT register its topologically significant address since
     there is no guarantee that this external address will be 
     reachable from the home agent (which may be well inside the
     protected network). Many protected networks keep internal
     routers unaware of external addresses and do not use default
     routing to carry packets for such external addresses to the
     periphery gateway.

     This automatically implies that Mobile IP must be
     able to distinguish between "internal" and "external" 
     addresses. 

  The following packet flow diagrams illustrate how the overall 
  scheme would work. The relative positions of the portable computer,
  the IPSec gateway and the home agent are assumed to be:

                                       |
                   Protected Net       |       Internet
                                       |
             Home Agent           IPSec Gateway           Portable 
                                       |                 computer
                                       |
                                       |

  These figures also assume that a mobile host uses reverse tunneling
  [RFC2344] to tunnel traffic for correspondent nodes through its
  home agent and that ESP* (newer ESP with authentication) is used to
  protect traffic on the Internet.

   I: An "internal" address acquired by the portable computer
      through the ISAKMP configuration method
   T: The topologically significant address of the portable
      computer. It identifies its current point of attachment
      to the Internet.
  MN: The portable computer's "home address". This is the address
      at which the portable computer is always reachable if it
      uses Mobile IP.
  GW: An "external" address at which the IPSec gateway is reachable
      from hosts on the Internet.
  HA: home agent
  CN: correspondent node (a communication partner of the mobile node).
  a->b: An IP header in which a is the source and b is the destination.

  Registration request:
  ====================

     From portable computer to IPSec gateway (across the Internet)

                        |<- This part->|<-- This part generated ->|
                           generated by       by Mobile IP
                              IPSec
                                      
                         <---------
                        +--------+-----+----------+--------------+
                        | T->GW  | ESP*|  I -> HA |  UDP reg req |
                        +--------+-----+----------+--------------+
                         outer IP        inner IP

     From IPSec gateway to home agent (within the protected network)

                     <---------
                 +----------+--------------+
                 |  I -> HA |  UDP reg req |
                 +----------+--------------+

  Registration reply:
  ==================

     From home agent to IPSec gateway (within the protected network)

                            --------->
                 +--------------+----------+
                 |  UDP reg rep |  HA -> I |
                 +--------------+----------+

     From IPSec gateway to portable computer (across the Internet)
                                      
                                              -------->
                       +--------------+----------+-----+--------+
                        |  UDP reg rep | HA -> I  | ESP*| GW->T  |
                       +--------------+----------+-----+--------+
                                        inner IP        outer IP

   Outer IP and ESP* are consumed by IPSec, the rest of the packet is
   processed by Mobile IP.


   Data transfer from Mobile host to a correspondent node:
   ======================================================

     From portable computer to IPSec gateway (across the Internet)

                        |<-- gen. by ->|<-Generated by Mobile IP->|
                              IPSec

                         <---------
                        +--------+-----+----------+--------+-----+
                        | T->GW  | ESP*|  I -> HA | MN->CN | ULP |
                        +--------+-----+----------+--------+-----+
                         outer IP                  Inner IP

     From IPSec gateway to home agent (within the protected network)

                   <---------
                 +----------+--------+-----+
                 |  I -> HA | MN->CN | ULP |
                 +----------+--------+-----+


     From home agent to correspondent node (the exact location of the
     CN is unspecified and the mechanism used to deliver packets to
     the CN is the same as that used when the mobile node is "at home").

             <---------
          +--------+-----+
          | MN->CN | ULP |
          +--------+-----+

      

   Data transfer from the correspondent node to the mobile node:
   ============================================================

     From the correspondent node to the home agent 

             --------->
          +-----+--------+
          | ULP | CN->MN |
          +-----+--------+

     From the home agent to the IPSec gateway (within the protected network)

                             --------->
                +-----+--------+----------+
                | ULP | CN->MN |  HA -> I |
                +-----+--------+----------+
                                 

     From the IPSec gateway to the portable computer (across the Internet)
                                      
                                      MIP hdr      -------->
                     +-----+--------+----------+-----+--------+
                     | ULP | CN->MN |  HA -> I | ESP*| T->GW  |
                     +-----+--------+----------+-----+--------+
                          innermost IP               outermost IP  
   
   Again, the outermost IP and ESP* are consumed by IPSec and the
   rest is processed by Mobile IP.            

   These packet formats are very similar to (but not the same as) those
   described in <draft-montenegro-firewall-sup-03.txt> ("Firewall Support
   for Mobile IP", Montenegro and Gupta). The use of multiple tunnels
   and IPSec increases the size of packets and their processing time.
   The performance impact of these changes is discussed in
   "Secure And Mobile Networking", Gupta and Montenegro, available
   from http://playground.sun.com/pub/mobile-ip/. That paper
   uses SKIP (in-line keying) and separate ESP and AH headers (old style) to
   secure traffic on the Internet. Since the above scheme uses 
   out-of-band key management and newer ESP (which includes 
   authentication), it has lower overhead.
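
  As an added worked example (not code from the original message and not
  part of any implementation it refers to), the following Python builds and
  unwraps the packet layering shown in the figures above: the registration
  request and a data packet leave the portable computer as
  T->GW | ESP* | I->HA | ... , the IPSec gateway consumes the outer IP and
  ESP* layers, and the home agent consumes the Mobile IP tunnel. It also
  enforces the selection rule from the message (the co-located care-of
  address MUST be the internal address I, never T) and measures the
  per-packet overhead the two tunnels add. Assumptions: all addresses, the
  10.0.0.0/8 "protected" prefix, the ESP key and SPI are constructed; ESP*
  is shown with NULL encryption and an HMAC-SHA-256-128 ICV (RFC 4868
  truncation) so every layer stays readable, where a real deployment would
  also encrypt; the ULP is carried as UDP; the registration request uses
  the RFC 2002 field layout with the D (co-located) and RFC 2344 T (reverse
  tunnel) flag bits.

```python
"""Added example: Mobile IP reverse tunnel (careof->HA) inside an ESP tunnel (T->GW).
ESP* here = NULL encryption + HMAC-SHA-256-128 ICV; all addresses/keys are constructed."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
MIP_REG_PORT = 434                                  # Mobile IP registration port (RFC 2002)
MIP_FLAG_D, MIP_FLAG_T = 0x20, 0x02                 # co-located care-of; reverse tunnel (RFC 2344)
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the protected network
T, GW = "198.51.100.7", "203.0.113.1"               # external (Internet) addresses, constructed
I, MN, HA, CN = "10.9.8.7", "10.1.1.50", "10.1.1.1", "10.2.2.2"   # internal addresses, constructed
ESP_KEY = b"constructed demo key - a real SA gets its key from IKE"


def choose_careof(candidates, prefixes=INTERNAL_PREFIXES):
    """Care-of selection rule: register an internal address (I), never the external T."""
    for addr in candidates:
        if any(ipaddress.ip_address(addr) in p for p in prefixes):
            return addr
    raise ValueError("no internal address available; refusing to register an external one")


def checksum(data):
    """RFC 791 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ip_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ip(pkt):
    """Return (src, dst, proto, payload); a bad header checksum is fatal."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    src, dst = (str(ipaddress.ip_address(pkt[o:o + 4])) for o in (12, 16))
    return src, dst, pkt[9], pkt[ihl:]


def esp_encap(inner, spi, seq, next_hdr, key=ESP_KEY):
    """ESP tunnel mode, RFC 4303 layout: SPI | seq | payload | pad | padlen | NH | ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + inner + trailer
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def esp_decap(esp, seen, key=ESP_KEY):
    """Verify the ICV before anything else, then drop replayed sequence numbers."""
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP ICV mismatch: drop")
    _spi, seq = struct.unpack("!II", body[:8])
    if seq in seen:
        raise ValueError("ESP replay: drop")
    seen.add(seq)
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:-(2 + pad_len)]


def mn_send(ulp, seq, careof):
    """Portable computer, data: ULP in MN->CN, reverse-tunnelled careof->HA, then ESP* in T->GW."""
    inner = ip_header(MN, CN, IPPROTO_UDP, len(ulp)) + ulp          # ULP carried as UDP (assumption)
    mip = ip_header(careof, HA, IPPROTO_IPIP, len(inner)) + inner
    esp = esp_encap(mip, 0x1001, seq, IPPROTO_IPIP)
    return ip_header(T, GW, IPPROTO_ESP, len(esp)) + esp


def mn_register(seq, careof, lifetime=1800):
    """Portable computer, registration request: UDP/434 careof->HA, then ESP* in T->GW."""
    req = struct.pack("!BBH4s4s4sQ", 1, MIP_FLAG_D | MIP_FLAG_T, lifetime,   # RFC 2002 fields
                      ipaddress.ip_address(MN).packed, ipaddress.ip_address(HA).packed,
                      ipaddress.ip_address(careof).packed, 0x1234)            # identification
    udp = struct.pack("!HHHH", 40000, MIP_REG_PORT, 8 + len(req), 0) + req
    mip = ip_header(careof, HA, IPPROTO_UDP, len(udp)) + udp
    esp = esp_encap(mip, 0x1001, seq, IPPROTO_UDP)
    return ip_header(T, GW, IPPROTO_ESP, len(esp)) + esp


def gw_inbound(pkt, seen):
    """IPSec gateway: consume outer IP and ESP*, forward the careof->HA packet unchanged."""
    _src, dst, proto, esp = parse_ip(pkt)
    if (dst, proto) != (GW, IPPROTO_ESP):
        raise ValueError("not an ESP packet addressed to the gateway")
    next_hdr, mip = esp_decap(esp, seen)
    if parse_ip(mip)[2] != next_hdr:
        raise ValueError("ESP next-header disagrees with the inner packet")
    return mip


def ha_inbound(mip):
    """Home agent: strip the Mobile IP tunnel or hand a registration request to the MIP code."""
    _src, dst, proto, payload = parse_ip(mip)
    if dst != HA:
        raise ValueError("tunnel not addressed to the home agent")
    if proto == IPPROTO_IPIP:
        return "data", payload                         # MN->CN, delivered as if MN were at home
    if proto == IPPROTO_UDP and struct.unpack("!H", payload[2:4])[0] == MIP_REG_PORT:
        return "registration", payload[8:]            # UDP reg req
    raise ValueError("unexpected inner protocol")


def tunnel_overhead(ulp_len):
    """Bytes the two tunnels add to a plain MN->CN packet of the given ULP size."""
    return len(mn_send(b"x" * ulp_len, 1, I)) - (20 + ulp_len)
```

  The order of checks at the gateway is the point a practitioner should
  keep: the ICV is verified before the sequence number or any inner header
  is looked at, and the ESP next-header value is cross-checked against the
  inner packet so a forged inner protocol cannot be smuggled past the
  decapsulation. The overhead function makes the cost noted above concrete:
  the outer IP header, the ESP header and trailer with its ICV, and the
  Mobile IP tunnel header are all paid on every packet.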