
IPsec-based user authentication and security policy in Mobile IP?



Hello,
I am new to the list. I have a few questions about the use of IPsec in Mobile
IP.

You likely know that Mobile IP is designed to facilitate roaming of Internet
users between different access networks based on different technologies. As
the access networks are connected to each other across the untrusted
Internet, they must be protected against malicious intruders. In the
description of Mobile IP itself, solutions have been developed to secure
Mobile IP signaling messages (registration, binding update).
My guess is that it is also possible to use IPsec for these cases and even
for protecting user data traffic. What's more, besides signaling and data
protection (encryption, integrity checking, data origin authentication),
IPsec provides user authentication as well.

Focusing on the requirements of a secure Mobile IP connection consider the
following questions:

User authentication
User identification in Mobile IP and in the access network will be
independent. For example, the secret key stored on the SIM card and used for
GSM/UMTS-level authentication cannot be reused for IP-level
authentication. For IP-level authentication, a private/public key mechanism
can take place at every registration procedure with the home agent, identifying
the user by the so-called Network Access Identifier (NAI). The public keys
are managed by a trusted third party (a Certificate Authority (CA)).

Concerning question:

-> I know that IPsec provides mutual authentication (public key exchange)
even for those who do not know anything about each other prior to the
communication. I have also heard about DIAMETER as an enhancement of RADIUS, which
can also be used for access control and user authentication in IP networks.
Is there any relation between IPsec and DIAMETER?
Which do you think is better for Mobile IP?

Security Policy
In IPsec the communicating parties agree on the level (encryption and/or
data origin authentication) and mode (tunnel or transport) of the
protection at SA negotiation. This agreement must satisfy the security
policy of both parties. In Mobile IP every access network has its own
security policy. It is very important for the different access networks (IP
subnets) to learn each other's security policy quickly and easily, since
seamless SA negotiation (unnoticeable by the user!) is required when the
user moves from one access network to another.

Concerning questions:

-> Is there any standard or policy which defines how an IPsec-based security
policy should be tailored to access networks that implement Mobile IP?


I'm looking forward to having your answers.

regards
Balint
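The Security Policy section above describes an SA as the agreement of a protection level and a mode that must satisfy both parties' policies, renegotiated at every handover. The following added example (not from the post or any Mobile IP implementation) models that check in Python: each access network is a policy stating the services it requires and the modes it supports, and `negotiate` returns the strongest proposal both sides accept, or `None` when a handover would fail. The network names and policy values are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations, product

# Protection services and modes as the post lists them.
SERVICES = ("auth", "encrypt")      # data origin authentication, encryption
MODES = ("transport", "tunnel")


@dataclass(frozen=True)
class Proposal:
    services: frozenset  # subset of SERVICES offered by this SA proposal
    mode: str            # "transport" or "tunnel"


@dataclass(frozen=True)
class SecurityPolicy:
    """Security policy of one access network (constructed model)."""
    name: str
    required: frozenset  # services every SA with this network must provide
    modes: frozenset     # modes this network is able to operate in

    def accepts(self, proposal: Proposal) -> bool:
        # A proposal satisfies the policy if it runs in a supported mode
        # and provides at least the required services.
        return proposal.mode in self.modes and self.required <= proposal.services


def all_proposals():
    """Every non-empty combination of services, in both modes."""
    combos = [frozenset(c) for n in (1, 2) for c in combinations(SERVICES, n)]
    return [Proposal(s, m) for s, m in product(combos, MODES)]


def negotiate(a: SecurityPolicy, b: SecurityPolicy):
    """Strongest proposal acceptable to both policies, or None if no SA is possible."""
    acceptable = [p for p in all_proposals() if a.accepts(p) and b.accepts(p)]
    if not acceptable:
        return None
    # Prefer more protection; among equals prefer tunnel mode, which also
    # hides the inner IP headers; the final key only makes the choice deterministic.
    return max(acceptable,
               key=lambda p: (len(p.services), p.mode == "tunnel", sorted(p.services)))


def handover_plan(home: SecurityPolicy, visited: list):
    """Pre-compute, per visited network, the SA a mobile user would end up with.

    A None entry flags a network where the handover would fail or the user
    would have to wait for a manual policy fix, i.e. a non-seamless handover.
    """
    return {v.name: negotiate(home, v) for v in visited}
```

Knowing the visited networks' policies in advance (as the post asks for) is what makes `handover_plan` possible before the user moves, instead of discovering a `None` mid-roaming.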


