
Re: IPsec-based user authentication and security policy in MobileIP?



Balint,

>Focusing on the requirements of a secure Mobile IP connection consider the
>following questions:
>
>User authentication
>User identification in Mobile IP and in the access network will be
>independent. For example the secret key stored on the SIM card and used for
>GSM/UMTS level of authentication can not be reused for IP level
>authentication. For IP level authentication a private/public key mechanism
>can take place at every registration procedure to the home agent identifying
>the user by the so-called Network Access Identifier (NAI). The public keys
>are managed by a trusted third party (Certificate Authority (CA)).

IPsec does not embody an NAI as a form of ID, so I'm not quite sure that
we're on the same track here.  Also, in IPsec, (if one uses certs with IKE)
CA need not be a TTP; it often is operated by the organization with which
the user is affiliated, e.g., the same folks who operate the home agent.

>Concerning question:
>
>-> I know that IPsec provides mutual authentication (public key exchange)
>even for those who do not know anything about each other prior to the
>communication. I also heard about DIAMETER as an enhancement of RADIUS which
>also can be used for access control and user authentication in IP networks.
>Is there any relation between IPsec and DIAMETER?
>Which do you think is better for Mobile IP?

So far there is no relationship.  IPsec provides access control as an
intrinsic feature, not just authentication, integrity, and confidentiality.

>Security Policy
>In IPsec the communicating parties agree on the level (encryption or/and
>data origin authentication) and mode(tunneling or transport) of the
>protection at SA negotiation. This agreement must satisfy the security
>policy of both parties. In Mobile IP every access network has its own
>security policy. It is very important for the different access networks (IP
>subnets) to learn each other's security policy quickly and easily since
>seamless SA negotiation (unnoticeable by the user!)  is required when the
>user moves from an access network to another.

If IPsec is provided from the user's terminal to the home agent, the access
network is not a player in the IPsec negotiation and has no role in the
policy. It sounds as though you envision using IPsec from some access
network to a home agent, rather than on an end-to-end basis.  That is
possible, but it certainly is not the preferred model for IPsec use, and it
raises serious security questions.  For example, muxing at some access
network device after exiting the wireless net and before having IPsec
applied is a security concern.  In the dialup environment we use IPsec from
the terminal to the home site, not from the PPP server to the home site,
and as a user I would want the same level of security if I were to employ a
wireless access network.

>Concerning questions:
>
>-> Is there any standard or policy which defines how an IPsec-based security
>policy should be tailored to access networks that implement Mobile IP?

As noted above, end-to-end IPsec is independent of the access network, and
the alternative you seem to allude to would generally not be recommended.

Steve
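As an added illustration (not part of this exchange), here is a small Python model of the policy agreement the quoted "Security Policy" paragraph describes, placed where the reply puts it: between the two SA endpoints, the mobile node and the home agent. The policy shapes and the sample policies are assumptions of the example.

```python
# Added illustration of IPsec SA policy agreement (not code from this thread).
# Each party's security policy says which protection levels (data-origin
# authentication, encryption, or both) and which modes (transport, tunnel) it
# accepts.  The initiator offers everything its policy allows, and the
# responder, like an IKE responder, takes the first offer it can accept.
# Policy shapes and the sample policies below are assumptions of this example.
from dataclasses import dataclass
from typing import List, Optional

# Preference order used by the initiator: strongest protection first.
LEVEL_ORDER = ["enc+auth", "auth", "enc"]   # ESP without integrity is least desirable
MODE_ORDER = ["tunnel", "transport"]         # tunnel mode is the usual MN<->HA choice


@dataclass(frozen=True)
class Proposal:
    level: str   # one of LEVEL_ORDER
    mode: str    # one of MODE_ORDER


@dataclass(frozen=True)
class Policy:
    levels: frozenset
    modes: frozenset

    def accepts(self, p: Proposal) -> bool:
        return p.level in self.levels and p.mode in self.modes


def proposals_for(policy: Policy) -> List[Proposal]:
    """Every (level, mode) the initiator's policy allows, best first."""
    return [Proposal(lvl, mode) for lvl in LEVEL_ORDER for mode in MODE_ORDER
            if policy.accepts(Proposal(lvl, mode))]


def negotiate(initiator: Policy, responder: Policy) -> Optional[Proposal]:
    """Return the SA parameters both policies allow, or None if none overlap."""
    for p in proposals_for(initiator):
        if responder.accepts(p):
            return p
    return None


# Constructed sample policies: a mobile node that tolerates ESP without
# integrity, and a home agent that insists on data-origin authentication.
MOBILE_NODE = Policy(frozenset({"enc+auth", "enc"}), frozenset({"tunnel", "transport"}))
HOME_AGENT = Policy(frozenset({"enc+auth", "auth"}), frozenset({"tunnel"}))

if __name__ == "__main__":
    print(negotiate(MOBILE_NODE, HOME_AGENT))   # Proposal(level='enc+auth', mode='tunnel')
    # An access network's policy never enters this exchange: only the two SA
    # endpoints (here the mobile node and the home agent) are parties to it.
```

When no proposal satisfies both policies the function returns None, which is the case where SA negotiation fails and the user does notice.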
