
Mobile IPv6 - IPsec interaction.



Hello,

We have been discussing an IPsec issue in the Mobile IP mailing list
which we thought would get some input from this mailing list.
It looks like some of the existing VPN solutions may have
addressed this.

Mobile IPv6 allows a mobile node to move from one link to another
without changing the mobile node's IP address (Home Address).
As it moves from one link to another, it configures a new address
on the link known as the care-of address (CoA). When a mobile node
configures a new care-of address, the mobile node registers this
new binding with its home agent and correspondent nodes by sending
a Binding Update. A Binding Update thus creates a binding between
the Home Address and the CoA. This information is used to route
packets directly to the mobile node. Binding Updates MUST be protected
by IPsec AH. Following are the details of the key exchange to
get an IPsec SA to protect the Binding Update:

1) In Main Mode, it uses the care-of address as the source address
    (it can't use the Home Address yet, as the other end either has
    a stale binding or no binding, and hence we can't get the reply
    back) and uses an appropriate authentication mechanism
    to establish the Phase I SA.

2) In Quick Mode, we want the IPsec SA to be bound to the mobile node's
    Home Address. This is achieved by using the Identification payload
    with the Home Address in it. (All selector checks will happen
    against the Home Address.)

In step (2), there is nothing that prevents a mobile node from using
the Home Address of some other mobile node. How does the other
end (the home agent or the correspondent node) verify that the
mobile node is using the right Home Address?

This issue looks similar to the case mentioned in 4.6.3 of RFC2401,
where a road warrior tries to connect to some host in the corporate
network through a security gateway. How does one verify whether a given SG
is authorized to represent a given host? Similarly, how do we
verify whether the mobile node is authorized to use a given Home
Address?

How do the existing VPN solutions solve this problem? I am
hoping that a similar solution would help this case.

Comments?

-thanks
mohan
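The gap raised in step (2) is an authorization question, not an authentication one: the responder must tie the Home Address claimed in the Quick Mode Identification payload to the identity it actually authenticated in Main Mode. The following sketch of that check on the home agent side is an added example, not code from the original post or from any Mobile IPv6 implementation; the Phase 1 identities, the home addresses and the policy table are constructed sample values, and the idea of a static identity-to-home-address table is an assumption about how such a policy could be represented.

```python
"""Responder-side check between IKE Phase 1 and Quick Mode: the Home
Address named in the Phase 2 ID payload is accepted only if the identity
proven in Phase 1 is entitled to it (hypothetical policy; constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: which Phase 1 identities (e.g. the subject of
# the certificate used in Main Mode) may claim which Home Addresses.
# A real home agent would load this from its configuration or AAA backend.
HOME_ADDRESS_AUTHZ = {
    "mn1.example.net": {ipaddress.IPv6Address("2001:db8:1::1")},
    "mn2.example.net": {ipaddress.IPv6Address("2001:db8:1::2")},
}


@dataclass
class QuickModeId:
    id_type: str                   # "ID_IPV6_ADDR" for a single Home Address
    address: ipaddress.IPv6Address


def authorize_home_address(phase1_identity: str, qm_id: QuickModeId) -> bool:
    """True only if the authenticated Phase 1 identity may use this Home Address."""
    if qm_id.id_type != "ID_IPV6_ADDR":
        return False   # subnet/range identities are not a single Home Address
    allowed = HOME_ADDRESS_AUTHZ.get(phase1_identity, set())
    return qm_id.address in allowed


def negotiate_quick_mode(phase1_identity: str, coa: str, claimed_hoa: str):
    """Simulate the responder: Phase 1 ran from the care-of address, but the
    child SA selectors are built from the Home Address, and only after the
    authorization check passes.  Returns None when the claim is rejected."""
    qm_id = QuickModeId("ID_IPV6_ADDR", ipaddress.IPv6Address(claimed_hoa))
    if not authorize_home_address(phase1_identity, qm_id):
        return None   # reject: identity not entitled to the claimed Home Address
    return {
        "peer_phase1_id": phase1_identity,
        "selector_src": str(qm_id.address),            # selectors use the HoA
        "current_coa": str(ipaddress.IPv6Address(coa)),  # tunnel endpoint only
    }
```

A node that authenticated as mn1 but names mn2's Home Address in Quick Mode is refused, which is exactly the case the question above describes; the care-of address is never used as a selector.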


