
request to review draft in mobile IP wg




Hi,

I'd like to ask the help of the IPsec WG to take a look at a draft
which is being worked on in the Mobile IP working group.

This draft relates to Mobile IPv6. A little background may perhaps
be necessary for those not involved in IPv6 and MIPv6 work. Mobile IPv6
allows nodes to move around the network and still use the address
they had in the home network (home address). A router in the network (home
agent) tunnels all traffic to the mobile node and back. While away
from home, the mobile nodes get temporary (care-of) addresses from
the visited networks. The mobile nodes signal these care-of addresses
to the home agent using Binding Updates, carried in an IPv6 protocol
called Mobility Header. This signaling is secured with IPsec, mandatory
manual keying and optional automatic keying. The mobile node and
the home agent usually have some real-life relationship, such as
that the home agent is a router in your company, service provider,
or home.

Mobile IPv6 also allows route optimization, where the mobile node
can inform its peers (correspondent nodes) where it is currently
located. There may not be any relationship between the mobile node and
the correspondent node in this case, e.g., the correspondent node
could be a web server somewhere. This signaling is not secured
using IPsec or any other security mechanism requiring pre-shared
keys or security infrastructure. Instead, a simple mechanism
called return routability is used. However, we assume that the
mobile node and home agent can encrypt the messages in this
mechanism as they travel between the mobile node and the home
agent. Thus at least some of the tunneled packets need encryption.

But back to the subject of this e-mail, the use of IPsec: As described
above, the signaling between the home agent and the mobile node applies
IPsec. Mobile IPv6 introduces a number of interesting factors that
make the use of security less trivial. These new factors are:
- Movements. The mobile node sends from one address at one time,
   from another at another time.
- Home Address Option and Type 2 Routing Header. These are used to
   carry the home address in the packets from and to the mobile
   node, respectively.
- Tunnels

Some of you may also remember Francis' draft about the complications
caused by the combination of mobility and IPsec. We think that we
now have a solution that works, even if many of the optimizations
that Francis proposed are left for future work. But review on this
would be useful, given that the issues are quite subtle. Please take a
look at least at Section 4 (formats), Section 5 (requirements), and
Section 9 (design decisions). There are a few discussions ongoing
also about the draft in the mobile IP WG. If we end up with
specific questions or choices I can send those to this list
as well.

Since this draft is related to how the mobile IPv6 could become an
RFC we'd like to get input as soon as possible. (MIPv6 itself has
passed last call with comments; we are starting the last call for
this other document now.)

Here's the IPsec draft URL and abstract:

   http://www.ietf.org/internet-drafts/draft-ietf-mobileip-mipv6-ha-ipsec-01.txt

   "Using IPsec to Protect Mobile IPv6 Signaling between
    Mobile Nodes and Home Agents"

   Mobile IPv6 uses IPsec to protect signaling between the home
   agent and the mobile node. Mobile IPv6 base document defines the
   main requirements these nodes must follow. This draft discusses
   these requirements in more depth, illustrates the used packet
   formats, describes suitable configuration procedures, and shows
   how implementations can process the packets in the right order.

The latest mobile IPv6 draft (being prepared for submission of the
draft 19; don't use draft 18 because the text in question has changed):

    http://people.nokia.net/charliep/txt/mobilev6/mobilev6+++.txt

    "Mobility Support in IPv6"

    This document specifies the operation of the IPv6 Internet with
    mobile computers.  Each mobile node is always identified by its
    home address, regardless of its current point of attachment to the
    Internet.  While situated away from its home, a mobile node is also
    associated with a care-of address, which provides information about
    the mobile node's current location.  IPv6 packets addressed to a
    mobile node's home address are transparently routed to its care-of
    address.  The protocol enables IPv6 nodes to cache the binding of
    a mobile node's home address with its care-of address, and to then
    send any packets destined for the mobile node directly to it at this
    care-of address.  To support this operation, Mobile IPv6 defines a
    new IPv6 protocol and a new destination option.  All IPv6 nodes,
    whether mobile or stationary can communicate with mobile nodes.

The sections that relate to this issue are 5.1, 5.4 to 5.5 and
14.1 to 14.3.

--Jari