
Re: request to review draft in mobile IP wg



hi,

thanks for the comments. apologies for the lengthy mail.

Cheryl Madson wrote:
> 
> Issues:
> 
> a.  I'd understood that MobileIP supported its own tunnels between
>       a MN and an HA. Is the intent that these IPsec tunnels (which
>       don't simply represent a securing of MobileIP tunnels) are
>       replacing the MobileIP tunnels?

kind of/yes. as Francis Dupont would put it, MIPv6 and IPsec 
should be tightly integrated :-)

> b.  Sequence of events relative to changeover of addresses relative to
>       changing IKE and/or IPsec endpoints. This issue is glossed over too
>       much in this draft; this should be spelled out in much greater detail.
>       [This is the area that makes me the most nervous, since there is so
>       little detail; I can't convince myself that things will behave properly.]
> 
>      + When should new CoA be used? Immediately? Upon completion of the
>         BU/BA exchange?

the MN starts using the new CoA as soon as it moves. it can't
use the old CoA anyway. the tunnel gateway address is also 
changed immediately at the MN. at the Home Agent, the tunnel
gateway address is changed as soon as it processes a Binding 
Update and updates its binding cache entry with the new CoA.

>      + What happens if BU or BA is dropped?

until the binding cache entry at the home agent is updated with
the new CoA, all packets sent by the MN with newCoA are dropped.
so, till the BU reaches the home agent, MN loses packets. if BA 
is dropped, no harm done.

as an aside, there is work going on in the Mobile IP WG on Fast 
Handoffs for Mobile IPv6, which sets up a bi-directional tunnel 
between the old access router and the new access router. the 
mobile node can continue using old CoA, until the BU/BA exchange 
for the new CoA is completed.

>      + May need recommendations as to how to handle address change
>         during a rekey -- there is a potential for higher chance of lost
>         packets, at least in the short term. If out-of-sequence events cause
>         more retransmissions in a shorter period of time, this could become
>         problematic for certain types of devices in this space.
> 
>      + May need recommendations as to how to handle address change for
>         things like dead peer detection/keepalives.  [I'll ask (cringingly
>         -- is that a word?) -- would NAT also be a possibility in this
>         scenario?]

I will let Jari or Francis comment on this.

> c.   What differences, if any, are there when a MN acts as a MR?

the MIPv6 drafts are only about mobile hosts. mobile routers are 
not being considered here. in fact there is another WG called NEMO 
which is working on a mobility solution for a mobile router.

> d.   Is it possible for a MN to have several simultaneous connections to
>        different HAs? How does this scenario play out relative to this draft?

an MN can have multiple home addresses. but if all these home 
addresses are from the same home link, then it has connections to 
only one home agent. if the home addresses are from different 
prefixes and different links, then it could have connections with 
one home agent in each link. but I think the latter case does not 
introduce any new issues.

> e.  There is no hiding of the home address-to-COA binding. It might not hurt
>       to point this out. Is this acceptable?

can you please elaborate? if the MN wants to hide its current
location from the CN, it can use reverse tunneling through the
home agent. 

> 
> f.  Relative to packet handling for BU/BA and PD/PA messages:
>      are there other scenarios where the value in the Home Address Option/
>      RH2 headers should not override the address in the v6 header? If so,
>      how will a node be able to distinguish?

I can't think of any scenarios. the Home Address Option and Routing
header Type 2 are always present on BU/BA and PD/PA messages if 
the MN is not at home. and they should contain the correct address 
at all times.

do you have a scenario in mind?

> 
> Comments
> 
> a. Buried amongst the discussion of manual keying, there is a
>      comment about dealing with new prefixes. Why is this not
>      mentioned at all until here -- why isn't this discussed earlier
>      in the general processing discussions, or at least in the
>      Requirements chapter? Also, it seems like the text in this section
>      and the dynamic keying section could be better aligned.
>           + Are all of these addresses active at once? What triggers their
>              usage?

there are a couple of subtle points here. the MN can have multiple
home addresses. it can also register the multiple home addresses
at the home agent by setting the 'S' bit to 0 (see base MIPv6
spec). but it need not have security associations based on 
each home address, because it does not register each home
address individually.

so a new prefix on the home link does mean a new home address
for the MN. but it is not necessary for the MN to configure
a new SA.

but you are right, we should discuss that in the requirements
section. I will do that.

regarding what triggers the MN to use a different home address,
we don't know yet.

> c. What is the granularity of a "user" relative to a MN? Can a MN support more
>      than one user? (Do they get separate home addresses? Share a home
>      address? ??) If so, how is that associated with traffic selectors
>      (which traffic selectors are associated with which user)?

good question. I have to think about this a bit more before I 
can answer.

regards
Vijay
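
The handoff behaviour described in the reply to issue (b), as an added example that is not part of the original mail or of the draft: a small model of the home agent's binding cache showing the packet-loss window until a Binding Update is processed, and that a lost Binding Acknowledgement does not affect forwarding. The class, function and event names are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and the model assumes the BU itself is accepted independently of the tunnel address check.

```python
# Added illustration; addresses are constructed (2001:db8::/32 documentation prefix).
HOME_ADDR = "2001:db8:0:1::10"
OLD_COA = "2001:db8:a::10"
NEW_COA = "2001:db8:b::10"


class HomeAgent:
    def __init__(self, home_addr, coa):
        # Binding cache: home address -> CoA accepted as the tunnel gateway address.
        self.binding_cache = {home_addr: coa}

    def process_bu(self, home_addr, coa):
        # The tunnel gateway address changes as soon as the BU is processed.
        self.binding_cache[home_addr] = coa
        return "BA"

    def accept(self, outer_src, inner_src):
        # A tunnelled packet is accepted only if its outer source is the bound CoA.
        return self.binding_cache.get(inner_src) == outer_src


def replay_handoff(events):
    """Replay MN-side events after the move to NEW_COA.

    events: "DATA", "BU", "BU_LOST" (BU never reaches the HA) or
    "BU_BA_LOST" (BU is processed, the BA is lost on the way back).
    Returns (per-DATA delivery results, whether the MN saw a BA).
    """
    ha = HomeAgent(HOME_ADDR, OLD_COA)
    delivered, ba_seen = [], False
    for ev in events:
        if ev == "DATA":
            # The MN can only send from the new CoA once it has moved.
            delivered.append(ha.accept(NEW_COA, HOME_ADDR))
        elif ev in ("BU", "BU_BA_LOST"):
            ba = ha.process_bu(HOME_ADDR, NEW_COA)
            ba_seen = ba_seen or (ev == "BU" and ba == "BA")
        elif ev == "BU_LOST":
            pass  # HA state unchanged; the loss window stays open
        else:
            raise ValueError(f"unknown event {ev!r}")
    return delivered, ba_seen


if __name__ == "__main__":
    print(replay_handoff(["DATA", "BU_LOST", "DATA", "BU_BA_LOST", "DATA"]))
```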