Alternative (Future) Proposals for MIPv6 Security - PowerPoint PPT Presentation

Slides: 8
Provided by: ietf
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Alternative (Future) Proposals for MIPv6 Security
  • MIP6 BOF/WG
  • IETF-57
  • Jari Arkko, Ericsson Research NomadicLab
  • Charlie Perkins, Nokia Research Center

2
Background
  • Improvements over RR
  • New functions for HA - MN communications
  • Michael Thomas non-SPD based authorization model
  • HA-MN IKE-variant feedback
  • Other developments in IETF - IKEv2

3
Improvements on RR
  • Several proposed mechanisms
  • Shared secret
  • CGA
  • It seems that most people are after speed
  • Example: CGA could eliminate most or all home
    address tests
  • A hard problem is trying to optimize care-of
    tests
  • Suggestion
  • Optional mechanisms allowed in addition to RR

4
New Functions
  • Addressing freedom
  • Previously unknown home addresses (3041)
  • Previously unknown home agents
  • Currently, we assume a tight binding to addresses
  • Dynamic assignment of home agents
  • Reduces RTT through the home agent
  • Hides mobile node's topological location
  • Need to solve AAA interaction, secure anycast,
    and authorization issues
  • Suggestion
  • Work on a specification for these functions

5
HA-MN IKE-Variant Feedback
  • SSH has an IKE-based HA-MN security implementation
  • But, it does things in a slightly different
    way...
  • IPsec policies and SAs use only care-of addresses
  • No authorization policy needed for IKE phase 2
    establishment
  • Additional HAO checks are associated with
    SAs/credentials
  • Properties
  • Easy for BITS, tough on manual keying
  • Performs both SPD selector checks and HAO checks
  • On-the-wire format the same for packets, only
    difference in IKE
  • Reminds us of the scheme Michael Thomas proposed
    earlier
  • Suggestion
  • Produce a future extended specification
    (perhaps IKEv2 version of the current
    specification), and take this into account

6
Additional IKEv2 Issues
  • Mobility/roaming/multi-homing/SCTP function for
    IKEv2?
  • A method to move SAs to a new address
  • In MIPv6, move IKEv2 first, then send a BU
  • Not a part of IKEv2 RFC, design somewhat open
  • Different signaling approaches proposed
  • Scope - is multi-homing included?
  • Suggestion
  • Produce a future specification for IKEv2 roaming
  • Ensure that it suits MIPv6 needs

7
Possible Future Work Items
  • Improved RR protocols
  • IKEv2 roaming -- work with the IPsec WG (or new
    WG)
  • A new, more powerful specification for MN - HA
    security
  • Dynamic home addresses
  • Dynamic home agents
  • Using IKEv2 features
  • Strawman designs for the above
  • Application layer design
  • IKEv2 design