Paris, August 2005, IETF 63rd – mip6 WG. Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-00). mip6-boot-sol DT, Gerardo Giaretta, ed.
Slide 2: Design Team Members (August 2005, IETF 63rd – mip6 WG, draft-ietf-mip6-bootstrapping-split-00)
Gerardo Giaretta, Vijay Devarapalli, James Kempf, Yoshihiro Ohba, Kuntal Chowdhury, Jari Arkko, Basavaraj Patil, Gopal Dommety, Alpesh Patel, Alper Yegin, Junghoon Jee, Julien Bournelle

Slide 3: Scope of the DT
draft-ietf-mip6-bootstrapping-ps defines the MIPv6 bootstrapping problem
The MN requires:
– the HA address
– a Home Address
– IPsec security associations with its Home Agent
Two scenarios:
– split scenario → draft-ietf-mip6-bootstrapping-split-00
– integrated scenario → currently under study

Slide 4: Main Design Guideline
The main objective of the bootstrapping solution is to minimize the data that must be pre-configured on the Mobile Node.

Slide 5: Terminology
ASA - Access Service Authorizer
– a network operator that authenticates a mobile host and establishes the mobile host's authorization to receive Internet service
ASP - Access Service Provider
– a network operator that provides direct IP packet forwarding to and from the end host
MSA - Mobility Service Authorizer
– a service provider that authorizes Mobile IPv6 service
MSP - Mobility Service Provider
– a service provider that provides Mobile IPv6 service

Slide 6: Split scenario
Network access and mobility services are authorized by different entities
– authentication and authorization for the mobility service and for network access are handled separately
– this separation is an explicit assumption of the problem statement draft
MIPv6 is bootstrapped independently of the authentication protocol used for network access
– no reuse of the protocol exchanges performed during network access authentication (e.g. PANA, EAP)
– the solution for this scenario may also be applied to the integrated access network deployment model
– other, optimized solutions for the integrated scenario are under study

Slide 7: Split scenario (cont'd)
In the split scenario two entities can be identified
– the entity that provides the service: MSP
– the entity that authenticates and authorizes the user: MSA
– similar to the roaming model for network access
Two different cases can be identified (figure on the slide):
– (a) MSP and MSA are the same entity (Mobility Service Provider and Authorizer): the Home Agent talks to the AAA-MSP server over the AAA-HA interface
– (b) MSP and MSA are different entities: the Home Agent talks to the AAA-MSP server over the AAA-HA interface, and the AAA-MSP server talks to the AAA-MSA server over the AAA protocol

Slide 8: Solution components
– Home Agent Address Discovery
– IPsec Security Associations setup
– Home Address Assignment
– Authentication and Authorization with MSA

Slide 9: HA Address Discovery
DHAAD (Dynamic Home Agent Address Discovery, RFC 3775) may not be applicable
– it requires the home network prefix to be pre-configured on the MN
– it does not allow an operator to load-balance by dynamically assigning MNs to HAs located in different subnets
The solution for HA address discovery is based on a new DNS SRV record
– the only information that must be pre-configured on the MN is the domain name of the MSP
– optionally, DHCP can be used when the ASP and the MSP are the same entity

Slide 10: HA Address Discovery (cont'd)
DNS lookup by Home Agent name
– MN configured with the FQDN of the HA (e.g. ha1.example.com, where "example.com" is the domain name of the MSP)
– DNS request with QNAME == HA name and QTYPE == 'AAAA'
DNS lookup by service name
– RFC 2782 defines the service resource record (SRV RR)
– service name == "mip6"
– protocol name == "ipv6"
– no transport name required
– if multiple HAs are listed in the DNS SRV record set, the MN is responsible for picking one Home Agent
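The service-name lookup above, as an added Python example written for this page (not code from the draft or its authors): it builds the RFC 2782 owner name (_Service._Proto.<MSP domain>, so _mip6._ipv6.example.com for the slide's MSP) from the one pre-configured datum, parses SRV records, and performs the priority/weight target selection that the slide leaves to the MN. The zone content and the Home Agent names are constructed for illustration.

```python
"""Home Agent discovery via an RFC 2782 SRV lookup (added example, not code from the draft)."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List

SERVICE = "mip6"    # service name from the slide
PROTO = "ipv6"      # protocol label from the slide; no transport label is used

def srv_qname(msp_domain: str) -> str:
    """Owner name the MN queries with QTYPE SRV: _Service._Proto.<MSP domain>, per RFC 2782.
    The MSP domain is the only pre-configured datum the MN needs."""
    return f"_{SERVICE}._{PROTO}.{msp_domain.strip('.')}."

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int       # meaningless for MIPv6 (no transport) but always present in SRV RDATA
    target: str     # Home Agent FQDN, to be resolved with a further AAAA query

def parse_srv_rdata(rdata: str) -> SrvRecord:
    """Parse presentation-format SRV RDATA: 'priority weight port target'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV RDATA: {rdata!r}")
    prio, weight, port = (int(f) for f in fields[:3])
    if not all(0 <= v <= 0xFFFF for v in (prio, weight, port)):
        raise ValueError("SRV priority, weight and port are 16-bit fields")
    return SrvRecord(prio, weight, port, fields[3].lower())

def select_home_agent(records: List[SrvRecord], rng: Callable[[], float] = random.random) -> SrvRecord:
    """RFC 2782 target selection, which the slide leaves to the MN: lowest priority wins;
    among equal priorities choose at random with probability proportional to weight."""
    if not records:
        raise ValueError("no SRV records: no Home Agent can be discovered for this MSP")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    candidates.sort(key=lambda r: r.weight != 0)   # RFC 2782: weight-0 records go first
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[int(rng() * len(candidates))]
    pick = int(rng() * (total + 1))                 # uniform in 0..total inclusive
    running = 0
    for rec in candidates:
        running += rec.weight
        if running >= pick:
            return rec
    return candidates[-1]

# Constructed zone data for an MSP "example.com" (illustration only, not from the draft)
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_mip6._ipv6.example.com.": [
        "10 60 0 ha1.example.com.",        # primary pool, 60% of the load
        "10 40 0 ha2.example.com.",        # primary pool, 40% of the load
        "20 0 0 ha-backup.example.com.",   # lower priority: tried only when the priority-10 HAs fail
    ],                                     # (fallback on failure is not modelled here)
}

def discover_home_agent(msp_domain: str, zone: Dict[str, List[str]] = SAMPLE_ZONE,
                        rng: Callable[[], float] = random.random) -> str:
    """What the MN does with only the MSP domain in hand: build the SRV name, fetch the RRset, pick an HA.
    A real MN sends the query to its resolver; the constructed zone stands in for it here."""
    rrset = [parse_srv_rdata(r) for r in zone.get(srv_qname(msp_domain), [])]
    return select_home_agent(rrset, rng).target
```

Nothing in the SRV or AAAA answer is authenticated unless the resolver validates DNSSEC, so a spoofed answer can steer the MN to an attacker's Home Agent. Discovery only chooses a candidate; it is the IKEv2 peer authentication of the following slide that establishes that the candidate really is the MSP's Home Agent.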

Slide 11: IPsec SAs setup
IPsec SAs are set up through IKEv2
– based on draft-ietf-mip6-ikev2-ipsec
IKEv2 peer authentication
– public key signatures or EAP
– the choice of IKEv2 peer authentication method depends on the deployment
– when EAP is used to authenticate the MN, IKEv2 (RFC 4306) requires the HA to authenticate itself to the MN with public key signatures

Slide 12: Home Address Assignment
The Home Address is assigned by the Home Agent during the IKEv2 exchange
– based on draft-ietf-mip6-ikev2-ipsec
IKE_AUTH exchange (figure on the slide):
MN → HA: HDR, SK {IDi, [...], AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr}
HA → MN: HDR, SK {IDr, [...], AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
– the Home Address is carried in the INTERNAL_IP6_ADDRESS attribute of the Configuration Payload

Slide 13: Home Address Assignment (cont'd)
The MN may also auto-configure its Home Address
– stateless auto-configuration, CGA, privacy addresses
The MN may include a proposed HoA in the INTERNAL_IP6_ADDRESS attribute
– this requires the MN to be pre-configured with the home prefix and home prefix length
A new attribute is defined for HoA auto-configuration
– for the case where the MN is not provided with the home prefix and home prefix length
– MIP6_HOME_PREFIX attribute, used in CFG_REQUEST and CFG_REPLY

Slide 14: Home Address Assignment (cont'd)
MIP6_HOME_PREFIX attribute (format figure only on the slide)

Slide 15: Home Address Assignment (cont'd)
During the IKE_AUTH exchange the MN includes the MIP6_HOME_PREFIX attribute in the CFG_REQUEST
The HA includes in the CFG_REPLY payload prefix information for one prefix on the home link
– the prefix length is included
– if other prefixes are needed, Mobile Prefix Discovery (MPD) should be used
– if auto-configuration is not allowed, the HA includes a Notify Payload of type "USE_ASSIGNED_HoA" and the HoA in an INTERNAL_IP6_ADDRESS attribute
The MN auto-configures a Home Address and runs a CREATE_CHILD_SA exchange to create an SA for the new HoA
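The Configuration Payload exchange of the Home Address Assignment slides (HA-assigned HoA, MN-proposed HoA, and prefix-based auto-configuration with the USE_ASSIGNED_HoA refusal), as an added Python example written for this page, not code from the draft or the design team. INTERNAL_IP6_ADDRESS (type 8, 16-octet address plus 1-octet prefix length) and the payload layout come from RFC 4306; the MIP6_HOME_PREFIX number (16) and its 21-octet layout (lifetime, prefix, prefix length) are taken from RFC 5026, the later RFC form of this draft, and are an assumption for draft-00, whose attribute figure is not in the transcript. The USE_ASSIGNED_HoA Notify is represented by a string marker rather than encoded, and the prefix, assigned address and interface identifier are constructed.

```python
"""IKE_AUTH Configuration Payload exchange for Home Address assignment (added example, not code from the draft)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CFG_REQUEST, CFG_REPLY = 1, 2        # CFG Types, RFC 4306 section 3.15
INTERNAL_IP6_ADDRESS = 8             # RFC 4306: 16-octet address + 1-octet prefix length, or empty in a request
MIP6_HOME_PREFIX = 16                # assumption: number and 21-octet layout as in RFC 5026 (draft-00 figure not in transcript)
USE_ASSIGNED_HOA = "USE_ASSIGNED_HoA"   # stands in for the Notify payload; its type number is not encoded here

# Constructed values for the example (not from the draft)
HOME_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
ASSIGNED_HOA = ipaddress.IPv6Address("2001:db8:1::1234")   # what the HA hands out when it assigns the HoA itself
MN_IID = 0x02005EFFFE005301                                 # interface identifier the MN uses to auto-configure

def encode_attr(atype: int, value: bytes = b"") -> bytes:
    """Configuration Attribute: R bit (zero) + 15-bit type, 16-bit length, value."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value

def encode_cp(cfg_type: int, attrs: List[bytes], next_payload: int = 0) -> bytes:
    """CP payload: Next Payload, C/reserved, Payload Length, CFG Type, 3 reserved octets, attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), cfg_type) + body

def decode_cp(data: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Parse a CP; every length is checked so a truncated or overlong attribute never reads past the payload."""
    if len(data) < 8:
        raise ValueError("CP shorter than its 8-octet fixed part")
    _next, _crit, length, cfg_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("Payload Length disagrees with the data received")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:
            raise ValueError("reserved R bit set in attribute type")
        off += 4
        if off + alen > length:
            raise ValueError("attribute length overruns the payload")
        attrs.append((atype, data[off:off + alen]))
        off += alen
    return cfg_type, attrs

def mn_cfg_request(home_prefix: Optional[ipaddress.IPv6Network], iid: int) -> bytes:
    """MN side: with a pre-configured prefix it proposes a HoA in INTERNAL_IP6_ADDRESS;
    without one it asks for the prefix with an empty MIP6_HOME_PREFIX attribute."""
    if home_prefix is None:
        return encode_cp(CFG_REQUEST, [encode_attr(MIP6_HOME_PREFIX)])
    hoa = ipaddress.IPv6Address(int(home_prefix.network_address) | iid)
    return encode_cp(CFG_REQUEST, [encode_attr(INTERNAL_IP6_ADDRESS, hoa.packed + bytes([home_prefix.prefixlen]))])

@dataclass
class HaPolicy:
    home_prefix: ipaddress.IPv6Network
    prefix_lifetime: int                    # seconds, carried in MIP6_HOME_PREFIX
    allow_autoconf: bool                    # may the MN auto-configure its HoA?
    assigned_hoa: ipaddress.IPv6Address     # HoA the HA hands out when it assigns one itself

def ha_cfg_reply(request: bytes, policy: HaPolicy) -> Tuple[bytes, Optional[str]]:
    """HA side: returns the CFG_REPLY plus USE_ASSIGNED_HOA when auto-configuration is refused."""
    cfg_type, attrs = decode_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    asked = dict(attrs)
    plen = bytes([policy.home_prefix.prefixlen])
    assigned = encode_attr(INTERNAL_IP6_ADDRESS, policy.assigned_hoa.packed + plen)
    if MIP6_HOME_PREFIX in asked:
        if not policy.allow_autoconf:
            return encode_cp(CFG_REPLY, [assigned]), USE_ASSIGNED_HOA
        value = struct.pack("!I", policy.prefix_lifetime) + policy.home_prefix.network_address.packed + plen
        return encode_cp(CFG_REPLY, [encode_attr(MIP6_HOME_PREFIX, value)]), None
    proposed = asked.get(INTERNAL_IP6_ADDRESS, b"")
    if len(proposed) == 17 and ipaddress.IPv6Address(proposed[:16]) in policy.home_prefix:
        return encode_cp(CFG_REPLY, [encode_attr(INTERNAL_IP6_ADDRESS, proposed)]), None   # proposal accepted
    return encode_cp(CFG_REPLY, [assigned]), None    # no usable proposal: the HA assigns the HoA

def mn_home_address(reply: bytes, notify: Optional[str], iid: int) -> ipaddress.IPv6Address:
    """MN side: auto-configure from the returned prefix, or take the assigned HoA."""
    cfg_type, attrs = decode_cp(reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    got = dict(attrs)
    if notify == USE_ASSIGNED_HOA or MIP6_HOME_PREFIX not in got:
        value = got[INTERNAL_IP6_ADDRESS]
        if len(value) != 17:
            raise ValueError("malformed INTERNAL_IP6_ADDRESS")
        return ipaddress.IPv6Address(value[:16])
    value = got[MIP6_HOME_PREFIX]
    if len(value) != 21:
        raise ValueError("malformed MIP6_HOME_PREFIX")
    prefix = ipaddress.IPv6Network((value[4:20], value[20]))    # strict: rejects a prefix with host bits set
    # Auto-configured HoA; the MN must then run CREATE_CHILD_SA so the IPsec SA with the HA covers it.
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)
```

A real HA would additionally check that a proposed address is not already bound to another MN before echoing it, and both sides should reject a CFG payload whose lengths do not add up rather than trust them, which is what the length checks in decode_cp are for.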

Slide 16: Authentication and Authorization with MSA
The user must be authenticated and the mobility service authorized in order for the MSA to grant the service
This can be done in different ways, depending on the credentials used by the MN during IKEv2 peer authentication and on the backend infrastructure (PKI or AAA)
– draft-ietf-mip6-aaa-ha-goals-00

Slide 17: Home Address registration in the DNS
The DNS needs to be updated with the new HoA
– needed for the MN to be reachable at the new address
– the DNS update is essential for providing IP reachability to the MN, which is the main purpose of the Mobile IPv6 protocol
The DNS update must be performed securely
– the node performing the update must share a security association with the DNS server
– the MN must not update the DNS by itself: without proof of address ownership it could bind a name to an address it does not own and redirect traffic to a victim (redirection-based flooding attack)

Slide 18: Home Address registration in the DNS (cont'd)
The HA performs the DNS update on behalf of the MN
– the MN includes a new mobility option, the DNS Update option, with the R flag not set, in the Binding Update
The AAA server of the MSA performs the DNS update if the MN wants to be reachable through a FQDN that belongs to the MSA
– the Home Agent and the DNS server to be updated belong to different administrative domains
– the Home Agent sends the FQDN/HoA pair to the AAA-MSA server through the AAA protocol
– out of scope of the DT

Slide 19: Home Address registration in the DNS (cont'd)
DNS Update mobility option
– R flag used to request the removal of the DNS entry
– separate Status namespace for the DNS update
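The HA-side handling described on the three DNS registration slides, as an added Python example written for this page, not code from the draft or its authors. The option layout (type 17; a Status octet; the R flag in the top bit of the next octet; the MN identity as a DNS-encoded FQDN) and the status values follow RFC 5026, the later RFC form of this draft, and are an assumption for draft-00, whose option figure is not in the transcript. The MN identities, names and addresses are constructed. The block records the dynamic-update actions instead of sending them; a real HA would send them protected by the security association it shares with the DNS server (for instance TSIG).

```python
"""DNS Update mobility option as handled by the Home Agent (added example, not code from the draft)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DNS_UPDATE_OPTION = 17     # assumption: option type as later registered by RFC 5026
STATUS_OK = 0              # "DNS update performed"
STATUS_PROHIBITED = 129    # "Administratively prohibited"; the option's own Status namespace
STATUS_FAILED = 130        # "DNS update failed"

def encode_fqdn(fqdn: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending with a zero octet (layout assumed)."""
    out = b""
    for label in fqdn.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels are 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_fqdn(data: bytes) -> str:
    labels, off = [], 0
    while True:
        if off >= len(data):
            raise ValueError("unterminated FQDN")
        n, off = data[off], off + 1
        if n == 0:
            break
        if n > 63 or off + n > len(data):
            raise ValueError("label length runs past the option")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    if off != len(data):
        raise ValueError("trailing octets after the FQDN")
    return ".".join(labels) + "."

def encode_dns_update_option(fqdn: str, remove: bool = False, status: int = 0) -> bytes:
    """Option Type | Option Length | Status | R flag + 7 reserved bits | MN identity (FQDN)."""
    name = encode_fqdn(fqdn)
    return bytes([DNS_UPDATE_OPTION, 2 + len(name), status, 0x80 if remove else 0x00]) + name

def decode_dns_update_option(opt: bytes) -> Tuple[int, bool, str]:
    """Returns (status, R flag, FQDN); rejects a lying Option Length and non-zero reserved bits."""
    if len(opt) < 4 or opt[0] != DNS_UPDATE_OPTION:
        raise ValueError("not a DNS Update option")
    if opt[1] != len(opt) - 2:
        raise ValueError("Option Length does not match the option")
    if opt[3] & 0x7F:
        raise ValueError("reserved bits must be zero")
    return opt[2], bool(opt[3] & 0x80), decode_fqdn(opt[4:])

@dataclass
class HomeAgent:
    msp_domain: str                                      # zone the HA may update over its own SA with the DNS server
    hoa_by_identity: Dict[str, ipaddress.IPv6Address]    # HoA assigned to each MN's IKEv2 identity during IKE_AUTH
    dns_updates: List[Tuple[str, str, str]] = field(default_factory=list)   # (add|delete, fqdn, hoa) issued
    aaa_requests: List[Tuple[str, str]] = field(default_factory=list)       # (fqdn, hoa) handed to the AAA-MSA server

    def handle_dns_update(self, mn_identity: str, bu_hoa: ipaddress.IPv6Address,
                          option: bytes, ipsec_protected: bool) -> int:
        """Run for the DNS Update option of a Binding Update. Address ownership is the whole point:
        a name is bound only to the HoA this HA assigned to the authenticated MN, never to an address
        the MN merely claims, which is what rules out the redirection-based flooding attack."""
        _status, remove, fqdn = decode_dns_update_option(option)
        if not ipsec_protected:
            return STATUS_PROHIBITED            # BUs to the HA must arrive under the MN-HA IPsec SA (RFC 3775)
        if self.hoa_by_identity.get(mn_identity) != bu_hoa:
            return STATUS_PROHIBITED            # HoA not owned by this MN: would redirect traffic to a victim
        if not fqdn.endswith("." + self.msp_domain.strip(".") + "."):
            # FQDN in the MSA's domain: the HA cannot update that zone, so it passes the pair over the
            # AAA protocol and the AAA-MSA server updates the DNS (how the result is reported is out of scope;
            # the status returned here is an assumption)
            self.aaa_requests.append((fqdn, str(bu_hoa)))
            return STATUS_OK
        self.dns_updates.append(("delete" if remove else "add", fqdn, str(bu_hoa)))
        return STATUS_OK

# Constructed MN and HA state for the example (not from the draft)
ALICE_HOA = ipaddress.IPv6Address("2001:db8:1::5301")
EXAMPLE_HA = HomeAgent("example.com", {"alice@example.com": ALICE_HOA})
```

The two refusals are the security-relevant part: a Binding Update that did not arrive under the MN-HA IPsec SA, or one whose HoA is not the address this HA bound to that MN's IKEv2 identity, never reaches the DNS, so an MN cannot point a name at someone else's address.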