Mobility Protocol Options for IKEv2 (MOPO-IKE). Pasi Eronen. MOBIKE WG, IETF 62, March 7, 2005.

Presentation transcript:

Slide 1: Mobility Protocol Options for IKEv2 (MOPO-IKE)
Pasi Eronen, MOBIKE WG, IETF 62, March 7, 2005

Slide 2: Basic approach: “initiator decides”
Responder sends its list of addresses to the initiator
Initiator decides which pair is used for IPsec SAs and tells the responder
– If there is any reason to change the path (e.g., new interface, DPD failing, etc.), the initiator handles it
– NAT traversal can be enabled or disabled when changing path

Slide 3 (message flow between Host A and VPN gateway B):
Host A → B: IKE_SA_INIT: …, N(MOPO_SUPPORTED), …
B → Host A: IKE_SA_INIT: …, N(MOPO_SUPPORTED), …
Host A → B: IKE_AUTH: …
B → Host A: IKE_AUTH: …
IPsec traffic
…time passes…
Host A gets a new IP address and decides to move the VPN traffic there
Host A → B: INFORMATIONAL: …, N(CHANGE_PATH), N(NAT_DETECTION_*_IP), …
Gateway saves the new address (from the IP header) and updates the IPsec SAs
B → Host A: INFORMATIONAL: …, N(NAT_DETECTION_*_IP), …
IPsec traffic

Slide 4 (message flow, move to IPv6, between Host A and VPN gateway B):
Host A → B: IKE_SA_INIT: …
B → Host A: IKE_SA_INIT: …
Host A → B: IKE_AUTH: …
B → Host A: IKE_AUTH: …, N(ADDITIONAL_ADDRESS=2001:DB8::1), …
IPsec traffic
…time passes…
Host A moves to an IPv6 network, and decides to use B’s IPv6 address instead of 6to4 or something
Host A → B: INFORMATIONAL: …, N(CHANGE_PATH), N(NAT_DETECTION_*_IP), …
Gateway saves the new addresses (from the IP header) and updates the IPsec SAs
B → Host A: INFORMATIONAL: …, N(NAT_DETECTION_*_IP), …
IPsec traffic

Slide 5: More features…
Separate path test (“ping”) message to handle partial connectivity / failures in the “middle”
– Simplifies protocol
– No need to support window size > 1
Return routability test using informational exchange + cookie

Slide 6 (message flow; background: A has addresses A1/A2, B has B1/B2):
Host A decides to do dead peer detection
Host A → B: INFORMATIONAL: …
A decides to try some other pair
Host A → B: PATH_TEST: …
OK, works
Host A → B: INFORMATIONAL: …, N(CHANGE_PATH), N(NAT_DETECTION_*_IP), …
IPsec traffic
(Note added after presentation) The figure has an error: the 1st informational exchange is retransmitted before the CHANGE_PATH message can be sent.
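A compact model of the “initiator decides” path change on slides 2, 3 and 5, added here as an illustration; it is not code from the presentation or from any IKEv2 implementation. The NAT_DETECTION_*_IP notify data is computed the way RFC 4306 defines it (SHA-1 over the SPIs, address and port); the CHANGE_PATH notify, the return-routability cookie format and the dict-based message representation are assumptions of the model.

```python
import hashlib
import os
import socket
import struct

def nat_detection_hash(spi_i, spi_r, addr, port):
    """NAT_DETECTION_*_IP notify data as RFC 4306 defines it: SHA-1(SPIi | SPIr | IP | port)."""
    fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
    return hashlib.sha1(spi_i + spi_r + socket.inet_pton(fam, addr) + struct.pack("!H", port)).digest()

class Gateway:
    """Responder B: accepts the initiator's path choice and learns the new address from the IP header."""
    def __init__(self, spi_i, spi_r, addr, port=500):
        self.spi_i, self.spi_r, self.addr, self.port = spi_i, spi_r, addr, port
        self.peer = None            # (addr, port) that the IPsec SAs currently point at
        self.pending_cookie = None  # return-routability cookie awaiting echo (assumed format)

    def informational(self, src, notifies):
        """Handle an INFORMATIONAL request; src is the (addr, port) seen in the outer IP header."""
        reply = {}
        if "CHANGE_PATH" in notifies:
            self.peer = src                       # slide 3: update the IPsec SAs from the IP header
            self.pending_cookie = os.urandom(16)  # slide 5: start a return-routability check
            reply["COOKIE"] = self.pending_cookie
        if "NAT_DETECTION_SOURCE_IP" in notifies:
            # The initiator hashed the address it believes it has; a mismatch means a NAT rewrote it.
            expected = nat_detection_hash(self.spi_i, self.spi_r, *src)
            reply["initiator_behind_nat"] = notifies["NAT_DETECTION_SOURCE_IP"] != expected
            reply["NAT_DETECTION_DESTINATION_IP"] = nat_detection_hash(
                self.spi_i, self.spi_r, self.addr, self.port)
        return reply

    def rr_check(self, src, cookie):
        """A cookie echoed from the new address shows the initiator is reachable there (issue 15)."""
        ok = src == self.peer and cookie == self.pending_cookie
        self.pending_cookie = None
        return ok

def move_host(gw, spi_i, spi_r, new_addr, nat_mapped_addr=None, port=500):
    """Host A moves to new_addr and tells B; nat_mapped_addr simulates a NAT on the new path."""
    seen = (nat_mapped_addr or new_addr, port)   # what B reads from the IP header
    notifies = {"CHANGE_PATH": True,
                "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, new_addr, port)}
    reply = gw.informational(seen, notifies)
    routable = gw.rr_check(seen, reply["COOKIE"])  # A echoes the cookie from its new address
    return gw.peer, reply["initiator_behind_nat"], routable
```

The gateway never trusts an address carried inside the payload: it takes the new path from the IP header and confirms it with the cookie echo, which is what keeps a CHANGE_PATH from redirecting traffic to an address the initiator cannot actually receive at.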

Slide 7: Still more features…
Also supports the case where the responder’s set of addresses changes
– Responder can send a new address list
– For this purpose, the initiator also sends its list of addresses to the responder
– If the responder’s addresses do not change, this list is never used for anything
– This is the only feature that does not fully work with all types of stateful packet filters and NATs

Slide 8: MOPO-IKE vs. the issue list
Match with closed issues
Positions taken in open issues

Slide 9: Closed issues
Issue 2: no special support for simultaneous movement: OK
Issue 4: MOBIKE support signaled using Notify payloads: OK
Issue 5: no “zero address set” functionality: OK
Issue 7: first document considers tunnel mode only: OK

Slide 10: More closed issues
Issue 9: assumes 2401bis: OK
Issue 12: interaction with other protocols doing RR is beyond our scope: OK
Issue 13: IPv4/v6 movement works: OK
Issue 15: RR done by adding “cookie” payload to informational exchange: OK

Slide 11: Issue 3
Interaction with NAT traversal: does moving to behind a NAT, from behind a NAT, or from one NAT to another work?
– Everything works if the responder’s addresses don’t change (and the initiator is the one behind the NAT)
– Changing the responder’s addresses works in some cases, too (depends on the exact type of NAT and other details)

Slide 12: Issue 6
“When to do return routability checks?”
– After updating the SAs, or any time after that, if required by local policy
– Version -02 does not mandate any particular policy; the next version will probably say that the default policy should be “do RR after updating the SAs, if not done for this address in this IKE_SA before”
Does not prohibit fancier policies like “don’t do RR for addresses contained in the certificate”

Slide 13: Issue 8
“Scope of SA changes: do we need per-IPsec-SA granularity, or is it acceptable to use separate IKE SAs when needing this?”
– If you want different IPsec SAs to use different addresses, you need several IKE SAs

Slide 14: Issue 10 (closed)
“Changing addresses vs. changing paths”
– Updating address lists is separate from actually moving the traffic (changing path)

Slide 15: Issue 11
“Window size vs. retransmissions and DPD”
– Works with window size 1
– Even if something happens (e.g. interface goes down) when changing paths
– (Separate path test exchange not constrained by the window)

Slide 16: Issue 16
“Can the protocol recover from situations where the only sign of problems is lack of packets from the other end?”
– “Lack of packets” means “no IKEv2 replies”
– Works (because of the separate path test exchange)
– Even if the IKEv2 request was about changing paths

Slide 17: Issue 17 (closed)
“If both parties have several addresses, do we assume that all pairs have connectivity between them?”
– No, full connectivity is not assumed.
– Since MOPO-IKE handles issue 16, this is easy: no big difference between “planned lack of connectivity” and “failure in the middle”
– Determining connectivity works even if the need to do it arises unexpectedly
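An added illustration of issues 11, 16 and 17 together (not code from the presentation): with an IKEv2 window of 1, a request whose reply never arrives blocks further requests on that IKE_SA, so the initiator probes the other address pairs with the separate path-test exchange, which is modelled as living outside the window, and then retransmits the outstanding request over the first pair that answers, as the note on slide 6 describes. The connectivity matrix, the PATH_TEST representation and the request names are constructed for the model.

```python
from itertools import product

class Initiator:
    """Host A with an IKEv2 window of 1 and several local/remote addresses (issues 11, 16, 17)."""
    def __init__(self, local_addrs, remote_addrs, reachable):
        self.local, self.remote = local_addrs, remote_addrs
        self.reachable = reachable          # constructed set of (local, remote) pairs that pass traffic
        self.path = (local_addrs[0], remote_addrs[0])
        self.outstanding = None             # the one request the window allows; None when idle
        self.log = []                       # (pair, message) in the order they were sent

    def window_full(self):
        return self.outstanding is not None

    def send_request(self, name):
        """Only one request may be in flight (window size 1)."""
        if self.window_full():
            raise RuntimeError("window full: %s still awaiting a reply" % self.outstanding)
        self.outstanding = name
        return self._deliver(self.path, name)

    def _deliver(self, pair, name):
        self.log.append((pair, name))
        if pair in self.reachable:
            self.outstanding = None         # reply arrived, window slot freed
            return True
        return False                        # no reply at all: "lack of packets" (issue 16)

    def path_test(self, pair):
        """Separate PATH_TEST exchange; deliberately not tied to the window (issue 11)."""
        self.log.append((pair, "PATH_TEST"))
        return pair in self.reachable

    def recover(self):
        """Reply missing: probe other pairs (no full connectivity assumed, issue 17), then retransmit."""
        for pair in product(self.local, self.remote):
            if pair != self.path and self.path_test(pair):
                self.path = pair
                name, self.outstanding = self.outstanding, None   # retransmission reuses the slot
                return self.send_request(name)
        return False

def request_with_failover(init, name):
    """Send a request; if no reply comes back, fail over and return the pair that finally carried it."""
    if init.send_request(name):
        return init.path
    return init.path if init.recover() else None
```

The blocked request may itself be the CHANGE_PATH, which is the case issue 16 calls out; because PATH_TEST is not counted against the window, the initiator can still find a working pair while that request sits unanswered.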

Slide 18: Issue 19
“Should IPsec traffic in both directions use the same pair of addresses (in stable situations)?”
– If the initiator wants it so (= usually yes)
– Allows working with stateful packet filters and NATs

Slide 19: Open things in MOPO-IKE
Level of support for responder address changes with NATs
– Some cases simply can’t be made to work (with existing NATs)
– Some cases work easily without really needing anything extra
– Still other cases can be made to work with extra effort and added protocol complexity
Current approach: don’t care about responder address changes with NATs → don’t handle the difficult cases

Slide 20: Conclusions & moving forward
Some folks are really interested in shipping implementations of MOBIKE
– Do not care about protocol details as long as it works (with some definition of “working”) and is simple enough to implement
A protocol for handling just the initiator mobility case would be really simple, but we decided to include multihoming aspects too
“Initiator decides” makes the former case simple while still handling the latter

Slide 21: Conclusions & moving forward
Our goal should be to get the protocol done to enable interoperable implementations
– Not solve all possible problems in one shot (“Make it as simple as possible, but not simpler”)
– Not make the protocol perfect or explore all possible alternatives before deciding (good enough is better than perfect)