Draft-ietf-mobileip-vpn-problem-solution-02 Sami Vaarala Netseal.

Presentation transcript:

Outline
– Design team conclusions and rationale
– Three layer solution
– Summary and status of solution draft
– Optimizations and improvements

Design team conclusions and rationale
Decided to document base approach
– Favor solution with minimal changes to standards
– Optimizations considered (but postponed)
We need an internal home agent
– The MN needs to be able to move inside
– But overhead of always tunnelling to the DMZ was considered to be too high
We need an external mobility agent
– IPsec does not have standardized mobility (SA endpoint update), and we want "seamless" mobility even when outside
– We need to support FAs in the external networks => the lowest layer must speak MIP
Some problems left out of scope for now
– E.g. networks with only HTTP access

Three layer solution – Topology
Topology figure: MN and CN; Firewall, External Home Agent, VPN gateway and DMZ between the External network and the Internal network (e.g. corporate network); Internal Home Agent in the internal network. Tunnels shown: External MIPv4 tunnel, IPsec tunnel, Internal MIPv4 tunnel.

Three layer solution – MN inside (1)
Sequence diagram (MN, Ext. HA, Int. HA, VPN GW, CN): RRQ, RRP, RRQ (dereg.), RRP; Internal MIP tunnel OK; Data traffic (w/ reverse tunnelling).
– If external HA responds, deregister

Three layer solution – MN inside (2)
Sequence diagram (MN, Ext. HA, Int. HA, VPN GW, CN): MN moves and gets a new care-of address; RRQ, RRP; Internal MIP tunnel OK; Data traffic (w/ reverse tunnelling).

Three layer solution – MN outside (1)
Sequence diagram (MN, Ext. HA, Int. HA, VPN GW, CN): RRQ, RRP: External MIP tunnel OK; IKE + VPN address assignment: IPsec tunnel OK; RRQ, RRP: Internal MIP tunnel OK; Data packets (w/ reverse tunnelling).
– All data goes through the internal HA, even if CN is outside

Three layer solution – MN outside (2)
Sequence diagram (MN, Ext. HA, Int. HA, VPN GW, CN): Data packets (w/ reverse tunnelling); MN moves and gets a new care-of address; RRQ, RRP: External MIP tunnel OK; Data packets (w/ reverse tunnelling).

Three layer solution – Pros and Cons
Pros
– Only mobile node aware of solution
– No changes to IPsec or Mobile IPv4 standards
– Existing VPN, HA, FA boxes can be used
Cons
– Overhead (latency, packet size)
– Three layers to manage (e.g. authentication)
– Software complexity
Three layers != three boxes
– Combined VPN+HA box possible

Summary of the solution draft
Solution draft
– Applicability statement of MIPv4 & IPsec
– for enterprise mobile users
– only imposes requirements on the mobile node
What's there in addition to standards?
– Scenarios, message and packet diagrams
– Network detection requirements and basic algorithm: important because it has a major security impact! Double registration; trust (only) the internal HA reply
– Other security considerations
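The network-detection rule on this slide (double registration, trust only the internal HA reply), modelled in Python as an added example that is not part of the draft or the slides. The reply layout, the home address 10.0.0.5 and the shared key are constructed stand-ins, and HMAC-MD5 over the reply fields stands in for the MIPv4 Mobile-Home Authentication Extension; the point shown is that a missing, forged, replayed or external-only reply fails safe to "outside", so traffic never bypasses the IPsec tunnel by mistake.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key standing in for the MN-HA shared secret behind the
# MIPv4 Mobile-Home Authentication Extension (HMAC-MD5 in RFC 3344).
MN_HA_KEY = b"constructed-mn-ha-secret"


@dataclass
class RegReply:
    """Simplified Registration Reply (RRP); field layout is constructed, not RFC 3344's."""
    source: str            # "internal_ha" or "external_ha"
    home_addr: str
    identification: int    # replay-protection value echoed from the MN's RRQ
    auth: bytes            # authenticator over the other fields


def authenticator(source: str, home_addr: str, identification: int, key: bytes = MN_HA_KEY) -> bytes:
    msg = f"{source}|{home_addr}|{identification}".encode()
    return hmac.new(key, msg, hashlib.md5).digest()


def make_reply(source: str, home_addr: str, identification: int, key: bytes = MN_HA_KEY) -> RegReply:
    return RegReply(source, home_addr, identification, authenticator(source, home_addr, identification, key))


def reply_is_genuine(reply: RegReply, expected_id: int) -> bool:
    # Reject stale or replayed replies first, then check the authenticator in constant time.
    if reply.identification != expected_id:
        return False
    expected = authenticator(reply.source, reply.home_addr, reply.identification)
    return hmac.compare_digest(reply.auth, expected)


def detect_location(replies: list, expected_id: int):
    """Double registration: the MN sent RRQs to both HAs; decide inside/outside.

    Only a fresh, authenticated reply from the internal HA proves "inside".
    Anything else (no reply, forged reply, replay, external HA reply alone)
    yields "outside", the conservative choice that keeps IPsec in the path.
    """
    internal_ok = any(r.source == "internal_ha" and reply_is_genuine(r, expected_id) for r in replies)
    if internal_ok:
        actions = ["use internal MIP tunnel"]
        if any(r.source == "external_ha" for r in replies):
            actions.append("deregister with external HA")   # "if external HA responds, deregister"
        return "inside", actions
    return "outside", ["keep external MIP tunnel", "IKE + VPN address assignment",
                       "register with internal HA through the IPsec tunnel"]
```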

Solution draft status
-02
– Missing minor comments from design team
– Security review by Radia pending
Plan
– Final design team round => -03
– Working group review => -04
– Last call

Optimizations and improvements
Scoped outside base solution draft
– Interesting because of base solution overhead
– Worst case – 129 octets / packet (really the worst case: NAT on each layer)
Approaches collapse tunnelling some way
– Combined VPN/FA device
– IPsec mobility SA endpoint update
– Zero-overhead MIP tunnelling address switching
Improve security of network detection

Thank you! Questions ?