Mobile IPv4 – Diameter Draft Status Tom Hiller Lucent Technologies.
AAA-Keys and MIP-Diameter Status
Thomas Narten performed an in-depth review.
Thomas made suggestions for terminology improvement in MIP-Diameter, which have been acted upon. The draft will be resubmitted.
–In IESG review.
Thomas is currently reviewing the AAA-Keys MIP extension names.
–Next step is to start an IETF last call.
The remaining slides address issues and highlight changes since the last IETF meeting.

Issue 386
Rationale/Explanation of issue:
1.6: What is a "preconfigured shared security association"? Do you mean a preshared secret? A security association comprises far more than just a key.
–There is new nomenclature.
I have not evaluated the security of the scheme in this section, since it depends on another draft, and possibly on the security of MobileIP itself. Can we really even consider this draft until those are done?
–The AAA-Keys draft is in Publication Requested.
1.10: What firewall rules? Are the agents supposed to tell their local firewalls to open up some holes?
–The administrator needs to open up such holes.
5.2: 64 bits is not sufficient for a key. Why not just mandate 128, instead of strongly recommending it?
–Done.
5: I confess that it still isn't clear to me how the home and foreign agents know authoritatively who each other are. Then again, that's always been my main complaint about AAA. But here they're handing out keys.
–The draft uses TLS or IPSec to authenticate the mobility agents and to protect the keys from being seen by agents without a need to know. (The above comment is from two years ago, and the draft has changed considerably since.)

Issue 432
Rationale/Explanation of issue:
Section 4.0 of draft-ietf-aaa-diameter-mobileip-14.txt says that the MIP-Home-Agent-Host AVP is of type DiameterIdentity:

MIP-Home-Agent-Host   DiamIdent   MUST: M   MAY: P   SHOULD NOT: (none)   MUST NOT: V   Encr: N

On the other hand, in Section 4.11 the same AVP is defined as type Grouped:

MIP-Home-Agent-Host ::= { Destination-Realm }
                        { Destination-Host }
                      * [ AVP ]

Which is correct?
–The second case is correct; the first case will be fixed.
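To make the difference between the two definitions concrete, here is an added example (not from the draft or the slides) that encodes MIP-Home-Agent-Host in the Grouped form and parses it back, with length checks so that a malformed AVP cannot drive the parser outside its data. The Destination-Realm and Destination-Host codes are the Diameter base protocol values; the MIP-Home-Agent-Host code is an assumption (348 in the published RFC 4004) and is not stated on the slide.

```python
import struct

# AVP codes from the Diameter base protocol; the MIP-Home-Agent-Host code
# (348 in the published RFC 4004) is an assumption, not stated on the slide.
DESTINATION_REALM = 283
DESTINATION_HOST = 293
MIP_HOME_AGENT_HOST = 348
FLAG_M = 0x40  # Mandatory ('M') bit

def encode_avp(code, data, flags=FLAG_M):
    """AVP header (code, flags, 24-bit length incl. header) + data padded to 32 bits."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def encode_home_agent_host(realm, host):
    """Grouped form (the correct one per Issue 432): the AVP's data is itself
    a Destination-Realm AVP followed by a Destination-Host AVP."""
    members = encode_avp(DESTINATION_REALM, realm.encode())
    members += encode_avp(DESTINATION_HOST, host.encode())
    return encode_avp(MIP_HOME_AGENT_HOST, members)

def parse_avps(buf):
    """Split a byte string into (code, flags, data) triples. Lengths shorter
    than a header or running past the buffer are rejected, so a malformed
    grouped AVP cannot make the parser read outside its own data."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if flags & 0x80:  # 'V' bit set: 12-byte vendor header, not used here
            raise ValueError("vendor-specific AVP not expected")
        if length < 8 or off + length > len(buf):
            raise ValueError("AVP length out of range")
        out.append((code, flags, buf[off + 8:off + length]))
        off += length + (-length % 4)
    return out

def decode_home_agent_host(avp):
    """Decode MIP-Home-Agent-Host as Grouped and return its realm and host."""
    (code, _, data), = parse_avps(avp)
    if code != MIP_HOME_AGENT_HOST:
        raise ValueError("not a MIP-Home-Agent-Host AVP")
    inner = {c: d.decode() for c, _, d in parse_avps(data)}
    return {"realm": inner[DESTINATION_REALM], "host": inner[DESTINATION_HOST]}
```

Feeding the flat DiameterIdentity encoding (`encode_avp(MIP_HOME_AGENT_HOST, b"ha1.example.com")`) to the Grouped decoder fails the length check, which is why a peer built from Section 4.0 cannot interoperate with one built from Section 4.11.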

Issue 445
The document is incomprehensible. …
–Introduction rewritten.

IESG Review
Steve Bellovin: Section 2.2 writes “Security considerations may require that the HAR be sent directly from the AAAH to the HA without the use of intermediary Diameter agents. This requires that a security association between the AAAH and HA be established, as in Figure 4.”
–If the HA is in the foreign network, how does the AAAH get suitable information to set up a secure session?
The AAAH gets the HA identity in the candidate HA AVP from the visited network. The HA accepts the IPSec/TLS connection from the AAAH if the AAAH is a roaming buddy or if the HA previously redirected a proxied HAR from the AAAH.

IESG Review: Symmetric Key
Historically, Mobile IP uses the same key for both directions, e.g., MN-HA and HA-MN.
–This draft follows that convention.
Question for Steve Bellovin: What is the security vulnerability of using the same key in both directions?

HA-FA Mobility Security Associations
HA-FA key scaling
–The previous draft had one HA-FA mobility security association per mobile.
–This would be a major burden on Mobile IP entities, many of which are built from routers and are therefore light on memory.
–The draft outlines a discard policy for previous HA-FA keys and SPIs between an FA and HA pair, so that there is only one such key most of the time.

When to Accept an IPSec/TLS Connection
Assuming a valid certificate, when should the AAAH (or HA) accept an IPSec or TLS request from the FA (or AAAH)?
–The AAAH accepts IPSec/TLS requests from FAs owned by roaming buddies; the HA accepts IPSec/TLS connections from AAAHs owned by roaming buddies.
–The AAAH (or HA) first receives an AMR (or HAR) from the FA (or AAAH) and responds with a redirection to itself. Subsequently the AAAH (HA) receives an IPSec/TLS connection request from the FA (AAAH) and accepts the connection. This permits transitive roaming agreements that are not reflected locally in a roaming list on the AAAH or HA.
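As an added example (not the draft's own text or code), the two acceptance rules above written as a small policy object in Python. The redirect lifetime is an assumption, the peer identity is assumed to come from the certificate that has already been validated, and the returned redirect answer is only a sketch of the Diameter result.

```python
from dataclasses import dataclass, field
import time

@dataclass
class PeerAdmission:
    """Admission policy for an AAAH deciding on FA connections (or an HA
    deciding on AAAH connections). The peer's certificate is assumed to have
    been validated already; 'peer' is the identity taken from it."""
    roaming_buddies: set                 # realms with a direct roaming agreement
    redirect_ttl: float = 300.0          # assumed: how long a redirect stays valid
    _redirected: dict = field(default_factory=dict)  # peer -> expiry time

    def on_proxied_request(self, peer, now=None):
        """Rule 2, step one: an AMR (or HAR) arrives through Diameter proxies.
        Redirect the sender to ourselves and remember that we did so, so the
        later direct connection is recognised even without a local agreement."""
        now = time.monotonic() if now is None else now
        self._redirected[peer] = now + self.redirect_ttl
        return {"result": "DIAMETER_REDIRECT_INDICATION", "redirect_host": "self"}

    def accept_connection(self, peer, peer_realm, now=None):
        """Accept the IPSec/TLS connection only under one of the slide's rules."""
        now = time.monotonic() if now is None else now
        if peer_realm in self.roaming_buddies:
            return True                   # Rule 1: peer owned by a roaming buddy
        expiry = self._redirected.get(peer)
        if expiry is not None and now <= expiry:
            return True                   # Rule 2: we redirected this peer earlier
        self._redirected.pop(peer, None)  # expired or never redirected: refuse
        return False
```

Bounding the redirect with a lifetime is the practitioner's addition here: without it, a single redirected request would admit that peer indefinitely, which the slide's transitive agreement does not require.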

FA Tunnel Address
The FA tunnel address is not authenticated in “Mobile IP Diameter”, i.e., there is no way to prove that it belongs to the actual “FA entity” that makes the AAA requests.
The draft now points out that if the FA CoA address equals the FA's AAA address used for the IPSec and TLS connections, then the FA tunnel address may be presumed to truly belong to the FA.
–However, in practice the FA AAA address differs from the FA CoA (tunnel) address. Such systems are already deployed.

New Revision
Adopts throughout terms like “MN-HA” instead of “mobile home”; this improves readability.