
Paris, August 2005 – IETF 63rd – mip6 WG
Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-00)
mip6-boot-sol DT, Gerardo Giaretta, ed.



(Slide footer: August 2005, IETF 63rd – mip6 WG, draft-ietf-mip6-bootstrapping-split-00)

Slide 2: Design Team Members
Gerardo Giaretta, Vijay Devarapalli, James Kempf, Yoshihiro Ohba, Kuntal Chowdury, Jari Arkko, Basavaraj Patil, Gopal Dommety, Alpesh Patel, Alper Yegin, Junghoon Jee, Julien Bournelle

Slide 3: Scope of the DT
draft-ietf-mip6-bootstrapping-ps defines the MIPv6 bootstrapping problem
MN requires
– HA address
– Home Address
– IPsec security associations with its Home Agent
Two scenarios
– split scenario → draft-ietf-mip6-bootstrapping-split-00
– integrated scenario → currently under study

Slide 4: Main Design Guideline
The main objective of the bootstrapping solution is the minimization of pre-configured data on the Mobile Node

Slide 5: Terminology
ASA - Access Service Authorizer
– a network operator that authenticates a mobile host and establishes the mobile host's authorization to receive Internet service
ASP - Access Service Provider
– a network operator that provides direct IP packet forwarding to and from the end host
MSA - Mobility Service Authorizer
– a service provider that authorizes Mobile IPv6 service
MSP - Mobility Service Provider
– a service provider that provides Mobile IPv6 service

Slide 6: Split scenario
Network access and mobility services are authorized by different entities
– authentication and authorization for mobility service and network access are considered separately
– this separation is a clear assumption in the problem statement draft
MIPv6 is bootstrapped independently from the authentication protocol for network access
– no leverage of protocol exchanges done during network access authentication (e.g. PANA, EAP)
– the solution for this scenario may also be applied to the integrated access network deployment model
– other optimized solutions are under study for the integrated scenario

Slide 7: Split scenario (cont'd)
In the split scenario two entities can be identified
– entity that provides the service: MSP
– entity that authenticates and authorizes the user: MSA
– similar to the roaming model for network access
Two different cases can be identified
[Figure: (a) Mobility Service Provider and Authorizer in one domain: Home Agent – AAA-HA interface – AAA-MSP Server; (b) Mobility Service Provider and Mobility Service Authorizer in separate domains: Home Agent – AAA-HA interface – AAA-MSP Server – AAA protocol – AAA-MSA Server]

Slide 8: Solution components
Home Agent Address Discovery
IPsec Security Associations setup
Home Address Assignment
Authentication and Authorization with MSA

Slide 9: HA Address Discovery
DHAAD may not be applicable
– it requires the home network prefix to be pre-configured on the MN
– it does not allow an operator to load balance by having MNs dynamically assigned to HAs located in different subnets
The solution for HA address discovery is based on a new DNS SRV record
– the only information to be pre-configured on the MN is the domain name of the MSP
– optionally, DHCP can be used when the ASP and the MSP are the same entity

Slide 10: HA Address Discovery (cont'd)
DNS lookup by Home Agent Name
– MN configured with the FQDN of the HA (e.g. ha1.example.com, where "example.com" is the domain name of the MSP)
– DNS request with QNAME == HA name and QTYPE == 'AAAA'
DNS lookup by service name
– RFC 2782 defines the service resource record (SRV RR)
– service name == "mip6"
– protocol name == "ipv6"
– no transport name required
– if multiple HAs are available in the DNS SRV record, the MN is responsible for picking one Home Agent
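The service-name lookup above, worked through as an added example (not code from the draft or the design team): the MN builds the RFC 2782 QNAME from the MSP domain, orders the SRV answer by priority and weight to pick one HA, and resolves the chosen target with an AAAA query. The SRV and AAAA answers are constructed; `randint` is injectable so the weighted choice can be made deterministic.

```python
"""Home Agent discovery by service name (slide 10), as a constructed example:
SRV lookup of _mip6._ipv6.<MSP domain>, RFC 2782 ordering by priority and
weight to pick one HA, then an AAAA lookup of the chosen target."""
import random
from dataclasses import dataclass

@dataclass
class SrvRecord:
    priority: int
    weight: int
    target: str   # port omitted: mip6 names no transport

# Constructed SRV answer for _mip6._ipv6.example.com. and AAAA answers for its targets.
SAMPLE_SRV = [
    SrvRecord(10, 60, "ha1.example.com."),
    SrvRecord(10, 40, "ha2.example.com."),
    SrvRecord(20, 0, "ha-backup.example.com."),
]
SAMPLE_AAAA = {"ha1.example.com.": "2001:db8:a::1", "ha2.example.com.": "2001:db8:a::2"}

def srv_query_name(msp_domain: str) -> str:
    """QNAME for the SRV lookup: service 'mip6', protocol 'ipv6', no transport."""
    return f"_mip6._ipv6.{msp_domain.rstrip('.')}."

def order_home_agents(records, randint=random.randint):
    """RFC 2782 order: lowest priority first; within one priority, weighted random
    selection without replacement, weight-0 records placed first. randint(a, b) is
    injectable so the choice can be made deterministic."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r.target)
                    pool.remove(r)
                    break
    return ordered

def pick_home_agent(msp_domain, srv_answers, aaaa_answers, randint=random.randint):
    """Return (qname, chosen HA name, its AAAA address); skips targets lacking an AAAA."""
    qname = srv_query_name(msp_domain)
    for target in order_home_agents(srv_answers, randint):
        if target in aaaa_answers:
            return qname, target, aaaa_answers[target]
    return qname, None, None
```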

Slide 11: IPsec SAs setup
IPsec SAs setup through IKEv2
– based on draft-ietf-mip6-ikev2-ipsec
IKEv2 peer authentication
– public key signatures or EAP
– choice of an IKEv2 peer authentication method depends on the deployment
– IKEv2 restricts the HA to MN authentication to use public key signature based authentication

Slide 12: Home Address Assignment
Home Address is assigned by the Home Agent during the IKEv2 exchange
– based on draft-ietf-mip6-ikev2-ipsec
Exchange shown on the slide:
MN → HA: HDR, SK {IDi, […], AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr}
HA → MN: HDR, SK {IDr, […], AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
(the Home Address is carried in the INTERNAL_IP6_ADDRESS configuration attribute)

Slide 13: Home Address Assignment (cont'd)
MN may also auto-configure its Home Address
– stateless auto-configuration, CGA, privacy addresses
MN may include a proposed HoA in the INTERNAL_IP6_ADDRESS attribute
– the MN must be provided with a pre-configured home prefix and home prefix length
A new attribute is defined for HoA auto-configuration
– in case the MN is not provided with home prefix and home prefix length
– MIP6_HOME_PREFIX attribute used in CFG_REQUEST and CFG_REPLY

Slide 14: Home Address Assignment (cont'd)
MIP6_HOME_PREFIX attribute
[Figure: MIP6_HOME_PREFIX attribute format]

Slide 15: Home Address Assignment (cont'd)
During the IKE_AUTH exchange the MN includes the MIP6_HOME_PREFIX attribute in the CFG_REQUEST
HA includes in the CFG_REPLY payload prefix information for one prefix on the home link
– prefix length is included
– if other prefixes are needed MPD should be used
– if auto-configuration is not allowed, the HA includes a Notify Payload of type "USE_ASSIGNED_HoA" and the HoA in an INTERNAL_IP6_ADDRESS attribute
MN auto-configures a Home Address and runs a CREATE_CHILD_SA exchange to create an SA for the new HoA
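The HA-side decision logic of slides 12 to 15, as an added example (not code from the draft or the design team): given the CFG_REQUEST attributes, the HA either hands out the home prefix for auto-configuration, assigns a HoA with a USE_ASSIGNED_HoA Notify when auto-configuration is not allowed, or accepts or replaces a HoA the MN proposed in INTERNAL_IP6_ADDRESS. The home prefix, the address pool and the on-link/unused check on a proposed HoA are assumptions, not text from the draft; the wire format of the attributes is not modelled.

```python
"""HA-side handling of the IKE_AUTH configuration payload for Home Address
assignment (slides 12-15), as a constructed model. Attribute names are those on
the slides; the wire format is not modelled."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

HOME_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")   # constructed home link

@dataclass
class HoaAssigner:
    home_prefix: ipaddress.IPv6Network = HOME_PREFIX
    allow_autoconf: bool = True        # may the MN auto-configure its HoA?
    used: set = field(default_factory=set)
    next_index: int = 0x100            # start of the assumed HA address pool

    def assign(self) -> ipaddress.IPv6Address:
        """Allocate the next unused HoA from the home prefix."""
        while True:
            addr = self.home_prefix[self.next_index]
            self.next_index += 1
            if addr not in self.used:
                self.used.add(addr)
                return addr

    def handle_cfg_request(self, req: dict) -> tuple[dict, str | None]:
        """Build CFG_REPLY attributes (and a Notify type, or None) from CFG_REQUEST."""
        if "MIP6_HOME_PREFIX" in req:
            if self.allow_autoconf:
                # One home-link prefix with its length; the MN then auto-configures
                # a HoA and runs CREATE_CHILD_SA for it (slide 15).
                return {"MIP6_HOME_PREFIX": (str(self.home_prefix.network_address),
                                             self.home_prefix.prefixlen)}, None
            return {"INTERNAL_IP6_ADDRESS": str(self.assign())}, "USE_ASSIGNED_HoA"
        proposed = req.get("INTERNAL_IP6_ADDRESS")
        if proposed:
            cand = ipaddress.IPv6Address(proposed)
            # Assumed HA policy: accept a proposed HoA only if it is on the home
            # link, not the subnet-router anycast address, and not already bound.
            if (cand in self.home_prefix and cand not in self.used
                    and cand != self.home_prefix.network_address):
                self.used.add(cand)
                return {"INTERNAL_IP6_ADDRESS": str(cand)}, None
        # Empty or unacceptable proposal: the HA assigns the HoA (slide 12).
        return {"INTERNAL_IP6_ADDRESS": str(self.assign())}, None

def mn_autoconfigure(reply: dict, iid: int) -> str:
    """MN side: HoA from the MIP6_HOME_PREFIX in CFG_REPLY plus a given interface id."""
    prefix, plen = reply["MIP6_HOME_PREFIX"]
    return str(ipaddress.IPv6Network(f"{prefix}/{plen}")[iid])
```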

Slide 16: Authentication and Authorization with MSA
The user must be authenticated and the mobility service authorized in order for the MSA to grant the service
Different ways depending on the credentials used by the MN during the IKEv2 peer authentication and on the backend infrastructure (PKI or AAA)
– draft-ietf-mip6-aaa-ha-goals-00

Slide 17: Home Address registration in the DNS
DNS needs to be updated with the new HoA
– needed for the MN to be reachable at the new address
– DNS update is essential for providing IP reachability to the MN, which is the main purpose of the Mobile IPv6 protocol
DNS update must be performed securely
– the node performing this update must share a security association with the DNS server
– MN cannot update the DNS by itself, to prevent redirection-based flooding attacks (i.e. address ownership issues)

Slide 18: Home Address registration in the DNS (cont'd)
HA performs DNS update on behalf of the MN
– MN includes a new mobility option, the DNS Update option, with the flag R not set in the Binding Update
AAA server of the MSA performs DNS update if the MN wants to be reachable through a FQDN that belongs to the MSA
– the Home Agent and the DNS server that must be updated belong to different administrative domains
– the Home Agent sends to the AAA-MSA server the FQDN-HoA pair through the AAA protocol
– out of scope of the DT

Slide 19: Home Address registration in the DNS (cont'd)
DNS Update mobility option
– R flag used to request the removal of the DNS entry
– separate Status namespace for DNS update
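The DNS registration flow of slides 17 to 19, as an added example (not code from the draft or the design team): the HA receives the DNS Update option in a Binding Update, checks that the HoA really belongs to the authenticated MN (the address-ownership concern that is the reason the MN does not update the DNS itself), applies the add or, with the R flag, the removal to the zone it has a security association with, and hands names in another domain to the AAA-MSA server. The status names, the binding table and the dict standing in for the zone are assumptions; the draft's own option layout and Status values are not on the slides.

```python
"""HA processing of the DNS Update mobility option carried in a Binding Update
(slides 17-19), as a constructed model. Status names, the binding table and the
zone dict are assumptions; the draft's option layout is not on the slides."""
from dataclasses import dataclass, field

@dataclass
class DnsUpdateOption:
    fqdn: str
    remove: bool = False      # R flag: request removal of the DNS entry

@dataclass
class HomeAgentDnsUpdater:
    managed_domain: str = "example.com."            # zone reachable over the HA's SA
    bindings: dict = field(default_factory=dict)    # HoA -> authenticated MN identity
    zone: dict = field(default_factory=dict)        # FQDN -> HoA (stands in for the DNS)
    forwarded: list = field(default_factory=list)   # (FQDN, HoA) pairs handed to AAA-MSA

    def process_binding_update(self, mn_id: str, hoa: str, opt: DnsUpdateOption) -> str:
        """Return the DNS-update status for one BU carrying the option."""
        # The MN never writes the DNS itself; the HA checks address ownership first,
        # so a BU cannot point a name at a HoA the sending MN does not hold.
        if self.bindings.get(hoa) != mn_id:
            return "REJECTED_NOT_HOA_OWNER"
        if not opt.fqdn.endswith("." + self.managed_domain):
            # Name in another domain (e.g. the MSA's): the HA passes the FQDN-HoA
            # pair to the AAA-MSA server over the AAA protocol, which does the update.
            self.forwarded.append((opt.fqdn, hoa))
            return "FORWARDED_TO_AAA_MSA"
        current = self.zone.get(opt.fqdn)
        if current is not None and self.bindings.get(current) != mn_id:
            return "REJECTED_NAME_OWNED_BY_OTHER_MN"
        if opt.remove:
            if current is None:
                return "NO_SUCH_ENTRY"
            del self.zone[opt.fqdn]
            return "REMOVED"
        self.zone[opt.fqdn] = hoa
        return "UPDATED"
```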

