draft-ietf-mobileip-vpn-problem-solution-02
Sami Vaarala, Netseal
Outline
- Design team conclusions and rationale
- Three layer solution
- Summary and status of the solution draft
- Optimizations and improvements
Design team conclusions and rationale
- Decided to document the base approach
  – Favour a solution with minimal changes to existing standards
  – Optimizations considered (but postponed)
- We need an internal home agent
  – The MN needs to be able to move inside the corporate network
  – The overhead of always tunnelling to the DMZ was considered too high
- We need an external mobility agent
  – IPsec has no standardized mobility (SA endpoint update), and we want "seamless" mobility even when outside
  – We need to support FAs in the external networks => the lowest layer must speak MIP
- Some problems left out of scope for now
  – E.g. networks with only HTTP access
Three layer solution – Topology
[Figure: three zones, external network / DMZ / internal network (e.g. corporate network). Elements shown: MN, CN, External Home Agent, Firewall, VPN, Internal Home Agent. Three nested tunnels: external MIPv4 tunnel, IPsec tunnel, internal MIPv4 tunnel.]
Three layer solution – MN inside (1)
[Sequence diagram; participants: MN, Ext. HA, Int. HA, VPN GW, CN]
1. MN sends RRQ (double registration: to the internal HA and to the external HA)
2. Int. HA answers RRP => internal MIP tunnel OK
3. If the external HA also responds with an RRP, MN sends RRQ (dereg.) to the external HA
4. Data traffic (w/ reverse tunnelling)
Three layer solution – MN inside (2)
[Sequence diagram; participants: MN, Ext. HA, Int. HA, VPN GW, CN]
1. MN sends RRQ; Int. HA answers RRP => internal MIP tunnel OK
2. Data traffic (w/ reverse tunnelling)
3. MN moves and gets a new care-of address
4. MN sends RRQ again (re-registration with the internal HA from the new care-of address)
Three layer solution – MN outside (1)
[Sequence diagram; participants: MN, Ext. HA, Int. HA, VPN GW, CN]
1. MN sends RRQ to Ext. HA; Ext. HA answers RRP => external MIP tunnel OK
2. MN runs IKE with the VPN GW, including VPN address assignment => IPsec tunnel OK
3. MN sends RRQ to Int. HA (through the IPsec tunnel); Int. HA answers RRP => internal MIP tunnel OK
4. Data packets (w/ reverse tunnelling)
Note: all data goes through the internal HA, even if the CN is outside
Three layer solution – MN outside (2)
[Sequence diagram; participants: MN, Ext. HA, Int. HA, VPN GW, CN]
1. External MIP tunnel OK; data packets (w/ reverse tunnelling)
2. MN moves and gets a new care-of address
3. MN sends RRQ to Ext. HA; Ext. HA answers RRP => external MIP tunnel OK (no messages to the VPN GW or Int. HA are shown for the move)
4. Data packets resume (w/ reverse tunnelling)
Three layer solution – Pros and cons
- Pros
  – Only the mobile node is aware of the solution
  – No changes to the IPsec or Mobile IPv4 standards
  – Existing VPN, HA and FA boxes can be used
- Cons
  – Overhead (latency, packet size)
  – Three layers to manage (e.g. authentication)
  – Software complexity
- Three layers != three boxes
  – A combined VPN+HA box is possible
Summary of the solution draft
- Solution draft
  – Applicability statement for MIPv4 & IPsec
  – for enterprise mobile users
  – only imposes requirements on the mobile node
- What is there in addition to the standards?
  – Scenarios, message and packet diagrams
  – Network detection requirements and a basic algorithm
    Important because it has a major security impact: double registration, trust (only) the internal HA reply
  – Other security considerations
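To make the network-detection rule on this slide (and the "MN inside (1)" sequence above) concrete, here is an added illustration, not code from the draft or from Netseal: a mobile node that has sent its double registration collects the RRPs it received and decides whether it is inside or outside. Only an authenticated, accepted reply from the internal HA that echoes the Identification of the MN's own RRQ counts as "inside"; if the external HA also answered, the MN then deregisters there. The message fields, key names and the HMAC-SHA256 MAC are assumptions standing in for MIPv4's Mobile-Home authentication extension, and all replies are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added illustration of the MN's double registration and network detection
# rule (not the draft's message format). Shared keys are constructed sample
# values; the MAC is HMAC-SHA256 over a few reply fields, standing in for the
# MIPv4 Mobile-Home authentication extension.
INTERNAL_HA_KEY = b"mn<->internal-ha shared secret (constructed)"
EXTERNAL_HA_KEY = b"mn<->external-ha shared secret (constructed)"
CODE_ACCEPTED = 0  # MIPv4 RRP code 0 = registration accepted


@dataclass(frozen=True)
class RegistrationReply:
    ha: str                 # "internal" or "external" (assumed label, not a MIPv4 field)
    code: int
    identification: bytes   # must echo the RRQ's Identification (replay protection)
    mac: bytes


def _mac(key: bytes, ha: str, code: int, identification: bytes) -> bytes:
    return hmac.new(key, ha.encode() + bytes([code]) + identification, hashlib.sha256).digest()


def make_rrp(ha: str, key: bytes, code: int, identification: bytes) -> RegistrationReply:
    """Build an RRP as a home agent (or an impostor holding `key`) would."""
    return RegistrationReply(ha, code, identification, _mac(key, ha, code, identification))


def rrp_is_authentic(rrp: RegistrationReply, key: bytes, sent_identification: bytes) -> bool:
    """Accept a reply only if it echoes our RRQ's Identification and its MAC verifies."""
    if rrp.identification != sent_identification:
        return False  # stale or replayed reply, even if the MAC is valid
    return hmac.compare_digest(rrp.mac, _mac(key, rrp.ha, rrp.code, rrp.identification))


def detect_network(replies, sent_identification: bytes):
    """Decide inside/outside from the replies to a double registration.

    Returns (location, actions). Only an authenticated, accepted reply from the
    internal HA is proof of being inside; an external-HA reply alone, or an
    unauthenticated "internal" reply, means outside.
    """
    internal_ok = any(
        r.ha == "internal" and r.code == CODE_ACCEPTED
        and rrp_is_authentic(r, INTERNAL_HA_KEY, sent_identification)
        for r in replies)
    external_ok = any(
        r.ha == "external" and r.code == CODE_ACCEPTED
        and rrp_is_authentic(r, EXTERNAL_HA_KEY, sent_identification)
        for r in replies)
    if internal_ok:
        actions = ["use internal MIP tunnel"]
        if external_ok:
            actions.append("send RRQ (dereg.) to external HA")  # as in "MN inside (1)"
        return "inside", actions
    if external_ok:
        return "outside", ["keep external MIP tunnel", "run IKE with VPN GW",
                           "register with internal HA through IPsec"]
    return "unknown", ["retry registration"]


def demo():
    ident = os.urandom(8)  # Identification sent in this MN's RRQs
    genuine = make_rrp("internal", INTERNAL_HA_KEY, CODE_ACCEPTED, ident)
    external = make_rrp("external", EXTERNAL_HA_KEY, CODE_ACCEPTED, ident)
    spoofed = make_rrp("internal", b"attacker does not hold the key", CODE_ACCEPTED, ident)
    replayed = make_rrp("internal", INTERNAL_HA_KEY, CODE_ACCEPTED, os.urandom(8))
    return {
        "inside": detect_network([external, genuine], ident),
        "spoofed internal reply": detect_network([external, spoofed], ident),
        "replayed internal reply": detect_network([external, replayed], ident),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The two rejected cases are why the slide calls detection security-critical: deciding "inside" is what makes the MN skip the IPsec layer, so a reply that merely looks like it came from the internal HA must not be enough to reach that decision.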
Solution draft status
- -02
  – Missing minor comments from the design team
  – Security review by Radia pending
- Plan
  – Final design team round => -03
  – Working group review => -04
  – Last call
Optimizations and improvements
- Scoped outside the base solution draft
  – Interesting because of the base solution's overhead
  – Worst case: 129 octets / packet
    Really the worst case: NAT on each layer
- The approaches collapse the tunnelling in some way
  – Combined VPN/FA device
  – IPsec mobility (SA endpoint update)
  – Zero-overhead MIP tunnelling (address switching)
- Improve the security of network detection
Thank you! Questions?