
Vancouver, November 2005

Vancouver, November 2005. IETF 64th – mip6 WG. Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-01). Gerardo Giaretta, James Kempf, Vijay Devarapalli and the mip6-boot-sol DT. Scope of the DT.





Presentation Transcript


  1. Vancouver, November 2005
     IETF 64th – mip6 WG
     Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-01)
     Gerardo Giaretta, James Kempf, Vijay Devarapalli and the mip6-boot-sol DT

  2. Scope of the DT
     • draft-ietf-mip6-bootstrapping-ps defines the MIPv6 bootstrapping problem
     • MN requires
       • HA address
       • Home Address
       • IPsec security associations with its Home Agent
     • Two scenarios
       • split scenario → draft-ietf-mip6-bootstrapping-split-01
       • integrated scenario → draft-ietf-mip6-bootstrapping-integrated-dhc-00 (see next presentation)

  3. Summary of the solution (1)
     • Home Agent Address Discovery
       • based on HA name or on a new DNS SRV record
     • IPsec Security Associations setup
       • based on IKEv2 and optionally on EAP over IKEv2 (draft-ietf-mip6-ikev2-ipsec)
     • Home Address Assignment
       • based on IKEv2 INTERNAL_IP6_ADDRESS attribute for HoA assignment
       • MIP6_HOME_PREFIX attribute for auto-configuration

  4. Summary of the solution (2)
     • Authentication and Authorization with MSA
       • based on AAA or PKI
     • Home Address registration in the DNS
       • HA performs DNS update on behalf of the MN
       • MN includes a new mobility option, the DNS Update option, with the flag R not set in the Binding Update
     • The solution defined in the draft can be used both for split and integrated scenarios
       • the solution does not require updates on the access network equipment

  5. Status
     • Received many reviews
       • deep reviews from Jari Arkko and Francis Dupont
     • Some issues raised
       • 6 editorial issues
       • 3 technical issues
       • all issues have been closed or have a proposed resolution
       • see http://www.mip4.org/issues/tracker/mip6/ for details about all issues and their resolution

  6. Issue 48 - HA discovery and load balancing
     • Issue
       • the draft is not clear about the possibility to perform load balancing in HA discovery and assignment
       • using the DNS solution an operator cannot do per-node load balancing, that is, it cannot be sure to allocate a specific HA to a specific MN
     • Resolution
       • new text in section 5.1
       • “This document does not provide a specific mechanism to load balance different Mobile Nodes among Home Agents. It is possible for an MSP to achieve coarse-grained load balancing by dynamically updating the SRV RR priorities to reflect the current load on the MSP's collection of Home Agents. Mobile Nodes then use the priority mechanism to preferentially select the least loaded HA. The effectiveness of this technique depends on how much of a load it will place on the DNS servers, particularly if dynamic DNS is used for frequent updates.”
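The SRV-based HA discovery of slide 3 and the coarse-grained load balancing of the Issue 48 resolution both come down to how a Mobile Node orders the SRV records it gets back. The following Python is an added example, not code from the draft or from the presenters: it implements the RFC 2782 priority/weight selection on the MN side, plus an MSP-side helper that rewrites priorities from a per-HA load figure, which is the mechanism the quoted text describes. The SRV owner name `_mip6._ipv6.example.com`, the HA host names, the port and the load values are constructed sample data, not from the slides.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SRVRecord:
    """One DNS SRV resource record (RFC 2782 fields)."""
    priority: int   # lower value is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str


# Constructed answer set for an assumed owner name _mip6._ipv6.example.com
# (the name is a stand-in; the slides only say "a new DNS SRV record").
SAMPLE_SRV = [
    SRVRecord(priority=20, weight=10, port=500, target="ha3.example.com."),
    SRVRecord(priority=10, weight=0, port=500, target="ha1.example.com."),
    SRVRecord(priority=10, weight=100, port=500, target="ha2.example.com."),
]


def order_home_agents(records, rng=random):
    """MN side: order SRV records per RFC 2782.

    All records of the lowest priority come first; within one priority the
    order is a weighted random draw, with weight-0 records given only a
    small chance.  `rng` needs a randint(lo, hi) method; it is injectable so
    the selection can be tested deterministically.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # RFC 2782: put weight-0 records at the front of the running-sum list
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                chosen = group[rng.randint(0, len(group) - 1)]
            else:
                pick = rng.randint(0, total)
                running = 0
                for rec in group:
                    running += rec.weight
                    if running >= pick:
                        chosen = rec
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def select_home_agent(records, rng=random):
    """Return the target the MN should contact first, or None if no records."""
    ordered = order_home_agents(records, rng)
    return ordered[0].target if ordered else None


def reprioritize_by_load(records, load_by_target):
    """MSP side: the coarse-grained scheme from the Issue 48 resolution.

    `load_by_target` maps an HA name to a load in [0.0, 1.0]; the priority
    is rewritten so the least loaded HA gets the lowest (best) value.  A
    real MSP would push the result via dynamic DNS; here it is just returned.
    """
    return [
        replace(r, priority=round(100 * load_by_target.get(r.target, 0.0)))
        for r in records
    ]


if __name__ == "__main__":
    print("MN order:", [r.target for r in order_home_agents(SAMPLE_SRV)])
    load = {"ha1.example.com.": 0.9, "ha2.example.com.": 0.5, "ha3.example.com.": 0.1}
    rebalanced = reprioritize_by_load(SAMPLE_SRV, load)
    print("after load update:", [r.target for r in order_home_agents(rebalanced)])
```

Two points the slides raise fall out of the code: per-node assignment is impossible because the MN, not the MSP, makes the final choice, and every load change means a DNS update, which is why the resolution text worries about the load placed on the DNS servers.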

  7. Issue 50 - Identity in HoA config.
     • Issue
       • the identity given in EAP-based authentication is not necessarily something that you can tie a long-term home address identity to (e.g. a pseudonym in EAP-SIM)
     • Discussion
       • even though the MN uses a pseudonym or a privacy NAI, it is mapped to the actual identity of the node in the home network
       • if the MN changes privacy NAI when it changes the access network (keeping the same HoA and HA), it still has an IPsec SA with the HA and does not need to perform an EAP exchange again
     • Solution
       • the issue is not specific to MIP6 and has been rejected

  8. Issue 51 - CGA check
     • Issue
       • the draft describes a solution that lets the MN configure a CGA Home Address
       • should the home agent check the ownership?
     • Discussion
       • the HA may check the ownership when receiving a BU (if the MN includes a CGA option in the BU), but in that case it is orthogonal to bootstrapping
       • no reason (e.g. possible attacks) why the check should be done during the IKEv2 exchange
     • Solution
       • rejected as not related to bootstrapping

  9. Issue 52 - HoA Auth in DNS update
     • Issue
       • MN1 should not take over the DNS name of MN2
       • there is a need to authorize the use of a particular FQDN
     • Discussion
       • some AAA attributes are needed to support this authorization
       • the HA must perform an address authorization check
       • even if the address is a CGA, the HA will have to determine that the MN actually owns the FQDN
     • Solution
       • added clarifying text in sections 5.2 and 9.5
       • more text on AAA requirements is needed in draft-ietf-mip6-aaa-ha-goals
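Slide 4 says the HA performs the DNS update on behalf of the MN when the Binding Update carries a DNS Update option, and Issue 52 says the HA must first check that the MN is authorized for both the Home Address and the FQDN it asks for. The Python below is an added example of that HA-side check, written for this page and not taken from the draft or from any implementation. The option layout is reduced to an FQDN and the R flag; the AAA authorization is modelled as a constructed per-MN table (the slides only say "some AAA attributes are needed"); the status values 0, 128, 129 and 130 are the ones later published in RFC 5026 for this option and are an assumption with respect to the -01 draft discussed here; the identities and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, Optional

# DNS Update option status values, taken from RFC 5026 (the published
# version of this work); the 2005 -01 draft may have used other values.
STATUS_SUCCESS = 0
STATUS_UNSPECIFIED = 128
STATUS_ADMIN_PROHIBITED = 129
STATUS_UPDATE_FAILED = 130


@dataclass(frozen=True)
class DNSUpdateOption:
    fqdn: str        # name the MN wants bound to its HoA
    remove: bool     # the R flag: False means add/refresh (as on slide 4)


@dataclass(frozen=True)
class BindingUpdate:
    mn_identity: str              # identity established during IKEv2 (assumed field)
    home_address: IPv6Address     # HoA the BU registers
    dns_update: Optional[DNSUpdateOption]


# Constructed stand-in for the AAA-provided authorization: which FQDN and
# which HoA each authenticated MN is allowed to use.
AAA_PROFILE: Dict[str, Dict[str, object]] = {
    "mn1@example.com": {"fqdn": "mn1.example.com.", "hoa": IPv6Address("2001:db8:1::1")},
    "mn2@example.com": {"fqdn": "mn2.example.com.", "hoa": IPv6Address("2001:db8:1::2")},
}


def _canon(name: str) -> str:
    """Case-insensitive, dot-normalized FQDN for comparison."""
    return name.rstrip(".").lower() + "."


class HomeAgent:
    """Minimal HA that performs the dynamic DNS update on behalf of the MN."""

    def __init__(self, aaa_profile):
        self.aaa = aaa_profile
        self.zone: Dict[str, IPv6Address] = {}   # in-memory stand-in for the DNS zone

    def _dns_update(self, fqdn: str, addr: Optional[IPv6Address]) -> bool:
        """Stand-in for the dynamic DNS transaction; None means delete."""
        if addr is None:
            self.zone.pop(fqdn, None)
        else:
            self.zone[fqdn] = addr
        return True

    def process_binding_update(self, bu: BindingUpdate) -> int:
        """Return the status the HA would put in the DNS Update option."""
        opt = bu.dns_update
        if opt is None:
            return STATUS_SUCCESS            # plain BU, nothing to update
        profile = self.aaa.get(bu.mn_identity)
        if profile is None:
            return STATUS_ADMIN_PROHIBITED   # no authorization data for this MN
        # Address authorization check: the HoA must be the one assigned to this MN.
        if bu.home_address != profile["hoa"]:
            return STATUS_ADMIN_PROHIBITED
        # FQDN authorization: MN1 must not take over MN2's name, whatever the HoA
        # (a CGA proves address ownership, not name ownership).
        fqdn = _canon(opt.fqdn)
        if fqdn != _canon(profile["fqdn"]):
            return STATUS_ADMIN_PROHIBITED
        ok = self._dns_update(fqdn, None if opt.remove else bu.home_address)
        return STATUS_SUCCESS if ok else STATUS_UPDATE_FAILED


if __name__ == "__main__":
    ha = HomeAgent(AAA_PROFILE)
    own = BindingUpdate("mn1@example.com", IPv6Address("2001:db8:1::1"),
                        DNSUpdateOption("mn1.example.com", remove=False))
    takeover = BindingUpdate("mn1@example.com", IPv6Address("2001:db8:1::1"),
                             DNSUpdateOption("mn2.example.com", remove=False))
    print("own name:", ha.process_binding_update(own), ha.zone)
    print("MN2's name:", ha.process_binding_update(takeover), ha.zone)
```

The check is deliberately keyed on the identity the HA already authenticated in IKEv2 rather than on anything inside the BU, which is what makes the AAA attribute the only link between a node and the name it may register.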

  10. Next steps
     • Currently in WGLC
       • WGLC ends Nov. 30th
     • Please review the draft and provide feedback!
