
Julien Laganier MEXT WG, IETF-79, Nov. 2010


Presentation Transcript


  1. Julien Laganier, MEXT WG, IETF-79, Nov. 2010
     Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses
     http://tools.ietf.org/id/draft-laganier-mext-cga-01.txt

  2. Overview
     - RFC 3775 secures Binding Updates to the Home Agent with IPsec
     - RFC 4866 allows securing Binding Updates to Correspondent Nodes with a public key signature when the HoA is a CGA
     - MEXT WG rechartered to experiment with security mechanisms alternative to IPsec
     - Secure Binding Updates to the Home Agent based on CGA as well

  3. Solution
     - MN:
       - generates public-private key pair
       - generates from the public key an HoA that is a CGA
       - signs Binding Update with private key
     - HA:
       - verifies HoA ownership by verifying signature
     - Optimization: HA sends to MN a symmetric secret key to protect further Binding Updates, ciphered with the MN public key
       - Secret key used to compute MAC over BU

  4. Choices to be made
     - Is MN authorized for HA service?
       - CGA validates address ownership
       - Does not prevent any MN from creating state with an arbitrary HA
       - Solutions:
         - Provision MN with Authorization Certificates
         - HA has repository of authorized MN public keys
         - Restrict service to MN that attached to home link
     - Is MN trusted by HA: does HA verify CoA reachability with RR test?
       - Avoid third party flooding attack

  5. Choices to be made, Cont'd
     - How to provide anti-replay protection?
       - Initial Binding Creation currently protected with timestamp in BU
         - Alternative: 3-way handshake with Nonce
       - Further Binding Updates (Lifetime Extension, Handoffs, Deletion) protected with Sequence Number and symmetric secret key MAC
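The mechanics of slides 3, 4 and 5 (CGA-based HoA ownership, the authorization check that ownership alone does not give, and the sequence-number plus symmetric-key MAC for later Binding Updates), worked through as an added Python example. This is not code from the slides or from the draft. It assumes a Sec=0 CGA as in RFC 3972 (SHA-1 Hash1, no Hash2 condition), HMAC-SHA256 as the BU MAC (the draft does not fix the algorithm here), a boolean placeholder for the public-key signature over the initial BU because the standard library has no asymmetric signing, constructed prefix and key bytes, and a plain monotonic sequence-number compare that ignores 16-bit wraparound.

```python
import hashlib
import hmac
import os
import struct

# Sec=0: no Hash2 extension condition is required (RFC 3972), the cheapest CGA to generate.
SEC = 0

# Constructed sample inputs (not from the slides): a /64 home prefix and a stand-in for
# the MN's DER-encoded public key. Any byte string hashes the same way; the real thing is DER.
HOME_PREFIX = bytes.fromhex("20010db800010000")          # 2001:db8:1::/64
MN_PUBKEY_DER = b"constructed-placeholder-DER-public-key"


def cga_hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey_der: bytes) -> bytes:
    """Hash1 of RFC 3972: leftmost 64 bits of SHA-1 over the CGA Parameters structure."""
    params = modifier + prefix + bytes([collision_count]) + pubkey_der
    return hashlib.sha1(params).digest()[:8]


def interface_id(hash1: bytes, sec: int = SEC) -> bytes:
    """Write Sec into the three leftmost bits and clear the u/g bits (bits 6 and 7)."""
    first = (hash1[0] & 0x1C) | (sec << 5)
    return bytes([first]) + hash1[1:]


def generate_cga(prefix: bytes, pubkey_der: bytes) -> tuple[bytes, dict]:
    """MN side: derive a HoA from its public key; returns the address and the CGA parameters."""
    params = {"modifier": os.urandom(16), "prefix": prefix,
              "collision_count": 0, "pubkey_der": pubkey_der}
    iid = interface_id(cga_hash1(params["modifier"], prefix, 0, pubkey_der))
    return prefix + iid, params


def verify_cga(addr: bytes, params: dict) -> bool:
    """HA side: the address must equal prefix || masked Hash1 of the claimed parameters."""
    if len(addr) != 16 or params["collision_count"] > 2 or addr[:8] != params["prefix"]:
        return False
    expected = interface_id(cga_hash1(params["modifier"], params["prefix"],
                                      params["collision_count"], params["pubkey_der"]))
    return hmac.compare_digest(addr[8:], expected)


def bu_mac(key: bytes, hoa: bytes, seq: int, coa: bytes, lifetime: int) -> bytes:
    """MAC over the Binding Update fields, keyed with the HA-issued symmetric secret."""
    return hmac.new(key, struct.pack("!HH", seq, lifetime) + hoa + coa, hashlib.sha256).digest()


class HomeAgent:
    def __init__(self, authorized_pubkeys: set[bytes]):
        self.authorized = authorized_pubkeys   # repository of authorized MN public keys (slide 4)
        self.bindings: dict[bytes, dict] = {}  # HoA -> {key, seq, coa}

    def initial_binding(self, hoa: bytes, params: dict, coa: bytes, signature_valid: bool):
        # signature_valid stands in for verifying the public-key signature over the BU
        # (assumption: no asymmetric signing in the standard library).
        if not verify_cga(hoa, params) or not signature_valid:
            return None
        if params["pubkey_der"] not in self.authorized:   # ownership is not authorization
            return None
        key = os.urandom(32)   # the draft would return this ciphered with the MN public key
        self.bindings[hoa] = {"key": key, "seq": 0, "coa": coa}
        return key

    def update_binding(self, hoa: bytes, seq: int, coa: bytes, lifetime: int, mac: bytes) -> bool:
        b = self.bindings.get(hoa)
        if b is None or seq <= b["seq"]:        # replayed or stale sequence number
            return False
        if not hmac.compare_digest(mac, bu_mac(b["key"], hoa, seq, coa, lifetime)):
            return False
        b["seq"], b["coa"] = seq, coa
        return True


def run_demo() -> dict:
    hoa, params = generate_cga(HOME_PREFIX, MN_PUBKEY_DER)
    ha = HomeAgent(authorized_pubkeys={MN_PUBKEY_DER})
    coa1 = bytes.fromhex("20010db8dead0000" + "00" * 8)   # constructed care-of addresses
    coa2 = bytes.fromhex("20010db8beef0000" + "00" * 8)
    results = {"cga_ok": verify_cga(hoa, params)}
    # claiming the same HoA with a different key fails the Hash1 check
    forged = dict(params, pubkey_der=b"some-other-key")
    results["forged_key_rejected"] = not verify_cga(hoa, forged)
    # a valid CGA from a key absent from the HA repository gets no service
    other_hoa, other_params = generate_cga(HOME_PREFIX, b"unknown-mn-key")
    results["unauthorized_rejected"] = ha.initial_binding(other_hoa, other_params, coa1, True) is None
    key = ha.initial_binding(hoa, params, coa1, signature_valid=True)
    results["binding_created"] = key is not None
    mac1 = bu_mac(key, hoa, 1, coa2, 300)
    results["handoff_accepted"] = ha.update_binding(hoa, 1, coa2, 300, mac1)
    results["replay_rejected"] = not ha.update_binding(hoa, 1, coa2, 300, mac1)
    results["bad_mac_rejected"] = not ha.update_binding(hoa, 2, coa1, 300, mac1)
    return results
```

Running `run_demo()` returns a dict in which every entry is True: the genuine CGA verifies, a parameter set with a substituted key does not, an unauthorized key is refused service even with a valid CGA, the first handoff is accepted, and both the replayed BU and the BU with a stale MAC are dropped. The repository check is the point slide 4 makes: a CGA proves the MN generated the address, not that the HA owes it service.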

  6. IPv4 support
     - IPv4-only visited network -> m6t, http://tools.ietf.org/html/draft-ebalard-mext-m6t
       - On-demand creation of UDP tunnel
         - For each new IPv4 CoA
         - Assigns a new unique local IPv6 address
         - Tunnel exists as long as it's used
       - Same security level as RFC 5555
         - Does not protect against active attacks
         - Protects against passive attacks
     - IPv4-only application -> Configure IPv4 Home Address as in RFC 5555

  7. Pros and Cons
     - No dependency on IPsec
       - No impact on IPsec; IPsec can still be used independently
     - Does not re-invent ESP and ESP tunneling in UDP, à la http://tools.ietf.org/html/draft-korhonen-mext-mip6-altsec
     - Allows fully decentralized HA operation
       - Possibly useful for Distributed/Dynamic Mobility Management?

  8. Next Steps
     - Is there interest in the WG?
     - Make some choices: MN trusted? MN authenticated?
     - Implement and experiment...

  9. Thank you
