MIPv6 bootstrapping in split scenario - PowerPoint PPT Presentation

Provided by: gerardog
Learn more at: https://www.ietf.org
Slides: 11

Transcript and Presenter's Notes

1
Vancouver, November 2005
IETF 64th mip6 WG
Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-01)
Gerardo Giaretta, James Kempf, Vijay Devarapalli and mip6-boot-sol DT
2
Scope of the DT
  • draft-ietf-mip6-bootstrapping-ps defines the MIPv6 bootstrapping problem
  • MN requires
    • HA address
    • Home Address
    • IPsec security associations with its Home Agent
  • Two scenarios
    • split scenario -> draft-ietf-mip6-bootstrapping-split-01
    • integrated scenario -> draft-ietf-mip6-bootstrapping-integrated-dhc-00 (see next presentation)

3
Summary of the solution (1)
  • Home Agent Address Discovery
    • based on HA name or on a new DNS SRV record
  • IPsec Security Associations setup
    • based on IKEv2 and optionally on EAP over IKEv2 (draft-ietf-mip6-ikev2-ipsec)
  • Home Address Assignment
    • based on IKEv2 INTERNAL_IP6_ADDRESS attribute for HoA assignment
    • MIP6_HOME_PREFIX attribute for auto-configuration

4
Summary of the solution (2)
  • Authentication and Authorization with MSA
    • based on AAA or PKI
  • Home Address registration in the DNS
    • HA performs DNS update on behalf of the MN
    • MN includes a new mobility option, the DNS Update option, with the flag R not set in the Binding Update
  • The solution defined in the draft can be used both for split and integrated scenarios
    • the solution does not require updates on the access network equipment

5
Status
  • Received many reviews
    • deep reviews from Jari Arkko and Francis Dupont
  • Some issues raised
    • 6 editorial issues
    • 3 technical issues
    • all issues have been closed or have a proposed resolution
  • see http://www.mip4.org/issues/tracker/mip6/ for details about all issues and their resolution

6
Issue 48 - HA discovery and load balancing
  • Issue
    • the draft is not clear about the possibility to perform load balancing in HA discovery and assignment
    • using the DNS solution an operator cannot do per-node load balancing, that is, it cannot be sure to allocate a specific HA to a specific MN
  • Resolution
    • new text in section 5.1
    • "This document does not provide a specific mechanism to load balance different Mobile Nodes among Home Agents. It is possible for an MSP to achieve coarse-grained load balancing by dynamically updating the SRV RR priorities to reflect the current load on the MSP's collection of Home Agents. Mobile Nodes then use the priority mechanism to preferentially select the least loaded HA. The effectiveness of this technique depends on how much of a load it will place on the DNS servers, particularly if dynamic DNS is used for frequent updates."
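The SRV-based Home Agent discovery of slide 3 and the priority-based load balancing in the resolution above, as an added example that is neither the presentation's nor the draft's code: the MN side selects a target the way RFC 2782 prescribes (lowest priority first, weighted choice among equal priorities), and the operator side republishes the SRV priorities from a load snapshot so that the least loaded HA becomes the preferred one. The host names, weights, port, load figures and the load-to-priority mapping are constructed assumptions.

```python
import random

# Constructed SRV records for a hypothetical MSP domain (none of these names
# come from the draft). Fields follow RFC 2782: (priority, weight, port, target).
# A lower priority is preferred; among equal priorities the weight sets the
# share of MNs that choose each target.
SRV_RECORDS = [
    (10, 60, 500, "ha1.example.net"),
    (10, 40, 500, "ha2.example.net"),
    (20, 0, 500, "ha3.example.net"),   # fallback HA, used only when the others rank worse
]


def select_home_agent(records, rng=None):
    """MN-side HA discovery: RFC 2782 target selection over a set of SRV RRs."""
    if rng is None:
        rng = random
    if not records:
        return None
    lowest = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in candidates)
    if total == 0:
        # all weights zero at this priority: choose uniformly
        return rng.choice(candidates)[3]
    point = rng.randint(1, total)            # inclusive on both ends
    running = 0
    for _prio, weight, _port, target in candidates:
        running += weight
        if running >= point:
            return target
    return candidates[-1][3]


def priorities_from_load(records, load_by_target, base=10, step=10):
    """Operator-side coarse-grained balancing as described in section 5.1:
    republish the SRV RRs with a priority derived from each HA's load
    (fraction 0.0-1.0). Each 10% of load adds one priority step, so the
    least loaded HA ends up with the lowest priority (assumed mapping)."""
    return [
        (base + step * int(round(load_by_target.get(target, 0.0) * 10)), weight, port, target)
        for _prio, weight, port, target in records
    ]


def selection_shares(records, samples, rng=None):
    """Fraction of MNs that end up on each HA over `samples` discoveries."""
    counts = {}
    for _ in range(samples):
        target = select_home_agent(records, rng)
        counts[target] = counts.get(target, 0) + 1
    return {target: n / samples for target, n in counts.items()}


if __name__ == "__main__":
    rng = random.Random(2005)
    print("initial shares:", selection_shares(SRV_RECORDS, 1000, rng))
    # Constructed snapshot: ha1 and ha2 are close to full, ha3 is idle.
    rebalanced = priorities_from_load(
        SRV_RECORDS,
        {"ha1.example.net": 0.9, "ha2.example.net": 0.8, "ha3.example.net": 0.1},
    )
    print("after load update:", rebalanced)
    print("shares after update:", selection_shares(rebalanced, 1000, rng))
```

Because the MN only ever looks at the priority field, the operator's granularity is whatever mapping it chooses when republishing the records; the caveat in the resolution text applies directly, since every rebalance is a dynamic DNS update that every MN must see before it takes effect.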

7
Issue 50 - Identity in HoA config.
  • Issue
    • identity given in EAP-based authentication is not necessarily something that you can tie a long-term home address identity to (e.g. pseudonym in EAP-SIM)
  • Discussion
    • even though the MN uses a pseudonym or a privacy NAI, it is mapped to the actual identity of the node in the home network
    • if the MN changes privacy NAI when it changes the access network (keeping the same HoA and HA) it still has an IPsec SA with the HA and does not need to perform an EAP exchange again
  • Solution
    • the issue is not specific to MIP6 and has been rejected

8
Issue 51 - CGA check
  • Issue
    • the draft describes a solution that lets the MN configure a CGA Home Address
    • should the home agent check the ownership?
  • Discussion
    • HA may check the ownership when receiving a BU (if the MN includes a CGA option in the BU) but in that case it is orthogonal to bootstrapping
    • no reason (e.g. possible attacks) why the check should be done during the IKEv2 exchange
  • Solution
    • rejected as not related to bootstrapping

9
Issue 52 - HoA Auth in DNS update
  • Issue
    • MN1 should not take over the DNS name of MN2
    • there is a need to authorize the use of a particular FQDN
  • Discussion
    • some AAA attributes are needed to support this authorization
    • the HA must perform an address authorization check
    • even if the address is a CGA, the HA will have to determine that the MN actually owns the FQDN
  • Solution
    • added clarifying text in sections 5.2 and 9.5
    • more text on AAA requirements is needed in draft-ietf-mip6-aaa-ha-goals
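The two checks the HA has to make before performing a DNS update on the MN's behalf, combining the discussion of Issue 51 (ownership of a CGA Home Address, checked at BU time) and Issue 52 (authorization to use the FQDN) in one added example that is neither the presentation's nor the draft's code. The AAA authorization table, the NAIs, the home prefix, the modifier and the placeholder key bytes are constructed; the CGA computation follows RFC 3972 with Sec = 0 and checks only the address-to-key binding, not the signature on the BU.

```python
import hashlib
import ipaddress

# ---- CGA address/key binding (RFC 3972); Sec = 0 keeps the example short ----

def cga_interface_id(modifier, prefix, collision_count, pubkey_der, sec):
    # Hash1: SHA-1(modifier || 64-bit subnet prefix || collision count || encoded key),
    # leftmost 64 bits; Sec goes into the top 3 bits and the u/g bits are cleared.
    data = modifier + prefix + bytes([collision_count]) + pubkey_der
    iid = bytearray(hashlib.sha1(data).digest()[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def make_cga(prefix, modifier, pubkey_der, collision_count=0):
    # MN side: self-configure a HoA from the home prefix. With Sec = 0 the
    # Hash2 condition is empty, so no search over modifiers is needed.
    iid = cga_interface_id(modifier, prefix, collision_count, pubkey_der, 0)
    return ipaddress.IPv6Address(prefix + iid)


def verify_cga(addr, modifier, collision_count, pubkey_der):
    # HA side (RFC 3972 section 5): recompute the address from the CGA
    # parameters carried in the BU and compare with the claimed HoA.
    packed = addr.packed
    if collision_count > 2:
        return False
    sec = packed[8] >> 5
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey_der).digest()
    if int.from_bytes(hash2, "big") >> (160 - 2 * sec):
        return False                      # too few leading zero bits for this Sec
    expected = cga_interface_id(modifier, packed[:8], collision_count, pubkey_der, sec)
    return packed[8:] == expected


# ---- DNS Update option authorization at the HA ----

# Constructed AAA data: which FQDN each MN identity may register. The draft
# leaves the actual AAA attributes to draft-ietf-mip6-aaa-ha-goals.
AAA_FQDN_AUTHZ = {
    "mn1@example.net": {"mn1.example.net"},
    "mn2@example.net": {"mn2.example.net"},
}


def authorize_dns_update(binding, request, authz=AAA_FQDN_AUTHZ):
    """binding: what the HA learned for this MN during IKEv2 bootstrapping
    ("nai" plus either an assigned "hoa" or the auto-configuration "prefix").
    request: fields from the BU ("hoa", "fqdn", optional "cga" parameters).
    Address ownership and FQDN ownership are checked separately: a valid CGA
    proves only the first, never the second."""
    hoa = ipaddress.IPv6Address(request["hoa"])
    cga = request.get("cga")
    if "hoa" in binding:
        # HoA assigned via INTERNAL_IP6_ADDRESS: the BU must carry that address.
        if hoa != ipaddress.IPv6Address(binding["hoa"]):
            return False, "hoa_not_bound_to_identity"
    else:
        # HoA self-configured from MIP6_HOME_PREFIX: must be inside the prefix
        # and the MN must show ownership with a CGA option that verifies.
        if hoa not in binding["prefix"]:
            return False, "hoa_outside_home_prefix"
        if cga is None or not verify_cga(hoa, **cga):
            return False, "cga_check_failed"
    if request["fqdn"] not in authz.get(binding["nai"], set()):
        return False, "fqdn_not_authorized"   # MN1 must not take over MN2's name
    return True, "ok"


# Constructed sample data (placeholder key bytes stand in for a DER-encoded key).
HOME_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
MN1_KEY = b"constructed-placeholder-public-key-mn1"
MN1_MODIFIER = bytes.fromhex("00112233445566778899aabbccddeeff")
MN1_CGA = make_cga(HOME_PREFIX.network_address.packed[:8], MN1_MODIFIER, MN1_KEY)
MN1_BINDING = {"nai": "mn1@example.net", "prefix": HOME_PREFIX}
MN1_CGA_PARAMS = {"modifier": MN1_MODIFIER, "collision_count": 0, "pubkey_der": MN1_KEY}


def example_requests():
    """Three BUs from MN1: its own name, MN2's name with a valid CGA, and a
    CGA whose parameters do not match the address."""
    own = {"hoa": str(MN1_CGA), "fqdn": "mn1.example.net", "cga": MN1_CGA_PARAMS}
    takeover = dict(own, fqdn="mn2.example.net")
    bad_key = dict(own, cga=dict(MN1_CGA_PARAMS, pubkey_der=b"other-key"))
    return {name: authorize_dns_update(MN1_BINDING, req)
            for name, req in (("own", own), ("takeover", takeover), ("bad_key", bad_key))}


if __name__ == "__main__":
    for name, result in example_requests().items():
        print(name, result)
```

The `takeover` case is the one Issue 52 is about: the CGA check succeeds, because MN1 really does own that address, and the update is still refused because the FQDN is not in MN1's authorization set. Whatever attribute format the AAA work settles on, the HA needs that set before it touches the DNS.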

10
Next steps
  • Currently in WGLC
    • WGLC ends Nov. 30th
  • Please review the draft and provide feedback!