WGLC : MIP6 Bootstrap Solution for Integrated Scenario

About This Presentation

Title:

Description:

Number of Views:13

Avg rating:3.0/5.0

Slides: 16

Provided by: kuntalch

Learn more at: https://www.ietf.org

Category:

more less

Transcript and Presenter's Notes

Title: WGLC : MIP6 Bootstrap Solution for Integrated Scenario

1
WGLC MIP6 Bootstrap Solution for Integrated
Scenario

2
WGLC Status Update

3
Open Issue 1

Can we use the FQDN in DHCP and AAA (AVPs) to
carry service specific HA information e.g.
HA mip6.ha.realm
HA for DSMIP6 dsmip6.ha.realm
If yes, do we mandate the format of the FQDN for
this?
An alternative will be to use a bit-mask

4
Open Issue 1, contd.

Jounis suggestion
We just mention that FQDN can be used.
Kilian thought that we needed to define the FQDN
format for interoperability.
Kilians alternative suggestion
To add the following clarifying text
"How the mobility protocol is encoded into the
FQDN is not specified, but the implementers must
make sure that all involved entities from
different operator domains understand the same
encoding".

5
Open Issue 2

From the security considerations section, should
we remove texts that are trying to explain how
DHCP security should work?
Alpers Suggestion
Instead we can simply state that DHCP
transactions are secured by standard DHCP
security mechanisms.

6
Open Issue 3

Does the MSA assign Home Agents for each of the
authorized MSPs for a MN at the time of access
authentication?
Answer Yes, the MSA can assign HAs
In the home MSP, and
In any other MSP ! ASP, and
authorize an HA assignment in the ASP i.e. MSP
ASP.
Does this explanation suffice to close this issue?

7
Open Issue 4

Does the MSA (AAA server) verify whether the MN
is accessing an authorized HA?
Proposed resolution by Alper
The AAA server can verify the HA IP address in
the AAA messages against the assigned Home Agent
for a given MN (during IKEv2 auth w/ EAP)

8
Open Issue 4, contd.

Notes
Whether a Home Agent is authorized for access by
a MN is a generic mip6 auth/authz issue
If agreed, this should be addressed in the
MIP6-Dime and MIP6-RADIUS
We also need to add a requirement for this in the
AAA-goals I-D

9
Open Issue 5

HoA privacy with HoA updated in the DNS when the
Home Agent is assigned locally.
The current security considerations highlight
location privacy issue when a local HA is
assigned every time the MN connects to the
network and the HoA is updated in the DNS
Location privacy is impacted when both HoA and
location of the HA is known to the eavesdropper
The HoA-CoA mapping (known to the CN in RO mode)
is not a concern

10
Open Issue 5, contd.

Vidya
Why is an MN that is interested in privacy
updating the DNS record with its HoA?
Kilian
The text basically recommends that, if location
privacy is required by the MN, the MN should not
reveal the local HoA
Mobopts is working on solutions to simultaneously
achieve optimized routing (e.g. local HA) and
location privacy

11
Open Issue 5, contd.

Question to the WG
Should we defer this security consideration
regarding location privacy to future solutions
from mobopts, mip6 or any other WG?

12
Open Issue 6

How does the HoA assigned via DHCP gets bound to
the IPsec SA between the MN and the HA?
Answer
The MN includes the assigned HoA in the IKEv2
CFG_REQUEST as requested INTERNAL_IP6_ADDRESS
HA either accepts the requested HoA or assigns a
different one.
This is outlined in MIP6-IKEv2 I-D and it is
consistent with RFC 4306

13
Open Issue 6, contd.

What about the HoA lifetime?
Answer
HoA assignment via DHCP is a stateless assignment
The MN can use the HoA as long as the mobility
binding and IPsec SA with the Home Agent exist

14
Open Issue 6, contd.

Any other Issue?
Is there any objection to let the MN bootstrap
HoA via DHCP and propose it in IKEv2 CFG_REQUEST
while establishing IPsec SA with the HA?
Note that the MN is allowed to propose an IP
address in IKEv2 CFG_REQUEST regardless of what
we decide here