62nd IETF - PowerPoint PPT Presentation

Date: 07/03/2005
Provided by: nrjs
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
PF_KEY Extension as an Interface between Mobile
IPv6 and IPsec/IKE

draft-sugimoto-mip6-pfkey-migrate-00
  • Shinta Sugimoto
  • Francis Dupont

2
Topics
  • Background
  • Do we need any interaction between Mobile IPv6
    and IPsec/IKE?
  • Extension to the PF_KEY framework: MIGRATE
  • Concepts
  • Message Format
  • Message sequence
  • Limitations
  • Conclusion

3
Background
  • Mobile IPv6 uses IPsec to protect the messages
    exchanged between the MN and HA, as specified in RFC
    3775 and RFC 3776:
      • Home Registration signals (BU/BA)
      • Return Routability messages (HoTI/HoT)
      • MIPv6-specific ICMPv6 messages (MPS/MPA)
      • Payload packets
  • SA pairs must be established between the MN and HA,
    with either static or dynamic (IKE) keying
  • Tunnel mode SAs must be updated whenever the MN
    moves, since their MN-side endpoint is the care-of address

4
[Figure: two mobile nodes, MN1 and MN2, each reach their home agent, HA1 and HA2, across the Internet through an IP-in-IP tunnel]
5
Necessary Interactions between Mobile IPv6 and
IPsec/IKE
  • Update the endpoint address of the tunnel mode SAs
      • The Mobile IPv6 component may not have full access
        to the SADB
  • Update the endpoint address stored in the SPD entry
    associated with the tunnel mode SA
  • IKE should be able to continue key negotiation and
    re-keying across movements
      • The IKE daemon should update the endpoint address of
        the IKE connection (the K-bit case: the Key Management
        Mobility Capability bit of RFC 3775) to keep it alive
        while the MN changes its CoA

6
Requirements
  • Modifications to the existing software (Mobile
    IPv6 and IPsec/IKE stack) should be kept to a minimum
  • The mechanism should not be platform dependent

7
Extension to the PF_KEY framework: PF_KEY MIGRATE
  • Introduce a new PF_KEY message named MIGRATE,
    issued by Mobile IPv6 components to signal movement
  • PF_KEY MIGRATE requests the system and user
    applications to update the SADB and SPD:
      • Tunnel mode SA entry
      • SPD entry associated with the tunnel mode SA
  • Additionally, the message can also be used to
    handle the K-bit (update the IKE endpoint address)

8
PF_KEY MIGRATE message format
  • Selector Information
      • Source address
      • Destination address
      • Upper layer protocol (e.g. MH, the Mobility Header)
      • Direction (inbound/outbound)
  • Old SA Information
      • Old tunnel source address
      • Old tunnel destination address
      • Protocol (ESP/AH)
  • New SA Information
      • New tunnel source address
      • New tunnel destination address
      • Protocol (ESP/AH)
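The message layout above, as an added example that is not code from the draft or from the KAME/MIPL prototypes: a C program that serialises a MIGRATE request in RFC 2367 PF_KEY framing (16-byte base header followed by extensions whose lengths are counted in 64-bit units) and walks it back with the length checks a kernel or daemon must make before it touches the SAD/SPD. The message type SADB_X_MIGRATE_HYP, the three extension types, their body layouts and all addresses are assumptions of this example; the draft does not assign these numbers.

```c
/* Added example: encode and validate a PF_KEY-style MIGRATE message carrying the three
 * parts of slide 8 (selector, old SA, new SA) in RFC 2367 framing.  Message/extension
 * type numbers and body layouts are assumptions for illustration, not the draft's format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define PF_KEY_V2                 2
#define SADB_X_MIGRATE_HYP       17   /* assumed message type */
#define EXT_MIGRATE_SELECTOR_HYP 30   /* assumed extension types */
#define EXT_MIGRATE_OLD_SA_HYP   31
#define EXT_MIGRATE_NEW_SA_HYP   32
#define IPPROTO_MH_VALUE        135   /* Mobility Header (RFC 3775) */

struct sadb_msg_hdr {                 /* RFC 2367 base header, 16 bytes; len in 64-bit units */
    uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid;
};
struct sadb_ext_hdr { uint16_t len, type; };   /* RFC 2367 generic extension header */
/* assumed extension bodies; each is 40 bytes, a multiple of 8 as RFC 2367 requires */
struct mig_selector {
    struct sadb_ext_hdr ext; uint8_t proto; /* upper-layer protocol, e.g. 135 (MH) */
    uint8_t dir; uint16_t reserved;         /* dir: 1 = inbound, 2 = outbound */
    struct in6_addr src, dst;
};
struct mig_sa {
    struct sadb_ext_hdr ext; uint8_t ipsec_proto; /* 50 = ESP, 51 = AH */
    uint8_t reserved[3]; struct in6_addr tun_src, tun_dst;
};
struct migrate_view { struct mig_selector sel; struct mig_sa old_sa, new_sa; };

static int put_addr(struct in6_addr *a, const char *s) { return inet_pton(AF_INET6, s, a) == 1 ? 0 : -1; }

/* Serialise header + selector + old SA + new SA into buf; returns byte length or -1. */
int build_migrate(uint8_t *buf, size_t cap, const char *sel_src, const char *sel_dst,
                  uint8_t proto, uint8_t dir, uint8_t ipsec_proto,
                  const char *old_src, const char *old_dst, const char *new_src, const char *new_dst)
{
    struct sadb_msg_hdr h; struct mig_selector sel; struct mig_sa osa, nsa;
    size_t total = sizeof h + sizeof sel + sizeof osa + sizeof nsa;   /* 136 bytes */
    if (cap < total) return -1;
    memset(&h, 0, sizeof h); memset(&sel, 0, sizeof sel); memset(&osa, 0, sizeof osa);
    h.version = PF_KEY_V2; h.type = SADB_X_MIGRATE_HYP; h.len = (uint16_t)(total / 8); h.seq = 1;
    sel.ext.len = (uint16_t)(sizeof sel / 8); sel.ext.type = EXT_MIGRATE_SELECTOR_HYP;
    sel.proto = proto; sel.dir = dir;
    if (put_addr(&sel.src, sel_src) || put_addr(&sel.dst, sel_dst)) return -1;
    osa.ext.len = (uint16_t)(sizeof osa / 8); osa.ext.type = EXT_MIGRATE_OLD_SA_HYP;
    osa.ipsec_proto = ipsec_proto;
    if (put_addr(&osa.tun_src, old_src) || put_addr(&osa.tun_dst, old_dst)) return -1;
    nsa = osa; nsa.ext.type = EXT_MIGRATE_NEW_SA_HYP;      /* same protocol, new endpoints */
    if (put_addr(&nsa.tun_src, new_src) || put_addr(&nsa.tun_dst, new_dst)) return -1;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &sel, sizeof sel);
    memcpy(buf + sizeof h + sizeof sel, &osa, sizeof osa);
    memcpy(buf + sizeof h + sizeof sel + sizeof osa, &nsa, sizeof nsa);
    return (int)total;
}

/* Walk the extensions with the checks a PF_KEY consumer must make before touching the
 * SAD/SPD: header length equals bytes received, every extension is at least one 64-bit
 * unit (a zero length would spin forever), fits the buffer, and has the size its type
 * implies.  Unknown extension types are skipped.  Returns 0 or a negative code. */
int parse_migrate(const uint8_t *buf, size_t n, struct migrate_view *out)
{
    struct { uint16_t type; void *dst; size_t size; int bit; } parts[3] = {
        { EXT_MIGRATE_SELECTOR_HYP, &out->sel,    sizeof out->sel,    1 },
        { EXT_MIGRATE_OLD_SA_HYP,   &out->old_sa, sizeof out->old_sa, 2 },
        { EXT_MIGRATE_NEW_SA_HYP,   &out->new_sa, sizeof out->new_sa, 4 } };
    struct sadb_msg_hdr h; size_t off = sizeof h; int have = 0, i;
    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.version != PF_KEY_V2 || h.type != SADB_X_MIGRATE_HYP) return -2;
    if ((size_t)h.len * 8 != n) return -3;             /* truncated or padded message */
    while (off < n) {
        struct sadb_ext_hdr e; size_t elen;
        if (n - off < sizeof e) return -4;
        memcpy(&e, buf + off, sizeof e);
        elen = (size_t)e.len * 8;
        if (e.len == 0 || elen > n - off) return -5;    /* malformed extension length */
        for (i = 0; i < 3; i++) if (parts[i].type == e.type) {
            if (elen != parts[i].size) return -6;       /* body size must match its type */
            memcpy(parts[i].dst, buf + off, elen); have |= parts[i].bit;
        }
        off += elen;
    }
    return have == 7 ? 0 : -7;                          /* all three parts are mandatory */
}

int main(void)
{
    uint8_t buf[256]; struct migrate_view v; char txt[INET6_ADDRSTRLEN];
    /* constructed addresses: HoA 2001:db8:1::10, HA 2001:db8:1::1, CoA1 -> CoA2 */
    int n = build_migrate(buf, sizeof buf, "2001:db8:1::10", "2001:db8:1::1", IPPROTO_MH_VALUE, 2, 50,
                          "2001:db8:2::10", "2001:db8:1::1", "2001:db8:3::10", "2001:db8:1::1");
    if (n < 0 || parse_migrate(buf, (size_t)n, &v) != 0) return 1;
    inet_ntop(AF_INET6, &v.new_sa.tun_src, txt, sizeof txt);
    printf("%d bytes; new tunnel source %s; truncated copy rejected with %d\n",
           n, txt, parse_migrate(buf, (size_t)n - 8, &v));
    return 0;
}
```

The parser rejects a message whose header length disagrees with the bytes received and an extension whose length field is zero; both are classic PF_KEY consumer bugs, and either one reaching the SAD update path would let a local sender corrupt or stall the daemon that owns the SAs.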

9
[Figure: architecture. Userland: Mobile IPv6 daemon and IKE daemon (holding the ISAKMP SA). Kernel: Mobile IPv6 core, SPD and SAD. The Mobile IPv6 and IPsec components communicate over the PF_KEY socket.]
10
Message Sequence of PF_KEY MIGRATE
[Sequence diagram: MN and HA]
11
Limitations/Concerns
  • There is an ambiguity in how the target SADB entry
    is specified
      • The current scheme, which identifies the target SADB
        entry by its src/dst address pair, does not seem to be
        the best solution
  • Delivery of the PF_KEY MIGRATE message cannot be
    guaranteed (PF_KEY sockets do not guarantee delivery)
      • When a message is lost, the Mobile IPv6 and IPsec
        databases become inconsistent
  • Some parts of PF_KEY MIGRATE are implementation
    dependent
      • There is no standard way to access the SPD

12
Implementation Status
  • BSD
      • MIPv6: a prototype implemented on KAME/SHISA on
        FreeBSD
      • IKE: enhancements made to the IKEv1 daemon (racoon)
  • Linux
      • MIPv6: a prototype implemented on MIPL 2.0 on
        Linux 2.6
      • IKE: enhancements made to the IKEv1 daemon (racoon),
        which was originally ported from BSD

13
Conclusion
  • There should be a minimal interface between
    Mobile IPv6 and IPsec/IKE to take full advantage
    of the security features
  • The newly defined PF_KEY MIGRATE message makes it
    possible for Mobile IPv6 and IPsec/IKE to
    interact with each other
  • On receiving a PF_KEY MIGRATE message, the system and
    user applications can make the necessary updates
    to the SADB/SPD
  • The proposed mechanism has been implemented on both
    Linux and BSD platforms
  • Further improvements are needed to overcome some
    limitations

14
Thank you ! Questions ?
15
Static Keying (MN, HA, CN)
  • Movement (CoA1)
  • Update endpoint address of SA pairs with CoA1 (at MN and at HA)
  • Payload packet: payload traffic is injected into the IPsec tunnel
  • Update endpoint address of SA pairs with CoA2 (at MN and at HA)
  • Care-of Test Init / Home Test Init
  • Care-of Test / Home Test: Return Routability procedure completed
  • Corresponding binding entry is created; BA
16
Dynamic Keying, K-bit=0 (MN, HA, CN)
  • Movement (CoA1)
  • Establish IPsec SA to protect RR signals (at MN and at HA)
  • Return Routability
  • Update endpoint address of SA pairs with CoA2 (at MN and at HA)
  • Return Routability
  • IKEv1 Phase 1 endpoint address updated (at MN and at HA)
17
Dynamic Keying, K-bit=1 (MN, HA, CN)
  • Movement (CoA1)
  • No phase 1 connection established yet
  • Establish IPsec SA to protect RR signals (at MN and at HA)
  • Return Routability
  • Corresponding binding is updated
  • Update IKE endpoint with CoA2 (at MN and at HA)
  • Return Routability
  • Update endpoint address of SA pairs with CoA2 (at MN and at HA)
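What a node does with a MIGRATE once it arrives, as an added example that is not code from the draft or from the KAME/MIPL prototypes: an in-memory model of the SAD, SPD and IKE-session updates required on slides 5 and 7, driven through the movement steps of the sequence diagrams above. `apply_migrate` retargets every SAD entry matched by the old (source, destination, protocol, direction) tuple and every SPD entry matched by the selector; `on_movement` derives one request per tunnel-mode SPD entry that uses the old care-of address. The K-bit handling follows the definition of the Key Management Mobility Capability bit in RFC 3775 section 6.1.7: with the bit set the IKE endpoint follows the care-of address, otherwise the IKE phase 1 SA does not survive the movement and must be re-established. The structures, function names, the "any" selector convention and all addresses are this example's own constructions.

```c
/* Added example: an in-memory model of the SAD/SPD/IKE updates a mobile node makes on
 * movement, driven by MIGRATE requests shaped like slide 8.  Data layout, names and the
 * "any" selector convention are this example's own, not the draft's. */
#include <stdio.h>
#include <string.h>

#define MAXENT 8
#define A 40                      /* room for a textual IPv6 address */
enum { DIR_IN = 1, DIR_OUT = 2 };
enum { PROTO_ESP = 50, PROTO_AH = 51 };

struct sad_entry { int proto, dir; char tun_src[A], tun_dst[A]; unsigned spi; };
struct spd_entry { char sel_src[A], sel_dst[A]; int ul_proto, dir, proto; char tun_src[A], tun_dst[A]; };
struct ike_session { char local[A], peer[A]; int established; };
struct node {
    struct sad_entry sad[MAXENT]; int nsad;
    struct spd_entry spd[MAXENT]; int nspd;
    struct ike_session ike;
};
struct migrate_req {              /* selector, old SA, new SA: the three parts of slide 8 */
    char sel_src[A], sel_dst[A]; int ul_proto, dir;
    char old_src[A], old_dst[A]; int proto;
    char new_src[A], new_dst[A];
};

/* Apply one MIGRATE: retarget every SAD entry matching (old src, old dst, proto, dir) and
 * every SPD entry matching the selector.  Returns the number of SAD entries rewritten;
 * more than one per request is the src/dst ambiguity slide 11 warns about. */
int apply_migrate(struct node *n, const struct migrate_req *m)
{
    int i, touched = 0;
    for (i = 0; i < n->nsad; i++) {
        struct sad_entry *s = &n->sad[i];
        if (s->proto == m->proto && s->dir == m->dir &&
            !strcmp(s->tun_src, m->old_src) && !strcmp(s->tun_dst, m->old_dst)) {
            strcpy(s->tun_src, m->new_src); strcpy(s->tun_dst, m->new_dst); touched++;
        }
    }
    for (i = 0; i < n->nspd; i++) {
        struct spd_entry *p = &n->spd[i];
        if (p->dir == m->dir && p->ul_proto == m->ul_proto && p->proto == m->proto &&
            !strcmp(p->sel_src, m->sel_src) && !strcmp(p->sel_dst, m->sel_dst)) {
            strcpy(p->tun_src, m->new_src); strcpy(p->tun_dst, m->new_dst);
        }
    }
    return touched;
}

/* Movement from old_coa to new_coa: derive one MIGRATE per tunnel-mode SPD entry that
 * currently uses old_coa as an endpoint and apply it.  Then handle IKE as the K bit
 * (RFC 3775 section 6.1.7) dictates: K=1, the IKE endpoint follows the CoA; K=0, the
 * phase 1 SA does not survive and must be re-established from new_coa before any rekey.
 * Returns the number of SAD entries updated (0 means nothing matched). */
int on_movement(struct node *n, const char *old_coa, const char *new_coa, int kbit)
{
    int i, updated = 0;
    for (i = 0; i < n->nspd; i++) {
        struct spd_entry *p = &n->spd[i];
        struct migrate_req m;
        if (strcmp(p->tun_src, old_coa) && strcmp(p->tun_dst, old_coa)) continue;
        memset(&m, 0, sizeof m);
        strcpy(m.sel_src, p->sel_src); strcpy(m.sel_dst, p->sel_dst);
        m.ul_proto = p->ul_proto; m.dir = p->dir; m.proto = p->proto;
        strcpy(m.old_src, p->tun_src); strcpy(m.old_dst, p->tun_dst);
        strcpy(m.new_src, strcmp(p->tun_src, old_coa) ? p->tun_src : new_coa);
        strcpy(m.new_dst, strcmp(p->tun_dst, old_coa) ? p->tun_dst : new_coa);
        updated += apply_migrate(n, &m);
    }
    if (kbit) strcpy(n->ike.local, new_coa);
    else n->ike.established = 0;
    return updated;
}

/* Constructed mobile node: HoA 2001:db8:1::10, HA 2001:db8:1::1, CoA1 2001:db8:2::10, with
 * an ESP tunnel SA pair for RR signals and payload ("any" is this example's wildcard). */
void make_mn(struct node *n)
{
    static const struct sad_entry sad[2] = {
        { PROTO_ESP, DIR_OUT, "2001:db8:2::10", "2001:db8:1::1", 0x1001 },
        { PROTO_ESP, DIR_IN,  "2001:db8:1::1",  "2001:db8:2::10", 0x2001 } };
    static const struct spd_entry spd[2] = {
        { "2001:db8:1::10", "any", 0, DIR_OUT, PROTO_ESP, "2001:db8:2::10", "2001:db8:1::1" },
        { "any", "2001:db8:1::10", 0, DIR_IN,  PROTO_ESP, "2001:db8:1::1",  "2001:db8:2::10" } };
    memset(n, 0, sizeof *n);
    memcpy(n->sad, sad, sizeof sad); n->nsad = 2;
    memcpy(n->spd, spd, sizeof spd); n->nspd = 2;
    strcpy(n->ike.local, "2001:db8:2::10"); strcpy(n->ike.peer, "2001:db8:1::1");
    n->ike.established = 1;
}

int main(void)
{
    struct node mn; int k1, k0;
    make_mn(&mn); k1 = on_movement(&mn, "2001:db8:2::10", "2001:db8:3::10", 1);
    printf("K=1: %d SAs retargeted, IKE local %s, established=%d\n", k1, mn.ike.local, mn.ike.established);
    make_mn(&mn); k0 = on_movement(&mn, "2001:db8:2::10", "2001:db8:3::10", 0);
    printf("K=0: %d SAs retargeted, IKE established=%d (phase 1 must be rerun)\n", k0, mn.ike.established);
    return 0;
}
```

The return value of `on_movement` is the practitioner's check for the lost-message case from slide 11: if an earlier MIGRATE was dropped, the next one names an old care-of address that no SAD entry carries any more, matches nothing, and returns 0, which a caller should treat as a database inconsistency rather than success.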