Short%20Report%20of%20MIPv6/IKEv1%20Interoperability%20Test%20from%20TAHI%20Interop%20Event

1
Short Report of MIPv6/IKEv1 Interoperability Test
from TAHI Interop Event

• YASKAWA INFORMATION SYSTEMS Corporation
• USAGI Project

2
Overview
Mobile Node (MN0) Mobile IPv6 Protocol Stack,
V1.0-20060120 developed by YASKAWA INFORMATION
SYSTEMS Corporation

• Basic Information
• An interoperability test was conducted in order
  to verify operation of Mobile IPv6 in conjunction
  with IKEv1 work among different implementations.
• As a part of 8th TAHI IPv6 Interoperability Test
  Event (Jan 23th-27th,2006)
• Test scenarios
• K-bit0
• K-bit1
• Each scenario includes all types of movements
• Home-to-Foreign
• Foreign-to-Foreign
• Foreign-to-Home
• IPsec Configuration
• MN0 and HA0 run IKEv1 and are configured to
  protect Mobility Header messages.
• ESP Transport Mode for protecting BU/BA (SA1,
  SA2)
• ESP Tunnel Mode for protecting HoTI/HoT (SA3, SA4)

MN0
Link2 lt3ffe501ffff102/64gt
MN0
R
Link1 lt3ffe501ffff101/64gt
MN0
HA0
Link0 lt3ffe501ffff100/64gt
Home Agent (HA0) MIPL2.0 RC3 with USAGI patch,
ipsec-tools-0.6.4 with MIPv6 patch
3
Example of Message Sequence K-bit0
MN0_at_ Link0
MN0_at_ Link1
MN0_at_ Link2
HA0_at_ Link0
time (sec.)
0
Condition Setting
Phase-1 negotiation Aggressive mode
ISAKMP SA lifetime 300 sec.
IPsec SA lifetime 120 sec.
Authentication scheme Pre-shared secret
BU lifetime 420 sec. (retransmission is invoked in 210 sec.)
K-bit OFF
175
350
525
700
875
MIPv6 BU/BA
IKE Phase-1
1050
IKE Phase-2 (SA1,SA2)
IKE Phase-2 (SA3,SA4)
1225
1400
4
Example of Message Sequence K-bit1
MN0_at_ Link0
MN0_at_ Link1
MN0_at_ Link2
HA0_at_ Link0
time (sec.)
0
Condition Setting
Phase-1 negotiation Aggressive mode
ISAKMP SA lifetime 3600 sec.
IPsec SA lifetime 120 sec.
Authentication scheme Pre-shared secret
BU lifetime 420 sec. (retransmission is invoked in 210 sec.)
K-bit ON
100
200
MIPv6 BU/BA
IKE Phase-1
300
IKE Phase-2 (SA1,SA2)
IKE Phase-2 (SA3,SA4)
400
5
Summary

• Interoperability of Mobile IPv6 operation in
  conjunction with IKEv1 was confirmed among MN0
  and HA0 in both K-bit0 and K-bit1 scenarios.
• In Mobile IPv6 operation in conjunction with
  IKEv1,
• Rekeying of IPsec SA can be performed
  independently from MIPv6 binding
  registration/movements.
• Rekeying of ISAKMP SA can be performed
  independently from MIPv6 binding
  registration/movements. However, ISAKMP SA
  should be closed when the MN changes its
  attachment point to the Internet in K-bit0
  scenario.
• In case of IKEv2, if an IKE SA is closed
  (assuming that K-bit0) any associated child SAs
  must also be closed.
• A few implementation specific issues were
  identified
• Treatment of IPsec SA when the MN returns home
• Maintaining Transport mode IPsec SA pairs seem to
  be beneficial in terms of minimizing the latency
  in subsequent home registration.
• Which IKE endpoint should be used when the MN
  returns home?