Title: Short Report of MIPv6/IKEv1 Interoperability Test from TAHI Interop Event
Short Report of MIPv6/IKEv1 Interoperability Test from TAHI Interop Event
- YASKAWA INFORMATION SYSTEMS Corporation
- USAGI Project

Overview
- Basic Information
  - An interoperability test was conducted to verify that Mobile IPv6 in conjunction with IKEv1 works among different implementations.
  - As a part of the 8th TAHI IPv6 Interoperability Test Event (Jan 23rd-27th, 2006)
- Test scenarios
  - K-bit0
  - K-bit1
  - Each scenario includes all types of movements
    - Home-to-Foreign
    - Foreign-to-Foreign
    - Foreign-to-Home
- IPsec Configuration
  - MN0 and HA0 run IKEv1 and are configured to protect Mobility Header messages.
  - ESP Transport Mode for protecting BU/BA (SA1, SA2)
  - ESP Tunnel Mode for protecting HoTI/HoT (SA3, SA4)
- Implementations
  - Mobile Node (MN0): Mobile IPv6 Protocol Stack, V1.0-20060120, developed by YASKAWA INFORMATION SYSTEMS Corporation
  - Home Agent (HA0): MIPL2.0 RC3 with USAGI patch, ipsec-tools-0.6.4 with MIPv6 patch

[Figure: test topology. Link0 <3ffe:501:ffff:100::/64> with HA0 and MN0; Link1 <3ffe:501:ffff:101::/64> with MN0; Link2 <3ffe:501:ffff:102::/64> with MN0; node R.]

Example of Message Sequence: K-bit0
- Condition Setting
  - Phase-1 negotiation: Aggressive mode
  - ISAKMP SA lifetime: 300 sec.
  - IPsec SA lifetime: 120 sec.
  - Authentication scheme: Pre-shared secret
  - BU lifetime: 420 sec. (retransmission is invoked in 210 sec.)
  - K-bit: OFF

[Figure: message sequence chart. Columns: MN0@Link0, MN0@Link1, MN0@Link2, HA0@Link0; axis: time (sec.); legend: MIPv6 BU/BA, IKE Phase-1, IKE Phase-2 (SA1,SA2), IKE Phase-2 (SA3,SA4).]

Example of Message Sequence: K-bit1
- Condition Setting
  - Phase-1 negotiation: Aggressive mode
  - ISAKMP SA lifetime: 3600 sec.
  - IPsec SA lifetime: 120 sec.
  - Authentication scheme: Pre-shared secret
  - BU lifetime: 420 sec. (retransmission is invoked in 210 sec.)
  - K-bit: ON

[Figure: message sequence chart. Columns: MN0@Link0, MN0@Link1, MN0@Link2, HA0@Link0; axis: time (sec.); legend: MIPv6 BU/BA, IKE Phase-1, IKE Phase-2 (SA1,SA2), IKE Phase-2 (SA3,SA4).]

Summary
- Interoperability of Mobile IPv6 operation in conjunction with IKEv1 was confirmed between MN0 and HA0 in both the K-bit0 and K-bit1 scenarios.
- In Mobile IPv6 operation in conjunction with IKEv1,
  - Rekeying of the IPsec SA can be performed independently from MIPv6 binding registration/movements.
  - Rekeying of the ISAKMP SA can be performed independently from MIPv6 binding registration/movements. However, the ISAKMP SA should be closed when the MN changes its attachment point to the Internet in the K-bit0 scenario.
  - In the case of IKEv2, if an IKE SA is closed (assuming K-bit0), any associated child SAs must also be closed.
- A few implementation-specific issues were identified
  - Treatment of the IPsec SA when the MN returns home
    - Maintaining Transport mode IPsec SA pairs seems to be beneficial in terms of minimizing the latency in subsequent home registration.
  - Which IKE endpoint should be used when the MN returns home?
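
Added example (not part of the original slides or of either implementation): an idealized Python timeline of the summary's rules, showing when Phase-1, Phase-2 and BU/BA exchanges occur under K-bit0, K-bit1 and the IKEv2 child-SA rule. Assumptions: Phase-1 is negotiated on demand, SAs are rekeyed exactly at expiry, SA1-SA4 are treated as one bundle, and the movement times are constructed.

```python
from collections import Counter

def simulate(k_bit, moves, duration=1400, ike_life=3600, ipsec_life=120,
             bu_refresh=210, children_die_with_ike=False):
    """Return [(t, event)] for one MN/HA pair; all times in seconds."""
    log, ike_exp, ipsec_exp, last_bu = [], None, None, None

    def ensure_sas(t):
        # Assumption: Phase-1 runs on demand, only when a Phase-2 needs it.
        nonlocal ike_exp, ipsec_exp
        if ipsec_exp is not None and t < ipsec_exp:
            return                      # IPsec SAs still valid, nothing to do
        if ike_exp is None or t >= ike_exp:
            log.append((t, "phase1"))
            ike_exp = t + ike_life
        log.append((t, "phase2"))       # SA1..SA4 modelled as one bundle
        ipsec_exp = t + ipsec_life

    for t in range(duration + 1):
        moved = t in moves
        if moved and not k_bit:
            ike_exp = None              # K-bit off: close the ISAKMP/IKE SA
            if children_die_with_ike:   # IKEv2 rule quoted in the summary
                ipsec_exp = None
        if moved or (ipsec_exp is not None and t >= ipsec_exp):
            ensure_sas(t)               # rekey independently of BU timing
        if moved or (last_bu is not None and t - last_bu >= bu_refresh):
            log.append((t, "BU/BA"))    # registration on move, then refresh
            last_bu = t
    return log

def counts(log):
    """Number of occurrences of each event type in a simulate() log."""
    return Counter(event for _, event in log)

MOVES = (0, 500, 1000)  # constructed movement times, not from the report

if __name__ == "__main__":
    cases = [("IKEv1 K-bit0", dict(k_bit=False)),
             ("IKEv1 K-bit1", dict(k_bit=True)),
             ("IKEv2-style K-bit0", dict(k_bit=False, children_die_with_ike=True))]
    for label, kw in cases:
        print(label, dict(counts(simulate(moves=MOVES, **kw))))
```

With equal lifetimes, only the number of Phase-1 exchanges differs between the IKEv1 K-bit0 and K-bit1 runs; in the IKEv2-style run each movement also forces new IPsec SAs before the BU can be sent.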