Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 IPsec-based MIP6 Security Qualcomm Inc. Starent Inc. Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to incorporate.

Published bySamuel Wheeler Modified over 8 years ago

Similar presentations

Presentation on theme: "1 IPsec-based MIP6 Security Qualcomm Inc. Starent Inc. Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to incorporate."— Presentation transcript:

1 1 IPsec-based MIP6 Security Qualcomm Inc. Starent Inc. Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Contributors are also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.This document has been prepared by the contributors to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on the contributors. The contributors specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of the contributors other than provided in the copyright statement above.

2 2 Goals Protect MIP6 signaling Integrity protect BU/BA Optional encryption for route optimization support Minimize messages exchanged

3 3 Failure Recovery Operation MIP6 Session Initialization Handoff Operation IPsec SA Binding Update (Protected with IPsec) AAA (Get IPsec SA) AAA (IPsec SA) Binding Acknowledgement (Protected with IPsec) Handoff Binding Update (Protected with IPsec) Binding Acknowledgement (Protected with IPsec) IPsec SA MNHA1AAAHA2 Failure Recovery (HA2 allocated) Binding Update (Protected with IPsec) AAA (Get IPsec SA) AAA (IPsec SA) Binding Acknowledgement (Protected with IPsec) Option 1 (Manual IPsec Keying)

4 4 Set up manual keying parameters at the MN and AAA server Keys, SPI, Algorithms need to be configured When MN sends the first BU, HA retrieves the IPsec SA from the AAA server BU/BA protected with IPsec Subsequent BUs (after the first one) don’t need any AAA interaction This option needs zero key management related messaging The IPsec SA is not unique to the {MN,HA} pair If the HAs are well trusted and belong to the same operator, this may be okay. But, it could be an issue if HA is dynamically assigned in a visited operator. This option requires additional configuration (IPsec SA) at the MN and AAA server

5 5 Failure Recovery Operation MIP6 Session Initialization Handoff Operation First Time Power-up Operation MNHA1HA3 Binding Update (Protected with IPsec) AAA (Get IPsec SA) AAA (IPsec SA) Binding Acknowledgement (Protected with IPsec) Handoff Binding Update (Protected with IPsec) Binding Acknowledgement (Protected with IPsec) IKEv2 and IPsec SAs Setup IKE & IPsec SAs Stored in non- volatile memory Failure Recovery (HA2 allocated) Binding Update (Protected with IPsec) AAA (Get IPsec SA) AAA (IPsec SA) Binding Acknowledgement (Protected with IPsec) MN-AAA Key HA2 IKE & IPsec SAs Stored in non- volatile memory Option 2 (Optimized IKEv2-based Operation for Dynamic IPsec Keying) AAA MN-AAA Key AAA (IKE & IPsec SAs for MN) AAA (Ack)

6 6 Option 2 (Optimized IKEv2-based Operation for Dynamic IPsec Keying) Set up both IKE and IPsec SA with HA3 at the time of first power-up operation The IKE and IPsec SAs can be set up via IKEv2/EAP. This is done when the MN powers up for the very first time and can be refreshed at an appropriate time (e.g., once per day). The IKE and IPsec SAs are then uploaded to the AAA server by HA3 using the HA- AAA interface. Both IKE and IPsec SAs to be stored in non-volatile memory of MN and AAA, avoiding the need to run IKEv2 again (e.g., at failure recovery time) Only MN-AAA key to be configured at the AAA server and MN. If MS wants to initiate a MIP6 session and obtains a dynamic HA (e.g., HA1), MN can use the same IPsec SA (established during power-up with HA3) to protect BU sent to HA1. No need for full IKEv2/EAP exchange between MN and HA1, because HA1 fetches the IPsec SA from the AAA. Subsequent BUs (after the first one) don’t need this AAA interaction. The IPsec SA is not unique to the {MN,HA} pair. If the HAs are well trusted and belong to the same operator, this may be okay This is optimal for home domain operation (i.e., when the HA is in the home domain) The handoff and failure recovery operation are similar to Option 1 The failure/recovery case shown is a system failure that causes the MN to bootstrap again upon recovery, e.g., from HA1 to HA2. Again, No need for full IKEv2/EAP exchange between MN and HA2, because HA2 fetches the IPsec SA from the AAA. Failure/recovery of HAs also can be handled by hot standby methods

7 7 Failure Recovery Operation MIP6 Session Initialization Handoff Operation First Time Power-up Operation MNHA1HA3 Binding Update (Protected with IPsec) AAA (Get IPsec SA for MN-HA1) AAA (IPsec SA for MN-HA1) Binding Acknowledgement (Protected with IPsec) Handoff Binding Update (Protected with IPsec) Binding Acknowledgement (Protected with IPsec) IKEv2 and IPsec SAs Setup IKE & IPsec SAs Stored in NV memory Failure Recovery (HA2 allocated) Binding Update (Protected with IPsec) AAA (Get IPsec SA for MN-HA2) AAA (IPsec SA for MN-HA2) Binding Acknowledgement (Protected with IPsec) MN-AAA Key HA2 Option 2a (Optimized IKEv2-based Operation for HA in Visited Domain) AAA MN-AAA Key AAA (IKE & IPsec SAs for MN-HA3) AAA (Ack) IKE_SA_INIT Request (IPsec SA for MN-HA1) IKE_SA_INIT Response (IPsec SA for MN-HA1) IKE_SA_INIT Request (IPsec SA for MN-HA2) IKE_SA_INIT Response (IPsec SA for MN-HA2) AAA (IPsec SA for MN-HA1) AAA (Ack) AAA (IPsec SA for MN-HA2) AAA (Ack) IKE & IPsec SAs Stored in NV memory

8 8 Option 2a (Optimized IKEv2-based Operation for HA in Visited Domain) Set up both IKE and IPsec SA with HA3 (in MN’s home domain) at the time of first power-up operation (same as option 2) If MN wants to initiate a MIP6 session and obtains a dynamic HA (e.g., HA1) in the visited domain, MN establishes an IPsec SA with HA3 that uploads the IPsec SA to the home AAA server. This requires only a single roundtrip of create child SA exchange. MN uses this IPsec SA to protect BU sent to HA1. No need for full IKEv2/EAP exchange between MN and HA1, because HA1 fetches the IPsec SA from the home AAA. Subsequent BUs (after the first one) don’t need this AAA interaction. The IPsec SA is unique to the {MN,HA} pair Optimal when a visited domain allocates HA to the MN The failure/recovery case shown is a system failure that causes the MN to bootstrap again upon recovery, e.g., from HA1 to HA2. If a different HA is assigned upon failure recovery, MN establishes a new IPsec SA with HA3 that uploads the IPsec SA to the home AAA server. This requires only a single roundtrip of create child SA exchange. Again, No need for full IKEv2/EAP exchange between MN and HA2, because HA2 fetches the IPsec SA from the AAA. Failure/recovery of HAs also can be handled by hot standby methods

9 9 Additional Points The IP address of the HA that bootstraps IKE SA and IPsec SA can be given to the MN via DHCPv6 3GPP2 vendor specific AAA attributes can be defined to distribute IPsec SA Attributes needed for the security-bootstrapping HA (in home domain) to upload the SAs to the home AAA server Attributes needed for the dynamically-assigned HA (in visited or home domain) to fetch the SAs from the home AAA server This proposal can co-exist with the regular MIP6 security mechanism of always performing IKEv2 with the assigned HA. But, how MN knows which mechanism to use (e.g., in roaming scenarios) needs further study.

10 10 Conclusion & Recommendation Conclusion: Option 2 provides all the features with the maximum flexibility Avoids any additional configuration Zero re-keying messages needed for home domain operation Two messages (single roundtrip) needed for visited domain operation Two messages (single roundtrip) needed for failure/recovery operation Recommendation: Use option 2 when HA is in the home network and option 2a when HA is in the visited network

Download ppt "1 IPsec-based MIP6 Security Qualcomm Inc. Starent Inc. Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to incorporate."

Similar presentations

WLAN IW Enhancement for IMS Support

WLAN IW Enhancement for IMS Support
Mobile IPv4 FA CoA Support in WLAN Interworking Raymond Hsu Qualcomm Inc. Notice: QUALCOMM Incorporated grants a free, irrevocable license.

Mobile IPv4 FA CoA Support in WLAN Interworking Raymond Hsu Qualcomm Inc. Notice: QUALCOMM Incorporated grants a free, irrevocable license.
Mobile IPv4 FA CoA Support in WLAN Interworking Raymond Hsu, Qualcomm Inc., Sanket S. Nesargi, Nortel, Nanying Yin,

Mobile IPv4 FA CoA Support in WLAN Interworking Raymond Hsu, Qualcomm Inc., Sanket S. Nesargi, Nortel, Nanying Yin,
Dynamic HA Assignment for MIPv4 in WLAN Interworking Raymond Hsu, Qualcomm Inc., Wing C. Lau, Qualcomm Inc., Notice:

Dynamic HA Assignment for MIPv4 in WLAN Interworking Raymond Hsu, Qualcomm Inc., Wing C. Lau, Qualcomm Inc., Notice:
Www.huawei.com MIP6-HA-Local-Assignment-Capability indication to MS Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners.

MIP6-HA-Local-Assignment-Capability indication to MS Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners.
1 DSMIP6 Support QUALCOMM Inc. Jun Wang, George Cherian, Masa Shirota Notice.

1 DSMIP6 Support QUALCOMM Inc. Jun Wang, George Cherian, Masa Shirota Notice.
IP Connectivity for E911 in HRPD/PDS Networks Page 1 IP Connectivity for Emergency Calls in HRPD/PDS Networks 3GPP2 Meeting, 1/07 IP Connectivity for Emergency.

IP Connectivity for E911 in HRPD/PDS Networks Page 1 IP Connectivity for Emergency Calls in HRPD/PDS Networks 3GPP2 Meeting, 1/07 IP Connectivity for Emergency.
XHRPD Example Scenario for MSS Masa Shirota Qualcomm Inc. July 15, 2014 3GPP2 Dalian Meeting Recommendation: FYI Notice QUALCOMM Incorporated grants a.

XHRPD Example Scenario for MSS Masa Shirota Qualcomm Inc. July 15, GPP2 Dalian Meeting Recommendation: FYI Notice QUALCOMM Incorporated grants a.
1 Notice Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained.

1 Notice Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained.
HRPD Femto Local IP Access: Overview Peerapol Tinnakornsrisuphap Qualcomm October 27 th, 2008 3GPP2 Seoul,

HRPD Femto Local IP Access: Overview Peerapol Tinnakornsrisuphap Qualcomm October 27 th, GPP2 Seoul,
1 IP Service Authorization Support and Mobility Selection for X.S0011-E Source: QUALCOMM Inc.: Masa Shirota, George Cherian, Jun Wang,

1 IP Service Authorization Support and Mobility Selection for X.S0011-E Source: QUALCOMM Inc.: Masa Shirota, George Cherian, Jun Wang,
1 UATI-IP address mapping Peerapol Tinnakornsrisuphap David Ott Qualcomm.

1 UATI-IP address mapping Peerapol Tinnakornsrisuphap David Ott Qualcomm.
1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture.

1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture.
3GPP2 Network Evolution: Inter-working Across Technologies January 08, 2007 QUALCOMM Inc Notice Contributors grant a free, irrevocable license to 3GPP2.

3GPP2 Network Evolution: Inter-working Across Technologies January 08, 2007 QUALCOMM Inc Notice Contributors grant a free, irrevocable license to 3GPP2.
1 cdma2000® Data Service Transition to NULL Support Jun Wang Ravi Patwardhan June 5, 2003 Recommendation -

1 cdma2000® Data Service Transition to NULL Support Jun Wang Ravi Patwardhan June 5, 2003 Recommendation -
© Alcatel-Lucent 2010 1 | M2M Numbering | April 12, 2010 3GPP2 M2M-20100412-004 TITLE Numbering in 3GPP2 for M2MSOURCE Mike Dolan, Alcatel-Lucent, Mike.

© Alcatel-Lucent | M2M Numbering | April 12, GPP2 M2M TITLE Numbering in 3GPP2 for M2MSOURCE Mike Dolan, Alcatel-Lucent, Mike.
Broadcast Area Based Management for BCMCS Quanzhong Gao Weidong Wu 04/05/2005.

Broadcast Area Based Management for BCMCS Quanzhong Gao Weidong Wu 04/05/2005.
Security Framework for (e)HRPD 1 S40-20100621-005 3GPP2 TSG-S WG4 Source: QUALCOMM Incorporated Contact(s): Anand Palanigounder

Security Framework for (e)HRPD 1 S GPP2 TSG-S WG4 Source: QUALCOMM Incorporated Contact(s): Anand Palanigounder
IP Packet Tunneling and Routing in UMB March 26 th, 2007 Qualcomm/Alcatel-Lucent/Hitachi Notice Contributors grant a free, irrevocable license to 3GPP2.

IP Packet Tunneling and Routing in UMB March 26 th, 2007 Qualcomm/Alcatel-Lucent/Hitachi Notice Contributors grant a free, irrevocable license to 3GPP2.
80-VXXX-X A July 2008 Page 1 QUALCOMM Confidential and Proprietary PCC Support for cdma2000 QUALCOMM Inc. Jun Wang, George Cherian, Masa Shirota

80-VXXX-X A July 2008 Page 1 QUALCOMM Confidential and Proprietary PCC Support for cdma2000 QUALCOMM Inc. Jun Wang, George Cherian, Masa Shirota

Similar presentations

Ads by Google