PF_KEY Extension as an Interface between Mobile IPv6 and IPsec/IKE. Shinta Sugimoto, Francis Dupont. 62nd IETF, Minneapolis, Mobile IPv6 WG meeting, 07/03/2005. Presentation transcript.


Slide 1: PF_KEY Extension as an Interface between Mobile IPv6 and IPsec/IKE (draft-sugimoto-mip6-pfkey-migrate-00)

Slide 2: Topics
- Background
- Do we need any interaction between Mobile IPv6 and IPsec/IKE?
- Extension to the PF_KEY framework – MIGRATE
  – Concepts
  – Message format
  – Message sequence
  – Limitations
- Conclusion

Slide 3: Background
- Mobile IPv6 uses IPsec to protect the messages exchanged between the MN and the HA, as specified in RFC 3775 and RFC 3776:
  – Home Registration signals (BU/BA)
  – Return Routability messages (HoTI/HoT)
  – MIPv6-specific ICMPv6 messages (MPS/MPA)
  – Payload packets
- SA pairs need to be established between the MN and the HA, either statically or dynamically
- Tunnel mode SAs need to be updated whenever the MN moves

Slide 4: Figure
[Figure: MN1 and MN2 reach HA1 and HA2 across the Internet; each MN/HA pair carries an IP-in-IP tunnel and an IPsec tunnel. The SPD entries shown in the figure (each listed twice in the original), with "->" read as "apply":]
- MN side:
  – INBOUND: sel: src=any, dst=HoA_MN1, proto=MH -> apply SA1 (ESP tunnel)
  – OUTBOUND: sel: src=HoA_MN1, dst=any, proto=MH -> apply SA2 (ESP tunnel)
- HA side:
  – INBOUND: sel: src=HoA_MN1, dst=any, proto=MH -> apply SA2 (ESP tunnel)
  – OUTBOUND: sel: src=any, dst=HoA_MN1, proto=MH -> apply SA1 (ESP tunnel)

Slide 5: Necessary Interactions between Mobile IPv6 and IPsec/IKE
- Update the endpoint address of the tunnel mode SA
  – The Mobile IPv6 component may not have full access to the SADB
- Update the endpoint address stored in the SPD entry associated with the tunnel mode SA
  – IKE should be able to keep performing key negotiation and re-keying
- The IKE daemon should update the endpoint address of the IKE connection (aka K-bit) to keep it alive while the MN changes its CoA

Slide 6: Requirements
- Modifications to the existing software (Mobile IPv6 and IPsec/IKE stack) should be kept to a minimum
- The mechanism should not be platform dependent

Slide 7: Extension to the PF_KEY framework – PF_KEY MIGRATE
- Introduce a new PF_KEY message named MIGRATE, issued by Mobile IPv6 components to announce movement
- PF_KEY MIGRATE requests the system and user applications to update the SADB and SPD:
  – Tunnel mode SA entry
  – SPD entry associated with the tunnel mode SA
- Additionally, the message can also be used to handle the K-bit

Slide 8: PF_KEY MIGRATE – message format
Example: MN updating its outbound SP entry to protect MH messages (field: example value)
- Selector Information:
  – Source address: 3ffe:501:ffff:100:1:2:3:4/128 (HoA)
  – Destination address: ::/128
  – Upper layer protocol (i.e. MH): 135 (MH)
  – Direction (inbound/outbound): 1 (outbound)
- Old SA Information:
  – Old tunnel source address: 3ffe:501:ffff:500:1:2:3:4/128 (Old-CoA)
  – Old tunnel destination address: 3ffe:501:ffff:100::1/128 (HA address)
  – Protocol (ESP/AH): 50 (ESP)
- New SA Information:
  – New tunnel source address: 3ffe:501:ffff:400:1:2:3:4/128 (New-CoA)
  – New tunnel destination address: 3ffe:501:ffff:100::1/128 (HA address)
  – Protocol (ESP/AH): 50 (ESP)

Slide 9: Architecture
[Figure: in userland, the Mobile IPv6 daemon and the IKE daemon (holding the ISAKMP SA); in the kernel, the Mobile IPv6 core and IPsec with its SPD and SAD. PF_KEY MIGRATE is carried over the PF_KEY socket between the Mobile IPv6 daemon, the kernel and the IKE daemon.]

Slide 10: Message Sequence of PF_KEY MIGRATE
[Sequence diagram between MN and HA:]
- Initial Home Registration: HoA => CoA1, followed by MIGRATE
- Home Re-registration: CoA1 => CoA2, followed by MIGRATE
- Home De-Registration: CoA2 => HoA, followed by MIGRATE
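As an added example, not part of the presentation or of the authors' prototypes, here is a small Python model of the slide 8 message fields (selector, old SA, new SA) applied in the slide 10 sequence, assuming a toy SPD/SAD keyed by selector and tunnel endpoints:

```python
from dataclasses import dataclass
# Toy model of the PF_KEY MIGRATE fields from slide 8 (selector, old SA, new
# SA) applied to a minimal SPD/SAD. Written for this example only: not the
# real PF_KEY structures or any kernel's databases. Addresses are from slide 8.
HOA, HA = "3ffe:501:ffff:100:1:2:3:4", "3ffe:501:ffff:100::1"
COA1, COA2 = "3ffe:501:ffff:500:1:2:3:4", "3ffe:501:ffff:400:1:2:3:4"
MH, ESP = 135, 50

@dataclass(frozen=True)
class Selector:          # traffic selector of the SPD entry
    src: str
    dst: str             # "::" stands for any (::/128 on the slide)
    proto: int
    direction: str       # "in" or "out"

@dataclass(frozen=True)
class Endpoints:         # tunnel-mode SA: outer src/dst and protocol
    src: str
    dst: str
    proto: int           # 50 = ESP, 51 = AH

class IPsecDB:
    def __init__(self):
        self.spd = {}    # Selector -> Endpoints of the associated tunnel SA
        self.sad = set() # tunnel-mode SAs, identified by their endpoints
    def add(self, sel, sa):
        self.spd[sel] = sa
        self.sad.add(sa)

    def migrate(self, sel, old, new):
        """Apply one MIGRATE (selector, old SA, new SA): re-point the SPD
        entry and its tunnel SA. Reject it when the old SA does not match the
        current state (a lost or replayed MIGRATE, the concern on slide 11)."""
        if self.spd.get(sel) != old or old not in self.sad:
            return False
        self.sad.remove(old)
        self.sad.add(new)
        self.spd[sel] = new
        return True

def home_registration_sequence():
    """Slide 10: HoA=>CoA1, CoA1=>CoA2, CoA2=>HoA, then one stale replay."""
    db = IPsecDB()
    sel = Selector(HOA, "::", MH, "out")   # MN's outbound SP for MH messages
    db.add(sel, Endpoints(HOA, HA, ESP))    # SA as installed while at home
    hops = [HOA, COA1, COA2, HOA]
    moves = [(Endpoints(a, HA, ESP), Endpoints(b, HA, ESP))
             for a, b in zip(hops, hops[1:])]
    moves.append(moves[1])                  # replayed CoA1=>CoA2: old SA stale
    return [db.migrate(sel, old, new) for old, new in moves], db.spd[sel]
```

The three registrations succeed and the replayed message is refused, leaving the SPD entry pointing back at the home-address tunnel endpoints.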

Slide 11: Limitations/Concerns
- There is an ambiguity in how the target SADB entry is specified:
  – The current scheme, which identifies the target SADB entry by its src/dst address pair, does not seem to be the best solution
- Delivery of the PF_KEY MIGRATE message cannot be guaranteed:
  – When a message is lost, the Mobile IPv6 state and the IPsec databases become inconsistent
- Some parts of PF_KEY MIGRATE are implementation dependent:
  – There is no standard way to access the SPD

Slide 12: Implementation Status
- BSD
  – MIPv6: a prototype implemented on KAME/SHISA on FreeBSD
  – IKE: enhancements made to the IKEv1 daemon (racoon)
- Linux
  – MIPv6: a prototype implemented on MIPL 2.0 on Linux 2.6
  – IKE: enhancements made to the IKEv1 daemon (racoon), which was originally ported from BSD

Slide 13: Conclusion
- There should be a minimal interface between Mobile IPv6 and IPsec/IKE so that the security features can be fully used
- The newly defined PF_KEY MIGRATE message makes it possible for Mobile IPv6 and IPsec/IKE to interact with each other
- On receiving a PF_KEY MIGRATE message, the system and user applications can make the necessary updates to the SADB/SPD
- The proposed mechanism has been implemented on both the Linux and BSD platforms
- Further improvements are needed to overcome some limitations

Slide 14: Thank you! Questions?

Slide 15: Static Keying (backup)
[Sequence diagram with lanes MN, HA and CN. Events shown: BU (Home Registration) / BA; update endpoint address of SA pairs with CoA1; Movement (CoA1); Movement (CoA2); BU (Home Registration) / BA; update endpoint address of SA pairs with CoA2; Home Test Init / Home Test and Care-of Test Init / Care-of Test, Return Routability procedure completed; BU (Corresponding Binding Update) / BA, corresponding binding entry is created; payload packet, payload traffic is injected into the IPsec tunnel.]

Slide 16: Dynamic Keying, K-bit=0 (backup)
[Sequence diagram with lanes MN, HA and CN. Events shown: IKEv1 Phase 1, IKEv1 Phase 2, establish IPsec SA to protect RR signals; Return Routability; BU (Home Registration) / BA; BU (Corresponding Update) / BA; Movement (CoA1); Movement (CoA2); BU (Home Registration) / BA; update endpoint address of SA pairs with CoA2; IKEv1 Phase 1 (endpoint address updated); BU (Corresponding Update) / BA.]

Slide 17: Dynamic Keying, K-bit=1 (backup)
[Sequence diagram with lanes MN, HA and CN. Events shown: IKEv1 Phase 1, IKEv1 Phase 2, establish IPsec SA to protect RR signals; Return Routability; BU (Home Registration) / BA; BU (Corresponding Update) / BA; Movement (CoA1); Movement (CoA2); BU (Home Registration) / BA; update endpoint address of SA pairs with CoA2; update IKE endpoint with CoA2 (no phase 1 connection established yet); BU (Corresponding Update) / BA, corresponding binding is updated.]

