1 © 2005 Nokia mobike-transport.ppt/ MOBIKE Transport mode usage and issues Mohan Parthasarathy

2 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials MOBIKE transport mode use cases summary SCTP Mobile IPv6 IP-IP tunnel + transport mode SA (RFC 3884 interaction) TCP/UDP + transport mode SA

3 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials SCTP – Stream Control Transmission Protocol (RFC 2960) SCTP (RFC 2960) supports multi-homing Exchange multiple addresses during SCTP association setup After successful “ASSOCIATE”, SCTP picks one of the destination address as the primary path It also returns a transport address list that can be used by ULP to override primary path Destination address (and source address) of a packet can change due to various reasons Applications can change the primary path at any time Retransmission SHOULD use a different destination address from last time SACKs to duplicate data may be transmitted using different address from the source in the received packet HEARTBEATs (used on idle associations) can be used to mark an address inactive causing new address to be selected Packets can change addresses can from either side of the association

4 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials SCTP use case (contd..) SCTP Dynamic Address Configuration (draft-ietf-tsvwg-addip-sctp-12.txt) Reconfigure IP addresses on an existing association Supports ADD/DELETE/Set primary path primitives Requires SCTP-AUTH for these primitives SCTP-AUTH draft – a non WG draft expired (draft-tuexen-sctp-auth-chunk-03) SCTP usage in IKEv1 RFC 3554 describes SCTP usage with IPsec for IKEv1 Not a commonly used feature SCTP usage in IKEv2 TSi/TSr can be used to exchange additional addresses TSi/TSr not sufficient to support dynamic address configuration of SCTP Not yet implemented by anyone ?

5 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials SCTP and MOBIKE usage MOBIKE allows only initiator to change the addresses of the SA MOBIKE uses only one address pair at any time for both sending and receiving sides Issues Similar problem exists in shim6 WG (shim6 – SCTP interaction) Either side of the SCTP association can change the path anytime conflicting with MOBIKE ? SCTP HEARTBEAT Vs IKEv2 PATH_TEST conflict ? SCTP chooses a path and IKEv2 overrides with a different path ?

6 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Mobile IPv6 Usage (RFC 3775/3776) Mobile Node and Home Agent use transport mode SA for protecting the Binding Updates and Binding Acknowledgements There are two addresses : Fixed Home Address and transient care-of address IKE uses care-of address while the IPsec SA itself is bound to the home address Use case 1 (Francis draft) Use MOBIKE to add the home address as alternate address (using ADDITIONAL_ADDRESS_IPv6 notification) Issues IPsec may try to use the home address if the CoA does not work ? RR may not work always ! Use case 2 MIPv6 has in-built functionality for updating the SAs when CoA changes CoA change (after the initial SA setup) is not authorized MOBIKE can provide this using the RR No additional changes needed in the MOBIKE spec for both use cases !

7 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Use of IPsec Transport mode for Dynamic Routing (RFC 3884) This use case was closed as Issue 7 IP-IP tunnel is used between the peers and the traffic protected using transport mode IPsec SA MOBIKE support should be similar to NAT-T support for IPsec protected IP- IP/L2TP tunnel NAT reboot can cause IP address change similar to MOBIKE Implementations may not implement this NAT-T feature today. Mobility support Update the IPsec SA with the new address from the UPDATE_SA message Questions Do we update the tunnel endpoints and traffic selectors ? If NO, reuse of original tunnel endpoint address by some other node will cause problems

8 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials MOBIKE multi-homing support with RFC 3884 Multi-homing support Two possible models Model 1 Single IP-IP tunnel between the peers MOBIKE manages multiple addresses between the peers No issues ? Model 2 Multiple IP-IP tunnels between the peers and routing protocols running over the tunnels IPsec protects each of the tunnel traffic using transport mode SA MOBIKE manages multiple addresses between the peers Routing Protocols (depending on its reachability) decides the forwarding of packets over the tunnel MOBIKE protocol (depending on its reachability) decides what source and destination will be used by the packet Bad interaction similar to SCTP ? Routing switches to tunnel 1, MOBIKE switches to a different address pair Bad effects needs to be studied further

9 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials MOBIKE support for TCP/UDP Similar to IP-IP tunnel + transport mode TCP connection setup or UDP packet to destination X triggers IPsec MOBIKE exchanges the “available” addresses Mobility support Update the IPsec SA with the new address Updating the TCP connection state will break applications Traffic selectors, TCP, UDP still based on the original address Issue Reuse of original address will cause issues (duplicate traffic selector!) Multi-homing support Similar to IP-IP tunnel + transport mode except that no interaction with routing ?

10 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Conclusion IPsec acts like a “shim” layer in the context of multi-homing SCTP Use of IPsec for SCTP does not seem to be common MOBIKE address selection interacts badly with SCTP address selection MIPv6 Nothing special needed in MOBIKE itself IP-IP tunnel + transport mode RFC 3884 use case may be more common Interaction with routing layer needs to be studied TCP + transport mode Does not seem to be an interesting case ?