07/03/2005 62nd IETF – Minneapolis, Mobile IPv6 WG meeting
PF_KEY Extension as an Interface between Mobile IPv6 and IPsec/IKE
Shinta Sugimoto, Francis Dupont

Presentation transcript:

PF_KEY Extension as an Interface between Mobile IPv6 and IPsec/IKE
Shinta Sugimoto, Francis Dupont
draft-sugimoto-mip6-pfkey-migrate-00

Topics
– Background
– Do we need any interaction between Mobile IPv6 and IPsec/IKE?
– Extension to PF_KEY framework – MIGRATE
  – Concepts
  – Message Format
  – Message sequence
  – Limitation
– Conclusion

Background
– Mobile IPv6 uses IPsec to protect messages exchanged between MN and HA, as specified in RFC 3775 and RFC 3776:
  – Home Registration signals (BU/BA)
  – Return Routability messages (HoTI/HoT)
  – MIPv6-specific ICMPv6 messages (MPS/MPA)
  – Payload packets
– SA pairs must be established between the MN and HA, either statically or dynamically
– Tunnel mode SAs must be updated whenever the MN moves

Figure: MN1/HA1 and MN2/HA2 connected across the Internet; the IP-in-IP tunnel between MN and HA is carried inside an IPsec tunnel. SPD entries shown for MN1 and HA1:
– MN side:
  – INBOUND: sel: src=any, dst=HoA_MN1, proto=MH → apply SA1 (ESP tunnel)
  – OUTBOUND: sel: src=HoA_MN1, dst=any, proto=MH → apply SA2 (ESP tunnel)
– HA side:
  – INBOUND: sel: src=HoA_MN1, dst=any, proto=MH → apply SA2 (ESP tunnel)
  – OUTBOUND: sel: src=any, dst=HoA_MN1, proto=MH → apply SA1 (ESP tunnel)

Necessary Interactions between Mobile IPv6 and IPsec/IKE
– Update the endpoint address of the tunnel mode SA
  – The Mobile IPv6 component may not have full access to the SADB
– Update the endpoint address stored in the SPD entry associated with the tunnel mode SA
  – IKE should be able to continue key negotiation and re-keying
– The IKE daemon should update the endpoint address of the IKE connection (aka K-bit) to keep it alive while the MN changes its CoA

Requirements
– Modifications to the existing software (Mobile IPv6 and IPsec/IKE stack) should be kept to a minimum
– The mechanism should not be platform dependent

Extension to PF_KEY framework – PF_KEY MIGRATE
– Introduce a new PF_KEY message named MIGRATE, issued by Mobile IPv6 components to signal movement
– PF_KEY MIGRATE requests the system and user applications to update the SADB and SPD:
  – Tunnel mode SA entry
  – SPD entry associated with the tunnel mode SA
– Additionally, the message can also be used to handle the K-bit

PF_KEY MIGRATE – message format
Example: MN updating its outbound SP entry to protect MH messages
Selector Information:
– Source address: 3ffe:501:ffff:100:1:2:3:4/128 (HoA)
– Destination address: ::/
– Upper layer protocol (i.e. MH): MH
– Direction (inbound/outbound): 1 (outbound)
Old SA Information:
– Old tunnel source address: 3ffe:501:ffff:500:1:2:3:4/128 (Old-CoA)
– Old tunnel destination address: 3ffe:501:ffff:100::1/128 (HA address)
– Protocol (ESP/AH): 50 (ESP)
New SA Information:
– New tunnel source address: 3ffe:501:ffff:400:1:2:3:4/128 (New-CoA)
– New tunnel destination address: 3ffe:501:ffff:100::1/128 (HA address)
– Protocol (ESP/AH): 50 (ESP)

Figure: architecture. Userland: Mobile IPv6 daemon and IKE daemon (holding the ISAKMP SA). Kernel: Mobile IPv6 core and IPsec (SPD, SAD). PF_KEY MIGRATE travels over the PF_KEY socket between the Mobile IPv6 daemon, the kernel IPsec databases and the IKE daemon.

Message Sequence of PF_KEY MIGRATE (between MN and HA)
– Initial Home Registration: HoA => CoA1, MIGRATE
– Home Re-registration: CoA1 => CoA2, MIGRATE
– Home De-Registration: CoA2 => HoA, MIGRATE

Limitations/Concerns
– There is an ambiguity in how the target SADB entry is specified:
  – The current scheme, which identifies the target SADB entry by its src/dst address pair, does not seem to be the best solution
– Delivery of the PF_KEY MIGRATE message cannot be guaranteed:
  – When a message is lost, the Mobile IPv6 and IPsec databases become inconsistent
– Some parts of PF_KEY MIGRATE are implementation dependent:
  – There is no standard way to access the SPD
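As an added example (not the authors' KAME/MIPL code), the following toy model ties together the message format slide, the three-step registration sequence and the target-ambiguity concern above: a receiver applies a MIGRATE to an in-memory SAD/SPD, rewriting the tunnel endpoints of the one SA that matches the selector plus old endpoints, and refuses to guess when that match is not unique. The addresses are the slide's example values; the MH protocol number 135 comes from RFC 3775, and the data structures are assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass

MH, ESP = 135, 50      # Mobility Header (RFC 3775) and ESP protocol numbers
# Selector information and the MIGRATE message, mirroring the slide's three blocks.
Selector = namedtuple("Selector", "src dst proto direction")
Migrate = namedtuple("Migrate", "sel old_src old_dst new_src new_dst proto")

@dataclass
class TunnelSA:        # one tunnel-mode SA entry in the SAD (assumed layout)
    sel: Selector
    tun_src: str
    tun_dst: str
    proto: int

class IPsecDB:
    def __init__(self):
        self.sad = []  # SAD: list of TunnelSA
        self.spd = {}  # SPD: selector -> TunnelSA the policy applies

    def add(self, sa):
        self.sad.append(sa)
        self.spd[sa.sel] = sa

    def migrate(self, msg):
        # Target SAD entry = selector + old tunnel endpoints + protocol.
        hits = [sa for sa in self.sad if sa.sel == msg.sel and
                (sa.tun_src, sa.tun_dst, sa.proto) == (msg.old_src, msg.old_dst, msg.proto)]
        if len(hits) != 1:   # the slides' concern: the address pair may be ambiguous
            raise LookupError(f"MIGRATE matched {len(hits)} SAD entries, refusing to guess")
        sa = hits[0]
        sa.tun_src, sa.tun_dst = msg.new_src, msg.new_dst   # rewrite tunnel endpoints
        self.spd[msg.sel] = sa                              # SPD entry follows the SA
        return sa

HOA, HA = "3ffe:501:ffff:100:1:2:3:4", "3ffe:501:ffff:100::1"      # slide values
COA1, COA2 = "3ffe:501:ffff:500:1:2:3:4", "3ffe:501:ffff:400:1:2:3:4"
OUTBOUND_MH = Selector(HOA, "::", MH, "outbound")   # src=HoA, dst=any, proto=MH

def run_sequence():
    """Initial registration, re-registration and de-registration as on the slides."""
    db = IPsecDB()
    db.add(TunnelSA(OUTBOUND_MH, HOA, HA, ESP))   # SA in place while the MN is at home
    trace = []
    for old, new in [(HOA, COA1), (COA1, COA2), (COA2, HOA)]:
        sa = db.migrate(Migrate(OUTBOUND_MH, old, HA, new, HA, ESP))
        trace.append((sa.tun_src, sa.tun_dst))
    return trace
```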

Implementation Status
– BSD
  – MIPv6: A prototype implemented on KAME/SHISA on FreeBSD
  – IKE: Enhancements made to the IKEv1 daemon (racoon)
– Linux
  – MIPv6: A prototype implemented on MIPL 2.0 on Linux-2.6
  – IKE: Enhancements made to the IKEv1 daemon (racoon), which was originally ported from BSD

Conclusion
– There should be a minimal interface between Mobile IPv6 and IPsec/IKE to take full advantage of the security features
– The newly defined PF_KEY MIGRATE message makes it possible for Mobile IPv6 and IPsec/IKE to interact with each other
– On receiving a PF_KEY MIGRATE message, the system and user applications can make the necessary updates to the SADB/SPD
– The proposed mechanism has been implemented on both Linux and BSD platforms
– Further improvements are needed to overcome some limitations

Thank you! & Questions?

Backup figure: Static Keying sequence diagram between MN, HA and CN. Events shown: Movement (CoA1); Update endpoint address of SA pairs with CoA1; BU (Home Registration) / BA; Home Test Init / Home Test and Care-of Test Init / Care-of Test; Return Routability procedure completed; BU (Corresponding Binding Update) / BA; Corresponding binding entry is created; Payload packet (payload traffic is injected into the IPsec tunnel); Movement (CoA2); Update endpoint address of SA pairs with CoA2; BU (Home Registration) / BA.

Backup figure: Dynamic Keying, K-bit=0, sequence diagram between MN, HA and CN. Events shown: IKEv1 Phase 1 and IKEv1 Phase 2 (establish IPsec SA to protect RR signals); Return Routability; BU (Home Registration) / BA; BU (Corresponding Update) / BA; Movement (CoA1); Movement (CoA2); Update endpoint address of SA pairs with CoA2; new IKEv1 Phase 1 with the endpoint address updated; BU (Home Registration) / BA; BU (Corresponding Update) / BA.

Backup figure: Dynamic Keying, K-bit=1, sequence diagram between MN, HA and CN. Events shown: IKEv1 Phase 1 and IKEv1 Phase 2 (establish IPsec SA to protect RR signals); Return Routability; BU (Home Registration) / BA; BU (Corresponding Update) / BA; Movement (CoA1); Movement (CoA2); Update endpoint address of SA pairs with CoA2; Update IKE endpoint with CoA2 (no new Phase 1 connection established); BU (Home Registration) / BA; BU (Corresponding Update) / BA; Corresponding binding is updated.