Mobile IPv6 with IKEv2 and revised IPsec architecture IETF 61


Mobile IPv6 and IPsec
- RFC 3776 describes how IPsec is used with Mobile IPv6
- IPsec architecture has been revised
  - IPsec selectors revised
  - Security policy and association databases more clearly defined
- IKEv2 developed
  - Simplified
  - The use of EAP defined in the spec
- Need a new specification to describe Mobile IPv6 operation with IKEv2 and the revised IPsec architecture

A new draft
- draft-ietf-mip6-ikev2-ipsec-00.txt
  - describes the necessary SPD and SAD configuration and packet formats
  - describes the required processing steps on the MN and the HA
  - describes the use of IKEv2 for key negotiation for Mobile IPv6
- A very initial version. Far from complete
  - Missing some sections
  - Will try to get a stable version out soon
- If the above approach is a bad idea, speak up

Key negotiation
- Manual IPsec keying MUST be supported
  - Minimal requirement to support interoperability
- Dynamic keying through IKEv2 should be supported
  - RFC 3775 has MAY for dynamic key negotiation through IKEv1
  - Leave it at MAY for IKEv2 too? Make it a SHOULD?
- Proposal is to leave it as it is
  - RFC 3775 is the one that should really say whether dynamic keying SHOULD be supported or MAY be supported
  - This draft will only describe how IKEv2 can be run with Mobile IPv6
- 'K' bit still required to dynamically update the tunnel end points

SPD configuration
- New selectors
  - Mobility Header message type
  - ICMPv6 message type
- Makes it easier to apply policies just to the HoTi or HoT message instead of all reverse-tunneled Mobility Header messages
- Makes it easier to apply policies just to the Mobile Prefix Discovery messages instead of all ICMPv6 messages
- SPD configurations described in the draft (not listed here)
  - Please read the draft and comment on the mailing list

SPD configuration
- RFC 3776 required per-interface SPDs
  - Not needed anymore
  - Is that true?
- We still need policy entries that can be applied to payload traffic reverse tunneled through the Home Agent
  - Need to distinguish between payload traffic sent reverse tunneled, payload traffic sent route optimized, and payload traffic sent using the CoA only
  - Can we do this with just the tools provided in RFC 2401-bis?
- Implementation is complex for per-interface SPDs
  - But it is implementation specific

PAD configuration
- Peer Authorization Database provides a link between a key negotiation protocol and the SPD
  - Indicates the range of identities that a peer may use for negotiating keys
- HA maintains an entry per mobile node in the Peer Authorization Database
  - Indexed by the identity of the MN
  - Has one or more Home Addresses allocated to the MN
  - HA can check if the MN is authorized for a home address when the MN initiates IKE negotiation or when the MN sends a BU
  - PAD entry also indicates whether the MN needs to be authenticated through a shared key, certificate, etc.
- PAD is optional
  - Implementations can use any mechanism to achieve the above

SAD configuration
- Transport mode SAs for Binding Update and Binding Acknowledgement
  - Integrity protection a must
  - Confidentiality protection optional
- Tunnel mode SAs for HoTi and HoT messages
  - Integrity and confidentiality protection
- Transport mode SAs for Mobile Prefix Discovery messages
  - Integrity protection a must
  - Confidentiality protection optional
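As an added example (not part of the original slides or of the draft), here is a small Python model of the HA-side SPD lookup the SPD and SAD slides describe: an ordered policy table whose selectors include the Mobility Header type and ICMPv6 type introduced with the revised IPsec architecture, each entry carrying the mode and protection requirements from the SAD slide. The addresses, the policy names and the `use_new_selectors` switch are assumptions made for illustration; the switch shows what the same ordered table does when only the old next-header selector is available, which is the situation the new selectors were added to fix.

```python
"""Added example: HA-side SPD lookup with the Mobility Header type and
ICMPv6 type selectors the draft relies on (all addresses are constructed)."""
from dataclasses import dataclass
from typing import Optional

# Next-header values and message types (RFC 3775, RFC 4443)
MH, ICMPV6 = 135, 58
MH_HOTI, MH_HOT, MH_BU, MH_BACK = 1, 3, 5, 6
ICMP_MPS, ICMP_MPA = 146, 147      # Mobile Prefix Solicitation / Advertisement

HOA = "2001:db8:1::100"   # assumed home address of the MN
HA = "2001:db8:1::1"      # assumed home agent address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    mh_type: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                  # address or "any"
    dst: str
    proto: int
    mode: str                 # "transport" or "tunnel"
    integrity: bool
    confidentiality: bool
    mh_type: Optional[int] = None     # new selector: Mobility Header type
    icmp_type: Optional[int] = None   # new selector: ICMPv6 type

    def matches(self, p: Packet, use_new_selectors: bool) -> bool:
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.proto != p.proto:
            return False
        if not use_new_selectors:         # old style: next header only
            return True
        if self.mh_type is not None and self.mh_type != p.mh_type:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


# Ordered SPD on the HA, mirroring the SAD slide: tunnel mode with integrity
# and confidentiality for HoTi/HoT, transport mode with integrity (and
# confidentiality optional) for BU/BAck and Mobile Prefix Discovery.
HA_SPD = [
    Policy("HoTi/HoT tunnel", HOA, "any", MH, "tunnel", True, True, mh_type=MH_HOTI),
    Policy("HoTi/HoT tunnel", "any", HOA, MH, "tunnel", True, True, mh_type=MH_HOT),
    Policy("BU/BAck transport", HOA, HA, MH, "transport", True, False, mh_type=MH_BU),
    Policy("BU/BAck transport", HA, HOA, MH, "transport", True, False, mh_type=MH_BACK),
    Policy("MPD transport", HOA, HA, ICMPV6, "transport", True, False, icmp_type=ICMP_MPS),
    Policy("MPD transport", HA, HOA, ICMPV6, "transport", True, False, icmp_type=ICMP_MPA),
]


def lookup(spd, pkt, use_new_selectors=True):
    """First-match lookup over the ordered SPD (RFC 4301 semantics)."""
    for pol in spd:
        if pol.matches(pkt, use_new_selectors):
            return pol
    return None          # no entry: this table does not force the packet into IPsec


def classify(pkt, use_new_selectors=True):
    pol = lookup(HA_SPD, pkt, use_new_selectors)
    return None if pol is None else (pol.name, pol.mode)


# Constructed sample packets as the HA sees them
BU = Packet(HOA, HA, MH, mh_type=MH_BU)
HOTI = Packet(HOA, "2001:db8:2::7", MH, mh_type=MH_HOTI)   # to a CN, reverse tunneled
MPS = Packet(HOA, HA, ICMPV6, icmp_type=ICMP_MPS)
ECHO = Packet(HOA, HA, ICMPV6, icmp_type=128)               # ordinary Echo Request

if __name__ == "__main__":
    for p in (BU, HOTI, MPS, ECHO):
        print(p, "->", classify(p), "| without MH/ICMP selectors:", classify(p, False))
```

With the new selectors the BU lands on the transport-mode BU/BAck entry and an ordinary Echo Request matches nothing; with only the next-header selector the same table sends the BU into the HoTi/HoT tunnel entry (first match wins) and drags every ICMPv6 message into the Mobile Prefix Discovery policy. That is the difference the slide is pointing at: without type selectors, ordering alone decides, and one entry per protocol cannot tell HoTi from BU.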

Use of IKEv2 to negotiate keys
- MN initiates IKEv2 exchange
- Authentication of Home Agent through public keys
  - Should the use of a shared key be allowed? (guess, the answer is YES)
- Identity included in IDi in IKE_AUTH exchange
  - FQDN or RFC 822 identifier
- After IKE_AUTH exchange, MN and HA initiate CREATE_CHILD_SA exchange
  - TSi set to Home Address of the MN
- All required security associations for Mobile IPv6 created using CREATE_CHILD_SA exchanges

Use of IKEv2 to negotiate keys
- Issues
  - At the end of the IKE_AUTH exchange an IKE SA and an IPsec SA are created
  - Can the IPsec SA created in the IKE_AUTH exchange be used for protecting the BU/BAck?
  - Is it okay to set TSi to the Home Address during the IKE_AUTH exchange?
  - What about the IKE SA if TSi is set to HoA in the IKE_AUTH exchange?
    - Is it keyed on CoA or HoA?
  - Can TSi in the CREATE_CHILD_SA exchange be different from TSi in the IKE_AUTH exchange?
- Am I making any sense at all?

Use of EAP
- MN indicates it wants to use EAP
  - Includes the IDi payload, but excludes the AUTH payload in the IKE_AUTH exchange
- Home Agent includes an EAP payload
- IKE_AUTH exchange done after EAP success
  - Can the key generated during the EAP exchange be used for generating the AUTH payload in the IKE_AUTH exchange?
- Issues
  - Takes four round trips instead of two round trips to create the first security association
  - Should work with other EAP and AAA-HA interface proposals being proposed in the WG
  - Must we require the HA to support the mechanism? MUST/MAY?

Home Address configuration
- MN dynamically configures a HoA during the initial IKE negotiation
  - IKE_AUTH exchange
  - Configuration Payload
    - CFG_REQUEST
      - INTERNAL_IP6_ADDRESS
      - INTERNAL_IP6_SUBNET
      - INTERNAL_IP6_DNS
- Home Agent allocates a HoA for the MN
  - Could use a DHCPv6 backend
  - CFG_REPLY
    - INTERNAL_IP6_ADDRESS
    - INTERNAL_IP6_SUBNET
    - INTERNAL_IP6_DNS
    - INTERNAL_ADDRESS_EXPIRY
  - If the Home Agent is unable to allocate a HoA, include INTERNAL_ADDRESS_FAILURE in a Notify payload
- Should the support for this be optional? MUST/MAY?
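Added example, not from the slides or the draft: a Python model of the HA's responder side of the exchanges described in the PAD, IKEv2 and Home Address configuration slides. It covers the PAD lookup by IDi (FQDN or RFC 822 identity) with the required authentication method, IKE_AUTH with an optional Configuration Payload that hands out a HoA or answers with INTERNAL_ADDRESS_FAILURE, CREATE_CHILD_SA with TSi checked against the HoAs the PAD authorizes for that identity, and the second check on a Binding Update that the SA it arrived on was negotiated for the HoA in the BU. The identities, addresses, the in-memory allocator standing in for a DHCPv6 backend, and the TS_UNACCEPTABLE answer to an unauthorized TSi are assumptions of this example; the draft text on the page does not specify them.

```python
"""Added example: HA responder side of the MN<->HA IKEv2 exchange with PAD
authorization and Home Address configuration (identities and addresses are
constructed; the allocator stands in for a DHCPv6 backend)."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass
class PadEntry:
    """PAD entry for one MN, indexed by its IKE identity (FQDN or RFC 822 address)."""
    auth_method: str              # how the MN must authenticate: "psk" or "cert"
    home_addresses: set           # HoAs this MN is authorized to use
    allow_dynamic: bool = False   # may the HA allocate a HoA through a CFG payload?


class HomeAgent:
    def __init__(self, pad, home_prefix, dns):
        self.pad = pad
        self.home_prefix = IPv6Network(home_prefix)
        self.dns = dns
        self.next_iid = 0x1000     # assumed: simple in-memory allocator
        self.child_sas = {}        # SPI -> (IDi, HoA the SA was negotiated for)

    def is_authorized(self, idi, hoa):
        entry = self.pad.get(idi)
        return entry is not None and IPv6Address(hoa) in entry.home_addresses

    def _allocate_hoa(self, entry):
        if not entry.allow_dynamic:
            return None
        hoa = self.home_prefix[self.next_iid]
        self.next_iid += 1
        entry.home_addresses.add(hoa)      # the PAD now authorizes the allocated HoA
        return hoa

    def ike_auth(self, idi, auth_method, cfg_request=()):
        """IKE_AUTH responder: authenticate per the PAD, optionally hand out a HoA."""
        entry = self.pad.get(idi)
        if entry is None or auth_method != entry.auth_method:
            return {"Notify": "AUTHENTICATION_FAILED"}
        reply = {"IDr": "ha.example.net", "AUTH": "ok"}
        if "INTERNAL_IP6_ADDRESS" in cfg_request:
            hoa = self._allocate_hoa(entry)
            if hoa is None:
                reply["Notify"] = "INTERNAL_ADDRESS_FAILURE"
            else:
                reply["CFG_REPLY"] = {
                    "INTERNAL_IP6_ADDRESS": str(hoa),
                    "INTERNAL_IP6_SUBNET": str(self.home_prefix),
                    "INTERNAL_IP6_DNS": self.dns,
                    "INTERNAL_ADDRESS_EXPIRY": 3600,
                }
        return reply

    def create_child_sa(self, idi, tsi, tsr):
        """CREATE_CHILD_SA responder: TSi must be a HoA the PAD authorizes for IDi."""
        if not self.is_authorized(idi, tsi):
            return {"Notify": "TS_UNACCEPTABLE"}   # assumed answer to a bad TSi
        spi = 0x1000 + len(self.child_sas)
        self.child_sas[spi] = (idi, IPv6Address(tsi))
        return {"SPI": spi, "TSi": tsi, "TSr": tsr, "mode": "transport"}

    def binding_update(self, spi, hoa, coa):
        """BU check: the SA it arrived on must have been negotiated for this HoA."""
        sa = self.child_sas.get(spi)
        if sa is None:
            return "rejected: unknown SA"
        idi, sa_hoa = sa
        if sa_hoa != IPv6Address(hoa) or not self.is_authorized(idi, hoa):
            return "rejected: HoA not authorized for this SA"
        return "accepted"


def demo():
    ha_addr = "2001:db8:1::1"
    pad = {   # constructed PAD: one entry per MN
        "mn1.example.net": PadEntry("cert", {IPv6Address("2001:db8:1::100")}),
        "mn2@example.net": PadEntry("psk", set(), allow_dynamic=True),
        "mn3.example.net": PadEntry("psk", set()),
    }
    ha = HomeAgent(pad, "2001:db8:1::/64", "2001:db8:1::53")
    out = {}
    # Provisioned HoA, certificate authentication, child SA with TSi = HoA, then a BU
    out["mn1_auth"] = ha.ike_auth("mn1.example.net", "cert")
    out["mn1_sa"] = ha.create_child_sa("mn1.example.net", "2001:db8:1::100", ha_addr)
    out["mn1_bu"] = ha.binding_update(out["mn1_sa"]["SPI"], "2001:db8:1::100", "2001:db8:5::abcd")
    out["mn1_bad_sa"] = ha.create_child_sa("mn1.example.net", "2001:db8:1::200", ha_addr)
    # Dynamic HoA via the Configuration Payload, then a child SA for the allocated HoA
    out["mn2_auth"] = ha.ike_auth("mn2@example.net", "psk",
                                  cfg_request=("INTERNAL_IP6_ADDRESS", "INTERNAL_IP6_SUBNET", "INTERNAL_IP6_DNS"))
    mn2_hoa = out["mn2_auth"]["CFG_REPLY"]["INTERNAL_IP6_ADDRESS"]
    out["mn2_sa"] = ha.create_child_sa("mn2@example.net", mn2_hoa, ha_addr)
    out["cross_bu"] = ha.binding_update(out["mn1_sa"]["SPI"], mn2_hoa, "2001:db8:5::1")
    # No allocation allowed for mn3; wrong authentication method for mn1
    out["mn3_auth"] = ha.ike_auth("mn3.example.net", "psk", cfg_request=("INTERNAL_IP6_ADDRESS",))
    out["mn1_psk"] = ha.ike_auth("mn1.example.net", "psk")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point worth noticing is that the authorization check happens twice, as the PAD slide says: once when TSi is proposed in CREATE_CHILD_SA, and again when a BU arrives, where the HA compares the HoA in the BU against the HoA the protecting SA was negotiated for. A dynamically allocated HoA is added to the MN's PAD entry at allocation time so that both checks pass for it afterwards.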