Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mobile IPv4 – Diameter Draft Status Tom Hiller Lucent Technologies.

Published byCharles Green Modified over 8 years ago

Similar presentations

Presentation on theme: "Mobile IPv4 – Diameter Draft Status Tom Hiller Lucent Technologies."— Presentation transcript:

1 Mobile IPv4 – Diameter Draft Status Tom Hiller Lucent Technologies

2 AAA-Keys and MIP-Diameter Status Thomas Narten performed in-depth review Thomas made suggestions for terminology improvement in MIP-Diameter, which have been acted upon. Draft will be resubmitted. –In IESG review. Thomas currently reviewing AAA-Keys MIP extension names. –Next step is to start an IETF last call. Remaining slides address issues and highlight changes from the last IETF meeting

3 Issue 386 Rationale/Explanation of issue: 1.6: What is a "preconfigured shared security association"? Do you mean a preshared secret? A security association comprises far more than just a key. There is new nomenclature I have not evaluated the security of the scheme in this section, since it depends on another draft, and possibly on the security of MobileIP itself. Can we really even consider this draft until those are done? The AAA-Keys draft is in Publication Requested 1.10: What firewall rules? Are the agents supposed to tell their local firewalls to open up some holes? The administrator needs to open up such holes 5.2: 64 bits is not sufficient for a key. Why not just mandate 128, instead of strongly recommending it? Done. 5: I confess that it still isn't clear to me how the home and foreign agents know authoritatively who each other are. Then again, that's always been my main complaint about AAA. But here they're handing out keys. The draft uses TLS or IPSec to authenticate the mobility agents and protect the keys from being seen by agents without a need to know (The above comment is from two years ago and the draft considerably changed)

4 Issue 432 Rationale/Explanation of issue: Section 4.0 of draft-ietf-aaa-diameter-mobileip-14.txt says that MIP- Host-Agent-Host AVP is of type DiameterIdentity: MIP-Home-Agent- 348 4.11 DiamIdent | M | P | | V | N | Host | | | | | | On the other hand, in Section 4.11 the same AVP is defined as type Grouped: MIP-Home-Agent-Host ::= { Destination-Realm } { Destination-Host } * [ AVP ] Which is correct? The second case is correct; will fix the first case

5 Issue 445 The document is incomprehensible. … Introduction rewritten

6 IESG Review Steve Bellovin: 2.2 writes “Security considerations may require that the HAR be sent directly from the AAAH to the HA without the use of intermediary Diameter agents. This requires that a security association between the AAAH and HA be established, as in Figure 4” –If the HA is in the foreign network, how does AAAH get suitable information to set up a secure session? The AAAH gets the HA identity in the candidate HA AVP from the visited network. The HA accepts the IPSec/TLS connection from the AAAH if the AAAH is a roaming buddy or if the HA previously redirected a proxied HAR from the AAAH.

7 IESG Review: Symmetric Key Historically, Mobile IP uses the same key for both directions, e.g., MN-HA and HA-MN –This draft follows that convention Question for Steve Bellovin: What is the security vulnerability of using the same key in both directions?

8 HA-FA Mobility Security Associations HA-FA key scaling –Previous draft had one HA-FA mobility security association per mobile –This would be a major burden on Mobile IP entities, many of which are built from routers and therefore light on memory –The draft outlines a discard policy to discard previous HA-FA keys and SPIs between an FA and HA pair, so that there is only one such key most of the time.

9 When to Accept an IPSec/TLS Connection Assuming a valid certificate, when should the AAAH or HA accept an IPSec or TLS request from the FA (AAAH)? – The AAAH accepts IPSec/TLS requests from FAs owned by roaming buddies; the HA accepts IPSec/TLS connections from AAAHs owned by roaming buddies –The AAAH or (HA) first receives an AMR (HAR) from the FA (AAAH), and responds with redirection to itself. Subsequently the AAAH (HA) receives an IPSec/TLS connection request from the FA (AAAH) and accepts the connection. This permits transitive roaming agreements that are not reflected locally on a roaming list in the AAAH or HA

10 FA Tunnel Address The FA Tunnel address is not authenticated in “Mobile IP Diameter”, i.e., there is no way to prove it belongs to the actual “FA entity” that makes AAA requests Now, the draft points out that if the FA COA address equals the AAA FA address of IPSec and TLS connections, then the FA tunnel address may be presumed to truly belong to the FA –However in practice the FA AAA address is different than the FA CoA (tunnel) address. Such systems are already deployed

11 New Revision Adopts through out terms like “MN-HA” instead of “mobile home”; this improves readability

Download ppt "Mobile IPv4 – Diameter Draft Status Tom Hiller Lucent Technologies."

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
Secure Mobile IP Communication

Secure Mobile IP Communication
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.

IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.

Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
Registration Revocation in Mobile IP draft-glass-mobileip-reg-revok-00.txt (soon to be -01!) Steven M. Glass - Sun Microsystems

Registration Revocation in Mobile IP draft-glass-mobileip-reg-revok-00.txt (soon to be -01!) Steven M. Glass - Sun Microsystems
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
MOBILITY SUPPORT IN IPv6

MOBILITY SUPPORT IN IPv6
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.

Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?

1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?
Host Mobility for IP Networks CSCI 6704 Group Presentation presented by Ye Liang, ChongZhi Wang, XueHai Wang March 13, 2004.

Host Mobility for IP Networks CSCI 6704 Group Presentation presented by Ye Liang, ChongZhi Wang, XueHai Wang March 13, 2004.
Lectured By: Vivek Dimri Asst Professor CSE Deptt. Sharda University, Gr. Noida.

Lectured By: Vivek Dimri Asst Professor CSE Deptt. Sharda University, Gr. Noida.
Mobile IP Chapter 19. Introduction Mobile IP is designed to allow portable computers to move from one network to another Associated with wireless technologies.

Mobile IP Chapter 19. Introduction Mobile IP is designed to allow portable computers to move from one network to another Associated with wireless technologies.
IPSec Chapter 3 – Secure WAN’s. Definition IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force,

IPSec Chapter 3 – Secure WAN’s. Definition IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force,
1 Mohamed M Khalil Mobile IPv4 & Mobile IPv6. 2 Mohamed M Khalil Mobile IP- Why ? IP based Network Sub-network A Sub-network B Mobile workforce carry.

1 Mohamed M Khalil Mobile IPv4 & Mobile IPv6. 2 Mohamed M Khalil Mobile IP- Why ? IP based Network Sub-network A Sub-network B Mobile workforce carry.
Practical Considerations for Securely Deploying Mobility Will Ivancic NASA Glenn Research Center (216) 433-3494

Practical Considerations for Securely Deploying Mobility Will Ivancic NASA Glenn Research Center (216)
1 IPsec-based MIP6 Security Qualcomm Inc. Starent Inc. Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to incorporate.

1 IPsec-based MIP6 Security Qualcomm Inc. Starent Inc. Notice: Contributors grant free, irrevocable license to 3GPP2 and its Organization Partners to incorporate.

Similar presentations

Ads by Google