Transcript PPT Version

Paris, August 2005
IETF 63rd – mip6 WG
Mobile IPv6 bootstrapping
in split scenario
(draft-ietf-mip6-bootstrapping-split-00)
mip6-boot-sol DT
Gerardo Giaretta, ed.
Design Team Members
• Gerardo Giaretta
• Basavaraj Patil
• Vijay Devarapalli
• Gopal Dommety
• James Kempf
• Alpesh Patel
• Yoshihiro Ohba
• Alper Yegin
• Kuntal Chowdury
• Junghoon Jee
• Jari Arkko
• Julien Bournelle
draft-ietf-mip6-bootstrapping-split-00
August, 2005
IETF 63rd – mip6 WG
2
Scope of the DT
• draft-ietf-mip6-bootstrapping-ps defines the
MIPv6 bootstrapping problem
• MN requires
– HA address
– Home Address
– IPsec security associations with its Home Agent
• Two scenarios
– split scenario → draft-ietf-mip6-bootstrapping-split-00
– integrated scenario → currently under study
Main Design Guideline
• The main objective of the bootstrapping
solution is the minimization of pre-configured
data on the Mobile Node
Terminology
• ASA - Access Service Authorizer
– a network operator that authenticates a mobile host and establishes
the mobile host's authorization to receive Internet service
• ASP - Access Service Provider
– a network operator that provides direct IP packet forwarding to and
from the end host
• MSA - Mobility Service Authorizer
– a service provider that authorizes Mobile IPv6 service
• MSP - Mobility Service Provider
– a service provider that provides Mobile IPv6 service
Split scenario
• Network access and mobility services are
authorized by different entities
– authentication and authorization for mobility service and network
access are considered separately
– this separation is a clear assumption in the problem statement draft
• MIPv6 is bootstrapped independently from the
authentication protocol for network access
– no leverage of protocol exchanges done during network access
authentication (e.g. PANA, EAP)
– the solution for this scenario may also be applied to the integrated
access network deployment model
– other optimized solutions are under study for the integrated scenario
Split scenario (cont’d)
• In the split scenario two entities can be identified
– entity that provides the service: MSP
– entity that authenticates and authorizes the user: MSA
– similar to the roaming model for network access
• Two different cases can be identified
[Figure: the two cases, labelled (a) and (b) on the slide. In one case the
Mobility Service Provider and Authorizer are a single entity: an AAA-MSP
server talks to the Home Agent over the AAA-HA interface. In the other case
the Mobility Service Authorizer (AAA-MSA server) and the Mobility Service
Provider (AAA-MSP server) are separate entities that communicate over an
AAA protocol, and the AAA-MSP server talks to the Home Agent over the
AAA-HA interface.]
Solution components
• Home Agent Address Discovery
• IPsec Security Associations setup
• Home Address Assignment
• Authentication and Authorization with MSA
HA Address Discovery
• DHAAD may not be applicable
– it requires the home network prefix to be pre-configured on the MN
– it does not allow an operator to load balance by dynamically assigning
MNs to HAs located in different subnets
• The solution for HA address discovery is
based on a new DNS SRV record
– the only information to be pre-configured on the MN is the
domain name of the MSP
– optionally, DHCP can be used when the ASP and the MSP are the
same entity
HA Address Discovery (cont’d)
• DNS lookup by Home Agent Name
– MN configured with the FQDN of the HA (e.g. ha1.example.com
where "example.com" is the domain name of the MSP)
– DNS request with QNAME == HA name and QTYPE == 'AAAA'
• DNS lookup by service name
– RFC 2782 defines the service resource record (SRV RR)
– service name == "mip6"
– protocol name == "ipv6"
– no transport name required
– following the RFC 2782 naming convention (_Service._Proto.Name), the MN
queries _mip6._ipv6.<MSP domain name> with QTYPE == 'SRV'
– if multiple HAs are available in the DNS SRV record the MN is
responsible for picking one Home Agent
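The "MN picks one Home Agent" step above is where an implementer has to make a concrete choice. The following is an added example (not code from the draft or the design team) showing the lookup name derived from the MSP domain and the RFC 2782 selection rules applied to a set of SRV records. The SRV answer for example.com is constructed inline, the port value is set to 0 because the slide defines no transport for the service, and the seed parameter exists only to make the weighted random choice reproducible.

```python
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SRVRecord:
    """One RFC 2782 SRV RR: Priority, Weight, Port, Target."""
    priority: int
    weight: int
    port: int      # no transport is defined for mip6, so the port is unused here
    target: str


def mip6_srv_qname(msp_domain: str) -> str:
    """QNAME for HA discovery by service name.

    RFC 2782 names are _Service._Proto.Name; the slide fixes the service as
    "mip6" and the protocol as "ipv6", so only the MSP domain is needed.
    """
    return "_mip6._ipv6." + msp_domain.strip(".") + "."


def select_home_agent(records: Iterable[SRVRecord], seed=None) -> Optional[str]:
    """Pick one HA Target using the RFC 2782 selection rules.

    Lowest Priority wins. Among records sharing that priority the choice is
    proportional to Weight: zero-weight records are ordered first, a random
    number in 0..sum(weights) is drawn, and the first record whose running
    weight sum reaches it is taken. A lone Target of "." means "service not
    offered". Returns None when there is no usable record.
    """
    rng = random.Random(seed)
    usable = [r for r in records if r.target != "."]
    if not usable:
        return None
    lowest = min(r.priority for r in usable)
    same = sorted((r for r in usable if r.priority == lowest),
                  key=lambda r: r.weight != 0)   # False (weight 0) sorts first
    total = sum(r.weight for r in same)
    pick = rng.randint(0, total)
    running = 0
    for r in same:
        running += r.weight
        if running >= pick:
            return r.target
    return same[-1].target   # not reached: running == total >= pick


def order_home_agents(records: Iterable[SRVRecord], seed=None) -> List[str]:
    """Fallback order for the MN: select, remove, repeat. If IKEv2 to the first
    HA fails the MN can move on to the next one instead of giving up."""
    remaining = [r for r in records if r.target != "."]
    order: List[str] = []
    step = 0
    while remaining:
        chosen = select_home_agent(remaining, None if seed is None else seed + step)
        order.append(chosen)
        remaining = [r for r in remaining if r.target != chosen]
        step += 1
    return order


# Constructed sample answer for _mip6._ipv6.example.com. (not real DNS data):
# two HAs share the preferred priority, a third is a backup.
SAMPLE_ANSWER = [
    SRVRecord(priority=10, weight=60, port=0, target="ha1.example.com."),
    SRVRecord(priority=10, weight=40, port=0, target="ha2.example.com."),
    SRVRecord(priority=20, weight=0, port=0, target="ha3.example.com."),
]

if __name__ == "__main__":
    print(mip6_srv_qname("example.com"))
    print(order_home_agents(SAMPLE_ANSWER, seed=7))
```

Plain DNS is unauthenticated, so the SRV answer only tells the MN where to try; the identity of whichever HA it ends up talking to is established by the IKEv2 peer authentication described on the following slides, not by the lookup.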
IPsec SAs setup
• IPsec SAs setup through IKEv2
– based on draft-ietf-mip6-ikev2-ipsec
• IKEv2 peer authentication
– public key signatures or EAP
– choice of an IKEv2 peer authentication method depends on the
deployment
– IKEv2 allows EAP only for the initiator (the MN); the HA must
authenticate itself to the MN with public key signature based
authentication
Home Address Assignment
• Home Address is assigned by the Home Agent
during the IKEv2 exchange
– based on draft-ietf-mip6-ikev2-ipsec
    MN -> HA:  HDR, SK {IDi, [...], AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr}
               CFG_REQUEST carries INTERNAL_IP6_ADDRESS
    HA -> MN:  HDR, SK {IDr, [...], AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
               CFG_REPLY carries INTERNAL_IP6_ADDRESS
Home Address Assignment (cont’d)
• MN may also auto-configure its Home Address
– stateless auto-configuration, CGA, privacy addresses
• MN may include a proposed HoA in the
INTERNAL_IP6_ADDRESS attribute
– the MN must be provided with a pre-configured home prefix and
home prefix length
• A new attribute is defined for HoA autoconfiguration
– in case MN is not provided with home prefix and home prefix length
– MIP6_HOME_PREFIX attribute used in CFG_REQUEST and
CFG_REPLY
Home Address Assignment (cont’d)
• MIP6_HOME_PREFIX attribute

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |R|        Attribute Type       |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                                                               |
    |                          home prefix                          |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Prefix Length |
    +-+-+-+-+-+-+-+-+
Home Address Assignment (cont’d)
• During the IKE_AUTH exchange the MN includes the
MIP6_HOME_PREFIX attribute in the CFG_REQUEST
• HA includes in the CFG_REPLY payload prefix
information for one prefix on the home link
– prefix length is included
– if other prefixes are needed Mobile Prefix Discovery (MPD) should be used
– if auto-configuration is not allowed the HA includes a Notify Payload of type
"USE_ASSIGNED_HoA" and the HoA in an INTERNAL_IP6_ADDRESS
attribute
• MN auto-configures a Home Address and runs a
CREATE_CHILD_SA exchange to create an SA for the
new HoA
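The attribute layout on the previous slide and the CFG_REQUEST/CFG_REPLY procedure above, carried through in code as an added example (not from the draft or the design team). It encodes and parses the MIP6_HOME_PREFIX attribute with the R bit, 15-bit type and 16-bit length of an IKEv2 configuration attribute, forms a Home Address from the returned prefix, and models the HA's "allow autoconfiguration or answer USE_ASSIGNED_HoA" decision. The attribute type value is a placeholder because the slide does not assign one; INTERNAL_IP6_ADDRESS uses type 8 and the address-plus-prefix-length data format from IKEv2, and the prefix and interface identifier are constructed test values.

```python
import ipaddress
import struct

# The slide leaves the attribute's numeric type unspecified (it is an IANA
# matter); this value is a placeholder for the example, not an assignment.
MIP6_HOME_PREFIX_TYPE = 0x7FFF
INTERNAL_IP6_ADDRESS_TYPE = 8            # IKEv2 (RFC 4306) configuration attribute type
CP_ATTR_HDR = struct.Struct("!HH")       # R bit + 15-bit Attribute Type, 16-bit Length


def _net(p):
    return p if isinstance(p, ipaddress.IPv6Network) else ipaddress.IPv6Network(p, strict=False)


def encode_mip6_home_prefix(prefix=None) -> bytes:
    """MIP6_HOME_PREFIX as laid out on the slide.

    CFG_REQUEST form (prefix=None): no data, Length 0, i.e. "please tell me
    the home prefix". CFG_REPLY form: 16-byte home prefix + 1-byte Prefix
    Length. The R bit is always sent as zero.
    """
    if prefix is None:
        data = b""
    else:
        prefix = _net(prefix)
        data = prefix.network_address.packed + bytes([prefix.prefixlen])
    return CP_ATTR_HDR.pack(MIP6_HOME_PREFIX_TYPE & 0x7FFF, len(data)) + data


def decode_mip6_home_prefix(blob: bytes):
    """Parse one attribute: None for the request form, IPv6Network for the
    reply form, ValueError for anything that does not fit the layout."""
    if len(blob) < CP_ATTR_HDR.size:
        raise ValueError("truncated attribute header")
    type_field, length = CP_ATTR_HDR.unpack_from(blob)
    if type_field & 0x7FFF != MIP6_HOME_PREFIX_TYPE:
        raise ValueError("not a MIP6_HOME_PREFIX attribute")
    if len(blob) != CP_ATTR_HDR.size + length:
        raise ValueError("Length field does not match the data present")
    if length == 0:
        return None
    if length != 17:
        raise ValueError("reply form must be 16-byte prefix + 1-byte Prefix Length")
    plen = blob[20]
    if plen > 128:
        raise ValueError("Prefix Length out of range")
    return ipaddress.IPv6Network((ipaddress.IPv6Address(blob[4:20]), plen), strict=False)


def is_well_formed(blob: bytes) -> bool:
    try:
        decode_mip6_home_prefix(blob)
        return True
    except ValueError:
        return False


def autoconfigure_hoa(prefix, interface_id: bytes) -> ipaddress.IPv6Address:
    """MN side: HoA = home prefix + 64-bit interface identifier. Stateless
    autoconfiguration, CGA and privacy addresses differ only in how the
    identifier is produced, which is outside this example."""
    prefix = _net(prefix)
    if prefix.prefixlen != 64:
        raise ValueError("interface-identifier autoconfiguration needs a /64 home prefix")
    if len(interface_id) != 8:
        raise ValueError("interface identifier must be 64 bits")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + interface_id)


def ha_cfg_reply(home_prefix, allow_autoconf: bool, assigned_hoa=None):
    """HA side of the CFG_REPLY decision on the slide. Returns
    (notify_type, attribute_bytes): notify_type is None when the HA hands out
    the prefix, or "USE_ASSIGNED_HoA" when autoconfiguration is refused and
    the HoA is carried in an INTERNAL_IP6_ADDRESS (address + prefix length)."""
    home_prefix = _net(home_prefix)
    if allow_autoconf:
        return None, encode_mip6_home_prefix(home_prefix)
    if assigned_hoa is None:
        raise ValueError("autoconfiguration refused but no HoA assigned")
    assigned_hoa = ipaddress.IPv6Address(assigned_hoa)
    if assigned_hoa not in home_prefix:
        raise ValueError("assigned HoA must lie in the home prefix")   # HA-side sanity check
    data = assigned_hoa.packed + bytes([home_prefix.prefixlen])
    return "USE_ASSIGNED_HoA", CP_ATTR_HDR.pack(INTERNAL_IP6_ADDRESS_TYPE, len(data)) + data
```

The decoder refuses a length field that disagrees with the bytes actually present rather than reading past the end or silently truncating; an IKEv2 implementation that is lax here is trusting the peer to frame configuration data correctly before the peer has been fully authorized.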
Authentication and Authorization with MSA
• The user must be authenticated and the
mobility service authorized in order for the MSA
to grant the service
• Different ways depending on the credentials
used by the MN during the IKEv2 peer
authentication and on the backend
infrastructure (PKI or AAA)
– draft-ietf-mip6-aaa-ha-goals-00
Home Address registration in the DNS
• DNS needs to be updated with the new HoA
– needed for the MN to be reachable at new address
– DNS update is essential for providing IP reachability to the MN which
is the main purpose of the Mobile IPv6 protocol
• DNS update must be performed securely
– the node performing this update must share a security association
with the DNS server
– the MN cannot update the DNS by itself: it cannot prove ownership of the
HoA, so letting it write arbitrary FQDN-to-address mappings would enable
redirection-based flooding attacks
Home Address registration in the DNS
(cont’d)
• HA performs DNS update on behalf of the MN
– MN includes a new mobility option, the DNS Update option, with the
flag R not set in the Binding Update
• AAA server of the MSA performs DNS update if
the MN wants to be reachable through a FQDN
that belongs to the MSA
– the Home Agent and the DNS server that must be updated belong to
different administrative domains
– the Home Agent sends to the AAA-MSA server the FQDN-HoA pair
through the AAA protocol
– out of scope of the DT
Home Address registration in the DNS
(cont’d)
• DNS Update mobility option

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                    |  Option Type  | Option Length |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Status     |R|  Reserved   |     MN identity (FQDN) ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

– R flag used to request the removal of the DNS entry
– separate Status namespace for DNS update
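The option format above and the HA-performs-the-update rule from the previous slide, as an added example (not from the draft or the design team). It encodes and parses the DNS Update mobility option, validates the FQDN before it can reach a DNS update, and adds the authorization check an HA needs before acting on the option: only names in zones the MSP administers are updated directly, names under an MSA zone are left to the AAA-MSA path. The option type value is a placeholder because the slide does not assign one, the FQDN is assumed to be carried as plain ASCII text since the slide does not state an encoding, and the names and zones used are constructed.

```python
import struct

# The slide does not give the option's numeric type (an IANA matter); this is
# a placeholder for the example only.
DNS_UPDATE_OPTION_TYPE = 0xFE
OPT_HDR = struct.Struct("!BB")   # Option Type, Option Length (bytes after the length, MIPv6 convention)
R_FLAG = 0x80                    # first bit of the byte after Status


def validate_fqdn(fqdn: str) -> None:
    """Reject identities that are not plausible host names before they reach
    a DNS update: 1-63 char alphanumeric/hyphen labels, 253 chars overall."""
    name = fqdn.rstrip(".")
    if not name or len(name) > 253:
        raise ValueError("bad FQDN length")
    for label in name.split("."):
        ok = (1 <= len(label) <= 63 and label.isascii()
              and all(c.isalnum() or c == "-" for c in label)
              and not label.startswith("-") and not label.endswith("-"))
        if not ok:
            raise ValueError("bad DNS label: %r" % label)


def encode_dns_update_option(fqdn: str, status: int = 0, remove: bool = False) -> bytes:
    """Build the option the MN places in its Binding Update: Status, R flag in
    the top bit of the next byte (reserved bits zero), then the MN identity.
    How the FQDN is encoded is not stated on the slide; plain ASCII is assumed."""
    validate_fqdn(fqdn)
    data = bytes([status & 0xFF, R_FLAG if remove else 0]) + fqdn.encode("ascii")
    if len(data) > 255:
        raise ValueError("option data does not fit a one-byte Option Length")
    return OPT_HDR.pack(DNS_UPDATE_OPTION_TYPE, len(data)) + data


def decode_dns_update_option(blob: bytes) -> dict:
    """Parse the option from the front of blob. Raises ValueError on a wrong
    type, a truncated option, or an identity that fails validate_fqdn."""
    if len(blob) < OPT_HDR.size:
        raise ValueError("truncated option header")
    otype, olen = OPT_HDR.unpack_from(blob)
    if otype != DNS_UPDATE_OPTION_TYPE:
        raise ValueError("not a DNS Update option")
    if olen < 2 or len(blob) < OPT_HDR.size + olen:
        raise ValueError("truncated option data")
    status, flags = blob[2], blob[3]
    fqdn = blob[4:OPT_HDR.size + olen].decode("ascii")
    validate_fqdn(fqdn)
    return {"status": status, "remove": bool(flags & R_FLAG), "fqdn": fqdn,
            "consumed": OPT_HDR.size + olen}


def is_well_formed_dns_update_option(blob: bytes) -> bool:
    try:
        decode_dns_update_option(blob)
        return True
    except ValueError:
        return False


def ha_may_update(fqdn: str, ha_zones) -> bool:
    """HA-side authorization: only touch names inside zones the HA (the MSP)
    is responsible for. A name under an MSA zone must go through the AAA-MSA
    server instead, as the slide notes. Matching is on whole labels so that
    "evil-example.com" is not treated as part of "example.com"."""
    name = fqdn.rstrip(".").lower()
    for zone in ha_zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False
```

The zone check is the piece that turns "the HA updates DNS on behalf of the MN" into something safe to deploy: the MN is authenticated by IKEv2, but that only proves who it is, not that it may claim any name it likes, so the HA has to bind the requested FQDN to what the MSP actually administers before it touches the zone.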