IETF 78: NETEXT Working Group IPSec/IKEv2 Access Link Support in Proxy Mobile IPv6
IPSec/IKEv2-based Access Link Support in Proxy Mobile IPv6
Sri Gundavelli, Rajeev Koodli
draft-gundavelli-netext-pmip6-ipsec-link-support
Motivation
Extend the Proxy Mobile IPv6 protocol to support IPsec with IKEv2-based access links.
Specify the needed interworking between the two protocols (PMIPv6 and IKEv2) on the mobile access gateway. The use of the MobIKE mechanism for layer-3 mobility within the IPsec sub-domain.
Document best practices in system architectures using this mode.
[Figure labels: Proxy Mobile IPv6 Domain; IPSec-IKEv2 Sub-domain; Access Point; LMA; MAG; Proxy Mobile IPv6; IKEv2/MobIKE]
Key Considerations
An MN attached to an untrusted access network establishes an IPsec tunnel with the MAG. It uses the IKEv2 protocol to establish the IPsec security associations and uses MobIKE to manage IPsec session mobility.
The MAG is part of the Proxy Mobile IPv6 domain and has a collocated IPsec gateway function. When the mobile node attaches to the MAG over the IPsec tunnel, the MAG completes the needed PMIPv6 signaling with the LMA and obtains the assigned address configuration for the mobile node.
The MN identity (MN-Id) in the PMIPv6 signaling is the IDi of the IKE session.
The semantics of address delivery on the access link are based on IKEv2 Mode Config with the RFC 5739 update.
Key Considerations
The IPsec link as seen by the MAG is like any other IPv6 link. However, there are some considerations on prefix hosting on the IPsec link.
Any time the MN moves and obtains a new care-of address, it uses MobIKE extensions to update the IPsec SA. Layer-3 mobility for the IPsec session is preserved by means of MobIKE.
The LMA and the MAG will be in the data path; all packets will flow through the chained tunnels.
Next Steps
Seek WG inputs on the initial draft and take it from there.
Thank You