IETF Logo Mail Archive

Re: [Int-area] [MEXT] Rethink on Mobile IPv6

arno@natisbad.org (Arnaud Ebalard) Wed, 03 March 2010 17:25 UTC

Return-Path: <arno@natisbad.org>
X-Original-To: int-area@core3.amsl.com
Delivered-To: int-area@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7FA1828C14E; Wed, 3 Mar 2010 09:25:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxKXFvA8EzS8; Wed, 3 Mar 2010 09:25:28 -0800 (PST)
Received: from copper.chdir.org (copper.chdir.org [88.191.97.87]) by core3.amsl.com (Postfix) with ESMTP id BD3D328C0E6; Wed, 3 Mar 2010 09:25:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natisbad.org; s=mail; h=From:To:Cc:Subject:References:Date: In-Reply-To:Message-ID:MIME-Version:Content-Type; bh=+haPZu/Ko+b khlb0BclWr6vxG8ccgXRFBCU022hhsN4=; b=i7olK3FCwlb9Xpqio7o640hKn+h 5AGQppe3Hg+fS4gMP17yDPBU0aEBMD2gDko1xpomEr/R28LVn00+lqLXePiOVDKD 53IAo88NtBjFdXA9jRWaUGaEw7nOqT5NdZdkgpLWPjLA3wRC4jsD9ytjFAr6H0Yq UfDVuQEwMJAt0pd0=
Received: from [2001:7a8:78df:2:20d:93ff:fe55:8f79] (helo=small.ssi.corp) by copper.chdir.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <arno@natisbad.org>) id 1NmsJy-00077y-KR; Wed, 03 Mar 2010 18:25:18 +0100
From: arno@natisbad.org
To: Basavaraj.Patil@nokia.com
References: <C7B3E2AE.5767%basavaraj.patil@nokia.com>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: D3A5 B68A 839B 38A5 815A 781B B77C 0748 A7AE 341B
X-Hashcash: 1:20:100303:basavaraj.patil@nokia.com::pxgC97rzDBIiLynp:0000000000000000000000000000000000000UXK
X-Hashcash: 1:20:100303:jari.arkko@piuha.net::ARdOpwzM5/C4ORPO:000000000000000000000000000000000000000000/Hk
X-Hashcash: 1:20:100303:rdroms@cisco.com::U0Fgs6ETP17Av/aT:050ri
X-Hashcash: 1:20:100303:mext@ietf.org::Fc4Mu+PKkuyH21UL:00009m/C
X-Hashcash: 1:20:100303:int-area@ietf.org::fYzHTdxLvRGAODL3:000000000000000000000000000000000000000000009qeW
Date: Wed, 03 Mar 2010 18:25:39 +0100
In-Reply-To: <C7B3E2AE.5767%basavaraj.patil@nokia.com> (Basavaraj Patil's message of "Wed, 3 Mar 2010 16:55:58 +0100")
Message-ID: <878wa92u7g.fsf@small.ssi.corp>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/23.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailman-Approved-At: Fri, 05 Mar 2010 05:14:05 -0800
Cc: rdroms@cisco.com, int-area@ietf.org, mext@ietf.org
Subject: Re: [Int-area] [MEXT] Rethink on Mobile IPv6
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 17:25:29 -0000

Hi,

with some salt ...

<Basavaraj.Patil@nokia.com> writes:

> Mobile IPv6 (RFC3775) has been an RFC since 2004, and Dual-stack
> Mobile IPv6 (RFC5555) since 2009. Implementations of the protocol has
> been lacklustre to say the least. Several SDOs have considered MIP6
> and DSMIP6 as a solution for interworking and mobility between
> different access technologies and only 3GPP has adopted it in a very
> limited manner for Rel 8 (for use on the S2c interface) with the
> likelihood of it being actually deployed quite low (IMO).
>
> While there are many reasons that can be attributed to the lack of
> implementations and use, one that I would like to raise is the the
> concern with the overly complex security model that MIP6/DSMIP6 relies
> on today. MIP6/DSMIP6 requires IPsec and IKE/IKEv2 (RFC3776/4877) to
> secure the signaling between the MN and HA. The fundamental purpose of
> MIP6/DSMIP6 is to provide mobility to hosts. At a very high level the
> MIP6/DSMIP6 protocol boils down to the ability to setup a tunnel
> between the MN and HA and update the MN tunnel end-point whenever
> there is a change in the associated IP address (CoA). The signaling to
> establish the tunnel needs to be secure. But using a protocol like
> IKEv2 and IPsec to achieve this security is just an overkill. It
> increases the complexity of the implementation as a result of many
> factors that have been captured in I-D:
> draft-patil-mext-mip6issueswithipsec and discussed in the MEXT WG
> meetings. 
>
> Given the objective of the protocol is to enable IP mobility for hosts,
> it should focus on doing that well in a manner that makes it easy to
> implement/adopt/deploy/scale. My opinion as a result of implementation
> experience is that MIP6/DSMIP6 can be significantly simplified,
> especially the security architecture. The protocol as specified
> currently in RFC3775/RFC5555 is a kitchensink of features.

I don't think RFC 3775 is. There are some questionable features (DHAAD,
...) but it's a good document IMHO. As for RFC 5555, it inherits the
complexity of NAT traversal mechanisms. Blame NAT, not IPsec/IKE for
that.

Sure, it is always possible to reduce MIPv6 to a simple data tunnel
between a MN and a HA which needs to be updated from time to time via
some secure signaling. And then it's easy to flag IPsec/IKE use as
overkill, all the more if you include RFC 5555 in the game.

But MIPv6 is expected to provide more than that.

First, the Route Optimization is an integral part of the protocol and
IMHO, without it, MIPv6 can advantageously be replaced by some
MOBIKE-enabled IPsec VPN solution or some DTLS-based equivalent. 

Additionally, MIPv6 is probably just a milestone and the main building
block for NEMO in many scenarios: in those scenarios, the ability to
secure the data tunnel with the HA to protect traffic from MR's clients
sometimes make a lot of sense. Future aeronautical networks will have
that need, in order to provide protection of data traffic, no matter
the wireless communication link or the foreign network. IPsec/IKE is
perfect for the job.

> Getting back to basics of simply establishing a tunnel between the MN
> and HA and managing that tunnel is all that is needed and would
> potentially see the light of day in the real world.
>
> You may want to call it as Mobile IPv6-lite if you wish. But I do
> believe that a simplification of the protocol is needed without which
> I fear it will remain an academic exercise with many years spent in
> developing a spec. I hope the working group and people who are
> involved in mobility related work would consider undertaking such an
> effort in the IETF.

Why don't you write a draft for that MIPv6-lite protocol? It seems like
the best approach to see if people are interested.

Personally, I will continue to work on finishing the integration of
IPsec/IKE and MIPv6 (for the RO part).

At some point if you write the draft, get implementations done, get
people to use your protocol, if they ask for some security for tunneled
data (let say for nemo) and secure RO (say for releasing the core of
their architecture), I suggest pointing them to MIPv6.

As a side note, I have MIPv6 and IPsec/IKE running on my Nokia N900
(Native IPv6 on 3G and Wifi) and the main problem I have with that
setup are not IPsec/IKE related: they are due to Cisco firewall in the
network which basically drop packets with RH2. If you write your
MIPv6-lite draft, I would suggest getting rid of HAO in Destopt and
RH2.

Cheers,

a+

v2.23.0 | Report a Bug | By Email