IETF Logo Mail Archive

Re: [Int-area] [MEXT] Rethink on Mobile IPv6

<Basavaraj.Patil@nokia.com> Thu, 04 March 2010 22:00 UTC

Return-Path: <Basavaraj.Patil@nokia.com>
X-Original-To: int-area@core3.amsl.com
Delivered-To: int-area@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E3DF128C0E1; Thu, 4 Mar 2010 14:00:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZZJZ9nhbzRT; Thu, 4 Mar 2010 14:00:44 -0800 (PST)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 5D8863A8710; Thu, 4 Mar 2010 14:00:44 -0800 (PST)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx09.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o24LxTP2015145; Thu, 4 Mar 2010 16:00:11 -0600
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 4 Mar 2010 23:58:31 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.8]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 4 Mar 2010 23:58:26 +0200
Received: from NOK-EUMSG-03.mgdnok.nokia.com ([65.54.30.88]) by nok-am1mhub-04.mgdnok.nokia.com ([65.54.30.8]) with mapi; Thu, 4 Mar 2010 22:58:26 +0100
From: Basavaraj.Patil@nokia.com
To: hesham@elevatemobile.com, mext@ietf.org
Date: Thu, 04 Mar 2010 22:58:21 +0100
Thread-Topic: [MEXT] Rethink on Mobile IPv6
Thread-Index: Acq66gOoUWTseQTmoUO8Px+IuYFs9gAV/yYqACjzamM=
Message-ID: <C7B5891D.586F%basavaraj.patil@nokia.com>
In-Reply-To: <C7B5655C.11D78%hesham@elevatemobile.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 04 Mar 2010 21:58:26.0480 (UTC) FILETIME=[D12D6B00:01CABBE5]
X-Nokia-AV: Clean
Cc: int-area@ietf.org, rdroms@cisco.com
Subject: Re: [Int-area] [MEXT] Rethink on Mobile IPv6
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2010 22:00:46 -0000

Hi Hesham,


On 3/3/10 8:25 PM, "ext Hesham Soliman" <hesham@elevatemobile.com> wrote:

> Hi Raj,
> 
> A couple of thoughts.
> First, you've redefined the purpose of MIPv6 to be about setting up a tunnel
> between the MN and the HA. Whether this is correct or not, it's worth noting
> that your basis for such definition is unknown. It certainly doesn't match
> our reference for MIPv6 (RFC 3775).

As I wrote, the very basic functionality of MIP6 is to establish the tunnel
and then manage the end-point change. This is my PoV. But maybe you see it
differently. 

> 
> Regarding the complexity of DSMIPv6. Arnaud is 100% right in his response
> and this was discussed on the mext list more times than I can remember. The
> complexity is due to NAT traversal. Yes, we could have reduced the
> complexity if we relied on MIP-only traversal techniques instead of having
> both MIP and IPsec traversal run simultaneously, but what is the other
> alternative for negotiating a security association behind a NAT?

I am not disagreeing that part of the complexity results from the presence
of a NAT and having to develop means to traverse the NAT.
I am of the view that the use of IPsec and IKEv,v2 in conjunction with
Mobile IPv6 is complex. There is really no good reason to bind MIP6 with
Ipsec and IKE. This is a legacy decision and one that is just proving to be
plain wrong. An IPsec SA between the MN and HA is not required for enabling
IP mobility. We overcome the NAT related complexities by dropping the
reliance on Ipsec/IKE. The security model for MIP6 is a relic that needs to
be revisited for simplification of the protocol itself.

> The problem *is* NAT. I'm afraid that once you plant the seeds of hackiness
> (if that's a word) by using NATs you have to harvest the output at some
> point. There is no free lunch when you have a deployed base of 2 billion
> users.

Deployed base of 2 billion users??? You mean behind a NAT? But none of them
will ever use MIP6/DSMIP6 (IMO at least) if we have to employ the hackiness
of traversing NATs. Obviously NATs are not going away for sure and we will
probably have other variants as well in the future (NAT64s and NAT464s
etc.). We do not have as much of an issue with the NATs if we don't have to
rely on Ipsec/IKE,v2.

> 
> I continued to suggest (for about 6 years now) that we use CGAs for MIPv6.
> It's by far the cleanest solution we have. My best description to the
> resistance of adopting CGAs is: Politics. There is no technical reason for
> not using them and we all know that. So if you want to come up with
> alternatives, you'd be doing the community a disservice if you don't
> seriously consider CGAs.

I think we should consider all alternatives. I don't know if you have
proposed how CGAs could be used in the context of MIP6 security. I am more
than happy to build a MIP6 protocol that uses CGAs if such an approach would
reduce the complexity.

> In fact, I'd go further and say you need to explain
> why not. 

I don't need to explain because I am quite happy to consider the CGA
proposal. 

> We've already seen what happens when we produce half cooked
> security proposals tailored to a specific SDO's needs (read: RFC 4285).

4285 IMO is quite okay in certain deployments. If the network in which you
deploy MIP6 already has a means to securely exchange keys (eg. 3GPP/2, WiMAX
networks) then you could very well use RFC4285. Why would you need to
establish an IPsec SA using IKE/v2 between the MN and HA in such networks?
Just does not make sense. And FWIW, I am not raising the topic of
simplifying MIP6/DSMIP6 with a specific solution in mind. But rather from
the perspective that we need to revisit the protocol and simplify it to meet
the basic mobility needs first.

> 
> I look forward to the continuation of these discussions.

Sure. 

-Raj
> 
> Hesham
> 
> 
> On 4/03/10 2:55 AM, "Basavaraj.Patil@nokia.com" <Basavaraj.Patil@nokia.com>
> wrote:
> 
>> 
>> Mobile IPv6 (RFC3775) has been an RFC since 2004, and Dual-stack
>> Mobile IPv6 (RFC5555) since 2009. Implementations of the protocol has
>> been lacklustre to say the least. Several SDOs have considered MIP6
>> and DSMIP6 as a solution for interworking and mobility between
>> different access technologies and only 3GPP has adopted it in a very
>> limited manner for Rel 8 (for use on the S2c interface) with the
>> likelihood of it being actually deployed quite low (IMO).
>> 
>> While there are many reasons that can be attributed to the lack of
>> implementations and use, one that I would like to raise is the the
>> concern with the overly complex security model that MIP6/DSMIP6 relies
>> on today. MIP6/DSMIP6 requires IPsec and IKE/IKEv2 (RFC3776/4877) to
>> secure the signaling between the MN and HA. The fundamental purpose of
>> MIP6/DSMIP6 is to provide mobility to hosts. At a very high level the
>> MIP6/DSMIP6 protocol boils down to the ability to setup a tunnel
>> between the MN and HA and update the MN tunnel end-point whenever
>> there is a change in the associated IP address (CoA). The signaling to
>> establish the tunnel needs to be secure. But using a protocol like
>> IKEv2 and IPsec to achieve this security is just an overkill. It
>> increases the complexity of the implementation as a result of many
>> factors that have been captured in I-D:
>> draft-patil-mext-mip6issueswithipsec and discussed in the MEXT WG
>> meetings.
>> 
>> Given the objective of the protocol is to enable IP mobility for hosts,
>> it should focus on doing that well in a manner that makes it easy to
>> implement/adopt/deploy/scale. My opinion as a result of implementation
>> experience is that MIP6/DSMIP6 can be significantly simplified,
>> especially the security architecture. The protocol as specified
>> currently in RFC3775/RFC5555 is a kitchensink of features. Getting back
>> to basics of simply establishing a tunnel between the MN and HA and
>> managing that tunnel is all that is needed and would potentially see
>> the light of day in the real world.
>> 
>> You may want to call it as Mobile IPv6-lite if you wish. But I do
>> believe that a simplification of the protocol is needed without which
>> I fear it will remain an academic exercise with many years spent in
>> developing a spec. I hope the working group and people who are
>> involved in mobility related work would consider undertaking such an
>> effort in the IETF.
>> 
>> -Basavaraj
>> 
>> _______________________________________________
>> MEXT mailing list
>> MEXT@ietf.org
>> https://www.ietf.org/mailman/listinfo/mext
> 
>

v2.23.0 | Report a Bug | By Email