[Mip4] review of draft-devarapalli-mip4-mobike-connectivity-00.txt
Jari Arkko <jari.arkko@piuha.net> Mon, 22 August 2005 15:23 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7E9R-0005y0-69; Mon, 22 Aug 2005 11:23:53 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E7E9O-0005xv-4M for mip4@megatron.ietf.org; Mon, 22 Aug 2005 11:23:51 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22578 for <mip4@ietf.org>; Mon, 22 Aug 2005 11:23:47 -0400 (EDT)
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E7Ejy-0004Lj-Ck for mip4@ietf.org; Mon, 22 Aug 2005 12:01:38 -0400
Received: from [127.0.0.1] (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id EB50D89852; Mon, 22 Aug 2005 18:23:34 +0300 (EEST)
Message-ID: <4309EE00.4030503@piuha.net>
Date: Mon, 22 Aug 2005 18:23:44 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: mip4@ietf.org, Vijay Devarapalli <vijayd@iprg.nokia.com>, Pasi Eronen <Pasi.Eronen@nokia.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8de5f93cb2b4e3bee75302e9eacc33db
Content-Transfer-Encoding: 7bit
Cc:
Subject: [Mip4] review of draft-devarapalli-mip4-mobike-connectivity-00.txt
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Sender: mip4-bounces@ietf.org
Errors-To: mip4-bounces@ietf.org
Hi Pasi and Vijay, I finally found time to read this draft. Overall, I like it a lot. Some of its good properties include simplicity, minimal changes to both existing VPN plumbing and MIPv4 systems, and the separation between the two. I support taking this work forward. Technical: > 3. Solution Overview I started to wonder whether there's something here that would apply in similar manner to Mobile IPv6. There does not appear to be any specific dependency on Mobile IPv4 here. Doing the same for Mobile IPv6 appears to be possible, although doing VPN + IPsec-based home agent security would imply nested IPsec tunnels. Interestingly, with v6 RO you could eliminate the second (inner) tunnel in your solution. But perhaps that discussion falls under the scope of the v4-v6 interoperability scheme. In any case, I think it would be useful to think about this matter in order to ensure that we don't have too fragmented solutions (this works for v6 only; that you can do only if you also access a corporate VPN; it connects v4 and v6 but doesn't work if you combine it with VPNs; etc). > 3.4 Crossing Security Boundaries > > Security boundary detection is based on the reachability of the i-HA > from the mobile node's current point of attachment. I think it would be useful to recognize that there can be other sources of information. I like the fact that you have defined one mandated scheme here but its quite possible that there will e.g. L2 assist or configuration information in some cases; lets not rule that out. > 3.4.1 Operation when moving from an untrusted network Is there a need to talk about the specific SPD policy settings that are necessary to enable MIPv4 operations to be carried through a VPN tunnel? Or are we assuming (the most often used) all-or-nothing VPN model? > 3.4.2 Operation when moving from a trusted network Lets remember that MOBIKE has mechanisms not just for movements, but also for multihoming support and the ability to detect problems. I suppose there has to be some specification here about the interaction between problem detection mechanisms in MIPv4 and MOBIKE -- unless we are restricting this spec to situations where we get information from L2 that we have moved. > Appendix A. Mobility Extensions for IKEv1 I would rather not see this defined in this document. Personally, I'd favor recommending an upgrade to IKEv2, but if that's not sufficient then it would make sense to have a discussion elsewhere in the IETF (maybe in the MOBIKE WG or on the IPsec mailing list) about whether this is needed, and how it should be provided. Editorial: > typically, separated by a DMZ. Access to the intranet is controlled Expand DMZ on its first occurrence. > 1. Initiate IKE mobility exchange to update the current address with > the VPN gateway. If the new network is also untrusted, this will > be enough for setting up the connectivity. If the new network is > trusted, and if the VPN gateway is reachable, this exchange will > allow the mobile node to keep the VPN state alive while in the > trusted side. If the VPN gateway is not reachable from inside, > then this exchange will fail. > 2. At the same time as step 1, send a Mobile IPv4 Registration > Request to the internal Home Agent without VPN encapsulation. > 3. If the mobile node receives a Registration Response to the > request sent in step 2, then the current subnet is a trusted > subnet, and the mobile node can communicate without VPN > tunneling. The mobile node MAY tear down the VPN tunnel. Maybe renumber these "1a", "1b", and "2" for clarity (or something similar). Other occurrences later in the document, too. --Jari -- Mip4 mailing list: Mip4@ietf.org Web interface: https://www1.ietf.org/mailman/listinfo/mip4 Charter page: http://www.ietf.org/html.charters/mip4-charter.html Supplemental site: http://www.mip4.org/
- [Mip4] review of draft-devarapalli-mip4-mobike-co… Jari Arkko
- Re: [Mip4] review of draft-devarapalli-mip4-mobik… Sami Vaarala
- [Mip4] Re: review of draft-devarapalli-mip4-mobik… Vijay Devarapalli
- Re: [Mip4] review of draft-devarapalli-mip4-mobik… Jari Arkko
- Re: [Mip4] review of draft-devarapalli-mip4-mobik… Sami Vaarala
- RE: [Mip4] review of draft-devarapalli-mip4-mobik… Kent Leung (kleung)
- Re: [Mip4] review of draft-devarapalli-mip4-mobik… Vijay Devarapalli
- RE: [Mip4] review of draft-devarapalli-mip4-mobik… Kent Leung (kleung)