IETF Logo Mail Archive

Re: [Mip4] Enterprise connectivity using MIP4 and MOBIKE

Henrik Levkowetz <henrik@levkowetz.com> Sat, 23 July 2005 04:03 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DwBEk-0001Mu-Ee; Sat, 23 Jul 2005 00:03:42 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DwBEh-0001Lt-Tb for mip4@megatron.ietf.org; Sat, 23 Jul 2005 00:03:39 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA06235 for <mip4@ietf.org>; Sat, 23 Jul 2005 00:03:36 -0400 (EDT)
Received: from av11-2-sn2.hy.skanova.net ([81.228.8.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1DwBj3-0005bh-5q for mip4@ietf.org; Sat, 23 Jul 2005 00:35:03 -0400
Received: by av11-2-sn2.hy.skanova.net (Postfix, from userid 502) id B3F0938008; Sat, 23 Jul 2005 06:03:28 +0200 (CEST)
Received: from smtp4-2-sn2.hy.skanova.net (smtp4-2-sn2.hy.skanova.net [81.228.8.93]) by av11-2-sn2.hy.skanova.net (Postfix) with ESMTP id 4530D37F55; Sat, 23 Jul 2005 06:03:28 +0200 (CEST)
Received: from shiraz.levkowetz.com (81-224-201-50-no45.tbcn.telia.com [81.224.201.50]) by smtp4-2-sn2.hy.skanova.net (Postfix) with ESMTP id 23DA137E45; Sat, 23 Jul 2005 06:03:28 +0200 (CEST)
Received: from localhost ([127.0.0.1] ident=henrik) by shiraz.levkowetz.com with esmtp (Exim 4.52) id 1DwBEV-0001uE-TM; Sat, 23 Jul 2005 06:03:28 +0200
Message-ID: <42E1C18F.7070104@levkowetz.com>
Date: Sat, 23 Jul 2005 06:03:27 +0200
From: Henrik Levkowetz <henrik@levkowetz.com>
User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Vijay Devarapalli <vijayd@iprg.nokia.com>
Subject: Re: [Mip4] Enterprise connectivity using MIP4 and MOBIKE
References: <42D58E93.20608@iprg.nokia.com> <42DECD1D.2030104@levkowetz.com> <42E17E71.2080907@iprg.nokia.com>
In-Reply-To: <42E17E71.2080907@iprg.nokia.com>
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: henrik@levkowetz.com
X-SA-Exim-Scanned: No (on shiraz.levkowetz.com); SAEximRunCond expanded to false
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e8c5db863102a3ada84e0cd52a81a79e
Cc: mip4@ietf.org, Pasi.Eronen@nokia.com
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1954135900=="
Sender: mip4-bounces@ietf.org
Errors-To: mip4-bounces@ietf.org

on 2005-07-23 01:17 Vijay Devarapalli said the following:
> hi Henrik,
> 
> thanks for the detailed review.
> 
> Henrik Levkowetz wrote:
>> Overall:
>> 
>>   This is a pretty straightforward, easily accessible draft which
>>   provides a solution to an existing deployment problem.
>> 
>>   The draft would be improved by cleaning out unnecessary terminology
>>   inheritance from draft-ietf-mip4-vpn-problem-solution-01.  As an
>>   example, the term "i-HA" is used throughout the document, but as there
>>   is no external HA (x-HA) the document could just as well have used
>>   plain "HA", rather than "i-HA".  Generally all the "i-" prefixes
>>   seem unnecessary, and other terminology simplifications probably
>>   also can be done.
> 
> for the 00 version, we wanted to make sure we use the same
> terminology that is used in draft-ietf-mip4-vpn-problem-solution.

Ok.

>>   Symbolic references instead of numeric ones would also be nice.
> 
> symbolic references tend to clutter up the text. so I prefer numberic
> ones.

Well, we'll agree to disagree here, I think :-)

>>>3.2  Mobility within the enterprise
>>>
>>>   When the mobile node is inside the enterprise network and attached to
>>>   the intranet, it uses Mobile IPv4 [2] for subnet mobility.  The
>>>   mobile node uses Foreign Agent co-located care-of address, if a
>>>   foreign agent is available.  Otherwise it acquires an address through
>>>   DHCP  on the access link and uses it as the care-of address (CoA) for
>>>   Mobile IP.  The mobile node attempts Foreign Agent discovery and CoA
>>>   address acquisition through DHCP simultaneously in order to avoid the
>>>   delay in discovering a foreign agent when there is no foreign agent
>>>   available.  The mobile node at any time maintains a valid binding
>>>   cache entry that maps the home address to the current CoA, at the
>>>   Home Agent.  Whenever the mobile node moves, it sends a Registration
>>>   Request to update the binding cache entry.
>> 
>>
>> This is standard MIPv4, and I'm not sure this description is really
>> needed here; especially the detailed description of FA vs. co-located
>> operation.
> 
> really? AFAIK, the simultaneous use of DHCP request and Foreign Agent
> discovery is not defined anywhere. the mobile node first attempts agent
> discovery and then does DHCP, right?

I don't think either of these are defined anywhere - it's up to the
implementation.  The implementation I know most about does these and
other stuff as parallel as possible; and the other stuff is mostly
covered by draft-ietf-dhc-dna-ipv4.

>>>   The Mobile IP signaling messages between the mobile node and the Home
>>>   Agent are authenticated as described in [2].
>> 
>> 
>> The next paragraph doesn't belong under the section title above.  Either
>> move to the next section of add a section "Moving from within the
>> enterprise to the outside":
>> 
>> 
>>>   When the mobile node moves outside the enterprise and attaches to an
>>>   untrusted network, it sets up a VPN tunnel with the VPN gateway.  It
>>>   also maintains a valid binding cache entry at the Home Agent.  The
>>>   VPN TIA given out by the VPN gateway is used as care-of address for
>>>   Mobile IP registration.  If the mobile node attaches to another VPN
>>>   gateway or it re-connects to the same VPN gateway after a while, it
>>>   might get allocated a new TIA.  In such a case, the mobile node sends
>>>   a Registration Request to its Home Agent to update the binding cache
>>>   with its current TIA.
>>>
>>>3.3  Mobility when outside the enterprise
>>>
>>>   When the mobile node is attached to an untrusted network, it sets up
>>>   a VPN tunnel with the VPN gateway to gain access to the enterprise
>>>   network.  IKEv2 [4] and IPsec [5] are used to setup the VPN tunnel.
>> 
>> 
>> Unnecessary repetition?
>> 
>> 
>>>   If the mobile node moves and its IP address changes, it initiates the
>>>   MOBIKE protocol [3] to update the address on the VPN gateway.  If the
>>>   TIA changes or the mobile node attaches to another VPN gateway, while
>>>   outside the enterprise, the mobile node should send a Registration
>>>   Request to its Home Agent using the new TIA as the co-located care-of
>>>   address.
>> 
>> 
>> Unnecessary repetition?
> 
> I re-wrote sections 3.2 and 3.3. the updated text is at
> http://people.nokia.net/vijayd/mipsec/mipsec.txt

Yes, it looks better now.

> 
>>>4.  NAT Traversal
>>>
>>>   There could be a NAT device between the mobile node and the home
>>>   agent in any of the access modes, 'c', 'f' and 'mc', and between the
>>>   mobile node and the VPN gateway in the access mode 'mc'.  Mobile IPv4
>>>   NAT traversal, as described in [7] MUST be supported by the mobile
>>>   node and the home agent when the mobile node is using access modes
>>>   'c' or 'f'.  When using access mode, 'mc', IPsec NAT traversal [8]
>>>   [9] MUST be supported by the mobile node and the VPN gateway.
>>>   Typically, the TIA would be a routable address inside the enterprise
>>>   network.  But in some cases, the TIA could be from a private address
>>>   space associated with the VPN gateway.  In such a case, Mobile IPv4
>>>   NAT traversal should be used in addition to IPsec NAT traversal in
>>>   the 'mc' mode.
>> 
>> 
>> I don't see that it's a MUST to support MIPv4 NAT traversal within the
>> intranet.  It's a must (not a MUST) if you have internal NATs and want
>> MIPv4 to work, but that's not a protocol or implementation issue.  The
>> formulation in the last sentence of the paragraph is much more
>> appropriate.
> 
> you are right. fixed this.
> 
>     There could be a NAT device between the mobile node and the home
>     agent in any of the access modes, 'c', 'f' and 'mc', and between the
>     mobile node and the VPN gateway in the access mode 'mc'.  Mobile IPv4
>     NAT traversal, as described in [7] should be used by the mobile node
>     and the home agent in access modes 'c' or 'f', when there is a NAT
>     device present.  When using access mode, 'mc', IPsec NAT traversal
>     [8] [9] should be used by the mobile node and the VPN gateway, if
>     there is a NAT device present.  Typically, the TIA would be a
>     routable address inside the enterprise network.  But in some cases,
>     the TIA could be from a private address space associated with the VPN
>     gateway.  In such a case, Mobile IPv4 NAT traversal should be used in
>     addition to IPsec NAT traversal in the 'mc' mode.

Looks good.

>>>   Security concerns related to the mobile node detecting that is on a
>>>   trusted network and thereafter dropping the VPN tunnel are described
>>>   in [10].
>> 
>> 
>> It's not certain that 10 will be published.  Better cover it here.
> 
> oh.. I didnt know that. will do that.
> 
>>>Appendix A.  Mobility Extensions for IKEv1
>> 
>> 
>> I have no comments on this appendix, apart from feeling that it might not
>> belong here ...
> 
> agreed. it will probably be moved to a separate document later on.

Ok, sounds good


	Henrik

-- 
Mip4 mailing list: Mip4@ietf.org
    Web interface: https://www1.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

v2.23.0 | Report a Bug | By Email