Re: [Mip4] Enterprise connectivity using MIP4 and MOBIKE
Henrik Levkowetz <henrik@levkowetz.com> Sat, 23 July 2005 04:03 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DwBEk-0001Mu-Ee; Sat, 23 Jul 2005 00:03:42 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DwBEh-0001Lt-Tb for mip4@megatron.ietf.org; Sat, 23 Jul 2005 00:03:39 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA06235 for <mip4@ietf.org>; Sat, 23 Jul 2005 00:03:36 -0400 (EDT)
Received: from av11-2-sn2.hy.skanova.net ([81.228.8.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1DwBj3-0005bh-5q for mip4@ietf.org; Sat, 23 Jul 2005 00:35:03 -0400
Received: by av11-2-sn2.hy.skanova.net (Postfix, from userid 502) id B3F0938008; Sat, 23 Jul 2005 06:03:28 +0200 (CEST)
Received: from smtp4-2-sn2.hy.skanova.net (smtp4-2-sn2.hy.skanova.net [81.228.8.93]) by av11-2-sn2.hy.skanova.net (Postfix) with ESMTP id 4530D37F55; Sat, 23 Jul 2005 06:03:28 +0200 (CEST)
Received: from shiraz.levkowetz.com (81-224-201-50-no45.tbcn.telia.com [81.224.201.50]) by smtp4-2-sn2.hy.skanova.net (Postfix) with ESMTP id 23DA137E45; Sat, 23 Jul 2005 06:03:28 +0200 (CEST)
Received: from localhost ([127.0.0.1] ident=henrik) by shiraz.levkowetz.com with esmtp (Exim 4.52) id 1DwBEV-0001uE-TM; Sat, 23 Jul 2005 06:03:28 +0200
Message-ID: <42E1C18F.7070104@levkowetz.com>
Date: Sat, 23 Jul 2005 06:03:27 +0200
From: Henrik Levkowetz <henrik@levkowetz.com>
User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Vijay Devarapalli <vijayd@iprg.nokia.com>
Subject: Re: [Mip4] Enterprise connectivity using MIP4 and MOBIKE
References: <42D58E93.20608@iprg.nokia.com> <42DECD1D.2030104@levkowetz.com> <42E17E71.2080907@iprg.nokia.com>
In-Reply-To: <42E17E71.2080907@iprg.nokia.com>
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: henrik@levkowetz.com
X-SA-Exim-Scanned: No (on shiraz.levkowetz.com); SAEximRunCond expanded to false
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e8c5db863102a3ada84e0cd52a81a79e
Cc: mip4@ietf.org, Pasi.Eronen@nokia.com
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1954135900=="
Sender: mip4-bounces@ietf.org
Errors-To: mip4-bounces@ietf.org
on 2005-07-23 01:17 Vijay Devarapalli said the following: > hi Henrik, > > thanks for the detailed review. > > Henrik Levkowetz wrote: >> Overall: >> >> This is a pretty straightforward, easily accessible draft which >> provides a solution to an existing deployment problem. >> >> The draft would be improved by cleaning out unnecessary terminology >> inheritance from draft-ietf-mip4-vpn-problem-solution-01. As an >> example, the term "i-HA" is used throughout the document, but as there >> is no external HA (x-HA) the document could just as well have used >> plain "HA", rather than "i-HA". Generally all the "i-" prefixes >> seem unnecessary, and other terminology simplifications probably >> also can be done. > > for the 00 version, we wanted to make sure we use the same > terminology that is used in draft-ietf-mip4-vpn-problem-solution. Ok. >> Symbolic references instead of numeric ones would also be nice. > > symbolic references tend to clutter up the text. so I prefer numberic > ones. Well, we'll agree to disagree here, I think :-) >>>3.2 Mobility within the enterprise >>> >>> When the mobile node is inside the enterprise network and attached to >>> the intranet, it uses Mobile IPv4 [2] for subnet mobility. The >>> mobile node uses Foreign Agent co-located care-of address, if a >>> foreign agent is available. Otherwise it acquires an address through >>> DHCP on the access link and uses it as the care-of address (CoA) for >>> Mobile IP. The mobile node attempts Foreign Agent discovery and CoA >>> address acquisition through DHCP simultaneously in order to avoid the >>> delay in discovering a foreign agent when there is no foreign agent >>> available. The mobile node at any time maintains a valid binding >>> cache entry that maps the home address to the current CoA, at the >>> Home Agent. Whenever the mobile node moves, it sends a Registration >>> Request to update the binding cache entry. >> >> >> This is standard MIPv4, and I'm not sure this description is really >> needed here; especially the detailed description of FA vs. co-located >> operation. > > really? AFAIK, the simultaneous use of DHCP request and Foreign Agent > discovery is not defined anywhere. the mobile node first attempts agent > discovery and then does DHCP, right? I don't think either of these are defined anywhere - it's up to the implementation. The implementation I know most about does these and other stuff as parallel as possible; and the other stuff is mostly covered by draft-ietf-dhc-dna-ipv4. >>> The Mobile IP signaling messages between the mobile node and the Home >>> Agent are authenticated as described in [2]. >> >> >> The next paragraph doesn't belong under the section title above. Either >> move to the next section of add a section "Moving from within the >> enterprise to the outside": >> >> >>> When the mobile node moves outside the enterprise and attaches to an >>> untrusted network, it sets up a VPN tunnel with the VPN gateway. It >>> also maintains a valid binding cache entry at the Home Agent. The >>> VPN TIA given out by the VPN gateway is used as care-of address for >>> Mobile IP registration. If the mobile node attaches to another VPN >>> gateway or it re-connects to the same VPN gateway after a while, it >>> might get allocated a new TIA. In such a case, the mobile node sends >>> a Registration Request to its Home Agent to update the binding cache >>> with its current TIA. >>> >>>3.3 Mobility when outside the enterprise >>> >>> When the mobile node is attached to an untrusted network, it sets up >>> a VPN tunnel with the VPN gateway to gain access to the enterprise >>> network. IKEv2 [4] and IPsec [5] are used to setup the VPN tunnel. >> >> >> Unnecessary repetition? >> >> >>> If the mobile node moves and its IP address changes, it initiates the >>> MOBIKE protocol [3] to update the address on the VPN gateway. If the >>> TIA changes or the mobile node attaches to another VPN gateway, while >>> outside the enterprise, the mobile node should send a Registration >>> Request to its Home Agent using the new TIA as the co-located care-of >>> address. >> >> >> Unnecessary repetition? > > I re-wrote sections 3.2 and 3.3. the updated text is at > http://people.nokia.net/vijayd/mipsec/mipsec.txt Yes, it looks better now. > >>>4. NAT Traversal >>> >>> There could be a NAT device between the mobile node and the home >>> agent in any of the access modes, 'c', 'f' and 'mc', and between the >>> mobile node and the VPN gateway in the access mode 'mc'. Mobile IPv4 >>> NAT traversal, as described in [7] MUST be supported by the mobile >>> node and the home agent when the mobile node is using access modes >>> 'c' or 'f'. When using access mode, 'mc', IPsec NAT traversal [8] >>> [9] MUST be supported by the mobile node and the VPN gateway. >>> Typically, the TIA would be a routable address inside the enterprise >>> network. But in some cases, the TIA could be from a private address >>> space associated with the VPN gateway. In such a case, Mobile IPv4 >>> NAT traversal should be used in addition to IPsec NAT traversal in >>> the 'mc' mode. >> >> >> I don't see that it's a MUST to support MIPv4 NAT traversal within the >> intranet. It's a must (not a MUST) if you have internal NATs and want >> MIPv4 to work, but that's not a protocol or implementation issue. The >> formulation in the last sentence of the paragraph is much more >> appropriate. > > you are right. fixed this. > > There could be a NAT device between the mobile node and the home > agent in any of the access modes, 'c', 'f' and 'mc', and between the > mobile node and the VPN gateway in the access mode 'mc'. Mobile IPv4 > NAT traversal, as described in [7] should be used by the mobile node > and the home agent in access modes 'c' or 'f', when there is a NAT > device present. When using access mode, 'mc', IPsec NAT traversal > [8] [9] should be used by the mobile node and the VPN gateway, if > there is a NAT device present. Typically, the TIA would be a > routable address inside the enterprise network. But in some cases, > the TIA could be from a private address space associated with the VPN > gateway. In such a case, Mobile IPv4 NAT traversal should be used in > addition to IPsec NAT traversal in the 'mc' mode. Looks good. >>> Security concerns related to the mobile node detecting that is on a >>> trusted network and thereafter dropping the VPN tunnel are described >>> in [10]. >> >> >> It's not certain that 10 will be published. Better cover it here. > > oh.. I didnt know that. will do that. > >>>Appendix A. Mobility Extensions for IKEv1 >> >> >> I have no comments on this appendix, apart from feeling that it might not >> belong here ... > > agreed. it will probably be moved to a separate document later on. Ok, sounds good Henrik
-- Mip4 mailing list: Mip4@ietf.org Web interface: https://www1.ietf.org/mailman/listinfo/mip4 Charter page: http://www.ietf.org/html.charters/mip4-charter.html Supplemental site: http://www.mip4.org/
- [Mip4] Enterprise connectivity using MIP4 and MOB… Vijay Devarapalli
- [Mip4] HA=0.0.0.0 question (HA Discovery) Ranjitsinh Wable
- [Mip4] HA=0.0.0.0 question (HA Discovery) Pete McCann
- Re: [Mip4] Enterprise connectivity using MIP4 and… Henrik Levkowetz
- Re: [Mip4] Enterprise connectivity using MIP4 and… Vijay Devarapalli
- Re: [Mip4] Enterprise connectivity using MIP4 and… Vijay Devarapalli
- Re: [Mip4] Enterprise connectivity using MIP4 and… Sami Vaarala
- Re: [Mip4] Enterprise connectivity using MIP4 and… Henrik Levkowetz
- Re: [Mip4] Enterprise connectivity using MIP4 and… Henrik Levkowetz
- Re: [Mip4] Enterprise connectivity using MIP4 and… Henrik Levkowetz
- Re: [Mip4] Enterprise connectivity using MIP4 and… Sami Vaarala