[Mobopts] MIPv6 IPsec Route Optimization (IRO)

arno@natisbad.org (Arnaud Ebalard) Mon, 17 November 2008 08:32 UTC

From: arno@natisbad.org (Arnaud Ebalard)
To: IETF MEXT WG ML <mext@ietf.org>
Cc: IPsec IETF WG ML <ipsec@ietf.org>, Mobopts IRTF WG ML <mobopts@irtf.org>
Date: Mon, 17 Nov 2008 00:30:57 -0800
Subject: [Mobopts] MIPv6 IPsec Route Optimization (IRO)
Message-ID: <87d4guwy7y.fsf@natisbad.org>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: 47EB 85FE B99A AB85 FD09 46F3 0255 957C 047A 5026


Sorry for cross-posting, but the topic discussed in the draft may be of
interest to people on the three lists.

> IETF I-D Submission Tool <idsubmission@ietf.org> writes:
> A new version of I-D, draft-ebalard-mext-ipsec-ro-00.txt has been
> successfully submitted by Arnaud Ebalard and posted to the IETF
> repository. 
> Filename:      draft-ebalard-mext-ipsec-ro
> Revision:      00
> Title:         Mobile IPv6 IPsec Route Optimization (IRO)
> Creation_date: 2008-11-17
> WG ID:         Independent Submission
> Number_of_pages: 44
> Abstract:
> This memo specifies an improved alternate route optimization procedure
> for Mobile IPv6 designed specifically for environments where IPsec is
> used between peers (most probably with IKE). The replacement of the
> complex Return Routability procedure for a simple mechanism and the
> removal of HAO and RH2 extensions from exchanged packets result in
> performance and security improvements.

I have just submitted a new I-D [1] which certainly requires an
introduction (and disclaimer): it specifies a MIPv6 Route Optimization
procedure *dedicated* to environments where IPsec/IKE is used between
peers (MN-HA, MN-CN, MN-MN) for protecting both signaling and data.

Some of the improvements provided by this "IPsec Route Optimization"
mechanism (IRO) are also proposed for the IPsec communications between
the MN and its HA.

Among the features provided by IRO (the introduction of the document has
a more accurate list):

  * Complete removal of RH2 and HAO (resulting in simplified packet
    handling on both sides and possibly better compatibility with
    filtering implemented in the network),
  * Per-packet MTU gains between 24 and 48 bytes in comparison with
    equivalent uses of IPsec in a standard RO context,
  * Improved and more generic proof of address ownership mechanism,
  * Safe-by-default behavior avoiding direct unprotected traffic flows,
  * No additional changes to IPsec or IKE protocols and limited
    changes to MIPv6 via four simple messages and a single option.

The next step is to gather some initial feedback from interested people
of the WG. Then, I intend to spend some time implementing it (under
Linux) to challenge the ideas provided in the draft.

Comments are welcome. Note that this is a -00 which implies that some
parts are still quite raw and might deserve additional comments/work.



[1]: http://www.ietf.org/internet-drafts/draft-ebalard-mext-ipsec-ro-00.txt
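The per-packet MTU figure in the feature list follows from the fixed size of the two extensions IRO removes. The example below is added here and is not code from the draft or from this post: it builds the Destination Options header carrying a Home Address Option (HAO) and the Type 2 Routing Header (RH2) with the wire layout of RFC 6275 sections 6.3 and 6.4 (RFC 3775 at the time of the post), parses them back, and measures what each costs. The home address 2001:db8::1 and the TCP next-header value are constructed sample input; the function names are the example's own.

```python
"""
Added example (not part of the draft or this post): build and parse the
MIPv6 HAO and RH2 extensions that IRO removes, and measure their cost.
Layouts follow RFC 6275 sections 6.3 (HAO) and 6.4 (RH2).
"""
import ipaddress
import struct

IPPROTO_TCP = 6            # constructed choice of upper-layer protocol
HAO_OPTION_TYPE = 201      # 0xC9, Home Address Option (RFC 6275 6.3)
PADN_OPTION_TYPE = 1       # PadN option (RFC 2460 4.2)
ROUTING_TYPE_2 = 2         # Type 2 Routing Header (RFC 6275 6.4)


def build_dstopts_hao(home_addr: str, next_header: int = IPPROTO_TCP) -> bytes:
    """Destination Options header carrying one Home Address Option.

    The HAO must be aligned 8n+6, so a 4-byte PadN precedes it.  The header
    is therefore 2 + 4 + 18 = 24 bytes, not the 20 a naive count suggests.
    """
    addr = ipaddress.IPv6Address(home_addr).packed
    padn = struct.pack("!BB2x", PADN_OPTION_TYPE, 2)       # type, len, 2 zero bytes
    hao = struct.pack("!BB16s", HAO_OPTION_TYPE, 16, addr)
    body = padn + hao
    total = 2 + len(body)
    if total % 8:
        raise ValueError("extension header must be a multiple of 8 octets")
    hdr_ext_len = total // 8 - 1                           # 8-octet units, first 8 excluded
    return struct.pack("!BB", next_header, hdr_ext_len) + body


def build_rh2(home_addr: str, next_header: int = IPPROTO_TCP) -> bytes:
    """Type 2 Routing Header: exactly one address, Segments Left = 1, 24 bytes."""
    addr = ipaddress.IPv6Address(home_addr).packed
    # next header, hdr ext len (2), routing type (2), segments left (1), 4 reserved
    return struct.pack("!BBBB4x16s", next_header, 2, ROUTING_TYPE_2, 1, addr)


def parse_hao(dstopts: bytes) -> str:
    """Walk the option TLVs of a Destination Options header, return the HAO address."""
    end = (dstopts[1] + 1) * 8
    pos = 2
    while pos < end:
        opt_type = dstopts[pos]
        if opt_type == 0:                                  # Pad1 has no length byte
            pos += 1
            continue
        opt_len = dstopts[pos + 1]
        if opt_type == HAO_OPTION_TYPE:
            if opt_len != 16:
                raise ValueError("malformed Home Address Option")
            return str(ipaddress.IPv6Address(dstopts[pos + 2:pos + 18]))
        pos += 2 + opt_len
    raise ValueError("no Home Address Option present")


def parse_rh2(rh2: bytes) -> str:
    """Accept only a well-formed RH2 (the check a filter or receiver should make)."""
    _next, hdr_ext_len, routing_type, segments_left = struct.unpack("!BBBB", rh2[:4])
    if routing_type != ROUTING_TYPE_2 or hdr_ext_len != 2 or segments_left != 1:
        raise ValueError("not a well-formed Type 2 Routing Header")
    return str(ipaddress.IPv6Address(rh2[8:24]))


def ro_header_overhead(hao: bool, rh2: bool, home_addr: str = "2001:db8::1") -> int:
    """Bytes standard RO adds to a packet carrying HAO, RH2 or both."""
    size = 0
    if hao:
        size += len(build_dstopts_hao(home_addr))
    if rh2:
        size += len(build_rh2(home_addr))
    return size


if __name__ == "__main__":
    print("HAO dst-opts header:", len(build_dstopts_hao("2001:db8::1")), "bytes")
    print("RH2:", len(build_rh2("2001:db8::1")), "bytes")
    print("one extension:", ro_header_overhead(True, False),
          "both:", ro_header_overhead(True, True))
```

Each extension costs exactly 24 bytes, so a packet that loses one of them gains 24 bytes of MTU and one that loses both gains 48, consistent with the range quoted in the feature list. The 4-byte PadN is easy to forget when counting: the HAO payload alone is 18 bytes, and the 8n+6 alignment rule is what pushes the header to 24.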