[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04                                                
Network Working Group                                           B. Patil
Internet-Draft                                                     Nokia
Intended status: Informational                                C. Perkins
Expires: April 30, 2009                                         WiChorus
                                                           H. Tschofenig
                                                  Nokia Siemens Networks
                                                        October 27, 2008


 Issues related to the design choice of IPsec for Mobile IPv6 security
              draft-patil-mext-mip6issueswithipsec-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 30, 2009.















Patil, et al.            Expires April 30, 2009                 [Page 1]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


Abstract

   Mobile IPv6 as specified in RFC3775 relies on IPsec for security.  An
   IPsec SA between the mobile node and the home agent provides security
   for the mobility signaling.  Use of IPsec for securing the data
   traffic between the mobile node and home agent is optional.  This
   document analyses the implications of the design decision to mandate
   IPsec as the default security protocol for Mobile IPv6 and recommends
   revisiting this decision in view of the experience gained from
   implementation and adoption in other standards bodies.


Table of Contents

   1.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Background . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Problem Statement  . . . . . . . . . . . . . . . . . . . . . .  7
   6.  Issues with the use of IPsec . . . . . . . . . . . . . . . . .  8
   7.  MIP6 evolution . . . . . . . . . . . . . . . . . . . . . . . . 10
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 13
     10.2.  Informative References  . . . . . . . . . . . . . . . . . 13
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
   Intellectual Property and Copyright Statements . . . . . . . . . . 15























Patil, et al.            Expires April 30, 2009                 [Page 2]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].














































Patil, et al.            Expires April 30, 2009                 [Page 3]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


2.  Introduction

   Mobile IPv6 as specified in RFC3775 [RFC3775] requires an IPsec
   security association between the mobile node (MN) and home agent
   (HA).  The IPsec SA protects the mobility signaling messages between
   the MN and HA.  The user data may be optionally protected by the
   IPsec SA but is not required.

   The use of IPsec and IKE (v1 and v2) with Mobile IPv6 are specified
   in RFCs 3776 [RFC3776] and 4877 [RFC4877].  The Mobile IP and MIP6
   working groups in the IETF chose to mandate IPsec as the default
   security protocol for Mobile IPv6 based on various criteria and
   discussions between the years 2000 and 2004.  Implementation
   experience with Mobile IPv6 and the security variants with which it
   has been specified in some SDOs indicates a need to revisit the
   design choice for MIP6 signaling security.

   This document discusses the issues and concerns with the use of IPsec
   for MIP6 security and proposes revisiting the security design for
   MIP6 protocol.































Patil, et al.            Expires April 30, 2009                 [Page 4]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


3.  Terminology

   This document refers to [RFC3775][RFC4877] for terminology.
















































Patil, et al.            Expires April 30, 2009                 [Page 5]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


4.  Background

   IP mobility support in IPv6 was considered to be an integral feature
   of the IPv6 stack based on the experience gained from developing
   mobility support for IPv4.  The design of Mobile IPv6 was worked on
   by the Mobile IP WG in the late 90s and by the MIP6 WG until its
   publication as [RFC3775] in 2004.

   IPsec was also intended to be a default component of the IPv6 stack
   and was the preferred protocol choice for use by any other IPv6
   protocols that needed security.  Rather than design security into
   every protocol feature the intent was to reuse a well-defined
   security protocol to meet security needs.  Hence Mobile IPv6 has been
   designed with a direct dependency on IPsec.

   The Mobile IPv6 specification [RFC3775] was published along with the
   companion specification "Using IPsec to Protect Mobile IPv6 Signaling
   Between Mobile Nodes and Home Agents", [RFC3776].  The establishment
   of the IPsec SA between the MN and HA as per RFC 3776 is based on the
   use of IKE.  The use of IKE in the context of Mobile IPv6 for IPsec
   SA establishment did not gain traction because of factors such as
   complexity of IKE and the IETF transitioning to IKEv2.  The MIP6 WG
   completed the specification, Mobile IPv6 Operation with IKEv2 and the
   Revised IPsec Architecture [RFC4877] in April 2007.  This [RFC4877]
   is considered as the default security protocol solution for MIP6 and
   updates [RFC3776].

























Patil, et al.            Expires April 30, 2009                 [Page 6]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


5.  Problem Statement

   Mobile IPv6 is encumbered by its reliance on IPsec from an
   implementation and deployment perspective.  As a protocol solution
   for host based mobility, MIP6 can be simpler without the IPsec
   baggage.  The issues with IPsec are even more exacerbated in the case
   of dual-stack MIP6 [DSMIP6].

   IPsec SAs between the MN and HA are established either manually or by
   the use of IKEv2.  Manual SA configuration is not a scalable solution
   and hence MIP6 hosts and Home agents rely on IKEv2 for establishing
   dynamically IPsec SAs.  As a result MIP6 depends on the existence of
   IPsec and IKEv2 for successful operation.

   The problem in summary for MIP6 is the dependence on IPsec and IKEv2
   for operation.



































Patil, et al.            Expires April 30, 2009                 [Page 7]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


6.  Issues with the use of IPsec

   This section captures several issues with the use of IPsec by MIP6.

   (1)  The design of Mobile IPv6 emphasized on the reuse of IPv6
        features such as IPsec.  IPsec for IPv4 was a bolt-on solution.
        With the increasing need for security, IPv6 designers chose to
        incorporate IPsec as a default feature.  There existed an
        assumption in the MIP6 working group that every IPv6 host would
        have IPsec capability as a standard feature.  While this is true
        in many host implementations today, the existence of IPsec in
        every IPv6 stack is not a given.  Hence a host which needs to
        implement Mobile IPv6 must ensure that IPsec and IKEv2 are also
        available.  As a result of this dependence, MIP6 is no longer a
        standalone host-based mobility protocol.  A good example of a
        host based mobility protocol that works as a self-sufficient
        module is Mobile IPv4.  The security associated with MIP4
        signaling is integrated into the protocol itself.  MIP4 has been
        successfully deployed on large scale in several networks.

   (2)  IPsec use in most hosts is generally for the purpose of VPN
        connectivity to enterprises.  It has not evolved into a generic
        security protocol that can be used by Mobile IPv6 easily.  While
        RFC4877 does specify the details which enable only the MIP6
        signaling to be encapsulated with IPsec, the general method of
        IPsec usage has been such that all traffic between a host and
        the IPsec gateway is carried via the tunnel.  Selective
        application of IPsec to protocols is not the norm.  Use of IPsec
        with Mobile IPv6 requires configuration which in many cases is
        not easily done because of reasons such as enterprise
        environments preventing changing to IPsec policies or other.

   (3)  A MIP6 home agent is one end of the IPsec SA in a many-to-one
        relationship.  A MIP6 HA may support a very large of mobile
        nodes which could number in the hundreds of thousands to
        millions.  The ability to terminate a large number of IPsec SAs
        (millions) requires signifiant hardware and platform capability.
        The cost issues of such an HA are detrimental and hence act as a
        barrier to deployment.

   (4)  The implementation complexity of Mobile IPv6 is greatly
        increased because of the interaction with IPsec and IKEv2.  A
        standalone MIP6 protocol is easier to implement and deploy (such
        as MIP4 [RFC3344]).  The complexity of the protocol
        implementation is even more so in the case of [DSMIP6].






Patil, et al.            Expires April 30, 2009                 [Page 8]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


   (5)  IPsec and IKEv2 is not implemented in every IPv6 or dual stack
        host.  Mobile IPv6 support on such devices is not an option.
        Many low-end cellular hosts have IP stacks.  The need for IPsec
        and IKEv2 in these devices is not important whereas mobility
        support is needed in many cases.  MIP6 without any dependencies
        on protocols for security is easier to implement and has wider
        applicability.

   (6)  [RFC4877] which specifies the use of IKEv2 and IPsec with Mobile
        IPv6 essentially results in a variant of IPsec which is specific
        to Mobile IP.  Hence this results in added complexity to
        implementations.

   (7)  Mobile IPv6 needs to be capable of being deployed in situations
        where alternative security mechanisms are already well-
        understood by the network administration.  It should be possible
        to enable Mobile IPv6 to work in situations where alternative
        security mechanisms already supply the necessary authentication
        and privacy.

   (8)  IPsec has been successfully applied to VPN and other
        infrastructure operations, but less so for general end-to-end
        applications.  Thus, the granularity for selectors was
        originally not at all sufficient for Mobile IPv6.

   (9)  The way that the IPsec code sits in the usual kernel, and the
        access mechanisms for the SA database, are not very convenient
        for use by straightforward implementations of Mobile IPv6.
        Unusual calling sequences and parameter passing seems to be
        required on many platforms.

   (10) In certain environments the use of IPsec and IKEv2 for
        establishing the SA is considered as an overhead.  Bandwidth
        constrained links such as cellular networks and air interfaces
        which are in the licensed spectrum tend to be optimized for user
        traffic.  MIP6 signaling with the IPsec overhead and the IKEv2
        messages are viewed negatively.  It is more acceptable to have
        signaling without IPsec encapsulation.

   The issues listed above have been a cause for MIP6 not being
   implemented widely or adopted by other SDOs which are considering IP
   mobility solutions.









Patil, et al.            Expires April 30, 2009                 [Page 9]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


7.  MIP6 evolution

   In order to make the Mobile Ipv6 protocol a solution that is easy to
   implement and available in even low-end devices, it is necessary to
   simplify the protocol.  The design or the security architecture for
   MIP6 needs to be revisited and a solution that does not rely on other
   components developed.












































Patil, et al.            Expires April 30, 2009                [Page 10]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


8.  Security Considerations

   This I-D discusses the security architecture of Mobile IPv6 which is
   based on IPsec.  The dependency on IPsec for security of MIP6
   signaling is a detriment to the protocol implementation and
   deployment.  Hence the security architecture needs to be revisited.

   The experience gained over the last few years indicates that IPsec
   cannot necessarily be used as a generic solution for security.  The
   design choice made for MIP6 in the initial stages no longer are valid
   and is hampering the implementation and use.








































Patil, et al.            Expires April 30, 2009                [Page 11]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


9.  IANA Considerations

   This document does not have any information which requires IANA
   review.















































Patil, et al.            Expires April 30, 2009                [Page 12]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3775]  Johnson, D., "Mobility Support in IPv6", RFC 3775,
              June 2004.

   [RFC3776]  Arkko, J., "Using IPsec to Protect Mobile IPv6 Signaling
              Between Mobile Nodes and Home Agents", RFC 3776,
              June 2004.

   [RFC4877]  Devarapalli, V., "Mobile IPv6 Operation with IKEv2 and the
              Revised IPsec Architecture", RFC 4877, April 2007.

   [DSMIP6]   Soliman, H., Ed., "Mobile IPv6 Support for Dual Stack
              Hosts and Routers",
               draft-ietf-mext-nemo-v4traversal-05.txt, July 2008.

10.2.  Informative References

   [RFC3344]  Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
              August 2002.


























Patil, et al.            Expires April 30, 2009                [Page 13]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


Authors' Addresses

   Basavaraj Patil
   Nokia
   6021 Connection Drive
   Irving, TX  75039
   USA

   Email: basavaraj.patil@nokia.com


   Charles Perkins
   WiChorus
   3590 N. 1st Street, Suite 300
   San Jose, CA  95134
   USA

   Email: charliep@wichorus.com


   Hannes Tschofenig
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo  02600
   Finland

   Phone: +358 (50) 4871445
   Email: Hannes.Tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at






















Patil, et al.            Expires April 30, 2009                [Page 14]


Internet-Draft        IPsec issues with Mobile IPv6         October 2008


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.











Patil, et al.            Expires April 30, 2009                [Page 15]