IPsec is specified as the sole means of securing all signaling
messages between the Mobile Node and Home Agent for Mobile IPv6
(see RFC 3775). Some deployments, and 3GPP2 in particular, desire
a different model for securing signaling between the Mobile Node
and Home Agent, one that more closely fits their existing Mobile
IPv4 deployments. This document proposes an alternate method for
securing the signaling messages, one based on defining a
MIPv6-specific authentication extension.

Working Group Summary

This document certainly generated controversy within the WG. There
were some who argued that this approach was not appropriate and that
we should just stick with "use the IPsec-based approach as defined
in RFC 3775". Others argued that we should listen to an important
"customer" and that it was appropriate to put this document forward
on standards track, since there were likely to be many
implementations. In the end, most people recognized the need to be
pragmatic in dealing with the input from 3GPP2, given that
3GPP2-based Mobile IPv4 is the largest current deployment of
MIPv4. The WG ultimately supported moving this work forward, but as
an informational document rather than on the Standards Track.
This document has been reviewed for the IESG by Thomas Narten.

This RFC is not a candidate for any level of Internet Standard. RFC
3775 and 3776 define Mobile IPv6 and its security mechanism. This
document presents an alternate security mechanism for Mobile IPv6 used
in 3GPP2 networks.

The security properties of this mechanism have not been reviewed in
the IETF. Conducting this review proved difficult because the
standards-track security mechanism for Mobile IPv6 is tightly
integrated into the protocol; extensions to Mobile IPv6 and the core
documents make assumptions about the properties of the security model
without explicitly stating what assumptions are being made. There is
no documented service model. Thus it is difficult to replace the
security mechanism and see if the current protocol and future
extensions meet appropriate security requirements both under the
original and new security mechanisms. If a service model for Mobile
IPv6 security is ever formally defined and reviewed, a mechanism
similar to this one could be produced and fully reviewed.

Section 1.1 of this document provides an applicability statement for
this RFC. The IESG recommends against the usage of this specification
outside of environments that meet the conditions of that applicability
statement. In addition, the IESG recommends that those considering
deploying or implementing this specification conduct a sufficient
security review to meet the conditions of the environments in which
this RFC will be used.