IKEv2 Mobility and Multihoming Protocol (MOBIKE)
RFC 4555

 
Document Type RFC - Proposed Standard (June 2006; No errata)
Last updated 2013-03-02
Replaces draft-eronen-mobike-simple, draft-eronen-mobike-mopo, draft-kivinen-mobike-protocol
Stream IETF
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4555 (Proposed Standard)
Responsible AD Russ Housley
Send notices to paul.hoffman@vpnc.org, jari.arkko@ericsson.com
Network Working Group                                     P. Eronen, Ed.
Request for Comments: 4555                                         Nokia
Category: Standards Track                                      June 2006

            IKEv2 Mobility and Multihoming Protocol (MOBIKE)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the MOBIKE protocol, a mobility and
   multihoming extension to Internet Key Exchange (IKEv2).  MOBIKE
   allows the IP addresses associated with IKEv2 and tunnel mode IPsec
   Security Associations to change.  A mobile Virtual Private Network
   (VPN) client could use MOBIKE to keep the connection with the VPN
   gateway active while moving from one address to another.  Similarly,
   a multihomed host could use MOBIKE to move the traffic to a different
   interface if, for instance, the one currently being used stops
   working.

Eronen                      Standards Track                     [Page 1]
RFC 4555                    MOBIKE Protocol                    June 2006

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Motivation . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Scope and Limitations  . . . . . . . . . . . . . . . . . .  4
     1.3.  Terminology and Notation . . . . . . . . . . . . . . . . .  4
   2.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Basic Operation  . . . . . . . . . . . . . . . . . . . . .  5
     2.2.  Example Protocol Exchanges . . . . . . . . . . . . . . . .  6
     2.3.  MOBIKE and Network Address Translation (NAT) . . . . . . .  9
   3.  Protocol Exchanges . . . . . . . . . . . . . . . . . . . . . . 10
     3.1.  Initial IKE Exchange . . . . . . . . . . . . . . . . . . . 10
     3.2.  Signaling Support for MOBIKE . . . . . . . . . . . . . . . 10
     3.3.  Initial Tunnel Header Addresses  . . . . . . . . . . . . . 11
     3.4.  Additional Addresses . . . . . . . . . . . . . . . . . . . 11
     3.5.  Changing Addresses in IPsec SAs  . . . . . . . . . . . . . 12
     3.6.  Updating Additional Addresses  . . . . . . . . . . . . . . 15
     3.7.  Return Routability Check . . . . . . . . . . . . . . . . . 17
     3.8.  Changes in NAT Mappings  . . . . . . . . . . . . . . . . . 18
     3.9.  NAT Prohibition  . . . . . . . . . . . . . . . . . . . . . 19
     3.10. Path Testing . . . . . . . . . . . . . . . . . . . . . . . 20
     3.11. Failure Recovery and Timeouts  . . . . . . . . . . . . . . 20
     3.12. Dead Peer Detection  . . . . . . . . . . . . . . . . . . . 20
   4.  Payload Formats  . . . . . . . . . . . . . . . . . . . . . . . 21
     4.1.  Notify Messages - Error Types  . . . . . . . . . . . . . . 21
     4.2.  Notify Messages - Status Types . . . . . . . . . . . . . . 21
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 24
     5.1.  Traffic Redirection and Hijacking  . . . . . . . . . . . . 24
     5.2.  IPsec Payload Protection . . . . . . . . . . . . . . . . . 24
     5.3.  Denial-of-Service Attacks against Third Parties  . . . . . 25
     5.4.  Spoofing Network Connectivity Indications  . . . . . . . . 26
     5.5.  Address and Topology Disclosure  . . . . . . . . . . . . . 27
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 28
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 29
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 29
   Appendix A.  Implementation Considerations . . . . . . . . . . . . 31
     A.1.  Links from SPD Cache to Outbound SAD Entries . . . . . . . 31
     A.2.  Creating Outbound SAs  . . . . . . . . . . . . . . . . . . 31


1.  Introduction

1.1.  Motivation

   IKEv2 is used for performing mutual authentication, as well as
   establishing and maintaining IPsec Security Associations (SAs).  In
   the base IKEv2 protocol [IKEv2], the IKE SAs and tunnel mode IPsec
   SAs are created implicitly between the IP addresses that are used
   when the IKE_SA is established.  These IP addresses are then used as