Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture
RFC 4877

Document Type RFC - Proposed Standard (April 2007; Errata)
Updates RFC 3776
Last updated 2013-03-02
Stream IETF
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG state RFC 4877 (Proposed Standard)
Responsible AD Jari Arkko
Send notices to mip6-chairs@ietf.org,vijay.devarapalli@azairenet.com,Francis.Dupont@point6.net
Network Working Group                                     V. Devarapalli
Request for Comments: 4877                               Azaire Networks
Updates: 3776                                                  F. Dupont
Category: Standards Track                                          CELAR
                                                              April 2007

  Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes Mobile IPv6 operation with the revised IPsec
   architecture and IKEv2.

Devarapalli & Dupont        Standards Track                     [Page 1]
RFC 4877            Mobile IPv6 with IKEv2 and IPsec          April 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Packet Formats . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . .  4
     4.1.  General Requirements . . . . . . . . . . . . . . . . . . .  5
     4.2.  Policy Requirements  . . . . . . . . . . . . . . . . . . .  5
     4.3.  IPsec Protocol Processing Requirements . . . . . . . . . .  7
     4.4.  Dynamic Keying Requirements  . . . . . . . . . . . . . . .  9
   5.  Selector Granularity Considerations  . . . . . . . . . . . . . 10
   6.  Manual Configuration . . . . . . . . . . . . . . . . . . . . . 11
     6.1.  Binding Updates and Acknowledgements . . . . . . . . . . . 12
     6.2.  Return Routability Messages  . . . . . . . . . . . . . . . 13
     6.3.  Mobile Prefix Discovery Messages . . . . . . . . . . . . . 14
     6.4.  Payload Packets  . . . . . . . . . . . . . . . . . . . . . 14
   7.  Dynamic Configuration  . . . . . . . . . . . . . . . . . . . . 15
     7.1.  Peer Authorization Database Entries  . . . . . . . . . . . 15
     7.2.  Security Policy Database Entries . . . . . . . . . . . . . 15
       7.2.1.  Binding Updates and Acknowledgements . . . . . . . . . 16
       7.2.2.  Return Routability Messages  . . . . . . . . . . . . . 17
       7.2.3.  Mobile Prefix Discovery Messages . . . . . . . . . . . 17
       7.2.4.  Payload Packets  . . . . . . . . . . . . . . . . . . . 18
     7.3.  Security Association Negotiation Using IKEv2 . . . . . . . 18
     7.4.  Movements and Dynamic Keying . . . . . . . . . . . . . . . 20
   8.  The Use of EAP Authentication  . . . . . . . . . . . . . . . . 21
   9.  Dynamic Home Address Configuration . . . . . . . . . . . . . . 22
   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 23
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 24
     12.2. Informative References . . . . . . . . . . . . . . . . . . 24


1.  Introduction

   RFC 3776 describes how IPsec, as described in RFC 2401 [11], is used
   with Mobile IPv6 [2] to protect the signaling messages.  It also
   illustrates examples of Security Policy Database and Security
   Association Database entries that can be used to protect Mobile IPv6
   signaling messages.

   The IPsec architecture has been revised in RFC 4301 [5].  Among the
   many changes, the list of selectors has been expanded to include the
   Mobility Header message type.  This has an impact on how security
   policies and security associations are configured for protecting
   mobility header messages.  It becomes easier to differentiate between
   the various Mobility Header messages based on the type value instead
   of checking if a particular mobility header message is being sent on
   a tunnel interface between the mobile node and the home agent, as it
   was in RFC 3776.  The revised IPsec architecture specification also
   includes ICMP message type and code as selectors.  This makes it
   possible to protect Mobile Prefix Discovery messages without applying
   the same security associations to all ICMPv6 messages.
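
   The selector granularity described above can be sketched as an
   ordered SPD lookup.  This is an added example, not text or code
   from RFC 4877; the addresses, the entry names, and the BYPASS rule
   for other ICMPv6 traffic are assumptions made for illustration.

```python
# Added illustration: ordered SPD lookup keyed on the RFC 4301 selectors
# (next header plus Mobility Header type or ICMPv6 type).
# Addresses, entry names and the policy set are constructed sample values.
from dataclasses import dataclass
from typing import Optional

MH, ICMPV6 = 135, 58            # IPv6 Next Header values
BU, HOTI = 5, 1                 # Mobility Header types: Binding Update, Home Test Init
MPS, NS = 146, 135              # ICMPv6 types: Mobile Prefix Solicitation, Neighbor Solicitation

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    msg_type: Optional[int] = None   # MH type or ICMPv6 type

@dataclass(frozen=True)
class SpdEntry:
    name: str
    local: str
    remote: str
    proto: int
    msg_type: Optional[int]          # None matches any type of this protocol
    action: str                      # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, p: Packet) -> bool:
        return (self.local in ("any", p.src) and self.remote in ("any", p.dst)
                and self.proto == p.proto
                and self.msg_type in (None, p.msg_type))

HOA, HA = "2001:db8:1::10", "2001:db8:1::1"   # constructed home address / home agent

# Mobile node outbound policy, most specific entries first.
SPD = [
    SpdEntry("bu", HOA, HA, MH, BU, "PROTECT"),
    SpdEntry("mps", HOA, HA, ICMPV6, MPS, "PROTECT"),
    SpdEntry("icmp-other", "any", "any", ICMPV6, None, "BYPASS"),  # assumed rule
]

def lookup(p: Packet) -> str:
    """Return action:name of the first matching entry; no match means discard."""
    for e in SPD:
        if e.matches(p):
            return f"{e.action}:{e.name}"
    return "DISCARD:default"

if __name__ == "__main__":
    for pkt in (Packet(HOA, HA, MH, BU), Packet(HOA, HA, ICMPV6, MPS),
                Packet(HOA, HA, ICMPV6, NS), Packet(HOA, HA, MH, HOTI)):
        print(pkt.proto, pkt.msg_type, "->", lookup(pkt))
```

   Because no entry covers Home Test Init in this sample policy, that
   packet falls through to the default discard, which shows why each
   Mobility Header type that must flow needs its own entry.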

   This document discusses new requirements for the home agent and the
   mobile node to use the revised IPsec architecture and IKEv2.