Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture
RFC 4877
| Document | |
|---|---|
| Type | RFC - Proposed Standard (April 2007; Errata), Updates RFC 3776 |
| Authors | Francis Dupont, Vijay Devarapalli |
| Last updated | 2020-01-21 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized (with errata), bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4877 (Proposed Standard) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Jari Arkko |
| Send notices to | (None) |
Network Working Group                                    V. Devarapalli
Request for Comments: 4877                              Azaire Networks
Updates: 3776                                                 F. Dupont
Category: Standards Track                                         CELAR
                                                             April 2007

     Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes Mobile IPv6 operation with the revised IPsec
   architecture and IKEv2.

Devarapalli & Dupont        Standards Track                     [Page 1]
RFC 4877            Mobile IPv6 with IKEv2 and IPsec          April 2007

Table of Contents

   1.  Introduction ................................................. 3
   2.  Terminology .................................................. 3
   3.  Packet Formats ............................................... 4
   4.  Requirements ................................................. 4
       4.1.  General Requirements ................................... 5
       4.2.  Policy Requirements .................................... 5
       4.3.  IPsec Protocol Processing Requirements ................. 7
       4.4.  Dynamic Keying Requirements ............................ 9
   5.  Selector Granularity Considerations ......................... 10
   6.  Manual Configuration ........................................ 11
       6.1.  Binding Updates and Acknowledgements .................. 12
       6.2.  Return Routability Messages ........................... 13
       6.3.  Mobile Prefix Discovery Messages ...................... 14
       6.4.  Payload Packets ....................................... 14
   7.  Dynamic Configuration ....................................... 15
       7.1.  Peer Authorization Database Entries ................... 15
       7.2.  Security Policy Database Entries ...................... 15
             7.2.1.  Binding Updates and Acknowledgements .......... 16
             7.2.2.  Return Routability Messages ................... 17
             7.2.3.  Mobile Prefix Discovery Messages .............. 17
             7.2.4.  Payload Packets ............................... 18
       7.3.  Security Association Negotiation Using IKEv2 .......... 18
       7.4.  Movements and Dynamic Keying .......................... 20
   8.  The Use of EAP Authentication ............................... 21
   9.  Dynamic Home Address Configuration .......................... 22
   10. Security Considerations ..................................... 23
   11. Acknowledgements ............................................ 24
   12. References .................................................. 24
       12.1. Normative References .................................. 24
       12.2. Informative References ................................ 24

1.  Introduction

   RFC 3776 describes how IPsec, as described in RFC 2401 [11], is used
   with Mobile IPv6 [2] to protect the signaling messages.  It also
   illustrates examples of Security Policy Database and Security
   Association Database entries that can be used to protect Mobile IPv6
   signaling messages.

   The IPsec architecture has been revised in RFC 4301 [5].  Among the
   many changes, the list of selectors has been expanded to include the
   Mobility Header message type.  This has an impact on how security
   policies and security associations are configured for protecting
   mobility header messages.  It becomes easier to differentiate between
   the various Mobility Header messages based on the type value instead
   of checking if a particular mobility header message is being sent on
   a tunnel interface between the mobile node and the home agent, as it
   was in RFC 3776.  The revised IPsec architecture specification also
   includes ICMP message type and code as selectors.  This makes it
   possible to protect Mobile Prefix Discovery messages without applying
   the same security associations to all ICMPv6 messages.

   This document discusses new requirements for the home agent and the
   mobile node to use the revised IPsec architecture and IKEv2.
   Section 4 lists the requirements.  Sections 6 and 7 describe the
   required Security Policy Database (SPD) and Security Association
   Database (SAD) entries.  The Internet Key Exchange (IKE) protocol has
   also been substantially
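As an added illustration (not code from RFC 4877 or from any IPsec implementation), the following Python models the selector difference the Introduction describes: an SPD lookup over an RFC 2401-style selector set versus an RFC 4301-style set in which the Mobility Header type and the ICMPv6 type are selectors. The addresses are constructed, and the SPD entries are a simplified sketch of the mobile-node-to-home-agent direction only, not the entries given in Sections 6 and 7.

```python
import struct
from ipaddress import IPv6Address

MOBILITY_HEADER, ICMPV6 = 135, 58   # IPv6 next-header values
MH_HOTI, MH_BU = 1, 5               # Mobility Header types (RFC 3775): Home Test Init, Binding Update
MPS, ECHO_REQ = 146, 128            # ICMPv6 types: Mobile Prefix Solicitation, Echo Request
HOA, HA = IPv6Address("2001:db8::1"), IPv6Address("2001:db8::ff")  # constructed MN home address / HA

def selectors(pkt: bytes) -> dict:
    """RFC 4301 selector fields of a raw IPv6 packet (MH or ICMPv6 directly after the base header)."""
    nh = pkt[6]
    sel = dict(src=IPv6Address(pkt[8:24]), dst=IPv6Address(pkt[24:40]),
               proto=nh, mh_type=None, icmp_type=None)
    if nh == MOBILITY_HEADER:
        sel["mh_type"] = pkt[42]     # MH: Payload Proto, Header Len, MH Type, Reserved, Checksum
    elif nh == ICMPV6:
        sel["icmp_type"] = pkt[40]   # ICMPv6: Type, Code, Checksum
    return sel

def rule(action, **fields):
    """One SPD entry; any selector not given is a wildcard."""
    r = dict(src=None, dst=None, proto=None, mh_type=None, icmp_type=None)
    r.update(fields, action=action)
    return r

def lookup(spd, pkt):
    """Ordered first-match SPD lookup; unmatched traffic is BYPASS."""
    sel = selectors(pkt)
    for r in spd:
        if all(r[k] is None or r[k] == sel[k] for k in sel):
            return r["action"]
    return "BYPASS"

def ipv6(src, dst, nh, payload):   # version 6, payload length, next header, hop limit 64
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src.packed + dst.packed + payload

def mh_packet(src, dst, mh_type):  # Payload Proto 59 (none), Header Len, MH Type, Reserved, Checksum
    return ipv6(src, dst, MOBILITY_HEADER, struct.pack("!BBBBH", 59, 0, mh_type, 0, 0) + b"\0\0")

def icmpv6_packet(src, dst, icmp_type):
    return ipv6(src, dst, ICMPV6, struct.pack("!BBH", icmp_type, 0, 0))

# RFC 2401-style selectors (the RFC 3776 situation): no MH type or ICMPv6 type, so
# one entry necessarily covers every Mobility Header and every ICMPv6 message.
SPD_3776 = [rule("ESP-transport", src=HOA, dst=HA, proto=MOBILITY_HEADER),
            rule("ESP-transport", src=HOA, dst=HA, proto=ICMPV6)]
# RFC 4301 selectors: Binding Update and Mobile Prefix Solicitation get their own
# entries; other MH and ICMPv6 traffic between the same addresses falls to BYPASS.
SPD_4301 = [rule("ESP-transport", src=HOA, dst=HA, proto=MOBILITY_HEADER, mh_type=MH_BU),
            rule("ESP-transport", src=HOA, dst=HA, proto=ICMPV6, icmp_type=MPS)]
```

With the RFC 4301 selector set, a Home Test Init or an Echo Request between the same two addresses no longer inherits the Binding Update or Mobile Prefix Discovery policy, which is the granularity the Introduction points to.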