datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

Mobile IPv4 Traversal across IPsec-Based VPN Gateways
RFC 5265

Document type: RFC - Proposed Standard (June 2008)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html
IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG State: RFC 5265 (Proposed Standard)
Responsible AD: Jari Arkko
Send notices to: mip4-chairs@tools.ietf.org, draft-ietf-mip4-vpn-problem-solution@tools.ietf.org
Email Authors | IPR Disclosures (1) | References | Referenced By | Check nits | History feed | Search Mailing Lists 
Network Working Group                                         S. Vaarala
Request for Comments: 5265                                       Codebay
Category: Standards Track                                    E. Klovning
                                                                Birdstep
                                                               June 2008

         Mobile IPv4 Traversal across IPsec-Based VPN Gateways

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document outlines a solution for the Mobile IPv4 (MIPv4) and
   IPsec coexistence problem for enterprise users.  The solution
   consists of an applicability statement for using Mobile IPv4 and
   IPsec for session mobility in corporate remote access scenarios, and
   a required mechanism for detecting the trusted internal network
   securely.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Scope  . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     1.3.  Related Work . . . . . . . . . . . . . . . . . . . . . . .  5
     1.4.  Terms and Abbreviations  . . . . . . . . . . . . . . . . .  5
     1.5.  Requirement Levels . . . . . . . . . . . . . . . . . . . .  6
     1.6.  Assumptions and Rationale  . . . . . . . . . . . . . . . .  7
     1.7.  Why IPsec Lacks Mobility . . . . . . . . . . . . . . . . .  8
   2.  The Network Environment  . . . . . . . . . . . . . . . . . . .  9
     2.1.  Access Mode: 'c' . . . . . . . . . . . . . . . . . . . . . 12
     2.2.  Access Mode: 'f' . . . . . . . . . . . . . . . . . . . . . 13
     2.3.  Access Mode: 'cvc' . . . . . . . . . . . . . . . . . . . . 13
     2.4.  Access Mode: 'fvc' . . . . . . . . . . . . . . . . . . . . 14
     2.5.  NAT Traversal  . . . . . . . . . . . . . . . . . . . . . . 14
   3.  Internal Network Detection . . . . . . . . . . . . . . . . . . 15
     3.1.  Assumptions  . . . . . . . . . . . . . . . . . . . . . . . 16
     3.2.  Implementation Requirements  . . . . . . . . . . . . . . . 16
       3.2.1.  Separate Tracking of Network Interfaces  . . . . . . . 16
       3.2.2.  Connection Status Change . . . . . . . . . . . . . . . 16
       3.2.3.  Registration-Based Internal Network Detection  . . . . 17

Vaarala & Klovning          Standards Track                     [Page 1]
RFC 5265                       MIPv4-VPN                       June 2008

       3.2.4.  Registration-Based Internal Network Monitoring . . . . 17
     3.3.  Proposed Algorithm . . . . . . . . . . . . . . . . . . . . 19
     3.4.  Trusted Networks Configured (TNC) Extension  . . . . . . . 20
     3.5.  Implementation Issues  . . . . . . . . . . . . . . . . . . 20
     3.6.  Rationale for Design Choices . . . . . . . . . . . . . . . 21
       3.6.1.  Firewall Configuration Requirements  . . . . . . . . . 21
       3.6.2.  Registration-Based Internal Network Monitoring . . . . 22
       3.6.3.  No Encryption When Inside  . . . . . . . . . . . . . . 22
     3.7.  Improvements . . . . . . . . . . . . . . . . . . . . . . . 22
   4.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 23
     4.1.  Mobile Node Requirements . . . . . . . . . . . . . . . . . 23
     4.2.  VPN Device Requirements  . . . . . . . . . . . . . . . . . 23
     4.3.  Home Agent Requirements  . . . . . . . . . . . . . . . . . 24
   5.  Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
     5.1.  Comparison against Guidelines  . . . . . . . . . . . . . . 24
     5.2.  Packet Overhead  . . . . . . . . . . . . . . . . . . . . . 26
     5.3.  Latency Considerations . . . . . . . . . . . . . . . . . . 27
     5.4.  Firewall State Considerations  . . . . . . . . . . . . . . 27
     5.5.  Intrusion Detection Systems (IDSs) . . . . . . . . . . . . 28
     5.6.  Implementation of the Mobile Node  . . . . . . . . . . . . 28
     5.7.  Non-IPsec VPN Protocols  . . . . . . . . . . . . . . . . . 28
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 29
     6.1.  Internal Network Detection . . . . . . . . . . . . . . . . 29
     6.2.  Mobile IPv4 versus IPsec . . . . . . . . . . . . . . . . . 30
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 31
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 31
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 32

[include full document text]