Mobile IPv4 Traversal across IPsec-Based VPN Gateways
RFC 5265
Document Type RFC - Proposed Standard (June 2008; No errata)
Last updated 2015-10-14
Replaces draft-ietf-mobileip-vpn-problem-solution
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5265 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Jari Arkko
Send notices to (None)
Email authors Email WG IPR 1 References Referenced by Nits 
Network Working Group                                         S. Vaarala
Request for Comments: 5265                                       Codebay
Category: Standards Track                                    E. Klovning
                                                                Birdstep
                                                               June 2008

         Mobile IPv4 Traversal across IPsec-Based VPN Gateways

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document outlines a solution for the Mobile IPv4 (MIPv4) and
   IPsec coexistence problem for enterprise users.  The solution
   consists of an applicability statement for using Mobile IPv4 and
   IPsec for session mobility in corporate remote access scenarios, and
   a required mechanism for detecting the trusted internal network
   securely.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Scope  . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     1.3.  Related Work . . . . . . . . . . . . . . . . . . . . . . .  5
     1.4.  Terms and Abbreviations  . . . . . . . . . . . . . . . . .  5
     1.5.  Requirement Levels . . . . . . . . . . . . . . . . . . . .  6
     1.6.  Assumptions and Rationale  . . . . . . . . . . . . . . . .  7
     1.7.  Why IPsec Lacks Mobility . . . . . . . . . . . . . . . . .  8
   2.  The Network Environment  . . . . . . . . . . . . . . . . . . .  9
     2.1.  Access Mode: 'c' . . . . . . . . . . . . . . . . . . . . . 12
     2.2.  Access Mode: 'f' . . . . . . . . . . . . . . . . . . . . . 13
     2.3.  Access Mode: 'cvc' . . . . . . . . . . . . . . . . . . . . 13
     2.4.  Access Mode: 'fvc' . . . . . . . . . . . . . . . . . . . . 14
     2.5.  NAT Traversal  . . . . . . . . . . . . . . . . . . . . . . 14
   3.  Internal Network Detection . . . . . . . . . . . . . . . . . . 15
     3.1.  Assumptions  . . . . . . . . . . . . . . . . . . . . . . . 16
     3.2.  Implementation Requirements  . . . . . . . . . . . . . . . 16
       3.2.1.  Separate Tracking of Network Interfaces  . . . . . . . 16
       3.2.2.  Connection Status Change . . . . . . . . . . . . . . . 16
       3.2.3.  Registration-Based Internal Network Detection  . . . . 17

Vaarala & Klovning          Standards Track                     [Page 1]
RFC 5265                       MIPv4-VPN                       June 2008

       3.2.4.  Registration-Based Internal Network Monitoring . . . . 17
     3.3.  Proposed Algorithm . . . . . . . . . . . . . . . . . . . . 19
     3.4.  Trusted Networks Configured (TNC) Extension  . . . . . . . 20
     3.5.  Implementation Issues  . . . . . . . . . . . . . . . . . . 20
     3.6.  Rationale for Design Choices . . . . . . . . . . . . . . . 21
       3.6.1.  Firewall Configuration Requirements  . . . . . . . . . 21
       3.6.2.  Registration-Based Internal Network Monitoring . . . . 22
       3.6.3.  No Encryption When Inside  . . . . . . . . . . . . . . 22
     3.7.  Improvements . . . . . . . . . . . . . . . . . . . . . . . 22
   4.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 23
     4.1.  Mobile Node Requirements . . . . . . . . . . . . . . . . . 23
     4.2.  VPN Device Requirements  . . . . . . . . . . . . . . . . . 23
     4.3.  Home Agent Requirements  . . . . . . . . . . . . . . . . . 24
   5.  Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
     5.1.  Comparison against Guidelines  . . . . . . . . . . . . . . 24
     5.2.  Packet Overhead  . . . . . . . . . . . . . . . . . . . . . 26
     5.3.  Latency Considerations . . . . . . . . . . . . . . . . . . 27
     5.4.  Firewall State Considerations  . . . . . . . . . . . . . . 27
     5.5.  Intrusion Detection Systems (IDSs) . . . . . . . . . . . . 28
     5.6.  Implementation of the Mobile Node  . . . . . . . . . . . . 28
     5.7.  Non-IPsec VPN Protocols  . . . . . . . . . . . . . . . . . 28
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 29
     6.1.  Internal Network Detection . . . . . . . . . . . . . . . . 29
     6.2.  Mobile IPv4 versus IPsec . . . . . . . . . . . . . . . . . 30
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 31
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 31
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 32
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 33
   Appendix A.  Packet Flow Examples  . . . . . . . . . . . . . . . . 34
     A.1.  Connection Setup for Access Mode 'cvc' . . . . . . . . . . 34
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools