07/03/2005 62nd ietf – minneapolis mobile ipv6 wg meeting pf_key extension as an interface between...
TRANSCRIPT
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
PF_KEY Extension as an Interface between Mobile IPv6 and IPsec/IKE
Shinta Sugimoto
Francis Dupont
draft-sugimoto-mip6-pfkey-migrate-00
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Topics
• Background• Do we need any interaction between Mobile IPv6
and IPsec/IKE?• Extension to PF_KEY framework – MIGRATE
– Concepts– Message Format– Message sequence– Limitation
• Conclusion
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Background
• Mobile IPv6 uses IPsec to protect messages exchanged between MN and HA as specified in RFC 3775, RFC 3776:– Home Registration signals (BU/BA)– Return Routability messages (HoTI/HoT)– MIPv6 specific ICMPv6 messages (MPS/MPA)– Payload packets
• SA pairs are necessary to be established between the MN and HA in static or dynamic manner
• Tunnel mode SAs are necessary to be updated whenever the MN performs movement
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
HA2
MN2
HA1
MN1
Internet
IP-in-IP tunnelIPsec tunnel
INBOUND:sel: src=HoA_MN1, dst=any, proto=MHapply SA2 (ESP tunnel)OUTBOUND:sel: src=any, dst=HoA_MN1, proto=MHapply SA1 (ESP tunnel)
INBOUND:sel: src=HoA_MN1, dst=any, proto=MHapply SA2 (ESP tunnel)OUTBOUND:sel: src=any, dst=HoA_MN1, proto=MHapply SA1 (ESP tunnel)
INBOUND:sel: src=any, dst=HoA_MN1, proto=MHapply SA1 (ESP tunnel)OUTBOUND:sel: src=HoA_MN1, dst=any, proto=MHapply SA2 (ESP tunnel)
INBOUND:sel: src=any, dst=HoA_MN1, proto=MHapply SA1 (ESP tunnel)OUTBOUND:sel: src=HoA_MN1, dst=any, proto=MHapply SA2 (ESP tunnel)
IP-in-IP tunnel
4
1
23
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Necessary Interactions between Mobile IPv6 and IPsec/IKE
• Update endpoint address of tunnel mode SA– Mobile IPv6 component may not have full access to
SADB
• Update endpoint address stored in SPD entry which is associated with tunnel mode SA– IKE should be able to continuously perform key
negotiation and re-keying
• IKE daemon should update endpoint address of the IKE connection (aka K-bit) to keep its alive while the MN changes its CoA
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Requirements
• Modifications to the existing software (Mobile IPv6 and IPsec/IKE stack) should be kept minimum
• The mechanism should not be platform dependent
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Extension to PF_KEY framework – PF_KEY MIGRATE
• Introduce a new PF_KEY message named MIGRATE which is to be issued by Mobile IPv6 components to inform movement
• PF_KEY MIGRATE requests system and user application to update SADB and SPD:– Tunnel mode SA entry– SPD entry which is associated with the tunnel mode SA
• Additionally, the message can also be used to handle K-bit
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
PF_KEY MIGRATE – message format
• Selector Information:– Source address– Destination address– Upper layer protocol (i.e. MH)– Direction (inbound/outbound)
• Old SA Information:– Old tunnel source address– Old tunnel destination address– Protocol (ESP/AH)
• New SA Information:– New tunnel source address– New tunnel destination address– Protocol (ESP/AH)
3ffe:501:ffff:100:1:2:3:4/128 (HoA)
::/128
135 (MH)
1 (outbound)
3ffe:501:ffff:500:1:2:3:4/128 (Old-CoA)
3ffe:501:ffff:100::1/128 (HA address)
50 (ESP)
3ffe:501:ffff:400:1:2:3:4/128 (New-CoA)
3ffe:501:ffff:100::1/128 (HA address)
50 (ESP)
Example: MN updating outbound SP entry for MN to protect MH messages
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Mobile IPv6daemon
IKE daemon
SPD SAD
Mobile IPv6 IPsec
ISAKMPSA
PF_KEY Socket
Userland
Kernel
PF_KEY MIGRATE
Mobile IPv6core
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Message Sequence of PF_KEY MIGRATE
MN HA
Home Re-registration
Initial Home Registration
HoA=>CoA1 HoA=>CoA1MIGRATE MIGRATE
Home Registration
CoA1=>CoA2 CoA1=>CoA2
MIGRATE MIGRATE
Home De-Registration
CoA2=>HoA CoA2=>HoA
MIGRATE MIGRATE
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Limitations/Concerns
• There is an ambiguity in the way to specify target SADB entry:– Current scheme to specify target SADB entry based on
src/dst address pair does not seem to be the best solution
• Delivery of PF_KEY MIGRATE message cannot be guaranteed:– When a message is lost, there will be an inconsistency
between Mobile IPv6 and IPsec database
• Some parts of the PF_KEY MIGRATE are implementation dependent:– There is no standard way to make an access to SPD
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Implementation Status
• BSD– MIPv6: A prototype implemented on KAME/SHISA on
FreeBSD
– IKE: Enhancements made to IKEv1 daemon (racoon)
• Linux– MIPv6: A prototype implemented on MIPL 2.0 on
Linux-2.6
– IKE: Enhancements made to IKEv1 daemon (racoon) which was originally ported from BSD
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Conclusion• There should be a minimum interface between Mobile IPv6
and IPsec/IKE to fully take advantage of security features• Newly defined PF_KEY MIGRATE message makes it
possible for Mobile IPv6 and IPsec/IKE to interact each other
• By receiving PF_KEY MIGRAGE message, system and user application will become able to make necessary update of SADB/SPD
• Proposed mechanism has been implemented on both Linux and BSD platform
• Further improvements are needed to overcome some limitations
07/03/2005 62nd IETF – MinneapolisMobile IPv6 WG meeting
Thank you !&
Questions ?