From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3776.txt | 2243 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2243 insertions(+) create mode 100644 doc/rfc/rfc3776.txt (limited to 'doc/rfc/rfc3776.txt') diff --git a/doc/rfc/rfc3776.txt b/doc/rfc/rfc3776.txt new file mode 100644 index 0000000..88bc78b --- /dev/null +++ b/doc/rfc/rfc3776.txt @@ -0,0 +1,2243 @@ + + + + + + +Network Working Group J. Arkko +Request for Comments: 3776 Ericsson +Category: Standards Track V. Devarapalli + Nokia Research Center + F. Dupont + GET/ENST Bretagne + June 2004 + + + Using IPsec to Protect Mobile IPv6 Signaling Between + Mobile Nodes and Home Agents + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2004). + +Abstract + + Mobile IPv6 uses IPsec to protect signaling between the home agent + and the mobile node. Mobile IPv6 base document defines the main + requirements these nodes must follow. This document discusses these + requirements in more depth, illustrates the used packet formats, + describes suitable configuration procedures, and shows how + implementations can process the packets in the right order. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.1 Binding Updates and Acknowledgements . . . . . . . . . 5 + 3.2 Return Routability Signaling . . . . . . . . . . . . . 7 + 3.3 Prefix Discovery . . . . . . . . . . . . . . . . . . . 8 + 3.4 Payload Packets . . . . . . . . . . . . . . . . . . . 9 + 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 9 + 4.1 Mandatory Support . . . . . . . . . . . . . . . . . . 10 + 4.2 Policy Requirements . . . . . . . . . . . . . . . . . 10 + 4.3 IPsec Protocol Processing . . . . . . . . . . . . . . 13 + 4.4 Dynamic Keying . . . . . . . . . . . . . . . . . . . . 15 + 5. Example Configurations . . . . . . . . . . . . . . . . . . . 16 + + + +Arkko, et al. Standards Track [Page 1] + +RFC 3776 Home Agent IPsec June 2004 + + + 5.1 Format . . . . . . . . . . . . . . . . . . . . . . . . 17 + 5.2 Manual Configuration . . . . . . . . . . . . . . . . . 18 + 5.2.1 Binding Updates and Acknowledgements . . . . . . 18 + 5.2.2 Return Routability Signaling . . . . . . . . . . 19 + 5.2.3 Prefix Discovery . . . . . . . . . . . . . . . . 20 + 5.2.4 Payload Packets . . . . . . . . . . . . . . . . 21 + 5.3 Dynamic Keying . . . . . . . . . . . . . . . . . . . . 22 + 5.3.1 Binding Updates and Acknowledgements . . . . . . 22 + 5.3.2 Return Routability Signaling . . . . . . . . . . 23 + 5.3.3 Prefix Discovery . . . . . . . . . . . . . . . . 24 + 5.3.4 Payload Packets . . . . . . . . . . . . . . . . 25 + 6. Processing Steps within a Node . . . . . . . . . . . . . . . 25 + 6.1 Binding Update to the Home Agent . . . . . . . . . . . 25 + 6.2 Binding Update from the Mobile Node . . . . . . . . . 26 + 6.3 Binding Acknowledgement to the Mobile Node . . . . . . 27 + 6.4 Binding Acknowledgement from the Home Agent . . . . . 28 + 6.5 Home Test Init to the Home Agent . . . . . . . . . . . 29 + 6.6 Home Test Init from the Mobile Node . . . . . . . . . 30 + 6.7 Home Test to the Mobile Node . . . . . . . . . . . . . 30 + 6.8 Home Test from the Home Agent . . . . . . . . . . . . 31 + 6.9 Prefix Solicitation Message to the Home Agent . . . . 31 + 6.10 Prefix Solicitation Message from the Mobile Node . . . 31 + 6.11 Prefix Advertisement Message to the Mobile Node . . . 32 + 6.12 Prefix Advertisement Message from the Home Agent . . . 32 + 6.13 Payload Packet to the Home Agent . . . . . . . . . . . 32 + 6.14 Payload Packet from the Mobile Node . . . . . . . . . 32 + 6.15 Payload Packet to the Mobile Node . . . . . . . . . . 32 + 6.16 Payload Packet from the Home Agent . . . . . . . . . . 32 + 6.17 Establishing New Security Associations . . . . . . . . 32 + 6.18 Rekeying Security Associations . . . . . . . . . . . . 33 + 6.19 Movements and Dynamic Keying . . . . . . . . . . . . . 34 + 7. Implementation Considerations . . . . . . . . . . . . . . . 35 + 7.1 IPsec . . . . . . . . . . . . . . . . . . . . . . . . 35 + 7.2 IKE . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 7.3 Bump-in-the-Stack . . . . . . . . . . . . . . . . . . 37 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 37 + 9. Security Considerations . . . . . . . . . . . . . . . . . . 37 + 10 References . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 10.1 Normative References . . . . . . . . . . . . . . . . . 38 + 10.2 Informative References . . . . . . . . . . . . . . . . 38 + 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 + 12. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 39 + 13. Full Copyright Statement . . . . . . . . . . . . . . . . . . 40 + + + + + + + + +Arkko, et al. Standards Track [Page 2] + +RFC 3776 Home Agent IPsec June 2004 + + +1. Introduction + + This document illustrates the use of IPsec in securing Mobile IPv6 + [7] traffic between mobile nodes and home agents. In Mobile IPv6, a + mobile node is always expected to be addressable at its home address, + whether it is currently attached to its home link or is away from + home. The "home address" is an IP address assigned to the mobile + node within its home subnet prefix on its home link. While a mobile + node is at home, packets addressed to its home address are routed to + the mobile node's home link. + + While a mobile node is attached to some foreign link away from home, + it is also addressable at a care-of address. A care-of address is an + IP address associated with a mobile node that has a subnet prefix + from a particular foreign link. The association between a mobile + node's home address and care-of address is known as a "binding" for + the mobile node. While away from home, a mobile node registers its + primary care-of address with a router on its home link, requesting + this router to function as the "home agent" for the mobile node. The + mobile node performs this binding registration by sending a "Binding + Update" message to the home agent. The home agent replies to the + mobile node by returning a "Binding Acknowledgement" message. + + Any other nodes communicating with a mobile node are referred to as + "correspondent nodes". Mobile nodes can provide information about + their current location to correspondent nodes, again using Binding + Updates and Acknowledgements. Additionally, return routability test + is performed between the mobile node, home agent, and the + correspondent node in order to authorize the establishment of the + binding. Packets between the mobile node and the correspondent node + are either tunneled via the home agent, or sent directly if a binding + exists in the correspondent node for the current location of the + mobile node. + + Mobile IPv6 tunnels payload packets between the mobile node and the + home agent in both directions. This tunneling uses IPv6 + encapsulation [6]. Where these tunnels need to be secured, they are + replaced by IPsec tunnels [2]. + + Mobile IPv6 also provides support for the reconfiguration of the home + network. Here, the home subnet prefixes may change over time. + Mobile nodes can learn new information about home subnet prefixes + through the "prefix discovery" mechanism. + + This document discusses security mechanisms for the control traffic + between the mobile node and the home agent. If this traffic is not + protected, mobile nodes and correspondent nodes are vulnerable to + man-in-the-middle, hijacking, passive wiretapping, impersonation, and + + + +Arkko, et al. Standards Track [Page 3] + +RFC 3776 Home Agent IPsec June 2004 + + + denial-of-service attacks. Any third parties are also vulnerable to + denial-of-service attacks, for instance if an attacker could direct + the traffic flowing through the home agent to a innocent third party. + These attacks are discussed in more detail in Section 15.1 of the + Mobile IPv6 base specification [7]. + + In order to avoid these attacks, the base specification uses IPsec + Encapsulating Security Payload (ESP) [3] to protect control traffic + between the home agent and the mobile node. This control traffic + consists of various messages carried by the Mobility Header protocol + in IPv6 [5]. The traffic takes the following forms: + + o Binding Update and Acknowledgement messages exchanged between the + mobile node and the home agent, as described in Sections 10.3.1, + 10.3.2, 11.7.1, and 11.7.3 of the base specification [7]. + + o Return routability messages Home Test Init and Home Test that pass + through the home agent on their way to a correspondent node, as + described in Section 10.4.6 of the base specification [7]. + + o ICMPv6 messages exchanged between the mobile node and the home + agent for the purposes of prefix discovery, as described in + Sections 10.6 and 11.4 of the base specification [7]. + + The nodes may also optionally protect payload traffic passing through + the home agent, as described in Section 5.5 of the base specification + [7]. If multicast group membership control protocols or stateful + address autoconfiguration protocols are supported, payload data + protection support is required. + + The control traffic between the mobile node and the home agent + requires message authentication, integrity, correct ordering and + anti-replay protection. The mobile node and the home agent must have + an IPsec security association to protect this traffic. IPsec does + not proving correct ordering of messages. Correct ordering of the + control traffic is ensured by a sequence number in the Binding Update + and Binding Acknowledgement messages. The sequence number in the + Binding Updates also provides protection to a certain extent. It + fails in some scenarios, for example, if the Home Agent loses the + Binding Cache state. Full protection against replay attacks is + possible only when IKE is used. + + Great care is needed when using IKE [4] to establish security + associations to Mobile IPv6 home agents. The right kind of addresses + must be used for transporting IKE. This is necessary to avoid + circular dependencies in which the use of a Binding Update triggers + the need for an IKE exchange that cannot complete prior to the + Binding Update having been completed. + + + +Arkko, et al. Standards Track [Page 4] + +RFC 3776 Home Agent IPsec June 2004 + + + The mobile IPv6 base document defines the main requirements the + mobile nodes and home agents must follow when securing the above + traffic. This document discusses these requirements in more depth, + illustrates the used packet formats, describes suitable configuration + procedures, and shows how implementations can process the packets in + the right order. + + We begin our description by showing the required wire formats for the + protected packets in Section 3. Section 4 describes rules which + associated Mobile IPv6, IPsec, and IKE implementations must observe. + Section 5 discusses how to configure either manually keyed IPsec + security associations or how to configure IKE to establish them + automatically. Section 6 shows examples of how packets are processed + within the nodes. + + All implementations of Mobile IPv6 mobile node and home agent MUST + support at least the formats described in Section 3 and obey the + rules in Section 4. + + The configuration and processing sections are informative, and should + only be considered as one possible way of providing the required + functionality. + + Note that where this document indicates a feature MUST be supported + and SHOULD be used, this implies that all implementations must be + capable of using the specified feature, but there may be cases where, + for instance, a configuration option disables to use of the feature + in a particular situation. + +2. Terminology + + The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [1]. + +3. Packet Formats + +3.1. Binding Updates and Acknowledgements + + When the mobile node is away from its home, the BUs sent by it to the + home agent MUST support at least the following headers in the + following order: + + IPv6 header (source = care-of address, + destination = home agent) + Destination Options header + Home Address option (home address) + ESP header in transport mode + + + +Arkko, et al. Standards Track [Page 5] + +RFC 3776 Home Agent IPsec June 2004 + + + Mobility header + Binding Update + Alternate Care-of Address option (care-of address) + + Note that the Alternate Care-of Address option is used to ensure that + the care-of address is protected by ESP. The home agent considers + the address within this option as the current care-of address for the + mobile node. The home address is not protected by ESP directly, but + the use of a specific home address with a specific security + association is required by policy. + + The Binding Acknowledgements sent back to the mobile node when it is + away from home MUST support at least the following headers in the + following order: + + IPv6 header (source = home agent, + destination = care-of address) + Routing header (type 2) + home address + ESP header in transport mode + Mobility header + Binding Acknowledgement + + When the mobile node is at home, the above rules are different as the + mobile node can use its home address as a source address. This + typically happens for the de-registration Binding Update when the + mobile is returning home. In this situation, the Binding Updates + MUST support at least the following headers in the following order: + + IPv6 header (source = home address, + destination = home agent) + ESP header in transport mode + Mobility header + Binding Update + + The Binding Acknowledgement messages sent to the home address MUST + support at least the following headers in the following order: + + IPv6 header (source = home agent, + destination = home address) + ESP header in transport mode + Mobility header + Binding Acknowledgement + + + + + + + + +Arkko, et al. Standards Track [Page 6] + +RFC 3776 Home Agent IPsec June 2004 + + +3.2. Return Routability Signaling + + When the Home Test Init messages tunneled to the home agent are + protected by IPsec, they MUST support at least the following headers + in the following order: + + IPv6 header (source = care-of address, + destination = home agent) + ESP header in tunnel mode + IPv6 header (source = home address, + destination = correspondent node) + Mobility Header + Home Test Init + + This format assumes that the mobile node's current care-of address is + used as the outer header destination address in the security + association. As discussed in Section 4.3, this requires the home + agent to update the destination address when the mobile node moves. + Policy entries and security association selectors stay the same, + however, as the inner packets do not change upon movements. + + Note that there are trade-offs in using care-of addresses as the + destination addresses versus using the home address and attaching an + additional Home Address destination option and/or Routing header to + the packets. The basis for requiring support for at least the + care-of address case has been discussed in Section 7. + + Similarly, when the Home Test messages tunneled from the home agent + are protected by IPsec, they MUST support at least the following + headers in the following order: + + IPv6 header (source = home agent, + destination = care-of address) + ESP header in tunnel mode + IPv6 header (source = correspondent node, + destination = home address) + Mobility Header + Home Test + + The format used to protect return routability packets relies on the + destination of the tunnel packets to change for the mobile node as it + moves. The home agent's address stays the same, but the mobile + node's address changes upon movements, as if the security + association's outer header destination address had changed. When the + mobile node adopts a new care-of address, it adopts also a new source + address for outgoing tunnel packets. The home agent accepts packets + sent like this, as the outer source address in tunnel packets is not + checked according to the rules in RFC 2401. (We note, however, that + + + +Arkko, et al. Standards Track [Page 7] + +RFC 3776 Home Agent IPsec June 2004 + + + some implementations are known to make source address checks.) For a + discussion of the role of source addresses in outer tunnel headers, + see Section 5.1.2.1 of RFC 2401 [2]. Note also that the home agent + requires the packets to be authenticated regardless of the source + address change, hence the "new" sender must possess the same keys for + the security association as it had in the previous location. This + proves that the sender is the same entity, regardless of the changes + in the addresses. + + The process is more complicated in the home agent side, as the home + agent has stored the previous care-of address in its Security + Association Database as the outer header destination address. When + IKE is being used, the mobile node runs it on top of its current + care-of address, and the resulting tunnel-mode security associations + will use the same addresses as IKE run over. In order for the home + agent to be able to tunnel a Home Test message to the mobile node, it + uses the current care-of address as the destination of the tunnel + packets, as if the home agent had modified the outer header + destination address in the security association used for this + protection. This implies that the same security association can be + used in multiple locations, and no new configuration or + re-establishment of IKE phases is needed per movement. Section 5.2.2 + discusses the security policy and security association database + entries that are needed to accomplish this. + +3.3. Prefix Discovery + + If IPsec is used to protect prefix discovery, requests for prefixes + from the mobile node to the home agent MUST support at least the + following headers in the following order. + + IPv6 header (source = care-of address, + destination = home agent) + Destination Options header + Home Address option (home address) + ESP header in transport mode + ICMPv6 + Mobile Prefix Solicitation + + Again if IPsec is used, solicited and unsolicited prefix information + advertisements from the home agent to the mobile node MUST support at + least the following headers in the following order. + + IPv6 header (source = home agent, + destination = care-of address) + Routing header (type 2) + home address + ESP header in transport mode + + + +Arkko, et al. Standards Track [Page 8] + +RFC 3776 Home Agent IPsec June 2004 + + + ICMPv6 + Mobile Prefix Advertisement + +3.4. Payload Packets + + If IPsec is used to protect payload packets tunneled to the home + agent from the mobile node, we use a format similar to the one in + Section 3.2. However, instead of the MobilityHeader, these packets + may contain any legal IPv6 protocol(s): + + IPv6 header (source = care-of address, + destination = home agent) + ESP header in tunnel mode + IPv6 header (source = home address, + destination = correspondent node) + Any protocol + + Similarly, when the payload packets are tunneled from the home agent + to the mobile node with ESP encapsulation, they MUST support at least + the following headers in the following order: + + IPv6 header (source = home agent, + destination = care-of address) + ESP header in tunnel mode + IPv6 header (source = correspondent node, + destination = home address) + Any protocol + +4. Requirements + + This section describes mandatory rules for all Mobile IPv6 mobile + nodes and home agents. These rules are necessary in order for it to + be possible to enable IPsec communications despite movements, + guarantee sufficient security, and to ensure correct processing order + of packets. + + The rules in the following sections apply only to the communications + between home agents and mobile nodes. They should not be taken as + requirements on how IPsec in general is used by mobile nodes. + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 9] + +RFC 3776 Home Agent IPsec June 2004 + + +4.1. Mandatory Support + + The following requirements apply to both home agents and mobile + nodes: + + o Manual configuration of IPsec security associations MUST be + supported. The configuration of the keys is expected to take + place out-of-band, for instance at the time the mobile node is + configured to use its home agent. + + o Automatic key management with IKE [4] MAY be supported. Only + IKEv1 is discussed in this document. Other automatic key + management mechanisms exist and will appear beyond IKEv1, but this + document does not address the issues related to them. + + o ESP encapsulation of Binding Updates and Acknowledgements between + the mobile node and home agent MUST be supported and MUST be used. + + o ESP encapsulation of the Home Test Init and Home Test messages + tunneled between the mobile node and home agent MUST be supported + and SHOULD be used. + + o ESP encapsulation of the ICMPv6 messages related to prefix + discovery MUST be supported and SHOULD be used. + + o ESP encapsulation of the payload packets tunneled between the + mobile node and home agent MAY be supported and used. + + o If multicast group membership control protocols or stateful + address autoconfiguration protocols are supported, payload data + protection MUST be supported for those protocols. + +4.2. Policy Requirements + + The following requirements apply to both home agents and mobile + nodes: + + o As required in the base specification [7], when a packet destined + to the receiving node is matched against IPsec security policy or + selectors of a security association, an address appearing in a + Home Address destination option is considered as the source + address of the packet. + + Note that the home address option appears before IPsec headers. + Section 11.3.2 of the base specification describes one possible + implementation approach for this: The IPsec policy operations can + be performed at the time when the packet has not yet been modified + per Mobile IPv6 rules, or has been brought back to its normal form + + + +Arkko, et al. Standards Track [Page 10] + +RFC 3776 Home Agent IPsec June 2004 + + + after Mobile IPv6 processing. That is, the processing of the Home + Address option is seen as a fixed transformation of the packets + that does not affect IPsec processing. + + o Similarly, a home address within a Type 2 Routing header destined + to the receiving node is considered as the destination address of + the packet, when a packet is matched against IPsec security policy + or selectors of a security association. + + Similar implementation considers apply to the Routing header + processing as was described above for the Home Address destination + option. + + o When IPsec is used to protect return routability signaling or + payload packets, this protection MUST only be applied to the + return routability packets entering the IPv6 encapsulated tunnel + interface between the mobile node and the home agent. This can be + achieved, for instance, by defining the security policy database + entries specifically for the tunnel interface. That is, the + policy entries are not generally applied on all traffic on the + physical interface(s) of the nodes, but rather only on traffic + that enters this tunnel. + + o The authentication of mobile nodes MAY be based either on machine + or user credentials. Note that multi-user operating systems + typically allow all users of a node to use any of the IP addresses + assigned to the node. This limits the capability of the home + agent to restrict the use of a home address to a particular user + in such environment. Where user credentials are applied in a + multi-user environment, the configuration should authorize all + users of the node to control all home addresses assigned to the + node. + + o When the mobile node returns home and de-registers with the Home + Agent, the tunnel between the home agent and the mobile node's + care-of address is torn down. The security policy entries, which + were used for protecting tunneled traffic between the mobile node + and the home agent MUST be made inactive (for instance, by + removing them and installing them back later through an API). The + corresponding security associations could be kept as they are or + deleted depending on how they were created. If the security + associations were created dynamically using IKE, they are + automatically deleted when they expire. If the security + associations were created through manual configuration, they MUST + be retained and used later when the mobile node moves away from + home again. The security associations protecting Binding Updates + and Acknowledgements, and prefix discovery SHOULD NOT be deleted + as they do not depend on care-of addresses and can be used again. + + + +Arkko, et al. Standards Track [Page 11] + +RFC 3776 Home Agent IPsec June 2004 + + + The following rules apply to mobile nodes: + + o The mobile node MUST use the Home Address destination option in + Binding Updates and Mobile Prefix Solicitations, sent to the home + agent from a care-of address. + + o When the mobile node receives a changed set of prefixes from the + home agent during prefix discovery, there is a need to configure + new security policy entries, and there may be a need to configure + new security associations. It is outside the scope of this + specification to discuss automatic methods for this. + + The following rules apply to home agents: + + o The home agent MUST use the Type 2 Routing header in Binding + Acknowledgements and Mobile Prefix Advertisements sent to the + mobile node, again due to the need to have the home address + visible when the policy checks are made. + + o It is necessary to avoid the possibility that a mobile node could + use its security association to send a Binding Update on behalf of + another mobile node using the same home agent. In order to do + this, the security policy database entries MUST unequivocally + identify a single security association for protecting Binding + Updates between any given home address and home agent when + manually keyed IPsec security associations are used. When dynamic + keying is used, the security policy database entries MUST + unequivocally identify the IKE phase 1 credentials which can be + used to authorize the creation of security associations for + protecting Binding Updates for a particular home address. How + these mappings are maintained is outside the scope of this + specification, but they may be maintained, for instance, as a + locally administered table in the home agent. If the phase 1 + identity is a Fully Qualified Domain Name (FQDN), secure forms of + DNS may also be used. + + o When the set of prefixes advertised by the home agent changes, + there is a need to configure new security policy entries, and + there may be a need to configure new security associations. It is + outside the scope of this specification to discuss automatic + methods for this, if new home addresses are required. + + + + + + + + + + +Arkko, et al. Standards Track [Page 12] + +RFC 3776 Home Agent IPsec June 2004 + + +4.3. IPsec Protocol Processing + + The following requirements apply to both home agents and mobile + nodes: + + o When securing Binding Updates, Binding Acknowledgements, and + prefix discovery, both the mobile nodes and the home agents MUST + support and SHOULD use the Encapsulating Security Payload (ESP) + [3] header in transport mode and MUST use a non-null payload + authentication algorithm to provide data origin authentication, + connectionless integrity and optional anti-replay protection. + + Mandatory support for encryption and integrity protection + algorithms is as defined in RFC 2401 [2], RFC 2402 [8], and RFC + 2406 [3]. Care is needed when selecting suitable encryption + algorithms for ESP, however. Currently available integrity + protection algorithms are in general considered to be secure. The + encryption algorithm, DES, mandated by the current IPsec standards + is not, however. This is particularly problematic when IPsec + security associations are configured manually, as the same key is + used for a long time. + + o Tunnel mode IPsec ESP MUST be supported and SHOULD be used for the + protection of packets belonging to the return routability + procedure. A non-null encryption transform and a non-null + authentication algorithm MUST be applied. + + Note that the return routability procedure involves two message + exchanges from the mobile node to the correspondent node. The + purpose of these exchanges is to assure that the mobile node is + live at the claimed home and care-of addresses. One of the + exchanges is sent directly to and from the correspondent node, + while another one is tunneled through the home agent. If an + attacker is on the mobile node's link and the mobile node's + current link is an unprotected wireless link, the attacker would + able to see both sets of messages, and launch attacks based on it + (these attacks are discussed further in Section 15.4 of the base + specification [7].) One can prevent the attack by making sure + that the packets tunneled through the home agent are encrypted. + + Note that this specification concerns itself only with on-the-wire + formats, and does not dictate specific implementations mechanisms. + In the case of IPsec tunnel mode, the use of IP-in-IP + encapsulation followed by IPsec transport mode encapsulation may + also be possible. + + + + + + +Arkko, et al. Standards Track [Page 13] + +RFC 3776 Home Agent IPsec June 2004 + + + The following rules apply to mobile nodes: + + o When ESP is used to protect Binding Updates, there is no + protection for the care-of address which appears in the IPv6 + header outside the area protected by ESP. It is important for the + home agent to verify that the care-of address has not been + tampered with. As a result, the attacker would have redirected + the mobile node's traffic to another address. In order to prevent + this, Mobile IPv6 implementations MUST use the Alternate Care-of + Address mobility option in Binding Updates sent by mobile nodes + while away from home. The exception to this is when the mobile + node returns home and sends a Binding Update to the home agent in + order to de-register. In this case no Alternate Care-of Address + option is needed, as described in Section 3.1. + + When IPsec is used to protect return routability signaling or + payload packets, the mobile node MUST set the source address it + uses for the outgoing tunnel packets to the current primary care- + of address. The mobile node starts to use a new primary care-of + address immediately after sending a Binding Update to the home + agent to register this new address. Similarly, it starts to use + the new address as the required destination address of tunneled + packets received from the home agent. + + The following rules apply to home agents: + + o When IPsec is used to protect return routability signaling or + payload packets, IPsec security associations are needed to provide + this protection. When the care-of address for the mobile node + changes as a result of an accepted Binding Update, special + treatment is needed for the next packets sent using these security + associations. The home agent MUST set the new care-of address as + the destination address of these packets, as if the outer header + destination address in the security association had changed. + Similarly, the home agent starts to expect the new source address + in the tunnel packets received from the mobile node. + + Such address changes can be implemented, for instance, through an + API from the Mobile IPv6 implementation to the IPsec + implementation. It should be noted that the use of such an API + and the address changes MUST only be done based on the Binding + Updates received by the home agent and protected by the use of + IPsec. Address modifications based on other sources, such as + Binding Updates to the correspondent nodes protected by return + routability, or open access to an API from any application may + result in security vulnerabilities. + + + + + +Arkko, et al. Standards Track [Page 14] + +RFC 3776 Home Agent IPsec June 2004 + + +4.4. Dynamic Keying + + The following requirements apply to both home agents and mobile + nodes: + + o If anti-replay protection is required, dynamic keying MUST be + used. IPsec can provide anti-replay protection only if dynamic + keying is used (which may not always be the case). IPsec also + does not guarantee correct ordering of packets, only that they + have not been replayed. Because of this, sequence numbers within + the Mobile IPv6 messages are used to ensure correct ordering. + However, if the 16 bit Mobile IPv6 sequence number space is cycled + through, or the home agent reboots and loses its state regarding + the sequence numbers, replay and reordering attacks become + possible. The use of dynamic keying, IPsec anti-replay + protection, and the Mobile IPv6 sequence numbers can together + prevent such attacks. + + o If IKE version 1 is used with preshared secrets in main mode, it + determines the shared secret to use from the IP address of the + peer. With Mobile IPv6, however, this may be a care-of address + and does not indicate which mobile node attempts to contact the + home agent. Therefore, if preshared secret authentication is used + in IKEv1 between the mobile node and the home agent then + aggressive mode MUST be used. Note also that care needs to be + taken with phase 1 identity selection. Where the ID_IPV6_ADDR + Identity Payloads is used, unambiguous mapping of identities to + keys is not possible. (The next version of IKE may not have these + limitations.) + + Note that the difficulties with main mode and preshared secrets in + IKE version 1 are well known for dynamic addresses. With static + addresses, there has not been a problem. With Mobile IPv6, however, + the use of the care-of addresses to run IKE to the home agent + presents a problem even when the home address stays stable. Further + discussion about the use of care-of addresses in this way appears in + Section 7. + + The following rules apply to mobile nodes: + + o In addition to the rules above, if dynamic keying is used, the key + management protocol MUST use the care-of address as the source + address in the protocol exchanges with the mobile node's home + agent. + + + + + + + +Arkko, et al. Standards Track [Page 15] + +RFC 3776 Home Agent IPsec June 2004 + + + o However, the IPsec security associations with the mobile node's + home agent use home addresses. That is, the IPsec security + associations MUST be requested from the key management protocol + using the home address of the mobile node as the client identity. + + The security associations for protecting Binding Updates and + Acknowledgements are requested for the Mobility header protocol in + transport mode and for specific IP addresses as endpoints. No + other selectors are used. Similarly, the security associations + for protecting prefix discovery are requested for the ICMPv6 + protocol and the specific IP addresses, again without other + selectors. Security associations for payload and return + routability protection are requested for a specific tunnel + interface and either the payload protocol or the Mobility header + protocol, in tunnel mode. In this case one requested endpoint is + an IP address and the other one is a wildcard, and there are no + other selectors. + + o If the mobile node has used IKE version 1 to establish security + associations with its home agent, it should follow the procedures + discussed in Section 11.7.1 and 11.7.3 of the base specification + [7] to determine whether the IKE endpoints can be moved or if IKE + phase 1 has to be re-established. + + The following rules apply to home agents: + + o If the home agent has used IKE version 1 to establish security + associations with the mobile node, it should follow the procedures + discussed in Section 10.3.1 and 10.3.2 of the base specification + [7] to determine whether the IKE endpoints can be moved or if IKE + phase 1 has to be re-established. + +5. Example Configurations + + In the following we describe the Security Policy Database (SPD) and + Security Association Database (SAD) entries necessary to protect + Binding Updates and Binding Acknowledgements exchanged between the + mobile node and the home agent. + + Section 5.1 introduces the format we use in the description of the + SPD and the SAD. Section 5.2 describes how to configure manually + keyed IPsec security associations without dynamic keying, and Section + 5.3 describes how to use dynamic keying. + + + + + + + + +Arkko, et al. Standards Track [Page 16] + +RFC 3776 Home Agent IPsec June 2004 + + +5.1. Format + + The format used in the examples is as follows. The SPD description + has the format + + "SPD OUT:" + "-" + "-" + ... + "-" + + "SPD IN:" + "-" + "-" + ... + "-" + + Where represents the name of the node, and has the + following format: + + "IF" "THEN USE SA " | + "IF" "THEN USE SA " | + + Where is a boolean expression about the fields of the + IPv6 packet, is the name of a specific security association, and + is a specification for a security association to be + negotiated via IKE [4]. The SAD description has the format + + "SAD:" + "-" + "-" + ... + "-" + + Where represents the name of the node, and has the + following format: + + "(" "," + "," + "," + "," + ")" ":" + + + + + + + + + +Arkko, et al. Standards Track [Page 17] + +RFC 3776 Home Agent IPsec June 2004 + + + Where is "IN" or "OUT", is the SPI of the security + association, is its destination, is in + our case "ESP", is either "TUNNEL" or "TRANSPORT", and + is an expression which describes the IPsec selectors, i.e., which + fields of the IPv6 packet must have which values. + + We will be using an example mobile node in this section with the home + address "home_address_1". The user's identity in this mobile node is + "user_1". The home agent's address is "home_agent_1". + +5.2. Manual Configuration + +5.2.1. Binding Updates and Acknowledgements + + Here are the contents of the SPD and SAD for protecting Binding + Updates and Acknowledgements: + + mobile node SPD OUT: + - IF source = home_address_1 & destination = home_agent_1 & + proto = MH + THEN USE SA SA1 + + mobile node SPD IN: + - IF source = home_agent_1 & destination = home_address_1 & + proto = MH + THEN USE SA SA2 + + mobile node SAD: + - SA1(OUT, spi_a, home_agent_1, ESP, TRANSPORT): + source = home_address_1 & destination = home_agent_1 & + proto = MH + - SA2(IN, spi_b, home_address_1, ESP, TRANSPORT): + source = home_agent_1 & destination = home_address_1 & + proto = MH + + home agent SPD OUT: + - IF source = home_agent_1 & destination = home_address_1 & + proto = MH + THEN USE SA SA2 + + home agent SPD IN: + - IF source = home_address_1 & destination = home_agent_1 & + proto = MH + THEN USE SA SA1 + + home agent SAD: + - SA2(OUT, spi_b, home_address_1, ESP, TRANSPORT): + source = home_agent_1 & destination = home_address_1 & + + + +Arkko, et al. Standards Track [Page 18] + +RFC 3776 Home Agent IPsec June 2004 + + + proto = MH + - SA1(IN, spi_a, home_agent_1, ESP, TRANSPORT): + source = home_address_1 & destination = home_agent_1 & + proto = MH + + In the above, "MH" refers to the protocol number for the Mobility + Header [7]. + +5.2.2. Return Routability Signaling + + In the following we describe the necessary SPD and SAD entries to + protect return routability signaling between the mobile node and the + home agent. Note that the rules in the SPD are ordered, and the ones + in the previous section must take precedence over these ones. In + other words, the higher precedence entries must occur first in the + RFC 2401 [2] ordered list of SPD entries. + + mobile node SPD OUT: + - IF interface = IPv6 IPv6 tunnel to home_agent_1 & + source = home_address_1 & destination = any & + proto = MH + THEN USE SA SA3 + + mobile node SPD IN: + - IF interface = IPv6 tunnel from home_agent_1 & + source = any & destination = home_address_1 & + proto = MH + THEN USE SA SA4 + + mobile node SAD: + - SA3(OUT, spi_c, home_agent_1, ESP, TUNNEL): + source = home_address_1 & destination = any & proto = MH + - SA4(IN, spi_d, care_of_address_1, ESP, TUNNEL): + source = any & destination = home_address_1 & proto = MH + + home agent SPD OUT: + - IF interface = IPv6 tunnel to home_address_1 & + source = any & destination = home_address_1 & + proto = MH + THEN USE SA SA4 + + home agent SPD IN: + - IF interface = IPv6 tunnel from home_address_1 & + source = home_address_1 & destination = any & + proto = MH + THEN USE SA SA3 + + + + + +Arkko, et al. Standards Track [Page 19] + +RFC 3776 Home Agent IPsec June 2004 + + + home agent SAD: + - SA4(OUT, spi_d, care_of_address_1, ESP, TUNNEL): + source = any & destination = home_address_1 & proto = MH + - SA3(IN, spi_c, home_agent_1, ESP, TUNNEL): + source = home_address_1 & destination = any & proto = MH + + The security association from the home agent to the mobile node uses + the current care-of address as the destination. As discussed + earlier, this address is updated in the SAD as the mobile node moves. + It can be initialized to the home address before the mobile node has + registered. + +5.2.3. Prefix Discovery + + In the following we describe some additional SPD and SAD entries to + protect prefix discovery. Note that the SPDs described above protect + all ICMPv6 traffic between the mobile node and the home agent, as + IPsec may not have the ability to distinguish between different + ICMPv6 types. + + mobile node SPD OUT: + - IF source = home_address_1 & destination = home_agent_1 & + proto = ICMPv6 + THEN USE SA SA5. + + mobile node SPD IN: + - IF source = home_agent_1 & destination = home_address_1 & + proto = ICMPv6 + THEN USE SA SA6 + + mobile node SAD: + - SA5(OUT, spi_e, home_agent_1, ESP, TRANSPORT): + source = home_address_1 & destination = home_agent_1 & + proto = ICMPv6 + - SA6(IN, spi_f, home_address_1, ESP, TRANSPORT): + source = home_agent_1 & destination = home_address_1 & + proto = ICMPv6 + + home agent SPD OUT: + - IF source = home_agent_1 & destination = home_address_1 & + proto = ICMPv6 + THEN USE SA SA6 + + home agent SPD IN: + - IF source = home_address_1 & destination = home_agent_1 & + proto = ICMPv6 + THEN USE SA SA5 + + + + +Arkko, et al. Standards Track [Page 20] + +RFC 3776 Home Agent IPsec June 2004 + + + home agent SAD: + - SA6(OUT, spi_f, home_address_1, ESP, TRANSPORT): + source = home_agent_1 & destination = home_address_1 & + proto = ICMPv6 + - SA5(IN, spi_e, home_agent_1, ESP, TRANSPORT): + source = home_address_1 & destination = home_agent_1 & + proto = ICMPv6 + +5.2.4. Payload Packets + + It is also possible to perform some additional, optional, protection + of tunneled payload packets. This protection takes place in a + similar manner to the return routability protection above, but + requires a different value for the protocol field. The necessary SPD + and SAD entries are shown below. It is assumed that the entries for + protecting Binding Updates and Acknowledgements, and the entries to + protect Home Test Init and Home Test messages take precedence over + these entries. + + mobile node SPD OUT: + - IF interface = IPv6 tunnel to home_agent_1 & + source = home_address_1 & destination = any & + proto = X + THEN USE SA SA7 + + mobile node SPD IN: + - IF interface = IPv6 tunnel from home_agent_1 & + source = any & destination = home_address_1 & + proto = X + THEN USE SA SA8 + + mobile node SAD: + - SA7(OUT, spi_g, home_agent_1, ESP, TUNNEL): + source = home_address_1 & destination = any & proto = X + - SA8(IN, spi_h, care_of_address_1, ESP, TUNNEL): + source = any & destination = home_address_1 & proto = X + + home agent SPD OUT: + - IF interface = IPv6 tunnel to home_address_1 & + source = any & destination = home_address_1 & + proto = X + THEN USE SA SA8 + + home agent SPD IN: + - IF interface = IPv6 tunnel from home_address_1 & + source = home_address_1 & destination = any & + proto = X + THEN USE SA SA7 + + + +Arkko, et al. Standards Track [Page 21] + +RFC 3776 Home Agent IPsec June 2004 + + + home agent SAD: + - SA8(OUT, spi_h, care_of_address_1, ESP, TUNNEL): + source = any & destination = home_address_1 & proto = X + - SA7(IN, spi_g, home_agent_1, ESP, TUNNEL): + source = home_address_1 & destination = any & proto = X + + If multicast group membership control protocols such as MLDv1 [9] or + MLDv2 [11] need to be protected, these packets may use a link-local + address rather than the home address of the mobile node. In this + case the source and destination can be left as a wildcard and the SPD + entries will work solely based on the used interface and the + protocol, which is ICMPv6 for both MLDv1 and MLDv2. + + Similar problems are encountered when stateful address + autoconfiguration protocols such as DHCPv6 [10] are used. The same + approach is applicable for DHCPv6 as well. DHCPv6 uses the UDP + protocol. + + Support for multiple layers of encapsulation (such as ESP + encapsulated in ESP) is not required by RFC 2401 [2] and is also + otherwise often problematic. It is therefore useful to avoid setting + the protocol X in the above entries to either AH or ESP. + +5.3. Dynamic Keying + + In this section we show an example configuration that uses IKE to + negotiate security associations. + +5.3.1. Binding Updates and Acknowledgements + + Here are the contents of the SPD for protecting Binding Updates and + Acknowledgements: + + mobile node SPD OUT: + - IF source = home_address_1 & destination = home_agent_1 & + proto = MH + THEN USE SA ESP TRANSPORT: local phase 1 identity = user_1 + + mobile node SPD IN: + - IF source = home_agent_1 & destination = home_address_1 & + proto = MH + THEN USE SA ESP TRANSPORT: local phase 1 identity = user_1 + + home agent SPD OUT: + - IF source = home_agent_1 & destination = home_address_1 & + proto = MH + THEN USE SA ESP TRANSPORT: peer phase 1 identity = user_1 + + + + +Arkko, et al. Standards Track [Page 22] + +RFC 3776 Home Agent IPsec June 2004 + + + home agent SPD IN: + - IF source = home_address_1 & destination = home_agent_1 & + proto = MH + THEN USE SA ESP TRANSPORT: peer phase 1 identity = user_1 + + We have omitted details of the proposed transforms in the above, and + all details related to the particular authentication method such as + certificates beyond listing a specific identity that must be used. + + We require IKE version 1 to be run using the care-of addresses but + still negotiate IPsec SAs that use home addresses. The extra + conditions set by the home agent SPD for the peer phase 1 identity to + be "user_1" must be verified by the home agent. The purpose of the + condition is to ensure that the IKE phase 2 negotiation for a given + user's home address can not be requested by another user. In the + mobile node, we simply set our local identity to be "user_1". + + These checks also imply that the configuration of the home agent is + user-specific: every user or home address requires a specific + configuration entry. It would be possible to alleviate the + configuration tasks by using certificates that have home addresses in + the Subject AltName field. However, it is not clear if all IKE + implementations allow one address to be used for carrying the IKE + negotiations when another address is mentioned in the used + certificates. In any case, even this approach would have required + user-specific tasks in the certification authority. + +5.3.2. Return Routability Signaling + + Protection for the return routability signaling can be configured in + a similar manner as above. + + mobile node SPD OUT: + - IF interface = IPv6 tunnel to home_agent_1 & + source = home_address_1 & destination = any & + proto = MH + THEN USE SA ESP TUNNEL: outer destination = home_agent_1 & + local phase 1 identity = user_1 + + mobile node SPD IN: + - IF interface = IPv6 tunnel from home_agent_1 & + source = any & destination = home_address_1 & + proto = MH + THEN USE SA ESP TUNNEL: outer destination = home_agent_1 & + local phase 1 identity = user_1 + + + + + + +Arkko, et al. Standards Track [Page 23] + +RFC 3776 Home Agent IPsec June 2004 + + + home agent SPD OUT: + - IF interface = IPv6 tunnel to home_address_1 & + source = any & destination = home_address_1 & + proto = MH + THEN USE SA ESP TUNNEL: outer destination = home_address_1 & + peer phase 1 identity = user_1 + + home agent SPD IN: + - IF interface = IPv6 tunnel from home_address_1 & + source = home_address_1 & destination = any & + proto = MH + THEN USE SA ESP TUNNEL: outer destination = home_address_1 & + peer phase 1 identity = user_1 + + The security association from the home agent to the mobile node uses + the current care-of address as the destination. As discussed + earlier, this address is updated in the SAD as the mobile node moves. + The SPD entries can be written using the home address (as above), if + the care-of address update in the SAD is also done upon the creation + of security associations. + +5.3.3. Prefix Discovery + + In the following we describe some additional SPD entries to protect + prefix discovery with IKE. (Note that when actual new prefixes are + discovered, there may be a need to enter new manually configured SPD + entries to specify the authorization policy for the resulting new + home addresses.) + + mobile node SPD OUT: + - IF source = home_address_1 & destination = home_agent_1 & + proto = ICMPv6 + THEN USE SA ESP TRANSPORT: local phase 1 identity = user_1 + + mobile node SPD IN: + - IF source = home_agent_1 & destination = home_address_1 & + proto = ICMPv6 + THEN USE SA ESP TRANSPORT: local phase 1 identity = user_1 + + home agent SPD OUT: + - IF source = home_agent_1 & destination = home_address_1 & + proto = ICMPv6 + THEN USE SA ESP TRANSPORT: peer phase 1 identity = user_1 + + home agent SPD IN: + - IF source = home_address_1 & destination = home_agent_1 & + proto = ICMPv6 + THEN USE SA ESP TRANSPORT: peer phase 1 identity = user_1 + + + +Arkko, et al. Standards Track [Page 24] + +RFC 3776 Home Agent IPsec June 2004 + + +5.3.4. Payload Packets + + Protection for the payload packets happens similarly to the + protection of return routability signaling. As in the manually keyed + case, these SPD entries have lower priority than the above ones. + + mobile node SPD OUT: + - IF interface = IPv6 tunnel to home_agent_1 & + source = home_address_1 & destination = any & + proto = X + THEN USE SA ESP TUNNEL: outer destination = home_agent_1 & + local phase 1 identity = user_1 + + mobile node SPD IN: + - IF interface = IPv6 tunnel from home_agent_1 & + source = any & destination = home_address_1 & + proto = X + THEN USE SA ESP TUNNEL: outer destination = home_agent_1 & + local phase 1 identity = user_1 + + home agent SPD OUT: + - IF interface = IPv6 tunnel to home_address_1 & + source = any & destination = home_address_1 & + proto = X + THEN USE SA ESP TUNNEL: outer destination = home_address_1 & + peer phase 1 identity = user_1 + + home agent SPD IN: + - IF interface = IPv6 tunnel from home_address_1 & + source = home_address_1 & destination = any & + proto = X + THEN USE SA ESP TUNNEL: outer destination = home_address_1 & + peer phase 1 identity = user_1 + +6. Processing Steps within a Node + +6.1. Binding Update to the Home Agent + + Step 1. At the mobile node, Mobile IPv6 module first produces the + following packet: + + IPv6 header (source = home address, + destination = home agent) + Mobility header + Binding Update + + Step 2. This packet is matched against the IPsec SPD on the mobile + node and we make a note that IPsec must be applied. + + + +Arkko, et al. Standards Track [Page 25] + +RFC 3776 Home Agent IPsec June 2004 + + + Step 3. Then, we add the necessary Mobile IPv6 options but do not + change the addresses yet, as described in Section 11.3.2 of the base + specification [7]. This results in: + + IPv6 header (source = home address, + destination = home agent) + Destination Options header + Home Address option (care-of address) + Mobility header + Binding Update + + Step 4. Finally, IPsec headers are added and the necessary + authenticator values are calculated: + + IPv6 header (source = home address, + destination = home agent) + Destination Options header + Home Address option (care-of address) + ESP header (SPI = spi_a) + Mobility header + Binding Update + + Here spi_a is the SPI value that was either configured manually, or + agreed upon in an earlier IKE negotiation. + + Step 5. Before sending the packet, the addresses in the IPv6 header + and the Destination Options header are changed: + + IPv6 header (source = care-of address, + destination = home agent) + Destination Options header + Home Address option (home address) + ESP header (SPI = spi_a) + Mobility header + Binding Update + +6.2. Binding Update from the Mobile Node + + Step 1. The following packet is received at the home agent: + + IPv6 header (source = care-of address, + destination = home agent) + Destination Options header + Home Address option (home address) + ESP header (SPI = spi_a) + Mobility header + Binding Update + + + + +Arkko, et al. Standards Track [Page 26] + +RFC 3776 Home Agent IPsec June 2004 + + + Step 2. The home address option is processed first, which results in + + IPv6 header (source = home address, + destination = home agent) + Destination Options header + Home Address option (care-of address) + ESP header (SPI = spi_a) + Mobility header + Binding Update + + Step 3. ESP header is processed next, resulting in + + IPv6 header (source = home address, + destination = home agent) + Destination Options header + Home Address option (care-of address) + Mobility header + Binding Update + + Step 4. This packet matches the policy required for this security + association (source = home address, destination = home agent, proto = + MH). + + Step 5. Mobile IPv6 processes the Binding Update. The Binding + Update is delivered to the Mobile IPv6 module. + + Step 6. If there are any security associations in the security + association database for the protection of return routability or + payload packets for this mobile node, those security associations are + updated with the new care-of address. + +6.3. Binding Acknowledgement to the Mobile Node + + Step 1. Mobile IPv6 produces the following packet: + + IPv6 header (source = home agent, + destination = home address) + Mobility header + Binding Acknowledgement + + Step 2. This packet matches the IPsec policy entries, and we + remember that IPsec has to be applied. + + + + + + + + + +Arkko, et al. Standards Track [Page 27] + +RFC 3776 Home Agent IPsec June 2004 + + + Step 3. Then, we add the necessary Route Headers but do not change + the addresses yet, as described in Section 9.5.4 of the base + specification [7]. This results in: + + IPv6 header (source = home agent, + destination = home address) + Routing header (type 2) + care-of address + Mobility header + Binding Acknowledgement + + Step 4. We apply IPsec: + + IPv6 header (source = home agent, + destination = home address) + Routing header (type 2) + care-of address + ESP header (SPI = spi_b) + Mobility header + Binding Acknowledgement + + Step 5. Finally, before sending the packet out we change the + addresses in the IPv6 header and the Route header: + + IPv6 header (source = home agent, + destination = care-of address) + Routing header (type 2) + home address + ESP header (SPI = spi_b) + Mobility header + Binding Acknowledgement + +6.4. Binding Acknowledgement from the Home Agent + + Step 1. The following packet is received at the mobile node + + IPv6 header (source = home agent, + destination = care-of address) + Routing header (type 2) + home address + ESP header (SPI = spi_b) + Mobility header + Binding Acknowledgement + + + + + + + + +Arkko, et al. Standards Track [Page 28] + +RFC 3776 Home Agent IPsec June 2004 + + + Step 2. After the routing header is processed the packet becomes + + IPv6 header (source = home agent, + destination = home address) + Routing header (type 2) + care-of address + ESP header (SPI = spi_b) + Mobility header + Binding Acknowledgement + + Step 3. ESP header is processed next, resulting in: + + IPv6 header (source = home agent, + destination = home address) + Routing header (type 2) + care-of address + Mobility header + Binding Acknowledgement + + Step 4. This packet matches the policy required for this security + association (source = home agent, destination = home address, proto = + MH). + + Step 5. The Binding Acknowledgement is delivered to the Mobile IPv6 + module. + +6.5. Home Test Init to the Home Agent + + Step 1. The mobile node constructs a Home Test Init message: + + IPv6 header (source = home address, + destination = correspondent node) + Mobility header + Home Test Init + + Step 2. Mobile IPv6 determines that this packet should go to the + tunnel to the home agent. + + Step 3. The packet is matched against IPsec policy entries for the + interface, and we find that IPsec needs to be applied. + + Step 4. IPsec tunnel mode headers are added. Note that we use a + care-of address as a source address for the tunnel packet. + + IPv6 header (source = care-of address, + destination = home agent) + ESP header (SPI = spi_c) + IPv6 header (source = home address, + + + +Arkko, et al. Standards Track [Page 29] + +RFC 3776 Home Agent IPsec June 2004 + + + destination = correspondent node) + Mobility header + Home Test Init + + Step 5. The packet is sent directly to the home agent using IPsec + encapsulation. + +6.6. Home Test Init from the Mobile Node + + Step 1. The home agent receives the following packet: + + IPv6 header (source = care-of address, + destination = home agent) + ESP header (SPI = spi_c) + IPv6 header (source = home address, + destination = correspondent node) + Mobility Header + Home Test Init + + Step 2. IPsec processing is performed, resulting in: + + IPv6 header (source = home address, + destination = correspondent node) + Mobility Header + Home Test Init + + Step 3. The resulting packet matches the policy required for this + security association and the packet can be processed further. + + Step 4. The packet is then forwarded to the correspondent node. + +6.7. Home Test to the Mobile Node + + Step 1. The home agent receives a Home Test packet from the + correspondent node: + + IPv6 header (source = correspondent node, + destination = home address) + Mobility Header + Home Test Init + + Step 2. The home agent determines that this packet is destined to a + mobile node that is away from home, and decides to tunnel it. + + Step 3. The packet matches the IPsec policy entries for the tunnel + interface, and we note that IPsec needs to be applied. + + + + + +Arkko, et al. Standards Track [Page 30] + +RFC 3776 Home Agent IPsec June 2004 + + + Step 4. IPsec is applied, resulting in a new packet. Note that the + home agent must keep track of the location of the mobile node, and + update the tunnel endpoint address in the security association(s) + accordingly. + + IPv6 header (source = home agent, + destination = care-of address) + ESP header (SPI = spi_d) + IPv6 header (source = correspondent node, + destination = home address) + Mobility Header + Home Test Init + + Step 5. The packet is sent directly to the care-of address using + IPsec encapsulation. + +6.8. Home Test from the Home Agent + + Step 1. The mobile node receives the following packet: + + IPv6 header (source = home agent, + destination = care-of address) + ESP header (SPI = spi_d) + IPv6 header (source = correspondent node, + destination = home address) + Mobility Header + Home Test Init + + Step 2. IPsec is processed, resulting in: + + IPv6 header (source = correspondent node, + destination = home address) + Mobility Header + Home Test Init + + Step 3. This matches the policy required for this security + association (source = any, destination = home address). + + Step 4. The packet is given to Mobile IPv6 processing. + +6.9. Prefix Solicitation Message to the Home Agent + + This procedure is similar to the one presented in Section 6.1. + +6.10. Prefix Solicitation Message from the Mobile Node + + This procedure is similar to the one presented in Section 6.2. + + + + +Arkko, et al. Standards Track [Page 31] + +RFC 3776 Home Agent IPsec June 2004 + + +6.11. Prefix Advertisement Message to the Mobile Node + + This procedure is similar to the one presented in Section 6.3. + +6.12. Prefix Advertisement Message from the Home Agent + + This procedure is similar to the one presented in Section 6.4. + +6.13. Payload Packet to the Home Agent + + This procedure is similar to the one presented in Section 6.5. + +6.14. Payload Packet from the Mobile Node + + This procedure is similar to the one presented in Section 6.6. + +6.15. Payload Packet to the Mobile Node + + This procedure is similar to the one presented in Section 6.7. + +6.16. Payload Packet from the Home Agent + + This procedure is similar to the one presented in Section 6.8. + +6.17. Establishing New Security Associations + + Step 1. The mobile node wishes to send a Binding Update to the home + agent. + + IPv6 header (source = home address, + destination = home agent) + Mobility header + Binding Update + + Step 2. There is no existing security association to protect the + Binding Update, so the mobile node initiates IKE. The IKE packets + are sent as shown in the following examples. The first packet is an + example of an IKE packet sent from the mobile node, and the second + one is from the home agent. The examples shows also that the phase 1 + identity used for the mobile node is a FQDN. + + IPv6 header (source = care-of address, + destination = home agent) + UDP + IKE + ... IDii = ID_FQDN mn123.ha.net ... + + + + + +Arkko, et al. Standards Track [Page 32] + +RFC 3776 Home Agent IPsec June 2004 + + + IPv6 header (source = home agent + destination = care-of address) + UDP + IKE + ... IDir = ID_FQDN ha.net ... + + Step 3. IKE phase 1 completes, and phase 2 is initiated to request + security associations for protecting traffic between the mobile + node's home address and the home agent. These addresses will be used + as selectors. This involves sending and receiving additional IKE + packets. The below example shows again one packet sent by the mobile + node and another sent by the home agent. The example shows also that + the phase 2 identity used for the mobile node is the mobile node's + home address. + + IPv6 header (source = care-of address, + destination = home agent) + UDP + IKE + ... IDci = ID_IPV6_ADDR home address ... + + IPv6 header (source = home agent, + destination = care-of address) + UDP + IKE + ... IDcr = ID_IPV6_ADDR home agent ... + + Step 4. The remaining steps are as shown in Section 6.1. + +6.18. Rekeying Security Associations + + Step 1. The mobile node and the home agent have existing security + associations. Either side may decide at any time that the security + associations need to be rekeyed, for instance, because the specified + lifetime is approaching. + + Step 2. Mobility header packets sent during rekey may be protected + by the existing security associations. + + Step 3. When the rekeying is finished, new security associations are + established. In practice there is a time interval during which an + old, about-to-expire security association and newly established + security association will both exist. The new ones should be used as + soon as they become available. + + Step 4. A notification of the deletion of the old security + associations is received. After this, only the new security + associations can be used. + + + +Arkko, et al. Standards Track [Page 33] + +RFC 3776 Home Agent IPsec June 2004 + + + Note that there is no requirement that the existence of the IPsec and + IKE security associations is tied to the existence of bindings. It + is not necessary to delete a security association if a binding is + removed, as a new binding may soon be established after this. + + Since cryptographic acceleration hardware may only be able to handle + a limited number of active security associations, security + associations may be deleted via IKE in order to keep the number of + active cryptographic contexts to a minimum. Such deletions should + not be interpreted as a sign of losing a contact to the peer or as a + reason to remove a binding. Rather, if additional traffic needs to + be sent, it is preferable to bring up another security association to + protect it. + +6.19. Movements and Dynamic Keying + + In this section we describe the sequence of events that relate to + movement with IKE-based security associations. In the initial state, + the mobile node is not registered in any location and has no security + associations with the home agent. Depending on whether the peers + will be able to move IKE endpoints to new care-of addresses, the + actions taken in Step 9 and 10 are different. + + Step 1. Mobile node with the home address A moves to care-of address + B. + + Step 2. Mobile node runs IKE from care-of address B to the home + agent, establishing a phase 1. The home agent can only act as the + responder before it knows the current location of the mobile node. + + Step 3. Protected by this phase 1, mobile node establishes a pair of + security associations for protecting Mobility Header traffic to and + from the home address A. + + Step 4. Mobile node sends a Binding Update and receives a Binding + Acknowledgement using the security associations created in Step 3. + + Step 5. Mobile node establishes a pair of security associations for + protecting return routability packets. These security associations + are in tunnel mode and their endpoint in the mobile node side is + care-of address B. For the purposes of our example, this step uses + the phase 1 connection established in Step 2. Multiple phase 1 + connections are also possible. + + Step 6. The mobile node uses the security associations created in + Step 5 to run return routability. + + + + + +Arkko, et al. Standards Track [Page 34] + +RFC 3776 Home Agent IPsec June 2004 + + + Step 7. The mobile node moves to a new location and adopts a new + care-of address C. + + Step 8. Mobile node sends a Binding Update and receives a Binding + Acknowledgement using the security associations created in Step 3. + The home agent ensures that the next packets sent using the security + associations created in Step 5 will have the new care-of address as + their destination address, as if the outer header destination address + in the security association had changed. + + Step 9. If the mobile node and the HA have the capability to change + the IKE endpoints, they change the address to C. If they do not have + the capability, both nodes remove their phase 1 connections created + on top of the care-of address B and will establish a new IKE phase 1 + on top of the care-of address C. This capability to change the IKE + phase 1 end points is indicated through setting the Key Management + Mobility Capability (K) flag [7] in the Binding Update and Binding + Acknowledgement messages. + + Step 10. If a new IKE phase 1 connection was setup after movement, + the MN will not be able to receive any notifications delivered on top + of the old IKE phase 1 security association. Notifications delivered + on top of the new security association are received and processed + normally. If the mobile node and HA were able to update the IKE + endpoints, they can continue using the same IKE phase 1 connection. + +7. Implementation Considerations + +7.1. IPsec + + Note that packet formats and header ordering discussed in Section 3 + must be supported, but implementations may also support other + formats. In general, the use of formats not required here may lead + to incorrect processing of the packets by the peer (such as silently + discarding them), unless support for these formats has been verified + off-line. Such verification can take place at the same time the + parameters of the security associations are agreed upon. In some + cases, however, basic IPv6 specifications call for support of options + not discussed here. In these cases, such a verification step might + be unnecessary as long as the peer fully supports the relevant IPv6 + specifications. However, no claims are made in this document about + the validity of these other formats in the context of Mobile IPv6. + It is also likely that systems that support Mobile IPv6 have been + tested more extensively with the required formats. + + We have chosen to require an encapsulation format for return + routability and payload packet protection which can only be realized + if the destination of the IPsec packets sent from the home agent can + + + +Arkko, et al. Standards Track [Page 35] + +RFC 3776 Home Agent IPsec June 2004 + + + be changed as the mobile node moves. One of the main reasons for + choosing such a format is that it removes the overhead of twenty four + bytes when a home address option or routing header is added to the + tunneled packet. Such an overhead would not be significant for the + protection of the return routability packets, but would create an + additional overhead if IPsec is used to protect the tunneling of + payload packets to the home agent. This overhead may be significant + for real-time traffic. Given that the use of the shorter packet + formats for any traffic requires the existence of suitable APIs, we + have chosen to require support for the shorter packet formats both + for payload and return routability packets. + + In order to support the care-of address as the destination address on + the mobile node side, the home agent must act as if the outer header + destination address in the security association to the mobile node + would have changed upon movements. Implementations are free to + choose any particular method to make this change, such as using an + API to the IPsec implementation to change the parameters of the + security association, removing the security association and + installing a new one, or modification of the packet after it has gone + through IPsec processing. The only requirement is that after + registering a new binding at the home agent, the next IPsec packets + sent on this security association will be addressed to the new + care-of address. + + We have chosen to require policy entries that are specific to a + tunnel interface. This means that implementations have to regard the + Home Agent - Mobile Node tunnel as a separate interface on which + IPsec SPDs can be based. A further complication of the IPsec + processing on a tunnel interface is that this requires access to the + BITS implementation before the packet actually goes out. + +7.2. IKE + + We have chosen to require that a dynamic key management protocol must + be able to make an authorization decision for IPsec security + association creation with different addresses than with what the key + management protocol is run. We expect this to be done typically by + configuring the allowed combinations of phase 1 user identities and + home addresses. + + When certificate authentication is used, IKE fragmentation can be + encountered. This can occur when certificate chains are used, or + even with single certificates if they are large. Many firewalls do + not handle fragments properly, and may drop them. Routers in the + path may also discard fragments after the initial one, since they + + + + + +Arkko, et al. Standards Track [Page 36] + +RFC 3776 Home Agent IPsec June 2004 + + + typically will not contain full IP headers that can be compared + against an access list. Where fragmentation occurs, the endpoints + will not always be able to establish a security association. + + Fortunately, typical Mobile IPv6 deployment uses short certificate + chains, as the mobile node is communicating directly with its home + network. Where the problem appears, it may be difficult (at least + away from home) to replace the firewalls or routers with equipment + that can properly support fragments. It may help to store the peer + certificates locally, or to obtain them through other means. + +7.3. Bump-in-the-Stack + + Mobile IPv6 sets high requirements for a so-called Bump-In-The-Stack + (BITS) implementation model of IPsec. As Mobile IPv6 specific + modifications of the packets are required before or after IPsec + processing, the BITS implementation has to perform also some tasks + related to mobility. This may increase the complexity of the + implementation, even if it already performs some tasks of the IP + layer (such as fragmentation). + + Specifically, Bump-in-the-Stack implementations may have to deal with + the following issues: + + o Processing the Home Address destination option and Routing header + type 2 to a form suitable for IPsec processing to take place. + This is needed, among other things, for the security association + and policy lookups. While relatively straightforward, the + required processing may have a hardware effect in BITS + implementations, if they use hardware support beyond the + cryptographic operations. + + o Detecting packets sent between the mobile node and its home agent + using IPv6 encapsulation. + + o Offering the necessary APIs for updating the IPsec and IKE + security association endpoints. + +8. IANA Considerations + + No IANA actions are necessary based on this document. IANA actions + for the Mobile IPv6 protocol itself have been covered in [7]. + +9. Security Considerations + + The Mobile IPv6 base specification [7] requires strong security + between the mobile node and the home agent. This memo discusses how + that security can be arranged in practice, using IPsec. The security + + + +Arkko, et al. Standards Track [Page 37] + +RFC 3776 Home Agent IPsec June 2004 + + + considerations related to this are documented in the base + specification, including a discussion of the implications of using + either manual or dynamic keying. + +10. References + +10.1. Normative References + + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [2] Kent, S. and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [3] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload + (ESP)", RFC 2406, November 1998. + + [4] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", + RFC 2409, November 1998. + + [5] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) + Specification", RFC 2460, December 1998. + + [6] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 + Specification", RFC 2473, December 1998. + + [7] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support in + IPv6", RFC 3775, June 2004. + +10.2. Informative References + + [8] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, + November 1998. + + [9] Deering, S., Fenner, W. and B. Haberman, "Multicast Listener + Discovery (MLD) for IPv6", RFC 2710, October 1999. + + [10] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C. and + M. Carney, "Dynamic Host Configuration Protocol for IPv6 + (DHCPv6)", RFC 3315, July 2003. + + [11] Vida, R. and L. Costa, Eds., "Multicast Listener Discovery + Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. + + + + + + + + +Arkko, et al. Standards Track [Page 38] + +RFC 3776 Home Agent IPsec June 2004 + + +11. Acknowledgements + + The authors would like to thank Greg O'Shea, Michael Thomas, Kevin + Miles, Cheryl Madson, Bernard Aboba, Erik Nordmark, Gabriel + Montenegro, Steven Kent, and Santeri Paavolainen for interesting + discussions in this problem space. + +12. Authors' Addresses + + Jari Arkko + Ericsson + 02420 Jorvas + Finland + + EMail: jari.arkko@ericsson.com + + + Vijay Devarapalli + Nokia Research Center + 313 Fairchild Drive + Mountain View CA 94043 + USA + + EMail: vijayd@iprg.nokia.com + + + Francis Dupont + ENST Bretagne + Campus de Rennes + 2, rue de la Chataigneraie + CS 17607 + 35576 Cesson-Sevigne Cedex + France + + EMail: Francis.Dupont@enst-bretagne.fr + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 39] + +RFC 3776 Home Agent IPsec June 2004 + + +13. Full Copyright Statement + + Copyright (C) The Internet Society (2004). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + +Arkko, et al. Standards Track [Page 40] + -- cgit v1.2.3