1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
|
Network Working Group V. Devarapalli
Request for Comments: 4877 Azaire Networks
Updates: 3776 F. Dupont
Category: Standards Track CELAR
April 2007
Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes Mobile IPv6 operation with the revised IPsec
architecture and IKEv2.
Devarapalli & Dupont Standards Track [Page 1]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Packet Formats . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. General Requirements . . . . . . . . . . . . . . . . . . . 5
4.2. Policy Requirements . . . . . . . . . . . . . . . . . . . 5
4.3. IPsec Protocol Processing Requirements . . . . . . . . . . 7
4.4. Dynamic Keying Requirements . . . . . . . . . . . . . . . 9
5. Selector Granularity Considerations . . . . . . . . . . . . . 10
6. Manual Configuration . . . . . . . . . . . . . . . . . . . . . 11
6.1. Binding Updates and Acknowledgements . . . . . . . . . . . 12
6.2. Return Routability Messages . . . . . . . . . . . . . . . 13
6.3. Mobile Prefix Discovery Messages . . . . . . . . . . . . . 14
6.4. Payload Packets . . . . . . . . . . . . . . . . . . . . . 14
7. Dynamic Configuration . . . . . . . . . . . . . . . . . . . . 15
7.1. Peer Authorization Database Entries . . . . . . . . . . . 15
7.2. Security Policy Database Entries . . . . . . . . . . . . . 15
7.2.1. Binding Updates and Acknowledgements . . . . . . . . . 16
7.2.2. Return Routability Messages . . . . . . . . . . . . . 17
7.2.3. Mobile Prefix Discovery Messages . . . . . . . . . . . 17
7.2.4. Payload Packets . . . . . . . . . . . . . . . . . . . 18
7.3. Security Association Negotiation Using IKEv2 . . . . . . . 18
7.4. Movements and Dynamic Keying . . . . . . . . . . . . . . . 20
8. The Use of EAP Authentication . . . . . . . . . . . . . . . . 21
9. Dynamic Home Address Configuration . . . . . . . . . . . . . . 22
10. Security Considerations . . . . . . . . . . . . . . . . . . . 23
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
12.1. Normative References . . . . . . . . . . . . . . . . . . . 24
12.2. Informative References . . . . . . . . . . . . . . . . . . 24
Devarapalli & Dupont Standards Track [Page 2]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
1. Introduction
RFC 3776 describes how IPsec, as described in RFC 2401 [11], is used
with Mobile IPv6 [2] to protect the signaling messages. It also
illustrates examples of Security Policy Database and Security
Association Database entries that can be used to protect Mobile IPv6
signaling messages.
The IPsec architecture has been revised in RFC 4301 [5]. Among the
many changes, the list of selectors has been expanded to include the
Mobility Header message type. This has an impact on how security
policies and security associations are configured for protecting
mobility header messages. It becomes easier to differentiate between
the various Mobility Header messages based on the type value instead
of checking if a particular mobility header message is being sent on
a tunnel interface between the mobile node and the home agent, as it
was in RFC 3776. The revised IPsec architecture specification also
includes ICMP message type and code as selectors. This makes it
possible to protect Mobile Prefix Discovery messages without applying
the same security associations to all ICMPv6 messages.
This document discusses new requirements for the home agent and the
mobile node to use the revised IPsec architecture and IKEv2.
Section 4 lists the requirements. Sections 6 and 7 describe the
required Security Policy Database (SPD) and Security Association
Database (SAD) entries.
The Internet Key Exchange (IKE) protocol has also been substantially
revised and simplified [4]. Section 7.3 of this document describes
how IKEv2 can be used to set up security associations for Mobile
IPv6.
The use of EAP within IKEv2 is allowed to authenticate the mobile
node to the home agent. This is described in Section 8. A method
for dynamically configuring a home address from the home agent using
the Configuration Payload in IKEv2 is described in Section 9.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
Devarapalli & Dupont Standards Track [Page 3]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
3. Packet Formats
The mobile node and the home agent MUST support the packet formats as
defined in Section 3 of RFC 3776.
In case the mobile node reverse tunnels all traffic including Mobile
IPv6 signaling messages exchanged between the mobile node and the
home agent, then the Home Address Option is not required to be
present in the messages sent to the home agent. The packet format
for the binding update when sent in the tunnel mode looks as follows.
IPv6 hdr (source = care-of address,
destination = home agent)
ESP header in tunnel mode
IPv6 hdr (source = home address,
destination = home agent)
Mobility Header
Binding Update
Alternate Care-of Address option (care-of address)
The binding acknowledgement sent to the mobile node when it is away
from the home link looks as follows.
IPv6 hdr (source = home agent,
destination = care-of address)
ESP header in tunnel mode
IPv6 hdr (source = home agent,
destination = home address)
Mobility Header
Binding Acknowledgement
The packet formats for tunneled mobile prefix discovery messages are
very similar to the tunneled Binding Update and Binding
Acknowledgment with the with the home address as the source address
in the inner IP header.
The support for the above tunneled packet format is optional on the
mobile node and the home agent.
4. Requirements
This section describes mandatory rules and requirements for all
Mobile IPv6 mobile nodes and home agents so that IPsec, with IKEv2 as
the key management protocol, can be used to protect traffic between
the mobile node and the home agent. Many of the requirements are
repeated from RFC 3776 to make this document self-contained and
complete.
Devarapalli & Dupont Standards Track [Page 4]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
4.1. General Requirements
o RFC 3775 states that manual configuration of IPsec security
associations MUST be supported, and automated key management MAY
be supported. This document does not make any recommendations
regarding the support of manual IPsec configuration and dynamic
IPsec configuration. This document just describes the use of
manually created IPsec security associations and the use of IKEv2
as the automated IPsec key management protocol for protecting
Mobile IPv6 signaling messages.
o ESP encapsulation for Binding Updates and Binding Acknowledgements
MUST be supported and used.
o ESP encapsulation in tunnel mode for the Home Test Init (HoTi) and
Home Test (HoT) messages tunneled between the mobile node and the
home agent MUST be supported and SHOULD be used.
o ESP encapsulation of the ICMPv6 messages related to mobile prefix
discovery MUST be supported and SHOULD be used.
o ESP encapsulation of the payload packets tunneled between the
mobile node and the home agent MAY be supported and used.
o If multicast group membership control protocols or stateful
address autoconfiguration protocols are supported, payload data
protection MUST be supported for those protocols.
o The home agent and the mobile node MAY support authentication
using EAP in IKEv2 as described in Section 8.
o The home agent and the mobile node MAY support remote
configuration of the home address as described in Section 9. When
the home agent receives a configuration payload with a CFG_REQUEST
for INTERNAL_IP6_ADDRESS, it must reply with a valid home address
for the mobile node. The home agent can pick a home address from
a local database or from a DHCPv6 server on the home link.
4.2. Policy Requirements
The following requirements are related to the configuration of the
security policy database on the home agent and the mobile node.
o RFC 3776 required configuration of the security policies per
interface in order to be able to differentiate between mobility
header messages sent to the home agent and those tunneled through
the home agent to the correspondent node. Since the Mobility
Header message type is a selector, it is now easy to differentiate
Devarapalli & Dupont Standards Track [Page 5]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
between HoTi and HoT messages from other mobility header messages.
Therefore per-interface configuration of security policies is not
required for protecting mobility header messages. Note that
without per-interface security policies, payload packet protection
is limited to packets originating/terminating at the home address.
Traffic using a link local address within the Mobile IP tunnel
cannot be provided IPsec protection without per-interface security
policies.
o The home agent MUST be able to prevent a mobile node from using
its security association to send a Binding Update on behalf of
another mobile node. With manual IPsec configuration, the home
agent MUST be able to verify that a security association was
created for a particular home address. With dynamic keying, the
home agent MUST be able to verify that the identity presented in
the IKE_AUTH exchange is allowed to create security associations
for a particular home address.
o The home agent uses the Peer Authorization Database (PAD) [5] to
store per-mobile node state. More specifically the per-mobile
state stores information that is used to authenticate the mobile
node and the authorization information that ties the mobile node's
identity to the home address of the mobile node. This will allow
the home agent to prevent a mobile node from creating IPsec
security associations for another mobile node's home address. In
case of dynamic home address assignment, the home agent creates a
temporary PAD entry linking the authenticated peer identity and
the newly allocated home address.
o As required in the base specification [2], when a packet destined
to the receiving node is matched against IPsec security policy or
selectors of a security association, an address appearing in a
Home Address destination option is considered as the source
address of the packet.
Note that the home address option appears before IPsec headers.
Section 11.3.2 of the base specification describes one possible
implementation approach for this: The IPsec policy operations can
be performed at the time when the packet has not yet been modified
per Mobile IPv6 rules, or has been brought back to its normal form
after Mobile IPv6 processing. That is, the processing of the Home
Address option is seen as a fixed transformation of the packets
that does not affect IPsec processing.
o Similarly, a home address within a Type 2 Routing header destined
to the receiving node is considered as the destination address of
the packet, when a packet is matched against IPsec security policy
or selectors of a security association.
Devarapalli & Dupont Standards Track [Page 6]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
Similar implementation considerations apply to the Routing header
processing as was described above for the Home Address destination
option.
o When the mobile node returns home and de-registers with the Home
Agent, the tunnel between the home agent and the mobile node's
care-of address is torn down. The security policy entries, which
were used for protecting tunneled traffic between the mobile node
and the home agent, SHOULD be made inactive (for instance, by
removing them and installing them back later through an API). The
corresponding security associations could be kept as they are or
deleted depending on how they were created. If the security
associations were created dynamically using IKE, they are
automatically deleted when they expire. If the security
associations were created through manual configuration, they MUST
be retained and used later when the mobile node moves away from
home again. The security associations protecting Binding Updates,
Binding Acknowledgements and Mobile Prefix Discovery messages
SHOULD NOT be deleted as they do not depend on care-of addresses
and can be used again.
o The mobile node MUST use the Home Address destination option in
Binding Updates and Mobile Prefix Solicitations when transport
mode IPsec protection is used, so that the home address is visible
when the IPsec policy checks are made.
o The home agent MUST use the Type 2 Routing header in Binding
Acknowledgements and Mobile Prefix Advertisements sent to the
mobile node when transport mode IPsec protection is used, again
due to the need to have the home address visible when the policy
checks are made.
4.3. IPsec Protocol Processing Requirements
The following lists requirements for IPsec processing at the Home
Agent and the mobile node.
o The home agent and mobile node SHOULD support Mobility Header
message type as an IPsec selector.
o The home agent and mobile node SHOULD support ICMPv6 message type
as an IPsec selector.
o The home agent MUST be able to distinguish between HoTi messages
sent to itself (when it is acting as a Correspondent Node) and
those sent to Correspondent Nodes (when it is acting as a home
agent) based on the destination address of the packet.
Devarapalli & Dupont Standards Track [Page 7]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
o When securing Binding Updates, Binding Acknowledgements, and
Mobile Prefix Discovery messages, both the mobile node and the
home agent MUST support the use of the Encapsulating Security
Payload (ESP) [6] header in transport mode and MUST use a non-null
payload authentication algorithm to provide data origin
authentication, connectionless integrity, and optional anti-replay
protection. The use of sequence number in the ESP header to
provide anti-replay protection is optional because the sequence
numbers in the Binding Updates provide anti-replay protection.
However, the anti-replay protection fails if the home agent loses
the binding cache state, for example, due to a reboot. Since the
IPsec security association state can also be assumed to be lost,
ESP cannot provide anti-replay protection in this case. Complete
anti-replay protection can only be provided by the use of a
dynamic keying mechanism, like IKEv2.
Support for protecting these messages using ESP in tunnel mode is
optional.
o Tunnel mode IPsec ESP MUST be supported and SHOULD be used for the
protection of packets belonging to the return routability
procedure. A non-null encryption transform and a non-null
authentication algorithm MUST be applied.
o When ESP is used to protect Binding Updates, there is no
protection for the care-of address that appears in the IPv6 header
outside the area protected by ESP. It is important for the home
agent to verify that the care-of address has not been tampered
with. As a result, the attacker would have redirected the mobile
node's traffic to another address. In order to prevent this,
Mobile IPv6 implementations MUST use the Alternate Care-of Address
mobility option in Binding Updates sent by mobile nodes while away
from home. The exception to this is when the mobile node returns
home and sends a Binding Update to the home agent in order to de-
register.
When IPsec is used to protect return routability signaling or
payload packets, the mobile node MUST set the source address it
uses for the outgoing tunnel packets to the current primary
care-of address.
o When IPsec is used to protect return routability signaling or
payload packets, IPsec security associations are needed to provide
this protection. When the care-of address for the mobile node
changes as a result of an accepted Binding Update, special
treatment is needed for the next packets sent using these security
associations. The home agent MUST set the new care-of address as
the destination address of these packets, as if the outer header
Devarapalli & Dupont Standards Track [Page 8]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
destination address in the security association had changed.
Similarly, the home agent starts to expect the new source address
in the tunnel packets received from the mobile node.
Such address changes can be implemented, for instance, through an
API from the Mobile IPv6 implementation to the IPsec
implementation. One such API is described in [12]. It should be
noted that the use of such an API and the address changes MUST
only be done based on the Binding Updates received by the home
agent and protected by the use of IPsec. Address modifications
based on other sources, such as Binding Updates to the
correspondent nodes protected by return routability, or open
access to an API from any application may result in security
vulnerabilities.
4.4. Dynamic Keying Requirements
The following requirements are related to the use of a dynamic key
management protocol by the mobile node and the home agent.
Section 7.3 describes the use of IKEv2 as the dynamic key management
protocol.
o The mobile node MUST use its care-of address as source address in
protocol exchanges, when using dynamic keying.
o The mobile node and the home agent MUST create security
associations based on the home address, so that the security
associations survive changes in care-of address. When using IKEv2
as the key exchange protocol, the home address should be carried
as the initiator IP address in the TSi payload during the
CREATE_CHILD_SA exchange [4].
o If the mobile node has used IKEv2 to establish security
associations with its home agent, it should follow the procedures
discussed in Sections 11.7.1 and 11.7.3 of the base specification
[2] to determine whether the IKE endpoints can be moved or if the
SAs, including the IKEv2 SA, have to be re-established.
o If the home agent has used IKEv2 to establish security
associations with the mobile node, it should follow the procedures
discussed in Section 10.3.1 and 10.3.2 of the base specification
[2] to determine whether the IKE endpoints can be moved or if the
SAs, including the IKEv2 SA, have to be re-established.
Devarapalli & Dupont Standards Track [Page 9]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
5. Selector Granularity Considerations
IPsec implementations are compatible with this document even if they
do not support fine-grain selectors such as the Mobility Header
message type and ICMPv6 message type. Note that such IPsec
implementations are not compliant with RFC 4301 [5]. For various
reasons, some implementations may choose to support only coarse-grain
selectors (i.e., addresses and in some cases the protocol field) for
forwarded traffic. As finer-grain selectors give better control,
i.e., the protection is only applied when required, the examples in
this document always use the finest granularity.
The following describes different ways of setting up IPsec policies
for protecting Mobile IPv6 messages:
1. The IPsec implementations on the mobile node and the home agent
support fine-grain selectors, including the Mobility Header
message type. This is the case assumed in the IPsec SPD and SAD
examples in this document.
2. The IPsec implementations only support selectors at a protocol
level. Such an IPsec implementation can only identify mobility
header traffic and cannot identify the individual mobility header
messages. In this case, the protection of Return Routability
Messages uses a setup similar to the regular payload packets sent
to the correspondent node with the protocol selector set to
Mobility Header. All tunneled Mobility Header messages will be
protected.
3. The third case is where the protocol selector is not available in
the IPsec implementation. In this case, all traffic sent by the
mobile node that is reverse tunneled through the home agent is
protected using ESP in tunnel mode. This case is also applicable
when the mobile node, due to privacy considerations, tunnels all
traffic to the home agent. This includes Mobile IPv6 signaling
messages exchanged between the mobile node and the home agent and
all traffic exchanged between the mobile node and the
correspondent node. This case uses IPsec tunnel mode SA with the
protocol selector set to 'any'.
The third case where all tunneled traffic is protected introduces
some additional considerations:
o If there is just one IPsec SA providing protection for all
traffic, then the SA MUST fulfill the requirements for protecting
the Return Routability messages which require confidentiality
protection. If the third case is being used for privacy
considerations, then there can also be separate tunnel mode SPD
Devarapalli & Dupont Standards Track [Page 10]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
entries for protecting the Return Routability messages with a
higher priority in the SPD so that the SPD entry with the higher
priority gets applied first.
o The receipt of a Binding Update from the new care-of address
updates the tunnel endpoint of the IPsec SA as described in
Section 4.3. Since the Binding Update that updates the tunnel
endpoint is received through the same tunnel interface that needs
to be updated, special care should be taken on the home agent to
ensure that the Binding Update is not dropped. This can be
achieved either by performing the source address check on the
outer IPv6 header after the binding update is processed or by
having exception handling to check the inner packet for a Binding
Update when the source address match on the outer source address
fails. Typical IPsec processing does not check the outer source
address when the originator of the packet has already been
authenticated.
6. Manual Configuration
This section describes the SPD and SAD entries that can be used to
protect Mobile IPv6 signaling messages. The SPD and SAD entries are
only example configurations. A particular mobile node implementation
and a home agent implementation could configure different SPD and SAD
entries as long as they provide the required security of the Mobile
IPv6 signaling messages.
For the examples described in this document, a mobile node with home
address, "home_address_1", primary care-of address,
"care_of_address_1", a home agent with address, "home_agent_1" and a
user of the mobile node with identity "user_1" are assumed. If the
home address of the mobile node changes, the SPD and SAD entries need
to be re-created or updated for the new home address.
The Peer Authorization Database is not used when manual IPsec
configuration is used for setting up security associations for
protecting Mobile IPv6 signaling messages.
Devarapalli & Dupont Standards Track [Page 11]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
6.1. Binding Updates and Acknowledgements
The following are the SPD and SAD entries on the mobile node and the
home agent to protect Binding Updates and Acknowledgements.
mobile node SPD-S:
- IF local_address = home_address_1 &
remote_address = home_agent_1 & proto = MH &
local_mh_type = BU & remote_mh_type = BAck
Then use SA SA1 (OUT) and SA2 (IN)
mobile node SAD:
- SA1(OUT, spi_a, home_agent_1, ESP, TRANSPORT):
local_address = home_address_1 &
remote_address = home_agent_1 &
proto = MH & mh_type = BU
- SA2(IN, spi_b, home_address_1, ESP, TRANSPORT):
local_address = home_agent_1 &
remote_address = home_address_1 &
proto = MH & mh_type = BAck
home agent SPD-S:
- IF local_address = home_agent_1 &
remote_address = home_address_1 & proto = MH &
local_mh_type = BAck & remote_mh_type = BU
Then use SA SA2 (OUT) and SA1 (IN)
home agent SAD:
- SA2(OUT, spi_b, home_address_1, ESP, TRANSPORT):
local_address = home_agent_1 &
remote_address = home_address_1 &
proto = MH & mh_type = BAck
- SA1(IN, spi_a, home_agent_1, ESP, TRANSPORT):
local_address = home_address_1 &
remote_address = home_agent_1 &
proto = MH & mh_type = BU
Devarapalli & Dupont Standards Track [Page 12]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
6.2. Return Routability Messages
The following are the SPD and SAD entries on the mobile node and the
home agent to protect Return Routability messages.
mobile node SPD-S:
- IF local_address = home_address_1 & remote_address = any &
proto = MH & local_mh_type = HoTi & remote_mh_type = HoT
Then use SA SA3 (OUT) and SA4 (IN)
mobile node SAD:
- SA3(OUT, spi_c, home_agent_1, ESP, TUNNEL):
local_address = home_address_1 & remote_address = any &
proto = MH & mh_type = HoTi
- SA4(IN, spi_d, care_of_address_1, ESP, TUNNEL):
local_address = any & remote_address = home_address_1 &
proto = MH & mh_type = HoT
home agent SPD-S:
- IF remote_address = home_address_1 & local_address = any &
proto = MH & local_mh_type = HoT & remote_mh_type = HoTi
Then use SA SA4 (OUT) and SA3 (IN)
home agent SAD:
- SA4(OUT, spi_d, care_of_address_1, ESP, TUNNEL):
local_address = any & remote_address = home_address_1 &
proto = MH & mh_type = HoT
- SA3(IN, spi_c, home_agent_1, ESP, TUNNEL):
local_address = home_address_1 & remote_address = any &
proto = MH & mh_type = HoTi
Devarapalli & Dupont Standards Track [Page 13]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
6.3. Mobile Prefix Discovery Messages
The following are the SPD and SAD entries used to protect Mobile
Prefix Discovery messages.
mobile node SPD-S:
- IF local_address = home_address_1 &
remote_address = home_agent_1 & proto = ICMPv6 &
local_icmp6_type = MPS & remote_icmp6_type = MPA
Then use SA SA5 (OUT) and SA6 (IN)
mobile node SAD:
- SA5(OUT, spi_e, home_agent_1, ESP, TRANSPORT):
local_address = home_address_1 &
remote_address = home_agent_1 &
proto = ICMPv6 & icmp6_type = MPS
- SA6(IN, spi_f, home_address_1, ESP, TRANSPORT):
local_address = home_agent_1 &
remote_address = home_address_1 &
proto = ICMPv6 & icmp6_type = MPA
home agent SPD-S:
- IF local_address = home_agent_1 &
remote_address = home_address_1 & proto = ICMPv6 &
local_icmp6_type = MPA & remote_icmp6_type = MPS
Then use SA SA6 (OUT) and SA5 (IN)
home agent SAD:
- SA6(OUT, spi_f, home_address_1, ESP, TRANSPORT):
local_address = home_agent_1 &
remote_address = home_address_1 &
proto = ICMPv6 & icmp6_type = MPA
- SA5(IN, spi_e, home_agent_1, ESP, TRANSPORT):
local_address = home_address_1 &
remote_address = home_agent_1 &
proto = ICMPv6 & icmp6_type = MPS
6.4. Payload Packets
Regular payload traffic between the mobile node and the correspondent
node tunneled through the home agent can be protected by IPsec, if
required. The mobile node and the home agent use ESP in tunnel mode
to protect the tunneled traffic. The SPD and SAD entries shown in
Section 5.2.4 of [3] are applicable here.
Devarapalli & Dupont Standards Track [Page 14]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
7. Dynamic Configuration
This section describes the use of IKEv2 to set up the required
security associations.
7.1. Peer Authorization Database Entries
The following describes PAD entries on the mobile node and the home
agent. The PAD entries are only example configurations. Note that
the PAD is a logical concept; a particular mobile node and a home
agent can implement the PAD in an implementation-specific manner.
The PAD state may also be distributed across various databases in a
specific implementation.
mobile node PAD:
- IF remote_identity = home_agent_identity_1
Then authenticate (shared secret/certificate/)
and authorize CHILD_SA for remote address home_agent_1
home agent PAD:
- IF remote_identity = user_1
Then authenticate (shared secret/certificate/EAP)
and authorize CHILD_SAs for remote address home_address_1
The list of authentication mechanisms in the above examples is not
exhaustive. There could be other credentials used for authentication
stored in the PAD.
In case of dynamic home address assignment, the home agent creates a
temporary PAD entry linking the authenticated peer identity and the
newly allocated home address.
7.2. Security Policy Database Entries
The following sections describe the security policy entries on the
mobile node and the home agent. The SPD entries are only example
configurations. A particular mobile node implementation and a Home
Agent implementation could configure different SPD entries as long as
they provide the required security of the Mobile IPv6 signaling
messages.
In the examples shown below, the identity of the user of the mobile
node is assumed to be user_1, the home address of the mobile node is
assumed to be home_address_1, the primary care-of address of the
mobile node is assumed to be care_of_address_1, and the IPv6 address
of the Home Agent is assumed to be home_agent_1.
Devarapalli & Dupont Standards Track [Page 15]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
7.2.1. Binding Updates and Acknowledgements
The following are the SPD entries on the mobile node and the home
agent for protecting Binding Updates and Acknowledgements.
mobile node SPD-S:
- IF local_address = home_address_1 &
remote_address = home_agent_1 &
proto = MH & local_mh_type = BU & remote_mh_type = BAck
Then use SA ESP transport mode
Initiate using IDi = user_1 to address home_agent_1
home agent SPD-S:
- IF local_address = home_agent_1 &
remote_address = home_address_1 &
proto = MH & local_mh_type = BAck & remote_mh_type = BU
Then use SA ESP transport mode
In the examples shown above, the home address of the mobile node
might not be available all the time. For instance, the mobile node
might not have configured a home address yet. When the mobile node
acquires a new home address, it must either add the address to the
corresponding SPD entries or create the SPD entries for the home
address.
The home agent should have named SPD entries per mobile node, based
on the identity of the mobile node. The identity of the mobile node
is stored in the "Name" selector in the SPD [5]. The home address
presented by the mobile node during the IKE negotiation is stored as
the remote IP address in the resultant IPsec security associations.
If the mobile node dynamically configures a home agent and the home
address, the home agent may not know which mobile nodes it is
supposed to be serving. Therefore, the home agent cannot have SPD
entries configured per mobile node. Instead, the home agent should
have generic SPD entries to prevent mobility header traffic that
requires IPsec protection from bypassing the IPsec filters. Once a
mobile node authenticates to the home agent and configures a home
address, appropriate SPD entries are created for the mobile node.
The Mobility Header message type is negotiated by placing it in the
most significant eight bits of the 16-bit local "port" selector
during IKEv2 exchange. For more details, refer to [5]. The TSi and
TSr payloads in the above examples will contain many other selectors
apart from home_address_1. For the sake of brevity, we show only
those values that are relevant for Mobile IPv6.
Devarapalli & Dupont Standards Track [Page 16]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
7.2.2. Return Routability Messages
The following are the SPD entries on the mobile node and the home
agent for protecting the Return Routability messages.
mobile node SPD-S:
- IF local_address = home_address_1 & remote_address = any &
proto = MH & local_mh_type = HoTi & remote_mh_type = HoT
Then use SA ESP tunnel mode
Initiate using IDi = user_1 to address home_agent_1
home agent SPD-S:
- IF local_address = any & remote_address = home_address_1 &
proto = MH & local_mh_type = HoT & remote_mh_type = HoTi
Then use SA ESP tunnel mode
When the mobile node's care-of address changes, the SPD entries on
both the mobile node and the home agent must be updated. The home
agent knows about the change in care-of address of the mobile node
when it receives a Binding Update from the mobile node.
7.2.3. Mobile Prefix Discovery Messages
The following are the SPD entries on the mobile node and the home
agent for protecting Mobile Prefix Discovery messages.
mobile node SPD-S:
- IF local_address = home_address_1 &
remote_address = home_agent_1 &
proto = ICMPv6 & local_icmp6_type = MPS &
remote_icmp6_type = MPA
Then use SA ESP transport mode
Initiate using IDi = user_1 to address home_agent_1
home agent SPD-S:
- IF local_address = home_agent_1 &
remote_address = home_address_1 &
proto = ICMPv6 & local_icmp6_type = MPA &
remote_icmp6_type = MPS
Then use SA ESP transport mode
In the examples shown above, the home address of the mobile node
might not be available all the time. When the mobile node acquires a
new home address, it must add the address to the corresponding SPD
entries.
Devarapalli & Dupont Standards Track [Page 17]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
The TSi and TSr payloads in the above examples will contain many
other selectors apart from home_address_1. For brevity, they are not
shown here.
7.2.4. Payload Packets
The following are the SPD entries on the mobile node and the home
agent if payload traffic exchanged between the mobile node and its
Correspondent Node needs to be protected. The SPD entries are
similar to the entries for protecting Return Routability messages and
have lower priority than the above SPD entries.
mobile node SPD-S:
- IF interface = IPv6 tunnel to home_agent_1 &
source = home_address_1 & destination = any & proto = X
Then use SA ESP tunnel mode
Initiate using IDi = user_1 to address home_agent_1
home agent SPD-S:
- IF interface = IPv6 tunnel to home_address_1 &
source = any & destination = home_address_1 & proto = X
Then use SA ESP tunnel mode
7.3. Security Association Negotiation Using IKEv2
Mobile IPv6 signaling messages are typically initiated by the mobile
node. The mobile node sends a Binding Update to the home agent
whenever it moves and acquires a new care-of address.
The mobile node initiates an IKEv2 protocol exchange if the required
security associations are not present. A possible mechanism used for
mutual authentication is a shared secret between the mobile node and
the home agent. The home agent uses the identity of the mobile node
to identify the corresponding shared secret. When a public-key-based
mechanism is available, it should be the preferred mechanism for
mutual authentication.
If a shared secret is being used, the mobile node uses the shared
secret to generate the AUTH payload in the IKE_AUTH exchange. If the
mobile node is using a public-key-based mechanism, then it uses its
private key to generate the AUTH payload in the IKE_AUTH exchange.
Devarapalli & Dupont Standards Track [Page 18]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
Mobile Node Home Agent
----------- ----------
HDR, SAi1, KEi, Ni -->
<-- HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
AUTH, SAi2, TSi, TSr}
-->
<-- HDR, SK {IDr, [CERT,] AUTH,
SAr2, TSi, TSr}
The mobile node always includes its identity in the IDi payload in
the IKE_AUTH exchange. The mobile node could use the following
different types of identities to identify itself to the home agent.
o Home Address - The mobile node could use its statically configured
home address as its identity. In this case the ID Type field is
set to ID_IPV6_ADDR.
o FQDN - The mobile node can use a Fully Qualified Domain Name as
the identifier and set the ID Type field to ID_FQDN.
o RFC 822 identifier - If the mobile node uses a RFC 822 identifier
[9], it sets the ID Type field to ID_RFC822_ADDR.
The above list of identities is not exhaustive.
In the IKE_AUTH exchange, the mobile node includes the home address
and the appropriate selectors in the TSi (Traffic Selector-initiator)
payload to negotiate IPsec security associations for protecting the
Binding Update and Binding Acknowledgement messages. The mobile node
MAY use a range of selectors that includes the mobility message types
for Binding Update and Binding Acknowledgement to use the same pair
of IPsec security associations for both messages.
After the IKE_AUTH exchange completes, the mobile node initiates
CREATE_CHILD_SA exchanges to negotiate additional security
associations for protecting Return Routability signaling, Mobile
Prefix Discovery messages, and (optionally) payload traffic. The
CREATE_CHILD_SA exchanges are protected by IKEv2 security
associations created during the IKE_SA_INIT exchange. If a
correspondent node, that is also a mobile node, initiates the return
routability exchange, then the home agent initiates the
CREATE_CHILD_SA exchange to negotiate security associations for
protecting Return Routabilty messages.
Devarapalli & Dupont Standards Track [Page 19]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
It is important that the security associations are created based on
the home address of the mobile node, so that the security
associations survive care-of address change. The mobile node MUST
use its home address as the initiator IP address in the TSi payload
in the CREATE_CHILD_SA exchange in order to create the IPsec security
associations for the home address.
Mobile Node Home Agent
----------- ----------
HDR, SK {[N], SA, Ni, [KEi],
[TSi, TSr]} -->
<-- HDR, SK {SA, Nr, [KEr],
[TSi, TSr]}
When PKI-based authentication is used between the mobile node and the
Home Agent, the identity presented by the mobile node in the IDi
payload MUST correspond to the identity in the certificate obtained
by the Home Agent. The home agent uses the identity presented in the
IDi payload to lookup the policy and the certificate that corresponds
to the mobile node. If the mobile node presents its home address in
the IDi payload, then the home agent MUST verify that the home
address matches the address in an iPAddress field in the
SubjectAltName extension [8].
When the mobile node uses its home address in the IDi field,
implementations are not required to match the source address in the
outermost IP header with the IP address in the IDi field. According
to RFC 4306 [4], the IP header fields in the IKEv2 messages are
ignored and used only in the IP headers for IKEv2 messages sent as
replies.
7.4. Movements and Dynamic Keying
If the mobile node moves and its care-of address changes, the IKEv2
SA might not be valid. RFC 3775 defines a mechanism based on the
successful exchange of Binding Update and Binding Acknowledgement
messages. The mobile node establishes the IKE SA with the home agent
using its primary care-of address. The IKE SA endpoints are updated
on the home agent when it receives the Binding Update from the mobile
node's new care-of address and on the mobile node when it sends the
Binding Update to the home agent or when it receives the Binding
acknowledgement sent by the home agent. This capability to change
IKE endpoints is indicated through setting the Key Management
Capability (K) flag [2] in the Binding Update and Binding
Acknowledgement messages. If the mobile node or the home agent does
Devarapalli & Dupont Standards Track [Page 20]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
not support this capability, and has no other means to update the
addresses, then an IKEv2 exchange MUST be initiated to re-establish a
new IKE SA.
8. The Use of EAP Authentication
In addition to using public key signatures and shared secrets, EAP
[10] can be used with IKEv2 for authenticating the mobile node to the
home agent.
The mobile node indicates that it wants to use EAP by including the
IDi payload but leaving out the AUTH payload in the first message
during the IKE_AUTH exchange. The home agent then includes an EAP
payload if it is willing to use an extensible authentication method.
Security associations are not created until the subsequent IKE_AUTH
exchange after successful EAP authentication. The use of EAP adds at
least two round trips to the IKE negotiation. The number of round
trips depends on the EAP method used.
Mobile Node Home Agent
------------ ----------
HDR, SAi1, KEi, Ni -->
<-- HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {IDi, [CERTREQ,] [IDr,]
SAi2, TSi, TSr}-->
<-- HDR, SK {IDr, [CERT,] AUTH,
EAP }
.
.
.
HDR, SK {EAP} -->
<-- HDR, SK {EAP (success)}
HDR, SK {AUTH} -->
<-- HDR, SK {AUTH, SAr2, TSi,
TSr}
When EAP is used, the identity presented by the mobile node in the
IDi field may not be the actual identity of the mobile node. It
could be set to an identity that is used only for Authentication,
Authorization, and Accounting (AAA) routing purposes and selecting
the right EAP method. It is possible that the actual identity is
Devarapalli & Dupont Standards Track [Page 21]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
carried inside EAP, invisible to the home agent. While IKEv2 does
not allow an EAP Identity Request/Response message exchange, EAP
methods may exchange identities within themselves. In this case, the
home agent MUST acquire the mobile node's identity from the
corresponding AAA server. How the home agent acquires the mobile
node's identity is out of scope for this document.
Some EAP methods, when used with IKEv2, generate a shared key on the
mobile node and the Home Agent once the EAP authentication succeeds.
This shared key is used to generate the AUTH payloads in the
subsequent IKEv2 messages. The shared key, if used to generate the
AUTH payloads, MUST NOT be used for any other purpose. For more
details, refer to [4].
The use of EAP between the mobile node and the home agent might
require the home agent to contact an authorization server like the
AAA Home server, on the home link, to authenticate the mobile node.
Please refer to [7] for more details.
9. Dynamic Home Address Configuration
The mobile node can dynamically configure a home address by including
a Configuration Payload in the IKE_AUTH exchange, with a request for
an address from the home link. The mobile node should include a
zero-length INTERNAL_IP6_ADDRESS attribute in the CFG_REQUEST
Payload. The mobile node MAY include multiple instances of the
INTERNAL_IP6_ADDRESS to request multiple home address to the assigned
by the home agent.
When the home agent receives a configuration payload with a
CFG_REQUEST for INTERNAL_IP6_ADDRESS, it replies with a valid home
address for the mobile node. The INTERNAL_IP6_ADDRESS attribute in
the CFG_REPLY contains the prefix length of the home prefix in
addition to a 128 bit home address. The home agent could use a local
database or contact a DHCPv6 server on the home link to allocate a
home address. The duration for which the home address is allocated
to the mobile node is the same as the duration for which an IKEv2
security association exists between the mobile node and the home
agent. If the IKEv2 security association is rekeyed, the home
address lifetime is also extended.
Devarapalli & Dupont Standards Track [Page 22]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
Mobile Node Home Agent
----------- ----------
HDR, SK {IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, CP(CFG_REQUEST),
SAi2, TSi, TSr}
-->
<-- HDR, SK {IDr, [CERT,] AUTH,
CP(CFG_REPLY), SAr2,
TSi, TSr}
The mobile node could suggest a home address that it wants to use in
the CFG_REQUEST. For example, this could be a home address that was
allocated for the mobile node before or an address that the mobile
node auto-configured from the IPv6 prefix on the home link. The Home
Agent could let the mobile node use the same home address by setting
the INTERNAL_IP6_ADDRESS attribute in the CFG_REPLY payload to the
same home address. If the home agent wants the mobile node to use a
different home address, it sends a new home address in the
INTERNAL_IP6_ADDRESS attribute in the CFG_REPLY payload. The Mobile
Node MUST stop using its old home address and start using the newly
allocated home address.
In case the home agent is unable to allocate a home address for the
mobile node during the IKE_AUTH exchange, it MUST send a Notify
Payload with an INTERNAL_ADDRESS_FAILURE message. When the mobile
node receives a Notify Payload with an INTERNAL_ADDRESS_FAILURE
message, it SHOULD terminate the IKE_AUTH exchange. The mobile node
then should initiate a new IKE_SA_INIT and IKE_AUTH exchange and try
to auto-configure a home address as described in [13]. The mobile
node MAY also switch to another home agent. The new home agent
address can be obtained by consulting a home agent list received
during a previous home agent discovery phase or, if such list is
empty or not available, by attempting a new home agent discovery.
If the mobile node wants to configure a DNS server from the home
link, it can request the DNS server information by including an
INTERNAL_IP6_DNS attribute in the CFG_REQUEST payload.
10. Security Considerations
This document describes how IPsec can be used to secure Mobile IPv6
signaling messages. Please refer to RFC 3775 [2] for security
considerations related to the use of IPsec with Mobile IPv6.
A misbehaving mobile node could create IPsec security associations
for a home address that belongs to another mobile node. Therefore,
the home agent should check if a particular mobile node is authorized
Devarapalli & Dupont Standards Track [Page 23]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
to use a home address before creating IPsec security associations for
the home address. If the home address is assigned as described in
Section 9, the home agent MUST associate the home address with the
identity used in IKE negotiation. The home agent MAY store the
assigned home address in the SPD entries created for the mobile node.
The use of EAP for authenticating the mobile node to the home agent
is described in Section 8. Security considerations related to the
use of EAP with IKEv2 are described in [4].
11. Acknowledgements
The authors would like to thank Mika Joutsenvirta, Pasi Eronen, Jari
Arkko, Gerardo Giaretta, Shinta Sugimoto, Tero Kivinen, Steve
Bellovin, Kilian Weniger, and Vijay Gurbani for reviewing the
document.
Many of the requirements listed in Section 4 are copied from RFC
3776. Therefore, the authors of RFC 3776 are acknowledged.
12. References
12.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
IPv6", RFC 3775, June 2004.
[3] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to
Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
Agents", RFC 3776, June 2004.
[4] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[5] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
[6] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
12.2. Informative References
[7] Giaretta, G., "AAA Goals for Mobile IPv6", Work in Progress,
September 2006.
Devarapalli & Dupont Standards Track [Page 24]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
[8] Korver, B., "The Internet IP Security PKI Profile of IKEv1/
ISAKMP, IKEv2, and PKIX", Work in Progress, February 2007.
[9] Crocker, D., "Standard for the format of ARPA Internet text
messages", STD 11, RFC 822, August 1982.
[10] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)",
RFC 3748, June 2004.
[11] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[12] Sugimoto, S., "PF_KEY Extension as an Interface between Mobile
IPv6 and IPsec/IKE", Work in Progress, September 2006.
[13] Giaretta, G., "Mobile IPv6 bootstrapping in split scenario",
Work in Progress, December 2006.
Authors' Addresses
Vijay Devarapalli
Azaire Networks
3121 Jay Street
Santa Clara, CA 95054
USA
EMail: vijay.devarapalli@azairenet.com
Francis Dupont
CELAR
EMail: Francis.Dupont@fdupont.fr
Devarapalli & Dupont Standards Track [Page 25]
^L
RFC 4877 Mobile IPv6 with IKEv2 and IPsec April 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Devarapalli & Dupont Standards Track [Page 26]
^L
|
