[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 RFC 7651

IPSECME WG                                                      A. Noble
Internet-Draft                                             S. Gundavelli
Intended status: Standards Track                                   Cisco
Expires: February 22, 2014                                   J. Korhonen
                                                          Renesas Mobile
                                                             F. Baboescu
                                                    Broadcom Corporation
                                                         August 21, 2013


                       3GPP IMS Option for IKEv2
            draft-gundavelli-ipsecme-3gpp-ims-options-01.txt

Abstract

   This document defines two new configuration attributes for Internet
   Key Exchange Protocol version 2 (IKEv2).  These attributes can be
   used for carrying the IPv4 and IPv6 address of the Proxy-Call Control
   and Service function (P-CSCF).  This is one of the few methods that
   an IPsec client can obtain the IP address of the P-CSCF function
   located in the home network.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 22, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Noble, et al.           Expires February 22, 2014               [Page 1]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Conventions and Terminology . . . . . . . . . . . . . . . . . . 3
     2.1.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . 4
     2.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4
   3.  P-CSCF_IP4_ADDRESS Configuration Attribute  . . . . . . . . . . 4
   4.  P-CSCF_IP6_ADDRESS Configuration Attribute  . . . . . . . . . . 5
   5.  Example Scenario  . . . . . . . . . . . . . . . . . . . . . . . 5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 8




























Noble, et al.           Expires February 22, 2014               [Page 2]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


1.  Introduction

   The 3GPP S2b reference point [TS23402], specified by the 3GPP system
   architecture defines a mechanism for allowing a mobile node attached
   in an untrusted non-3GPP IP Access Network to securely connect to the
   3GPP home network and access IP services.  In this scenario, the
   mobile node establishes an IPsec tunnel to the security gateway
   called ePDG and which in turn establishes a PMIPv6/GTP tunnel to the
   PDN gateway where the mobile node's session is anchored.  The below
   figure shows the interworking option for Untrusted Non-3GPP access.



                                 +------------+
                                 |    ePDG    |
                                 | +--------+ |
   +------+        _----_        | | IPsec  | |      _----_      +-----+
   |  MN  |      _(      )_      | | Module | |    _(      )_    | LMA |
   |      |<====( Internet )=====| +--------+ |===( Operator )===|(PGW)|
   +------+      (_      _)      |      :     |    (_Network_)   +-----+
                   '----'        | +--------+ |      '----'
                  IPsec Tunnel   | | PMIPv6 | |  PMIPv6/GTP Tunnel
                                 | |   MAG  | |
                                 | +--------+ |
                                 +------------+

      |<------------ IKEv2/IPsec ------> | <-------------PMIPv6/GTP-->|


           Figure 1: Exchange of IPv4 Traffic Offload Selectors

   A mobile node in this scenario may potentially need to access the IMS
   services in the home network.  Currently, there are no attributes in
   IKEv2 that can be used for carrying these information elements.  In
   the absence of these Attributes the mobile node needs to be
   statically configured with this information and this is proving to be
   an operational challenge.

   This specification therefore defines two new IKEv2 attributes
   [RFC5996] that allows an IPsec gateway to provide the IPv4 and/or
   IPv6 address of the P-CSCF function.  These attributes can be
   exchanged by IKEv2 peers as part of the configuration payload
   exchange.


2.  Conventions and Terminology





Noble, et al.           Expires February 22, 2014               [Page 3]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


2.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Terminology

   All the IKEv2 related terms used in this document are to be
   interpreted as defined in [RFC5996] and [RFC5739].  All the mobility
   related terms are to interpreted as defined in [RFC5213] and
   [RFC5844].  Additionally, this document uses the following terms:

   Proxy-Call Session Control Function (P-CSCF)

      The P-CSCF is the entry point to the 3GPP IMS (IP Multimedia
      Subsystem) domain and serves as the outbound proxy server for the
      mobile node.  The mobile node attaches to the P-CSCF prior to
      performing IMS registrations and initiating SIP sessions.


3.  P-CSCF_IP4_ADDRESS Configuration Attribute

   The P-CSCF_IP4_ADDRESS configuration attribute is formatted as
   follows:


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|        Attribute Type       |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         IPv4 Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


                     Figure 2: IPv4 Address of P-CSCF

   Reserved (1 bit)
      Refer to IKEv2 specification

   Attribute Type (15 bits)
      <IANA-1>

   Length (2 octets)
      Length of the value field in octets.  In this case, its 4.





Noble, et al.           Expires February 22, 2014               [Page 4]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


   IPv4 Address (4 octets)
      An IPv4 address of the P-CSCF function.

   Multiple instances of this Attribute with different values can be
   present in the configuration payload and there is no implied
   preferrential order.


4.  P-CSCF_IP6_ADDRESS Configuration Attribute

   The P-CSCF_IP4_ADDRESS configuration attribute is formatted as
   follows:


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|        Attribute Type       |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                                                               |
   |                          IPv6 Address                         |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


                     Figure 3: IPv6 Address of P-CSCF

   Reserved (1 bit)
      Refer to IKEv2 specification

   Attribute Type (15 bits)
      <IANA-1>

   Length (2 octets)
      Length of the value field in octets.  In this case, its 16.

   IPv6 Address (16 octets)
      An IPv4 address of the P-CSCF function.

   Multiple instances of this Attribute with different values can be
   present in the configuration payload and there is no implied
   preferrential order.


5.  Example Scenario

   The mobile node MAY request the IP address of an P-CSCF function as



Noble, et al.           Expires February 22, 2014               [Page 5]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


   shown below.



         Client      Gateway
        --------    ---------

         HDR(IKE_SA_INIT), SAi1, KEi, Ni  -->

                  <--  HDR(IKE_SA_INIT), SAr1, KEr, Nr, [CERTREQ]

         HDR(IKE_AUTH),
         SK { IDi, CERT, [CERTREQ], AUTH, [IDr],
              CP(CFG_REQUEST) =
                 { INTERNAL_IP4_ADDRESS(),
                   INTERNAL_IP4_DNS(),
                   P-CSCF_IP4_ADDRESS,
                   P-CSCF_IP6_ADDRESS }, SAi2,
              TSi = (0, 0-65535, 0.0.0.0-255.255.255.255),
              TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) }  -->

                <--  HDR(IKE_AUTH),
                     SK { IDr, CERT, AUTH,
                          CP(CFG_REPLY) =
                             { INTERNAL_IP4_ADDRESS(192.0.2.234),
                                              P-CSCF_IP4_ADDRESS,
                                              P-CSCF_IP6_ADDRESS,
                               INTERNAL_IP4_DNS(198.51.100.33) },
                          SAr2,
                          TSi = (0, 0-65535, 192.0.2.234-192.0.2.234),
                          TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) }


                    Figure 4: P-CSCF Attribute Exchange


6.  IANA Considerations

   This document requires the following two IANA actions.

   o  Action-1: This specification defines a new IKEv2 attribute for
      carrying the IPv4 address of P-CSCF function.  This attribute is
      defined in Section 3.  The Type value for this Attribute needs to
      be assigned from the IKEv2 Configuration Payload Attribute Types
      namespace defined in [RFC5996].

   o  Action-2: This specification defines a new IKEv2 attribute for
      carrying the IPv6 address of P-CSCF function.  This attribute is



Noble, et al.           Expires February 22, 2014               [Page 6]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


      defined in Section 4.  The Type value for this Attribute needs to
      be assigned from the IKEv2 Configuration Payload Attribute Types
      namespace defined in [RFC5996].


7.  Security Considerations

   This document is an extension to IKEv2 [RFC5996] and therefore it
   inherits all the security properties of IKEv2.

   The two new IKEv2 attributes defined in this specification are for
   carrying the IPv4 and IPv6 address of the P-CSCF function.  These
   attributes can be exchanged by IKE peers as part of the configuration
   payload and the currently defined IKEv2 security framework provides
   the needed integrity and privacy protection for these attributes.
   Therefore this specification does not introduce any new security
   vulnarabilities.


8.  Acknowledgements

   The Authors would like to thank Vojislav Vuecetic, Heather Sze,
   Sebastian Speicher, Maulik Vaidya and Tiro Kivinen for all the
   discussions related to this topic.


9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

9.2.  Informative References

   [RFC5213]  Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K.,
              and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.

   [RFC5739]  Eronen, P., Laganier, J., and C. Madson, "IPv6
              Configuration in Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 5739, February 2010.

   [RFC5844]  Wakikawa, R. and S. Gundavelli, "IPv4 Support for Proxy
              Mobile IPv6", RFC 5844, May 2010.



Noble, et al.           Expires February 22, 2014               [Page 7]


Internet-Draft          3GPP IMS Option for IKEv2            August 2013


   [TS23402]  3GPP, "Architecture enhancements for non-3GPP accesses",
              2012.


Authors' Addresses

   Aeneas Noble
   Cisco
   30 International Pl
   TEWKSBURY, MASSACHUSETTS  95134
   USA

   Email: noblea@cisco.com


   Sri Gundavelli
   Cisco
   170 West Tasman Drive
   San Jose, CA  95134
   USA

   Email: sgundave@cisco.com


   Jouni Korhonen
   Renesas Mobile
   Porkkalankatu 24
   Helsinki  FIN-00180
   Finland

   Email: jouni.nospam@gmail.com


   Florin Baboescu
   Broadcom Corporation
   100 Mathilda Place
   Sunnyvale, CA  94086
   USA

   Email: baboescu@broadcom.com>











Noble, et al.           Expires February 22, 2014               [Page 8]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/