Diff: draft-ietf-mext-mip6-tls-03.txt -> draft-ietf-mext-mip6-tls-04.txt
(text common to both versions is shown once; where the versions differ, the
two readings are marked [-03: ...] and [-04: ...])

Mobility Extensions (MEXT)                              J. Korhonen, Ed.
Internet-Draft                                    Nokia Siemens Networks
Intended status: Experimental                                   B. Patil
Expires: [-03: August 18, 2012] [-04: September 13, 2012]          Nokia
                                                          H. Tschofenig
                                                  Nokia Siemens Networks
                                                          D. Kroeselberg
                                                                 Siemens
                          [-03: February 15, 2012] [-04: March 12, 2012]

     Transport Layer Security-based Mobile IPv6 Security Framework for
                  Mobile Node to Home Agent Communication
   [-03: draft-ietf-mext-mip6-tls-03.txt] [-04: draft-ietf-mext-mip6-tls-04.txt]
Abstract

   Mobile IPv6 signaling between a mobile node and its home agent is
   secured using IPsec.  The security association between a mobile node
   and the home agent is established using IKEv1 or IKEv2.  The security
   model specified for Mobile IPv6, which relies on IKE/IPsec, requires
   interaction between the Mobile IPv6 protocol component and the IKE/
   IPsec module of the IP stack.  This document proposes an alternate
   security framework for Mobile IPv6 and Dual-Stack Mobile IPv6, which

   [skipping to change at page 1, line 45]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-03: August 18, 2012]
   [-04: September 13, 2012].

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 3, line 22]
   7.  Route Optimization . . . . . . . . . . . . . . . . . . . . . . 28
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 29
     8.1.  New Registry: Packet Type  . . . . . . . . . . . . . . . . 29
     8.2.  Status Codes . . . . . . . . . . . . . . . . . . . . . . . 29
     8.3.  Port Numbers . . . . . . . . . . . . . . . . . . . . . . . 29
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 30
     9.1.  Discovery of the HAC . . . . . . . . . . . . . . . . . . . 30
     9.2.  Authentication and Key Exchange executed between the
           MN and the HAC . . . . . . . . . . . . . . . . . . . . . . 30
     9.3.  Protection of MN and HA Communication  . . . . . . . . . . 33
     9.4.  AAA Interworking . . . . . . . . . . . . . . [-03: 34] [-04: 35]
   10. Acknowledgements . . . . . . . . . . . . . . . . [-03: 34] [-04: 35]
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 35
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 35
     11.2. Informative References . . . . . . . . . . . [-03: 35] [-04: 36]
   Authors' Addresses . . . . . . . . . . . . . . . . . [-03: 36] [-04: 37]
1.  Introduction

   Mobile IPv6 [RFC6275] signaling, and optionally user traffic, between
   a mobile node (MN) and home agent (HA) are secured by IPsec
   [RFC4301].  The current Mobile IPv6 security architecture is
   specified in [RFC3776] and [RFC4877].  This security model requires a
   tight coupling between the Mobile IPv6 protocol part and the IKE(v2)/
   IPsec part of the IP stack.  Client implementation experience has
   shown that the use of IKE(v2)/IPsec with Mobile IPv6 is fairly

   [skipping to change at page 30, line 34]
   to the scope of this document.

9.2.  Authentication and Key Exchange executed between the MN and the
      HAC

   This document describes a simple authentication and MN-HA SA
   negotiation exchange over TLS.  The TLS procedures remain unchanged;
   however, channel binding is provided.

   Authentication:  Server-side certificate-based authentication MUST be
      performed using TLS 1.2 [RFC5246].

      [-04 adds the following text:]  The MN MUST verify the HAC's TLS
      server certificate, using either subjectAltName extension
      [RFC5280] dNSName identities as described in [RFC6125] or
      subjectAltName iPAddress identities.  In the case of iPAddress
      identities, the MN MUST check the IP address of the TLS connection
      against these iPAddress identities and SHOULD reject the
      connection if none of the iPAddress identities match the
      connection.  In the case of dNSName identities, the rules and
      guidelines defined in [RFC6125] apply here, with the following
      considerations:

      *  Support for the DNS-ID identifier type (the dNSName identity in
         the subjectAltName extension) is REQUIRED in the HAC and MN TLS
         implementations.

      *  DNS names in HAC server certificates MUST NOT contain the
         wildcard character "*".

      *  The CN-ID MUST NOT be used for authentication within the rules
         described in [RFC6125].

      *  The MN MUST set its "reference identifier" to the DNS name of
         the HAC.

      The client-side authentication may depend on the specific
      deployment and is therefore not mandated.  Note that TLS-PSK
      [RFC4279] cannot be used in conjunction with the methods described
      in Sections 5.8 and 5.9 of this document due to the limitations of
      the channel binding type used.

   Through the protected TLS tunnel, an additional authentication
      exchange is performed that provides client-side or mutual
      authentication and exchanges SA parameters and optional
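The server-certificate identity rules that -04 adds to Section 9.2, worked through as an added Python illustration (not code from the draft or from any Mobile IPv6 or TLS implementation): DNS-ID or iPAddress subjectAltName entries only, no wildcard names, no CN-ID fallback. The subjectAltName entries, host names and addresses are constructed sample values, and the (type, value) tuple form of a parsed SAN entry is an assumption about what the TLS library hands back.

```python
"""MN-side identity check of the HAC's TLS server certificate (added
illustration of the -04 rules; constructed sample data, not draft code)."""
import ipaddress

# Constructed sample: subjectAltName entries of a HAC certificate as a TLS
# library might return them after parsing, as (type tag, value) tuples.
SAMPLE_SAN = [
    ("dNSName", "hac1.example.net"),
    ("iPAddress", "2001:db8::1"),
    ("iPAddress", "192.0.2.10"),
]


def verify_hac_identity(san, reference_identifier=None, connection_ip=None):
    """Return (ok, reason).  Pass reference_identifier (the HAC's DNS name the
    MN was configured with) for the dNSName case, or connection_ip (the peer
    address of the TLS connection) for the iPAddress case, as in Section 9.2."""
    # Only the two permitted SAN identity types are consulted; a commonName or
    # any other subject field is ignored, which is what "CN-ID MUST NOT be
    # used" amounts to in code.
    dns_ids = [v for t, v in san if t == "dNSName"]
    ip_ids = [v for t, v in san if t == "iPAddress"]

    # A wildcard in any dNSName makes the certificate non-compliant with the
    # draft, whichever identity type the MN is matching against.
    if any("*" in name for name in dns_ids):
        return False, "wildcard dNSName present"

    if reference_identifier is not None:
        # DNS-ID comparison: exact match, case-insensitive for ASCII labels as
        # RFC 6125 requires, with a trailing dot tolerated on either side.
        ref = reference_identifier.rstrip(".").lower()
        if any(name.rstrip(".").lower() == ref for name in dns_ids):
            return True, "DNS-ID match"
        return False, "no DNS-ID matches reference identifier"

    if connection_ip is not None:
        # iPAddress comparison: compare parsed addresses, not strings, so that
        # textual variants of one IPv6 address (case, zero compression) match.
        peer = ipaddress.ip_address(connection_ip)
        for value in ip_ids:
            try:
                if ipaddress.ip_address(value) == peer:
                    return True, "iPAddress match"
            except ValueError:
                continue  # a malformed entry cannot match anything
        return False, "no iPAddress identity matches the connection"

    return False, "no reference identifier or connection address given"
```

The function reports a non-match rather than closing the connection itself, because the draft phrases rejection in the iPAddress case as a SHOULD and leaves that decision to the MN.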
   [skipping to change at [-03: page 35, line 42] [-04: page 36, line 20]]

   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
              Channels", RFC 5056, November 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [-04 adds:]
   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5929]  Altman, J., Williams, N., and L. Zhu, "Channel Bindings
              for TLS", RFC 5929, July 2010.

   [RFC6275]  Perkins, C., Johnson, D., and J. Arkko, "Mobility Support
              in IPv6", RFC 6275, July 2011.

11.2.  Informative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              August 1980.

   [skipping to change at [-03: page 37, line 5] [-04: page 37, line 31]]

   [RFC5555]  Soliman, H., "Mobile IPv6 Support for Dual Stack Hosts and
              Routers", RFC 5555, June 2009.

   [RFC5944]  Perkins, C., "IP Mobility Support for IPv4, Revised",
              RFC 5944, November 2010.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

   [-04 adds:]
   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.
Authors' Addresses

   Jouni Korhonen (editor)
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo  FIN-02600
   Finland

   Email: jouni.nospam@gmail.com

   Basavaraj Patil
   Nokia
   6021 Connection Drive
   Irving, TX  75039
   USA

   Email: basavaraj.patil@nokia.com

   Hannes Tschofenig
   Nokia Siemens Networks

End of changes.  10 change blocks.
10 lines changed or deleted, 40 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/