--- 1/draft-ietf-mobike-design-07.txt 2006-03-03 22:12:36.000000000 +0100 +++ 2/draft-ietf-mobike-design-08.txt 2006-03-03 22:12:36.000000000 +0100 @@ -1,19 +1,19 @@ IKEv2 Mobility and Multihoming T. Kivinen (mobike) Safenet, Inc. Internet-Draft H. Tschofenig -Expires: July 31, 2006 Siemens - January 27, 2006 +Expires: September 4, 2006 Siemens + March 3, 2006 Design of the MOBIKE Protocol - draft-ietf-mobike-design-07.txt + draft-ietf-mobike-design-08.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -24,21 +24,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on July 31, 2006. + This Internet-Draft will expire on September 4, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract The MOBIKE (IKEv2 Mobility and Multihoming) is an extension of the Internet Key Exchange Protocol version 2 (IKEv2). These extensions should enable an efficient management of IKE and IPsec Security @@ -393,70 +393,67 @@ MOBIKE peers. MOBIKE interacts with the packet processing module of the IPsec implementation using an internal API (such as those based on PF_KEY [RFC2367]). Using this API, the MOBIKE module can create entries in the Security Association (SAD) and Security Policy Databases (SPD). The packet processing module of the IPsec implementation may also interact with IKEv2 and MOBIKE module using this API. The content of the Security Policy and Security Association Databases determines what traffic is protected with IPsec in which fashion. MOBIKE, on the other hand, receives information from a number of sources that may run both in kernel-mode and in - user-mode. Information relevant for MOBIKE might be stored in a - database. The content of such a database, along with the occurrence - of events of which the MOBIKE process is notified, form the basis on - which MOBIKE make decisions regarding the set of available addresses, - the peer address set, and the preferred address. Policies may also - affect the selection process. + user-mode. These sources form the basis on which MOBIKE make + decisions regarding the set of available addresses, the peer address + set, and the preferred address. Policies may also affect the + selection process. The peer address set and the preferred address needs to be made available to the other peer. In order to address certain failure cases, MOBIKE should perform connectivity tests between the peers (potentially over a number of different paths). Although a number of address pairs may be available for such tests, the most important is the pair (source address, destination address) of the current path. This is because this pair is selected for sending and receiving MOBIKE signaling and IPsec traffic. If a problem along this current path is detected (e.g., due to a router failure) it is necessary to switch to a new current path. In order to be able to do so quickly, it may be helpful to perform connectivity tests of other paths periodically. Such a technique would also help in identifying previously disconnected paths that become operational again. - +-------------+ +---------+ - |User-space | | MOBIKE | - |Protocols | +-->>| Module | - |relevant for | | | | - |MOBIKE | | +---------+ - +-------------+ | ^ - User Space ^ | ^ - ++++++++++++++++++++++++++++ API ++++++ API ++++ PF_KEY ++++++++ - Kernel Space v | v - _______ | v - +-------------+ / \ | +--------------+ - |Routing | / Trigger \ | | IPsec | - |Protocols |<<-->>| Database |<<-+ +>+ Engine | - | | \ / | | (+Databases) | - +-----+---+---+ \_______/ | +------+-------+ - ^ ^ ^ | ^ - | +---------------+-------------+--------+-----+ - | v | | | - | +-------------+ | | | - I | |Kernel-space | | | | I - n | +-------->+Protocols +<----+-----+ | | n - t v v |relevant for | | v v v t - e +----+---+-+ |MOBIKE | | +-+--+-----+-+ e - r | Input | +-------------+ | | Outgoing | r - f | Packet +<--------------------------+ | Interface | f - ==a>|Processing|===============================| Processing |=a> - c | | | | c - e +----------+ +------------+ e - s s + +---------------------+ +----------------+ + | User-space | | | + | Protocols and | | MOBIKE and | + | Functions Relevant |<---------->| IKEv2 Module | + | MOBIKE (e.g., DHCP, | | | + | policies) | +----------------+ + +---------------------+ ^ + ^ | + | | User space + ++++++++++API++++++++++++++++++++++++++++PF_KEY+++++++++++++++ + | | Kernel space + | v + | +----------------+ + v | | + +---------------------+ | IPsec engine | + | Kernel-space |<---------->| (and databases)| + | Protocols | | | + | Relevant for | +----------------+ + | MOBIKE (e.g., ND, | ^ + | DNA, L2) |<---------------+ | + +---------------------+ v v + || +----------------+ + \/ | | + Inter- =====================>| IP forwarding, | + faces <=====================|input and output| + | | + +----------------+ + ===> = IP packets arriving/leaving a MOBIKE node <-> = control and configuration operations Figure 3: Framework Please note that Figure 3 illustrates an example of how a MOBIKE implementation could work. Hence, it serves illustrative purposes only. 5. Design Considerations @@ -1243,43 +1240,43 @@ [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. 10.2. Informative References [I-D.ietf-mobike-protocol] Eronen, P., "IKEv2 Mobility and Multihoming Protocol - (MOBIKE)", draft-ietf-mobike-protocol-07 (work in - progress), December 2005. + (MOBIKE)", draft-ietf-mobike-protocol-08 (work in + progress), February 2006. [I-D.ietf-shim6-failure-detection] Arkko, J. and I. Beijnum, "Failure Detection and Locator Pair Exploration Protocol for IPv6 Multihoming", draft-ietf-shim6-failure-detection-03 (work in progress), December 2005. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [RFC4225] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E. Nordmark, "Mobile IP Version 6 Route Optimization Security Design Background", RFC 4225, December 2005. [I-D.ietf-hip-mm] Nikander, P., "End-Host Mobility and Multihoming with the - Host Identity Protocol", draft-ietf-hip-mm-02 (work in - progress), July 2005. + Host Identity Protocol", draft-ietf-hip-mm-03 (work in + progress), March 2006. [I-D.crocker-celp] Crocker, D., "Framework for Common Endpoint Locator Pools", draft-crocker-celp-00 (work in progress), February 2004. [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson, "Stream Control Transmission Protocol", RFC 2960, October 2000. @@ -1327,22 +1324,22 @@ [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation", RFC 3424, November 2002. [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and A. Rayhan, "Middlebox communication architecture and framework", RFC 3303, August 2002. [I-D.ietf-nsis-nslp-natfw] Stiemerling, M., "NAT/Firewall NSIS Signaling Layer - Protocol (NSLP)", draft-ietf-nsis-nslp-natfw-08 (work in - progress), October 2005. + Protocol (NSLP)", draft-ietf-nsis-nslp-natfw-09 (work in + progress), February 2006. [Aur02] Aura, T., Roe, M., and J. Arkko, "Security of Internet Location Management", In Proc. 18th Annual Computer Security Applications Conference, pages 78-87, Las Vegas, NV USA, December 2002. Authors' Addresses Tero Kivinen Safenet, Inc.