110 likes | 237 Views
MOPO-IKE (draft-eronen-mobike-mopo-00). Pasi Eronen. Overview. Yet another protocol proposal for MOBIKE WG Not a continuation of draft-eronen-mobike-simple-00 (“SMOBIKE”). Window size. Works with window size 1 Even if something else was going on when mobility occurs In either direction.
E N D
MOPO-IKE(draft-eronen-mobike-mopo-00) Pasi Eronen MOBIKE WG, IETF60
Overview • Yet another protocol proposal for MOBIKE WG • Not a continuation of draft-eronen-mobike-simple-00 (“SMOBIKE”) MOBIKE WG, IETF60
Window size • Works with window size 1 • Even if something else was going on when mobility occurs • In either direction MOBIKE WG, IETF60
Connectivity information 1/3 • A changes its address, and B has several addresses… 1. B’s address stays the same • Assumes all address pairs are connected • Protocol does not require address lists 2. A has prior knowledge (obtained in some unspecified way) which of B’s addresses is the right one 3. Protocol provides a way to find out which combinations work MOBIKE WG, IETF60
Connectivity information 2/3 • A does not get an answer to an IKE request. Where is the problem? 1. Assume the problem is at A • Try different source addresses 1.5 Assume the problem is at B • Try different addresses for B 2. Either or both parties have knowledge (obtained in some unspecified way, e.g. L2) about where the problem is 3. Provide a way to locate problem MOBIKE WG, IETF60
Connectivity information 3/3 • MOPO-IKE supports both 2 and 3 • If we have local information, use it • If we don’t, find out • Can be combined: if we have some limited information, less testing may be required MOBIKE WG, IETF60
NATs • Design issue: Is it possible to enable/disable NAT-T within a single IKE SA? • Yes. Moving behind NAT enables NAT Traversal (UDP encapsulation, address updates and keepalives), moving back to clear disables them. • Certain cases where the gateway (outside NAT) changes addresses don’t work MOBIKE WG, IETF60
NAT prevention • IKEv2/IPsec without NAT-T can actually work with some types of NATs • Some think this is a problem • Related to 3rd party bombing • Solution orthogonal from the rest of the protocol MOBIKE WG, IETF60
Return routability • Always verifies RR before updating IPsec SAs • Both ways, if both addresses are changed • Can verify RR also between updates (“continued return routability”) MOBIKE WG, IETF60
UDP encapsulation without NATs • For stateful firewalls that block incoming ESP (without UDP encapsulation) • Orthogonal from the rest of the protocol MOBIKE WG, IETF60
Non-features • Does not modify traffic selectors (i.e. no transport mode for e.g. SCTP) • Assumes NATs don’t appear “out of the blue” on existing links • No “zero address set” MOBIKE WG, IETF60