MOPO-IKE (draft-eronen-mobike-mopo-00)
Pasi Eronen
MOBIKE WG, IETF60

Overview
• Yet another protocol proposal for the MOBIKE WG
• Not a continuation of draft-eronen-mobike-simple-00 (“SMOBIKE”)

Window size
• Works with window size 1
  • Even if something else was going on when mobility occurs
  • In either direction

Connectivity information 1/3
• A changes its address, and B has several addresses…
  1. B’s address stays the same
     • Assumes all address pairs are connected
     • Protocol does not require address lists
  2. A has prior knowledge (obtained in some unspecified way) of which of B’s addresses is the right one
  3. Protocol provides a way to find out which combinations work

Connectivity information 2/3
• A does not get an answer to an IKE request. Where is the problem?
  1. Assume the problem is at A
     • Try different source addresses
  1.5 Assume the problem is at B
     • Try different addresses for B
  2. Either or both parties have knowledge (obtained in some unspecified way, e.g. from L2) about where the problem is
  3. Provide a way to locate the problem

Connectivity information 3/3
• MOPO-IKE supports both 2 and 3
  • If we have local information, use it
  • If we don’t, find out
• Can be combined: if we have some limited information, less testing may be required

NATs
• Design issue: Is it possible to enable/disable NAT-T within a single IKE SA?
• Yes. Moving behind a NAT enables NAT Traversal (UDP encapsulation, address updates and keepalives); moving back to the clear disables them.
• Certain cases where the gateway (outside the NAT) changes addresses don’t work

NAT prevention
• IKEv2/IPsec without NAT-T can actually work with some types of NATs
• Some think this is a problem
  • Related to 3rd-party bombing
• Solution orthogonal to the rest of the protocol
Return routability
• Always verifies RR before updating IPsec SAs
  • Both ways, if both addresses are changed
• Can verify RR also between updates (“continued return routability”)
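The two mechanisms above (probing address pairs with or without local hints, from the “Connectivity information” slides, and verifying return routability before an IPsec SA is moved to a new address) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the draft or its author; the host names, addresses, the reachability table and the cookie exchange are all constructed for illustration, and the address-update message format is a simplification of whatever the real protocol carries.

```python
"""Model of two MOPO-IKE ideas: probing address pairs (optionally guided by local
knowledge) and verifying return routability before updating an IPsec SA.
All names, addresses and the reachability table below are constructed."""
import secrets

# Constructed reachability table: (A's address, B's address) -> does the pair work?
REACHABLE = {
    ("a1", "b1"): False,
    ("a1", "b2"): True,
    ("a2", "b1"): True,
    ("a2", "b2"): True,
}


def find_working_pair(a_addrs, b_addrs, reachable, hint=None):
    """Probe address pairs in order until one works.

    `hint` is optional local knowledge (e.g. from L2) listing pairs to try first;
    with a good hint fewer probes are needed.  Returns (pair, probes_sent), where
    pair is None if no combination worked.
    """
    order = [p for p in (hint or []) if p[0] in a_addrs and p[1] in b_addrs]
    order += [(a, b) for a in a_addrs for b in b_addrs if (a, b) not in order]
    for probes, pair in enumerate(order, start=1):
        if reachable.get(pair, False):
            return pair, probes
    return None, len(order)


class Network:
    """Toy network: every address belongs to exactly one host, and a message sent
    to an address lands only in that host's inbox."""

    def __init__(self, owners):
        self.owners = owners  # address -> host name
        self.inbox = {host: [] for host in set(owners.values())}

    def deliver(self, addr, msg):
        self.inbox[self.owners[addr]].append((addr, msg))


class Responder:
    """Peer B: keeps the IPsec SA's peer address and changes it only after a
    fresh cookie sent to the claimed new address comes back from that address."""

    def __init__(self, network, peer_addr):
        self.network = network
        self.sa_peer_addr = peer_addr
        self.pending = {}  # cookie -> claimed address awaiting RR confirmation

    def on_address_update(self, claimed_addr):
        cookie = secrets.token_hex(16)
        self.pending[cookie] = claimed_addr
        # The RR probe goes to the NEW address, not to the one currently in the SA.
        self.network.deliver(claimed_addr, cookie)

    def on_cookie_reply(self, src_addr, cookie):
        claimed = self.pending.pop(cookie, None)
        if claimed is None or claimed != src_addr:
            return False  # unknown cookie, or echoed from a different address
        self.sa_peer_addr = claimed
        return True


def run_update(claimed_addr, honest_host="A"):
    """A tells B to move the SA to `claimed_addr`; returns B's SA peer address afterwards.
    Host A owns a1 and a2; v1 belongs to an unrelated host (constructed)."""
    net = Network({"a1": "A", "a2": "A", "v1": "Other"})
    b = Responder(net, peer_addr="a1")
    b.on_address_update(claimed_addr)
    # A can only echo cookies that actually arrived at an address it owns.
    for addr, cookie in net.inbox[honest_host]:
        b.on_cookie_reply(addr, cookie)
    return b.sa_peer_addr


if __name__ == "__main__":
    print(find_working_pair(["a1", "a2"], ["b1", "b2"], REACHABLE))
    print(find_working_pair(["a1", "a2"], ["b1", "b2"], REACHABLE, hint=[("a2", "b1")]))
    print(run_update("a2"))  # A really owns a2: SA moves
    print(run_update("v1"))  # A does not own v1: SA stays at a1
```

The second `run_update` call is the case the “NAT prevention” slide alludes to: an update naming an address the peer does not control never passes the cookie check, so the SA (and the traffic it carries) is not redirected there. Note that `find_working_pair` with a hint tries the hinted pair first and falls back to exhaustive probing, which is the “can be combined” point from Connectivity information 3/3.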
UDP encapsulation without NATs
• For stateful firewalls that block incoming ESP (without UDP encapsulation)
• Orthogonal to the rest of the protocol

Non-features
• Does not modify traffic selectors (i.e. no transport mode for e.g. SCTP)
• Assumes NATs don’t appear “out of the blue” on existing links
• No “zero address set”