This draft proposes the use of Mobile IPv6 for seamless and secure access to the network inside the home (HomeLAN). The concept is to have the Mobile Node (MN) always connected to the home link and to utilize link-local communication for zero-configuration setup. The draft introduces new flags and options for requesting the bypass of specific link-local multicast traffic and for alternate interface identifiers. Security considerations include the need for proper authentication and for confidentiality of the data traffic through the use of IPsec (ESP) tunnel mode.
Using Mobile IPv6 for HomeLAN Access (draft-sugimoto-mip6-homelan-access-00.txt), Shinta Sugimoto
Motivation/Background
• Seamless and secure access to the network inside the home (HomeLAN) is needed: a user may want to access resources inside his/her home remotely in a seamless manner.
• Mobile IPv6 may fit well in this scenario: its concept is that the MN is assured to be always (virtually) connected to the ‘home link’.
• Applications or application frameworks designed for the HomeLAN environment may rely on link-local communication to realize ‘zero-conf’: the handiness of link-local scope addresses allows fast and easy setup when connecting to the network (auto-configuration). UPnP assumes that link-local scope is the default scope in which SSDP runs.
• RFC 3775 does not allow the HA to forward link-local traffic (MUST NOT).
Extensions to BU message
• ‘S’ flag: introduces the ‘S’ flag in order to allow the MN to utilize a link-local home address.
• Link-local Scope Multicast Address option: allows the MN to request the bypassing of particular link-local multicast traffic; protocol, port number, and link-local scope multicast address can be specified. Valid only when the ‘S’ flag is set in the BU message.
• Alternate Interface Identifier option: allows the MN to request an alternate interface identifier to be used for the lower 64 bits of the link-local home address. Valid only when the ‘S’ flag is set in the BU message.
Security Considerations
• The proposal can lead to exposing the network internals to a third party. In other words, off-path eavesdropping could become possible.
• Access inside the HomeLAN must not be granted without proper authentication. Confidentiality of the data traffic must also be provided (MUST use ESP tunnel mode with non-null encryption).
Summary
• The MN may utilize a link-local scope home address by sending a BU message with the ‘S’ flag set.
• The MN may additionally request the bypassing of specific link-local scope multicast traffic by including the Link-local Scope Multicast Address option.
• The HA maintains a local policy of bypass rules upon receiving a BU message with the Link-local Scope Multicast Address option.
• Use of an IPsec tunnel (ESP tunnel mode) is highly recommended in this particular scenario.
• The MN can provide a “virtual home interface,” which is logically tied to a binding association with the HA. Care should be taken when the MN returns home, as the “virtual home interface” should remain active even though there is no binding association.
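The HA-side logic sketched on the extensions and security slides, as an added example that is not part of the draft or these slides: the BU is modelled as a data structure (not the wire format, since the option type codes are not given here), the two new options are honoured only when the ‘S’ flag is set, the link-local home address is derived from the MN's or the alternate interface identifier, and link-local traffic is tunnelled only when a bypass rule matches and the tunnel is ESP with non-null encryption. The SSDP group ff02::c on UDP port 1900 used in the comments is a constructed sample.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Optional

FE80 = int(IPv6Address("fe80::"))   # link-local prefix; IID fills the low 64 bits

@dataclass(frozen=True)
class BypassRule:
    """One Link-local Scope Multicast Address option: protocol, port, group."""
    protocol: int          # IP protocol number, e.g. 17 for UDP
    port: int
    group: IPv6Address     # link-local scope multicast address

@dataclass
class BindingUpdate:
    """Fields of the BU relevant to this draft (a model, not the wire format)."""
    mn_iid: int            # MN's own 64-bit interface identifier
    s_flag: bool = False   # request a link-local scope home address
    bypass: list = field(default_factory=list)   # BypassRule entries
    alt_iid: Optional[int] = None                # Alternate Interface Identifier option

@dataclass
class Binding:
    home_addr: Optional[IPv6Address]   # link-local home address; None without 'S'
    rules: frozenset                    # HA's local bypass policy for this MN

def process_bu(bu: BindingUpdate) -> Binding:
    """HA side: both new options are valid only when 'S' is set."""
    if not bu.s_flag:
        if bu.bypass or bu.alt_iid is not None:
            raise ValueError("option present without 'S' flag; reject BU")
        return Binding(None, frozenset())
    iid = bu.mn_iid if bu.alt_iid is None else bu.alt_iid
    if not 0 <= iid < (1 << 64):
        raise ValueError("interface identifier must be 64 bits")
    for r in bu.bypass:   # groups must be link-local scope multicast (ffX2::/16)
        if not (r.group.is_multicast and (int(r.group) >> 112) & 0xF == 2):
            raise ValueError(f"{r.group} is not link-local scope multicast")
    return Binding(IPv6Address(FE80 | iid), frozenset(bu.bypass))

def ha_forwards(b: Binding, dst: IPv6Address, protocol: int, port: int,
                esp_non_null: bool) -> bool:
    """Does the HA tunnel this link-local packet to the MN? Default (RFC 3775): no."""
    if b.home_addr is None or not esp_non_null:   # no 'S' binding, or tunnel not encrypted
        return False
    if dst.is_multicast:   # e.g. SSDP: group ff02::c, UDP (17), port 1900
        return BypassRule(protocol, port, dst) in b.rules
    return dst == b.home_addr
```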