90 likes | 172 Views
Security issues related to HMIPv6. H.Soliman@flarion.com. Current Security scheme. Current scheme relies on IPsec Static or dynamic keying possible – Dynamic is more realistic MN picks an RCoA and binds it with the LCoA.
E N D
Security issues related to HMIPv6 H.Soliman@flarion.com
Current Security scheme • Current scheme relies on IPsec • Static or dynamic keying possible – Dynamic is more realistic • MN picks an RCoA and binds it with the LCoA. • MAP makes sure that no other MN is using the RCoA (check list of used addresses during IKE policy check). • MN need not pick a specific RCoA (NOT like the HoA).
Issues raised • Technically there is no problem with current solution. • Use of Certificates on the host is difficult. Reasons not clear, some guesses below: • Configuration and renewal of Certs on host does not use standard mechanisms (?) • Some operators might want to reuse existing security credentials (e.g. AAA credentials).
Different trust models for deployment • Authentication only model • Authentication and Authorisation model • Both models addressed in the current draft.
Different HMIPv6 deployment scenarios – Authentication only MAP IKE/IPsec Only Mutual authentication required. All MNs are authorised to use the MAP and get an RCoA.
Different HMIPv6 deployment scenarios – Authentication and authorisation (A) Home CA-MN MAP Local IKE/IPsec MAP needs to authorise the MN for the service. In the current scheme Authorisation is done based on MN Cert.
Different HMIPv6 deployment scenarios – Authentication and authorisation (B) Home AAAH EAP-RADUS/Diameter AAAL MAP IKEv2 (EAP)/IPsec MAP needs to authorise the MN for the service. MN AAA credentials are used over EAP with AAAL or AAAH. IKEv2 used to setup IPsec SA after EAP is done.
Sumary of solution set • Authentication only: • IKE/IPsec • Possible new solution => CGAs • Authentication and Authorisation: • IKE/IPsec if CAs are applicable. Allows for roaming based on trust between different CAs. • IKEv2(EAP)/IPsec if there is a need to reuse AAA credenticals.
Way forward • Keep the current mechanism in HMIPv6 as default. • Propose new mechanism for nomad scenario (Authentication only). • Work started on CGAs for HMIPv6 • Move curent HMIPv6 to PS after a little cleanup. • Another possible area of improvement for new specs: • Improving inter-MAP domain handovers.