draft-ietf-mobileip-vpn-problem-solution-02 sami vaarala netseal
draft-ietf-mobileip-vpn-problem-solution-02
Sami Vaarala
Netseal
Outline
• Design team conclusions and rationale
• Three layer solution
• Summary and status of solution draft
• Optimizations and improvements
Design team conclusions and rationale
• Decided to document base approach
  – Favor solution with minimal changes to standards
  – Optimizations considered (but postponed)
• We need an internal home agent
  – The MN needs to be able to move inside
  – But overhead of always tunnelling to the DMZ was considered to be too high
• We need an external mobility agent
  – IPsec does not have standardized mobility (SA endpoint update), and we want "seamless" mobility even when outside
  – We need to support FAs in the external networks => the lowest layer must speak MIP
• Some problems left out of scope for now
  – E.g. networks with only HTTP access
Three layer solution – Topology
[Topology figure. Labels: Firewall, DMZ, External Home Agent, VPN, Internal Home Agent, External network, Internal network (e.g. corporate network), MN (drawn in both networks), CN. Tunnels drawn: External MIPv4 tunnel, IPsec tunnel, Internal MIPv4 tunnel.]
Three layer solution – MN inside (1)
[Message sequence diagram. Participants: MN, Ext. HA, Int. HA, VPN GW, CN. The MN sends an RRQ to both the internal HA and the external HA (double registration). After the internal HA's RRP: "Internal MIP tunnel OK", followed by "Data traffic (w/ reverse tunnelling)" between MN and CN via the internal HA. Annotation: "If external HA responds, deregister"; shown as an RRQ (dereg.) to the external HA answered by an RRP.]
Three layer solution – MN inside (2)
[Message sequence diagram. Participants: MN, Ext. HA, Int. HA, VPN GW, CN. "Data traffic (w/ reverse tunnelling)" is flowing; annotation: "MN moves and gets a new care-of address"; the MN sends an RRQ to the internal HA and receives an RRP: "Internal MIP tunnel OK"; "Data traffic (w/ reverse tunnelling)" resumes.]
Three layer solution – MN outside (1)
[Message sequence diagram. Participants: MN, Ext. HA, Int. HA, VPN GW, CN. RRQ / RRP with the external HA: "External MIP tunnel OK"; "IKE + VPN address assignment" with the VPN GW: "IPsec tunnel OK"; RRQ / RRP with the internal HA (through the IPsec tunnel): "Internal MIP tunnel OK"; then "Data packets (w/ reverse tunnelling)". Annotation: "All data goes through the internal HA, even if CN is outside".]
Three layer solution – MN outside (2)
[Message sequence diagram. Participants: MN, Ext. HA, Int. HA, VPN GW, CN. "External MIP tunnel OK"; "Data packets (w/ reverse tunnelling)" are flowing; annotation: "MN moves and gets a new care-of address"; the MN sends an RRQ to the external HA and receives an RRP; "Data packets (w/ reverse tunnelling)" resume.]
Three layer solution – Pros and Cons
• Pros
  – Only mobile node aware of solution
  – No changes to IPsec or Mobile IPv4 standards
  – Existing VPN, HA, FA boxes can be used
• Cons
  – Overhead (latency, packet size)
  – Three layers to manage (e.g. authentication)
  – Software complexity
• Three layers != three boxes
  – Combined VPN+HA box possible
Summary of the solution draft
• Solution draft
  – Applicability statement of MIPv4 & IPsec
  – for enterprise mobile users
  – only imposes requirements on the mobile node
• What's there in addition to standards?
  – Scenarios, message and packet diagrams
  – Network detection requirements and basic algorithm
    • important because it has major security impact!
    • double registration, trust (only) internal HA reply
  – Other security considerations
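The network detection rule above (double registration, trust only an authenticated internal HA reply) as an added example in Python; this is not the draft's code. It models the MIPv4 Mobile-Home Authentication Extension as an HMAC-MD5 over a few reply fields, and the keys, identification value and message layout are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed per-HA keys: in MIPv4 the MN shares a key with each home agent
# (Mobile-Home Authentication Extension, HMAC-MD5 in RFC 3344).
KEYS = {"internal_ha": b"mn-internal-ha-key", "external_ha": b"mn-external-ha-key"}

@dataclass
class RegistrationReply:
    sender: str           # claimed origin: "internal_ha" or "external_ha"
    code: int             # 0 = registration accepted
    identification: int   # echoed from the RRQ, used for replay protection
    authenticator: bytes  # HMAC-MD5 over sender, code and identification

def make_reply(sender, code, identification, key):
    data = f"{sender}|{code}|{identification}".encode()
    return RegistrationReply(sender, code, identification,
                             hmac.new(key, data, hashlib.md5).digest())

def reply_is_authentic(reply, key, expected_identification):
    if reply.identification != expected_identification:
        return False  # stale or replayed reply
    data = f"{reply.sender}|{reply.code}|{reply.identification}".encode()
    expected = hmac.new(key, data, hashlib.md5).digest()
    return hmac.compare_digest(expected, reply.authenticator)

def detect_network(replies, identification):
    """Double registration: the MN sent an RRQ to both HAs and now inspects the
    replies. Only an authentic, accepting reply from the internal HA proves the
    MN is inside; a spoofed, replayed or missing internal reply leaves it
    outside, where all traffic goes through the IPsec tunnel."""
    inside = any(r.sender == "internal_ha" and r.code == 0 and
                 reply_is_authentic(r, KEYS["internal_ha"], identification)
                 for r in replies)
    external_answered = any(r.sender == "external_ha" and
                            reply_is_authentic(r, KEYS["external_ha"], identification)
                            for r in replies)
    if inside:
        actions = ["use internal MIP tunnel"]
        if external_answered:
            actions.append("deregister from external HA")
        return "inside", actions
    return "outside", ["register with external HA", "bring up IPsec tunnel",
                       "register with internal HA through VPN"]
```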
Solution draft status
• -02
  – Missing minor comments from design team
  – Security review by Radia pending
• Plan
  – Final design team round => -03
  – Working group review => -04
  – Last call
Optimizations and improvements
• Scoped outside base solution draft
  – Interesting because of base solution overhead
  – Worst case – 129 octets / packet
    • Really the worst case, NAT on each layer
• Approaches collapse tunnelling some way
  – Combined VPN/FA device
  – IPsec mobility
    • SA endpoint update
  – Zero-overhead MIP tunnelling
    • address switching
• Improve security of network detection
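The 129-octet worst case can be reproduced with this per-layer overhead calculator, an added example that is not part of the presentation or the draft. It assumes RFC 3519 UDP tunnelling for a MIP layer behind a NAT, ESP tunnel mode with RFC 3948 UDP encapsulation behind a NAT, 3DES-CBC (8-octet IV and block) and HMAC-SHA1-96; the slides state none of these sizes.

```python
# Header sizes assumed for this calculator (not stated on the slides):
IP_HDR = 20             # IPv4 header without options
UDP_HDR = 8
MIP_UDP_TUNNEL_HDR = 4  # RFC 3519 MIP tunnel data message header
ESP_HDR = 8             # ESP SPI + sequence number
ESP_IV = 8              # 3DES-CBC IV
ESP_BLOCK = 8           # 3DES-CBC block size
ESP_TRAILER = 2         # pad length + next header
ESP_ICV = 12            # HMAC-SHA1-96 integrity check value

def mip_tunnel_overhead(nat):
    """IP-in-IP encapsulation normally; UDP tunnelling (RFC 3519) behind a NAT."""
    return (IP_HDR + UDP_HDR + MIP_UDP_TUNNEL_HDR) if nat else IP_HDR

def esp_tunnel_overhead(inner_len, nat):
    """ESP tunnel mode around an inner packet of inner_len octets; UDP
    encapsulation (RFC 3948) behind a NAT. Padding brings the encrypted
    part (inner packet + pad + trailer) up to a multiple of the block size."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK
    return (IP_HDR + (UDP_HDR if nat else 0) + ESP_HDR + ESP_IV
            + pad + ESP_TRAILER + ESP_ICV)

def three_layer_overhead(payload_len, nat_internal, nat_vpn, nat_external):
    """Octets added to a payload of payload_len by the three layers:
    internal MIP tunnel, then IPsec tunnel, then external MIP tunnel."""
    inner_overhead = mip_tunnel_overhead(nat_internal)
    esp_overhead = esp_tunnel_overhead(payload_len + inner_overhead, nat_vpn)
    return inner_overhead + esp_overhead + mip_tunnel_overhead(nat_external)

def worst_case_overhead():
    """NAT on each layer and the least favourable payload length for padding."""
    return max(three_layer_overhead(n, True, True, True) for n in range(ESP_BLOCK))

def best_case_overhead():
    """No NAT anywhere and a payload length that needs no padding."""
    return min(three_layer_overhead(n, False, False, False) for n in range(ESP_BLOCK))
```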
Thank you!
Questions?