Network Working Group                                   Stephane Antoine
Internet-Draft                               France Telecom Research and
Intended status: Standards Track                             Development
Expires: February 9, 2008                                August 08, 2007


                  Mobility using Proxy MIP and Mobike
                 draft-antoine-mip4-proxymobike-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   This document may not be modified, and derivative works of it may not
   be created.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 9, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   The simultaneous use of Mobike and Mobile IPv4 has been proposed to
   provide secure connectivity and session continuity to roaming
   corporate users.  Optimization of this solution have eliminated the
   tunneling overhead of Mobile IPv4 in the vpn tunnel by having a
   Foreign Agent co-located to the mobile vpn gateway.  This document
   further proposes an interaction between Mobike and Proxy Mobile IP



Stephane Antoine        Expires February 9, 2008                [Page 1]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


   that simplifies implementation and deployment of the previous
   methods.  The mobile vpn gateway is co-located to the Mobility Proxy
   Agent and each Access Point in the corporate network is equipped with
   Proxy Mobile IP.  When moving outside the corporate network, the
   Mobile Node secure connectivity and session continuity is handled by
   Mobike.  Proxy Mobile IP alone is used to handle mobility when the
   Mobile Node moves within the corporate network.  This document
   introduces an interaction between Internet Key Exchange v2 and Proxy
   Mobile IP in which the Internet Key Exchange AUTH request triggers
   the Proxy Mobile IP registration request to the internal Home Agent.
   This interaction easily allows the Mobile Node's home address to be
   used as vpn Tunnel Inner Address.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Architecture and solution overview . . . . . . . . . . . . . .  3
   4.  Solution description . . . . . . . . . . . . . . . . . . . . .  5
     4.1.  VPN establishment and HoA address acquisition. . . . . . .  5
     4.2.  Detecting that MN has moved into the trusted network.  . .  6
     4.3.  Moving to the trusted network  . . . . . . . . . . . . . .  6
     4.4.  Moving outside the trusted network . . . . . . . . . . . .  6
     4.5.  Moving back to an un-trusted network . . . . . . . . . . .  7
     4.6.  Moving within the enterprise network . . . . . . . . . . .  7
   5.  Routing considerations . . . . . . . . . . . . . . . . . . . .  7
   6.  Packet formats . . . . . . . . . . . . . . . . . . . . . . . .  7
   7.  Solution Benefits  . . . . . . . . . . . . . . . . . . . . . .  8
     7.1.  Simplicity . . . . . . . . . . . . . . . . . . . . . . . .  8
     7.2.  Reduction of the overhead  . . . . . . . . . . . . . . . .  8
   8.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . .  8
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
   10. Normative References . . . . . . . . . . . . . . . . . . . . .  9
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . .  9
   Intellectual Property and Copyright Statements . . . . . . . . . . 10















Stephane Antoine        Expires February 9, 2008                [Page 2]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


1.  Introduction

   To provide secure connectivity and session continuity to corporate
   users a combination of mobike and Mobile IPv4 (MIPv4) has been
   proposed [SECURE].  Mobike is used to achieve vpn session continuity
   as the Mobile Node (MN) is moving outside the corporate network
   premises.  The MIPv4 session alone which is anchored to an internal
   Home Agent (i-HA) is used to handle mobility as the MN is moving
   inside the corporate network.  To eliminate the overhead of MIPv4 in
   the vpn tunnel, an optimisation introduced a Foreign Agent (FA) co-
   located with the mobile VPN (mVPN) gateway.  However this
   optimisation introduced complexity in setting the MN's Home address
   as the vpn tunnel inner address.  In the present document, a
   combination of Mobike and Proxy MIP eliminates the previous problems.
   The Proxy Mobility Agent is co-located to the mVPN gateway.  Outside
   the corporate network, the MN uses Mobike for secure connectivity and
   session continuity.  When the MN moves within the corporate network,
   proxy MIP alone is used with the i-HA to maintain the MN's session
   continuity.  The Internet Key Exchange (IKEv2) AUTH request triggers
   the Proxy MIP (PMIP) registration hence making it easy for the Home
   Address to be assigned as the vpn Tunnel Inner Address (TIA).  It
   also removes some complexity as the MN only has an instance of Mobike
   on the MN and its mobility inside the corporate network is handled by
   the network through Proxy MIP.

   .


2.  Terminology

   The terminology in [SECURE] applies for this document and we further
   introduce the following terms: GMPA: Gateway Mobility Proxy Agent.
   MPA collocated to the mVPN gateway. i-MPA: Internal Mobility Proxy
   Agent residing in the trusted enterprise network.


3.  Architecture and solution overview

   The architecture considered involved a mVPN Gateway, the
   demilitarized zone and the internal network which is the trusted
   network










Stephane Antoine        Expires February 9, 2008                [Page 3]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


     (MN)                                        (MN)     [i-HA]
      !                                            \     /
    .------.                                      .-+---+-.
   (        )                                    (         )
    -------                      [mVPN/GMPA]       --+----
      \                             !                 !
       [R/(MPA)]                 .--+--.             [AR/MPA]
        \                       ( DMZ   )             !
        .+------------.          --+----        .-----+------.
       (               )            !          (              )
       ( external net  +---[R]----[FW]----[R]--+ internal net )
       (               )                       (              )
        -----+---------                         ---+---+------
            /                                     /     \
   [DHCP] [R]                          [DHCP]   [AR/MPA] [AR/MPA][i-MPA]
      \   /                               \     /          \    /
      .+-+---.                            .-+-+--.       .--+--+-.
     (        )                          (        )     (         )
       --+---                             --+----        ---+-----
         !                                  !               !
        (MN)                               (MN)            (MN)


   Figure 1: Network topology with GMPA colocated with VPN Gateway

   The architecture described supports PMIP in the corporate network.
   In this architecture, it is assumed that every Access Point or Access
   Router (AR) in the corporate network is a MPA implementing the
   functionalities of PMIP.  In this architecture, the MPAs and the i-HA
   are not directly accessible from the external network.  The mobility
   service provided by the i-HA is not available to un-trusted users.
   When a trusted MN moves within the corporate network, PMIP is used to
   maintain the MN session continuity.  The MPA maintains a valid
   Binding cache entry at all times at the Home Agent mapping the Home
   address to the current CoA (Address of the MPA or of the FA).
   Whenever, the MN attaches a new MPA, the MPA sends a registration
   request to update the binding cache entry for that MN.  If the mobile
   node moves while outside the enterprise and its access network
   changes, it uses the MOBIKE protocol [MOB] to update the VPN gateway
   of its current address.  When the MN is connected to the same VPN
   Gateway, the GMPA still maintains a valid binding cache entry at the
   i-HA.  The i-HA is not aware of the mobile node's movement as long as
   the MN is attached to the same VPN gateway and the GMPA address
   remains the same.  In order to maintain session continuity of the MN
   as it moves between networks, the Home Address (HoA) stays unchanged.
   If the MN had to change VPN gateway, the new GMPA would update the
   i-HA with the new Care of Address.




Stephane Antoine        Expires February 9, 2008                [Page 4]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


4.   Solution description

   The few set of functionality introduced in the document are depicted
   in this section.

4.1.  VPN establishment and HoA address acquisition.

   To use the MN's HoA as the vpn TIA, the current solution proposes
   that the IKE AUTH request of the vpn session establishment triggers
   the Proxy MIP registration.  Figure 2 illustrates the interaction
   between the IKEv2 signalling exchange and the first proxy MIP
   registration.



    MN                   mVPN/GMPA                      i-HA
    |                         |                          |
    |------------------------>|                          |
   1| IKE_SA_INIT             |                          |
    |<------------------------|                          |
    |                         |                          |
    |IKE_AUTH request         |                          |
   2|------------------------>|                          |
    |IDi=NAI                  |                          |
    |CP_CFG_REQUEST           |                          |
    |initial address= 0.0.0.0 |                          |
    |                         |                          |
    |                         |   Reg_Req: (HoA=0.0.0.0) |
    |                         |3------------------------>|
    |                         |<------------------------4|
    |                         |       Reg_Repl (HoA)     |
    | IKE_AUTH response       |                          |
   5| <-----------------------|                          |
    |CP(CFG_REPLY)= Internal_address (HoA)               |
    |                         |                          |

   Figure 2: Initial registration and HoA acquisition

   1.  The first message exchange is the IKE_SA_INIT.

   2.  The MN presents its NAI in the IDi (Identification of initiator)
       payload of the IKE_AUTH request.  The GMPA will use the NAI to
       send the Registration request for the MN.  IKE_AUTH request will
       also contain a CP_CFG_REQUEST payload containing the internal
       address 0.0.0.0 indicating that the MN is requesting an IP
       address from the internal network.





Stephane Antoine        Expires February 9, 2008                [Page 5]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


   3.  Following the Reception of the IKE_AUTH request and correct
       processing, the GMPA sends a Registration Request to the i-HA.

   4.  The i-HA will return the HoA to be allocated to the MN in the
       Registration reply.

   5.  When the GMPA receives the Reg_Reply with the HoA, the mVPN sends
       that HoA in the CP(CFG_REPLY) payload of the IKE_AUTH response.

4.2.  Detecting that MN has moved into the trusted network.

   When a new network becomes available, the MN performs network access
   authentication on that network.  During this authentication, the MN
   presents its NAI to the Access Router.  Alternatively, if network
   access authentication is not required, the client Fully Qualified
   Domain Name (FQDN) sub-option [DHCP] will present the MN's FQDN to
   the AR.  Assuming that in each MPA of the trusted network, it exists
   a mapping between the FQDN and the NAI; the MN will be identified by
   that mapping.  The AR/MPA then sends a Proxy Registration Request for
   the MN's NAI to the i-HA address.  The MN uses reception of native
   unprotected data to its HoA as an indication that it is in the
   trusted network.

4.3.  Moving to the trusted network

   In the trusted network, the MN does not use the vpn tunnel to send
   and receive traffic.  So the vpn tunnel may be torn down when the MN
   detects that it has moved in the trusted network.  The SAs that used
   to protect the traffic between the MN and the mVPN gateway can be
   deleted.  To that end the MN can send a Mobike DELETE message (with
   address 0.0.0.0) to the mVPN gateway.  The IPsec SA can be created
   when required.  The MN may have to re-negotiate IKEv2 SA to prevent
   the IKE SA from expiring.  This negotiation can be done through the
   old network if it is still available or through the internal network
   if the vpn gateway is reachable from the internal network.

4.4.  Moving outside the trusted network

   Mobike is used to handle mobility of the MN when it is roaming
   outside the trusted network.  The HoA which is the VPN TIA stays
   unchanged to maintain session continuity.  When the MN disconnects
   from the VPN gateway or attaches a different VPN gateway, it should
   re-connect and obtain the same VPN TIA as the previous one.  This
   will allow sessions to survive VPN disconnection as the Mobility
   Bindings for the MN's HoA at the i-HA have remained in spite of the
   VPN disconnection.





Stephane Antoine        Expires February 9, 2008                [Page 6]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


4.5.  Moving back to an un-trusted network

   After detecting that it has moved outside the trusted network, the MN
   will re-establish the VPN connection with possibly the old IKE SA it
   had before tearing the VPN tunnel down.  The mobile node may not have
   to re-negotiate the IKEv2 SA if it has maintained the VPN states
   alive in the VPN gateway while it was receiving traffic directly from
   the trusted network [SECURE].

4.6.  Moving within the enterprise network

   Within the corporate network, PMIP as described in [PMIP4] is
   handling mobility of MN with the i-HA serving as the mobility anchor.


5.   Routing considerations

   The GMPA is configured with the i-HA as its default router.  Packets
   from the MN are de-capsulated by the m-VPN gateway which, pass the
   inner packets to the GMPA.  The GMPA reverse tunnel them in IP to the
   i-HA.  Packets from the i-HA are de-capsulated by the GMPA and then
   re-encapsulated in the IPsec tunnel to the MN.  The GMPA might use a
   private address as source address of the Registration Request sent to
   the i-HA.  For routing simplifications, most corporate networks would
   not have any NAT between the MPA and the i-HA.  Encapsulation would
   then be of the type IP in IP for both forward and reverse tunnels.


6.  Packet formats

   Packet format from MN to the mVPN gateway:
   Outer IPv4 header: (Src: local IPA, Dst: mVPN Gtwy)
   ESP header
   Inner IPv4 header: (Src: HoA=TIA, Dst: CN )
   Payload

   Packet from the MPA to the i-HA:
   Outer IPv4 header: (Src: MPA, Dst: i-HA)
   Inner IPv4 header: ( Src: HoA, Dst: CN)
   Payload

   Packet from the i-HA to the CN:
   IPv4 header: (Src: HoA, Dst: CN)
   Payload

   For the forward path, the source and destination addresses are
   reversed.




Stephane Antoine        Expires February 9, 2008                [Page 7]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


7.   Solution Benefits

7.1.  Simplicity

   This method makes it easy to assign the MN's HoA as the VPN TIA.  It
   thus removes the complexity associated with the method proposed in
   [OPT] where the MN runs an instance of MIP and where the FA is co-
   located to the mVPN gateway.  This method suggested to; first
   allocate a TIA to the MN during vpn (IPsec tunnel mode) setup and
   then replace the TIA with the home address.  This would violate RFC
   4301 [SEC] which; states that the TIA cannot be changed without
   rendering the tunnel mode IPsec SAs invalid.  An alternative method
   was suggested to perform an additional CREATE_CHILD_SA exchange after
   the initial exchange to create an IPsec SA for the Home Address and
   let the first CHILD SA with the TIA expires.  This method introduced
   significant complexity.  Instead; the interaction between PMIP and
   Mobike works simply to allocate the HoA as the VPN TIA without any
   additional mechanism.  The method presented in this document also
   reduces the amount of signalling that would be necessary if Dynamic
   Host Configuration Protocol (DHCP) was used to obtain the HoA after
   the establishment of the VPN connection.

7.2.  Reduction of the overhead

   With this method, the MIPv4 overhead in [SECURE] is removed between
   the MN and the mVPN gateway.  Moreover, the present method eliminates
   the MIPv4 Registration overhead that still occurs between the MN and
   the FA in the method described in [OPT].  The great benefit of PMIP
   lies in the elimination of the MIP signalling between the MN and the
   MPA.


8.  Conclusion

   This document introduces the interaction between Mobike and Proxy MIP
   to provide secure connectivity and mobility to the corporate users.
   The proposed architecture involves a Gateway Proxy Mobility Agent co-
   located with the mVPN gateway and a MPA on each AP within the
   enterprise network.  When moving outside the corporate network,
   Mobike is used to maintain the user secure connectivity with the
   intranet.  Proxy MIP is used to maintain session continuity within
   the corporate network.  During the initial IKEv2 negotiation, the
   IKEv2 IKE_AUTH Request message triggers the Proxy Registration
   Request for the MN.  The Home Address allocated for the MN in the
   Registration Reply is passed to the MN in the IKE_AUTH Reply.  The
   MN's Home Address henceforth coincides with the MN's VPN Tunnel Inner
   Address.  Combining Proxy MIP and Mobike simplifies the deployment of
   a seamless mobility solution for corporate users while removing the



Stephane Antoine        Expires February 9, 2008                [Page 8]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


   overhead of MIPv4 in the vpn tunnel.  Using PMIP, guarantees mobility
   in the intranet without requiring the Mobile Node to run any mobility
   management protocol such as MIPv4.


9.  Acknowledgements


10.  Normative References

   [DHCP]    M. Stapp, B. Volz, Y. Rekhter, "The Dynamic Host
             Configuration Protocol (DHCP) Client, Fully Qualified
             Domain Name (FQDN) Option, Request for Comments: 4702",
             October 2006.

   [MOB]     P. Eronen, "Mobike, Internet draft; IKEv2 Mobility and
             Multihoming Protocol (MOBIKE)", February 2006.

   [OPT]     Sahasrabudhe, M. and V. Devarapalli, "Optimizations to
             Secure Connectivity and Mobility,
             draft-meghana-mip4-mobike-optimizations-01 (work in
             progress)", October  2006.

   [PMIP4]   K. Leung, G. Dommety, P. Yegani, K. Chowdhury, "Mobility
             Management using Proxy Mobile IPv4", January  2007.

   [SEC]     S. Kent, K. Seo, "Security Architecture for the Internet
             protocol, rfc 4301", December 2005.

   [SECURE]  V. Devarapalli, P. Eronen, Editor., "Secure Connectivity
             and Mobility using Mobile IPv4 and Mobike, MIPv4-Mobike: ht
             tp://www.ietf.org/internet-drafts/
             draft-ietf-mip4-mobike-connectivity-02.txt", January
              2007.


Author's Address

   Stephane Antoine
   France Telecom Research and Development
   Chiswick Park
   London, Chiswick  W4 5XS
   United Kingdom

   Phone: + 44 (0)208 849 5821
   Fax:   +44 (0)208 849 0991
   Email: stephane.antoine@orange-ftgroup.com




Stephane Antoine        Expires February 9, 2008                [Page 9]

Internet-Draft     Mobility using Proxy MIP and Mobike       August 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Stephane Antoine        Expires February 9, 2008               [Page 10]