Internet Engineering Task Force                              Atul Sharma
Mobile IP Working Group                                     (Nokia, Inc)
INTERNET-DRAFT                                               May 4, 2004
Expires: November 4, 2004


                       Secure Mobility Dimensions


Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/lid-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html

Abstract

Several solutions to internet mobility have been offered, but the solutions are sometimes for different kinds of mobility with different kinds of requirements. It becomes confusing to see these disparate types of mobility being discussed in the same vein. This document is an attempt to delineate and classify different types of network mobility. This attempt shall help us in understanding already existing mobility solutions and at the same time help us in proposing new solutions. Adding security to mobility adds a new dimension by itself. Various types of secure mobility are discussed, closely following the types of mobility.


Sharma, A.               Expires November 4, 2004               [Page 1]

Internet-Draft           Secure Mobility Dimensions             May 2004


Table of Contents

   1.  Introduction .......................................................3
   2.  State of Device during Mobility ....................................3
   2.1 Always-ON Mobility .................................................3
   2.2 Secure Always-ON Mobility ..........................................3
   2.3 Switch-OFF/Switch-ON Mobility ......................................4
   2.4 Secure Switch-OFF/Switch-ON Mobility ...............................4
   3.  Connectivity Domain during Mobility ................................5
   3.1 Mobile Connectivity to the Home Network ............................5
   3.2 Secure Mobile Connectivity to the Home Network .....................5
   3.3 Mobile Connectivity to Everyone ....................................5
   3.4 Secure Mobile Connectivity to Everyone .............................6
   4.  Location and Security with respect to Home (Security) Gateway ......6
   4.1 Mobility behind a Gateway (Access Point Mobility) ..................6
   4.2 Secure Access Point Mobility .......................................6
   4.3 WLAN Mobility (Mobility across controller-gateways) ................7
   4.4 Secure WLAN Mobility ...............................................7
   5.  Homogeneity of the Network(s) of Mobility ..........................8
   5.1 Mobility within a Homogeneous network ..............................8
   5.1.1 Wired Mobility ...................................................8
   5.1.2 WLAN Mobility ....................................................8
   5.1.3 Cellular Wireless Mobility .......................................8
   5.2 Secure Mobility within or between Homogeneous networks .............8
   5.3 Mobility between Heterogeneous networks ............................9
   5.4 Secure Mobility between heterogeneous networks .....................9
   6.  Hidden Mobility vs. Visible Mobility ...............................9
   6.1 Hidden Mobility ....................................................9
   6.2 Secure Hidden Mobility ............................................10
   6.3 Visible Mobility ..................................................10
   6.4 Secure Visible Mobility ...........................................10
   7.  Symmetric vs. Asymmetric Mobility .................................11
   7.1 Symmetric Mobility ................................................11
   7.2 Secure Symmetric Mobility .........................................11
   7.3 Asymmetric Mobility ...............................................11
   7.4 Secure Asymmetric Mobility ........................................12
   8.  Type of Element Mobility ..........................................12
   8.1 Mobility of Nodes .................................................12
   8.2 Secure Mobility of Nodes ..........................................12
   8.3 Mobility of Routers ...............................................13
   8.4 Secure Mobility of Routers ........................................13
   8.5 Network Mobility ..................................................13
   8.6 Secure Network Mobility ...........................................13
   9.  Security Considerations ...........................................13
   10. References ........................................................13


1. Introduction

There has been considerable activity on mobility in the IETF, in several working groups: Mobile IPv4 (MIPv4), Mobile IPv6 (MIP6), Mobile Ad-hoc Networks (MANET), and Network Mobility (NEMO). Very recently, secure mobility has been taken up in MOBIKE, the IKEv2 Mobility and Multihoming working group.

This document tries to understand, delineate, and classify the various types of secure mobility in the intranet and the internet. This shall help us to understand and refine existing solutions. At the same time it shall help us in proposing new solutions for different types of mobility.

The document is organized by proposing a dimension of Mobility and then discussing the possible types of Mobility in that dimension. No new solutions are offered in this document, but already existing Mobility solutions may be classified along a dimension.

2. State of the device during Mobility

The powered state of the device during mobility can be a basis for differentiating types of Mobility. Some devices, like cellular phones, PDAs, or hybrid devices, can be always ON, i.e. ON during mobility. Other devices, like laptops, or even cellular phones, PDAs, and many hybrids, can be switched OFF and then switched ON again after changing location.

2.1 Always-ON Mobility

In this type of Mobility, the device is ON while moving. This implies some kind of active hand-off between the controlling elements of the networks. In cellular networks, it may mean hand-off between base stations. In a Wireless LAN, it may mean hand-off between access points or WLAN switch-controllers. Based on the current location of the device, an appropriate controller is controlling the device. A roaming laptop in a WLAN will need the support of such Mobility.

Having hand-offs between heterogeneous networks, for example WLAN and cellular networks, shall help in providing true Always-ON Mobility between the heterogeneous networks. One possibility is to have multi-modal devices able to communicate with different types of networks at the same time. A critical requirement for true Always-ON Mobility between heterogeneous networks could be the preservation of the state and operation while the device moves.

2.2 Secure Always-ON Mobility

Here, besides keeping the device up and operational during and after moving, we have to keep the device secure during and after moving. That means the security state (in IPsec terminology, the Security Associations) should be preserved during the move. The goal of the MOBIKE working group [3] is to support such a type of Mobility. The aim is that a renegotiation of the security policy should not be necessary after the move. An attempt should be made to keep operating with the old secure connection, just with the change in address.

Again, depending on the type of secure connection, the ways to preserve the secure connection may be different. A secure connection can be between the Mobile endpoint and a remote endpoint, or between the Mobile endpoint and a remote gateway, or between the gateway the Mobile device is visiting and a remote gateway or endpoint. (This remote gateway or endpoint can be in the home corporate network or anywhere in the internet.)

As long as the secure connection terminates in the Mobile device, preserving the secure connection during the move may mean changing the address of the Mobile device at the remote endpoint/gateway, as is being worked on by the MOBIKE working group. But if the Mobile device is always behind some gateway terminating the secure connection, it may not be simple to preserve the secure connection from one visited gateway to another visited gateway. The new visited gateway shall need to get the state of the secure connection, besides making the change in the gateway address at the remote end.

2.3 Switch-OFF/Switch-ON Mobility

In this type of Mobility, the device is powered OFF while moving. A road warrior would power OFF the laptop, move to a remote site, and power ON there. No active hand-off is performed, but some kind of deregistration and registration is performed when the device is powered OFF and then ON after moving. Now, with the advent of several wireless LAN technologies, even laptops could be mobile while ON. But there will still be scenarios where the laptop would have to be switched OFF during the move.

The Always-ON devices would also typically support Switch-OFF/Switch-ON Mobility. The converse may not be true.

2.4 Secure Switch-OFF/Switch-ON Mobility

Since the device is going to be power cycled during the move, the active security policy need not be preserved. Once powered ON at the new location, the security policy can be negotiated along with the Mobility registration.

3. Connectivity Domain during Mobility

Another dimension of Mobility is the domain of the connectivity after the move. One possibility could be to just keep connectivity to the home network, which may be the corporate network. Another possibility is to keep connectivity with everyone, including both the internet and the corporate intranet.

3.1 Mobile Connectivity to the Home Network

This is the case of the road warrior trying to maintain continuous mobile connectivity to the corporate network. The only goal is to access corporate resources. Internet connectivity is not a requirement, but may come for free. Also, it is not expected that hosts internal to the home network will try to initiate connections with the Mobile device.

Mobile IP [1] can accomplish this type of Mobility. But if maintaining the home address is not a requirement, Mobile IP may not be needed. The modem pool / dial-up mechanism used to provide access to the corporate network can also simply accomplish this type of Mobility.

3.2 Secure Mobile Connectivity to the Home Network

Security will be of paramount importance for Mobile Connectivity to the Home Network over the internet. The corporate information should not be available on the insecure path between the Home Network and the Visited Network. An IPsec client or an SSL browser on the mobile device can be used to connect to the gateway on the corporate network. In addition, Mobile IP can be used if local presence in the home network is required. The Mobile IP payload can be secured by, let us say, IPsec. Another way to have secure local presence is the innovative mechanism proposed in [2] using DHCPv4 and IPsec.

3.3 Mobile Connectivity to Everyone (End to End Mobility)

Here Mobile connectivity to both the home network and the internet is required. Connecting to an ISP will give accessibility to the internet and will also expose the externally visible resources of the corporate home network. If local presence on the corporate network is required, then Mobile IP shall be needed. Mobile IP, besides enabling mobile connectivity to the home network, shall also provide connectivity to everyone (the internet) via the home network.

3.4 Secure Mobile Connectivity to Everyone (End to End Secure Mobility)

Securing traffic while on a remote site may mean having either an IPsec client or an SSL-enabled browser on the mobile device, or having a gateway at the remote site that terminates IPsec connections. Any host in the home network, or behind a gateway elsewhere on the internet, can set up a secure connection with the mobile device via IPsec or SSL.

If Mobile IP is being employed, securing that mechanism shall need hop-by-hop security for connecting to someone not in the home network. First, a secure connection between the connecting host/device and the home agent is required. Then a secure connection between the home agent and the mobile device at the remote site shall be required. For connecting to a host in the home network, only the secure connection between the mobile device and the home agent shall be needed.

The secure local presence solution offered in [2] shall not be able to provide this type of Mobility, as it enables a secure connection to just the home network and not to the rest of the internet.

4. Location and Security with respect to Home (Security) Gateway

One basis of differentiation for Mobility can be the location of, and security with respect to, the home gateway. It shall depend on whether the mobile device is mobile behind a gateway in the home WLAN, or roaming away from the home WLAN to another WLAN on campus, or to an entirely new site. Here we assume the existence of a WLAN controller-gateway having the functionality of controlling the access points and also acting as a gateway between the WLAN and the outside world or the corporate network.

4.1 Mobility behind a Gateway (Access Point Mobility)

This is Access Point Mobility behind a gateway within a Wireless LAN. This is link-layer Mobility as specified by the WLAN technologies (802.11 a/b/g). Nothing more is required over and above what is provided by the WLAN technology.

4.2 Secure Access Point Mobility

The connection from the mobile device on the WLAN to the corporate network needs to be secured, as over-the-air is an insecure medium. The security provided by WEP was inadequate, so an IPsec connection between the mobile device (an IPsec client) and the corporate WLAN gateway can be used. With 802.11i, the security is deemed adequate and no IPsec connection between the mobile device and the local corporate WLAN gateway shall be needed.

The connection from the Mobile device on the WLAN to the outside world can be secured and terminated by the local WLAN controller-gateway. Mobility within the LAN will not exert any more requirements on security.

4.3 WLAN Mobility (Mobility across controller-gateways)

The mobile device can roam away from the home WLAN to another WLAN in the campus, or it may roam to another campus/site connected to the home site via the internet or a private link. Mobility from one WLAN to another WLAN on campus would be an Always-ON kind of mobility, while Mobility to a different campus could be a Switch-OFF/Switch-ON kind of mobility.

Moving from one WLAN to another WLAN within a campus shall require a hand-off between the WLAN controllers of the two WLANs. The IP address of the mobile device shall need to be changed as part of the hand-off. Any communication going on with the mobile device should seamlessly continue after the move with the new IP address. Mobile IP can help in supporting this type of Mobility. It shall still need some form of hand-off mechanism for it to fully work. Mobile IP can tunnel the traffic to the new WLAN, provided the hand-off mechanism has done proper registration and provisioning with the new WLAN. Issues with Mobile connectivity to the home WLAN or to everyone else shall also come up here.

To support Always-ON roaming to another campus/site would need a multimode device able to hand off between different types of networks.

4.4 Secure WLAN Mobility

If we rely on 802.11i to secure the air link, and trust the two WLANs on the campus, we do not have to perform any more security between the roaming mobile device and the corporate home network. If we do not trust the link between the two WLANs, or the visited WLAN, we shall need an IPsec link between the mobile device (IPsec client) and the home corporate network gateway. Then we will also have to make sure that the security policy is preserved and need not be renegotiated with the move. Security can also be maintained between the visited WLAN gateway and the corporate gateway or the outside world.

5. Homogeneity of the Network(s) of Mobility

One dimension of Mobility can be the type of the network(s) in which the mobile device is mobile. It could be within one, or between two, homogeneous networks. It could be between two heterogeneous networks.

5.1 Mobility within a Homogeneous network

When a mobile node moves between networks of the same type, say within a WLAN, or between two adjacent WLANs, or within a cellular network, the mobility is homogeneous. For Always-ON mobility, the hand-offs in a homogeneous network are already defined or achieved with relative ease. Devices can be just single-mode devices. Homogeneous Mobility can be further classified based on the type of network, viz: wired IP network, WLAN, cellular wireless networks.

5.1.1 Wired Mobility

Mobility is possible in wired networks also. It would be a Switch-OFF/Switch-ON type of mobility. A wired laptop can be detached from one place in the internet and then attached somewhere else on the internet. Mobile IP can solve this kind of mobility.

5.1.2 WLAN Mobility

Mobile devices can roam within and between WLANs. WLAN technologies (802.11 a/b/g) enable Mobility within a WLAN. To enable Mobility between two WLANs within a campus, we need support outside the WLAN technology.

5.1.3 Cellular Wireless Mobility

Cellular wireless networks are of different kinds (GSM, GPRS, CDMA, W-CDMA, 3G). Then, within each type, each operator may have different networks. Mobility is enabled within one operator's network within the same type of cellular network.

5.2 Secure Mobility within or between Homogeneous networks

Security in a homogeneous network may be enabled by the technology itself (802.11i for WiFi networks). Security may be needed when the underlying technology does not have adequate security, or the medium by its nature is insecure, or when traffic from/to the mobile device has to traverse insecure public networks.

Even when moving within a homogeneous network, one goal of Secure Mobility would be to preserve the secure connection during the move for the Always-ON type of Mobility within the homogeneous network. Again, this may be done differently depending on whether the Mobile device is terminating the secure connection or not. If a visited gateway terminates the secure connection, the homogeneity of the network may not help, as the preserved state of the connection shall need to be transferred to the new visited gateway.
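The following is an added example, not part of the draft: a small Python model of what sections 2.2 and 5.2 mean by preserving the security state of a connection that terminates in the Mobile device. The IKE negotiation itself is not modelled; both endpoints are simply installed with a pre-agreed pair of Security Associations (SPI, integrity key, anti-replay counter). What the model shows is the MOBIKE-style outcome: after the mobile node changes its address, the remote gateway rebinds the existing SAs to the new address instead of renegotiating them, so SPIs, keys and counters survive the move. All addresses, SPIs and the key are constructed sample values, and the `update_peer_address` call stands in for what the real protocol does with an authenticated notification inside the existing IKE SA.

```python
"""Added example: MOBIKE-style address rebinding of an existing SA pair.
Not the draft's own code; addresses, SPIs and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int          # identifies the SA; inbound SAs are looked up by SPI
    key: bytes        # integrity key agreed once, at negotiation time
    peer_addr: str    # for an outbound SA: where protected packets are sent
    seq: int = 0      # anti-replay counter (last sent / last accepted)


class Endpoint:
    """One IPsec endpoint attached to a toy network (dict: addr -> Endpoint)."""

    def __init__(self, name, addr, network):
        self.name, self.addr, self.network = name, addr, network
        self.network[addr] = self
        self.outbound = None
        self.inbound = None
        self.received = []

    def install(self, out_spi, in_spi, key, peer_addr):
        """Install the SA pair as if an IKE exchange had just completed."""
        self.outbound = SecurityAssociation(out_spi, key, peer_addr)
        self.inbound = SecurityAssociation(in_spi, key, peer_addr)

    @staticmethod
    def _mac(sa, seq, payload):
        data = f"{sa.spi}|{seq}|{payload}".encode()
        return hmac.new(sa.key, data, hashlib.sha256).digest()

    def send(self, payload):
        """Protect payload with the outbound SA and deliver it to whatever
        address that SA currently points at. Returns True if delivered."""
        sa = self.outbound
        sa.seq += 1
        packet = {"src": self.addr, "dst": sa.peer_addr, "spi": sa.spi,
                  "seq": sa.seq, "payload": payload,
                  "mac": self._mac(sa, sa.seq, payload)}
        peer = self.network.get(sa.peer_addr)
        if peer is None:
            return False          # stale address: nobody is there any more
        return peer.receive(packet)

    def receive(self, packet):
        """Inbound processing finds the SA by SPI, not by source address, so a
        packet from a peer that has moved still verifies with the old key."""
        sa = self.inbound
        if packet["spi"] != sa.spi:
            return False
        if packet["seq"] <= sa.seq:
            return False          # replayed or stale sequence number
        expected = self._mac(sa, packet["seq"], packet["payload"])
        if not hmac.compare_digest(expected, packet["mac"]):
            return False
        sa.seq = packet["seq"]
        self.received.append(packet["payload"])
        return True

    def move(self, new_addr):
        """The mobile node attaches at a new address; its SAs are untouched."""
        del self.network[self.addr]
        self.addr = new_addr
        self.network[new_addr] = self

    def update_peer_address(self, new_addr):
        """MOBIKE-style rebinding: same SPI, key and counters, new address.
        In the real protocol this is carried by an authenticated IKE
        notification inside the existing IKE SA; here the call is trusted."""
        self.outbound.peer_addr = new_addr
        self.inbound.peer_addr = new_addr


def run_scenario(mobike_update):
    """A mobile node with an SA pair to a gateway moves to a new address.
    Returns what was delivered and whether the SA survived without
    renegotiation (it always does; only its reachability differs)."""
    network = {}
    mobile = Endpoint("mobile", "10.0.0.5", network)        # constructed
    gateway = Endpoint("gateway", "203.0.113.1", network)   # constructed
    key = b"constructed-demo-integrity-key"
    mobile.install(out_spi=0x1001, in_spi=0x2002, key=key, peer_addr=gateway.addr)
    gateway.install(out_spi=0x2002, in_spi=0x1001, key=key, peer_addr=mobile.addr)

    before = gateway.send("to mobile, before move")
    mobile.move("198.51.100.7")                             # constructed
    if mobike_update:
        gateway.update_peer_address(mobile.addr)
    return {
        "before_move": before,
        "gateway_to_mobile_after_move": gateway.send("to mobile, after move"),
        "mobile_to_gateway_after_move": mobile.send("to gateway, after move"),
        "spi_unchanged": gateway.outbound.spi == 0x2002 and mobile.inbound.spi == 0x2002,
    }


if __name__ == "__main__":
    print("without address update:", run_scenario(False))
    print("with MOBIKE-style update:", run_scenario(True))
```

Without the update, traffic from the mobile node still verifies at the gateway (inbound lookup is by SPI), but the gateway's own traffic goes to the stale address and is lost; with the update both directions work and nothing was renegotiated. If the secure connection were instead terminated at a visited gateway, the `outbound` and `inbound` objects would live on that gateway, and a move would require handing their full state (SPI, key, counters) to the next visited gateway, which is the harder case described in section 5.2.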
5.3 Mobility between Heterogeneous networks

When the mobile device moves between two heterogeneous networks, it needs to be multimodal so that it can communicate in both networks. If the goal is Always-ON Mobility, we also have to make sure that some kind of hand-off between the two heterogeneous networks is performed. Just the Switch-OFF/Switch-ON type of Mobility may not be good enough for applications like voice.

5.4 Secure Mobility between heterogeneous networks

The real challenge is when the secure connection needs to be moved over to a heterogeneous network. The need to preserve the secure connection during the move is one requirement of Always-ON Mobility. The question is: does the heterogeneity of the networks add any more requirements to Secure Mobility? Once the hand-off mechanism across the heterogeneous networks is enabled, preserving a secure connection that is terminated in the Mobile device would mean making changes to the addresses known to the secure connection, as is being proposed in the MOBIKE working group. Heterogeneity of networks makes the goal of preserving a secure connection terminated at a visited gateway tougher.

6. Hidden Mobility vs. Visible Mobility

Whether the Mobility of the Mobile device is visible to the hosts/devices it is communicating with can be a basis for classifying Mobility.

6.1 Hidden Mobility

When, to the Home (Corporate) network and the internet, the device still seems to exist in the home network, i.e. it has Local Presence, we can call it Hidden Mobility. Mobile IP facilitates this type of Mobility. Only the Home Agent is aware of the new location of the Mobile device. The Home Agent hides the new location of the Mobile device and acts as the go-between for the Mobile device and the other device it is trying to communicate with.

6.2 Secure Hidden Mobility

If we want to secure the Hidden Mobile connection, we can protect Mobile IP with IPsec. That may mean the presence of two clients (a Mobile IP client and an IPsec client) on the Mobile device, if the IPsec connection is being terminated at the Mobile device. Alternatively, the IPsec connection could be to the visited gateway; then the Mobile device need not have an IPsec client.

Another option is the one offered by [2], where, after an IPsec connection has been established by the Mobile device, DHCP is used to give the Mobile device an IP address which is local to the home network. The Mobile device communicates with the Home network using this Local Presence IP address on a virtual interface, and communicates with everyone else using the IP address on the real interface.

6.3 Visible Mobility

When the new location of the Mobile device is visible to the hosts/devices it is trying to communicate with, the Mobility can be called Visible Mobility. When a road warrior connects to the home corporate network without security to access the externally visible resources of the corporate network, the hosts in the home corporate network see the new location of the Mobile host.

6.4 Secure Visible Mobility

Typically, home corporate networks do not allow insecure connections from road warriors. A secure connection is established with the corporate gateway before access to the corporate resources is given. IPsec or SSL/TLS can be used to securely connect to the corporate network. Still, the new location of the Mobile device shall be visible to the corporate network.

Besides having secure access to the corporate network, another requirement could be to preserve the secure connection during Always-ON Secure Mobility. The Secure Mobility being solved by the MOBIKE working group shall fall under this category, as the remote security gateway/endpoint is made aware of the new address of the Mobile device.

7. Symmetric vs. Asymmetric Mobility

Symmetry in the Secure Mobile communication can be considered another dimension of Mobility. Symmetry may mean that the path taken by traffic after the move is the same in both directions. Symmetry may also mean that the source address used by the Mobile device is the same as the destination address used to reach it. Sometimes Mobility may be symmetric with respect to path but not with respect to address, or vice versa, or symmetric with respect to both simultaneously. Symmetry can also mean whether the way to connect to the home corporate network is the same as the way to connect to the internet.

7.1 Symmetric Mobility

Symmetric Mobility is when communication is symmetric in every respect: the path taken in both directions is the same; the source address used by the Mobile device is the same as the destination address used to reach it; the way to connect to the home corporate network is the same as the way to connect to the internet.

In the case of Mobile IP, the path taken by traffic from a host on the internet to reach the Mobile device may be different from the path taken by traffic from the Mobile device to the internet. So it can be asymmetric. Symmetry may not always be practical, desirable, or required. For example, if traffic from the Mobile Host can directly reach the internet host, why tunnel it to the Home Agent first? But as we shall see in the next section, sometimes Symmetric Mobility may be the only way possible.

7.2 Secure Symmetric Mobility

If we want Secure Mobility, we may need to perform Symmetric Mobility, as we may not understand, and may not be able to perform, Asymmetric Security. We do not know how to have a secure connection with one set of addresses in one direction and a different secure connection over a different path with a different set of addresses in the other direction. So when we want to secure Mobility, symmetry may be the only choice.
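The following is an added example, not part of the draft: a small Python model that makes the two kinds of symmetry in sections 7.1 and 7.2 (path symmetry and address symmetry) concrete for a Mobile IP node. Traffic from a correspondent host is always attracted to the Home Agent and tunnelled to the Mobile node's care-of address; traffic from the Mobile node either returns through the Home Agent (Mobile IPv4 reverse tunnelling, RFC 3024) or goes straight to the correspondent from its visited address, as in the draft's own asymmetry example. The model sends no packets and only computes hop lists and the addresses each side sees; all addresses are constructed sample values.

```python
"""Added example: path and address symmetry of a Mobile IP conversation.
Not the draft's own code; all addresses are constructed sample values."""

HOME_AGENT = "192.0.2.1"          # constructed: home agent in the home network
HOME_ADDRESS = "192.0.2.10"       # constructed: mobile node's permanent address
CARE_OF_ADDRESS = "198.51.100.7"  # constructed: address at the visited site


def path_to_mobile(correspondent):
    """Hops from a correspondent to the mobile node, and the destination
    address the correspondent puts in its packets. The correspondent only
    knows the home address; the home agent intercepts and tunnels."""
    return [correspondent, HOME_AGENT, CARE_OF_ADDRESS], HOME_ADDRESS


def path_from_mobile(correspondent, reverse_tunnel):
    """Hops from the mobile node back to the correspondent, and the source
    address the correspondent will see on those packets."""
    if reverse_tunnel:
        # Tunnelled to the home agent first; the packet leaves the home
        # network with the home address as source, so the correspondent
        # sees the same address it sends to.
        return [CARE_OF_ADDRESS, HOME_AGENT, correspondent], HOME_ADDRESS
    # Direct delivery from the visited location: a shorter path, but the
    # source address differs from the address the correspondent uses.
    return [CARE_OF_ADDRESS, correspondent], CARE_OF_ADDRESS


def classify(correspondent, reverse_tunnel):
    """Report the symmetry properties of the resulting conversation."""
    fwd_hops, dst_used = path_to_mobile(correspondent)
    rev_hops, src_used = path_from_mobile(correspondent, reverse_tunnel)
    path_symmetric = fwd_hops == list(reversed(rev_hops))
    address_symmetric = dst_used == src_used
    # Section 7.2's observation: one secure connection (for example an IPsec
    # tunnel between mobile node and home agent) covers both directions only
    # when path and addresses agree; otherwise each direction is a separate
    # security problem with its own path and address set.
    return {
        "forward_path": fwd_hops,
        "reverse_path": rev_hops,
        "path_symmetric": path_symmetric,
        "address_symmetric": address_symmetric,
        "single_secure_connection_suffices": path_symmetric and address_symmetric,
    }


if __name__ == "__main__":
    cn = "203.0.113.50"   # constructed: a host somewhere on the internet
    for reverse in (True, False):
        label = "reverse tunnelling" if reverse else "direct delivery"
        print(label, classify(cn, reverse))
```

With reverse tunnelling both directions traverse the Home Agent and both sides use the home address, so the conversation is symmetric in path and in address and a single secure connection on that path protects it. With direct delivery the reverse path skips the Home Agent and carries the care-of address as source, which is exactly the asymmetry that section 7.1 notes Mobile IP can introduce.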
7.3 Asymmetric Mobility

We can introduce asymmetry in any aspect of Mobility for the sake of practicality. Mobile IP allows two different paths when communicating with an internet host, with the communication initiated by the internet host. From the internet host, traffic goes to the Home Agent, where it is tunneled to the current location of the Mobile device.

Another asymmetry could be that communication initiated by the Mobile host to the home network uses the Home Agent (and hence the home address as the source address) to maintain local presence, but directly contacts an internet host (without the Home Agent) using its current visited location as the source address. Any time there is communication via the Home Agent, the Mobile device shall tend to use its home address as the source address. But should it use the home address as the source address to communicate with the other hosts on the visited network?

7.4 Secure Asymmetric Mobility

Securing Asymmetric Mobility may be a tough problem, depending on how the Mobility is asymmetric. With the currently known security technologies, it is not obvious how to have different secure connections with different paths and/or different addresses in the two directions traffic flows.

8. Type of Element Mobility

Which network element is mobile in the network can also be a dimension of Mobility. We could have hosts mobile within a network or between networks. We could also conceivably think that, besides the hosts, even the routers are mobile. An even further step would be for whole networks to be mobile as a unit.

8.1 Mobility of Nodes

Here just the nodes (hosts or devices) are mobile in the network or between networks. Most types of Mobility we have talked about shall fall under this category. Mobile IP (v4 or v6), WLAN, and Cellular Wireless are about mobility of hosts or devices.

8.2 Secure Mobility of Nodes

The Secure Mobility we have considered until now, with its various aspects, is basically Secure Mobility of Nodes.

8.3 Mobility of Routers

When even the routers and gateways of a network are mobile, we have Ad-hoc Networks. The MANET working group works on the Mobility of all hosts and routers. How to perform routing in such networks shall be of critical importance.

8.4 Secure Mobility of Routers

How we shall secure traffic in Ad-hoc networks, or preserve a secure connection during mobility, are all open areas.

8.5 Network Mobility

When the whole network is mobile, for example a network on an airplane or a train, we get Network Mobility. The NEMO working group is working on this type of Mobility. Here the assumption is that even though the network is mobile, there is only one gateway on the network, the primary contact with the rest of the internet. The network being Mobile is a stub network, i.e. it terminates communication. No traffic shall be in transit through the network.

8.6 Secure Network Mobility

Most aspects of security with mobile networks shall be open areas. But we can surmise that the gateway on the network can terminate secure connections for the hosts.

9. Security Considerations

The impact of security on Mobility is discussed in the relevant sections earlier in the document.

10. References

10.1 Normative References

[1] C. Perkins, "IP Mobility Support", RFC 3344 (Proposed Standard), Internet Engineering Task Force, August 2002.

10.2 Informative References

[2] B. Patel et al., "DHCPv4 Configuration of IPsec Tunnel Mode", RFC 3456, Internet Engineering Task Force, January 2003.

[3] T. Kivinen, "Design of MOBIKE protocol", draft-kivinen-mobike-design (work in progress), March 2004.

Author's Address

Atul Sharma
5 Wayside Road, #4091
Burlington, MA 01803
USA

Email: atul.sharma@nokia.com