Hi Vijay,

On Jun 16, 2009, at 3:32 AM, Vijay Devarapalli wrote:

> Hi Jouni,
>
> On Wed, Jun 10, 2009 at 11:03 PM, jouni korhonen <jouni.nospam at gmail.com> wrote:
>
>> Hi Vijay,
>>
>> On Jun 11, 2009, at 12:49 AM, Vijay Devarapalli wrote:
>>
>>> Hi Jouni,
>>>
>>> I have a comment on the "VPN Gateway feature". There is no document
>>> that describes what it means for a Mobile IPv6 home agent to act as a
>>> VPN gateway. The IKEv2 exchange between the MN and the HA [RFC 4877 and
>>> 5026] already supports mutual authentication, address assignment and
>>> setting up of tunnel mode ESP SAs. Are you referring to this as VPN
>>> mode? But isn't this regular Home agent functionality?
>>
>> The "VPN mode" is when you use HA IKEv2/IPsec functionality purely for
>> conventional VPN remote access purposes without any mobility.
>
> Again, what does this mean? When you run IKEv2 as described in RFC 4877
> and 5026, you are creating tunnel mode security associations for a
> *Mobile IPv6 tunnel*. In the "VPN" mode, does the mobile node switch off
> the Mobile IPv6 stack?

VPN mode is plain RFC4306 + 4303 etc. You end up implementing that
machinery there in any case, so why not allow using a HA as a VPN gateway
as well. In this case, there is no mobility involved.

> Or does the Home Agent behave as an IPsec VPN gateway for pure IPsec
> clients, i.e., there is no Mobile IPv6 stack on these clients.

Yes.

>> That type of deployment is shortly referenced in
>> draft-ietf-dime-mip6-split Section 4.1. I recall this functionality was
>> originally requested by Gerardo.
>
> It doesn't make sense to me. :) This looks more like co-locating a
> Mobile IPv6 home agent and an IPsec VPN gateway and supporting both
> Mobile IPv6 mobile nodes and plain IPsec clients at the same time.

Yes, it is about co-location. To me it makes sense as much as IKEv2+IPsec
with MIP6 ;)

> There has to be more to this scenario than just the short paragraph in
> draft-ietf-dime-mip6-split.

Yes, agree.

>>> Or is there a separate IPsec VPN that is first set up and then Mobile
>>> IPv6 is run on top of the IPsec tunnels?
>>
>> As shortly described in the split document:
>>
>>    In some deployment scenarios, the HA may also act as an IKEv2
>>    Responder for a conventional IPsec VPN access. The challenge in this
>>    case is that the IKEv2 responder may not know if IKEv2 is used for
>>    Mobile IPv6 service or for IPsec VPN access service. A network
>>    operator needs to be aware of this limitation. One solution already
>>    supported by IKEv2 is to use different responder identities when
>>    operating as a conventional IPsec VPN gateway or as a HA. The MN can
>>    then indicate the preferred responder type using the appropriate IDr
>>    payload in the IKE_AUTH message.
>>
>> But yeah, now that feature bits are taken into a separate document, the
>> connection between the above and the new feature bit is rather weak.
>> Either we need more text and/or reference in the
>> draft-korhonen-dime-feature-bits or just remove the bit all together.
>> Since the difference between conventional IKEv2 IPsec VPN gateway part
>> and HA's IKEv2 IPsec functionality is rather small, I would keep the
>> feature bit and enhance the text instead.
>
> It is not "rather small" in my opinion. I don't understand how
> supporting plain IPsec clients can be a feature on a Mobile IPv6 home
> agent. :)

Well.. feature in a sense that you have both functionalities in the same
box anyway. Stretching my memory on the requirements, this came from the
cases where an I-WLAN PDG and a HA were to be bundled together.

Jouni

> Vijay
>
>> Jouni
>>
>>> Vijay
>>>
>>> On Wed, Jun 10, 2009 at 2:55 AM, jouni korhonen <jouni.nospam at gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have updated the additional feature bits draft. I did remove some
>>>> stuff so that the draft now only reserves MIP6-Feature-Vector flag
>>>> bits and nothing more. I'll forward the draft soon to RFC editor so if
>>>> anyone has comments, please be quick :)
>>>>
>>>> Cheers,
>>>> Jouni
>>>>
>>>> Begin forwarded message:
>>>>
>>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>>> Date: June 10, 2009 12:26:53 PM GMT+03:00
>>>> To: jouni.nospam at gmail.com
>>>> Subject: New Version Notification for draft-korhonen-dime-mip6-feature-bits-01
>>>>
>>>> A new version of I-D, draft-korhonen-dime-mip6-feature-bits-01.txt has
>>>> been successfully submitted by Jouni Korhonen and posted to the IETF
>>>> repository.
>>>>
>>>> Filename: draft-korhonen-dime-mip6-feature-bits
>>>> Revision: 01
>>>> Title: Diameter MIP6 Feature Vector Additional Bit Allocations
>>>> Creation_date: 2009-06-10
>>>> WG ID: Independent Submission
>>>> Number_of_pages: 5
>>>>
>>>> Abstract:
>>>> During the Mobile IPv6 Split Scenario bootstrapping the Mobile IPv6
>>>> Home Agent and the Authentication, Authorization, and Accounting
>>>> server may exchange a set of authorized mobility capabilities. This
>>>> document defines new mobility capability flags that are used to
>>>> authorize per Mobile Node route optimization, Multiple Care-of
>>>> Address and user plane traffic encryption support. Furthermore, this
>>>> document also defines a capability flag indicating whether the Home
>>>> Agent is authorized to act as a stand alone Virtual Private Network
>>>> gateway.
>>>>
>>>> The IETF Secretariat.

_______________________________________________
DiME mailing list
DiME at ietf.org
https://www.ietf.org/mailman/listinfo/dime
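The responder-identity workaround quoted from draft-ietf-dime-mip6-split in the thread above, shown as an added example (editor's code, not from the thread, the draft or any IETF implementation): the co-located box configures one IKEv2 responder identity per service, parses the IDr payload the initiator sends in IKE_AUTH (wire layout per RFC 4306 section 3.5), and dispatches to the HA or the plain VPN gateway accordingly. The service names, the configured FQDN identities and the sample payloads are constructed for the example. It also makes the limitation the draft warns about concrete: IDr is optional in the IKE_AUTH request, so a client that omits it cannot be told apart.

```python
"""Toy IKEv2 responder dispatch: choose HA service vs plain VPN gateway from IDr.

Added example for this thread; not code from any IETF draft or product.
Payload layout follows RFC 4306 section 3.5 (Identification payload).
Service names, configured identities and sample payloads are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ID Type values from RFC 4306 section 3.5.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_KEY_ID = 11

# Generic payload header (Next Payload, C+RESERVED, Payload Length = 4 bytes)
# followed by ID Type (1 byte) and RESERVED (3 bytes).
_HEADER = struct.Struct("!BBHB3x")


@dataclass(frozen=True)
class IkeIdentity:
    id_type: int
    data: bytes


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode an IKEv2 Identification payload (IDi and IDr share this layout)."""
    length = _HEADER.size + len(data)
    return _HEADER.pack(next_payload, 0, length, id_type) + data


def parse_id_payload(payload: bytes) -> IkeIdentity:
    """Decode an Identification payload, checking the length field and the
    fixed-size address ID types before trusting the identification data."""
    if len(payload) < _HEADER.size:
        raise ValueError("payload shorter than ID header")
    _next, _flags, length, id_type = _HEADER.unpack_from(payload)
    if length != len(payload):
        raise ValueError("payload length field %d != %d bytes" % (length, len(payload)))
    data = payload[_HEADER.size:]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry 4 bytes")
    if id_type == ID_IPV6_ADDR and len(data) != 16:
        raise ValueError("ID_IPV6_ADDR must carry 16 bytes")
    return IkeIdentity(id_type, data)


Service = str

# Constructed configuration: one responder identity per service offered by
# the co-located HA / VPN gateway. The FQDNs are assumptions for the example.
EXAMPLE_IDENTITIES: Dict[Tuple[int, bytes], Service] = {
    (ID_FQDN, b"ha.example.net"): "mip6-ha",
    (ID_FQDN, b"vpn.example.net"): "vpn-gateway",
}


def select_service(idr: Optional[IkeIdentity],
                   identities: Dict[Tuple[int, bytes], Service]) -> Service:
    """Map the initiator's IDr to a configured service.

    IDr is optional in the IKE_AUTH request (RFC 4306 section 1.2). When the
    client omits it, the responder cannot tell Mobile IPv6 bootstrapping from
    plain VPN access, which is the limitation draft-ietf-dime-mip6-split notes.
    """
    if idr is None:
        return "ambiguous"
    return identities.get((idr.id_type, idr.data), "unknown")


if __name__ == "__main__":
    for name in (b"ha.example.net", b"vpn.example.net", b"other.example.net"):
        wire = build_id_payload(ID_FQDN, name)
        print(name.decode(), "->", select_service(parse_id_payload(wire), EXAMPLE_IDENTITIES))
    print("no IDr ->", select_service(None, EXAMPLE_IDENTITIES))
```

In a real responder the identity lookup would also have to agree with the certificate or PSK selected for the AUTH payload, since the IDr the initiator names must be one the responder can actually authenticate as; the dispatch above only shows the selection step.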