[IPsec] Use of IKE to obtain address of home agent
Christian.Kaas-Petersen at tietoenator.com writes:
> 3GPP has in document TS 24.302 (can be retrieved from
> http://www.3gpp.org/ftp/Specs/html-info/24302.htm), section 7.2.2,
> specified a use of IKE, where IKE sets up a secure tunnel to
> a security gateway, denoted ePDG, and expects this security gateway
> to return both an address to the mobile node, which normally
> will be a care-of address, and the address(es) of the home agent.
> The said document thinks this possible by having two Configuration
> Payloads. IKEv2bis, and previous documents, only indicated one
> Configuration Payload to be present, and with the recent discussion
> in mind where the order of the payloads in an IKE packet should
> not matter, then having two Configuration Payloads is not a viable
> approach. It would be better to introduce two new configuration
> attributes, for example named INTERNAL_IP4_HA and INTERNAL_IP6_HA.
Yes, it would be better to have 2 new configuration options.
Section 7.2.2 does not actually specify which configuration attribute
type is used to negotiate Home Agent addresses.
Including more than one configuration payload in the exchange would
be a bad idea, as the configuration payloads do not have any kind of
transaction id or similar, meaning there is no way to know which
CFG_REPLY matches which CFG_REQUEST if there are multiple configuration
payloads (of the same CFG type) in the same exchange.
Another option is to use the INTERNAL_IP{4,6}_DHCP attribute in IKEv2
and then get the home agent address from the DHCP server.
--
kivinen at safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
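
The ambiguity described in the reply above, as an added example that is not part of the original message or of any IKEv2 implementation: a Configuration payload body carries only a CFG type, three reserved bytes and type/length/value attributes, so two CFG_REPLY payloads differ only by position, while a single payload with a dedicated attribute is unambiguous. Assumptions: the function names are hypothetical, INTERNAL_IP4_HA is the name proposed in the thread, its number 0x4001 is a constructed private-use placeholder, and the two-payload sample assumes both replies use INTERNAL_IP4_ADDRESS.

```python
import ipaddress
import struct

CFG_TYPES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 6: "INTERNAL_IP4_DHCP",
         0x4001: "INTERNAL_IP4_HA"}  # 0x4001 is an assumed placeholder, not an assigned value

def build_cp(cfg_type, attrs):
    """Encode a CP payload body: CFG type, 3 reserved bytes, then TLV attributes."""
    body = struct.pack("!B3x", cfg_type)
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
    return body

def parse_cp(body):
    """Decode a CP payload body; no field says which request it answers."""
    if len(body) < 4:
        raise ValueError("truncated CP payload")
    cfg_type, attrs, off = body[0], [], 4
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", body, off)
        off += 4
        if off + length > len(body):
            raise ValueError("attribute length overruns payload")
        name = ATTRS.get(attr_type & 0x7FFF, attr_type & 0x7FFF)
        attrs.append((name, body[off:off + length]))
        off += length
    return CFG_TYPES.get(cfg_type, cfg_type), attrs

def check_cp_set(payloads):
    """Receiver-side check: refuse a message with two CP payloads of one CFG type."""
    parsed, seen = [], set()
    for body in payloads:
        cfg_type, attrs = parse_cp(body)
        if cfg_type in seen:
            raise ValueError(f"ambiguous: more than one {cfg_type} payload")
        seen.add(cfg_type)
        parsed.append((cfg_type, attrs))
    return parsed

# Constructed sample data (documentation address ranges).
addr = ipaddress.IPv4Address("192.0.2.10").packed    # address for the mobile node
ha = ipaddress.IPv4Address("198.51.100.1").packed    # home agent address
two_replies = [build_cp(2, [(1, addr)]), build_cp(2, [(1, ha)])]  # two-payload approach
one_reply = [build_cp(2, [(1, addr), (0x4001, ha)])]              # dedicated attribute
```

Calling `check_cp_set(two_replies)` raises `ValueError`, while `check_cp_set(one_reply)` returns both addresses labelled by attribute name regardless of attribute order.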