Re: [IPsec] Use of IKE to obtain address of home agent


Christian and Tero,

Quick follow-up on this topic:

On Thursday 18 September 2008, Tero Kivinen wrote:
> Christian.Kaas-Petersen at tietoenator.com writes:
> > 3GPP has in document TS 24.302 (can be retrieved from
> > http://www.3gpp.org/ftp/Specs/html-info/24302.htm), section 7.2.2,
> > specified a use of IKE, where IKE sets up a secure tunnel to
> > a security gateway, denoted ePDG, and expects this security gateway
> > to return both an address to the mobile node, which normally
> > will be a care-of address, and the address(es) of the home agent.
> > The said document thinks this possible by having two Configuration
> > Payloads.  IKEv2bis, and previous documents, only indicated one
> > Configuration Payload to be present, and with the recent discussion
> > in mind where the order of the payloads in an IKE packet should
> > not matter, then having two Configuration Payloads is not a viable
> > approach.  It would be better to introduce two new configuration
> > attributes, for example named INTERNAL_IP4_HA and INTERNAL_IP6_HA.
>
> Yes, it would be better to have 2 new configuration options. The
> section 7.2.2. does not actually specify which configuration
> attribute type is used to negotiate Home Agent addresses.
>
> Including more than one configuration payload in the exchange would
> be a bad idea, as the configuration payloads do not have any kind of
> transaction id or similar, meaning there is no way to know which
> CFG_REPLY matches which CFG_REQUEST if there are multiple
> configuration payloads (of the same CFG TYPE) in the same exchange.

I have a different reading of 3GPP TS 24.302; I think there's a little
mistake in the text and what it wants to say is that "the UE may also
request the address(es) of a Home Agent for DSMIPv6 related signaling,
by including a corresponding _attribute_ in the CFG_REQUEST
configuration payload."

That would be in line with the Editor's note that follows, which
states "it is FFS which type of attribute (private or assigned by IANA)
is used in the configuration payload."

I see absolutely no reason why two CFG_REQUESTs would be needed...

Thus TS 24.302 has to be fixed.

> Another option is to use the INTERNAL_IP{4,6}_DHCP attribute in IKEv2
> and then get the home agent address from the DHCP server.

The alternative of getting the HA information via DHCP is already 
covered as part of 3GPP TS 24.303 "Mobility Management based on 
Dual-Stack Mobile IPv6", amongst other alternatives (DNS, and GTP 
Protocol Configuration Options.)

--julien
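
The single-payload approach discussed in this thread, as an added example that is not part of the original messages: one CFG_REQUEST carries both the address attribute and a home agent attribute, and the reply is matched by attribute type because the Configuration Payload header holds only a CFG Type and reserved bytes. `HYPOTHETICAL_IP4_HA` is an assumed placeholder from the private-use attribute range (the thread notes the real type was still undecided), and the addresses are constructed documentation values.

```python
import socket
import struct

CFG_REQUEST, CFG_REPLY = 1, 2      # CFG Type values defined by IKEv2
INTERNAL_IP4_ADDRESS = 1           # attribute type defined by IKEv2
HYPOTHETICAL_IP4_HA = 16384        # assumption: placeholder in the private-use range

def build_cp(cfg_type, attrs, next_payload=0):
    """Encode one Configuration Payload: generic header, CFG Type, 3 reserved bytes, attributes."""
    body = struct.pack("!B3x", cfg_type)
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_cp(payload):
    """Return (cfg_type, [(attr_type, value), ...]); reject truncated or overlong input."""
    if len(payload) < 8:
        raise ValueError("payload shorter than CP header")
    _next, _flags, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("payload length field does not match buffer")
    cfg_type = payload[4]          # bytes 5..7 are RESERVED: there is no transaction id field
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + attr_len > length:
            raise ValueError("attribute value runs past payload end")
        attrs.append((attr_type & 0x7FFF, payload[off:off + attr_len]))
        off += attr_len
    return cfg_type, attrs

def answers_for(request, reply):
    """Pair reply values with the requested attribute types, the only key available."""
    req_type, req_attrs = parse_cp(request)
    rep_type, rep_attrs = parse_cp(reply)
    if (req_type, rep_type) != (CFG_REQUEST, CFG_REPLY):
        raise ValueError("expected a CFG_REQUEST and a CFG_REPLY")
    wanted = {t for t, _ in req_attrs}
    out = {}
    for attr_type, value in rep_attrs:
        if attr_type in wanted:
            out.setdefault(attr_type, []).append(value)  # address(es): keep every value
    return out

# Constructed sample exchange (documentation addresses, not captured traffic).
REQUEST = build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (HYPOTHETICAL_IP4_HA, b"")])
REPLY = build_cp(CFG_REPLY, [(INTERNAL_IP4_ADDRESS, socket.inet_aton("192.0.2.10")),
                             (HYPOTHETICAL_IP4_HA, socket.inet_aton("192.0.2.1"))])
```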