Network Working Group B. Patil Internet-Draft Nokia Intended status: Informational C. Perkins Expires: April 30, 2009 WiChorus H. Tschofenig Nokia Siemens Networks October 27, 2008 Issues related to the design choice of IPsec for Mobile IPv6 security draft-patil-mext-mip6issueswithipsec-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 30, 2009. Patil, et al. Expires April 30, 2009 [Page 1] Internet-Draft IPsec issues with Mobile IPv6 October 2008 Abstract Mobile IPv6 as specified in RFC3775 relies on IPsec for security. An IPsec SA between the mobile node and the home agent provides security for the mobility signaling. Use of IPsec for securing the data traffic between the mobile node and home agent is optional. This document analyses the implications of the design decision to mandate IPsec as the default security protocol for Mobile IPv6 and recommends revisiting this decision in view of the experience gained from implementation and adoption in other standards bodies. Table of Contents 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 7 6. Issues with the use of IPsec . . . . . . . . . . . . . . . . . 8 7. MIP6 evolution . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 10.1. Normative References . . . . . . . . . . . . . . . . . . 13 10.2. Informative References . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 Intellectual Property and Copyright Statements . . . . . . . . . . 15 Patil, et al. Expires April 30, 2009 [Page 2] Internet-Draft IPsec issues with Mobile IPv6 October 2008 1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Patil, et al. Expires April 30, 2009 [Page 3] Internet-Draft IPsec issues with Mobile IPv6 October 2008 2. Introduction Mobile IPv6 as specified in RFC3775 [RFC3775] requires an IPsec security association between the mobile node (MN) and home agent (HA). The IPsec SA protects the mobility signaling messages between the MN and HA. The user data may be optionally protected by the IPsec SA but is not required. The use of IPsec and IKE (v1 and v2) with Mobile IPv6 are specified in RFCs 3776 [RFC3776] and 4877 [RFC4877]. The Mobile IP and MIP6 working groups in the IETF chose to mandate IPsec as the default security protocol for Mobile IPv6 based on various criteria and discussions between the years 2000 and 2004. Implementation experience with Mobile IPv6 and the security variants with which it has been specified in some SDOs indicates a need to revisit the design choice for MIP6 signaling security. This document discusses the issues and concerns with the use of IPsec for MIP6 security and proposes revisiting the security design for MIP6 protocol. Patil, et al. Expires April 30, 2009 [Page 4] Internet-Draft IPsec issues with Mobile IPv6 October 2008 3. Terminology This document refers to [RFC3775][RFC4877] for terminology. Patil, et al. Expires April 30, 2009 [Page 5] Internet-Draft IPsec issues with Mobile IPv6 October 2008 4. Background IP mobility support in IPv6 was considered to be an integral feature of the IPv6 stack based on the experience gained from developing mobility support for IPv4. The design of Mobile IPv6 was worked on by the Mobile IP WG in the late 90s and by the MIP6 WG until its publication as [RFC3775] in 2004. IPsec was also intended to be a default component of the IPv6 stack and was the preferred protocol choice for use by any other IPv6 protocols that needed security. Rather than design security into every protocol feature the intent was to reuse a well-defined security protocol to meet security needs. Hence Mobile IPv6 has been designed with a direct dependency on IPsec. The Mobile IPv6 specification [RFC3775] was published along with the companion specification "Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents", [RFC3776]. The establishment of the IPsec SA between the MN and HA as per RFC 3776 is based on the use of IKE. The use of IKE in the context of Mobile IPv6 for IPsec SA establishment did not gain traction because of factors such as complexity of IKE and the IETF transitioning to IKEv2. The MIP6 WG completed the specification, Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture [RFC4877] in April 2007. This [RFC4877] is considered as the default security protocol solution for MIP6 and updates [RFC3776]. Patil, et al. Expires April 30, 2009 [Page 6] Internet-Draft IPsec issues with Mobile IPv6 October 2008 5. Problem Statement Mobile IPv6 is encumbered by its reliance on IPsec from an implementation and deployment perspective. As a protocol solution for host based mobility, MIP6 can be simpler without the IPsec baggage. The issues with IPsec are even more exacerbated in the case of dual-stack MIP6 [DSMIP6]. IPsec SAs between the MN and HA are established either manually or by the use of IKEv2. Manual SA configuration is not a scalable solution and hence MIP6 hosts and Home agents rely on IKEv2 for establishing dynamically IPsec SAs. As a result MIP6 depends on the existence of IPsec and IKEv2 for successful operation. The problem in summary for MIP6 is the dependence on IPsec and IKEv2 for operation. Patil, et al. Expires April 30, 2009 [Page 7] Internet-Draft IPsec issues with Mobile IPv6 October 2008 6. Issues with the use of IPsec This section captures several issues with the use of IPsec by MIP6. (1) The design of Mobile IPv6 emphasized on the reuse of IPv6 features such as IPsec. IPsec for IPv4 was a bolt-on solution. With the increasing need for security, IPv6 designers chose to incorporate IPsec as a default feature. There existed an assumption in the MIP6 working group that every IPv6 host would have IPsec capability as a standard feature. While this is true in many host implementations today, the existence of IPsec in every IPv6 stack is not a given. Hence a host which needs to implement Mobile IPv6 must ensure that IPsec and IKEv2 are also available. As a result of this dependence, MIP6 is no longer a standalone host-based mobility protocol. A good example of a host based mobility protocol that works as a self-sufficient module is Mobile IPv4. The security associated with MIP4 signaling is integrated into the protocol itself. MIP4 has been successfully deployed on large scale in several networks. (2) IPsec use in most hosts is generally for the purpose of VPN connectivity to enterprises. It has not evolved into a generic security protocol that can be used by Mobile IPv6 easily. While RFC4877 does specify the details which enable only the MIP6 signaling to be encapsulated with IPsec, the general method of IPsec usage has been such that all traffic between a host and the IPsec gateway is carried via the tunnel. Selective application of IPsec to protocols is not the norm. Use of IPsec with Mobile IPv6 requires configuration which in many cases is not easily done because of reasons such as enterprise environments preventing changing to IPsec policies or other. (3) A MIP6 home agent is one end of the IPsec SA in a many-to-one relationship. A MIP6 HA may support a very large of mobile nodes which could number in the hundreds of thousands to millions. The ability to terminate a large number of IPsec SAs (millions) requires signifiant hardware and platform capability. The cost issues of such an HA are detrimental and hence act as a barrier to deployment. (4) The implementation complexity of Mobile IPv6 is greatly increased because of the interaction with IPsec and IKEv2. A standalone MIP6 protocol is easier to implement and deploy (such as MIP4 [RFC3344]). The complexity of the protocol implementation is even more so in the case of [DSMIP6]. Patil, et al. Expires April 30, 2009 [Page 8] Internet-Draft IPsec issues with Mobile IPv6 October 2008 (5) IPsec and IKEv2 is not implemented in every IPv6 or dual stack host. Mobile IPv6 support on such devices is not an option. Many low-end cellular hosts have IP stacks. The need for IPsec and IKEv2 in these devices is not important whereas mobility support is needed in many cases. MIP6 without any dependencies on protocols for security is easier to implement and has wider applicability. (6) [RFC4877] which specifies the use of IKEv2 and IPsec with Mobile IPv6 essentially results in a variant of IPsec which is specific to Mobile IP. Hence this results in added complexity to implementations. (7) Mobile IPv6 needs to be capable of being deployed in situations where alternative security mechanisms are already well- understood by the network administration. It should be possible to enable Mobile IPv6 to work in situations where alternative security mechanisms already supply the necessary authentication and privacy. (8) IPsec has been successfully applied to VPN and other infrastructure operations, but less so for general end-to-end applications. Thus, the granularity for selectors was originally not at all sufficient for Mobile IPv6. (9) The way that the IPsec code sits in the usual kernel, and the access mechanisms for the SA database, are not very convenient for use by straightforward implementations of Mobile IPv6. Unusual calling sequences and parameter passing seems to be required on many platforms. (10) In certain environments the use of IPsec and IKEv2 for establishing the SA is considered as an overhead. Bandwidth constrained links such as cellular networks and air interfaces which are in the licensed spectrum tend to be optimized for user traffic. MIP6 signaling with the IPsec overhead and the IKEv2 messages are viewed negatively. It is more acceptable to have signaling without IPsec encapsulation. The issues listed above have been a cause for MIP6 not being implemented widely or adopted by other SDOs which are considering IP mobility solutions. Patil, et al. Expires April 30, 2009 [Page 9] Internet-Draft IPsec issues with Mobile IPv6 October 2008 7. MIP6 evolution In order to make the Mobile Ipv6 protocol a solution that is easy to implement and available in even low-end devices, it is necessary to simplify the protocol. The design or the security architecture for MIP6 needs to be revisited and a solution that does not rely on other components developed. Patil, et al. Expires April 30, 2009 [Page 10] Internet-Draft IPsec issues with Mobile IPv6 October 2008 8. Security Considerations This I-D discusses the security architecture of Mobile IPv6 which is based on IPsec. The dependency on IPsec for security of MIP6 signaling is a detriment to the protocol implementation and deployment. Hence the security architecture needs to be revisited. The experience gained over the last few years indicates that IPsec cannot necessarily be used as a generic solution for security. The design choice made for MIP6 in the initial stages no longer are valid and is hampering the implementation and use. Patil, et al. Expires April 30, 2009 [Page 11] Internet-Draft IPsec issues with Mobile IPv6 October 2008 9. IANA Considerations This document does not have any information which requires IANA review. Patil, et al. Expires April 30, 2009 [Page 12] Internet-Draft IPsec issues with Mobile IPv6 October 2008 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3775] Johnson, D., "Mobility Support in IPv6", RFC 3775, June 2004. [RFC3776] Arkko, J., "Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents", RFC 3776, June 2004. [RFC4877] Devarapalli, V., "Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture", RFC 4877, April 2007. [DSMIP6] Soliman, H., Ed., "Mobile IPv6 Support for Dual Stack Hosts and Routers", draft-ietf-mext-nemo-v4traversal-05.txt, July 2008. 10.2. Informative References [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002. Patil, et al. Expires April 30, 2009 [Page 13] Internet-Draft IPsec issues with Mobile IPv6 October 2008 Authors' Addresses Basavaraj Patil Nokia 6021 Connection Drive Irving, TX 75039 USA Email: basavaraj.patil@nokia.com Charles Perkins WiChorus 3590 N. 1st Street, Suite 300 San Jose, CA 95134 USA Email: charliep@wichorus.com Hannes Tschofenig Nokia Siemens Networks Linnoitustie 6 Espoo 02600 Finland Phone: +358 (50) 4871445 Email: Hannes.Tschofenig@gmx.net URI: http://www.tschofenig.priv.at Patil, et al. Expires April 30, 2009 [Page 14] Internet-Draft IPsec issues with Mobile IPv6 October 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Patil, et al. Expires April 30, 2009 [Page 15]