--------------------------------------
Mobility EXTensions for IPv6 WG (mext)
TUESDAY, March 23, 2010
1300-1500 Afternoon Session I
--------------------------------------

These meeting minutes are based on notes taken by Jouni Korhonen.

Home Agent Initiated Flow Binding for Mobile IPv6, Behcet Sarikaya (15 min)
---------------------------------------------------------------------------
Frank presents.
http://tools.ietf.org/html/draft-xia-mext-ha-init-flow-binding-01

use case 1: flow binding revocation. The HA revokes a binding created by the MN at some time for a reason or other.
use case 2: inter-interface flow mobility: HA commands a handover (move all flows) from an interface to another like from 3G to WLAN.
Marcello: the assumption is that the same entity that runs the HA runs all access networks as well.
use case 3: exceeding traffic quota. Force/suggest flows to a different access but not actually terminating the session.
use case 4: real-time offload. For example move flows from 3G to WLAN. What is the difference to use case 2?
Solution: define two new messages. FBI/FBA..
status: new use cases 3 & 4.
Marcello: all use cases except 1 assume that the same entity is running both access network and HA.
Sri: can you clarify use case 2. Is there a flow state in access routers?
Frank: no state.. Break down the link and move flows to another access..
Raj: it is sometimes useful to be able to move flows with the HA commanding it.
Sri: use case seems to be useful.
Marcello: let's take this as part of the charter discussion.

DHCPv4 Options for Home Information Discovery in Dual Stack MIPv6, Behcet Sarikaya (10 min)
-------------------------------------------------------------------------------------------
http://tools.ietf.org/html/draft-xia-mext-hioptv4-00

Problem: discovery only available for DHCPv6.
Solution: define a DHCPv4 equivalent.
Alper: is this using DHCPv4 to find HA address? RFC2132 already defines such option.
Frank: Defines only IPv4 address of the HA.
Alper: does the new option deliver IPv4 address?
Frank: can also deliver IPv6 address.
Raj: DSMIP HA has both IPv4 & IPv6 addresses.. you don’t really need IPv6 always. You can send BU to that IPv4 address.
Frank: erm..
Sri: 2132 has address for ipv4 HA?
Sri: different things.. 2132 is for MIPv4. Not for receiving DSMIP6 packets
Suresh: it is for HA.. Shouldn’t be issues
Sri: was defined when there was no MIP6..
Alper: belongs to DHC..
Behcet: presented in DHC WG.. said to wait once HIOPT gets to RFC..
Kent: clarify the use case. ?
Frank: use case 1: carry IPv4 DSMIPv6 HA address. Use case 2:
Raj: ..
Marcello: not sure whether use case is valid or whether current tools are enough.

Security On Demand for Mobile IPv6 and Dual-stack Mobile IPv6, Gabor Bajko (15 min)
-----------------------------------------------------------------------------------
http://tools.ietf.org/html/draft-bajko-mext-sod-00

problem: security for UP is optional and no way to signal whether it is used or not. A mechanism needed to signal whether UP security is to be used or not.
Solution: a new bit in BU and another to BA..
Charlie: dangerous to have..
Gabor: this is backward compatible with old stuff.
Marcello:
Alper: BU comes after the IPSec has been set up? what’s the use?
Julien: BUs are always protected by IPsec. This is about UP. What is the situation when mobile node knows when it needs UP protection or not?
Gabor: local policy:
Combes: Is this only for IPsec or for all security protocols?
Raj: any.. Answering to Julien: local policies.
Julien: need actually two bits. for encryption and integrity..
Combes: ?
Raj: currently UP security is optional.
Kent: if there are more than IPsec is there a way to select between those?
Raj: this is specific for IPsec.. there are other proposals for other solutions.
Kent:
Raj: S bit only for whether UP is protected.
Ruijy: why not mobility option?
Gabor: in the draft..???
Ruijy: can be done during mid session?
Raj: during binding refresh yes.
Ruijy: what if IKE needs to be used to setup the SA?
Raj: SA is already there.
Sri: the SA is there what the only means then?
Raj: you either decide to use SA or send it unprotected.
Ruijy: what is the timing if S bit state changes? does MH stop sending packets?
Raj: behavior changes on the MN only after receiving the BA.
Frank: what is the benefit?
Marcello: this is for the UP.
Marcello: Interesting discussion. Seems to be interesting. Will discuss if this is important or not?
Kent: not clear. it is not how things are used today. so it is not clear whether it is useful or not.
Frank: is useful..
Ruijy: minor enhancement. would use IKE only..?
Julien: IKE allows only negotiating SAs, not security policies. This is about security policies. Allow you to define whether to use SPD for UP dynamically. This is not possible with IKE.
Marcello: discuss on ,

Transport Layer Security-based Mobile IPv6 Security Framework for Mobile Node to Home Agent Communication, Jouni Korhonen (15 min)
--------------------------------------------------------------------
http://tools.ietf.org/html/draft-korhonen-mext-mip6-altsec-03

Terry Davis: likes the idea of using security mechanism that has proven interoperability.
Kent: asks about collocation properties…
Jouni: in draft but very flexible. HAC & AAA & HA can be collocated or separated whatever way.
Marcello: first need to understand whether we need to rework the security mechanisms then we can come to discussion for adoption.

Generalized MIPv6 Tunneling and Security Interfaces, Charles Perkins (15 min)
-----------------------------------------------------------------------------
Jari: OK to move stuff from the MIP6 what we do not need anymore. Other parts like restructuring is not that important..
Jari: if people do not understand protocol basics restructuring etc does not help.
Marcello: if you have a base protocol like this it does not allow you to build a MN and HA that can interoperate. I am saying this is not sufficient. You have a base spec that does not guarantee interoperability.
Charlie: we could agree that we need a base spec that allows interoperability.
Suresh: have a split to achieve a clean separation.. is this what you are after?
Charlie: yes I made that point.
Hannes: makes sense.
Hannes:
Charlie:
Marcello: is this a problem for the lack of deployment?
Hannes: maybe the problems are somewhere else then restructuring does not help:
Marcello: like lack of IPv6 deployment? ;)
Suresh: there is no consensus document that would list issues that people see.
Jari: agrees with Hannes. Lack of IPv6 deployment, security issues and alike are reason for no deployment. Should attack those rather than fixing the document.
Charlie: we could have a bar BoF discussion this stuff.
Charlie preaches about the healing power of Mobile IP.
Marcello: security related questions to rechartering discussion.
Julien: if you rely on access specific security you can only
Charlie:
Jari: are you looking to remove sec+tun, mandate something or make them optional?
Charlie: asking a permission to do this stuff:
Boeing: I like the idea of modularizing.

Next steps for the MEXT WG, Chairs and WG participants (30 min)
---------------------------------------------------------------
Marcello: security rework: one solution already proposed. What others like CGA based?
Marcello: do we need to rework Mobile IPv6 security mechanism?
Julien: Why we need another security mechanism? Implementation complexity is no reason. What are the requirements?
Marcello: we are not going to rehash this discussion. People are not convincing you.
Julien: we have not seen a document that lists the security solution requirements. IPsec is simple.
Marcello: already multiple alternative solutions.
Charlie: alternative security solutions are needed because other solutions exist and are not going away. People have to be able to use those if they want so.
Raj: having IPsec as the only solution makes MIP6 unsuitable for various deployments like WiMAX (as an example).
Makes MIP6 irrelevant for many deployments with a fixed security solution.
Boeing: we need the options. IPsec requires too much “debugging” to get it running.
Jari: I’d like to see alternative security mechanism.. a pluggable solution. Worried whether we actually could manage that. Worried what would be the mandatory in few years if we have multiple..
Tony Hain: don’t make a solution where a leaf network defines cross internet security model. We need to have a mandatory security mechanism.
Suresh: mip6 ipsec/ike is not really ipsec/ike off the shelf. we need other security mechanisms.
Marcello: about security api? You promised to give pointers last time..
Suresh: yes.. People have tried a lot to come up with security APIs and always failed.
juri: supports the idea of modularization.. but you basically need a new version of MIP6 standard..
xyz: for restricted devices maybe another security mechanism would be ok.
Julien: in 3GPP there is no overhead in 3GPP access (home network). When handovering to other accesses IPSec is used and needed to access 3GPP core anyway.
Alper: RFC4285 is used in two SDOs already. That has to be taken into considerations in this discussion.
Raj: yes 3GPP is the dominant wireless tech. minimum requirement is the key distribution..
Marcello:
abc: issues about possible double IPsec
Marcello: asks the feeling of the WG. Overwhelming YES, 1 no.