draft-patil-mext-mip6issueswithipsec-02.txt (left column) | draft-patil-mext-mip6issueswithipsec-03.txt (right column)
Mobility Extensions (MEXT) B. Patil Mobility Extensions (MEXT) B. Patil
Internet-Draft Nokia Internet-Draft Nokia
Intended status: Standards Track D. Premec Intended status: Standards Track D. Premec
Expires: April 29, 2010 Unaffiliated Expires: January 10, 2011 Unaffiliated
C. Perkins C. Perkins
WiChorus Tellabs
H. Tschofenig H. Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
October 26, 2009 July 11, 2010
Problems with the use of IPsec as the security protocol for Mobile IPv6 Problems with the use of IPsec as the security protocol for Mobile IPv6
draft-patil-mext-mip6issueswithipsec-02 draft-patil-mext-mip6issueswithipsec-03
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF). Note that other groups may also distribute
other groups may also distribute working documents as Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This Internet-Draft will expire on January 10, 2011.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 29, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Abstract Abstract
Mobile IPv6 as specified in RFC3775 relies on IPsec for securing the Mobile IPv6 as specified in RFC3775 relies on IPsec for securing the
signaling messages and user plane traffic between the mobile node and signaling messages and user plane traffic between the mobile node and
home agent. An IPsec SA between the mobile node and the home agent home agent. An IPsec SA between the mobile node and the home agent
provides security for the mobility signaling. Use of IPsec for provides security for the mobility signaling. Use of IPsec for
securing the data traffic between the mobile node and home agent is securing the data traffic between the mobile node and home agent is
optional. This document analyses the implications of the design optional. This document analyses the implications of the design
decision to mandate IPsec as the default security protocol for Mobile decision to mandate IPsec as the default security protocol for Mobile
[skipping to change at page 3, line 32 (both drafts)]
with which it has been specified in some SDOs indicates a need to with which it has been specified in some SDOs indicates a need to
revisit the design choice for MIP6 signaling security. The analysis revisit the design choice for MIP6 signaling security. The analysis
and recommendation to revisit the security protocol architecture for and recommendation to revisit the security protocol architecture for
MIP6 should not be interpreted as a recommendation for Authentication MIP6 should not be interpreted as a recommendation for Authentication
Protocol for Mobile IPv6 [RFC4285]. The objective is to highlight Protocol for Mobile IPv6 [RFC4285]. The objective is to highlight
the misfit of IPsec and IKEv2 as the security protocol for MIP6 and the misfit of IPsec and IKEv2 as the security protocol for MIP6 and
hence the need for considering alternatives. A simpler security hence the need for considering alternatives. A simpler security
architecture for securing the signaling and traffic between the MN architecture for securing the signaling and traffic between the MN
and HA can co-exist with the IPsec based solution as well. and HA can co-exist with the IPsec based solution as well.
The objective of Mobile IPv6 [RFC3775] is to enable IP mobility for
IPv6 hosts. The security design of the protocol is a critical
consideration for large-scale deployment and operation. If
implementation complexity were the yardstick, the current Mobile IPv6
specifications, i.e. RFC3775 and RFC5555, would win high accolades:
an implementer spends roughly 20% of the effort on the Mobile IPv6
protocol itself and 80% on integrating it with IPsec and IKEv2, and
even then interoperability of the mobile node with home agents is not
guaranteed. The IPsec/IKEv2 security architecture may work in
implementations where the OS, the IPsec/IKEv2 stack and the Mobile
IPv6 client software are all produced by a single entity; it does not
work on open systems, where these components are developed
independently and must be integrated across their interfaces.
2. Terminology and Abbreviations 2. Terminology and Abbreviations
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
This document refers to [RFC3775][RFC4877] for terminology. This document refers to [RFC3775][RFC4877] for terminology.
3. Background 3. Background
[skipping to change at page 14, line 29 (both drafts)]
11.2. Informative References 11.2. Informative References
[I-D.ebalard-mext-pfkey-enhanced-migrate] [I-D.ebalard-mext-pfkey-enhanced-migrate]
Ebalard, A. and S. Decugis, "PF_KEY Extension as an Ebalard, A. and S. Decugis, "PF_KEY Extension as an
Interface between Mobile IPv6 and IPsec/IKE", Interface between Mobile IPv6 and IPsec/IKE",
draft-ebalard-mext-pfkey-enhanced-migrate-00 (work in draft-ebalard-mext-pfkey-enhanced-migrate-00 (work in
progress), August 2008. progress), August 2008.
[I-D.korhonen-mext-mip6-altsec] [I-D.korhonen-mext-mip6-altsec]
Korhonen, J., "Security architecture for Mobile IPv6 using Korhonen, J., "Security architecture for Mobile IPv6 using
TLS", draft-korhonen-mext-mip6-altsec-02.txt (work in TLS", draft-korhonen-mext-mip6-altsec-05.txt (work in
progress), October 2009. progress), July 2010.
[I-D.sugimoto-mip6-pfkey-migrate] [I-D.sugimoto-mip6-pfkey-migrate]
Sugimoto, S., Dupont, F., and M. Nakamura, "PF_KEY Sugimoto, S., Dupont, F., and M. Nakamura, "PF_KEY
Extension as an Interface between Mobile IPv6 and IPsec/ Extension as an Interface between Mobile IPv6 and IPsec/
IKE", draft-sugimoto-mip6-pfkey-migrate-04 (work in IKE", draft-sugimoto-mip6-pfkey-migrate-04 (work in
progress), December 2007. progress), December 2007.
[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
August 2002. August 2002.
[skipping to change at page 15, line 26 (both drafts)]
Unaffiliated Unaffiliated
Heinzelova 70a Heinzelova 70a
Zagreb, 10000 Zagreb, 10000
CROATIA CROATIA
Phone: Phone:
Fax: Fax:
Email: domagoj.premec.ext@gmail.com Email: domagoj.premec.ext@gmail.com
Charles Perkins Charles Perkins
WiChorus Tellabs
3590 N. 1st Street, Suite 300 3590 N. 1st Street, Suite 300
San Jose, CA 95134 San Jose, CA 95134
USA USA
Email: charliep@wichorus.com Email: charles.perkina@tellabs.com
Hannes Tschofenig Hannes Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
Linnoitustie 6 Linnoitustie 6
Espoo 02600 Espoo 02600
Finland Finland
Phone: +358 (50) 4871445 Phone: +358 (50) 4871445
Email: Hannes.Tschofenig@gmx.net Email: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at URI: http://www.tschofenig.priv.at