IPSECME WG                                                       A. Noble
Internet-Draft                                              S. Gundavelli
Intended status: Standards Track                                    Cisco
Expires: February 22, 2014                                    J. Korhonen
                                                           Renesas Mobile
                                                              F. Baboescu
                                                    Broadcom Corporation
                                                         August 21, 2013


                       3GPP IMS Option for IKEv2
              draft-gundavelli-ipsecme-3gpp-ims-options-01.txt

Abstract

   This document defines two new configuration attributes for the
   Internet Key Exchange Protocol version 2 (IKEv2).  These attributes
   can be used for carrying the IPv4 and IPv6 address of the Proxy-Call
   Session Control Function (P-CSCF).  This is one of the few methods
   by which an IPsec client can obtain the IP address of the P-CSCF
   function located in the home network.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 22, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Terminology
     2.1.  Conventions
     2.2.  Terminology
   3.  P-CSCF_IP4_ADDRESS Configuration Attribute
   4.  P-CSCF_IP6_ADDRESS Configuration Attribute
   5.  Example Scenario
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   The 3GPP S2b reference point [TS23402], specified by the 3GPP system
   architecture, defines a mechanism that allows a mobile node attached
   to an untrusted non-3GPP IP access network to securely connect to the
   3GPP home network and access IP services.  In this scenario, the
   mobile node establishes an IPsec tunnel to the security gateway
   called the ePDG, which in turn establishes a PMIPv6/GTP tunnel to the
   PDN gateway where the mobile node's session is anchored.  The figure
   below shows the interworking option for untrusted non-3GPP access.
                                +------------+
                                |    ePDG    |
                                | +--------+ |
   +------+        _----_       | | IPsec  | |      _----_      +-----+
   |  MN  |      _(      )_     | | Module | |    _(      )_    | LMA |
   |      |<====( Internet )=====| +--------+ |===( Operator )===|(PGW)|
   +------+      (_      _)     |     :      |    (_Network_)   +-----+
                  '----'        | +--------+ |      '----'
               IPsec Tunnel     | | PMIPv6 | | PMIPv6/GTP Tunnel
                                | |  MAG   | |
                                | +--------+ |
                                +------------+

   |<------------ IKEv2/IPsec ------> | <-------------PMIPv6/GTP-->|

     Figure 1: Interworking Architecture for Untrusted Non-3GPP Access

   A mobile node in this scenario may need to access the IMS services in
   the home network, and to do so it must learn the address of the
   P-CSCF.  Currently, there are no attributes in IKEv2 that can carry
   this information.  In their absence the mobile node has to be
   statically configured with the P-CSCF address, which is proving to be
   an operational challenge.

   This specification therefore defines two new IKEv2 attributes
   [RFC5996] that allow an IPsec gateway to provide the IPv4 and/or IPv6
   address of the P-CSCF function.  These attributes can be exchanged by
   IKEv2 peers as part of the configuration payload exchange.

2.  Conventions and Terminology

2.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Terminology

   All the IKEv2-related terms used in this document are to be
   interpreted as defined in [RFC5996] and [RFC5739].  All the
   mobility-related terms are to be interpreted as defined in [RFC5213]
   and [RFC5844].  Additionally, this document uses the following term:

   Proxy-Call Session Control Function (P-CSCF)

      The P-CSCF is the entry point to the 3GPP IMS (IP Multimedia
      Subsystem) domain and serves as the outbound proxy server for the
      mobile node.
      The mobile node attaches to the P-CSCF prior to performing IMS
      registrations and initiating SIP sessions.

3.  P-CSCF_IP4_ADDRESS Configuration Attribute

   The P-CSCF_IP4_ADDRESS configuration attribute is formatted as
   follows:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|         Attribute Type      |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IPv4 Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 2: IPv4 Address of P-CSCF

   Reserved (1 bit)
      Refer to the IKEv2 specification [RFC5996].

   Attribute Type (15 bits)
      The type value for P-CSCF_IP4_ADDRESS, to be assigned by IANA
      (see Section 6).

   Length (2 octets)
      Length of the value field in octets.  In this case, it is 4.

   IPv4 Address (4 octets)
      An IPv4 address of the P-CSCF function.

   Multiple instances of this attribute with different values can be
   present in the configuration payload, and there is no implied
   preferential order among them.

4.  P-CSCF_IP6_ADDRESS Configuration Attribute

   The P-CSCF_IP6_ADDRESS configuration attribute is formatted as
   follows:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |R|         Attribute Type      |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                                                               |
   |                          IPv6 Address                         |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 3: IPv6 Address of P-CSCF

   Reserved (1 bit)
      Refer to the IKEv2 specification [RFC5996].

   Attribute Type (15 bits)
      The type value for P-CSCF_IP6_ADDRESS, to be assigned by IANA
      (see Section 6).

   Length (2 octets)
      Length of the value field in octets.  In this case, it is 16.

   IPv6 Address (16 octets)
      An IPv6 address of the P-CSCF function.

   Multiple instances of this attribute with different values can be
   present in the configuration payload, and there is no implied
   preferential order among them.

5.  Example Scenario

   The mobile node MAY request the IP address of a P-CSCF function as
   shown below.  The P-CSCF addresses in the reply are documentation
   addresses used for illustration only.

      Client                                              Gateway
     --------                                            ---------

      HDR(IKE_SA_INIT), SAi1, KEi, Ni  -->

                         <--  HDR(IKE_SA_INIT), SAr1, KEr, Nr, [CERTREQ]

      HDR(IKE_AUTH),
      SK { IDi, CERT, [CERTREQ,] [IDr,] AUTH,
           CP(CFG_REQUEST) =
             { INTERNAL_IP4_ADDRESS(),
               INTERNAL_IP4_DNS(),
               P-CSCF_IP4_ADDRESS(),
               P-CSCF_IP6_ADDRESS() }, SAi2,
           TSi = (0, 0-65535, 0.0.0.0-255.255.255.255),
           TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) }  -->

                         <--  HDR(IKE_AUTH),
                              SK { IDr, CERT, AUTH,
                                   CP(CFG_REPLY) =
                                     { INTERNAL_IP4_ADDRESS(192.0.2.234),
                                       P-CSCF_IP4_ADDRESS(192.0.2.10),
                                       P-CSCF_IP6_ADDRESS(2001:db8::10),
                                       INTERNAL_IP4_DNS(198.51.100.33) },
                                   SAr2,
                                   TSi = (0, 0-65535,
                                          192.0.2.234-192.0.2.234),
                                   TSr = (0, 0-65535,
                                          0.0.0.0-255.255.255.255) }

                     Figure 4: P-CSCF Attribute Exchange

6.  IANA Considerations

   This document requires the following two IANA actions.

   o  Action-1: This specification defines a new IKEv2 attribute for
      carrying the IPv4 address of the P-CSCF function.  This attribute
      is defined in Section 3.  The Type value for this attribute needs
      to be assigned from the IKEv2 Configuration Payload Attribute
      Types namespace defined in [RFC5996].

   o  Action-2: This specification defines a new IKEv2 attribute for
      carrying the IPv6 address of the P-CSCF function.  This attribute
      is defined in Section 4.  The Type value for this attribute needs
      to be assigned from the IKEv2 Configuration Payload Attribute
      Types namespace defined in [RFC5996].

7.  Security Considerations

   This document is an extension to IKEv2 [RFC5996] and therefore
   inherits all the security properties of IKEv2.

   The two new IKEv2 attributes defined in this specification carry the
   IPv4 and IPv6 address of the P-CSCF function.
   These attributes can be exchanged by IKE peers as part of the
   configuration payload, which is carried in the encrypted and
   integrity-protected SK payload of the IKE_AUTH exchange.  The
   existing IKEv2 security framework therefore provides the integrity
   and confidentiality protection these attributes need, and a mobile
   node only acts on P-CSCF addresses supplied by a gateway it has
   authenticated.  As with INTERNAL_IP4_DNS, the mobile node trusts a
   supplied P-CSCF address exactly as far as it trusts that gateway.
   This specification does not introduce any new security
   vulnerabilities.

8.  Acknowledgements

   The authors would like to thank Vojislav Vuecetic, Heather Sze,
   Sebastian Speicher, Maulik Vaidya and Tero Kivinen for all the
   discussions related to this topic.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

9.2.  Informative References

   [RFC5213]  Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K.,
              and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.

   [RFC5739]  Eronen, P., Laganier, J., and C. Madson, "IPv6
              Configuration in Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 5739, February 2010.

   [RFC5844]  Wakikawa, R. and S. Gundavelli, "IPv4 Support for Proxy
              Mobile IPv6", RFC 5844, May 2010.

   [TS23402]  3GPP, "Architecture enhancements for non-3GPP accesses",
              2012.

Authors' Addresses

   Aeneas Noble
   Cisco
   30 International Pl
   TEWKSBURY, MASSACHUSETTS 95134
   USA

   Email: noblea@cisco.com


   Sri Gundavelli
   Cisco
   170 West Tasman Drive
   San Jose, CA 95134
   USA

   Email: sgundave@cisco.com


   Jouni Korhonen
   Renesas Mobile
   Porkkalankatu 24
   Helsinki FIN-00180
   Finland

   Email: jouni.nospam@gmail.com


   Florin Baboescu
   Broadcom Corporation
   100 Mathilda Place
   Sunnyvale, CA 94086
   USA

   Email: baboescu@broadcom.com
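   The following worked example is an editorial addition and is not
   part of the draft or of any implementation by its authors.  It
   encodes and parses the configuration attributes of Sections 3 and 4
   inside a configuration payload, and builds the CFG_REQUEST and
   CFG_REPLY of the Figure 4 exchange in Section 5.  Two things are
   assumed: the attribute type values 20 and 21 (the draft leaves them
   to IANA; 20 and 21 are the values IANA later registered for these
   attributes in RFC 7651), and the P-CSCF addresses 192.0.2.10,
   192.0.2.11 and 2001:db8::10, which are constructed documentation
   addresses.  The parser enforces the fixed value lengths (4 and 16
   octets, or 0 in a request), rejects attributes whose Length field
   runs past the payload, masks out the reserved R bit on receipt, and
   returns multiple P-CSCF instances in wire order with no preference.

```python
import ipaddress
import struct
from typing import List, Tuple

# Configuration payload attribute types from RFC 5996, Section 3.15.1.
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
# ASSUMPTION: the draft leaves these two values to IANA (Section 6).
# 20 and 21 are the values IANA later registered for them (RFC 7651).
P_CSCF_IP4_ADDRESS = 20
P_CSCF_IP6_ADDRESS = 21

CFG_REQUEST = 1
CFG_REPLY = 2

# Value length each attribute must carry when it is not empty.  The draft
# fixes 4 octets for P-CSCF_IP4_ADDRESS and 16 for P-CSCF_IP6_ADDRESS;
# an empty value is how a CFG_REQUEST asks for the attribute.
FIXED_LEN = {
    INTERNAL_IP4_ADDRESS: 4,
    INTERNAL_IP4_DNS: 4,
    P_CSCF_IP4_ADDRESS: 4,
    P_CSCF_IP6_ADDRESS: 16,
}


def encode_attribute(attr_type: int, value: bytes = b"") -> bytes:
    """R(1 bit) | Attribute Type(15 bits) | Length(16 bits) | value.
    R is always sent as zero, so the type must fit in 15 bits."""
    if not 0 <= attr_type <= 0x7FFF:
        raise ValueError("attribute type does not fit in 15 bits")
    if attr_type in FIXED_LEN and len(value) not in (0, FIXED_LEN[attr_type]):
        raise ValueError("bad value length for attribute %d" % attr_type)
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_cp(cfg_type: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Configuration payload body: CFG Type (1 octet), 3 reserved octets,
    then the attributes back to back."""
    return struct.pack("!B3x", cfg_type) + b"".join(
        encode_attribute(t, v) for t, v in attrs)


def parse_cp(data: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Parse a configuration payload body.  Raises ValueError on a
    truncated header, a Length that overruns the payload, or a known
    attribute whose Length is neither 0 nor its fixed size."""
    if len(data) < 4:
        raise ValueError("configuration payload too short")
    cfg_type = data[0]
    attrs = []
    pos = 4
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, pos)
        attr_type = raw_type & 0x7FFF  # R bit MUST be zero; ignored on receipt
        pos += 4
        if length > len(data) - pos:
            raise ValueError("attribute length %d exceeds payload" % length)
        if attr_type in FIXED_LEN and length not in (0, FIXED_LEN[attr_type]):
            raise ValueError("attribute %d has length %d" % (attr_type, length))
        attrs.append((attr_type, data[pos:pos + length]))
        pos += length
    return cfg_type, attrs


def pcscf_addresses(attrs: List[Tuple[int, bytes]]) -> list:
    """Every non-empty P-CSCF address in wire order; the draft allows
    multiple instances and gives them no implied preference."""
    out = []
    for attr_type, value in attrs:
        if attr_type == P_CSCF_IP4_ADDRESS and value:
            out.append(ipaddress.IPv4Address(value))
        elif attr_type == P_CSCF_IP6_ADDRESS and value:
            out.append(ipaddress.IPv6Address(value))
    return out


def build_request() -> bytes:
    """The CFG_REQUEST of Figure 4: every attribute carries an empty value."""
    return encode_cp(CFG_REQUEST, [
        (INTERNAL_IP4_ADDRESS, b""),
        (INTERNAL_IP4_DNS, b""),
        (P_CSCF_IP4_ADDRESS, b""),
        (P_CSCF_IP6_ADDRESS, b""),
    ])


def build_reply() -> bytes:
    """The CFG_REPLY of Figure 4.  192.0.2.234 and 198.51.100.33 are the
    draft's values; the P-CSCF addresses are constructed documentation
    addresses (two IPv4 instances show the multiple-instance case)."""
    return encode_cp(CFG_REPLY, [
        (INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address("192.0.2.234").packed),
        (P_CSCF_IP4_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
        (P_CSCF_IP4_ADDRESS, ipaddress.IPv4Address("192.0.2.11").packed),
        (P_CSCF_IP6_ADDRESS, ipaddress.IPv6Address("2001:db8::10").packed),
        (INTERNAL_IP4_DNS, ipaddress.IPv4Address("198.51.100.33").packed),
    ])


def reply_is_malformed(data: bytes) -> bool:
    """True when parse_cp rejects the payload: the check a client applies
    before installing any address it received."""
    try:
        parse_cp(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg, attrs = parse_cp(build_reply())
    print(cfg, [str(a) for a in pcscf_addresses(attrs)])
    # A P-CSCF_IP6_ADDRESS claiming 16 octets but carrying only 4.
    bad = bytes([CFG_REPLY, 0, 0, 0, 0, P_CSCF_IP6_ADDRESS, 0, 16, 0, 0, 0, 0])
    print(reply_is_malformed(bad))
```

   The parser masks rather than rejects the R bit because RFC 5996
   requires it to be ignored on receipt; the length checks, by contrast,
   are hard failures, since a 16-octet Length with 4 octets of payload
   is exactly the kind of input a client must not read past.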