Security on Demand for MIP6 I-D: draft-bajko-mext-sod-00 Gabor Bajko, Basavaraj Patil, Teemu Savolainen IETF77

Page 1:

Security on Demand for MIP6 I-D: draft-bajko-mext-sod-00

Gabor Bajko, Basavaraj Patil, Teemu Savolainen

IETF77 1

Page 2:

Overview

• MIP6 provides the possibility of securing the user plane traffic between the MN and HA via an IPsec SA

• Security of the user-plane traffic is optional

• The HA has no way to force the MN to use, or not to use, security for the user-plane traffic

• The MN and HA should have the capability to trigger security for the MN-HA link depending on various factors such as type of access network, roaming, etc.

IETF77 2

Page 3:

Scenarios when HA would prefer security not to be used

• HA is overloaded and prefers security not to be used by the MN

• A MN may be attached via a trusted access network, such as an operator's 3G network, while at home
– Securing the user plane traffic on the MN-HA link would not have added value
– No need for securing the MN-HA traffic

IETF77 3

Page 4:

Scenarios when HA would prefer security to be used

• The MN may attach to the HA via an untrusted access such as Wifi
– MN may not want to use security
– HA would want to trigger the use of security for the user plane traffic

• MN may be roaming in a visited country and attached to a 3G network
– HA would prefer the MN to use security, while MN may think it is not necessary

Page 5:

MN or HA may indicate security

• MN may indicate its intention for traffic on the MN-HA link to be secured
– And/Or

• HA may detect that security is necessary, or not necessary, for the MN-HA link and signals this to the MN

IETF77 5

Page 6:

Proposal

• Use one of the reserved bits in the BU to indicate the intention of the MN for securing or not securing the user plane traffic

• Use one of the reserved bits in the BAck by the HA to acknowledge or overwrite the MN’s intention for securing or not securing the user plane traffic

• Provides MIP6 with a mechanism wherein security for user-plane traffic is indicated a priori

IETF77 6

Page 7:

BU

IETF77 7

S flag: When set, this flag indicates MN prefers to turn on user plane traffic encryption. When clear, MN prefers not to use security for user plane data

Page 8:

BAck

IETF77 8

S flag: When set, this flag indicates HA acknowledges, or strongly recommends, use of user plane encryption. When clear, HA does not support or allow use of user plane encryption
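The following is an added example (not part of the slides or the draft) that walks the BU/BAck round trip from slides 6 to 8: the MN sets its S flag in the BU, the HA acknowledges or overwrites it in the BAck according to the scenarios on slides 3 and 4, and the BAck S flag decides whether user-plane IPsec is used. The draft only says "one of the reserved bits" is used, so the exact bit positions of S in the BU and BAck, and the HA's decision policy, are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

# 16-bit BU flags field: A, H, L, K are the RFC 6275 positions. The draft only
# says "one of the reserved bits" carries S; the positions below are ASSUMPTIONS.
BU_A, BU_H, BU_L, BU_K = 1 << 15, 1 << 14, 1 << 13, 1 << 12
BU_S = 1 << 5          # assumed placeholder position for the S flag in the BU
BACK_K = 1 << 7        # K occupies the top bit of the BAck's K|Reserved octet (RFC 6275)
BACK_S = 1 << 0        # assumed placeholder position for the S flag in the BAck
BACK_ACCEPTED = 0      # RFC 6275 status code "Binding Update accepted"

def build_bu(seq: int, lifetime: int, mn_wants_security: bool) -> bytes:
    """Sequence #, flags and lifetime of a home-registration BU with ack requested."""
    flags = BU_A | BU_H | (BU_S if mn_wants_security else 0)
    return struct.pack("!HHH", seq, flags, lifetime)

def build_back(seq: int, lifetime: int, use_security: bool) -> bytes:
    """Status, K|Reserved octet (S placed in the reserved part), sequence #, lifetime."""
    return struct.pack("!BBHH", BACK_ACCEPTED, BACK_S if use_security else 0, seq, lifetime)

@dataclass
class HAContext:
    overloaded: bool        # slide 3: HA prefers no security when overloaded
    trusted_access: bool    # slide 3: operator's own 3G network while at home
    roaming: bool           # slide 4: attached to a 3G network in a visited country

def ha_decide(mn_prefers_security: bool, ctx: HAContext) -> bool:
    """Assumed HA policy: acknowledge or overwrite the MN's S flag (slide 6)."""
    if ctx.overloaded:
        return False                 # overwrite: shed IPsec load
    if not ctx.trusted_access or ctx.roaming:
        return True                  # overwrite: untrusted Wi-Fi or roaming
    return mn_prefers_security       # trusted at home: acknowledge the MN's choice

def negotiate(mn_prefers_security: bool, ctx: HAContext) -> dict:
    """Run one BU/BAck exchange and report whether user-plane IPsec is used."""
    bu = build_bu(seq=1, lifetime=0xFFFF, mn_wants_security=mn_prefers_security)
    seq, bu_flags, lifetime = struct.unpack("!HHH", bu)
    decision = ha_decide(bool(bu_flags & BU_S), ctx)
    back = build_back(seq, lifetime, decision)
    status, back_flags, _, _ = struct.unpack("!BBHH", back)
    # Slide 8: the BAck S flag is authoritative; clear means the HA does not allow encryption.
    return {"mn_s": bool(bu_flags & BU_S), "ha_s": bool(back_flags & BACK_S),
            "use_ipsec": status == BACK_ACCEPTED and bool(back_flags & BACK_S)}
```

Running `negotiate(False, HAContext(overloaded=False, trusted_access=False, roaming=False))` shows the slide 4 case: the MN clears S, the HA overwrites it in the BAck, and IPsec is used.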

Page 9:

Next steps

• Adopt this as a work item in MEXT?

IETF77 9