Security issues related to HMIPv6


Presentation Transcript


  1. Security issues related to HMIPv6 H.Soliman@flarion.com

  2. Current Security scheme
     • Current scheme relies on IPsec.
     • Static or dynamic keying possible – dynamic is more realistic.
     • MN picks an RCoA and binds it with the LCoA.
     • MAP makes sure that no other MN is using the RCoA (check list of used addresses during IKE policy check).
     • MN need not pick a specific RCoA (NOT like the HoA).

  3. Issues raised
     • Technically there is no problem with the current solution.
     • Use of certificates on the host is difficult. Reasons not clear, some guesses below:
       • Configuration and renewal of certs on the host does not use standard mechanisms (?)
       • Some operators might want to reuse existing security credentials (e.g. AAA credentials).

  4. Different trust models for deployment
     • Authentication only model
     • Authentication and Authorisation model
     • Both models addressed in the current draft.

  5. Different HMIPv6 deployment scenarios – Authentication only
     [Diagram labels: MAP IKE/IPsec]
     Only mutual authentication required. All MNs are authorised to use the MAP and get an RCoA.

  6. Different HMIPv6 deployment scenarios – Authentication and authorisation (A)
     [Diagram labels: Home CA-MN MAP Local IKE/IPsec]
     MAP needs to authorise the MN for the service. In the current scheme, authorisation is done based on the MN Cert.

  7. Different HMIPv6 deployment scenarios – Authentication and authorisation (B)
     [Diagram labels: Home AAAH EAP-RADIUS/Diameter AAAL MAP IKEv2 (EAP)/IPsec]
     MAP needs to authorise the MN for the service. MN AAA credentials are used over EAP with AAAL or AAAH. IKEv2 is used to set up the IPsec SA after EAP is done.

  8. Summary of solution set
     • Authentication only:
       • IKE/IPsec
       • Possible new solution => CGAs
     • Authentication and Authorisation:
       • IKE/IPsec if CAs are applicable. Allows for roaming based on trust between different CAs.
       • IKEv2(EAP)/IPsec if there is a need to reuse AAA credentials.

  9. Way forward
     • Keep the current mechanism in HMIPv6 as default.
     • Propose new mechanism for nomad scenario (Authentication only).
     • Work started on CGAs for HMIPv6.
     • Move current HMIPv6 to PS after a little cleanup.
     • Another possible area of improvement for new specs:
       • Improving inter-MAP domain handovers.
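
The MAP-side check from slide 2 and the two trust models from slide 4, as an added example that is not part of the original presentation or of any HMIPv6 implementation. The class name, identity strings, result strings and the 2001:db8::/32 documentation addresses are constructed, and the prefix check assumes the RCoA is formed on the MAP's subnet.

```python
import ipaddress


class MapBindingPolicy:
    """Hypothetical policy check a MAP runs once IKE has authenticated the MN."""

    def __init__(self, map_prefix, authorised_ids=None):
        self.map_prefix = ipaddress.IPv6Network(map_prefix)
        # None -> authentication-only model: every authenticated MN may get an RCoA.
        # A set -> authentication-and-authorisation model: only listed identities may.
        self.authorised_ids = authorised_ids
        # The "list of used addresses": RCoA -> (authenticated identity, LCoA).
        self.bindings = {}

    def register(self, peer_id, rcoa, lcoa):
        """peer_id is the identity proven during IKE (cert subject or AAA identity)."""
        rcoa = ipaddress.IPv6Address(rcoa)
        lcoa = ipaddress.IPv6Address(lcoa)
        if self.authorised_ids is not None and peer_id not in self.authorised_ids:
            return "reject: not authorised"
        # Assumption: the RCoA must lie on the MAP's own subnet.
        if rcoa not in self.map_prefix:
            return "reject: RCoA outside MAP prefix"
        owner = self.bindings.get(rcoa)
        # Another MN already holds this RCoA: accepting would redirect its traffic.
        if owner is not None and owner[0] != peer_id:
            return "reject: RCoA in use"
        # Same MN re-registering (e.g. new LCoA after moving) just updates the binding.
        self.bindings[rcoa] = (peer_id, lcoa)
        return "accept"


def demo():
    """Run constructed registrations through both trust models."""
    auth_only = MapBindingPolicy("2001:db8:a::/64")
    authz = MapBindingPolicy("2001:db8:a::/64", authorised_ids={"mn1@home.example"})
    return [
        auth_only.register("mn1@home.example", "2001:db8:a::10", "2001:db8:b::1"),
        auth_only.register("mn2@home.example", "2001:db8:a::10", "2001:db8:c::2"),
        auth_only.register("mn1@home.example", "2001:db8:a::10", "2001:db8:c::9"),
        authz.register("mn3@other.example", "2001:db8:a::30", "2001:db8:b::3"),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the ownership test keys on the IKE-authenticated identity rather than on the LCoA, the same MN can update its binding after a move while a different MN cannot claim an RCoA that is already in use.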