Minutes of the Mobile IP Working Group Meeting at IETF45, Oslo, Norway

Logistics: Total attendance for the two sessions was 227.

Reported by: Phil Roberts and Gabriel Montenegro

Session 1: Thursday, July 15th, 1-3 PM

Vipul Gupta presented his draft on an inline security parameter extension (draft-gupta-mobileip-inline-secparams-00.txt). It is designed to carry parameters that are usually configured out of band, and to allow a transition to public key while still allowing private key. The motivation is to simplify public-key authentication with Mobile IP by allowing inline exchange of public-key certificates.

Charlie Perkins raised the issue that, before the RFC 2002 last call, a previous related approach was rejected because of claims that it might be insecure, based on identifying the security algorithm by a key-id field. Charlie's point of view is that identifying the algorithm does not make the approach less secure to any significant degree, and so Mobile IP might use the same approach as IPsec and secure DHCP with no adverse effects. Vipul pointed out that even in IPsec the algorithm is easy to discover. The same kind of approach is also being used in secure DHCP. Basavaraj Patil asked whether this didn't add a lot of overhead, which is a concern in wireless networks. Vipul responded that it did, but only once at the start of an exchange. The group agreed to discuss how to proceed with this draft on the mailing list.

Martin Johnsson presented his draft on Simple Mobile IP (draft-ietf-mobileip-simpleip-01.txt). The basic idea is to use a fixed name but allow a variable IP address, and to provide this as an alternative to Mobile IP for certain applications with limited mobility and restricted organizational scope. Dave Johnson wanted to know why this was simpler than Mobile IP and what was wrong with Mobile IP that would make one want to use this approach instead. Martin asserted that there are fewer options, that it is better at symmetric routing, and that it is easier to comprehend and manage. Dave still wanted to know why this was the case.
Others also wanted to know why this instead of Mobile IP, and what was wrong with Mobile IP. Martin responded that this is really for a mobile terminal (laptop, notebook). Someone asserted that this approach doesn't provide application-level mobility (editor: presumably due to the changing IP address during a "session"). Martin's response to this was: the IP address allocated to what is referred to as the Mobile LAN (MLAN) (the IP layer below TCP/UDP) in SMIP NEVER changes once a terminal/user has logged on to the network. Application mobility is in this sense the same as for Mobile IP. Charlie Perkins asked whether the author had compared this to option 68 in DHCP. Gopal Dommety asked how authentication was to be handled; the author envisions this being used in only one organizational scope. Milo Orsic raised questions about the utility of this approach where the mobile entity is a host. Someone asked how DHCP can provide two addresses as called for in the proposal. Martin responded that DHCP will need to be enhanced to support this.

Karim El Malki presented his proposal for fast handoffs (draft-elmalki-mobileip-fast-handoffs-00.txt). The idea is to add an extra fast handoff method to Mobile IP to support inelastic services: anticipate movement and create an auxiliary flow to prepare for the handoff. It uses simultaneous bindings in CDMA where appropriate, and hierarchical agents (Mobile IP regionalized tunnel management). The conclusion is to use this as a migration path to 3G, because CDMA technology supports simultaneous bindings and hierarchical networks are scalable. Cellular QoS is to be based on IntServ and DiffServ. Charlie Perkins asked whether one might multicast registration messages based on link-layer detection of mobility, and the answer was yes.
Charlie next asked whether it might be better to increase the frequency of advertisement messages when link-layer information is not available; the answer was, in general, no for wireless systems IF it would chew up bandwidth. There are examples where an increased frequency of advertisements would NOT consume too much bandwidth. When a question was raised about how an application handles receiving multiple copies of the same packet due to the multicast, it was pointed out that TCP will sort that out for TCP-based applications.

Erik Nordmark made a short presentation on IPv6 site prefixes (draft-ietf-ipngwg-site-prefixes-03.txt). The goals are to make site renumbering easier by reducing the impact on communication within the site, to avoid breaking long-running TCP connections internal to the site, to tolerate broken applications which store IP addresses, and to give administrative control over which nodes use site-local addresses. The recommendation is not to give mobile nodes site-local addresses; otherwise the mechanisms in this draft are needed.

Ram Ramjee presented his draft on HAWAII (draft-ietf-mobileip-hawaii-00.txt). HAWAII is transparent to MNs that use Mobile IP with extensions, and the Mobile IP security model applies to HAWAII. The goal is for mobility to be handled locally. The design goals are: process updates locally (scalability), i.e. regionalized tunnel management; forward packets if necessary (limit disruption); avoid tunneling where possible (efficiency); QoS; and leverage the fault detection mechanisms in routing protocols for reliability. Gopal Dommety pointed out that this does not rely on traditional routing procedures for failure detection and recovery, and Ram commented that this is part of what HAWAII is supposed to do. It was pointed out that there is a patent involved here, but the draft is RFC 2026 compliant.
Emad Quadoura presented security enhancements for route optimization (draft-mkhalil-mobileip-optim-sec-00.txt). This solves a particular problem: a new foreign agent can begin to receive an MN's data before being authenticated. The solution is not to send data to the new FA before authentication is complete. Charlie Perkins commented that the binding update should be secure (see secure keys) and that it was done so that you can start to receive your own data faster; one doesn't have to couple the start-buffer request with the handoff. Dave Johnson stated that the registration reply indicates that the MN is who it claims to be; it doesn't prove anything to the FA. A binding update does not prove who the MN is, just that it's the same MN that was there before. Emad answered that this extension does allow the FA to be authenticated. Dave responded that that's not required.

Session 2: Friday, July 16th, 9-11:30 AM

Charlie Perkins presented the AAA requirements material for Mobile IP (draft-ietf-aaa-mobile-ip-req-00.txt). This is a summary of the Mobile IP requirements for AAA, done for the AAA working group. The AAA working group is looking at results 2-3 years out. Milo Orsic asked how an operator or network provider could terminate an existing authorization. Charlie responded that if this is needed it belongs as a AAA requirement, but that there is no procedure for doing this with Mobile IP now; a separate work item would be needed to enable this functionality. Dave Johnson observed that such a capability would enable a denial-of-service attack. Tom Hiller suggested that DIAMETER be standardized in this group, since US cellular can't wait 2-3 years for a AAA protocol. Charlie suggested that it would be better to state requirements from a Mobile IP perspective rather than endorse a particular protocol. Stuart Jacobs suggested that secret-key based systems need a lot more review. Pat Calhoun pointed out that roamops has taken up DIAMETER as a work item, pending AD approval.
Milo Orsic repeated that the network needs to be able to terminate a session. Erik Nordmark suggested that the appropriate approach to handling an interface to a AAA system is to publish requirements for Mobile IP and to add extensions to Mobile IP to allow interoperability with whatever AAA system becomes standard. The working group was asked for its opinion on this issue. The working group agreed to requirements and extensions to enable interaction with AAA, rather than agreeing to a particular AAA protocol.

Fergal Ladley presented his proposal for using DIAMETER with Mobile IP, mainly for Mobile IPv6 (draft-ladley-diameter-pr-00.txt).

Pete McCann presented his proposal to use DIAMETER and Mobile IP together for security policy and key distribution (draft-mccann-transform-00.txt). Vipul Gupta raised some questions about the overhead associated with an IKE-based distribution system; he asserted that the number of messages going over a high-bandwidth network would probably not be a problem. Pete responded that even a 6-message exchange would produce high latency, and that latency was more the issue than bandwidth usage. Vipul asserted that with fewer than 3 messages you can't have replay protection. Pete suggested it could be done with AAA. Charlie Perkins pointed out that Mobile IP has replay protection using nonces and that it doesn't require 3 messages. Dave Johnson reminded the group that IBM has a patent claim on nonce technology. Vipul and Pete began a discussion of using IKE for identifying individuals. Pete pointed out that it is a requirement to identify individual mobiles, not on a per-FA-destination basis, and agreed that he and Vipul could talk more about it offline.

Basavaraj Patil presented his draft on the use of IPsec with Mobile IP (draft-bpatil-mobileip-sec-guide-00.txt). Charlie Perkins raised the issue that the MCMGF participates in each message exchange, and Raj responded that it is routed through.
Charlie followed up by asking who authenticates the message, noting that the MN and home agent need a security association. Raj responded that there is an authentication center that is not depicted. Pat Calhoun asked who establishes the trust relationship between the MN and FA. Raj responded that the MN obtains a session key in the registration response message, and the MN and FA then use IKE to establish an IPsec SA.

Charlie yielded the slot allocated to private addresses for a discussion of the problem with tunnel identifiers and GRE. GRE is an informational RFC, but there is growing interest in a number of areas in using it, and it could use some cleanup. Erik suggested that GRE could be moved rather strictly to the standards track by the IESG.

The conversation on the use of Mobile IP with private addresses came to the following summary:
1) a colocated care-of address allows the use of private addresses with Mobile IP now;
2) with an approach that does not rely on a colocated care-of address (the FA provides the care-of address), mandatory reverse tunnelling may be used, but there is then no way to access local services;
3) how to provide private addresses AND local services in an approach that does not use a colocated care-of address must still be worked out.
Dave Johnson observed that three speakers have stated that the last option is not possible. We will discuss this on the mailing list to determine how we should continue to pursue the use of private addresses with Mobile IP.

Ken Peirce presented his draft on the interaction between Mobile IP, DIAMETER, and RADIUS (draft-ietf-mobileip-radius-challenge-00.txt). The draft deals with interactions between existing "AAA" systems, including RADIUS and DIAMETER, and transitions from one system to the next. Pat Calhoun asked who generates the key info. Assuming that there is a DIAMETER server in the HA network, there is a DIAMETER server in a broker network which generates the keys.
Charlie Perkins pointed out that an SPI may not have to be allocated from the reserved set, but that an extension could be added for this.

Bob Heile presented an overview of IEEE 802.15 activities. Bob is attempting to create liaisons with the Mobile IP and MANET working groups in the IETF. Further information is available on the web as follows:
WPAN Archives: http://grouper.ieee.org/groups/802/15
WPAN Mailing List: stds-802-wpan@majordomo.ieee.org
IEEE 802.11: http://grouper.ieee.org/groups/802/11
Bluetooth Special Interest Group: http://www.bluetooth.com
Home RF Working Group: http://www.homerf.org/

Ludovic Bellier made a presentation on hierarchical mobility management (draft-castelluccia-uhmm-framework-00.txt). Dave Johnson commented that this is in contrast with the design goals of Mobile IPv6.

Ram Ramjee made a very brief presentation on paging in HAWAII, as we were running out of time (draft-ietf-mobileip-paging-hawaii-00.txt).

We then began a discussion of the document cleanup on the web page. Since there wasn't time to do it justice, we decided to continue the cleanup on the mailing list. Raj has already mailed out the draft naming policy. The goal of the cleanup will be to eliminate expired drafts, rename drafts in accordance with the draft naming policy, get a current update on the status of existing drafts, and move those drafts to last call which are ready for it. Dave Johnson raised the issue that the draft "Mobile IP version 2" is misnamed, as it is the same Mobile IP, just a cleaned-up document, not a completely new version of Mobile IP.