Security issues related to HMIPv6 - PowerPoint PPT Presentation

Slides: 10
Provided by: GeorgeT59
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Security issues related to HMIPv6
  • H.Soliman_at_flarion.com

2
Current Security scheme
  • Current scheme relies on IPsec
  • Static or dynamic keying possible. Dynamic is
    more realistic
  • MN picks an RCoA and binds it with the LCoA.
  • MAP makes sure that no other MN is using the RCoA
    (check list of used addresses during IKE policy
    check).
  • MN need not pick a specific RCoA (NOT like the
    HoA).
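
The MAP-side check on this slide, modelled as an added example (not part of the original slides or of any HMIPv6 implementation). The class and method names and the addresses are hypothetical; `ike_id` stands for the identity authenticated by IKE, and the prefix test assumes, per the HMIPv6 specification rather than this slide, that the RCoA is formed on the MAP's subnet.

```python
import ipaddress
import time

class MapBindingCache:
    """Hypothetical MAP-side table: RCoA -> owner identity, LCoA, expiry."""

    def __init__(self, map_prefix, authorised_ids=None):
        self.prefix = ipaddress.ip_network(map_prefix)
        # None = "authentication only" model: any authenticated MN may bind.
        # A set = "authentication and authorisation" model.
        self.authorised_ids = authorised_ids
        self.bindings = {}

    def _expire(self, now):
        # Release RCoAs whose binding lifetime has run out.
        for rcoa in [r for r, b in self.bindings.items() if b["expires"] <= now]:
            del self.bindings[rcoa]

    def lookup(self, rcoa):
        b = self.bindings.get(ipaddress.ip_address(rcoa))
        return (b["owner"], str(b["lcoa"])) if b else None

    def bind(self, ike_id, rcoa, lcoa, lifetime, now=None):
        """Decide on a binding request arriving on the SA authenticated as
        ike_id. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        self._expire(now)
        rcoa, lcoa = ipaddress.ip_address(rcoa), ipaddress.ip_address(lcoa)
        if self.authorised_ids is not None and ike_id not in self.authorised_ids:
            return False, "identity not authorised for this MAP"
        if rcoa not in self.prefix:
            return False, "RCoA outside MAP prefix"
        holder = self.bindings.get(rcoa)
        if holder and holder["owner"] != ike_id:
            # The check from the slide: another MN already uses this RCoA.
            return False, "RCoA in use by another MN"
        # Same MN (or a free RCoA): record or refresh the RCoA -> LCoA binding.
        self.bindings[rcoa] = {"owner": ike_id, "lcoa": lcoa, "expires": now + lifetime}
        return True, "binding accepted"

if __name__ == "__main__":
    cache = MapBindingCache("2001:db8:a::/64")  # constructed documentation prefix
    print(cache.bind("mn1@example.net", "2001:db8:a::10", "2001:db8:1::5", 60, now=0))
    print(cache.bind("mn2@example.net", "2001:db8:a::10", "2001:db8:2::7", 60, now=10))
```

Keying ownership on the IKE-authenticated identity rather than on the LCoA is what lets the same MN move to a new LCoA while a different MN is refused the RCoA.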

3
Issues raised
  • Technically there is no problem with current
    solution.
  • Use of Certificates on the host is difficult.
    Reasons not clear, some guesses below:
  • Configuration and renewal of Certs on host does
    not use standard mechanisms (?)
  • Some operators might want to reuse existing
    security credentials (e.g. AAA credentials).

4
Different trust models for deployment
  • Authentication only model
  • Authentication and Authorisation model
  • Both models addressed in the current draft.

5
Different HMIPv6 deployment scenarios
Authentication only
[Diagram labels: MAP, IKE/IPsec]
Only mutual authentication required. All MNs are
authorised to use the MAP and get an RCoA.

6
Different HMIPv6 deployment scenarios
Authentication and authorisation (A)
[Diagram labels: Home, CA-MN, MAP, Local, IKE/IPsec]
MAP needs to authorise the MN for the service.
In the current scheme, authorisation is done based
on the MN Cert.

7
Different HMIPv6 deployment scenarios
Authentication and authorisation (B)
[Diagram labels: Home, AAAH, EAP-RADIUS/Diameter, AAAL, MAP, IKEv2 (EAP)/IPsec]
MAP needs to authorise the MN for the service. MN
AAA credentials are used over EAP with AAAL or
AAAH. IKEv2 is used to set up the IPsec SA after EAP is
done.

8
Summary of solution set
  • Authentication only
      • IKE/IPsec
      • Possible new solution -> CGAs
  • Authentication and Authorisation
      • IKE/IPsec if CAs are applicable. Allows for
        roaming based on trust between different CAs.
      • IKEv2(EAP)/IPsec if there is a need to reuse AAA
        credentials.

9
Way forward
  • Keep the current mechanism in HMIPv6 as default.
  • Propose new mechanism for nomad scenario
    (Authentication only).
  • Work started on CGAs for HMIPv6
  • Move current HMIPv6 to PS after a little cleanup.
  • Another possible area of improvement for new
    specs:
      • Improving inter-MAP domain handovers.