From mobike-bounces@machshav.com Wed Aug 09 20:45:57 2006
Date: Wed, 9 Aug 2006 17:45:45 -0700
Message-Id: <200608100045.k7A0jj4d007017@nit.isi.edu>
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Cc: mobike@machshav.com, rfc-editor@rfc-editor.org
Subject: [Mobike] RFC 4621 on Design of the IKEv2 Mobility and Multihoming
	(MOBIKE) Protocol
X-BeenThere: mobike@machshav.com
X-Mailman-Version: 2.1.8
Precedence: list
List-Id: Mobile/Multihoming IKEv2 IETF list <mobike.machshav.com>
List-Unsubscribe: <https://www.machshav.com/mailman/listinfo.cgi/mobike>,
	<mailto:mobike-request@machshav.com?subject=unsubscribe>
List-Archive: <http://www.machshav.com/pipermail/mobike>
List-Post: <mailto:mobike@machshav.com>
List-Help: <mailto:mobike-request@machshav.com?subject=help>
List-Subscribe: <https://www.machshav.com/mailman/listinfo.cgi/mobike>,
	<mailto:mobike-request@machshav.com?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: mobike-bounces@machshav.com
Errors-To: mobike-bounces@machshav.com


A new Request for Comments is now available in online RFC libraries.

        
        RFC 4621

        Title:      Design of the IKEv2 Mobility 
                    and Multihoming (MOBIKE) Protocol 
        Author:     T. Kivinen, H. Tschofenig
        Status:     Informational
        Date:       August 2006
        Mailbox:    kivinen@safenet-inc.com, 
                    Hannes.Tschofenig@siemens.com
        Pages:      30
        Characters: 73070
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-mobike-design-08.txt

        URL:        http://www.rfc-editor.org/rfc/rfc4621.txt

The IKEv2 Mobility and Multihoming (MOBIKE) protocol is an extension
of the Internet Key Exchange Protocol version 2 (IKEv2).  These
extensions should enable an efficient management of IKE and IPsec
Security Associations when a host possesses multiple IP addresses
and/or where IP addresses of an IPsec host change over time (for
example, due to mobility).

This document discusses the involved network entities and the
relationship between IKEv2 signaling and information provided by
other protocols.  Design decisions for the MOBIKE protocol,
background information, and discussions within the working group are
recorded.  This memo provides information for the Internet community.

This document is a product of the IKEv2 Mobility and Multihoming
Working Group of the IETF.

INFORMATIONAL: This memo provides information for the Internet community. 
It does not specify an Internet standard of any kind. Distribution
of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body 

help: ways_to_get_rfcs. For example:

        To: rfc-info@RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

Submissions for Requests for Comments should be sent to
RFC-EDITOR@RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.


Joyce K. Reynolds and Sandy Ginoza
USC/Information Sciences Institute

...


_______________________________________________
Mobike mailing list
Mobike@machshav.com
https://www.machshav.com/mailman/listinfo.cgi/mobike



From mobike-bounces@machshav.com Mon Aug 21 13:12:17 2006
Message-ID: <44E9E961.9020204@certicom.com>
Date: Mon, 21 Aug 2006 13:12:01 -0400
From: Eric Fung <efung@certicom.com>
User-Agent: Thunderbird 1.5.0.5 (X11/20060728)
MIME-Version: 1.0
To: mobike@machshav.com
Subject: [Mobike] Changes in NAT mapping

1) When the initiator detects a change in its NAT mapping (from a received
NAT_DETECTION_DESTINATION_IP payload), it does not actually know what the new
mapping is, and hence, following Sec. 3.5, does nothing to change its IKE_SA,
correct? It only sends UPDATE_SA_ADDRESSES to tell the peer to update its SAs' 
tunnel endpoints.


2) Can other INFORMATIONAL exchanges be used to detect changes in NAT mapping?
Sec 3.8 seems to imply only the IKE_SA_INIT exchange and exchanges containing
UPDATE_SA_ADDRESSES should be used.




From mobike-bounces@machshav.com Tue Aug 22 03:53:31 2006
Date: Tue, 22 Aug 2006 10:53:12 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F240304EEA7@esebe105.NOE.Nokia.com>
In-Reply-To: <44E9E961.9020204@certicom.com>
From: <Pasi.Eronen@nokia.com>
To: <efung@certicom.com>, <mobike@machshav.com>
Subject: Re: [Mobike] Changes in NAT mapping

Eric Fung wrote:

> 1) When the initiator detects a change in its NAT mapping (from a
> received NAT_DETECTION_DESTINATION_IP payload), it does not 
> actually know what the new mapping is, and hence, following 
> Sec. 3.5, does nothing to change its IKE_SA, correct? It only 
> sends UPDATE_SA_ADDRESSES to tell the peer to update its SAs' 
> tunnel endpoints.

Correct; since the IKE_SA doesn't contain the old mapping (initiator
does not know it), there's nothing to update there when the mapping
changes.

> 2) Can other INFORMATIONAL exchanges be used to detect changes in
> NAT mapping?  Sec 3.8 seems to imply only the IKE_SA_INIT exchange
> and exchanges containing UPDATE_SA_ADDRESSES should be used.

Section 3.8 says that "the NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP notifications MAY be included in 
any INFORMATIONAL request", so the request does not have to
contain UPDATE_SA_ADDRESSES.

Best regards,
Pasi
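The detection logic Eric asks about and Pasi confirms, as an added example that is not part of the thread or of any MOBIKE implementation: the responder's NAT_DETECTION_DESTINATION_IP is a hash over the address it replies to (the NAT's public mapping), so the initiator can tell that the mapping changed without ever learning the new mapped address, leaves its IKE_SA alone and only sends UPDATE_SA_ADDRESSES. It assumes the SHA-1 construction of RFC 4306 section 2.23 for the notify data; the SPIs, addresses and NAT mappings are constructed.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notify data as defined in RFC 4306 section 2.23:
    SHA-1 over SPIi | SPIr (IKE header order) | IP address | UDP port."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


class InitiatorNatView:
    """What an initiator can learn from the NAT_DETECTION_DESTINATION_IP the
    responder sends back: the responder hashes the address it replies *to*,
    i.e. the NAT's public mapping, which the initiator itself never sees."""

    def __init__(self, spi_i: bytes, spi_r: bytes, local_ip: str, local_port: int):
        self.local_hash = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
        self.ike_sa_addresses = (local_ip, local_port)  # RFC 4555 sec 3.5: left alone
        self.last_peer_hash = None

    def on_destination_ip_notify(self, peer_hash: bytes) -> dict:
        """Process a NAT_DETECTION_DESTINATION_IP carried in IKE_SA_INIT or in
        any INFORMATIONAL exchange (RFC 4555 sec 3.8); returns the decision."""
        behind_nat = peer_hash != self.local_hash
        mapping_changed = (self.last_peer_hash is not None
                           and peer_hash != self.last_peer_hash)
        self.last_peer_hash = peer_hash
        # The hash says the mapping moved, not where to: the IKE_SA keeps our
        # own addresses and we only ask the peer to update its SAs.
        return {
            "behind_nat": behind_nat,
            "mapping_changed": mapping_changed,
            "send_update_sa_addresses": mapping_changed,
            "ike_sa_addresses": self.ike_sa_addresses,
        }


def simulate_mapping_change() -> list:
    """Constructed scenario: initiator 10.0.0.5:4500 behind a NAT; the NAT
    rebinds between the second and third INFORMATIONAL exchange."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed SPIs
    spi_r = bytes.fromhex("1112131415161718")
    initiator = InitiatorNatView(spi_i, spi_r, "10.0.0.5", 4500)
    # (mapped_ip, mapped_port) is the source the responder observes and hence
    # the destination it hashes into its NAT_DETECTION_DESTINATION_IP.
    mappings = [("203.0.113.7", 40001), ("203.0.113.7", 40001),
                ("203.0.113.7", 40002)]
    return [initiator.on_destination_ip_notify(nat_detection_hash(spi_i, spi_r, ip, port))
            for ip, port in mappings]


def simulate_no_nat() -> dict:
    """Control case: the responder hashes the initiator's real address, so the
    hashes match and no NAT is reported."""
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8  # constructed SPIs
    initiator = InitiatorNatView(spi_i, spi_r, "192.0.2.10", 4500)
    return initiator.on_destination_ip_notify(
        nat_detection_hash(spi_i, spi_r, "192.0.2.10", 4500))
```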



From mobike-bounces@machshav.com Tue Aug 29 15:24:13 2006
Message-ID: <44F4944A.7060806@certicom.com>
Date: Tue, 29 Aug 2006 15:23:54 -0400
From: Eric Fung <efung@certicom.com>
User-Agent: Thunderbird 1.5.0.5 (X11/20060728)
MIME-Version: 1.0
To: mobike@machshav.com
Subject: [Mobike] Changing to port 4500

RFC 4555, Sec. 3.3 says that if both peers support MOBIKE and NAT-T, then they 
must change to port 4500 even if NAT was not detected between them.

But in the design document, RFC 4621, Sec 5.2.3 says that the port change 
should be done immediately after IKE_SA_INIT and before IKE_AUTH. However, 
support for MOBIKE is declared during the IKE_AUTH exchange.

I suppose it's not a big deal, since peers will be listening on port 4500 
anyway. But when should the initiator and responder change ports in the 
scenario where there is no NAT between them?



From mobike-bounces@machshav.com Wed Aug 30 03:27:51 2006
Message-ID: <17653.15822.752778.803299@fireball.kivinen.iki.fi>
Date: Wed, 30 Aug 2006 10:27:10 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Eric Fung <efung@certicom.com>
In-Reply-To: <44F4944A.7060806@certicom.com>
References: <44F4944A.7060806@certicom.com>
Cc: mobike@machshav.com
Subject: [Mobike]  Changing to port 4500

Eric Fung writes:
> RFC 4555, Sec. 3.3 says that if both peers support MOBIKE and NAT-T,
> then they must change to port 4500 even if NAT was not detected
> between them.

Yes. 

> But in the design document, RFC 4621, Sec 5.2.3 says that the port change 
> should be done immediately after IKE_SA_INIT and before IKE_AUTH. However, 
> support for MOBIKE is declared during the IKE_AUTH exchange.

RFC 4555 does the same. If you check the example in section 2.2, you see
that the initiator changes to port 4500 immediately after IKE_SA_INIT.
It knows at that point that the other end supports NAT-T (the other
end sent NAT_DETECTION_*_IP notifications) and it knows it supports
MOBIKE, so it does the change at that point, even when it is not sure
whether the other end supports MOBIKE.

> I suppose it's not a big deal, since peers will be listening on port 4500 
> anyway. But when should the initiator and responder change ports in the 
> scenario where there is no NAT between them?

RFC 4621 and RFC 4555 agree on that, i.e. IKE_AUTH is already done on
port 4500. 

RFC 4621 is more clear as it says we change to port 4500 immediately
upon detecting that the other end supports NAT-T (this implicitly also
says that we support NAT-T and MOBIKE).

RFC 4555 has somewhat underspecified text saying we change if both
ends support both, but actually we do not need to know whether the
remote end supports MOBIKE; knowing that it supports NAT-T is
enough. Anyway, the examples make it very clear that we change to port
4500 for the IKE_AUTH.
-- 
kivinen@safenet-inc.com
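The timing Eric asks about and Tero describes, as an added example that is not part of the thread or of any IKEv2 implementation: the initiator fixes the port for IKE_AUTH right after the IKE_SA_INIT response, from the responder's NAT_DETECTION notifies and its own MOBIKE support alone, before MOBIKE_SUPPORTED can have been exchanged. The dataclasses, the scenario set and the transcript shape are constructed for illustration.

```python
from dataclasses import dataclass, field

IKE_PORT = 500
NAT_T_PORT = 4500


@dataclass
class IkeSaInitResponse:
    """Constructed model of the IKE_SA_INIT response facts that drive the
    port decision; not a payload parser."""
    has_nat_detection_notifies: bool  # responder sent NAT_DETECTION_*_IP
    nat_detected: bool                # the NAT_DETECTION hashes did not match


@dataclass
class Initiator:
    supports_nat_t: bool
    supports_mobike: bool
    transcript: list = field(default_factory=list)  # (exchange, port, note)

    def run(self, resp: IkeSaInitResponse) -> list:
        """IKE_SA_INIT always goes over 500; the port for IKE_AUTH is chosen
        right after the IKE_SA_INIT response, before MOBIKE_SUPPORTED can
        have been seen, and later exchanges stay on the port IKE_AUTH used."""
        self.transcript.append(("IKE_SA_INIT", IKE_PORT, "NAT_DETECTION_*_IP sent"))
        port = self._port_for_ike_auth(resp)
        self.transcript.append(("IKE_AUTH", port, "MOBIKE_SUPPORTED declared here"))
        self.transcript.append(("INFORMATIONAL", port, "same port as IKE_AUTH"))
        return self.transcript

    def _port_for_ike_auth(self, resp: IkeSaInitResponse) -> int:
        peer_supports_nat_t = resp.has_nat_detection_notifies
        if not (self.supports_nat_t and peer_supports_nat_t):
            return IKE_PORT                  # no NAT-T on one side: nothing to do
        if resp.nat_detected:
            return NAT_T_PORT                # ordinary IKEv2 NAT traversal
        if self.supports_mobike:
            # RFC 4621 sec 5.2.3 / RFC 4555 sec 2.2 as read in the thread: the
            # peer supports NAT-T (it sent the notifies) and we support MOBIKE,
            # so switch now even though the peer's MOBIKE support is unknown.
            return NAT_T_PORT
        return IKE_PORT                      # no NAT, no MOBIKE: stay on 500


def ike_auth_ports() -> dict:
    """Port IKE_AUTH ends up on in four constructed scenarios."""
    peer_nat_t_no_nat = IkeSaInitResponse(True, False)
    peer_nat_t_with_nat = IkeSaInitResponse(True, True)
    peer_no_nat_t = IkeSaInitResponse(False, False)
    cases = {
        "mobike, peer NAT-T, no NAT": (Initiator(True, True), peer_nat_t_no_nat),
        "no mobike, peer NAT-T, no NAT": (Initiator(True, False), peer_nat_t_no_nat),
        "no mobike, peer NAT-T, NAT": (Initiator(True, False), peer_nat_t_with_nat),
        "mobike, peer without NAT-T": (Initiator(True, True), peer_no_nat_t),
    }
    return {name: init.run(resp)[1][1] for name, (init, resp) in cases.items()}
```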



