Editor's Note: These minutes have not been edited.

38th IETF Meeting Minutes (Memphis)
Reported by Frank Ciotti (edited by Jim Solomon)

I) Mobile IPv4 -- 4/7/97 0930

1. Dave Johnson reminded everyone about MobiCom '97, Sept 26-30, Budapest, Hungary.

2. Jim Solomon -- PPP IPCP Mobile IP Option draft

   Main benefits:
   1. Allows FAs to be deployed which have no means for assigning unique addresses to MNs.
   2. Less wasteful of IP address space: no unique IP address is assigned to a MN unless one is required.

   Issues:
   - The co-located COA assignment mechanism might be redundant with the IP-Address option semantics. Jim and Steve to investigate whether the IP-Address option can be used instead.

   Jim to present to the PPPEXT working group and to move the draft forward.

3. Jim Solomon on behalf of Gabriel Montenegro -- Reverse Tunneling draft

   Issues:
   - The MN *MUST* use the FA as its ONLY router, not simply as its default router.
   - Major security hole with reverse tunneling: a Bad Guy can conspire to get an FA to reverse tunnel the packets generated by a Good Guy to a bogus location [possibly causing a routing loop -- ed.]. Gabriel to address the security concerns before this document moves forward.
   - Things to clarify in the draft:
     + Why use 16 bits for a 1-bit field in the Delivery Style Extension? Why not just use a "boolean" extension?
     + Should the Registration Reply contain a list of the types of encapsulation supported (IPIP vs. MIN vs. GRE)?
     + If the MN is a router and is forwarding packets, the MN should encapsulate the datagrams itself before sending them to the FA.
     + The draft states that the HA should only accept reverse tunneled packets from the MN's COA. This is incompatible with generic IP in IP encapsulation (e.g., tunnels unrelated to mobility) and provides no security, since the COA can be spoofed anyway.

   The chairs expressed concern that, despite numerous requests, these issues had not been brought up on the mailing list before the meeting.

4.
Vipul Gupta -- Firewall Traversal draft

   Goals: Enable use of Mobile IP in the presence of multiple IPSEC firewalls and private addresses.

   Issues:
   - The MTU can go to zero if there are large numbers of firewalls, but usually there will only be one or two.
   - In future, all ESP transforms will have authentication too.
   - We should keep the requirement that the FW is not necessarily the HA and vice versa.
   - IPv6 provides site-local addresses, which perpetuates the "private address" problem. We should not drop "private addresses" as a requirement.
   - MIP is really the first "consumer" of IPSEC services, and IPSEC doesn't really address policy concerns, which is why all of these issues are coming up.
   - The AFT working group is wrestling with internal nodes getting out through the firewall -- not external (authorized) nodes getting inside the firewall.

   Open Issues:
   - How does the MN discover all firewalls?
   - How does the MN detect that it is "inside" versus "outside" the firewalls?

   CONCLUSION: We need to continue this exercise to see what develops in terms of requirements, particularly with regard to policy, for MNs, HAs, and firewalls. Whether the MOBILEIP working group goes beyond this, by specifying packet formats and message sequences, is unclear. This latter activity might be performed by the IPSEC group. The chairs have requested help from the Security Area to assist in the firewall-traversal effort.

5. Steve Glass -- FTP Software Interoperability Testathon Results

   - 18 attendees
   - 10 implementations (6 corporations, 4 universities)
   - 4 days of testing (lost 1 day due to a winter storm)
   - 14 HAs, 13 FAs, 10 MNs
   - co-located COAs obtained by manual configuration
   - 'R' bit tested with co-located MNs
   - reverse tunneling demonstrated
   - Jim Solomon and Frank Kastenholz put together a list of issues and will post them to the mailing list.
   - Steve Glass will post more detailed results to the mailing list.
   To get to Draft Standard we need:
   - Significant campus-type deployment experience (at least "a few" campuses with "many" people actually using MIP).
   - Traversal over a public network is required.

II) Mobile IPv6 -- 4/8/97 1300

Dave Johnson -- Mobility Support in IPv6

Issues:

1. Dynamic HA address discovery
   - There are no directed broadcasts in IPv6.
   - The IPng wg does not like the multicast-in-anycast tunnel discussed in San Jose because of the denial-of-service attack.
   - The IPng wg prefers a change which requires *all* IPv6 routers to recognize a "HA Discovery Anycast Packet" and emit it as an all-nodes multicast on the home link.
   - Authentication isn't an issue because all HAs *reject* this anyway, which, by definition, means they don't modify their behavior as a result.
   - Is this an ICMP? Destination Option? UDP? Other?
     + Use of ICMP for the HA Discovery packet would make it easy for routers to process, since they must already implement support for ICMP.

2. How will a MN find an HA on its home network if its home network is renumbered while it is away?

   The general consensus here was that this is an administrative issue, since the Home Address configured in the MN itself will also need to be modified at the time the Home Network is renumbered.

3. Replay protection for Binding Updates
   - We cannot use the replay protection provided by IPSEC because Binding Updates *must* be applied *only* in order.
   - Choices:
     a. Do our own replay protection.
     b. Convince the IPSEC wg to modify their replay protection to allow us to select an in-order option.
     c. Use IPSEC replay protection *and* our own sequence number.
   - The best choice seems to be #3 (choice c):
     + Lets IPSEC worry about re-keying before wraparound.
     + Lets us worry only about sequencing.
     + Similar to TCP sequence numbers when using IPSEC replay protection.
   - Most people agreed with this choice.

4.
Multiple Routers on the Foreign Network

   Issues:
   - The MN can really only do neighbor unreachability detection with its default router.

   Solutions:
   - Route the packet to a specific router:
     + Use a routing header to first go to the correct router, then to the COA.
     + Somewhat reintroduces the concept of FAs.
   - Fix the problem outside of Mobile IP:
     + This is a wireless problem, not a Mobile IP problem.
     + Most likely a problem together with Mobile IP, though.

   Consensus: This is a wireless problem that needs to be fixed, but not in the Mobile IP working group. Also, if this is an issue, don't architect the system such that transceivers on the *same* subnet have coverage overlap (i.e., make them separate links).

5. Movement Detection Timing

   Proposal: Add a field (e.g., a Nominal Advertisement Interval field) that lets the MN know *exactly* how often the router is advertising, such that the MN can know *exactly* when it has missed one.

   There were some concerns, but the overall feeling was to submit the proposal to the IPng working group.

6. Other issues

   a. PROBLEM: If router B does not support sending a Binding Update to router A after the MN moves from A to B, packets may be dropped.
      SOLUTION: The spec should be changed to say the lifetime of the Binding Update MUST (not SHOULD) be <= the registration lifetime.

   b. PROBLEM: Ingress filtering might prevent the MN from sending a packet with source address = home address.
      PROPOSAL: Both the MN and the CH use the care-of address instead of the MN's home address. The MN also sends a routing header to the CH to indicate the route back to the MN's home address. If the CH ever loses the routing information (power loss), the CH will send the packet to the care-of address, not the home address. The MN can detect that it received the packet via its care-of address, not its home address, and send a routing header to the CH.

   Continue discussion on the mailing list.
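As an added illustration (not from the minutes or from any Mobile IP implementation) of choice (c) under IPv6 item 3 above, the following Python models an RFC 2401-style IPsec anti-replay window stacked with a per-binding sequence number, and shows why the window alone would let a reordered, stale Binding Update overwrite a newer binding. The 16-bit Binding Update sequence space and 64-packet window are assumptions.

```python
# Added example, not from the minutes: models choice (c) of IPv6 item 3.
# An RFC 2401-style anti-replay window accepts any unseen packet inside the
# window, even out of order, so a stale Binding Update can still reach the
# cache; a per-binding sequence number compared TCP-style enforces in-order
# application on top of it.  Window size and sequence width are assumptions.
WINDOW = 64          # anti-replay window size in packets (assumed)
SEQ_MOD = 1 << 16    # assumed Binding Update sequence number space
MASK = (1 << WINDOW) - 1

class AntiReplayWindow:
    def __init__(self):
        self.top = 0       # highest IPsec sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def accept(self, seq):
        """True if seq is unseen and inside the window; updates state."""
        if seq > self.top:                 # right of window: slide it forward
            self.bitmap = ((self.bitmap << (seq - self.top)) & MASK) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False                   # too old, or an exact replay
        self.bitmap |= 1 << diff
        return True

def seq_newer(a, b):
    """True if a follows b modulo SEQ_MOD (same rule as TCP sequence numbers)."""
    return 0 < (a - b) % SEQ_MOD < SEQ_MOD // 2

class BindingCache:
    def __init__(self):
        self.window = AntiReplayWindow()
        self.bindings = {}   # home address -> (bu_seq, care-of address)

    def process(self, ipsec_seq, home, bu_seq, coa):
        """Apply one Binding Update; returns 'applied', 'replay' or 'stale'."""
        if not self.window.accept(ipsec_seq):
            return "replay"                # dropped by the IPsec layer
        current = self.bindings.get(home)
        if current and not seq_newer(bu_seq, current[0]):
            return "stale"                 # passed IPsec but out of order: ignore
        self.bindings[home] = (bu_seq, coa)
        return "applied"

def demo():
    # Constructed sequence: a replay, then two Binding Updates delivered reordered.
    cache = BindingCache()
    events = [(1, 10, "coa-A"), (2, 11, "coa-B"), (2, 11, "coa-B"),
              (4, 13, "coa-D"), (3, 12, "coa-C")]
    results = [cache.process(s, "mn-home", bu, coa) for s, bu, coa in events]
    return results, cache.bindings["mn-home"][1]
```

Packet 3 (BU seq 12) arrives after packet 4 (BU seq 13); the IPsec window accepts it as unseen, and only the binding-level sequence check keeps the older care-of address from replacing the newer one.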