HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Chapter 7 HP-UX IPSec and HP-UX Mobile IPv6

Introduction

Mobile IPv6 provides transparent routing of IP data-packets to a mobile IP device or node, such as a portable computer, regardless of the mobile node’s point of attachment to the network.

HP provides Mobile IPv6 functionality with the HP-UX Mobile IPv6 product. For more information about HP-UX Mobile IPv6, refer to the HP-UX Mobile IPv6 product documentation available at the following URL:

http://www.docs.hp.com/hpux/netcom/index.html#HP-UX%20Mobile%20IPv6.

Mobile Node and Home Address

With Mobile IPv6, a client IP node, or Mobile Node (MN), can change network attachment points and use a single, fixed IPv6 address for extended periods of time, regardless of its current attachment point to the network. This address is known as the Mobile Node’s home address. The Mobile Node’s home address is assigned from its home network, the network that administers the Mobile Node. The Mobile Node’s home network is also typically the network to which the Mobile Node is attached when it is not mobile.

Care-of Address

When a Mobile Node is attached to a foreign network—a network other than its home network—it gets a temporary Care-of Address (COA) on the foreign network. The Care-of Address is an IPv6 unicast global address with the network prefix of the foreign network.

Correspondent Nodes

In Mobile IPv6 architecture, a node that communicates or corresponds with the Mobile Node is referred to as a Correspondent Node (CN).

Home Agent

The Mobile Node registers its Care-of Address with a router on the Mobile Node’s home network, known as the Home Agent (HA). The Home Agent maintains a record of the association, or binding, of the Mobile Node’s current Care-of Address and its home address. The Home Agent also forwards packets addressed to the Mobile Node’s home address to the Mobile Node’s Care-of Address as needed.

Home Agents and Basic Operation

In Mobile IPv6 Basic Operation, the Correspondent Node sends data-packets to the Mobile Node using the Mobile Node’s home address. A Home Agent (HA), a node or router on the Mobile Node’s home network, intercepts these data-packets and sends them through an IPSec tunnel to the Mobile Node’s current Care-of Address, as shown in Figure 7-1 “Mobile IPv6 Basic Operation: Correspondent Node to Mobile Node”.

Figure 7-1 Mobile IPv6 Basic Operation: Correspondent Node to Mobile Node

In Basic Operation, the Mobile Node sends data packets to the Correspondent Node through its Home Agent, as shown in Figure 7-2 “Mobile IPv6 Basic Operation: Mobile Node to Correspondent Node”.

Figure 7-2 Mobile IPv6 Basic Operation: Mobile Node to Correspondent Node

Route Optimization

In addition to Basic Operation, Mobile IPv6 can operate using Route Optimization. Route Optimization improves data transmission rates between the Correspondent Node and Mobile Node. With Route Optimization, the Mobile Node and Correspondent Node communicate directly with each other and bypass the Home Agent. Route Optimization is especially beneficial when the Mobile Node and Correspondent Node are in the same network.

The Mobile Node sends data packets directly to the Correspondent Node, as shown by the solid-line data path in Figure 7-3 “Mobile IPv6 Route Optimization”. The Correspondent Node sends data-packets directly to the Mobile Node’s Care-of Address, as shown by the dotted-line data path in Figure 7-3 “Mobile IPv6 Route Optimization”.

Figure 7-3 Mobile IPv6 Route Optimization

Securing Mobile IPv6 with HP-UX IPSec

You can configure HP-UX IPSec to secure Mobile IPv6 packets between a Home Agent and Mobile Node on systems that are HP-UX Mobile IPv6 Home Agents. There are four types of Mobile IPv6 packets to secure with IPSec:

  1. Binding Messages between the Home Agent and Mobile Node

    The Binding Messages are Binding Update and Binding Acknowledgement messages.

  2. Return Routability Messages routed through the Home Agent

    The Return Routability messages routed through the Home Agent are Home Test Init and Home Test messages.

  3. Prefix Discovery Messages

    The Prefix Discovery Messages are ICMPv6 Mobile Prefix Solicitation and ICMPv6 Mobile Prefix Advertisement messages.

  4. Payload packets routed through the Home Agent.

    In Mobile IPv6 Basic Operation, payload packets between the Mobile Node and Correspondent Node are routed through the Home Agent.

Binding Messages Between the Home Agent and Mobile Node

RFC 3776 specifies that you must use ESP to secure Binding Update and Binding Acknowledgement messages between the Home Agent and Mobile Node. (See Appendix A “Product Specifications”, “RFC 3776 Mandatory Support” for the RFC 3776 extract.)

When a Mobile Node attaches to a new network, the Mobile Node sends a Binding Update message to its Home Agent with its new Care-of Address. The Binding Update message must be protected to prevent intruders from sending Binding Update messages with false Care-of Addresses. The Home Agent sends a Binding Acknowledgement message to the Mobile Node to confirm it received the Binding Update.

The Mobile Node’s home address is not in the source or destination IP address fields in the binding messages; the source IP address in the Binding Update is the Mobile Node’s Care-of Address, and the destination IP address in the Binding Acknowledgement is the Mobile Node’s Care-of Address. However, Mobile IPv6 uses a special IPv6 header option and header—the Home Address destination option and IPv6 Type 2 Routing Header—therefore, the binding messages are processed as if the appropriate source and destination address fields contain the Mobile Node’s Home Address.
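How a receiver arrives at those effective addresses, shown as an added example (not HP-UX code): a small parser run over two constructed cleartext packets. The option type 201, routing type 2 and Mobility Header types 5 and 6 come from RFC 3775 rather than from this page, and the names `build` and `effective` are hypothetical.

```python
import ipaddress
import struct

DSTOPTS, ROUTING, MOBILITY, NO_NEXT = 60, 43, 135, 59  # IPv6 Next Header values
HOME_ADDR_OPT = 201                                    # Home Address option type

def ip6(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed

def build(src, dst, headers):
    """Chain (header_kind, body_after_next_header_byte) pairs behind an IPv6 header."""
    kinds = [kind for kind, _ in headers] + [NO_NEXT]
    payload = b"".join(bytes([kinds[i + 1]]) + body
                       for i, (_, body) in enumerate(headers))
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), kinds[0], 64)
    return fixed + ip6(src) + ip6(dst) + payload

def effective(pkt: bytes):
    """Return (source, destination, MH type) as policy lookup treats the packet."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    src, dst, nxt, off, mh_type = pkt[8:24], pkt[24:40], pkt[6], 40, None
    while nxt in (DSTOPTS, ROUTING, MOBILITY):
        size = (pkt[off + 1] + 1) * 8 if off + 2 <= len(pkt) else 0
        hdr = pkt[off:off + size]
        if size == 0 or len(hdr) != size:
            raise ValueError("truncated extension header")
        i = 2
        while nxt == DSTOPTS and i + 1 < size:
            if hdr[i] == 0:                 # Pad1 is a single byte
                i += 1
                continue
            if hdr[i] == HOME_ADDR_OPT and hdr[i + 1] == 16 and i + 18 <= size:
                src = hdr[i + 2:i + 18]     # home address replaces the care-of source
            i += 2 + hdr[i + 1]
        if nxt == ROUTING and hdr[2] == 2 and hdr[3] == 1 and size == 24:
            dst = hdr[8:24]                 # type 2, one segment left: home address
        if nxt == MOBILITY:
            mh_type = hdr[2]
        nxt, off = hdr[0], off + size
    return str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), mh_type

HOA, COA, HA = "2001:db8:1::10", "2001:db8:2::10", "2001:db8:1::1"  # constructed
PAD4 = b"\x01\x02\x00\x00"                  # PadN option, 4 bytes in total
def mh(mh_type: int) -> bytes:              # 16-byte Mobility Header, zeroed fields
    return bytes([1, mh_type, 0, 0, 0]) + bytes(6) + PAD4
BU = build(COA, HA, [(DSTOPTS, bytes([2]) + PAD4 + bytes([HOME_ADDR_OPT, 16]) + ip6(HOA)),
                     (MOBILITY, mh(5))])    # Binding Update, MH type 5
BA = build(HA, COA, [(ROUTING, bytes([2, 2, 1]) + bytes(4) + ip6(HOA)),
                     (MOBILITY, mh(6))])    # Binding Acknowledgement, MH type 6
```

`effective(BU)` reports the home address as source although the on-wire source is the Care-of Address, and `effective(BA)` reports the home address as destination.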

Only Binding Update and Binding Acknowledgement messages exchanged between the Home Agent and Mobile Node can be secured using IPSec; Binding Update and Binding Acknowledgement messages exchanged between the Mobile Node and Correspondent Nodes are secured using a Mobile IPv6 mechanism.

Return Routability Messages Between the Home Agent and Mobile Node

RFC 3776 specifies that you should use ESP to secure Home Test Init and Home Test messages between the Home Agent and Mobile Node. (See Appendix A “Product Specifications”, “RFC 3776 Mandatory Support” for the RFC 3776 extract.)

Using IPSec to secure the Home Test Init and Home Test messages between the Home Agent and the Mobile Node provides protection from attacks initiated from within the Mobile Node’s foreign network.

Mobile IPv6 uses a procedure known as the Return Routability procedure when establishing Route Optimization. The Return Routability procedure provides proof to the Correspondent Node that the Mobile Node is reachable through two routes: one to the Mobile Node’s claimed Care-of Address and one through the Mobile Node’s Home Address.

In the initial phases of the Return Routability procedure, the Mobile Node sends a Home Test Init message to the Correspondent Node through the Home Agent. The Correspondent Node sends back a Home Test message through the Home Agent that includes keying material. The Mobile Node combines the keying material in the Home Test message with keying material it receives through its Care-of Address to form an authentication key. The Mobile Node uses the authentication key to sign a Binding Update it sends to the Correspondent Node with its current Care-of Address.
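The key derivation described above, as an added example (not from the HP guide or HP-UX code). The formulas follow RFC 3775, which this page does not quote; the Kcn, nonces, addresses and Binding Update body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

def packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed

def keygen_token(kcn: bytes, addr: str, nonce: bytes, kind: int) -> bytes:
    # Correspondent Node: First(64, HMAC_SHA1(Kcn, address | nonce | kind)).
    # kind 0 = home keygen token (Home Test, via the Home Agent);
    # kind 1 = care-of keygen token (Care-of Test, sent to the Care-of Address).
    data = packed(addr) + nonce + bytes([kind])
    return hmac.new(kcn, data, hashlib.sha1).digest()[:8]

def binding_key(home_token: bytes, careof_token: bytes) -> bytes:
    # Mobile Node: Kbm = SHA1(home keygen token | care-of keygen token).
    return hashlib.sha1(home_token + careof_token).digest()

def authenticator(kbm: bytes, coa: str, cn: str, mh_data: bytes) -> bytes:
    # First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH data)).
    data = packed(coa) + packed(cn) + mh_data
    return hmac.new(kbm, data, hashlib.sha1).digest()[:12]

def cn_accepts(kcn, home_nonce, careof_nonce, hoa, coa, cn, mh_data, auth) -> bool:
    # The Correspondent Node regenerates both tokens from Kcn and its nonces,
    # rebuilds Kbm and compares authenticators in constant time.
    kbm = binding_key(keygen_token(kcn, hoa, home_nonce, 0),
                      keygen_token(kcn, coa, careof_nonce, 1))
    return hmac.compare_digest(authenticator(kbm, coa, cn, mh_data), auth)

# Constructed sample values (2001:db8::/32 is the documentation prefix).
KCN = bytes(range(20))
HOME_NONCE, CAREOF_NONCE = b"\x11" * 8, b"\x22" * 8
HOA, COA, CN = "2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::1"
MH_DATA = b"constructed Binding Update body"

def demo() -> dict:
    home_tok = keygen_token(KCN, HOA, HOME_NONCE, 0)    # arrives in Home Test
    care_tok = keygen_token(KCN, COA, CAREOF_NONCE, 1)  # arrives in Care-of Test
    cn_state = (KCN, HOME_NONCE, CAREOF_NONCE, HOA)
    signed = authenticator(binding_key(home_tok, care_tok), COA, CN, MH_DATA)
    # A sender that never received the Home Test lacks the home keygen token.
    partial = authenticator(binding_key(bytes(8), care_tok), COA, CN, MH_DATA)
    return {"mobile_node": cn_accepts(*cn_state, COA, CN, MH_DATA, signed),
            "no_home_token": cn_accepts(*cn_state, COA, CN, MH_DATA, partial),
            # Same authenticator presented with a different claimed care-of address.
            "other_coa": cn_accepts(*cn_state, "2001:db8:9::99", CN, MH_DATA, signed)}
```

Because Kbm depends only on the two tokens, the home keygen token carried in the Home Test is the value that ESP between the Home Agent and Mobile Node keeps confidential on the foreign network.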

Prefix Discovery Packets Between the Home Agent and Mobile Node

RFC 3776 specifies that you should use ESP to secure ICMPv6 Mobile Prefix Solicitation and Mobile Prefix Advertisement messages between the Home Agent and Mobile Node. (See Appendix A “Product Specifications”, “RFC 3776 Mandatory Support” for the RFC 3776 extract.)

Prefix Discovery allows a Mobile Node to get network prefix information about its Home Network and to configure its Home Address if needed. The Home Agent monitors prefix information from Router Advertisement messages on the Home Network. The Mobile Node can request prefix information by sending a Mobile Prefix Solicitation message to the Home Agent.

Payload Packets Routed Through the Home Agent

RFC 3776 specifies that you may use ESP to secure payload (data) packets between Mobile Nodes and Correspondent Nodes when these packets are forwarded through the Home Agent. (See Appendix A “Product Specifications”, “RFC 3776 Mandatory Support” for the RFC 3776 extract.) Data packets between the Mobile Node and the Correspondent Nodes are forwarded through the Home Agent in Basic Operation, which is used when Route Optimization is not established.

RFC 3776 also specifies that if the Home Agent supports stateful address autoconfiguration (such as DHCPv6) for the Mobile Nodes, or supports multicast group membership control protocols, the IPSec implementation must support payload protection, but using it is not mandatory.

© 2004 Hewlett-Packard Development Company, L.P.