Re: WG Review: MIPv6 Signaling and Handoff Optimization (mipshop)

[Pekka Savola <pekkas@netcore.fi>]

On Mon, 6 Oct 2003, The IESG wrote:
[...]
>    - Hierarchical Mobile IPv6 mobility management (HMIPv6)
> 
>        HMIPv6 deals with reducing the amount and latency of signaling
>        between a MN, its Home Agent and one or more correspondents by
>        introducing the Mobility Anchor Point (MAP) (a special node located
>        in the network visited by the mobile node). The MAP acts somewhat
>        like a local home agent for the visiting mobile node by limiting
>        the amount of signaling required outside the MAP's domain.
> 
>    - Fast Handovers for Mobile IPv6 (FMIPv6)
> 
>        FMIPv6 reduces packet loss by providing fast IP connectivity as
>        soon as a new link is established. It does so by fixing up the
>        routing during link configuration and binding update, so that
>        packets delivered to the old care of address are forwarded to the
>        new. In addition, FMIPv6 provides support for preconfiguration of
>        link information (such as the subnet prefix) in the new subnet
>        while the mobile node is still attached to the old subnet. This
>        reduces the amount of preconfiguration time in the new subnet.
[...]
>  2) Complete the specification of FMIPv6 protocol.
> 
>        Because work (ongoing or originating) in other working groups may
>        suggest changes or alternative designs for HMIPv6 and FMIPv6, these
>        specifications will be advanced as Experimental RFCs until more
>        experience is obtained with IP mobility in IPv6.
[...]
> 
>  There are security issues that arise because of the highly dynamic
>  nature of the security relationships between, say, a mobile node and
>  its mobility anchor points, or between a mobile node and its access
>  routers in a fast handover scenario. The working group is not required
>  to provide solutions to all these issues before publishing its
>  experimental and informational protocols. The working group will
>  document the security requirements and the shortcomings of the
>  solutions in the corresponding protocol specifications. This will
>  provide valuable feedback to other groups or subsequent efforts.

I've a concern here.

FMIPv6 and HMIPv6 seem to be changes which are very likely severely 
adversely affected (especially if you want to deal with direct MN<->CN 
bindings as well, as hinted in the proposed charter) by the current MIPv6 
security design, which does not work very fast, requiring multiple 
round-trip times.

Therefore, the whole applicability of either mechanism, unless this is 
taken into the consideration from the start, is potentially jeopardized.

There is a danger that this work will not only be irrelevant, but also
dangerous if it ends up deployed.  Of course, the WG could be "successful"  
as well, by issuing Experimental proposals which are *not* really
deployed, but which give experience on how to deal with the issues, and
give pointers where to start when having to redesign the mechanisms from
scratch.

I do not know whether it is a good idea to go forward with this WG and
these proposed enhancements or not, and whether these should be done
piece-wise, without solving the security problems from the start.  How to
fix this?  Not sure, but if we go ahead with this, the charter should have
some very pessimistic and clear verbiage on the expected usefulness of the
work. But this bears some very heavy thinking about.

What I'd like to avoid is having people stand on yet another soapbox, go
on specifying mechanisms with little concern about realities (including
but not related to security), and pretend their output would be useful in
the general Internet or to the IETF in general.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings