IP Communications

TMCnet
October 04, 2006

Maintaining Secure Connections in a Mobility Environment

By TMCnet Special Guest
Rick Pitz, Sr. Product Manager, Certicom Corp.



Fixed Mobile Convergence (FMC) is happening, and mobile handset vendors are rolling out dual-mode devices that allow users to move between cellular networks and WiFi zones. In a typical scenario, a user in his office might use voice and data services via the corporate WiFi network, switch to a cellular network as he leaves, use a WiFi hot spot at the airport, return to the cellular network, and once at his hotel, switch to a local WiFi hot spot.

Various technologies are available to address the implementation of such a system, the details of which are outside the scope of this article. In this article, I’ll discuss some of the security mechanisms that can be used.

Just as users outside a corporate network often secure their data connections with a VPN, similar technologies can be applied to secure the signaling channels of VoIP systems, for example the IP Multimedia Subsystem (IMS).

Regardless of the application (data, VoIP, etc.), the IP address assigned to a user is determined by the point of network attachment. If a user moves from a cellular network to a WiFi network, the IP address assigned to the device changes. IPSec-based VPNs tie the session to the IP address of the device, so if that address changes, the session for the old IP address must be terminated and a new session established with the new IP address. For the user, this means logging in again, which might entail entering a password, security token ID number, etc. This is bothersome and results in user dissatisfaction.

To overcome this issue, various use-case scenarios can be considered. In this article, we’ll look at mechanisms to address mobility applications. The solutions discussed here are not necessarily the only solutions, nor do they address all of the potential issues associated with each, but they provide a good basis for understanding the application of two key technologies – MOBIKE and Mobile IP.

Mobile IKE (MOBIKE), defined in RFC 4555, was developed by the Internet Engineering Task Force (IETF) as a mechanism to maintain IPSec tunnels when a user moves his point of network attachment and the IP address changes. MOBIKE operation is based on the Internet Key Exchange Version 2 (IKEv2 – RFC 4306) protocol. During the IKE initialization exchange (IKE_SA_INIT) between the client and the gateway, the peers inform each other that they support MOBIKE.

Later, after the VPN tunnel has been established, the client may detect that it has moved to a new point of network attachment, resulting in a change in its IP address. The client then sends an INFORMATIONAL message to the gateway from the new IP address, containing a request to update the security association addresses (UPDATE_SA_ADDRESSES). All further traffic sent by the client uses this new address, and the gateway, upon receipt of the UPDATE_SA_ADDRESSES, starts using the new address as the destination of its outgoing traffic.

MOBIKE provides a mechanism called the “return routability check”, which can optionally be used to determine whether the peer is actually reachable at the new address. MOBIKE also provides a mechanism for handling clients located behind Network Address Translators (NATs). Further details on these capabilities can be found in RFC 4555.
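The following is an added example, not code from the article or from Certicom, that models the MOBIKE address update just described as a small simulation: both peers advertise MOBIKE_SUPPORTED at initialization, the client moves and sends an INFORMATIONAL message carrying UPDATE_SA_ADDRESSES from its new address, and the gateway switches its destination only after checking the message belongs to a known SA, is integrity-protected and is not a replay. An optional return routability check with COOKIE2 follows. The `Gateway`, `Client` and `IkeSa` classes, the HMAC standing in for IKEv2's integrity protection, and all IP addresses are constructed for this example; no wire format is modelled.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

MOBIKE_SUPPORTED, UPDATE_SA_ADDRESSES, COOKIE2 = "MOBIKE_SUPPORTED", "UPDATE_SA_ADDRESSES", "COOKIE2"

@dataclass
class IkeSa:
    key: bytes            # stands in for the IKEv2 integrity keys derived at setup
    peer_addr: str        # address the peer is currently reachable at
    mobike: bool          # True only if both peers sent MOBIKE_SUPPORTED at init
    last_msg_id: int = 0  # IKEv2 message ids are sequential; used for replay checks
    cookie2: str = ""     # outstanding return routability challenge, if any

def protect(key, msg):
    """Attach an integrity tag, modelling IKEv2's integrity-protected payload."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, msg):
    body = json.dumps({k: v for k, v in msg.items() if k != "tag"}, sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), msg.get("tag", ""))

class Gateway:
    def __init__(self):
        self.sas = {}  # spi -> IkeSa

    def ike_init(self, spi, key, client_addr, client_notifies):
        """Init exchange: MOBIKE is usable on this SA only if both sides advertise it."""
        self.sas[spi] = IkeSa(key, client_addr, MOBIKE_SUPPORTED in client_notifies)

    def handle_informational(self, src_addr, msg):
        sa = self.sas.get(msg.get("spi"))
        if sa is None or not verify(sa.key, msg):
            return "rejected: unknown SA or bad integrity"
        if msg["msg_id"] <= sa.last_msg_id:
            return "rejected: replayed message id"
        sa.last_msg_id = msg["msg_id"]
        if UPDATE_SA_ADDRESSES in msg["notify"]:
            if not sa.mobike:
                return "rejected: MOBIKE not negotiated on this SA"
            sa.peer_addr = src_addr  # RFC 4555: the new address is the packet's source
            return "updated"
        return "ok"

    def rr_challenge(self, spi):
        """Return routability check: send a fresh COOKIE2 to the claimed new address."""
        sa = self.sas[spi]
        sa.cookie2 = secrets.token_hex(16)
        return sa.peer_addr, protect(sa.key, {"spi": spi, "notify": [COOKIE2], "cookie2": sa.cookie2})

    def rr_verify(self, spi, src_addr, reply):
        """Reachable only if the echoed COOKIE2 comes back from the updated address."""
        sa = self.sas[spi]
        expected, sa.cookie2 = sa.cookie2, ""
        return (verify(sa.key, reply) and src_addr == sa.peer_addr and expected != ""
                and hmac.compare_digest(reply.get("cookie2", ""), expected))

class Client:
    def __init__(self, spi, key, addr):
        self.spi, self.key, self.addr, self.msg_id = spi, key, addr, 0

    def move(self, new_addr):
        """New point of attachment: ask the gateway to update the SA addresses."""
        self.addr, self.msg_id = new_addr, self.msg_id + 1
        msg = {"spi": self.spi, "msg_id": self.msg_id, "notify": [UPDATE_SA_ADDRESSES]}
        return self.addr, protect(self.key, msg)  # (IP-header source, payload)

    def answer_rr(self, delivered_to, challenge):
        """Echo COOKIE2 only if the challenge really arrived at the current address."""
        if delivered_to != self.addr or not verify(self.key, challenge):
            return None
        reply = {"spi": self.spi, "notify": [COOKIE2], "cookie2": challenge["cookie2"]}
        return self.addr, protect(self.key, reply)

def handover(client_mobike=True):
    """Office WiFi -> cellular -> hotspot (constructed addresses), MOBIKE on or off."""
    key = secrets.token_bytes(32)
    gw, client = Gateway(), Client("spi-1", key, "10.1.1.5")
    gw.ike_init("spi-1", key, client.addr, [MOBIKE_SUPPORTED] if client_mobike else [])
    results = [gw.handle_informational(*client.move(a)) for a in ("100.64.3.9", "172.16.8.20")]
    return results, gw.sas["spi-1"].peer_addr

def replay_and_rr():
    """A replayed update is refused; the genuine move passes the return routability check."""
    key = secrets.token_bytes(32)
    gw, client = Gateway(), Client("spi-1", key, "10.1.1.5")
    gw.ike_init("spi-1", key, client.addr, [MOBIKE_SUPPORTED])
    src, msg = client.move("100.64.3.9")
    first = gw.handle_informational(src, msg)
    replayed = gw.handle_informational("203.0.113.7", msg)  # same payload, other source
    dest, challenge = gw.rr_challenge("spi-1")
    rr_ok = gw.rr_verify("spi-1", *client.answer_rr(dest, challenge))
    return first, replayed, rr_ok
```

The point to notice is that the gateway never trusts an address carried inside the payload: it takes the new address from where the authenticated, non-replayed message actually came from, and the return routability check confirms that something holding the SA key is really listening there. Without MOBIKE negotiated at init, the same update is refused and the old session would have to be torn down and rebuilt, which is the re-login the article describes.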

The use of Mobile IP (see RFC 3344 – IP Mobility Support for IPv4) can also affect VPN connectivity. Mobile IP enables a device (called the “mobile node”) that is moving between networks to keep the same IP address as it moves from one point of network attachment to another. Mobile IP introduces two new network elements – the home agent and the foreign agent – whose functions are somewhat analogous to those of the home location register and visitor location register in the cellular world.

The home agent is a router on the mobile node’s home network. Its primary role is to tunnel packets to the mobile node when the mobile node is away from the home network, maintaining information on the location of the mobile node. The foreign agent is a router on the network that the mobile node is currently attached to when it is not attached to the home network. The foreign agent terminates the Mobile IP tunnel from the home agent, and delivers packets to the mobile node.

While connected to the home network, the mobile node operates without mobility. When the mobile node leaves the home network and attaches to a foreign network, it checks for the availability of a foreign agent. If present, it registers with the foreign agent, which notifies the home agent of the location of the mobile node. Any data that is received by the home agent for the mobile node is then routed to the foreign agent for delivery to the mobile node.

To support a VPN connection to the home network, several processes are possible. One common example is specified by 3GPP2 in X.S0028-200 v0.3. In this case, IKEv2 is used to establish the VPN tunnel to the security gateway. The initial IPSec tunnel is created using the temporary Mobile IP address (received from the gateway) as the Tunnel Inner Address (TIA). The home agent address is retrieved from the gateway during this IKEv2 exchange. The Mobile IP client then uses the home agent to complete the Mobile IP registration and obtains the home address (HoA), the real IP address it is assigned.

If the HoA is the same as the TIA, the original IPSec tunnel can be used to protect traffic between the home agent and the mobile node. If the HoA is different from the TIA, a new IPSec tunnel is created using the HoA. This process requires that the IPSec/IKEv2 protocol stack be “Mobile IP aware”: the Mobile IP stack and the IPSec stack need to exchange the TIA, HoA and home agent (HA) information.
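As an added example (not code from the article, Certicom or 3GPP2), the simulation below covers both the Mobile IP registration and tunnelling described in the preceding paragraphs and the Mobile-IP-aware tunnel selection from X.S0028: a home agent keeps a binding table, a foreign agent relays the registration and terminates the home agent's IP-in-IP tunnel, and `mobile_ip_aware_ipsec` reuses the TIA tunnel only when the HoA turns out to equal the TIA. All class names, the registration lifetime, the addresses and the packet contents are constructed for this example; the wire formats of RFC 3344 are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    payload: str

@dataclass
class Tunneled:
    """IP-in-IP encapsulation carrying a packet from the home agent to a care-of address."""
    outer_src: str
    outer_dst: str
    inner: Packet

class HomeAgent:
    """Router on the home network keeping the mobility binding table (RFC 3344)."""
    def __init__(self, addr, home_prefix):
        self.addr, self.home_prefix = addr, home_prefix
        self.bindings = {}  # home address -> care-of address while the node is away

    def registration_request(self, hoa, care_of, lifetime):
        if not hoa.startswith(self.home_prefix):
            return "denied: not a home address"
        if lifetime == 0:                # lifetime 0 is a deregistration (node back home)
            self.bindings.pop(hoa, None)
        else:
            self.bindings[hoa] = care_of
        return "accepted"

    def route(self, pkt):
        """Traffic for a node registered away is tunnelled to its care-of address."""
        if pkt.dst in self.bindings:
            return Tunneled(self.addr, self.bindings[pkt.dst], pkt)
        return pkt                       # node is at home: deliver on the home link

class ForeignAgent:
    """Router on the visited network; relays registrations and ends the HA tunnel."""
    def __init__(self, addr):
        self.addr, self.visitors = addr, {}

    def serve(self, node, home_agent):
        self.visitors[node.hoa] = node
        return home_agent.registration_request(node.hoa, self.addr, lifetime=1800)

    def receive(self, frame):
        if isinstance(frame, Tunneled) and frame.outer_dst == self.addr:
            node = self.visitors.get(frame.inner.dst)
            if node is not None:
                node.inbox.append(frame.inner)   # decapsulate and hand to the visitor
                return "tunnelled"
        return "dropped"

class MobileNode:
    def __init__(self, hoa):
        self.hoa, self.inbox, self.fa = hoa, [], None

    def attach_foreign(self, fa, home_agent):
        self.fa = fa
        return fa.serve(self, home_agent)

    def return_home(self, home_agent):
        self.fa = None
        return home_agent.registration_request(self.hoa, home_agent.addr, lifetime=0)

def deliver(home_agent, agents, node, pkt):
    """Model the path a packet takes to the node depending on where it is attached."""
    frame = home_agent.route(pkt)
    if isinstance(frame, Tunneled):
        return agents[frame.outer_dst].receive(frame)
    if node.fa is None:
        node.inbox.append(frame)
        return "direct"
    return "dropped"                     # away but unregistered: home-link delivery fails

def mobile_ip_aware_ipsec(tia, hoa, ha_addr):
    """The X.S0028 step from the article: reuse the TIA tunnel only when HoA == TIA."""
    tunnels = [("ipsec", tia)]           # created during IKEv2 with TIA as inner address
    if hoa != tia:
        tunnels.append(("ipsec", hoa))   # second tunnel keyed to the real home address
    return {"home_agent": ha_addr, "tunnels": tunnels}

def roaming_scenario():
    """Home -> foreign network with a foreign agent -> back home (constructed addresses)."""
    ha, fa = HomeAgent("192.0.2.1", "192.0.2."), ForeignAgent("198.51.100.1")
    node, pkt = MobileNode("192.0.2.50"), Packet("203.0.113.9", "192.0.2.50", "hello")
    agents = {fa.addr: fa}
    log = [deliver(ha, agents, node, pkt)]
    log.append(node.attach_foreign(fa, ha))
    log.append(deliver(ha, agents, node, pkt))
    log.append(node.return_home(ha))
    log.append(deliver(ha, agents, node, pkt))
    return log, len(node.inbox), dict(ha.bindings)
```

Running `roaming_scenario()` shows the same home address reaching the node by direct delivery at home, by the home-agent tunnel while visiting, and directly again after deregistration. The `mobile_ip_aware_ipsec` helper is where the two stacks must share state: the IPSec side only knows the TIA until the Mobile IP side reports the HoA and home agent address back to it.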

In summary, if the user in the above scenario moves to a new IP network, MOBIKE can be used to update the IPSec tunnel endpoints without the need to re-negotiate Mobile IP and IKEv2. Without the inclusion of MOBIKE, the client needs to re-negotiate both Mobile IP and IKEv2.

As mentioned, this article covers only one of many possible scenarios, but those considering the development and deployment of mobility applications should consider including MOBIKE and a Mobile IP aware IPSec/IKEv2 stack as part of the overall solution.

---------

Rick Pitz is Sr. Product Manager for Certicom Corp.
