Thursday, February 7, 2008

Mobility with IPsec

IPsec is increasingly used by enterprises to provide secure remote connectivity to internal networks, giving 'on the road' employees and telecommuters access to internal resources. The IPsec gateway assigns each remote client a private IP address and the related configuration (the address itself, the internal networks reachable through the tunnel, and DNS and WINS server addresses); in IKE this is carried by the configuration exchange (Mode Config in IKEv1, the Configuration payload in IKEv2). This private (inner) address is in addition to the address the service provider gives the client. Applications use the private IP address to communicate with enterprise servers, while the ISP-provided address (the outer IP address) is used to tunnel the traffic securely to the enterprise gateway.

Because applications on the client bind to the private IP address, a change of the ISP-provided address does not tear down their connections to enterprise networks. This helps mobile users in particular: while traveling by car, a handset may receive a different IP address at each point of attachment to the cellular network. As long as the private IP address does not change, voice calls and data sessions are not disconnected. The same holds when the point of attachment moves from cellular to Wi-Fi and vice versa.

When the outer IP address changes, the IPsec client normally creates a new tunnel to the IPsec gateway (a fresh IKE exchange and new SAs). Tunnel establishment typically takes hundreds of milliseconds to a second. That is acceptable for data sessions, but it introduces a large jitter that voice and other real-time multimedia applications may not tolerate. At Intoto we have created a proprietary solution, which we call IPsec address adoption, that adapts the existing tunnel to the new IP address instead of creating a new one. Both the IPsec gateway and the IPsec client adapt to the address change and update the tunnel's outer addresses securely, avoiding the expensive tunnel setup and giving a smooth transition. Since the gateway learns the client's new address from incoming packets, it must act only on packets that pass the SA's checks (SPI lookup, ICV verification and anti-replay); an unauthenticated packet must never move the tunnel to a new address.

Assumptions and limitations of the 'address adoption' technique:
  • It always uses tunnel mode.
  • It forces NAT-T (UDP encapsulation of ESP, RFC 3948) even when there is no NAT device in between:
    • it always UDP-encapsulates the traffic, and
    • it always sends NAT keepalive messages.
  • Because it detects the address change from incoming packets, traffic is assumed to flow in both directions; a peer that only receives never learns the other side's new address.
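The gateway side of the mechanism described above, as an added illustration that is not Intoto's code and not part of the original post: a table of tunnel SAs keyed by SPI, a receive path for UDP-encapsulated traffic that tells NAT keepalives (the single 0xFF octet of RFC 3948) and IKE (the four-zero-byte non-ESP marker) apart from ESP, and an address update that happens only after the packet's ICV and sequence number check out. The ESP layout is simplified to SPI, sequence number, payload and a 96-bit HMAC-SHA1 ICV (no IV, encryption or trailer), the anti-replay check is a strict monotonic sequence rather than a sliding window, and the keys, SPI and addresses are constructed for the example; all of these are assumptions of the illustration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

NAT_KEEPALIVE = b"\xff"                 # RFC 3948 NAT-keepalive: one octet, 0xFF
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 marker: IKE multiplexed on the ESP port
ICV_LEN = 12                            # HMAC-SHA1-96 (RFC 2404) truncated ICV


@dataclass
class TunnelSA:
    """One inbound ESP SA as the gateway sees it (simplified model, an assumption)."""
    spi: int
    auth_key: bytes
    peer_addr: tuple            # (ip, port) the UDP-encapsulated packets currently come from
    last_seq: int = 0           # strict monotonic replay check (real ESP uses a window)
    adoptions: list = field(default_factory=list)   # history of (old_addr, new_addr)


def build_esp(sa, seq, payload):
    """Client side: SPI | seq | payload | ICV. No encryption or trailer in this model."""
    body = struct.pack("!II", sa.spi, seq) + payload
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class Gateway:
    def __init__(self):
        self.sa_by_spi = {}

    def add_sa(self, sa):
        self.sa_by_spi[sa.spi] = sa

    def receive(self, src, datagram):
        """Process one datagram received on the NAT-T port; returns a short event name.

        The outer source address is only adopted into the SA after the packet has
        passed SPI lookup, ICV verification and the replay check. Keepalives and
        IKE are never used as evidence of an address change: a keepalive is not
        authenticated at all, and IKE is handled by the key-management daemon.
        """
        if datagram == NAT_KEEPALIVE:
            return "keepalive"
        if datagram[:4] == NON_ESP_MARKER:
            return "ike"
        if len(datagram) < 8 + ICV_LEN:
            return "malformed"

        spi, seq = struct.unpack("!II", datagram[:8])
        sa = self.sa_by_spi.get(spi)
        if sa is None:
            return "unknown-spi"

        body, icv = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
        expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"          # forged or corrupted: must not touch the SA
        if seq <= sa.last_seq:
            return "replay"           # replayed from another address: must not touch the SA
        sa.last_seq = seq

        if src != sa.peer_addr:       # authenticated packet from a new outer address
            sa.adoptions.append((sa.peer_addr, src))
            sa.peer_addr = src        # adopt it; reply traffic now goes to the new address
            return "adopted"
        return "ok"


def demo():
    """Constructed scenario: a client roams from cellular to Wi-Fi on one tunnel."""
    key = b"\x11" * 20                                 # constructed SA auth key
    gw = Gateway()
    sa = TunnelSA(spi=0x1000, auth_key=key, peer_addr=("198.51.100.10", 4500))
    gw.add_sa(sa)
    events = []
    # normal traffic from the original (cellular) outer address
    events.append(gw.receive(("198.51.100.10", 4500), build_esp(sa, 1, b"voice-frame-1")))
    # a NAT keepalive: kept alive, nothing else
    events.append(gw.receive(("198.51.100.10", 4500), NAT_KEEPALIVE))
    # the client moves to Wi-Fi: same SA, new outer address, valid ICV -> adopted, no new tunnel
    events.append(gw.receive(("203.0.113.7", 4500), build_esp(sa, 2, b"voice-frame-2")))
    # a packet from a third address with a bad ICV must not move the tunnel
    forged = build_esp(sa, 3, b"x")[:-ICV_LEN] + b"\x00" * ICV_LEN
    events.append(gw.receive(("192.0.2.99", 4500), forged))
    # a replayed copy of the client's packet from a third address must not move it either
    events.append(gw.receive(("192.0.2.99", 4500), build_esp(sa, 2, b"voice-frame-2")))
    return events, sa.peer_addr


if __name__ == "__main__":
    print(demo())
```

The point of the ordering in `receive` is that the address is read from the outer header, which is exactly the part of the packet ESP does not protect; the ICV and sequence number are what tie the packet to the SA, so they must be checked before the outer address is trusted. The same rule applies on the client when it learns the gateway's address from inbound packets, and in a real implementation the IKE SA's remote address has to be updated alongside the ESP SAs.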
One advantage of the address adoption solution is that it works with both IKEv1 and IKEv2, whereas MOBIKE (RFC 4555) is defined only for IKEv2. It is also simpler than MOBIKE, which is why we call it 'SMOBIKE' (Simple MOBIKE).

In summary, IPsec, through its inherent tunneling, provides seamless mobility to enterprise resources. With the additional Intoto proprietary address adoption technique, it also reduces jitter in real-time traffic when the outer address changes.

Srini
