RFC 5266: Secure connectivity and mobility using mobile IPv4 and IKEv2 mobility and multihoming (MOBIKE)

Standards

Summary

A typical enterprise network involves users connecting from both trusted (intranet) and untrusted (Internet) networks, separated by a demilitarized zone (DMZ) and controlled by a firewall and VPN gateway. Enterprise users on untrusted networks authenticate to the VPN gateway and set up a secure tunnel, often an IPsec VPN. On the trusted network the VPN is not used, but Mobile IPv4 is still valuable for keeping sessions alive as a node moves between subnets. Previous solutions that combine Mobile IPv4 and IPsec VPNs, such as [RFC5265], have limitations like high overhead and complexity because they stack two MIPv4 layers.

This document proposes an alternative solution that eliminates the need for two MIPv4 layers. It uses Mobile IPv4 on the trusted network and MOBIKE-capable IPsec VPNs on the untrusted network. The mobile node uses the IPsec VPN tunnel inner address as the MIPv4 co-located care-of address, removing the need for an external MIPv4 home agent and reducing overhead. The solution assumes the use of IKEv2 and MOBIKE extensions. When on the trusted network, traffic does not go through the DMZ, maintaining the DMZ’s security architecture. Additionally, the document presents a method for the mobile node to detect when it is on a trusted network to drop the IPsec tunnel and use Mobile IP. IPsec VPN gateways using IKEv1 are not addressed.
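The following is an added model of the address layering described above, not code from the RFC or any implementation of it: it picks the co-located care-of address the way RFC 5266 does (the VPN tunnel inner address when on the untrusted network, the link address when on the trusted one), derives the header stack of an inbound packet in each case, and shows which signalling a move triggers. The trusted-network test (a MIPv4 registration to the internal home agent succeeding directly) and the MOBIKE address-update step are assumptions drawn from the RFC's design rather than stated in the summary; all addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, List


@dataclass(frozen=True)
class Addresses:
    home: str                    # MIPv4 home address (HoA): stable identity for sessions
    physical: str                # address obtained on the currently attached link
    vpn_inner: Optional[str]     # IKEv2-assigned tunnel inner address (None when no tunnel)


def on_trusted_network(registration_reply_authenticated: bool) -> bool:
    """Assumed detection rule: the node attempts a MIPv4 registration with the
    internal home agent from its current link without a VPN; only a reply that
    passes MIPv4 authentication proves the HA is reachable directly."""
    return registration_reply_authenticated


def care_of_address(addrs: Addresses, trusted: bool) -> str:
    """Co-located care-of address registered with the internal home agent."""
    if trusted:
        return addrs.physical            # no VPN: register the link address itself
    if addrs.vpn_inner is None:
        raise RuntimeError("untrusted network: IKEv2/MOBIKE tunnel must be up first")
    return addrs.vpn_inner               # RFC 5266: tunnel inner address is the CoA


def inbound_header_stack(addrs: Addresses, trusted: bool, cn: str = "cn",
                         ha: str = "ha", vpn_gw: str = "vpn-gw") -> List[str]:
    """Headers on a packet CN -> HoA as it arrives at the mobile node (outermost first).
    The HA tunnels to the CoA; on the untrusted path that CoA is the inner address,
    so the VPN gateway wraps the HA's tunnel in ESP towards the physical address."""
    coa = care_of_address(addrs, trusted)
    stack = [f"IP {ha}->{coa}", f"IP {cn}->{addrs.home}", "payload"]
    if not trusted:
        stack = [f"IP {vpn_gw}->{addrs.physical}", "ESP"] + stack
    return stack


def signalling_on_move(addrs: Addresses, trusted: bool, new_physical: str) -> str:
    """Which control exchange a change of link address requires. Off-intranet the
    inner address (and hence the CoA) is unchanged, so only the IKEv2 SA addresses
    move (MOBIKE); on the intranet the CoA itself changes, so MIPv4 re-registers."""
    if trusted:
        return f"MIPv4 registration request: CoA {addrs.physical} -> {new_physical}"
    return f"MOBIKE update of IKE SA addresses: {addrs.physical} -> {new_physical}; CoA {addrs.vpn_inner} unchanged"
```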