Abstract

Many corporate employees (commonly known as road warriors) access the resources of protected corporate intranets while working remotely, through IPsec tunnels between their corporate VPN (virtual private network) gateway and their remote hosts. With the proliferation of wireless LANs, 3G wireless networks, and mobile workers, it becomes highly desirable for remote hosts to be able to move freely among multiple networks (IP subnets), even across different air-interface technologies. Currently, IPsec does not support this movement without breaking and re-establishing IPsec tunnels. Re-establishing IPsec tunnels can disrupt applications currently running across the tunnels, in addition to incurring the overhead of a 3 to 6 round-trip handshake for each new tunnel establishment. One solution would be to run IPsec tunnels over mobileIP to enable mobility. However, that is inefficient because of the double tunneling, which is especially an issue for resource-limited wireless networks. We explore modifying an IPsec implementation to enable mobility without compromising security and without incurring tunnel re-establishment at handoff. We do not intend to address the general issue of secure mobility support for the Internet. Instead, we focus on a single scenario, VPN remote access via IPsec ESP-only tunnel mode in IPv4, which has a large commercial application in the secure remote access of corporate intranets. Our approach is to change the tunnel endpoint IP address of the mobile host at the IPsec VPN gateway via secure signaling, which is possible with minor modifications to how IPsec operates. To this end, we modified FreeS/WAN v1.8, an open-source implementation of IPsec. We remove the dependence of security association identification on the outer-header destination address, so that the same security parameters can be used even in the new network.
Two new private messages are added to ISAKMP (Internet security association and key management protocol) to enable the required signaling to update new tunnel endpoint addresses. Our approach neither compromises the security of IPsec, nor requires changes to the existing IPsec standard, preserving interoperability with mobility-unaware hosts and gateways. We describe a working implementation of these modifications, discuss the performance of this approach, and compare with the standard IPsec and IPsec over mobileIP.
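As an added illustration (not the paper's FreeS/WAN modifications), the following Python model contrasts a gateway SA database keyed on (tunnel endpoint address, SPI), where a handoff makes the existing SA unreachable, with one keyed on the SPI alone, where an authenticated endpoint-update message moves the tunnel while SPI, keys and algorithms stay unchanged. The message format, the HMAC key (assumed to be shared under the ISAKMP phase-1 SA) and the counter-based replay check are assumptions of this example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class TunnelSA:
    """One ESP tunnel-mode SA at the gateway (constructed model, not FreeS/WAN's)."""
    spi: int
    peer: str             # mobile host's current tunnel endpoint (outer-header address)
    update_ctr: int = 0   # last accepted endpoint-update counter (replay check)

class Gateway:
    def __init__(self, isakmp_key: bytes, spi_only: bool):
        self.isakmp_key = isakmp_key  # secret shared under the ISAKMP phase-1 SA (assumed)
        self.spi_only = spi_only      # False: standard (dst, SPI) keying; True: SPI-only keying
        self.sadb = {}

    def _key(self, peer, spi):
        return spi if self.spi_only else (peer, spi)

    def install(self, sa):
        self.sadb[self._key(sa.peer, sa.spi)] = sa

    def find(self, peer, spi):
        """SA for tunnel endpoint `peer`; None means a fresh tunnel must be negotiated."""
        return self.sadb.get(self._key(peer, spi))

    @staticmethod
    def mac(key, spi, new_peer, ctr):
        return hmac.new(key, f"{spi}|{new_peer}|{ctr}".encode(), "sha256").digest()

    def update_endpoint(self, spi, new_peer, ctr, tag):
        """Private 'update tunnel endpoint' message: valid MAC and fresh counter required."""
        if not self.spi_only:
            return False  # standard IPsec has no such signaling: it must rekey
        sa = self.sadb.get(spi)
        if sa is None or ctr <= sa.update_ctr:
            return False  # unknown SA, or replayed / out-of-order update
        if not hmac.compare_digest(tag, self.mac(self.isakmp_key, spi, new_peer, ctr)):
            return False  # forged or tampered message
        sa.peer, sa.update_ctr = new_peer, ctr  # SPI, keys and algorithms stay as they were
        return True

def handoff(spi_only, old="10.1.0.5", new="10.2.0.9"):
    """Mobile host moves from `old` to `new`; True if the existing SA keeps serving it."""
    key = b"constructed-phase1-key"
    gw = Gateway(key, spi_only)
    gw.install(TunnelSA(spi=0x1000, peer=old))
    gw.update_endpoint(0x1000, new, 1, Gateway.mac(key, 0x1000, new, 1))
    sa = gw.find(new, 0x1000)
    return sa is not None and sa.peer == new
```

`handoff(False)` returns False because the standard database has no entry for the new address, while `handoff(True)` returns True after the update is accepted.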
