draft-ietf-v6ops-3gpp-eps-05.txt   draft-ietf-v6ops-3gpp-eps-06.txt 
Individual Submission J. Korhonen, Ed. Individual Submission J. Korhonen, Ed.
Internet-Draft Nokia Siemens Networks Internet-Draft Nokia Siemens Networks
Intended status: Informational J. Soininen Intended status: Informational J. Soininen
Expires: March 3, 2012 Renesas Mobile Expires: March 23, 2012 Renesas Mobile
B. Patil B. Patil
T. Savolainen T. Savolainen
G. Bajko G. Bajko
Nokia Nokia
K. Iisakkila K. Iisakkila
Renesas Mobile Renesas Mobile
August 31, 2011 September 20, 2011
IPv6 in 3GPP Evolved Packet System IPv6 in 3GPP Evolved Packet System
draft-ietf-v6ops-3gpp-eps-05 draft-ietf-v6ops-3gpp-eps-06
Abstract Abstract
Use of data services in smart phones and broadband services via HSPA Use of data services in smart phones and broadband services via HSPA
and HSPA+, in particular Internet services, has increased rapidly and and HSPA+, in particular Internet services, has increased rapidly and
operators that have deployed networks based on 3GPP network operators that have deployed networks based on 3GPP network
architectures are facing IPv4 address shortages at the Internet architectures are facing IPv4 address shortages at the Internet
registries and are feeling a pressure to migrate to IPv6. This registries and are feeling a pressure to migrate to IPv6. This
document describes the support for IPv6 in 3GPP network document describes the support for IPv6 in 3GPP network
architectures. architectures.
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 3, 2012. This Internet-Draft will expire on March 23, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 15, line 40 skipping to change at page 15, line 40
uses layer-2 signaling to suggest user equipment an Interface uses layer-2 signaling to suggest user equipment an Interface
Identifier that is guaranteed not to conflict with gateway's Identifier that is guaranteed not to conflict with gateway's
Interface Identifier. The UE must configure its link-local address Interface Identifier. The UE must configure its link-local address
using this Interface Identifier. The UE is allowed to use any using this Interface Identifier. The UE is allowed to use any
Interface Identifier it wishes for the other addresses it configures. Interface Identifier it wishes for the other addresses it configures.
There is no restriction, for example, of using Privacy Extension for There is no restriction, for example, of using Privacy Extension for
SLAAC [RFC4941] or other similar types of mechanisms. However, there SLAAC [RFC4941] or other similar types of mechanisms. However, there
are network drivers that fail to pass the Interface Identifier to the are network drivers that fail to pass the Interface Identifier to the
stack and instead synthesize their own Interface Identifier (usually stack and instead synthesize their own Interface Identifier (usually
a MAC address equivalent). If the UE skips the Duplicate Address a MAC address equivalent). If the UE skips the Duplicate Address
Detection (DAD) or has other issues with the Neighbor Discovery Detection (DAD) and also has other issues with the Neighbor Discovery
Protocol (see Section 5.4), then there is a small theoretical chance Protocol (see Section 5.4), then there is a small theoretical chance
that the UE configures exactly the same link-local address as the that the UE configures exactly the same link-local address as the
GGSN/PDN-GW. The address collision may then cause issues in the IP GGSN/PDN-GW. The address collision may then cause issues in the IP
connectivity. connectivity, for instance, the UE not being able to forward any
packets to uplink.
In the 3GPP link model the /64 prefix assigned to the UE cannot be In the 3GPP link model the /64 prefix assigned to the UE cannot be
used for on-link determination (because the L-bit in the Prefix used for on-link determination (because the L-bit in the Prefix
Information Option (PIO) in the RA must always be set to zero). If Information Option (PIO) in the RA must always be set to zero). If
the advertised prefix is used for SLAAC then the A-bit in the PIO the advertised prefix is used for SLAAC then the A-bit in the PIO
must be set to one. The details of the 3GPP link-model and address must be set to one. The details of the 3GPP link-model and address
configuration is described in Section 11.2.1.3.2a of [TS.29061]. configuration is described in Section 11.2.1.3.2a of [TS.29061].
More specifically, the GGSN/PDN-GW guarantees that the /64 prefix is More specifically, the GGSN/PDN-GW guarantees that the /64 prefix is
unique for the UE. Therefore, there is no need to perform any unique for the UE. Therefore, there is no need to perform any
Duplicate Address Detection (DAD) on addresses the UE creates (i.e., Duplicate Address Detection (DAD) on addresses the UE creates (i.e.,
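Review bot: in the sentence added to the end of the first paragraph of this region, "the UE not being able to forward any packets to uplink" misdescribes the UE, which originates rather than forwards traffic; suggest "the UE not being able to send any packets in the uplink direction". The same paragraph now makes skipping DAD and having Neighbor Discovery issues a combined precondition ("and also"), while the paragraph below states that no DAD is needed on the /64 the GGSN/PDN-GW guarantees to be unique; it would help to say explicitly that skipping DAD is the expected behaviour and that the collision risk comes from a driver synthesizing its own Interface Identifier (usually a MAC address equivalent) instead of passing the one the network suggests to the stack, as the paragraph itself describes.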
skipping to change at page 17, line 23 skipping to change at page 17, line 24
the IP stack. This has few known issues, especially when the IP the IP stack. This has few known issues, especially when the IP
stack is made to believe the underlying link has link-layer stack is made to believe the underlying link has link-layer
addresses. First, the Neighbor Advertisement sent by a GGSN as a addresses. First, the Neighbor Advertisement sent by a GGSN as a
response to an address resolution triggered Neighbor Solicitation may response to an address resolution triggered Neighbor Solicitation may
not contain a Target Link-Layer address option (as suggested in not contain a Target Link-Layer address option (as suggested in
[RFC4861] Section 4.4). Then it is possible that the address [RFC4861] Section 4.4). Then it is possible that the address
resolution never completes when the UE tries to resolve the link- resolution never completes when the UE tries to resolve the link-
layer address of the GGSN, thus stalling all IPv6 traffic. layer address of the GGSN, thus stalling all IPv6 traffic.
Second, the GGSN may simply discard all address resolution triggered Second, the GGSN may simply discard all address resolution triggered
Neighbor Solicitation messages (as hinted in [RFC3316] Section 2.4.1 Neighbor Solicitation messages (as sometimes misinterpreted from
that address resolution and next-hop determination are not needed). [RFC3316] Section 2.4.1 that responding to address resolution and
As a result the address resolution never completes when the UE tries next-hop determination are not needed). As a result the address
to resolve the link-layer address of the GGSN, thus stalling all IPv6 resolution never completes when the UE tries to resolve the link-
traffic. layer address of the GGSN, thus stalling all IPv6 traffic.
6. 3GPP Dual-Stack Approach to IPv6 6. 3GPP Dual-Stack Approach to IPv6
6.1. 3GPP Networks Prior to Release-8 6.1. 3GPP Networks Prior to Release-8
3GPP standards prior to Release-8 provide IPv6 access for cellular 3GPP standards prior to Release-8 provide IPv6 access for cellular
devices with PDP contexts of type IPv6 [TS.23060]. For dual-stack devices with PDP contexts of type IPv6 [TS.23060]. For dual-stack
access, a PDP context of type IPv6 is established in parallel to the access, a PDP context of type IPv6 is established in parallel to the
PDP context of type IPv4, as shown in Figure 5 and Figure 6. For PDP context of type IPv4, as shown in Figure 5 and Figure 6. For
IPv4-only service, connections are created over the PDP context of IPv4-only service, connections are created over the PDP context of
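Review bot: now that the second failure case is described as a misinterpretation of [RFC3316] Section 2.4.1 rather than something that section hints at, the paragraph should state the correct behaviour it implies, i.e. that the GGSN still has to respond to address resolution triggered Neighbor Solicitations (the first case in this region already assumes a Neighbor Advertisement is sent, only without the Target Link-Layer address option); otherwise the reader is left with only the wrong reading. Also, "This has few known issues" at the top of the region reads as "hardly any", whereas "a few known issues" is what the two enumerated cases call for, and the consequence sentence "thus stalling all IPv6 traffic" is repeated verbatim for both cases and could be stated once for both.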
skipping to change at page 30, line 8 skipping to change at page 30, line 8
not understand the requested PDN Type, then the PDN Type is handled not understand the requested PDN Type, then the PDN Type is handled
as IPv6. as IPv6.
9. IANA Considerations 9. IANA Considerations
This document has no requests to IANA. This document has no requests to IANA.
10. Security Considerations 10. Security Considerations
This document does not introduce any security related concerns. This document does not introduce any security related concerns.
However, there are several general security concerns to take into Section 5 of [RFC3316] already contains in depth discussion of IPv6
related security considerations in 3GPP networks prior Release-8.
This section discusses few additional security concerns to take into
consideration. consideration.
In 3GPP access the UE and the network always perform a mutual In 3GPP access the UE and the network always perform a mutual
authentication during the network attachment [TS.33102][TS.33401]. authentication during the network attachment [TS.33102][TS.33401].
Furthermore, each time a PDP Context/PDN Connection gets created, a Furthermore, each time a PDP Context/PDN Connection gets created, a
new connection, a modification of an existing connection and an new connection, a modification of an existing connection and an
assignment of an IPv6 prefix or an IP address can be authorized assignment of an IPv6 prefix or an IP address can be authorized
against the PCC infrastructure [TS.23203] and/or PDN's AAA server. against the PCC infrastructure [TS.23203] and/or PDN's AAA server.
The wireless part of the 3GPP link between the UE and the (e)NodeB as The wireless part of the 3GPP link between the UE and the (e)NodeB as
well as the signaling messages between the UE and the MME/SGSN can be well as the signaling messages between the UE and the MME/SGSN can be
protected depending on the regional regulation and operators' protected depending on the regional regulation and operators'
deployment policy. User plane traffic can be confidentiality deployment policy. User plane traffic can be confidentiality
protected. The control plane is always at least integrity and replay protected. The control plane is always at least integrity and replay
protected, and may also be confidentiality protected. The protection protected, and may also be confidentiality protected. The protection
within the transmission part of the network depends on operators' within the transmission part of the network depends on operators'
deployment policy. [TS.33401] deployment policy. [TS.33401]
Due the nature of 3GPP point to point link model, the UE and the Several of the on-link and neighbor discovery related attacks can be
first hop router (PGW/GGSN or SGW) are the only nodes on the link, mitigated due the nature of 3GPP point to point link model, and the
which mitigates most of the known on-link attacks. For off-link IPv6 fact the UE and the first hop router (PGW/GGSN or SGW) being the only
attacks the 3GPP EPS is as vulnerable as any IPv6 system. There have nodes on the link. For off-link IPv6 attacks the 3GPP EPS is as
also been concerns that the UE IP stack might use permanent vulnerable as any IPv6 system.
subscriber identities, such as IMSI, as the source for IPv6 address
Interface Identifier. This would be a privacy threat and allow There have also been concerns that the UE IP stack might use
tracking of subscribers, and therefore use of IMSI (or any [TS.23003] permanent subscriber identities, such as IMSI, as the source for IPv6
defined identity) as the Interface Identifier is prohibited address Interface Identifier. This would be a privacy threat and
[TS.23401]. However, there is no standardized method to block such allow tracking of subscribers, and therefore use of IMSI (or any
misbehaving UEs. [TS.23003] defined identity) as the Interface Identifier is
prohibited [TS.23401]. However, there is no standardized method to
block such misbehaving UEs.
11. Summary and Conclusion 11. Summary and Conclusion
The 3GPP network architecture and specifications enable the The 3GPP network architecture and specifications enable the
establishment of IPv4 and IPv6 connections through the use of establishment of IPv4 and IPv6 connections through the use of
appropriate PDP context types. The current generation of deployed appropriate PDP context types. The current generation of deployed
networks can support dual-stack connectivity if the packet core networks can support dual-stack connectivity if the packet core
network elements such as the SGSN and GGSN have the capability. With network elements such as the SGSN and GGSN have the capability. With
Release-8, 3GPP has specified a more optimal PDP context type which Release-8, 3GPP has specified a more optimal PDP context type which
enables the transport of IPv4 and IPv6 packets within a single PDP enables the transport of IPv4 and IPv6 packets within a single PDP
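Review bot: the rewritten opening of Section 10 says the document "does not introduce any security related concerns" and then lists several, and the sentence that follows is a run-on with two grammar slips ("prior Release-8", "discusses few additional"); suggest "This document does not introduce any new security concerns beyond those already discussed in Section 5 of [RFC3316] for 3GPP networks prior to Release-8. This section discusses a few additional concerns to take into consideration." In the rewritten on-link paragraph, "due the nature" should be "due to the nature", and "the fact the UE and the first hop router (PGW/GGSN or SGW) being the only nodes on the link" should be "the fact that the UE and the first hop router (PGW/GGSN or SGW) are the only nodes on the link". Since the link-local Interface Identifier is supplied by the network through layer-2 signaling (page 15 region of this diff), the IMSI-derived identifier concern in the last paragraph applies to the other addresses the UE configures; stating that scope, and that the [TS.23401] prohibition is a UE-side requirement, would make "there is no standardized method to block such misbehaving UEs" clearer.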
skipping to change at page 31, line 14 skipping to change at page 31, line 18
maintaining the fall back to IPv4 capability. Enabling IPv6 maintaining the fall back to IPv4 capability. Enabling IPv6
connectivity in the 3GPP networks by itself will provide some degree connectivity in the 3GPP networks by itself will provide some degree
of relief to the IPv4 address space as many of the applications and of relief to the IPv4 address space as many of the applications and
services can start to work over IPv6. However without comprehensive services can start to work over IPv6. However without comprehensive
testing of different applications and solutions that exist today and testing of different applications and solutions that exist today and
are widely used, for their ability to operate over IPv6 PDN are widely used, for their ability to operate over IPv6 PDN
connections, an IPv6-only access would cause disruptions. connections, an IPv6-only access would cause disruptions.
12. Acknowledgements 12. Acknowledgements
The authors thank Shabnam Sultana, Sri Gundavelli, Hui Deng, and The authors thank Shabnam Sultana, Sri Gundavelli, Hui Deng,
Zhenqiang Li, Mikael Abrahamsson, James Woodyatt, Martin Thomson, Zhenqiang Li, Mikael Abrahamsson, James Woodyatt, Martin Thomson,
Russ Mundy, Cameron Byrne, Ales Vizdal and Frank Brockners for their Russ Mundy, Cameron Byrne, Ales Vizdal, Frank Brockners, Adrian
reviews and comments on this document. Farrel, Stephen Farrell, and Jari Arkko for their reviews and
comments on this document.
13. Informative References 13. Informative References
[GSMA.IR.34] [GSMA.IR.34]
GSMA, "Inter-PLMN Backbone Guidelines", GSMA GSMA, "Inter-PLMN Backbone Guidelines", GSMA
PRD IR.34.4.9, March 2010. PRD IR.34.4.9, March 2010.
[I-D.ietf-dhc-pd-exclude] [I-D.ietf-dhc-pd-exclude]
Korhonen, J., Savolainen, T., Krishnan, S., and O. Troan, Korhonen, J., Savolainen, T., Krishnan, S., and O. Troan,
"Prefix Exclude Option for DHCPv6-based Prefix "Prefix Exclude Option for DHCPv6-based Prefix
 End of changes. 11 change blocks. 
26 lines changed or deleted 32 lines changed or added
