Description
MOBIKE (IKEv2 Mobility and Multihoming Protocol) is a standards-based protocol defined by the IETF and adopted within 3GPP systems. It extends the core IKEv2 protocol, which is responsible for mutual authentication and establishment of IPsec Security Associations (SAs). The primary function of MOBIKE is to enable an established IKEv2 session and its associated IPsec Child SAs to remain active even when the IP addresses of one or both endpoints change. This is achieved through a lightweight update mechanism rather than a full re-negotiation.
Architecturally, MOBIKE operates within the IKEv2 protocol stack. MOBIKE-enabled peers exchange a new Notify payload, UPDATE_SA_ADDRESSES, carried in an IKEv2 INFORMATIONAL exchange. When a mobile node detects a change in its IP address (e.g., due to a handover), it sends this UPDATE_SA_ADDRESSES message to its peer from the new address, informing it of the change. The peer acknowledges the update, and both sides then redirect the IPsec ESP/AH traffic to the new source/destination addresses. The IKEv2 SA itself, which contains the cryptographic keys and identities, remains unchanged. This process preserves the session state and avoids the computational overhead and service interruption of a full IKE_SA_INIT and IKE_AUTH exchange.
Key components in a MOBIKE transaction are the MOBIKE-capable IKEv2 initiator and responder. The protocol includes mechanisms for path testing (return routability checks) to verify that the new address is actually reachable before traffic is redirected to it, which also prevents the update from being abused to flood a third party's address. It also supports Network Address Translation (NAT) traversal scenarios. Within 3GPP, MOBIKE is particularly relevant for scenarios such as non-3GPP access (e.g., untrusted WLAN) integration with the 5G Core, where a UE uses IPsec tunnels via an N3IWF. As the UE moves, MOBIKE allows the IPsec tunnel between the UE and the N3IWF to be maintained seamlessly across IP address changes, ensuring continuous secure access to 5G core network services.
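To make the exchange above concrete, here is a small in-process model of a MOBIKE address update between a UE and an N3IWF. It is an added illustration written for this page, not code from 3GPP, the IETF, or any IKEv2 implementation; the SPI, keying material, addresses and message field names are constructed for the example. It shows the two points the text makes: the IKE SA keys never change, and the responder only redirects ESP traffic after the new address passes a COOKIE2 return routability check.

```python
"""Toy model of a MOBIKE address update (added illustration, not code from 3GPP,
the IETF or any IKEv2 implementation). Both peers run in-process; SPIs, keys
and addresses are constructed sample values."""
import os
from dataclasses import dataclass

@dataclass
class IkeSa:
    spi: bytes
    sk: bytes                  # derived keying material: never touched by MOBIKE
    local_addr: str
    ike_peer_addr: str         # where IKE messages go (updated at once)
    esp_peer_addr: str         # where ESP goes (only after the routability check)
    pending_cookie2: bytes = b""

def build_update(sa, new_addr):
    """Initiator (UE): after a handover, send UPDATE_SA_ADDRESSES from the new address."""
    sa.local_addr = new_addr
    return {"spi": sa.spi, "src": new_addr, "notify": "UPDATE_SA_ADDRESSES"}

def handle_update(sa, msg):
    """Responder (N3IWF): move the IKE path, then start a COOKIE2 return routability check."""
    if msg["spi"] != sa.spi or msg["notify"] != "UPDATE_SA_ADDRESSES":
        raise ValueError("not an UPDATE_SA_ADDRESSES for this IKE SA")
    sa.ike_peer_addr = msg["src"]
    sa.pending_cookie2 = os.urandom(8)
    return {"spi": sa.spi, "dst": sa.ike_peer_addr, "cookie2": sa.pending_cookie2}

def answer_rr_check(sa, msg):
    """Initiator: echo COOKIE2; only a host that receives at the new address can."""
    return {"spi": sa.spi, "src": sa.local_addr, "cookie2": msg["cookie2"]}

def confirm_rr_check(sa, msg):
    """Responder: redirect ESP only on a matching echo, so the update cannot be
    used to flood an address the sender does not control."""
    if not sa.pending_cookie2 or msg.get("cookie2") != sa.pending_cookie2:
        return False
    sa.esp_peer_addr, sa.pending_cookie2 = msg["src"], b""
    return True

def run_handover(new_addr, forge_echo=False):
    """Drive one handover; returns (ue_sa, n3iwf_sa, check_passed)."""
    spi, key = os.urandom(8), os.urandom(32)
    ue = IkeSa(spi, key, "10.0.0.5", "203.0.113.1", "203.0.113.1")
    n3iwf = IkeSa(spi, key, "203.0.113.1", "10.0.0.5", "10.0.0.5")
    echo = answer_rr_check(ue, handle_update(n3iwf, build_update(ue, new_addr)))
    if forge_echo:               # echo from a party that never saw COOKIE2
        echo["cookie2"] = b"\x00" * 8
    return ue, n3iwf, confirm_rr_check(n3iwf, echo)
```

A real implementation additionally has to handle NAT detection and path-failure probing; the model keeps only the address-update and routability-check steps the section describes.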
Purpose & Motivation
MOBIKE was created to solve a fundamental problem with traditional IPsec VPNs: they are brittle in mobile environments. Standard IKEv2 binds Security Associations to specific IP addresses. If a client's IP address changes—a common occurrence for a device moving between Wi-Fi networks or performing a cellular handover—the existing IPsec SAs become invalid, and the VPN connection drops. This forces a full VPN reconnection, causing service disruption, increased signaling load, and poor user experience.
The protocol addresses the limitations of previous approaches by decoupling the IKEv2 security association from the specific endpoint IP addresses. Before MOBIKE, workarounds involved using stable virtual IP addresses or Mobile IP, which added complexity. MOBIKE integrates mobility support directly into IKEv2, providing a standardized, lightweight solution. Its adoption in 3GPP, notably from Release 8 for early EPS/SAE architectures and reinforced in later releases for 5G, was motivated by the need for secure, seamless mobility across heterogeneous access networks. It enables always-on VPNs for corporate access and is essential for the 5G architecture's convergence of 3GPP and non-3GPP access, allowing a UE to maintain a persistent secure connection to the core network regardless of access technology changes.
Key Features
- Enables IPsec SA survivability across IP address changes
- Uses lightweight UPDATE_SA_ADDRESSES signaling instead of full IKE renegotiation
- Includes return routability checks for security and reachability verification
- Supports NAT traversal scenarios
- Maintains IKEv2 session state and cryptographic keys during mobility
- Essential for seamless mobility in 3GPP-non-3GPP interworking (e.g., via N3IWF)
Evolution Across Releases
MOBIKE was initially adopted into 3GPP for the Evolved Packet System (EPS), where it was specified for use with IPsec tunnels in early non-3GPP access integration scenarios (e.g., via the ePDG), providing a standardized mechanism for maintaining VPN tunnels during mobility events for trusted and untrusted non-3GPP access.
Defining Specifications
| Specification | Reference |
|---|---|
| TS 24.554 | 3GPP TS 24.554 |
| TR 33.822 | 3GPP TR 33.822 |
| TR 33.938 | 3GPP TR 33.938 |