Description
MOBIKE (IKEv2 Mobility and Multihoming Protocol) is a standards-based protocol defined by the IETF and adopted within 3GPP systems. It extends the core IKEv2 protocol, which is responsible for mutual authentication and establishment of IPsec Security Associations (SAs). The primary function of MOBIKE is to enable an established IKEv2 session and its associated IPsec Child SAs to remain active even when the IP addresses of one or both endpoints change. This is achieved through a lightweight update mechanism rather than a full re-negotiation.
Architecturally, MOBIKE operates within the IKEv2 protocol stack. The MOBIKE-enabled peers exchange new informational payloads, namely the UPDATE_SA_ADDRESSES notification. When a mobile node detects a change in its IP address (e.g., due to a handover), it sends this UPDATE_SA_ADDRESSES message to its peer, informing it of the new address. The peer acknowledges the update, and both sides then redirect the IPsec ESP/AH traffic to the new source/destination addresses. The IKEv2 SA itself, which contains the cryptographic keys and identities, remains unchanged. This process preserves the session state and avoids the computational overhead and service interruption of a full IKE_SA_INIT and IKE_AUTH exchange.
Key components in a MOBIKE transaction are the MOBIKE-supported IKEv2 initiator and responder. The protocol includes mechanisms for path testing (using return routability checks) to ensure the new address is reachable and to prevent flooding attacks. It also supports Network Address Translation (NAT) traversal scenarios. Within 3GPP, MOBIKE is particularly relevant for scenarios such as Non-3GPP access (e.g., untrusted WLAN) integration with the 5G Core, where a UE uses IPsec tunnels via a N3IWF. As the UE moves, MOBIKE allows the IPsec tunnel between the UE and the N3IWF to be maintained seamlessly across IP address changes, ensuring continuous secure access to 5G core network services.
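The address update and return routability check described above, modelled from the responder's side as an added example (not code from any 3GPP or IETF document). It assumes the responder finishes the path test before redirecting traffic; the SPI, key bytes and addresses are constructed values, and IKEv2 message protection is not modelled.

```python
import hmac
import os
from dataclasses import dataclass
from typing import Optional

COOKIE2 = 16401  # Notify Message Type used for the path test (RFC 4555)

@dataclass
class IkeSa:
    """Responder's view of one IKE SA (model only; no real cryptography)."""
    spi: str                       # constructed value, identifies the IKE SA
    keys: bytes                    # stands in for the negotiated key material
    peer_addr: str                 # address ESP/AH traffic is currently sent to
    pending_addr: Optional[str] = None
    pending_cookie: Optional[bytes] = None

def on_update_sa_addresses(sa: IkeSa, src_addr: str) -> Optional[dict]:
    """Peer announced a new address: keep the old path, challenge the new one."""
    if src_addr == sa.peer_addr:
        return None                                # nothing changed
    sa.pending_addr, sa.pending_cookie = src_addr, os.urandom(16)
    return {"to": src_addr, "notify": COOKIE2, "data": sa.pending_cookie}

def on_cookie2_reply(sa: IkeSa, src_addr: str, data: bytes) -> bool:
    """Move the SA only if the challenge came back from the claimed address."""
    ok = (sa.pending_cookie is not None
          and src_addr == sa.pending_addr
          and hmac.compare_digest(data, sa.pending_cookie))
    if ok:
        sa.peer_addr = src_addr                    # keys and SPI stay untouched
    sa.pending_addr = sa.pending_cookie = None     # each challenge is single use
    return ok

def demo() -> dict:
    sa = IkeSa(spi="spi-0001", keys=b"k" * 32, peer_addr="192.0.2.10")
    keys_before = sa.keys
    # 1) Genuine handover: the peer answers the challenge from its new address.
    probe = on_update_sa_addresses(sa, "198.51.100.20")
    moved = on_cookie2_reply(sa, probe["to"], probe["data"])
    after_move = sa.peer_addr
    # 2) Claimed address the peer cannot receive on: its cookie guess fails.
    on_update_sa_addresses(sa, "203.0.113.99")
    redirected = on_cookie2_reply(sa, "203.0.113.99", b"\x00" * 16)
    return {"moved": moved, "after_move": after_move, "redirected": redirected,
            "final_addr": sa.peer_addr, "keys_unchanged": sa.keys == keys_before}

if __name__ == "__main__":
    print(demo())
```

The second case is the flooding scenario the path test guards against: without a valid echo of the challenge, traffic keeps flowing to the last verified address.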
Purpose & Motivation
MOBIKE was created to solve a fundamental problem with traditional IPsec VPNs: they are brittle in mobile environments. Standard IKEv2 binds Security Associations to specific IP addresses. If a client's IP address changes—a common occurrence for a device moving between Wi-Fi networks or performing a cellular handover—the existing IPsec SAs become invalid, and the VPN connection drops. This forces a full VPN reconnection, causing service disruption, increased signaling load, and poor user experience.
The protocol addresses the limitations of previous approaches by decoupling the IKEv2 security association from the specific endpoint IP addresses. Before MOBIKE, workarounds involved using stable virtual IP addresses or Mobile IP, which added complexity. MOBIKE integrates mobility support directly into IKEv2, providing a standardized, lightweight solution. Its adoption in 3GPP, notably from Release 8 for early EPS/SAE architectures and reinforced in later releases for 5G, was motivated by the need for secure, seamless mobility across heterogeneous access networks. It enables always-on VPNs for corporate access and is essential for the 5G architecture's convergence of 3GPP and non-3GPP access, allowing a UE to maintain a persistent secure connection to the core network regardless of access technology changes.
Detected Changes Across Releases
From 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (19 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-8, normative work from Rel-17.
In Release 17, the primary update for the MOBIKE function was a clarification of its usage, specifically within the context of supporting Layer-3 UE-to-Network Relay with N3IWF. This work was part of broader enhancements for 5G ProSe relay procedures, including updates to security, QoS handling, and relay selection criteria for scenarios involving the N3IWF.
- Handling of unknown, unforeseen and erroneous protocol data for PC8 interface (TS 24.554 CR0015)
- Transport protocol for PC3ch Control Protocol for 5G ProSe direct communication (TS 24.554 CR0074)
- Procedures for PC3ch Control Protocol for 5G ProSe direct communication (TS 24.554 CR0075)
- Update to Mobility Restrictions for 5G ProSe UE-to-Network Relaying (TS 24.554 CR0023)
- Update to QoS handling for layer-3 relay with N3IWF (TS 24.554 CR0024)
- Release of PC5 link by an L2 remote UE due to mobility management back-off timer (TS 24.554 CR0046)
In Release 18, the MOBIKE function was enhanced to support 5G ProSe layer-3 UE-to-network relaying, including scenarios both with and without Non-3GPP InterWorking Function (N3IWF) support. This enables a remote UE to use IKEv2 mobility procedures to maintain IPsec security associations when connected via a relay UE, including for emergency services. The release also included protocol clarifications and corrections for handling mobility restrictions and erroneous data in these ProSe relay scenarios.
- Providing emergency service using 5G ProSe layer-3 UE-to-network relay with and without N3IWF support (TS 24.554 CR0361)
- PC5 signalling protocol cause update (TS 24.554 CR0305)
- Clarifications related to the handling of the unknown, unforeseen and erroneous of ProSe protocol data (TS 24.554 CR0580)
- Correction to mobility restrictions for 5G ProSe UE-to-network relaying (TS 24.554 CR0445)
In Release 19, the MOBIKE (IKEv2 Mobility and Multihoming Protocol) function was newly added to the protocol inventory list for Proximity-based Services. Furthermore, the release introduced updates to QoS handling specifically for the scenario of a 5G ProSe layer-3 UE-to-network relay when connected via an N3IWF to support 5G ProSe within a Standalone Non-Public Network.
Defining Specifications
3GPP specifications that define or reference MOBIKE, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols | Rel-19 |
| TS 33.822 v1800 | Security Architecture for Inter-Access Mobility | Rel-8 |
| TR 33.938 vj10 | 3GPP Cryptographic Inventory for 5G | Rel-19 |