One document matched: draft-ietf-mobileip-challenge-08.txt
Differences from draft-ietf-mobileip-challenge-07.txt
Mobile IP Working Group Charles E. Perkins
INTERNET DRAFT Nokia Research Center
6 January 2000 Pat R. Calhoun
Sun Microsystems Laboratories
Mobile IP Challenge/Response Extensions
draft-ietf-mobileip-challenge-08.txt
Status of This Memo
This document is a submission by the mobile-ip Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the MOBILE-IP@STANDARDS.NORTELNETWORKS.COM mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at:
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at:
http://www.ietf.org/shadow.html.
Abstract
Mobile IP, as originally specified, defines an authentication
extension (the Mobile-Foreign Authentication extension) by
which a mobile node can authenticate itself to a foreign agent.
Unfortunately, this extension does not provide ironclad replay
protection for the foreign agent, and does not allow for the use
of existing techniques (such as CHAP) for authenticating portable
computer devices. In this specification, we define extensions for
the Mobile IP Agent Advertisements and the Registration Request
that allow a foreign agent to use a challenge/response mechanism to
authenticate the mobile node.
Perkins, Calhoun Expires 6 July 2000 [Page i]
Internet Draft Mobile IP Challenge/Response 6 January 2000
1. Introduction
Mobile IP, as originally specified, defines an authentication
extension (the Mobile-Foreign Authentication extension) by
which a mobile node can authenticate itself to a foreign agent.
Unfortunately, this extension does not provide ironclad replay
protection, from the point of view of the foreign agent, and does
not allow for the use of existing techniques (such as CHAP [15]) for
authenticating portable computer devices. In this specification,
we define extensions for the Mobile IP Agent Advertisements and
the Registration Request that allow a foreign agent to a use
challenge/response mechanism to authenticate the mobile node.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
2. Mobile IP Agent Advertisement Challenge Extension
This section defines a new extension to the Router Discovery
Protocol [5] for use by foreign agents that need to issue a challenge
for authenticating mobile nodes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Challenge ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The Challenge Extension
Type 24
Length The length of the Challenge value in octets; MUST be
at least 16
Challenge A random value of at least 128 bits.
The Challenge extension, illustrated in figure 1, is inserted
in the Agent Advertisements by the Foreign Agent, in order to
communicate the latest challenge value that can be used by the mobile
node to compute an authentication for its registration request
message. The challenge is selected by the foreign agent to provide
local assurance that the mobile node is not replaying any earlier
registration request. Eastlake, et al. [6] provides more information
Perkins, Calhoun Expires 6 July 2000 [Page 1]
Internet Draft Mobile IP Challenge/Response 6 January 2000
on generating pseudo-random numbers suitable for use as values for
the challenge.
3. Operation
This section describes modifications to the Mobile IP registration
process which may occur after the Foreign Agent issues a Mobile IP
Agent Advertisement containing the Challenge on its local link.
3.1. Mobile Node Processing for Registration Requests
Whenever the Agent Advertisement contains the Challenge extension,
if the mobile node does not have a security association with the
Foreign Agent, then it MUST include the Challenge value in a MN-FA
Challenge extension to the Registration Request message. If, on
the other hand, the mobile node does have a security association
with the foreign agent, it SHOULD include the Challenge value in its
Registration Request message.
If the Mobile Node has a security association with the Foreign
Agent, it MUST include a Mobile-Foreign Authentication extension
in its Registration Request message, according to the base
Mobile IP specification [12]. When the Registration Request
contains the MN-FA Challenge extension specified in section 4, the
Mobile-Foreign Authentication MUST follow the Challenge extension in
the Registration Request.
If the Mobile Node does not have a security association with the
Foreign Agent, the Mobile Node MUST include the MN-AAA Authentication
extension as defined in section 6. In addition, the Mobile
Node SHOULD include the NAI extension [4], to enable the foreign
agent to make use of any available verification infrastructure.
The SPI field of the MN-AAA Authentication extension specifies
the particular secret and algorithm (shared between the Mobile
Node and the verification infrastructure) that must be used
to perform the authentication. If the SPI value is chosen as
CHAP_SPI (see section 9), then the mobile node specifies CHAP-style
authentication [15] using MD5 [14].
In either case, the MN-FA Challenge extension and one of the above
specified authentication extensions MUST follow the Mobile-Home
Authentication extension, if present.
A successful Registration Reply from the Foreign Agent MAY include
a new Challenge value (see section 3.3). The Mobile Node MAY use
either the value found in the latest Advertisement, or the one found
in the last Registration Reply from the Foreign Agent. This approach
Perkins, Calhoun Expires 6 July 2000 [Page 2]
Internet Draft Mobile IP Challenge/Response 6 January 2000
enables the Mobile Node to make use of the challenge without having
to wait for advertisements.
A Mobile Node might receive an UNKNOWN_CHALLENGE error (see
section 9) if it moves to a new Foreign Agent that cannot validate
the challenge provided in the Registration Request. In such
instances, the Mobile Node MUST use a new Challenge value in any new
registration, obtained either from an Agent Advertisement, or from a
Challenge extension to the Registration Reply containing the error.
A Mobile Node that does not include a Challenge when the
Mobile-Foreign Authentication extension is present may receive a
MISSING_CHALLENGE (see section 10) error. In this case, the foreign
agent will not process the request from the mobile node unless the
request contains a valid Challenge.
3.2. Foreign Agent Processing for Registration Requests
Upon receipt of the Registration Request, if the Foreign Agent has
issued a Challenge as part of its Agent Advertisements, and it does
not have a security association with the mobile node, then the
Foreign Agent MUST check that the MN-FA Challenge extension exists,
and that it contains a challenge value previously unused by the
Mobile Node. This ensures that the mobile node is not attempting
to replay a previous advertisement and authentication. If the
challenge extension is needed and does not exist, the Foreign Agent
MUST send a Regstration Reply to the mobile node with the error code
MISSING_CHALLENGE.
A foreign agent that sends Agent Advertsements containing a Challenge
value MAY send a Registration Reply message with a MISSING_CHALLENGE
error if the mobile node sends a Registration Request with a
Mobile-Foreign Authentication extension without including a
Challenge. In other words, such a foreign agent MAY refuse to
process a Registration Request request from the mobile node unless
the request contains a valid Challenge.
If a mobile node retransmits a Registration Request with the same
Identification field and the same Challenge extension, and the
Foreign Agent still has a pending Registration Request record
in effect for the mobile node, then the Foreign Agent forwards
the Registration Request to the Home Agent again. In all other
circumstances, if the Foreign Agent receives a Registration
Request with a Challenge extension containing a Challenge value
previously used by that mobile node, the Foreign Agent SHOULD send
a Registration Reply to the mobile node containing the Code value
STALE_CHALLENGE.
Perkins, Calhoun Expires 6 July 2000 [Page 3]
Internet Draft Mobile IP Challenge/Response 6 January 2000
The Foreign Agent MUST NOT accept any Challenge in the Registration
Request unless it was offered in last successful Registration Reply
issued to the Mobile Node, or else advertised as one of the last
CHALLENGE_WINDOW (see section 9) Challenge values inserted into the
immediately preceding Agent advertisements. If the Challenge is not
one of the recently advertised values, the foreign Agent SHOULD send
a Registration Reply with Code UNKNOWN_CHALLENGE (see section 10).
Furthermore, the Foreign Agent MUST check that there is either a
Mobile-Foreign, or a MN-AAA Authentication after the Challenge
extension. Any registration message containing the Challenge
extension without either of these authentication extensions MUST
be silently discarded. If the registration message contains
a Mobile-Foreign Authentication extension with an incorrect
authenticator that fails verification, the Foreign Agent MAY
send a Registration Reply to the mobile node with Code value
BAD_AUTHENTICATION (see Section 10).
If MN-AAA Authentication extension (see Section 6) is present in
the message, or if an NAI extension is included indicating that
the mobile node belongs to a different administrative domain, the
foreign agent may take actions outside the scope of this protocol
specification to carry out the authentication of the mobile node.
The appendix provides an example of an action that could be taken by
a foreign agent.
Since the Challenge extension, and the authentication extension that
is used by the Mobile Node to satisfy the challenge, both follow
the Mobile-Home Authentication extension whenever the latter is
present, the Foreign Agent MAY remove the Challenge Extension and
the applicable authentication from the Registration Request without
disturbing the authentication value computed by the Mobile Node for
use by the Home Agent.
If the Foreign Agent does not remove those extensions, then the
Foreign Agent SHOULD store the Challenge value as part of the pending
registration request list [12]. Also in this case, the Foreign Agent
MUST reject any Registration Reply message coming from the Home Agent
that does not also include the Challenge Extension with the same
Challenge Value that was included in the Registration Request. The
Foreign Agent MUST send the rejected Registration message to the
mobile node, and change the status in the Registration Reply to the
value MISSING_CHALLENGE (see section 10).
If the Foreign Agent does remove the Challenge extension and
applicable authentication from the Registration Request message,
then it SHOULD insert the Identification field from the Registration
Request message along with its record-keeping information about the
particular Mobile Node in order to protect against replays.
Perkins, Calhoun Expires 6 July 2000 [Page 4]
Internet Draft Mobile IP Challenge/Response 6 January 2000
3.3. Foreign Agent Processing for Registration Replies
The Foreign Agent MAY include a new Challenge extension in any
Registration Reply, successful or not. If the foreign agent includes
this extension in a successful Registration Reply, the extension
SHOULD precede a MN-FA authentication extension.
Suppose the Registration Reply includes a Challenge extension from
the Home Agent, and the foreign agent wishes to include another
Challenge extension with the Registration Reply for use by the mobile
node. In that case, the foreign agent MUST delete the Challenge
extension from the Home Agent from the Registration Reply, along
with any FA-HA authentication extension, before appending the new
Challenge extension to the Registration Reply.
3.4. Home Agent Processing for the Challenge Extensions
If the Home Agent receives a Registration Request with the MN-FA
Challenge extension, and recognizes the extension, the Home Agent
MUST include the Challenge extension in the Registration Reply.
The Challenge Extension MUST be placed after the Mobile-Home
authentication extension, and the extension SHOULD be authenticated
by a Foreign-Home Authentication extension.
Since the extension type for the Challenge extension is within the
range 128-255, the Home Agent MUST process such a Registration
Request even if it does not recognize the Challenge extension [12].
In this case, the Home Agent will send a Registration Reply to the
Foreign Agent that does not include the Challenge extension.
4. MN-FA Challenge Extension
This section specifies a new Mobile IP Registration extension that is
used to satisfy a Challenge in an Agent Advertisement. The Challenge
extension to the Registration Request message is used to indicate the
challenge that the mobile node is attempting to satisfy.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Challenge...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The MN-FA Challenge Extension
Perkins, Calhoun Expires 6 July 2000 [Page 5]
Internet Draft Mobile IP Challenge/Response 6 January 2000
Type 132 (skippable) (see [12])
Length MUST be at least 16
Challenge The Challenge field is copied from the Challenge field
found in the Agent Advertisement Challenge extension
(see section 2).
5. Generalized Mobile IP Authentication Extension
Several new authentication extensions have been designed for various
control messages proposed for extensions to Mobile IP (see, for
example, [13]). A new authentication extension is required for a
mobile node to present its credentials to any other entity other
than the ones already defined; the only entities defined in the base
Mobile IP specification [12] are the home agent and the foreign
agent. It is the purpose of the generalized authentication extension
defined here to collect together data for all such new authentication
applications into a single extension type with subtypes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Subtype | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: The Generalized Mobile IP Authentication Extension
Perkins, Calhoun Expires 6 July 2000 [Page 6]
Internet Draft Mobile IP Challenge/Response 6 January 2000
Type 36 (not skippable) (see [12])
Subtype a number assigned to identify the kind of
endpoints or characteristics of the particular
authentication strategy
Length 4 plus the number of bytes in the Authenticator;
MUST be at least 20.
SPI Security Parameters Index
Authenticator The variable length Authenticator field
In this document, only one subtype is defined:
1 MN-AAA Authentication subtype (see section 6)
6. MN-AAA Authentication subtype
The Generalized Authentication extension with subtype 1 will be
referred to as a MN-AAA Authentication extension. If the mobile node
does not include a Mobile-Foreign Authentication [12] extension,
then it MUST include the MN-AAA Authentication extension whenever
the Challenge extension is present. If the MN-AAA Authentication
extension is present, then the Registration Message MAY be sent by
the mobile node without containing the Mobile-HA Authentication
extension [12]. The mobile node MAY include a MN-AAA Authentication
extension in any Registration Request.
The default algorithm for computation of the authenticator is
MD5 [14] computed on the following data, in the order shown:
Key || Preceding Mobile IP data ||
Type, Subtype, Length, SPI || Key
where the Type, Length, Subtype, and SPI are as shown in
section 5. Each mobile node MUST support the ability to produce the
authenticator by using MD5 as shown (known as "prefix+suffix" mode).
Just as with Mobile IP, this default algorithm MUST be able to be
configured for selection at any arbitrary 32-bit SPI outside of the
SPIs in the reserved range 0-255.
7. Reserved SPIs for Mobile IP
Mobile IP defines several authentication extensions for use in
Registration Requests and Replies. Each authentication extension
carries a Security Parameters Index (SPI) which should be used to
Perkins, Calhoun Expires 6 July 2000 [Page 7]
Internet Draft Mobile IP Challenge/Response 6 January 2000
index a table of security associations. Values in the range 0 - 255
are reserved for special use. A list of reserved SPI numbers is to
be maintained by IANA at the following URL:
http://www.isi.edu/in-notes/iana/assignments/mobileip-numbers
8. SPI For RADIUS AAA Servers
Some AAA servers only admit a single security association, and thus
do not use the SPI numbers for Mobile IP authentication extensions
for use when determining the security association that would be
necessary for verifying the authentication information included with
the Authentication extension.
SPI number CHAP_SPI (see section 9) is reserved (see section 7) for
indicating the following procedure for computing authentication data
(called the "authenticator"), which is used by many RADIUS servers
today.
To compute the authenticator, apply MD5 [14] computed on the
following data, in the order shown:
High-order byte from Challenge || Key ||
MD5(Preceding Mobile IP data ||
Type, Subtype (if present), Length, SPI ||
Least-order 237 bytes from Challenge
where the Type, Length, SPI, and possibly Subtype, are the fields
of the authentication extension in use. For instance, all four of
these fields would be in use when SPI == CHAP_SPI is used with the
Generalized Authentication extension. Since the RADIUS protocol
cannot carry attributes greater than 253 in size, the preceding
Mobile IP data, type, subtype (if present), length and SPI are
hashed using MD5. Finally, the least significant 237 octets of the
challenge are concatenated.
9. Configurable Parameters
Every Mobile IP agent supporting the extensions defined in this
document SHOULD be able to configure each parameter in the following
table. Each table entry contains the name of the parameter, the
default value, and the section of the document in which the parameter
first appears.
Parameter Name Default Value Section(s) of Document
-------------- ------------- ----------------------
CHALLENGE_WINDOW 2 3.2
Perkins, Calhoun Expires 6 July 2000 [Page 8]
Internet Draft Mobile IP Challenge/Response 6 January 2000
CHAP_SPI TBD 8,11
10. Error Values
Each entry in the following table contains the name of Code [12] to
be returned in a Registration Reply, the value for the Code, and the
section in which the error is first mentioned in this specification.
Error Name Value Section of Document
---------------------- ----- -------------------
UNKNOWN_CHALLENGE 104 3.2
BAD_AUTHENTICATION 67 3.2 - also see [12]
MISSING_CHALLENGE 105 3.1,3.2
STALE_CHALLENGE 106 3.2
11. IANA Considerations
The number for the Mobile IP Agent Advertisement Challenge extension
(section 2) is taken from the numbering space defined for Mobile
IP [12] extensions to the ICMP Router Advertisements [5]. The number
for the MN-FA Challenge extension (section 4) and the Generalized
Authentication extension (section 5) is taken from the numbering
space defined for Mobile IP registration extensions [12] as extended
for reverse tunnels [9], and the Mobile IP Network Address Identifier
Extension specification [4]. The numbering for the extensions SHOULD
NOT conflict with values specified in the Internet Draft for Route
Optimization [13]. The Code values specified for errors, listed
in section 10, MUST NOT conflict with any other code values listed
in RFC 2002, RFC 2344 [9], or RFC 2356 [10], or the abovementioned
Internet Drafts. These code values are to be taken from the space of
error values conventionally associated with rejection by the foreign
agent (i.e., 64-127).
A new section for enumerating algorithms identified by specific SPIs
within the range 0-255 is to be added to
http://www.isi.edu/in-notes/iana/assignments/mobileip-numbers.
The CHAP_SPI number discussed in section 8 is to be assigned from
this range of reserved SPI numbers. New assignments from this
reserved range must be specified and approved by the Mobile IP
working group. SPI number 1 should not be assigned unless in the
future the Mobile IP working group decides that SKIP is not important
for enumeration in the list of reserved numbers. SPI number 0 should
not be assigned.
Perkins, Calhoun Expires 6 July 2000 [Page 9]
Internet Draft Mobile IP Challenge/Response 6 January 2000
A new number space is to be created for enumerating subtypes of the
Generalized Authentication extension (see section 5). New subtypes
of the Generalized Authentication extension, other than that for
the MN-AAA authentication extension specified in section 6, must be
specified and approved by the Mobile IP working group.
12. Security Considerations
In the event that a malicious mobile node attempts to replay the
authenticator for an old MN-FA Challenge, the Foreign Agent would
detect it since the agent always checks whether it has recently
advertised the Challenge (see section 3.2). Allowing mobile nodes
with different IP addresses or NAIs to use the same Challenge
value does not represent a security vulnerability, because the
authentication data provided by the mobile node will be computed over
data that is different (at least by the bytes of the mobile nodes' IP
addresses).
Whenever a Foreign Agent updates a field of the Registration Reply
(as suggested in section 3.2), it invalidates the authentication data
supplied by the Home Agent in the MN-HA Authentication extension to
the Registration Reply. Thus, this opens up a security exposure
whereby a node might try to supply a bogus Registration Reply to a
mobile node that causes the mobile node to act as if its Registration
Reply were rejected. This might happen when, in fact, a Registration
Reply showing acceptance of the registration might soon be received
by the mobile node.
13. IPv6 Considerations
For use with IPv6 mobility [7], the challenge extension should
be applied to Router Advertisements [11]. In order to check the
response from the mobile node, the router would need to have a
security relationship with either the mobile node, its home agent,
or another entity within the IPv6 security infrastructure. It is
not yet known which security model would be more appropriate, or
whether it would make the most sense to enable maximum flexibility by
specifying the protocol for each case.
14. Acknowledgements
The authors would like to thank Tom Hiller, Mark Munson, the TIA
TR45-6 WG, Gabriel Montenegro, Vipul Gupta, and Pete McCann for their
useful discussions. A recent draft [8] by Mohamed Khalil, Raja
Narayanan, Emad Qaddoura, and Haseeb Akhtar has also suggested the
Perkins, Calhoun Expires 6 July 2000 [Page 10]
Internet Draft Mobile IP Challenge/Response 6 January 2000
definition of a generalized authentication extension similar to the
specification contained in section 5.
References
[1] S. Bradner. Key words for use in RFCs to Indicate Requirement
Levels. Request for Comments (Best Current Practice) 2119,
Internet Engineering Task Force, March 1997.
[2] P. Calhoun and C. Perkins. DIAMETER Mobile IP Extensions.
Internet Draft, Internet Engineering Task Force.
draft-calhoun-diameter-mobileip-01.txt, November 1998. Work in
progress.
[3] P. Calhoun and A. Rubens. DIAMETER Base Protocol. Internet
Draft, Internet Engineering Task Force.
draft-calhoun-diameter-07.txt, November 1998. Work in progress.
[4] Pat R. Calhoun and Charles E. Perkins. Mobile IP Network
Address Identifier Extension.
draft-ietf-mobileip-mn-nai-05.txt, October 1999. (work in
progress).
[5] S. Deering. ICMP Router Discovery Messages. Request for
Comments (Proposed Standard) 1256, Internet Engineering Task
Force, September 1991.
[6] D. Eastlake, 3rd, S. Crocker, and J. Schiller. Randomness
Recommendations for Security. Request for Comments
(Informational) 1750, Internet Engineering Task Force, December
1994.
[7] D. Johnson and C. Perkins. Mobility Support in IPv6.
draft-ietf-mobileip-ipv6-08.txt, June 1999. (work in progress).
[8] Mohamed Khalil, Raja Narayanan, Emad Qaddoura, and Haseeb
Akhtar. Mobile IP Extensions Rationalization (MIER).
draft-ietf-mobileip-mier-00.txt, December 1999. (work in
progress).
[9] G. Montenegro. Reverse Tunneling for Mobile IP. Request for
Comments (Proposed Standard) 2344, Internet Engineering Task
Force, May 1998.
[10] G. Montenegro and V. Gupta. Sun's SKIP Firewall Traversal for
Mobile IP. Request for Comments (Informational) 2356, Internet
Engineering Task Force, June 1998.
Perkins, Calhoun Expires 6 July 2000 [Page 11]
Internet Draft Mobile IP Challenge/Response 6 January 2000
[11] T. Narten, E. Nordmark, and W. Simpson. Neighbor Discovery for
IP Version 6 (IPv6). Request for Comments (Draft Standard)
2461, Internet Engineering Task Force, December 1998.
[12] C. Perkins. IP Mobility Support. Request for Comments
(Proposed Standard) 2002, Internet Engineering Task Force,
October 1996.
[13] C. Perkins and D. Johnson. Route Optimization in Mobile IP.
Internet Draft, Internet Engineering Task Force.
draft-ietf-mobileip-optim-08.txt, February 1999. Work in
progress.
[14] R. Rivest. The MD5 Message-Digest Algorithm. Request for
Comments (Informational) 1321, Internet Engineering Task Force,
April 1992.
[15] W. Simpson. PPP Challenge Handshake Authentication Protocol
(CHAP). Request for Comments (Draft Standard) 1994, Internet
Engineering Task Force, August 1996.
Perkins, Calhoun Expires 6 July 2000 [Page 12]
Internet Draft Mobile IP Challenge/Response 6 January 2000
A. Verification Infrastructure
The Challenge extensions in this protocol specification are expected
to be useful to help the Foreign Agent manage connectivity for
visiting mobile nodes, even in situations where the foreign agent
does not have any security association with the mobile node or the
mobile node's home agent. In order to carry out the necessary
authentication, it is expected that the foreign agent will need the
assistance of external administrative systems, which have come to be
called AAA systems. For the purposes of this document, we call the
external administrative support the "verification infrastructure".
The verification infrastructure is described to motivate the design
of the protocol elements defined in this document, and is not
strictly needed for the protocol to work. The foreign agent is free
to use any means at its disposal to verify the credentials of the
mobile node. This could, for instance, rely on a separate protocol
between the foreign agent and the Mobile IP home agent, and still be
completely invisible to the mobile node.
In order to verify the credentials of the mobile node, we imagine
that the foreign agent has access to a verification infrastructure
that can return a secure notification to the foreign agent that
the authentication has been performed, along with the results of
that authentication. This infrastructure may be visualized as
shown in figure 4. For an example of another protocol that has
been specified to actually carry out the challenge verification
operations, see [3, 2].
+----------------------------------------------------+
| |
| Verification and Key Management Infrastructure |
| |
+----------------------------------------------------+
^ | ^ |
| | | |
| v | v
+---------------+ +---------------+
| | | |
| Foreign Agent | | Home Agent |
| | | |
+---------------+ +---------------+
Figure 4: The Verification Infrastructure
Perkins, Calhoun Expires 6 July 2000 [Page 13]
Internet Draft Mobile IP Challenge/Response 6 January 2000
After the foreign agent gets the Challenge authentication, it MAY
pass the authentication to the (here unspecified) infrastructure,
and await a Registration Reply. If the Reply has a positive status
(indicating that the registration was accepted), the foreign agent
accepts the registration. If the Reply contains the Code value
BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions
indicated for rejected registrations.
Implicit in this picture, is the important observation that the
Foreign Agent and the Home Agent have to be equipped to make use
of whatever protocol is made available to them by the challenge
verification and key management infrastructure shown in the figure.
The protocol messages for handling the authentication within the
verification infrastructure, and identity of the agent performing the
verification of the Foreign Agent challenge, are not specified in
this document, because those operations do not have to be performed
by any Mobile IP entity.
Addresses
The working group can be contacted via the current chairs:
Basavaraj Patil Phil Roberts
Nortel Networks Inc. Motorola
2201 Lakeside Blvd. 1501 West Shure Drive
Richardson, TX. 75082-4399 Arlington Heights, IL 60004
USA USA
Phone: +1 972-684-1489 Phone: +1 847-632-3148
EMail: bpatil@nortelnetworks.com EMail: QA3445@email.mot.com
Questions about this memo can be directed to:
Charles E. Perkins Pat R. Calhoun
Nokia Research Center Sun Microsystems Laboratories
313 Fairchild Drive 15 Network Circle
Mountain View, California 94043 Menlo Park, California 94025
USA USA
Phone: +1-650 625-2986 Phone: +1 650-786-7733
EMail: charliep@iprg.nokia.com EMail: pcalhoun@eng.sun.com
Fax: +1 650 625-2502 Fax: +1 650-786-6445
Perkins, Calhoun Expires 6 July 2000 [Page 14]
| PAFTECH AB 2003-2026 | 2026-04-21 09:28:12 |