One document matched: draft-laganier-mext-cga-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc3775 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3775.xml'>
<!ENTITY rfc3971 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3971.xml'>
<!ENTITY rfc3972 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3972.xml'>
<!ENTITY rfc5533 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5533.xml'>
<!ENTITY rfc4866 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4866.xml'>
<!ENTITY rfc4877 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4877.xml'>
<!ENTITY rfc5213 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5213.xml'>
<!ENTITY rfc5648 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5648.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<rfc category="exp" ipr="trust200902">
<!--rfc category="std" ipr="pre5378Trust200902"-->
<front>
<title abbrev="MIPv6 Binding Updates CGA Authorization">
Authorizing Mobile IPv6 Binding Update with Cryptographically Generated Addresses
</title>
<author initials="J." surname="Laganier" fullname="Julien Laganier">
<organization abbrev="Qualcomm Inc.">
Qualcomm Incorporated
</organization>
<address> <postal>
<street>5775 Morehouse Drive
</street>
<city>San Diego</city>
<region>CA</region>
<code>92121</code>
<country>USA</country>
</postal>
<phone>+1 858 658 3538</phone>
<email>julienl@qualcomm.com</email>
</address>
</author>
<date year="2010"/>
<abstract>
<t>
The standard RFC 3775 mechanism to secure Mobile IPv6 Binding Updates
sent by a Mobile Node to its Home Agent relies on the use of a pair of
unidirectional IPsec security associations between these two nodes.
The standard mechanism to secure Mobile IPv6 Binding Updates sent by a
Mobile Node to one of its Correspondent Nodes relies on the use of a
return routability test that involves the Correspondent Node verifying
reachability of the Mobile Node at both its Home Address and its
Care-of Address. The mechanism also requires the correspondent node to
send keying material to both of these addresses.
</t>
<t>
RFC 4866 specifies a standard track mecanism that allows a Mobile Node
that has configured a Cryptographically Generated Address (RFC 3972) as
its Home Address to secure Mobile IPv6 Binding Updates sent its
Correspondent Nodes based on the properties of its Cryptographically
Generated Addresses. Note that Cryptographically Generated Addresses
have also been used to counter similar security issues in the context
of SHIM6 (RFC 5533) and Secure Neighbor Discovery (RFC 3971.)
</t>
<t>
This memo proposes a mechanism that would let a Mobile Node use a
similar mechanism to secure Mobile IPv6 Binding Updates its sent to its
Home Agent with a similar technique based on the use of
Cryptographically Generated Addresses.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The standard <xref target="RFC3775">RFC 3775</xref> mechanism to secure
Mobile IPv6 Binding Updates sent by a Mobile Node to its Home Agent
relies on the use of a pair of unidirectional IPsec security
associations between these two nodes <xref target="RFC4877"/>. The
standard mechanism to secure Mobile IPv6 Binding Updates sent by a
Mobile Node to one of its Correspondent Nodes relies on the use of a
return routability test that involves the Correspondent Node verifying
reachability of the Mobile Node at both its Home Address and its
Care-of Address. The mechanism also requires the correspondent node to
send keying material to both of these addresses.
</t>
<t>
<xref target="RFC4866">RFC 4866</xref> specifies a standard track
mecanism that allows a Mobile Node that has configured a
Cryptographically Generated Address <xref target="RFC3972"/> as its
Home Address to secure Mobile IPv6 Binding Updates sent its
Correspondent Nodes based on the properties of its Cryptographically
Generated Addresses. Note that Cryptographically Generated Addresses
have also been used to counter similar security issues in the context
of SHIM6 <xref target="RFC5533"/> and Secure Neighbor Discovery <xref
target="RFC3971"/>.
</t>
<t>
This memo proposes a mechanism that would let a Mobile Node use a
similar mechanism to secure Mobile IPv6 Binding Updates its sent to its
Home Agent with a similar technique based on the use of
Cryptographically Generated Addresses.
</t>
</section>
<section title="Disclaimer">
<t> This is Internet Draft is Work in Progress. </t>
</section>
<section title="Requirement Levels Key Words">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119"/>.
</t>
</section>
<section title="Terminology">
<t>
Other terms used throughout this document are defined in the
relevant documents: <xref target="RFC3775"/>, <xref
target="RFC4866"/>, <xref target="RFC3972"/>.
</t>
</section>
<section title="Usage Scenario">
<t>
The mechanism described herein is useful in situations where
there is a desire not to depend on IPsec for protection of the
Mobile IPv6 signaling between the Mobile Node and the Home Agent.
</t>
</section>
<section title="Mobile Node Operation">
<t>
A Mobile Node creates and updates a Binding with its Home Agent
by sending a Binding Update to its Home Agent. The Binding
Update MUST include:
<list style="symbols">
<t>a monotically increasing Sequence Number as per <xref target="RFC3775"/>.</t>
<t>a CGA Parameters option for the Cryptographically Generated Home Address of the Mobile Node as per <xref target="RFC4866"/>.</t>
<t>a Timestamp option as per <xref target="RFC5213"/>.</t>
<t>an Alternate Care-of Address option as per <xref target="RFC3775"/>.</t>
<t>a Signature option as per <xref target="RFC4866"/>.</t>
</list>
</t>
</section>
<section title="Home Agent Operation">
<t>
A Home Agent MUST accept a Binding Update from a Mobile Node
and maintain accordingly the corresponding Binding Cache Entry
if the Binding Update includes all of the following:
<list style="symbols">
<t>a valid Sequence Number <xref target="RFC3775"/>. That is, if there is no existing Binding Cache Entry and the Timestamp is valid, the Sequence Number is accepted and recorded in the Binding Cache Entry. If there exists a Binding Cache Entry, the Sequence Number MUST be greater than the value recorded in the Binding Cache Entry.</t>
<t>a CGA Parameters option for the Cryptographically Generated Home Address of the Mobile Node as per <xref target="RFC4866"/>.</t>
<t>a valid Timestamp option <xref target="RFC5213"/>.
That is, if there is no existing Binding Cache
Entry, the time offset between the Timestamp and
local Home Agent clock is recorded in the
Binding Cache Entry. If there exists a Binding
Cache Entry, the Timestamp MUST not differ from
the local Home Agent clock for more than 1.5
times the time offset recorded in the Binding
Cache Entry.</t>
<t>an Alternate Care-of Address option as per <xref target="RFC3775"/>.</t>
<t>a valid Signature option as per <xref target="RFC4866"/>.</t>
</list>
</t>
</section>
<section title="IANA Considerations">
<t>
There are no IANA considerations yet for this specification.
</t>
</section>
<section title="Security Considerations">
<t>
There are no security considerations yet for this document.
</t>
</section>
<section title="Acknowledgment">
<t>
The author acknowledge prior work in the area of Mobile IPv6
security based on Cryptographically Generated Addresses,
Statistically Unique and Crypgraphically Verifiable Identifiers,
and more.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc3775;
&rfc3972;
&rfc4866;
&rfc5213;
</references>
<references title="Informative References">
&rfc3971;
&rfc4877;
&rfc5533;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:59:17 |