draft-ietf-mip4-rfc3012bis-05.txt   rfc4721.txt 
Network Working Group Charles E. Perkins Network Working Group C. Perkins
Internet-Draft Nokia Research Center Request for Comments: 4721 Nokia Research Center
Expires: August 3, 2006 Pat R. Calhoun Obsoletes: 3012 P. Calhoun
Cisco Systems, Inc. Updates: 3344 Cisco Systems, Inc.
Jayshree. Bharatia Category: Standards Track J. Bharatia
Nortel Networks Nortel Networks
January 30, 2006 January 2007
Mobile IPv4 Challenge/Response Extensions (revised)
draft-ietf-mip4-rfc3012bis-05.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at Mobile IPv4 Challenge/Response Extensions (Revised)
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at Status of This Memo
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 3, 2006. This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The IETF Trust (2007).
Abstract Abstract
Mobile IP, as originally specified, defines an authentication Mobile IP, as originally specified, defines an authentication
extension (the Mobile-Foreign Authentication extension) by which a extension (the Mobile-Foreign Authentication extension) by which a
mobile node can authenticate itself to a foreign agent. mobile node can authenticate itself to a foreign agent.
Unfortunately, that extension does not provide the foreign agent any Unfortunately, that extension does not provide the foreign agent any
direct guarantee that the protocol is protected from replays, and direct guarantee that the protocol is protected from replays and does
does not allow for the use of existing techniques (such as CHAP) for not allow for the use of existing techniques (such as Challenge
authenticating portable computer devices. Handshake Authentication Protocol (CHAP)) for authenticating portable
computer devices.
In this specification, we define extensions for the Mobile IP Agent In this specification, we define extensions for the Mobile IP Agent
Advertisements and the Registration Request that allow a foreign Advertisements and the Registration Request that allow a foreign
agent to use a challenge/response mechanism to authenticate the agent to use a challenge/response mechanism to authenticate the
mobile node. mobile node.
Furthermore, this document updates RFC3344 by including new Furthermore, this document updates RFC 3344 by including a new
authentication extension called the Mobile-AAA Authentication authentication extension called the Mobile-Authentication,
extension. This new extension is provided so that a mobile node can Authorization, and Accounting (AAA) Authentication extension. This
supply credentials for authorization using commonly available AAA new extension is provided so that a mobile node can supply
infrastructure elements. This Authorization-enabling extension MAY credentials for authorization, using commonly available AAA
co-exist in the same Registration Request with Authentication infrastructure elements. This authorization-enabling extension MAY
co-exist in the same Registration Request with authentication
extensions defined for Mobile IP Registration by RFC3344. This extensions defined for Mobile IP Registration by RFC3344. This
document obsoletes RFC3012. document obsoletes RFC3012.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction ....................................................2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology ................................................3
2. Mobile IP Agent Advertisement Challenge Extension . . . . . . 6 2. Mobile IP Agent Advertisement Challenge Extension ...............4
2.1. Handling of Solicited Agent Advertisements . . . . . . . . 6 2.1. Handling of Solicited Agent Advertisements .................4
3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Operation .......................................................5
3.1. Mobile Node Processing of Registration Requests . . . . . 8 3.1. Mobile Node Processing of Registration Requests ............5
3.2. Foreign Agent Processing of Registration Requests . . . . 9 3.2. Foreign Agent Processing of Registration Requests ..........6
3.2.1. Foreign Agent Algorithm for Tracking Used 3.2.1. Foreign Agent Algorithm for Tracking Used
Challenges . . . . . . . . . . . . . . . . . . . . . . 11 Challenges .........................................8
3.3. Foreign Agent Processing of Registration Replies . . . . . 11 3.3. Foreign Agent Processing of Registration Replies ...........9
3.4. Home Agent Processing of Challenge Extensions . . . . . . 13 3.4. Home Agent Processing of Challenge Extensions .............10
3.5. Mobile Node Processing of Registration Replies . . . . . . 13 3.5. Mobile Node Processing of Registration Replies ............11
4. Mobile-Foreign Challenge Extension . . . . . . . . . . . . . . 14 4. Mobile-Foreign Challenge Extension .............................11
5. Generalized Mobile IP Authentication Extension . . . . . . . . 15 5. Generalized Mobile IP Authentication Extension .................12
6. Mobile-AAA Authentication subtype . . . . . . . . . . . . . . 17 6. Mobile-AAA Authentication Subtype ..............................13
7. Reserved SPIs for Mobile IP . . . . . . . . . . . . . . . . . 18 7. Reserved SPIs for Mobile IP ....................................14
8. SPIs for RADIUS AAA Servers . . . . . . . . . . . . . . . . . 19 8. SPIs for RADIUS AAA Servers ....................................14
9. Configurable Parameters . . . . . . . . . . . . . . . . . . . 20 9. Configurable Parameters ........................................15
10. Error Values . . . . . . . . . . . . . . . . . . . . . . . . . 21 10. Error Values ..................................................16
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 11. IANA Considerations ...........................................16
12. Security Considerations . . . . . . . . . . . . . . . . . . . 23 12. Security Considerations .......................................17
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 13. Acknowledgements ..............................................18
14. Normative References . . . . . . . . . . . . . . . . . . . . . 24 14. Normative References ..........................................18
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 25 Appendix A. Changes since RFC 3012 ................................20
Appendix B. Verification Infrastructure . . . . . . . . . . . . . 26 Appendix B. Verification Infrastructure ...........................21
Appendix C. Message Flow for FA Challenge Messaging with Appendix C. Message Flow for FA Challenge Messaging with
Mobile-AAA Extension . . . . . . . . . . . . . . . . 28 Mobile-AAA Extension ..................................22
Appendix D. Message Flow for FA Challenge Messaging with Appendix D. Message Flow for FA Challenge Messaging with
MN-FA Authentication . . . . . . . . . . . . . . . . 30 MN-FA Authentication ..................................23
Appendix E. Example Pseudo-Code for Tracking Used Challenges . . 31 Appendix E. Example Pseudo-code for Tracking Used Challenges ......24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32
Intellectual Property and Copyright Statements . . . . . . . . . . 33
1. Introduction 1. Introduction
Mobile IP defines the Mobile-Foreign Authentication extension to Mobile IP defines the Mobile-Foreign Authentication extension to
allow a mobile node to authenticate itself to a foreign agent. Such allow a mobile node to authenticate itself to a foreign agent. Such
authentication mechanisms are mostly external to the principal authentication mechanisms are mostly external to the principal
operation of Mobile IP, since the foreign agent can easily route operation of Mobile IP, since the foreign agent can easily route
packets to and from a mobile node whether or not the mobile node is packets to and from a mobile node whether or not the mobile node is
reporting a legitimately owned home address to the foreign agent. reporting a legitimately owned home address to the foreign agent.
Unfortunately, that extension does not provide the foreign agent any Unfortunately, that extension does not provide the foreign agent any
direct guarantee that the protocol is protected from replays, and direct guarantee that the protocol is protected from replays and does
does not allow for the use of CHAP [RFC1994] for authenticating not allow for the use of CHAP [RFC1994] for authenticating portable
portable computer devices. In this specification, we define computer devices. In this specification, we define extensions for
extensions for the Mobile IP Agent Advertisements and the the Mobile IP Agent Advertisements and the Registration Request that
Registration Request that allow a foreign agent to use challenge/ allow a foreign agent to use a challenge/ response mechanism to
response mechanism to authenticate the mobile node. Furthermore, an authenticate the mobile node. Furthermore, an additional
additional authentication extension, the Mobile-AAA authentication authentication extension, the Mobile-AAA authentication extension, is
extension, is provided so that a mobile node can supply credentials provided so that a mobile node can supply credentials for
for authorization using commonly available AAA infrastructure authorization using commonly available AAA infrastructure elements.
elements. The foreign agent may be able to interact with an AAA The foreign agent may be able to interact with an AAA infrastructure
infrastructure (using protocols outside the scope of this document) (using protocols outside the scope of this document) to obtain a
to obtain a secure indication that the mobile node is authorized to secure indication that the mobile node is authorized to use the local
use the local network resources. network resources.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses the term Security Parameters Index (SPI) as This document uses the term Security Parameters Index (SPI) as
defined in the base Mobile IP protocol specification [RFC3344]. All defined in the base Mobile IP protocol specification [RFC3344]. All
SPI values defined in this document refer to values for the SPI as SPI values defined in this document refer to values for the SPI as
defined in that specification. defined in that specification.
The following additional terminology is used in addition to that The following additional terminology is used in addition to that
defined in [RFC3344]: defined in [RFC3344]:
previously used challenge: previously used challenge:
The challenge is a previously used challenge if the mobile node The challenge is a previously used challenge if the mobile node
sent the same challenge to the foreign agent in a previous sent the same challenge to the foreign agent in a previous
Registration Request, and that previous Registration Request Registration Request, and if that previous Registration Request
passed all validity checks performed by the foreign agent. The passed all validity checks performed by the foreign agent. The
foreign agent may not be able to keep records for all foreign agent may not be able to keep records for all previously
previously used challenges, but see Section 3.2 for minimal used challenges, but see Section 3.2 for minimal requirements.
requirements.
security association: security association:
A "mobility security association", as defined in [RFC3344]. A "mobility security association", as defined in [RFC3344].
unknown challenge: unknown challenge:
Any challenge from a particular mobile node that the foreign Any challenge from a particular mobile node that the foreign agent
agent has no record of having put either into one of its recent has no record of having put either into one of its recent Agent
Agent Advertisements or into a registration reply message to Advertisements or into a registration reply message to that mobile
that mobile node. node.
unused challenge: unused challenge:
A challenge that has not been already accepted by the foreign A challenge that has not already been accepted by the foreign
agent from the mobile node in the Registration Request -- i.e., agent from the mobile node in the Registration Request, i.e., a
a challenge that is neither unknown nor previously used. challenge that is neither unknown nor previously used.
2. Mobile IP Agent Advertisement Challenge Extension 2. Mobile IP Agent Advertisement Challenge Extension
This section defines a new extension to the Router Discovery Protocol This section defines a new extension to the Router Discovery Protocol
[RFC1256] for use by foreign agents that need to issue a challenge [RFC1256] for use by foreign agents that need to issue a challenge
for authenticating mobile nodes. for authenticating mobile nodes.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Challenge ... | Type | Length | Challenge ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The Challenge Extension Figure 1. The Challenge Extension
Type: Type:
24 24
Length: Length:
The length of the Challenge value in bytes; SHOULD be at least The length of the Challenge value in octets; SHOULD be at least 4.
4
Challenge: Challenge:
A random value that SHOULD be at least 32 bits A random value that SHOULD be at least 32 bits.
The Challenge extension, illustrated in Figure 1, is inserted in the The Challenge extension, illustrated in Figure 1, is inserted in the
Agent Advertisements by the foreign agent, in order to communicate a Agent Advertisements by the foreign agent in order to communicate a
previously unused challenge value that can be used by the mobile node previously unused challenge value that can be used by the mobile node
to compute an authentication for its next registration request to compute an authentication for its next registration request
message. The challenge is selected by the foreign agent to provide message. The challenge is selected by the foreign agent to provide
local assurance that the mobile node is not replaying any earlier local assurance that the mobile node is not replaying any earlier
registration request. Eastlake, et al. [RFC1750] provides more registration request. Eastlake et al. [RFC4086] provides more
information on generating pseudo-random numbers suitable for use as information on generating pseudo-random numbers suitable for use as
values for the challenge. values for the challenge.
Note that the storage of different Challenges received in Agent Note that the storage of different Challenges received in Agent
Advertisements from multiple foreign agents is implementation Advertisements from multiple foreign agents is implementation
specific and hence, out of scope for this specification. specific and hence out of scope for this specification.
2.1. Handling of Solicited Agent Advertisements 2.1. Handling of Solicited Agent Advertisements
When a foreign agent generates an Agent Advertisement in response to When a foreign agent generates an Agent Advertisement in response to
a Router Solicitation [RFC1256], some additional considerations come a Router Solicitation [RFC1256], some additional considerations come
into play. According to the Mobile IP base specification [RFC3344], into play. According to the Mobile IP base specification [RFC3344],
the resulting Agent Advertisement may be either multicast or unicast. the resulting Agent Advertisement may be either multicast or unicast.
If the solicited Agent Advertisement is multicast, it MUST NOT If the solicited Agent Advertisement is multicast, the foreign agent
generate a new Challenge value and update its window of remembered MUST NOT generate a new Challenge value and update its window of
advertised Challenges. It must instead re-use the most recent of the remembered advertised Challenges. It must instead re-use the most
CHALLENGE_WINDOW Advertisement Challenge values (Section 9). recent of the CHALLENGE_WINDOW Advertisement Challenge values
(Section 9).
If the agent advertisement is unicast back to the soliciting mobile If the agent advertisement is unicast back to the soliciting mobile
node, it MUST be handled as follows: If the challenge most recently node, it MUST be handled as follows: If the challenge most recently
unicast to the soliciting mobile node has not been previously used unicast to the soliciting mobile node has not been previously used
(as defined in Section 1.1), it SHOULD be repeated in the newly (as defined in Section 1.1), it SHOULD be repeated in the newly
issued unicast agent advertisement, otherwise a new challenge MUST be issued unicast agent advertisement. Otherwise, a new challenge MUST
generated and remembered as the most recent challenge issued to the be generated and remembered as the most recent challenge issued to
mobile node. For further discussion of this, see Section 12. the mobile node. For further discussion of this, see Section 12.
3. Operation 3. Operation
This section describes modifications to the Mobile IP registration This section describes modifications to the Mobile IP registration
process [RFC3344] which may occur after the foreign agent issues a process [RFC3344] that may occur after the foreign agent issues a
Mobile IP Agent Advertisement containing the Challenge on its local Mobile IP Agent Advertisement containing the Challenge on its local
link. See Appendix C for a diagram showing the canonical message link. See Appendix C for a diagram showing the canonical message
flow for messages related to the processing of the foreign agent flow for messages related to the processing of the foreign agent
challenge values. challenge values.
3.1. Mobile Node Processing of Registration Requests 3.1. Mobile Node Processing of Registration Requests
Retransmission behavior for Registration Requests is identical to Retransmission behavior for Registration Requests is identical to
that specified in Mobile IP specification [RFC3344]. A retransmitted that specified in Mobile IP specification [RFC3344]. A retransmitted
Registration Request MAY use the same Challenge value as given in the Registration Request MAY use the same Challenge value as given in the
skipping to change at page 8, line 36 skipping to change at page 5, line 50
foreign agent, it SHOULD include the Challenge value in its foreign agent, it SHOULD include the Challenge value in its
Registration Request message. Registration Request message.
If the mobile node has a security association with the Foreign Agent, If the mobile node has a security association with the Foreign Agent,
it MUST include a Mobile-Foreign Authentication extension in its it MUST include a Mobile-Foreign Authentication extension in its
Registration Request message, according to the base Mobile IP Registration Request message, according to the base Mobile IP
specification [RFC3344]. When the Registration Request contains the specification [RFC3344]. When the Registration Request contains the
Mobile-Foreign Challenge extension specified in Section 4, the Mobile-Foreign Challenge extension specified in Section 4, the
Mobile-Foreign Authentication MUST follow the Challenge extension in Mobile-Foreign Authentication MUST follow the Challenge extension in
the Registration Request. The mobile node MAY also include the the Registration Request. The mobile node MAY also include the
Mobile-AAA Authentication extension. If both the Mobile-Foreign Mobile-AAA Authentication extension.
Authentication and the Mobile-AAA Authentication extensions are
present, the Mobile-Foreign Challenge extension MUST precede the If both the Mobile-Foreign Authentication and the Mobile-AAA
Mobile-AAA Authentication extension and the Mobile-AAA Authentication Authentication extensions are present, the Mobile-Foreign Challenge
extension MUST precede the Mobile-Foreign Authentication extension. extension MUST precede the Mobile-AAA Authentication extension, and
the Mobile-AAA Authentication extension MUST precede the Mobile-
Foreign Authentication extension.
If the mobile node does not have a security association with the If the mobile node does not have a security association with the
foreign agent, the mobile node MUST include the Mobile-AAA foreign agent, the mobile node MUST include the Mobile-AAA
Authentication extension as defined in Section 6 when it includes the Authentication extension as, defined in Section 6, when it includes
Mobile-Foreign Challenge extension. In addition, the mobile node the Mobile-Foreign Challenge extension. In addition, the mobile node
SHOULD include the NAI extension [RFC2794], to enable the foreign SHOULD include the NAI extension [RFC2794] to enable the foreign
agent to make use of available verification infrastructure which agent to make use of available verification infrastructure that
requires this. The SPI field of the Mobile-AAA Authentication requires this. The SPI field of the Mobile-AAA Authentication
extension specifies the particular secret and algorithm (shared extension specifies the particular secret and algorithm (shared
between the mobile node and the verification infrastructure) that between the mobile node and the verification infrastructure) that
must be used to perform the authentication. If the SPI value is must be used to perform the authentication. If the SPI value is
chosen as CHAP_SPI (see Section 9), then the mobile node specifies chosen as CHAP_SPI (see Section 9), then the mobile node specifies
CHAP-style authentication [RFC1994] using MD5 [RFC1321]. CHAP-style authentication [RFC1994] using MD5 [RFC1321].
In either case, the Mobile-Foreign Challenge extension followed by In either case, the Mobile-Foreign Challenge extension followed by
one of the above specified authentication extensions MUST follow the one of the above specified authentication extensions MUST follow the
Mobile-Home Authentication extension, if present. Mobile-Home Authentication extension, if present.
A mobile node MAY include the Mobile-AAA Authentication extension in A mobile node MAY include the Mobile-AAA Authentication extension in
the Registration Request when the mobile node registers directly with the Registration Request when the mobile node registers directly with
its home agent (using a co-located care-of address). In this case, its home agent (using a co-located care-of address). In this case,
the mobile node uses an SPI value of CHAP_SPI (Section 8) in the MN- the mobile node uses an SPI value of CHAP_SPI (Section 8) in the
AAA Authentication extension and MUST NOT include the Mobile-Foreign Mobile Node-Authentication, Authorization, and Accounting (MN-AAA)
Authentication extension and MUST NOT include the Mobile-Foreign
Challenge extension. Also, replay protection for the Registration Challenge extension. Also, replay protection for the Registration
Request in this case is provided by the Identification field defined Request in this case is provided by the Identification field defined
by [RFC3344]. by [RFC3344].
3.2. Foreign Agent Processing of Registration Requests 3.2. Foreign Agent Processing of Registration Requests
Upon receipt of the Registration Request, if the foreign agent has Upon receipt of the Registration Request, if the foreign agent has
issued a Challenge as part of its Agent Advertisements, and if it issued a Challenge as part of its Agent Advertisements, and if it
does not have a security association with the mobile node, then the does not have a security association with the mobile node, then the
foreign agent SHOULD check that the Mobile-Foreign Challenge foreign agent SHOULD check that the Mobile-Foreign Challenge
extension exists, and that it contains a challenge value previously extension exists, and that it contains a challenge value previously
unused by the mobile node. This ensures that the mobile node is not unused by the mobile node. This ensures that the mobile node is not
attempting to replay a previous advertisement and authentication. In attempting to replay a previous advertisement and authentication. In
this case, if the Registration Request does not include a Challenge this case, if the Registration Request does not include a Challenge
extension, the foreign agent MUST send a Registration Reply with the extension, the foreign agent MUST send a Registration Reply with the
Code field set to set to MISSING_CHALLENGE. Code field set to missing_challenge.
If a mobile node retransmits a Registration Request with the same If a mobile node retransmits a Registration Request with the same
Challenge extension, and the foreign agent still has a pending Challenge extension, and if the foreign agent still has a pending
Registration Request record in effect for the mobile node, then the Registration Request record in effect for the mobile node, then the
foreign agent forwards the Registration Request to the Home Agent foreign agent forwards the Registration Request to the Home Agent
again. The foreign agent SHOULD check that the mobile node is again. The foreign agent SHOULD check that the mobile node is
actually performing a retransmission, by verifying that the relevant actually performing a retransmission, by verifying that the relevant
fields of the retransmitted request (including, if present, the fields of the retransmitted request (including, if present, the
mobile node NAI Extension [RFC2794]) are the same as represented in mobile node NAI extension [RFC2794]) are the same as represented in
the visitor list entry for the pending Registration Request (section the visitor list entry for the pending Registration Request (Section
3.7.1 of [RFC3344]). This verification MUST NOT include the 3.7.1 of [RFC3344]). This verification MUST NOT include the
"remaining Lifetime of the pending registration", or the "remaining Lifetime of the pending registration" or the
Identification field since those values are likely to change even for Identification field, since those values are likely to change even
requests that are merely retransmissions and not new Registration for requests that are merely retransmissions and not new Registration
Requests. In all other circumstances, if the foreign agent receives Requests. In all other circumstances, if the foreign agent receives
a Registration Request with a Challenge extension containing a a Registration Request with a Challenge extension containing a
Challenge value previously used by that mobile node, the foreign Challenge value previously used by that mobile node, the foreign
agent SHOULD send a Registration Reply to the mobile node containing agent SHOULD send a Registration Reply to the mobile node, containing
the Code value STALE_CHALLENGE. the Code value stale_challenge.
The foreign agent MUST NOT accept any Challenge in the Registration The foreign agent MUST NOT accept any Challenge in the Registration
Request unless it was offered in the last Registration Reply or Request unless it was offered in the last Registration Reply or
unicast Agent Advertisement sent to the mobile node, or else unicast Agent Advertisement sent to the mobile node or advertised as
advertised as one of the last CHALLENGE_WINDOW (see Section 9) one of the last CHALLENGE_WINDOW (see Section 9) Challenge values
Challenge values inserted into the immediately preceding Agent inserted into the immediately preceding Agent Advertisements. If the
advertisements. If the Challenge is not one of the recently Challenge is not one of the recently advertised values, the foreign
advertised values, the foreign Agent SHOULD send a Registration Reply Agent SHOULD send a Registration Reply with Code value
with Code value UNKNOWN_CHALLENGE (see Section 10). The foreign unknown_challenge (see Section 10). The foreign agent MUST maintain
agent MUST maintain the last challenge used by each mobile node that the last challenge used by each mobile node that has registered using
has registered using any one of the last CHALLENGE_WINDOW challenge any one of the last CHALLENGE_WINDOW challenge values. This last
values. This last challenge value can be stored as part of the challenge value can be stored as part of the mobile node's
mobile node's registration records. Also, see Section 3.2.1 for a registration records. Also, see Section 3.2.1 for a possible
possible algorithm that can be used to satisfy this requirement. algorithm that can be used to satisfy this requirement.
Furthermore, the foreign agent MUST check that there is either a Furthermore, the foreign agent MUST check that there is either a
Mobile-Foreign, or a Mobile-AAA Authentication extension after the Mobile-Foreign or a Mobile-AAA Authentication extension after the
Challenge extension. Any registration message containing the Challenge extension. Any registration message containing the
Challenge extension without either of these authentication extensions Challenge extension without either of these authentication extensions
MUST be silently discarded. If the registration message contains a MUST be silently discarded. If the registration message contains a
Mobile-Foreign Authentication extension with an incorrect Mobile-Foreign Authentication extension with an incorrect
authenticator that fails verification, the foreign agent MAY send a authenticator that fails verification, the foreign agent MAY send a
Registration Reply to the mobile node with Code value Registration Reply to the mobile node with Code value mobile node
BAD_AUTHENTICATION (see Section 10). failed authentication (see Section 10).
If the Mobile-AAA Authentication extension (see Section 6) is present If the Mobile-AAA Authentication extension (see Section 6) is present
in the message, or if an NAI extension is included indicating that in the message, or if a Network Access Identifier (NAI) extension is
the mobile node belongs to a different administrative domain, the included indicating that the mobile node belongs to a different
foreign agent may take actions outside the scope of this protocol administrative domain, the foreign agent may take actions outside the
specification to carry out the authentication of the mobile node. If scope of this protocol specification to carry out the authentication
the registration message contains a Mobile-AAA Authentication of the mobile node. If the registration message contains a Mobile-
extension with an incorrect authenticator that fails verification, AAA Authentication extension with an incorrect authenticator that
the foreign agent MAY send a Registration Reply to the mobile node fails verification, the foreign agent MAY send a Registration Reply
with Code value FA_BAD_AAA_AUTH. If the Mobile-AAA Authentication to the mobile node with Code value fa_bad_aaa_auth. If the Mobile-
Extension is present in the Registration Request, the foreign agent AAA Authentication extension is present in the Registration Request,
MUST NOT remove the Mobile-AAA Authentication Extension and the the foreign agent MUST NOT remove the Mobile-AAA Authentication
Mobile-Foreign Challenge extension from the Registration Request, extension and the Mobile-Foreign Challenge extension from the
before forwarding to the home agent. Appendix C provides an example Registration Request before forwarding to the home agent. Appendix C
of an action that could be taken by a foreign agent. provides an example of an action that could be taken by a foreign
agent.
In the event that the Challenge extension is authenticated through In the event that the Challenge extension is authenticated through
the Mobile-Foreign Authentication extension and the Mobile-AAA the Mobile-Foreign Authentication extension and the Mobile-AAA
Authentication extension is not present, the foreign agent MAY remove Authentication extension is not present, the foreign agent MAY remove
the Challenge extension from the Registration Request without the Challenge extension from the Registration Request without
disturbing the authentication value used for the computation. If the disturbing the authentication value used for the computation. If the
Mobile-AAA Authentication extension is present and a security Mobile-AAA Authentication extension is present and a security
association exists between the foreign agent and the home agent, the association exists between the foreign agent and the home agent, the
Mobile-Foreign Challenge extension and the Mobile-AAA Authentication Mobile-Foreign Challenge extension and the Mobile-AAA Authentication
extension MUST precede the Foreign-Home Authentication extension. extension MUST precede the Foreign-Home Authentication extension.
If the foreign agent does remove the Challenge extension and If the foreign agent does remove the Challenge extension and
applicable authentication from the Registration Request message, then applicable authentication from the Registration Request message, then
it SHOULD store the Identification field from the Registration it SHOULD store the Identification field from the Registration
Request message as part of its record-keeping information about the Request message as part of its record-keeping information about the
particular mobile node in order to protect against replays. particular mobile node in order to protect against replays.
3.2.1. Foreign Agent Algorithm for Tracking Used Challenges 3.2.1. Foreign Agent Algorithm for Tracking Used Challenges
If the foreign agent maintains a large CHALLENGE_WINDOW, it becomes If the foreign agent maintains a large CHALLENGE_WINDOW, it becomes
more important for scalability purposes to efficiently compare more important for scalability purposes to compare incoming
incoming challenges against the set of Challenge values which have challenges efficiently against the set of Challenge values that have
been advertised recently. This can be done by keeping the Challenge been advertised recently. This can be done by keeping the Challenge
values in order of advertisement, and by making use of the mandated values in order of advertisement, and by making use of the mandated
behavior that mobile nodes MUST NOT use Challenge values which were behavior that mobile nodes MUST NOT use Challenge values that were
advertised before the last advertised Challenge value that the mobile advertised before the last advertised Challenge value that the mobile
node has attempted to use. The pseudo-code in Appendix E node attempted to use. The pseudo-code in Appendix E accomplishes
accomplishes this objective. The maximum amount of total storage this objective. The maximum amount of total storage required by this
required by this algorithm is equal to Size*(CHALLENGE_WINDOW + algorithm is equal to Size*(CHALLENGE_WINDOW + (2*N)), where N is the
(2*N)), where N is the current number of mobile nodes for which the current number of mobile nodes for which the foreign agent is storing
foreign agent is storing challenge values. Note that, whenever the challenge values. Note that whenever the stored challenge value is
stored challenge value is no longer in the CHALLENGE_WINDOW, it can no longer in the CHALLENGE_WINDOW, it can be deleted from the foreign
be deleted from the foreign agent's records, perhaps along with all agent's records, perhaps along with all other registration
other registration information for the mobile node if it is no longer information for the mobile node if it is no longer registered.
registered.
It is presumed that the foreign agent keeps an array of advertised It is presumed that the foreign agent keeps an array of advertised
Challenges, a record of the last advertised challenge used by a Challenges, a record of the last advertised challenge used by a
mobile node, and also a record of the last challenge provided to a mobile node, and also a record of the last challenge provided to a
mobile node in a Registration Reply or unicast Agent Advertisement. mobile node in a Registration Reply or unicast Agent Advertisement.
To meet the security obligations outlined in Section 12, the foreign To meet the security obligations outlined in Section 12, the foreign
agent SHOULD use one of the already stored, previously unused agent SHOULD use one of the already stored, previously unused
challenges when responding to an unauthenticated Registration Request challenges when responding to an unauthenticated Registration Request
or Agent Solicitation. If none of the already stored challenges are or Agent Solicitation. If none of the already stored challenges are
previously unused, the foreign agent SHOULD generate a new challenge, previously unused, the foreign agent SHOULD generate a new challenge,
include it in the response, and store it in the per-Mobile data include it in the response, and store it in the per-Mobile data
structure. structure.
3.3. Foreign Agent Processing of Registration Replies 3.3. Foreign Agent Processing of Registration Replies
The foreign agent SHOULD include a new Mobile-Foreign Challenge The foreign agent SHOULD include a new Mobile-Foreign Challenge
Extension in any Registration Reply, successful or not. If the extension in any Registration Reply, successful or not. If the
foreign agent includes this extension in a successful Registration foreign agent includes this extension in a successful Registration
Reply, the extension SHOULD precede a Mobile-Foreign authentication Reply, the extension SHOULD precede a Mobile-Foreign authentication
extension if present. Suppose the Registration Reply includes a extension if present. Suppose that the Registration Reply includes a
Challenge extension from the home agent, and the foreign agent wishes Challenge extension from the home agent, and that the foreign agent
to include another Challenge extension with the Registration Reply wishes to include another Challenge extension with the Registration
for use by the mobile node. In that case, the foreign agent MUST Reply for use by the mobile node. In that case, the foreign agent
delete the Challenge extension from the home agent from the MUST delete the Challenge extension from the home agent from the
Registration Reply, along with any Foreign-Home authentication Registration Reply, along with any Foreign-Home authentication
extension, before appending the new Challenge extension to the extension, before appending the new Challenge extension to the
Registration Reply. Registration Reply.
One example of a situation where the foreign agent MAY omit the One example of a situation where the foreign agent MAY omit the
inclusion of a Mobile-Foreign Challenge extension in the Registration inclusion of a Mobile-Foreign Challenge extension in the Registration
Reply would be when a new challenge has been multicast recently. Reply would be when a new challenge has been multicast recently.
If a foreign agent has conditions in which it omits the inclusion of If a foreign agent has conditions in which it omits the inclusion of
a Mobile-Foreign Challenge extension in the Registration Reply, it a Mobile-Foreign Challenge extension in the Registration Reply, it
still MUST respond with an agent advertisement containing a still MUST respond with an agent advertisement containing a
previously unused challenge in response to a subsequent agent previously unused challenge in response to a subsequent agent
solicitation from the same mobile node. Otherwise (when the said solicitation from the same mobile node. Otherwise (when the said
conditions are not met) the foreign agent MUST include a previously conditions are not met), the foreign agent MUST include a previously
unused challenge in any Registration Reply, successful or not. unused challenge in any Registration Reply, successful or not.
If the foreign agent does not remove the Challenge extension from the If the foreign agent does not remove the Challenge extension from the
Registration Request received from the mobile node then the foreign Registration Request received from the mobile node, then the foreign
agent SHOULD store the Challenge value as part of the pending agent SHOULD store the Challenge value as part of the pending
registration request list [RFC3344]. Also, if the Registration Reply registration request list [RFC3344]. Also, if the Registration Reply
coming from the home agent does not include the Challenge extension, coming from the home agent does not include the Challenge extension,
the foreign agent SHOULD NOT reject the Registration Request message. the foreign agent SHOULD NOT reject the registration request. If the
If the Challenge Extension is present in the Registration Reply, it Challenge extension is present in the Registration Reply, it MUST be
MUST be the same Challenge value that was included in the the same Challenge value that was included in the Registration Reply
Registration Request. If the Challenge value differs in the received from the home agent, the foreign agent MUST insert a Foreign
Registration Reply received from the home agent, the foreign agent Agent (FA) Error extension with Status value ha_wrong_challenge in
MUST insert an FA Error extension with Status value the Registration Reply sent to the mobile node (see Section 10).
HA_WRONG_CHALLENGE in the Registration Reply sent to the mobile node
(see Section 10).
A mobile node MUST be prepared to use a challenge from a unicast or A mobile node MUST be prepared to use a challenge from a unicast or
multicast Agent Advertisement in lieu of one returned in a multicast Agent Advertisement in lieu of one returned in a
Registration Reply, and MUST solicit for one if it has not already Registration Reply, and it MUST solicit for one if it has not already
received one in a Registration Reply. received one either in a Registration Reply or a recent
advertisement.
If the foreign agent receives a Registration Reply with the Code If the foreign agent receives a Registration Reply with the Code
value HA_BAD_AAA_AUTH, the Registration Reply with this Code value value ha_bad_aaa_auth, the Registration Reply with this Code value
MUST be relayed to the mobile node. In this document, whenever the MUST be relayed to the mobile node. In this document, whenever the
foreign agent is required to reject a Registration Request, it MUST foreign agent is required to reject a Registration Request, it MUST
put the given code in the usual Code field of the Registration Reply, put the given code in the usual Code field of the Registration Reply,
unless the Registration Reply has already been received from the home unless the Registration Reply has already been received from the home
agent. In this case the foreign agent MUST preserve the value of the agent. In this case, the foreign agent MUST preserve the value of
Code field set by the home agent and MUST put its own rejection code the Code field set by the home agent and MUST put its own rejection
in the Status field of the FA Error extension (defined in [FAERR]). code in the Status field of the FA Error extension (defined in
[RFC4636]).
3.4. Home Agent Processing of Challenge Extensions 3.4. Home Agent Processing of Challenge Extensions
If the home agent receives a Registration Request with the Mobile- If the home agent receives a Registration Request with the Mobile-
Foreign Challenge extension, and recognizes the extension, the home Foreign Challenge extension and recognizes the extension, the home
agent MUST include the Challenge extension in the Registration Reply. agent MUST include the Challenge extension in the Registration Reply.
The Challenge extension MUST be placed after the Mobile-Home The Challenge extension MUST be placed after the Mobile-Home
authentication extension, and the extension SHOULD be authenticated authentication extension, and the extension SHOULD be authenticated
by a Foreign-Home Authentication extension. by a Foreign-Home Authentication extension.
The home agent may receive a Registration Request with the Mobile-AAA The home agent may receive a Registration Request with the Mobile-AAA
Authentication extension. If the Mobile-AAA Authentication extension Authentication extension. If the Mobile-AAA Authentication extension
is used by the home agent as an authorization-enabling extension and is used by the home agent as an authorization-enabling extension and
the verification fails due to incorrect authenticator, the home agent the verification fails due to an incorrect authenticator, the home
MAY reject the Registration Reply with the error code agent MAY reject the Registration Reply with the error code
HA_BAD_AAA_AUTH. ha_bad_aaa_auth.
Since the extension type for the Challenge extension is within the Since the extension type for the Challenge extension is within the
range 128-255, the home agent MUST process such a Registration range 128-255, the home agent MUST process such a Registration
Request even if it does not recognize the Challenge extension Request even if it does not recognize the Challenge extension
[RFC3344]. In this case, the home agent will send a Registration [RFC3344]. In this case, the home agent will send a Registration
Reply to the foreign agent that does not include the Challenge Reply to the foreign agent that does not include the Challenge
extension. extension.
3.5. Mobile Node Processing of Registration Replies 3.5. Mobile Node Processing of Registration Replies
skipping to change at page 13, line 41 skipping to change at page 11, line 18
from the foreign agent as a response to the Registration Request. from the foreign agent as a response to the Registration Request.
The error codes are defined in Section 10. The error codes are defined in Section 10.
In any case, if the mobile node attempts to register again after such In any case, if the mobile node attempts to register again after such
an error, it MUST use a new Challenge value in such a registration, an error, it MUST use a new Challenge value in such a registration,
obtained either from an Agent Advertisement, or from a Challenge obtained either from an Agent Advertisement, or from a Challenge
extension to the Registration Reply containing the error. extension to the Registration Reply containing the error.
In the co-located care-of address mode, the mobile node receives a In the co-located care-of address mode, the mobile node receives a
Registration Reply without the Challenge extension and processes the Registration Reply without the Challenge extension and processes the
Registration Reply as specified in [RFC3344]. In this case, the Registration Reply as specified in [RFC3344]. In this case, when the
mobile node includes the MN-AAA Authentication Extension, the
Challenge value 0 is recommended for the authenticator computation Challenge value 0 is recommended for the authenticator computation
mentioned in Section 8. mentioned in Section 8.
4. Mobile-Foreign Challenge Extension 4. Mobile-Foreign Challenge Extension
This section specifies a new Mobile IP Registration extension that is This section specifies a new Mobile IP Registration extension that is
used to satisfy a Challenge in an Agent Advertisement. The Challenge used to satisfy a Challenge in an Agent Advertisement. The Challenge
extension to the Registration Request message is used to indicate the extension to the Registration Request message is used to indicate the
challenge that the mobile node is attempting to satisfy. challenge that the mobile node is attempting to satisfy.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Challenge ... | Type | Length | Challenge ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The Mobile-Foreign Challenge Extension Figure 2. The Mobile-Foreign Challenge Extension
Type: Type:
132 (skippable) (see [RFC3344]) 132 (skippable). (See [RFC3344]).
Length: Length:
Length of the Challenge value Length of the Challenge value.
Challenge: Challenge:
The Challenge field is copied from the Challenge field found in The Challenge field is copied from the Challenge field found in
the received Challenge extension. the received Challenge extension.
Suppose the mobile node has successfully registered using one of the Suppose that the mobile node has successfully registered using one of
Challenge Values within the CHALLENGE_WINDOW values advertised by the the Challenge Values within the CHALLENGE_WINDOW values advertised by
foreign agent. In that case, in any new Registration Request the the foreign agent. In that case, in any new Registration Request the
mobile node MUST NOT use any Challenge Value which was advertised by mobile node MUST NOT use any Challenge Value that was advertised by
the foreign agent before the Challenge Value in the mobile node's the foreign agent before the Challenge Value in the mobile node's
last Registration Request. last Registration Request.
5. Generalized Mobile IP Authentication Extension 5. Generalized Mobile IP Authentication Extension
Several new authentication extensions have been designed for various Several new authentication extensions have been designed for various
control messages proposed for extensions to Mobile IP. A new control messages proposed for extensions to Mobile IP. A new
authentication extension is required for a mobile node to present its authentication extension is required for a mobile node to present its
credentials to any other entity other than the ones already defined; credentials to any other entity other than the ones already defined;
the only entities defined in the base Mobile IP specification the only entities defined in the base Mobile IP specification
skipping to change at page 15, line 27 skipping to change at page 12, line 31
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Subtype | Length | | Type | Subtype | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI | | SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authenticator ... | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: The Generalized Mobile IP Authentication Extension Figure 3. The Generalized Mobile IP Authentication Extension
Type: Type:
36 (not skippable) (see [RFC3344]) 36 (not skippable). (See [RFC3344]).
Subtype: Subtype:
A number assigned to identify the kind of endpoints or other A number assigned to identify the kind of endpoints or other
characteristics of the particular authentication strategy characteristics of the particular authentication strategy.
Length: Length:
4 plus the number of bytes in the Authenticator; MUST be at 4 plus the number of octets in the Authenticator; MUST be at least
least 20. 20.
SPI: SPI:
Security Parameters Index Security Parameters Index
Authenticator: Authenticator:
The variable length Authenticator field The variable length Authenticator field
In this document, only one subtype is defined: In this document, only one subtype is defined:
1 Mobile-AAA Authentication subtype (see Section 6) 1 Mobile-AAA Authentication subtype
(Hashed Message Authentication Code-MD5 (HMAC-MD5))
(see Section 6).
6. Mobile-AAA Authentication subtype 6. Mobile-AAA Authentication Subtype
The Generalized Authentication extension with subtype 1 will be The Generalized Authentication extension with subtype 1 will be
referred to as a Mobile-AAA Authentication extension. The mobile referred to as a Mobile-AAA Authentication extension. The mobile
node MAY include a Mobile-AAA Authentication extension in any node MAY include a Mobile-AAA Authentication extension in any
Registration Request. This extension MAY co-exist in the same Registration Request. This extension MAY co-exist in the same
Registration Request with Authentication extensions defined for Registration Request with Authentication extensions defined for
Mobile IP Registration ([RFC3344]). If the mobile node does not Mobile IP Registration ([RFC3344]). If the mobile node does not
include a Mobile-Foreign Authentication extension, then it MUST include a Mobile-Foreign Authentication extension, then it MUST
include the Mobile-AAA Authentication extension whenever the include the Mobile-AAA Authentication extension whenever the
Challenge extension is present. If both are present, the Mobile-AAA Challenge extension is present. If both are present, the Mobile-AAA
Authentication extension MUST precede the Mobile-Foreign Authentication extension MUST precede the Mobile-Foreign
Authentication extension. Authentication extension.
If the Mobile-AAA Authentication extension is present, the Mobile- If the Mobile-AAA Authentication extension is present, the Mobile-
Home Authentication Extension MUST appear prior to the Mobile-AAA Home Authentication extension MUST appear prior to the Mobile-AAA
Authentication extension. The corresponding response MUST include Authentication extension. The corresponding response MUST include
the Mobile-Home Authentication Extension, and MUST NOT include the the Mobile-Home Authentication extension and MUST NOT include the
Mobile-AAA Authentication Extension. Mobile-AAA Authentication extension.
The default algorithm for computation of the authenticator is HMAC- The default algorithm for computation of the authenticator is HMAC-
MD5 [RFC2104] computed on the following data, in the order shown: MD5 [RFC2104] computed on the following data, in the order shown:
Preceding Mobile IP data || Type, Subtype, Length, SPI Preceding Mobile IP data || Type, Subtype, Length, SPI
where the Type, Length, Subtype, and SPI are as shown in Section 5. where the Type, Length, Subtype, and SPI are as shown in Section 5.
The Preceding Mobile IP data refers to the UDP payload (the The Preceding Mobile IP data refers to the UDP payload (the
Registration Request or Registration Reply data) and all prior Registration Request or Registration Reply data) and all prior
Extensions in their entirely. The resulting function call, as extensions in their entirety. The resulting function call, as
described in [RFC2104], would be: described in [RFC2104], would be:
hmac_md5(data, datalen, Key, KeyLength, authenticator); hmac_md5(data, datalen, Key, KeyLength, authenticator);
Each mobile node MUST support the ability to produce the Each mobile node MUST support the ability to produce the
authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, it authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, it
must be possible to configure the use of any arbitrary 32-bit SPI must be possible to configure the use of any arbitrary 32-bit SPI
outside of the SPIs in the reserved range 0-255 for selection of this outside of the SPIs in the reserved range 0-255 for selection of this
default algorithm. default algorithm.
7. Reserved SPIs for Mobile IP 7. Reserved SPIs for Mobile IP
Mobile IP defines several authentication extensions for use in Mobile IP defines several authentication extensions for use in
Registration Requests and Replies. Each authentication extension Registration Requests and Replies. Each authentication extension
carries a Security Parameters Index (SPI) which should be used to carries a Security Parameters Index (SPI) that should be used to
index a table of security associations. Values in the range 0 - 255 index a table of security associations. Values in the range 0 - 255
are reserved for special use. A list of reserved SPI numbers is to are reserved for special use. A list of reserved SPI numbers is to
be maintained by IANA at the following URL: be maintained by IANA at the following URL:
http://www.iana.org/numbers.html http://www.iana.org/assignments/mobileip-numbers
8. SPIs for RADIUS AAA Servers 8. SPIs for RADIUS AAA Servers
Some AAA servers only admit a single security association, and thus Some AAA servers only admit a single security association and thus do
do not use the SPI numbers for Mobile IP authentication extensions not use the SPI numbers for Mobile IP authentication extensions for
for use when determining the security association that would be use when determining the security association that would be necessary
necessary for verifying the authentication information included with for verifying the authentication information included with the
the Authentication extension. Authentication extension.
SPI number CHAP_SPI (see Section 9) is reserved for indicating the SPI number CHAP_SPI (see Section 9) is reserved for indicating the
following procedure for computing authentication data (called the following procedure for computing authentication data (called the
"authenticator"), which is used by many RADIUS servers [RFC2138] "authenticator"), which is used by many RADIUS servers [RFC2865]
today. today.
To compute the authenticator, apply MD5 [RFC1321] computed on the To compute the authenticator, apply MD5 [RFC1321] computed on the
following data, in the order shown: following data, in the order shown:
High-order byte from Challenge || Key || High-order octet from Challenge || Key ||
MD5(Preceding Mobile IP data || MD5(Preceding Mobile IP data ||
Type, Subtype (if present), Length, SPI) || Type, Subtype (if present), Length, SPI) ||
Least-order 237 bytes from Challenge Least-order 237 octets from Challenge
where the Type, Length, SPI, and possibly Subtype, are the fields of where Type, Length, SPI, and possibly Subtype are the fields of the
the authentication extension in use. For instance, all four of these authentication extension in use. For instance, all four of these
fields would be in use when SPI == CHAP_SPI is used with the fields would be in use when SPI == CHAP_SPI is used with the
Generalized Authentication extension. Also, in case of co-located Generalized Authentication extension. In case of co-located care-of
care-of address, the Challenge value 0 is used (refer Section address, the Challenge value 0 is used (refer to Section 3.5). Since
Section 3.5). Since the RADIUS protocol cannot carry attributes of the RADIUS protocol cannot carry attributes of length greater than
length greater than 253, the preceding Mobile IP data, type, subtype 253, the preceding Mobile IP data, type, subtype (if present),
(if present), length and SPI are hashed using MD5. Finally, the length, and SPI are hashed using MD5. Finally, the least significant
least significant 237 bytes of the challenge are concatenated. If 237 octets of the challenge are concatenated. If the challenge has
the challenge has fewer than 238 bytes, this algorithm includes the fewer than 238 octets, this algorithm includes the high-order octet
high-order byte in the computation twice, but ensures that the in the computation twice but ensures that the challenge is used
challenge is used exactly as is. Additional padding is never used to exactly as is. Additional padding is never used to increase the
increase the length of the challenge; the input data is allowed to be length of the challenge; the input data is allowed to be shorter than
shorter than 237 bytes long. 237 octets long.
9. Configurable Parameters 9. Configurable Parameters
Every Mobile IP agent supporting the extensions defined in this Every Mobile IP agent supporting the extensions defined in this
document SHOULD be able to configure each parameter in the following document SHOULD be able to configure each parameter in the following
table. Each table entry contains the name of the parameter, the table. Each table entry contains the name of the parameter, the
default value, and the section of the document in which the parameter default value, and the section of the document in which the parameter
first appears. first appears.
+------------------+---------------+---------------------+ +------------------+---------------+---------------------+
| Parameter Name | Default Value | Section of Document | | Parameter Name | Default Value | Section of Document |
+------------------+---------------+---------------------+ +------------------+---------------+---------------------+
| CHALLENGE_WINDOW | 2 | 3.2 | | CHALLENGE_WINDOW | 2 | 3.2 |
| | | | | | | |
| CHAP_SPI | 2 | 8 | | CHAP_SPI | 2 | 8 |
+------------------+---------------+---------------------+ +------------------+---------------+---------------------+
Table 1: Configurable Parameters Table 1. Configurable Parameters
Note that CHALLENGE_WINDOW SHOULD be at least 2. This makes it far Note that CHALLENGE_WINDOW SHOULD be at least 2. This makes it far
less likely that mobile nodes will register using a Challenge value less likely that mobile nodes will register using a Challenge value
that is outside the set of values allowable by the foreign agent. that is outside the set of values allowable by the foreign agent.
10. Error Values 10. Error Values
Each entry in the following table contains the name of the Code Each entry in the following table contains the name of the Code
[RFC3344] to be returned in a Registration Reply, the value for the [RFC3344] to be returned in a Registration Reply, the value for the
Code, and the section in which the error is mentioned in this Code, and the section in which the error is mentioned in this
specification. specification.
+--------------------+-------+--------------------------+ +--------------------+-------+--------------------------+
| Error Name | Value | Section of Document | | Error Name | Value | Section of Document |
+--------------------+-------+--------------------------+ +--------------------+-------+--------------------------+
| UNKNOWN_CHALLENGE | 104 | 3.2 | | unknown_challenge | 104 | 3.2 |
| | | | | | | |
| BAD_AUTHENTICATION | 67 | 3.2 - also see [RFC3344] | | mobile node failed | 67 | 3.2; also see [RFC3344] |
| authentication | | |
| | | | | | | |
| MISSING_CHALLENGE | 105 | 3.1, 3.2 | | missing_challenge | 105 | 3.1, 3.2 |
| | | | | | | |
| STALE_CHALLENGE | 106 | 3.2 | | stale_challenge | 106 | 3.2 |
| | | | | | | |
| FA_BAD_AAA_AUTH | TBD | 3.2 | | fa_bad_aaa_auth | 108 | 3.2 |
| | | | | | | |
| HA_BAD_AAA_AUTH | TBD | 3.4 | | ha_bad_aaa_auth | 144 | 3.4 |
| | | | | | | |
| HA_WRONG_CHALLENGE | TBD | 3.2 | | ha_wrong_challenge | 109 | 3.2 |
+--------------------+-------+--------------------------+ +--------------------+-------+--------------------------+
Table 2: Error Values Table 2. Error Values
11. IANA Considerations 11. IANA Considerations
The following are currently assigned by IANA for RFC 3012 ([RFC3012]) The following are currently assigned by IANA for RFC 3012 [RFC3012]
which are applicable to this document. IANA should record these and are applicable to this document. IANA has recorded these values
values as part of this document. as part of this document.
The Generalized Mobile IP Authentication extension defined in The Generalized Mobile IP Authentication extension defined in
Section Section 5 is a Mobile IP registration extension. IANA has Section 5 is a Mobile IP registration extension. IANA has
assigned a value of 36 for this extension. assigned a value of 36 for this extension.
A new number space is to be created for enumerating subtypes of A new number space is to be created for enumerating subtypes of
the Generalized Authentication extension (see section Section 5). the Generalized Authentication extension (see Section 5). New
New subtypes of the Generalized Authentication extension, other subtypes of the Generalized Authentication extension, other than
than the number (1) for the MN-AAA authentication extension the number (1) for the MN-AAA authentication extension specified
specified in section Section 6, must be specified and approved by in Section 6, must be specified and approved by a designated
a designated expert. expert.
The MN-FA Challenge extension defined in Section Section 4 is a The Mobile Node - Foreign Agent (MN-FA) Challenge extension,
router advertisement extension as defined in RFC 1256 [[RFC1256]] defined in Section 4, is a router advertisement extension as
and extended in RFC 3344 [[RFC3344]]. IANA should assign a value defined in RFC 1256 [RFC1256] and extended in RFC 3344 [RFC3344].
of 132 for this purpose. IANA has assigned a value of 132 for this purpose.
The Code values defined in section Section 10 are error codes as The Code values defined in Section 10 are error codes as defined
defined in RFC 3344 ([RFC3344]). They correspond to error values in RFC 3344 ([RFC3344]). They correspond to error values
conventionally associated with rejection by the foreign agent conventionally associated with rejection by the foreign agent
(i.e., values from the range 64-127). The Code value 67 is a pre- (i.e., values from the range 64-127). The Code value 67 is a
existing value which is to be used in some cases with the pre-existing value that is to be used in some cases with the
extension defined in this specification. IANA should record the extension defined in this specification. IANA has recorded the
values as defined in section Section 10. values as defined in Section 10.
A new section for enumerating algorithms identified by specific A new section for enumerating algorithms identified by specific
SPIs within the range 0-255 is added by IANA. The CHAP_SPI number SPIs within the range 0-255 has been added by IANA. The CHAP_SPI
(2) discussed in section Section 8 is assigned from this range of number (2) discussed in Section 8 is assigned from this range of
reserved SPI numbers. New assignments from this reserved range reserved SPI numbers. New assignments from this reserved range
must be specified and approved by the Mobile IP working group. must be specified and approved by the Mobile IP working group.
SPI number 1 should not be assigned unless in the future the SPI number 1 should not be assigned unless in the future the
Mobile IP working group decides that SKIP is not important for Mobile IP working group decides that SKIP is not important for
enumeration in the list of reserved numbers. SPI number 0 should enumeration in the list of reserved numbers. SPI number 0 should
not be assigned. not be assigned.
Additionally, new error codes FA_BAD_AAA_AUTH, HA_BAD_AAA_AUTH, and Additionally, the new error codes fa_bad_aaa_auth, ha_bad_aaa_auth,
HA_WRONG_CHALLENGE are defined by this document. Among these, and ha_wrong_challenge are defined by this document. Among these,
HA_WRONG_CHALLENGE may appear in the Status code of the FA Error ha_wrong_challenge may appear in the Status code of the FA Error
extension defined in [FAERR]. extension, defined in [RFC4636].
12. Security Considerations 12. Security Considerations
In the event that a malicious mobile node attempts to replay the In the event that a malicious mobile node attempts to replay the
authenticator for an old Mobile-Foreign Challenge, the foreign agent authenticator for an old Mobile-Foreign Challenge, the foreign agent
would detect it since the agent always checks whether it has recently would detect it, since the agent always checks whether it has
advertised the Challenge (see Section 3.2). Allowing mobile nodes recently advertised the Challenge (see Section 3.2). Allowing mobile
with different IP addresses or NAIs to use the same Challenge value nodes with different IP addresses or NAIs to use the same Challenge
does not represent a security vulnerability, because the value does not represent a security vulnerability, as the
authentication data provided by the mobile node will be computed over authentication data provided by the mobile node will be computed over
data that is different (at least the mobile nodes' IP address will data that is different (at least the mobile node's IP address will
vary). vary).
If the foreign agent chooses a Challenge value (see Section 2) with If the foreign agent chooses a Challenge value (see Section 2) with
fewer than 4 bytes, the foreign agent SHOULD include the value of the fewer than 4 octets, the foreign agent SHOULD include the value of
Identification field in the records it maintains for the mobile node. the Identification field in the records it maintains for the mobile
The foreign agent can then determine whether the Registration node. The foreign agent can then determine whether the Registration
messages using the short Challenge value are in fact unique, and thus messages using the short Challenge value are in fact unique and thus
assuredly not replayed from any earlier registration. assuredly not replayed from any earlier registration.
Section 8 (SPI For RADIUS AAA Servers) defines a method of computing Section 8 (SPI For RADIUS AAA Servers) defines a method of computing
the Generalized Mobile IP Authentication Extension's authenticator the Generalized Mobile IP Authentication extension's authenticator
field using MD5 in a manner that is consistent with RADIUS [RFC2138]. field, using MD5 in a manner that is consistent with RADIUS
The use of MD5 in the method described in Section 8 is less secure [RFC2865]. The use of MD5 in the method described in Section 8 is
than HMAC-MD5 [RFC2104], and MUST be avoided whenever possible. less secure than HMAC-MD5 [RFC2104] and MUST be avoided whenever
possible.
Note that an active attacker may try to prevent successful Note that an active attacker may try to prevent successful
registrations by sending a large number of Agent Solicitations or registrations by sending a large number of Agent Solicitations or
bogus Registration Requests, each of which could cause the foreign bogus Registration Requests, each of which could cause the foreign
agent to respond with a fresh challenge, invalidating the challenge agent to respond with a fresh challenge, invalidating the challenge
that the MN is currently trying to use. To prevent such attacks, the that the MN is currently trying to use. To prevent such attacks, the
foreign agent MUST NOT invalidate previously unused challenges when foreign agent MUST NOT invalidate previously unused challenges when
responding to unauthenticated Registration Requests or Agent responding to unauthenticated Registration Requests or Agent
Solicitations. In addition, the foreign agent MUST NOT allocate new Solicitations. In addition, the foreign agent MUST NOT allocate new
storage when responding to such messages, because this would also storage when responding to such messages, as this would also create
create the possibility of denial of service. the possibility of denial of service.
The Challenge extension specified in this document need not be used The Challenge extension specified in this document need not be used
for co-located care-of address mode. In this case, replay protection for co-located care-of address mode. In this case, replay protection
is provided by the Identification field in the Registration Request is provided by the Identification field in the Registration Request
message [RFC3344]. message [RFC3344].
13. Acknowledgments The Generalized Mobile IP Authentication extension includes a subtype
field that is used to identify characteristics of the particular
authentication strategy. This document only defines one subtype, the
Mobile-AAA Authentication subtype that uses HMAC-MD5. If it is
necessary to move to a new message authentication algorithm in the
future, this could be accomplished by defining a new subtype that
uses a different one.
13. Acknowledgements
The authors would like to thank Pete McCann, Ahmad Muhanna, Henrik The authors would like to thank Pete McCann, Ahmad Muhanna, Henrik
Levkowetz, Kent Leung, Alpesh Patel, Madjid Nakhjiri, Gabriel Levkowetz, Kent Leung, Alpesh Patel, Madjid Nakhjiri, Gabriel
Montenegro, Jari Arkko and other MIP4 WG participants for their Montenegro, Jari Arkko, and other MIP4 WG participants for their
useful discussions. useful discussions.
14. Normative References 14. Normative References
[FAERR] Perkins, C., "Foreign Agent Error Extension for Mobile
IPv4", draft-perkins-mip4-faerr-02.txt (work in progress),
January 2004.
[RFC1256] Deering, S., "ICMP Router Discovery Messages", RFC 1256, [RFC1256] Deering, S., "ICMP Router Discovery Messages", RFC 1256,
September 1991. September 1991.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[RFC1750] Eastlake, D., Crocker, S., and J. Schiller, "Randomness
Recommendations for Security", RFC 1750, December 1994.
[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
Protocol (CHAP)", RFC 1994, August 1996. Protocol (CHAP)", RFC 1994, August 1996.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104, February
February 1997. 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2138] Rigney, C., Rigney, C., Rubens, A., Simpson, W., and S. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
Willens, "Remote Authentication Dial In User Service "Remote Authentication Dial In User Service (RADIUS)", RFC
(RADIUS)", RFC 2138, April 1997. 2865, June 2000.
[RFC2794] Calhoun, P. and C. Perkins, "Mobile IP Network Access [RFC2794] Calhoun, P. and C. Perkins, "Mobile IP Network Access
Identifier Extension for IPv4", RFC 2794, March 2000. Identifier Extension for IPv4", RFC 2794, March 2000.
[RFC3012] Perkins, C. and P. Calhoun, "Mobile IPv4 Challenge/ [RFC3012] Perkins, C. and P. Calhoun, "Mobile IPv4
Response Extensions", RFC 3012, November 2000. Challenge/Response Extensions", RFC 3012, November 2000.
[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
August 2002. August 2002.
Appendix A. Change History [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
June 2005.
[RFC4636] Perkins, C., "Foreign Agent Error Extension for Mobile
IPv4", RFC 4636, October 2006.
Appendix A. Changes since RFC 3012
The following is the list of changes from RFC 3012 ([RFC3012]): The following is the list of changes from RFC 3012 ([RFC3012]):
o Foreign agent recommended to include a Challenge in every o Foreign agent recommended to include a Challenge in every
Registration Reply, so that mobile node can re-register without Registration Reply, so that mobile node can re-register without
waiting for an Advertisement. waiting for an Advertisement.
o Foreign agent MUST record applicable challenge values used by each o Foreign agent MUST record applicable challenge values used by each
mobile node. mobile node.
skipping to change at page 25, line 28 skipping to change at page 20, line 28
for a registration. for a registration.
o Challenge definitions are cleaned up. o Challenge definitions are cleaned up.
o Programming suggestion added as an appendix. o Programming suggestion added as an appendix.
o HMAC_CHAP_SPI option is added for Generalized Mobile IP o HMAC_CHAP_SPI option is added for Generalized Mobile IP
Authentication extension. Upon receipt of HMAC_CHAP_SPI, HMAC-MD5 Authentication extension. Upon receipt of HMAC_CHAP_SPI, HMAC-MD5
is used instead of MD5 for computing the authenticator. is used instead of MD5 for computing the authenticator.
o Added FA_BAD_AAA_AUTH and HA_BAD_AAA_AUTH error codes to report o Added fa_bad_aaa_auth and ha_bad_aaa_auth error codes to report
authentication errors caused while processing Mobile-AAA authentication errors caused while processing Mobile-AAA
Authentication extension. Also, added the error code Authentication extension. Also, added the error code
HA_WRONG_CHALLENGE to indicate that Challenge value differs in the ha_wrong_challenge to indicate that Challenge value differs in the
Registration Reply received from the home agent compare to the one Registration Reply received from the home agent compare to the one
sent to the home agent in the Registration Request. sent to the home agent in the Registration Request.
o Processing of the Mobile-AAA Authentication extension is clarified o Processing of the Mobile-AAA Authentication extension is clarified
for the foreign agent and the home agent. for the foreign agent and the home agent.
o Co-existence of the Mobile-AAA Authentication extension in the o Co-existence of the Mobile-AAA Authentication extension in the
same Registration Request is made explicit. same Registration Request is made explicit.
o The situation in which the foreign agent sets MISSING_CHALLENGE is o The situation in which the foreign agent sets missing_challenge is
clarified further. clarified further.
o The use of Mobile-AAA Authentication Extension is allowed by the o The use of Mobile-AAA Authentication extension is allowed by the
mobile node with co-located care-of address. mobile node with co-located care-of address.
o Added protection against bogus Registration Reply and Agent o Added protection against bogus Registration Reply and Agent
Advertisement. Also, the processing of the Challenge is clarified Advertisement. Also, the processing of the Challenge is clarified
if it is received in the multicast/unicast Agent Advertisement. if it is received in the multicast/unicast Agent Advertisement.
o Added reference of FA Error extension in the References section o Added reference of FA Error extension in the References section
and also updated relevant text in section 3.2 and section 11. and also updated relevant text in section 3.2 and section 11.
Appendix B. Verification Infrastructure Appendix B. Verification Infrastructure
skipping to change at page 26, line 17 skipping to change at page 21, line 17
The Challenge extensions in this protocol specification are expected The Challenge extensions in this protocol specification are expected
to be useful to help the foreign agent manage connectivity for to be useful to help the foreign agent manage connectivity for
visiting mobile nodes, even in situations where the foreign agent visiting mobile nodes, even in situations where the foreign agent
does not have any security association with the mobile node or the does not have any security association with the mobile node or the
mobile node's home agent. In order to carry out the necessary mobile node's home agent. In order to carry out the necessary
authentication, it is expected that the foreign agent will need the authentication, it is expected that the foreign agent will need the
assistance of external administrative systems, which have come to be assistance of external administrative systems, which have come to be
called AAA systems. For the purposes of this document, we call the called AAA systems. For the purposes of this document, we call the
external administrative support the "verification infrastructure". external administrative support the "verification infrastructure".
The verification infrastructure is described to motivate the design The verification infrastructure is described to motivate the design
of the protocol elements defined in this document, and is not of the protocol elements defined in this document and is not strictly
strictly needed for the protocol to work. The foreign agent is free needed for the protocol to work. The foreign agent is free to use
to use any means at its disposal to verify the credentials of the any means at its disposal to verify the credentials of the mobile
mobile node. This could, for instance, rely on a separate protocol node. It could, for instance, rely on a separate protocol between
between the foreign agent and the Mobile IP home agent, and still be the foreign agent and the Mobile IP home agent and still not require
completely invisible to the mobile node. any modification to the mobile node.
In order to verify the credentials of the mobile node, we assume that In order to verify the credentials of the mobile node, we assume that
the foreign agent has access to a verification infrastructure that the foreign agent has access to a verification infrastructure that
can return a secure notification to the foreign agent that the can return a secure notification to the foreign agent that the
authentication has been performed, along with the results of that authentication has been performed, along with the results of that
authentication. This infrastructure may be visualized as shown in authentication. This infrastructure may be visualized as shown in
Figure 4. Figure 4.
+----------------------------------------------------+ +----------------------------------------------------+
| | | |
skipping to change at page 26, line 45 skipping to change at page 21, line 45
+----------------------------------------------------+ +----------------------------------------------------+
^ | ^ | ^ | ^ |
| | | | | | | |
| v | v | v | v
+---------------+ +---------------+ +---------------+ +---------------+
| | | | | | | |
| foreign agent | | home agent | | foreign agent | | home agent |
| | | | | | | |
+---------------+ +---------------+ +---------------+ +---------------+
Figure 4: The Verification Infrastructure Figure 4. The Verification Infrastructure
After the foreign agent gets the Challenge authentication, it MAY After the foreign agent gets the Challenge authentication, it MAY
pass the authentication to the (here unspecified) infrastructure, and pass the authentication to the (here unspecified) infrastructure and
await a Registration Reply. If the Reply has a positive status await a Registration Reply. If the Reply has a positive status
(indicating that the registration was accepted), the foreign agent (indicating that the registration was accepted), the foreign agent
accepts the registration. If the Reply contains the Code value accepts the registration. If the Reply contains the Code value
BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions
indicated for rejected registrations. indicated for rejected registrations.
Implicit in this picture, is the important observation that the Implicit in this picture is the important observation that the
foreign agent and the home agent have to be equipped to make use of foreign agent and the home agent have to be equipped to make use of
whatever protocol is made available to them by the challenge whatever protocol is required by the challenge verification and key
verification and key management infrastructure shown in the figure. management infrastructure shown in the figure.
The protocol messages for handling the authentication within the The protocol messages for handling the authentication within the
verification infrastructure, and identity of the agent performing the verification infrastructure and the identity of the agent performing
verification of the foreign agent challenge, are not specified in the verification of the foreign agent challenge are not specified in
this document, because those operations do not have to be performed this document, as those operations do not have to be performed by any
by any Mobile IP entity. Mobile IP entity.
Appendix C. Message Flow for FA Challenge Messaging with Mobile-AAA Appendix C. Message Flow for FA Challenge Messaging with Mobile-AAA
Extension Extension
MN FA Verification home agent MN FA Verification home agent
|<-- Adv+Challenge--| Infrastructure | |<-- Adv+Challenge--| Infrastructure |
| (if needed) | | | | (if needed) | | |
| | | | | | | |
|-- RReq+Challenge->| | | |-- RReq+Challenge->| | |
| + Auth.Ext. | | | | + Auth.Ext. | | |
skipping to change at page 28, line 27 skipping to change at page 22, line 40
| | |-- Challenge -->| | | |-- Challenge -->|
| | | | | | | |
| | | | | | | |
| | |<--- RRep ----- | | | |<--- RRep ----- |
| | Authorization, incl. | | | | Authorization, incl. | |
| |<-- RRep + Auth.Ext.-----| | | |<-- RRep + Auth.Ext.-----| |
| | | | | | | |
|<-- RRep+Auth.Ext--| | | |<-- RRep+Auth.Ext--| | |
| + New Challenge | | | | + New Challenge | | |
Figure 5: Message Flows for FA Challenge Messaging Figure 5. Message Flows for FA Challenge Messaging
In Figure 5, the following informational message flow is illustrated: In Figure 5, the following informational message flow is illustrated:
1. The foreign agent includes a Challenge Value in a unicast Agent 1. The foreign agent includes a Challenge Value in a unicast Agent
Advertisement if needed. This advertisement MAY have been Advertisement, if needed. This advertisement MAY have been
produced after receiving an Agent Solicitation from the mobile produced after receiving an Agent Solicitation from the mobile
node (not shown in the diagram). node (not shown in the diagram).
2. The mobile node creates a Registration Request including the 2. The mobile node creates a Registration Request including the
advertised Challenge Value in the Challenge extension, along with advertised Challenge Value in the Challenge extension, along with
an Mobile-AAA authentication extension. a Mobile-AAA authentication extension.
3. The foreign agent relays the Registration Request either to the 3. The foreign agent relays the Registration Request either to the
home agent specified by the mobile node, or else to its locally home agent specified by the mobile node or to its locally
configured Verification Infrastructure (see Appendix B), configured Verification Infrastructure (see Appendix B),
according to local policy. according to local policy.
4. The foreign agent receives a Registration Reply with the 4. The foreign agent receives a Registration Reply with the
appropriate indications for authorizing connectivity for the appropriate indications for authorizing connectivity for the
mobile node. mobile node.
5. The foreign agent relays the Registration Reply to the mobile 5. The foreign agent relays the Registration Reply to the mobile
node, possibly along with a new Challenge Value to be used by the node, often along with a new Challenge Value to be used by the
mobile node in its next Registration Request message. mobile node in its next Registration Request message.
Appendix D. Message Flow for FA Challenge Messaging with MN-FA Appendix D. Message Flow for FA Challenge Messaging with MN-FA
Authentication Authentication
MN FA home agent MN FA home agent
|<-- Adv+Challenge--| | |<-- Adv+Challenge--| |
| (if needed) | | | (if needed) | |
| | | | | |
|-- RReq+Challenge->| | |-- RReq+Challenge->| |
| + Auth.Ext. | | | + Auth.Ext. | |
| |--- RReq + Challenge --->| | |--- RReq + Challenge --->|
| | + HA-FA Auth.Ext | | | + HA-FA Auth.Ext |
| | | | | |
| |<-- RRep + Challenge ----| | |<-- RRep + Challenge ----|
| | + HA-FA Auth.Ext | | | + HA-FA Auth.Ext |
| | | | | |
|<-- RRep+Auth.Ext--| | |<-- RRep+Auth.Ext--| |
| + New Challenge | | | + New Challenge | |
Figure 6: Message Flows for FA Challenge Messaging with MN-FA Figure 6. Message Flows for FA Challenge Messaging with MN-FA
Authentication Authentication
In Figure 6, the following informational message flow is illustrated: In Figure 6, the following informational message flow is illustrated:
1. The foreign agent disseminates a Challenge Value in an Agent 1. The foreign agent disseminates a Challenge Value in an Agent
Advertisement if needed. This advertisement MAY have been Advertisement, if needed. This advertisement MAY have been
produced after receiving an Agent Solicitation from the mobile produced after receiving an Agent Solicitation from the mobile
node (not shown in the diagram). node (not shown in the diagram).
2. The mobile node creates a Registration Request including the 2. The mobile node creates a Registration Request including the
advertised Challenge Value in the Challenge extension, along with advertised Challenge Value in the Challenge extension, along with
an Mobile-Foreign Authentication extension. a Mobile-Foreign Authentication extension.
3. The foreign agent relays the Registration Request to the home 3. The foreign agent relays the Registration Request to the home
agent specified by the mobile node. agent specified by the mobile node.
4. The foreign agent receives a Registration Reply with the 4. The foreign agent receives a Registration Reply with the
appropriate indications for authorizing connectivity for the appropriate indications for authorizing connectivity for the
mobile node. mobile node.
5. The foreign agent relays the Registration Reply to the mobile 5. The foreign agent relays the Registration Reply to the mobile
node, possibly along with a new Challenge Value to be used by the node, possibly along with a new Challenge Value to be used by the
mobile node in its next Registration Request message. If the mobile node in its next Registration Request message. If the
Reply contains the Code value HA_BAD_AAA_AUTH (see Section 10), Reply contains the Code value ha_bad_aaa_auth (see Section 10),
the foreign agent takes actions indicated for rejected the foreign agent takes actions indicated for rejected
registrations. registrations.
Appendix E. Example Pseudo-Code for Tracking Used Challenges Appendix E. Example Pseudo-Code for Tracking Used Challenges
current_chal := RegistrationRequest.challenge_extension_value current_chal := RegistrationRequest.challenge_extension_value
last_chal := mobile_node_record.last_used_adv_chal last_chal := mobile_node_record.last_used_adv_chal
if (current_chal == mobile_node_record.RegReply_challenge) { if (current_chal == mobile_node_record.RegReply_challenge) {
update (mobile_node_record, current_chal) update (mobile_node_record, current_chal)
skipping to change at page 32, line 14 skipping to change at page 25, line 14
Authors' Addresses Authors' Addresses
Charles E. Perkins Charles E. Perkins
Nokia Research Center Nokia Research Center
Communications Systems Lab Communications Systems Lab
313 Fairchild Drive 313 Fairchild Drive
Mountain View, California 94043 Mountain View, California 94043
Phone: +1 650 625-2986 Phone: +1 650 625-2986
Email: charles.perkins@nokia.com EMail: charles.perkins@nokia.com
Pat R. Calhoun Pat R. Calhoun
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive 170 West Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
Phone: +1 408-853-5269 Phone: +1 408-853-5269
Email: pcalhoun@cisco.com EMail: pcalhoun@cisco.com
Jayshree Bharatia Jayshree Bharatia
Nortel Networks Nortel Networks
2221, Lakeside Blvd 2221, Lakeside Blvd
Richardson, TX 75082 Richardson, TX 75082
Phone: +1 972-684-5767 Phone: +1 972-684-5767
Email: jayshree@nortel.com EMail: jayshree@nortel.com
Intellectual Property Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST,
AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 33, line 29 skipping to change at page 26, line 46
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity Acknowledgement
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 128 change blocks. 
352 lines changed or deleted 349 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/