diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5419.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5419.txt')
-rw-r--r-- | doc/rfc/rfc5419.txt | 1067 |
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc5419.txt b/doc/rfc/rfc5419.txt new file mode 100644 index 0000000..a9f9f80 --- /dev/null +++ b/doc/rfc/rfc5419.txt @@ -0,0 +1,1067 @@ + + + + + + +Network Working Group B. Patil +Request for Comments: 5419 Nokia +Category: Informational G. Dommety + Cisco + January 2009 + + +Why the Authentication Data Suboption is Needed for Mobile IPv6 (MIPv6) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents (http://trustee.ietf.org/ + license-info) in effect on the date of publication of this document. + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + +Abstract + + Mobile IPv6 defines a set of signaling messages that enable the + mobile node (MN) to authenticate and perform registration with its + home agent (HA). These authentication signaling messages between the + mobile node and home agent are secured by an IPsec security + association (SA) that is established between the MN and HA. The MIP6 + working group has specified a mechanism to secure the Binding Update + (BU) and Binding Acknowledgement (BAck) messages using an + authentication option, similar to the authentication option in Mobile + IPv4, carried within the signaling messages that are exchanged + between the MN and HA to establish a binding. This document provides + the justifications as to why the authentication option mechanism is + needed for Mobile IPv6 deployment in certain environments. + + + + + + + + + + + +Patil & Dommety Informational [Page 1] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + +Table of Contents + + 1. Introduction ....................................................2 + 2. Conventions Used in This Document ...............................3 + 3. Background ......................................................3 + 4. Applicability Statement .........................................3 + 5. Justification for the Use of the Authentication Option ..........5 + 5.1. Motivation for Use of the Authentication Option in + CDMA2000 ...................................................5 + 5.2. Additional Arguments for the Use of the + Authentication Option ......................................6 + 6. Application of Mobile IPv6 in CDMA Networks .....................9 + 6.1. IPv4-Based Mobility Architecture in CDMA2000 Networks ......9 + 6.2. IPv6-Based Mobility Architecture in CDMA2000 Networks .....11 + 6.2.1. Overview of the Mobility Operation in + IPv6-Based CDMA2000 Networks .......................11 + 6.2.2. Authentication and Security Details ................12 + 7. Limitations of the Authentication Protocol Option ..............14 + 8. Security Considerations ........................................16 + 9. Conclusion .....................................................16 + 10. Acknowledgements ..............................................17 + 11. References ....................................................17 + 11.1. Normative References .....................................17 + 11.2. Informative References ...................................18 + +1. Introduction + + Mobile IPv6 relies on the IPsec Security Association between the + Mobile Node (MN) and the Home Agent (HA) for authentication of the MN + to its HA before a binding cache can be created at the HA. An + alternate mechanism that does not rely on the existence of the IPsec + SA between the MN and HA for authenticating the MN is needed in + certain deployment environments. Such an alternate mechanism is + outlined in [RFC4285]. This document is intended to capture for + archival purposes the reasoning behind the need for the + authentication protocol [RFC4285]. It should be noted that the + alternate solution does not imply that the IPsec-based solution will + be deprecated. It simply means that in certain deployment scenarios + there is a need for supporting MIPv6 without an IPsec SA between the + MN and HA. So the alternate solution is in addition to the IPsec- + based mechanism specified in the base RFCs, i.e., [RFC3775], + [RFC3776], and [RFC4877]. It has been noted that some of the + challenges of deploying MIPv6 in certain types of networks arose from + dependence on the Internet Key Exchange (IKE), which did not + integrate well with an Authentication, Authorization, and Accounting + (AAA) backend infrastructure. IKEv2 solves this problem. However, + at the time of discussion on the need for the authentication + + + + +Patil & Dommety Informational [Page 2] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + protocol, "Mobile IPv6 Operation with IKEv2 and the Revised IPsec + Architecture" [RFC4877] was still a work in progress and, as a + result, an alternative solution was needed. + + It should be noted that some of the arguments for justifying the + specification of the authentication protocol have been made redundant + as a result of the specification of Mobile IPv6 operation with IKEv2 + [RFC4877]. However, some of the arguments discussed in this document + are still applicable and justify usage of the authentication protocol + in certain deployment environments. + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +3. Background + + Mobile IPv6 signaling involves several messages. These include: + + o The Binding Update/Binding Acknowledgment between the mobile node + and the home agent. + + o The route optimization signaling messages, which include the + HoTI-HoT (Home Test Init/Home Test), CoTI-CoT (Care-of Test Init/ + Care-of Test), and BU-BAck messages between the MN and CN. HoTI + and HoT signaling messages are routed through the MN's HA. + + o Mobile prefix solicitation and advertisements between the MN and + HA. + + o Home agent discovery by MNs. + + The signaling messages between the MN and HA are secured using the + IPsec SA that is established between these entities. The exception + to this are the messages involved in the home agent discovery + process. [RFC4877] specifies the establishment of the IPsec SA using + IKEv2. + +4. Applicability Statement + + The authentication option specified in "Authentication Protocol for + MIPv6" [RFC4285] provides a solution for MIPv6 deployment in + environments in which an operator may not require IPsec-based + security for the signaling. The reasons for an operator choosing to + + + + + +Patil & Dommety Informational [Page 3] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + deploy MIPv6 without mandating IPsec-based security for signaling + messages between the MN and HA could be many. Some of these are, for + example: + + 1. Operators deploying MIPv6 in cellular networks may consider IPsec + and IKEv2 as adding overhead to the limited bandwidth over the + air interface. The overhead here is in terms of the bytes that + IPsec and IKEv2 introduce to the signaling. + + 2. Operators may consider the number of messages between the MN and + HA that are required to establish the IPsec SA as too many. The + number of transactions chew into the capacity of limited + bandwidth air interfaces when MIPv6 is used in such environments. + It also adds additional latency to the establishment of the + binding. + + 3. In many deployments, authentication credentials already exist in + a AAA server. These credentials are used for authenticating a + user and authorizing network access. The same credentials and + security parameters cannot be reused for MIPv6 security as well, + if IKEv1 is used. + + 4. Dynamic assignment of home agents is needed in certain + deployments to minimize the latency of the backhaul. This is + done by allocating an HA in a visited network, for example. + Requiring IPsec SAs with home agents that are dynamically + assigned is an overhead, especially when the HA is in a visited + network. + + 5. In certain deployments, signaling messages between the MN and HA + may be over secure link layers. The lower layers provide + ciphering and security for the messages, and hence the need for + IPsec to do the same for MIPv6 messages does not exist. + + One example of networks that have such characteristics are Code + Division Multiple Access (CDMA) networks as defined in the 3GPP2 + [3GPP2 X.S0011-002-D] specification. Mobile WiMAX (Worldwide + Interoperability for Microwave Access), which is based on IEEE + 802.16e, also specifies in the network architecture the use of MIPv6, + with the default security for signaling being the authentication + protocol [RFC4285]. The WiMAX network architecture specifications + are available at [WiMAX-NWG]. + + + + + + + + + +Patil & Dommety Informational [Page 4] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + +5. Justification for the Use of the Authentication Option + + The following two sections provide the reasoning for why the + authentication option-based registration process for Mobile IPv6 is + needed. Section 5.1 provides key arguments for the use of the + authentication option. Section 5.2 provides further explanation and + additional motivations for the authentication option. + +5.1. Motivation for Use of the Authentication Option in CDMA2000 + Wireless Networks + + CDMA2000 networks deployed and operational today use Mobile IPv4 for + IP mobility. Operators have gained a significant amount of + operational experience in the process of deploying and operating + these networks. 3GPP2 has specified Mobile IPv6 operation in the + [3GPP2 X.S0011-002-D] specification. The following are the + deployment constraints that existing CDMA networks have to deal with + when deploying mobility service based on IPv6: + + o Operators intend to leverage the Mobile IPv4 deployment and + operational experience by ensuring that Mobile IPv6 has a similar + deployment and operating model. + + o Operators will have two parallel networks: one that offers IPv4 + mobility with MIPv4 and another providing IPv6 mobility using + MIPv6. + + o The same backend subscriber profile database, security keys, etc. + are intended to be used for both Mobile IPv4 and Mobile IPv6 + service. However, from a security standpoint, the reuse of the + same keys with multiple algorithms/protocols is a bad idea. + + o The same user-configuration information, i.e., the identity and + keys associated with a user, will be used for IP mobility service + in IPv4 and/or IPv6 networks. The only security association that + is preconfigured is a shared secret between the mobile node and + the home AAA server. This is in contrast with an earlier version + of the Mobile IPv6 model, which required an IPsec SA between the + MN and HA. At the time of this writing, the IKEv2-based solution + for establishing an IPsec SA [RFC4877] was not available. IKEv2 + does enable integration with a AAA backend. + + o At the time of specifying the authentication protocol, the Mobile + IPv6 specification did not support the dynamic assignment of home + agent and home address. However, work done in the MIP6 working + group on bootstrapping of Mobile IPv6 as specified in [RFC5026] + and "MIPv6-Bootstrapping for the Integrated Scenario" [BOOT] + addresses this deficiency. The mechanism defined in + + + +Patil & Dommety Informational [Page 5] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + "Authentication Protocol for Mobile IPv6" [RFC4285] is capable of + handling authentication even in the case of dynamic assignments + (and is similar to what is used in current MIPv4 deployments). + + Consequently, MIPv6 as specified at the time the authentication + protocol was being specified, did not satisfy many of the deployment + requirements. "Authentication Protocol for MIPv6" [RFC4285] along + with "MN Identifier Option for MIPv6" [RFC4283] are enabling the + deployment of Mobile IPv6 in a manner that is similar to what is + deployed in CDMA2000 networks today. This authentication model is + very similar to the one adopted by the MIP4 WG. This is explained in + detail in [3GPP2 X.S0011-002-D]. + + The earlier MIPv6 deployment model, which requires an IPsec SA that + is either configured manually or established using IKE, does not have + synergy with the deployment models of 3GPP2 or WiMAX networks. This + issue has however been alleviated with the publication of RFC 4877, + which enables the establishment of an IPsec SA using IKEv2 and which + is also able to integrate with the backend AAA infrastructure that is + responsible for the authentication of the MN in 3GPP2 and WiMAX + networks. + +5.2. Additional Arguments for the Use of the Authentication Option + + The use of IPsec for performing Registration with a home agent is not + always an optimal solution. While it is true that IPsec is viewed as + an integral part of the IPv6 stack, it is still a considerable + overhead from a deployment perspective of using IPsec as the security + mechanism for the signaling messages between the MN and HA. This + statement is a result of experience gained from deployment of Mobile + IPv4. MIPv4 does not rely on IPsec for securing the Registration + signaling messages. + + Deployment of Mobile IPv6 on a large scale is possible only when the + protocol is flexible for being adapted to various scenarios. The + scenario being considered is the deployment in CDMA2000 networks or + WiMAX networks. CDMA2000 networks are currently deployed in many + countries today. WiMAX deployments in many countries began in 2008. + The packet data network architecture of CDMA2000 [3GPP2 + X.S0011-002-D] includes a MIPv4 foreign agent/home agent and a + RADIUS-based AAA infrastructure for Authentication, Authorization, + and Accounting purposes. The AAA infrastructure provides + authentication capability in the case of Mobile IPv4. + + Typically, the mobile node shares a security association with the + AAA-Home entity. This is the preferred mode of operation over having + a shared secret between the MN and HA because the AAA-Home entity + provides a central location for provisioning and administering the + + + +Patil & Dommety Informational [Page 6] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + shared secrets for a large number of mobiles (millions). This mode + of operation also makes dynamic home address and dynamic home agent + assignment easier. A similar approach is needed for the deployment + of Mobile IPv6 in these networks. There is no practical mechanism to + use IPsec directly with the AAA infrastructure without the use of + IKEv2 or some other mechanism that enables the establishment of the + IPsec SA between the MN and HA. + + Mobile IPv6 as specified in [RFC3775] and [RFC3776] is based on a + very specific model for deployment. It anticipates the mobile node's + having a static home IPv6 address and a designated home agent. This + is not practical in most deployment scenarios being considered. An + IPsec SA is expected to be created via manual keying or established + dynamically via IKE or IKEv2. These assumptions do not necessarily + fit in very well for the deployment model envisioned in CDMA2000 or + WiMAX networks. These limitations have however been overcome as a + result of the bootstrapping specifications as per [RFC5026] and + "MIPv6-Bootstrapping for the Integrated Scenario" [BOOT]. + + CDMA2000 and WiMAX networks would prefer to allocate home addresses + to MNs on a dynamic basis. The advantage of doing so is the fact + that the HA can be assigned on a link that is close to the MN's point + of attachment. While route optimization negates the benefit of + having a home agent on a link close to the MN, it cannot always be + guaranteed that the MN and correspondent node (CN) will use or + support route optimization. There may also be instances where the + operator prefers to not allow route optimization for various reasons, + such as accounting aggregation or enforcing service contracts. In + such cases, an HA that is close to the MN's point of attachment + reduces the issues of latency, etc. of forward and reverse tunnelling + of packets between the MN and HA. + + CDMA2000 networks that are operational today have large numbers of + subscribers who are authenticated via the AAA infrastructure. + Deployment of Mobile IPv6 should leverage the existing AAA + infrastructure. The security model needed in these networks is an SA + between the MN and AAA-Home entity. This is the primary security + association that should be used for authenticating and authorizing + users to utilize MIPv6 service. This SA is then used for + establishing session keys between the MN and the dynamically assigned + HA for authenticating subsequent Binding Updates and Binding + Acknowledgements between them. Establishing an IPsec SA between the + MN and HA using AAA infrastructure was not specified for Mobile IPv6 + at the time the authentication protocol was being specified. RFC + 3776 explains how IKE is used for establishing the SA between the MN + and HA. [RFC4877] has been published subsequently and hence the + issue of establishing an IPsec SA dynamically between the MN and HA + no longer exists. CDMA2000 network operators would prefer to assign + + + +Patil & Dommety Informational [Page 7] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + home addresses to the MN on a dynamic basis -- preferably using the + AAA infrastructure, which contains subscriber profile and capability + information. This was not possible prior to the specification of the + bootstrapping mechanism in [RFC5026]. + + A large subset of MNs in CDMA2000 networks do not have IKE + capability. As a result, the use of RFC 3776 for setting up the + MN-HA IPsec SA is not an option. It should also be noted that IKE + requires several transactions before it is able to establish the + IPsec SA. [RFC4877] specifies the establishment of an IPsec SA + between the MN and HA using IKEv2. It is possible that not all MNs + in a deployment will support IKEv2, and hence an alternative + mechanism provides the needed flexibility. + + CDMA2000 network operators are extremely conscious in terms of the + number of messages sent and received over the air interface for + signaling. The overhead associated with sending/receiving a large + number of signaling messages over the air interface has a direct + impact on the overall capacity and cost for the operator. + Optimization of the number of messages needed for using a service + like Mobile IPv6 is of great concern. As a result, the use of IKE + for Mobile IPv6 deployment is considered as being suboptimal in + certain network architectures and deployment scenarios from the + perspective of message overhead. + + Another downside of IKE for setting up the IPsec SA between the MN + and HA is that IKE does not integrate very well with the RADIUS-based + AAA backend. Since operators rely on the AAA infrastructure to + provision subscribers as well as define profiles, keys, etc. in the + AAA-Home, there is no getting away from the use of AAA in CDMA2000 + networks. IKEv2 does address this problem. However, from a timeline + perspective, the availability of IKEv2 specifications for "Mobile + IPv6 Operation with IKEv2 and the Revised IPsec Architecture" + [RFC4877] and its implementations did not meet the need of operators + that were relying on 3GPP2 specifications. With the specification of + IKEv2 and publication of RFC 4877, integration with AAA backends is + no longer an issue. + + In summary, the model of Mobile IPv6 deployment that mandated the + existence of an IPsec SA between the MN and HA, as specified in RFCs + 3775 and 3776, was too rigid and did not meet the requirements of + operators building networks based on the CDMA2000 [3GPP2 + X.S0011-002-D] specifications. To address this shortcoming, the + authentication protocol [RFC4285] was specified. + + + + + + + +Patil & Dommety Informational [Page 8] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + +6. Application of Mobile IPv6 in CDMA Networks + + Sections 6.1 and 6.2 describe the IPv4- and IPv6-based mobility + architectures in CDMA networks, respectively. For further details + associated with the description below, please refer to Section 5, + "MIP6 Operation", in the 3GPP2 specification [3GPP2 X.S0011-002-D]. + +6.1. IPv4-Based Mobility Architecture in CDMA2000 Networks + + The figure below shows a high level view of the key network elements + that play a role in providing IP mobility using Mobile IPv4. + + +--------------+ +----------------------+ + | +------+ | | +------+ | + | | | | | | | | + | |F-AAA | | | |H-AAAH| | + | | +-------------------+ | | + | +---+--+ | | +--+---+ | + | | | | | | + | | | | | | + +------+ | +---+--+ | | +--+---+ | + | | | | | | | | | | + | MN +- -|- -+ PDSN + -- -- -- -- - + HA | | + | | | | /FA | | | | | | + +------+ | +------+ | | +------+ | + | | | | + +--------------+ +----------------------+ + + Figure 1: CDMA2000 Packet Data Network Architecture with Mobile IPv4 + + The CDMA mobility architecture based on MIPv4 is explained below. In + this architecture, mobility is tightly integrated with the AAA + infrastructure. The Mobile Node is configured with an NAI (Network + Access Identifier) and an MN-AAA key. The MN-AAA key is a shared key + that is shared between the MN and the home AAA server. + + Below is the access link setup procedure: + + (1) Bring up the PPP on the MN/PDSN (access router link). PPP + authentication is skipped. Mobile IP authentication is + performed via the FA (Foreign Agent). + + (2) The PDSN (Packet Data Serving Node) sends a Mobile IP challenge + to the MN on the PPP link (RFC 3012). + + + + + + + +Patil & Dommety Informational [Page 9] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + (3) The MN sends a MIP Registration Request (RRQ), which includes + the user's NAI, challenge, and MN-AAA extension that has a + challenge response, and an MN-HA extension, which is generated + based on the MN-HA key. + + (4) The PDSN extracts the MIP NAI, challenge, and the response to + the challenge, from the MIP MN-AAA extension, and sends an + Access Request to the F-AAA (challenge/response using MD5). + + (5) The F-AAA (Foreign AAA) may forward it to the H-AAA (Home AAA) + if needed (based on realm). + + (6) AAA authenticates the CHAP-challenge/response and returns + "success" if authentication succeeds. + + (7) The PDSN forwards the Registration Request (RRQ) to the HA. + + (8) The HA authenticates the RRQ (MHAE (Mobile-Home Authentication + Extension)). The HA may optionally authenticate with the AAA + infrastructure (just like the PDSN in #4). + + (9) If authentication is successful, the HA creates a binding and + sends a success Registration Reply (RRP) to the PDSN. + + (10) The PDSN creates a visitor entry and forwards the RRP to the MN. + + + + + + + + + + + + + + + + + + + + + + + + + + +Patil & Dommety Informational [Page 10] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + +6.2. IPv6-Based Mobility Architecture in CDMA2000 Networks + + Due to the need for co-existence with MIPv4, and having the same + operational model, the 3GPP2 standards body is adopting the following + mobility architecture for MIPv6. + + Access Domain Home Domain + +--------------+ +----------------------+ + | +------+ | | +------+ | + | | | | | | | | + | |F-AAA | | | |H-AAA | | + | | +-------------------+ | | + | +---+--+ | | +--+---+ | + | | | | | | + | | | | | | + +------+ | +---+--+ | | +--+---+ | + | | | | | | | | | | + | MN +- -|- -+ PDSN + -- -- -- -- - + HA | | + | | | | /AR | | | | | | + +------+ | +------+ | | +------+ | + | | | | + +--------------+ +----------------------+ + + Figure 2: CDMA2000 Packet Data Network Architecture with Mobile IPv6 + + The Mobile Node is configured with an NAI (Network Access Identifier) + and an MN-AAA key. The MN-AAA key is a shared key between the MN and + the home AAA server. + +6.2.1. Overview of the Mobility Operation in IPv6-Based CDMA2000 + Networks + + The following steps explain at a very generic level the operation of + IP mobility in CDMA2000 networks: + + (1) The MN performs link-layer establishment. This includes setting + up the PPP link. PPP-CHAP authentication is performed. This is + authenticated by the PDSN/AR (Access Router) by sending an + Access Request to the F-AAA (and to the H-AAA when/if needed). + Optionally, the MN acquires bootstrap information from the Home + Network (via the PDSN; the PDSN receives this information in + Access Accept). The bootstrap information includes home address + and home agent assignment. The MN uses stateless DHCPv6 + [RFC3736] to obtain the bootstrap information from the PDSN. + + + + + + + +Patil & Dommety Informational [Page 11] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + (2) The MN begins to use the home address (HoA) that was assigned in + step 1. If no HoA was assigned at step 1, the MN generates + (auto-configures) an IPv6 global unicast address based on the + prefix information received at step 1. + + (3) The MN sends a Binding Update to the selected home agent. In + the BU, the MN includes the NAI option, timestamp option, and + MN-AAA auth option. + + (4) The HA extracts the NAI, authenticator, etc. from the BU and + sends an Access Request to the Home RADIUS server. + + (5) The Home RADIUS server authenticates and authorizes the user and + sends back a RADIUS Access Accept to the HA indicating + successful authentication and authorization. + + (6) The HA performs a replay check with the ID field in the received + BU. The HA also performs proxy Duplicate Address Detection + (DAD) on the MN's home address (global) using proxy Neighbor + Solicitation as specified in [RFC4861]. + + (7) Assuming that proxy DAD is successful, the HA sends back a + Binding Acknowledgment to the MN. In this BAck message, the HA + includes the MN-HA mobility option, NAI mobility option, and ID + mobility option. + +6.2.2. Authentication and Security Details + + Access Link Setup, Access Authentication, and Bootstrapping: + + (1) The MN brings up a PPP session. The PDSN triggers the MN to + perform CHAP authentication, as part of access authentication, + while bringing up the PPP link. + + (2) The MN is authenticated using the PPP-CHAP by the H-AAA (Home + AAA), via the F-AAA (Foreign AAA). + + (3) The H-AAA may optionally send the HoA and HA IP address to the + PDSN for bootstrapping the MN (skipping details). + + + + + + + + + + + + +Patil & Dommety Informational [Page 12] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + Mobile IPv6 Authentication: + + The call flow for the initial authentication (the numbers in the + parentheses correspond to the explanation below): + + MN HA H-AAA + | BU to HA (4) | RADIUS Access-ReQ(5) + |------------------------------------>|------------------->|(6) + | (includes NAI option, MN-ID option, | | + | Mesg ID option, MN-AAA auth option) |RADIUS Access Accept|(7) + | + |<-------------------| + | | | + | HA/AAAH authenticates MN + | + | |(8) + | + | | + | + | BAck to MN (9) | + | + |<------------------------------------|--------------------| + | (including MN-ID option, | (10) + | Message ID option, | + | MN-HA auth options) | | + + Figure 3: Flow Diagram for Initial Authentication + + (4) The MN sends a Binding Update (BU) to the HA. The Binding + Update is authenticated using the MN-AAA option. The + authenticator in the MN-AAA option is calculated using the hash + of the BU and MN-AAA shared key. It uses the HMAC_SHA1 + algorithm. The Security Parameter Index (SPI) field in MN-AAA + is set to 3 (as per [RFC4285]). The BU also includes the NAI + and timestamp, among other details. The hash of the BU includes + the 'timestamp' option and thus provides proof of liveness to + prevent replay. + + (5) The HA, on receiving the BU, extracts the NAI, timestamp, and + authenticator from the MN-AAA option, and generates the hash of + the BU. The HA sends an Access Request to the AAA and puts this + information in 3GPP2-defined VSAs (Vendor Specific Attributes). + The NAI is inserted in the username option in the Access Request + message. The other attributes sent are: the timestamp option, + the hash of the BU (till SPI field of MN-AAA auth option), and + the authentication data from the MN-AAA auth option. + + + + + +Patil & Dommety Informational [Page 13] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + (6) AAA (RADIUS server that interprets these attributes) + authenticates the MN based on the hash of the BU and the + authenticator. Proceed to step 7. + + (7) AAA calculates a session key based on the MN-AAA shared secret + and timestamp, and sends this to the HA in an Access Accept (in + a 3GPP2-defined VSA). + + (8) The HA creates a binding and a security association per + Authentication Protocol for MIPv6 [RFC4285]. The key for this + association is retrieved from the Access Accept and is referred + to as the session key. The HA associates a fixed SPI of 5 with + this SA, and is associated with the binding for the MN. (The + description of this step skips the details for timestamp + processing at the HA.) + + (9) The HA sends a Binding Acknowledgement (BAck) to the MN. The + BAck has the MN-HA authentication option, authenticated using + the session key. This option has the SPI set to 5. + + (10) On receiving a BAck, the MN calculates the session key (using + the same method as AAA) and associates it with an SPI value of + 5. + + The MN derives the session key and SA using the timestamp in the BU + that the MN sent and the MN-AAA shared key. The MN uses this key to + authenticate the MN-HA option in the Binding Ack. If authentication + is successful, the MN creates a security association with SPI=5. + This key is used to authenticate further BUs to the HA using the + MN-HA auth option. Once the binding lifetime expires and the binding + is deleted, the binding as well as the security association based on + the integrity key is removed at the MN and HA. + + Migration from MobileIPv4 to MobileIPv6 utilizes the same network + architecture and, specifically, the same AAA infrastructure. Thus, + it is natural to have similar signaling in MIPv6 as in MIPv4, + specifically the authentication with AAA infrastructure. + +7. Limitations of the Authentication Protocol Option + + While the authentication protocol as specified in [RFC4285] provides + Mobile IPv6 [RFC3775] deployments a certain degree of flexibility, it + does have a few disadvantages as well. These are: + + (1) The route optimization feature specified in RFC 3775 requires a + secure transport (IPsec/ESP (Encapsulating Security Payload) + mode) between the MN and HA. In cases where the authentication + protocol [RFC4285] is used as the means for securing the MIPv6 + + + +Patil & Dommety Informational [Page 14] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + signaling between the MN and HA, route optimization should be + switched off unless the security of the signaling between the MN + and HA can be guaranteed via other means (such as link-layer + security in the case of 3GPP2 networks). + + (2) The MIPv6 protocol is responsible for the security of the + signaling messages as opposed to relying on IPsec for providing + the security. + + (3) In 3GPP2 networks, link-layer security mechanisms, ingress + filtering at the PDSN, and various network domain security + mechanisms largely ensure that reverse tunnelled packets + received by the HA do not have spoofed source addresses, and + that their contents have not been modified. This implies the HA + can determine the specific MN that sent the packet simply by + verifying the outer-source IP address matches the currently + registered care-of address. Authentication of payload packets + can be necessary for, e.g.: + + - Authenticating signaling messages other than BU/BAck + between the MN and HA, such as ICMPv6, MLD, and DHCPv6. + + - Enforcing access control to the network behind the HA. + + - Accounting or other flow-specific processing performed by + the HA. + + This means the authentication option is of limited + applicability in environments where the HA can receive + reverse-tunneled packets with spoofed source IP addresses + and/or modified contents. + + (4) As described in [RFC4285], the authentication option assumes + that the MN-AAA shared key and security association are created + by out-of-band mechanisms. These mechanisms are specific to + specific deployment environments. IKEv2, on the other hand, + supports a wide range of authentication mechanisms, such as + certificates and Extensible Authentication Protocol (EAP) + methods, and is independent of the access network technology + being used. However, it would be possible to specify a similar + authentication and key management protocol for the + authentication option in the future. + + (5) Sending the long-term user identity (NAI) in the clear raises + privacy concerns. These concerns are addressed by access + network and network domain security mechanisms in 3GPP2 + networks, but do limit the applicability in networks where + sniffing other users' traffic is possible. + + + +Patil & Dommety Informational [Page 15] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + (6) RFC 4285 does not specify a mechanism for creating the MN-HA + shared key and SA from the MN-AAA SA (unlike similar Mobile IPv4 + mechanisms defined in [RFC3957]), and thus relies on deployment- + specific mechanisms not standardized in the IETF. + + (7) The authentication option does not support negotiation of + cryptographic algorithms. + + (8) The replay protection mechanisms in [RFC4285] rely on + timestamps, and thus require reasonably synchronized clocks (by + default, +/- 7 seconds). This assumes the MN implements, and is + configured to use, some mechanism for synchronizing its clock. + +8. Security Considerations + + When MIPv6 signaling messages use IPsec with ESP encapsulation, they + are accorded privacy on the links over which the messages traverse. + When MIPv6 signaling messages are secured using the authentication + protocol, such ciphering capability will have to be enabled by the + underlying link layers. It should be noted that the MIPv6 signaling + messages are susceptible to snooping/sniffing when the authentication + protocol [RFC4285] is used. Route optimization messages need to be + secured between the MN and HA and this is not possible with the + authentication protocol. However, route optimization is not + supported in the current specification of the authentication protocol + in [RFC4285]. + + Security issues with RFC 4285 are specifically: + + 1. Key length. This is being addressed in [AUTH-PRO]. + + 2. The keys used for securing the signaling between the MN and HA + are derived from a security association that exists between the + MN and AAA. The MIPv6 keys, which are bootstrapped from the MN- + AAA SA, are transient. Limiting the lifetime of the keys to + shorter periods should be recommended. + + 3. Location privacy is an issue in the absence of lower-layer + security in the case of shared links. + +9. Conclusion + + Mobile IPv6 was published as a Standards Track RFC [RFC3775] in 2004. + Deployment of this protocol on a large scale is in the interest of + the IETF and the working group, as well as that of many people who + have worked on this. A rigid model for deployment will cause the + protocol to be limited to an academic exercise only. It is extremely + critical that the working group consider the needs of the industry + + + +Patil & Dommety Informational [Page 16] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + + and the deployment scenarios, and address them accordingly. This + document captures the reasoning behind the need for the + authentication protocol, which has been published as RFC 4285. RFC + 4877 has alleviated some of the issues that have been of primary + concern and were motivators for the authentication protocol. + However, the IETF should consider the architectures of networks such + as 3GPP2 and WiMAX and their security models, and enable deployment + of Mobile IPv6 without requiring IPsec. + +10. Acknowledgements + + The authors would like to thank Alpesh Patel, AC Mahendra, Kuntal + Chowdhury, and Vijay Devarapalli for their input and discussions. + Jari Arkko has reviewed the ID and provided valuable feedback. + Thomas Narten has provided valuable reviews and made significant + improvements to the text in this document. In his role as the IETF + liaison to 3GPP2, Thomas Narten has ensured that the IETF understands + the 3GPP2 requirements. Pasi Eronen, in his role as the Security AD, + has reviewed and helped improve the document. Vidya Narayanan has + reviewed the document from a security directorate perspective and + provided input that has been incorporated. + +11. References + +11.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to + Indicate Requirement Levels", BCP 14, + RFC 2119, March 1997. + + [RFC3736] Droms, R., "Stateless Dynamic Host + Configuration Protocol (DHCP) Service for + IPv6", RFC 3736, April 2004. + + [RFC3775] Johnson, D., Perkins, C., and J. Arkko, + "Mobility Support in IPv6", RFC 3775, + June 2004. + + [RFC3776] Arkko, J., Devarapalli, V., and F. Dupont, + "Using IPsec to Protect Mobile IPv6 Signaling + Between Mobile Nodes and Home Agents", + RFC 3776, June 2004. + + [RFC4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., + and K. Chowdhury, "Mobile Node Identifier + Option for Mobile IPv6 (MIPv6)", RFC 4283, + November 2005. + + + + +Patil & Dommety Informational [Page 17] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + +11.2. Informative References + + [3GPP2 X.S0011-002-D] 3GPP2 X.S0011-002-D, "cdma2000 Wireless IP + Network Standard: Simple IP and Mobile IP + Access Services", http://www.3gpp2.org/ + Public_html/specs/ + X.S0011-002-D_v1.0_060301.pdf, February 2006. + + [AUTH-PRO] Patel, A., Leung, K., Khalil, M., Akhtar, H., + and K. Chowdhury, "Authentication Protocol for + Mobile IPv6", Work in Progress, July 2008. + + [BOOT] Chowdhury, K. and A. Yegin, "MIP6- + Bootstrapping for the Integrated Scenario", + Work in Progress, April 2008. + + [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. + Soliman, "Neighbor Discovery for IP version 6 + (IPv6)", RFC 4861, September 2007. + + [RFC3957] Perkins, C. and P. Calhoun, "Authentication, + Authorization, and Accounting (AAA) + Registration Keys for Mobile IPv4", RFC 3957, + March 2005. + + [RFC4285] Patel, A., Leung, K., Khalil, M., Akhtar, H., + and K. Chowdhury, "Authentication Protocol for + Mobile IPv6", RFC 4285, January 2006. + + [RFC4877] Devarapalli, V. and F. Dupont, "Mobile IPv6 + Operation with IKEv2 and the Revised IPsec + Architecture", RFC 4877, April 2007. + + [RFC5026] Giaretta, G., Kempf, J., and V. Devarapalli, + "Mobile IPv6 Bootstrapping in Split Scenario", + RFC 5026, October 2007. + + [WiMAX-NWG] "WiMAX Network Architecture - WiMAX End-to-End + Network Systems Architecture", May 2008, <http + ://www.wimaxforum.org/documents/documents/ + WiMAX_Forum_Network_Architecture_Stage_2- + 3_Rel_1v1.2.zip>. + + + + + + + + + +Patil & Dommety Informational [Page 18] + +RFC 5419 Why Authdata Option for MIPv6 January 2009 + + +Authors' Addresses + + Basavaraj Patil + Nokia + 6021 Connection Drive + Irving, TX 75039 + USA + + EMail: basavaraj.patil@nokia.com + + + Gopal Dommety + Cisco + 170 West Tasman Drive + San Jose, CA 95134 + USA + + EMail: gdommety@cisco.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Patil & Dommety Informational [Page 19] + |