diff options
Diffstat (limited to 'doc/rfc/rfc3543.txt')
-rw-r--r-- | doc/rfc/rfc3543.txt | 1851 |
1 files changed, 1851 insertions, 0 deletions
diff --git a/doc/rfc/rfc3543.txt b/doc/rfc/rfc3543.txt new file mode 100644 index 0000000..dd7142a --- /dev/null +++ b/doc/rfc/rfc3543.txt @@ -0,0 +1,1851 @@ + + + + + + +Network Working Group S. Glass +Request for Comments: 3543 Sun Microsystems +Category: Standards Track M. Chandra + Cisco Systems + August 2003 + + + Registration Revocation in Mobile IPv4 + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + This document defines a Mobile IPv4 Registration Revocation mechanism + whereby a mobility agent involved in providing Mobile IP services to + a mobile node can notify the other mobility agent providing Mobile IP + services to the same mobile node of the termination of this + registration. The mechanism is also usable by a home agent to notify + a co-located mobile node of the termination of its binding as well. + Moreover, the mechanism provides for this notification to be + acknowledged. A signaling mechanism already defined by the Mobile + IPv4 protocol is leveraged as a way to inform a mobile node of the + revocation of its binding. + +Table of Contents + + 1. Introduction and Applicability . . . . . . . . . . . . . . . . 2 + 2. Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Registration Revocation Extensions and Messages. . . . . . . . 4 + 3.1. Advertising Registration Revocation Support. . . . . . . 5 + 3.2. Revocation Support Extension . . . . . . . . . . . . . . 6 + 3.3. Registration Revocation Message. . . . . . . . . . . . . 8 + 3.4. Registration Revocation Acknowledgment Message . . . . . 11 + 3.5. Replay Protection. . . . . . . . . . . . . . . . . . . . 14 + 4. Registration Revocation Overview . . . . . . . . . . . . . . . 15 + 4.1. Mobile Node Notification . . . . . . . . . . . . . . . . 15 + 4.2. Registration Revocation Mechanism - Agent Notification . 17 + 4.2.1. Negotiating Revocation Support . . . . . . . . . 17 + + + +Glass & Chandra Standards Track [Page 1] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + 4.2.2. Home Domain Revoking a Registration. . . . . . . 19 + 4.2.2.1. Home Agent Responsibilities. . . . . . 19 + 4.2.2.2. Foreign Agent Responsibilities . . . . 20 + 4.2.2.3. 'Direct' Co-located Mobile Node + Responsibilities . . . . . . . . . . . 20 + 4.2.3. Foreign Domain Revoking a Registration . . . . . 21 + 4.2.3.1. Foreign Agent Responsibilities . . . . 21 + 4.2.3.2. Home Agent Responsibilities. . . . . . 22 + 4.2.4. Mobile Node Deregistering a Registration . . . . 23 + 4.3. Mobile IP Registration Bits in the Revocation Process. . 23 + 4.3.1. The 'R' Bit in Use . . . . . . . . . . . . . . . 23 + 4.3.2. The 'D' Bit in Use (co-located mobile nodes) . . 23 + 5. Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . 24 + 6. Security Considerations. . . . . . . . . . . . . . . . . . . . 24 + 6.1. Agent Advertisements . . . . . . . . . . . . . . . . . . 24 + 6.2. Revocation Messages. . . . . . . . . . . . . . . . . . . 25 + 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 27 + 7.1. New Message Types. . . . . . . . . . . . . . . . . . . . 27 + 7.2. New Extension Values . . . . . . . . . . . . . . . . . . 27 + 7.3. New Error Codes. . . . . . . . . . . . . . . . . . . . . 27 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 8.1. Normative (Numerical References) . . . . . . . . . . . . 27 + 8.2. Informational (Alphabetical References). . . . . . . . . 28 + Appendix A An Example of the New Messages in Use. . . . . . . . . 29 + A.1. The Registration Phase . . . . . . . . . . . . . 29 + A.2. The Revocation Phase . . . . . . . . . . . . . . 29 + Appendix B Disparate Address, and Receiver Considerations . . . . 30 + Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . 32 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32 + Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 33 + +1. Introduction and Applicability + + Mobile IP [1] defines registration of a mobile node's location to + provide connectivity between the mobile node and its home domain, + facilitating communication between mobile nodes and any correspondent + node. At any time, either the home or foreign agent may wish to + cease servicing a mobile node, or for administrative reasons may no + longer be required to service a mobile node. + + This document defines a general registration revocation mechanism for + Mobile IPv4, whereby a mobility agent can notify another mobility + agent (or a 'direct' co-located mobile node) of the termination of + mobility bindings. A mobility agent that receives a revocation + notification no longer has to provide services to the mobile node + whose registration has been revoked. A signaling mechanism already + defined by the Mobile IPv4 protocol [1] is leveraged as a way to + inform a mobile node of the revocation of its binding. + + + +Glass & Chandra Standards Track [Page 2] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + The registration revocation protocol provides the following + advantages: + + 1. Timely release of Mobile IP resources. Resources being consumed + to provide Mobile IP services for a mobile node that has stopped + receiving Mobile IP services by one agent, can be reclaimed by the + other agent in a more timely fashion than if it had to wait for + the binding to expire. This also applies to the case in which a + mobile node roams away from a foreign agent to another foreign + agent. Notification to the previous foreign agent would allow it + to reclaim resources. + + 2. Accurate accounting. This has a favorable impact on resolving + accounting issues with respect to the length of mobility bindings + in both domains, as the actual end of the registration is relayed. + + 3. Earlier adoption of domain policy changes with regards to services + offered/required of a Mobile IP binding. For example, the home + domain may now require reverse tunnels [C], yet there are existing + bindings that do not use them. Without a revocation mechanism, + new services can only be put in place or removed as bindings are + re-registered. + + 4. Timely notification to a mobile node that it is no longer + receiving mobility services, thereby significantly shortening any + 'black-hole' periods to facilitate a more robust recovery. + + The revocation protocol is an active, yet unobtrusive mechanism + allowing more timely communication between the three Mobile IP + entities in the various administrative domains. Since many mobile + nodes may not understand the concept of revocation, care has been + taken to ensure backwards compatibility with [1]. + + The registration revocation protocol does not replace the methods + described in [1] for Mobile IP deregistration, as the purpose of + these mechanisms is fundamentally different. Deregistration messages + are used by a mobile node to inform its home agent that it has e.g., + roamed back to its home subnet, whereas revocation messages are used + between mobility agents to signal the termination of mobility + bindings. More specifically, the revocation message defined here is + NOT for use by 'direct' co-located mobile nodes that are terminating + their registration as deregistration messages are already sufficient + for this purpose. A 'direct' co-located mobile node, however, may + wish to process revocation messages as it is a useful mechanism to + trigger the re-negotiation of required services from the home domain. + + + + + + +Glass & Chandra Standards Track [Page 3] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +2. Terminology + + It is assumed that the reader is familiar with the terminology used + in [1]. In addition, the following terms are defined: + + 'Direct' Co-located Mobile Node + + A mobile node registering directly with its home agent, with the + 'D' bit set in its registration request, and NOT registering + through a foreign agent. + + Mobile IP Resources + + Various functional elements allocated by a mobility agent to + support a Mobile IP binding, e.g., memory. + + Mobile IP Services + + Various responsibilities of a mobility agent in supporting a + mobile node as defined in [1], e.g., encapsulation of packets + addressed to a mobile node by a home agent, decapsulation of these + packets by a foreign agent for delivery to a mobile node, etc. + + Mobility Agent + + The home agent or foreign agent as specified in [1]. + + Revocation + + Premature termination of a mobility binding. + + The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in BCP 14, RFC 2119 [3]. + +3. Registration Revocation Extensions and Messages + + Registration revocation in Mobile IPv4 is accomplished via the + following: + + - Advertising Registration Revocation Support (Section 3.1.): + + o A flag in the Agent Advertisement extension has been reserved + for agents to advertise their support of revocation messages. + + + + + + + +Glass & Chandra Standards Track [Page 4] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + - Revocation Support Extension (Section 3.2.): + + o This extension is appended to a registration request or + registration reply by a mobility agent to indicate its support + of registration revocation. + + o This extension is appended to a registration request by a + 'direct' co-located mobile node to indicate its understanding + of revocation messages. + + - Registration Revocation Message (Section 3.3.): + + o A message sent by a mobility agent to inform another mobility + agent, or a 'direct' co-located mobile node, that it has + revoked the binding of a mobile node. + + - Registration Revocation Acknowledgment Message (Section 3.4.): + + o A message sent by mobility agents or 'direct' co-located mobile + nodes to indicate the receipt of a revocation message. + + Security considerations related to the above messages and extensions + are covered in Section 6. + +3.1. Advertising Registration Revocation Support + + Mobility agents can advertise their support of registration + revocation with a modification to the Mobility Agent Advertisement + extension described in [1]. An 'X' bit is introduced to indicate an + agent's support for Registration Revocation. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Sequence Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Registration Lifetime |R|B|H|F|M|G|r|T|U|X| reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | zero or more Care-of Addresses | + | ... | + + X The mobility agent supports Registration Revocation + + A foreign agent that sets the 'X' bit in an agent advertisement + extension MUST support registration revocation messages on that link, + specifically the Revocation Support Extension (section 3.2.), + Revocation Messages (section 3.3.), and Revocation Acknowledgment + + + + +Glass & Chandra Standards Track [Page 5] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + (section 3.4.). It is not required that all agents advertising on + the same link support registration revocation, nor is it required + that an agent advertise this support on all of its links. + + Note that using this information, a mobile node can select a foreign + agent that supports Registration Revocation. Should a mobile node + not understand this bit, it simply ignores it as per [1]. + + As a bit in the agent advertisement, use of the 'X' bit has no impact + on other messages, such as e.g., Challenge-Response [2]. + +3.2. Revocation Support Extension + + The Mobile IP revocation support extension indicates support of + registration revocation, and so MUST be attached to a registration + request or registration reply by any entity that wants to receive + revocation messages. Normally, this is either a foreign agent, or a + home agent. However a 'direct' co-located mobile node MAY also + include a revocation support extension in its registration request. + A mobile node which is not co-located MUST NOT include a Revocation + Support Extension in its registration. + + A foreign agent advertising the 'X' bit on the link on which the + registration request was received, and that has a security + relationship with the home agent identified in the same registration + request, MUST attach a revocation support extension to the forwarded + registration request. A home agent that receives a registration + request that does not contain a revocation extension SHOULD NOT + include a revocation support extension in the associated registration + reply. + + The format of the revocation support extension is based on the Type- + Length-Value Extension Format given in [1] and is defined as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length |I| Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Timestamp | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type 137 + + + + + + + + +Glass & Chandra Standards Track [Page 6] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + Length + Length (in bytes, currently 6). Does NOT include Type + and Length fields (in accordance with section 1.9. of + [1]). This allows for a longer extension length should + more bits be required in the future. + + Timestamp + Current 4-byte timestamp of the mobility agent or + 'direct' co-located mobile node. This is used to + identify the ordering of registrations as they are + forwarded, how they relate to the sending of any + revocation messages, and to identify the approximate + offset between the clocks of the mobility agents + providing support for this binding, or between a 'direct' + co-located mobile node and its home agent. + + 'I' Bit + This bit is set to '1' by a mobility agent to indicate it + supports the use of the 'I' bit in revocation messages + (section 3.3.) + + When sent by a foreign agent in a registration request: + + If set to 1, the FA is willing to have the home agent use + the 'I' bit in the revocation process to determine + whether the mobile node should be informed of the + revocation or not. + + If set to 0, indicates to the home agent that the foreign + agent will follow its own policy with regards to + informing the mobile node in the event of a revocation. + + When sent by a home agent in response to a revocation + extension in which the 'I' bit was set to '1': + + If set to 1, the home agent agrees to use the 'I' bit in + the revocation process to indicate to the foreign agent + whether or not the mobile node should be informed. + + If set to 0, the home agent will not use the 'I' bit in + the revocation process, thereby yielding to the foreign + agent's default behavior with regard to informing the + mobile node. + + To preserve the robustness of the protocol, the + recommended default behavior for a foreign agent is to + inform the mobile node of its revocation as described in + Section 4.1. + + + +Glass & Chandra Standards Track [Page 7] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + Reserved + Reserved for future use. MUST be set to 0 on sending, + MUST be ignored on receiving. + + When appearing in a registration request, or registration reply, the + Mobile IP revocation support extension MUST be protected either by a + foreign-home authentication extension, a mobile-home authentication + extension, or any other equivalent mechanism [1], e.g., via AAA [A], + [B], or perhaps IPsec. If the extension appearing in either of these + registration messages is NOT protected, the appropriate action as + described by [1] (Sections 3.8.2.1. and Sections 3.7.3.1.) MUST be + taken. + + Support of the 'I' bit is OPTIONAL. If a mobility agent does not + support the specified functionality, it MUST set the 'I' bit to zero. + Note that the home agent setting the 'I' bit to '1' in response to a + revocation extension from the foreign agent in which the 'I' bit was + set to '0' is undefined, and SHOULD NOT be done. + + 'I' bit support has been negotiated when both agents have set the 'I' + bit to '1' in their revocation support extensions. + + It is important to note that this extension is skippable (i.e., if + the receiving mobility agent does not understand this extension, it + MUST skip it, and continue processing the remainder of the + registration request). + +3.3. Registration Revocation Messages + + A revocation message is sent by a mobility agent to inform another + mobility agent, or a 'direct' co-located mobile node, that it is + revoking the binding of a mobile node. + + IP Fields: + + Source Address In the case of the home agent issuing the + registration revocation, the address + registered with the care-of address as that + of the home agent (that is the address + identified as the home address of this + binding). + + In the case of the foreign agent issuing the + registration revocation, the address + registered with the home agent as the care-of + address. + + + + + +Glass & Chandra Standards Track [Page 8] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + Destination Address In the case of the home agent issuing the + registration revocation, the source address + of the last approved registration request for + this binding, i.e., the destination address + of the last registration reply indicating + success for this binding. + + In the case of the foreign agent issuing the + registration revocation, the address + registered as that of the home agent by the + mobile node whose registration is being + revoked. + + UDP Fields: + + Source Port variable + + Destination Port 434 + + The UDP header is followed by the Mobile IP fields shown below: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Reserved |A|I| Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Home Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Home Domain Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Foreign Domain Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Revocation Identifier | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Extensions... + +-+-+-+-+-+-+-+-+-+-+-+-+- + | Authenticator... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Type 7 + + Reserved MUST be sent as 0, ignored when received. + + A Agent bit ('direction' bit). + + This bit identifies the role of the agent sending the + revocation, that is the 'direction' of the revocation + message. This is useful for detecting reflection + + + +Glass & Chandra Standards Track [Page 9] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + attacks, particularly when symmetric keying is being + used. + + Set to '0' if the revoking agent is servicing this + binding as a foreign agent. + + Set to '1' if the revoking agent is servicing this + binding as a home agent. + + I Inform bit. + + This bit MUST NOT be set to '1' unless 'I' bit support + was negotiated in the revocation extension messages + passed in the registration process, otherwise the results + can be unpredictable. + + When sent by the home agent to a foreign agent: + + Set to '0' to request that the mobile node SHOULD NOT be + informed of the revocation, or because the use of the 'I' + bit was not agreed upon. + + Set to '1' to request that the mobile node be informed of + the revocation. + + When sending a revocation message to a 'direct' co- + located mobile node, this bit is essentially irrelevant, + but SHOULD be set to '1'. + + When sent by the foreign agent: + + Set to '0' to indicate that the foreign agent is using + foreign domain policy as to whether or not the mobile + node should be informed of the revocation, or because 'I' + bit support was not agreed upon. + + Set to '1' to ask the home agent if the mobile node + should be informed of the revocation. + + Reserved + MUST be sent as 0, ignored when received. + + Home Address + The home IP address of the mobile node whose registration + is being revoked. + + + + + + +Glass & Chandra Standards Track [Page 10] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + Foreign Domain Address + The relevant IP address in the foreign domain to identify + which binding is being revoked. This is one of the + following: (i) the foreign agent's IP address, or (ii) + the co-located care-of address. + + Home Domain Address + The IP address of the home agent to identify which + binding is being revoked. + + Revocation Identifier + Protects against replay attacks. The revoking agent MUST + insert its current 4-byte timestamp running off the same + clock as it is using to fill in the timestamp in its + revocation extensions. See section 3.5. + + A registration revocation message MUST be protected by either a valid + authenticator as specified in [1], namely a home-foreign + authenticator, if the communication is between home and foreign + agents, or a mobile-home authenticator if the communication is being + sent from a home agent to a 'direct' co-located mobile node, or + another security mechanism at least as secure, and agreed upon by the + home and foreign domains, e.g., IPsec. If any agent, or 'direct' + co-located mobile node, receives a registration revocation message + that does not contain a valid authenticator, and is not adequately + protected, the revocation message MUST be ignored, and silently + discarded. + + A revocation message MUST NOT be sent for any registration that has + expired, and MAY only be sent prior to the expiration of a mobile + node's registration. Note, however, due to the nature of datagram + delivery, this does not guarantee these messages will arrive before + the natural expiration of any binding. + + An agent MUST NOT send more than one revocation message or + registration message per second for the same binding. Note that this + updates [1] by including revocation messages in the rate limit + specified in [1], i.e., that an agent MUST NOT send more than one + registration message per second for the same binding. + + An example of the use of revocation messages is given in Appendix A. + +3.4. Registration Revocation Acknowledgment Message + + A revocation acknowledgment message is sent by mobility agents or + 'direct' co-located mobile nodes to indicate the successful receipt + of a revocation message. + + + + +Glass & Chandra Standards Track [Page 11] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + IP fields: + + Source Address Copied from the destination address of the + received registration revocation message for + which this registration revocation + acknowledgment message is being generated. + + Destination Address Copied from the source address of the + received registration revocation message for + which this registration revocation + acknowledgment message is being generated. + + UDP fields: + + Source Port 434 (copied from the destination port of the + revocation message). + + Destination Port Copied from the source port of the revocation + message. + + The UDP header is followed by the Mobile IP fields shown below: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Reserved |I| Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Home Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Revocation Identifier | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Extensions... + +-+-+-+-+-+-+-+-+-+-+-+-+- + | Authenticator... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Type 15 + + Reserved + MUST be sent as 0, ignored when received. + + I Inform bit. + + The 'I' bit MUST NOT be set to '1' in the revocation + acknowledgment messages unless it was set to '1' in the + revocation message. If an agent receives a revocation + acknowledgment message in which the 'I' bit is set to + '1', but for which the revocation message being + + + +Glass & Chandra Standards Track [Page 12] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + acknowledged had the 'I' bit set to '0', the 'I' bit in + the revocation acknowledgment message MUST be ignored. + + When sent by the home agent: + + Set to '1' by the home agent to request the foreign agent + inform the mobile node of the revocation. + + Set to '0' by the home agent to request the foreign agent + not inform the mobile node of the revocation. + + When sent by a foreign agent: + + Set to '1' to indicate to the home agent that the mobile + node was informed. + + Set to '0' to indicate to the home agent that the foreign + agent used local policy to determine whether or not the + mobile node should be informed. For purposes of protocol + robustness, it is highly recommended that such a default + be set for the foreign agent to inform the mobile node of + the revocation. + + Reserved + MUST be sent as 0, ignored when received. + + Home Address + The home address copied from the revocation message for + which this acknowledgment is being sent. + + Revocation Identifier + Copied from the Revocation Identifier of the revocation + message for which this acknowledgment is being sent. See + Section 3.5. + + A registration revocation acknowledgment message MUST be sent in + response to a valid and authenticated registration revocation + message. + + A registration acknowledgment message MUST be protected by either a + valid authenticator as specified in [1], namely a home-foreign + authenticator if the communication is between home and foreign + agents, or a mobile-home authenticator if the communication is + between home agent and 'direct' co-located mobile node, or another + security mechanism at least as secure and agreed upon by the home and + foreign domains, e.g., IPsec. + + + + + +Glass & Chandra Standards Track [Page 13] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + An example of the use of Revocation Acknowledgment Messages is given + in Appendix A. + +3.5. Replay Protection + + As registration revocation messages are designed to terminate service + for a mobile node, or multiple mobile nodes simultaneously, replay + protection is crucial to prevent denial of service attacks by + "malicious repeaters" - those who store datagrams with the intent of + replaying them at a later time, or by "malicious reflectors" - those + who reflect packets back at their original source (both a form of + "active" attack). See Section 6. for a discussion of these security + considerations. + + All Revocation Messages and Revocation Acknowledgment Messages MUST + be authenticated as well be replay-protected. The order in which + they are done, however, is up to implementation. + + Replay protection is handled with a simple timestamp mechanism, using + a single 32-bit identifier field in the registration revocation + message, in conjunction with the home address field, to associate any + revocation acknowledgment messages with its revocation messages. To + do this: + + - The revoking agent sets the 'A' bit to its agent-type, and the + Revocation Identifier field in the registration revocation message + to a valid 32-bit timestamp from the same clock it is using to set + the timestamp field of its revocation extensions included in + registration messages. + + - Upon receipt of an authenticated revocation message, the receiving + agent (or 'direct' co-located mobile node) MUST check the value of + the 'A' bit, and Revocation Identifier to make sure this + revocation message is not a replay of an old revocation message + received from the same agent. The receiving agent MUST also check + that the message is not a reflection of a revocation message it + sent in relation to the identified binding. If the 'A' bit and + Identifier field imply this packet is a replay, the revocation + message MUST be silently discarded. + + - When building a revocation acknowledgment message, the + acknowledging agent (or 'direct' co-located mobile node) copies + the values of the Home Address and Revocation Identifier fields + from the revocation message into the Home Address and the + Revocation Identifier of the revocation acknowledgment message. + This is so the revoking agent can match this revocation + acknowledgment to its corresponding revocation message. + + + + +Glass & Chandra Standards Track [Page 14] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + - Upon receiving a valid revocation acknowledgment, the revoking + agent MUST check the Home Address and Identifier fields to make + sure they match those fields from a corresponding revocation + message it sent to the acknowledging agent. If not, this + revocation acknowledgment message MUST be silently discarded. + + Note that since the Identifier in an incoming revocation message is a + 32-bit timestamp, it is possible for an agent to check the validity + of the Identifier fields without having to remember all identifiers + sent by that corresponding agent. + + Note: as it is possible for a mobile node to register at different + times with different home agents, and at different times with + different foreign agents, it is crucial that it not be required that + the Identifier fields be unique in messages from different agents as + there is no guarantee that clocks on different agents will be + synchronized. For example, if a mobile node has simultaneous + bindings with multiple foreign agents, and if revocation messages are + received by more than one such foreign agent "simultaneously", it is + possible the revocation message from one of these foreign agents may + contain Identifier fields that happen to match those of any or all + the other foreign agents. This MUST NOT result in any of these + revocation messages being ignored. + +4. Registration Revocation Overview + + Registration Revocation consists of two distinct pieces: a signaling + mechanism between tunnel endpoints, and a signaling mechanism between + foreign agent and mobile node. A 'direct' co-located mobile node MAY + implement revocation extensions and revocation acknowledgment in + order to receive and respond to revocation messages from its home + agent, however, a 'direct' co-located mobile node MUST NOT send a + revocation message as de-registration messages defined in [1] are + sufficient for this purpose. + + For further discussion on security issues related to registration + revocation, refer to Section 6. + +4.1. Mobile Node Notification + + A mechanism which provides a foreign agent a way to actively notify a + mobile node that its binding has been reset already exists in [1], + though it has been overlooked for this purpose. + + A brief overview of the mechanics of the sequence number in agent + advertisement from [1] is given so that the mechanism by which the + foreign agent 'implies' to the mobile node that its binding is no + longer active is clearly understood. + + + +Glass & Chandra Standards Track [Page 15] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + When a foreign agent begins sending agent advertisements, it starts + with a sequence number of 0, and [monotonically] increments the + sequence number with each subsequent agent advertisement. In order + for a mobile node to be able to distinguish between a foreign agent + that has simply exhausted the sequence number space from one which + has been reset, when the agent increments the sequence number counter + past its maximum value, it sets the sequence number to 256 instead of + rolling to 0 [1]. In this way, a mobile node would have to miss, at + that time, 256 advertisements in a row to mistake a reset as a roll- + over. Moreover, the lifetimes contained within an agent + advertisement should be set in such a way that when a mobile node + believes it has missed 3 beacons, the entry for this foreign agent + should time out, and if the mobile node is registered there, it + should send an agent solicitation [1]. If, however, an agent is + somehow reset, it will begin advertising with a sequence number of 0, + and the mobile node can presume this foreign agent has lost its + binding, and the mobile node SHOULD re-register to make sure it is + still obtaining Mobile IP services through this foreign agent. + + Leveraging this mechanism, a foreign agent may consciously notify all + mobile nodes currently bound to it that it has "reset" all of their + bindings, even if the agent itself has not been reset, by simply + [re]setting the sequence number of the next agent advertisement to 0. + Moreover, a foreign agent may inform all mobile nodes currently bound + to it that they should re-register with a different foreign agent by + simultaneously setting the 'B' bit in the advertisement to 1, + indicating this foreign agent is busy and is not accepting new + registrations [1]. In these situations, any mobile node in + compliance with [1] will presume this foreign agent has lost its + binding, and must re-register if they wish to re-establish Mobile IP + functionality with their home subnet. + + To indicate to any registered mobile node that its binding no longer + exists, the foreign agent with which the mobile node is registered + may unicast an agent advertisement with the sequence number set to 0 + to the mobile node [1], [D]. Moreover, if such a foreign agent + wishes to indicate to the mobile node that its binding has been + revoked, and that the mobile node should not attempt to renew its + registration with it, the foreign agent MAY also set the 'B' bit to 1 + in these agent advertisements, indicating it is busy, and is not + accepting new registrations [1]. All mobile nodes compliant with [1] + will understand that this means the agent is busy, and MAY either + immediately attempt to re-register with another agent in their + foreign agent cache, or MAY solicit for additional agents. In the + latter case, a foreign agent can optionally remember the mobile + node's binding was revoked, and respond to the solicit in the same + way, namely with the 'B' bit set to 1. It should be noted, though, + that since the foreign agent is likely to not be setting the 'B' bit + + + +Glass & Chandra Standards Track [Page 16] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + to 1 in its broadcasted agent advertisements (sent to the entire + link), the revoked mobile node, upon hearing this agent's multicast + agent advertisement without the 'B' bit set, may attempt to + [re]register with it. If this happens, depending on foreign domain + policy, the foreign agent can simply deny the mobile node with an + appropriate error code (e.g., "administratively prohibited"). At + this time, a mobile node can use foreign agent fallback to attempt to + register with a different foreign agent as described in [1]. + + Mobile nodes which understand the revocation mechanism described by + this document may understand that a unicast agent advertisement with + the sequence number reset to 0 could indicate a revocation, and may + attempt to re-register with the same foreign agent, or register with + a different foreign agent, or co-locate. + + Agent Advertisements unicast to a mobile node MUST be sent as + described in [1] in addition to any methods currently in use on the + link to make them secure or authenticatable to protect from denial- + of-service attacks. + +4.2. Registration Revocation Mechanism - Agent Notification + + A foreign agent that is currently supporting registration revocation + on a link MUST set the 'X' bit in its Agent Advertisement Extensions + being sent on that link. This allows mobile nodes requiring + Registration Revocation services to register with those foreign + agents advertising its support. + +4.2.1. Negotiation of Revocation Support + + During the registration process, if the foreign agent wishes to + participate in revocation messages with the home domain, it MUST have + an existing security association with the home agent identified in + the registration request, and append a revocation support extension + (defined in Section 3.2.) to it. If the corresponding registration + reply from this home agent does not contain a revocation support + extension, the foreign agent SHOULD assume the home agent does not + understand registration revocation, or is unwilling to participate. + If this is unacceptable to the foreign agent, it MAY deny the + registration with e.g., "Administratively Prohibited". Note that in + this case, where a security association exists, as specified in [1], + both registration request and registration reply MUST still contain + home-foreign authenticators. + + If a home agent wishes to be able to exchange revocation messages + with the foreign domain, it MUST have an existing security + association with the foreign agent who relayed the registration + request, and it MUST append a revocation support extension to the + + + +Glass & Chandra Standards Track [Page 17] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + registration reply. If the registration request from a foreign agent + did not contain a revocation support extension, the home agent SHOULD + assume the foreign agent does not understand registration revocation, + or is unwilling to participate specifically for this binding. If + this is unacceptable to the home agent, it MAY deny the registration + with e.g., "Administratively Prohibited". The home agent MAY include + a revocation support extension in the registration reply. + + If a 'direct' co-located mobile node wishes to be informed of a + released binding by its home agent, it MUST insert a revocation + support extension into the registration request. If this is + acceptable to the home agent, it MUST include a revocation support + extension in its registration reply. Note that if this is not + acceptable, the home agent MAY deny the registration, or it MAY + simply not include a revocation support extension in its registration + reply indicating to the mobile node that it will not participate in + revocation for this binding. A home agent which receives a + registration request from a 'direct' co-located mobile node which + does not contain a revocation support extension MAY deny the + registration with e.g., "Administratively Prohibited" and also MAY or + MAY NOT include a revocation support extension in the registration + reply. + + Note that a non-colocated mobile node MUST NOT insert a revocation + support extension into its registration request. If a foreign agent + receives such a registration request, it MUST silently discard it, + and MAY log it as a protocol error. + + The 'I' bit in the revocation extension is used to indicate whether + or not the decision to inform the mobile node that its binding is + terminated will be left to the home agent. This functionality is + offered by the foreign agent, and accepted by the home agent. More + precisely, by sending a revocation extension attached to a + registration request in which the 'I' bit is set to 1, the foreign + agent is indicating to the home agent that it MAY leave the decision + to inform this mobile node that its registration is terminated up to + the home agent. (The term "MAY" is used here because it is + recognized that domain policy may change during the lifetime of any + registration). The home agent can acknowledge that it wishes to do + this by setting the 'I' bit to 1, or it can indicate it will not do + so by setting the 'I' bit to 0, in the revocation extension appearing + in the registration reply. + + Revocation support is considered to be negotiated for a binding when + both sides have included a revocation support extension during a + successful registration exchange. + + + + + +Glass & Chandra Standards Track [Page 18] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +4.2.2. Home Domain Revoking/Releasing a Registration + + The following section details the responsibilities of each party + depending on the functionality negotiated in the revocation support + extensions when the home domain is revoking a registration. + +4.2.2.1. Home Agent Responsibilities + + In the case where a home agent is revoking a mobile node's binding, + and revocation support has been negotiated, the home agent MUST + notify the foreign domain address it is terminating the tunnel entry + point by sending a revocation message. Note that the foreign domain + address can either be the foreign agent care-of address, or the co- + located care-of address of a 'direct' co-located mobile node. + + As a home agent, it MUST set the 'A' bit to '1', indicating this + packet is coming from the home agent servicing this binding. + + When a revocation message is being sent to a foreign agent, and the + use of the 'I' bit was negotiated in the registration process, the + home agent MUST set the 'I' bit to 1 if the home agent would like the + foreign agent to inform the mobile node of the revocation. + Conversely, if the home agent does not want the mobile node notified, + it MUST set the 'I' bit to 0. Note that the home agent could also + set the 'I' bit to '0' because it knows the mobile node has + registered with a different foreign agent, and so there is no need + for the foreign agent to attempt a notification. + + The home agent MUST set the Identifier field as defined in Section + 3.5., and MUST include a valid authenticator as specified in Section + 3.3. + + If the home agent does not receive a revocation acknowledgment + message within a reasonable amount of time, it MUST retransmit the + revocation message. How long the home agent waits to retransmit, and + how many times the message is retransmitted is limited by the + requirement that: + + - every time the home agent is about to retransmit the revocation + message, it MUST update the value of the timestamp in the + revocation identifier with a current value from the same clock + used to generate the timestamps in the revocation extensions sent + to this foreign agent. Note that this also necessarily means + updating any fields derived using the revocation identifier (e.g., + a home-foreign authenticator). + + - the home agent MUST NOT send more than one revocation per second + for a particular binding, + + + +Glass & Chandra Standards Track [Page 19] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + - the time between retransmissions SHOULD fall-back in analogy with + the registration guidelines in [1], namely exponential backoff, + and + + - the home agent MUST NOT retransmit revocation messages beyond the + normal life of the binding identified by the revocation message. + +4.2.2.2. Foreign Agent Responsibilities + + Upon receiving a registration revocation message, the foreign agent + MUST check that the validity of the authenticator, the 'A' bit, and + the identifier field against replay as defined by Section 3.5. The + foreign agent MUST also identify the binding described by the home + agent as being released using the information in the revocation + message, namely the addresses identified by the mobile node address, + the foreign domain address, the home domain address, as well as the + timestamp in the revocation message, and also the timestamp in the + last accepted registration message; revocations are only valid for + existing registrations, and so the timestamp of a registration MUST + precede the revocation message (note that both of those timestamps + were set by the same home agent). Upon locating the binding, the + foreign agent MUST revoke it, and MUST respond with a revocation + acknowledgment sent to the source address of the revocation message. + If the 'I' bit was negotiated, the foreign agent MUST check the value + of the 'I' bit in the revocation message and act accordingly. + + If notifying the mobile node by the methods described in Section + 4.1., the foreign agent MUST set the 'I' bit to '1' in the revocation + acknowledgment to be sent to the home agent, or if not notifying the + mobile node, the foreign agent MUST set the 'I' bit to '0'. + + The foreign agent may discontinue all Mobile IP services by the + former binding at this time, and free up any resources that were + being used by it. + + The foreign agent MUST then generate a revocation acknowledgment, + setting the Home Address and Identifier field in the revocation + acknowledgment message as described by Section 3.5., and protect it + with a valid authenticator as specified in Section 3.3. + +4.2.2.3. 'Direct' co-located mobile node Responsibilities + + Upon receiving a revocation message, the 'direct' co-located mobile + node MUST validate the authenticator, and check the home address and + identifier specified in the revocation message for replay. If the + packet passes authentication, and the identifier reveals this + revocation to be new, the mobile node MUST verify that the + information contained in the revocation messages identifies the home + + + +Glass & Chandra Standards Track [Page 20] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + agent with which it has a current binding, that this binding + identifies correctly this mobile node and any foreign domain address + it is currently using. If the mobile node is able to identify such a + binding, the mobile node SHOULD first generate a revocation + acknowledgment message which MUST be sent to the IP source address of + the revocation message. The mobile node may then terminate any + reverse tunnel encapsulation [C] it is using to this home agent, and + consider its binding revoked, and free up any other resources + associated with the former binding. + +4.2.3. Foreign Domain Revoking/Releasing a Registration + + The following section details the responsibilities of each party + depending on the functionality negotiated in the revocation support + extensions when the foreign domain is revoking a registration. Note + that revocation support for a co-located mobile node registering via + a foreign agent (because the 'R' bit was set in the agent's + advertisement) is not supported. See Section 4.3.1. for details. + +4.2.3.1. Foreign Agent Responsibilities + + If the use of the 'I' bit was negotiated, and the foreign domain + policy of informing the mobile node has not changed since the last + successful registration exchange, the foreign agent MUST NOT inform + any mobile node of its revocation at this time. Instead, the foreign + agent MUST set the 'I' bit to '1' in the revocation message, thereby + asking the home agent to use the 'I' bit in the revocation + acknowledgment to indicate if it should notify the effected mobile + nodes. If the policy on the foreign domain was to not notify the + mobile node, or if it has changed since the most recent successful + registration, and the foreign agent is no longer able to use the 'I' + bit, the foreign agent MUST set the 'I' bit to '0', and follow the + policies of the foreign domain with regard to notifying the mobile + node. + + Note that the 'A' bit MUST be set to '0' to indicate that the + revocation message is coming from the foreign agent servicing this + binding. + + Before transmitting the revocation message, the foreign agent MUST + set the revocation identifier as described by section 3.5., and MUST + include an authenticator as described by section 3.3. + + If the foreign agent does not receive a revocation acknowledgment + message within a reasonable amount of time, it MUST retransmit the + revocation message. How long the foreign agent waits to retransmit, + and how many times the message is retransmitted is only limited by + the following specifications: + + + +Glass & Chandra Standards Track [Page 21] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + - every time the foreign agent is about to retransmit the revocation + message, it MUST update the value of the timestamp in the + revocation identifier with a current value from the same clock + used to generate the timestamps in the revocation extensions sent + to this home agent. Note that this also necessarily means + updating any fields derived using the revocation identifier (e.g., + a home-foreign authenticator). + + - MUST NOT send more than one revocation per second for a particular + binding, + + - SHOULD set its retransmissions to fall-back in analogy with the + registration guidelines in [1], namely exponential backoff, and + + - MUST NOT retransmit revocation messages beyond the normal life of + the binding identified by the revocation message. + +4.2.3.2. Home Agent Responsibilities + + Upon receiving a registration revocation message, the home agent MUST + check the 'A' bit, and identifier field, as well as the + authenticator. If the packet is acceptable, the home agent MUST + locate the binding identified by the foreign agent as being released + using the information in the revocation message, namely the addresses + identified by the home address, the foreign domain address and the + home domain address fields. As revocations are only valid for + existing registrations, the timestamp of a registration MUST precede + the revocation message (note that both of those timestamps were set + by the same foreign agent). Since this binding is no longer active, + the home agent can free up any resources associated with the former + binding and discontinue all Mobile IP services for it. + + Upon processing a valid registration revocation message, the home + agent MUST send a revocation acknowledgment to the IP source address + of the registration revocation message. + + If use of the 'I' bit was negotiated, and the 'I' bit is set to '1' + in the revocation message, the home agent should decide if it wants + the mobile node informed of the revocation of this binding. If it + does want the mobile node informed, it MUST set the 'I' bit in the + revocation acknowledgment message to '1'. If it does not want the + mobile node informed, it MUST set the 'I' bit to '0'. + + The home agent MUST set the Home Address, and Revocation Identifier + fields as described by Section 3.5., and protect the revocation + acknowledgment message with a valid authenticator as specified in + Section 3.3. + + + + +Glass & Chandra Standards Track [Page 22] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +4.2.4. Mobile Node Deregistering a Registration + + The cases where a mobile node is registered with its home agent, + whether it is registered directly with its home agent ('direct' co- + located mobile node), or registered via a foreign agent, and wishes + to terminate its own binding, the mobile node MUST NOT send a + revocation message, but SHOULD simply deregister the appropriate + care-of address with its home agent as described by [1]. + +4.3. Mobile IP Registration Bits in the Revocation Process + + Several of the bits used in the registration process need special + consideration when using the revocation mechanism. + +4.3.1. The 'R' Bit in Use + + If the foreign agent wishes to be able to revoke a mobile node's + registration, it MUST set the 'R' bit in its agent advertisements. + (A foreign agent advertising the 'R' bit requests every mobile node, + even one that is co-located (and whose registration would otherwise + by-pass the foreign agent), to register with the foreign agent.) + However, in this case, the foreign agent SHOULD deny a registration + request as "Administratively Prohibited" from a mobile node that is + registering in a co-located fashion. The reason being that the + foreign agent will not be able to revoke the binding of a co-located + mobile node due to reasons outlined in Section 4.3.2. + + How the foreign agent and/or foreign domain enforce the 'R' bit is + beyond the scope of this document. + +4.3.2. The 'D' bit in Use + + A mobile node registering directly with its home agent in a co- + located fashion with the 'D' bit set in its registration request is + supported in registration revocation. However, support for a co- + located mobile node (with the 'D' bit set in its registration + request) registering via a foreign agent is not supported for the + following reasons. + + Registration requests where the 'D' bit is set, and which are relayed + through a foreign agent (e.g., due to the advertising of the 'R' bit) + should theoretically contain the foreign agent address as the source + address of the registration request when received by the home agent. + A home agent may conclude that the source address of this + registration request is not the same as the co-located care-of + address contained in the registration request, and is therefore + likely to be the address of the foreign agent. However, since there + is no way to guarantee that this IP source address is in fact an + + + +Glass & Chandra Standards Track [Page 23] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + address of the foreign agent servicing the mobile node, accepting a + revocation message from this IP source address may lead to a denial- + of-service attack by a man-in-the-middle on the mobile node. + + Moreover, there is currently no method for the foreign agent + servicing the mobile node to identify itself to the home agent during + the Mobile IP registration phase. Even if a foreign agent could + identify itself, the co-located mobile node would also need to + authorize that this foreign agent is indeed the agent that is + providing it the Mobile IP services. This is to thwart a denial-of- + service attack on the mobile node by a foreign agent that has a + security association with the home agent, and is on the path between + the co-located mobile node and the home agent. + +5. Error Codes + + As the intent of a registration revocation message is not a request + to discontinue services, but is a notification that Mobile IP + services are discontinued, there are no new error codes. + +6. Security Considerations + + There are two potential vulnerabilities, one in the agent + advertisement mechanism, and one related to unauthorized revocation + messages. + +6.1. Agent Advertisements + + Although the mechanisms defined by this document do not introduce + this problem, it has been recognized that agent advertisements as + defined in [1] subject mobile nodes to a denial-of-service potential. + This is because the agent advertisement as defined in [1] may be + spoofed by other machines residing on the link. This makes it + possible for such nodes to trick the mobile node into believing its + registration has been revoked either by unicasting an advertisement + with a reset sequence number to the link-local address of the mobile + node, or by broadcasting it to the subnet, thereby tricking all + mobile nodes registered with a particular foreign agent into + believing all their registrations have been lost. + + There has been some work in this working group and others (e.g., + IPsec) to secure such router advertisements, though at the time of + this publication, no solutions have become common practice. To help + circumvent possible denial of service issues here, bringing their + potential for disruption to a minimum, mobile node implementors + should ensure that any agent advertisement which doesn't conform to a + strict adherence to [1], specifically those whose TTL is not 1, or + which do not emanate from the same link-address (when present) as + + + +Glass & Chandra Standards Track [Page 24] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + other agent advertisements supposedly from the same agent, or even + that of the last successful registration reply, be silently + discarded. + +6.2. Revocation Messages + + As registration revocation, when performed, terminates Mobile IP + services being provided to the mobile node, it is crucial that all + security and replay protection mechanisms be verified before a + mobility agent believes that the other agent has revoked a binding. + Messages which are sent link-local (e.g., between mobile node and + foreign agent) MAY also be secured by methods outlined in [1], namely + the use of mobile-foreign authenticators, but these have no direct + relation to registration revocation. + + RFC 3344 [1] defines a security mechanism that MUST be used between + home agents and mobile nodes, and MAY used between home agents and + foreign agents, namely the use of authenticators. All foreign and + home agents MUST support protection of revocation messages via the + foreign-home authenticators defined in [1]. They MAY implement other + mechanisms of equal or greater strength; if such mechanisms are known + to be available to both parties, they MAY be used instead. + + Revocation messages are at least as secure as registration messages + passed between home and foreign agents and containing home-foreign + authenticators as defined in [1]. Thus, there are no new security + threats introduced by the revocation mechanism other than those + present in [1] with respect to the compromise of the shared secret + which is used to generate the home-foreign authenticators. + + That said, there are two types of active attacks which use messages + captured "in flight" by a man-in-the-middle between the home and + foreign agents - "malicious repeaters" and "malicious reflectors". + + In the case of a "malicious repeater", a man-in-the-middle captures a + revocation message, then replays it to the same IP destination + address at a later time. Presuming the authenticator of the original + packet was deemed valid, without replay protection, the home-foreign + authenticator of the replayed packet will (again) pass + authentication. Note that since datagrams are not guaranteed to + arrive unduplicated, a replay may occur by "design". + + In the case of a "malicious reflector," a man-in-the-middle captures + a revocation message, then returns it to its originator at a later + time. If the security association between home and foreign domains + uses a security association involving a (single) shared secret which + only protects the contents of the UDP portion of the packet (such as + home-foreign authenticators as defined by [1]), without replay + + + +Glass & Chandra Standards Track [Page 25] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + protection, the sender of the packet will also believe the revocation + message to be authentic. + + The replay protection mechanism used by the revocation messages + defined by this document is designed to protect against both of these + active attacks. As a benefit, by using a 32-bit timestamp it can be + more quickly determined if revocation messages are replays, though + the reader is advised to use caution in this approach. An agent + which receives an authenticated revocation message can compare the + Identifier field to that of a previously received revocation message, + and if the timestamp in the new message is found to have been + generated after that of the time-stamp in the last revocation message + received, it can immediately be determined as not being a replay. + Note however that since datagrams are not guaranteed to arrive in + order, it should not be presumed that because the values contained in + an Identifier field are timestamps that they will necessarily be + increasing with each successive revocation message received. Should + an implementor decide to base his replay detection mechanism on + increasing timestamps, and therefore increasing Identifier values, a + suitable time window should be defined in which revocation messages + can be received. At worst, ignoring any revocation message should + result in the retransmission of another revocation message, this time + with timestamp later than the last one received. + + Note that any registration request or reply can be replayed. With + the exchanging of time-stamps by agents in revocation extensions, an + agent should have a belief that such messages have been delivered in + a timely manner. For purposes of registration revocation, the + timeliness of a registration packet is simply based on the + granularity of each registration. Since [1] provides a replay + mechanism for the home agent to use, it has a way to tell if the + registration request being presented to it is new. The foreign + agent, however, has no such mechanism in place with the mobile node. + Foreign agents are advised to continue to consider registrations + 'outstanding' until the associated registration reply is returned + from the home agent before using the information in any of its + visitor entries. Even so, this leaves the foreign agent open to a + potential denial of service attack in which registration requests and + replies are replayed by multiple nodes. When this happens, the + foreign agent could be lead to believe such registrations are active, + but with old information, which can have adverse effects on them, as + well as to the ability of that agent to successfully use the + procedures outlined in this document. Sufficient protection against + this scenario is offered by the challenge-response mechanism [2] by + which a foreign agent generates a live challenge to a mobile node for + the purposes of making sure, among other things, that the + registration request is not a replay. + + + + +Glass & Chandra Standards Track [Page 26] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +7. IANA Considerations + + This document defines an additional set of messages between the home + and foreign agent specific to the services being provided to the same + mobile node, or sub-set of mobile nodes. To ensure correct + interoperation based on this specification, IANA has reserved values + in the Mobile IP number space for two new message types, and a single + new extension. + +7.1. New Message Types + + The following message types are introduced by this specification: + + Registration Revocation: A new Mobile IP control message, using UDP + port 434, type 7. This value has been taken from the same number + space as Mobile IP Registration Request (Type = 1), and Mobile IP + Registration Reply (Type = 3). + + Registration Revocation Acknowledgment: A new Mobile IP control + message, using UDP port 434, type 15. This value has been taken from + the same number space as Mobile IP Registration Request (Type = 1), + and Mobile IP Registration Reply (Type = 3). + +7.2. New Extension Values + + The following extensions are introduced by this specification: + + Revocation Support Extension: A new Mobile IP Extension, appended to + a Registration Request, or Registration Reply. The value assigned is + 137. This extension is derived from the Extension number space. It + MUST be in the 'skippable' (128 - 255) range as defined in RFC 3344. + +7.3. New Error Codes + + There are no new Mobile IP error codes introduced by this document. + +8. References + +8.1. Normative References (Numerical) + + [1] Perkins, C., Ed., "IP Mobility Support for IPv4", RFC 3344, + August 2002. + + [2] Perkins, C. and P. Calhoun, "Mobile IPv4 Challenge/Response + Extensions", RFC 3012, November 2000. + + [3] Bradner, S., "Key Words for us in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + + +Glass & Chandra Standards Track [Page 27] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +8.2. Informational References (Alphabetical) + + [A] Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP + Authentication, Authorization, and Accounting Requirements", RFC + 2977, October 2000. + + [B] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., + Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C., Patil, + B., Mitton, D., Manning, S., Beadles, M., Chen, X., Sivalingham, + S., Hameed, A., Munson, M., Jacobs, S., Lim, B., Hirschman, B., + Hsu, R., Koo, H., Lipford, M., Campbell, E., Xu, Y., Baba, S. and + E. Jaques, "Criteria for Evaluating AAA Protocols for Network + Access", RFC 2989, November 2000. + + [C] Montenegro, G., Ed., "Reverse Tunneling for Mobile IP, revised", + RFC 3024, January 2001. + + [D] Deering, S., Ed., "ICMP Router Discovery Messages", RFC 1256, + September 1991. + + [E] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier + Extension for IPv4", RFC 2794, March 2000. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Glass & Chandra Standards Track [Page 28] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +Appendix A: An Example of the Revocation Messages in Use + + For clarity, the following example is meant to illustrate the use of + the new messages in the registration phase, and the revocation phase. + In this example, a foreign agent and home agent will negotiate + revocation during the registration phase. During the revocation + phase, the foreign agent will revoke the binding of a mobile node. + +A.1. The Registration Phase + + Consider a foreign agent that supports registration revocation, and + has a security association with a home agent to which it is + forwarding a registration request. The foreign agent will include + the revocation support extension after the mobile-home authenticator. + Assume that the foreign agent supports the use of the 'I' bit, and is + willing to let the home agent decide if the mobile node should be + informed of the revocation of its registration. Thus, the foreign + agent will set the 'I' bit to '1'. The foreign agent will append a + foreign-home authenticator to the registration request. + + Upon receiving the registration request containing a revocation + extension, the home agent will include a revocation support extension + in the registration reply. Since the foreign agent set the 'I' bit + to '1' in its revocation extension, and the home agent supports the + use of the 'I' bit, the home agent will set the 'I' bit in its + registration extension to '1'. Additionally, the home agent will + append a home-foreign authenticator to the registration request. + + Upon receiving the authenticated registration reply, the foreign + agent will check the revocation support extension and note that the + home agent wants to decide if the mobile node should be notified in + the event this registration is revoked, i.e., since the home agent + set the 'I' bit in the return revocation extension. + +A.2. The Revocation Phase + + The foreign agent revokes a mobile node's binding, and generates a + revocation message to be sent to the mobile node's home agent. Since + the 'I' bit was negotiated in the revocation extensions, and the + foreign agent is still willing to let the home agent indicate whether + this mobile node should be informed about the revocation, it will set + the 'I' bit to '1' in the revocation message. The foreign agent also + makes sure the 'A' bit is set to '0'. + + The foreign agent will also place the address of the mobile node + whose registration it wishes to revoke in the home address field, the + address that the mobile node registered as the care-of address in the + foreign domain field, and the address registered as the home agent in + + + +Glass & Chandra Standards Track [Page 29] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + the home domain address field. The foreign agent will set the + Revocation Identifier to the current 32-bit timestamp, and append the + foreign-home authenticator. + + Upon receiving the above revocation message, the home agent uses the + address identified as the foreign domain address to identify the + security association, and authenticate the revocation message. After + authenticating the message, the home agent will check to make sure + the 'A' bit and Identifier indicate that this revocation is not a + replay. The home agent then uses the mobile node home address, + foreign domain address, and home domain address to locate the mobile + node whose registration is being revoked. + + Upon processing a valid registration revocation message, the home + agent generates a revocation acknowledgment message. Since the 'I' + bit was set to '1' in the revocation message and the home agent + wishes for the identified mobile node to be informed of the + revocation, it will set the 'I' bit in the revocation acknowledgment + to '1'. The home agent then copies the home address and the + Revocation Identifier field into the revocation acknowledgement. The + home agent protects the revocation acknowledgment with a home-foreign + authenticator. + + Upon receiving a valid revocation acknowledgment (in which the + authenticator and Identifier fields are acceptable), the foreign + agent checks the state of the 'I' bit. Since the 'I' bit is set to + '1', the foreign agent will notify the mobile node of the revocation. + +Appendix B: Disparate Address, and Receiver Considerations + + Since the registration revocation message comes from a source address + that is topologically routable from the interface receiving the + datagram, the agents, by definition, are topologically connected (if + this were not the case, the initial registration mechanism would have + failed). If either are the ultimate hop from this topologically + connected region to one or more disparate address spaces, no problems + are foreseen. In order for the mobile node to have successfully + registered with its home agent, it MUST have provided to the network + (foreign agent) to which it is currently attached a routable address + of its home agent. Conversely, the care-of address being used by the + mobile node must also be topologically significant to the home agent + in order for the registration reply to have been received, and the + tunnel initiated. By definition, then, the home agent address and + the care-of address must each be significant, and either address must + form a unique pair in the context of this mobile node to both agents. + + + + + + +Glass & Chandra Standards Track [Page 30] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + + Another way of understanding this is that the tunnel endpoints are in + some way connected, and hence each are unique as far as the other end + is concerned. The address at the other end of the tunnel, in + combination with the address of the mobile node, must therefore form + a unique pair that can be identified by the agent receiving the + registration revocation message. + + As an example, consider a mobile node who's home address lies in + disparate address space A behind its home agent. In the following + diagram, [*] indicates an interface of the entity in which it + appears. + + MN[a]-----[c]FA[b]=====((()))=====[b]HA[a]-----[a]CN + + Address Some topologically Address + Space C connected network Space A + + We presume a binding for MN exists, and hence a tunnel between FA[b] + and HA[b] exists. Then, since the address assigned to MN[a] MUST be + unique in address space A, the pair {FA[b],MN[a]} is guaranteed to be + unique in the binding table of HA, and the pair {HA[b],MN[a]} is + guaranteed to be unique in the foreign agent's visitor list. + + As a result, a home agent receiving a registration revocation message + and foreign-home authenticator for MN[a] from FA[b] is able to + determine the unique mobile node address being deregistered. + Conversely a foreign agent receiving a registration revocation + message and home-foreign authenticator for MN[a] from HA[b] is able + to determine the exact mobile node address being deregistered. For + this reason, if a foreign agent receives a registration revocation + message with the home domain field set to the zero address it MUST be + silently discarded. This is to prevent confusion in the case of + overlapping private addresses; when multiple mobile nodes are + registered via the same care-of address and coincidentally using the + same (disparate/private) home address, the home agent address + appearing in the home domain field is the only way a foreign agent + can discern the difference between these mobile nodes. + + + + + + + + + + + + + + +Glass & Chandra Standards Track [Page 31] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +Acknowledgments + + The authors would like to thank Rajesh Bhalla, Kent Leung, and Alpesh + Patel for their contributions to the concepts detailed in + draft-subbarao-mobileip-resource-00.txt, "Releasing Resources in + Mobile IP," from which the revocation support extension, and the + acknowledgment mechanism contained in this document were derived. + + The authors would also like to thank Pete McCann for his discussions + on replay mechanisms, and security concerns, and Ahmad Muhanna for + pointing out a problem with the initial replay mechanism, which + eventually lead to the addition of a time stamp to the Revocation + Extension. + + The authors would also like to acknowledge Henrik Levkowetz for his + detailed review of the document, and Michael Thomas for his review of + the replay mechanism described herein. + +Authors' Addresses + + Steven M. Glass + Solaris Network Technologies + Sun Microsystems + 1 Network Drive + Burlington, MA. 01801 + + Phone: +1.781.442.0000 + Fax: +1.781.442.1706 + EMail: steven.glass@sun.com + + + Madhavi W. Chandra + IOS Technologies Division + Cisco Systems + 7025 Kit Creek Road + Research Triangle Park, NC 27709 + + Phone: +1.919.392.8387 + EMail: mchandra@cisco.com + + + + + + + + + + + + +Glass & Chandra Standards Track [Page 32] + +RFC 3543 Registration Revocation in Mobile IPv4 August 2003 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Glass & Chandra Standards Track [Page 33] + |