1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
|
Network Working Group C. Perkins
Request for Comments: 4636 Nokia Research Center
Category: Standards Track October 2006
Foreign Agent Error Extension for Mobile IPv4
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document specifies a new extension for use by Foreign Agents
operating Mobile IP for IPv4. Currently, a foreign agent cannot
supply status information without destroying the ability for a mobile
node to verify authentication data supplied by the home agent. The
new extension solves this problem by making a better place for the
foreign agent to provide its status information to the mobile node.
Perkins Standards Track [Page 1]
^L
RFC 4636 FA Error Extension October 2006
1. Introduction
This document specifies a new non-skippable extension for use by
Foreign Agents operating Mobile IP for IPv4 [4]. The new extension
option allows a foreign agent to supply an error code without
disturbing the data supplied by the Home Agent within the
Registration Reply message. In this way, the mobile node can verify
that the Registration Reply message was generated by the Home Agent
even in cases where the foreign agent is required by protocol to
insert new status information into the Registration Reply message.
2. Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. Other
terminology is used as already defined in [4].
3. FA Error Extension Format
The format of the FA Error Extension conforms to the Short Extension
format specified for Mobile IPv4 [4]. The FA Error Extension is not
skippable.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sub-Type | Status |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
45
Length
2
Sub-Type
0
Status
A status code used by the foreign agent to supply status
information to the mobile node.
Perkins Standards Track [Page 2]
^L
RFC 4636 FA Error Extension October 2006
4. Operation and Use of the FA Error Extension
The FA Error Extension is only valid for use within Mobile IPv4
Registration Reply messages. The FA Error Extension is not
skippable. A mobile node that cannot correctly interpret the
contents of the FA Error Extension MUST NOT use the care-of address
provided in the Registration Reply message, until another
Registration Request message has been sent and a successful
Registration Reply message received.
Status codes allowable for use within the FA Error Extension are
within the range 64-127. The currently specified codes are as
follows:
64 reason unspecified
65 administratively prohibited
66 insufficient resources
68 home agent failed authentication
71 poorly formed Reply
77 invalid care-of address
78 registration timeout
as defined in RFC 3344 [4] for use by the Foreign Agent. Status
codes for use with the FA Error extensions must not be differently
defined for use in the Code field of Registration Reply messages.
When a foreign agent appends a FA Error Extension to the Registration
Reply as received from the Home Agent, it has to update the UDP
Length field in the UDP header [5] to account for the extra 4 bytes
of length.
This document updates the Mobile IP base specification [4] regarding
the procedures followed by the foreign agent in the case that the
home agent fails authentication. Instead of modifying the "status"
field of the Registration Reply to contain the value 68, now the
foreign agent should append the Foreign Agent Error Extension
containing the status value 68.
5. Mobile Node Considerations
If a mobile node receives a successful Registration Reply (status
code 0 or 1), with a FA Error Extension indicating that the foreign
agent is not honoring said Registration Reply, the mobile node SHOULD
then send a deregistration message to the home agent. In this way,
the home agent will not maintain a registration status that is
inconsistent with the status maintained by the foreign agent.
Perkins Standards Track [Page 3]
^L
RFC 4636 FA Error Extension October 2006
6. Foreign Agent Considerations
When denying a successful Registration Reply, the Foreign Agent
SHOULD send a Registration Revocation message [2] to the Home Agent
if a mobility security association exists between them. For cases
when the foreign agent does have the required security association,
this way of informing the home agent does not have the vulnerability
from detrimental actions by malicious foreign agents, as noted in
section 8.
7. IANA Considerations
This specification reserves one number for the FA Error Extension
(see section 3) from the space of numbers for non-skippable mobility
extensions (i.e., 0-127) defined in the specification for Mobile IPv4
[4].
This specification also creates a new number space of sub-types for
the type number of this extension. Sub-type zero is to be allocated
from this number space for the protocol extension specified in this
document. Similar to the procedures specified for Mobile IP [4]
number spaces, future allocations from this number space require
expert review [3].
The status codes that are allowable in the FA Error Extension are a
subset of the status codes defined in the specification for Mobile
IPv4 [4]. If, in the future, additional status codes are defined for
Mobile IPv4, the definition for each new status code must indicate
whether the new status code is allowable for use in the FA Error
Extension.
8. Security Considerations
The extension in this document improves the security features of
Mobile IPv4 by allowing the mobile node to be assured of the
authenticity of the information supplied within a Registration
Request. Previously, whenever the foreign agent was required to
provide status information to the mobile node, it could only do so by
destroying the ability of the mobile device to verify the Mobile-Home
Authentication Extension data.
In many common cases, the mobile node will not have a security
association with the foreign agent that has sent the extension.
Thus, the mobile node will be unable to ascertain that the foreign
agent sending the extended Registration Reply message is the same
foreign agent that earlier received the associated Registration
Request from the mobile node. Because of this, a malicious foreign
agent could cause a mobile node to operate as if the registration had
Perkins Standards Track [Page 4]
^L
RFC 4636 FA Error Extension October 2006
failed, when in fact its home agent and a correctly operating foreign
agent had both accepted the mobile node's Registration Request. In
order to reduce the vulnerability to such maliciously transmitted
Registration Reply messages with the unauthenticated extension, the
mobile node MAY delay processing of such denied Registration Reply
messages for a short while in order to determine whether another
successful Registration Reply might be received from the foreign
agent.
9. Acknowledgements
Thanks to Kent Leung and Henrik Lefkowetz for suggested improvements
to this specification.
10. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Glass, S. and M. Chandra, "Registration Revocation in Mobile
IPv4", RFC 3543, August 2003.
[3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[4] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August
2002.
[5] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August
1980.
Author's Address
Charles E. Perkins
Palo Alto Systems Research Lab
Nokia Research Center
975 Page Mill Road, Suite 200
Palo Alto, CA 94304-1003
Phone: +1 650-496-4402
Fax: +1-650-739-0779
EMail: charles.perkins@nokia.com
Perkins Standards Track [Page 5]
^L
RFC 4636 FA Error Extension October 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Perkins Standards Track [Page 6]
^L
|