Re: [Mip4] RFC 3344 - Home Agent Registration Code 132 -foreignagent failed authentication
Hello folks,
There has been some intermittent discussion about how to
handle Code 132 in a way that is both properly informative
and yet not so likely to reward behavior of malicious nodes
pestering the home agent.
I have prepared a new revision of rfc3344bis with the
following changes, reflecting the suggestions made on this
list during the last couple of months.
============================================
In section 3.7.2.2,
change:
o It MUST append the Foreign-Home Authentication Extension, if the
foreign agent shares a mobility security association with the home
agent.
to:
o If the foreign agent shares a mobility security association with
the home agent, and the Request has lifetime != 0, then it MUST
append the Foreign-Home Authentication Extension,
=============================================
In section 3.8.2.
change:
Otherwise
(the home agent denies the Request), it SHOULD send a Registration
Reply with an appropriate Code specifying the reason the Request was
denied.
to:
Otherwise
(the home agent has denied the Request), it SHOULD in most cases send
a Registration Reply with an appropriate Code specifying the reason
the Request was denied.
=============================================
In section 3.8.3,
change:
Otherwise (the home agent
has denied the Request), it SHOULD send a Registration Reply with an
appropriate Code specifying the reason the Request was denied.
to:
Otherwise (the home agent
has denied the Request), it SHOULD in most cases send a
Registration Reply with an appropriate Code specifying the reason the
Request was denied.
=============================================
In section 3.8.2.1. Validity Checks
change:
If no authorization-enabling extension is
found, or
if the Authenticator is invalid, the home agent MUST reject the
mobile node's registration and SHOULD send a Registration Reply
to the mobile node with Code 131. The home agent MUST then
discard the Request and SHOULD log the error as a security
exception. If the home agent receives a Registration Request
without a Mobile-Home Authentication extension from a Mobile Node
that has a security association with this home agent, the home
agent MUST discard the Mobile Node's Registration Request.
to:
If the home agent receives a Registration Request
without a Mobile-Home Authentication extension from a Mobile Node
that has a security association with this home agent, or if no
authorization-enabling extension is found, the home agent MUST
silently discard the Mobile Node's Registration Request.
Otherwise, if the Authenticator is invalid, the home agent MUST
reject the mobile node's registration; further action to be taken
in this case depends upon whether the Request has a valid
Foreign-Home authentication extension (see below). If there is a
valid Foreign-Home authentication extension, the home agent MUST
send a Registration Reply with Code 131. Otherwise, if there is
no Foreign-Home security association, the home agent MAY send a
Registration Reply to the mobile node with Code 131. The home
agent MUST then discard the Request and SHOULD log the error as a
security exception.
Also, add new list item:
d. If the home agent and the foreign agent do not share a mobility
security association, and the Registration contains a Foreign-
Home Authentication Extension, the home agent MUST discard the
Request and SHOULD log the error as a security exception.
=============================================
If there aren't any objections to this, I'll send out a revised version
of rfc3344bis soon.
Regards,
Charlie P.
PS. In my earlier email from August, I made a major typo.
At the end of my message, I typed "RREQ" a couple of
times when I meant "RREP". Sorry 'bout that!
--
Mip4 mailing list: Mip4 at ietf.org
Web interface: https://www.ietf.org/mailman/listinfo/mip4
Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
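The proposed 3.8.2.1 validity-check text and the new list item (d) above, written out as the home agent's decision routine. This is an added example for this page, not text or code from the list or from rfc3344bis: the class and function names are invented, authenticator verification is represented only by its boolean outcome, and the one case the proposed wording leaves open (a Foreign-Home security association exists but the extension is absent or invalid) is handled by assumption as discard-and-log with no Reply.

```python
"""Home agent (HA) handling of a Registration Request under the proposed
rfc3344bis 3.8.2.1 text. Added example; names are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    SILENT_DISCARD = "discard; no Reply, no log"
    REPLY_131_MUST = "MUST send Reply Code 131, then discard and log"
    REPLY_131_MAY = "MAY send Reply Code 131, then discard and log"
    DISCARD_LOG = "discard and log security exception; no Reply"
    CONTINUE = "authentication passed; continue remaining validity checks"


@dataclass
class RegistrationRequest:
    lifetime: int
    mh_auth_ext_present: bool      # Mobile-Home Authentication Extension seen
    mh_authenticator_valid: bool   # verifier result (False if absent/unknown SPI)
    fh_auth_ext_present: bool      # Foreign-Home Authentication Extension seen
    fh_authenticator_valid: bool   # verifier result (False if absent/unknown SPI)


def foreign_agent_must_append_fh_ext(fa_shares_sa: bool, lifetime: int) -> bool:
    """Proposed 3.7.2.2: FA appends the FH extension only when it shares an
    SA with the HA and the Request is not a deregistration (lifetime != 0)."""
    return fa_shares_sa and lifetime != 0


def home_agent_auth_check(req: RegistrationRequest, fa_shares_sa: bool) -> Action:
    # New item (d): an FH extension from a foreign agent we share no SA with.
    if req.fh_auth_ext_present and not fa_shares_sa:
        return Action.DISCARD_LOG
    # No Mobile-Home extension: whether the MN has an SA with us and omitted it,
    # or no authorization-enabling extension is present at all, the Request is
    # silently discarded so an unauthenticated sender never draws a Reply.
    if not req.mh_auth_ext_present:
        return Action.SILENT_DISCARD
    if req.mh_authenticator_valid:
        return Action.CONTINUE
    # Invalid Authenticator: a Code 131 Reply is mandatory only when a valid FH
    # extension vouches for the path, and optional when no FH SA exists at all.
    if req.fh_auth_ext_present and req.fh_authenticator_valid:
        return Action.REPLY_131_MUST
    if not fa_shares_sa:
        return Action.REPLY_131_MAY
    # FH SA exists but the extension is absent or invalid: not covered by the
    # proposed text; this example (assumption) discards and logs, no Reply.
    return Action.DISCARD_LOG
```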