Mobile IP Working Group Charles E. Perkins INTERNET DRAFT Nokia Research Center 21 May 2002 Pat R. Calhoun Black Storm Networks Mobile IPv4 Challenge/Response Extensions draft-ietf-mobileip-rfc3012bis-03.txt Status of This Memo This document is a submission by the mobile-ip Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the mobile-ip@sunroof.eng.sun.com mailing list. Distribution of this memo is unlimited. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at: http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at: http://www.ietf.org/shadow.html. Abstract Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent. Unfortunately, this extension does not provide ironclad replay protection for the foreign agent, and does not allow for the use of existing techniques (such as CHAP) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/response mechanism to authenticate the mobile node. Perkins, Calhoun Expires 21 November 2002 [Page i] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 Contents Status of This Memo i Abstract i 1. Introduction 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 2. Mobile IP Agent Advertisement Challenge Extension 3 3. Operation 3 3.1. Mobile Node Processing for Registration Requests . . . . 3 3.2. Foreign Agent Processing for Registration Requests . . . 5 3.3. Foreign Agent Processing for Registration Replies . . . . 7 3.4. Home Agent Processing for the Challenge Extensions . . . 7 4. Mobile-Foreign Challenge Extension 8 5. Generalized Mobile IP Authentication Extension 8 6. Mobile-AAA Authentication subtype 9 7. Reserved SPIs for Mobile IP 10 8. SPI For RADIUS AAA Servers 10 9. Configurable Parameters 12 10. Error Values 12 11. IANA Considerations 12 12. Security Considerations 12 13. Acknowledgments 13 A. Changes since Last Revision 15 B. Verification Infrastructure 15 C. Message Flow for FA Challenge Messaging 16 D. Foreign Agent Algorithm for Tracking Used Challenges 17 Addresses 19 Perkins, Calhoun Expires 21 November 2002 [Page 1] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 1. Introduction Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent. Unfortunately, this extension does not provide ironclad replay protection, from the point of view of the foreign agent, and does not allow for the use of existing techniques (such as CHAP [11]) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to a use challenge/response mechanism to authenticate the mobile node. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. All SPI values defined in this document refer to values for the Security Parameter Index, as defined in the base Mobile IP protocol specification [7]. The following additional terminology is used in addition to that defined in [7]: previously used challenge Any challenge that has been used by the mobile node in a Registration Request message and processed by the Foreign Agent by relaying or generating a corresponding Registration Reply message. stale challenge Same as "previously used challenge". The Foreign Agent may not be able to keep records for all stale challenges, but see section 3.2 for minimal requirements. unknown challenge Any challenge that the foreign agent has no record of having put either into one of its Agent Advertisements or a corresponding registration reply message. unused challenge A challenge that has not been already accepted by the Foreign Agent challenge in a corresponding Registration Reply message -- i.e., a challenge that is neither unknown nor previously used. Perkins, Calhoun Expires 21 November 2002 [Page 2] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 2. Mobile IP Agent Advertisement Challenge Extension This section defines a new extension to the Router Discovery Protocol [4] for use by foreign agents that need to issue a challenge for authenticating mobile nodes. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Challenge ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: The Challenge Extension Type 24 Length The length of the Challenge value in bytes; SHOULD be at least 4 Challenge A random value that SHOULD be at least 32 bits. The Challenge extension, illustrated in figure 1, is inserted in the Agent Advertisements by the Foreign Agent, in order to communicate the latest challenge value that can be used by the mobile node to compute an authentication for its next registration request message. The challenge is selected by the foreign agent to provide local assurance that the mobile node is not replaying any earlier registration request. Eastlake, et al. [5] provides more information on generating pseudo-random numbers suitable for use as values for the challenge. 3. Operation This section describes modifications to the Mobile IP registration process which may occur after the Foreign Agent issues a Mobile IP Agent Advertisement containing the Challenge on its local link. See appendix C for a diagram showing the canonical message flow for messages related to the processing of the Foreign Agent challenge values. 3.1. Mobile Node Processing for Registration Requests Whenever the Agent Advertisement contains the Challenge extension, if the mobile node does not have a security association with the Foreign Perkins, Calhoun Expires 21 November 2002 [Page 3] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 Agent, then it MUST include the Challenge value in a Mobile-Foreign Challenge extension to the Registration Request message. If, on the other hand, the mobile node does have a security association with the foreign agent, it SHOULD include the Challenge value in its Registration Request message. If the Mobile Node has a security association with the Foreign Agent, it MUST include a Mobile-Foreign Authentication extension in its Registration Request message, according to the base Mobile IP specification [7]. When the Registration Request contains the Mobile-Foreign Challenge extension specified in section 4, the Mobile-Foreign Authentication MUST follow the Challenge extension in the Registration Request. If the Mobile Node does not have a security association with the Foreign Agent, the Mobile Node MUST include the Mobile-AAA Authentication extension as defined in section 6. In addition, the Mobile Node SHOULD include the NAI extension [2], to enable the foreign agent to make use of any available verification infrastructure. The SPI field of the Mobile-AAA Authentication extension specifies the particular secret and algorithm (shared between the Mobile Node and the verification infrastructure) that must be used to perform the authentication. If the SPI value is chosen as CHAP_SPI (see section 9), then the mobile node specifies CHAP-style authentication [11] using MD5 [10]. In either case, the Mobile-Foreign Challenge extension followed by one of the above specified authentication extensions MUST follow the Mobile-Home Authentication extension, if present. A Registration Reply from the Foreign Agent SHOULD include a new Challenge value (see section 3.3). The Mobile Node MAY use either the value found in the latest Advertisement, or the one found in the last Registration Reply from the Foreign Agent. This approach enables the Mobile Node to make use of the challenge without having to wait for advertisements. A Mobile Node might receive an UNKNOWN_CHALLENGE error (see section 9) if it moves to a new Foreign Agent that cannot validate the challenge provided in the Registration Request. In such instances, the Mobile Node MUST use a new Challenge value in any new registration, obtained either from an Agent Advertisement, or from a Challenge extension to the Registration Reply containing the error. A Mobile Node that does not include a Challenge when the Mobile-Foreign Authentication extension is present may receive a MISSING_CHALLENGE (see section 10) error. In this case, the foreign agent will not process the request from the mobile node unless the request contains an unused Challenge. Perkins, Calhoun Expires 21 November 2002 [Page 4] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 A Mobile Node that receives a BAD_AUTHENTICATION Code value (see section 10) SHOULD include the Mobile-AAA Authentication Extension in the next Registration Request. This will make it possible for the Foreign Agent to use its AAA infrastructure in order to authenticate the Mobile Node. 3.2. Foreign Agent Processing for Registration Requests Upon receipt of the Registration Request, if the Foreign Agent has issued a Challenge as part of its Agent Advertisements, and it does not have a security association with the mobile node, then the Foreign Agent SHOULD check that the Mobile-Foreign Challenge extension exists, and that it contains a challenge value previously unused by the Mobile Node. This ensures that the mobile node is not attempting to replay a previous advertisement and authentication. If the challenge extension is needed and does not exist, the Foreign Agent MUST send a Registration Reply to the mobile node with the Code value MISSING_CHALLENGE. A foreign agent that sends Agent Advertisements containing a Challenge value MAY send a Registration Reply message with a MISSING_CHALLENGE error if the mobile node sends a Registration Request with a Mobile-Foreign Authentication extension without including a Challenge. In other words, such a foreign agent MAY refuse to process a Registration Request from the mobile node unless the request contains an unused Challenge. If a mobile node retransmits a Registration Request with the same Challenge extension, and the Foreign Agent still has a pending Registration Request record in effect for the mobile node, then the Foreign Agent forwards the Registration Request to the Home Agent again. The Foreign Agent SHOULD check that the mobile node is actually performing a retransmission, by verifying that the relevant fields of the retransmitted request (including, if present, the Mobile Node NAI Extension [2]) are the same as represented in the visitor list entry for the pending Registration Request (section 3.7.1 of [7]). This verification MUST NOT include the "remaining Lifetime of the pending registration", or the Identification field since those values are likely to change even for requests that are merely retransmissions and not new Registration Requests. In all other circumstances, if the Foreign Agent receives a Registration Request with a Challenge extension containing a Challenge value previously used by that mobile node, the Foreign Agent SHOULD send a Registration Reply to the mobile node containing the Code value STALE_CHALLENGE. The Foreign Agent MUST NOT accept any Challenge in the Registration Request unless it was offered in last Registration Reply issued Perkins, Calhoun Expires 21 November 2002 [Page 5] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 to the Mobile Node, or else advertised as one of the last CHALLENGE_WINDOW (see section 9) Challenge values inserted into the immediately preceding Agent advertisements. If the Challenge is not one of the recently advertised values, the foreign Agent SHOULD send a Registration Reply with Code value UNKNOWN_CHALLENGE (see section 10). The Foreign Agent MUST maintain the last challenge used by each Mobile Node that has registered using any one of the last CHALLENGE_WINDOW challenge values. This last challenge value can be stored as part of the mobile node's registration records. Also, see appendix D for a possible algorithm that can be used to satisfy this requirement. Furthermore, the Foreign Agent MUST check that there is either a Mobile-Foreign, or a Mobile-AAA Authentication extension after the Challenge extension. Any registration message containing the Challenge extension without either of these authentication extensions MUST be silently discarded. If the registration message contains a Mobile-Foreign Authentication extension with an incorrect authenticator that fails verification, the Foreign Agent MAY send a Registration Reply to the mobile node with Code value BAD_AUTHENTICATION (see Section 10). If the Mobile-AAA Authentication extension (see Section 6) is present in the message, or if an NAI extension is included indicating that the mobile node belongs to a different administrative domain, the foreign agent may take actions outside the scope of this protocol specification to carry out the authentication of the mobile node. The Foreign Agent MUST NOT remove the Mobile-AAA Authentication Extension from the Registration Request prior to the completion of the authentication performed by the AAA infrastructure. The appendix provides an example of an action that could be taken by a foreign agent. In the event that the Challenge extension is authenticated through the Mobile-Foreign Authentication Extension, the Foreign Agent MAY remove the Challenge Extension from the Registration Request without disturbing the authentication value computed by the Mobile Node for use by the AAA or the Home Agent. If the Challenge extension is not removed, it MUST precede the Foreign-Home Authentication extension. If the Foreign Agent does not remove the Challenge extension, then the Foreign Agent SHOULD store the Challenge value as part of the pending registration request list [7]. Also in this case, the Foreign Agent MUST reject any Registration Reply message coming from the Home Agent that does not also include the Challenge Extension with the same Challenge Value that was included in the Registration Request. The Foreign Agent MUST send the rejected Registration message to the mobile node, and change the status in the Registration Reply to the Code value MISSING_CHALLENGE (see section 10). Perkins, Calhoun Expires 21 November 2002 [Page 6] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 If the Foreign Agent does remove the Challenge extension and applicable authentication from the Registration Request message, then it SHOULD insert the Identification field from the Registration Request message along with its record-keeping information about the particular Mobile Node in order to protect against replays. 3.3. Foreign Agent Processing for Registration Replies The Foreign Agent SHOULD include a new Challenge extension in any Registration Reply, successful or not. If the foreign agent includes this extension in a successful Registration Reply, the extension SHOULD precede a Mobile-Foreign authentication extension. Suppose the Registration Reply includes a Challenge extension from the Home Agent, and the foreign agent wishes to include another Challenge extension with the Registration Reply for use by the mobile node. In that case, the foreign agent MUST delete the Challenge extension from the Home Agent from the Registration Reply, along with any Foreign-Home authentication extension, before appending the new Challenge extension to the Registration Reply. 3.4. Home Agent Processing for the Challenge Extensions If the Home Agent receives a Registration Request with the Mobile-Foreign Challenge extension, and recognizes the extension, the Home Agent MUST include the Challenge extension in the Registration Reply. The Challenge Extension MUST be placed after the Mobile-Home authentication extension, and the extension SHOULD be authenticated by a Foreign-Home Authentication extension. Since the extension type for the Challenge extension is within the range 128-255, the Home Agent MUST process such a Registration Request even if it does not recognize the Challenge extension [7]. In this case, the Home Agent will send a Registration Reply to the Foreign Agent that does not include the Challenge extension. Perkins, Calhoun Expires 21 November 2002 [Page 7] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 4. Mobile-Foreign Challenge Extension This section specifies a new Mobile IP Registration extension that is used to satisfy a Challenge in an Agent Advertisement. The Challenge extension to the Registration Request message is used to indicate the challenge that the mobile node is attempting to satisfy. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Challenge... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: The Mobile-Foreign Challenge Extension Type 132 (skippable) (see [7]) Length Length of the Challenge value Challenge The Challenge field is copied from the Challenge field found in the Agent Advertisement Challenge extension (see section 2). Suppose the Mobile Node has successfully registered using one of the Challenge Values within the CHALLENGE_WINDOW values advertised by the Foreign Agent. In that case, in any new Registration Request the Mobile Node MUST NOT use any Challenge Value which was advertised by the Foreign Agent before the Challenge Value in the mobile node's last Registration Request. 5. Generalized Mobile IP Authentication Extension Several new authentication extensions have been designed for various control messages proposed for extensions to Mobile IP (see, for example, [8]). A new authentication extension is required for a mobile node to present its credentials to any other entity other than the ones already defined; the only entities defined in the base Mobile IP specification [7] are the home agent and the foreign agent. It is the purpose of the generalized authentication extension defined here to collect together data for all such new authentication applications into a single extension type with subtypes. Perkins, Calhoun Expires 21 November 2002 [Page 8] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Subtype | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Authenticator ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: The Generalized Mobile IP Authentication Extension Type 36 (not skippable) (see [7]) Subtype a number assigned to identify the kind of endpoints or the other characteristics of the particular authentication strategy Length 4 plus the number of bytes in the Authenticator; MUST be at least 20. SPI Security Parameters Index Authenticator The variable length Authenticator field In this document, only one subtype is defined: 1 Mobile-AAA Authentication subtype (see section 6) 6. Mobile-AAA Authentication subtype The Generalized Authentication extension with subtype 1 will be referred to as a Mobile-AAA Authentication extension. If the mobile node does not include a Mobile-Foreign Authentication [7] extension, then it MUST include the Mobile-AAA Authentication extension whenever the Challenge extension is present. If the Mobile-AAA Authentication extension is present, then the Registration Message sent by the mobile node MUST contain the Mobile-Home Authentication extension [7] if it shares a security association with the Home Agent. If present, the Mobile-Home Authentication Extension MUST appear prior to the Mobile-AAA Authentication extension. The mobile node MAY include a Mobile-AAA Authentication extension in any Registration Request. The corresponding response MUST include the Mobile-Home Authentication Extension, and MUST NOT include the Mobile-AAA Authentication Extension. Perkins, Calhoun Expires 21 November 2002 [Page 9] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 The default algorithm for computation of the authenticator is HMAC-MD5 [6] computed on the following data, in the order shown: Preceding Mobile IP data || Type, Subtype, Length, SPI where the Type, Length, Subtype, and SPI are as shown in section 5. The resulting function call, as described in [6], would be: hmac_md5(data, datalen, Key, KeyLength, authenticator); Each mobile node MUST support the ability to produce the authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, this default algorithm MUST be able to be configured for selection at any arbitrary 32-bit SPI outside of the SPIs in the reserved range 0-255. 7. Reserved SPIs for Mobile IP Mobile IP defines several authentication extensions for use in Registration Requests and Replies. Each authentication extension carries a Security Parameters Index (SPI) which should be used to index a table of security associations. Values in the range 0 - 255 are reserved for special use. A list of reserved SPI numbers is to be maintained by IANA at the following URL: http://www.iana.org/numbers.html From that URL, follow the hyperlinks to [M] within the "Directory of General Assigned Numbers", and subsequently to the specific section for "Mobile IP Numbers". 8. SPI For RADIUS AAA Servers Some AAA servers only admit a single security association, and thus do not use the SPI numbers for Mobile IP authentication extensions for use when determining the security association that would be necessary for verifying the authentication information included with the Authentication extension. SPI number CHAP_SPI (see section 9) is reserved (see section 7) for indicating the following procedure for computing authentication data (called the "authenticator"), which is used by many RADIUS servers [9] today. To compute the authenticator, apply MD5 [10] computed on the following data, in the order shown: Perkins, Calhoun Expires 21 November 2002 [Page 10] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 High-order byte from Challenge || Key || MD5(Preceding Mobile IP data || Type, Subtype (if present), Length, SPI) || Least-order 237 bytes from Challenge where the Type, Length, SPI, and possibly Subtype, are the fields of the authentication extension in use. For instance, all four of these fields would be in use when SPI == CHAP_SPI is used with the Generalized Authentication extension. Since the RADIUS protocol cannot carry attributes greater than 253 in size, the preceding Mobile IP data, type, subtype (if present), length and SPI are hashed using MD5. Finally, the least significant 237 bytes of the challenge are concatenated. If the challenge has fewer than 238 bytes, this algorithm includes the high-order byte in the computation twice, but ensures that the challenge is used exactly as is. Additional padding is never used to increase the length of the padding; the input data is allowed to be shorter than 237 bytes long. Perkins, Calhoun Expires 21 November 2002 [Page 11] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 9. Configurable Parameters Every Mobile IP agent supporting the extensions defined in this document SHOULD be able to configure each parameter in the following table. Each table entry contains the name of the parameter, the default value, and the section of the document in which the parameter first appears. Parameter Name Default Value Section(s) of Document -------------- ------------- ---------------------- CHALLENGE_WINDOW 2 3.2 CHAP_SPI 2 8 Note that CHALLENGE_WINDOW SHOULD be at least 2. This makes it far less likely that mobile nodes will register using a Challenge value that is outside the set of values allowable by the foreign agent. 10. Error Values Each entry in the following table contains the name of Code [7] to be returned in a Registration Reply, the value for the Code, and the section in which the error is first mentioned in this specification. Error Name Value Section of Document ---------------------- ----- ------------------- UNKNOWN_CHALLENGE 104 3.2 BAD_AUTHENTICATION 67 3.2 - also see [7] MISSING_CHALLENGE 105 3.1,3.2 STALE_CHALLENGE 106 3.2 11. IANA Considerations All protocol values in this specification are to be the same as defined in RFC 3012 [3]. 12. Security Considerations In the event that a malicious mobile node attempts to replay the authenticator for an old Mobile-Foreign Challenge, the Foreign Agent would detect it since the agent always checks whether it has recently advertised the Challenge (see section 3.2). Allowing mobile nodes with different IP addresses or NAIs to use the same Challenge value does not represent a security vulnerability, because the authentication data provided by the mobile node will be computed over Perkins, Calhoun Expires 21 November 2002 [Page 12] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 data that is different (at least by the bytes of the mobile nodes' IP addresses). Whenever a Foreign Agent updates a field of the Registration Reply (as suggested in section 3.2), it invalidates the authentication data supplied by the Home Agent in the Mobile-Home Authentication extension to the Registration Reply. Thus, this opens up a security exposure whereby a node might try to supply a bogus Registration Reply to a mobile node that causes the mobile node to act as if its Registration Reply were rejected. This might happen when, in fact, a Registration Reply showing acceptance of the registration might soon be received by the mobile node. If the foreign agent chooses a Challenge value (see section 2) with fewer than 4 bytes, the foreign agent SHOULD include the value of the Identification field in the records it maintains for the mobile node. The foreign agent can then determine whether the Registration messages using the short Challenge value are in fact unique, and thus assuredly not replayed from any earlier registration. Section 8 (SPI For RADIUS AAA Servers) defines a method of computing the Generalized Mobile IP Authentication Extension's authenticator field using MD5 in a manner that is consistent with RADIUS [9]. The use of MD5 in the method described in Section 8 is less secure than HMAC-MD5 [6], and should be avoided whenever possible. 13. Acknowledgments The authors would like to thank Tom Hiller, Mark Munson, the TIA TR45-6 WG, Gabriel Montenegro, Vipul Gupta, Pete McCann, Robert Marks, Ahmad Muhanna, and Luca Salgarelli for their useful discussions. A recent draft by Mohamed Khalil, Raja Narayanan, Emad Qaddoura, and Haseeb Akhtar has also suggested the definition of a generalized authentication extension similar to the specification contained in section 5. Perkins, Calhoun Expires 21 November 2002 [Page 13] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 References [1] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. Request for Comments (Best Current Practice) 2119, Internet Engineering Task Force, March 1997. [2] P. Calhoun and C. Perkins. Mobile IP Network Access Identifier Extension for IPv4. Request for Comments (Proposed Standard) 2794, Internet Engineering Task Force, January 2000. [3] P. Calhoun and C. E. Perkins. Mobile IP Foreign Agent Challenge/Response Extension. Request for Comments (Proposed Standard) 3012, Internet Engineering Task Force, December 2000. [4] S. Deering. ICMP Router Discovery Messages. Request for Comments (Proposed Standard) 1256, Internet Engineering Task Force, September 1991. [5] D. Eastlake, 3rd, S. Crocker, and J. Schiller. Randomness Recommendations for Security. Request for Comments (Informational) 1750, Internet Engineering Task Force, December 1994. [6] H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. Request for Comments (Informational) 2104, Internet Engineering Task Force, February 1997. [7] C. Perkins. IP Mobility Support. Request for Comments (Proposed Standard) 3220, Internet Engineering Task Force, December 2001. [8] C. Perkins and D. Johnson. Route Optimization in Mobile IP (work in progress). Internet Draft, Internet Engineering Task Force. draft-ietf-mobileip-optim-11.txt, September 2001. [9] C. Rigney, A. Rubens, W. Simpson, and S. Willens. Remote Authentication Dial In User Service (RADIUS). Request for Comments (Proposed Standard) 2138, Internet Engineering Task Force, April 1997. [10] R. Rivest. The MD5 Message-Digest Algorithm. Request for Comments (Informational) 1321, Internet Engineering Task Force, April 1992. [11] W. Simpson. PPP Challenge Handshake Authentication Protocol (CHAP). Request for Comments (Draft Standard) 1994, Internet Engineering Task Force, August 1996. Perkins, Calhoun Expires 21 November 2002 [Page 14] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 A. Changes since Last Revision Here is a list of the important changes since the previous revision of this document. - Foreign agent recommended to include a Challenge in every Registration Reply, so that mobile node can re-register without waiting for an Advertisement. - Foreign agent mandated to record applicable challenge values used by each mobile node - Mobile node forbidden to use Challenge values which were advertised previous to the last Challenge value which it had used for a registration. - terminology for stale challenge vs. unused challenge clarified - terminology for "valid" challenge deleted in favor of "unused challenge" - Programming suggestion added as an appendix B. Verification Infrastructure The Challenge extensions in this protocol specification are expected to be useful to help the Foreign Agent manage connectivity for visiting mobile nodes, even in situations where the foreign agent does not have any security association with the mobile node or the mobile node's home agent. In order to carry out the necessary authentication, it is expected that the foreign agent will need the assistance of external administrative systems, which have come to be called AAA systems. For the purposes of this document, we call the external administrative support the "verification infrastructure". The verification infrastructure is described to motivate the design of the protocol elements defined in this document, and is not strictly needed for the protocol to work. The foreign agent is free to use any means at its disposal to verify the credentials of the mobile node. This could, for instance, rely on a separate protocol between the foreign agent and the Mobile IP home agent, and still be completely invisible to the mobile node. In order to verify the credentials of the mobile node, we imagine that the foreign agent has access to a verification infrastructure that can return a secure notification to the foreign agent that the authentication has been performed, along with the results of that authentication. This infrastructure may be visualized as shown in figure 4. Perkins, Calhoun Expires 21 November 2002 [Page 15] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 +----------------------------------------------------+ | | | Verification and Key Management Infrastructure | | | +----------------------------------------------------+ ^ | ^ | | | | | | v | v +---------------+ +---------------+ | | | | | Foreign Agent | | Home Agent | | | | | +---------------+ +---------------+ Figure 4: The Verification Infrastructure After the foreign agent gets the Challenge authentication, it MAY pass the authentication to the (here unspecified) infrastructure, and await a Registration Reply. If the Reply has a positive status (indicating that the registration was accepted), the foreign agent accepts the registration. If the Reply contains the Code value BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions indicated for rejected registrations. Implicit in this picture, is the important observation that the Foreign Agent and the Home Agent have to be equipped to make use of whatever protocol is made available to them by the challenge verification and key management infrastructure shown in the figure. The protocol messages for handling the authentication within the verification infrastructure, and identity of the agent performing the verification of the Foreign Agent challenge, are not specified in this document, because those operations do not have to be performed by any Mobile IP entity. C. Message Flow for FA Challenge Messaging In figure 5, the following message flow is illustrated: 1. The foreign agent disseminates a Challenge Value in an Agent Advertisement if needed. This advertisement MAY have been produced after receiving an Agent Solicitation from the mobile node (not shown in the diagram). Perkins, Calhoun Expires 21 November 2002 [Page 16] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 MN FA Verification Home Agent |<-- Adv+Challenge--| Infrastructure | | (if needed) | | | | | | | |-- RReq+Challenge->| | | | + Auth.Ext. | | | | | Auth. Request, incl. | | | |--- RReq + Challenge --->| | | | + Auth.Ext | RReq + | | | |-- Challenge -->| | | | | | | | | | | |<--- RRep ----- | | | Authorization, incl. | | | |<-- RRep + Auth.Ext.-----| | | | | | |<-- RRep+Auth.Ext--| | | | + Challenge | | | Figure 5: Message Flows for FA Challenge Messaging 2. The mobile node creates a Registration Request including the advertised Challenge Value in the Challenge Extension, along with an authorization-enabling authentication extension. 3. The foreign agent relays the Registration Request either to the home agent specified by the mobile node, or else to its locally configured Verification Infrastructure (see appendix B), according to local policy. 4. The foreign agent receives a Registration Reply with the appropriate indications for authorizing connectivity for the mobile node. 5. The foreign agent relays the Registration Reply to the mobile node, possibly along with a new Challenge Value to be used by the mobile node in its next Registration Reply message. D. Foreign Agent Algorithm for Tracking Used Challenges If the foreign agent maintains a large CHALLENGE_WINDOW, it becomes more important for scalability purposes to efficiently compare incoming challenges against the set of Challenge values which have been advertised recently. This can be done by keeping the Challenge values in order of advertisement, and by making use of the mandated Perkins, Calhoun Expires 21 November 2002 [Page 17] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 behavior that mobile nodes MUST NOT use Challenge values which were advertised before the last advertised Challenge value that the mobile node has attempted to use. The following stylized programmatic algorithm accomplishes this objective. The maximum amount of total storage required by this algorithm is equal to Size*(CHALLENGE_WINDOW + (2*N)), where N is the current number of mobile nodes for which the foreign agent is storing challenge values. Note that, whenever the stored challenge value is no longer in the CHALLENGE_WINDOW, it can be deleted from the foreign agent's records, perhaps along with all other registration information for the mobile node if it is no longer registered. In the program fragment, it is presumed that the foreign agent keeps an array of advertised Challenges ("VALID_ADV_CHALLENGES"), a record of the last advertised challenge used by a mobile node, and also a record of the last challenge provided to a mobile node in a Registration Reply. current_chal := RegistrationRequest.challenge_extension_value last_chal := mobile_node_record.last_used_adv_chal if (current_chal == mobile_node_record.RegReply_challenge) { update (mobile_node_record, current_chal) return (OK) } else if (current_chal "among" VALID_ADV_CHALLENGES[]{ if (last_chal "among" VALID_ADV_CHALLENGES[]) { if (current_chal is "before" last_chal) { send_error(STALE_CHALLENGE) return (FAILURE) } else { update (mobile_node_record, current_chal) return (OK) } } else { update (mobile_node_record, current_chal) return (OK) } } else { send_error(UNKNOWN_CHALLENGE); } Perkins, Calhoun Expires 21 November 2002 [Page 18] Internet Draft Mobile IPv4 Challenge/Response, revised 21 May 2002 Addresses The working group can be contacted via the current chairs: Basavaraj Patil Phil Roberts Nokia Megisto Corp. 6000 Connection Dr. Suite 120 20251 Century Blvd Irving, TX. 75039 Germantown MD 20874 USA USA Phone: +1 972-894-6709 Phone: +1 847-202-9314 Email: Basavaraj.Patil@nokia.com Email: PRoberts@MEGISTO.com Questions about this memo can also be directed to the authors: Charles E. Perkins Pat R. Calhoun Communications Systems Lab Nokia Research Center Black Storm Networks 313 Fairchild Drive 250 Cambridge Avenue, Suite 200 Mountain View, California 94043 Palo Alto, California, 94306 USA USA Phone: +1-650 625-2986 Phone: +1 650-617-2932 EMail: charliep@iprg.nokia.com Email: pcalhoun@diameter.org Fax: +1 650 625-2502 Fax: +1 720-293-7501 Perkins, Calhoun Expires 21 November 2002 [Page 19]