Network Working Group                                       K. Chowdhury
Internet-Draft                                               J. Bharatia
Expires: April 15, 2005                                  Nortel Networks
                                                        October 15, 2004


      DHCP Relay Agent Option to Support Mobile IPv6 bootstrapping
                 draft-chowdhury-dhc-mip6-agentop-00.txt

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 15, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document defines a new DHCPv6 option and a number of sub-options
   for the DHCP Relay Agent to facilitate Mobile IPv6 bootstrapping
   along with a AAA infrastructure.

Chowdhury & Bharatia     Expires April 15, 2005                 [Page 1]

Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.   Overview . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   2.1  Home Agent . . . . . . . . . . . . . . . . . . . . . . . . .  6
   2.2  Home Link Prefix . . . . . . . . . . . . . . . . . . . . . .  6
   2.3  Home Address . . . . . . . . . . . . . . . . . . . . . . . .  6
   2.4  Home Link Prefix Length  . . . . . . . . . . . . . . . . . .  6
   3.   Terminology  . . . . . . . . . . . . . . . . . . . . . . . .  7
   4.   DHC Relay Agent Option to carry Mobile IPv6 parameters . . .  8
   4.1  Home Agent sub-option  . . . . . . . . . . . . . . . . . . .  8
   4.2  Home Link Prefix sub-option  . . . . . . . . . . . . . . . .  9
   4.3  Home Address sub-option  . . . . . . . . . . . . . . . . . .  9
   4.4  Home Link Prefix Length sub-option . . . . . . . . . . . . . 10
   4.5  Authenticity sub-option  . . . . . . . . . . . . . . . . . . 10
   5.   DHC Client Operation Considerations  . . . . . . . . . . . . 12
   6.   DHC Relay agent Considerations . . . . . . . . . . . . . . . 13
   7.   Security Considerations  . . . . . . . . . . . . . . . . . . 14
   8.   IANA Considerations  . . . . . . . . . . . . . . . . . . . . 15
   9.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16
   10.  Normative References . . . . . . . . . . . . . . . . . . . . 16
        Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 16
        Intellectual Property and Copyright Statements . . . . . . . 17

1.  Introduction

   In an access network, the user's device (Mobile Node) typically
   provides authentication credentials to the Access Device for
   authentication and authorization (e.g. PAP/CHAP).  This Access Device
   may be the Network Access Server (NAS) or an Access Router (AR).
   Upon receipt of this authentication and authorization information
   from the user, the Access Device relays it to the Home AAA server.
   Based on the home network's policy, the Home AAA server verifies the
   user's profile and includes a set of Mobile IPv6 specific information
   in the resulting response to the Access Device.

   Upon receiving this set of information from the Home AAA server, the
   Access Device needs to convey it to the user.  In networks where
   DHCPv6 [RFC3315] is used for configuration purposes, the Access
   Device may act as a DHCPv6 relay agent.
   In this context the Access Device can relay the received information
   to the DHCP Client (MN) while sending a REPLY message or an ADVERTISE
   message to the DHCP client.  An example call flow is shown below:

   MN/DHCC                 NAS/DHCR                AAA             DHCS
      | 1. access auth-req    |                      |               |
      |---------------------->| 2.auth-req           |               |
      |                       |--------------------->|               |
      |                       |                      |               |
      |                       | 3.auth-rep[HA, HoA]  |               |
      |  4.access auth-rep    |<---------------------|               |
      |<----------------------|                      |               |
      |                       |                      |               |
      |                       | 5.Store [HA,HoA]     |               |
      |                       |                      |               |
      | 6.DHC Request         |                      |               |
      |---------------------->|                      |               |
      |                       |                      |               |
      |                       | 7.RELAY-FORW         |               |
      |                       |------------------------------------->|
      |                       |                      |               |
      |                       | 8.RELAY-REPL         |               |
      |                       |<-------------------------------------|
      |                       |                      |               |
      | 9.DHC Reply [HA, HoA] |                      |               |
      |<----------------------|                      |               |
      |                       |                      |               |

   In this example call flow:

   1.  The Mobile Node sends an access-authentication request to the
       NAS.

   2.  The NAS sends an authentication and authorization request (e.g.
       Access-Request for RADIUS or AA-Request for DIAMETER).

   3.  The AAA server authenticates and authorizes the MN and assigns a
       Home Agent (HA) and Home Address for the Mobile Node (MN)'s
       subsequent Mobile IPv6 access.

   4.  The NAS responds to the MN.  At this step the network access
       authentication and authorization is complete.

   5.  The NAS stores the received HA and HoA information.

   6.  The DHC client (DHCC) in the MN sends a DHCP Request to the DHC
       relay agent's anycast address.  The NAS/DHC Relay Agent (DHCR)
       receives the request.

   7.  The DHCR relays the Request to the DHC Server (DHCS).

   8.  The DHCS responds back to the DHCR.

   9.  The DHCR responds back to the DHCC with a DHC Reply message.
       Along with the message the DHCR appends the DHC Relay Agent
       Option for Mobile IPv6 to convey the HA and HoA information to
       the MN.

   The AAA procedures using RADIUS are defined in [MIP6-RADIUS].
2.  Overview

   In the typical Mobile IPv6 access scenario, the MN attaches to an
   access network for IPv6 service prior to performing Mobile IPv6 home
   registration.  During this attach procedure, the NAS authenticates
   and authorizes the MN for IPv6 access service.  At the time of
   authorizing the user, the Home AAA server detects that the user is
   authorized for Mobile IPv6 access.  Based on the Home network
   provider's policy, the Home AAA server may allocate several
   parameters to the MN for use during the subsequent Mobile IPv6
   access.  A list of such parameters is described in this section.

2.1  Home Agent

   The Home network provider may decide to assign a Home Agent to the MN
   which is in close proximity to the point of attachment (NAS-ID).
   There may be other reasons for assigning Home Agents to the MN, e.g.
   load sharing in the network.  The Home network may also assign a list
   of Home Agents for the MN to choose from.

2.2  Home Link Prefix

   The Home network may assign a Home Link that is in close proximity to
   the point of attachment (NAS-ID).  The reasons for doing so are
   similar to those for the HA.  The MN can perform [RFC3775] specific
   procedures to discover other information for Mobile IPv6
   registration.

2.3  Home Address

   The Home AAA server may assign a Home Address to the MN.  This allows
   the network operator to support mobile devices that are not
   configured with static addresses.

2.4  Home Link Prefix Length

   The Home AAA server may indicate the prefix length of the Mobile's
   assigned Home Link when assigning the Home Agent and/or Home Address
   to the MN.  This assists the MN in inferring the Home Link (HL)
   prefix information from the assigned HA and/or HoA values.

3.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

4.  DHC Relay Agent Option to carry Mobile IPv6 parameters

   This section defines the format and syntax of the option that carries
   the Mobile IPv6 parameters described in section 2.  The Relay Agent
   MAY append these options to REPLY and ADVERTISE messages.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       OPTION_MIP6-Option      |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                          sub-options                          .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code          OPTION_MIP6_option (TBD by IANA).

   option-len           Length of OPTION_MIP6-Option.

   sub-options          A series of sub-options carrying MIP6
                        information such as HA address, HoA, HL etc.

4.1  Home Agent sub-option

   This sub-option carries the assigned Home Agent to the DHCP Client.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         sub-option=1          |        sub-option-len         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                       assigned-MIP6-HA                        .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   sub-option-code      MIP6 Home Agent (1).

   option-len           Length of assigned HA fields.

   assigned-MIP6-HA     The address of the Home Agent assigned by the
                        AAA server.

4.2  Home Link Prefix sub-option

   This sub-option carries the assigned Home Link prefix to the DHC
   Client.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        sub-option = 2         |        sub-option-len         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                       assigned-MIP6-HL                        .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   sub-option-code      MIP6 Home Link Prefix (2).

   option-len           Length of assigned HL fields.

   assigned-MIP6-HL     The prefix of the Home Link that is assigned by
                        the AAA server.

4.3  Home Address sub-option

   This sub-option carries the Home Address assigned by the AAA server
   to the DHC Client.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        sub-option = 3         |        sub-option-len         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                       assigned-MIP6-HoA                       .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   sub-option-code      MIP6 Home Address (3).

   option-len           Length of assigned HoA field.

   assigned-MIP6-HoA    HoA assigned by the AAA server.

4.4  Home Link Prefix Length sub-option

   This sub-option carries the Home Link Prefix Length so that the MN
   can infer the Home Link prefix from the assigned HA and/or HoA.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        sub-option = 4         |        sub-option-len         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                    Home Link Prefix Length                    .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   sub-option-code      Home Link Prefix Length (4).

   option-len           Length of assigned Home Link Prefix Length.

   Home Link Prefix     Length of the Home Link Prefix in octets.
   Length

4.5  Authenticity sub-option

   This sub-option carries the secure checksum of the assigned values.
   The purpose is to allow the MN to validate that the received
   information is indeed from the Home AAA with which the MN shares a
   secret.  The secure checksum is computed by:

      HMAC-SHA-1 (shared secret between MN and the Home AAA,
                  assigned values).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        sub-option = 5         |        sub-option-len         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         authenticator                         .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   sub-option-code      Secure Checksum (6).

   option-len           Length of authenticator.

   authenticator        Secure checksum.

5.  DHC Client Operation Considerations

   Upon receiving the DHC Relay Agent Option carrying Mobile IPv6
   parameters, the MN MUST look for the Authenticity sub-option.  If
   included, the MN MUST validate the authenticator by computing an
   HMAC-SHA-1 of the received values in the other sub-options.  If the
   validation succeeds, the MN SHALL accept the received values for
   Mobile IPv6 registration.

6.  DHC Relay agent Considerations

   The DHCP relay agent MUST append the DHC Relay Agent Option defined
   in this document while sending REPLY and ADVERTISE messages to the
   DHC Client when the MIP6 information is received from the Home AAA as
   per [MIP6-RADIUS].

7.  Security Considerations

   The options introduced in this document may be used by a rogue relay
   agent to insert data in the REPLY and ADVERTISE messages.  The result
   could be that the MN may be misled into sending a Mobile IPv6 BU to a
   wrong Home Agent.  In this case the MN's security credentials could
   be exposed to a rogue HA.
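   The following Python is an added example, not code from the draft or
   its authors.  It models the sub-option encoding of section 4, the
   HMAC-SHA-1 Authenticity sub-option of section 4.5, the client-side
   check of section 5, the Home Link prefix inference of section 2.4,
   and the relay-agent modification described in the paragraph above,
   showing that the check rejects it.  Several things the draft leaves
   open are assumptions here: each sub-option uses a 2-octet code and a
   2-octet length like a DHCPv6 option; the "assigned values" fed to
   HMAC-SHA-1 are the wire encoding of every non-authenticity sub-option
   in order; the Authenticity sub-option code is 5 (the draft's figure
   says 5 while its field text says 6); the outer option code is a
   placeholder since IANA had not assigned one; and a missing
   authenticator is treated as a failed validation.  The shared secret
   and all addresses are constructed sample values.

```python
# Added example (not part of the draft): OPTION_MIP6-Option sub-options,
# HMAC-SHA-1 authenticator, client-side validation and HL prefix inference.
import hashlib
import hmac
import ipaddress
import struct

OPTION_MIP6_CODE = 0xFFFF   # placeholder: the draft says "TBD by IANA"
SUBOPT_HA = 1               # Home Agent            (draft section 4.1)
SUBOPT_HL = 2               # Home Link Prefix      (draft section 4.2)
SUBOPT_HOA = 3              # Home Address          (draft section 4.3)
SUBOPT_HL_LEN = 4           # Home Link Prefix Len  (draft section 4.4)
SUBOPT_AUTH = 5             # Authenticity: figure says 5, text says 6 (assumed 5)


def encode_tlv(code, value):
    # Assumed layout: 2-octet code, 2-octet length, value (as DHCPv6 options do).
    return struct.pack("!HH", code, len(value)) + value


def parse_tlvs(data):
    """Split bytes into (code, value) pairs; reject truncated or overlong entries."""
    out, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("sub-option length exceeds remaining data")
        out.append((code, data[off:off + length]))
        off += length
    return out


def compute_authenticator(secret, assigned):
    # Assumption: "assigned values" = wire encoding of the non-authenticity
    # sub-options, in the order they appear in the option.
    msg = b"".join(encode_tlv(c, v) for c, v in assigned)
    return hmac.new(secret, msg, hashlib.sha1).digest()


def build_mip6_option(secret, ha, hoa, prefix_len):
    """AAA/relay side: assigned values plus authenticator inside OPTION_MIP6-Option."""
    assigned = [
        (SUBOPT_HA, ipaddress.IPv6Address(ha).packed),
        (SUBOPT_HOA, ipaddress.IPv6Address(hoa).packed),
        (SUBOPT_HL_LEN, bytes([prefix_len])),
    ]
    body = b"".join(encode_tlv(c, v) for c, v in assigned)
    body += encode_tlv(SUBOPT_AUTH, compute_authenticator(secret, assigned))
    return encode_tlv(OPTION_MIP6_CODE, body)


def client_accept(secret, option):
    """Section 5 on the MN: verify the authenticator before using any value.
    Returns the accepted parameters, or None when the option must be ignored."""
    (code, body), = parse_tlvs(option)        # exactly one outer option expected
    if code != OPTION_MIP6_CODE:
        return None
    subopts = parse_tlvs(body)
    auths = [v for c, v in subopts if c == SUBOPT_AUTH]
    assigned = [(c, v) for c, v in subopts if c != SUBOPT_AUTH]
    if len(auths) != 1:                        # assumption: absent/duplicate = reject
        return None
    if not hmac.compare_digest(compute_authenticator(secret, assigned), auths[0]):
        return None
    values = {}
    for c, v in assigned:
        if c == SUBOPT_HA:
            values["ha"] = str(ipaddress.IPv6Address(v))
        elif c == SUBOPT_HOA:
            values["hoa"] = str(ipaddress.IPv6Address(v))
        elif c == SUBOPT_HL_LEN:
            values["hl_len"] = v[0]
    # Section 2.4: infer the Home Link prefix from the HoA and the prefix length.
    if "hoa" in values and "hl_len" in values:
        net = ipaddress.IPv6Network((values["hoa"], values["hl_len"]), strict=False)
        values["hl"] = str(net)
    return values


def rogue_relay_rewrites_ha(option, new_ha):
    """Section 7 threat model: a relay without the secret swaps the HA sub-option
    and leaves the authenticator untouched, so the MN's validation fails."""
    (code, body), = parse_tlvs(option)
    rewritten = b"".join(
        encode_tlv(c, ipaddress.IPv6Address(new_ha).packed if c == SUBOPT_HA else v)
        for c, v in parse_tlvs(body))
    return encode_tlv(code, rewritten)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    opt = build_mip6_option(secret, "2001:db8:1::10", "2001:db8:1::abcd", 64)
    print(client_accept(secret, opt))
    print(client_accept(secret, rogue_relay_rewrites_ha(opt, "2001:db8:bad::1")))
```

   Run stand-alone, the first print shows the accepted HA, HoA, prefix
   length and inferred Home Link prefix; the second prints None because
   the rewritten HA no longer matches the authenticator.  The
   `compare_digest` call avoids timing leaks on the MN, and the parser
   bounds-checks every length before slicing so a malformed sub-option
   cannot be read past the option.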
   However, if the Authenticity sub-option is in use, the likelihood of
   a rogue relay agent inserting malicious data or modifying received
   parameters can be greatly mitigated.  Therefore, it is strongly
   recommended that the Authenticity sub-option be included in
   OPTION_MIP6-Option.

8.  IANA Considerations

   IANA needs to assign the option code for OPTION_MIP6-Option.  IANA
   also needs to assign sub-option codes for the Home Agent, Home Link
   Prefix, Home Address, Home Link Prefix Length, and Authenticity
   sub-options defined in this document.

9.  Acknowledgements

   TBD.

10.  Normative References

   [MIP6-RADIUS]  Chowdhury, K. et al., "RADIUS Attributes for Mobile
                  IPv6 bootstrapping",
                  draft-chowdhury-mip6-bootstrap-radius-01 (work in
                  progress), July 2004.

   [RFC3315]      Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.
                  and M. Carney, "Dynamic Host Configuration Protocol
                  for IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC3775]      Johnson, D., Perkins, C. and J. Arkko, "Mobility
                  Support in IPv6", RFC 3775, June 2004.

Authors' Addresses

   Kuntal Chowdhury
   Nortel Networks
   2221 Lakeside Blvd.
   Richardson, TX  75082
   US

   Phone: +1 972-685-7788
   EMail: chowdury@nortelnetworks.com

   Jayshree Bharatia
   Nortel Networks
   2221 Lakeside Blvd.
   Richardson, TX  75082
   US

   Phone: +1 972-684-5767
   EMail: jayshree@nortelnetworks.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC documents
   can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.