Mobile IP Working Group                                  Pat R. Calhoun
INTERNET DRAFT                                    Sun Microsystems, Inc.
25 February 1999                                      Charles E. Perkins
                                                  Sun Microsystems, Inc.


            Mobile IP Network Address Identifier Extension
                    draft-ietf-mobileip-mn-nai-00.txt


Status of This Memo

   This document is a submission by the mobile-ip Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the mobile-ip@smallworks.com mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at:
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at:
   http://www.ietf.org/shadow.html.

Abstract

   AAA servers, such as RADIUS and DIAMETER, are in use within the
   Internet today to provide authentication and authorization services
   for dial-up computers.  We propose that such services are equally
   valuable for mobile nodes using Mobile IP when the nodes are
   attempting to connect to foreign domains with AAA servers.  Such AAA
   servers typically identify clients by using the Network Access
   Identifier (NAI).  We propose that the NAI be allowed for use with
   Mobile IP when the mobile node issues a Registration Request.


Calhoun, Perkins             Expires 25 August 1999             [Page i]

Internet Draft               Mobile Node NAI            25 February 1999


1. Introduction

   AAA servers, such as RADIUS and DIAMETER, are in use within the
   Internet today to provide authentication and authorization services
   for dial-up computers.  We propose that such services are equally
   valuable for mobile nodes using Mobile IP when the nodes are
   attempting to connect to foreign domains with AAA servers.  Such AAA
   servers typically identify clients by using the Network Access
   Identifier (NAI).  We propose that the NAI be allowed for use with
   Mobile IP when the mobile node issues a Registration Request.

   This draft specifies the Mobile-Node-NAI Extension to the Mobile IP
   Registration Request message from the Mobile Node.  Since the NAI is
   typically used to identify the mobile node, the mobile node's home
   address is not always necessary to provide that function.  Thus, it
   is possible for a mobile node to authenticate itself, and be
   authorized for connection to the foreign domain, without even having
   a home address.  This draft introduces a new entity named the Home
   Domain Allocation Agency (HDAA) that can dynamically assign a Home
   Address to the Mobile Node.  A message containing the Mobile-Node-NAI
   extension MAY have the Home Address field in the Registration Request
   set to zero (0) to request that one be assigned.

   In Figure 1, we introduce the Home Domain Allocator Agency (HDAA),
   which receives messages from Foreign Agents and assigns a Home
   Address, and possibly a Home Agent, within the Home Domain.  The HDAA
   does not perform any Mobile IP processing on the Registration
   Request, but simply forwards the request to a Home Agent within the
   network that is able to handle the request.

   Mobile IP [6] defines a method for a Mobile Node to be assigned a
   Home Agent dynamically through the use of a limited broadcast
   message.  However, most corporate networks do not allow such packets
   to traverse their firewall.
   The use of the limited broadcast ensured that the Home Agent assigned
   to the Mobile Node resided on a specific subnet; therefore it was not
   necessary to assign a dynamic IP Address to the Mobile Node.  With
   the Mobile-Node-NAI extension, we propose that the HDAA may also
   assign a dynamic Home Agent to the Mobile Node.  This alternative
   mechanism avoids the use of limited broadcast.  A Registration
   Request with the Mobile-Node-NAI extension MAY have the Home Agent
   field set to zero (0) to request that a home agent be dynamically
   assigned.  Such a registration MUST be forwarded to an HDAA, which is
   able to assign the Home Address.

   The domain portion of the NAI [1] is used to identify the Mobile
   Node's Home Domain, and thus to identify the HDAA which is the
   destination of the Registration Request.  The DIAMETER Mobile IP
   extension [3] defines a method of resolving the Home Agent allocator,
   but this document will refer to a generic method for full generality.

                                                +------+
                                                |      |
                                            +---+ HA-1 |
   +------+       +------+       +------+   |   |      |
   |      |       |      |       |      |   |   +------+
   |  MN  |-------|  FA  |-------| HDAA +---+     ...
   |      |       |      |       |      |   |   +------+
   +------+       +------+       +------+   |   |      |
                                            +---+ HA-n |
                                                |      |
                                                +------+

             Figure 1: Home Domain Allocator Agency (HDAA)

   Upon receipt of the Registration Request, the Foreign Agent extracts
   the Mobile Node's NAI and finds the domain name associated with it.
   The Foreign Agent then finds the HDAA that handles requests for the
   Mobile Node's domain.  The discovery protocol is outside of the scope
   of this specification.  As an example, however, the FA might
   typically delegate the duty of finding an HDAA to a local AAA server.

   The Registration Reply from the Home Agent MUST include the
   Mobile-Node-NAI extension.  The Registration Reply MUST include a
   nonzero Home Agent address and Mobile Node's Home Address.

2. Mobile-Node-NAI Extension

   The Mobile-Node-NAI Extension contains the user and/or host name
   following the format defined in [1].  The NAI is used to identify a
   user or host and can be used to find an HDAA within the requestor's
   home domain.  When present in the Registration Request, the Home
   Agent and Home Address fields MAY be set to zero (0).

   Since the foreign agent cannot use the Home Address in the reply to
   identify the Mobile Node, it MUST use the NAI instead in its pending
   registration request records.  If the foreign agent cannot manage
   pending registration request records in this way, it MUST return a
   Registration Reply with status 77 (unexpected extension).

   The Mobile-Node-NAI Extension, shown in Figure 2, MUST appear before
   the Foreign-Home Authentication Extension.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |          MN-NAI ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 2: The Mobile-Node-NAI Extension

   Type

      TBD

   Length

   Mobile-Node-NAI

      Contains the username or host name in the format defined in [1].

3. Security Considerations

   This document assumes that the Mobile IP messages are authenticated
   using a method defined by the Mobile IP protocol.  This proposal does
   require that the Mobile Node's NAI be sent in the clear over the
   network, but that is not expected to be a security issue.

4. IPv6 considerations

   For mobile nodes using IPv6, there are no commonly deployed
   mechanisms by which a mobile node may verify credentials, such as
   there are with IPv4.  Nevertheless, it may be the case that mobile
   nodes using IPv6 mobility would like to specify the domain in which
   their credentials may be checked, by using a NAI just as this
   specification proposes for IPv4.
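   The following is an added example, not code from the draft, showing
   the IPv4 foreign-agent processing that sections 1 and 2 above
   describe: the Mobile-Node-NAI extension is parsed from a Registration
   Request, its order relative to the Foreign-Home Authentication
   Extension is checked, the pending-registration record is keyed by NAI
   rather than by Home Address, the realm of the NAI selects the HDAA
   when the Home Address or Home Agent field is zero, and a Registration
   Reply is matched back to the pending record and checked for the
   nonzero addresses the draft requires.  Assumptions: the extension
   type is a placeholder (the draft says TBD); the Foreign-Home
   Authentication Extension is type 34 and the denial codes 70 and 80
   are taken from RFC 2002 for cases where the draft assigns none; and
   HDAA discovery, which the draft leaves out of scope, is a constructed
   in-memory table keyed by realm.

```python
"""Foreign-agent handling of the Mobile-Node-NAI extension (added example).

Assumptions: MN_NAI_TYPE is a placeholder (the draft says TBD); type 34 and
codes 70/80 come from RFC 2002; HDAA_BY_REALM is a constructed table that
stands in for the out-of-scope HDAA discovery protocol.
"""
import ipaddress
import struct

MN_NAI_TYPE = 255           # placeholder: the draft leaves the type TBD
FH_AUTH_TYPE = 34           # Foreign-Home Authentication Extension (RFC 2002)
REG_REQUEST, REG_REPLY = 1, 3
CODE_POORLY_FORMED = 70     # RFC 2002 code; this example's choice for misordering
CODE_UNEXPECTED_EXT = 77    # the status the draft mandates
CODE_HOME_UNREACHABLE = 80  # RFC 2002 code; this example's choice for no HDAA
ZERO = "0.0.0.0"

# Constructed directory; how an FA finds an HDAA is out of scope for the draft.
HDAA_BY_REALM = {"example.com": "192.0.2.10"}

def pack_ip(addr):
    return ipaddress.IPv4Address(addr).packed

def unpack_ip(raw):
    return str(ipaddress.IPv4Address(raw))

def build_extension(ext_type, data):
    """Generic Mobile IP extension: Type, Length (data bytes only), data."""
    return struct.pack("!BB", ext_type, len(data)) + data

def parse_extensions(buf):
    """Return [(type, data), ...]; reject truncated or overlong extensions."""
    exts, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated extension header")
        t, n = buf[i], buf[i + 1]
        if i + 2 + n > len(buf):
            raise ValueError("extension length exceeds message")
        exts.append((t, buf[i + 2:i + 2 + n]))
        i += 2 + n
    return exts

def build_request(nai, home=ZERO, home_agent=ZERO, care_of="198.51.100.7",
                  lifetime=300, ident=0x1234, nai_first=True):
    """Registration Request (RFC 2002 fixed part) plus MN-NAI and FH-auth."""
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime, pack_ip(home),
                        pack_ip(home_agent), pack_ip(care_of), ident)
    nai_ext = build_extension(MN_NAI_TYPE, nai.encode("ascii"))
    auth_ext = build_extension(FH_AUTH_TYPE, b"\x00" * 20)  # constructed SPI+MAC
    return fixed + (nai_ext + auth_ext if nai_first else auth_ext + nai_ext)

def build_reply(code, home, home_agent, ident, nai=None):
    """Registration Reply; the MN-NAI extension is appended when nai is given."""
    fixed = struct.pack("!BBH4s4sQ", REG_REPLY, code, 300,
                        pack_ip(home), pack_ip(home_agent), ident)
    return fixed + (build_extension(MN_NAI_TYPE, nai.encode("ascii")) if nai else b"")

def nai_realm(nai):
    """Domain portion of user@realm; a bare realm (no '@') is the realm itself."""
    return nai.rpartition("@")[2]

def fa_process_request(request, pending, can_key_by_nai=True):
    """Return ('forward', next_hop) or ('reply', reply_bytes), per the draft."""
    _, _, _, home, ha, coa, ident = struct.unpack("!BBH4s4s4sQ", request[:24])
    home, ha = unpack_ip(home), unpack_ip(ha)
    exts = parse_extensions(request[24:])
    types = [t for t, _ in exts]
    if MN_NAI_TYPE not in types:
        return "forward", ha            # plain RFC 2002 processing
    if FH_AUTH_TYPE in types and types.index(MN_NAI_TYPE) > types.index(FH_AUTH_TYPE):
        return "reply", build_reply(CODE_POORLY_FORMED, home, ha, ident)
    nai = dict(exts)[MN_NAI_TYPE].decode("ascii")
    if not can_key_by_nai:              # FA cannot track by NAI: status 77
        return "reply", build_reply(CODE_UNEXPECTED_EXT, home, ha, ident)
    pending[nai] = (ident, unpack_ip(coa))   # keyed by NAI, not Home Address
    if home != ZERO and ha != ZERO:
        return "forward", ha            # nothing to allocate: straight to the HA
    hdaa = HDAA_BY_REALM.get(nai_realm(nai))
    if hdaa is None:
        return "reply", build_reply(CODE_HOME_UNREACHABLE, home, ha, ident)
    return "forward", hdaa

def fa_check_reply(reply, pending):
    """Match a reply to its pending record by NAI and enforce the draft's MUSTs."""
    _, code, _, home, ha, ident = struct.unpack("!BBH4s4sQ", reply[:20])
    exts = dict(parse_extensions(reply[20:]))
    if MN_NAI_TYPE not in exts:
        raise ValueError("reply lacks Mobile-Node-NAI extension")
    nai = exts[MN_NAI_TYPE].decode("ascii")
    home, ha = unpack_ip(home), unpack_ip(ha)
    if code == 0 and (home == ZERO or ha == ZERO):
        raise ValueError("accepted reply must carry nonzero home address and HA")
    if nai not in pending or pending[nai][0] != ident:
        raise ValueError("no pending request for this NAI/identification")
    return nai, pending.pop(nai)[1], home, ha
```

   Keying the pending record by NAI is what lets the foreign agent
   recognise the reply when the request went out with a zero Home
   Address; the identification field is still compared so that a reply
   carrying a known NAI but the wrong identification is not accepted.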
   In the case of IPv6, however, there is no foreign agent in place to
   forward the mobile node's binding update, and thus to manage the
   verification of the credentials offered by the mobile node.  In
   order for the NAI to serve the purpose of identifying the home AAA
   that has the expected relationship with the mobile node, the NAI
   would have to be forwarded to a local AAA by the local agent involved
   with configuring the care-of address of the mobile node.  This local
   agent can be identified as either the router sending out Router
   Advertisements [5] for use by the mobile node with stateless address
   autoconfiguration, or as an appropriate DHCPv6 [2] server.  In the
   former case, the ability to handle the NAI would be signaled by the
   router in question by attaching a new extension to the Router
   Advertisement.  In the latter case, for managed links, the mobile
   node would include an NAI extension to the DHCP Solicitation for use
   by the DHCP server.  The NAI extension would also be required on the
   subsequent DHCP Request unicast by the mobile node to the DHCP Server
   selected on the basis of received DHCP Advertisements.

5. Acknowledgements

   The authors would like to thank Gabriel Montenegro and Vipul Gupta
   for their useful discussions.

References

   [1] B. Aboba and M. A. Beadles.  The Network Access Identifier.
       draft-ietf-roamops-nai-12.txt, November 1998.  (work in
       progress).

   [2] J. Bound and C. Perkins.  Dynamic Host Configuration Protocol for
       IPv6.  draft-ietf-dhc-dhcpv6-14.txt, June 1998.  (work in
       progress).

   [3] P. Calhoun and C. E. Perkins.  DIAMETER Mobile IP Extensions.
       draft-calhoun-diameter-mobileip-01.txt, November 1998.  (work in
       progress).

   [4] T. Narten, E. Nordmark, and W. Simpson.  Neighbor Discovery for
       IP Version 6 (IPv6).  RFC 1970, August 1996.

   [5] T. Narten, E. Nordmark, and W. Simpson.  Neighbor Discovery for
       IP Version 6 (IPv6).  RFC 2461, December 1998.  Obsoletes
       RFC 1970 [4].  Status: DRAFT STANDARD.

   [6] C. Perkins, Editor.  IP Mobility Support.  RFC 2002, October
       1996.

Chairs' Addresses

   The working group can be contacted via the current chairs:

   Jim Solomon                          Erik Nordmark
   Redback Networks, Inc.               Sun Microsystems, Inc.
   1301 E. Algonquin Road               17 Network Circle
   Schaumburg, IL 60196                 Menlo Park, California 94025
   USA                                  USA

   Phone: +1-847-576-2753               Phone: +1 650 786-5166
   Fax:                                 Fax:   +1 650 786-5896
   E-mail: solomon@redbacknetworks.com  E-mail: nordmark@sun.com

Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun                       Charles E. Perkins
   Sun Microsystems Laboratories        Sun Microsystems Laboratories
   15 Network Circle                    15 Network Circle
   Menlo Park, CA 94025                 Menlo Park, CA 94025
   USA                                  USA

   Phone: +1-650-786-7733               Phone: +1 650 786-6464
   EMail: pat.calhoun@sun.com           EMail: cperkins@eng.sun.com
                                        Fax:   +1 650 786-6445