idnits 2.17.1 draft-ietf-mobileip-aaa-nai-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 1, 2003) is 7542 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? '1' on line 255 looks like a reference -- Missing reference section? '5' on line 268 looks like a reference -- Missing reference section? '3' on line 262 looks like a reference -- Missing reference section? '4' on line 265 looks like a reference -- Missing reference section? '2' on line 258 looks like a reference Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Mobile IP Working Group F. Johansson 3 Internet-Draft ipUnplugged 4 Expires: March 1, 2004 T. Johansson 5 Bytemobile 6 September 1, 2003 8 AAA NAI for Mobile IPv4 Extension 9 draft-ietf-mobileip-aaa-nai-06 11 Status of this Memo 13 This document is an Internet-Draft and is in full conformance with 14 all provisions of Section 10 of RFC2026. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at http:// 27 www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on March 1, 2004. 34 Copyright Notice 36 Copyright (C) The Internet Society (2003). All Rights Reserved. 38 Abstract 40 When a mobile node moves between two foreign networks it has to be 41 reauthenticated. If the home network has multiple AAA servers the 42 reauthentication request may not be received by the same AAAH as 43 previous authentication requests. 45 In order for the new AAAH to be able to forward the request to the 46 correct HA it has to know the identity of the HA. This document 47 defines an extension that enables the HA to pass its identity to the 48 mobile node which can in turn pass it to the AAA server when changing 49 point of attachment. This document specifies a NAI extension that 50 can carry these NAIs. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Requirements terminology . . . . . . . . . . . . . . . . . . . 3 58 3. AAA NAI Extension . . . . . . . . . . . . . . . . . . . . . . 4 59 3.1 Processing of the AAA NAI Extension . . . . . . . . . . . . . 5 61 4. HA Identity subtype . . . . . . . . . . . . . . . . . . . . . 5 63 5. AAAH Identity subtype . . . . . . . . . . . . . . . . . . . . 6 65 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 67 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 69 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 71 Noramtive References . . . . . . . . . . . . . . . . . . . . . 7 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 8 75 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 9 77 1. Introduction 79 When building networks one would like to be able to have redundancy. 80 In order to achieve this, one might place multiple AAA servers in one 81 domain. When a mobile node registers via a visited network the 82 authentication will be handled by one of the AAA servers in the home 83 domain. At a later point, when the mobile node moves to another 84 visited domain it again has to be authenticated. However, due to the 85 redundancy offered by the AAA protocol, it can not be guaranteed that 86 the authentication will be handled by the same AAAH server as the 87 previous one which can cause problems when trying to contact the HA 88 assigned during this session. 90 To solve this the home agent MUST include the AAAH NAI in the 91 registration reply message, sent via the AAA infrastructure, which 92 the mobile node then MUST include in every subsequent registration 93 request sent to a foreign agent when changing point of attachment. 95 Furthermore, the only information that is available about the home 96 agent in the registration request is the IP address as defined in RFC 97 3344 [1]. This is unfortunately not enough, since the AAA 98 infrastructure needs to know the FQDN identity of the home agent to 99 be able to correctly handle the assignment of the home agent. A 100 reverse DNS lookup would only disclose the identity of the Mobile IP 101 interface for that HA IP address, which may or may not be the same as 102 the AAA interface of the home agent. One way of solving this problem 103 would be for the home agent to include its identity in the 104 registration reply so that it can be included by the mobile node in 105 the coming registration requests when changing point of attachment. 107 2. Requirements terminology 109 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 110 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 111 document are to be interpreted as described in RFC 2119 [5]. 113 The Mobile IP related described in RFC 3344 [1] is used in this 114 document. 116 The Mobile IP related terminology described in RFC 3344 [1] is used 117 in this document. In addition, the following terms are used: 119 AAAH 120 One of possible several AAA Servers in the Home Network 122 FQDN 123 Fully Qualified Domain Name. 125 Identity 126 The identity of a node is equal to its FQDN. 128 NAI 129 Network Access Identifier [3]. 131 3. AAA NAI Extension 133 This section defines the AAA NAI Extension, which is carried in 134 Mobile IP Registration Request and Reply messages [1]. The extension 135 is used by any node that wants to inform about its identity in the 136 form a of a NAI [4]. 138 0 1 2 3 139 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 140 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 141 | Type | Length | Sub-Type | NAI ... 142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 Type 145 (Type to be assigned by IANA) (skippable) [1] 147 Length 8-bit unsigned integer. Length of the extension, in octets, 148 excluding the extension Type and the extension Length 149 fields. This field MUST be set to 1 plus the total length 150 of the NAI field. 152 Sub-Type This field describes the type of the entity which owns the 153 NAI. The following subtypes are defined: 155 1 HA Identity NAI HA Identity (Section 4) 157 2 AAAH Identity NAI AAAH Identity (Section 5) 159 NAI Contains the NAI [3] in a string format. 161 3.1 Processing of the AAA NAI Extension 163 When a mobile node or home agent adds an AAA NAI extension to a 164 registration message, the extension MUST appear prior to any 165 authentication extensions. 167 In the event the foreign agent adds an AAA NAI extension to a 168 registration message, the extension MUST appear prior to any 169 authentication extensions added by the FA. 171 If an HA appended an AAA-NAI extension to a Registration Reply to an 172 MN, and does not receive the AAA-NAI extensions in subsequent 173 Registration Request messages from the MN, the HA can assume that the 174 MN does not understand the AAA-NAI extensions. In this case, the HA 175 SHOULD NOT append the AAA-NAI to further Registration Reply messages 176 to the MN. 178 4. HA Identity subtype 180 The HA identity uses subtype 1 of the AAA NAI Extension. It contains 181 the NAI of the AAA interface of the HA in the form hostname@realm. 182 Together the hostname and realm forms the complete FQDN 183 (hostname.realm) of the HA's AAA interface. 185 The Home Agent MUST provide this in the first Registration Reply sent 186 to the Mobile Node destined through the AAA infrastructure. The 187 extension only need to be included in subsequent Registration Replies 188 if the same extension is included in Registration Requests received 189 from the same Mobile Node. 191 A mobile node that recieves this extension in a registration reply 192 message MUST provide it in every registration request when re- 193 authentication is needed. If the mobile node requests a specific 194 home agent and it has the information available it MUST provide this 195 extension in its initial registration request. 197 The foreign agent MUST provide it to the AAA server via RADIUS [2] or 198 other future AAA protocols where applicable. 200 5. AAAH Identity subtype 202 The AAAH identity uses subtype 2 of the AAA NAI Extension. It 203 contains the NAI of the home AAA server in the form hostname@realm. 204 Together the hostname and realm forms the complete FQDN 205 (hostname.realm) of the home AAA servers interface. 207 If there exists several AAA servers in the Home Network, the Home 208 Agent MUST provide this in the first Registration Reply sent to the 209 Mobile Node destined through the AAA infrastructure. The extension 210 only need to be included in subsequent Registration Replies if the 211 same extension is included in Registration Requests received from the 212 same Mobile Node. 214 A mobile node MUST always save the latest AAAH Identity received in 215 the registration reply message and MUST provide the AAAH Identity in 216 every registration request sent when re-authenticating. 218 If the AAAH identity is present, the foreign agent MUST include this 219 identity when requesting the Mobile Node authentication through the 220 AAA infrastructure, e.g. RADIUS [2] or in other future AAA protocols 221 where applicable. 223 6. Security Considerations 225 This specification introduces new Mobile IP extensions that are used 226 to carry mobility agent and AAA server identities, in the form of 227 Network Access Identifiers. It is assumed that the Mobile IP 228 messages that would carry these extensions would be authenticated in 229 the manner that is described in [4], or any follow-on authentication 230 mechanisms. Therefore, this specification does not lessen the 231 security of Mobile IP messages. 233 It should be noted, that the identities sent in the extensions 234 specified herein MAY be sent in the clear over the network. However, 235 the authors do not envision that this information would create any 236 security issues. 238 7. IANA Considerations 240 The value assigned to the AAA NAI Extension should be taken from the 241 IANA number space for Mobile IPv4 skippable extensions. 243 8. Acknowledgements 245 Thanks to the original authors of the GNAIE draft, Mohamed M Khalil, 246 Emad Qaddoura, Haseeb Akhtar, Pat R. Calhoun. The original draft 247 was removed from the MIP WG charter when no use was seen for the 248 extension. The original ideas has been reused in this draft. 250 Also thanks to Henrik Levkowetz and Kevin Purser for valuable 251 feedback and help when writing this draft. 253 Noramtive References 255 [1] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 256 2002. 258 [2] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote 259 Authentication Dial In User Service (RADIUS)", RFC 2865, June 260 2000. 262 [3] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 263 2486, January 1999. 265 [4] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier 266 Extension for IPv4", RFC 2794, March 2000. 268 [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement 269 Levels", BCP 14, RFC 2119, March 1997. 271 Authors' Addresses 273 Fredrik Johansson 274 ipUnplugged AB 275 Arenavagen 23 276 Stockholm S-121 28 277 SWEDEN 279 Phone: +46 8 725 5916 280 EMail: fredrik@ipunplugged.com 282 Tony Johansson 283 Bytemobile Inc 284 2029 Stierlin Court 285 Mountain View, CA 94043 286 USA 288 Phone: +1 650 862 0523 289 EMail: tony.johansson@bytemobile.com 291 Full Copyright Statement 293 Copyright (C) The Internet Society (2003). All Rights Reserved. 295 This document and translations of it may be copied and furnished to 296 others, and derivative works that comment on or otherwise explain it 297 or assist in its implementation may be prepared, copied, published 298 and distributed, in whole or in part, without restriction of any 299 kind, provided that the above copyright notice and this paragraph are 300 included on all such copies and derivative works. However, this 301 document itself may not be modified in any way, such as by removing 302 the copyright notice or references to the Internet Society or other 303 Internet organizations, except as needed for the purpose of 304 developing Internet standards in which case the procedures for 305 copyrights defined in the Internet Standards process must be 306 followed, or as required to translate it into languages other than 307 English. 309 The limited permissions granted above are perpetual and will not be 310 revoked by the Internet Society or its successors or assigns. 312 This document and the information contained herein is provided on an 313 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 314 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 315 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 316 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 317 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 319 Acknowledgement 321 Funding for the RFC Editor function is currently provided by the 322 Internet Society.