idnits 2.17.1 draft-patel-mipv6-auth-protocol-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3667, Section 5.1 on line 19. -- Found old boilerplate from RFC 3978, Section 5.5 on line 768. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 745. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 752. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 758. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 774), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 41. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 201: '... the HA. The MN SHOULD use NAI option...' RFC 2119 keyword, line 292: '... The MN SHOULD use NAI option [NAI]t...' RFC 2119 keyword, line 295: '... The MN MUST use either CHAP_SPI or ...' RFC 2119 keyword, line 315: '... mobility option MUST be verified by t...' RFC 2119 keyword, line 322: '...om the MN the HA SHALL extract the MN-...' (25 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 133 has weird spacing: '... This docum...' == Line 277 has weird spacing: '... The first ...' == Line 349 has weird spacing: '... For the i...' == Line 400 has weird spacing: '...dgement with ...' == Line 401 has weird spacing: '...CH. In this ...' == (1 more instance...) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 24, 2004) is 7270 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC1700' is defined on line 680, but no explicit reference was found in the text == Unused Reference: 'RFC2486' is defined on line 687, but no explicit reference was found in the text == Outdated reference: A later version (-05) exists of draft-ietf-mip4-rfc3012bis-01 -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Normative reference to a draft: ref. 'NAI' ** Obsolete normative reference: RFC 1700 (Obsoleted by RFC 3232) ** Obsolete normative reference: RFC 2461 (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 2486 (Obsoleted by RFC 4282) Summary: 10 errors (**), 0 flaws (~~), 11 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Patel 3 Internet-Draft K. Leung 4 Expires: November 22, 2004 Cisco Systems 5 M. Khalil 6 H. Akhtar 7 K. Chowdhury 8 Nortel Networks 9 May 24, 2004 11 Authentication Protocol for Mobile IPv6 12 draft-patel-mipv6-auth-protocol-01.txt 14 Status of this Memo 16 By submitting this Internet-Draft, I certify that any applicable 17 patent or other IPR claims of which I am aware have been disclosed, 18 and any of which I become aware will be disclosed, in accordance with 19 RFC 3668. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF), its areas, and its working groups. Note that 23 other groups may also distribute working documents as 24 Internet-Drafts. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 The list of current Internet-Drafts can be accessed at 32 http://www.ietf.org/ietf/1id-abstracts.txt. 34 The list of Internet-Draft Shadow Directories can be accessed at 35 http://www.ietf.org/shadow.html. 37 This Internet-Draft will expire on November 22, 2004. 39 Copyright Notice 41 Copyright (C) The Internet Society (2004). All Rights Reserved. 43 Abstract 45 This document defines new mobility options to enable authentication 46 between mobility entities. These options can be used in addition to 47 or in lieu of IPsec to authenticate mobility messages as defined in 48 the base Mobile IPv6 specification. 50 Table of Contents 52 1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 54 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 55 4. General Terms . . . . . . . . . . . . . . . . . . . . . . . . 6 56 5. Operational flow . . . . . . . . . . . . . . . . . . . . . . . 7 57 6. Mobility message authentication option . . . . . . . . . . . . 8 58 6.1 MN-HA authentication mobility option . . . . . . . . . . . 9 59 6.2 MN-AAA authentication mobility option . . . . . . . . . . 9 60 6.2.1 Processing considerations . . . . . . . . . . . . . . 10 61 7. Mobility message identification option . . . . . . . . . . . . 11 62 7.1 Processing considerations . . . . . . . . . . . . . . . . 12 63 7.1.1 Home Agent Considerations . . . . . . . . . . . . . . 12 64 7.1.2 Mobile Node Considerations . . . . . . . . . . . . . . 12 65 7.1.3 AAA server Considerations . . . . . . . . . . . . . . 12 66 8. Encrypted Home KeyGen Token Option . . . . . . . . . . . . . . 14 67 8.1 Processing Considerations . . . . . . . . . . . . . . . . 15 68 8.1.1 Home Agent Considerations . . . . . . . . . . . . . . 15 69 8.1.2 Mobile Node Considerations . . . . . . . . . . . . . . 15 70 9. Securing The Mobile Prefix Solicitation and Mobile Prefix 71 Advertisement messages . . . . . . . . . . . . . . . . . . . . 16 72 9.1 Prefix Encryption Option . . . . . . . . . . . . . . . . . 16 73 9.1.1 Processing Considerations . . . . . . . . . . . . . . 17 74 10. Security Considerations . . . . . . . . . . . . . . . . . . 19 75 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 20 76 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 77 13. Normative References . . . . . . . . . . . . . . . . . . . . 21 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21 79 Intellectual Property and Copyright Statements . . . . . . . . 23 81 1. Motivation 83 The base specification of Mobile IPv6 [BASE] mandates IPsec support 84 between MN and HA for authentication. Also, return routability 85 messages passing via the HA (HoT/HoTi) and mobile prefix discovery 86 messages must be protected using IPsec. 88 While IPsec (ESP) may offer strong protection (depending on the 89 algorithms used), use of IPsec may not be required/feasible in all 90 cases where Mobile IPv6 may be used. For small handheld devices, the 91 use of IPsec may be too taxing on battery and processor performance. 92 Also depending on the model of home agent deployment (HA deployed by 93 enterprise/service provider), MN may have to VPN back into the 94 enterprise (which may impose dual IPsec requirement on MN). 96 Also, having an authentication mechanism tied to the Mobile's home IP 97 address does not permit the mobility entity to derive or acquire a 98 dynamic home address based on the configured prefix. If the MN's 99 home address is dynamically configured based on a fixed prefix or 100 acquired during network access authentication (PPP, 802.1x etc.), 101 IPsec will most likely not work as the IPsec SAs are tied to the 102 address. The mechanism described in this draft is not tied with 103 mobility entities home IP address and therefore does not mandate SA 104 relationship with an IP address. 106 Another important motivation for this proposed mechanism is to allow 107 the MN to register with a Home Agent on a dynamically discovered Home 108 Link. This sort of Dynamic Home Link assignments will allow the 109 operators to leverage the true benefit of dynamic Home Agent 110 assignment. For example the operator may assign a Home Link or Home 111 Agent for the user that is closest to the subnet of attachment of the 112 user. There may be various other reasons for opportunistic Home 113 Agent assignment. The mechanisms described in the draft allows the 114 MN to register with any Home Agent in the home network as long as the 115 MN user shares security association with an entity in the home 116 network such as a AAA server. 118 2. Overview 120 This document presents a lightweight mechanism to authenticate the MN 121 at the HA or at the Home AAA based on a shared security association 122 between the MN and the respective authenticating entity. 124 As per the specification in the current MIPv6 draft [BASE], the 125 return routability messages are protected by IPsec between MN and HA. 126 Specifically, the Home KeyGen token sent by the CN to the MN (via) HA 127 needs to be protected to secure the messages from an eves-dropper on 128 the path between MN and HA. The extensions in this draft encrypts 129 the Home KeyGen token from the HA to MN (based on a shared secret 130 that is either derived, distributed or preconfigured between the MN 131 and the HA). Thus, the integrity of the HoT message is preserved. 133 This document introduces new mobility options to aid in 134 authentication of the MN and to protect the integrity and 135 confidentiality of return routability and mobile prefix solicitation 136 and advertisement messages. 138 3. Terminology 140 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 141 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in 142 this document are to be interpreted as described in RFC 2119. 144 4. General Terms 146 MN Mobile Node 148 HA Home Agent 150 SA Security Association 152 CN Correspondent Node 154 IPsec IP Security protocol 156 ESP Encapsulating security protocol 158 BU Binding Update 160 BA Binding Acknowledgement 162 HoT Home Test Message (part of Return Routability test) 164 SPI Security Parameter Index 166 MH Mobility Header 168 HAAA Home Authentication Authorization Accounting server 170 CHAP CHallenge Authentication Protocol 172 HoA Home Address 174 AVP Attribute Value Pair 176 AAA Authentication Authorization Accounting 178 NAI Network Address Identifier 180 AES Advanced Encryption Standard 182 IV Initialization Vector 184 5. Operational flow 186 MN HA/HAAA 187 | BU to HA | 188 (a) |---------------------------------------------------->| 189 | (HoA option, NAI[optional], ID option, auth option) | 190 | | 191 | HA/HAAA authenticates MN 192 | | 193 | | 194 | BA to MN | 195 (b) |<----------------------------------------------------| 196 | (HoA option, NAI[optional], ID option, auth option) | 197 | | 198 | | 200 MN may use NAI option as defined in [NAI] to identify itself to the 201 HA while authenticating with the HA. The MN SHOULD use NAI option 202 [NAI] while authenticating with the AAA infrastructure. 204 6. Mobility message authentication option 206 This section defines the message authentication mobility option that 207 may be used to secure Binding Update and Binding Acknowledgement 208 messages. This extension can be used along with IPsec or preferably 209 as an alternate mechanism to authenticate binding update and binding 210 acknowledgement messages in absence of IPsec. This document also 211 defines subtype numbers, which identify the mode of authentication 212 and the peer entity to authenticate the message. Two subtype numbers 213 are specified in this document. It is expected that other subtypes 214 will be defined by other documents in the future. 216 0 1 2 3 217 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 219 | Option Type | Option Length | 220 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 | Subtype | SPI | 222 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 223 | SPI | Authenticator . . . 224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 226 Option Type: 228 AUTH-OPTION-TYPE to be defined by IANA. An 8-bit identifier of 229 the type mobility option. 231 Option Length: 233 8-bit unsigned integer, representing the length in octets of 234 the sub-type, SPI and authenticator, not including the Option 235 Type and Option Length fields. 237 Subtype: 239 A number assigned to identify the entity and/or mechanism to be 240 used to authenticate the message. 242 SPI: 244 Used to identify the particular security association to use to 245 authenticate the message. 247 Authenticator: 249 This field has the information to authenticate the relevant 250 mobility entity. This protects the message beginning at the 251 Mobility Header upto and including the SPI field. 253 Alignment requirements : 255 TBD. 257 6.1 MN-HA authentication mobility option 259 The format of the MN-HA authentication mobility option is as defined 260 in section 6. This option uses the subtype value of 1. The MN-HA 261 authentication mobility option is used to authenticate the binding 262 update and binding acknowledgement messages based on the shared 263 security association between the MN and the HA. 265 This must be the last option in a message with mobility header. The 266 authenticator is calculated on the message starting from the mobility 267 header till the SPI value of this option. 269 Authenticator = First (96,HMAC_SHA1(MN-HA Shared key, Mobility 270 Data)) 272 Mobility Data = care-of address | home address | MH Data 274 MH Data is the content of the Mobility Header till the SPI field of 275 this extension. 277 The first 96 bits from the MAC result are used as the 278 Authenticator field. 280 6.2 MN-AAA authentication mobility option 282 The format of the MN-AAA authentication mobility option is as defined 283 in section 6. This option uses the subtype value of 2. The MN-AAA 284 authentication mobility option is used to authenticate the binding 285 update and binding acknowledgement messages based on the shared 286 security association between MN and HAAA. 288 This must be the last option in a message with mobility header. The 289 authenticator is calculated on the message starting from the mobility 290 header till the SPI value of this option. 292 The MN SHOULD use NAI option [NAI]to enable the Home Agent to make 293 use of available AAA infrastructure which requires NAI. 295 The MN MUST use either CHAP_SPI or HMAC_CHAP_SPI as defined in 296 [3012bis] to indicate CHAP style authentication. The authenticator 297 shall be calculated as follows: 299 Authenticator = First (96, HMAC_SHA1 (MN-AAA Shared key, MAC_Mobility 300 Data))). 302 SPI = CHAP_SPI: 304 MAC_Mobility Data = MD5 (care-of address | home address | MH Data). 306 SPI = HMAC_CHAP_SPI: 308 MAC_Mobility Data = HMAC_MD5 (care-of address | home address | MH 309 Data). 311 Nonces: TBD 313 6.2.1 Processing considerations 315 The MN-AAA authentication mobility option MUST be verified by the AAA 316 infrastructure that has the shared secret with the MN. The HA relays 317 the authenticating information to the HAAA. The HA relies on the 318 HAAA to admit or reject the home registration request from the MN. 320 6.2.1.1 Home Agent Considerations 322 Upon receiving a BU from the MN the HA SHALL extract the MN-AAA 323 authenticator and the SPI from the MN-AAA authentication mobility 324 option and extract the NAI from the NAI option [NAI]. The HA SHALL 325 include the extracted MN-AAA authenticator, SPI and the NAI in AAA 326 specific AVPs while initiating the authentication procedure via AAA 327 infrastructure. 329 7. Mobility message identification option 331 The identification option is used to prevent replay protection. The 332 Identification field carries either timestamps or nonces for replay 333 protection (support for timestamps is mandatory). This option can be 334 used in binding update and binding acknowledgement messages. 336 The default method for this purpose is the timestamp method; some 337 other methods may be utilized as well. If the MN uses 'timestamp' as 338 a measure against replay protection, it SHOULD insert the current 339 time of day. When the destination node receives the Binding Update, 340 it will make sure that the 'timestamp' (as included by the sender) is 341 close enough to its own time of the day. A default value of 500 342 milliseconds MAY be used as a reasonable offset (the time difference 343 between the sender and the receiver). 345 The low-order 32 bits of the identification option represents 346 fractional seconds, the rest of the bits SHOULD be generated from a 347 good source of randomness. 349 For the identification field to be valid, the 'timestamp' 350 contained in the Identification field MUST be close enough (as 351 determined by the system implementers) and greater than the HA's and/ 352 or HAAA's time of day clock. 354 The style of replay protection in effect between a mobile node and 355 the HA and/or the HAAA is part of the mobile security association. A 356 mobile node and the HA and/or the HAAA MUST agree on which method of 357 replay protection will be used. 359 0 1 2 3 360 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 361 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 362 | Option Type | Option Length | 363 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 364 | Identification ... 365 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 367 Option Type: 369 IDENT-OPTION-TYPE to be defined by IANA. An 8-bit identifier 370 of the type mobility option. 372 Option Length: 374 8-bit unsigned integer, representing the length in octets of 375 the Identification field. 377 Identification: 379 The Identification field carries either timestamps or nonces 380 for replay protection (support for timestamps is mandatory). 382 Alignment requirements : 384 TBD. 386 7.1 Processing considerations 388 The Identification field is used to let the HA and/or the HAAA verify 389 that a Binding Update message has been generated recently by the MN, 390 and it is not replayed by an attacker from some older registrations. 392 7.1.1 Home Agent Considerations 394 The HA processes this option only when MN-HA authentication mobility 395 option is used in the BU. In this case: 397 MN-HA Timestamps: After successful authentication of Binding Update, 398 the Home Agent must verify that the Identification field falls within 399 the replay protection window. If Identification field is not within 400 this window, HA MUST send a Binding Acknowledgement with error 401 code "TBD by IANA" MIPV6-ID-MISMATCH. In this case, HA must 402 include the correct identification field in the Binding 403 Acknowledgement message. 405 Nonces: TBD 407 7.1.2 Mobile Node Considerations 409 Timestamps: If MN receives a Binding Acknowledgement with the code 410 MIPV6-ID-MISMATCH, MN must adjust its timestamp and send subsequent 411 Binding Update using the updated value. 413 Nonces: TBD 415 7.1.3 AAA server Considerations 417 The HAAA processes this option only when MN-AAA authentication 418 mobility option is used in the BU. In this case: 420 MN-AAA Timestamps: After successful authentication of MN's 421 credentials contained in the AVPs, the Home AAA server MUST verify 422 that the Identification field falls within the replay protection 423 window. If Identification field is not within this window, HAAA MUST 424 reject the authentication and authorization request. In the reject 425 message the HAAA MUST include the latest timestamp. Upon receiving 426 the reject message from HAAA server, the HA MUST send a Binding 427 Acknowledgement with error code "TBD by IANA" MIPV6-ID-MISMATCH. In 428 this case, HA must include the correct identification field in the 429 Binding Acknowledgement message 431 Nonces: TBD 433 8. Encrypted Home KeyGen Token Option 435 This option is inserted by the HA in the HoT message if MN and HA are 436 using the authentication option defined in this document. If IPsec 437 is used as per [BASE], this processing does not apply. 439 HA must use the Home KeyGen token from the HoT message and encrypt it 440 as described below. The encrypted token is included in the HoT 441 message. HA must set the Home KeyGen token in the HoT message to 442 zero. 444 Encrypting the Home KeyGen token provides similar level of security 445 as provided by using IPsec for protecting the HoT messages. The Home 446 KeyGen Token is encrypted using AES [AES]. 448 0 1 2 3 449 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 450 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 451 | Option Type | Option Length | 452 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 453 | SPI | 454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 455 | Nonce | 456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 457 | | 458 | | 459 | IV | 460 | | 461 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 462 | Payload Data . . . 463 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 465 Option Type: 467 KEYGEN-OPTION-TYPE to be defined by IANA. An 8-bit identifier 468 of the type mobility option. 470 Option Length: 472 8-bit unsigned integer, representing the length in octets of 473 the SPI, Nonce, IV and the payload data fields, not including 474 the Option Type and Option Length field. 476 SPI: 478 The SPI corresponds to the SPI of the security associations 479 between MN and HA. It is used to associate the right shared 480 key to decrypt the Home KeyGen token. 482 Nonce: 484 The Nonce field is 4 octets in length and is used to ensure the 485 uniqueness of the encryption key used to encrypt each instance 486 of the Home KeyGen Token option occurring in a given HoT 487 message. The contents of each Nonce field in a given HoT 488 message MUST be unique. 490 IV: 492 The Initialization Vector (IV) field is 16 octets in length. 493 This value is required to encrypt the first block of plaintext 494 data. 496 Payload data: 498 AES (Home KeyGen Token). 500 Alignment requirements: 502 TBD. 504 8.1 Processing Considerations 506 8.1.1 Home Agent Considerations 508 Home Agent must intercept the HoT message and if IPsec is not in use 509 between MN and HA as described in [BASE] (for authentication/ 510 encryption of control messages), MUST encrypt the Home KeyGen token 511 as described in section 8. 513 8.1.2 Mobile Node Considerations 515 When MN receives a HoT message, if IPsec is not in use between MN and 516 HA, MN must extract the Home KeyGen Token by decrypting the payload 517 data field with the IV, Nonce and the key. 519 9. Securing The Mobile Prefix Solicitation and Mobile Prefix 520 Advertisement messages 522 The [BASE] allows the MN to solicit home prefix from the HA. This 523 solicitation message SHOULD be authenticated at the HA before the HA 524 gives out home prefix details to the MN. In order to authenticate 525 the message The MN-HA authentication mobility option SHALL be used. 526 If IPsec is used as per [BASE], this processing does not apply. 528 In response to the prefix solicitation message, the HA sends Prefix 529 Advertisement Message back the MN. These prefixes SHOULD be 530 encrypted to protect the network from attacks. The prefixes 531 [RFC2461], section 4.6.2 SHOULD be encrypted using a suitable 532 encryption method such as AES [AES]. Encrypting the prefixes 533 provides similar level of security as provided by IPsec using ESP. 535 9.1 Prefix Encryption Option 537 to send encrypted prefixes the HA MUST use the following destination 538 option: 540 0 1 2 3 541 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 542 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 543 | Type | Length | Prefix Length |L|A| Reserved1 | 544 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 545 | Valid Lifetime | 546 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 547 | Preferred Lifetime | 548 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 549 | Reserved2 | 550 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 551 | SPI | 552 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 553 | Nonce | 554 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 555 | | 556 | | 557 | IV | 558 | | 559 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 560 | payload data ... 561 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 562 Type: 564 PREFIX-OPTION-TYPE to be defined by IANA. An 8-bit identifier 565 of the type mobility option. 567 Length, Prefix Length, L and A-bit, Reserved1, Valid Lifetime, 568 Preferred Lifetime, Reserved2 are as defined in [RFC2461], section 569 4.6.2. 571 SPI: 573 The SPI corresponds to the SPI of the security associations 574 between MN and HA. It is used to associate the right shared 575 key to decrypt the Encrypted Prefix. 577 Nonce: 579 The Nonce field is 4 octets in length and is used to ensure the 580 uniqueness of the encryption key used to encrypt each instance 581 of the prefix encryption option occurring in a given prefix 582 advertisement message. The contents of each Nonce field in a 583 given prefix advertisement message MUST be unique. 585 IV: 587 The Initialization Vector (IV) field is 16 octets in length. 588 This value is required to encrypt the first block of plaintext 589 data. 591 Payload data: 593 AES (Prefix). 595 Alignment requirements: 597 TBD. 599 9.1.1 Processing Considerations 601 9.1.1.1 Home Agent Considerations 603 Upon receiving the Mobile Prefix Solicitation message from a MN, the 604 HA SHOULD authenticate the MN using the MN-HA authentication mobility 605 option that is included in the message. The processing consideration 606 for the MN-HA authentication mobility option is as described in 607 section 6.1. 609 While sending the Mobile Prefix Advertisement message back to the MN 610 in response to a solicitation or unsolicited but unicast way, the HA 611 SHOULD encrypt the prefix with a shared secret that is either derived 612 or provisioned between the HA and the MN and use IV and nonce. The 613 encrypted data should be included in the payload data field of the 614 prefix encryption option defined in 9.1. The IV and the nonce used 615 by the HA MUST be included in the respective fields in the prefix 616 encryption option. The HA SHOULD encrypt the prefix using the shared 617 secret, IV and Nonce and the AES mode as indexed by SPI. 619 9.1.1.2 Mobile Node Considerations 621 While sending a Mobile Prefix Solicitation message the MN SHOULD 622 include the MN-HA authentication mobility option. The calculation of 623 the authenticator can be performed as: 625 Authenticator = First (96,HMAC_SHA1(MN-HA Shared key, Data)). 627 Data = All fields in the IP header and the message body. 629 Upon receiving a Mobile Prefix Advertisement message from the HA in a 630 solicited or unsolicited manner, the MN SHOULD decrypt the prefix 631 using the shared secret, IV and Nonce and the AES mode as indexed by 632 SPI. 634 10. Security Considerations 636 This document proposes new authentication options to authenticate the 637 control message between MN, HA and/or HAAA (as an alternative to 638 IPsec). The new options provide for authentication of Binding Update 639 and Binding Acknowledgement messages. These do not provide ways for 640 encrypting these messages. 642 In terms of protecting the return routability messages, this 643 mechanism provides a way to encrypt the Home KeyGen token from CN to 644 MN on the path between HA and MN. 646 In terms of protecting Prefix Solicitation and Prefix Advertisement 647 messages this specification provides ways to calculate and include 648 message authenticators and provides ways to send encrypted prefixes 649 to the MN. 651 11. IANA Considerations 653 The option types AUTH-OPTION-TYPE, IDENT-OPTION-TYPE, KEYGEN- 654 OPTION-TYPE and PREFIX-OPTION-TYPE as defined in section 6, 7 and 8 655 respectively are new mobility options. MIPV6-ID-MISMATCH error code 656 also needs to be defined. IANA should record values for these new 657 mobility options and the new error code. 659 12. Acknowledgements 661 TBD. 663 13 Normative References 665 [3012bis] Perkins et. al., C., "Mobile IPv4 Challenge/Response 666 Extensions (revised)", draft-ietf-mip4-rfc3012bis-01 (work 667 in progress), April 2004. 669 [AES] "National Institute of Standards. FIPS Pub 197: Advanced 670 Encryption Standard (AES).", 26 November 2001. 672 [BASE] Perkins, C., Johnson, D. and J. Arkko, "Mobility Support 673 in IPv6", draft-ietf-mobileip-ipv6-24 (work in progress), 674 June 2003. 676 [NAI] Patel et. al., A., "Network Access Identifier Option for 677 Mobile IPv6", draft-patel-mipv6-nai-option-00.txt (work in 678 progress), February 2004. 680 [RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700, 681 October 1994. 683 [RFC2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor 684 Discovery for IP Version 6 (IPv6)", RFC 2461, December 685 1998. 687 [RFC2486] Aboba, B. and M. Beadles, "The Network Access Identifier", 688 RFC 2486, January 1999. 690 Authors' Addresses 692 Alpesh Patel 693 Cisco Systems 694 170 W. Tasman Drive 695 San Jose, CA 95134 696 US 698 Phone: +1 408-853-9580 699 EMail: alpesh@cisco.com 700 Kent Leung 701 Cisco Systems 702 170 W. Tasman Drive 703 San Jose, CA 95134 704 US 706 Phone: +1 408-526-5030 707 EMail: kleung@cisco.com 709 Mohamed Khalil 710 Nortel Networks 711 2221 Lakeside Blvd. 712 Richardson, TX 75082 713 US 715 Phone: +1 972-685-0574 716 EMail: mkhalil@nortelnetworks.com 718 Haseeb Akhtar 719 Nortel Networks 720 2221 Lakeside Blvd. 721 Richardson, TX 75082 722 US 724 Phone: +1 972-684-4732 725 EMail: haseebak@nortelnetworks.com 727 Kuntal Chowdhury 728 Nortel Networks 729 2221 Lakeside Blvd. 730 Richardson, TX 75082 731 US 733 Phone: +1 972 685 7788 734 EMail: chowdury@nortelnetworks.com 736 Intellectual Property Statement 738 The IETF takes no position regarding the validity or scope of any 739 Intellectual Property Rights or other rights that might be claimed to 740 pertain to the implementation or use of the technology described in 741 this document or the extent to which any license under such rights 742 might or might not be available; nor does it represent that it has 743 made any independent effort to identify any such rights. Information 744 on the procedures with respect to rights in RFC documents can be 745 found in BCP 78 and BCP 79. 747 Copies of IPR disclosures made to the IETF Secretariat and any 748 assurances of licenses to be made available, or the result of an 749 attempt made to obtain a general license or permission for the use of 750 such proprietary rights by implementers or users of this 751 specification can be obtained from the IETF on-line IPR repository at 752 http://www.ietf.org/ipr. 754 The IETF invites any interested party to bring to its attention any 755 copyrights, patents or patent applications, or other proprietary 756 rights that may cover technology that may be required to implement 757 this standard. Please address the information to the IETF at 758 ietf-ipr@ietf.org. 760 Disclaimer of Validity 762 This document and the information contained herein are provided on an 763 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 764 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 765 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 766 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 767 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 768 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 770 Copyright Statement 772 Copyright (C) The Internet Society (2004). This document is subject 773 to the rights, licenses and restrictions contained in BCP 78, and 774 except as set forth therein, the authors retain all their rights. 776 Acknowledgment 778 Funding for the RFC Editor function is currently provided by the 779 Internet Society.