Technical Summary
Mobile IP, as originally specified, defines an authentication
extension (the Mobile-Foreign Authentication extension) by which a
mobile node can authenticate itself to a foreign agent.
Unfortunately, that extension does not provide the foreign agent any
direct guarantee that the protocol is protected from replays, and
does not allow for the use of existing techniques (such as CHAP) for
authenticating portable computer devices.
In this specification, we define extensions for the Mobile IP Agent
Advertisements and the Registration Request that allow a foreign
agent to use a challenge/response mechanism to authenticate the
mobile node.
Furthermore, this document updates RFC3344 by including a new
authentication extension called the Mobile-AAA Authentication
extension. This new extension is provided so that a mobile node can
supply credentials for authorization using commonly available AAA
infrastructure elements. This Authorization-enabling extension MAY
co-exist in the same Registration Request with Authentication
extensions defined for Mobile IP Registration by RFC3344. This
document obsoletes RFC3012.
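As an added illustration (not text from this document or from the RFC it describes), the following Python models the flow the summary outlines: the foreign agent advertises a fresh challenge, the mobile node echoes it in a Registration Request and appends a Mobile-AAA Authentication extension (subtype 1, HMAC-MD5) computed over the request and the challenge, and the foreign agent refuses any challenge it did not issue or has already consumed before it even checks the authenticator, which is the replay guarantee the original Mobile-Foreign Authentication extension does not give it. The extension type codes, byte layout, key and sample request data are constructed placeholders, not the encodings the document itself defines.

```python
import hashlib
import hmac
import os
import struct

# Constructed illustration of the challenge/response flow. Extension type codes
# and byte layout are placeholders, not the RFC-assigned encodings.
CHALLENGE_EXT = 0xC0        # placeholder: Mobile-Foreign Challenge extension
MOBILE_AAA_EXT = 0xC1       # placeholder: Mobile-AAA Authentication extension
MOBILE_AAA_SUBTYPE = 1      # the one subtype this document defines (HMAC-MD5)


def issue_challenge(fa_state):
    """Foreign agent: mint a fresh random challenge to advertise, tracked as unused."""
    challenge = os.urandom(16)
    fa_state[challenge] = "outstanding"
    return challenge


def build_registration_request(reg_data, challenge, key, spi):
    """Mobile node: echo the challenge, then append an HMAC-MD5 authenticator that
    covers the request data, the challenge extension and the authentication header."""
    challenge_ext = bytes([CHALLENGE_EXT, len(challenge)]) + challenge
    auth_hdr = struct.pack("!BBHI", MOBILE_AAA_EXT, MOBILE_AAA_SUBTYPE, 4 + 16, spi)
    covered = reg_data + challenge_ext + auth_hdr
    return covered + hmac.new(key, covered, hashlib.md5).digest()


def verify_registration_request(msg, reg_len, key, fa_state):
    """Foreign agent: refuse unknown or consumed challenges before checking the MAC,
    so a replayed request is rejected even though its authenticator still verifies."""
    pos, challenge = reg_len, None
    while pos + 1 < len(msg) and msg[pos] == CHALLENGE_EXT:   # walk to the auth ext
        length = msg[pos + 1]
        challenge, pos = msg[pos + 2:pos + 2 + length], pos + 2 + length
    if challenge is None or pos + 8 > len(msg) or msg[pos] != MOBILE_AAA_EXT:
        return "malformed"
    if fa_state.get(challenge) != "outstanding":
        return "unknown_or_replayed_challenge"
    _, subtype, _, _ = struct.unpack("!BBHI", msg[pos:pos + 8])
    if subtype != MOBILE_AAA_SUBTYPE:
        return "unsupported_subtype"
    expected = hmac.new(key, msg[:pos + 8], hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[pos + 8:]):
        return "bad_authenticator"
    fa_state[challenge] = "used"    # consume it so the same request cannot be replayed
    return "accepted"
```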
Working Group Summary
This document was produced by the MIP4 WG. The WG has consensus
to publish this document as a Proposed Standard.
Protocol Quality
This document was reviewed for the IESG by Margaret Wasserman.
Note to RFC Editor
Please replace all instances of "byte" with "octet".
Please modify the title page header to indicate that this document updates RFC
3344, and it obsoletes RFC 3012.
Please make the following change in section 5:
OLD:
1 Mobile-AAA Authentication subtype (see Section 6)
NEW:
1 Mobile-AAA Authentication subtype (HMAC-MD5)(see Section 6)
Please add the following paragraph to the end of the Security Considerations
section:
The Generalized Mobile IP Authentication Extension includes a subtype field
that is used to identify characteristics of the particular authentication
strategy. This document only defines one subtype, the Mobile-AAA Authentication
subtype that uses HMAC-MD5. If it is necessary to move to a new message
authentication algorithm in the future, this could be accomplished by defining a
new subtype that uses a different one.