Network Working Group M. Nakhjiri, Ed.
Internet-Draft Huawei USA
Intended status: Standards Track K. Chowdhury
Expires: August 4, 2007 Starent Networks
A. Lior
Bridgewater Systems
K. Leung
Cisco Systems
January 31, 2007
Mobile IPv4 RADIUS requirements
draft-ietf-mip4-radius-requirements-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 4, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Nakhjiri, et al. Expires August 4, 2007 [Page 1]
Internet-Draft MIP4REQ January 2007
Abstract
This document provides an applicability statement as well as a scope
definition for the specification provided in the document "RADIUS
Mobile IPv4 extension" and its future revisions hereby collectively
referred to as [I-D.nakhjiri-radius-mip4]. The goal is to justify
qualification of [I-D.nakhjiri-radius-mip4] as a IETF work item.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. IANA Considerations . . . . . . . . . . . . . . . . . . . . 4
2. security considerations . . . . . . . . . . . . . . . . . . . . 5
3. Normative References . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . . . 8
Nakhjiri, et al. Expires August 4, 2007 [Page 2]
Internet-Draft MIP4REQ January 2007
1. Introduction
Mobile IPv4 working group has developed extensions for the
registration process[RFC3344]to allow the MN and mobility agents to
request assistance from the AAA server in authentication
[MIP4CHAL]and creation of security associations [RFC3957] all based
on the pre-established trust relationship between the MN and its home
AAA server. However, on the AAA side, currently only Diameter
provides specification for interaction with Mobile IP agents
[RFC4004]
In the absence of IETF standardized RADIUS attributes for support of
MIPv4, different wireless SDOs have taken the path of developing
VSAs. This will cause lack interoperability between these wireless
standards, potentially hindering mobility across these wireless
networks.
To respond to the described issue, the authors have developed a
document [I-D.nakhjiri-radius-mip4] that defines a set of attributes
to be used for dynamic bootstrapping of MIPv4 parameters through a
RADIUS based AAA infrastructure during the Mobile IPv4 Registration
procedure. The bootstrapping attributes can include configuration
parameters as well as material used for provisioning security of
Mobile IPv4 messaging (authentication) as defined by [RFC3957].
The scope of this work is to only standardize RADIUS attributes and
to define the procedure by which the Mobile IPv4 agents, e.g. Home
agent (HA) and Foreign Agent (FA) map the Mobile IP registration
message fields into the proposed RADIUS attributes and vice versa.
It is not the intention to extend the functionality of existing
RADIUS servers or protocol. More specifically, the following are
NON-GOALS:
Enhancing security properties of RADIUS (including key transport
capabilities) is non-goal. No new security mechanisms are defined in
the transport of such Access Requests. The
[I-D.nakhjiri-radius-mip4] uses existing RADIUS authentication
procedures, e.g. Message-Authenticator (80) described in RFC2869.
The security considerations for[I-D.nakhjiri-radius-mip4] are
described in a later section of this document.
Enhancing reliability or transport properties of RADIUS is a non-
goal. No new reliability mechanisms are defined in the transport of
such Access Requests.
Creating new RADIUS messages types is a non-goal.
[I-D.nakhjiri-radius-mip4] is not defining new RADIUS messages.
Diameter Mobile IP application[RFC4004] has defined new command codes
Nakhjiri, et al. Expires August 4, 2007 [Page 3]
Internet-Draft MIP4REQ January 2007
for support of Mobile IP signaling, depending on whether Diameter
server is dealing with a Mobile IP HA or an FA. RADIUS currently
does not have any messages that correspond to these Diameter
commands. Instead, [I-D.nakhjiri-radius-mip4]provides proposals for
new RADIUS attributes that facilitates Diameter-RADIUS messaging
translation without defining any new RADIUS messaging. At the same
time [I-D.nakhjiri-radius-mip4]is re-using Diameter AVPs to the
fullest extent possible.
Extend RADIUS in a way that fulfills the full list of requirements in
RFC 2977 is a non-goal
It is however required of the RADIUS servers (and possibly proxies)
to be able to understand and process the attributes described in this
specification to perform verification of authentication extensions
specified in [MIP4CHAL]
All RADIUS work MUST be backward compatible with existing RADIUS
RFCs, including RFCs 2618-2621, 2865-2869, 3162, 3575, 3576, 3579,
and 3580.
It is also required of the Mobile IP agents (FA and HA) to operate as
RADIUS clients (NASes in context of RFC 2865) when translating RADIUS
signaling into Mobile IP signaling and vice versa. Details on the
behavior of Mobile IP agents as RADIUS clients are to be provided in
[I-D.nakhjiri-radius-mip4]
1.1. Attributes
[I-D.nakhjiri-radius-mip4]describes the full set of attributes
required for RADIUS-Mobile IP interaction. Some of the attributes
are already standardized, while others will require standardization
and IANA type assignments.
1.2. IANA Considerations
[I-D.nakhjiri-radius-mip4] draft introduces new RADIUS attributes.
Therefore there is need for defining new attribute type numbers by
IANA.
Nakhjiri, et al. Expires August 4, 2007 [Page 4]
Internet-Draft MIP4REQ January 2007
2. security considerations
The concern of using AAA protocols that use hop-by-hop security
(Diameter/RADIUS) to distribute keys is nothing new. In both
Diameter and RADIUS the assumption is that intermediary nodes are
trusted. However, in the case of Diameter, if the operator chooses
not to trust intermediaries, Diameter provides a remedy by utilizing
its re-direction mechanism. Note that in the case of Diameter MIPv4
Application using re-directions is optional and not mandatory.
RADIUS does not possess a re-direction mechanism and since we are not
proposing to add a re-direction mechanism to RADIUS we have to rely
on the model that RADIUS intermediary nodes are to be trusted.
To protect against MITM attacks, RFC 2868 section 3.5 provides a
mechanism for encrypting RADIUS attributes (RFC 2868 section 3.5).
Diameter relies purely on IPsec to protect against MITM attacks. It
can be argued that the encryption mechanism provided by RADIUS is
weak and therefore it is recommended to protect RADIUS transactions
using IPsec (e.g. RADIUS protected by IPSec in [RFC3579]).
Nakhjiri, et al. Expires August 4, 2007 [Page 5]
Internet-Draft MIP4REQ January 2007
3. Normative References
[I-D.nakhjiri-radius-mip4]
Nakhjiri, M. and Et. Al., "RADIUS Mobile IPv4 extensions,
draft-nakhjiri-radius-mip4-02.txt", Internet
Draft draft-nakhjiri-radius-mip4-02, October 2005.
[MIP4CHAL]
Perkins, C. and P. Calhoun, "Mobile IP Challenge/Response
Extensions, draft-ietf-mip4-rfc3012bis-05.txt.",
January 2006.
[RFC2868] Zorn, G., "RADIUS Attributes for Tunnel Protocol Support",
June 2000.
[RFC2977] Glass, S. and Perkins, "Mobile IP Authentication,
Authorization, and Accounting Requirements", October 2000.
[RFC3344] Perkins, C., "IP Mobility Support", August 2002.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", September 2003.
[RFC3957] Perkins, C. and P. Calhoun, "AAA Registration Keys for
Mobile IP", March 2005.
[RFC4004] Calhoun, P. and C. Perkins, "Diameter Mobile IP
application", May 2004.
Nakhjiri, et al. Expires August 4, 2007 [Page 6]
Internet-Draft MIP4REQ January 2007
Authors' Addresses
Madjid Nakhjiri (editor)
Huawei USA
12040, 98th AVE NE, suite 200B,
Kirkland, WA 98033
USA
Email: mnakhjiri@huawei.com
Kuntal Chowdhury
Starent Networks
Email: kchowdhury@starentnetworks.com
Avi Lior
Bridgewater Systems
Email: avi@bridgewatersystems.com
Kent Leung
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
US
Email: kleung@cisco.com
Nakhjiri, et al. Expires August 4, 2007 [Page 7]
Internet-Draft MIP4REQ January 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Nakhjiri, et al. Expires August 4, 2007 [Page 8]
