Mobile IP Working Group                                  Pat R. Calhoun
INTERNET DRAFT                                   Sun Microsystems, Inc.
25 February 1999                                     Charles E. Perkins
                                                 Sun Microsystems, Inc.
Mobile IP Network Address Identifier Extension
draft-ietf-mobileip-mn-nai-00.txt
Status of This Memo
This document is a submission by the mobile-ip Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the mobile-ip@smallworks.com mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at:
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at:
http://www.ietf.org/shadow.html.
Abstract
AAA servers, such as RADIUS and DIAMETER, are in use within the
Internet today to provide authentication and authorization services
for dial-up computers. We propose that such services are equally
valuable for mobile nodes using Mobile IP when the nodes are
attempting to connect to foreign domains with AAA servers. Such
AAA servers typically identify clients by using the Network Access
Identifier (NAI). We propose that the NAI be allowed for use with
Mobile IP when the mobile node issues a Registration Request.
Calhoun, Perkins Expires 25 August 1999 [Page i]
Internet Draft Mobile Node NAI 25 February 1999
1. Introduction
AAA servers, such as RADIUS and DIAMETER, are in use within the
Internet today to provide authentication and authorization services
for dial-up computers. We propose that such services are equally
valuable for mobile nodes using Mobile IP when the nodes are
attempting to connect to foreign domains with AAA servers. Such
AAA servers typically identify clients by using the Network Access
Identifier (NAI). We propose that the NAI be allowed for use with
Mobile IP when the mobile node issues a Registration Request. This
draft specifies the Mobile-Node-NAI Extension to the Mobile IP
Registration Request message from the Mobile Node.
Since the NAI is typically used to identify the mobile node, the
mobile node's home address is not always necessary to provide that
function. Thus, it is possible for a mobile node to authenticate
itself, and be authorized for connection to the foreign domain,
without even having a home address. This draft introduces a new
entity named the Home Domain Allocation Agency (HDAA) that can
dynamically assign a Home Address to the Mobile Node. A message
containing the Mobile-Node-NAI extension MAY have the Home Address
field in the Registration Request set to zero (0) to request that one
be assigned.
In Figure 1, we introduce the Home Domain Allocator Agency (HDAA),
which receives messages from Foreign Agents and assigns a Home
Address, and possibly a Home Agent, within the Home Domain. The HDAA
does not perform any Mobile IP processing on the Registration
Request, but simply forwards the request to a Home Agent within the
network that is able to handle the request.
Mobile IP [6] defines a method for a Mobile Node to be assigned
a Home Agent dynamically through the use of a limited broadcast
message. However, most corporate networks do not allow such packets
to traverse their firewall. The use of the limited broadcast ensured
that the Home Agent assigned to the Mobile Node resided on a specific
subnet, so it was not necessary to assign a dynamic IP Address to the
Mobile Node. With the Mobile-Node-NAI extension, we propose that the
HDAA may also assign a dynamic Home Agent to the Mobile Node. This
alternative mechanism avoids the use of limited broadcast.
A Registration Request with the Mobile-Node-NAI extension MAY have
the Home Agent field set to zero (0) to request that a home agent
be dynamically assigned. Such a registration MUST be forwarded
to an HDAA, which is able to assign the Home Address. The domain
portion of the NAI [1] is used to identify the Mobile Node's Home
Domain, and thus to identify the HDAA which is the destination of the
Registration Request. The DIAMETER Mobile IP extension [3] defines a
method of resolving the Home Agent allocator, but this document will
refer to a generic method for full generality.
                                                 +------+
                                                 |      |
                                             +---+ HA-1 |
    +------+       +------+       +------+   |   |      |
    |      |       |      |       |      |   |   +------+
    |  MN  |-------|  FA  |-------| HDAA +---+     ...
    |      |       |      |       |      |   |   +------+
    +------+       +------+       +------+   |   |      |
                                             +---+ HA-n |
                                                 |      |
                                                 +------+

            Figure 1: Home Domain Allocator Agency (HDAA)
Upon receipt of the Registration Request, the Foreign Agent extracts
the Mobile Node's NAI and finds the domain name associated with it.
The Foreign Agent then finds the HDAA that handles requests for the
Mobile Node's domain. The discovery protocol is outside the scope of
this specification. As an example, however, the FA might typically
delegate the duty of finding an HDAA to a local AAA server.
The Registration Reply from the Home Agent MUST include the Mobile-
Node-NAI extension. The Registration Reply MUST include a nonzero
Home Agent address and Mobile Node's Home Address.
2. Mobile-Node-NAI Extension
The Mobile-Node-NAI Extension contains the user and/or host name
following the format defined in [1]. The NAI is used to identify a
user or host and can be used to find an HDAA within the requestor's
home domain.
When present in the Registration Request, the Home Agent and Home
Address fields MAY be set to zero (0). Since the foreign agent
cannot use the Home Address in the reply to identify the Mobile Node,
it MUST use the NAI instead in its pending registration request
records. If the foreign agent cannot manage pending registration
request records in this way, it MUST return a Registration Reply with
status 77 (unexpected extension).
The Mobile-Node-NAI Extension, shown in figure 2, MUST appear before
the Foreign-Home Authentication Extension.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |  MN-NAI ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

              Figure 2: The Mobile-Node-NAI Extension
Type            TBD

Length

Mobile-Node-NAI Contains the username or host name in the format
                defined in [1].
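The following is an added example, not code from the draft or from any Mobile IP implementation. It encodes and parses the Mobile-Node-NAI extension of Figure 2, derives the home domain from the NAI as Section 1 describes, and applies the foreign-agent rules of Section 2 (pending records keyed by NAI, status 77 when that is unsupported, forwarding to an HDAA when Home Address or Home Agent is zero). The Type value and the rule that Length counts only the NAI octets are assumptions, since the draft leaves both unspecified.

```python
import struct

MN_NAI_TYPE = 0xFF                # constructed placeholder: the draft leaves Type TBD
STATUS_UNEXPECTED_EXTENSION = 77  # Registration Reply status from Section 2

def encode_mn_nai(nai):
    """Build Type | Length | NAI; Length counts the NAI octets only (assumed)."""
    data = nai.encode("ascii")
    if not 0 < len(data) <= 255:
        raise ValueError("NAI must be 1..255 octets to fit a one-octet Length")
    return struct.pack("!BB", MN_NAI_TYPE, len(data)) + data

def parse_extensions(buf):
    """Split the extension area into [(type, value), ...], rejecting bad Lengths."""
    exts, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated extension header")
        ext_type, n = buf[i], buf[i + 1]
        if i + 2 + n > len(buf):
            raise ValueError("extension Length runs past the end of the message")
        exts.append((ext_type, bytes(buf[i + 2:i + 2 + n])))
        i += 2 + n
    return exts

def nai_realm(nai):
    """Domain part of user@realm, which names the home domain and thus the HDAA."""
    return nai.rsplit("@", 1)[1] if "@" in nai else ""

def fa_decide(home_addr, home_agent, ext_bytes, pending, supports_nai=True):
    """Foreign-agent handling of one Registration Request (addresses as ints).

    Records the pending request keyed by NAI (or by Home Address when no NAI
    is present) and returns ('forward', where) or ('reject', status)."""
    nais = [v for t, v in parse_extensions(ext_bytes) if t == MN_NAI_TYPE]
    if not nais:                                  # plain RFC 2002 request
        pending[home_addr] = (home_addr, home_agent)
        return ("forward", home_agent)
    if not supports_nai:                          # cannot key records by NAI
        return ("reject", STATUS_UNEXPECTED_EXTENSION)
    nai = nais[0].decode("ascii")
    pending[nai] = (home_addr, home_agent)
    if home_addr == 0 or home_agent == 0:         # needs an HDAA in the home domain
        return ("forward", "hdaa:" + nai_realm(nai))
    return ("forward", home_agent)
```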
3. Security Considerations
This document assumes that the Mobile IP messages are authenticated
using a method defined by the Mobile IP protocol. This proposal does
require that the Mobile Node's NAI be sent in the clear over the
network, but that is not expected to be a security issue.
4. IPv6 considerations
For mobile nodes using IPv6, there are no commonly deployed
mechanisms by which a mobile node may verify credentials, such
as there are with IPv4. Nevertheless, it may be the case that
mobile nodes using IPv6 mobility would like to specify the domain
in which their credentials may be checked, by using a NAI just
as this specification proposes for IPv4. In the case of IPv6,
however, there is no foreign agent in place to forward the mobile
node's binding update, and thus to manage the verification of the
credentials offered by the mobile node. In order for the NAI to
serve the purpose of identifying the home AAA that has the expected
relationship with the mobile node, the NAI would have to be forwarded
to a local AAA by the local agent involved with configuring the
care-of address of the mobile node.
This local agent can be identified as either the router sending out
Router Advertisements [5] for use by the mobile node with stateless
address autoconfiguration, or as an appropriate DHCPv6 [2] server.
In the former case, the ability to handle the NAI would be signaled
by the router in question by attaching a new extension to the Router
Advertisement. In the latter case, for managed links, the mobile
node would include an NAI extension to the DHCP Solicitation for use
by the DHCP server. The NAI extension would also be required on the
subsequent DHCP Request unicast by the mobile node to the DHCP Server
selected on the basis of received DHCP Advertisements.
5. Acknowledgements
The authors would like to thank Gabriel Montenegro and Vipul Gupta
for their useful discussions.
References
[1] B. Aboba and M. A. Beadles. The network access identifier.
draft-ietf-roamops-nai-12.txt, November 1998. (work in
progress).
[2] J. Bound and C. Perkins. Dynamic Host Configuration Protocol
for IPv6. draft-ietf-dhc-dhcpv6-14.txt, June 1998. (work in
progress).
[3] P. Calhoun and C. E. Perkins. DIAMETER Mobile IP Extensions.
draft-calhoun-diameter-mobileip-01.txt, November 1998. (work in
progress).
[4] T. Narten, E. Nordmark, and W. Simpson. Neighbor Discovery for
IP version 6 (IPv6). RFC 1970, August 1996.
[5] T. Narten, E. Nordmark, and W. Simpson. RFC 2461: Neighbor
discovery for IP Version 6 (IPv6), December 1998. Obsoletes
RFC1970 [4]. Status: DRAFT STANDARD.
[6] C. Perkins, Editor. IP Mobility Support. RFC 2002, October
1996.
Chairs' Addresses

The working group can be contacted via the current chairs:

Jim Solomon
Redback Networks, Inc.
1301 E. Algonquin Road
Schaumburg, IL 60196
USA
Phone: +1-847-576-2753
Fax:
E-mail: solomon@redbacknetworks.com

Erik Nordmark
Sun Microsystems, Inc.
17 Network Circle
Menlo Park, California 94025
USA
Phone: +1 650 786-5166
Fax: +1 650 786-5896
E-mail: nordmark@sun.com

Authors' Addresses

Questions about this memo can be directed to:

Pat R. Calhoun
Sun Microsystems Laboratories
15 Network Circle
Menlo Park, CA 94025
USA
Phone: +1-650-786-7733
EMail: pat.calhoun@sun.com

Charles E. Perkins
Sun Microsystems Laboratories
15 Network Circle
Menlo Park, CA 94025
USA
Phone: +1 650 786-6464
EMail: cperkins@eng.sun.com
Fax: +1 650 786-6445