Mobile IP Working Group                               Charles E. Perkins
INTERNET DRAFT                                     Nokia Research Center
1 March  2002                                             Pat R. Calhoun
                                                    Black Storm Networks

               Mobile IPv4 Challenge/Response Extensions
                 draft-ietf-mobileip-rfc3012bis-01.txt


Status of This Memo

   This document is a submission by the mobile-ip Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the mobile-ip@sunroof.eng.sun.com mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at:
        http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at:
        http://www.ietf.org/shadow.html.


Abstract

   Mobile IP, as originally specified, defines an authentication
   extension (the Mobile-Foreign Authentication extension) by
   which a mobile node can authenticate itself to a foreign agent.
   Unfortunately, this extension does not provide ironclad replay
   protection for the foreign agent, and does not allow for the use
   of existing techniques (such as CHAP) for authenticating portable
   computer devices.  In this specification, we define extensions for
   the Mobile IP Agent Advertisements and the Registration Request
   that allow a foreign agent to use a challenge/response mechanism to
   authenticate the mobile node.









Perkins, Calhoun            Expires 1 September 2002            [Page i]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002




                                Contents


Status of This Memo                                                    i

Abstract                                                               i

 1. Introduction                                                       2
     1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . .    2

 2. Mobile IP Agent Advertisement Challenge Extension                  3

 3. Operation                                                          3
     3.1. Mobile Node Processing for Registration Requests  . . . .    3
     3.2. Foreign Agent Processing for Registration Requests  . . .    5
     3.3. Foreign Agent Processing for Registration Replies . . . .    7
     3.4. Home Agent Processing for the Challenge Extensions  . . .    7

 4. Mobile-Foreign Challenge Extension                                 8

 5. Generalized Mobile IP Authentication Extension                     8

 6. Mobile-AAA Authentication subtype                                  9

 7. Reserved SPIs for Mobile IP                                       10

 8. SPI For RADIUS AAA Servers                                        10

 9. Configurable Parameters                                           12

10. Error Values                                                      12

11. IANA Considerations                                               12

12. Security Considerations                                           12

13. Acknowledgements                                                  13

 A. Changes since Last Revision                                       15

 B. Verification Infrastructure                                       15

 C. Message Flow for FA Challenge Messaging                           17

Addresses                                                             18





Perkins, Calhoun            Expires 1 September 2002            [Page 1]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


1. Introduction

   Mobile IP, as originally specified, defines an authentication
   extension (the Mobile-Foreign Authentication extension) by
   which a mobile node can authenticate itself to a foreign agent.
   Unfortunately, this extension does not provide ironclad replay
   protection, from the point of view of the foreign agent, and does
   not allow for the use of existing techniques (such as CHAP [11]) for
   authenticating portable computer devices.  In this specification,
   we define extensions for the Mobile IP Agent Advertisements and
   the Registration Request that allow a foreign agent to a use
   challenge/response mechanism to authenticate the mobile node.


1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

   All SPI values defined in this document refer to values for the
   Security Parameter Index, as defined in the base Mobile IP protocol
   specification [7].

   The following additional terminology

      previously used challenge
               Any challenge that has been used by the mobile node in a
               Registration Request message and accepted by the Foreign
               Agent as a valid challenge by relaying or generating a
               corresponding Registration Reply message.

      stale challenge
               Same as "previously used challenge".  The Foreign Agent
               may not be able to keep records for all stale challenges.

      unknown challenge
               Any challenge that the foreign agent has no record of
               having put either into one of its Agent Advertisements or
               a corresponding registration reply message.

      unused challenge
               A challenge that has not been already accepted by the
               Foreign Agent as a valid challenge in a corresponding
               Registration Reply message -- i.e., a valid challenge
               that is neither unknown nor previously used.






Perkins, Calhoun            Expires 1 September 2002            [Page 2]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


2. Mobile IP Agent Advertisement Challenge Extension

   This section defines a new extension to the Router Discovery
   Protocol [4] for use by foreign agents that need to issue a challenge
   for authenticating mobile nodes.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |          Challenge ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


                   Figure 1: The Challenge Extension


      Type        24

      Length      The length of the Challenge value in bytes; SHOULD be
                  at least 4

      Challenge   A random value that SHOULD be at least 32 bits.

   The Challenge extension, illustrated in figure 1, is inserted in the
   Agent Advertisements by the Foreign Agent, in order to communicate
   the latest challenge value that can be used by the mobile node
   to compute an authentication for its next registration request
   message.  The challenge is selected by the foreign agent to provide
   local assurance that the mobile node is not replaying any earlier
   registration request.  Eastlake, et al. [5] provides more information
   on generating pseudo-random numbers suitable for use as values for
   the challenge.


3. Operation

   This section describes modifications to the Mobile IP registration
   process which may occur after the Foreign Agent issues a Mobile IP
   Agent Advertisement containing the Challenge on its local link.  See
   appendix C for a diagram showing the canonical message flow for
   messages related to the processing of the Foreign Agent challenge
   values.


3.1. Mobile Node Processing for Registration Requests

   Whenever the Agent Advertisement contains the Challenge extension, if
   the mobile node does not have a security association with the Foreign



Perkins, Calhoun            Expires 1 September 2002            [Page 3]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   Agent, then it MUST include the Challenge value in a Mobile-Foreign
   Challenge extension to the Registration Request message.  If, on
   the other hand, the mobile node does have a security association
   with the foreign agent, it SHOULD include the Challenge value in its
   Registration Request message.

   If the Mobile Node has a security association with the Foreign
   Agent, it MUST include a Mobile-Foreign Authentication extension
   in its Registration Request message, according to the base Mobile
   IP specification [7].  When the Registration Request contains the
   Mobile-Foreign Challenge extension specified in section 4, the
   Mobile-Foreign Authentication MUST follow the Challenge extension in
   the Registration Request.

   If the Mobile Node does not have a security association with
   the Foreign Agent, the Mobile Node MUST include the Mobile-AAA
   Authentication extension as defined in section 6.  In addition,
   the Mobile Node SHOULD include the NAI extension [2], to enable
   the foreign agent to make use of any available verification
   infrastructure.  The SPI field of the Mobile-AAA Authentication
   extension specifies the particular secret and algorithm (shared
   between the Mobile Node and the verification infrastructure) that
   must be used to perform the authentication.  If the SPI value is
   chosen as CHAP_SPI (see section 9), then the mobile node specifies
   CHAP-style authentication [11] using MD5 [10].

   In either case, the Mobile-Foreign Challenge extension followed by
   one of the above specified authentication extensions MUST follow the
   Mobile-Home Authentication extension, if present.

   A Registration Reply from the Foreign Agent MAY include a new
   Challenge value (see section 3.3).  The Mobile Node MAY use either
   the value found in the latest Advertisement, or the one found in
   the last Registration Reply from the Foreign Agent.  This approach
   enables the Mobile Node to make use of the challenge without having
   to wait for advertisements.

   A Mobile Node might receive an UNKNOWN_CHALLENGE error (see
   section 9) if it moves to a new Foreign Agent that cannot validate
   the challenge provided in the Registration Request.  In such
   instances, the Mobile Node MUST use a new Challenge value in any new
   registration, obtained either from an Agent Advertisement, or from a
   Challenge extension to the Registration Reply containing the error.

   A Mobile Node that does not include a Challenge when the
   Mobile-Foreign Authentication extension is present may receive a
   MISSING_CHALLENGE (see section 10) error.  In this case, the foreign
   agent will not process the request from the mobile node unless the
   request contains a valid Challenge.



Perkins, Calhoun            Expires 1 September 2002            [Page 4]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   A Mobile Node that receives a BAD_AUTHENTICATION Code value (see
   section 10) SHOULD include the Mobile-AAA Authentication Extension in
   the next Registration Request.  This will make it possible for the
   Foreign Agent to use its AAA infrastructure in order to authenticate
   the Mobile Node.


3.2. Foreign Agent Processing for Registration Requests

   Upon receipt of the Registration Request, if the Foreign Agent has
   issued a Challenge as part of its Agent Advertisements, and it
   does not have a security association with the mobile node, then
   the Foreign Agent SHOULD check that the Mobile-Foreign Challenge
   extension exists, and that it contains a challenge value previously
   unused by the Mobile Node.  This ensures that the mobile node is not
   attempting to replay a previous advertisement and authentication.  If
   the challenge extension is needed and does not exist, the Foreign
   Agent MUST send a Registration Reply to the mobile node with the Code
   value MISSING_CHALLENGE.

   A foreign agent that sends Agent Advertisements containing a
   Challenge value MAY send a Registration Reply message with a
   MISSING_CHALLENGE error if the mobile node sends a Registration
   Request with a Mobile-Foreign Authentication extension without
   including a Challenge.  In other words, such a foreign agent MAY
   refuse to process a Registration Request from the mobile node unless
   the request contains a valid Challenge.

   If a mobile node retransmits a Registration Request with the same
   Challenge extension, and the Foreign Agent still has a pending
   Registration Request record in effect for the mobile node, then
   the Foreign Agent forwards the Registration Request to the Home
   Agent again.  The Foreign Agent SHOULD check that the mobile node is
   actually performing a retransmission, by verifying that the relevant
   fields of the retransmitted request (including, if present, the
   Mobile Node NAI Extension [2]) are the same as represented in the
   visitor list entry for the pending Registration Request (section
   3.7.1 of [7]).  This verification MUST NOT include the "remaining
   Lifetime of the pending registration", or the Identification field
   since those values are likely to change even for requests that are
   merely retransmissions and not new Registration Requests.  In all
   other circumstances, if the Foreign Agent receives a Registration
   Request with a Challenge extension containing a Challenge value
   previously used by that mobile node, the Foreign Agent SHOULD send
   a Registration Reply to the mobile node containing the Code value
   STALE_CHALLENGE.

   The Foreign Agent MUST NOT accept any Challenge in the Registration
   Request unless it was offered in last Registration Reply issued



Perkins, Calhoun            Expires 1 September 2002            [Page 5]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   to the Mobile Node, or else advertised as one of the last
   CHALLENGE_WINDOW (see section 9) Challenge values inserted into the
   immediately preceding Agent advertisements.  If the Challenge is
   not one of the recently advertised values, the foreign Agent SHOULD
   send a Registration Reply with Code value UNKNOWN_CHALLENGE (see
   section 10).

   Furthermore, the Foreign Agent MUST check that there is either a
   Mobile-Foreign, or a Mobile-AAA Authentication extension after
   the Challenge extension.  Any registration message containing
   the Challenge extension without either of these authentication
   extensions MUST be silently discarded.  If the registration
   message contains a Mobile-Foreign Authentication extension with an
   incorrect authenticator that fails verification, the Foreign Agent
   MAY send a Registration Reply to the mobile node with Code value
   BAD_AUTHENTICATION (see Section 10).

   If the Mobile-AAA Authentication extension (see Section 6) is present
   in the message, or if an NAI extension is included indicating that
   the mobile node belongs to a different administrative domain, the
   foreign agent may take actions outside the scope of this protocol
   specification to carry out the authentication of the mobile node.
   The Foreign Agent MUST NOT remove the Mobile-AAA Authentication
   Extension from the Registration Request prior to the completion of
   the authentication performed by the AAA infrastructure.  The appendix
   provides an example of an action that could be taken by a foreign
   agent.

   In the event that the Challenge extension is authenticated through
   the Mobile-Foreign Authentication Extension, the Foreign Agent MAY
   remove the Challenge Extension from the Registration Request without
   disturbing the authentication value computed by the Mobile Node for
   use by the AAA or the Home Agent.  If the Challenge extension is not
   removed, it MUST precede the Foreign-Home Authentication extension.

   If the Foreign Agent does not remove the Challenge extension, then
   the Foreign Agent SHOULD store the Challenge value as part of the
   pending registration request list [7].  Also in this case, the
   Foreign Agent MUST reject any Registration Reply message coming from
   the Home Agent that does not also include the Challenge Extension
   with the same Challenge Value that was included in the Registration
   Request.  The Foreign Agent MUST send the rejected Registration
   message to the mobile node, and change the status in the Registration
   Reply to the Code value MISSING_CHALLENGE (see section 10).

   If the Foreign Agent does remove the Challenge extension and
   applicable authentication from the Registration Request message,
   then it SHOULD insert the Identification field from the Registration




Perkins, Calhoun            Expires 1 September 2002            [Page 6]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   Request message along with its record-keeping information about the
   particular Mobile Node in order to protect against replays.


3.3. Foreign Agent Processing for Registration Replies

   The Foreign Agent MAY include a new Challenge extension in any
   Registration Reply, successful or not.  If the foreign agent includes
   this extension in a successful Registration Reply, the extension
   SHOULD precede a Mobile-Foreign authentication extension.

   Suppose the Registration Reply includes a Challenge extension from
   the Home Agent, and the foreign agent wishes to include another
   Challenge extension with the Registration Reply for use by the mobile
   node.  In that case, the foreign agent MUST delete the Challenge
   extension from the Home Agent from the Registration Reply, along with
   any Foreign-Home authentication extension, before appending the new
   Challenge extension to the Registration Reply.


3.4. Home Agent Processing for the Challenge Extensions

   If the Home Agent receives a Registration Request with the
   Mobile-Foreign Challenge extension, and recognizes the extension, the
   Home Agent MUST include the Challenge extension in the Registration
   Reply.  The Challenge Extension MUST be placed after the Mobile-Home
   authentication extension, and the extension SHOULD be authenticated
   by a Foreign-Home Authentication extension.

   Since the extension type for the Challenge extension is within the
   range 128-255, the Home Agent MUST process such a Registration
   Request even if it does not recognize the Challenge extension [7].
   In this case, the Home Agent will send a Registration Reply to the
   Foreign Agent that does not include the Challenge extension.


















Perkins, Calhoun            Expires 1 September 2002            [Page 7]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


4. Mobile-Foreign Challenge Extension

   This section specifies a new Mobile IP Registration extension that is
   used to satisfy a Challenge in an Agent Advertisement.  The Challenge
   extension to the Registration Request message is used to indicate the
   challenge that the mobile node is attempting to satisfy.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |         Challenge...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


            Figure 2: The Mobile-Foreign Challenge Extension


      Type        132 (skippable) (see [7])

      Length      Length of the Challenge value

      Challenge   The Challenge field is copied from the Challenge field
                  found in the Agent Advertisement Challenge extension
                  (see section 2).


5. Generalized Mobile IP Authentication Extension

   Several new authentication extensions have been designed for various
   control messages proposed for extensions to Mobile IP (see, for
   example, [8]).  A new authentication extension is required for a
   mobile node to present its credentials to any other entity other
   than the ones already defined; the only entities defined in the
   base Mobile IP specification [7] are the home agent and the foreign
   agent.  It is the purpose of the generalized authentication extension
   defined here to collect together data for all such new authentication
   applications into a single extension type with subtypes.














Perkins, Calhoun            Expires 1 September 2002            [Page 8]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Subtype    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                              SPI                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Authenticator ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


      Figure 3: The Generalized Mobile IP Authentication Extension


      Type            36 (not skippable) (see [7])

      Subtype         a number assigned to identify the kind of
                      endpoints or the other characteristics of the
                      particular authentication strategy

      Length          4 plus the number of bytes in the Authenticator;
                      MUST be at least 20.

      SPI             Security Parameters Index

      Authenticator   The variable length Authenticator field

   In this document, only one subtype is defined:

      1               Mobile-AAA Authentication subtype (see section 6)


6. Mobile-AAA Authentication subtype

   The Generalized Authentication extension with subtype 1 will be
   referred to as a Mobile-AAA Authentication extension.  If the mobile
   node does not include a Mobile-Foreign Authentication [7] extension,
   then it MUST include the Mobile-AAA Authentication extension whenever
   the Challenge extension is present.  If the Mobile-AAA Authentication
   extension is present, then the Registration Message sent by the
   mobile node MUST contain the Mobile-Home Authentication extension [7]
   if it shares a security association with the Home Agent.  If present,
   the Mobile-Home Authentication Extension MUST appear prior to the
   Mobile-AAA Authentication extension.  The mobile node MAY include a
   Mobile-AAA Authentication extension in any Registration Request.  The
   corresponding response MUST include the Mobile-Home Authentication
   Extension, and MUST NOT include the Mobile-AAA Authentication
   Extension.




Perkins, Calhoun            Expires 1 September 2002            [Page 9]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   The default algorithm for computation of the authenticator is
   HMAC-MD5 [6] computed on the following data, in the order shown:

      Preceding Mobile IP data || Type, Subtype, Length, SPI

   where the Type, Length, Subtype, and SPI are as shown in section 5.
   The resulting function call, as described in [6], would be:

      hmac_md5(data, datalen, Key, KeyLength, authenticator);

   Each mobile node MUST support the ability to produce the
   authenticator by using HMAC-MD5 as shown.  Just as with Mobile IP,
   this default algorithm MUST be able to be configured for selection at
   any arbitrary 32-bit SPI outside of the SPIs in the reserved range
   0-255.


7. Reserved SPIs for Mobile IP

   Mobile IP defines several authentication extensions for use in
   Registration Requests and Replies.  Each authentication extension
   carries a Security Parameters Index (SPI) which should be used to
   index a table of security associations.  Values in the range 0 - 255
   are reserved for special use.  A list of reserved SPI numbers is to
   be maintained by IANA at the following URL:

      http://www.iana.org/numbers.html

   From that URL, follow the hyperlinks to [M] within the "Directory of
   General Assigned Numbers", and subsequently to the specific section
   for "Mobile IP Numbers".


8. SPI For RADIUS AAA Servers

   Some AAA servers only admit a single security association, and thus
   do not use the SPI numbers for Mobile IP authentication extensions
   for use when determining the security association that would be
   necessary for verifying the authentication information included with
   the Authentication extension.

   SPI number CHAP_SPI (see section 9) is reserved (see section 7) for
   indicating the following procedure for computing authentication
   data (called the "authenticator"), which is used by many RADIUS
   servers [9] today.

   To compute the authenticator, apply MD5 [10] computed on the
   following data, in the order shown:




Perkins, Calhoun           Expires 1 September 2002            [Page 10]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


      High-order byte from Challenge || Key ||
      MD5(Preceding Mobile IP data ||
      Type, Subtype (if present), Length, SPI) ||
      Least-order 237 bytes from Challenge

   where the Type, Length, SPI, and possibly Subtype, are the fields
   of the authentication extension in use.  For instance, all four of
   these fields would be in use when SPI == CHAP_SPI is used with the
   Generalized Authentication extension.  Since the RADIUS protocol
   cannot carry attributes greater than 253 in size, the preceding
   Mobile IP data, type, subtype (if present), length and SPI are hashed
   using MD5.  Finally, the least significant 237 bytes of the challenge
   are concatenated.  If the challenge has fewer than 238 bytes, this
   algorithm includes the high-order byte in the computation twice, but
   ensures that the challenge is used exactly as is.  Additional padding
   is never used to increase the length of the padding; the input data
   is allowed to be shorter than 237 bytes long.



































Perkins, Calhoun           Expires 1 September 2002            [Page 11]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


9. Configurable Parameters

   Every Mobile IP agent supporting the extensions defined in this
   document SHOULD be able to configure each parameter in the following
   table.  Each table entry contains the name of the parameter, the
   default value, and the section of the document in which the parameter
   first appears.

      Parameter Name     Default Value   Section(s) of Document
      --------------     -------------   ----------------------
      CHALLENGE_WINDOW   2               3.2
      CHAP_SPI           2               8




10. Error Values

   Each entry in the following table contains the name of Code [7] to
   be returned in a Registration Reply, the value for the Code, and the
   section in which the error is first mentioned in this specification.
      Error Name               Value   Section of Document
      ----------------------   -----   -------------------
      UNKNOWN_CHALLENGE        104     3.2
      BAD_AUTHENTICATION       67      3.2 - also see [7]
      MISSING_CHALLENGE        105     3.1,3.2
      STALE_CHALLENGE          106     3.2



11. IANA Considerations

   All protocol values in this specification are to be the same as
   defined in RFC 3012 [3].


12. Security Considerations

   In the event that a malicious mobile node attempts to replay the
   authenticator for an old Mobile-Foreign Challenge, the Foreign
   Agent would detect it since the agent always checks whether it has
   recently advertised the Challenge (see section 3.2).  Allowing mobile
   nodes with different IP addresses or NAIs to use the same Challenge
   value does not represent a security vulnerability, because the
   authentication data provided by the mobile node will be computed over
   data that is different (at least by the bytes of the mobile nodes' IP
   addresses).





Perkins, Calhoun           Expires 1 September 2002            [Page 12]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   Whenever a Foreign Agent updates a field of the Registration Reply
   (as suggested in section 3.2), it invalidates the authentication
   data supplied by the Home Agent in the Mobile-Home Authentication
   extension to the Registration Reply.  Thus, this opens up a security
   exposure whereby a node might try to supply a bogus Registration
   Reply to a mobile node that causes the mobile node to act as if its
   Registration Reply were rejected.  This might happen when, in fact, a
   Registration Reply showing acceptance of the registration might soon
   be received by the mobile node.

   If the foreign agent chooses a Challenge value (see section 2) with
   fewer than 4 bytes, the foreign agent SHOULD include the value of
   the Identification field in the records it maintains for the mobile
   node.  The foreign agent can then determine whether the Registration
   messages using the short Challenge value are in fact unique, and thus
   assuredly not replayed from any earlier registration.

   Section 8 (SPI For RADIUS AAA Servers) defines a method of computing
   the Generalized Mobile IP Authentication Extension's authenticator
   field using MD5 in a manner that is consistent with RADIUS [9].  The
   use of MD5 in the method described in Section 8 is less secure than
   HMAC-MD5 [6], and should be avoided whenever possible.


13. Acknowledgements

   The authors would like to thank Tom Hiller, Mark Munson, the TIA
   TR45-6 WG, Gabriel Montenegro, Vipul Gupta, Pete McCann, Robert
   Marks, and Ahmad Muhanna, for their useful discussions.  A recent
   draft by Mohamed Khalil, Raja Narayanan, Emad Qaddoura, and
   Haseeb Akhtar has also suggested the definition of a generalized
   authentication extension similar to the specification contained in
   section 5.


References

    [1] S. Bradner.  Key words for use in RFCs to Indicate Requirement
        Levels.  Request for Comments (Best Current Practice) 2119,
        Internet Engineering Task Force, March 1997.

    [2] P. Calhoun and C. Perkins.  Mobile IP Network Access Identifier
        Extension for IPv4.  Request for Comments (Proposed Standard)
        2794, Internet Engineering Task Force, January 2000.

    [3] P. Calhoun and C. E. Perkins.  Mobile IP Foreign Agent
        Challenge/Response Extension.  Request for Comments (Proposed
        Standard) 3012, Internet Engineering Task Force, December 2000.




Perkins, Calhoun           Expires 1 September 2002            [Page 13]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


    [4] S. Deering.  ICMP Router Discovery Messages.  Request for
        Comments (Proposed Standard) 1256, Internet Engineering Task
        Force, September 1991.

    [5] D. Eastlake, 3rd, S. Crocker, and J. Schiller.  Randomness
        Recommendations for Security.  Request for Comments
        (Informational) 1750, Internet Engineering Task Force, December
        1994.

    [6] H. Krawczyk, M. Bellare, and R. Canetti.  HMAC: Keyed-Hashing
        for Message Authentication.  Request for Comments
        (Informational) 2104, Internet Engineering Task Force,
        February 1997.

    [7] C. Perkins.  IP Mobility Support.  Request for Comments
        (Proposed Standard) 3220, Internet Engineering Task Force,
        December 2001.

    [8] C. Perkins and D. Johnson.  Route Optimization in Mobile IP
        (work in progress).  Internet Draft, Internet Engineering Task
        Force.
        draft-ietf-mobileip-optim-11.txt, September 2001.

    [9] C. Rigney, A. Rubens, W. Simpson, and S. Willens.  Remote
        Authentication Dial In User Service (RADIUS).  Request for
        Comments (Proposed Standard) 2138, Internet Engineering Task
        Force, April 1997.

   [10] R. Rivest.  The MD5 Message-Digest Algorithm.  Request for
        Comments (Informational) 1321, Internet Engineering Task Force,
        April 1992.

   [11] W. Simpson.  PPP Challenge Handshake Authentication Protocol
        (CHAP).  Request for Comments (Draft Standard) 1994, Internet
        Engineering Task Force, August 1996.

















Perkins, Calhoun           Expires 1 September 2002            [Page 14]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


A. Changes since Last Revision

   Here is a list of the important changes since the previous revision
   of this document.

    -  Changes section added.

    -  Clarified ordering rules for adding the Challenge extension in
       section 3.1.

    -  Definitions for Stale Challenge, etc.  in section 1.1 have been
       clarified to avoid misinterpretations that could cause dropped
       registrations.

    -  Used "Code value" field name instead of "error code" to be
       compatible with RFC 3220.

    -  Used Authentication Extension names compatible with RFC 3220.

    -  Updated document citations.

    -  Clarified nature of message to Authorization Infrastructure in
       appendix C.

    -  Added message flows to Home Agent in appendix C.

    -  Specified that NAI has to remain the same in order for a
       Registration Request to be considered a retransmission.

    -  Clarified that padding is NOT added if the input data is shorter
       than 237 bytes.

    -  Replaced IANA Considerations with a statement that the numbers
       should stay the same.


B. Verification Infrastructure

   The Challenge extensions in this protocol specification are expected
   to be useful to help the Foreign Agent manage connectivity for
   visiting mobile nodes, even in situations where the foreign agent
   does not have any security association with the mobile node or the
   mobile node's home agent.  In order to carry out the necessary
   authentication, it is expected that the foreign agent will need the
   assistance of external administrative systems, which have come to be
   called AAA systems.  For the purposes of this document, we call the
   external administrative support the "verification infrastructure".
   The verification infrastructure is described to motivate the design
   of the protocol elements defined in this document, and is not



Perkins, Calhoun           Expires 1 September 2002            [Page 15]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   strictly needed for the protocol to work.  The foreign agent is free
   to use any means at its disposal to verify the credentials of the
   mobile node.  This could, for instance, rely on a separate protocol
   between the foreign agent and the Mobile IP home agent, and still be
   completely invisible to the mobile node.

   In order to verify the credentials of the mobile node, we imagine
   that the foreign agent has access to a verification infrastructure
   that can return a secure notification to the foreign agent that the
   authentication has been performed, along with the results of that
   authentication.  This infrastructure may be visualized as shown in
   figure 4.


            +----------------------------------------------------+
            |                                                    |
            |  Verification and Key Management Infrastructure    |
            |                                                    |
            +----------------------------------------------------+
                   ^ |                                  ^ |
                   | |                                  | |
                   | v                                  | v
            +---------------+                    +---------------+
            |               |                    |               |
            | Foreign Agent |                    |   Home Agent  |
            |               |                    |               |
            +---------------+                    +---------------+


               Figure 4: The Verification Infrastructure



   After the foreign agent gets the Challenge authentication, it MAY
   pass the authentication to the (here unspecified) infrastructure,
   and await a Registration Reply.  If the Reply has a positive status
   (indicating that the registration was accepted), the foreign agent
   accepts the registration.  If the Reply contains the Code value
   BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions
   indicated for rejected registrations.

   Implicit in this picture, is the important observation that the
   Foreign Agent and the Home Agent have to be equipped to make use
   of whatever protocol is made available to them by the challenge
   verification and key management infrastructure shown in the figure.

   The protocol messages for handling the authentication within the
   verification infrastructure, and identity of the agent performing the
   verification of the Foreign Agent challenge, are not specified in



Perkins, Calhoun           Expires 1 September 2002            [Page 16]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


   this document, because those operations do not have to be performed
   by any Mobile IP entity.


C. Message Flow for FA Challenge Messaging


    MN                  FA                   Verification     Home Agent
     |<-- Adv+Challenge--|                  Infrastructure          |
     |    (if needed)    |                         |                |
     |                   |                         |                |
     |-- RReq+Challenge->|                         |                |
     |    + Auth.Ext.    |                         |                |
     |                   |   Auth. Request, incl.  |                |
     |                   |--- RReq + Challenge --->|                |
     |                   |      + Auth.Ext         |   RReq +       |
     |                   |                         |-- Challenge -->|
     |                   |                         |                |
     |                   |                         |                |
     |                   |                         |<--- RRep ----- |
     |                   |   Authorization, incl.  |                |
     |                   |<-- RRep + Auth.Ext.-----|                |
     |                   |                         |                |
     |<-- RRep+Auth.Ext--|                         |                |
     |     + Challenge   |                         |                |


           Figure 5: Message Flows for FA Challenge Messaging


   In figure 5, the following message flow is illustrated:

    1. The foreign agent disseminates a Challenge Value in an Agent
       Advertisement if needed.  This advertisement MAY have been
       produced after receiving an Agent Solicitation from the mobile
       node (not shown in the diagram).

    2. The mobile node creates a Registration Request including the
       advertised Challenge Value in the Challenge Extension, along with
       an authorization-enabling authentication extension.

    3. The foreign agent relays the Registration Request either to
       the home agent specified by the mobile node, or else to its
       locally configured Verification Infrastructure (see appendix B),
       according to local policy.

    4. The foreign agent receives a Registration Reply with the
       appropriate indications for authorizing connectvity for the
       mobile node.



Perkins, Calhoun           Expires 1 September 2002            [Page 17]


Internet Draft   Mobile IPv4 Challenge/Response, revised   1 March  2002


    5. The foreign agent relays the Registration Reply to the mobile
       node, possibly along with a new Challenge Value to be used by the
       mobile node in its next Registration Reply message.


Addresses

   The working group can be contacted via the current chairs:

      Basavaraj Patil                     Phil Roberts
      Nokia                               Megisto Corp.
      6000 Connection Dr.                 Suite 120
                                          20251 Century Blvd
      Irving, TX. 75039                   Germantown MD 20874
      USA                                 USA
      Phone:  +1 972-894-6709             Phone:  +1 847-202-9314
      Email:  Basavaraj.Patil@nokia.com   Email:  PRoberts@MEGISTO.com


   Questions about this memo can also be directed to the authors:

        Charles E. Perkins                Pat R. Calhoun
        Communications Systems Lab
        Nokia Research Center             Black Storm Networks
        313 Fairchild Drive               250 Cambridge Avenue, Suite 200
        Mountain View, California 94043   Palo Alto, California, 94306
        USA                               USA
        Phone:  +1-650 625-2986           Phone:  +1 650-617-2932
        EMail:  charliep@iprg.nokia.com   Email:  pcalhoun@diameter.org
        Fax:  +1 650 625-2502             Fax:  +1 720-293-7501






















Perkins, Calhoun           Expires 1 September 2002            [Page 18]