Internet Engineering Task Force                           Mohamed Khalil
INTERNET-DRAFT                                            Raja Narayanan
<draft-mkhalil-mobileip-mier-00.txt>                       Emad Qaddoura
Date:    October, 1999                                     Haseeb Akhtar
Expires: April, 2000                                     Nortel Networks


              Mobile IP Extensions Rationalization (MIER)




Status of this memo

     This document is an Internet-Draft and is in full conformance with
     all provisions of Section 10 of RFC2026.

     Internet-Drafts are working documents of the Internet Engineering
     Task Force (IETF), its areas, and its working groups.  Note that
     other groups may also distribute working documents as Internet-
     Drafts.

     Internet-Drafts are draft documents valid for a maximum of six
     months and may be updated, replaced, or obsoleted by other
     documents at any time.  It is inappropriate to use Internet-Drafts
     as reference material or to cite them other than as "work in
     progress."

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.


Abstract

     As large-scale Mobile IP deployment becomes imminent, many drafts
     are proposing new extensions for Mobile IP. There is therefore a
     real need to conserve the type field in the extension structure.
     MIER describes a new extension structure for Mobile IP that makes
     extensions truly extensible and secure.



1.  Introduction

     The type field in the Mobile IP extension structure can support



Khalil, et al.             Expires April 2000                   [Page 1]


Internet-Draft                    MIER                   16 October 1999


     up to 255 uniquely identifiable extensions. With large-scale
     deployment needs, there is a strong possibility that the available
     space will run out. In addition, the current extension format does
     not provide for encryption.

     Mobile IP Extensions Rationalization (MIER) describes a new
     extension structure to solve this problem. The MIER strategy is to
     aggregate related extensions under a single type (e.g., NAI) and to
     use a subtype (content-type) field to identify the precise subtype
     of the extension (e.g., MN/User NAI, HA NAI). This greatly reduces
     the consumption of the type field. In addition, the MIER format
     provides a way for these extensions to be optionally encrypted,
     thus providing a measure of security for the contents of the
     extension. MIER also specifies a particular type to be used once
     all the space in the type field is used up.


2.  Terminology

     This document uses the following terminology:

     SA                  Security Association is the logical term used
                         to capture the shared secret keys, security
                         attributes and policy that need to be defined
                         in order to apply protection to traffic between
                         any two nodes in a network. The SPI (defined
                         below) uniquely identifies an SA within the
                         context of a host.


     MN                  Mobile Node [Perkins98]


     HA                  Home Agent [Perkins98]


     FA                  Foreign Agent [Perkins98]


     AAA                 Authentication, Authorization, and Accounting
                         Server


     SPI                 Security Parameters Index is a 32 bit number
                         used to index an SA in a database.


3.  Specification Language

     The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
     this document are to be interpreted as described in RFC 2119 [4].


4.  Generic Mobile IP Extension format

     The Mobile IP Extension format is described below:


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    length     | content-type  |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        SPI                                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Data      .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+




     The type field MUST be used in a way that aggregates extensions.
     The content-type field MUST identify the subtype. If E is set to
     1, the data is encrypted. The SPI is the Security Parameter Index
     that identifies the encryption attributes. The SPI field MUST be
     omitted if the E bit is set to 0. The rsv field is reserved for
     future use.


5.  New Extension Specification

     Some of the extensions proposed in the following sections are under
     consideration in the Mobile IP WG by virtue of other drafts, namely
     the MN NAI Extension [Calhoun99a] and the Vendor/Organization
     Specific Extension [Dommety99]. This draft proposes the same
     extensions in a format that reduces type field proliferation and
     provides optional encryption.


5.1.  NAI Extension

     This section defines a general purpose NAI extension for different
     types of entities such as the MN, HA, and FA.


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    length     | content-type  |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        SPI                                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       NAI-INFO   .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type           NAI Aggregate type (TBD)

    length         The length of the NAI-INFO field.

    content-type   This field describes the type of the entity which
                   owns the NAI. The following types are defined:
                   0     MN-NAI
                   1     FA-NAI
                   2     HA-NAI

    E              If 1, the contents of the NAI-INFO field are
                   encrypted.

    SPI            Security Parameter Index. Identifies the key and the
                   encryption algorithm used to encrypt the NAI. This
                   field is included only if the E bit is set (E=1).

    NAI-INFO       Contains the NAI string in encrypted or plain
                   string format.




5.2.  Address Extension

     This section defines a general purpose L2 Address extension for
     different types of transport technologies.


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    length     | content-type  |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        SPI                                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       L2-ADDRESS-INFO   .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type           Layer 2 Address Aggregate type (TBD)

    length         The length of the L2-ADDRESS-INFO field.

    content-type   This field describes the type of L2 address
                   included in the extension. The following types
                   are defined:
                   0     ETHERNET-ADDRESS
                   1     IMSI
                   2     MIN (Mobile Identification Number)


    E              If 1, the contents of the L2-ADDRESS-INFO field
                   are encrypted.

    SPI            Security Parameter Index. Identifies the key and the
                   encryption algorithm used to encrypt the
                   L2-ADDRESS-INFO field. This field is included only
                   if the E bit is set (E=1).

   L2-ADDRESS-INFO Contains the L2 address in encrypted or plain
                   format.




5.3.  IP Extension

     This section defines a general purpose IP extension which carries
     IP addresses in encrypted or unencrypted format. Currently the MN
     Home IP address is carried in the clear. Under requirements for
     user privacy there MAY be a need to send the MN's IP address
     encrypted, and this extension provides a way to do that.


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    length     | content-type  |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        SPI                                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       IP-INFO   .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type           IP Extension Aggregate type (TBD)

    length         The length of the IP-INFO field.

    content-type   Defines the type of entity which owns the IP
                   address:
                   0     MN-HOME-IP
                   1     DEFAULT-ROUTER-IP


    E              If 1, the contents of the IP-INFO field are
                   encrypted.

    SPI            Security Parameter Index. Identifies the key and the
                   encryption algorithm used to encrypt the IP-INFO
                   field. This field is included only if the E bit is
                   set (E=1).

    IP-INFO        Contains the IP address in encrypted or plain
                   format.




5.4.  Per Session Security Association Extension

     This section defines a general purpose security association
     extension which carries the information necessary to establish a
     security association between different entities in the Mobile IP
     model (e.g., the MN-FA SA and the FA-HA SA).


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    length     | content-type  |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        SPI                                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       SA-INFO   .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type           Per Session SA Aggregate type (TBD)

    length         The length of the SA-INFO field.

    content-type   Defines the pair of entities between which the
                   security association is established:
                   0     MN-FA-SA
                   1     FA-HA-SA


    E              If 1, the contents of the SA-INFO field are
                   encrypted.

    SPI            Security Parameter Index. Identifies the key and the
                   encryption algorithm used to encrypt the SA-INFO
                   field. This field is included only if the E bit is
                   set (E=1).

    SA-INFO        This field encodes the information needed to
                   establish the security association, such as a
                   private key or session key.



5.5.  Vendor/Organization Specific Extension

     This section defines a general purpose vendor/organization specific
     extension [Dommety99].



     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    length     | content-type  |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Vendor ID                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            SPI                                |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Data  .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type           Vendor/organization Specific Aggregate Type (TBD)

    length         The length of the Data field

    content-type   Defines the type of vendor/organization specific
                   extension as critical or normal.

                   0     Critical
                   1     Normal

                   Critical and Normal are as defined in [Dommety99].

    Vendor ID      Vendor ID is as defined in [Dommety99].

    E              If 1, the contents of the Data field are
                   encrypted.

    SPI            Security Parameter Index. Identifies the key and the
                   encryption algorithm used to encrypt the Data
                   field. This field is included only if the E bit is
                   set (E=1).

    Data           This field contains the vendor specific data.




5.6.  General Extension

     In the event that all the available type space is consumed, the
     following format provides further extensibility. This format MAY
     also be used when a certain aggregation type requires a length
     field wider than one octet.


     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |                      length                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       Actual-Type             |  Content-Type |E|    rsv      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                SPI                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                              Data   .....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type           The general type (TBD)

    Actual-Type    The actual aggregate type.

    length         The length of the Data field.

    content-type   Defines the subtype of the aggregate type.

    E              If 1, the contents of the Data field are
                   encrypted.

    SPI            Security Parameter Index. Identifies the key and the
                   encryption algorithm used to encrypt the Data
                   field. This field is included only if the E bit is
                   set (E=1).

    Data           This field contains the actual data.
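     The following is an added example, not part of this draft, showing
     how the generic format of section 4 and the general format of this
     section are framed and parsed, using the MN-NAI extension of
     section 5.1 as sample content. The type codes are placeholders,
     since the draft leaves all aggregate types TBD; data placed in an
     extension with E=1 is assumed to be already encrypted under the SA
     that the SPI names.

```python
import struct
from dataclasses import dataclass
# Constructed placeholder codes: the draft leaves every aggregate type "TBD".
TYPE_NAI = 200        # hypothetical NAI Aggregate type (section 5.1)
TYPE_GENERAL = 255    # hypothetical General type (section 5.6)
CT_MN_NAI = 0         # content-type 0 = MN-NAI (section 5.1)
E_BIT = 0x80          # E is the most significant bit of the E|rsv octet

@dataclass
class MierExtension:
    type: int
    content_type: int
    encrypted: bool
    data: bytes                       # already protected under the SA if E=1
    spi: "int | None" = None          # on the wire only when E=1
    actual_type: "int | None" = None  # only in the general (5.6) format

def encode(ext: MierExtension) -> bytes:
    """Frame one extension; this lays out the octets, it does not encrypt."""
    if ext.encrypted == (ext.spi is None):
        raise ValueError("SPI MUST be present if and only if E=1")
    flags = E_BIT if ext.encrypted else 0
    if ext.type == TYPE_GENERAL:  # Type | length(24) | Actual-Type(16) | CT | E+rsv
        if ext.actual_type is None or len(ext.data) > 0xFFFFFF:
            raise ValueError("general format needs Actual-Type and a 24-bit length")
        hdr = (bytes([ext.type]) + len(ext.data).to_bytes(3, "big")
               + struct.pack("!HBB", ext.actual_type, ext.content_type, flags))
    else:                         # Type | length(8) | content-type | E+rsv
        if len(ext.data) > 0xFF:
            raise ValueError("data exceeds 8-bit length; use the general format")
        hdr = struct.pack("!BBBB", ext.type, len(ext.data), ext.content_type, flags)
    return hdr + (struct.pack("!I", ext.spi) if ext.encrypted else b"") + ext.data

def decode(buf: bytes, off: int = 0):
    """Parse the extension at buf[off:]; return (extension, next offset).
    Every read is bounds-checked, so a truncated or lying length raises."""
    general = off < len(buf) and buf[off] == TYPE_GENERAL
    if len(buf) - off < (8 if general else 4):
        raise ValueError("truncated extension header")
    typ, actual_type = buf[off], None
    if general:
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        actual_type, content_type, flags = struct.unpack_from("!HBB", buf, off + 4)
        off += 8
    else:
        length, content_type, flags = struct.unpack_from("!BBB", buf, off + 1)
        off += 4
    encrypted, spi = bool(flags & E_BIT), None   # rsv bits are ignored
    if encrypted:
        if len(buf) - off < 4:
            raise ValueError("E=1 but the SPI field is missing")
        spi, off = struct.unpack_from("!I", buf, off)[0], off + 4
    if len(buf) - off < length:
        raise ValueError("length field exceeds the remaining message")
    data = bytes(buf[off:off + length])
    return MierExtension(typ, content_type, encrypted, data, spi, actual_type), off + length
```

     A receiver that ties the E bit to the presence of the SPI, as
     decode does, rejects an extension whose header claims encryption
     but names no security association.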



6.  IANA Considerations

     Assignment of the TBDs for the types, content types and actual
     types MUST occur in a non-conflicting manner.


7.  Security Considerations

     Each extension carries an E bit by means of which the extension
     MAY be encrypted. The SPI field MUST be present if the extension
     is encrypted.


8.  Acknowledgements

     The authors would like to acknowledge Basavaraj Patil for his input
     in writing this draft.


9.  References


     [1]  [Calhoun99a] Calhoun, P. and C. Perkins, "Mobile IP Network
          Access Identifier Extension",
          draft-ietf-mobileip-mn-nai-04.txt, work in progress.

     [2]  [Dommety99] Dommety, G. and K. Leung, "Vendor/Organization
          Specific Extensions for Mobile IP",
          draft-dommety-mobileip-vendor-ext-00.txt, work in progress.

     [3]  [Perkins96] Perkins, C., "IP Mobility Support", RFC 2002,
          October 1996.

     [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
          Levels", RFC 2119, March 1997.




10.  Authors' Addresses

     Questions about this document can be directed to:

     Mohamed Khalil                          Emad Qaddoura
     Nortel Networks Inc.                    Nortel Networks Inc.
     2201 Lakeside Blvd                      2201 Lakeside Blvd
     Richardson, TX 75082-4399               Richardson, TX 75082-4399

     Phone: +1 972 685-0564                  Phone: +1 972 684-2705
     E-mail: mkhalil@nortelnetworks.com      E-mail: emadq@nortelnetworks.com

     Raja Narayanan                          Haseeb Akhtar
     Nortel Networks Inc.                    Nortel Networks Inc.
     2201 Lakeside Blvd                      2201 Lakeside Blvd
     Richardson, TX 75082-4399               Richardson, TX 75082-4399

     Phone: +1 972 684-5707                  Phone: +1 972 684-8850
     E-mail: raja@nortelnetworks.com         E-mail: haseeb@nortelnetworks.com
