INTERNET DRAFT                                             JUNHYUK SONG
November 2001                                           CHAEYOUNG CHONG
                                                    SAMSUNG ELECTRONICS
                                                            DONGKIE LEE
                                                             SK TELECOM
MIPv6 User Authentication support through AAA
draft-song-mobileip-mipv6-user-authentication-00.txt
Status of This Memo
Distribution of this memo is unlimited.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at:
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at:
http://www.ietf.org/shadow.html.
Abstract
The demand for wireless mobile networking has increased dramatically
thanks to the rapid development of wireless technology and the de facto
Mobile IP technology. Mobile IP, as originally specified, defines the
protocol enhancements that provide IP mobility over the Internet: a
mobile node, identified by its Home Address regardless of its point of
attachment, receives transparent routing of IP datagrams. However,
today's wireless mobile networks also need to provide User Mobility.
The user authentication defined in this document lets a user originate
and terminate packets regardless of the location of the mobile terminal,
and without a home address, through the AAA infrastructure. This
document specifies the mechanism for MN-AAA authentication in Mobile
IPv6 to support IP User Mobility.
Song and Chong. Expires May 2002 [Page 1]
Internet Draft 14 November 2001
1. Introduction
The demand for wireless mobile networking has increased dramatically
thanks to the rapid development of wireless technology and the de facto
Mobile IP technology. Mobile IP, as originally specified, defines the
protocol enhancements that provide IP mobility over the Internet: a
mobile node, identified by its Home Address regardless of its point of
attachment, receives transparent routing of IP datagrams. However,
today's wireless mobile networks also need to provide User Mobility.
The user authentication defined in this document lets a user originate
and terminate packets regardless of the location of the mobile terminal,
and even without a home address, through the AAA infrastructure. This
document specifies the mechanism for UI-AAA authentication in Mobile
IPv6 to support IP User Mobility.
Since the NAI [2] is already used in Mobile IPv4, this document
presumes that the Mobile IP NAI extension [3] will continue to serve in
the Mobile IPv6 world to identify users for the Authentication,
Authorization, and Accounting service.
1.2 Goal and Note
The goal of this document is to achieve user authentication for
Mobile IPv6 [8].
Detailed descriptions of the destination options mentioned in this
document and of other protocol mechanisms are out of the scope of this
document and will be given in other documents.
1.3 Assumptions
This document assumes an AAA infrastructure based on the DIAMETER
protocol [7] that supports Mobile IPv6, Mobile IPv6 UI-AAA user
authentication, and the Link Local Router Challenge (LLRC).
This document assumes that the home AAA server and the Mobile Node
trust each other and share the same secret key for UI-AAA
authentication.
This document assumes that Mobile IPv6 will support the NAI
destination option for user mobility.
This document assumes the new IPv6 Agent Advertisement option, the
Link Local Router Challenge (LLRC).
1.4 Terminology
This document frequently uses the following terms:
AAA
The server performing the Authentication, Authorization, and
Accounting service
Link Local Router Challenge (LLRC)
The challenge selected by the Link Local Router and inserted in
the Agent Advertisement as an option to prevent replay attacks
User Mobility Agent (UMA)
A router on the user's Home Network which dynamically updates the
location of the user, i.e. the entry mapping the user identifier
(UI) to the current IP address of the mobile node
User Identifier (UI)
The identifier formed by concatenating the User ID and the realm.
It is used to authenticate the user for access permission and
indicates the current location of the user.
UI-AAA
The authentication of the user towards the AAA
2. Basic Operation
2.1 MN-AAA Authentication generation
The link local router supporting MIPv6 [8] MAY send an Agent
Advertisement carrying the Link Local Router Challenge (LLRC) option.
The challenge is at least 32 bits long and is selected by the Link
Local Router to prevent replay attacks.
Upon receipt of the Agent Advertisement, the Mobile Node shall
generate a Binding Update message carrying the NAI and LLRC
destination options.
The Mobile Node shall compute the MN-AAA authenticator over the
following fields of the IPv6 header and destination options. The
authenticator provides user authentication and message integrity
while preventing replay attacks.
- Destination IP Address of the IPv6 header
- Care-of Address, in the Source IP Address of the IPv6 header
- Home Address, from the Home Address Destination option
(If available)
* NAI, from the NAI Destination option
* LLRC, from the Agent Advertisement
- Option Type of the Binding Update destination option
- Option Length of the Binding Update destination option
- All flags of the Binding Update destination option
- Reserved field of the Binding Update option
- Authentication Data Length of the Binding Update
- Lifetime of the Binding Update destination option
- Security Parameters Index (SPI) of the Binding Update
- Sequence Number Field of the Binding Update
- The entire data from all Binding Update Sub-Options, if any
[NOTE] Fields marked * are carried in the newly defined options.
The computed authenticator shall be placed in the Authentication
Data field of the Binding Update option.
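As an added example (not part of the draft), the following Python computes the MN-AAA authenticator over the fields listed above, in the stated order, and shows the AAAH-side check of section 2.2 rejecting a replayed LLRC and a Binding Update whose care-of address was altered. It assumes HMAC-SHA1 keyed with the MN/AAAH shared secret as the algorithm selected by the SPI, which the draft does not specify; the addresses, NAI, key and Binding Update field values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
# Assumption (not in the draft): the SPI selects HMAC-SHA1 keyed with the MN/AAAH secret.

def authenticator_input(dst, coa, home_addr, nai, llrc, bu):
    # Fields concatenated in the order section 2.1 lists them.
    parts = [ipaddress.IPv6Address(dst).packed,           # IPv6 destination address
             ipaddress.IPv6Address(coa).packed]           # care-of address (IPv6 source)
    if home_addr is not None:                             # Home Address option, if present
        parts.append(ipaddress.IPv6Address(home_addr).packed)
    parts.append(nai.encode("utf-8"))                     # NAI destination option
    parts.append(llrc)                                    # LLRC from the Agent Advertisement
    parts.append(struct.pack("!BBBBBIIH", bu["type"], bu["length"], bu["flags"],
                             bu["reserved"], bu["auth_len"], bu["lifetime"], bu["spi"], bu["seq"]))
    parts.append(bu.get("subopts", b""))                  # all sub-option data, verbatim
    return b"".join(parts)
def compute_authenticator(key, *fields):
    # MN side: the value placed in the Authentication Data field of the BU option.
    return hmac.new(key, authenticator_input(*fields), hashlib.sha1).digest()
class HomeAAA:
    def __init__(self, keys):
        self.keys = keys                                  # NAI -> shared secret
        self.seen = set()                                 # (NAI, LLRC) pairs already accepted

    def check(self, dst, coa, home_addr, nai, llrc, bu, auth_data):
        key = self.keys.get(nai)
        if key is None:
            return "reject: unknown user"
        if (nai, llrc) in self.seen:                      # same challenge seen before
            return "reject: replayed LLRC"
        expected = compute_authenticator(key, dst, coa, home_addr, nai, llrc, bu)
        if not hmac.compare_digest(expected, auth_data):  # constant-time comparison
            return "reject: bad MN-AAA authenticator"
        self.seen.add((nai, llrc))
        return "accept"
# Constructed sample values (not from the draft); the BU option type is illustrative.
KEY = b"constructed-shared-secret"
BU = {"type": 198, "length": 16, "flags": 0x80, "reserved": 0, "auth_len": 20,
      "lifetime": 3600, "spi": 0x100, "seq": 1, "subopts": b""}
FIELDS = ("2001:db8::1", "2001:db8:1::2", "2001:db8::abcd",
          "user@example.com", bytes.fromhex("0102030405060708"), BU)
def demo():
    # Fresh BU accepted; identical replay rejected; altered CoA fails the MAC check.
    aaah = HomeAAA({"user@example.com": KEY})
    auth = compute_authenticator(KEY, *FIELDS)
    fresh, replay = aaah.check(*FIELDS, auth), aaah.check(*FIELDS, auth)
    moved = list(FIELDS); moved[1], moved[4] = "2001:db8:9::9", b"\x09" * 8
    return fresh, replay, aaah.check(*moved, auth)
```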
2.2 MN-AAA Authentication
Upon receipt of a Binding Update message carrying the new NAI
destination option, the MIPv6 Link Local Router, acting as the client
of the AAAF, shall create an AA-Mobile-Node-Request (AMR) message
containing the necessary AVPs, including the LLRC and the whole
Binding Update message.
The AMR message is then sent to the AAAH via the AAAF.
Upon receiving the AMR message, the AAAH shall check the MN-AAA
Authentication Data placed in the Authentication Data field of the
Binding Update option. The AAAH shall authenticate the Binding Update
message according to the SPI of the Binding Update message.
If the MN-AAA Authentication Data is not valid, the AAAH returns an
AMA with a reject code so that the Link Local Router terminates the
service. If the user is successfully authenticated, the AAAH returns
an AMA with an acceptance code while forwarding the Binding Update
message to the Home Agent or sending a HAR (see Figure 1).
The communication between the AAAH and the Home Agent is protected
with IP security (IPsec). The establishment of the security
association is outside the scope of this document.
                      +--------------+      AMR      +--------------+
                      |              |-------------->|              |
                      |     AAAF     |               |     AAAH     |
                      |              |<--------------|              |
                      +--------------+      AMA      +--------------+
                         ^       |                       |
                         |       |                       | HAR or
                      AMR|       |AMA                    | Binding
                         |       v                       v Update
+------+    Agent     +--------------+               +--------------+
|      |Advertisement |  MobileIPv6  |               |              |
|      |  with LLRC   |  Link Local  |               |  Mobile IPv6 |
|  MN  |<------------ |    Router    |               |  Home Agent  |
|      |------------> |              |               |              |
|      |Binding Update|              |               |              |
|      | with MN-AAA  |              |               |              |
|      |<-------------|              |               |              |
+------+ Binding Ack  +--------------+               +--------------+
Figure 1: Binding Update Procedures
3. Link Local Router Challenge (LLRC)
The link local router supporting MIPv6 [8] MAY send an Agent
Advertisement carrying the Link Local Router Challenge (LLRC) option.
The challenge is at least 32 bits long and is selected by the Link
Local Router to prevent replay attacks. This new challenge option
(Figure 2) is inserted in the Router Advertisement message.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |         Challenge...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                                                               ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The Challenge option
Fields:
Type        ?  (a new type number is required; see Section 4)
Length      The length of the Link Local Router Challenge in
            bytes; SHOULD be at least 32
Challenge   A random value that SHOULD be at least 32 bits.
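As an added example (not from the draft), this Python encodes and parses the option of Figure 2 and models a Link Local Router that issues random challenges and accepts each one at most once, which is what makes the LLRC a defence against replayed Binding Updates. The Type value is a placeholder because the draft leaves it to IANA, and the code enforces the 32-bit minimum that sections 2.1 and 3 state for the challenge value.

```python
import os
import struct

LLRC_TYPE = 0xFF    # placeholder: the draft leaves the Type value to IANA (section 4)
MIN_CHALLENGE = 4   # the challenge SHOULD be at least 32 bits (sections 2.1 and 3)

def build_llrc_option(challenge):
    # Type | Length | Challenge as in Figure 2; Length counts the challenge bytes.
    if len(challenge) < MIN_CHALLENGE:
        raise ValueError("challenge shorter than 32 bits")
    if len(challenge) > 255:
        raise ValueError("Length is a single byte")
    return struct.pack("!BB", LLRC_TYPE, len(challenge)) + bytes(challenge)

def parse_llrc_option(data):
    # Returns the challenge, or None when the option is not ours, truncated or too short.
    if len(data) < 2 or data[0] != LLRC_TYPE:
        return None
    length = data[1]
    if length < MIN_CHALLENGE or len(data) < 2 + length:
        return None
    return bytes(data[2:2 + length])

class LinkLocalRouter:
    # Issues fresh random challenges and accepts each one at most once.
    def __init__(self, window=4):
        self.window = window        # how many recent challenges remain valid
        self.outstanding = []       # oldest first

    def advertise(self):
        # Build the LLRC option for the next Agent Advertisement.
        challenge = os.urandom(16)
        self.outstanding.append(challenge)
        del self.outstanding[:-self.window]     # expire the oldest challenges
        return build_llrc_option(challenge)

    def accept_binding_update(self, llrc):
        # A BU echoing a stale, unknown or already-used challenge is treated as a replay.
        if llrc not in self.outstanding:
            return False
        self.outstanding.remove(llrc)
        return True
```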
4. IANA Considerations
This document requires a new type number for the LLRC option in the
Agent Advertisement and a new SPI number for MN-AAA Authentication.
References
[1] Perkins, C., Editor, "IP Mobility Support", RFC 2002, October
1996.
[2] Aboba, B. and M. Beadles, "The Network Access Identifier",
RFC 2486, January 1999.
[3] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier
Extension for IPv4", RFC 2794, January 2000.
[4] Calhoun, P. and C. Perkins, "Mobile IPv4 Challenge/Response
Extensions", RFC 3012, November 2000.
[5] Song, J.H., Chong, C.Y. and D.K. Lee,
draft-song-mobileip-mipv6-user-mobility-00.txt (work in progress).
[6] Song, J.H., Chong, C.Y. and D.K. Lee,
draft-song-network-user-mobility-00.txt (work in progress).
[7] Calhoun, P. and C. Perkins, "Diameter Mobile IPv4 Application",
draft-ietf-aaa-diameter-mobileip-07.txt (work in progress).
[8] Johnson, D. and C. Perkins, "Mobility Support in IPv6",
draft-ietf-mobileip-ipv6-14.txt (work in progress).
Addresses
Questions about this memo can be directed to the authors:
JUNHYUK SONG
SAMSUNG ELECTRONICS.
Mobile Development Team
Network Systems Division
Phone: +82-31-779-6822
Email: santajun@lycos.co.kr
FAX: +82-31-7798769
CHAEYOUNG CHONG
SAMSUNG ELECTRONICS.
Mobile Development Team
Network Systems Division
Phone: +82-31-779-6822
Email: cychong@samsung.com
DONGKIE LEIGH
SK TELECOM
Core Network Development Team
Network R&D Center
Phone: +82-2-829-4640
Email: galahad@netsgo.com
FAX: +82-2-829-4612