Authentication Protocol for Mobile IPv6
RFC 4285
Network Working Group                                           A. Patel
Request for Comments: 4285                                      K. Leung
Category: Informational                                    Cisco Systems
                                                               M. Khalil
                                                               H. Akhtar
                                                         Nortel Networks
                                                            K. Chowdhury
                                                        Starent Networks
                                                            January 2006
Authentication Protocol for Mobile IPv6
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
IESG Note
This RFC is not a candidate for any level of Internet Standard. RFC
3775 and 3776 define Mobile IPv6 and its security mechanism. This
document presents an alternate security mechanism for Mobile IPv6
used in 3GPP2 networks.
The security properties of this mechanism have not been reviewed in
the IETF. Conducting this review proved difficult because the
standards-track security mechanism for Mobile IPv6 is tightly
integrated into the protocol; extensions to Mobile IPv6 and the core
documents make assumptions about the properties of the security model
without explicitly stating what assumptions are being made. There is
no documented service model. Thus it is difficult to replace the
security mechanism and see if the current protocol and future
extensions meet appropriate security requirements both under the
original and new security mechanisms. If a service model for Mobile
IPv6 security is ever formally defined and reviewed, a mechanism
similar to this one could be produced and fully reviewed.
Section 1.1 of this document provides an applicability statement for
this RFC. The IESG recommends against the usage of this
specification outside of environments that meet the conditions of
that applicability statement. In addition the IESG recommends those
considering deploying or implementing this specification conduct a
sufficient security review to meet the conditions of the environments
in which this RFC will be used.
Abstract
IPsec is specified as the means of securing signaling messages
between the Mobile Node and Home Agent for Mobile IPv6 (MIPv6).
MIPv6 signaling messages that are secured include the Binding Updates
and Acknowledgement messages used for managing the bindings between a
Mobile Node and its Home Agent. This document proposes an alternate
method for securing MIPv6 signaling messages between Mobile Nodes and
Home Agents. The alternate method defined here consists of a
MIPv6-specific mobility message authentication option that can be
added to MIPv6 signaling messages.
Table of Contents
1. Introduction
   1.1. Applicability Statement
2. Overview
3. Terminology
   3.1. General Terms
4. Operational Flow
5. Mobility Message Authentication Option
   5.1. MN-HA Mobility Message Authentication Option
      5.1.1. Processing Considerations
   5.2. MN-AAA Mobility Message Authentication Option
      5.2.1. Processing Considerations
   5.3. Authentication Failure Detection at the Mobile Node
6. Mobility Message Replay Protection Option
7. Security Considerations
8. IANA Considerations
9. Acknowledgements
10. References
   10.1. Normative References
   10.2. Informative References
Appendix A. Rationale for mobility message replay protection option
1. Introduction
The base Mobile IPv6 specification [RFC3775] specifies the signaling