As per Relevance of the word standards, we have this rfc below:
Network Working Group C.
Request for Comments: 3012 Nokia Research
Category: Standards Track P.
Sun Microsystems
November 2000
Mobile IPv4 Challenge/Response
Status of this
This document specifies an Internet standards track protocol for
Internet community, and requests discussion and suggestions
improvements. Please refer to the current edition of the "
Official Protocol Standards" (STD 1) for the standardization
and status of this protocol. Distribution of this memo is unlimited
Copyright
Copyright (C) The Internet Society (2000). All Rights Reserved
Mobile IP, as originally specified, defines an
extension (the Mobile-Foreign Authentication extension) by which
mobile node can authenticate itself to a foreign agent
Unfortunately, this extension does not provide ironclad
protection for the foreign agent, and does not allow for the use
existing techniques (such as CHAP) for authenticating
computer devices. In this specification, we define extensions
the Mobile IP Agent Advertisements and the Registration Request
allow a foreign agent to use a challenge/response mechanism
authenticate the mobile node
Perkins & Calhoun Standards Track [Page 1]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
Table of
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Mobile IP Agent Advertisement Challenge Extension . . . . . 3
3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Mobile Node Processing for Registration Requests . . . 3
3.2. Foreign Agent Processing for Registration Requests . . 5
3.3. Foreign Agent Processing for Registration Replies . . 7
3.4. Home Agent Processing for the Challenge Extensions . . 7
4. MN-FA Challenge Extension . . . . . . . . . . . . . . . . . 7
5. Generalized Mobile IP Authentication Extension . . . . . . . 8
6. MN-AAA Authentication subtype. . . . . . . . . . . . . . . . 9
7. Reserved SPIs for Mobile IP. . . . . . . . . . . . . . . . . 9
8. SPI For RADIUS AAA Servers . . . . . . . . . . . . . . . . . 10
9. Configurable Parameters. . . . . . . . . . . . . . . . . . . 10
10. Error Values . . . . . . . . . . . . . . . . .. . . . . . . 10
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11
12. Security Considerations . . . . . . . . . . . . . . . . . . 12
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
A. Verification Infrastructure . . . . . . . . . . . . . . . . 14
Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 17
1.
Mobile IP, as originally specified, defines an
extension (the Mobile-Foreign Authentication extension) by which
mobile node can authenticate itself to a foreign agent
Unfortunately, this extension does not provide ironclad
protection, from the point of view of the foreign agent, and does
allow for the use of existing techniques (such as CHAP [12])
authenticating portable computer devices. In this specification,
define extensions for the Mobile IP Agent Advertisements and
Registration Request that allow a foreign agent to a
challenge/response mechanism to authenticate the mobile node
All SPI values defined in this document refer to values for
Security Parameter Index, as defined in RFC 2002 [8]. The key
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
are to be interpreted as described in [1].
Perkins & Calhoun Standards Track [Page 2]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
2. Mobile IP Agent Advertisement Challenge
This section defines a new extension to the Router Discovery
[3] for use by foreign agents that need to issue a challenge
authenticating mobile nodes
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Challenge ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The Challenge
Type 24
Length The length of the Challenge value in bytes; SHOULD
at least 4
Challenge A random value that SHOULD be at least 32 bits
The Challenge extension, illustrated in figure 1, is inserted in
Agent Advertisements by the Foreign Agent, in order to
the latest challenge value that can be used by the mobile node
compute an authentication for its registration request message.
challenge is selected by the foreign agent to provide local
that the mobile node is not replaying any earlier
request. Eastlake, et al. [4] provides more information
generating pseudo-random numbers suitable for use as values for
challenge
3.
This section describes modifications to the Mobile IP
process which may occur after the Foreign Agent issues a Mobile
Agent Advertisement containing the Challenge on its local link
3.1. Mobile Node Processing for Registration
Whenever the Agent Advertisement contains the Challenge extension,
the mobile node does not have a security association with the
Agent, then it MUST include the Challenge value in a MN-FA
extension to the Registration Request message. If, on the
hand, the mobile node does have a security association with
foreign agent, it SHOULD include the Challenge value in
Registration Request message
Perkins & Calhoun Standards Track [Page 3]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
If the Mobile Node has a security association with the Foreign Agent
it MUST include a Mobile-Foreign Authentication extension in
Registration Request message, according to the base Mobile
specification [8]. When the Registration Request contains the MN-
Challenge extension specified in section 4, the Mobile-
Authentication MUST follow the Challenge extension in
Registration Request
If the Mobile Node does not have a security association with
Foreign Agent, the Mobile Node MUST include the MN-AAA
extension as defined in section 6. In addition, the Mobile
SHOULD include the NAI extension [2], to enable the foreign agent
make use of any available verification infrastructure. The SPI
of the MN-AAA Authentication extension specifies the
secret and algorithm (shared between the Mobile Node and
verification infrastructure) that must be used to perform
authentication. If the SPI value is chosen as CHAP_SPI (see
9), then the mobile node specifies CHAP-style authentication [12]
using MD5 [11].
In either case, the MN-FA Challenge extension and one of the
specified authentication extensions MUST follow the Mobile-
Authentication extension, if present
A successful Registration Reply from the Foreign Agent MAY include
new Challenge value (see section 3.3). The Mobile Node MAY
either the value found in the latest Advertisement, or the one
in the last Registration Reply from the Foreign Agent. This
enables the Mobile Node to make use of the challenge without
to wait for advertisements
A Mobile Node might receive an UNKNOWN_CHALLENGE error (see
9) if it moves to a new Foreign Agent that cannot validate
challenge provided in the Registration Request. In such instances
the Mobile Node MUST use a new Challenge value in any
registration, obtained either from an Agent Advertisement, or from
Challenge extension to the Registration Reply containing the error
A Mobile Node that does not include a Challenge when the Mobile
Foreign Authentication extension is present may receive
MISSING_CHALLENGE (see section 10) error. In this case, the
agent will not process the request from the mobile node unless
request contains a valid Challenge
Perkins & Calhoun Standards Track [Page 4]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
A Mobile Node that receives a BAD_AUTHENTICATION error code (
section 10) SHOULD include the MN-AAA Authentication Extension in
next Registration Request. This will make it possible for
Foreign Agent to use its AAA infrastructure in order to
the Mobile Node
3.2. Foreign Agent Processing for Registration
Upon receipt of the Registration Request, if the Foreign Agent
issued a Challenge as part of its Agent Advertisements, and it
not have a security association with the mobile node, then
Foreign Agent MUST check that the MN-FA Challenge extension exists
and that it contains a challenge value previously unused by
Mobile Node. This ensures that the mobile node is not attempting
replay a previous advertisement and authentication. If the
extension is needed and does not exist, the Foreign Agent MUST send
Registration Reply to the mobile node with the error
MISSING_CHALLENGE
A foreign agent that sends Agent Advertisements containing
Challenge value MAY send a Registration Reply message with
MISSING_CHALLENGE error if the mobile node sends a
Request with a Mobile-Foreign Authentication extension
including a Challenge. In other words, such a foreign agent
refuse to process a Registration Request request from the mobile
unless the request contains a valid Challenge
If a mobile node retransmits a Registration Request with the
Identification field and the same Challenge extension, and
Foreign Agent still has a pending Registration Request record
effect for the mobile node, then the Foreign Agent forwards
Registration Request to the Home Agent again. In all
circumstances, if the Foreign Agent receives a Registration
with a Challenge extension containing a Challenge value
used by that mobile node, the Foreign Agent SHOULD send
Registration Reply to the mobile node containing the Code
STALE_CHALLENGE
The Foreign Agent MUST NOT accept any Challenge in the
Request unless it was offered in last successful Registration
issued to the Mobile Node, or else advertised as one of the
CHALLENGE_WINDOW (see section 9) Challenge values inserted into
immediately preceding Agent advertisements. If the Challenge is
one of the recently advertised values, the foreign Agent SHOULD
a Registration Reply with Code UNKNOWN_CHALLENGE (see section 10).
Perkins & Calhoun Standards Track [Page 5]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
Furthermore, the Foreign Agent MUST check that there is either
Mobile-Foreign, or a MN-AAA Authentication extension after
Challenge extension. Any registration message containing
Challenge extension without either of these authentication
MUST be silently discarded. If the registration message contains
Mobile-Foreign Authentication extension with an
authenticator that fails verification, the Foreign Agent MAY send
Registration Reply to the mobile node with Code
BAD_AUTHENTICATION (see Section 10).
If the MN-AAA Authentication extension (see Section 6) is present
the message, or if an NAI extension is included indicating that
mobile node belongs to a different administrative domain, the
agent may take actions outside the scope of this
specification to carry out the authentication of the mobile node
The Foreign Agent MUST NOT remove the MN-AAA Authentication
from the Registration Request prior to the completion of
authentication performed by the AAA infrastructure. The
provides an example of an action that could be taken by a
agent
In the event that the Challenge extension is authenticated
the Mobile-Foreign Authentication Extension, the Foreign Agent
remove the Challenge Extension from the Registration Request
disturbing the authentication value computed by the Mobile Node
use by the AAA or the Home Agent. If the Challenge extension is
removed, it MUST precede the Foreign-Home Authentication extension
If the Foreign Agent does not remove the Challenge extension,
the Foreign Agent SHOULD store the Challenge value as part of
pending registration request list [8]. Also in this case,
Foreign Agent MUST reject any Registration Reply message coming
the Home Agent that does not also include the Challenge
with the same Challenge Value that was included in the
Request. The Foreign Agent MUST send the rejected
message to the mobile node, and change the status in the
Reply to the value MISSING_CHALLENGE (see section 10).
If the Foreign Agent does remove the Challenge extension
applicable authentication from the Registration Request message,
it SHOULD insert the Identification field from the
Request message along with its record-keeping information about
particular Mobile Node in order to protect against replays
Perkins & Calhoun Standards Track [Page 6]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
3.3. Foreign Agent Processing for Registration
The Foreign Agent MAY include a new Challenge extension in
Registration Reply, successful or not. If the foreign agent
this extension in a successful Registration Reply, the
SHOULD precede a MN-FA authentication extension
Suppose the Registration Reply includes a Challenge extension
the Home Agent, and the foreign agent wishes to include
Challenge extension with the Registration Reply for use by the
node. In that case, the foreign agent MUST delete the
extension from the Home Agent from the Registration Reply, along
any FA-HA authentication extension, before appending the
Challenge extension to the Registration Reply
3.4. Home Agent Processing for the Challenge
If the Home Agent receives a Registration Request with the MN-
Challenge extension, and recognizes the extension, the Home
MUST include the Challenge extension in the Registration Reply.
Challenge Extension MUST be placed after the Mobile-
authentication extension, and the extension SHOULD be
by a Foreign-Home Authentication extension
Since the extension type for the Challenge extension is within
range 128-255, the Home Agent MUST process such a
Request even if it does not recognize the Challenge extension [8].
In this case, the Home Agent will send a Registration Reply to
Foreign Agent that does not include the Challenge extension
4. MN-FA Challenge
This section specifies a new Mobile IP Registration extension that
used to satisfy a Challenge in an Agent Advertisement. The
extension to the Registration Request message is used to indicate
challenge that the mobile node is attempting to satisfy
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Challenge...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The MN-FA Challenge
Type 132 (skippable) (see [8])
Length Length of the Challenge
Perkins & Calhoun Standards Track [Page 7]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
Challenge The Challenge field is copied from the Challenge
found in the Agent Advertisement Challenge
(see section 2).
5. Generalized Mobile IP Authentication
Several new authentication extensions have been designed for
control messages proposed for extensions to Mobile IP (see,
example, [9]). A new authentication extension is required for
mobile node to present its credentials to any other entity other
the ones already defined; the only entities defined in the
Mobile IP specification [8] are the home agent and the foreign agent
It is the purpose of the generalized authentication extension
here to collect together data for all such new
applications into a single extension type with subtypes
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Subtype | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: The Generalized Mobile IP Authentication
Type 36 (not skippable) (see [8])
Subtype a number assigned to identify the kind
endpoints or characteristics of the
authentication
Length 4 plus the number of bytes in the Authenticator
MUST be at least 20.
SPI Security Parameters
Authenticator The variable length Authenticator
In this document, only one subtype is defined
1 MN-AAA Authentication subtype (see section 6)
Perkins & Calhoun Standards Track [Page 8]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
6. MN-AAA Authentication
The Generalized Authentication extension with subtype 1 will
referred to as a MN-AAA Authentication extension. If the mobile
does not include a Mobile-Foreign Authentication [8] extension,
it MUST include the MN-AAA Authentication extension whenever
Challenge extension is present. If the MN-AAA
extension is present, then the Registration Message sent by
mobile node MUST contain the Mobile-HA Authentication extension [8]
if it shares a security association with the Home Agent. If present
the Mobile-HA Authentication Extension MUST appear prior to the MN
AAA Authentication extension. The mobile node MAY include a MN-
Authentication extension in any Registration Request.
corresponding response MUST include the MN-HA
Extension, and MUST NOT include the MN-AAA Authentication Extension
The default algorithm for computation of the authenticator is HMAC
MD5 [5] computed on the following data, in the order shown
Preceding Mobile IP data || Type, Subtype, Length,
where the Type, Length, Subtype, and SPI are as shown in section 5.
The resulting function call, as described in [5], would be
hmac_md5(data, datalen, Key, KeyLength, authenticator);
Each mobile node MUST support the ability to produce
authenticator by using HMAC-MD5 as shown. Just as with Mobile IP
this default algorithm MUST be able to be configured for selection
any arbitrary 32-bit SPI outside of the SPIs in the reserved
0-255.
7. Reserved SPIs for Mobile
Mobile IP defines several authentication extensions for use
Registration Requests and Replies. Each authentication
carries a Security Parameters Index (SPI) which should be used
index a table of security associations. Values in the range 0 - 255
are reserved for special use. A list of reserved SPI numbers is
be maintained by IANA at the following URL
http://www.iana.org/numbers.
Perkins & Calhoun Standards Track [Page 9]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
8. SPI For RADIUS AAA
Some AAA servers only admit a single security association, and
do not use the SPI numbers for Mobile IP authentication
for use when determining the security association that would
necessary for verifying the authentication information included
the Authentication extension
SPI number CHAP_SPI (see section 9) is reserved (see section 7)
indicating the following procedure for computing authentication
(called the "authenticator"), which is used by many RADIUS
[10] today
To compute the authenticator, apply MD5 [11] computed on
following data, in the order shown
High-order byte from Challenge || Key ||
MD5(Preceding Mobile IP data ||
Type, Subtype (if present), Length, SPI) ||
Least-order 237 bytes from
where the Type, Length, SPI, and possibly Subtype, are the fields
the authentication extension in use. For instance, all four of
fields would be in use when SPI == CHAP_SPI is used with
Generalized Authentication extension. Since the RADIUS
cannot carry attributes greater than 253 in size, the
Mobile IP data, type, subtype (if present), length and SPI are
using MD5. Finally, the least significant 237 bytes of the
are concatenated
9. Configurable
Every Mobile IP agent supporting the extensions defined in
document SHOULD be able to configure each parameter in the
table. Each table entry contains the name of the parameter,
default value, and the section of the document in which the
first appears
Parameter Name Default Value Section(s) of
-------------- ------------- ----------------------
CHALLENGE_WINDOW 2 3.2
CHAP_SPI 2 8
10. Error
Each entry in the following table contains the name of Code [8] to
returned in a Registration Reply, the value for the Code, and
section in which the error is first mentioned in this specification
Perkins & Calhoun Standards Track [Page 10]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
Error Name Value Section of
---------------------- ----- -------------------
UNKNOWN_CHALLENGE 104 3.2
BAD_AUTHENTICATION 67 3.2 - also see [8]
MISSING_CHALLENGE 105 3.1,3.2
STALE_CHALLENGE 106 3.2
11. IANA
The Generalized Mobile IP Authentication extension defined in
5 is a Mobile IP registration extension as defined in RFC 2002 [8]
and extended in RFC 2356 [7]. IANA should assign a value of 36
this extension
A new number space is to be created for enumerating subtypes of
Generalized Authentication extension (see section 5). New
of the Generalized Authentication extension, other than the
(1) for the MN-AAA authentication extension specified in section 6,
must be specified and approved by a designated expert
The MN-FA Challenge Extension defined in Section 4 is a
advertisement extension as defined in RFC 1256 [3] and extended
RFC 2002 [8]. IANA should assign a value of 132 for this purpose
The Code values defined in Section 10 are error codes as defined
RFC 2002 [8] and extended in RFC 2344 [6] and RFC 2356 [7].
correspond to error values conventionally associated with
by the foreign agent (i.e., values from the range 64-127). The
value 67 is a pre-existing value which is to be used in some
with the extension defined in this specification. IANA should
the values as defined in Section 10.
A new section for enumerating algorithms identified by specific
within the range 0-255 is to be added
http://www.isi.edu/in-notes/iana/assignments/mobileip-numbers
The CHAP_SPI number (2) discussed in section 8 is to be assigned
this range of reserved SPI numbers. New assignments from
reserved range must be specified and approved by the Mobile
working group. SPI number 1 should not be assigned unless in
future the Mobile IP working group decides that SKIP is not
for enumeration in the list of reserved numbers. SPI number 0
not be assigned
Perkins & Calhoun Standards Track [Page 11]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
12. Security
In the event that a malicious mobile node attempts to replay
authenticator for an old MN-FA Challenge, the Foreign Agent
detect it since the agent always checks whether it has
advertised the Challenge (see section 3.2). Allowing mobile
with different IP addresses or NAIs to use the same Challenge
does not represent a security vulnerability, because
authentication data provided by the mobile node will be computed
data that is different (at least by the bytes of the mobile nodes'
addresses).
Whenever a Foreign Agent updates a field of the Registration
(as suggested in section 3.2), it invalidates the authentication
supplied by the Home Agent in the MN-HA Authentication extension
the Registration Reply. Thus, this opens up a security
whereby a node might try to supply a bogus Registration Reply to
mobile node that causes the mobile node to act as if its
Reply were rejected. This might happen when, in fact, a
Reply showing acceptance of the registration might soon be
by the mobile node
If the foreign agent chooses a Challenge value (see section 2)
fewer than 4 bytes, the foreign agent SHOULD maintain records
also the Identification field for the mobile node. The foreign
can then find assurance that the Registration messages using
short Challenge value are in fact unique, and thus assuredly
replayed from any earlier registration
Section 8 (SPI For RADIUS AAA Servers) defines a method of
the Generalized Mobile IP Authentication Extension's
field using MD5 in a manner that is consistent with RADIUS [10].
use of MD5 in the method described in Section 8 is less secure
HMAC-MD5 [5], and should be avoided whenever possible
13.
The authors would like to thank Tom Hiller, Mark Munson, the
TR45-6 WG, Gabriel Montenegro, Vipul Gupta, and Pete McCann for
useful discussions. A recent draft by Mohamed Khalil,
Narayanan, Emad Qaddoura, and Haseeb Akhtar has also suggested
definition of a generalized authentication extension similar to
specification contained in section 5.
Perkins & Calhoun Standards Track [Page 12]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
[1] Bradner, S., "Key words for use in RFCs to Indicate
Levels", BCP 14, RFC 2119, March 1997.
[2] Calhoun, P. and C. Perkins. "Mobile IP Network Access
Extension for IPv4", RFC 2794, January 2000.
[3] Deering, S., "ICMP Router Discovery Messages", RFC 1256,
September 1991.
[4] Eastlake, D., Crocker, S. and J. Schiller, "
Recommendations for Security", RFC 1750, December 1994.
[5] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
for Message Authentication", RFC 2104, February 1997.
[6] Montenegro, G., "Reverse Tunneling for Mobile IP", RFC 2344,
1998.
[7] Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal
Mobile IP", RFC 2356, June 1998.
[8] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
[9] Perkins, C. and D. Johnson, "Route Optimization in Mobile IP",
Work in Progress
[10] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "
Authentication Dial In User Service (RADIUS)", RFC 2138,
1997.
[11] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
1992.
[12] Simpson, W., "PPP Challenge Handshake Authentication
(CHAP)", RFC 1994, August 1996.
Perkins & Calhoun Standards Track [Page 13]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
A. Verification
The Challenge extensions in this protocol specification are
to be useful to help the Foreign Agent manage connectivity
visiting mobile nodes, even in situations where the foreign
does not have any security association with the mobile node or
mobile node's home agent. In order to carry out the
authentication, it is expected that the foreign agent will need
assistance of external administrative systems, which have come to
called AAA systems. For the purposes of this document, we call
external administrative support the "verification infrastructure".
The verification infrastructure is described to motivate the
of the protocol elements defined in this document, and is
strictly needed for the protocol to work. The foreign agent is
to use any means at its disposal to verify the credentials of
mobile node. This could, for instance, rely on a separate
between the foreign agent and the Mobile IP home agent, and still
completely invisible to the mobile node
In order to verify the credentials of the mobile node, we
that the foreign agent has access to a verification
that can return a secure notification to the foreign agent that
authentication has been performed, along with the results of
authentication. This infrastructure may be visualized as shown
figure 4.
+----------------------------------------------------+
| |
| Verification and Key Management Infrastructure |
| |
+----------------------------------------------------+
^ | ^ |
| | | |
| v |
+---------------+ +---------------+
| | | |
| Foreign Agent | | Home Agent |
| | | |
+---------------+ +---------------+
Figure 4: The Verification
After the foreign agent gets the Challenge authentication, it
pass the authentication to the (here unspecified) infrastructure,
await a Registration Reply. If the Reply has a positive
(indicating that the registration was accepted), the foreign
Perkins & Calhoun Standards Track [Page 14]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
accepts the registration. If the Reply contains the Code
BAD_AUTHENTICATION (see Section 10), the foreign agent takes
indicated for rejected registrations
Implicit in this picture, is the important observation that
Foreign Agent and the Home Agent have to be equipped to make use
whatever protocol is made available to them by the
verification and key management infrastructure shown in the figure
The protocol messages for handling the authentication within
verification infrastructure, and identity of the agent performing
verification of the Foreign Agent challenge, are not specified
this document, because those operations do not have to be
by any Mobile IP entity
The working group can be contacted via the current chairs
Basavaraj
Nokia
6000 Connection
M/S M8-540
Irving, Texas 75039
Phone: +1 972-894-6709
Fax : +1 972-894-5349
EMail: Basavaraj.Patil@nokia.
Phil
1501 West Shure
Arlington Heights, IL 60004
Phone:+1 847-632-3148
EMail: QA3445@email.mot.
Perkins & Calhoun Standards Track [Page 15]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
Questions about this memo can also be directed to the authors
Charles E.
Communications Systems
Nokia Research
313 Fairchild
Mountain View, California 94043
Phone: +1-650 625-2986
Fax: +1 650 625-2502
EMail: charliep@iprg.nokia.
Pat R.
Network & Security
Sun Microsystems
15 Network
Menlo Park, California 94025
Phone: +1 650-786-7733
Fax: +1 650-786-6445
EMail: pcalhoun@eng.sun.
Perkins & Calhoun Standards Track [Page 16]
RFC 3012 Mobile IPv4 Challenge/Response November 2000
Full Copyright
Copyright (C) The Internet Society (2000). All Rights Reserved
This document and translations of it may be copied and furnished
others, and derivative works that comment on or otherwise explain
or assist in its implementation may be prepared, copied,
and distributed, in whole or in part, without restriction of
kind, provided that the above copyright notice and this paragraph
included on all such copies and derivative works. However,
document itself may not be modified in any way, such as by
the copyright notice or references to the Internet Society or
Internet organizations, except as needed for the purpose
developing Internet standards in which case the procedures
copyrights defined in the Internet Standards process must
followed, or as required to translate it into languages other
English
The limited permissions granted above are perpetual and will not
revoked by the Internet Society or its successors or assigns
This document and the information contained herein is provided on
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
Funding for the RFC Editor function is currently provided by
Internet Society
Perkins & Calhoun Standards Track [Page 17]
if you see any problems within the linking, don't worry be happy,
this is version 0.1 of the Relevance System and you gotta expect some crappy subroutines sometimes,
just be content we did not write this in Java, which would have made this "bigger and better" HAHAHHA.
RFC documents can be found at I.E.T.F.
Relevance System Copyright © 2002 Spectrum WorldResearch
other technical nosh by ServerMasters Corporation
collaboration of BobX
