RFC3012 日本語訳
3012 Mobile IPv4 Challenge/Response Extensions. C. Perkins, P.Calhoun. November 2000. (Format: TXT=37005 bytes) (Obsoleted by RFC4721) (Status: PROPOSED STANDARD)
プログラムでの自動翻訳です。
英語原文
Network Working Group C. Perkins Request for Comments: 3012 Nokia Research Center Category: Standards Track P. Calhoun Sun Microsystems Laboratories November 2000
Network Working Group C. Perkins Request for Comments: 3012 Nokia Research Center Category: Standards Track P. Calhoun Sun Microsystems Laboratories November 2000
Mobile IPv4 Challenge/Response Extensions
Mobile IPv4 Challenge/Response Extensions
Status of this Memo
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
Abstract
Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent. Unfortunately, this extension does not provide ironclad replay protection for the foreign agent, and does not allow for the use of existing techniques (such as CHAP) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/response mechanism to authenticate the mobile node.
Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent. Unfortunately, this extension does not provide ironclad replay protection for the foreign agent, and does not allow for the use of existing techniques (such as CHAP) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/response mechanism to authenticate the mobile node.
Perkins & Calhoun Standards Track [Page 1] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 1] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Table of Contents
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Mobile IP Agent Advertisement Challenge Extension . . . . . 3 3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Mobile Node Processing for Registration Requests . . . 3 3.2. Foreign Agent Processing for Registration Requests . . 5 3.3. Foreign Agent Processing for Registration Replies . . 7 3.4. Home Agent Processing for the Challenge Extensions . . 7 4. MN-FA Challenge Extension . . . . . . . . . . . . . . . . . 7 5. Generalized Mobile IP Authentication Extension . . . . . . . 8 6. MN-AAA Authentication subtype. . . . . . . . . . . . . . . . 9 7. Reserved SPIs for Mobile IP. . . . . . . . . . . . . . . . . 9 8. SPI For RADIUS AAA Servers . . . . . . . . . . . . . . . . . 10 9. Configurable Parameters. . . . . . . . . . . . . . . . . . . 10 10. Error Values . . . . . . . . . . . . . . . . .. . . . . . . 10 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11 12. Security Considerations . . . . . . . . . . . . . . . . . . 12 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 A. Verification Infrastructure . . . . . . . . . . . . . . . . 14 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 17
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Mobile IP Agent Advertisement Challenge Extension . . . . . 3 3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Mobile Node Processing for Registration Requests . . . 3 3.2. Foreign Agent Processing for Registration Requests . . 5 3.3. Foreign Agent Processing for Registration Replies . . 7 3.4. Home Agent Processing for the Challenge Extensions . . 7 4. MN-FA Challenge Extension . . . . . . . . . . . . . . . . . 7 5. Generalized Mobile IP Authentication Extension . . . . . . . 8 6. MN-AAA Authentication subtype. . . . . . . . . . . . . . . . 9 7. Reserved SPIs for Mobile IP. . . . . . . . . . . . . . . . . 9 8. SPI For RADIUS AAA Servers . . . . . . . . . . . . . . . . . 10 9. Configurable Parameters. . . . . . . . . . . . . . . . . . . 10 10. Error Values . . . . . . . . . . . . . . . . .. . . . . . . 10 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11 12. Security Considerations . . . . . . . . . . . . . . . . . . 12 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 A. Verification Infrastructure . . . . . . . . . . . . . . . . 14 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
1. Introduction
Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent.
Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent.
Unfortunately, this extension does not provide ironclad replay protection, from the point of view of the foreign agent, and does not allow for the use of existing techniques (such as CHAP [12]) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to a use challenge/response mechanism to authenticate the mobile node.
Unfortunately, this extension does not provide ironclad replay protection, from the point of view of the foreign agent, and does not allow for the use of existing techniques (such as CHAP [12]) for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to a use challenge/response mechanism to authenticate the mobile node.
All SPI values defined in this document refer to values for the Security Parameter Index, as defined in RFC 2002 [8]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1].
All SPI values defined in this document refer to values for the Security Parameter Index, as defined in RFC 2002 [8]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1].
Perkins & Calhoun Standards Track [Page 2] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 2] RFC 3012 Mobile IPv4 Challenge/Response November 2000
2. Mobile IP Agent Advertisement Challenge Extension
2. Mobile IP Agent Advertisement Challenge Extension
This section defines a new extension to the Router Discovery Protocol [3] for use by foreign agents that need to issue a challenge for authenticating mobile nodes.
This section defines a new extension to the Router Discovery Protocol [3] for use by foreign agents that need to issue a challenge for authenticating mobile nodes.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Challenge ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Challenge ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The Challenge Extension
Figure 1: The Challenge Extension
Type 24
Type 24
Length The length of the Challenge value in bytes; SHOULD be at least 4
Length The length of the Challenge value in bytes; SHOULD be at least 4
Challenge A random value that SHOULD be at least 32 bits.
Challenge A random value that SHOULD be at least 32 bits.
The Challenge extension, illustrated in figure 1, is inserted in the Agent Advertisements by the Foreign Agent, in order to communicate the latest challenge value that can be used by the mobile node to compute an authentication for its registration request message. The challenge is selected by the foreign agent to provide local assurance that the mobile node is not replaying any earlier registration request. Eastlake, et al. [4] provides more information on generating pseudo-random numbers suitable for use as values for the challenge.
The Challenge extension, illustrated in figure 1, is inserted in the Agent Advertisements by the Foreign Agent, in order to communicate the latest challenge value that can be used by the mobile node to compute an authentication for its registration request message. The challenge is selected by the foreign agent to provide local assurance that the mobile node is not replaying any earlier registration request. Eastlake, et al. [4] provides more information on generating pseudo-random numbers suitable for use as values for the challenge.
3. Operation
3. Operation
This section describes modifications to the Mobile IP registration process which may occur after the Foreign Agent issues a Mobile IP Agent Advertisement containing the Challenge on its local link.
This section describes modifications to the Mobile IP registration process which may occur after the Foreign Agent issues a Mobile IP Agent Advertisement containing the Challenge on its local link.
3.1. Mobile Node Processing for Registration Requests
3.1. Mobile Node Processing for Registration Requests
Whenever the Agent Advertisement contains the Challenge extension, if the mobile node does not have a security association with the Foreign Agent, then it MUST include the Challenge value in a MN-FA Challenge extension to the Registration Request message. If, on the other hand, the mobile node does have a security association with the foreign agent, it SHOULD include the Challenge value in its Registration Request message.
Whenever the Agent Advertisement contains the Challenge extension, if the mobile node does not have a security association with the Foreign Agent, then it MUST include the Challenge value in a MN-FA Challenge extension to the Registration Request message. If, on the other hand, the mobile node does have a security association with the foreign agent, it SHOULD include the Challenge value in its Registration Request message.
Perkins & Calhoun Standards Track [Page 3] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 3] RFC 3012 Mobile IPv4 Challenge/Response November 2000
If the Mobile Node has a security association with the Foreign Agent, it MUST include a Mobile-Foreign Authentication extension in its Registration Request message, according to the base Mobile IP specification [8]. When the Registration Request contains the MN-FA Challenge extension specified in section 4, the Mobile-Foreign Authentication MUST follow the Challenge extension in the Registration Request.
If the Mobile Node has a security association with the Foreign Agent, it MUST include a Mobile-Foreign Authentication extension in its Registration Request message, according to the base Mobile IP specification [8]. When the Registration Request contains the MN-FA Challenge extension specified in section 4, the Mobile-Foreign Authentication MUST follow the Challenge extension in the Registration Request.
If the Mobile Node does not have a security association with the Foreign Agent, the Mobile Node MUST include the MN-AAA Authentication extension as defined in section 6. In addition, the Mobile Node SHOULD include the NAI extension [2], to enable the foreign agent to make use of any available verification infrastructure. The SPI field of the MN-AAA Authentication extension specifies the particular secret and algorithm (shared between the Mobile Node and the verification infrastructure) that must be used to perform the authentication. If the SPI value is chosen as CHAP_SPI (see section 9), then the mobile node specifies CHAP-style authentication [12] using MD5 [11].
If the Mobile Node does not have a security association with the Foreign Agent, the Mobile Node MUST include the MN-AAA Authentication extension as defined in section 6. In addition, the Mobile Node SHOULD include the NAI extension [2], to enable the foreign agent to make use of any available verification infrastructure. The SPI field of the MN-AAA Authentication extension specifies the particular secret and algorithm (shared between the Mobile Node and the verification infrastructure) that must be used to perform the authentication. If the SPI value is chosen as CHAP_SPI (see section 9), then the mobile node specifies CHAP-style authentication [12] using MD5 [11].
In either case, the MN-FA Challenge extension and one of the above specified authentication extensions MUST follow the Mobile-Home Authentication extension, if present.
In either case, the MN-FA Challenge extension and one of the above specified authentication extensions MUST follow the Mobile-Home Authentication extension, if present.
A successful Registration Reply from the Foreign Agent MAY include a new Challenge value (see section 3.3). The Mobile Node MAY use either the value found in the latest Advertisement, or the one found in the last Registration Reply from the Foreign Agent. This approach enables the Mobile Node to make use of the challenge without having to wait for advertisements.
A successful Registration Reply from the Foreign Agent MAY include a new Challenge value (see section 3.3). The Mobile Node MAY use either the value found in the latest Advertisement, or the one found in the last Registration Reply from the Foreign Agent. This approach enables the Mobile Node to make use of the challenge without having to wait for advertisements.
A Mobile Node might receive an UNKNOWN_CHALLENGE error (see section 9) if it moves to a new Foreign Agent that cannot validate the challenge provided in the Registration Request. In such instances, the Mobile Node MUST use a new Challenge value in any new registration, obtained either from an Agent Advertisement, or from a Challenge extension to the Registration Reply containing the error.
A Mobile Node might receive an UNKNOWN_CHALLENGE error (see section 9) if it moves to a new Foreign Agent that cannot validate the challenge provided in the Registration Request. In such instances, the Mobile Node MUST use a new Challenge value in any new registration, obtained either from an Agent Advertisement, or from a Challenge extension to the Registration Reply containing the error.
A Mobile Node that does not include a Challenge when the Mobile- Foreign Authentication extension is present may receive a MISSING_CHALLENGE (see section 10) error. In this case, the foreign agent will not process the request from the mobile node unless the request contains a valid Challenge.
A Mobile Node that does not include a Challenge when the Mobile- Foreign Authentication extension is present may receive a MISSING_CHALLENGE (see section 10) error. In this case, the foreign agent will not process the request from the mobile node unless the request contains a valid Challenge.
Perkins & Calhoun Standards Track [Page 4] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 4] RFC 3012 Mobile IPv4 Challenge/Response November 2000
A Mobile Node that receives a BAD_AUTHENTICATION error code (see section 10) SHOULD include the MN-AAA Authentication Extension in the next Registration Request. This will make it possible for the Foreign Agent to use its AAA infrastructure in order to authenticate the Mobile Node.
A Mobile Node that receives a BAD_AUTHENTICATION error code (see section 10) SHOULD include the MN-AAA Authentication Extension in the next Registration Request. This will make it possible for the Foreign Agent to use its AAA infrastructure in order to authenticate the Mobile Node.
3.2. Foreign Agent Processing for Registration Requests
3.2. Foreign Agent Processing for Registration Requests
Upon receipt of the Registration Request, if the Foreign Agent has issued a Challenge as part of its Agent Advertisements, and it does not have a security association with the mobile node, then the Foreign Agent MUST check that the MN-FA Challenge extension exists, and that it contains a challenge value previously unused by the Mobile Node. This ensures that the mobile node is not attempting to replay a previous advertisement and authentication. If the challenge extension is needed and does not exist, the Foreign Agent MUST send a Registration Reply to the mobile node with the error code MISSING_CHALLENGE.
Upon receipt of the Registration Request, if the Foreign Agent has issued a Challenge as part of its Agent Advertisements, and it does not have a security association with the mobile node, then the Foreign Agent MUST check that the MN-FA Challenge extension exists, and that it contains a challenge value previously unused by the Mobile Node. This ensures that the mobile node is not attempting to replay a previous advertisement and authentication. If the challenge extension is needed and does not exist, the Foreign Agent MUST send a Registration Reply to the mobile node with the error code MISSING_CHALLENGE.
A foreign agent that sends Agent Advertisements containing a Challenge value MAY send a Registration Reply message with a MISSING_CHALLENGE error if the mobile node sends a Registration Request with a Mobile-Foreign Authentication extension without including a Challenge. In other words, such a foreign agent MAY refuse to process a Registration Request request from the mobile node unless the request contains a valid Challenge.
A foreign agent that sends Agent Advertisements containing a Challenge value MAY send a Registration Reply message with a MISSING_CHALLENGE error if the mobile node sends a Registration Request with a Mobile-Foreign Authentication extension without including a Challenge. In other words, such a foreign agent MAY refuse to process a Registration Request request from the mobile node unless the request contains a valid Challenge.
If a mobile node retransmits a Registration Request with the same Identification field and the same Challenge extension, and the Foreign Agent still has a pending Registration Request record in effect for the mobile node, then the Foreign Agent forwards the Registration Request to the Home Agent again. In all other circumstances, if the Foreign Agent receives a Registration Request with a Challenge extension containing a Challenge value previously used by that mobile node, the Foreign Agent SHOULD send a Registration Reply to the mobile node containing the Code value STALE_CHALLENGE.
If a mobile node retransmits a Registration Request with the same Identification field and the same Challenge extension, and the Foreign Agent still has a pending Registration Request record in effect for the mobile node, then the Foreign Agent forwards the Registration Request to the Home Agent again. In all other circumstances, if the Foreign Agent receives a Registration Request with a Challenge extension containing a Challenge value previously used by that mobile node, the Foreign Agent SHOULD send a Registration Reply to the mobile node containing the Code value STALE_CHALLENGE.
The Foreign Agent MUST NOT accept any Challenge in the Registration Request unless it was offered in last successful Registration Reply issued to the Mobile Node, or else advertised as one of the last CHALLENGE_WINDOW (see section 9) Challenge values inserted into the immediately preceding Agent advertisements. If the Challenge is not one of the recently advertised values, the foreign Agent SHOULD send a Registration Reply with Code UNKNOWN_CHALLENGE (see section 10).
The Foreign Agent MUST NOT accept any Challenge in the Registration Request unless it was offered in last successful Registration Reply issued to the Mobile Node, or else advertised as one of the last CHALLENGE_WINDOW (see section 9) Challenge values inserted into the immediately preceding Agent advertisements. If the Challenge is not one of the recently advertised values, the foreign Agent SHOULD send a Registration Reply with Code UNKNOWN_CHALLENGE (see section 10).
Perkins & Calhoun Standards Track [Page 5] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 5] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Furthermore, the Foreign Agent MUST check that there is either a Mobile-Foreign, or a MN-AAA Authentication extension after the Challenge extension. Any registration message containing the Challenge extension without either of these authentication extensions MUST be silently discarded. If the registration message contains a Mobile-Foreign Authentication extension with an incorrect authenticator that fails verification, the Foreign Agent MAY send a Registration Reply to the mobile node with Code value BAD_AUTHENTICATION (see Section 10).
Furthermore, the Foreign Agent MUST check that there is either a Mobile-Foreign, or a MN-AAA Authentication extension after the Challenge extension. Any registration message containing the Challenge extension without either of these authentication extensions MUST be silently discarded. If the registration message contains a Mobile-Foreign Authentication extension with an incorrect authenticator that fails verification, the Foreign Agent MAY send a Registration Reply to the mobile node with Code value BAD_AUTHENTICATION (see Section 10).
If the MN-AAA Authentication extension (see Section 6) is present in the message, or if an NAI extension is included indicating that the mobile node belongs to a different administrative domain, the foreign agent may take actions outside the scope of this protocol specification to carry out the authentication of the mobile node. The Foreign Agent MUST NOT remove the MN-AAA Authentication Extension from the Registration Request prior to the completion of the authentication performed by the AAA infrastructure. The appendix provides an example of an action that could be taken by a foreign agent.
If the MN-AAA Authentication extension (see Section 6) is present in the message, or if an NAI extension is included indicating that the mobile node belongs to a different administrative domain, the foreign agent may take actions outside the scope of this protocol specification to carry out the authentication of the mobile node. The Foreign Agent MUST NOT remove the MN-AAA Authentication Extension from the Registration Request prior to the completion of the authentication performed by the AAA infrastructure. The appendix provides an example of an action that could be taken by a foreign agent.
In the event that the Challenge extension is authenticated through the Mobile-Foreign Authentication Extension, the Foreign Agent MAY remove the Challenge Extension from the Registration Request without disturbing the authentication value computed by the Mobile Node for use by the AAA or the Home Agent. If the Challenge extension is not removed, it MUST precede the Foreign-Home Authentication extension.
In the event that the Challenge extension is authenticated through the Mobile-Foreign Authentication Extension, the Foreign Agent MAY remove the Challenge Extension from the Registration Request without disturbing the authentication value computed by the Mobile Node for use by the AAA or the Home Agent. If the Challenge extension is not removed, it MUST precede the Foreign-Home Authentication extension.
If the Foreign Agent does not remove the Challenge extension, then the Foreign Agent SHOULD store the Challenge value as part of the pending registration request list [8]. Also in this case, the Foreign Agent MUST reject any Registration Reply message coming from the Home Agent that does not also include the Challenge Extension with the same Challenge Value that was included in the Registration Request. The Foreign Agent MUST send the rejected Registration message to the mobile node, and change the status in the Registration Reply to the value MISSING_CHALLENGE (see section 10).
If the Foreign Agent does not remove the Challenge extension, then the Foreign Agent SHOULD store the Challenge value as part of the pending registration request list [8]. Also in this case, the Foreign Agent MUST reject any Registration Reply message coming from the Home Agent that does not also include the Challenge Extension with the same Challenge Value that was included in the Registration Request. The Foreign Agent MUST send the rejected Registration message to the mobile node, and change the status in the Registration Reply to the value MISSING_CHALLENGE (see section 10).
If the Foreign Agent does remove the Challenge extension and applicable authentication from the Registration Request message, then it SHOULD insert the Identification field from the Registration Request message along with its record-keeping information about the particular Mobile Node in order to protect against replays.
If the Foreign Agent does remove the Challenge extension and applicable authentication from the Registration Request message, then it SHOULD insert the Identification field from the Registration Request message along with its record-keeping information about the particular Mobile Node in order to protect against replays.
Perkins & Calhoun Standards Track [Page 6] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 6] RFC 3012 Mobile IPv4 Challenge/Response November 2000
3.3. Foreign Agent Processing for Registration Replies
3.3. Foreign Agent Processing for Registration Replies
The Foreign Agent MAY include a new Challenge extension in any Registration Reply, successful or not. If the foreign agent includes this extension in a successful Registration Reply, the extension SHOULD precede a MN-FA authentication extension.
The Foreign Agent MAY include a new Challenge extension in any Registration Reply, successful or not. If the foreign agent includes this extension in a successful Registration Reply, the extension SHOULD precede a MN-FA authentication extension.
Suppose the Registration Reply includes a Challenge extension from the Home Agent, and the foreign agent wishes to include another Challenge extension with the Registration Reply for use by the mobile node. In that case, the foreign agent MUST delete the Challenge extension from the Home Agent from the Registration Reply, along with any FA-HA authentication extension, before appending the new Challenge extension to the Registration Reply.
Suppose the Registration Reply includes a Challenge extension from the Home Agent, and the foreign agent wishes to include another Challenge extension with the Registration Reply for use by the mobile node. In that case, the foreign agent MUST delete the Challenge extension from the Home Agent from the Registration Reply, along with any FA-HA authentication extension, before appending the new Challenge extension to the Registration Reply.
3.4. Home Agent Processing for the Challenge Extensions
3.4. Home Agent Processing for the Challenge Extensions
If the Home Agent receives a Registration Request with the MN-FA Challenge extension, and recognizes the extension, the Home Agent MUST include the Challenge extension in the Registration Reply. The Challenge Extension MUST be placed after the Mobile-Home authentication extension, and the extension SHOULD be authenticated by a Foreign-Home Authentication extension.
If the Home Agent receives a Registration Request with the MN-FA Challenge extension, and recognizes the extension, the Home Agent MUST include the Challenge extension in the Registration Reply. The Challenge Extension MUST be placed after the Mobile-Home authentication extension, and the extension SHOULD be authenticated by a Foreign-Home Authentication extension.
Since the extension type for the Challenge extension is within the range 128-255, the Home Agent MUST process such a Registration Request even if it does not recognize the Challenge extension [8]. In this case, the Home Agent will send a Registration Reply to the Foreign Agent that does not include the Challenge extension.
Since the extension type for the Challenge extension is within the range 128-255, the Home Agent MUST process such a Registration Request even if it does not recognize the Challenge extension [8]. In this case, the Home Agent will send a Registration Reply to the Foreign Agent that does not include the Challenge extension.
4. MN-FA Challenge Extension
4. MN-FA Challenge Extension
This section specifies a new Mobile IP Registration extension that is used to satisfy a Challenge in an Agent Advertisement. The Challenge extension to the Registration Request message is used to indicate the challenge that the mobile node is attempting to satisfy.
This section specifies a new Mobile IP Registration extension that is used to satisfy a Challenge in an Agent Advertisement. The Challenge extension to the Registration Request message is used to indicate the challenge that the mobile node is attempting to satisfy.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Challenge... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Challenge... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The MN-FA Challenge Extension
Figure 2: The MN-FA Challenge Extension
Type 132 (skippable) (see [8])
Type 132 (skippable) (see [8])
Length Length of the Challenge value
Length Length of the Challenge value
Perkins & Calhoun Standards Track [Page 7] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 7] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Challenge The Challenge field is copied from the Challenge field found in the Agent Advertisement Challenge extension (see section 2).
Challenge The Challenge field is copied from the Challenge field found in the Agent Advertisement Challenge extension (see section 2).
5. Generalized Mobile IP Authentication Extension
5. Generalized Mobile IP Authentication Extension
Several new authentication extensions have been designed for various control messages proposed for extensions to Mobile IP (see, for example, [9]). A new authentication extension is required for a mobile node to present its credentials to any other entity other than the ones already defined; the only entities defined in the base Mobile IP specification [8] are the home agent and the foreign agent. It is the purpose of the generalized authentication extension defined here to collect together data for all such new authentication applications into a single extension type with subtypes.
Several new authentication extensions have been designed for various control messages proposed for extensions to Mobile IP (see, for example, [9]). A new authentication extension is required for a mobile node to present its credentials to any other entity other than the ones already defined; the only entities defined in the base Mobile IP specification [8] are the home agent and the foreign agent. It is the purpose of the generalized authentication extension defined here to collect together data for all such new authentication applications into a single extension type with subtypes.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Subtype | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Authenticator ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Subtype | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Authenticator ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: The Generalized Mobile IP Authentication Extension
Figure 3: The Generalized Mobile IP Authentication Extension
Type 36 (not skippable) (see [8])
Type 36 (not skippable) (see [8])
Subtype a number assigned to identify the kind of endpoints or characteristics of the particular authentication strategy
Subtype a number assigned to identify the kind of endpoints or characteristics of the particular authentication strategy
Length 4 plus the number of bytes in the Authenticator; MUST be at least 20.
Length 4 plus the number of bytes in the Authenticator; MUST be at least 20.
SPI Security Parameters Index
SPI Security Parameters Index
Authenticator The variable length Authenticator field
Authenticator The variable length Authenticator field
In this document, only one subtype is defined:
In this document, only one subtype is defined:
1 MN-AAA Authentication subtype (see section 6)
1 MN-AAA Authentication subtype (see section 6)
Perkins & Calhoun Standards Track [Page 8] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 8] RFC 3012 Mobile IPv4 Challenge/Response November 2000
6. MN-AAA Authentication subtype
6. MN-AAA Authentication subtype
The Generalized Authentication extension with subtype 1 will be referred to as a MN-AAA Authentication extension. If the mobile node does not include a Mobile-Foreign Authentication [8] extension, then it MUST include the MN-AAA Authentication extension whenever the Challenge extension is present. If the MN-AAA Authentication extension is present, then the Registration Message sent by the mobile node MUST contain the Mobile-HA Authentication extension [8] if it shares a security association with the Home Agent. If present, the Mobile-HA Authentication Extension MUST appear prior to the MN- AAA Authentication extension. The mobile node MAY include a MN-AAA Authentication extension in any Registration Request. The corresponding response MUST include the MN-HA Authentication Extension, and MUST NOT include the MN-AAA Authentication Extension.
The Generalized Authentication extension with subtype 1 will be referred to as a MN-AAA Authentication extension. If the mobile node does not include a Mobile-Foreign Authentication [8] extension, then it MUST include the MN-AAA Authentication extension whenever the Challenge extension is present. If the MN-AAA Authentication extension is present, then the Registration Message sent by the mobile node MUST contain the Mobile-HA Authentication extension [8] if it shares a security association with the Home Agent. If present, the Mobile-HA Authentication Extension MUST appear prior to the MN- AAA Authentication extension. The mobile node MAY include a MN-AAA Authentication extension in any Registration Request. The corresponding response MUST include the MN-HA Authentication Extension, and MUST NOT include the MN-AAA Authentication Extension.
The default algorithm for computation of the authenticator is HMAC- MD5 [5] computed on the following data, in the order shown:
The default algorithm for computation of the authenticator is HMAC- MD5 [5] computed on the following data, in the order shown:
Preceding Mobile IP data || Type, Subtype, Length, SPI
Preceding Mobile IP data || Type, Subtype, Length, SPI
where the Type, Length, Subtype, and SPI are as shown in section 5. The resulting function call, as described in [5], would be:
where the Type, Length, Subtype, and SPI are as shown in section 5. The resulting function call, as described in [5], would be:
hmac_md5(data, datalen, Key, KeyLength, authenticator);
hmac_md5(data, datalen, Key, KeyLength, authenticator);
Each mobile node MUST support the ability to produce the authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, this default algorithm MUST be able to be configured for selection at any arbitrary 32-bit SPI outside of the SPIs in the reserved range 0-255.
Each mobile node MUST support the ability to produce the authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, this default algorithm MUST be able to be configured for selection at any arbitrary 32-bit SPI outside of the SPIs in the reserved range 0-255.
7. Reserved SPIs for Mobile IP
7. Reserved SPIs for Mobile IP
Mobile IP defines several authentication extensions for use in Registration Requests and Replies. Each authentication extension carries a Security Parameters Index (SPI) which should be used to index a table of security associations. Values in the range 0 - 255 are reserved for special use. A list of reserved SPI numbers is to be maintained by IANA at the following URL:
Mobile IP defines several authentication extensions for use in Registration Requests and Replies. Each authentication extension carries a Security Parameters Index (SPI) which should be used to index a table of security associations. Values in the range 0 - 255 are reserved for special use. A list of reserved SPI numbers is to be maintained by IANA at the following URL:
http://www.iana.org/numbers.html
http://www.iana.org/numbers.html
Perkins & Calhoun Standards Track [Page 9] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 9] RFC 3012 Mobile IPv4 Challenge/Response November 2000
8. SPI For RADIUS AAA Servers
8. SPI For RADIUS AAA Servers
Some AAA servers only admit a single security association, and thus do not use the SPI numbers for Mobile IP authentication extensions for use when determining the security association that would be necessary for verifying the authentication information included with the Authentication extension.
Some AAA servers only admit a single security association, and thus do not use the SPI numbers for Mobile IP authentication extensions for use when determining the security association that would be necessary for verifying the authentication information included with the Authentication extension.
SPI number CHAP_SPI (see section 9) is reserved (see section 7) for indicating the following procedure for computing authentication data (called the "authenticator"), which is used by many RADIUS servers [10] today.
SPI number CHAP_SPI (see section 9) is reserved (see section 7) for indicating the following procedure for computing authentication data (called the "authenticator"), which is used by many RADIUS servers [10] today.
To compute the authenticator, apply MD5 [11] computed on the following data, in the order shown:
To compute the authenticator, apply MD5 [11] computed on the following data, in the order shown:
High-order byte from Challenge || Key || MD5(Preceding Mobile IP data || Type, Subtype (if present), Length, SPI) || Least-order 237 bytes from Challenge
High-order byte from Challenge || Key || MD5(Preceding Mobile IP data || Type, Subtype (if present), Length, SPI) || Least-order 237 bytes from Challenge
where the Type, Length, SPI, and possibly Subtype, are the fields of the authentication extension in use. For instance, all four of these fields would be in use when SPI == CHAP_SPI is used with the Generalized Authentication extension. Since the RADIUS protocol cannot carry attributes greater than 253 in size, the preceding Mobile IP data, type, subtype (if present), length and SPI are hashed using MD5. Finally, the least significant 237 bytes of the challenge are concatenated.
where the Type, Length, SPI, and possibly Subtype, are the fields of the authentication extension in use. For instance, all four of these fields would be in use when SPI == CHAP_SPI is used with the Generalized Authentication extension. Since the RADIUS protocol cannot carry attributes greater than 253 in size, the preceding Mobile IP data, type, subtype (if present), length and SPI are hashed using MD5. Finally, the least significant 237 bytes of the challenge are concatenated.
9. Configurable Parameters
9. Configurable Parameters
Every Mobile IP agent supporting the extensions defined in this document SHOULD be able to configure each parameter in the following table. Each table entry contains the name of the parameter, the default value, and the section of the document in which the parameter first appears.
Every Mobile IP agent supporting the extensions defined in this document SHOULD be able to configure each parameter in the following table. Each table entry contains the name of the parameter, the default value, and the section of the document in which the parameter first appears.
Parameter Name Default Value Section(s) of Document -------------- ------------- ---------------------- CHALLENGE_WINDOW 2 3.2 CHAP_SPI 2 8
Parameter Name Default Value Section(s) of Document -------------- ------------- ---------------------- CHALLENGE_WINDOW 2 3.2 CHAP_SPI 2 8
10. Error Values
10. Error Values
Each entry in the following table contains the name of Code [8] to be returned in a Registration Reply, the value for the Code, and the section in which the error is first mentioned in this specification.
Each entry in the following table contains the name of Code [8] to be returned in a Registration Reply, the value for the Code, and the section in which the error is first mentioned in this specification.
Perkins & Calhoun Standards Track [Page 10] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Perkins & Calhoun Standards Track [Page 10] RFC 3012 Mobile IPv4 Challenge/Response November 2000
Error Name Value Section of Document ---------------------- ----- ------------------- UNKNOWN_CHALLENGE 104 3.2 BAD_AUTHENTICATION 67 3.2 - also see [8] MISSING_CHALLENGE 105 3.1,3.2 STALE_CHALLENGE 106 3.2
Error Name Value Section of Document ---------------------- ----- ------------------- UNKNOWN_CHALLENGE 104 3.2 BAD_AUTHENTICATION 67 3.2 - also see [8] MISSING_CHALLENGE 105 3.1,3.2 STALE_CHALLENGE 106 3.2
11. IANA Considerations
11. IANA Considerations
The Generalized Mobile IP Authentication extension defined in Section 5 is a Mobile IP registration extension as defined in RFC 2002 [8] and extended in RFC 2356 [7]. IANA should assign a value of 36 for this extension.
The Generalized Mobile IP Authentication extension defined in Section 5 is a Mobile IP registration extension as defined in RFC 2002 [8] and extended in RFC 2356 [7]. IANA should assign a value of 36 for this extension.
A new number space is to be created for enumerating subtypes of the Generalized Authentication extension (see section 5). New subtypes of the Generalized Authentication extension, other than the number (1) for the MN-AAA authentication extension specified in section 6, must be specified and approved by a designated expert.
新しい数のスペースはGeneralized Authentication拡張子の血液型亜型を列挙するために作成される(セクション5を見てください)ことです。 セクション6で指定されたミネソタ-AAA認証拡大の数(1)を除いて、指定された専門家は、Generalized Authentication拡張子の新しい血液型亜型を指定されて、承認しなければなりません。
The MN-FA Challenge Extension defined in Section 4 is a router advertisement extension as defined in RFC 1256 [3] and extended in RFC 2002 [8]. IANA should assign a value of 132 for this purpose.
セクションで定義されたミネソタ-FA Challenge Extension4はRFC1256[3]で定義されて、RFC2002[8]で広げられるようにルータ通知拡大です。 IANAはこのために132の値を割り当てるはずです。
The Code values defined in Section 10 are error codes as defined in RFC 2002 [8] and extended in RFC 2344 [6] and RFC 2356 [7]. They correspond to error values conventionally associated with rejection by the foreign agent (i.e., values from the range 64-127). The Code value 67 is a pre-existing value which is to be used in some cases with the extension defined in this specification. IANA should record the values as defined in Section 10.
セクション10で定義されたCode値はRFC2002[8]で定義されて、RFC2344[6]とRFC2356[7]で広げられるようにエラーコードです。 彼らは慣習上外国人のエージェント(すなわち、範囲64-127からの値)による拒絶に関連している誤り値に対応します。 Code値67はいくつかの場合、この仕様に基づき定義される拡大と共に使用されることである先在の値です。 IANAはセクション10で定義されるように値を記録するはずです。
A new section for enumerating algorithms identified by specific SPIs within the range 0-255 is to be added to
範囲0-255の中の特定のSPIsによって特定されたアルゴリズムを列挙するための新しいセクションに追加されることになっています。
http://www.isi.edu/in-notes/iana/assignments/mobileip-numbers.
http://www.isi.edu/in-notes/iana/assignments/mobileip-numbers 。
The CHAP_SPI number (2) discussed in section 8 is to be assigned from this range of reserved SPI numbers. New assignments from this reserved range must be specified and approved by the Mobile IP working group. SPI number 1 should not be assigned unless in the future the Mobile IP working group decides that SKIP is not important for enumeration in the list of reserved numbers. SPI number 0 should not be assigned.
セクション8で議論したCHAP_SPI番号(2)はこの範囲の予約されたSPI番号から割り当てられることです。 モバイルIPワーキンググループは、この予約された範囲からの新しい課題を指定されて、承認しなければなりません。 モバイルIPワーキンググループが、将来予約された数のリストにおける列挙には、SKIPが重要でないと決めない場合、SPI No.1を割り当てるべきではありません。 SPI No.0を割り当てるべきではありません。
Perkins & Calhoun Standards Track [Page 11] RFC 3012 Mobile IPv4 Challenge/Response November 2000
IPv4挑戦/応答2000年11月のモバイルのパーキンスとカルフーン標準化過程[11ページ]RFC3012
12. Security Considerations
12. セキュリティ問題
In the event that a malicious mobile node attempts to replay the authenticator for an old MN-FA Challenge, the Foreign Agent would detect it since the agent always checks whether it has recently advertised the Challenge (see section 3.2). Allowing mobile nodes with different IP addresses or NAIs to use the same Challenge value does not represent a security vulnerability, because the authentication data provided by the mobile node will be computed over data that is different (at least by the bytes of the mobile nodes' IP addresses).
悪意があるモバイルノードが、古いミネソタ-FA Challengeのために固有識別文字を再演するのを試みる場合、エージェントが、いつもそれが最近Challengeの広告を出したかどうか(セクション3.2を見てください)チェックするので、Foreignエージェントはそれを検出するでしょう。 異なったIPのアドレスかNAIsとのモバイルノードが同じChallenge値を使用するのを許容するのがセキュリティの脆弱性を表しません、モバイルノードによって提供された認証データが異なった(少なくともモバイルノードのIPアドレスのバイトの)データに関して計算されるので。
Whenever a Foreign Agent updates a field of the Registration Reply (as suggested in section 3.2), it invalidates the authentication data supplied by the Home Agent in the MN-HA Authentication extension to the Registration Reply. Thus, this opens up a security exposure whereby a node might try to supply a bogus Registration Reply to a mobile node that causes the mobile node to act as if its Registration Reply were rejected. This might happen when, in fact, a Registration Reply showing acceptance of the registration might soon be received by the mobile node.
ForeignエージェントがRegistration Replyの分野をアップデートする(セクション3.2で示されるように)ときはいつも、それはホームのエージェントによってミネソタ-HA Authentication拡張子でRegistration Replyに提供された認証データを無効にします。 したがって、これはノードがまるでRegistration Replyが拒絶されるかのようにモバイルノードが行動するモバイルノードににせのRegistration Replyを供給しようとするかもしれないセキュリティ暴露を開けます。 事実上、すぐモバイルノードで登録の承認を示しているRegistration Replyを受け取るかもしれないとき、これは起こるかもしれません。
If the foreign agent chooses a Challenge value (see section 2) with fewer than 4 bytes, the foreign agent SHOULD maintain records that also the Identification field for the mobile node. The foreign agent can then find assurance that the Registration messages using the short Challenge value are in fact unique, and thus assuredly not replayed from any earlier registration.
外国人のエージェントが4バイト未満でChallenge値を選ぶなら(セクション2を見ます)、外国人のエージェントSHOULDは、記録がそれであると主張します。モバイルノードのためのIdentification分野も。 そして、外国人のエージェントは短いChallenge値を使用するRegistrationメッセージが事実上、ユニークであって、どんな以前の登録からもこのようにして確かに再演されていないという保証を見つけることができます。
Section 8 (SPI For RADIUS AAA Servers) defines a method of computing the Generalized Mobile IP Authentication Extension's authenticator field using MD5 in a manner that is consistent with RADIUS [10]. The use of MD5 in the method described in Section 8 is less secure than HMAC-MD5 [5], and should be avoided whenever possible.
セクション8(SPI For RADIUS AAA Servers)はRADIUS[10]と一致した方法でMD5を使用することでGeneralizedのモバイルIP Authentication Extensionの固有識別文字分野を計算するメソッドを定義します。 セクション8で説明されたメソッドにおけるMD5の使用は、HMAC-MD5[5]ほど安全でなく、可能であるときはいつも、避けられるべきです。
13. Acknowledgements
13. 承認
The authors would like to thank Tom Hiller, Mark Munson, the TIA TR45-6 WG, Gabriel Montenegro, Vipul Gupta, and Pete McCann for their useful discussions. A recent draft by Mohamed Khalil, Raja Narayanan, Emad Qaddoura, and Haseeb Akhtar has also suggested the definition of a generalized authentication extension similar to the specification contained in section 5.
作者は彼らの役に立つ議論についてTIA TR45-6 WG、ガブリエル・モンテネグロ・トム・ヒラー、マーク・ムンソン、Vipulグプタ、およびピートマッキャンに感謝したがっています。 また、モハメド・カリル、Rajaナラヤナン、Emad Qaddoura、およびHaseeb Akhtarによる最近の草稿はセクション5に含まれた仕様と同様の一般化された認証拡大の定義を示しました。
Perkins & Calhoun Standards Track [Page 12] RFC 3012 Mobile IPv4 Challenge/Response November 2000
IPv4挑戦/応答2000年11月のモバイルのパーキンスとカルフーン標準化過程[12ページ]RFC3012
References
参照
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[1] ブラドナー、S.、「Indicate Requirement LevelsへのRFCsにおける使用のためのキーワード」、BCP14、RFC2119、1997年3月。
[2] Calhoun, P. and C. Perkins. "Mobile IP Network Access Identifier Extension for IPv4", RFC 2794, January 2000.
[2] カルフーン、P.、およびC.パーキンス。 「IPv4"のためのモバイルIPネットワークアクセス識別子拡張子、RFC2794、2000年1月。」
[3] Deering, S., "ICMP Router Discovery Messages", RFC 1256, September 1991.
[3] デアリング、S.、「ICMPルータ発見メッセージ」、RFC1256、1991年9月。
[4] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.
[4] イーストレークとD.とクロッカーとS.とJ.シラー、「セキュリティのための偶発性推薦」、RFC1750、1994年12月。
[5] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[5]Krawczyk、H.、Bellare、M.、およびR.カネッティ、「HMAC:」 「通報認証のための合わせられた論じ尽くす」RFC2104、1997年2月。
[6] Montenegro, G., "Reverse Tunneling for Mobile IP", RFC 2344, May 1998.
[6] モンテネグロ(G.、「モバイルIPのための逆のトンネリング」、RFC2344)は1998がそうするかもしれません。
[7] Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal for Mobile IP", RFC 2356, June 1998.
[7] モンテネグロ、G.、および「モバイルIPのためのSunのスキップファイアウォール縦断」、RFC2356、1998年6月対グプタ
[8] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
[8] パーキンス、C.、「IP移動性サポート」、RFC2002、1996年10月。
[9] Perkins, C. and D. Johnson, "Route Optimization in Mobile IP", Work in Progress.
[9] 「モバイルIPにおける経路最適化」というパーキンス、C.、およびD.ジョンソンは進行中で働いています。
[10] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.
[10]RigneyとC.とルーベンとA.とシンプソン、W.とS.ウィレンス、「ユーザサービス(半径)におけるリモート認証ダイヤル」RFC2138(1997年4月)。
[11] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[11] 1992年4月、最もRivestなR.、「MD5メッセージダイジェストアルゴリズム」RFC1321。
[12] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.
[12] シンプソン、W.、「pppチャレンジハンドシェイク式認証プロトコル(やつ)」、RFC1994、1996年8月。
Perkins & Calhoun Standards Track [Page 13] RFC 3012 Mobile IPv4 Challenge/Response November 2000
IPv4挑戦/応答2000年11月のモバイルのパーキンスとカルフーン標準化過程[13ページ]RFC3012
A. Verification Infrastructure
A。 検証インフラストラクチャ
The Challenge extensions in this protocol specification are expected to be useful to help the Foreign Agent manage connectivity for visiting mobile nodes, even in situations where the foreign agent does not have any security association with the mobile node or the mobile node's home agent. In order to carry out the necessary authentication, it is expected that the foreign agent will need the assistance of external administrative systems, which have come to be called AAA systems. For the purposes of this document, we call the external administrative support the "verification infrastructure". The verification infrastructure is described to motivate the design of the protocol elements defined in this document, and is not strictly needed for the protocol to work. The foreign agent is free to use any means at its disposal to verify the credentials of the mobile node. This could, for instance, rely on a separate protocol between the foreign agent and the Mobile IP home agent, and still be completely invisible to the mobile node.
このプロトコル仕様に基づくChallenge拡張子がForeignエージェントが訪問のモバイルノードのために接続性を管理するのを助けるために役に立つと予想されます、外国人のエージェントがモバイルノードとのどんなセキュリティ協会かモバイルノードのホームのエージェントもいない状況でさえ。 必要な認証を行うために、外国人のエージェントが、外部の管理システムの支援がAAAシステムと呼ばれる必要であると予想されます。システムは来ました。このドキュメントの目的のために、私たちは、外部の管理サポートを「検証インフラストラクチャ」と呼びます。 検証インフラストラクチャは、本書では定義されたプロトコル要素のデザインを動機づけるために説明されて、プロトコルが働くのに厳密に必要ではありません。 外国人のエージェントは自由にモバイルノードの資格証明書について確かめる自由におけるどんな手段も使用できます。 例えば、これは、外国人のエージェントとモバイルIPホームのエージェントの間で別々のプロトコルを当てにして、まだモバイルノードに完全に目に見えないかもしれません。
In order to verify the credentials of the mobile node, we imagine that the foreign agent has access to a verification infrastructure that can return a secure notification to the foreign agent that the authentication has been performed, along with the results of that authentication. This infrastructure may be visualized as shown in figure 4.
モバイルノードの資格証明書について確かめるために、私たちは、外国人のエージェントが認証が実行されたという外国人のエージェントへの安全な通知を返すことができる検証インフラストラクチャに近づく手段を持っていると想像します、その認証の結果と共に。 4が中で計算するのが示されるようにこのインフラストラクチャは想像されるかもしれません。
+----------------------------------------------------+ | | | Verification and Key Management Infrastructure | | | +----------------------------------------------------+ ^ | ^ | | | | | | v | v +---------------+ +---------------+ | | | | | Foreign Agent | | Home Agent | | | | | +---------------+ +---------------+
+----------------------------------------------------+ | | | 検証とKey Managementインフラストラクチャ| | | +----------------------------------------------------+ ^ | ^ | | | | | | v| +に対して---------------+ +---------------+ | | | | | 外国人のエージェント| | ホームのエージェント| | | | | +---------------+ +---------------+
Figure 4: The Verification Infrastructure
図4: 検証インフラストラクチャ
After the foreign agent gets the Challenge authentication, it MAY pass the authentication to the (here unspecified) infrastructure, and await a Registration Reply. If the Reply has a positive status (indicating that the registration was accepted), the foreign agent
外国人のエージェントがChallenge認証を得た後に、認証を通過するかもしれない、(ここ、不特定である、)、インフラストラクチャ、Registration Replyを待ってください。 Replyに陽性反応(登録が受け入れられたのを示す)、外国人のエージェントがいるなら
Perkins & Calhoun Standards Track [Page 14] RFC 3012 Mobile IPv4 Challenge/Response November 2000
IPv4挑戦/応答2000年11月のモバイルのパーキンスとカルフーン標準化過程[14ページ]RFC3012
accepts the registration. If the Reply contains the Code value BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions indicated for rejected registrations.
登録を受け入れます。 ReplyがCode値のBAD_AUTHENTICATIONを含んでいるなら(セクション10を見てください)、外国人のエージェントは拒絶された登録証明書のために示された行動を取ります。
Implicit in this picture, is the important observation that the Foreign Agent and the Home Agent have to be equipped to make use of whatever protocol is made available to them by the challenge verification and key management infrastructure shown in the figure.
この画像で暗黙であり、挑戦検証とかぎ管理インフラストラクチャでそれらに利用可能にされるどういったプロトコルを利用するためにForeignエージェントとホームのエージェントに持たせなければならないという重要な観測は図に示されますか?
The protocol messages for handling the authentication within the verification infrastructure, and identity of the agent performing the verification of the Foreign Agent challenge, are not specified in this document, because those operations do not have to be performed by any Mobile IP entity.
検証インフラストラクチャの中で認証を扱うことへのプロトコルメッセージ、およびForeignエージェント挑戦の検証を実行しているエージェントのアイデンティティは本書では指定されません、それらの操作がどんなモバイルIP実体によっても実行される必要はないので。
Addresses
アドレス
The working group can be contacted via the current chairs:
現在のいすを通してワーキンググループに連絡できます:
Basavaraj Patil Nokia Corporation 6000 Connection Drive M/S M8-540 Irving, Texas 75039 USA
Basavarajパティルノキア社6000の接続ドライブM/S M8-540テキサス75039アービング(米国)
Phone: +1 972-894-6709 Fax : +1 972-894-5349 EMail: Basavaraj.Patil@nokia.com
以下に電話をしてください。 +1 972-894-6709 ファックスで以下を送ってください。 +1 972-894-5349 メールしてください: Basavaraj.Patil@nokia.com
Phil Roberts Motorola 1501 West Shure Drive Arlington Heights, IL 60004 USA
西シュアー・Driveフィル・ロバーツ・モトローラ1501IL60004アーリントンハイツ(米国)
Phone:+1 847-632-3148 EMail: QA3445@email.mot.com
電話: +1 847-632-3148 メールしてください: QA3445@email.mot.com
Perkins & Calhoun Standards Track [Page 15] RFC 3012 Mobile IPv4 Challenge/Response November 2000
IPv4挑戦/応答2000年11月のモバイルのパーキンスとカルフーン標準化過程[15ページ]RFC3012
Questions about this memo can also be directed to the authors:
また、このメモに関する質問を作者に向けることができます:
Charles E. Perkins Communications Systems Lab Nokia Research Center 313 Fairchild Drive Mountain View, California 94043 USA
チャールズE.パーキンス通信網研究室ノキアリサーチセンター313フェアチャイルド・Driveカリフォルニア94043マウンテンビュー(米国)
Phone: +1-650 625-2986 Fax: +1 650 625-2502 EMail: charliep@iprg.nokia.com
以下に電話をしてください。 +1-650 625-2986Fax: +1 650 625-2502 メールしてください: charliep@iprg.nokia.com
Pat R. Calhoun Network & Security Center Sun Microsystems Laboratories 15 Network Circle Menlo Park, California 94025 USA
パットR.カルフーンネットワークとセキュリティセンターサン・マイクロシステムズ研究所15ネットワーク円のカリフォルニア94025メンローパーク(米国)
Phone: +1 650-786-7733 Fax: +1 650-786-6445 EMail: pcalhoun@eng.sun.com
以下に電話をしてください。 +1 650-786-7733Fax: +1 650-786-6445 メールしてください: pcalhoun@eng.sun.com
Perkins & Calhoun Standards Track [Page 16] RFC 3012 Mobile IPv4 Challenge/Response November 2000
IPv4挑戦/応答2000年11月のモバイルのパーキンスとカルフーン標準化過程[16ページ]RFC3012
Full Copyright Statement
完全な著作権宣言文
Copyright (C) The Internet Society (2000). All Rights Reserved.
Copyright(C)インターネット協会(2000)。 All rights reserved。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
それに関するこのドキュメントと翻訳は、コピーして、それが批評するか、またはそうでなければわかる他のもの、および派生している作品に提供するか、または準備されているかもしれなくて、コピーされて、発行されて、全体か一部分配された実装を助けるかもしれません、どんな種類の制限なしでも、上の版権情報とこのパラグラフがそのようなすべてのコピーと派生している作品の上に含まれていれば。 しかしながら、このドキュメント自体は何らかの方法で変更されないかもしれません、インターネット協会か他のインターネット組織の版権情報か参照を取り除くのなどように、それを英語以外の言語に翻訳するのが著作権のための手順がインターネットStandardsプロセスで定義したどのケースに従わなければならないか、必要に応じてさもなければ、インターネット標準を開発する目的に必要であるのを除いて。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上に承諾された限られた許容は、永久であり、インターネット協会、後継者または案配によって取り消されないでしょう。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
このドキュメントとそして、「そのままで」という基礎とインターネットの振興発展を目的とする組織に、インターネット・エンジニアリング・タスク・フォースが速達の、または、暗示しているすべての保証を放棄するかどうかというここにことであり、他を含んでいて、含まれて、情報の使用がここに侵害しないどんな保証も少しもまっすぐになるという情報か市場性か特定目的への適合性のどんな黙示的な保証。
Acknowledgement
承認
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC Editor機能のための基金は現在、インターネット協会によって提供されます。
Perkins & Calhoun Standards Track [Page 17]
パーキンスとカルフーン標準化過程[17ページ]
一覧
スポンサーリンク