Network Working Group M. Nakhjiri, Ed. Internet-Draft Huawei USA Intended status: Standards Track K. Chowdhury Expires: August 4, 2007 Starent Networks A. Lior Bridgewater Systems K. Leung Cisco Systems January 31, 2007 Mobile IPv4 RADIUS requirements draft-ietf-mip4-radius-requirements-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 4, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). Nakhjiri, et al. Expires August 4, 2007 [Page 1] Internet-Draft MIP4REQ January 2007 Abstract This document provides an applicability statement as well as a scope definition for the specification provided in the document "RADIUS Mobile IPv4 extension" and its future revisions hereby collectively referred to as [I-D.nakhjiri-radius-mip4]. The goal is to justify qualification of [I-D.nakhjiri-radius-mip4] as a IETF work item. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. IANA Considerations . . . . . . . . . . . . . . . . . . . . 4 2. security considerations . . . . . . . . . . . . . . . . . . . . 5 3. Normative References . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Intellectual Property and Copyright Statements . . . . . . . . . . 8 Nakhjiri, et al. Expires August 4, 2007 [Page 2] Internet-Draft MIP4REQ January 2007 1. Introduction Mobile IPv4 working group has developed extensions for the registration process[RFC3344]to allow the MN and mobility agents to request assistance from the AAA server in authentication [MIP4CHAL]and creation of security associations [RFC3957] all based on the pre-established trust relationship between the MN and its home AAA server. However, on the AAA side, currently only Diameter provides specification for interaction with Mobile IP agents [RFC4004] In the absence of IETF standardized RADIUS attributes for support of MIPv4, different wireless SDOs have taken the path of developing VSAs. This will cause lack interoperability between these wireless standards, potentially hindering mobility across these wireless networks. To respond to the described issue, the authors have developed a document [I-D.nakhjiri-radius-mip4] that defines a set of attributes to be used for dynamic bootstrapping of MIPv4 parameters through a RADIUS based AAA infrastructure during the Mobile IPv4 Registration procedure. The bootstrapping attributes can include configuration parameters as well as material used for provisioning security of Mobile IPv4 messaging (authentication) as defined by [RFC3957]. The scope of this work is to only standardize RADIUS attributes and to define the procedure by which the Mobile IPv4 agents, e.g. Home agent (HA) and Foreign Agent (FA) map the Mobile IP registration message fields into the proposed RADIUS attributes and vice versa. It is not the intention to extend the functionality of existing RADIUS servers or protocol. More specifically, the following are NON-GOALS: Enhancing security properties of RADIUS (including key transport capabilities) is non-goal. No new security mechanisms are defined in the transport of such Access Requests. The [I-D.nakhjiri-radius-mip4] uses existing RADIUS authentication procedures, e.g. Message-Authenticator (80) described in RFC2869. The security considerations for[I-D.nakhjiri-radius-mip4] are described in a later section of this document. Enhancing reliability or transport properties of RADIUS is a non- goal. No new reliability mechanisms are defined in the transport of such Access Requests. Creating new RADIUS messages types is a non-goal. [I-D.nakhjiri-radius-mip4] is not defining new RADIUS messages. Diameter Mobile IP application[RFC4004] has defined new command codes Nakhjiri, et al. Expires August 4, 2007 [Page 3] Internet-Draft MIP4REQ January 2007 for support of Mobile IP signaling, depending on whether Diameter server is dealing with a Mobile IP HA or an FA. RADIUS currently does not have any messages that correspond to these Diameter commands. Instead, [I-D.nakhjiri-radius-mip4]provides proposals for new RADIUS attributes that facilitates Diameter-RADIUS messaging translation without defining any new RADIUS messaging. At the same time [I-D.nakhjiri-radius-mip4]is re-using Diameter AVPs to the fullest extent possible. Extend RADIUS in a way that fulfills the full list of requirements in RFC 2977 is a non-goal It is however required of the RADIUS servers (and possibly proxies) to be able to understand and process the attributes described in this specification to perform verification of authentication extensions specified in [MIP4CHAL] All RADIUS work MUST be backward compatible with existing RADIUS RFCs, including RFCs 2618-2621, 2865-2869, 3162, 3575, 3576, 3579, and 3580. It is also required of the Mobile IP agents (FA and HA) to operate as RADIUS clients (NASes in context of RFC 2865) when translating RADIUS signaling into Mobile IP signaling and vice versa. Details on the behavior of Mobile IP agents as RADIUS clients are to be provided in [I-D.nakhjiri-radius-mip4] 1.1. Attributes [I-D.nakhjiri-radius-mip4]describes the full set of attributes required for RADIUS-Mobile IP interaction. Some of the attributes are already standardized, while others will require standardization and IANA type assignments. 1.2. IANA Considerations [I-D.nakhjiri-radius-mip4] draft introduces new RADIUS attributes. Therefore there is need for defining new attribute type numbers by IANA. Nakhjiri, et al. Expires August 4, 2007 [Page 4] Internet-Draft MIP4REQ January 2007 2. security considerations The concern of using AAA protocols that use hop-by-hop security (Diameter/RADIUS) to distribute keys is nothing new. In both Diameter and RADIUS the assumption is that intermediary nodes are trusted. However, in the case of Diameter, if the operator chooses not to trust intermediaries, Diameter provides a remedy by utilizing its re-direction mechanism. Note that in the case of Diameter MIPv4 Application using re-directions is optional and not mandatory. RADIUS does not possess a re-direction mechanism and since we are not proposing to add a re-direction mechanism to RADIUS we have to rely on the model that RADIUS intermediary nodes are to be trusted. To protect against MITM attacks, RFC 2868 section 3.5 provides a mechanism for encrypting RADIUS attributes (RFC 2868 section 3.5). Diameter relies purely on IPsec to protect against MITM attacks. It can be argued that the encryption mechanism provided by RADIUS is weak and therefore it is recommended to protect RADIUS transactions using IPsec (e.g. RADIUS protected by IPSec in [RFC3579]). Nakhjiri, et al. Expires August 4, 2007 [Page 5] Internet-Draft MIP4REQ January 2007 3. Normative References [I-D.nakhjiri-radius-mip4] Nakhjiri, M. and Et. Al., "RADIUS Mobile IPv4 extensions, draft-nakhjiri-radius-mip4-02.txt", Internet Draft draft-nakhjiri-radius-mip4-02, October 2005. [MIP4CHAL] Perkins, C. and P. Calhoun, "Mobile IP Challenge/Response Extensions, draft-ietf-mip4-rfc3012bis-05.txt.", January 2006. [RFC2868] Zorn, G., "RADIUS Attributes for Tunnel Protocol Support", June 2000. [RFC2977] Glass, S. and Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", October 2000. [RFC3344] Perkins, C., "IP Mobility Support", August 2002. [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", September 2003. [RFC3957] Perkins, C. and P. Calhoun, "AAA Registration Keys for Mobile IP", March 2005. [RFC4004] Calhoun, P. and C. Perkins, "Diameter Mobile IP application", May 2004. Nakhjiri, et al. Expires August 4, 2007 [Page 6] Internet-Draft MIP4REQ January 2007 Authors' Addresses Madjid Nakhjiri (editor) Huawei USA 12040, 98th AVE NE, suite 200B, Kirkland, WA 98033 USA Email: mnakhjiri@huawei.com Kuntal Chowdhury Starent Networks Email: kchowdhury@starentnetworks.com Avi Lior Bridgewater Systems Email: avi@bridgewatersystems.com Kent Leung Cisco Systems 170 West Tasman Drive San Jose, CA 95134 US Email: kleung@cisco.com Nakhjiri, et al. Expires August 4, 2007 [Page 7] Internet-Draft MIP4REQ January 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Nakhjiri, et al. Expires August 4, 2007 [Page 8]