JUNHYUK SONG                                              INTERNET DRAFT
CHAEYOUNG CHONG                                            November 2001
SAMSUNG ELECTRONICS.
DONGKIE LEE
SK TELECOM

            MIPv6 User Authentication support through AAA
        draft-song-mobileip-mipv6-user-authentication-00.txt

Status of This Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at:
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at:
   http://www.ietf.org/shadow.html.

Abstract

   The demand for wireless mobile networking has increased dramatically
   thanks to the rapid development of wireless technology and the de
   facto Mobile IP technology. Mobile IP, as originally specified,
   defines the protocol enhancements that provide IP mobility over the
   Internet. The mobile node, identified by its Home Address regardless
   of its point of attachment, can have IP datagrams routed to it
   transparently. However, it is also necessary to provide User Mobility
   in today's wireless mobile networks. The user authentication defined
   in this document helps the user originate and terminate packets
   regardless of the location of the mobile terminal, and without a home
   address, through the AAA infrastructure. This document specifies the
   mechanism for MN-AAA authentication in Mobile IPv6 to support IP User
   Mobility.

Song and Chong.             Expires May 2002                   [Page 1]

Internet Draft                                         14 November 2001

1. Introduction

   The demand for wireless mobile networking has increased dramatically
   thanks to the rapid development of wireless technology and the de
   facto Mobile IP technology. Mobile IP, as originally specified,
   defines the protocol enhancements that provide IP mobility over the
   Internet. The mobile node, identified by its Home Address regardless
   of its point of attachment, can have IP datagrams routed to it
   transparently. However, it is also necessary to provide User Mobility
   in today's wireless mobile networks. The user authentication defined
   in this document helps the user originate and terminate packets,
   regardless of the location of the mobile terminal and without a home
   address, through the AAA infrastructure. This document specifies the
   mechanism for UI-AAA authentication in Mobile IPv6 to support IP User
   Mobility.

   Since the NAI [3] is already used in Mobile IPv4, this document
   presumes that the Mobile IP NAI extension [2] will continue to serve
   in the Mobile IPv6 world to identify users for Authentication,
   Authorization, and Accounting service.

1.2 Goal and Note

   The goal of this document is to achieve user authentication for
   Mobile IPv6 [8]. Detailed descriptions of the destination options
   described in this document, and of other protocol mechanisms, are out
   of the scope of this document and will be given in other documents.

1.3 Assumptions

   This document assumes AAA based on the DIAMETER protocol [7] that
   supports Mobile IPv6, Mobile IPv6 UI-AAA user authentication, and the
   Link Local Router Challenge (LLRC).

   This document assumes that the home AAA server and the Mobile Node
   have mutual trust and share the same secret key for UI-AAA
   Authentication.

   This document assumes that Mobile IPv6 will support the NAI
   destination option for user mobility.

   This document assumes the new IPv6 Agent Advertisement option, the
   Link Local Router Challenge (LLRC).
1.4 Terminology

   This document frequently uses the following terms:

   AAA
      The server performing Authentication, Authorization, and
      Accounting service.

   Link Local Router Challenge (LLRC)
      The challenge selected by the Link Local Router and inserted in
      the Agent Advertisement as an option to prevent possible replay
      attacks.

   User Mobility Agent (UMA)
      A router on the user's Home Network which dynamically updates the
      location of the user, that is, the entry for the User Identifier
      (UI) with the current IP address of the mobile node.

   User Identifier (UI)
      The identifier made of the concatenation of User ID and realm. It
      is used for user authentication for access permission and
      indicates the current location of the user.

   UI-AAA
      The authentication of the user toward the AAA.

2. Basic Operation

2.1 MN-AAA Authentication generation

   The link local router which supports MIPv6 [8] MAY send an Agent
   Advertisement with the Link Local Router Challenge (LLRC) option. The
   challenge is at least 32 bits long and is selected by the Link Local
   Router to prevent possible replay attacks.

   Upon receipt of the Agent Advertisement, the Mobile Node shall
   generate a Binding Update message with the NAI and LLRC destination
   options. The Mobile Node shall compute the MN-AAA authenticator from
   the following fields of the IPv6 header and destination options. The
   authenticator provides user authentication and message integrity
   while preventing replay attacks.

   - Destination IP Address of the IPv6 header
   - Care-of Address, in the Source IP Address of the IPv6 header
   - Home Address, from the Home Address Destination option (if
     available)
   * NAI, from the NAI Destination option
   * LLRC, from the Agent Advertisement
   - Option Type of the Binding Update destination option
   - Option Length of the Binding Update destination option
   - All flags of the Binding Update destination option
   - Reserved field of the Binding Update option
   - Authentication Data Length of the Binding Update
   - Lifetime of the Binding Update destination option
   - Security Parameters Index (SPI) of the Binding Update
   - Sequence Number field of the Binding Update
   - The entire data from all Binding Update Sub-Options, if any

   [NOTE] Items marked with * are newly defined options.

   The calculated authenticator shall be placed in the Authentication
   Data field of the Binding Update option.

2.2 MN-AAA Authentication

   Upon receipt of a Binding Update message with the new NAI destination
   option, the MIPv6 Link Local Router, which is the client of the AAAF,
   shall create an AA-Mobile-Node-Request (AMR) message containing the
   necessary AVPs, including the LLRC and the whole Binding Update
   message. The AMR message is then sent to the AAAH via the AAAF.

   Upon receipt of the AMR message, the AAAH shall check the MN-AAA
   Authentication data placed in the Authentication Data field of the
   Binding Update option. The AAA shall authenticate the Binding Update
   message according to the SPI of the Binding Update message. If the
   MN-AAA Authentication data is not valid, the AAAH returns an AMA with
   a reject code so that the Link Local Router terminates the service.
   If the user is successfully authenticated, the AAAH returns an AMA
   with an acceptance code while forwarding the Binding Update message
   to the Home Agent or sending a HAR. (See Figure 1.)

   The security of communication between the AAAH and the Home Agent is
   protected with IP security. The establishment of the security
   association is outside the scope of this document.
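   As an added illustration, not part of this draft, the following
   Python sketches the MN-side authenticator computed over the fields
   listed in Section 2.1 and the AAAH-side check of Section 2.2,
   including rejection of a Binding Update that reuses an LLRC. The draft
   leaves the MAC algorithm to the SPI; HMAC-SHA256, the Binding Update
   field widths, the sample addresses, NAI and shared secret are all
   assumptions of this example.

```python
import hmac, hashlib, os, struct, ipaddress

def mn_aaa_input(dst, coa, hoa, nai, llrc, bu):
    """Concatenate the authenticated fields in the order of Section 2.1.
    bu holds the Binding Update option fields; the widths are assumed."""
    parts = [ipaddress.IPv6Address(dst).packed,      # IPv6 Destination Address
             ipaddress.IPv6Address(coa).packed]      # Care-of Address (Source)
    if hoa is not None:                              # Home Address option, if any
        parts.append(ipaddress.IPv6Address(hoa).packed)
    parts += [nai.encode(), llrc]                    # NAI and LLRC options (new)
    parts.append(struct.pack("!BBBBBIII", bu["type"], bu["length"], bu["flags"],
                             bu["reserved"], bu["auth_len"], bu["lifetime"],
                             bu["spi"], bu["seq"]))
    return b"".join(parts) + bu["subopts"]           # all sub-option data, if any

def compute_authenticator(key, *fields):
    """MN side: value for the Authentication Data field. HMAC-SHA256 under the
    MN/AAAH shared secret is an assumption; the draft only says 'per SPI'."""
    return hmac.new(key, mn_aaa_input(*fields), hashlib.sha256).digest()

class AAAH:
    """Home AAA: looks up the key by SPI, verifies the MAC and refuses a
    reused (NAI, LLRC) pair, which is what the challenge exists to catch."""
    def __init__(self, keys_by_spi):
        self.keys = keys_by_spi
        self.seen = set()
    def check(self, dst, coa, hoa, nai, llrc, bu, authenticator, router_challenges):
        key = self.keys.get(bu["spi"])
        if key is None or llrc not in router_challenges:   # unknown SPI / stale LLRC
            return "reject"
        expected = compute_authenticator(key, dst, coa, hoa, nai, llrc, bu)
        if not hmac.compare_digest(expected, authenticator):
            return "reject"                                # forged or altered BU
        if (nai, llrc) in self.seen:
            return "reject"                                # replayed BU
        self.seen.add((nai, llrc))
        return "accept"

def demo():
    """Constructed sample: one fresh Binding Update, then the same one replayed."""
    key = b"constructed-shared-secret"
    aaah = AAAH({0x100: key})
    llrc = os.urandom(4)                 # router-chosen challenge, 32 bits
    bu = {"type": 0xC6, "length": 24, "flags": 0x80, "reserved": 0, "auth_len": 32,
          "lifetime": 600, "spi": 0x100, "seq": 1, "subopts": b""}
    fields = ("2001:db8:1::1", "2001:db8:2::abcd", "2001:db8:1::55",
              "user@example.com", llrc, bu)
    auth = compute_authenticator(key, *fields)
    return (aaah.check(*fields, auth, {llrc}), aaah.check(*fields, auth, {llrc}))
```

   Note that the replay check above keys on the (NAI, LLRC) pair, so a
   router that never rotates its challenge would defeat it; the draft's
   requirement that the router select the challenge is what makes the
   check meaningful.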
                         +--------------+       AMR        +--------------+
                         |              |----------------->|              |
                         |     AAAF     |                  |     AAAH     |
                         |              |<-----------------|              |
                         +--------------+       AMA        +--------------+
                              ^     |                           ^     |
                          AMR |     | AMA                       |     | HAR or AMR
                              |     v                           |     v (Binding Update)
   +------+    Agent     +--------------+                  +--------------+
   |      |Advertisement | MobileIPv6   |                  |              |
   |      | with LLRC    | Link Local   |                  | Mobile IPv6  |
   |  MN  |<------------ | Router       |                  | Home Agent   |
   |      |------------> |              |                  |              |
   |      |Binding Update|              |                  |              |
   |      |with MN-AAA   |              |                  |              |
   |      |<-------------|              |                  |              |
   +------+ Binding Ack  +--------------+                  +--------------+

                     Figure 1: Binding Update Procedures

3. Link Local Router Challenge (LLRC)

   The link local router which supports MIPv6 [8] MAY send an Agent
   Advertisement with the Link Local Router Challenge (LLRC) option. The
   challenge is at least 32 bits long and is selected by the Link Local
   Router to prevent possible replay attacks. This new challenge option
   (Figure 2) is inserted in the Router Advertisement message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |          Challenge...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 2: The Challenge option

   Fields:

   Type       ? (to be assigned; see Section 4)

   Length     The length of the Link Local Router challenge in bytes;
              SHOULD be at least 32.

   Challenge  A random value that SHOULD be at least 32 bits.

4. IANA Consideration

   This document requires a new type number for the LLRC option in the
   Agent Advertisement.

   This document requires a new SPI number for MN-AAA Authentication.

References

   [1] Perkins, C., Editor, "IP Mobility Support", RFC 2002, October
       1996.

   [2] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC
       2486, January 1999.

   [3] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier
       Extension for IPv4", RFC 2794, January 2000.

   [4] Calhoun, P. and C. Perkins, "Mobile IPv4 Challenge/Response
       Extensions", RFC 3012, November 2000.

   [5] Song, J.H., Chong, C.Y. and D.K. Lee,
       draft-song-mobileip-mipv6-user-mobility-00.txt (work in
       progress).

   [6] Song, J.H., Chong, C.Y. and D.K. Lee,
       draft-song-network-user-mobility-00.txt (work in progress).

   [7] Calhoun, P.R. and C. Perkins, "Diameter Mobile IPv4 Application",
       draft-ietf-aaa-diameter-mobileip-07.txt (work in progress).

   [8] Johnson, D.B. and C. Perkins, "Mobility Support in IPv6",
       draft-ietf-mobileip-ipv6-14.txt (work in progress).

Addresses

   Questions about this memo can be directed to the authors:

   JUNHYUK SONG
   SAMSUNG ELECTRONICS.
   Mobile Development Team
   Network Systems Division
   Phone: +82-31-779-6822
   Email: santajun@lycos.co.kr
   FAX: +82-31-7798769

   CHAEYOUNG CHONG
   SAMSUNG ELECTRONICS.
   Mobile Development Team
   Network Systems Division
   Phone: +82-31-779-6822
   Email: cychong@samsung.com

   DONGKIE LEIGH
   SK TELECOM
   Core Network Development Team
   Network R&D Center
   Phone: +82-2-829-4640
   Email: galahad@netsgo.com
   FAX: +82-2-829-4612