Network Working Group                                          E. Tacsik
Internet-Draft                                                     Nokia
Expires: March 10, 2004                               September 10, 2003

          PPP Authentication for deploying Mobile IPv6 in cdma2000
                  draft-tacsik-mipv6pppauth-cdma2k-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 10, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   Network access authentication is performed via various protocols.  It
   is in most cases a function of the link layer protocol.  Packet data
   network access authentication in cdma2000 networks is currently
   performed either by PPP or using Mobile IPv4.  Support for Mobile
   IPv6 is planned for Revision D of "cdma2000 Wireless IP Network
   Standard" [1].  This document proposes that the access authentication
   for Mobile IPv6 service in cdma2000 networks be performed using PPP.

Tacsik                   Expires March 10, 2004                 [Page 1]

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Authentication in cdma2000 networks  . . . . . . . . . . . .  4
   3.  Deploying Mobile IPv6 in cdma2000  . . . . . . . . . . . . .  5
   4.  Security Considerations  . . . . . . . . . . . . . . . . . .  7
       Author's Address . . . . . . . . . . . . . . . . . . . . . .  8
       References . . . . . . . . . . . . . . . . . . . . . . . . .  8
   A.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  9
       Intellectual Property and Copyright Statements . . . . . . . 10

1.  Introduction

   cdma2000 networks deployed today offer packet data services that are
   classified as:

   o  Simple IPv4

   o  Simple IPv6

   o  Mobile IPv4

   Simple IPv4 and Simple IPv6 service is similar to the dial-up network
   service offered by most ISPs.  Mobile IPv4 service enables IP
   mobility and is based on RFC2002 [2], defined by the Mobile IP
   working group.  Network access authentication for these services is
   performed by the Packet Data Serving Node (PDSN), which is the PPP
   termination end-point for the client.  Authentication for Simple IPv4
   and Simple IPv6 is based on PPP authentication.  Mobile IPv4 service
   authentication utilizes the Mobile IP Registration Request and
   Registration Reply messages.

   This document proposes the use of PPP authentication when Mobile IPv6
   service is incorporated into cdma2000 networks.

2.  Authentication in cdma2000 networks

   cdma2000 networks can be simplistically viewed as a set of three
   primary entities.  These include:

   o  The radio network, which consists of the Base Station (BS) and
      the Packet Control Function (PCF).

   o  The circuit switched core network, which includes the MSCs
      (Mobile Switching Center), VLRs (Visited Location Register) and
      HLRs (Home Location Register).

   o  The packet data core network, which consists of the PDSN, Home
      Agent (HA) and AAA infrastructure.

   Network access authentication in cdma2000 networks is a two step
   process.  The Mobile Node (MN) is first authenticated by the MSC/VLR.
   Authentication to the MSC/VLR is required both for access to the
   circuit switched network (voice service support) and for access to
   the packet data network.
   The second step involves authentication to the packet data network
   via the PDSN and the RADIUS based AAA infrastructure, or via the Home
   Agent.  This authentication allows the MN to access the packet data
   network.  Currently PPP authentication (using PAP or CHAP) is used
   for authenticating users accessing Simple IP (v4 or v6) service.  If
   the user is configured to use Mobile IPv4, authentication is not
   performed during PPP setup; instead the PDSN (which includes the
   Foreign Agent (FA) functionality) relies on Mobile IP signaling,
   Registration Request and Reply, for authenticating the MN.  For
   Mobile IPv4 service, authentication is based on the challenge/
   response scheme defined in RFC3012 [3].  HMAC-MD5 is the algorithm
   used for computing the authenticator in the case of Mobile IPv4
   service.  In all cases the PDSN relies on a RADIUS backend AAA
   infrastructure for packet data network authentication.

3.  Deploying Mobile IPv6 in cdma2000

   3GPP2 is targeting the inclusion of Mobile IPv6 service in Revision D
   of TIA835.  Applying the access authentication mechanism used in
   MIPv4 presents a problem, since Mobile IPv6 does not have the concept
   of a FA.  Without FA functionality, the PDSN has no mechanism to
   request that the Mobile IPv6 MN authenticate itself (with the PDSN)
   prior to authentication with its HA.  The PDSN can be considered as
   the access router in the home or visited network.  Mobile IPv6
   clients (MNs) have an IPsec based security association with their
   HA, and this security association is the basis for authenticating a
   binding update sent by the MN to the HA.  The MN relies on the access
   router only to obtain a Care-of Address (COA).  As the COA, in the
   case of Mobile IPv6, is co-located, the role of the PDSN in offering
   IP mobility service is diminished.  The fact that IPv6 mobility is
   enabled by the MN and the HA (not the PDSN) raises an issue for
   cdma2000 operators.
   cdma2000 operators require the access network (radio network and the
   PDSN) to authenticate (and authorize) the MN (user) before it is
   allowed to access Mobile IPv6 service.  Hence the MN should
   authenticate with the PDSN prior to initiating Mobile IPv6 signaling.

   PPP is the link-layer protocol for IP connectivity between the MN and
   the PDSN.  In addition to CHAP and PAP, PPP supports other
   authentication schemes, including EAP [4], through the
   Authentication-Protocol Configuration Option [5].  Hence cdma2000
   networks can utilize the capability built into PPP to carry EAP in
   order to authenticate a MN which is requesting Mobile IPv6 service.
   The implication of this is the following two step authentication
   within the packet data network:

   1.  The MN authenticates via PPP with the PDSN using an EAP scheme.

   2.  The MN sends the binding update to its HA and authenticates
       itself via the IPsec SA that exists between the MN and HA.

   This accomplishes the requirement of the access network
   authenticating the Mobile IPv6 capable node.  A successful
   authentication of the MN during PPP setup (using the AAA backend)
   allows the access network to create the necessary charging
   identifiers in the PDSN and subsequently allow Mobile IPv6 service.
   The MN, which configures an IPv6 COA as part of the IPCP phase of
   PPP, then sends the binding update to its HA.

   One added advantage of using the EAP architecture is its
   flexibility.  The EAP protocol can support multiple authentication
   mechanisms without having to pre-negotiate a particular one.
   Although EAP Type 4 (MD5-Challenge) is analogous to using CHAP (as
   used with Simple IP service), stronger authentication methods can
   easily be specified in the future.  EAP also provides the capability
   for key derivation.
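   Step 1 above, worked as an EAP Type 4 (MD5-Challenge) exchange between
   the MN and the PDSN over PPP.  This is an added example, not code from
   the draft or from 3GPP2: the packet layout follows RFC 2284 and the
   hash follows CHAP, while the NAI, the secrets table and the local
   verification standing in for the RADIUS AAA backend are assumptions
   made for illustration.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge type from RFC 2284.  Packets built here
# are constructed for the example, not captured from any PDSN product.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4

def eap_md5_request(identifier, challenge, name=b"pdsn"):
    """PDSN -> MN: Code|Id|Length|Type|Value-Size|Value|Name."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body

def md5_response_value(identifier, secret, challenge):
    """The CHAP-style authenticator: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def eap_md5_response(identifier, secret, challenge, nai):
    """MN -> PDSN: same layout, Value is the hash and Name is the user's NAI."""
    value = md5_response_value(identifier, secret, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + nai
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def parse_eap_md5(packet):
    """Split a Request/Response into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    vsize = packet[5]
    return code, identifier, packet[6:6 + vsize], packet[6 + vsize:]

def pdsn_verify(response, identifier, challenge, secrets):
    """PDSN-side check; a real PDSN forwards NAI, challenge and value to
    the RADIUS AAA backend (assumed local secrets table stands in here)."""
    code, rid, value, nai = parse_eap_md5(response)
    if code != EAP_RESPONSE or rid != identifier or nai not in secrets:
        return False  # wrong packet type, stale identifier or unknown user
    expected = md5_response_value(identifier, secrets[nai], challenge)
    return hmac.compare_digest(value, expected)

def ppp_eap_round(secrets, nai, mn_secret, identifier=1):
    """One PPP authentication phase.  True means the PDSN may let the MN
    proceed to IPCP and to its Mobile IPv6 binding update (step 2)."""
    challenge = os.urandom(16)                # fresh challenge per attempt
    request = eap_md5_request(identifier, challenge)
    _, rid, chal, _ = parse_eap_md5(request)  # MN reads the challenge back
    response = eap_md5_response(rid, mn_secret, chal, nai)
    return pdsn_verify(response, identifier, challenge, secrets)
```

   MD5-Challenge, like CHAP, yields no keying material and is only as
   strong as the shared secret, which is why the draft leaves room for
   stronger EAP methods with key derivation.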
4.  Security Considerations

   This draft proposes the use of PPP and EAP for authenticating a MN
   requesting Mobile IPv6 service with the PDSN in cdma2000 networks.
   The PPP and EAP specifications have already analysed the various
   threats associated with authentication at the link layer.  Mobile
   IPv6 authentication is based on an IPsec SA between the MN and HA,
   and the Mobile IPv6 specification has done an extensive analysis of
   the threats associated with this.  No new threats are introduced by
   this proposal.

References

   [1]  "cdma2000 Wireless IP Network Standard", TIA 835, 2003.

   [2]  Perkins, C., "IPv4 Mobility", RFC 2002, May 1995.

   [3]  Perkins, C., "Mobile IPv4 Challenge/Response Extensions",
        RFC 3012, November 2000.

   [4]  Vollbrecht, J., "PPP Extensible Authentication Protocol (EAP)",
        RFC 2284, March 1998.

   [5]  Simpson, W., "The Point-to-Point Protocol", RFC 1661, July 1994.

   [6]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", RFC 2119, March 1997.

Author's Address

   Ernie Tacsik
   Nokia
   6000 Connection Drive
   Irving, TX  75039

   Phone: +1(972)894-4044
   EMail: ernie.tacsik@nokia.com

Appendix A.  Acknowledgements

   The author gratefully acknowledges the contribution of Basavaraj
   Patil (Nokia).

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found in
   BCP-11.  Copies of claims of rights made available for publication
   and any assurances of licenses to be made available, or the result of
   an attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementors or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.