IETF Mobile IP Working Group C. Perkins
Internet-Draft WiChorus Inc.
Expires: April 15, 2010 October 12, 2009
Authentication Mandate for All Registration Reply Messages
draft-perkins-mip4-authreqd-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 15, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Perkins Expires April 15, 2010 [Page 1]
Internet-Draft Authentication Mandate for Reg Reply October 2009
Abstract
Some implementations of Mobile IP home agents have been observed to
supply zero authentication data when sending a Registration Reply to
the mobile node that contains rejection code 131 (Mobile Node Failed
Authentication). This creates a vulnerability whereby a mobile node
could be denied service from its home agent, and thus lose
connectivity to the Internet even though mobile node and home agent
were otherwise functioning properly.
1. Introduction
When a mobile node sends a Registration Request to its home agent, it
expects a Registration Reply with a return code of 0 or 1. Other
return codes indicate that the registration was unsuccessful. All
registration messages, whether indicating success or failure, are
expected to be equipped with authentication data so that the mobile
node and home agent can verify that the information in the
registration messages is really supplied by the home agent or the
mobile node respectively.
This is true even for registration messages that indicate failure. A
mobile node should be able to verify that Registration Reply messages
containing a failure code are really generated by its home agent.
Otherwise, the mobile node might unnecessarily take the actions
corresponding to a failure to register, perhaps causing at least a
temporary disconnection. Even if the mobile node does retransmit the
Registration Request message, the only result might be to receive
shortly thereafter yet another bogus Registration Reply message with
the same rejection code. Soon enough, the mobile node will give up
the attempt to register at its current care-of address, even though
the home agent had indeed registered the care-of address and sent a
Registration Reply message indicating success.
In the specific case of rejection Code 131, there is a likelihood
that the mobile node's security association with its home agent needs
to be refreshed, since the code indicates that the authentication
data supplied with the Registration Request message were not correct.
It would be an unfortunate error if a malicious agent were able to
trigger re-establishment of the mobile node's Mobility Security
Association. Since, for Code 131, there are no retries specified in
the Mobile-IP protocol specification [1], a single malicious packet
could trigger the loss of even a newly established and valid Mobility
Security Association between the mobile node and the home agent.
Worse, such an action could trigger an exception condition in the
home domain, if the home domain policy excluded too-frequent attempts
for the establishment of such security associations.
2. Mobile Node Handling for Unauthenticated Registration Replies
We propose that all Registration Reply messages MUST contain a valid
Mobile-Home Authentication Extension, with nonzero authentication
data generated according to the security algorithm indicated by the
SPI present in the Authentication extension. This is required
whether the Mobile Node is identified purely by its IP address or
the Mobile Node NAI extension is also supplied.
The registration message data protected by the Authentication Data in
the Mobile-Home Authentication Extension MUST be the same as
specified in [1].
As specified in section 3.6.2.1 of [1], if a Mobile Node receives a
Registration Reply message that does not contain a Mobile-Home
Authentication Extension, or one with zero authentication data, the
Mobile Node MUST silently discard that packet. According to the
meaning of "silently discard", the mobile node MUST NOT use that
packet as a trigger for retransmitting the Registration Request
message.
3. Security Parameters Index
A mobility security association between the Home Agent and the Mobile
Node MAY be configured specifically for the purpose of supplying the
authentication data to the Mobile Node when a Registration Request is
rejected. This alternative security association MAY use a default SPI
number, or any other SPI that is convenient. This may also include an
SPI in the range of well-known SPI numbers, but not any reserved
value for the SPI.
4. Foreign Agent Handling for Unauthenticated Registration Replies
Similarly, in accordance with section 3.7.3.1 of [1], when a Foreign
Agent has a security association with a Home Agent, each Registration
Reply from that home agent MUST contain a Foreign-Home Authentication
Extension with nonzero authentication data. If a Foreign Agent that
has such a security association receives a Registration Reply from
that Home Agent without a Foreign-Home Authentication Extension, or
with one carrying zero authentication data, that Registration Reply
MUST be silently discarded.
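The checks of Sections 2 and 4, together with the SPI lookup of
Section 3, as an added worked example in Python. This is not code
from this draft or from any Mobile IP implementation. It builds
Registration Reply messages with the RFC 3344 header and the
Mobile-Home (type 32) and Foreign-Home (type 34) Authentication
Extensions using the default HMAC-MD5 authenticator, then contrasts a
mobile node that acts on the Code field of any reply it receives with
one that silently discards replies lacking a valid, nonzero
authenticator. The SPI values, keys, addresses and Identification
value are constructed for the example; the MobileNode class and its
counters are an assumption used to make the effect of a spoofed
Code 131 reply visible.

```python
import hashlib
import hmac
import struct

# Values from RFC 3344 used below
REG_REPLY_TYPE = 3
CODE_ACCEPTED = 0
CODE_MN_FAILED_AUTH = 131
EXT_MOBILE_HOME_AUTH = 32      # Mobile-Home Authentication Extension
EXT_FOREIGN_HOME_AUTH = 34     # Foreign-Home Authentication Extension
AUTH_LEN = 16                  # HMAC-MD5 authenticator (RFC 3344 default algorithm)
RESERVED_SPI_MAX = 255         # SPIs 0..255 are reserved (RFC 3344 section 1.6)

# Constructed mobility security associations keyed by SPI (keys made up for this example)
MN_HA_SAS = {0x1000: bytes.fromhex("00112233445566778899aabbccddeeff")}
FA_HA_SAS = {0x2000: bytes.fromhex("ffeeddccbbaa99887766554433221100")}


def build_reply(code, home_addr, home_agent, ident, lifetime=300):
    """Fixed 20-byte Registration Reply header (RFC 3344 section 3.4)."""
    return struct.pack("!BBH4s4sQ", REG_REPLY_TYPE, code, lifetime, home_addr, home_agent, ident)


def append_auth_ext(msg, ext_type, spi, key):
    """Append an authentication extension whose HMAC-MD5 authenticator covers the
    reply data, all prior extensions, and this extension's own Type, Length and SPI."""
    hdr = struct.pack("!BBI", ext_type, 4 + AUTH_LEN, spi)
    return msg + hdr + hmac.new(key, msg + hdr, hashlib.md5).digest()


def append_zero_auth_ext(msg, ext_type, spi):
    """The defective behaviour the draft describes: extension present, authenticator all zero."""
    return msg + struct.pack("!BBI", ext_type, 4 + AUTH_LEN, spi) + bytes(AUTH_LEN)


def extensions(msg):
    """Yield (offset, type, body) for the simple TLV extensions after the 20-byte header."""
    off = 20
    while off + 2 <= len(msg):
        etype, elen = msg[off], msg[off + 1]
        body = msg[off + 2:off + 2 + elen]
        if len(body) != elen:
            return                      # truncated extension: stop parsing
        yield off, etype, body
        off += 2 + elen


def verify_reply(msg, ext_type, sas, expected_ident):
    """Validity checks in the spirit of RFC 3344 sections 3.6.2.1 / 3.7.3.1 for one
    authentication extension.  Returns ("accept", code) or ("discard", None)."""
    if len(msg) < 20 or msg[0] != REG_REPLY_TYPE:
        return "discard", None
    code, ident = msg[1], struct.unpack("!Q", msg[12:20])[0]
    for off, etype, body in extensions(msg):
        if etype != ext_type:
            continue
        if len(body) != 4 + AUTH_LEN:
            return "discard", None      # wrong size for an HMAC-MD5 authenticator
        spi, auth = struct.unpack("!I", body[:4])[0], body[4:]
        if spi <= RESERVED_SPI_MAX or spi not in sas:
            return "discard", None      # reserved SPI, or no security association for it
        if not any(auth):
            return "discard", None      # zero authentication data: the case this draft targets
        expected = hmac.new(sas[spi], msg[:off + 6], hashlib.md5).digest()
        if not hmac.compare_digest(auth, expected):
            return "discard", None      # forged or corrupted authenticator
        if (ident & 0xFFFFFFFF) != (expected_ident & 0xFFFFFFFF):
            return "discard", None      # not a reply to the outstanding Registration Request
        return "accept", code
    return "discard", None              # no authorization-enabling extension at all


class MobileNode:
    """Assumed minimal registration state, enough to show what a discarded reply must not change."""

    def __init__(self, ident):
        self.ident = ident
        self.registered = False
        self.retransmits = 0    # Registration Requests re-sent in reaction to a reply
        self.sa_refreshes = 0   # Mobility Security Association re-establishments

    def act_on_code(self, code):
        if code in (0, 1):
            self.registered = True
        elif code == CODE_MN_FAILED_AUTH:
            self.sa_refreshes += 1   # code 131: node assumes its key is stale (no retry in [1])
        else:
            self.retransmits += 1

    def handle_naive(self, msg):
        """The exposure: trusts the Code field without checking the authenticator."""
        self.act_on_code(msg[1])

    def handle_hardened(self, msg):
        """Section 2 of this draft: unauthenticated replies are silently discarded."""
        verdict, code = verify_reply(msg, EXT_MOBILE_HOME_AUTH, MN_HA_SAS, self.ident)
        if verdict == "accept":
            self.act_on_code(code)
        return verdict


def demo():
    """Two spoofed Code 131 replies followed by the genuine accepted reply, plus the FA-side check."""
    ident = 0x0123456789ABCDEF
    home, ha = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
    genuine = append_auth_ext(build_reply(CODE_ACCEPTED, home, ha, ident),
                              EXT_MOBILE_HOME_AUTH, 0x1000, MN_HA_SAS[0x1000])
    spoofed_zero = append_zero_auth_ext(build_reply(CODE_MN_FAILED_AUTH, home, ha, ident),
                                        EXT_MOBILE_HOME_AUTH, 0x1000)
    spoofed_bare = build_reply(CODE_MN_FAILED_AUTH, home, ha, ident)
    naive, hardened = MobileNode(ident), MobileNode(ident)
    for msg in (spoofed_bare, spoofed_zero, genuine):
        naive.handle_naive(msg)
        hardened.handle_hardened(msg)
    # Section 4: a foreign agent holding an FA-HA association checks the Foreign-Home extension.
    relayed = append_auth_ext(genuine, EXT_FOREIGN_HOME_AUTH, 0x2000, FA_HA_SAS[0x2000])
    fa_ok = verify_reply(relayed, EXT_FOREIGN_HOME_AUTH, FA_HA_SAS, ident)[0]
    fa_zero = verify_reply(append_zero_auth_ext(genuine, EXT_FOREIGN_HOME_AUTH, 0x2000),
                           EXT_FOREIGN_HOME_AUTH, FA_HA_SAS, ident)[0]
    return naive, hardened, fa_ok, fa_zero
```

After demo() the naive node has torn down its security association
twice on the strength of two unauthenticated packets, while the
hardened node's retransmit and SA-refresh counters remain at zero and
it is registered by the genuine reply. The all-zero check is kept as
an explicit condition even though HMAC verification alone would
reject such a reply, because the draft states it separately; the
Identification comparison is the replay check of section 3.6.2.1 of
[1] and is included so that a replayed, correctly authenticated
failure reply is also discarded.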
5. Security Considerations
This document identifies a security exposure that might disrupt a
mobile node's ability to connect to the Internet, and proposes a
solution to eliminate this exposure. It does not create any new
security exposures.
6. Normative References
[1] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
August 2002.
Author's Address
Charles E. Perkins
WiChorus Inc.
3590 N. 1st Street, Suite 300
San Jose CA 95134
USA
Email: charliep@computer.org