RE: [Mip4] Query regarding MN-AAA authenticator calculation.
"McCann Peter-A001034" <pete.mccann@motorola.com> Tue, 07 November 2006 17:44 UTC
Subject: RE: [Mip4] Query regarding MN-AAA authenticator calculation.
Date: Tue, 07 Nov 2006 12:42:20 -0500
Message-ID: <BE4B07D4197BF34EB3B753DD34EBCD13011B06C0@de01exm67.ds.mot.com>
In-Reply-To: <653F3CF58193744C9DE59C217C072B5896D658@nilgiri.india.wirelessworld.airvananet.com>
From: McCann Peter-A001034 <pete.mccann@motorola.com>
To: Arun SG <arunsg@airvana.com>, mip4@ietf.org
Hi, Arun,

Arun SG wrote:
> Hello,
> Please refer to the old thread pasted below. Can someone please
> provide a few followup clarifications?
>
> 1. What is the current status of 3012bis?

3012bis is currently in AUTH48, one of the very last stages before
publication. I think we are still waiting on responses from a couple
of the authors.

> 2. This para in 3012 and 3012bis states:
>
>    If the MN-AAA Authentication extension (see Section 6) is present in
>    the message, or if an NAI extension is included indicating that the
>    mobile node belongs to a different administrative domain, the foreign
>    agent may take actions outside the scope of this protocol
>    specification to carry out the authentication of the mobile node.
>
> Does this then mean that this specification is restricted to the case
> when the MN, FA and AAA all belong to the same administrative domain?

Certainly not. It just says that the action taken by the FA to
validate the MN-AAA extension is outside the scope of this document.

> 3. While CHAP_SPI declares that MD5 is to be used, I could not find a
> description of how the "key" that is to be used in MD5 is obtained.
> Is there an implicit understanding that this is preshared, or
> perhaps obtained through some other key exchange mechanism?

The "key" is a long-term secret shared between the MN and the home AAA
server. It is configured using out-of-band mechanisms that are outside
the scope of 3012.

>    MD5 (High-order byte from Challenge || Key ||   <<<<------ is this
>                                                     thru' IKE or some other means?
>         MD5(Preceding Mobile IP data ||
>             Type, Subtype (if present), Length, SPI) ||
>         Least-order 237 bytes from Challenge))
>
> Thanks in advance,
> Arun

Hope this helps.

-Pete

> RE: [Mip4] Query regarding MN-AAA authenticator calculation.
>
> To: Nakhjiri Madjid-MNAKHJI1 <Madjid.Nakhjiri at motorola.com>
> Subject: RE: [Mip4] Query regarding MN-AAA authenticator calculation.
> From: Kent Leung <kleung at cisco.com>
> Date: Fri, 04 Mar 2005 17:21:21 -0800
> Cc: "'Pete McCann'" <mccap at lucent.com>, Archana <archana_p at huawei.com>, mip4 at ietf.org
> In-reply-to: <EBF631554F9CD7118D0B00065BF34DCB18379493@il27exm03.cig.mot.com>
>
> Hi Madjid. The rfc3012bis draft covers the CCoA mode.
>
> > Based on local policy, a Mobile Node with co-located care-of-address
> > MAY include the Mobile-AAA Authentication extension in Registration
> > Request. In this case, if the Mobile Node uses SPI value of
> > CHAP_SPI or HMAC_CHAP_SPI (section 8) in the MN-AAA Authentication
> > extension, Mobile Node MUST include the Mobile-Foreign Challenge
> > extension prior to the Mobile-AAA Authentication extension. The
> > mechanism used by the Mobile Node to obtain the Challenge value is
> > outside the scope of this document.
>
> Kent
>
> At 03:52 PM 3/4/2005 -0600, Nakhjiri Madjid-MNAKHJI1 wrote:
> > Hi,
> >
> > I have been meaning to respond to this as well. I agree there is no
> > RADIUS MD5. However, there is a problem with sending all the following
> >
> >        Preceding Mobile IP data ||
> >        Type, Subtype (if present), Length, SPI) ||
> >        Least-order 237 bytes from Challenge
> >
> > over RADIUS messages, since RADIUS packets can be at most 4K long and
> > attributes at most 253 bytes (if I understood this correctly), which
> > means you do have to calculate a hash of the data above before packing
> > it over RADIUS messaging, if you want the AAA server to do the same
> > calculations. If anybody has a number on the number of bytes the data
> > above takes, I would appreciate it.
> > We tried to explain this in our draft on RADIUS support for MIP-AAA
> > signaling.
> >
> > http://www.ietf.org/internet-drafts/draft-nakhjiri-radius-mip4-00.txt
> >
> > We ran into another problem with this and that was: the challenge is
> > used only in conjunction with FAs and when the MN uses a CCoA and
> > registers through HA directly, there won't be any challenge to
> > calculate
> >
> >    MD5 (High-order byte from Challenge || Key ||
> >         MD5(Preceding Mobile IP data ||
> >             Type, Subtype (if present), Length, SPI) ||
> >         Least-order 237 bytes from Challenge))
> >
> > Our proposal based on Charlie's suggestion (no mean to push the blame,
> > Charlie :) ) was to include zero octets whenever challenge data was
> > needed in that case.
> >
> > Any thoughts?
> >
> > Madjid
> >
> > -----Original Message-----
> > From: mip4-bounces at ietf.org [mailto:mip4-bounces at ietf.org] On Behalf Of Pete McCann
> > Sent: Friday, February 25, 2005 9:48 AM
> > To: Archana
> > Cc: mip4 at ietf.org
> > Subject: [Mip4] Query regarding MN-AAA authenticator calculation.
> >
> > Hi, Archana,
> >
> > Archana writes:
> > > Hi
> > > According to RFC 3012, the MN-AAA authenticator is computed by
> > > applying MD5 on the following data
> > >
> > >    High-order byte from Challenge || Key ||
> > >    MD5(Preceding Mobile IP data ||
> > >        Type, Subtype (if present), Length, SPI) ||
> > >    Least-order 237 bytes from Challenge
> > >
> > > I have the following queries regarding the above computation. Any
> > > help in clarifying them will be highly appreciated.
> > >
> > > 1. What is meant by High-order and Least order?
> >
> > "High-order" means "most significant". You can also interpret it as
> > "leftmost" when looking at the encoding of the Challenge in a Mobile
> > IP Extension.
> >
> > > 2. How does the Radius MD5 algorithm differ in calculating the
> > > Authenticator from a MD5 algorithm
> >
> > There is no special "Radius MD5" as far as I know.
> >
> > MD5 is specified in RFC3121. It is a well-known hash function that
> > processes the input and produces a 16 octet hash.
> >
> > The calculation shown above is compatible with existing RADIUS servers
> > that are used for authenticating PPP/CHAP, i.e., the code used for
> > PPP/CHAP can be re-used to compute the above authenticator, assuming
> > that the FA can precompute the inner MD5 and send it in an
> > Access-Request.
> >
> > -Pete
> >
> > > Thanks in advance
> > > Archana
> >
> > --
> > Mip4 mailing list: Mip4 at ietf.org
> > Web interface: https://www1.ietf.org/mailman/listinfo/mip4
> > Charter page: http://www.ietf.org/html.charters/mip4-charter.html
> > Supplemental site: http://www.mip4.org/
>
> --
> Kent Leung
> IP Mobility Development
> Internet Technologies Division
> Cisco Systems
> Email: kleung at cisco.com

--
Mip4 mailing list: Mip4@ietf.org
Web interface: https://www1.ietf.org/mailman/listinfo/mip4
Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
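An added worked example (my own code, not from this thread or from any RFC 3012 implementation) of the CHAP_SPI computation Archana and Arun ask about, showing why Pete says an ordinary PPP/CHAP-capable RADIUS server can verify it once the FA precomputes the inner MD5: the 16-octet inner hash plus the 237 least-order Challenge octets fill exactly one 253-octet RADIUS attribute, which is the size question Madjid raises. The Registration Request bytes, the key, the 238-octet Challenge and the extension header layout (Type 36, Subtype 1, 16-bit Length of 4 + 16) are constructed sample values and assumptions; a shorter Challenge is assumed to contribute whatever bytes follow its first one.

```python
import hashlib
import hmac

# Constructed sample values for this example; none come from the thread.
CHAP_SPI = 2                                   # SPI value for CHAP_SPI (RFC 3012, sec. 9)
KEY = b"mn-aaa-long-term-secret"               # shared MN / home-AAA secret, configured out of band
CHALLENGE = bytes(range(238))                  # 238-octet Challenge: CHAP id byte + 237 more
PRECEDING = b"\x01\x00\x00\x00" + b"\x0a\x00\x00\x01" * 4   # stand-in for RR header + earlier extensions
# MN-AAA extension header bytes before the Authenticator: Type 36, Subtype 1,
# 16-bit Length (assumed 4 + 16 for a 16-octet authenticator), 32-bit SPI.
EXT_HDR = bytes([36, 1]) + (4 + 16).to_bytes(2, "big") + CHAP_SPI.to_bytes(4, "big")


def inner_md5(preceding: bytes, ext_hdr: bytes) -> bytes:
    """MD5 over the Registration Request bytes that precede the MN-AAA
    extension plus its Type, Subtype, Length and SPI fields."""
    return hashlib.md5(preceding + ext_hdr).digest()


def chap_spi_authenticator(preceding, ext_hdr, challenge, key) -> bytes:
    """RFC 3012 CHAP_SPI form: MD5(high-order byte of Challenge || Key ||
    inner MD5 || least-order 237 bytes of Challenge). A Challenge shorter
    than 238 octets contributes all bytes after the first (assumption)."""
    inner = inner_md5(preceding, ext_hdr)
    return hashlib.md5(challenge[:1] + key + inner + challenge[1:238]).digest()


def chap_response(ident: bytes, secret: bytes, chap_challenge: bytes) -> bytes:
    """Plain PPP/CHAP MD5 response: the computation a RADIUS server already has."""
    return hashlib.md5(ident + secret + chap_challenge).digest()


def fa_chap_attributes(preceding, ext_hdr, challenge, authenticator):
    """What the FA carries in the Access-Request so the AAA needs no Mobile IP
    code: CHAP-Challenge = inner MD5 || rest of Challenge (16 + 237 = 253 octets,
    the RADIUS attribute maximum), CHAP-Password = id byte || authenticator."""
    chap_challenge = inner_md5(preceding, ext_hdr) + challenge[1:238]
    chap_password = challenge[:1] + authenticator
    return chap_challenge, chap_password


def aaa_verify(chap_challenge: bytes, chap_password: bytes, secret: bytes) -> bool:
    """Home AAA check using the shared secret, with a constant-time compare."""
    ident, received = chap_password[:1], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, secret, chap_challenge), received)


if __name__ == "__main__":
    auth = chap_spi_authenticator(PRECEDING, EXT_HDR, CHALLENGE, KEY)  # MN side
    cc, cp = fa_chap_attributes(PRECEDING, EXT_HDR, CHALLENGE, auth)    # FA side
    print(len(cc), aaa_verify(cc, cp, KEY), aaa_verify(cc, cp, b"wrong"))  # 253 True False
```

Madjid's CCoA case, where no Challenge extension exists, is not covered here: with CHALLENGE empty the id byte and the 237-octet tail are both empty, which is exactly the gap his zero-octet proposal addresses.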