IETF Logo Mail Archive

RE: [Mip4] draft on RADIUS support for Mobile IP

"Jayshree Bharatia" <jayshree@nortel.com> Sat, 26 March 2005 16:25 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA09039 for <mip4-web-archive@ietf.org>; Sat, 26 Mar 2005 11:25:06 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DFEC7-00034S-CS for mip4-web-archive@ietf.org; Sat, 26 Mar 2005 11:31:27 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DFE5D-0008RR-UT; Sat, 26 Mar 2005 11:24:19 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DEWkM-00042b-5j for mip4@megatron.ietf.org; Thu, 24 Mar 2005 13:07:54 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10359 for <mip4@ietf.org>; Thu, 24 Mar 2005 13:07:51 -0500 (EST)
Received: from zrtps0kp.nortelnetworks.com ([47.140.192.56]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DEWq4-000402-Ty for mip4@ietf.org; Thu, 24 Mar 2005 13:13:49 -0500
Received: from zrtpd0jn.us.nortel.com (zrtpd0jn.us.nortel.com [47.140.202.35]) by zrtps0kp.nortelnetworks.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id j2OI7Nm12391; Thu, 24 Mar 2005 13:07:23 -0500 (EST)
Received: by zrtpd0jn.us.nortel.com with Internet Mail Service (5.5.2653.19) id <GH4X0AKB>; Thu, 24 Mar 2005 13:07:24 -0500
Message-ID: <E3F9D87C63E2774390FE67C924EC99BB07DB4E3B@zrc2hxm1.corp.nortel.com>
From: Jayshree Bharatia <jayshree@nortel.com>
To: 'Kent Leung' <kleung@cisco.com>, 'Nakhjiri Madjid-MNAKHJI1' <Madjid.Nakhjiri@motorola.com>
Subject: RE: [Mip4] draft on RADIUS support for Mobile IP
Date: Thu, 24 Mar 2005 13:07:13 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e5bfa71b340354e384155def5e70b13b
X-Mailman-Approved-At: Sat, 26 Mar 2005 11:24:18 -0500
Cc: "'kchowdhury@starentnetworks.com'" <kchowdhury@starentnetworks.com>, "'mip4@ietf.org'" <mip4@ietf.org>, "'avi@bridgewatersystems.com'" <avi@bridgewatersystems.com>
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Sender: mip4-bounces@ietf.org
Errors-To: mip4-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 83e9494d829b08cc3f644ef6ac1b9bd4

Hi Kent,

Regarding point 1 of your comments, this RADIUS draft can refer to the
latest version of RFC3012bis document (draft-ietf-mip4-rfc3012bis-03.txt). 

Regards,
Jayshree
-----Original Message-----
From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Kent
Leung
Sent: Wednesday, March 23, 2005 7:06 PM
To: Nakhjiri Madjid-MNAKHJI1
Cc: Nakhjiri Madjid-MNAKHJI1; 'kchowdhury@starentnetworks.com';
'mip4@ietf.org'; 'avi@bridgewatersystems.com'
Subject: Re: [Mip4] draft on RADIUS support for Mobile IP


Hi Madjid et al.,

The draft looks pretty good overall.  Some comments.

1) Please reference draft-ietf-mobileip-rfc3012bis-06.txt in document.

2) Since the User-Name AVP will be populated with MN-NAI or MN-HoA,
    why are the MIP-MN-NAI and MIP-MN-HoA AVPs needed?  If all AVPs
    are supported, then how is the combination of them prioritized for
    user lookup?

3) For CCoA mode Authenticator calculation, refer to 3012bis.  The Challenge
    is non-zero.  The MFCE is part of the RRQ sent from MN to HA.

4) In 3.1 HA process RRQ section, since the NAS-IP and HA-IP addresses 
    may be different, shouldn't the MIP-HA-IP address or MIP-HA-NAI always 
    be included in the Access-Req?  The NAS-IP and the RADIUS server have
    a shared secret to protect communication between them 
    (Message-Authenticator).  The MIP-HA identifier serves a different
    function (e.g. possibly tag for HoA assignment).

5) General comments for clarity on labels.  XXX-REP to XXX-REPLAY, 
    XXX-LIFE to XXX-LIFETIME, XXX-ALGID to XXX-ALGORID.
    
6) Typo in "The HA receives the RADIUS Access Accept" bullet.  Remove
    "using and MN to HA MSAs".

7) Same 3.1 section, "The MN extracts" bullet, specify how the MN-HA key
    is derived (or reference [MIPKEYS]).

8) Figure 2a, label 1, 2, 3, etc. on the flow would be useful.

9) Sect 3.2 "The FA checks" bullet, missing ")" for MIP-FA-IP address.  Same
issue
    with NAS-IP and MIP-FA-IP address as above.  Should have FA-IP
identifier
    (either MIP-FA-IP-address or MIP-FA-NAI) in case HA in foreign network 
    assignment happens.  Also, why is the MIP-FA-NAI  added only if HA
address is 
    all 1s or 0s?  The value of MIP-HA-IP-address can be set to HA field in
RRQ.

10) "The AAAH compares this value" bullet, I think having a new
MIP-FA-HA-nonce
     is good to associate the 2 Access-Requests (one from FA, and other from
HA)
     to set up the FA-HA MSA.  Also, the MIP-MN-FA-nonce is missing in the
list for
     Access-Request.

11) "The FA retrieves the MN-FA key" bullet, typo "Access-Request" should be
      "Access-Accept".

12) "Upon receiving the reg" bullet, same issue with NAS-IP and MIP-HA
identifier.
     Also, why are MIP-FA-to-HA-SPI and MIP-FA-HA-Authenticator AVPs
included?
     See my opinion below.  May also want to have MIP-MN-FA-NAI as the FA
     identifier to index the MSA.  Another point to capture is the case when
the
     FA-HA MSA exists (e.g. created by another MN which registered
previously
     between the FA and HA).  Then the HA just authenticate the FHAE first
     before sending Access-Request to AAA server.

13) "The AAAH finds the FA-HA MSA" bullet, I think AAA should only be
     responsible to authenticate the MN and provide the keys to the HA,
which
     is responsible to authenticate FHAE and MHAE (if there).  So AAA server
     should authenticate MN using the MIP-MN-AAA-SPI and 
     MIP-MN-AAA-Authenticator.  Also, if the AAA server receives the
MIP-FA-HA-nonce,
     it can find the right FA-HA MSA to provide to HA.  

14) Same bullet as above, why does the Access-Accept include the
MIP-MN-FA-XXX
      AVPs?  These were already delivered to the FA in the RADIUS exchange
between
      FA and AAAF.

15) "The HA retreives the key materials" bullet, I don't think HA should be
putting
      MN-FA-nonce.  HA should only put the MN-HA-nonce in the KeyGenReplyExt
      protected by MHAE.

16) "The FA relays the RRP" bullet, I think the FA should put the
MN-FA-nonce in
      the appended KeyGenReplyExt protected by MFAE before sending to MN.

17) Sect 4.2, "the HA and FA may send their own IP addresses inside NAS-IP
      instead of MIP-[HA|FA]-IP-address".  I think the MIP-[HA|FA]
identifiers should
      always be in the Access Req.

18) Sect 5, MIP-HA-IP address, why "the FA this attribute MAY not be used in
      the Access-Request"?  The HA address could be helpful to for setting
up FA-HA
      MSA.

19) MIP-MN-AAA-SPI, String should be unsigned32 and Length should be 6.

20) Mobile IPv4 feature vector, if mapping to DIAMETER, then this should be
unsigned32.
     The "8-bit flag vector" should be called "bitflag vector" as current
allocation is already
     over 8 bits.  :)  Length would be 6.  

21) Why bit 8 Foreign-Home-Agent-Available not supported?  This could be set
by
      FA to notify to AAAH that AAAL can assign the HA when relaying the
Access-Accept.
      I'm not clear on usage of bit 2
Home-Address-Allocatable-Only-in-Home-Realm.
      Also, I'm not sure why we don't have bitflag to indicate if the
Access-Request is
      sent by FA or HA?  That might clarify some operations on the AAA
server?
      Let's say the Access-Request contains the NAS-IP for authentication
between NAS
      and AAA server and FA and HA identifiers to set up MSA, shouldn't AAA
need to
      know which is FA or HA to set up the directional SPI for MSA?

22) MIP-MN-to-HA SPI and MIP-HA-to-MN-SPI , String should be unsigned32 and
length is 6.

23) MIP-MN-HA-ALGID, not clear how algorithm identifier is mapped?  We have
keyed MD5
      and HMAC-MD5.  Having a string doesn't make sense.  Maybe unsigned8
and specify
      1 for keyed MD5 and 2 for HMAC-MD5?

24) MIP-MN-HA-REP, same issue with string.  Maybe unsigned8 and specifiy 1
for
      timestamp (with field for replay range) and 2 for nonce?

25) MIP-MN-HA-MSA-LIFE, integer should be unsigned32 and length is 6.
Should we
     allow 0xFFFFFFFF to mean infinite lifetime for MSA?  This means the MSA
remains
     for lifetime of one registration session (MSA deleted when registration
ends).

26) Remove bunch of AVPs above the format of FA to HA SPI.

27) FA to HA SPI and HA to FA SPI, string is unsigned32 and length is 6.

28) Would like to add new MIP-FA-HA-nonce AVP.

29) In 5.1, attribute list is missing MIP-FA-NAI, MIP-MN-HA SPI and
MIP-HA-to-MN-SPI
      should change "HA" to "FA" before "Encrypted", missing
Encrypted[MIP-MN-FA-key],
      new MIP-FA-HA-nonce, duplicate MIP-MN-HA-MSA-LIFE.

30) Sect 8, "We recommend that the AAAH also authenticates the nonce reply
     extensions with the AAA SA it shares with the MN".  This is for MITM
attack for
     msg from AAAH to HA/FA.  Doesn't the Message-Authenticator protect
tampering
     with the nonce value?

Kent

At 06:56 PM 2/7/2005 -0600, Nakhjiri Madjid-MNAKHJI1 wrote:


Hi folks,

 

Just wanted to let you know that we just submitted a draft proposing an
specification for support of RADIUS for Mobile IP key management procedures.
The draft goes through two cases of co-located mobile nodes and nodes behind
an FA and describes RADIUS messaging and attributes for each case. Since the
draft deals with both Mobile IPv4 and RADIUS, it needs to be examined by
both groups. We know that this is really more an extension to RADIUS than to
Mobile IP and should be standardized by RADIUS groups, but we would like to
make sure that we got the Mobile IP parts right first J.

 

So comments and guidance are very welcome.

 

Thanks and Regards,

 

Madjid Nakhjiri, Kuntal Chowdhury, Avi Lior

 

 

The draft can be found at 

 

http://www.ietf.org/internet-drafts/draft-nakhjiri-radius-mip4-00.txt

 

    

Abstract 

    

   Mobile IPv4 specifies mechanisms that need assistance from a AAA 

   server and a AAA infrastructure. Examples of such mechanisms are 

   those providing key management and authentication services during a 

   mobile node's registration process with MN-AAA authentication 

   extension. Although Diameter Mobile IP application is being specified 

   to support the needs of Mobile IPv4 from the AAA infrastructure's 

   point of view, such support does not exist within RADIUS framework. 

   This document defines the RADIUS attributes that provide support for 

   Mobile IPv4 operation. 

 

 
-- 
Mip4 mailing list: Mip4@ietf.org
    Web interface: https://www1.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/


--
     |           |                   Kent Leung
    :|:         :|:                  IP Mobility Development
   :|||:       :|||:                 Internet Technologies Division
  :|||||||:   :|||||||:              Voice: 408.526.5030
.:|||||||||:.:|||||||||:.             Fax:   408.525.1653
 c i s c o S y s t e m s             Email: kleung@cisco.com 

-- 
Mip4 mailing list: Mip4@ietf.org
    Web interface: https://www1.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

v2.23.0 | Report a Bug | By Email