RADIUS Mobile IPv4 RADIUS requirements February 2006 Internet Draft Madjid Nakhjiri draft-ietf-mip4-radius-requirements-00.txt Motorola Labs Category: Internet draft Kuntal Chowdhury Expires: August 2006 Starent Networks Avi Lior Bridgewater systems Kent Leung Cisco Systems February 2006 Mobile IPv4 RADIUS requirements Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire in July 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document provides an applicability statement as well as a scope definition for the specification provided in the document ‘‘RADIUS Nakhjiri et. al. Expires -May 2006 [Page 1] RADIUS Mobile IPv4 RADIUS requirements February 2006 Mobile IPv4 extension’’ and its future revisions hereby collectively referred to as [RADMIP]. The goal is to justify qualification of [RADMIP] as a IETF work item. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119. Table of Contents 1. Introduction...................................................2 2. Attributes.....................................................4 3. IANA considerations............................................4 4. Security considerations........................................4 5. References.....................................................4 Acknowledgments...................................................5 Author's Addresses................................................5 1. Introduction Mobile IPv4 working group has developed extensions for the registration process [MIPv4] to allow the MN and mobility agents to request assistance from the AAA server in authentication [MIP4CHAL] and creation of security associations [MIPKEYS], all based on the pre-established trust relationship between the MN and its home AAA server. However, on the AAA side, currently only Diameter provides specification for interaction with Mobile IP agents [DIAMIP]. In the absence of IETF standardized RADIUS attributes for support of MIPv4, different wireless SDOs have taken the path of developing VSAs. This will cause lack interoperability between these wireless standards, potentially hindering mobility across these wireless networks. To respond to the described issue, the authors have developed a document [RADMIP] that defines a set of attributes to be used for dynamic bootstrapping of MIPv4 parameters through a RADIUS based AAA infrastructure during the Mobile IPv4 Registration procedure. The bootstrapping attributes can include configuration parameters as well as material used for provisioning security of Mobile IPv4 messaging (authentication) as defined by RFC 3957. The scope of this work is to only standardize RADIUS attributes and to define the procedure by which the Mobile IPv4 agents, e.g. Home Nakhjiri et. al. Expires - May 2006 [Page 2] RADIUS Mobile IPv4 RADIUS requirements February 2006 agent (HA) and Foreign Agent (FA) map the Mobile IP registration message fields into the proposed RADIUS attributes and vice versa. It is not the intention to extend the functionality of existing RADIUS servers or protocol. More specifically, the following are NON-GOALS: . Enhancing security properties of RADIUS (including key transport capabilities). . No new security or reliability mechanisms are defined in the transport of such Access Requests. The [RADMIP] uses existing RADIUS authentication procedures, e.g. Message-Authenticator (80) described in RFC2869. The security considerations for [RADMIP] are described in a later section of this document. . Enhancing reliability or transport properties of RADIUS. . Creating new RADIUS messages types. Diameter Mobile IP [DIAMIP] application has defined new command codes for support of Mobile IP signaling, depending on whether Diameter server is dealing with a Mobile IP HA or an FA. RADIUS currently does not have any messages that correspond to these Diameter commands. [RADMIP] is not defining new RADIUS messages. Instead, [RADMIP] provides proposals for new RADIUS attributes that facilitates Diameter-RADIUS messaging translation without defining any new RADIUS messaging. At the same time [RADMIP] is re-using Diameter AVPs to the fullest extent possible. . To extend RADIUS in a way that fulfills the full list of requirements in RFC 2977. It is however required of the RADIUS servers (and possibly proxies) to be able to understand and process the attributes described in this specification to perform verification of authentication extensions specified in [MIPCHAL]. All RADIUS work MUST be backward compatible with existing RADIUS RFCs, including RFCs 2618-2621, 2865-2869, 3162, 3575, 3576, 3579, and 3580. It is also required of the Mobile IP agents (FA and HA) to operate as RADIUS clients (NASes in context of RFC 2865) when translating RADIUS signaling into Mobile IP signaling and vice versa. Details on the behavior of Mobile IP agents as RADIUS clients are to be provided in [RADMIP]. Nakhjiri et. al. Expires - May 2006 [Page 3] RADIUS Mobile IPv4 RADIUS requirements February 2006 2. Attributes [RADMIP] describes the full set of attributes required for RADIUS- Mobile IP interaction. Some of the attributes are already standardized, while others will require standardization and IANA type assignments. 3. IANA considerations [RADMIP] draft introduces new RADIUS attributes. Therefore there is need for defining new attribute type numbers by IANA. 4. Security considerations The concern of using AAA protocols that use hop-by-hop security (Diameter/RADIUS) to distribute keys is nothing new. In both Diameter and RADIUS the assumption is that intermediary nodes are trusted. However, in the case of Diameter, if the operator chooses not to trust intermediaries, Diameter provides a remedy by utilizing its re-direction mechanism. Note that in the case of Diameter MIPv4 Application using re-directions is optional and not mandatory. RADIUS does not possess a re-direction mechanism and since we are not proposing to add a re-direction mechanism to RADIUS we have to rely on the model that RADIUS intermediary nodes are to be trusted. To protect against MITM attacks, RADIUS provides a mechanism for encrypting attribute (RFC 2868 section 3.5). Diameter relies purely on IPsec to protect against MITM attacks. It can be argued that the encryption mechanism provided by RADIUS is weak and therefore it is recommended to protect RADIUS transactions using IPsec (e.g. RADIUS protected by IPSec in RFC 3579). 5. References [RADMIP] M. Nakhjiri, Et. Al., RADIUS Mobile IPv4 extensions, draft-nakhjiri-radius-mip4-02.txt, October 2005. [MIPv4] C. Perkins, IP Mobility Support, IETF, RFC 3344, August 2002. [MIP4CHAL] C. Perkins, P. Calhoun, Mobile IP Challenge/Response Extensions, draft-ietf-mip4-rfc3012bis-04.txt., June 2005. [MIPKEYS] C. Perkins, P. Calhoun, AAA Registration Keys for Mobile IP, IETF, RFC 3957, March 2005. [DIAMIP] P. Calhoun, C. Perkins, Diameter Mobile IP application, IETF, RFC 4004, May 2004. Nakhjiri et. al. Expires - May 2006 [Page 4] RADIUS Mobile IPv4 RADIUS requirements February 2006 Acknowledgments The authors would like to give special thanks to Farid Adrangi for the initial discussions and recommendations on the attribute design work. The authors would also like to thank Charlie Perkins for consultation on the use of RFC 3012 procedures. Author's Addresses Madjid Nakhjiri Motorola Inc. Contact Email: Madjid.Nakhjiri@motorola.com Kuntal Chowdhury Starent Networks Contact Email: kchowdhury@starentnetworks.com Avi Lior Bridgewater systems Contact Email: avi@bridgewatersystems.com Kent Leung Cisco Systems Contact Email: kleung@cisco.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary Nakhjiri et. al. Expires - May 2006 [Page 5] RADIUS Mobile IPv4 RADIUS requirements February 2006 rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. This Internet-Draft will expire on August, 2006. Nakhjiri et. al. Expires- May 2006 [Page 6]