rfc2977.txt
For Mobile IP, the AAAL and the AAAH servers have the following
additional general tasks:
- enable [re]authentication for Mobile IP registration
Glass, et al. Informational [Page 11]
RFC 2977 Mobile IP AAA Requirements October 2000
- authorize the mobile node (once its identity has been established)
to use at least the set of resources for minimal Mobile IP
functionality, plus potentially other services requested by the
mobile node
- initiate accounting for service utilization
- use AAA protocol extensions specifically for including Mobile IP
registration messages as part of the initial registration sequence
to be handled by the AAA servers.
These tasks, and the resulting more specific tasks to be listed later
in this section, are beneficially handled and expedited by the AAA
servers shown in figure 1 because the tasks often happen together,
and task processing needs access to the same data at the same time.
             Local Domain                          Home Domain
           +--------------+                  +----------------------+
           |   +------+   |                  |            +------+  |
           |   |      |   |                  |            |      |  |
           |   | AAAL |   |                  |            | AAAH |  |
           |   |      +-----------------------------------+      |  |
           |   +---+--+   |                  |            +--+---+  |
           |       |      |                  |               |      |
           |       |      |                  |               |      |
+------+   |   +---+--+   |                  |            +--+---+  |
|      |   |   |      |   |                  |            |      |  |
|  MN  +- -|- -+  FA  + -- -- -- -- -- -- -- -- -- -- -- -+  HA  |  |
|      |   |   |      |   |                  |            |      |  |
+------+   |   +------+   |                  |            +------+  |
           |              |                  |                      |
           +--------------+                  +----------------------+
               Figure 3: AAA Servers with Mobile IP agents
In the model in figure 1, the initial AAA transactions are handled
without needing the home agent, but Mobile IP requires every
registration to be handled between the home agent (HA) and the
foreign agent (FA), as shown by the sparse dashed (lower) line in
figure 3. This means that during the initial registration, something
has to happen that enables the home agent and foreign agent to
perform subsequent Mobile IP registrations. After the initial
registration, the AAAH and AAAL in figure 3 would not be needed, and
subsequent Mobile IP registrations would only follow the lower
control path between the foreign agent and the home agent.
Any Mobile IP data that is sent by FA through the AAAL to AAAH MUST
be considered opaque to the AAA servers. Authorization data needed
by the AAA servers then MUST be delivered to them by the foreign
agent from the data supplied by the mobile node. The foreign agent
becomes a translation agent between the Mobile IP registration
protocol and AAA.
As mentioned in section 3, nodes in two separate administrative
domains often must take additional steps to guarantee their security
and privacy, as well as the security and privacy of the data they
are exchanging. In today's Internet, such security measures may be
provided by using several different algorithms. Some algorithms rely
on the existence of a public-key infrastructure [8]; others rely on
distribution of symmetric keys to the communicating nodes [9]. AAA
servers SHOULD be able to verify credentials using either style in
their interactions with Mobile IP entities.
In order to enable subsequent registrations, the AAA servers MUST be
able to perform some key distribution during the initial Mobile IP
registration process from any particular administrative domain.
This key distribution MUST be able to provide the following security
functions:
- identify or create a security association between MN and home
agent (HA); this is required for the MN to produce the
[re]authentication data for the MN--HA authentication extension,
which is mandatory on Mobile IP registrations.
- identify or create a security association between mobile node and
foreign agent, for use with subsequent registrations at the same
foreign agent, so that the foreign agent can continue to obtain
assurance that the same mobile node has requested the continued
authorization for Mobile IP services.
- identify or create a security association between home agent and
foreign agent, for use with subsequent registrations at the same
foreign agent, so that the foreign agent can continue to obtain
assurance that the same home agent has continued the authorization
for Mobile IP services for the mobile node.
- participate in the distribution of the security association (and
Security Parameter Index, or SPI) to the Mobile IP entities
- The AAA server MUST also be able to validate certificates provided
by the mobile node and provide reliable indication to the foreign
agent.
- The AAAL SHOULD accept an indication from the foreign agent about
the acceptable lifetime for its security associations with the
mobile node and/or the mobile node's home agent. This lifetime
for those security associations SHOULD be an integer multiple of
registration lifetime offered by the foreign agent to the mobile
node. This MAY allow for Mobile IP reauthentication to take place
without the need for reauthentication to take place on the AAA
level, thereby shortening the time required for mobile node
reregistration.
- The AAA servers SHOULD be able to condition their acceptance of a
Mobile IP registration authorization depending upon whether the
registration requires broadcast or multicast service to the mobile
node tunneled through the foreign agent.
- In addition, reverse tunneling may also be a necessary requirement
for mobile node connectivity. Therefore, AAA servers SHOULD also
be able to condition their acceptance of Mobile IP registration
authorization depending upon whether the registration requires
reverse tunnelling support to the home domain through the foreign
agent.
The lifetime of any security associations distributed by the AAA
server for use with Mobile IP SHOULD be great enough to avoid too-
frequent initiation of the AAA key distribution, since each
invocation of this process is likely to cause lengthy delays between
[re]registrations [5]. Registration delays in Mobile IP cause
dropped packets and noticeable disruptions in service. Note that any
key distributed by AAAH to the foreign agent and home agent MAY be
used to initiate Internet Key Exchange (IKE) [7].
Note further that the mobile node and home agent may well have a
security association established that does not depend upon any action
by the AAAH.
5.1. Mobile IP with Dynamic IP Addresses
According to section 4, many people would like their mobile nodes to
be identified by their NAI, and to obtain a dynamically allocated
home address for use in the foreign domain. These people may often
be unconcerned with details about how their computers implement
Mobile IP, and indeed may not have any knowledge of their home agent
or any security association except that between themselves and the
AAAH (see figure 2). In this case the Mobile IP registration data
has to be carried along with the AAA messages. The AAA home domain
and the HA home domain have to be part of the same administrative
domain.
Mobile IP requires that the home address assigned to the mobile node
belong to the same subnet as the Home Agent providing service to the
mobile node. For effective use of IP home addresses, the home AAA
(AAAH) SHOULD be able to select a home agent for use with the newly
allocated home address. In many cases, the mobile node will already
know the address of its home agent, even if the mobile node does not
already have an existing home address. Therefore, the home AAA
(AAAH) MUST be able to coordinate the allocation of a home address
with a home agent that might be designated by the mobile node.
Allocating a home address and a home agent for the mobile node would
provide a further simplification in the configuration needs for the
client's mobile node. Currently, in the Proposed Standard Mobile IP
specification [13] a mobile node has to be configured with a home
address and the address of a home agent, as well as with a security
association with that home agent. In contrast, the proposed AAA
features would only require the mobile node to be configured with its
NAI and a secure shared secret for use by the AAAH. The mobile
node's home address, the address of its home agent, the security
association between the mobile node and the home agent, and even the
identity (DNS name or IP address) of the AAAH can all be dynamically
determined as part of Mobile IP initial registration with the
mobility agent in the foreign domain (i.e., a foreign agent with AAA
interface features). Nevertheless, the mobile node may choose to
include the MN-HA security extension as well as AAA credentials, and
the proposed Mobile IP and AAA server model MUST work when both are
present.
The reason for all this simplification is that the NAI encodes the
client's identity as well as the name of the client's home domain;
this follows existing industry practice for the way NAIs are used
today (see section 4). The home domain name is then available for
use by the local AAA (AAAL) to locate the home AAA serving the
client's home domain. In the general model, the AAAL would also have
to identify the appropriate security association for use with that
AAAH. Section 6 discusses a way to reduce the number of security
associations that have to be maintained between pairs of AAA servers
such as the AAAL and AAAH just described.
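The two AAA-side steps described above, as an added example that is not part of the RFC: the AAAL derives the home domain from the NAI to locate the AAAH and forwards the Mobile IP registration data opaquely (section 5), and the AAAH allocates a home address on the subnet of a home agent, honouring one the mobile node designated. The realm-to-AAAH table, home agent list and address pools are constructed sample data.

```python
import ipaddress

# Constructed sample tables (not from the RFC): which AAAH serves each home
# domain, and which home agents the AAAH can allocate addresses on.
AAAH_BY_REALM = {"example.com": "aaah.example.com"}
HOME_AGENTS = {
    "192.0.2.1": {"subnet": "192.0.2.0/24", "free": ["192.0.2.10", "192.0.2.11"]},
    "198.51.100.1": {"subnet": "198.51.100.0/24", "free": ["198.51.100.20"]},
}


def nai_home_domain(nai):
    """Return the realm of a user@realm NAI; the AAAL uses it to locate the AAAH."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("NAI does not name a home domain: %r" % nai)
    return realm.lower()


def aaal_route(nai, mip_registration):
    """AAAL step: pick the AAAH from the NAI realm and forward the Mobile IP
    registration data unchanged, since the AAA servers treat it as opaque."""
    aaah = AAAH_BY_REALM.get(nai_home_domain(nai))
    if aaah is None:
        raise LookupError("no AAAH known for the realm of %r" % nai)
    return aaah, bytes(mip_registration)


def allocate_home_binding(designated_ha=None):
    """AAAH step: choose a home agent (the one the mobile node designated, if
    any) and a home address on that agent's subnet, as Mobile IP requires."""
    if designated_ha is not None:
        if designated_ha not in HOME_AGENTS:
            raise LookupError("unknown home agent designated: %r" % designated_ha)
        candidates = [designated_ha]
    else:
        candidates = [ha for ha, info in HOME_AGENTS.items() if info["free"]]
    for ha in candidates:
        info = HOME_AGENTS[ha]
        subnet = ipaddress.ip_network(info["subnet"])
        while info["free"]:
            addr = info["free"].pop(0)
            # Only hand out an address that really lies on the home agent's subnet.
            if ipaddress.ip_address(addr) in subnet:
                return addr, ha
    raise RuntimeError("no home address available on the candidate home agent(s)")
```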
5.2. Firewalls and AAA
Mobile IP has encountered some deployment difficulties related to
firewall traversal; see for instance [11]. Since the firewall and
AAA server can be part of the same administrative domain, we propose
that the AAA server SHOULD be able to issue control messages and keys
to the firewall at the boundary of its administrative domain that
will configure the firewall to be permeable to Mobile IP registration
and data traffic from the mobile node.
5.3. Mobile IP with Local Home Agents
   +----------------------------+        +--------------+
   |     +------+    +------+   |        |   +------+   |
   |     |      |    |      |   |        |   |      |   |
   |     |  HA  +----+ AAAL |   |        |   | AAAH |   |
   |     |      |    |      +----------------+      |   |
   |     +-+----+    +---+--+   |        |   +------+   |
   |       |             |      |        |  Home Domain |
   |       |       +- - -+      |        +--------------+
+------+   |   +----+-+          |
|      |   |   |      |          |
|  MN  +---+--+  FA  |          |
|      |       |      |          |
+------+       +------+          |
   |              Local Domain  |
   +----------------------------+
              Figure 4: Home Agent Allocated by AAAL
In some Mobile IP models, mobile nodes boot on subnets which are
technically foreign subnets, but the services they need are local,
and hence communicating with the home subnet as if they were residing
on it is not necessary. As long as the mobile node can get an
address routable from within the current domain (be it publicly or
privately addressed), it can use Mobile IP to roam around that domain,
calling the subnet on which it booted its temporary home. This
address is likely to be dynamically allocated upon request by the
mobile node.
In such situations, when the client is willing to use a dynamically
allocated IP address and does not have any preference for the
location of the home network (either geographical or topological),
the local AAA server (AAAL) may be able to offer this additional
allocation service to the client. Then, the home agent will be
located in the local domain, which is likely to offer smaller
delays for new Mobile IP registrations.
In figure 4, AAAL has received a request from the mobile node to
allocate a home agent in the local domain. The new home agent
receives keys from AAAL to enable future Mobile IP registrations.
From the picture, it is evident that such a configuration avoids
problems with firewall protection at the domain boundaries, such as
were described briefly in section 5.2. On the other hand, this
configuration makes it difficult for the mobile node to receive data
from any communications partners in the mobile node's home
administrative domain. Note that, in this model, the mobile node's
home address is affiliated with the foreign domain for routing
purposes. Thus, any dynamic update to DNS, to associate the mobile
node's home FQDN (Fully Qualified Domain Name [10]) with its new IP
address, will require insertion of a foreign IP address into the home
DNS server database.
5.4. Mobile IP with Local Payments
Since the AAAL is expected to be enabled to allocate a local home
agent upon demand, we can make a further simplification. In cases
where the AAAL can manage any necessary authorization function
locally (e.g., if the client pays with cash or a credit card), then