rfc3012.txt

<VC++网络游戏建摸与实现>源代码

   whereby a node might try to supply a bogus Registration Reply to a
   mobile node that causes the mobile node to act as if its Registration
   Reply were rejected.  This might happen when, in fact, a Registration
   Reply showing acceptance of the registration might soon be received
   by the mobile node.

   If the foreign agent chooses a Challenge value (see section 2) with
   fewer than 4 bytes, the foreign agent SHOULD maintain records that
   also the Identification field for the mobile node.  The foreign agent
   can then find assurance that the Registration messages using the
   short Challenge value are in fact unique, and thus assuredly not
   replayed from any earlier registration.

   Section 8 (SPI For RADIUS AAA Servers) defines a method of computing
   the Generalized Mobile IP Authentication Extension's authenticator
   field using MD5 in a manner that is consistent with RADIUS [10].  The
   use of MD5 in the method described in Section 8 is less secure than
   HMAC-MD5 [5], and should be avoided whenever possible.

13. Acknowledgements

   The authors would like to thank Tom Hiller, Mark Munson, the TIA
   TR45-6 WG, Gabriel Montenegro, Vipul Gupta, and Pete McCann for their
   useful discussions.  A recent draft by Mohamed Khalil, Raja
   Narayanan, Emad Qaddoura, and Haseeb Akhtar has also suggested the
   definition of a generalized authentication extension similar to the
   specification contained in section 5.








Perkins & Calhoun           Standards Track                    [Page 12]

RFC 3012             Mobile IPv4 Challenge/Response        November 2000


References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Calhoun, P. and C. Perkins. "Mobile IP Network Access Identifier
        Extension for IPv4", RFC 2794, January 2000.

   [3]  Deering, S., "ICMP Router Discovery Messages", RFC 1256,
        September 1991.

   [4]  Eastlake, D., Crocker, S. and J. Schiller, "Randomness
        Recommendations for Security", RFC 1750, December 1994.

   [5]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
        for Message Authentication", RFC 2104, February 1997.

   [6]  Montenegro, G., "Reverse Tunneling for Mobile IP", RFC 2344, May
        1998.

   [7]  Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal for
        Mobile IP", RFC 2356, June 1998.

   [8]  Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

   [9]  Perkins, C. and D. Johnson, "Route Optimization in Mobile IP",
        Work in Progress.

   [10] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2138, April
        1997.

   [11] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
        1992.

   [12] Simpson, W., "PPP Challenge Handshake Authentication Protocol
        (CHAP)", RFC 1994, August 1996.














Perkins & Calhoun           Standards Track                    [Page 13]

RFC 3012             Mobile IPv4 Challenge/Response        November 2000


A. Verification Infrastructure

   The Challenge extensions in this protocol specification are expected
   to be useful to help the Foreign Agent manage connectivity for
   visiting mobile nodes, even in situations where the foreign agent
   does not have any security association with the mobile node or the
   mobile node's home agent.  In order to carry out the necessary
   authentication, it is expected that the foreign agent will need the
   assistance of external administrative systems, which have come to be
   called AAA systems.  For the purposes of this document, we call the
   external administrative support the "verification infrastructure".
   The verification infrastructure is described to motivate the design
   of the protocol elements defined in this document, and is not
   strictly needed for the protocol to work.  The foreign agent is free
   to use any means at its disposal to verify the credentials of the
   mobile node.  This could, for instance, rely on a separate protocol
   between the foreign agent and the Mobile IP home agent, and still be
   completely invisible to the mobile node.

   In order to verify the credentials of the mobile node, we imagine
   that the foreign agent has access to a verification infrastructure
   that can return a secure notification to the foreign agent that the
   authentication has been performed, along with the results of that
   authentication.  This infrastructure may be visualized as shown in
   figure 4.

             +----------------------------------------------------+
             |                                                    |
             |  Verification and Key Management Infrastructure    |
             |                                                    |
             +----------------------------------------------------+
                    ^ |                                  ^ |
                    | |                                  | |
                    | v                                  | v
             +---------------+                    +---------------+
             |               |                    |               |
             | Foreign Agent |                    |   Home Agent  |
             |               |                    |               |
             +---------------+                    +---------------+

                Figure 4: The Verification Infrastructure

   After the foreign agent gets the Challenge authentication, it MAY
   pass the authentication to the (here unspecified) infrastructure, and
   await a Registration Reply.  If the Reply has a positive status
   (indicating that the registration was accepted), the foreign agent





Perkins & Calhoun           Standards Track                    [Page 14]

RFC 3012             Mobile IPv4 Challenge/Response        November 2000


   accepts the registration.  If the Reply contains the Code value
   BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions
   indicated for rejected registrations.

   Implicit in this picture, is the important observation that the
   Foreign Agent and the Home Agent have to be equipped to make use of
   whatever protocol is made available to them by the challenge
   verification and key management infrastructure shown in the figure.

   The protocol messages for handling the authentication within the
   verification infrastructure, and identity of the agent performing the
   verification of the Foreign Agent challenge, are not specified in
   this document, because those operations do not have to be performed
   by any Mobile IP entity.

Addresses

   The working group can be contacted via the current chairs:

   Basavaraj Patil
   Nokia Corporation
   6000 Connection Drive
   M/S M8-540
   Irving, Texas 75039
   USA

   Phone:  +1 972-894-6709
   Fax :  +1 972-894-5349
   EMail:  Basavaraj.Patil@nokia.com


   Phil Roberts
   Motorola
   1501 West Shure Drive
   Arlington Heights, IL 60004
   USA

   Phone:+1 847-632-3148
   EMail:  QA3445@email.mot.com












Perkins & Calhoun           Standards Track                    [Page 15]

RFC 3012             Mobile IPv4 Challenge/Response        November 2000


   Questions about this memo can also be directed to the authors:

   Charles E. Perkins
   Communications Systems Lab
   Nokia Research Center
   313 Fairchild Drive
   Mountain View, California 94043
   USA

   Phone:  +1-650 625-2986
   Fax:  +1 650 625-2502
   EMail:  charliep@iprg.nokia.com



   Pat R. Calhoun
   Network & Security Center
   Sun Microsystems Laboratories
   15 Network Circle
   Menlo Park, California 94025
   USA

   Phone:  +1 650-786-7733
   Fax:  +1 650-786-6445
   EMail:  pcalhoun@eng.sun.com


























Perkins & Calhoun           Standards Track                    [Page 16]

RFC 3012             Mobile IPv4 Challenge/Response        November 2000


Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Perkins & Calhoun           Standards Track                    [Page 17]