rfc2977.txt

Well-known RFC documents, some of which have been translated into Chinese.
RFC 2977               Mobile IP AAA Requirements           October 2000
Glass, et al.                Informational                     [Page 11]

   For Mobile IP, the AAAL and the AAAH servers have the following
   additional general tasks:

   -  enable [re]authentication for Mobile IP registration

   -  authorize the mobile node (once its identity has been established)
      to use at least the set of resources for minimal Mobile IP
      functionality, plus potentially other services requested by the
      mobile node

   -  initiate accounting for service utilization

   -  use AAA protocol extensions specifically for including Mobile IP
      registration messages as part of the initial registration sequence
      to be handled by the AAA servers.

   These tasks, and the resulting more specific tasks to be listed later
   in this section, are beneficially handled and expedited by the AAA
   servers shown in figure 1 because the tasks often happen together,
   and task processing needs access to the same data at the same time.

                 Local Domain                  Home Domain
                 +--------------+           +----------------------+
                 |   +------+   |           |   +------+           |
                 |   |      |   |           |   |      |           |
                 |   | AAAL |   |           |   | AAAH |           |
                 |   |      +-------------------+      |           |
                 |   +---+--+   |           |   +--+---+           |
                 |       |      |           |      |               |
                 |       |      |           |      |               |
      +------+   |   +---+--+   |           |   +--+---+           |
      |      |   |   |      |   |           |   |      |           |
      |  MN  +- -|- -+  FA  + --  --  --  --  - +  HA  |           |
      |      |   |   |      |   |           |   |      |           |
      +------+   |   +------+   |           |   +------+           |
                 |              |           |                      |
                 +--------------+           +----------------------+

               Figure 3: AAA Servers with Mobile IP agents

   In the model in figure 1, the initial AAA transactions are handled
   without needing the home agent, but Mobile IP requires every
   registration to be handled between the home agent (HA) and the
   foreign agent (FA), as shown by the sparse dashed (lower) line in
   figure 3.  This means that during the initial registration, something
   has to happen that enables the home agent and foreign agent to
   perform subsequent Mobile IP registrations.  After the initial
   registration, the AAAH and AAAL in figure 3 would not be needed, and
   subsequent Mobile IP registrations would only follow the lower
   control path between the foreign agent and the home agent.

   Any Mobile IP data that is sent by FA through the AAAL to AAAH MUST
   be considered opaque to the AAA servers.  Authorization data needed
   by the AAA servers then MUST be delivered to them by the foreign
   agent from the data supplied by the mobile node.  The foreign agent
   becomes a translation agent between the Mobile IP registration
   protocol and AAA.

   As mentioned in section 3, nodes in two separate administrative
   domains often must take additional steps to guarantee their security
   and privacy, as well as the security and privacy of the data they
   are exchanging.  In today's Internet, such security measures may be
   provided by using several different algorithms.  Some algorithms rely
   on the existence of a public-key infrastructure [8]; others rely on
   distribution of symmetric keys to the communicating nodes [9].  AAA
   servers SHOULD be able to verify credentials using either style in
   their interactions with Mobile IP entities.

   In order to enable subsequent registrations, the AAA servers MUST be
   able to perform some key distribution during the initial Mobile IP
   registration process from any particular administrative domain.
   This key distribution MUST be able to provide the following security
   functions:

   -  identify or create a security association between MN and home
      agent (HA); this is required for the MN to produce the
      [re]authentication data for the MN--HA authentication extension,
      which is mandatory on Mobile IP registrations.

   -  identify or create a security association between mobile node and
      foreign agent, for use with subsequent registrations at the same
      foreign agent, so that the foreign agent can continue to obtain
      assurance that the same mobile node has requested the continued
      authorization for Mobile IP services.

   -  identify or create a security association between home agent and
      foreign agent, for use with subsequent registrations at the same
      foreign agent, so that the foreign agent can continue to obtain
      assurance that the same home agent has continued the authorization
      for Mobile IP services for the mobile node.

   -  participate in the distribution of the security association (and
      Security Parameter Index, or SPI) to the Mobile IP entities

   -  The AAA server MUST also be able to validate certificates provided
      by the mobile node and provide reliable indication to the foreign
      agent.

   -  The AAAL SHOULD accept an indication from the foreign agent about
      the acceptable lifetime for its security associations with the
      mobile node and/or the mobile node's home agent.  This lifetime
      for those security associations SHOULD be an integer multiple of
      registration lifetime offered by the foreign agent to the mobile
      node.  This MAY allow for Mobile IP reauthentication to take place
      without the need for reauthentication to take place on the AAA
      level, thereby shortening the time required for mobile node
      reregistration.

   -  The AAA servers SHOULD be able to condition their acceptance of a
      Mobile IP registration authorization depending upon whether the
      registration requires broadcast or multicast service to the mobile
      node tunneled through the foreign agent.

   -  In addition, reverse tunneling may also be a necessary requirement
      for mobile node connectivity.  Therefore, AAA servers SHOULD also
      be able to condition their acceptance of Mobile IP registration
      authorization depending upon whether the registration requires
      reverse tunnelling support to the home domain through the foreign
      agent.
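   As an added illustration that is not part of the RFC, the following
   Python models the AAAL-side handling of the key-distribution points
   above: the foreign agent's lifetime indication is rounded down to an
   integer multiple of the registration lifetime, MN-HA, MN-FA and HA-FA
   associations with SPIs are created, and a check decides whether a
   later re-registration at the same foreign agent can stay on the
   Mobile IP level or must go back through AAA.  Function names, the
   random-key stand-in and the sample inputs are assumptions.

```python
import secrets
from dataclasses import dataclass

# Mobile IP reserves SPI values 0 through 255 (Mobile IP base spec), so
# distributed SPIs are drawn from the remaining 32-bit range.
SPI_MIN = 256
SPI_MAX = 2**32 - 1


@dataclass(frozen=True)
class SecurityAssociation:
    """One SA handed to the Mobile IP entities during initial registration."""
    peers: tuple           # e.g. ("MN", "HA")
    spi: int               # Security Parameter Index
    key: bytes             # shared secret for the [re]authentication extension
    issued_at: float       # seconds since epoch when distributed
    lifetime: int          # seconds; integer multiple of the registration lifetime


def accepted_sa_lifetime(fa_indication: int, registration_lifetime: int) -> int:
    """AAAL policy: take the FA's acceptable-lifetime indication and round it
    down to an integer multiple of the registration lifetime the FA offers."""
    if registration_lifetime <= 0 or fa_indication < registration_lifetime:
        raise ValueError("SA lifetime must cover at least one registration period")
    return fa_indication - fa_indication % registration_lifetime


def distribute_keys(registration_lifetime: int, fa_indication: int,
                    now: float) -> dict:
    """Create the MN-HA, MN-FA and HA-FA associations (key plus SPI) that the
    key distribution must provide; keys are random here, a constructed stand-in
    for whatever derivation a real AAAH would use."""
    sa_lifetime = accepted_sa_lifetime(fa_indication, registration_lifetime)
    sas = {}
    for name in ("MN-HA", "MN-FA", "HA-FA"):
        spi = secrets.randbelow(SPI_MAX - SPI_MIN + 1) + SPI_MIN
        sas[name] = SecurityAssociation(tuple(name.split("-")), spi,
                                        secrets.token_bytes(16), now, sa_lifetime)
    return sas


def reregistration_needs_aaa(sa: SecurityAssociation, now: float,
                             registration_lifetime: int) -> bool:
    """True when the SA would expire before a new registration period ends,
    so the re-registration cannot stay on the Mobile IP level and the AAA
    key distribution has to run again."""
    return now + registration_lifetime > sa.issued_at + sa.lifetime
```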
   The lifetime of any security associations distributed by the AAA
   server for use with Mobile IP SHOULD be great enough to avoid too-
   frequent initiation of the AAA key distribution, since each
   invocation of this process is likely to cause lengthy delays between
   [re]registrations [5].  Registration delays in Mobile IP cause
   dropped packets and noticeable disruptions in service.  Note that any
   key distributed by AAAH to the foreign agent and home agent MAY be
   used to initiate Internet Key Exchange (IKE) [7].

   Note further that the mobile node and home agent may well have a
   security association established that does not depend upon any action
   by the AAAH.

5.1. Mobile IP with Dynamic IP Addresses

   According to section 4, many people would like their mobile nodes to
   be identified by their NAI, and to obtain a dynamically allocated
   home address for use in the foreign domain.  These people may often
   be unconcerned with details about how their computers implement
   Mobile IP, and indeed may not have any knowledge of their home agent
   or any security association except that between themselves and the
   AAAH (see figure 2).  In this case the Mobile IP registration data
   has to be carried along with the AAA messages.  The AAA home domain
   and the HA home domain have to be part of the same administrative
   domain.

   Mobile IP requires the home address assigned to the mobile node
   belong to the same subnet as the Home Agent providing service to the
   mobile node.  For effective use of IP home addresses, the home AAA
   (AAAH) SHOULD be able to select a home agent for use with the newly
   allocated home address.  In many cases, the mobile node will already
   know the address of its home agent, even if the mobile node does not
   already have an existing home address.  Therefore, the home AAA
   (AAAH) MUST be able to coordinate the allocation of a home address
   with a home agent that might be designated by the mobile node.

   Allocating a home address and a home agent for the mobile would
   provide a further simplification in the configuration needs for the
   client's mobile node.  Currently, in the Proposed Standard Mobile IP
   specification [13] a mobile node has to be configured with a home
   address and the address of a home agent, as well as with a security
   association with that home agent.  In contrast, the proposed AAA
   features would only require the mobile node to be configured with its
   NAI and a secure shared secret for use by the AAAH.  The mobile
   node's home address, the address of its home agent, the security
   association between the mobile node and the home agent, and even the
   identity (DNS name or IP address) of the AAAH can all be dynamically
   determined as part of Mobile IP initial registration with the
   mobility agent in the foreign domain (i.e., a foreign agent with AAA
   interface features).  Nevertheless, the mobile node may choose to
   include the MN-HA security extension as well as AAA credentials, and
   the proposed Mobile IP and AAA server model MUST work when both are
   present.

   The reason for all this simplification is that the NAI encodes the
   client's identity as well as the name of the client's home domain;
   this follows existing industry practice for the way NAIs are used
   today (see section 4).  The home domain name is then available for
   use by the local AAA (AAAL) to locate the home AAA serving the
   client's home domain.  In the general model, the AAAL would also have
   to identify the appropriate security association for use with that
   AAAH.  Section 6 discusses a way to reduce the number of security
   associations that have to be maintained between pairs of AAA servers
   such as the AAAL and AAAH just described.

5.2. Firewalls and AAA

   Mobile IP has encountered some deployment difficulties related to
   firewall traversal; see for instance [11].  Since the firewall and
   AAA server can be part of the same administrative domain, we propose
   that the AAA server SHOULD be able to issue control messages and keys
   to the firewall at the boundary of its administrative domain that
   will configure the firewall to be permeable to Mobile IP registration
   and data traffic from the mobile node.

5.3. Mobile IP with Local Home Agents

                 +-------------------------+           +--------------+
                 |  +------+    +------+   |           |   +------+   |
                 |  |      |    |      |   |           |   |      |   |
                 |  |  HA  +----+ AAAL |   |           |   | AAAH |   |
                 |  |      |    |      +-------------------+      |   |
                 |  +-+----+    +---+--+   |           |   +------+   |
                 |    |             |      |           |  Home Domain |
                 |    |  +- - - - - +      |           +--------------+
      +------+   |  +-+--+-+               |
      |      |   |  |      |               |
      |  MN  +------+  FA  |               |
      |      |   |  |      | Local Domain  |
      +------+   |  +------+               |
                 +-------------------------+

                  Figure 4: Home Agent Allocated by AAAL

   In some Mobile IP models, mobile nodes boot on subnets which are
   technically foreign subnets, but the services they need are local,
   and hence communication with the home subnet as if they were residing
   on the home is not necessary.  As long as the mobile node can get an
   address routable from within the current domain (be it publicly, or
   privately addressed) it can use mobile IP to roam around that domain,
   calling the subnet on which it booted its temporary home.  This
   address is likely to be dynamically allocated upon request by the
   mobile node.

   In such situations, when the client is willing to use a dynamically
   allocated IP address and does not have any preference for the
   location of the home network (either geographical or topological),
   the local AAA server (AAAL) may be able to offer this additional
   allocation service to the client.  Then, the home agent will be
   located in the local domain, which is likely to offer smaller
   delays for new Mobile IP registrations.

   In figure 4, AAAL has received a request from the mobile node to
   allocate a home agent in the local domain.  The new home agent
   receives keys from AAAL to enable future Mobile IP registrations.
   From the picture, it is evident that such a configuration avoids
   problems with firewall protection at the domain boundaries, such as
   were described briefly in section 5.2.  On the other hand, this
   configuration makes it difficult for the mobile node to receive data
   from any communications partners in the mobile node's home
   administrative domain.  Note that, in this model, the mobile node's
   home address is affiliated with the foreign domain for routing
   purposes.  Thus, any dynamic update to DNS, to associate the mobile
   node's home FQDN (Fully Qualified Domain Name [10]) with its new IP
   address, will require insertion of a foreign IP address into the home
   DNS server database.

5.4. Mobile IP with Local Payments

   Since the AAAL is expected to be enabled to allocate a local home
   agent upon demand, we can make a further simplification.  In cases
   where the AAAL can manage any necessary authorization function
   locally (e.g., if the client pays with cash or a credit card), then
