Next: Optional Authentication Up: Mobile Registration Previous: Mobile Registration

Mobile Node/Home Agent Authentication

If authentication is required only over control messages between the home agent and the mobile node, then foreign agents are assumed to permit any mobile node to attempt registration. During mobile registration, the mobile node sends authenticated messages to a home agent via the foreign agent; the foreign agent relies on the home agent's reply message, which grants or denies the registration. The security association between the mobile node and the home agent is based on a predetermined shared key or certificate.

The mobile registration request packet consists of the following fields: \( Type \vert Flags \vert Lifetime \vert Home Address \vert Home Agent \vert CareOf Address \vert Id \vert Ext \)

and is preceded by a UDP header [10]. Type indicates whether the message is a registration request or a registration reply. Home Address is the mobile node's address in its home subnet. Home Agent is the IP address of the home agent. Care Of Address is either the IP address of the foreign agent or a temporary ``co-located care-of address'' externally assigned to the mobile node within the foreign subnet. The Id (Identification) value is unique to each registration request and is echoed in the corresponding reply, so that replies can be matched to requests and replayed messages detected. The Mobile-Home Authentication Extension is: \( Ext Type \vert Len \vert SPI \vert Authentication Data \)

For our purposes, the Ext Type indicates whether the extension is for Mobile-Home, Mobile-Foreign or Foreign-Home authentication. The Authentication Data is the result of applying an authentication transform over part of the UDP payload; it has been referred to as the hash-value in this paper. A UDP mobile registration request packet is therefore: \( UDP Header \vert Type \vert Flags \vert Lifetime \vert Home Address \vert Home Agent \vert CareOf Address \vert Id \vert Earlier Ext \vert Ext Type \vert Len \vert SPI \vert Authentication Data \)

In our abstract packet format, a registration request message is: \( ( Mobile, data\!-\!list, ( Type, Flags, Lifetime, Home Address, Home Agent, CareOf Address, Id, Earlier Ext, Ext Type, Len ), ( )) \)

where data-list is the entire packet. The mobile registration reply packet consists of the following fields: \( Type \vert Code \vert Lifetime \vert Home Address \vert Home Agent \vert CareOf Address \vert Id \vert Ext \)

and is preceded by a UDP header [10]. Code indicates the status of the registration request carrying the same Id. The Mobile-Home Authentication Extension has the same format as for registration request messages. A UDP mobile registration reply packet is: \( UDP Header \vert Type \vert Code \vert Lifetime \vert Home Address \vert Home Agent \vert CareOf Address \vert Id \vert Earlier Ext \vert Ext Type \vert Len \vert SPI \vert Authentication Data \)

In our abstract packet format, a registration reply message is: \( ( Mobile, data\!-\!list, ( Type, Code, Lifetime, Home Address, Home Agent, CareOf Address, Id, Earlier Ext, Ext Type, Len ), ( )). \)

In both the request and the reply, the authentication transform is applied over all fields of the UDP packet except the UDP header, the SPI and the Authentication Data. As with the IP security headers, the SPI together with, in this case, the Home Address (or the Home Agent address for a reply) indexes the security association and, specifically, the key. Integrity is thus supplied directly over the UDP payload (except the SPI and Authentication Data) and indirectly over the SPI: a modified SPI selects a different key, under which the Authentication Data (hash-value) will not recompute correctly. Since the address that identifies the key holder is itself covered by the hash-value, the fields in the hash-data are not merely protected against modification in transit but authenticated as originating from the holder of that key.
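The request and reply exchange above, with the hash-value computed over exactly the fields the text names (everything after the UDP header except the SPI and the Authentication Data), as an added example that is not code from the paper. It assumes HMAC-SHA256 as the authentication transform, since the text speaks only of "an authentication transform", and uses constructed addresses, key, SPI and Identification values. Type, extension-type and Code numbers are those assigned in RFC 2002; the RFC's registration reply fixed part carries no Care-of Address field, so the reply here follows the RFC layout rather than the abstract format above. The home agent indexes the key by (Home Address, SPI) and the mobile node by (Home Agent, SPI), as described. The demo shows a rewritten Care-of Address being rejected with Code 131, and a swapped SPI selecting no association at all.

```python
"""Mobile IP registration request and reply carrying the Mobile-Home
Authentication Extension, laid out as the text describes.  Added example, not
code from the paper; HMAC-SHA256 and all sample values are assumptions."""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST, REG_REPLY = 1, 3                  # Type values assigned in RFC 2002
MH_AUTH_EXT = 32                               # Mobile-Home Authentication Extension type
CODE_ACCEPTED, CODE_MN_AUTH_FAILED = 0, 131    # reply Code values from RFC 2002
DIGEST = hashlib.sha256                        # assumed transform (the text leaves it open)
FIXED_REQ = struct.Struct("!BBH4s4s4sQ")       # Type|Flags|Lifetime|Home|HA|CoA|Id (24 bytes)
FIXED_REP = struct.Struct("!BBH4s4sQ")         # Type|Code|Lifetime|Home|HA|Id (RFC 2002 reply)
KEY, SPI = b"\x0b" * 16, 0x1000                # constructed security association
HA_SA = {("10.1.2.3", SPI): KEY}               # home agent side: indexed by (Home Address, SPI)
MN_SA = {("10.1.0.1", SPI): KEY}               # mobile node side: indexed by (Home Agent, SPI)
IDENT = 0x5F000000_00000001                    # constructed 64-bit Identification

def ip(addr):
    return ipaddress.IPv4Address(addr).packed

def hash_value(key, covered):
    """Authentication Data over the hash-data: the UDP payload up to and including
    Ext Type and Len, i.e. all but the SPI and the Authentication Data itself."""
    return hmac.new(key, covered, DIGEST).digest()

def append_auth_ext(prefix, key, spi):
    ext_len = 4 + DIGEST().digest_size         # Len counts the SPI plus the authenticator
    covered = prefix + bytes([MH_AUTH_EXT, ext_len])
    return covered + struct.pack("!I", spi) + hash_value(key, covered)

def build_request(key, spi, flags, lifetime, home, ha, coa, ident, earlier_ext=b""):
    fixed = FIXED_REQ.pack(REG_REQUEST, flags, lifetime, ip(home), ip(ha), ip(coa), ident)
    return append_auth_ext(fixed + earlier_ext, key, spi)

def build_reply(key, spi, code, lifetime, home, ha, ident):
    fixed = FIXED_REP.pack(REG_REPLY, code, lifetime, ip(home), ip(ha), ident)
    return append_auth_ext(fixed, key, spi)

def split_auth_ext(msg, fixed_size):
    """Walk the extensions; return (covered, spi, auth) for the MH auth extension, else None."""
    pos = fixed_size
    while pos + 2 <= len(msg):
        ext_type, ext_len = msg[pos], msg[pos + 1]
        if ext_type == MH_AUTH_EXT:
            body = msg[pos + 2:pos + 2 + ext_len]
            if ext_len < 4 or len(body) != ext_len:
                return None
            return msg[:pos + 2], struct.unpack("!I", body[:4])[0], body[4:]
        pos += 2 + ext_len
    return None

def check(msg, fixed_size, sa_table, index_addr):
    """Select the key by (index address, SPI) and recompute; (key, spi, ok) or None if no SA."""
    parts = split_auth_ext(msg, fixed_size)
    if parts is None:
        return None
    covered, spi, auth = parts
    key = sa_table.get((index_addr, spi))
    if key is None:
        return None
    return key, spi, hmac.compare_digest(hash_value(key, covered), auth)

def home_agent_handle(req):
    """Home agent: authenticate the request, answer with a Code and the same Id."""
    if len(req) < FIXED_REQ.size or req[0] != REG_REQUEST:
        return None
    _, _, lifetime, home, ha, _, ident = FIXED_REQ.unpack_from(req)
    home, ha = str(ipaddress.IPv4Address(home)), str(ipaddress.IPv4Address(ha))
    result = check(req, FIXED_REQ.size, HA_SA, home)
    if result is None:
        return None                            # unknown SPI: nothing to authenticate a reply with
    key, spi, ok = result
    code = CODE_ACCEPTED if ok else CODE_MN_AUTH_FAILED
    return build_reply(key, spi, code, lifetime if ok else 0, home, ha, ident)

def mobile_node_accept(rep, expected_ident):
    """Mobile node: verify under (Home Agent, SPI), require the request's Id; Code or None."""
    if rep is None or len(rep) < FIXED_REP.size or rep[0] != REG_REPLY:
        return None
    _, code, _, _, ha, ident = FIXED_REP.unpack_from(rep)
    result = check(rep, FIXED_REP.size, MN_SA, str(ipaddress.IPv4Address(ha)))
    if result is None or not result[2] or ident != expected_ident:
        return None
    return code

def demo():
    req = build_request(KEY, SPI, 0, 1800, "10.1.2.3", "10.1.0.1", "192.0.2.77", IDENT)
    accepted = mobile_node_accept(home_agent_handle(req), IDENT)
    # Rewriting the Care-of Address (bytes 12..15) breaks the hash-value: Code 131 comes back.
    forged = req[:12] + ip("198.51.100.9") + req[16:]
    rejected = mobile_node_accept(home_agent_handle(forged), IDENT)
    # The SPI (bytes 26..29) is outside the hash-data, but changing it selects another
    # association, here a non-existent one, so the request cannot be verified at all.
    spi_swapped = req[:26] + struct.pack("!I", SPI + 1) + req[30:]
    return accepted, rejected, home_agent_handle(spi_swapped)
```

Calling `demo()` returns `(0, 131, None)`: the untouched request is accepted, the request with a rewritten Care-of Address is answered with an authenticated reply carrying Code 131 and the original Id, and the request with a swapped SPI matches no security association at the home agent. The `split_auth_ext` walk also shows why Earlier Ext is in the hash-data: any extension preceding the authentication extension is part of `covered`.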

