INTERNET DRAFT                                        Mohamed M. Khalil
Category: Standards Track                                 Haseeb Akhtar
Title: draft-mkhalil-mipv6-alloc-01.txt                 Nortel Networks
Date: February 2004                                        Alpesh Patel
Expires: August 2004                                         Kent Leung
                                                      Cisco System Inc.

        Secure and Dynamic Allocation of Home Address for MIPv6
                   draft-mkhalil-mipv6-alloc-01.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 30, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Static configuration of the MN's (Mobile Node) home address is a very
   cumbersome task and a provisioning nightmare for the Service
   Providers. With millions of subscribers, a typical Service Provider
   stands to incur considerable expenses in order to manually configure
   the home addresses of all of its MNs. The ability to dynamically and
   securely allocate the MN's home address, therefore, can immensely aid
   in providing a cost-effective and efficient device management
   alternative to the Service Providers. This draft provides a simple
   method for dynamically allocating the MN's home address in a secure
   manner.

Khalil et al.                Expires August, 2004               [Page 1]

Internet-Draft   Secure and Dynamic Home Address for IPv6  February 2004

Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2. Basic Operation. . . . . . . . . . . . . . . . . . . . . . . . 3
   3. Mobile Node Obtaining a Home IP Address . . . . . . . . . . .  3
   4. Mobile Node Operation. . . . . . . . . . . . . . . . . . . . . 4
   5. Home Agent Operation . . . . . . . . . . . . . . . . . . . . . 4
   6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1. Introduction

   Static configuration of the MN's (Mobile Node) home address is a very
   cumbersome task and a provisioning nightmare for the Service
   Providers. With millions of subscribers, a typical Service Provider
   stands to incur considerable expenses in order to manually configure
   the home addresses of all of its MNs. The ability to dynamically and
   securely allocate the MN's home address, therefore, can immensely aid
   in providing a cost-effective and efficient device management
   alternative to the Service Providers. This draft provides a simple
   method for dynamically allocating the MN's home address in a secure
   manner.

   The proposed method achieves this objective by adding two new
   mobility options to the Binding Update message. While in a foreign
   network, the MN MUST add these new mobility options when sending the
   very first Binding Update message to the HA (Home Agent).

2. Basic Operation

   The following message flow shows the basic operation of the proposed
   method for dynamic and secure allocation of the MN's home address.

        MN                    AR                    HA
         |                     |                     |
     (1) |<---Obtain a CoA---->|                     |
         |                     |                     |
     (2) |-----BU with Mobility Options of [4] & [5]----->|
         |                     |                     |
         |                     |       (3) HA allocates/verifies
         |                     |           MN's home address
         |                     |                     |
     (4) |<-----BA with Mobility Options of [4] & [5]-----|
         |                     |                     |

   (1) The MN obtains a Care-of Address using the methods described in
       [1].

   (2) The MN now has a Care-of Address. It sends the Binding Update
       (BU) message to the HA with the NAI option as described in [4]
       and with the mobility options as described in [5].
   (3) The HA allocates a home address to the MN or, in the case where
       the MN has already been allocated a home address, verifies the
       MN's home address.

   (4) The HA returns the MN's home address in the BA (Binding
       Acknowledgement) message with the mobility options as described
       in [4] and [5]. The MN now has a valid home address. It MAY
       initiate an IPSec session with the HA as described in [2].

3. Mobile Node Obtaining a Home IP Address

   There are two mechanisms for the MN to obtain a Home IP Address. They
   are as follows:

3.1 Stateless Address Configuration

   The MN needs to acquire prefix information about its home network to
   construct a home IP address based on the stateless address
   configuration as defined in [6]. The MN uses the Prefix Configuration
   messages as described in [1]. Once the MN has obtained the set of
   home prefix information, it will construct a stateless address as
   described in [6].

   If the MN is away from home, it will not be able to verify the
   uniqueness of its home IP address using DAD (Duplicate Address
   Detection) on the foreign sub-network. In that case, the MN should
   send a BU and include the Home IP address in the Home IP field of the
   Home Address option. The MN-NAI (as described in [4]) MUST be
   included in the BU message. The BU MUST be authenticated by including
   the MN-HA Authentication option as described in [5].

   When the HA receives the BU it will verify the authenticity of the
   message (as described in [5]) and perform DAD on the home sub-network
   for the home IP address. If the home IP address is unique, a
   successful BA message MUST be sent to the MN. The HA will then follow
   the registration steps stated in [1] to register the MN.

   Upon receiving a successful BA, the MN MAY start IKE/IPSec
   negotiation to establish an IPSec Security Association to be used in
   the future as stated in [1].

3.2 Stateful Address Configuration

   This process is performed by the MN issuing a request to the HA for a
   home IP address.
   The MN will first send a BU with the MN-NAI option as described in
   [4]. The BU MUST also include the MN-HA Authentication option as
   described in [5] so that the MN can be authenticated by the HA. The
   MN MUST include zero (all zeros) in the home IP address field of the
   Home Destination option.

   Upon receiving the BU, the HA will first verify the authenticity of
   the BU as described in [5]. It will then attempt to allocate a unique
   IP address to the MN. If the allocation process is successful, the HA
   will follow the registration steps stated in [1] to register the MN.

   Upon receiving a successful BA, the MN MAY start IKE/IPSec
   negotiation to establish an IPSec Security Association to be used in
   the future as stated in [1].

4. Mobile Node Operation

   The MN MAY use the method proposed in this draft to acquire its home
   address dynamically in a secure manner. As soon as it obtains the CoA
   (according to the procedures described in [1]), it MUST construct a
   BU message with the NAI option as described in [4] and the
   authentication options as described in [5]. It MUST also set the home
   address field of the BU message to zero (all zeros).

   Upon receiving the BA message from the HA, the MN MUST verify the
   authenticity of the BA as described in [5]. The home address returned
   by the HA in the home address field of the BA message will be the
   MN's home address for this session.

5. Home Agent Operation

   Upon receiving a Binding Update message with the NAI option [4], the
   HA MAY use this information to identify the user (for example, to
   locate its record in the subscriber database).

   Upon receiving a Binding Update message with the Authentication
   options as described in [5], the HA MUST verify the user according to
   the methods described in [5].
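   The BU/BA exchange of Sections 3 to 5, as an added Python model that
   is not part of this draft: the MN builds a BU carrying the NAI
   option, the home address field (all zeros to request allocation) and
   an authenticator; the HA authenticates the BU first, then either
   allocates an address or checks that a nonzero address is not already
   bound to a different MN (standing in for DAD on the home link), and
   answers with an authenticated BA. The HMAC-SHA1 authenticator, the
   status values, the address prefix and the shared keys are
   assumptions; the real authentication option is defined in [5], and
   the "not unique" status code is the draft's placeholder ZZZ.

```python
import hashlib
import hmac

UNSPECIFIED = "::"          # all-zeros home address field (Sections 3.2 and 4)
STATUS_ACCEPTED = 0         # constructed local status codes; the draft leaves
STATUS_AUTH_FAILED = 1      # the real "home IP address not unique" code as ZZZ
STATUS_NOT_UNIQUE = 2


def authenticator(key, *fields):
    """Hypothetical MN-HA authenticator: HMAC-SHA1 over the joined fields.
    The real MN-HA Authentication option algorithm is defined in [5]."""
    data = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def build_bu(nai, home_addr, coa, key):
    """MN side (Section 4): BU with NAI option, home address field and auth."""
    return {"nai": nai, "home_addr": home_addr, "coa": coa,
            "auth": authenticator(key, nai, home_addr, coa)}


def verify_ba(ba, key):
    """MN side: a BA is accepted only if its authenticator matches."""
    expected = authenticator(key, ba["status"], ba["home_addr"])
    return hmac.compare_digest(expected, ba.get("auth", ""))


class HomeAgent:
    def __init__(self, subscribers, home_prefix):
        self.subscribers = subscribers   # NAI -> MN-HA shared key (subscriber DB)
        self.home_prefix = home_prefix
        self.bindings = {}               # home address -> NAI; stands in for DAD
        self.next_iid = 1

    def handle_bu(self, bu):
        """HA side (Section 5): authenticate first, then allocate or verify."""
        key = self.subscribers.get(bu["nai"])
        expected = authenticator(key, bu["nai"], bu["home_addr"], bu["coa"]) if key else ""
        if not key or not hmac.compare_digest(expected, bu["auth"]):
            return {"status": STATUS_AUTH_FAILED, "home_addr": bu["home_addr"]}
        addr = bu["home_addr"]
        if addr == UNSPECIFIED:
            # Stateful case: hand out the next address not already bound
            while f"{self.home_prefix}{self.next_iid:x}" in self.bindings:
                self.next_iid += 1
            addr = f"{self.home_prefix}{self.next_iid:x}"
            self.next_iid += 1
        elif self.bindings.get(addr, bu["nai"]) != bu["nai"]:
            # Stateless case: the proposed address is held by a different MN
            return {"status": STATUS_NOT_UNIQUE, "home_addr": addr}
        self.bindings[addr] = bu["nai"]
        return {"status": STATUS_ACCEPTED, "home_addr": addr,
                "auth": authenticator(key, STATUS_ACCEPTED, addr)}
```

   A BU that fails authentication is answered before any allocation or
   uniqueness check is attempted, matching the order of Section 5.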
   If and when the HA receives a valid Binding Update message with the
   MN's home address field set to zero along with the NAI option, it
   MUST allocate a unique IP address and process the registration
   procedure as stated in [1].

   If and when the HA receives a valid Binding Update message with the
   MN's home address field set to a nonzero value along with the NAI
   option, it MUST verify the uniqueness of the home address. If the
   home address is unique, the HA MUST process the registration
   procedure as stated in [1]. If the home address is not unique, it
   MUST reject the Binding Update message and MUST return a Binding
   Acknowledgment message to the MN with an error status code ZZZ (home
   IP address not unique).

6. References

   [1] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support in
       IPv6", draft-ietf-mobileip-ipv6-24.txt (work in progress), June
       2003.

   [2] Arkko, J., Devarapalli, V. and F. Dupont, "Using IPsec to Protect
       Mobile IPv6 Signaling between Mobile Nodes and Home Agents",
       draft-ietf-mobileip-mipv6-ha-ipsec-06 (work in progress), June
       2003.

   [3] Perkins, C., "IP Mobility Support for IPv4", RFC 3220, January
       2002.

   [4] Patel, A., et al., "Network Access Identifier Option for Mobile
       IPv6", draft-patel-mipv6-nai-option-01.txt (work in progress),
       February 2004.

   [5] Patel, A., et al., "Authentication Protocol for Mobile IPv6",
       draft-patel-mipv6-authentication-option-01.txt (work in
       progress), February 2004.

   [6] Thomson, S. and T. Narten, "IPv6 Stateless Address
       Autoconfiguration", RFC 2462, December 1998.

Addresses

   The working group can be contacted via the current chairs:

   Basavaraj Patil
   Nokia Corporation
   6000 Connection Drive
   M/S M8-540
   Irving, TX 75039
   USA
   Phone: +1 972-894-6709
   Fax  : +1 972-894-5349
   Email: Basavaraj.Patil@nokia.com

   Gopal Dommety
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   Phone: +1 408 525 1404
   E-Mail: gdommety@cisco.com

   Questions about this draft can be directed to the authors:

   Mohamed Khalil
   Nortel Networks
   2221 Lakeside Blvd.
   Richardson, TX 75082
   USA
   Phone: +1 972-685-0574
   Email: mkhalil@nortelnetworks.com

   Haseeb Akhtar
   Nortel Networks
   2221 Lakeside Blvd.
   Richardson, TX 75082
   USA
   Phone: +1 972-684-4732
   Email: haseebak@nortelnetworks.com

   Alpesh Patel
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA 95134
   USA
   Phone: +1 408-853-9580
   Email: alpesh@cisco.com

   Kent Leung
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA 95134
   USA
   Phone: +1 408-526-5030
   Email: kleung@cisco.com