1. Introduction
The base Mobile IPv6 specification [RFC3775] specifies the signaling
messages, Binding Update (BU) and Binding Acknowledgement (BA),
between the Mobile Node (MN) and Home Agent (HA) to be secured by the
IPsec Security Associations (IPsec SAs) that are established between
these two entities.

This document proposes a solution for securing the Binding Update and
Binding Acknowledgement messages between the Mobile Node and Home
Agent using a mobility message authentication option that is included
in these messages. Such a mechanism enables IPv6 mobility in a host
without having to establish an IPsec SA with its Home Agent. A
Mobile Node can implement Mobile IPv6 without having to integrate it
with the IPsec module, in which case the Binding Update and Binding
Acknowledgement messages (between MN and HA) are secured with the
mobility message authentication option.

The authentication mechanism proposed here is similar to the
authentication mechanism used in Mobile IPv4 [RFC3344].

The mobility message authentication option specified in Section 5 is
applicable in certain types of networks that have the following
characteristics:

- Networks in which the authentication of the MN for network access
is done by an authentication server in the home network via the home
agent. The security association is established by the network
operator (provisioning methods) between the MN and a backend
authentication server (e.g., Authentication, Authorization, and
Accounting (AAA) home server). MIPv6 as per RFCs 3775 and 3776
relies on the IPsec SA between the MN and an HA. In cases where the
assignment of the HA is dynamic and the only static or long-term SA
is between the MN and a backend authentication server, the mobility
message authentication option is desirable.

- In certain deployment environments, the mobile node needs dynamic
assignment of a home agent and home address. The assignment of such
can be on a per-session basis or on a per-MN power-up basis. In such
scenarios, the MN relies on an identity such as a Network Access
Identifier (NAI) [RFC4283], and a security association with a AAA
server to obtain such bootstrapping information. The security
association is created via an out-of-band mechanism or by non-Mobile
IPv6 signaling. The out-of-band mechanism can be specific to the
deployment environment of a network operator. In Code Division
Multiple Access (CDMA) network deployments, this information can be
obtained at the time of network access authentication via [3GPP2]-
specific extensions to PPP or DHCPv6 on the access link and by AAA
extensions in the core. It should be noted that the out-of-band
mechanism is not within the scope of the mobility message
authentication option (Section 5) and hence is not described therein.

- Network deployments in which not all Mobile Nodes and Home Agents
have IKEv2 implementations and support for the integration of IKEv2
with backend AAA infrastructures. IKEv2 as a technology has yet to
reach the maturity and the widespread implementation needed for
commercial deployments on a large scale. At the time of this
writing, [RFC4306] is yet to be published as an RFC. Hence, from the
practical perspective that operators face, IKEv2 is not yet capable
of addressing the immediate need for MIPv6 deployment.

- Networks that expressly rely on the backend AAA infrastructure as
the primary means for identifying and authenticating/authorizing a
mobile user for MIPv6 service.

- Networks in which the security association between the Mobile Node
and the authentication server (AAA Home) is established using an
out-of-band mechanism and not by any key exchange protocol. Such
networks will also rely on out-of-band mechanisms to renew the
security association (between MN and AAA Home) when needed.

- Networks that are bandwidth constrained (such as cellular wireless
networks) and for which there exists a strong desire to minimize the
number of signaling messages sent over such interfaces. MIPv6
signaling that relies on Internet Key Exchange (IKE) as the primary
means for setting up an SA between the MN and HA requires more
signaling messages compared with the use of a mobility message
authentication option carried in the BU/BA messages.

One example of networks that have these characteristics is CDMA
networks as defined in [3GPP2].