IETF Mobile IP Working Group C. Perkins Internet-Draft WiChorus Inc. Expires: April 15, 2010 October 12, 2009 Authentication Mandate for All Registration Reply Messages draft-perkins-mip4-authreqd-00.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 15, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Perkins Expires April 15, 2010 [Page 1] Internet-Draft Authentication Mandate for Reg Reply October 2009 Abstract Some implementations of Mobile IP home agents have been observed to supply zero authentication data when sending a Registration Reply to the mobile node that contains rejection code 131 (Mobile Node Failed Authentication). This creates a vulnerability whereby a mobile node could be denied service from its home agent, and thus lose connectivity to the Internet even though mobile node and home agent were otherwise functioning properly. Perkins Expires April 15, 2010 [Page 2] Internet-Draft Authentication Mandate for Reg Reply October 2009 1. Introduction When a mobile node sends a Registration Request to its home agent, it expects a Registration Reply with a return code of 0 or 1. Other return codes indicate that the registration was unsuccessful. All registration messages, whether indicating success or failure, are expected to be equipped with authentication data so that the mobile node and home agent can verify that the information in the registration messages is really supplied by the home agent or the mobile node respectively. This is true even for registration messages that indicate failure. A mobile node should be able to verify that Registration Reply messages containing a failure code are really generated by its home agent. Otherwise, the mobile node might unnecessarily take the actions corresponding to a failure to register, perhaps causing at least a temporary disconnection. Even if the mobile node does retransmit the Registration Reply message, the only result might be to receive shortly thereafter yet another bogus Registration Reply message with the same rejection code. Soon enough, the mobile node will give up the attempt to register at its current care-of address, even though the home agent had indeed registered the care-of address and sent a Registration Reply message indicating success. In the specific case of rejection Code 131, there is a likelihood that the mobile node's security association with its home agent needs to be refreshed, if the authentication data supplied with the Registration Request message were not correct. It would be an unfortunate error if a malicious agent were able to trigger re- establishment of the mobile node's Mobility Security Association. Since, for Code 131, there are no retries specified in the Mobile-IP protocol specification [1]. a single malicious packet could trigger the loss of even a newly established and valid Mobility Security Association between the mobile node and the home agent. Worse, such an action could trigger an exception condition in the home domain, if the home domain policy excluded too-frequent attempts for the establishment of such security associations. Perkins Expires April 15, 2010 [Page 3] Internet-Draft Authentication Mandate for Reg Reply October 2009 2. Mobile Node Handling for Unauthenticated Registration Replies We propose that all Registration Reply messages MUST contain a valid Mobile-Home Authentication Extension, with nonzero authentication data generated according to the security algorithm indicated by the SPI present in the Authentication extension. This is required whether or not the Mobile Node is identified putely by its IP address, or if the Mobile Node NAI extension is also supplied. The registration message data protected by the Authentication Data in the Mobile-Home Authentication Extension MUST be the same as specified in [1]. As specified in section 3.6.2.1 of [1], if a Mobile Node receives a Registration Reply message that does not contain a Mobile-Home Authentication Extension, or one with zero authentication data, the Mobile Node MUST silently discard that packet. According to the meaning of "silently discard", the mobile node MUST NOT use that packet as a trigger for retransmitting the Registration Request message. Perkins Expires April 15, 2010 [Page 4] Internet-Draft Authentication Mandate for Reg Reply October 2009 3. Security Parameters Index A mobility security association between the Home Agent and the Mobile node MAY be configured especially For the purpose of supplying the authentication data to the Mobile Node when a Registration Request is rejected, This alternative security association MAY use a default SPI number, or any other different SPI that may be convenient. This may also include an SPI in the range of well-known SPI numbers, but not any reserved value for the SPI. Perkins Expires April 15, 2010 [Page 5] Internet-Draft Authentication Mandate for Reg Reply October 2009 4. Foreign Agent Handling for Unauthenticated Registration Replies Similarly, in accordance with section 3.7.3.1 of [1], when a Foreign Agent has a security association with a Home Agent, each Registration Reply from that home agent MUST contain a Foreign-Home Authentication Extension with nonzero authentication data. Otherwise, when a Foreign Agent has a security association with a Home Agent, that Registration Reply MUST be silently discarded. Perkins Expires April 15, 2010 [Page 6] Internet-Draft Authentication Mandate for Reg Reply October 2009 5. Security Considerations This document identifies a security exposure that might disrupt a mobile node's ability to connect to the Internet, and proposes a solution to eliminate this exposure. It does not create any new security exposures. Perkins Expires April 15, 2010 [Page 7] Internet-Draft Authentication Mandate for Reg Reply October 2009 6. Normative References [1] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002. Perkins Expires April 15, 2010 [Page 8] Internet-Draft Authentication Mandate for Reg Reply October 2009 Author's Address Charles E. Perkins WiChorus Inc. 3590 N. 1st Street, Suite 300 San Jose CA 95134 USA Email: charliep@computer.org Perkins Expires April 15, 2010 [Page 9]