Network Working Group                                         C. Perkins
Request for Comments: 4636                         Nokia Research Center
Category: Standards Track                                   October 2006
Foreign Agent Error Extension for Mobile IPv4
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document specifies a new extension for use by Foreign Agents operating Mobile IP for IPv4. Currently, a foreign agent cannot supply status information without destroying the ability for a mobile node to verify authentication data supplied by the home agent. The new extension solves this problem by making a better place for the foreign agent to provide its status information to the mobile node.
This document specifies a new non-skippable extension for use by Foreign Agents operating Mobile IP for IPv4 [4]. The new extension allows a foreign agent to supply an error code without disturbing the data supplied by the Home Agent within the Registration Reply message. In this way, the mobile node can verify that the Registration Reply message was generated by the Home Agent even in cases where the foreign agent is required by protocol to insert new status information into the Registration Reply message.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. Other terminology is used as already defined in [4].
The format of the FA Error Extension conforms to the Short Extension format specified for Mobile IPv4 [4]. The FA Error Extension is not skippable.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    |    Status     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type

      45

   Length

      2 (covers the Sub-Type and Status octets; as for every Mobile IPv4 extension [4], the Type and Length octets themselves are not counted)

   Sub-Type

      0

   Status

      A status code used by the foreign agent to supply status information to the mobile node.
The FA Error Extension is only valid for use within Mobile IPv4 Registration Reply messages. The FA Error Extension is not skippable. A mobile node that cannot correctly interpret the contents of the FA Error Extension MUST NOT use the care-of address provided in the Registration Reply message, until another Registration Request message has been sent and a successful Registration Reply message received.
Status codes allowable for use within the FA Error Extension are within the range 64-127, the range that RFC 3344 [4] assigns to "registration denied by the foreign agent". The currently specified codes are as follows:

      64  reason unspecified
      65  administratively prohibited
      66  insufficient resources
      68  home agent failed authentication
      71  poorly formed Reply
      77  invalid care-of address
      78  registration timeout

as defined in RFC 3344 [4] for use by the Foreign Agent. A status code carried in the FA Error Extension keeps the meaning it has when carried in the Code field of a Registration Reply; a code must not be defined differently for the two uses.
When a foreign agent appends a FA Error Extension to the Registration Reply as received from the Home Agent, it has to update the UDP Length field in the UDP header [5] to account for the extra 4 bytes of length (and, if the datagram carries a UDP checksum, recompute that checksum over the extended payload). Because the authenticator in the Mobile-Home Authentication Extension covers only the data that precedes it, an extension appended after it lies outside the authenticated region, and the mobile node's verification of the home agent's data still succeeds.
This document updates the Mobile IP base specification [4] regarding the procedures followed by the foreign agent in the case that the home agent fails authentication. Instead of modifying the Code field of the Registration Reply to contain the value 68 (which invalidates the Mobile-Home Authentication Extension), the foreign agent should now append the Foreign Agent Error Extension containing the status value 68.
If a mobile node receives a successful Registration Reply (status code 0 or 1), with a FA Error Extension indicating that the foreign agent is not honoring said Registration Reply, the mobile node SHOULD then send a deregistration message to the home agent. In this way, the home agent will not maintain a registration status that is inconsistent with the status maintained by the foreign agent.
When denying a successful Registration Reply, the Foreign Agent SHOULD send a Registration Revocation message [2] to the Home Agent if a mobility security association exists between them. When the foreign agent does have the required security association, this way of informing the home agent is not exposed to the detrimental actions by malicious foreign agents noted in the security considerations below, because the revocation is authenticated under that association.
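Worked example covering the extension format above and the foreign agent and mobile node procedures in this section. It is an added illustration, not code from RFC 4636 or from any Mobile IP implementation: the home agent builds a Registration Reply carrying a Mobile-Home Authentication Extension, the foreign agent appends the FA Error Extension with status 68 and fixes the UDP Length, and the mobile node verifies the authenticator and chooses an action (use the care-of address, deregister because the foreign agent will not honor the binding, or discard). The pre-RFC 4636 practice of overwriting the Code field is shown alongside so the loss of verifiability is visible. Assumptions: HMAC-MD5 is the authentication algorithm (the RFC 3344 default), every extension present uses a one-byte Length (true of both extensions used), the UDP checksum is left at zero, and the key, SPI, addresses, identification and status values are constructed sample data.

```python
"""Added example for RFC 4636 (not code from the RFC or any Mobile IP stack).
Shows a Registration Reply with an appended FA Error Extension still verifying
under the Mobile-Home Authentication Extension (MHAE), unlike the legacy
practice of overwriting the Code field. Assumes HMAC-MD5 (RFC 3344 default),
one-byte Length on every extension present, and a zero UDP checksum."""
import hashlib
import hmac
import struct

REG_REPLY = 3                 # Registration Reply message type (RFC 3344)
EXT_MHAE = 32                 # Mobile-Home Authentication Extension (RFC 3344)
EXT_FA_ERROR = 45             # FA Error Extension (RFC 4636), non-skippable
FA_ERROR_SUBTYPE = 0
FA_ERROR_STATUS = {64: "reason unspecified", 65: "administratively prohibited",
                   66: "insufficient resources", 68: "home agent failed authentication",
                   71: "poorly formed Reply", 77: "invalid care-of address",
                   78: "registration timeout"}
UDP_HDR = struct.Struct("!HHHH")   # source port, dest port, length, checksum (RFC 768)
FIXED_LEN = 20                     # Type, Code, Lifetime, Home Address, Home Agent, Identification


def home_agent_reply(code, lifetime, home_addr, home_agent, ident, spi, key):
    """Fixed part of the Reply plus the MHAE. The HMAC-MD5 authenticator covers the
    fixed part, any preceding extensions and the MHAE's Type, Length and SPI, so
    anything appended after it is outside the authenticated region."""
    fixed = struct.pack("!BBH4s4s8s", REG_REPLY, code, lifetime, home_addr, home_agent, ident)
    mhae_head = struct.pack("!BBI", EXT_MHAE, 4 + 16, spi)   # Length = SPI + 16-byte digest
    return fixed + mhae_head + hmac.new(key, fixed + mhae_head, hashlib.md5).digest()


def udp_wrap(payload, sport=434, dport=434):
    """Registration traffic uses UDP port 434. Checksum 0 means 'none' for IPv4 UDP;
    a real stack recomputes it over the pseudo-header (left out here, assumption)."""
    return UDP_HDR.pack(sport, dport, 8 + len(payload), 0) + payload


def fa_append_error(datagram, status):
    """RFC 4636: append the 4-byte FA Error Extension and update the UDP Length."""
    if not 64 <= status <= 127:
        raise ValueError("FA Error Extension status must be in 64..127")
    sport, dport, length, _ = UDP_HDR.unpack_from(datagram)
    payload = datagram[8:length] + bytes([EXT_FA_ERROR, 2, FA_ERROR_SUBTYPE, status])
    return UDP_HDR.pack(sport, dport, 8 + len(payload), 0) + payload


def fa_overwrite_code_legacy(datagram, status):
    """Pre-RFC 4636 practice: rewrite the Code field, which invalidates the MHAE."""
    out = bytearray(datagram)
    out[8 + 1] = status           # Code is the second octet of the Reply
    return bytes(out)


def parse_extensions(payload, start=FIXED_LEN):
    """Yield (type, offset, body) for extensions with a one-byte Length field
    (MHAE and FA Error Extension; long-format extensions are not handled)."""
    off = start
    while off < len(payload):
        ext_type, length = payload[off], payload[off + 1]
        body = payload[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("truncated extension")
        yield ext_type, off, body
        off += 2 + length


def mobile_node_process(datagram, spi, key):
    """Return (authentic, code, fa_status, action) following RFC 3344 and RFC 4636."""
    _, _, length, _ = UDP_HDR.unpack_from(datagram)
    payload = datagram[8:length]
    code, authentic, fa_status = payload[1], False, None
    for ext_type, off, body in parse_extensions(payload):
        if ext_type == EXT_MHAE and not authentic:
            ext_spi = struct.unpack("!I", body[:4])[0]
            expected = hmac.new(key, payload[:off + 6], hashlib.md5).digest()
            authentic = ext_spi == spi and hmac.compare_digest(expected, body[4:])
        elif ext_type == EXT_FA_ERROR:
            if len(body) != 2 or body[0] != FA_ERROR_SUBTYPE:
                return authentic, code, None, "discard"   # malformed, non-skippable
            fa_status = body[1]
    if not authentic:
        return False, code, fa_status, "discard"          # not shown to come from the HA
    if fa_status is not None and fa_status not in FA_ERROR_STATUS:
        return True, code, fa_status, "discard"           # uninterpretable: do not use the CoA
    if code not in (0, 1):
        return True, code, fa_status, "denied"
    if fa_status is None:
        return True, code, None, "use_care_of_address"
    return True, code, fa_status, "deregister"            # HA accepted, FA will not honor it


def demo(status=68):
    """Constructed sample: HA accepts (code 0), then the FA reports `status`."""
    key, spi = bytes(range(16)), 0x100                    # sample key and SPI, not real
    reply = udp_wrap(home_agent_reply(0, 1800, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]),
                                      bytes(8), spi, key))
    return (mobile_node_process(reply, spi, key),
            mobile_node_process(fa_append_error(reply, status), spi, key),
            mobile_node_process(fa_overwrite_code_legacy(reply, status), spi, key))


if __name__ == "__main__":
    for label, r in zip(("unmodified", "RFC 4636 extension", "legacy overwrite"), demo()):
        print(f"{label:20s} authentic={r[0]} code={r[1]} fa_status={r[2]} -> {r[3]}")
```

Running the script shows the three outcomes side by side: the unmodified Reply verifies and the care-of address is usable; the Reply with the appended extension still verifies, the mobile node learns status 68 from the foreign agent and deregisters with the home agent; the legacy overwrite fails authentication, so the mobile node cannot tell whether the home agent ever answered. The optional short delay before acting on an unauthenticated denial, discussed under security considerations, is not modelled here.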
This specification reserves one number for the FA Error Extension (see section 3) from the space of numbers for non-skippable mobility extensions (i.e., 0-127) defined in the specification for Mobile IPv4 [4].
This specification also creates a new number space of sub-types for the type number of this extension. Sub-type zero is to be allocated from this number space for the protocol extension specified in this document. Similar to the procedures specified for Mobile IP [4] number spaces, future allocations from this number space require expert review [3].
The status codes that are allowable in the FA Error Extension are a subset of the status codes defined in the specification for Mobile IPv4 [4]. If, in the future, additional status codes are defined for Mobile IPv4, the definition for each new status code must indicate whether the new status code is allowable for use in the FA Error Extension.
The extension in this document improves the security features of Mobile IPv4 by allowing the mobile node to be assured of the authenticity of the information supplied by the home agent within a Registration Reply. Previously, whenever the foreign agent was required to provide status information to the mobile node, it could only do so by overwriting the Code field, destroying the ability of the mobile node to verify the Mobile-Home Authentication Extension data.
In many common cases, the mobile node will not have a security association with the foreign agent that has sent the extension. Thus, the mobile node will be unable to ascertain that the foreign agent sending the extended Registration Reply message is the same foreign agent that earlier received the associated Registration Request from the mobile node. Because of this, a malicious foreign agent could cause a mobile node to operate as if the registration had failed, when in fact its home agent and a correctly operating foreign agent had both accepted the mobile node's Registration Request. In order to reduce the vulnerability to such maliciously transmitted Registration Reply messages with the unauthenticated extension, the mobile node MAY delay processing of such denied Registration Reply messages for a short while in order to determine whether another successful Registration Reply might be received from the foreign agent.
Thanks to Kent Leung and Henrik Lefkowetz for suggested improvements to this specification.
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Glass, S. and M. Chandra, "Registration Revocation in Mobile IPv4", RFC 3543, August 2003.

[3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

[4] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002.

[5] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
Author's Address
Charles E. Perkins
Palo Alto Systems Research Lab
Nokia Research Center
975 Page Mill Road, Suite 200
Palo Alto, CA 94304-1003

Phone: +1 650-496-4402
Fax:   +1-650-739-0779
EMail: charles.perkins@nokia.com
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).