Network Working Group                                         C. Perkins
Request for Comments: 4721                         Nokia Research Center
Obsoletes: 3012                                               P. Calhoun
Updates: 3344                                        Cisco Systems, Inc.
Category: Standards Track                                    J. Bharatia
                                                         Nortel Networks
                                                            January 2007
        
Network Working Group                                         C. Perkins
Request for Comments: 4721                         Nokia Research Center
Obsoletes: 3012                                               P. Calhoun
Updates: 3344                                        Cisco Systems, Inc.
Category: Standards Track                                    J. Bharatia
                                                         Nortel Networks
                                                            January 2007
        

Mobile IPv4 Challenge/Response Extensions (Revised)

移动IPv4质询/响应扩展(修订版)

Status of This Memo

关于下段备忘

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The IETF Trust (2007).

版权所有(C)IETF信托基金(2007年)。

Abstract

摘要

Mobile IP, as originally specified, defines an authentication extension (the Mobile-Foreign Authentication extension) by which a mobile node can authenticate itself to a foreign agent. Unfortunately, that extension does not provide the foreign agent any direct guarantee that the protocol is protected from replays and does not allow for the use of existing techniques (such as Challenge Handshake Authentication Protocol (CHAP)) for authenticating portable computer devices.

最初指定的移动IP定义了一个身份验证扩展(移动外部身份验证扩展),通过该扩展,移动节点可以向外部代理进行自身身份验证。不幸的是,该扩展不向外部代理提供任何直接保证,即协议不受重放的保护,并且不允许使用现有技术(例如质询握手认证协议(CHAP))来认证便携式计算机设备。

In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/response mechanism to authenticate the mobile node.

在本规范中,我们定义了移动IP代理广告和注册请求的扩展,允许外部代理使用质询/响应机制对移动节点进行身份验证。

Furthermore, this document updates RFC 3344 by including a new authentication extension called the Mobile-Authentication, Authorization, and Accounting (AAA) Authentication extension. This new extension is provided so that a mobile node can supply credentials for authorization, using commonly available AAA infrastructure elements. This authorization-enabling extension MAY co-exist in the same Registration Request with authentication extensions defined for Mobile IP Registration by RFC 3344. This document obsoletes RFC 3012.

此外,本文档通过包括一个新的身份验证扩展名为移动身份验证、授权和计费(AAA)身份验证扩展名来更新RFC 3344。提供这个新的扩展,以便移动节点可以使用常用的AAA基础设施元素提供授权凭证。该授权启用扩展可以与RFC 3344为移动IP注册定义的认证扩展共存于同一注册请求中。本文件废除了RFC 3012。

Table of Contents

目录

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
   2. Mobile IP Agent Advertisement Challenge Extension ...............4
      2.1. Handling of Solicited Agent Advertisements .................4
   3. Operation .......................................................5
      3.1. Mobile Node Processing of Registration Requests ............5
      3.2. Foreign Agent Processing of Registration Requests ..........6
            3.2.1. Foreign Agent Algorithm for Tracking Used
                   Challenges .........................................8
      3.3. Foreign Agent Processing of Registration Replies ...........9
      3.4. Home Agent Processing of Challenge Extensions .............10
      3.5. Mobile Node Processing of Registration Replies ............11
   4. Mobile-Foreign Challenge Extension .............................11
   5. Generalized Mobile IP Authentication Extension .................12
   6. Mobile-AAA Authentication Subtype ..............................13
   7. Reserved SPIs for Mobile IP ....................................14
   8. SPIs for RADIUS AAA Servers ....................................14
   9. Configurable Parameters ........................................15
   10. Error Values ..................................................16
   11. IANA Considerations ...........................................16
   12. Security Considerations .......................................17
   13. Acknowledgements ..............................................18
   14. Normative References ..........................................18
   Appendix A. Changes since RFC 3012 ................................20
   Appendix B. Verification Infrastructure ...........................21
   Appendix C. Message Flow for FA Challenge Messaging with
               Mobile-AAA Extension ..................................22
   Appendix D. Message Flow for FA Challenge Messaging with
               MN-FA Authentication ..................................23
   Appendix E. Example Pseudo-code for Tracking Used Challenges ......24
        
   1. Introduction ....................................................2
      1.1. Terminology ................................................3
   2. Mobile IP Agent Advertisement Challenge Extension ...............4
      2.1. Handling of Solicited Agent Advertisements .................4
   3. Operation .......................................................5
      3.1. Mobile Node Processing of Registration Requests ............5
      3.2. Foreign Agent Processing of Registration Requests ..........6
            3.2.1. Foreign Agent Algorithm for Tracking Used
                   Challenges .........................................8
      3.3. Foreign Agent Processing of Registration Replies ...........9
      3.4. Home Agent Processing of Challenge Extensions .............10
      3.5. Mobile Node Processing of Registration Replies ............11
   4. Mobile-Foreign Challenge Extension .............................11
   5. Generalized Mobile IP Authentication Extension .................12
   6. Mobile-AAA Authentication Subtype ..............................13
   7. Reserved SPIs for Mobile IP ....................................14
   8. SPIs for RADIUS AAA Servers ....................................14
   9. Configurable Parameters ........................................15
   10. Error Values ..................................................16
   11. IANA Considerations ...........................................16
   12. Security Considerations .......................................17
   13. Acknowledgements ..............................................18
   14. Normative References ..........................................18
   Appendix A. Changes since RFC 3012 ................................20
   Appendix B. Verification Infrastructure ...........................21
   Appendix C. Message Flow for FA Challenge Messaging with
               Mobile-AAA Extension ..................................22
   Appendix D. Message Flow for FA Challenge Messaging with
               MN-FA Authentication ..................................23
   Appendix E. Example Pseudo-code for Tracking Used Challenges ......24
        
1. Introduction
1. 介绍

Mobile IP defines the Mobile-Foreign Authentication extension to allow a mobile node to authenticate itself to a foreign agent. Such authentication mechanisms are mostly external to the principal operation of Mobile IP, since the foreign agent can easily route packets to and from a mobile node whether or not the mobile node is reporting a legitimately owned home address to the foreign agent. Unfortunately, that extension does not provide the foreign agent any direct guarantee that the protocol is protected from replays and does not allow for the use of CHAP [RFC1994] for authenticating portable computer devices. In this specification, we define extensions for the Mobile IP Agent Advertisements and the Registration Request that allow a foreign agent to use a challenge/ response mechanism to authenticate the mobile node. Furthermore, an additional

移动IP定义移动外部身份验证扩展,以允许移动节点向外部代理进行自身身份验证。这种认证机制主要在移动IP的主要操作之外,因为无论移动节点是否向外部代理报告合法拥有的家庭地址,外部代理都可以容易地将分组路由到移动节点和从移动节点路由分组。不幸的是,该扩展没有为外部代理提供任何直接保证,即该协议不受重放的保护,并且不允许使用CHAP[RFC1994]对便携式计算机设备进行身份验证。在本规范中,我们定义了移动IP代理广告和注册请求的扩展,允许外部代理使用质询/响应机制对移动节点进行身份验证。此外,还有一个

authentication extension, the Mobile-AAA authentication extension, is provided so that a mobile node can supply credentials for authorization using commonly available AAA infrastructure elements. The foreign agent may be able to interact with an AAA infrastructure (using protocols outside the scope of this document) to obtain a secure indication that the mobile node is authorized to use the local network resources.

提供身份验证扩展,即移动AAA身份验证扩展,以便移动节点可以使用常用的AAA基础设施元素为授权提供凭据。外部代理可以与AAA基础设施交互(使用本文档范围之外的协议),以获得移动节点被授权使用本地网络资源的安全指示。

1.1. Terminology
1.1. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

This document uses the term Security Parameters Index (SPI) as defined in the base Mobile IP protocol specification [RFC3344]. All SPI values defined in this document refer to values for the SPI as defined in that specification.

本文档使用基本移动IP协议规范[RFC3344]中定义的术语安全参数索引(SPI)。本文件中定义的所有SPI值均指该规范中定义的SPI值。

The following additional terminology is used in addition to that defined in [RFC3344]:

除了[RFC3344]中定义的术语外,还使用了以下附加术语:

previously used challenge:

以前使用的挑战:

The challenge is a previously used challenge if the mobile node sent the same challenge to the foreign agent in a previous Registration Request, and if that previous Registration Request passed all validity checks performed by the foreign agent. The foreign agent may not be able to keep records for all previously used challenges, but see Section 3.2 for minimal requirements.

如果移动节点在先前的注册请求中向外部代理发送了相同的质询,并且先前的注册请求通过了外部代理执行的所有有效性检查,则质询是先前使用的质询。外国代理可能无法保存所有以前使用的挑战的记录,但最低要求见第3.2节。

security association:

保安协会:

A "mobility security association", as defined in [RFC3344].

[RFC3344]中定义的“移动安全关联”。

unknown challenge:

未知挑战:

Any challenge from a particular mobile node that the foreign agent has no record of having put either into one of its recent Agent Advertisements or into a registration reply message to that mobile node.

来自特定移动节点的任何质询,而外部代理没有将其放入其最近的代理广告之一或放入到该移动节点的注册回复消息中的记录。

unused challenge:

未使用的挑战:

A challenge that has not already been accepted by the foreign agent from the mobile node in the Registration Request, i.e., a challenge that is neither unknown nor previously used.

在注册请求中,外部代理尚未接受来自移动节点的质询,即,既非未知也非先前使用的质询。

2. Mobile IP Agent Advertisement Challenge Extension
2. 移动IP代理广告挑战扩展

This section defines a new extension to the Router Discovery Protocol [RFC1256] for use by foreign agents that need to issue a challenge for authenticating mobile nodes.

本节定义了路由器发现协议[RFC1256]的新扩展,供需要发出验证移动节点质询的外部代理使用。

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |          Challenge ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |          Challenge ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 1. The Challenge Extension

图1。挑战扩展

Type:

类型:

24

24

Length:

长度:

The length of the Challenge value in octets; SHOULD be at least 4.

挑战值的长度(以八位字节为单位);应至少为4。

Challenge:

挑战:

A random value that SHOULD be at least 32 bits.

至少应为32位的随机值。

The Challenge extension, illustrated in Figure 1, is inserted in the Agent Advertisements by the foreign agent in order to communicate a previously unused challenge value that can be used by the mobile node to compute an authentication for its next registration request message. The challenge is selected by the foreign agent to provide local assurance that the mobile node is not replaying any earlier registration request. Eastlake et al. [RFC4086] provides more information on generating pseudo-random numbers suitable for use as values for the challenge.

图1中所示的质询扩展由外部代理插入代理播发中,以便传递先前未使用的质询值,该质询值可由移动节点用于为其下一个注册请求消息计算认证。外部代理选择质询以提供本地保证,即移动节点不会重播任何先前的注册请求。Eastlake等人[RFC4086]提供了有关生成适合用作挑战值的伪随机数的更多信息。

Note that the storage of different Challenges received in Agent Advertisements from multiple foreign agents is implementation specific and hence out of scope for this specification.

请注意,在代理播发中从多个外部代理接收到的不同质询的存储是特定于实现的,因此超出了本规范的范围。

2.1. Handling of Solicited Agent Advertisements
2.1. 处理受邀代理广告

When a foreign agent generates an Agent Advertisement in response to a Router Solicitation [RFC1256], some additional considerations come into play. According to the Mobile IP base specification [RFC3344], the resulting Agent Advertisement may be either multicast or unicast.

当外部代理响应路由器请求[RFC1256]生成代理播发时,一些额外的考虑因素开始发挥作用。根据移动IP基本规范[RFC3344],产生的代理广告可以是多播或单播。

If the solicited Agent Advertisement is multicast, the foreign agent MUST NOT generate a new Challenge value and update its window of remembered advertised Challenges. It must instead re-use the most recent of the CHALLENGE_WINDOW Advertisement Challenge values (Section 9).

如果请求的代理播发是多播的,则外部代理不得生成新的质询值并更新其已记住的播发质询窗口。它必须重新使用最新的质询值(第9节)。

If the agent advertisement is unicast back to the soliciting mobile node, it MUST be handled as follows: If the challenge most recently unicast to the soliciting mobile node has not been previously used (as defined in Section 1.1), it SHOULD be repeated in the newly issued unicast agent advertisement. Otherwise, a new challenge MUST be generated and remembered as the most recent challenge issued to the mobile node. For further discussion of this, see Section 12.

如果代理播发是单播回请求移动节点,则必须按如下方式处理:如果之前未使用(如第1.1节中所定义)最近单播到请求移动节点的质询,则应在新发布的单播代理播发中重复该质询。否则,必须生成一个新的质询,并将其记为向移动节点发出的最新质询。有关这方面的进一步讨论,请参见第12节。

3. Operation
3. 活动

This section describes modifications to the Mobile IP registration process [RFC3344] that may occur after the foreign agent issues a Mobile IP Agent Advertisement containing the Challenge on its local link. See Appendix C for a diagram showing the canonical message flow for messages related to the processing of the foreign agent challenge values.

本节描述对移动IP注册过程[RFC3344]的修改,这些修改可能发生在外部代理在其本地链路上发布包含质询的移动IP代理公告之后。有关与外部代理质询值处理相关的消息的规范消息流的图表,请参见附录C。

3.1. Mobile Node Processing of Registration Requests
3.1. 移动节点处理注册请求

Retransmission behavior for Registration Requests is identical to that specified in Mobile IP specification [RFC3344]. A retransmitted Registration Request MAY use the same Challenge value as given in the original Registration Request.

注册请求的重传行为与移动IP规范[RFC3344]中规定的相同。重新传输的注册请求可以使用与原始注册请求中给定的相同质询值。

Whenever the Agent Advertisement contains the Challenge extension, if the mobile node does not have a security association with the foreign agent, then it MUST include the Challenge value in a Mobile-Foreign Challenge extension to the Registration Request message. If, on the other hand, the mobile node does have a security association with the foreign agent, it SHOULD include the Challenge value in its Registration Request message.

每当代理播发包含质询扩展时,如果移动节点与外部代理没有安全关联,则它必须在注册请求消息的移动外部质询扩展中包括质询值。另一方面,如果移动节点确实与外部代理具有安全关联,则它应该在其注册请求消息中包括质询值。

If the mobile node has a security association with the Foreign Agent, it MUST include a Mobile-Foreign Authentication extension in its Registration Request message, according to the base Mobile IP specification [RFC3344]. When the Registration Request contains the Mobile-Foreign Challenge extension specified in Section 4, the Mobile-Foreign Authentication MUST follow the Challenge extension in the Registration Request. The mobile node MAY also include the Mobile-AAA Authentication extension.

如果移动节点与外部代理具有安全关联,则根据基本移动IP规范[RFC3344],它必须在其注册请求消息中包含移动外部身份验证扩展。当注册请求包含第4节中指定的移动外部质询扩展时,移动外部认证必须遵循注册请求中的质询扩展。移动节点还可以包括移动AAA认证扩展。

If both the Mobile-Foreign Authentication and the Mobile-AAA Authentication extensions are present, the Mobile-Foreign Challenge extension MUST precede the Mobile-AAA Authentication extension, and the Mobile-AAA Authentication extension MUST precede the Mobile-Foreign Authentication extension.

如果同时存在移动外部身份验证和移动AAA身份验证扩展,则移动外部质询扩展必须位于移动AAA身份验证扩展之前,并且移动AAA身份验证扩展必须位于移动外部身份验证扩展之前。

If the mobile node does not have a security association with the foreign agent, the mobile node MUST include the Mobile-AAA Authentication extension as, defined in Section 6, when it includes the Mobile-Foreign Challenge extension. In addition, the mobile node SHOULD include the NAI extension [RFC2794] to enable the foreign agent to make use of available verification infrastructure that requires this. The SPI field of the Mobile-AAA Authentication extension specifies the particular secret and algorithm (shared between the mobile node and the verification infrastructure) that must be used to perform the authentication. If the SPI value is chosen as CHAP_SPI (see Section 9), then the mobile node specifies CHAP-style authentication [RFC1994] using MD5 [RFC1321].

当移动代理与外部身份验证部分6中定义的移动代理不包括外部身份验证时,移动代理必须包括外部身份验证部分。此外,移动节点应包括NAI扩展[RFC2794],以使外部代理能够利用需要此功能的可用验证基础设施。移动AAA身份验证扩展的SPI字段指定必须用于执行身份验证的特定秘密和算法(在移动节点和验证基础设施之间共享)。如果选择SPI值作为CHAP_SPI(参见第9节),则移动节点使用MD5[RFC1321]指定CHAP样式的身份验证[RFC1994]。

In either case, the Mobile-Foreign Challenge extension followed by one of the above specified authentication extensions MUST follow the Mobile-Home Authentication extension, if present.

在任何一种情况下,移动外部质询扩展(后跟上述指定的身份验证扩展之一)必须后跟移动家庭身份验证扩展(如果存在)。

A mobile node MAY include the Mobile-AAA Authentication extension in the Registration Request when the mobile node registers directly with its home agent (using a co-located care-of address). In this case, the mobile node uses an SPI value of CHAP_SPI (Section 8) in the Mobile Node-Authentication, Authorization, and Accounting (MN-AAA) Authentication extension and MUST NOT include the Mobile-Foreign Challenge extension. Also, replay protection for the Registration Request in this case is provided by the Identification field defined by [RFC3344].

当移动节点直接向其归属代理注册(使用共同定位的转交地址)时,移动节点可以在注册请求中包括移动AAA认证扩展。在这种情况下,移动节点在移动节点认证、授权和计费(MN-AAA)认证扩展中使用CHAP_SPI(第8节)的SPI值,并且不得包括移动外部质询扩展。此外,在这种情况下,注册请求的重播保护由[RFC3344]定义的标识字段提供。

3.2. Foreign Agent Processing of Registration Requests
3.2. 外国代理处理注册申请

Upon receipt of the Registration Request, if the foreign agent has issued a Challenge as part of its Agent Advertisements, and if it does not have a security association with the mobile node, then the foreign agent SHOULD check that the Mobile-Foreign Challenge extension exists, and that it contains a challenge value previously unused by the mobile node. This ensures that the mobile node is not attempting to replay a previous advertisement and authentication. In this case, if the Registration Request does not include a Challenge extension, the foreign agent MUST send a Registration Reply with the Code field set to missing_challenge.

在收到注册请求后,如果外部代理已发出质询作为其代理广告的一部分,并且如果其与移动节点没有安全关联,则外部代理应检查移动外部质询扩展是否存在,并且它包含移动节点先前未使用的质询值。这确保了移动节点不会试图重播以前的广告和身份验证。在这种情况下,如果注册请求不包括质询扩展,则外国代理必须发送一个注册回复,代码字段设置为missing_Challenge。

If a mobile node retransmits a Registration Request with the same Challenge extension, and if the foreign agent still has a pending Registration Request record in effect for the mobile node, then the foreign agent forwards the Registration Request to the Home Agent again. The foreign agent SHOULD check that the mobile node is actually performing a retransmission, by verifying that the relevant fields of the retransmitted request (including, if present, the mobile node NAI extension [RFC2794]) are the same as represented in the visitor list entry for the pending Registration Request (Section 3.7.1 of [RFC3344]). This verification MUST NOT include the "remaining Lifetime of the pending registration" or the Identification field, since those values are likely to change even for requests that are merely retransmissions and not new Registration Requests. In all other circumstances, if the foreign agent receives a Registration Request with a Challenge extension containing a Challenge value previously used by that mobile node, the foreign agent SHOULD send a Registration Reply to the mobile node, containing the Code value stale_challenge.

如果移动节点重新传输具有相同质询扩展的注册请求,并且如果外部代理仍然具有对移动节点有效的挂起注册请求记录,则外部代理再次将注册请求转发给归属代理。外部代理应通过验证重传请求的相关字段(包括,如果存在,移动节点NAI扩展[RFC2794])与待决注册请求的访客列表条目(RFC3344]第3.7.1节)中表示的相同,检查移动节点是否实际在执行重传。该验证不得包括“待决注册的剩余生命周期”或标识字段,因为这些值可能会更改,即使对于仅为重新传输而非新注册请求的请求也是如此。在所有其他情况下,如果外部代理接收到具有质询扩展的注册请求,该质询扩展包含该移动节点先前使用的质询值,则外部代理应向移动节点发送包含代码值stale_Challenge的注册回复。

The foreign agent MUST NOT accept any Challenge in the Registration Request unless it was offered in the last Registration Reply or unicast Agent Advertisement sent to the mobile node or advertised as one of the last CHALLENGE_WINDOW (see Section 9) Challenge values inserted into the immediately preceding Agent Advertisements. If the Challenge is not one of the recently advertised values, the foreign Agent SHOULD send a Registration Reply with Code value unknown_challenge (see Section 10). The foreign agent MUST maintain the last challenge used by each mobile node that has registered using any one of the last CHALLENGE_WINDOW challenge values. This last challenge value can be stored as part of the mobile node's registration records. Also, see Section 3.2.1 for a possible algorithm that can be used to satisfy this requirement.

外部代理不得接受注册请求中的任何质询,除非该质询是在发送到移动节点的最后一次注册回复或单播代理广告中提供的,或作为插入前一次代理广告中的最后质询_窗口(见第9节)质询值之一进行广告。如果质询不是最近公布的值之一,则外国代理应发送一份带有代码值unknown_质询的注册回复(见第10节)。外部代理必须维护每个移动节点使用的最后一个质询,该移动节点已使用最后一个质询_窗口质询值中的任何一个进行注册。最后一个质询值可以存储为移动节点注册记录的一部分。此外,有关可用于满足该要求的可能算法,请参见第3.2.1节。

Furthermore, the foreign agent MUST check that there is either a Mobile-Foreign or a Mobile-AAA Authentication extension after the Challenge extension. Any registration message containing the Challenge extension without either of these authentication extensions MUST be silently discarded. If the registration message contains a Mobile-Foreign Authentication extension with an incorrect authenticator that fails verification, the foreign agent MAY send a Registration Reply to the mobile node with Code value mobile node failed authentication (see Section 10).

此外,外部代理必须检查在质询扩展之后是否存在移动外部或移动AAA认证扩展。任何包含质询扩展但没有这些身份验证扩展的注册消息都必须以静默方式丢弃。如果注册消息包含一个移动外部认证扩展,该扩展具有一个不正确的认证器,该认证器未通过验证,则外部代理可以向移动节点发送一个注册回复,代码值为Mobile node failed Authentication(参见第10节)。

If the Mobile-AAA Authentication extension (see Section 6) is present in the message, or if a Network Access Identifier (NAI) extension is included indicating that the mobile node belongs to a different administrative domain, the foreign agent may take actions outside the scope of this protocol specification to carry out the authentication

如果消息中存在移动AAA认证扩展(参见第6节),或者如果包括网络接入标识符(NAI)扩展,指示移动节点属于不同的管理域,则外部代理可以采取本协议规范范围之外的操作来执行认证

of the mobile node. If the registration message contains a Mobile-AAA Authentication extension with an incorrect authenticator that fails verification, the foreign agent MAY send a Registration Reply to the mobile node with Code value fa_bad_aaa_auth. If the Mobile-AAA Authentication extension is present in the Registration Request, the foreign agent MUST NOT remove the Mobile-AAA Authentication extension and the Mobile-Foreign Challenge extension from the Registration Request before forwarding to the home agent. Appendix C provides an example of an action that could be taken by a foreign agent.

移动节点的安全性。如果注册消息包含移动AAA认证扩展,且认证器不正确,验证失败,则外部代理可以使用代码值fa_bad_AAA_auth向移动节点发送注册回复。如果注册请求中存在移动AAA认证扩展,则外部代理在转发到归属代理之前,不得从注册请求中删除移动AAA认证扩展和移动外部质询扩展。附录C提供了外国代理可以采取的行动的示例。

In the event that the Challenge extension is authenticated through the Mobile-Foreign Authentication extension and the Mobile-AAA Authentication extension is not present, the foreign agent MAY remove the Challenge extension from the Registration Request without disturbing the authentication value used for the computation. If the Mobile-AAA Authentication extension is present and a security association exists between the foreign agent and the home agent, the Mobile-Foreign Challenge extension and the Mobile-AAA Authentication extension MUST precede the Foreign-Home Authentication extension.

在通过移动外部认证扩展对质询扩展进行认证并且移动AAA认证扩展不存在的情况下,外部代理可以在不干扰用于计算的认证值的情况下从注册请求中移除质询扩展。如果存在移动AAA身份验证扩展,并且外部代理和归属代理之间存在安全关联,则移动外部质询扩展和移动AAA身份验证扩展必须位于外部归属身份验证扩展之前。

If the foreign agent does remove the Challenge extension and applicable authentication from the Registration Request message, then it SHOULD store the Identification field from the Registration Request message as part of its record-keeping information about the particular mobile node in order to protect against replays.

如果外部代理确实从注册请求消息中删除了质询扩展和适用的身份验证,那么它应该将注册请求消息中的标识字段存储为其关于特定移动节点的记录保存信息的一部分,以防止重播。

3.2.1. Foreign Agent Algorithm for Tracking Used Challenges
3.2.1. 用于跟踪已用挑战的外来代理算法

If the foreign agent maintains a large CHALLENGE_WINDOW, it becomes more important for scalability purposes to compare incoming challenges efficiently against the set of Challenge values that have been advertised recently. This can be done by keeping the Challenge values in order of advertisement, and by making use of the mandated behavior that mobile nodes MUST NOT use Challenge values that were advertised before the last advertised Challenge value that the mobile node attempted to use. The pseudo-code in Appendix E accomplishes this objective. The maximum amount of total storage required by this algorithm is equal to Size*(CHALLENGE_WINDOW + (2*N)), where N is the current number of mobile nodes for which the foreign agent is storing challenge values. Note that whenever the stored challenge value is no longer in the CHALLENGE_WINDOW, it can be deleted from the foreign agent's records, perhaps along with all other registration information for the mobile node if it is no longer registered.

如果外部代理维护一个较大的质询_窗口,则为了可伸缩性目的,更重要的是将传入的质询与最近公布的质询值集进行有效比较。这可以通过保持质询值按播发顺序来实现,并通过使用强制行为来实现,即移动节点不得使用在移动节点尝试使用的最后一次播发质询值之前播发的质询值。附录E中的伪代码实现了这一目标。此算法所需的最大总存储量等于Size*(CHALLENGE_WINDOW+(2*N)),其中N是外部代理正在为其存储质询值的移动节点的当前数量。请注意,只要存储的质询值不再在质询_窗口中,就可以将其从外部代理的记录中删除,如果移动节点不再注册,可能还会将其与所有其他注册信息一起删除。

It is presumed that the foreign agent keeps an array of advertised Challenges, a record of the last advertised challenge used by a mobile node, and also a record of the last challenge provided to a mobile node in a Registration Reply or unicast Agent Advertisement.

假定外部代理保留播发质询的阵列、移动节点使用的最后播发质询的记录,以及在注册应答或单播代理播发中提供给移动节点的最后质询的记录。

To meet the security obligations outlined in Section 12, the foreign agent SHOULD use one of the already stored, previously unused challenges when responding to an unauthenticated Registration Request or Agent Solicitation. If none of the already stored challenges are previously unused, the foreign agent SHOULD generate a new challenge, include it in the response, and store it in the per-Mobile data structure.

为了履行第12节中概述的安全义务,外国代理在响应未经验证的注册请求或代理请求时,应使用已存储的、以前未使用的挑战之一。如果先前未使用任何已存储的质询,则外部代理应生成新质询,将其包含在响应中,并将其存储在每个移动数据结构中。

3.3. Foreign Agent Processing of Registration Replies
3.3. 外国代理处理注册回复

The foreign agent SHOULD include a new Mobile-Foreign Challenge extension in any Registration Reply, successful or not. If the foreign agent includes this extension in a successful Registration Reply, the extension SHOULD precede a Mobile-Foreign authentication extension if present. Suppose that the Registration Reply includes a Challenge extension from the home agent, and that the foreign agent wishes to include another Challenge extension with the Registration Reply for use by the mobile node. In that case, the foreign agent MUST delete the Challenge extension from the home agent from the Registration Reply, along with any Foreign-Home authentication extension, before appending the new Challenge extension to the Registration Reply.

外国代理应在任何注册回复中包括新的移动外国挑战扩展,无论成功与否。如果外部代理在成功注册回复中包含此扩展,则该扩展应先于移动外部身份验证扩展(如果存在)。假设注册应答包括来自归属代理的质询扩展,并且外部代理希望将另一质询扩展与注册应答一起包括以供移动节点使用。在这种情况下,在将新的质询扩展添加到注册回复之前,外国代理必须从注册回复中删除来自本国代理的质询扩展以及任何外国本国身份验证扩展。

One example of a situation where the foreign agent MAY omit the inclusion of a Mobile-Foreign Challenge extension in the Registration Reply would be when a new challenge has been multicast recently.

当最近多播了新的质询时,外部代理可以省略在注册应答中包括移动外部质询扩展的情况的一个示例。

If a foreign agent has conditions in which it omits the inclusion of a Mobile-Foreign Challenge extension in the Registration Reply, it still MUST respond with an agent advertisement containing a previously unused challenge in response to a subsequent agent solicitation from the same mobile node. Otherwise (when the said conditions are not met), the foreign agent MUST include a previously unused challenge in any Registration Reply, successful or not.

如果外部代理具有在注册回复中省略包含移动外部质询扩展的条件,则其仍然必须使用包含先前未使用的质询的代理广告来响应来自同一移动节点的后续代理请求。否则(当不满足上述条件时),外国代理必须在任何注册回复中包括以前未使用的质询,无论是否成功。

If the foreign agent does not remove the Challenge extension from the Registration Request received from the mobile node, then the foreign agent SHOULD store the Challenge value as part of the pending registration request list [RFC3344]. Also, if the Registration Reply coming from the home agent does not include the Challenge extension, the foreign agent SHOULD NOT reject the registration request. If the Challenge extension is present in the Registration Reply, it MUST be the same Challenge value that was included in the Registration Reply

如果外部代理未从从移动节点接收的注册请求中删除质询扩展,则外部代理应将质询值存储为挂起注册请求列表的一部分[RFC3344]。此外,如果来自本国代理的注册回复不包括质询扩展,则外国代理不应拒绝注册请求。如果注册回复中存在质询扩展,则该质询扩展必须与注册回复中包含的质询值相同

received from the home agent, the foreign agent MUST insert a Foreign Agent (FA) Error extension with Status value ha_wrong_challenge in the Registration Reply sent to the mobile node (see Section 10).

从归属代理接收,外部代理必须在发送到移动节点的注册回复中插入状态值为ha_Error_challenge的外部代理(FA)错误扩展(参见第10节)。

A mobile node MUST be prepared to use a challenge from a unicast or multicast Agent Advertisement in lieu of one returned in a Registration Reply, and it MUST solicit for one if it has not already received one either in a Registration Reply or a recent advertisement.

移动节点必须准备好使用来自单播或多播代理播发的质询来代替注册回复中返回的质询,并且如果它尚未在注册回复或最近的播发中接收到质询,则必须请求质询。

If the foreign agent receives a Registration Reply with the Code value ha_bad_aaa_auth, the Registration Reply with this Code value MUST be relayed to the mobile node. In this document, whenever the foreign agent is required to reject a Registration Request, it MUST put the given code in the usual Code field of the Registration Reply, unless the Registration Reply has already been received from the home agent. In this case, the foreign agent MUST preserve the value of the Code field set by the home agent and MUST put its own rejection code in the Status field of the FA Error extension (defined in [RFC4636]).

如果外部代理接收到代码值为ha_bad_aaa_auth的注册回复,则必须将该代码值的注册回复中继到移动节点。在本文件中,当要求外国代理拒绝注册请求时,必须将给定代码放入注册回复的常用代码字段中,除非已从本国代理收到注册回复。在这种情况下,外国代理必须保留本国代理设置的代码字段的值,并且必须将其自己的拒绝代码放在FA错误扩展的状态字段中(在[RFC4636]中定义)。

3.4. Home Agent Processing of Challenge Extensions
3.4. 挑战扩展的归属代理处理

If the home agent receives a Registration Request with the Mobile-Foreign Challenge extension and recognizes the extension, the home agent MUST include the Challenge extension in the Registration Reply. The Challenge extension MUST be placed after the Mobile-Home authentication extension, and the extension SHOULD be authenticated by a Foreign-Home Authentication extension.

如果归属代理收到移动外部质询分机的注册请求并识别该分机,则归属代理必须在注册回复中包含质询分机。质询扩展必须放在移动家庭身份验证扩展之后,并且该扩展应该由外部家庭身份验证扩展进行身份验证。

The home agent may receive a Registration Request with the Mobile-AAA Authentication extension. If the Mobile-AAA Authentication extension is used by the home agent as an authorization-enabling extension and the verification fails due to an incorrect authenticator, the home agent MAY reject the Registration Reply with the error code ha_bad_aaa_auth.

归属代理可以接收具有移动AAA认证扩展的注册请求。如果归属代理将移动AAA身份验证扩展用作授权启用扩展,并且由于不正确的身份验证者而导致验证失败,则归属代理可能会拒绝错误代码为ha_bad_AAA_auth的注册回复。

Since the extension type for the Challenge extension is within the range 128-255, the home agent MUST process such a Registration Request even if it does not recognize the Challenge extension [RFC3344]. In this case, the home agent will send a Registration Reply to the foreign agent that does not include the Challenge extension.

由于质询扩展的扩展类型在128-255范围内,因此归属代理必须处理此类注册请求,即使它不识别质询扩展[RFC3344]。在这种情况下,本国代理将向不包括质询扩展的外国代理发送注册回复。

3.5. Mobile Node Processing of Registration Replies
3.5. 移动节点处理注册回复

A mobile node might receive the error code in the Registration Reply from the foreign agent as a response to the Registration Request. The error codes are defined in Section 10.

移动节点可能会从外部代理接收注册回复中的错误代码,作为对注册请求的响应。第10节定义了错误代码。

In any case, if the mobile node attempts to register again after such an error, it MUST use a new Challenge value in such a registration, obtained either from an Agent Advertisement, or from a Challenge extension to the Registration Reply containing the error.

在任何情况下,如果移动节点在这样的错误之后尝试再次注册,则它必须在这样的注册中使用新的质询值,该质询值可以从代理广告或从包含该错误的注册应答的质询扩展中获得。

In the co-located care-of address mode, the mobile node receives a Registration Reply without the Challenge extension and processes the Registration Reply as specified in [RFC3344]. In this case, when the mobile node includes the MN-AAA Authentication Extension, the Challenge value 0 is recommended for the authenticator computation mentioned in Section 8.

在同处转交地址模式中,移动节点接收不带质询扩展的注册回复,并按照[RFC3344]中的规定处理注册回复。在这种情况下,当移动节点包括MN-AAA认证扩展时,建议质询值0用于第8节中提到的认证器计算。

4. Mobile-Foreign Challenge Extension
4. 移动国外挑战扩展

This section specifies a new Mobile IP Registration extension that is used to satisfy a Challenge in an Agent Advertisement. The Challenge extension to the Registration Request message is used to indicate the challenge that the mobile node is attempting to satisfy.

本节指定一个新的移动IP注册扩展,用于满足代理广告中的质询。注册请求消息的质询扩展用于指示移动节点正试图满足的质询。

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |          Challenge ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |          Challenge ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 2. The Mobile-Foreign Challenge Extension

图2。移动国外挑战扩展

Type:

类型:

132 (skippable). (See [RFC3344]).

132(可跳过)。(见[RFC3344])。

Length:

长度:

Length of the Challenge value.

挑战值的长度。

Challenge:

挑战:

The Challenge field is copied from the Challenge field found in the received Challenge extension.

挑战字段是从收到的挑战扩展中找到的挑战字段复制而来的。

Suppose that the mobile node has successfully registered using one of the Challenge Values within the CHALLENGE_WINDOW values advertised by

假设移动节点已成功注册,使用的是

the foreign agent. In that case, in any new Registration Request the mobile node MUST NOT use any Challenge Value that was advertised by the foreign agent before the Challenge Value in the mobile node's last Registration Request.

外国特工。在这种情况下,在任何新的注册请求中,移动节点不得使用在移动节点的上次注册请求中的质询值之前由外部代理播发的任何质询值。

5. Generalized Mobile IP Authentication Extension
5. 广义移动IP认证扩展

Several new authentication extensions have been designed for various control messages proposed for extensions to Mobile IP. A new authentication extension is required for a mobile node to present its credentials to any other entity other than the ones already defined; the only entities defined in the base Mobile IP specification [RFC3344] are the home agent and the foreign agent. The purpose of the generalized authentication extension defined here is to collect together data for all such new authentication applications into a single extension type with subtypes.

针对移动IP扩展中提出的各种控制消息,设计了几种新的身份验证扩展。移动节点需要一个新的身份验证扩展来向除已定义的实体之外的任何其他实体提供其凭证;基本移动IP规范[RFC3344]中定义的唯一实体是本地代理和外部代理。此处定义的通用身份验证扩展的目的是将所有此类新身份验证应用程序的数据收集到一个具有子类型的扩展类型中。

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Subtype    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                              SPI                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Authenticator ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Subtype    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                              SPI                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Authenticator ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 3. The Generalized Mobile IP Authentication Extension

图3。广义移动IP认证扩展

Type:

类型:

36 (not skippable). (See [RFC3344]).

36(不可跳过)。(见[RFC3344])。

Subtype:

子类型:

A number assigned to identify the kind of endpoints or other characteristics of the particular authentication strategy.

分配用于标识端点类型或特定身份验证策略的其他特征的数字。

Length:

长度:

4 plus the number of octets in the Authenticator; MUST be at least 20.

4加上验证器中的八位字节数;必须至少20岁。

SPI:

SPI:

Security Parameters Index

安全参数索引

Authenticator:

验证者:

The variable length Authenticator field

可变长度验证器字段

In this document, only one subtype is defined:

在本文档中,仅定义了一个子类型:

1 Mobile-AAA Authentication subtype (Hashed Message Authentication Code-MD5 (HMAC-MD5)) (see Section 6).

1移动AAA认证子类型(哈希消息认证码-MD5(HMAC-MD5))(参见第6节)。

6. Mobile-AAA Authentication Subtype
6. 移动AAA认证子类型

The Generalized Authentication extension with subtype 1 will be referred to as a Mobile-AAA Authentication extension. The mobile node MAY include a Mobile-AAA Authentication extension in any Registration Request. This extension MAY co-exist in the same Registration Request with Authentication extensions defined for Mobile IP Registration ([RFC3344]). If the mobile node does not include a Mobile-Foreign Authentication extension, then it MUST include the Mobile-AAA Authentication extension whenever the Challenge extension is present. If both are present, the Mobile-AAA Authentication extension MUST precede the Mobile-Foreign Authentication extension.

子类型为1的通用身份验证扩展称为移动AAA身份验证扩展。移动节点可以在任何注册请求中包括移动AAA认证扩展。此扩展可能与为移动IP注册定义的身份验证扩展共存于同一注册请求中([RFC3344])。如果移动节点不包括移动外部认证扩展,则无论何时存在质询扩展,它都必须包括移动AAA认证扩展。如果两者都存在,则移动AAA身份验证扩展必须位于移动外部身份验证扩展之前。

If the Mobile-AAA Authentication extension is present, the Mobile-Home Authentication extension MUST appear prior to the Mobile-AAA Authentication extension. The corresponding response MUST include the Mobile-Home Authentication extension and MUST NOT include the Mobile-AAA Authentication extension.

如果存在移动AAA认证扩展,则移动家庭认证扩展必须出现在移动AAA认证扩展之前。相应的响应必须包括移动家庭身份验证扩展,且不得包括移动AAA身份验证扩展。

The default algorithm for computation of the authenticator is HMAC-MD5 [RFC2104] computed on the following data, in the order shown:

验证器计算的默认算法是HMAC-MD5[RFC2104],根据以下数据按所示顺序计算:

Preceding Mobile IP data || Type, Subtype, Length, SPI

前面的移动IP数据| |类型、子类型、长度、SPI

where the Type, Length, Subtype, and SPI are as shown in Section 5. The Preceding Mobile IP data refers to the UDP payload (the Registration Request or Registration Reply data) and all prior extensions in their entirety. The resulting function call, as described in [RFC2104], would be:

其中类型、长度、子类型和SPI如第5节所示。前面的移动IP数据指的是UDP有效负载(注册请求或注册回复数据)以及所有先前的扩展。如[RFC2104]所述,产生的函数调用将是:

hmac_md5(data, datalen, Key, KeyLength, authenticator);

hmac_md5(数据、数据长度、密钥、密钥长度、验证器);

Each mobile node MUST support the ability to produce the authenticator by using HMAC-MD5 as shown. Just as with Mobile IP, it must be possible to configure the use of any arbitrary 32-bit SPI outside of the SPIs in the reserved range 0-255 for selection of this default algorithm.

每个移动节点都必须支持使用HMAC-MD5生成验证器的能力,如图所示。与移动IP一样,必须能够配置使用保留范围0-255内SPI之外的任意32位SPI来选择此默认算法。

7. Reserved SPIs for Mobile IP
7. 移动IP的保留SPI

Mobile IP defines several authentication extensions for use in Registration Requests and Replies. Each authentication extension carries a Security Parameters Index (SPI) that should be used to index a table of security associations. Values in the range 0-255 are reserved for special use. A list of reserved SPI numbers is to be maintained by IANA at the following URL:

移动IP定义了几个用于注册请求和回复的身份验证扩展。每个身份验证扩展都带有一个安全参数索引(SPI),该索引应用于索引安全关联表。0-255范围内的值保留用于特殊用途。IANA将在以下URL维护保留SPI编号列表:

      http://www.iana.org/assignments/mobileip-numbers
        
      http://www.iana.org/assignments/mobileip-numbers
        
8. SPIs for RADIUS AAA Servers
8. RADIUS AAA服务器的SPI

Some AAA servers only admit a single security association and thus do not use the SPI numbers for Mobile IP authentication extensions for use when determining the security association that would be necessary for verifying the authentication information included with the Authentication extension.

一些AAA服务器仅允许单个安全关联,因此在确定验证包含在认证扩展中的认证信息所需的安全关联时,不使用移动IP认证扩展的SPI号码。

SPI number CHAP_SPI (see Section 9) is reserved for indicating the following procedure for computing authentication data (called the "authenticator"), which is used by many RADIUS servers [RFC2865] today.

SPI编号CHAP_SPI(见第9节)用于指示以下计算身份验证数据的过程(称为“身份验证程序”),目前许多RADIUS服务器[RFC2865]都在使用该程序。

To compute the authenticator, apply MD5 [RFC1321] computed on the following data, in the order shown:

要计算验证器,请按所示顺序应用根据以下数据计算的MD5[RFC1321]:

High-order octet from Challenge || Key ||

来自挑战| |键的高阶八位组||

MD5(Preceding Mobile IP data ||

MD5(先前的移动IP数据)||

Type, Subtype (if present), Length, SPI) ||

类型、子类型(如果存在)、长度、SPI)||

Least-order 237 octets from Challenge

挑战中最少订购237个八位字节

where Type, Length, SPI, and possibly Subtype are the fields of the authentication extension in use. For instance, all four of these fields would be in use when SPI == CHAP_SPI is used with the Generalized Authentication extension. In case of co-located care-of address, the Challenge value 0 is used (refer to Section 3.5). Since the RADIUS protocol cannot carry attributes of length greater than 253, the preceding Mobile IP data, type, subtype (if present), length, and SPI are hashed using MD5. Finally, the least significant 237 octets of the challenge are concatenated. If the challenge has fewer than 238 octets, this algorithm includes the high-order octet in the computation twice but ensures that the challenge is used

其中,Type、Length、SPI和可能的Subtype是正在使用的身份验证扩展的字段。例如,当SPI==CHAP_SPI与通用身份验证扩展一起使用时,将使用这四个字段。如果是同一位置的转交地址,则使用质询值0(参考第3.5节)。由于RADIUS协议不能携带长度大于253的属性,因此前面的移动IP数据、类型、子类型(如果存在)、长度和SPI使用MD5散列。最后,将挑战中最不重要的237个八位字节串联起来。如果质询少于238个八位元,则该算法在计算中包含高阶八位元两次,但确保使用质询

exactly as is. Additional padding is never used to increase the length of the challenge; the input data is allowed to be shorter than 237 octets long.

一模一样。不使用额外的填充来增加挑战的长度;输入数据长度允许小于237个八位字节。

9. Configurable Parameters
9. 可配置参数

Every Mobile IP agent supporting the extensions defined in this document SHOULD be able to configure each parameter in the following table. Each table entry contains the name of the parameter, the default value, and the section of the document in which the parameter first appears.

支持本文档中定义的扩展的每个移动IP代理都应该能够配置下表中的每个参数。每个表条目都包含参数的名称、默认值以及参数首次出现的文档部分。

      +------------------+---------------+---------------------+
      | Parameter Name   | Default Value | Section of Document |
      +------------------+---------------+---------------------+
      | CHALLENGE_WINDOW | 2             | 3.2                 |
      |                  |               |                     |
      | CHAP_SPI         | 2             | 8                   |
      +------------------+---------------+---------------------+
        
      +------------------+---------------+---------------------+
      | Parameter Name   | Default Value | Section of Document |
      +------------------+---------------+---------------------+
      | CHALLENGE_WINDOW | 2             | 3.2                 |
      |                  |               |                     |
      | CHAP_SPI         | 2             | 8                   |
      +------------------+---------------+---------------------+
        

Table 1. Configurable Parameters

表1。可配置参数

Note that CHALLENGE_WINDOW SHOULD be at least 2. This makes it far less likely that mobile nodes will register using a Challenge value that is outside the set of values allowable by the foreign agent.

挑战窗口至少应该是u。这使得移动节点使用质询值注册的可能性大大降低,质询值超出了外部代理允许的值集。

10. Error Values
10. 错误值

Each entry in the following table contains the name of the Code [RFC3344] to be returned in a Registration Reply, the value for the Code, and the section in which the error is mentioned in this specification.

下表中的每个条目都包含注册回复中要返回的代码[RFC3344]的名称、代码的值以及本规范中提到错误的部分。

      +--------------------+-------+--------------------------+
      | Error Name         | Value | Section of Document      |
      +--------------------+-------+--------------------------+
      | unknown_challenge  | 104   | 3.2                      |
      |                    |       |                          |
      | mobile node failed | 67    | 3.2; also see [RFC3344]  |
      | authentication     |       |                          |
      |                    |       |                          |
      | missing_challenge  | 105   | 3.1, 3.2                 |
      |                    |       |                          |
      | stale_challenge    | 106   | 3.2                      |
      |                    |       |                          |
      | fa_bad_aaa_auth    | 108   | 3.2                      |
      |                    |       |                          |
      | ha_bad_aaa_auth    | 144   | 3.4                      |
      |                    |       |                          |
      | ha_wrong_challenge | 109   | 3.2                      |
      +--------------------+-------+--------------------------+
        
      +--------------------+-------+--------------------------+
      | Error Name         | Value | Section of Document      |
      +--------------------+-------+--------------------------+
      | unknown_challenge  | 104   | 3.2                      |
      |                    |       |                          |
      | mobile node failed | 67    | 3.2; also see [RFC3344]  |
      | authentication     |       |                          |
      |                    |       |                          |
      | missing_challenge  | 105   | 3.1, 3.2                 |
      |                    |       |                          |
      | stale_challenge    | 106   | 3.2                      |
      |                    |       |                          |
      | fa_bad_aaa_auth    | 108   | 3.2                      |
      |                    |       |                          |
      | ha_bad_aaa_auth    | 144   | 3.4                      |
      |                    |       |                          |
      | ha_wrong_challenge | 109   | 3.2                      |
      +--------------------+-------+--------------------------+
        

Table 2. Error Values

表2。错误值

11. IANA Considerations
11. IANA考虑

The following are currently assigned by IANA for RFC 3012 [RFC3012] and are applicable to this document. IANA has recorded these values as part of this document.

IANA目前为RFC 3012[RFC3012]分配了以下内容,适用于本文件。IANA已将这些值记录为本文件的一部分。

The Generalized Mobile IP Authentication extension defined in Section 5 is a Mobile IP registration extension. IANA has assigned a value of 36 for this extension.

第5节中定义的通用移动IP认证扩展是移动IP注册扩展。IANA为此扩展指定了36的值。

A new number space is to be created for enumerating subtypes of the Generalized Authentication extension (see Section 5). New subtypes of the Generalized Authentication extension, other than the number (1) for the MN-AAA authentication extension specified in Section 6, must be specified and approved by a designated expert.

将创建一个新的数字空间,用于枚举通用身份验证扩展的子类型(请参见第5节)。通用认证扩展的新子类型(第6节中规定的MN-AAA认证扩展的编号(1))必须由指定专家指定和批准。

The Mobile Node - Foreign Agent (MN-FA) Challenge extension, defined in Section 4, is a router advertisement extension as defined in RFC 1256 [RFC1256] and extended in RFC 3344 [RFC3344]. IANA has assigned a value of 132 for this purpose.

第4节中定义的移动节点-外部代理(MN-FA)质询扩展是RFC 1256[RFC1256]中定义并在RFC 3344[RFC3344]中扩展的路由器播发扩展。IANA为此指定了一个值132。

The Code values defined in Section 10 are error codes as defined in RFC 3344 ([RFC3344]). They correspond to error values conventionally associated with rejection by the foreign agent (i.e., values from the range 64-127). The Code value 67 is a pre-existing value that is to be used in some cases with the extension defined in this specification. IANA has recorded the values as defined in Section 10.

第10节中定义的代码值是RFC 3344([RFC3344])中定义的错误代码。它们对应于通常与外国代理拒绝相关的错误值(即,范围64-127的值)。代码值67是预先存在的值,在某些情况下将与本规范中定义的扩展一起使用。IANA已记录了第10节中定义的值。

A new section for enumerating algorithms identified by specific SPIs within the range 0-255 has been added by IANA. The CHAP_SPI number (2) discussed in Section 8 is assigned from this range of reserved SPI numbers. New assignments from this reserved range must be specified and approved by the Mobile IP working group. SPI number 1 should not be assigned unless in the future the Mobile IP working group decides that SKIP is not important for enumeration in the list of reserved numbers. SPI number 0 should not be assigned.

IANA增加了一个新的部分,用于枚举0-255范围内特定SPI识别的算法。第8节中讨论的CHAP_SPI编号(2)是从该范围的保留SPI编号分配的。此保留范围内的新分配必须由移动IP工作组指定和批准。除非将来移动IP工作组决定跳过对于保留号码列表中的枚举不重要,否则不应分配SPI号码1。不应分配SPI编号0。

Additionally, the new error codes fa_bad_aaa_auth, ha_bad_aaa_auth, and ha_wrong_challenge are defined by this document. Among these, ha_wrong_challenge may appear in the Status code of the FA Error extension, defined in [RFC4636].

此外,本文档还定义了新的错误代码fa_bad_aaa_auth、ha_bad_aaa_auth和ha_error_challenge。其中,ha_错误_质询可能出现在[RFC4636]中定义的FA错误扩展的状态代码中。

12. Security Considerations
12. 安全考虑

In the event that a malicious mobile node attempts to replay the authenticator for an old Mobile-Foreign Challenge, the foreign agent would detect it, since the agent always checks whether it has recently advertised the Challenge (see Section 3.2). Allowing mobile nodes with different IP addresses or NAIs to use the same Challenge value does not represent a security vulnerability, as the authentication data provided by the mobile node will be computed over data that is different (at least the mobile node's IP address will vary).

如果恶意移动节点试图为旧的移动外部质询重播验证器,外部代理将检测到它,因为代理始终检查它最近是否公布了质询(请参见第3.2节)。允许具有不同IP地址或NAI的移动节点使用相同的质询值并不代表安全漏洞,因为移动节点提供的认证数据将根据不同的数据进行计算(至少移动节点的IP地址将发生变化)。

If the foreign agent chooses a Challenge value (see Section 2) with fewer than 4 octets, the foreign agent SHOULD include the value of the Identification field in the records it maintains for the mobile node. The foreign agent can then determine whether the Registration messages using the short Challenge value are in fact unique and thus assuredly not replayed from any earlier registration.

如果外部代理选择少于4个八位字节的质询值(参见第2节),则外部代理应在其为移动节点维护的记录中包含标识字段的值。然后,外部代理可以确定使用短质询值的注册消息是否实际上是唯一的,从而确保不会从任何先前的注册中重放。

Section 8 (SPI For RADIUS AAA Servers) defines a method of computing the Generalized Mobile IP Authentication extension's authenticator field, using MD5 in a manner that is consistent with RADIUS [RFC2865]. The use of MD5 in the method described in Section 8 is less secure than HMAC-MD5 [RFC2104] and MUST be avoided whenever possible.

第8节(RADIUS AAA服务器的SPI)定义了以与RADIUS一致的方式使用MD5计算通用移动IP认证扩展的验证器字段的方法[RFC2865]。在第8节所述方法中使用MD5的安全性不如HMAC-MD5[RFC2104],必须尽可能避免。

Note that an active attacker may try to prevent successful registrations by sending a large number of Agent Solicitations or bogus Registration Requests, each of which could cause the foreign agent to respond with a fresh challenge, invalidating the challenge that the MN is currently trying to use. To prevent such attacks, the foreign agent MUST NOT invalidate previously unused challenges when responding to unauthenticated Registration Requests or Agent Solicitations. In addition, the foreign agent MUST NOT allocate new storage when responding to such messages, as this would also create the possibility of denial of service.

请注意,主动攻击者可能会通过发送大量代理请求或虚假注册请求来阻止成功注册,每个请求都可能导致外部代理以新的质询进行响应,从而使MN当前尝试使用的质询无效。为防止此类攻击,外国代理在响应未经验证的注册请求或代理请求时,不得使以前未使用的质询无效。此外,外部代理在响应此类消息时不得分配新存储,因为这也会造成拒绝服务的可能性。

The Challenge extension specified in this document need not be used for co-located care-of address mode. In this case, replay protection is provided by the Identification field in the Registration Request message [RFC3344].

本文档中指定的质询扩展无需用于同处转交地址模式。在这种情况下,重播保护由注册请求消息[RFC3344]中的标识字段提供。

The Generalized Mobile IP Authentication extension includes a subtype field that is used to identify characteristics of the particular authentication strategy. This document only defines one subtype, the Mobile-AAA Authentication subtype that uses HMAC-MD5. If it is necessary to move to a new message authentication algorithm in the future, this could be accomplished by defining a new subtype that uses a different one.

通用移动IP认证扩展包括一个子类型字段,用于标识特定认证策略的特征。本文档仅定义了一个子类型,即使用HMAC-MD5的移动AAA认证子类型。如果将来需要使用新的消息身份验证算法,可以通过定义使用不同子类型的新子类型来实现。

13. Acknowledgements
13. 致谢

The authors would like to thank Pete McCann, Ahmad Muhanna, Henrik Levkowetz, Kent Leung, Alpesh Patel, Madjid Nakhjiri, Gabriel Montenegro, Jari Arkko, and other MIP4 WG participants for their useful discussions.

作者要感谢Pete McCann、Ahmad Muhanna、Henrik Levkowetz、Kent Leung、Alpesh Patel、Madjid Nakhjiri、Gabriel Montegon、Jari Arkko和其他MIP4工作组参与者的有益讨论。

14. Normative References
14. 规范性引用文件

[RFC1256] Deering, S., "ICMP Router Discovery Messages", RFC 1256, September 1991.

[RFC1256]Deering,S.,“ICMP路由器发现消息”,RFC 12561991年9月。

[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[RFC1321]Rivest,R.,“MD5消息摘要算法”,RFC13211992年4月。

[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[RFC1994]辛普森,W.,“PPP挑战握手认证协议(CHAP)”,RFC 1994,1996年8月。

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC2865]Rigney,C.,Willens,S.,Rubens,A.,和W.Simpson,“远程认证拨入用户服务(RADIUS)”,RFC 28652000年6月。

[RFC2794] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier Extension for IPv4", RFC 2794, March 2000.

[RFC2794]Calhoun,P.和C.Perkins,“IPv4移动IP网络访问标识符扩展”,RFC 27942000年3月。

[RFC3012] Perkins, C. and P. Calhoun, "Mobile IPv4 Challenge/Response Extensions", RFC 3012, November 2000.

[RFC3012]Perkins,C.和P.Calhoun,“移动IPv4挑战/响应扩展”,RFC3012,2000年11月。

[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002.

[RFC3344]Perkins,C.,“IPv4的IP移动支持”,RFC 3344,2002年8月。

[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[RFC4086]伊斯特莱克,D.,3,席勒,J.和S.克罗克,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。

[RFC4636] Perkins, C., "Foreign Agent Error Extension for Mobile IPv4", RFC 4636, October 2006.

[RFC4636]Perkins,C.,“移动IPv4的外部代理错误扩展”,RFC4636,2006年10月。

Appendix A. Changes since RFC 3012
附录A.自RFC 3012以来的变化

The following is the list of changes from RFC 3012 ([RFC3012]):

以下是RFC 3012([RFC3012])的变更列表:

o Foreign agent recommended to include a Challenge in every Registration Reply, so that mobile node can re-register without waiting for an Advertisement.

o 建议外部代理在每个注册回复中包含质询,以便移动节点可以在不等待广告的情况下重新注册。

o Foreign agent MUST record applicable challenge values used by each mobile node.

o 外部代理必须记录每个移动节点使用的适用质询值。

o Mobile node forbidden to use Challenge values which were advertised previous to the last Challenge value which it had used for a registration.

o 移动节点禁止使用在其用于注册的最后一个质询值之前公布的质询值。

o Challenge definitions are cleaned up.

o 挑战定义已清理。

o Programming suggestion added as an appendix.

o 作为附录添加了编程建议。

o HMAC_CHAP_SPI option is added for Generalized Mobile IP Authentication extension. Upon receipt of HMAC_CHAP_SPI, HMAC-MD5 is used instead of MD5 for computing the authenticator.

o 添加HMAC_CHAP_SPI选项用于通用移动IP认证扩展。收到HMAC_CHAP_SPI后,将使用HMAC-MD5而不是MD5来计算验证器。

o Added fa_bad_aaa_auth and ha_bad_aaa_auth error codes to report authentication errors caused while processing Mobile-AAA Authentication extension. Also, added the error code ha_wrong_challenge to indicate that Challenge value differs in the Registration Reply received from the home agent compare to the one sent to the home agent in the Registration Request.

o 添加了fa_bad_aaa_auth和ha_bad_aaa_auth错误代码,以报告在处理移动aaa身份验证扩展时导致的身份验证错误。此外,还添加了错误代码ha_error_challenge,以表明从归属代理收到的注册回复中的质询值与注册请求中发送给归属代理的注册回复中的质询值不同。

o Processing of the Mobile-AAA Authentication extension is clarified for the foreign agent and the home agent.

o 为外部代理和本地代理澄清了移动AAA认证扩展的处理。

o Co-existence of the Mobile-AAA Authentication extension in the same Registration Request is made explicit.

o 明确了移动AAA认证扩展在同一注册请求中的共存性。

o The situation in which the foreign agent sets missing_challenge is clarified further.

o 进一步澄清了外国代理人提出“失踪”质疑的情况。

o The use of Mobile-AAA Authentication extension is allowed by the mobile node with co-located care-of address.

o 移动AAA认证扩展的使用由具有共同定位的转交地址的移动节点允许。

o Added protection against bogus Registration Reply and Agent Advertisement. Also, the processing of the Challenge is clarified if it is received in the multicast/unicast Agent Advertisement.

o 增加了对虚假注册回复和代理广告的保护。此外,如果在多播/单播代理播发中接收到质询,则澄清质询的处理。

o Added reference of FA Error extension in the References section and also updated relevant text in section 3.2 and section 11.

o 在参考章节中增加了FA错误扩展的参考,并更新了第3.2节和第11节中的相关文本。

Appendix B. Verification Infrastructure
附录B.核查基础设施

The Challenge extensions in this protocol specification are expected to be useful to help the foreign agent manage connectivity for visiting mobile nodes, even in situations where the foreign agent does not have any security association with the mobile node or the mobile node's home agent. In order to carry out the necessary authentication, it is expected that the foreign agent will need the assistance of external administrative systems, which have come to be called AAA systems. For the purposes of this document, we call the external administrative support the "verification infrastructure". The verification infrastructure is described to motivate the design of the protocol elements defined in this document and is not strictly needed for the protocol to work. The foreign agent is free to use any means at its disposal to verify the credentials of the mobile node. It could, for instance, rely on a separate protocol between the foreign agent and the Mobile IP home agent and still not require any modification to the mobile node.

本协议规范中的质询扩展预计将有助于帮助外部代理管理访问移动节点的连接,即使在外部代理与移动节点或移动节点的归属代理没有任何安全关联的情况下也是如此。为了进行必要的认证,预计外国代理将需要外部管理系统的协助,这些系统被称为AAA系统。在本文件中,我们将外部管理支持称为“验证基础设施”。描述验证基础设施是为了激励本文件中定义的协议元素的设计,协议的工作并不严格需要验证基础设施。外部代理可以自由使用其可支配的任何手段来验证移动节点的凭据。例如,它可以依赖于外部代理和移动IP归属代理之间的单独协议,并且仍然不需要对移动节点进行任何修改。

In order to verify the credentials of the mobile node, we assume that the foreign agent has access to a verification infrastructure that can return a secure notification to the foreign agent that the authentication has been performed, along with the results of that authentication. This infrastructure may be visualized as shown in Figure 4.

为了验证移动节点的凭据,我们假设外部代理可以访问验证基础设施,该基础设施可以向外部代理返回安全通知,告知已执行验证,以及该验证的结果。此基础结构可以可视化,如图4所示。

      +----------------------------------------------------+
      |                                                    |
      |  Verification and Key Management Infrastructure    |
      |                                                    |
      +----------------------------------------------------+
               ^ |                                  ^ |
               | |                                  | |
               | v                                  | v
        +---------------+                    +---------------+
        |               |                    |               |
        | foreign agent |                    |   home agent  |
        |               |                    |               |
        +---------------+                    +---------------+
        
      +----------------------------------------------------+
      |                                                    |
      |  Verification and Key Management Infrastructure    |
      |                                                    |
      +----------------------------------------------------+
               ^ |                                  ^ |
               | |                                  | |
               | v                                  | v
        +---------------+                    +---------------+
        |               |                    |               |
        | foreign agent |                    |   home agent  |
        |               |                    |               |
        +---------------+                    +---------------+
        

Figure 4. The Verification Infrastructure

图4。核查基础设施

After the foreign agent gets the Challenge authentication, it MAY pass the authentication to the (here unspecified) infrastructure and await a Registration Reply. If the Reply has a positive status (indicating that the registration was accepted), the foreign agent accepts the registration. If the Reply contains the Code value

在外部代理获得质询身份验证后,它可以将身份验证传递给(此处未指定)基础设施,并等待注册回复。如果回复状态为肯定(表明注册已被接受),则外国代理接受注册。如果回复包含代码值

BAD_AUTHENTICATION (see Section 10), the foreign agent takes actions indicated for rejected registrations.

错误的身份验证(见第10节),外国代理会针对被拒绝的注册采取指示的行动。

Implicit in this picture is the important observation that the foreign agent and the home agent have to be equipped to make use of whatever protocol is required by the challenge verification and key management infrastructure shown in the figure.

这幅图中隐含着一个重要的观察结果,即必须配备外国代理和本国代理,以使用图中所示的质询验证和密钥管理基础设施所需的任何协议。

The protocol messages for handling the authentication within the verification infrastructure and the identity of the agent performing the verification of the foreign agent challenge are not specified in this document, as those operations do not have to be performed by any Mobile IP entity.

本文档中未指定用于在验证基础设施内处理身份验证的协议消息以及执行外部代理质询验证的代理的身份,因为这些操作不必由任何移动IP实体执行。

Appendix C. Message Flow for FA Challenge Messaging with Mobile-AAA Extension

附录C.具有移动AAA扩展的FA质询消息的消息流

   MN                  FA                   Verification     home agent
    |<-- Adv+Challenge--|                  Infrastructure          |
    |    (if needed)    |                         |                |
    |                   |                         |                |
    |-- RReq+Challenge->|                         |                |
    |    + Auth.Ext.    |                         |                |
    |                   |   Auth. Request, incl.  |                |
    |                   |--- RReq + Challenge --->|                |
    |                   |      + Auth.Ext         |   RReq +       |
    |                   |                         |-- Challenge -->|
    |                   |                         |                |
    |                   |                         |                |
    |                   |                         |<--- RRep ----- |
    |                   |   Authorization, incl.  |                |
    |                   |<-- RRep + Auth.Ext.-----|                |
    |                   |                         |                |
    |<-- RRep+Auth.Ext--|                         |                |
    |  + New Challenge  |                         |                |
        
   MN                  FA                   Verification     home agent
    |<-- Adv+Challenge--|                  Infrastructure          |
    |    (if needed)    |                         |                |
    |                   |                         |                |
    |-- RReq+Challenge->|                         |                |
    |    + Auth.Ext.    |                         |                |
    |                   |   Auth. Request, incl.  |                |
    |                   |--- RReq + Challenge --->|                |
    |                   |      + Auth.Ext         |   RReq +       |
    |                   |                         |-- Challenge -->|
    |                   |                         |                |
    |                   |                         |                |
    |                   |                         |<--- RRep ----- |
    |                   |   Authorization, incl.  |                |
    |                   |<-- RRep + Auth.Ext.-----|                |
    |                   |                         |                |
    |<-- RRep+Auth.Ext--|                         |                |
    |  + New Challenge  |                         |                |
        

Figure 5. Message Flows for FA Challenge Messaging

图5。FA质询消息的消息流

In Figure 5, the following informational message flow is illustrated:

在图5中,说明了以下信息性消息流:

1. The foreign agent includes a Challenge Value in a unicast Agent Advertisement, if needed. This advertisement MAY have been produced after receiving an Agent Solicitation from the mobile node (not shown in the diagram).

1. 如果需要,外部代理在单播代理广告中包括质询值。该广告可能是在从移动节点(图中未示出)接收到代理请求之后产生的。

2. The mobile node creates a Registration Request including the advertised Challenge Value in the Challenge extension, along with a Mobile-AAA authentication extension.

2. 移动节点创建注册请求,包括质询扩展中的广告质询值以及移动AAA认证扩展。

3. The foreign agent relays the Registration Request either to the home agent specified by the mobile node or to its locally configured Verification Infrastructure (see Appendix B), according to local policy.

3. 根据本地策略,外部代理将注册请求转发给移动节点指定的归属代理或其本地配置的验证基础设施(参见附录B)。

4. The foreign agent receives a Registration Reply with the appropriate indications for authorizing connectivity for the mobile node.

4. 外部代理接收具有用于授权移动节点的连接的适当指示的注册应答。

5. The foreign agent relays the Registration Reply to the mobile node, often along with a new Challenge Value to be used by the mobile node in its next Registration Request message.

5. 外部代理将注册回复转发给移动节点,通常伴随着移动节点在其下一个注册请求消息中使用的新质询值。

Appendix D. Message Flow for FA Challenge Messaging with MN-FA Authentication

附录D.具有MN-FA身份验证的FA质询消息的消息流

         MN                  FA                     home agent
          |<-- Adv+Challenge--|                         |
          |    (if needed)    |                         |
          |                   |                         |
          |-- RReq+Challenge->|                         |
          |    + Auth.Ext.    |                         |
          |                   |--- RReq + Challenge --->|
          |                   |   + HA-FA Auth.Ext      |
          |                   |                         |
          |                   |<-- RRep + Challenge ----|
          |                   |   + HA-FA Auth.Ext      |
          |                   |                         |
          |<-- RRep+Auth.Ext--|                         |
          |  + New Challenge  |                         |
        
         MN                  FA                     home agent
          |<-- Adv+Challenge--|                         |
          |    (if needed)    |                         |
          |                   |                         |
          |-- RReq+Challenge->|                         |
          |    + Auth.Ext.    |                         |
          |                   |--- RReq + Challenge --->|
          |                   |   + HA-FA Auth.Ext      |
          |                   |                         |
          |                   |<-- RRep + Challenge ----|
          |                   |   + HA-FA Auth.Ext      |
          |                   |                         |
          |<-- RRep+Auth.Ext--|                         |
          |  + New Challenge  |                         |
        

Figure 6. Message Flows for FA Challenge Messaging with MN-FA Authentication

图6。具有MN-FA身份验证的FA质询消息的消息流

In Figure 6, the following informational message flow is illustrated:

在图6中,说明了以下信息性消息流:

1. The foreign agent disseminates a Challenge Value in an Agent Advertisement, if needed. This advertisement MAY have been produced after receiving an Agent Solicitation from the mobile node (not shown in the diagram).

1. 如果需要,外国代理在代理广告中传播挑战值。该广告可能是在从移动节点(图中未示出)接收到代理请求之后产生的。

2. The mobile node creates a Registration Request including the advertised Challenge Value in the Challenge extension, along with a Mobile-Foreign Authentication extension.

2. 移动节点创建注册请求,包括质询扩展中的播发质询值,以及移动外部认证扩展。

3. The foreign agent relays the Registration Request to the home agent specified by the mobile node.

3. 外部代理将注册请求转发给移动节点指定的归属代理。

4. The foreign agent receives a Registration Reply with the appropriate indications for authorizing connectivity for the mobile node.

4. 外部代理接收具有用于授权移动节点的连接的适当指示的注册应答。

5. The foreign agent relays the Registration Reply to the mobile node, possibly along with a new Challenge Value to be used by the mobile node in its next Registration Request message. If the Reply contains the Code value ha_bad_aaa_auth (see Section 10), the foreign agent takes actions indicated for rejected registrations.

5. 外部代理将注册应答转发给移动节点,可能还包括移动节点在其下一个注册请求消息中使用的新质询值。如果回复包含代码值ha_bad_aaa_auth(参见第10节),则外国代理将采取针对被拒绝注册的措施。

Appendix E. Example Pseudo-Code for Tracking Used Challenges
附录E.用于跟踪所用挑战的伪代码示例
   current_chal := RegistrationRequest.challenge_extension_value
   last_chal := mobile_node_record.last_used_adv_chal
        
   current_chal := RegistrationRequest.challenge_extension_value
   last_chal := mobile_node_record.last_used_adv_chal
        
   if (current_chal == mobile_node_record.RegReply_challenge) {
       update (mobile_node_record, current_chal)
       return (OK)
   }
   else if (current_chal "among" VALID_ADV_CHALLENGES[]{
      if (last_chal "among" VALID_ADV_CHALLENGES[]) {
         if (current_chal is "before" last_chal) {
             send_error(STALE_CHALLENGE)
             return (FAILURE)
         }
         else {
             update (mobile_node_record, current_chal)
             return (OK)
         }
      }
      else {
         update (mobile_node_record, current_chal)
         return (OK)
      }
   }
   else {
      send_error(UNKNOWN_CHALLENGE);
   }
        
   if (current_chal == mobile_node_record.RegReply_challenge) {
       update (mobile_node_record, current_chal)
       return (OK)
   }
   else if (current_chal "among" VALID_ADV_CHALLENGES[]{
      if (last_chal "among" VALID_ADV_CHALLENGES[]) {
         if (current_chal is "before" last_chal) {
             send_error(STALE_CHALLENGE)
             return (FAILURE)
         }
         else {
             update (mobile_node_record, current_chal)
             return (OK)
         }
      }
      else {
         update (mobile_node_record, current_chal)
         return (OK)
      }
   }
   else {
      send_error(UNKNOWN_CHALLENGE);
   }
        

Authors' Addresses

作者地址

Charles E. Perkins Nokia Research Center Communications Systems Lab 313 Fairchild Drive Mountain View, California 94043

Charles E.Perkins诺基亚研究中心通信系统实验室313 Fairchild Drive Mountain View,加利福尼亚94043

   Phone: +1 650 625-2986
   EMail: charles.perkins@nokia.com
        
   Phone: +1 650 625-2986
   EMail: charles.perkins@nokia.com
        

Pat R. Calhoun Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134

Pat R.Calhoun Cisco Systems,Inc.加利福尼亚州圣何塞市西塔斯曼大道170号,邮编95134

   Phone: +1 408-853-5269
   EMail: pcalhoun@cisco.com
        
   Phone: +1 408-853-5269
   EMail: pcalhoun@cisco.com
        

Jayshree Bharatia Nortel Networks 2221, Lakeside Blvd Richardson, TX 75082

德克萨斯州理查森湖畔大道Jayshree Bharatia Nortel Networks 2221号,邮编75082

   Phone: +1 972-684-5767
   EMail: jayshree@nortel.com
        
   Phone: +1 972-684-5767
   EMail: jayshree@nortel.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The IETF Trust (2007).

版权所有(C)IETF信托基金(2007年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST, AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。