draft-ietf-mip6-bootstrapping-integrated-dhc-00.txt   draft-ietf-mip6-bootstrapping-integrated-dhc-01.txt 
Network Working Group K. Chowdhury, Editor Network Working Group K. Chowdhury, Editor
Internet-Draft Starent Networks Internet-Draft Starent Networks
Expires: April 19, 2006 A. Yegin Expires: December 11, 2006 A. Yegin
Samsung Samsung AIT
October 16, 2005 June 9, 2006
MIP6-bootstrapping via DHCPv6 for the Integrated Scenario MIP6-bootstrapping via DHCPv6 for the Integrated Scenario
draft-ietf-mip6-bootstrapping-integrated-dhc-00.txt draft-ietf-mip6-bootstrapping-integrated-dhc-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 19, 2006. This Internet-Draft will expire on December 11, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
The Mobile IPv6 bootstrapping problem statement describes two main The Mobile IPv6 bootstrapping problem statement describes two main
scenarios. In the first scenario (i.e. the split scenario), the scenarios. In the first scenario (i.e. the split scenario), the
mobile node's mobility service is authorized by a different service mobile node's mobility service is authorized by a different service
authorizer than the basic network access authorizer. In the second authorizer than the basic network access authorizer. In the second
scenario (i.e. the integrated scenario), the mobile node's mobility scenario (i.e. the integrated scenario), the mobile node's mobility
service is authorized by the same service authorizer as the basic service is authorized by the same service authorizer as the basic
network access service authorizer. This document defines a method network access service authorizer. This document defines a method
skipping to change at page 2, line 27 skipping to change at page 2, line 27
3.4 HoA and IKEv2 SA Bootstrapping in the Integrated 3.4 HoA and IKEv2 SA Bootstrapping in the Integrated
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . 10 Scenario . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.5 DHCPv6 options . . . . . . . . . . . . . . . . . . . . . . 10 3.5 DHCPv6 options . . . . . . . . . . . . . . . . . . . . . . 10
3.5.1 DHC Relay Agent Option to carry Mobile IPv6 3.5.1 DHC Relay Agent Option to carry Mobile IPv6
parameters . . . . . . . . . . . . . . . . . . . . . . 11 parameters . . . . . . . . . . . . . . . . . . . . . . 11
3.5.2 MIP6 home agent sub-option . . . . . . . . . . . . . . 11 3.5.2 MIP6 home agent sub-option . . . . . . . . . . . . . . 11
3.6 Mobile Node Behavior . . . . . . . . . . . . . . . . . . . 12 3.6 Mobile Node Behavior . . . . . . . . . . . . . . . . . . . 12
3.7 NAS, DHCP Relay Agent Behavior . . . . . . . . . . . . . . 13 3.7 NAS, DHCP Relay Agent Behavior . . . . . . . . . . . . . . 13
3.8 DHCP Server Behavior . . . . . . . . . . . . . . . . . . . 14 3.8 DHCP Server Behavior . . . . . . . . . . . . . . . . . . . 14
4. Security Considerations . . . . . . . . . . . . . . . . . . . 16 4. Security Considerations . . . . . . . . . . . . . . . . . . . 16
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 19 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
8.1 Normative References . . . . . . . . . . . . . . . . . . . 20 8.1 Normative References . . . . . . . . . . . . . . . . . . . 21
8.2 Informative References . . . . . . . . . . . . . . . . . . 21 8.2 Informative References . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22
Intellectual Property and Copyright Statements . . . . . . . . 22 Intellectual Property and Copyright Statements . . . . . . . . 23
1. Introduction and Scope 1. Introduction and Scope
The Mobile IPv6 protocol [RFC3775] requires the mobile node to have The Mobile IPv6 protocol [RFC3775] requires the mobile node to have
knowledge of its Home Address, the home agent address and the knowledge of its Home Address, the home agent address and the
cryptographic materials for establishing an IPsec security cryptographic materials for establishing an IPsec security
association with the home agent prior to performing home association with the home agent prior to performing home
registration. The mechanism via which the mobile node obtains these registration. The mechanism via which the mobile node obtains these
information is called Mobile IPv6 bootstrapping. In order to allow a information is called Mobile IPv6 bootstrapping. In order to allow a
flexible deployment model for Mobile IPv6, it is desirable to define flexible deployment model for Mobile IPv6, it is desirable to define
skipping to change at page 4, line 15 skipping to change at page 4, line 15
2. Terminology 2. Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in [RFC2119]. this document are to be interpreted as described in [RFC2119].
General mobility terminology can be found in [RFC3753]. The General mobility terminology can be found in [RFC3753]. The
following additional terms, as defined in [BOOT-PS], are used in this following additional terms, as defined in [BOOT-PS], are used in this
document: document:
Access Service Authorizer (ASA): Access Service Authorizer (ASA): A network operator that
A network operator that authenticates a mobile node and authenticates a mobile node and establishes the mobile node's
establishes the mobile node's authorization to receive Internet authorization to receive Internet service.
service.
Access Service Provider (ASP): Access Service Provider (ASP): A network operator that provides
A network operator that provides direct IP packet forwarding direct IP packet forwarding to and from the mobile node.
to and from the mobile node.
Mobility Service Authorizer (MSA): Mobility Service Authorizer (MSA): A service provider that authorizes
A service provider that authorizes Mobile IPv6 service. Mobile IPv6 service.
Mobility Service Provider (MSP): Mobility Service Provider (MSP): A service provider that provides
A service provider that provides Mobile IPv6 service. In order Mobile IPv6 service. In order to obtain such service, the mobile
to obtain such service, the mobile node must be authenticated node must be authenticated and authorized to obtain the Mobile IPv6
and authorized to obtain the Mobile IPv6 service. service.
Split scenario: Split scenario: A scenario where the mobility service and the network
A scenario where the mobility service and the network access access service are authorized by different entities.
service are authorized by different entities.
Integrated Scenario: Integrated Scenario: A scenario where the mobility service and the
A scenario where the mobility service and the network access network access service are authorized by the same entity.
service are authorized by the same entity.
3. Solution Overview 3. Solution Overview
3.1 Logical Diagram of the Integrated Scenario 3.1 Logical Diagram of the Integrated Scenario
In the integrated scenario the mobile node may use the security In the integrated scenario the mobile node may use the security
credentials for network access to bootstrap Mobile IPv6. As such, it credentials for network access to bootstrap Mobile IPv6. As such, it
is assumed that the access service authorizer is mobility service is assumed that the access service authorizer is mobility service
aware. This allows for Mobile IPv6 bootstrapping at the time of aware. This allows for Mobile IPv6 bootstrapping at the time of
access authentication and authorization. Also, the mechanism defined access authentication and authorization. Also, the mechanism defined
skipping to change at page 17, line 5 skipping to change at page 16, line 38
security mechanisms. An adversary that is able to modify home agent security mechanisms. An adversary that is able to modify home agent
information can force the mobile node to use a different home agent information can force the mobile node to use a different home agent
than intended by the MSA. However, this type of attack can be than intended by the MSA. However, this type of attack can be
detected by the security mechanism between the mobile node and the detected by the security mechanism between the mobile node and the
home agent. home agent.
Overall, the home agent information carried by the AAA protocols and Overall, the home agent information carried by the AAA protocols and
DHCP does not impose any new security concerns for the transport DHCP does not impose any new security concerns for the transport
protocols. protocols.
If the home agent selected by the mobile node is local or nearby, (as
in section 3.2.2), disclosing the mobile node's home address (e.g.,
by updating the mobile node's FQDN in the DNS) has the potential to
expose some information about the mobile node's location.
Just by knowing the mobile node's home address, an attacker cannot
determine whether the mobile node's home address belongs to a home
agent that is local, nearby or remote for the mobile node and, hence,
cannot determine where the mobile node is actually located. However,
if additional information such as the mobile node's home agent
selection policy and the home agent allocation policy of ASPs is
known by an attacker, this may be different. For instance, if an
attacker knows that the mobile node's home agent selection policy is
to bootstrap with a new local home agent whenever entering a new
network (e.g., because the mobile node wants to improve routing
efficiency in Bi-directional Tunneling mode), the attacker can track
the mobile node's movement if it is aware of the mobile node's
current home addresses. The accuracy of the revealed location
information depends on the deployment style of home agents and the
frequency of bootstrapping.
Consequently, if a high level of location privacy is desired, a
mobile node should not switch to local home agents in an eager manner
or should not reveal its home address to untrusted nodes.
Furthermore, the disclosure of policy information that can help
locating the mobile node should be carefully considered.
5. IANA Considerations 5. IANA Considerations
The following DHCP option code MUST be assigned by IANA: The following DHCP option code MUST be assigned by IANA:
option-code for OPTION_MIP6-RELAY-Option: TBD-1. option-code for OPTION_MIP6-RELAY-Option: TBD-1.
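Review bot: the closing sentence of the new location-privacy text ("a mobile node should not switch to local home agents in an eager manner or should not reveal its home address to untrusted nodes") presents two mitigations as interchangeable, but only the first is under the mobile node's control: the same text names DNS FQDN updates as the disclosure path, and a home address is in any case learned by every correspondent node the mobile node exchanges packets with, so "not revealing the home address" is not an option for a node that needs to be reachable. Suggest rewording so the trade-off is explicit (a mobile node that wants location privacy keeps a remote home agent in bi-directional tunneling mode, giving up the routing efficiency that motivates local selection, or at least bounds how often it re-bootstraps, which the preceding paragraph already ties to "the frequency of bootstrapping"), and say whether "should not" is the RFC 2119 SHOULD NOT, since section 2 invokes those keywords and the lowercase form leaves the requirement level ambiguous.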
6. Acknowledgements 6. Acknowledgements
TBD. The authors would like to thank Kilian Weniger for his valuable
comment related to location privacy.
7. Contributors 7. Contributors
This contribution is a joint effort of the bootstrapping solution This contribution is a joint effort of the bootstrapping solution
design team of the MIP6 WG. The contributors include Gerardo design team of the MIP6 WG. The contributors include Gerardo
Giaretta, Basavaraj Patil, Alpesh Patel, Jari Arkko, James Kempf, Giaretta, Basavaraj Patil, Alpesh Patel, Jari Arkko, James Kempf,
Gopal Dommety, Alper Yegin, Junghoon Jee, Vijay Devarapalli, Kuntal Gopal Dommety, Alper Yegin, Junghoon Jee, Vijay Devarapalli, Kuntal
Chowdhury, Julien Bournelle, and Hannes Tschofenig. Chowdhury, Julien Bournelle, and Hannes Tschofenig.
The design team members can be reached at: The design team members can be reached at:
skipping to change at page 20, line 10 skipping to change at page 21, line 10
Julien Bournelle julien.bournelle@int-evry.fr Julien Bournelle julien.bournelle@int-evry.fr
Hannes Tschofenig hannes.tschofenig@siemens.com Hannes Tschofenig hannes.tschofenig@siemens.com
8. References 8. References
8.1 Normative References 8.1 Normative References
[BOOT-PS] Patel et. al., A., "Problem Statement for bootstrapping [BOOT-PS] Patel et. al., A., "Problem Statement for bootstrapping
Mobile IPv6.", draft-ietf-mip6-bootstrap-ps-03.txt (work Mobile IPv6.", draft-ietf-mip6-bootstrap-ps-05.txt (work
in progress), July 2005. in progress), May 2006.
[HAOPT] Hee Jang et. al., A., "DHCP Option for Home Agent [HAOPT] Hee Jang et. al., A., "DHCP Option for Home Agent
Discovery in MIPv6.", draft-jang-dhc-haopt-01.txt (work in Discovery in MIPv6.", draft-jang-dhc-haopt-02.txt (work in
progress), April 2005. progress), February 2006.
[MIP6-RADIUS] [MIP6-RADIUS]
Chowdhury et. al., K., "RADIUS Mobile IPv6 Support.", Chowdhury et. al., K., "RADIUS Mobile IPv6 Support.",
draft-chowdhury-mip6-radius-00.txt (work in progress), draft-chowdhury-mip6-radius-01.txt (work in progress),
October 2005. March 2006.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000. RFC 2865, June 2000.
skipping to change at page 21, line 11 skipping to change at page 22, line 11
August 2005. August 2005.
[RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for
the Dynamic Host Configuration Protocol (DHCP) Relay Agent the Dynamic Host Configuration Protocol (DHCP) Relay Agent
Option", RFC 4030, March 2005. Option", RFC 4030, March 2005.
8.2 Informative References 8.2 Informative References
[BOOT-SPLIT] [BOOT-SPLIT]
Giaretta et. al., A., "Mobile IPv6 bootstrapping in split Giaretta et. al., A., "Mobile IPv6 bootstrapping in split
scenario.", draft-ietf-mip6-bootstrapping-split-00.txt scenario.", draft-ietf-mip6-bootstrapping-split-02.txt
(work in progress), June 2005. (work in progress), March 2006.
[RELAY-IPSEC] [RELAY-IPSEC]
Droms, R., "Authentication of DHCP Relay Agent Options Droms, R., "Authentication of DHCP Relay Agent Options
Using IPsec.", draft-ietf-dhc-relay-agent-ipsec-02.txt Using IPsec.", draft-ietf-dhc-relay-agent-ipsec-02.txt
(work in progress), May 2005. (work in progress), May 2005.
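Review bot: [RELAY-IPSEC] is left at draft-ietf-dhc-relay-agent-ipsec-02 (May 2005) while every other work-in-progress reference in this revision was bumped; an Internet-Draft expires six months after submission, so a May 2005 -02 had expired well before this June 2006 revision. Check whether a newer revision exists and update the citation, or drop the reference if the relay-agent IPsec work it pointed to is no longer being advanced, since section 4 relies on the relay-to-server path being protected.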
Authors' Addresses Authors' Addresses
Kuntal Chowdhury Kuntal Chowdhury
Starent Networks Starent Networks
30 International Place 30 International Place
Tewksbury, MA 01876 Tewksbury, MA 01876
US US
Phone: +1 214-550-1416 Phone: +1 214-550-1416
Email: kchowdhury@starentnetworks.com Email: kchowdhury@starentnetworks.com
Alper Yegin Alper Yegin
Samsung Samsung AIT
Email: alper.yegin@yegin.org Istanbul,
Turkey
Phone:
Email: alper01.yegin@partner.samsung.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
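Review bot: the new address block for Alper Yegin carries an empty "Phone:" line; either fill it in or remove the line, since the -00 entry had no phone line at all and an empty field will survive into the RFC Editor's copy.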
skipping to change at page 22, line 41 skipping to change at page 23, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 19 change blocks. 
45 lines changed or deleted 73 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/