Aaa - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration
Chapter 13: Configuring the Mobile IP Home Agent
authentication algorithm and key are retrieved by checking the security association
indexed by the security parameter index (SPI) value. This verification results in a
128-bit key and the authentication algorithm with which to compute an MD-5 message
digest over the registration request. The Mobile IP home agent supports both
HMAC-MD5 and keyed-MD5 authentication algorithms. When the result of this
computation matches the 128-bit authenticator, the mobile-home extension is
authenticated.
If a security association is configured for the foreign agent, the foreign-home
authentication extension is verified; otherwise, authentication success is based only
on the mobile-home authenticator.
The home agent checks the identification (ID) field, which is used for matching registration
requests with their replies and for protection against replay attacks. The home agent uses
timestamp-based replay protection, and the ID field represents a 64-bit Network Time
Protocol (NTP)-formatted time value. By default, the timestamp must be within
7 seconds of the home agent's configured time value.
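The verification sequence described above (security association lookup by SPI, 128-bit authenticator check with HMAC-MD5 or keyed-MD5, then the 7-second timestamp window), as an added Python example that is not part of this manual or of JUNOSe. The keys, addresses and NTP time values are constructed, and the data covered by the authenticator (the registration request plus the extension's type, length and SPI fields) follows RFC 3344, which the manual does not spell out.

```python
import hashlib
import hmac
import struct

# Constructed security-association table indexed by SPI: (algorithm, 128-bit key).
# The key bytes are sample values, not keys from the manual.
SA_TABLE = {
    0x100: ("hmac-md5", bytes.fromhex("000102030405060708090a0b0c0d0e0f")),
    0x200: ("keyed-md5", bytes.fromhex("0f0e0d0c0b0a09080706050403020100")),
}
REPLAY_WINDOW_S = 7  # default: timestamp must be within 7 s of home-agent time


def authenticator(algorithm, key, data):
    """Compute the 128-bit authenticator over the protected data."""
    if algorithm == "hmac-md5":
        return hmac.new(key, data, hashlib.md5).digest()
    if algorithm == "keyed-md5":
        # "prefix+suffix" keyed MD5, MD5(key || data || key), as in RFC 2002.
        return hashlib.md5(key + data + key).digest()
    raise ValueError("unsupported authentication algorithm")


def build_request(home_addr, home_agent, coa, ntp_seconds, ntp_fraction=0):
    """Fixed-length registration request: type 1, flags, lifetime, three
    addresses, and the 64-bit NTP-format identification field (seconds, fraction)."""
    return struct.pack("!BBH4s4s4sII", 1, 0, 3600,
                       home_addr, home_agent, coa, ntp_seconds, ntp_fraction)


def sign(request, spi):
    """Mobile node side: append a mobile-home authentication extension (type 32)."""
    algorithm, key = SA_TABLE[spi]
    ext_prefix = struct.pack("!BBI", 32, 4 + 16, spi)  # length = SPI + authenticator
    return ext_prefix + authenticator(algorithm, key, request + ext_prefix)


def verify(request, extension, home_agent_ntp_seconds):
    """Home agent side: return (ok, reason) after SA lookup, authenticator and replay checks."""
    _ext_type, _ext_len, spi = struct.unpack("!BBI", extension[:6])
    sa = SA_TABLE.get(spi)
    if sa is None:
        # No security parameters: reject, log a security violation, send no reply.
        return False, "security violation: no SA for SPI"
    expected = authenticator(sa[0], sa[1], request + extension[:6])
    if not hmac.compare_digest(expected, extension[6:]):
        return False, "authentication failed"
    req_seconds = struct.unpack("!I", request[16:20])[0]  # high 32 bits of the ID field
    if abs(req_seconds - home_agent_ntp_seconds) > REPLAY_WINDOW_S:
        return False, "identification mismatch (outside replay window)"
    return True, "authenticated"
```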

AAA

You can store the security associations and configuration information remotely on
a RADIUS server. You can use the ip mobile secure host command and the ip mobile
secure foreign-agent command to configure the security association (MD-5 key) for
a specified user, or for a group of users (also known as a domain) for the home agent.
The home agent can configure the security association (MD-5 key) for a specified
user or a group of users (domain).
Authentication is accomplished either by generating an authentication, authorization,
and accounting (AAA) access-request or querying the locally configured security
parameters, depending on whether or not you use the aaa keyword when you issue
the ip mobile host command to configure the mobile node. For AAA authentication,
you must include the aaa keyword; for local authentication, do not include the aaa
keyword. If AAA authentication is enabled, AAA queries the security information
from the RADIUS server.
When both the network access identifier (NAI) and IP address of the mobile node
are present in the registration request, then the authentication request from Mobile
IP to AAA has the NAI as the user name and the IP address as the hint IP address. If
only the NAI is present in the registration request, then the NAI address is used as
the user name with no hint IP address in the authentication request. If only the IP
address (home address) is present in the registration request, then it is used as both
the user name and the hint IP address in the authentication request. If both the NAI
address and the IP address are missing from the registration request, then the
registration request is rejected.
If the optional aaa keyword is present in the ip mobile host command, then the
authentication parameters are obtained by querying AAA. The authentication
algorithm and security key are retrieved by AAA based on its configuration, depending
on the SPI provided in the registration request. If the aaa keyword is absent, then
the home agent uses authentication parameters configured locally on the router to
authenticate the registration request. In both cases, if security parameters are not
retrieved, then the request for mobility service is rejected, a security violation error
is logged, and no registration reply is generated.
Mobile IP Overview
