Configuring The Mobile Ip Home Agent; Authentication; Aaa - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers: IP Services Configuration
Chapter 13: Configuring the Mobile IP Home Agent

Authentication

The home agent authenticates registration requests as specified in RFC 3344, IP Mobility Support
for IPv4 (August 2002). To verify the mobile-home authentication extension, the home agent
looks up the security association indexed by the security parameter index (SPI) value carried
in the request and retrieves from it the authentication algorithm and a 128-bit key. It then
uses that algorithm to compute an MD-5 message digest over the registration request. The
Mobile IP home agent supports both the HMAC-MD5 and keyed-MD5 authentication algorithms.
When the computed digest matches the 128-bit authenticator carried in the extension, the
mobile-home extension is authenticated.
If a security association is configured for the foreign agent, the foreign-home
authentication extension is verified; otherwise, authentication success is based only on
the mobile-home authenticator.
The home agent also checks the identification (ID) field, which is used to match registration
requests with replies and to protect against replay attacks. The home agent uses
timestamp-based replay protection; the ID field carries a 64-bit Network Time Protocol
(NTP)-formatted time value. By default, the timestamp must be within 7 seconds of the
home agent's configured time.
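The home-agent checks described above (SPI lookup, HMAC-MD5 or keyed-MD5 authenticator over the request, and the 7-second timestamp window), as an added example that is not from the JunosE manual. The security-association table, keys, addresses and reply codes are constructed or taken from RFC 3344; the example assumes the mobile-home authentication extension is the only extension in the request.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MH_AUTH_EXT_TYPE = 32           # Mobile-Home Authentication Extension type (RFC 3344)
REPLAY_WINDOW = 7               # seconds; the JunosE default stated in the manual

# Constructed security-association table indexed by SPI (placeholder keys, not real values).
# Each entry holds the authentication algorithm and the 128-bit key, as the manual describes.
SECURITY_ASSOCIATIONS = {
    0x100: ("hmac-md5", bytes.fromhex("00112233445566778899aabbccddeeff")),
    0x200: ("keyed-md5", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
}

def compute_authenticator(algorithm, key, covered):
    """128-bit authenticator over the covered bytes with either supported algorithm."""
    if algorithm == "hmac-md5":
        return hmac.new(key, covered, hashlib.md5).digest()
    if algorithm == "keyed-md5":            # prefix+suffix mode: MD5(key || data || key)
        return hashlib.md5(key + covered + key).digest()
    raise ValueError("unsupported authentication algorithm")

def build_registration_request(home_addr, ha_addr, coa, ntp_secs, spi):
    """Mobile node side: 24-byte fixed request plus the Mobile-Home authentication extension."""
    ident = (ntp_secs << 32) | 0x1234ABCD         # 64-bit NTP time; low 32 bits are fractional
    fixed = struct.pack("!BBH4s4s4sQ", 1, 0, 300, home_addr, ha_addr, coa, ident)
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 20, spi)   # length = SPI + 16-byte authenticator
    algorithm, key = SECURITY_ASSOCIATIONS[spi]
    return fixed + ext_hdr + compute_authenticator(algorithm, key, fixed + ext_hdr)

def verify_registration_request(pkt, now_unix):
    """Home agent side. Returns (accepted, RFC 3344 registration reply code)."""
    if len(pkt) < 24 + 6 + 16 or pkt[24] != MH_AUTH_EXT_TYPE:
        return False, 134                         # poorly formed Request
    _, ext_len, spi = struct.unpack("!BBI", pkt[24:30])
    sa = SECURITY_ASSOCIATIONS.get(spi)
    if ext_len != 20 or sa is None:
        return False, 131                         # mobile node failed authentication
    # The authenticator covers the fixed request, any prior extensions, and this
    # extension's type, length and SPI (everything before the authenticator itself).
    expected = compute_authenticator(sa[0], sa[1], pkt[:30])
    if not hmac.compare_digest(expected, pkt[30:46]):
        return False, 131
    ident = struct.unpack("!Q", pkt[16:24])[0]
    request_unix = (ident >> 32) - NTP_EPOCH_OFFSET
    if abs(request_unix - now_unix) > REPLAY_WINDOW:
        return False, 133                         # registration Identification mismatch
    return True, 0                                # registration accepted
```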

AAA

You can store the security associations and configuration information remotely on a
RADIUS server. You can use the ip mobile secure host command and the ip mobile
secure foreign-agent command to configure the security association (MD-5 key) for a
specified user, or for a group of users (also known as a domain), on the home agent.
Authentication is accomplished either by generating an authentication, authorization,
and accounting (AAA) access-request or by querying the locally configured security
parameters, depending on whether you use the aaa keyword when you issue the
ip mobile host command to configure the mobile node. For AAA authentication, include
the aaa keyword; for local authentication, omit it. If AAA authentication is enabled, AAA
queries the security information from the RADIUS server.
When both the network access identifier (NAI) and the IP address of the mobile node are
present in the registration request, the authentication request from Mobile IP to AAA
carries the NAI as the user name and the IP address as the hint IP address. If only the
NAI is present in the registration request, the NAI is used as the user name and no hint
IP address is included in the authentication request. If only the IP address (home address)
is present in the registration request, it is used as both the user name and the hint
IP address in the authentication request. If both the NAI and the IP address are missing
from the registration request, the registration request is rejected.
If the optional aaa keyword is present in the ip mobile host command, then the
authentication parameters are obtained by querying AAA. The authentication algorithm
and security key are retrieved by AAA based on its configuration, depending on the SPI
provided in the registration request. If the aaa keyword is absent, then the home agent
uses authentication parameters configured locally on the router to authenticate the
Copyright © 2010, Juniper Networks, Inc.
305
