| Mobility Extensions (MEXT) | J. Korhonen, Ed. |
| Internet-Draft | Nokia Siemens Networks |
| Intended status: Experimental Protocol | B. Patil |
| Expires: August 16, 2012 | Nokia |
| H. Tschofenig | |
| Nokia Siemens Networks | |
| D. Kroeselberg | |
| Siemens | |
| February 15, 2012 |
Transport Layer Security-based Mobile IPv6 Security Framework for Mobile Node to Home Agent Communication
draft-ietf-mext-mip6-tls-03.txt
Mobile IPv6 signaling between a mobile node and its home agent is secured using IPsec. The security association between a mobile node and the home agent is established using IKEv1 or IKEv2. The security model specified for Mobile IPv6, which relies on IKE/IPsec, requires interaction between the Mobile IPv6 protocol component and the IKE/IPsec module of the IP stack. This document proposes an alternate security framework for Mobile IPv6 and Dual-Stack Mobile IPv6, which relies on Transport Layer Security for establishing keying material and other bootstrapping parameters required to protect Mobile IPv6 signaling and data traffic between the mobile node and home agent.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 16, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Mobile IPv6 [RFC6275] signaling, and optionally user traffic, between a mobile node (MN) and home agent (HA) are secured by IPsec [RFC4301]. The current Mobile IPv6 security architecture is specified in [RFC3776] and [RFC4877]. This security model requires a tight coupling between the Mobile IPv6 protocol part and the IKE(v2)/IPsec part of the IP stack. Client implementation experience has shown that the use of IKE(v2)/IPsec with Mobile IPv6 is fairly complex.
This document proposes an alternate security framework for Mobile IPv6 and Dual-Stack Mobile IPv6. The objective is to simplify implementations as well as make it easy to deploy the protocol without compromising on security. Transport Layer Security (TLS) [RFC5246] is widely implemented in almost all major operating systems and extensively used by various applications. Instead of using IKEv2 to establish security associations, the security framework proposed in this document is based on TLS protected messages to exchange keys and bootstrapping parameters between the Mobile Node and a new functional entity called as the Home Agent Controller (HAC). The Mobile IPv6 signaling between the mobile node and home agent is subsequently secured using the resulting keys and negotiated cipher suite. The HAC can be co-located with the HA, or can be an independent entity. For the latter case, communication between HAC and HA is not defined by this document. Such communication could be built on top of AAA protocols such as Diameter, for instance.
The primary advantage of using TLS based establishment of Mobile IP6 security associations compared to IKEv2 is the ease of implementation while providing an equivalent level of security. For the protection of signaling messages and user plane traffic a solution is provided that decouples Mobile IPv6 security from IPsec, thereby reducing client implementation complexity.
The security framework proposed in this document is not intended to replace the currently specified architecture which relies on IPsec and IKEv2. It provides an alternative solution which is more optimal for certain deployment scenarios. This and other alternative security models have been considered by the MEXT working group at the IETF, and it has been decided that the alternative solutions should be published as Experimental RFCs, so that more implementation and deployment experience with these models can be gathered. The working group may reconsider the status of the different models in the future, if it becomes clear that one is superior to the others.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Mobile IPv6 design and specification was begun in the mid to late 90s. The security architecture of Mobile IPv6 was based on the understanding that IPsec is an inherent and integral part of the IPv6 stack and any protocol that needs security should use IPsec unless there is a good reason not to. As a result of this mindset the Mobile IP6 protocol relied on the use of IPsec for security between the MN and HA. While reuse of security components that are part of the IP stack is a good objective, in the case of Mobile IPv6, implementation complexity increases. It should be noted that Mobile IPv4 [RFC5944] for example does not use IPsec for security and instead has specified its own security solution. Mobile IPv4 has been implemented and deployed on a reasonably large scale and the security model has proven itself to be sound.
Mobile IPv6 standardization was completed in 2005 along with the security architecture using IKE/IPsec specified in RFC 3776 [RFC3776]. With the evolution to IKEv2 [RFC5996], Mobile IP6 security has also been updated to rely on the use of IKEv2 [RFC4877]. Implementation exercises of Mobile IPv6 and Dual-stack Mobile IPv6 [RFC5555] have identified the complexity of using IPsec and IKEv2 in conjunction with Mobile IPv6. Implementing Mobile IPv6 with IPsec and IKEv2 requires modifications to both the IPsec and IKEv2 components, due to the communication models that Mobile IPv6 uses and the changing IP addresses. For further details, see Section 7.1 in [RFC3776].
This document proposes a security framework based on TLS protected establishment of Mobile IPv6 security associations with reduced implementation complexity, while maintaining an equivalent (to IKEv2/ IPsec) level of security.
The security architecture proposed in this document relies on a secure TLS session established between the MN and the HAC for authentication and MN-HA security association bootstrapping. Authentication of the HAC is done via standard TLS operation wherein the HAC uses a TLS server certificate as its credentials. MN authentication is done by the HAC via signaling messages that are secured by the TLS connection. Any EAP method can be used for authenticating the MN to the HAC. Upon successful completion of authentication, the HAC generates keys which are delivered to the MN through the secure TLS channel. The same keys are also provided to the assigned HA. The HAC also provides the MN with MIP6 bootstrapping information such as the IPv6 and IPv4 address of the HA, the Home network prefix, the IPv6 and/or IPv4 HoA and, DNS server address.
The MN and HA use security associations based on the keys and SPIs generated by the HAC and delivered to the MN and HA to secure signaling and optionally user plane traffic. Figure 1 below is an illustration of the process.
Signaling messages and user plane traffic between the MN and HA are always UDP encapsulated. The packet formats for the signaling and user plane traffic is described in Sections 6.3 and 6.4.
MN HAC HA -- --- -- | | | | /-------------------------\ | | |/ \| | |\ TLS session setup /| | | \-------------------------/ | | | | | | /-------------------------\ | | |/ MN Authentication \| | |\ /| | | \-------------------------/ | | | | | | /-------------------------\ | | |/ HAC provisions the MN \| | |\ keys, SPI and MIP6 parms /| | | \-------------------------/ | | | |--MNID, keys, SPI->| | | | | /--------------------------------------------\ | |/ MN-HA SA established; Secures \ | |\ signaling and optionally user traffic / | | \--------------------------------------------/ | | | |------------BU(encrypted)----------------------->| | | |<---------BAck(encrypted)------------------------|
The TLS-based security architecture is shown in Figure 2. The signaling message exchange between the MN and the HAC is protected by TLS. It should be noted that a HAC, a AAA server and a HA are logically separate entities and can be collocated in all possible combinations. There MUST be a strong trust relationship between the HA and the HAC, and the communication between them MUST be both integrity and confidentially protected.
+------+ +------+ +------+
|Mobile| TLS |Home | AAA | AAA |
| Node |<----------->|Agent |<---------->|Server|
| | |Contrl| | |
+------+ +------+ +------+
^ ^ ^
| | |
| BU/BA/../ | e.g. AAA | AAA
| (Data) | |
| v |
| +---------+ |
| | MIPv6 | |
+--------------->| Home |<-------------+
| Agent(s)|
+---------+
Once the MN has contacted the HAC and mutual authentication has taken place between the MN and the HAC, the HAC securely provisions the MN with all security related information inside the TLS protected tunnel. This security related information constitutes a security association (SA) between the MN and the HA. The created SA MUST NOT be tied to the Care-of Address (CoA) of the MN.
The HAC may proactively distribute the SA information to HAs, or the HA may query the SA information from the HAC once the MN contacts the HA. If the HA requests SA information from the HAC, then the HA MUST be able to query/index the SA information from the HAC based on the Security Parameter Index (SPI) identifying the correct security association between the MN and the HA.
The HA may want the MN to re-establish the SA even if the existing SA is still valid. The HA can indicate this to the MN using a dedicated Status Code in a BA (value set to REINIT_SA_WITH_HAC). As a result, the MN SHOULD contact the HAC prior to the SA timing out, and the HAC would provision the MN and HAs with a new SA to be used subsequently.
The SA established between MN and HAC SHALL contain at least the following information:
When the MN contacts the HAC to distribute the security related information, the HAC may also provision the MN with various Mobile IPv6 related bootstrapping information. Bootstrapping of the following information SHOULD at least be possible:
The Mobile IPv6 related bootstrapping information is delivered from the HAC to the MN over the same TLS protected tunnel as the security related information.
The same integrity and confidentiality algorithms MUST be used to protect both binding management messages and reverse tunneled user data traffic between the MN and the HA. Generally, all binding management messages (BUs, BAs and so on) MUST be integrity protected and SHOULD be confidentially protected. The reverse tunneled user data traffic SHOULD be equivalently protected. Generally, the requirements stated in [RFC6275] concerning the protection of the traffic between the MN and the HA also apply to the mechanisms defined by this specification.
The MN and the HAC communicate with each other using a simple lock-step request-response protocol that is run inside the protected TLS-tunnel. A generic message container framing for the request messages and for the response messages is defined. The message containers are only meant to be exchanged on top of connection oriented TLS-layer. Therefore, the end of message exchange is determined by the other end closing the transport connection (assuming the "application layer" has also indicated the completion of the message exchange). The peer initiating the TLS-connection is always sending "Requests" and the peer accepting the TLS-connection is always sending "Responses". The format of the message container is shown in Figure 3.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ver | Rsrvd | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Content portion.. ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
All data inside the Content portion of the message container MUST be encoded using octets. Fragmentation of message containers is not supported, which means one request or response at the "application layer" MUST NOT exceed the maximum size allowed by the message container format.
The three bit Ver field identifies the protocol version. The current version is 0 i.e. all bits are set to value 0 (zero).
The Rsrvd field MUST be set to value 0 (zero),
The Identifier field is meant for matching requests and responses. The valid Identifier values are between 1-255. The value 0 MUST NOT be used. The first request for each communication session between the MN and the HAC MUST have the Identifier values set to 1.
The Length field tells the length of the Content portion of the container (i.e. Reserved octet, Identifier octet and Length field are excluded). The Content portion length MUST always be at least one octet up to 65535 octets. The value is in network order.
The encoding of the message content is similar to HTTP header encoding, and complies to the augmented Backus-Naur Form (BNF) defined in Section 2.1 of [RFC2616]. All presented hexadecimal numbers are in network byte order. From now on, we use TypeValue header (TV-header) term to refer request-response message content HTTP-like headers.
The message exchange between the MN and the HAC is a simple lock-step request-response type as stated in Section 5.1. A request message includes monotonically increasing Identifier value that is copied to the corresponding response message. Each request MUST have a different Identifier value. Hence, a reliable connection oriented transport below the message container framing is assumed. The number of request-response message exchanges MUST NOT exceed 255.
Each new communication session between the MN and the HAC MUST reset the Identifier value to 1. The MN is also the peer that always sends only request messages and the HAC only sends response messages. Once the request-response message exchange completes, the HAC and the MN MUST close the transport connection and the corresponding TLS-tunnel.
In a case of a HAC side error, the HAC MUST send a response back to a MN with an appropriate status code and then close the transport connection.
The first request message - MHAuth-Init - (i.e. the Identifier is 1) MUST always contain at least the following parameters:
The first response message - MHAuth-Init - (i.e. the Identifier is 1) MUST contain at minimum the following parameters:
The last request message from the MN side - MHAuth-Done - MUST contain the following parameters:
The last response message - MHAuth-Done - that ends the request-response message exchange MUST contain the following parameters:
And in a case of successful authentication the following additional parameters:
All bootstrapping information, whether for setting up the SA or for bootstrapping Mobile IPv6 specific information, is exchanged between the MN and the HAC using the framing protocol defined in Section 5.1. The IP address of the HAC MAY be statically configured to the MN or may be dynamically discovered using DNS. In a case of DNS-based HAC discovery, the MN either queries an A/AAAA or a SRV record for the HAC IP address. The actual domain name used in queries is up to the deployment to decide and out of scope of this specification.
The grammar used in the following sections is the augmented Backus-Naur Form (BNF) same to that used by HTTP [RFC2616].
An identifier that identifies a MN. The Mobile Node Identifier is in form of a Network Access Identifier (NAI) [RFC4282].
The HAC is the peer that mandates the authentication method. The MN sends its authentication method proposal to the HAC. The HAC, upon receipt of the MN proposal returns the selected authentication method. The MN MUST propose at least one authentication method. The HAC MUST select exactly one authentication method, or return an error and then close the connection.
Each Extensible Authentication Protocol (EAP) [RFC3748] message is an encoded string of hexadecimal numbers. The "eap-payload" is completely transparent what EAP-method or EAP message is carried inside it. The "eap-payload" can appear in both request and response messages:
The "status-code" MUST only be present in the response message that ends the request-response message exchange. The "status-code" follows the principles of HTTP and the definitions found in Section 10 of RFC 2616 also apply for these status codes listed below:
The "auth" header contains data used for authentication purposes. It MUST be the last TV-header in the message and calculated over the whole message till the start of the "msg-header":
Random numbers generated by the MN and the HAC, respectively. The length of the random number MUST be 32 octets (before TV-header encoding):
During the Mobile IPv6 bootstrapping, the MN and the HAC negotiate a single ciphersuite for protecting the traffic between the MN and the HA. The allowed ciphersuites for this specification are a subset of those in TLS v1.2 (see Annex A.5 of [RFC5246]) as per Section 5.6.5. This might appear as a constraint as the HA and the HAC may have implemented different ciphersuites. These two nodes are, however, assumed to belong to the same administrative domain. In order to avoid exchanging supported MN-HA ciphersuites in the MN-HAC protocol and to reuse the TLS ciphersuite negotiation procedure we make this simplifying assumption. The selected ciphersuite MUST provide integrity and confidentiality protection.
Section 5.6.5 provides the mapping from the TLS ciphersuites to the integrity and encryption algorithms allowed for MN-HA protection. This mapping mainly ignores the authentication algorithm part that is not required within the context of this specification. For example, [RFC5246] defines a number of AES based ciphersuites for TLS including 'TLS_RSA_WITH_AES_128_CBC_SHA'. For this specification the relevant part is 'AES_128_CBC_SHA'.
All the parameters described in the following sections apply only to a request-response protocol response message to the MN. The MN has no way affecting to the provisioning decision of the HAC.
The 28-bit unsigned SPI number identifies the SA used between the MN and the HA. The value 0 (zero) is reserved and MUST NOT be used. Therefore, values ranging from 1 to 268435455 are valid.
The TV-header corresponding to the SPI number is:
The MN-HA shared integrity (ikey) and encryption (ekey) keys are used to protect the traffic between the MN and the HA. The length of these keys depend on the selected ciphersuite.
The TV-headers that carry these two parameters are:
The end of the SA validity time is encoded using the "rfc1123-date" format, as defined in Section 3.3.1 of [RFC2616].
The TV-header corresponding to the SA validity time value is:
The SA is applied either to Mobile IPv6 signaling messages only, or to both Mobile IPv6 signaling messages and data traffic. This policy MUST be agreed between the MN and HA prior to using the SA. Otherwise the receiving side would not be aware of whether the SA applies to data traffic and could not decide how to act when receiving unprotected packets of PType 1 (see Section 6.4).
where a value of “0” indicates that the SA does not protect data traffic and a value of “1” indicates that all data traffic MUST be protected by the SA. If the mip6-sas value of an SA is set to 1, any packet received with a PType value that does not match the mip6-sas value of the SA MUST be silently discarded.
The HAC is the peer that mandates the used security association scope. The MN sends its proposal to the HAC but eventually the security association scope returned from the HAC defines the used scope.
The ciphersuite negotiation between HAC and MN uses a subset of the TLS 1.2 ciphersuites and follows the TLS 1.2 numeric representation defined in Annex A.5 of [RFC5246]. The TV-headers corresponding to the selected ciphersuite and ciphersuite list are:
All other Ciphersuite values are reserved.
HMAC-SHA1-96 [RFC2404] AES-XCBC-MAC-96 [RFC3566]
The following integrity algorithms MUST be supported by all implementations:
The binding management messages between the MN and HA MUST be integrity protected. Implementations MUST NOT use a NULL integrity algorithm.
NULL [RFC2410] TripleDES-CBC [RFC2451] AES-CBC with 128-bit keys [RFC3602]
The following encryption algorithms MUST be supported:
Traffic between MN and HA MAY be encrypted. Any integrity-only CipherSuite makes use of the NULL encryption algorithm.
+-------------------+-----------------+--------------------------+ |Ciphersuite |Integ. Algorithm |Encr. Algorithm | +-------------------+-----------------+--------------------------+ |NULL_SHA |HMAC-SHA1-96 |NULL | |NULL_SHA256 |AES-XCBC-MAC-96 |NULL | |3DES_EDE_CBC_SHA |HMAC-SHA1-96 |TripleDES-CBC | |AES_128_CBC_SHA |HMAC-SHA1-96 |AES-CBC with 128-bit keys | |AES_128_CBC_SHA256 |AES-XCBC-MAC-96 |AES-CBC with 128-bit keys | +-------------------+----------------+---------------------------+
Note: In the present version, this document does not consider combined algorithms. The following table provides the mapping of each ciphersuite to a combination of integrity and encryption algorithms that are part of the negotiated SA between MN and HA.
In parallel with the SA bootstrapping, the HAC SHOULD provision the MN with relevant Mobile IPv6 related bootstrapping information.
ip6-addr = 7( word ":" ) word CRLF word = 1*4HEX ip6-prefix = ip6-addr "/" 1*2DIGIT ip4-addr = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT ip4-subnet = ip4-addr "/" 1*2DIGIT
The following generic BNFs are used to form IP addresses and prefixes. They are used in subsequent sections.
The HAC MAY provision the MN with an IPv4 or an IPv6 address of a HA, or both.
The HAC SHOULD provision the MN with an UDP port number, where the HA expects to receive UDP packets. If this parameter is not present, then the IANA reserved port number (HALTSEC) MUST be used instead.
The HAC MAY provision the MN with an IPv4 or an IPv6 home address, or both. The HAC MAY also provision the MN with its home network prefix.
The HAC may also provide the MN with DNS server configuration options. These DNS servers are reachable via the home agent.
This section describes the basic operation required for the MN-HAC mutual authentication and the channel binding. The authentication protocol described as part of this section is a simple exchange that follows the GPSK exchange used by EAP-GPSK [RFC5433]. It is secured by the TLS tunnel and is cryptographically bound to the TLS tunnel through channel binding based on [RFC5056] and on the channel binding type 'tls-server-endpoint' described in [RFC5929]. As a result of the channel binding type, this method can only be used with TLS ciphersuites that use server certificates and the Certificate handshake message. For example, TLS ciphersuites based on PSK or anonymous authentication cannot be used.
The authentication exchange MUST be performed through the encrypted TLS tunnel. It performs mutual authentication between the MN and the HAC based on a pre-shared key (PSK) or based on an EAP-method (see Section 5.9). The PSK protocol is described in this section. It consists of the message exchanges (MHAuth-Init, MHAuth-Mid, MHAuth-Done) in which both sides exchange nonces and their identities, and compute and exchange a message authenticator 'auth' over the previously exchanged values, keyed with the pre-shared key. The MHAuth-Done messages are used to deal with error situations. Key binding with the TLS tunnel is ensured by channel binding of the type "tls-server-endpoint" as described by [RFC5929] where the hash of the TLS server certificate serves as input to the 'auth' calculation of the MHAuth messages.
Note: The authentication exchange is based on the GPSK exchange used by EAP-GPSK. In comparison to GPSK, it does not support exchanging an encrypted container (it always runs through an already protected TLS tunnel). Furthermore, the initial request of the authentication exchange (MHAuth-Init) is sent by the MN (client side) and is comparable to EAP-Response/Identity, which reverses the roles of request and response messages compared to EAP-GPSK. Figure 8 shows a successful protocol exchange.
MN HAC | | | Request/MHAuth-Init (...) | |------------------------------------------------------>| | | | Response/MHAuth-Init (...) | |<------------------------------------------------------| | | | Request/MHAuth-Done (...) | |------------------------------------------------------>| | | | Response/MHAuth-Done (...) | |<------------------------------------------------------| | |
Where:
The length "mn-rand", "hac-rand" is 32 octets. Note that "|" indicates concatenation and optional parameters are shown in square brackets [..]. The square brackets can be nested.
The shared secret PSK can be variable length. 'msg-octets' includes all payload parameters of the respective message to be signed except the 'auth' payload. CB-octets is the channel binding input to the auth calculation that is the "TLS-server-endpoint" channel binding type. The content and algorithm (only required for the "TLS-server-endpoint" type) are the same as described in [RFC5929].
The MN starts by selecting a random number 'mn-rand' and choosing a list of supported authentication methods coded in 'auth-method'. The MN sends its identity 'mn-id', 'mn-rand' and 'auth-method' to the HAC in MHAuth-Init. The decision of which authentication method to offer and which to pick is policy- and implementation-dependent and, therefore, outside the scope of this document.
In MHAuth-Done, the HAC sends a random number 'hac-rand' and the selected ciphersuite. The selection MUST be one of the MN-supported ciphersuites as received in 'ciphersuite-list'. Furthermore, it repeats the received parameters of the MHAuth-Init message 'mn-rand'. It computes a message authenticator 'auth' over all the transmitted parameters except 'auth' itself. The HAC calculates 'auth' over all parameters and appends it to the message.
The MN verifies the received MAC and the consistency of the identities, nonces, and ciphersuite parameters transmitted in MHAuth-Auth. In case of successful verification, the MN computes a MAC over the session parameter and returns it to the HAC in MHAuth-Done. The HAC verifies the received MAC and the consistency of the identities, nonces, and ciphersuite parameters transmitted in MHAuth-Init. If the verification is successful, MHAuth-Done is prepared and sent by the HAC to confirm successful completion of the exchange.
Basic operation required for the MN-HAC mutual authentication using EAP-based methods.
MN HAC | | | Request/MHAuth-Init (...) | |------------------------------------------------------>| | | | Response/MHAuth-Init (..., | | eap-payload=EAP-Request/Identity) | |<------------------------------------------------------| | | | Request/MHAuth-Mid (eap-payload= | | EAP-Response/Identity) | |------------------------------------------------------>| | | | Response/MHAuth-Mid (eap-payload=EAP-Request/...) | |<------------------------------------------------------| | | : : : ..EAP-method specific exchanges.. : : : | | | Request/MHAuth-Done (eap-payload=EAP-Response/..., | | ..., auth) | |------------------------------------------------------>| | | | Response/MHAuth-Done (eap-payload=EAP-Success, | | ..., auth) | |<------------------------------------------------------| | |
Where:
In MHAuth-Init and MHAuth-Mid messages, shared-key is set to "1". If the EAP-method is key-deriving and creates a shared MSK key as a side effect of Authentication shared-key MUST be the MSK in all MHAuth-Done messages. This MSK MUST NOT be used for any other purpose. In case the EAP method does not generate an MSK key, shared-key is set to "1".
'msg-octets' includes all payload parameters of the respective message to be signed except the 'auth' payload. CB-octets is the channel binding input to the AUTH calculation that is the "TLS-server-endpoint" channel binding type. The content and algorithm (only required for the "TLS-server-endpoint" type) are the same as described in [RFC5929].
The following sections describe the packet formats used for the traffic between the MN and the HA. This traffic includes binding management messages (for example, BU and BA messages), reverse tunneled and encrypted user data, and reverse tunneled plain text user data. This specification defines a generic packet format, where everything is encapsulated inside UDP. See Section 6.3 and Section 6.4 for detailed illustrations of the corresponding packet formats.
The Mobile IPv6 service port number is where the HA expects to receive UDP packets. The same port number is used for both binding management messages and user data packets. The reason for multiplexing data and control messages over the same port number is due to the possibility of Network Address and Port Translators located along the path between the MN and the HA. The Mobile IPv6 service MAY use any ephemeral port number as the UDP source port, and MUST use the Mobile IPv6 service port number as the UDP destination port. The Mobile IPv6 service port is either dynamically assigned to the MN during the bootstrapping phase (i.e. the mip6-port parameter) or in absence of the bootstrapping parameter the IANA reserved port (HALTSEC) MUST be used.
The encapsulating UDP header is immediately followed by a 4-bit Packet Type (PType) field that defines whether the packet contains an encrypted mobility management message or a, an encrypted user data packet, or a plain text user data packet.
The Packet Type field is followed by a 28-bit SPI value, which identifies the correct SA concerning the encrypted packet. For any packet that is neither integrity protected nor encrypted (i.e. no SA is applied by the originator) the SPI MUST be set to 0 (zero). Mobility management messages MUST always be at least integrity protected. Hence, mobility management messages MUST NOT be sent with a SPI value of 0 (zero).
There is always only one SPI per MN-HA mobility session and the same SPI is used for all types of protected packets independent of the direction.
The SPI value is followed by a 32-bit Sequence Number value that is used to identify retransmissions of protected messages (integrity protected or both integrity protected and encrypted, see Figures and ) . Each endpoint in the security association maintains two "current" Sequence Numbers: the next one to be used for a packet it initiates and the next one it expects to see in a packet from the other end. If the MN and the HA ends initiate very different numbers of messages, the Sequence Numbers in the two directions can be very different. In a case data protection is not used (see Figure 13), the Sequence Number MUST be set to 0 (zero). Note that the HA SHOULD initiate a re-establishement of the SA before any of the Sequence Number cycle.
Finally, the Sequence Number field is followed by the data portion, whose content is identified by the Packet Type. The data portion may be protected.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | PType | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The PType is a 4-bit field that indicates the Packet Type (PType) of the UDP encapsulated packet. The PType is followed by a a 28-bit SPI value. The PType and the SPI fields are treated as one 32-bit field during the integrity protection calculation.
The binding management messages that are only meant to be exchanged between the MN and the HA MUST be integrity protected and MAY be encrypted. They MUST use the packet format shown in Figure 11.
All packets that are specific to the Mobile IPv6 protocol, contain a Mobility Header (as defined in Section 6.1.1. of RFC 6275), and are used between the MN and the HA use the packet format shown in Figure 11. (This means that some Mobile IPv6 mobility management messages, such as the HoTI message, are treated as data packets and using encapsulation described in Section 6.4 and shown in Figures and ).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : IPv4 or IPv6 header (src-addr=Xa, dst-addr=Ya) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : UDP header (src-port=Xp,dst-port=Yp) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ |PType=8| SPI | ^Int. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | Sequence Number | |ered +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- | Payload Data* (variable) | | ^ : : | | | | |Conf. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | | Padding (0-255 bytes) | |ered* +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | Pad Length | Next Header | v v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ | Integrity Check Value-ICV (variable) | : : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The PType value 8 (eight) identifies that the UDP encapsulated packet contains a RFC 6275 defined Mobility Header and other relevant IPv6 extension headers. Note, there is no additional IP header inside the encapsulated part. The Next Header field MUST be set to value of the first encapsulated header. The encapsulated headers follow the natural IPv6 and Mobile IPv6 extension header alignment and formatting rules.
The Padding, Pad Length, Next Header and ICV fields follow the rules of Section 2.4 to 2.8 of [RFC4303] unless otherwise stated in this document. For a SPI value of 0 (zero) that indicates an unprotected packet, the Padding, Pad Length, Next Header and ICV fields MUST NOT be present.
The source and destination IP addresses of the outer IP header (i.e. the src-addr and the dst-addr in Figure 11) use the current care-of address of the MN and the HA address.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : IPv4 or IPv6 header (src-addr=Xa, dst-addr=Ya) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : UDP header (src-port=Xp,dst-port=Yp) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |PType=1| SPI | ^Int. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | Sequence Number | |ered +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- | Payload Data* (variable) | | ^ : : | | | | |Conf. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | | Padding (0-255 bytes) | |ered* +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | Pad Length | Next Header | v v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ | Integrity Check Value-ICV (variable) | : : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
There are two types of reverse tunneled user data packets between the MN and the HA. Those that are integrity protected and encrypted and those that are plaintext. The MN or the HA decide whether to apply integrity protection and encryption to a packet or to send it in plaintext based on the mip6-sas value in the SA. If the mip6-sas is set to 1 the originator MUST NOT send any plaintext packet, and the receiver MUST silently discard any packet with the PType set to 0 (unprotected). It is RECOMMENDED to apply confidentiality and integrity protection of user data traffic. The reverse tunneled IPv4 or IPv6 user data packets are encapsulated as-is inside the 'Payload Data' shown in Figures and .
The PType value 1 (one) identifies that the UDP encapsulated packet contains an encrypted tunneled IPv4/IPv6 user data packet. The Next Header field header MUST be set to value corresponding the tunneled IP packet (e.g., 41 for IPv6).
The Padding, Pad Length, Next Header and ICV fields follow the rules of Section 2.4 to 2.8 of [RFC4303] unless otherwise stated in this document. For a SPI value of 0 (zero) that indicates an unprotected packet, the Padding, Pad Length, Next Header and ICV fields MUST NOT be present.
The source and destination IP addresses of the outer IP header (i.e., the src-addr and the dst-addr in Figure 12) use the current care-of address of the MN and the HA address. The ESP protected inner IP header, which is not shown in Figure 12, uses the home address of the MN and the correspondent node (CN) address.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : IPv4 or IPv6 header (src-addr=Xa, dst-addr=Ya) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : UDP header (src-port=Xp,dst-port=Yp) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |PType=0| 0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | : Payload Data (plain IPv4 or IPv6 Packet) : | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The PType value 0 (zero) identifies that the UDP encapsulated packet contains a plaintext tunneled IPv4/IPv6 user data packet. Also the SPI and the Sequence Number fields MUST be set to 0 (zero).
The source and destination IP addresses of the outer IP header (i.e., the src-addr and the dst-addr in Figure 13) use the current care-of address of the MN and the HA address. The plain text inner IP header uses the home address of the MN and the CN address.
Mobile IPv6 route optimization as described in [RFC6275] is not affected by this specification. Route optimization is possible only between an IPv6 MN and CN. UDP encapsulation of signaling and data traffic is only between the MN and HA. The return routability signaling messages such as HoTI/HoT and CoTI/CoT [RFC6275] are treated as data packets and encapsulation, when needed, is as per the description in Section 6.4 of this specification. The data packets between an MN and CN which have successfully completed the return routability test and created the appropriate entries in their binding cache are not UDP encapsulated using the packet formats defined in this specification but follow the [RFC6275] specification.
Packet Type | Value
----------------------------------+----------------------------------
non-encrypted IP packet | 0
encrypted IP packet | 1
mobility header | 8
IANA is requested to create a new registry under the [RFC6275] Mobile IPv6 parameters registry for the Packet Type as described in Section 6.1.
Following the allocation policies from [RFC5226] new values for the Packet Type AVP MUST be assigned based on the "RFC Required" policy.
REINIT_SA_WITH_HAC TBD1
A new Status Code (to be used in BA messages) is reserved for the cases where the HA wants to indicate to the MN that it needs to re-establish the SA information with the HAC. The Result Code is reserved from the 0-127 code space in [RFC6275] Status Codes registry:
HALTSEC TBD2
A new port number (HALTSEC) for UDP packets is reserved from the existing PORT NUMBERS registry.
This document describes and uses a number of building blocks that introduce security mechanisms and need to inter-work in a secure manner.
The following building blocks are considered from a security point of view:
No dynamic procedure for discovering the HAC by the MN is described in this document. As such, no specific security considerations apply to the scope of this document.
This document describes a simple authentication and MN-HA SA negotiation exchange over TLS. The TLS procedures remain unchanged; however, channel binding is provided.
The AAA backend infrastructure interworking is not defined in this document and therefore out-of-scope.
The authors would like to thank Pasi Eronen, Domagoj Premec, Julien Laganier, Jari Arkko and Christian Bauer for their comments.