This appendix describes extensions that have been added to the original Mobile IP protocol to address some of its shortcomings in meeting commercial service requirements such as AAA support and dynamic home address assignment, and to facilitate its use in cellular systems such as CDMA2000.
The Mobile IP Challenge/Response extensions described in [RFC3012] are extensions to the Mobile IP agent advertisements and registration requests defined in Chapter 2. They are designed to address some of Mobile IP's security problems, such as the FA's vulnerability to replay-based attacks.
The Challenge extension format is shown in Figure A.1. It is added to the agent advertisement message sent by an FA so that MNs that receive it can create a valid registration request message (that is, one carrying the latest valid challenge value). This process allows the MN to be positively authenticated.
The MN-FA Challenge extension, shown in Figure A.2, is an extension to the MN registration request message that is issued in response to a challenge in an agent advertisement. The MN-FA Challenge includes the latest challenge value (identical to the one in the Challenge extension), indicating that this MN is not responding to a previously issued FA advertisement. Note that the MN-FA Challenge extension is mandatory in the CDMA2000 environment as per [IS835] and must be included in every agent advertisement.
[RFC3012] also defines the Generalized Authentication extension format, designed to accommodate control messages for future Mobile IP extensions that may be used to exchange authentication information between the MN and other network elements such as AAA servers. Generalized Authentication extensions, depicted in Figure A.3, specify a new application type with subtypes into which new authentication applications can be classified. In this figure, the security parameter index (SPI) indexes the security association (SA) table.
For example, subtype 1 of the Generalized Authentication extension, also defined in [RFC3012], has been assigned to the MN-AAA authentication extension and may be used in place of (or together with) the Mobile-Foreign Authentication extension defined in the original [RFC2002] when the Challenge extension is included in the FA advertisement message. Like the MN-FA extension, the MN-AAA extension is also mandatory for CDMA2000 systems compliant with [IS835].
Whenever the Challenge extension is used and no security association with the FA is pre-established, the MN must include the latest challenge value in the MN-FA Challenge extension of its registration request. In this case the MN-AAA extension and, optionally, the NAI extension (discussed in the next section) must also be included in the RRQ. The challenge value is optional, however, when an MN-FA security association exists.
The computation of the authenticator field of the MN-AAA extension is defined by the SPI value. Refer to [RFC3012] for further details.
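The replay-protection logic that the challenge mechanism above gives the FA can be seen in a small simulation. The following Python model is an added example, not code from the book or from [RFC3012]: an FA issues a fresh challenge with each advertisement and keeps a short window of recent ones, the MN builds a registration request carrying the challenge plus a keyed authenticator, and the FA (standing in here for the AAA server that holds the MN's key) rejects requests whose challenge is stale, already consumed, or whose authenticator does not verify. The authenticator is a plain HMAC-SHA256 over the RRQ body and challenge, which is a simplification chosen for this model and not the SPI-selected computation RFC 3012 specifies; the key, addresses and window size are constructed values.

```python
import hmac
import hashlib
import os
import struct
from collections import deque

# Constructed MN-AAA shared secret for the model (hypothetical value, not from the book).
MN_AAA_KEY = b"mn-aaa-shared-secret-example"


def authenticator(key: bytes, payload: bytes, challenge: bytes) -> bytes:
    """Simplified MN-AAA authenticator: keyed hash over the RRQ body and the challenge.
    This is a stand-in for the SPI-selected algorithm of RFC 3012, not that algorithm."""
    return hmac.new(key, payload + challenge, hashlib.sha256).digest()


def build_rrq(key: bytes, home_addr: str, challenge: bytes) -> dict:
    """MN side: build a registration request that echoes the advertised challenge
    (MN-FA Challenge extension) and carries an MN-AAA authenticator over it."""
    # Constructed RRQ body: home address plus a 64-bit identification field.
    payload = home_addr.encode() + struct.pack("!Q", 0x1234)
    return {
        "payload": payload,
        "challenge": challenge,
        "authenticator": authenticator(key, payload, challenge),
    }


class ForeignAgent:
    """FA that advertises challenges and validates the RRQs that answer them."""

    def __init__(self, aaa_key: bytes, window: int = 2):
        self.aaa_key = aaa_key              # in this model the FA also holds the MN key (AAA role)
        self.recent = deque(maxlen=window)  # challenges still considered current
        self.used = set()                   # challenges already consumed by an accepted RRQ

    def advertise(self) -> bytes:
        """Emit a fresh 16-byte challenge, as the Challenge extension of an agent advertisement."""
        challenge = os.urandom(16)
        self.recent.append(challenge)
        return challenge

    def process_rrq(self, rrq: dict) -> str:
        """Check challenge freshness first, then the authenticator; return a verdict string."""
        challenge = rrq["challenge"]
        if challenge not in self.recent:
            return "reject: unknown or stale challenge"
        if challenge in self.used:
            return "reject: replayed challenge"
        expected = authenticator(self.aaa_key, rrq["payload"], challenge)
        if not hmac.compare_digest(expected, rrq["authenticator"]):
            return "reject: bad MN-AAA authenticator"
        self.used.add(challenge)
        return "accept"


def run_scenario() -> tuple:
    """Walk through a legitimate registration, a replay, a stale challenge and a bad key."""
    fa = ForeignAgent(MN_AAA_KEY)
    c1 = fa.advertise()
    rrq1 = build_rrq(MN_AAA_KEY, "10.0.0.5", c1)
    r_first = fa.process_rrq(rrq1)            # fresh challenge, valid key: accepted
    r_replay = fa.process_rrq(rrq1)           # same RRQ again: challenge already consumed
    fa.advertise()
    fa.advertise()                            # two newer advertisements age c1 out of the window
    r_stale = fa.process_rrq(build_rrq(MN_AAA_KEY, "10.0.0.5", c1))
    c4 = fa.advertise()
    r_forged = fa.process_rrq(build_rrq(b"wrong-key", "10.0.0.5", c4))
    return r_first, r_replay, r_stale, r_forged


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The order of the checks matters: the FA discards stale or replayed challenges before doing any keyed computation, so a flood of old registration requests costs it nothing beyond two set lookups, which is the point of placing the challenge in the advertisement rather than relying on the MN's identification field alone.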