
Thread: 3344 Sending a Reg Reply when the Authenticator fails




3344 Sending a Reg Reply when the Authenticator fails
user name
2006-06-21 15:13:24
Hi,

While working a scenario in WiMAX I have run into some ambiguity in
RFC3344.

The HA receives a Reg Request with MN-HA-AE and NAI extension which it
fails to authenticate.  In particular, the HA can't authenticate because
it can't obtain the MN-HA from the AAA using the NAI.

From section 3.8.2.1, RFC3344 states that a Registration Reply should be
sent with code 131.

"if the Authenticator is invalid, the home agent MUST reject
the mobile node's registration and SHOULD send a Registration
Reply to the mobile node with Code 131"

And from section 3.6.2.1 describing the MN behavior we have:

   "If the Code field indicates an authentication failure, either at the
   foreign agent or the home agent, then it is quite possible that any
   authenticators in the Registration Reply will also be in error.  This
   could happen, for example, if the shared secret between the mobile
   node and home agent was erroneously configured.  The mobile node
   SHOULD log such errors as security exceptions."

RFC3344 also states that Registration Reply MUST include a MN-HA
authentication extension:

Section 3.8.3.3 says "Note that items (a) and (c) MUST appear in every
Registration Reply sent by the home agent."

where (c) is The Mobile-Home Authentication Extension.

The problem is that when MN-HA-AE fails at the HA there isn't an
available MN-HA authentication extension to use.  So how can one send a
registration reply?

Furthermore, if the HA cannot obtain an MN-HA for the mobile, what
should happen?


Any help will be appreciated.


 
 
 

========================

Avi Lior                                    
Bridgewater Systems Corporation 
Phone :  +1 (613) 591-9104 x6417
Cell    :  +1 (613) 796-4183
E-mail : mailto:avibridgewatersystems.com <mailto:avibridgewatersystems.com>
www.bridgewatersystems.com <http://www.bridgewatersystems.com/>


-- 
Mip4 mailing list: Mip4ietf.org
    Web interface: https://www1.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
3344 Sending a Reg Reply when the Authenticator fails
user name
2006-06-21 18:05:13
if authentication fails, it is probably best to just silently
discard the registration request.

Vijay

Avi Lior wrote:
> Hi,
>
> While working a scenario in WiMAX I have run into some ambiguity in
> RFC3344.
>
> The HA receives a Reg Request with MN-HA-AE and NAI extension which it
> fails to authenticate.  In particular, the HA can't authenticate because
> it can't obtain the MN-HA from the AAA using the NAI.
>
> From section 3.8.2.1, RFC3344 states that a Registration Reply should be
> sent with code 131.
>
> "if the Authenticator is invalid, the home agent MUST reject
> the mobile node's registration and SHOULD send a Registration
> Reply to the mobile node with Code 131"
>
> And from section 3.6.2.1 describing the MN behavior we have:
>
>    "If the Code field indicates an authentication failure, either at the
>    foreign agent or the home agent, then it is quite possible that any
>    authenticators in the Registration Reply will also be in error.  This
>    could happen, for example, if the shared secret between the mobile
>    node and home agent was erroneously configured.  The mobile node
>    SHOULD log such errors as security exceptions."
>
> RFC3344 also states that Registration Reply MUST include a MN-HA
> authentication extension:
>
> Section 3.8.3.3 says "Note that items (a) and (c) MUST appear in every
> Registration Reply sent by the home agent."
>
> where (c) is The Mobile-Home Authentication Extension.
>
> The problem is that when MN-HA-AE fails at the HA there isn't an
> available MN-HA authentication extension to use.  So how can one send a
> registration reply?
>
> Furthermore, if the HA cannot obtain an MN-HA for the mobile, what
> should happen?
>
> Any help will be appreciated.
>
> ========================
>
> Avi Lior
> Bridgewater Systems Corporation
> Phone :  +1 (613) 591-9104 x6417
> Cell    :  +1 (613) 796-4183
> E-mail : mailto:avibridgewatersystems.com <mailto:avibridgewatersystems.com>
> www.bridgewatersystems.com <http://www.bridgewatersystems.com/>


3344 Sending a Reg Reply when the Authenticator fails
user name
2006-06-21 19:55:42
I agree.
FYI, in WiMAX forum NWG discussions, people were divided into two groups: some wanting HA to send RRP and some to ignore and they decided to ask it from Mip4 WG. I think the answer should be, yes 3344 is weakly allowing a RRP reply but not replying seems to have gained consensus currently.

Regards,

--behcet

----- Original Message ----
From: Vijay Devarapalli <vijay.devarapalliazairenet.com>
To: Avi Lior <avibridgewatersystems.com>
Cc: Mobile IPv4 Mailing List <mip4ietf.org>
Sent: Wednesday, June 21, 2006 1:05:13 PM
Subject: Re: [Mip4] 3344 Sending a Reg Reply when the Authenticator fails

if authentication fails, it is probably best to just silently
discard the registration request.

Vijay

Avi Lior wrote:
> Hi,
>
> While working a scenario in WiMAX I have run into some ambiguity in
> RFC3344.
>
> The HA receives a Reg Request with MN-HA-AE and NAI extension which it
> fails to authenticate.  In particular, the HA can't authenticate because
> it can't obtain the MN-HA from the AAA using the NAI.
>
> From section 3.8.2.1, RFC3344 states that a Registration Reply should be
> sent with code 131.
>
> "if the Authenticator is invalid, the home agent MUST reject
> the mobile node's registration and SHOULD send a Registration
> Reply to the mobile node with Code 131"
>
> And from section 3.6.2.1 describing the MN behavior we have:
>
>    "If the Code field indicates an authentication failure, either at the
>    foreign agent or the home agent, then it is quite possible that any
>    authenticators in the Registration Reply will also be in error.  This
>    could happen, for example, if the shared secret between the mobile
>    node and home agent was erroneously configured.  The mobile node
>    SHOULD log such errors as security exceptions."
>
> RFC3344 also states that Registration Reply MUST include a MN-HA
> authentication extension:
>
> Section 3.8.3.3 says "Note that items (a) and (c) MUST appear in every
> Registration Reply sent by the home agent."
>
> where (c) is The Mobile-Home Authentication Extension.
>
> The problem is that when MN-HA-AE fails at the HA there isn't an
> available MN-HA authentication extension to use.  So how can one send a
> registration reply?
>
> Furthermore, if the HA cannot obtain an MN-HA for the mobile, what
> should happen?
>
> Any help will be appreciated.
>
> ========================
>
> Avi Lior
> Bridgewater Systems Corporation
> Phone :  +1 (613) 591-9104 x6417
> Cell    :  +1 (613) 796-4183
> E-mail : mailto:avibridgewatersystems.com <mailto:avibridgewatersystems.com>
> www.bridgewatersystems.com <http://www.bridgewatersystems.com/>

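
The two cases this thread distinguishes, as an added example that is not part of the original messages or of any implementation they discuss: a home agent that holds a key but sees an invalid authenticator can still sign a Code 131 reply, while one with no key at all has nothing to compute the reply's MN-HA extension with and drops the request, as the replies suggest. The function names, the `key` argument standing in for the AAA lookup by NAI, and the sample request are assumptions; HMAC-MD5 is RFC 3344's default algorithm.

```python
import hashlib
import hmac
import struct

MN_HA_AE = 32     # Mobile-Home Authentication Extension type (RFC 3344)
AUTH_LEN = 16     # HMAC-MD5 output, the RFC 3344 default algorithm

def authenticator(key, protected):
    return hmac.new(key, protected, hashlib.md5).digest()

def append_mn_ha_ae(msg, spi, key):
    # The authenticator covers the message, all prior extensions, and
    # this extension's Type, Length and SPI.
    hdr = struct.pack("!BBI", MN_HA_AE, 4 + AUTH_LEN, spi)
    return msg + hdr + authenticator(key, msg + hdr)

def split_mn_ha_ae(packet):
    # Simplification: the MN-HA AE is assumed to be the last extension.
    if len(packet) < 6 + AUTH_LEN:
        raise ValueError("packet too short for an MN-HA extension")
    protected, auth = packet[:-AUTH_LEN], packet[-AUTH_LEN:]
    ext_type, length, spi = struct.unpack("!BBI", protected[-6:])
    if ext_type != MN_HA_AE or length != 4 + AUTH_LEN:
        raise ValueError("no trailing MN-HA authentication extension")
    return protected, spi, auth

def build_reply(code, request, spi, key):
    # Request: Type, Flags, Lifetime, Home Addr, Home Agent, CoA, Ident.
    _, _, life, home, agent, _, ident = struct.unpack("!BBH4s4s4s8s", request[:24])
    # Reply (Type 3): Code, Lifetime, Home Addr, Home Agent, Ident.
    reply = struct.pack("!BBH4s4s8s", 3, code, life if code == 0 else 0,
                        home, agent, ident)
    return append_mn_ha_ae(reply, spi, key)

def handle_request(packet, key):
    """key: the MN-HA secret returned by the AAA lookup, or None."""
    protected, spi, auth = split_mn_ha_ae(packet)
    if key is None:
        # Nothing to compute a reply authenticator with: drop silently.
        return "discard", None
    if hmac.compare_digest(auth, authenticator(key, protected)):
        return "reply", build_reply(0, packet, spi, key)
    # Key known but authenticator invalid: Code 131, signed with the HA's key.
    return "reply", build_reply(131, packet, spi, key)

# Constructed sample Registration Request (documentation addresses).
SAMPLE_REQUEST = struct.pack("!BBH4s4s4s8s", 1, 0, 1800, bytes([192, 0, 2, 10]),
                             bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
                             bytes(8))
```

When the home agent's key differs from the mobile node's, the Code 131 reply carries an authenticator the mobile node cannot verify, which is the situation the quoted text from section 3.6.2.1 describes.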
