Cisco Support Community

Authentication In Mobile IP

Dear all

I have started learning about Mobile IP (I read RFC 3344) and some related RFC documents. Now I have a question that concerns me; I hope that you can clear up this obstruction, because it is driving me mad.

As I understand it, Mobile IP works like this:

+ The Foreign Agent sends advertisement messages periodically (ICMP)

+ When the Mobile Node moves to a new place, it receives the advertisement message and sends the Registration Request. The Registration Request uses the IP of the Mobile Node (in the case of a located care-of address) or the NAI (in the case of a co-located care-of address) to authenticate the Mobile Node with the Home Agent.

There are some security problems here:

+ Replay attacks: can be resisted by using the Identification field in the Registration Request message

+ Packet modification: can be resisted by using the checksum and HMAC-MD5 to guarantee packet integrity

But I am a little bit confused about man-in-the-middle attacks. Suppose that someone captures the registration request packet and knows the authentication property (IP of the mobile node or NAI); after that, can he use this authentication to use the service?

I'm thinking of the scenario below:

Mobile Node: computes the digest message A = HMAC-MD5(IP, Identifier, Secret key) and then sends it to the Home Agent

Home Agent: computes the digest message B = HMAC-MD5(IP, Identifier, Secret key') (the IP and Identifier come from the registration message) and it stores the secret key

We compare the digest message A (in the registration message) with the digest message B. It is OK if the two digest messages are equal.

In this case, we consider 3 authentication scenarios: Mobile Node -- Home Agent, Mobile Node -- Foreign Agent and Foreign Agent -- Home Agent

How can we authenticate Mobile Node -- Foreign Agent?

Please help me, I do appreciate your help.
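The Mobile Node / Home Agent check discussed in the post, as an added Python example that is not from the original post or from Cisco: it builds the fixed part of an RFC 3344 Registration Request, appends the Mobile-Home Authentication Extension (HMAC-MD5 over the request data plus the extension's Type, Length and SPI, as the RFC specifies), and has the Home Agent verify the authenticator and the Identification field. All function names, the key, the SPI and the addresses are constructed for this example; the replay check assumes timestamp-style (monotonically increasing) identification values.

```python
import hashlib, hmac, ipaddress, struct

REG_REQUEST_TYPE = 1    # RFC 3344 Registration Request
MH_AUTH_EXT_TYPE = 32   # Mobile-Home Authentication Extension
FIXED_LEN = 24          # type, flags, lifetime, home addr, HA, CoA, 64-bit identification

def build_request(home_addr, home_agent, coa, identification, lifetime=1800, flags=0):
    """Fixed part of a Registration Request (the UDP payload before any extensions)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, flags, lifetime,
                       ipaddress.ip_address(home_addr).packed,
                       ipaddress.ip_address(home_agent).packed,
                       ipaddress.ip_address(coa).packed, identification)

def authenticator(key, preceding, spi):
    """HMAC-MD5 over the request data, all prior extensions, and this extension's
    Type, Length and SPI (RFC 3344 section 3.5.1); 16-byte result."""
    header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + 16, spi)
    return hmac.new(key, preceding + header, hashlib.md5).digest()

def append_mh_auth(request, key, spi):
    """Mobile Node side: append the Mobile-Home Authentication Extension."""
    return request + struct.pack("!BBI", MH_AUTH_EXT_TYPE, 20, spi) + authenticator(key, request, spi)

def home_agent_verify(message, key, spi, last_identification):
    """Home Agent side: returns (accepted, reason). The key is shared only with the
    Mobile Node; last_identification is the highest value accepted so far."""
    if len(message) < FIXED_LEN or message[0] != REG_REQUEST_TYPE:
        return False, "not a registration request"
    off = FIXED_LEN
    while off + 2 <= len(message):                        # walk the extensions
        etype, elen = message[off], message[off + 1]
        body = message[off + 2:off + 2 + elen]
        if etype == MH_AUTH_EXT_TYPE:
            if struct.unpack("!I", body[:4])[0] != spi:
                return False, "unknown SPI"
            if not hmac.compare_digest(body[4:], authenticator(key, message[:off], spi)):
                return False, "bad authenticator"         # modified, or built without the key
            if struct.unpack("!Q", message[16:24])[0] <= last_identification:
                return False, "replayed identification"   # a captured request sent again
            return True, "ok"
        off += 2 + elen
    return False, "missing mobile-home authentication extension"

def demo():
    """Constructed values: key, SPI and addresses are made up for this example."""
    key, spi = bytes.fromhex("0123456789abcdef0123456789abcdef"), 0x100
    req = append_mh_auth(build_request("10.0.0.5", "10.0.0.1", "192.0.2.7", 1000), key, spi)
    tampered = req[:12] + ipaddress.ip_address("198.51.100.9").packed + req[16:]  # CoA changed
    forged = append_mh_auth(build_request("10.0.0.5", "10.0.0.1", "192.0.2.7", 1001), b"guess", spi)
    return {"valid": home_agent_verify(req, key, spi, 999),
            "replay": home_agent_verify(req, key, spi, 1000),
            "modified": home_agent_verify(tampered, key, spi, 999),
            "forged": home_agent_verify(forged, key, spi, 999)}
```

Knowing the home address or NAI from a captured request is not enough to pass the check: the authenticator depends on the shared key, and the Identification field rejects a straight replay.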
