Chapter 3. Mobile IP Security
The previous chapters characterized Mobile IP as a routing protocol, and when it comes to security, Mobile IP is no different. Just like other routing protocols, the security features in Mobile IP are designed to authenticate routing peers and ensure the integrity of routing update messages. As such, all the security methods in Mobile IP are designed to protect only the control plane traffic, namely, the Registration Request (RRQ) and Registration Reply (RRP).
In this chapter, we explore the two mechanisms that Mobile IP uses to provide secure communication among the different Mobile IP entities: authentication extensions and replay protection. This chapter delves into the various components of the authentication extension and illustrates precisely how messages are secured. You see why the authentication extension between certain Mobile IP entities (the Home Agent and Mobile Node) is mandatory while the others are optional. You also see why replay protection is needed in Mobile IP and how it is achieved with timestamps or nonces.
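The following Python sketch is an added example, not code from the book: it builds a Registration Request, appends the Mobile-Home Authentication Extension and runs the two checks a Home Agent performs on it, the authenticator check and the timestamp-based replay check on the Identification field. It follows the RFC 3344 rules the chapter introduction does not spell out (HMAC-MD5 as the default algorithm, a 64-bit NTP-format timestamp, a 7-second default clock tolerance, and reply codes 0, 131, 133 and 134). The addresses, SPI, key and clock are constructed for the example, and the parser assumes the authentication extension is the last extension in the message.

```python
"""Mobile IPv4 (RFC 3344) control-plane protection, constructed example.

Builds a Registration Request (RRQ), appends the Mobile-Home Authentication
Extension (HMAC-MD5 keyed with the MN/HA shared secret), and runs the Home
Agent's two checks: authenticator verification and timestamp-based replay
protection on the Identification field.  Addresses, SPI and key are made up.
"""
import hashlib
import hmac
import struct

RRQ_TYPE = 1                     # Registration Request
MN_HA_AUTH_EXT = 32              # Mobile-Home Authentication Extension
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
DEFAULT_TOLERANCE = 7            # RFC 3344 default clock-skew allowance (seconds)

# Registration Reply codes (RFC 3344) used below
CODE_ACCEPTED = 0
CODE_MN_AUTH_FAILED = 131
CODE_ID_MISMATCH = 133
CODE_POORLY_FORMED = 134


def ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP format: high 32 bits seconds since 1900, low 32 bits fraction."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return ((whole & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def build_rrq(home_addr, home_agent, coa, lifetime, identification, flags=0):
    """Fixed 24-byte RRQ header: Type, flags, Lifetime, Home Addr, HA, CoA, Identification."""
    return struct.pack("!BBH4s4s4sQ", RRQ_TYPE, flags, lifetime,
                       ipv4(home_addr), ipv4(home_agent), ipv4(coa), identification)


def mn_ha_auth_extension(message: bytes, spi: int, key: bytes) -> bytes:
    """Type(32), Length(4 + 16), SPI, Authenticator.
    The MAC covers the RRQ header, all preceding extensions and this
    extension's own Type/Length/SPI, but not the authenticator itself."""
    header = struct.pack("!BBI", MN_HA_AUTH_EXT, 4 + 16, spi)
    authenticator = hmac.new(key, message + header, hashlib.md5).digest()
    return header + authenticator


def sign_rrq(rrq: bytes, spi: int, key: bytes) -> bytes:
    return rrq + mn_ha_auth_extension(rrq, spi, key)


class HomeAgent:
    """Registration handling for one security association (SPI -> key)."""

    def __init__(self, spi, key, clock, tolerance=DEFAULT_TOLERANCE):
        self.spi, self.key = spi, key
        self.clock = clock            # callable returning Unix time
        self.tolerance = tolerance
        self.last_id = {}             # home address -> last accepted Identification

    def process(self, packet: bytes) -> int:
        """Return the Registration Reply code the HA would send."""
        if len(packet) < 24 + 22 or packet[0] != RRQ_TYPE:
            return CODE_POORLY_FORMED
        rrq, ext = packet[:-22], packet[-22:]   # assumes MN-HA AE is the last extension
        ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
        if ext_type != MN_HA_AUTH_EXT or ext_len != 20 or spi != self.spi:
            return CODE_MN_AUTH_FAILED
        expected = hmac.new(self.key, rrq + ext[:6], hashlib.md5).digest()
        if not hmac.compare_digest(expected, ext[6:]):
            return CODE_MN_AUTH_FAILED          # integrity check first, replay check second
        home_addr = rrq[4:8]
        identification = struct.unpack("!Q", rrq[16:24])[0]
        # Replay protection: the timestamp must lie within the tolerance window
        # of the HA clock and be strictly greater than the last accepted value.
        mn_secs = (identification >> 32) - NTP_EPOCH_OFFSET
        if abs(mn_secs - int(self.clock())) > self.tolerance:
            return CODE_ID_MISMATCH
        if identification <= self.last_id.get(home_addr, 0):
            return CODE_ID_MISMATCH
        self.last_id[home_addr] = identification
        return CODE_ACCEPTED


def demo():
    """Accept a fresh signed RRQ, then reject a replay, a forgery and a stale request."""
    key, spi = b"constructed-shared-secret", 0x100
    now = [1_000_000_000.0]                     # controllable clock shared by MN and HA
    ha = HomeAgent(spi, key, clock=lambda: now[0])

    rrq = build_rrq("10.0.0.5", "10.0.0.1", "192.0.2.7", 600, ntp_timestamp(now[0]))
    packet = sign_rrq(rrq, spi, key)
    fresh = ha.process(packet)
    replay = ha.process(packet)                 # same Identification resent by an attacker
    forged = ha.process(packet[:12] + ipv4("203.0.113.9") + packet[16:])  # CoA rewritten
    now[0] += 60                                # HA clock moves on; old timestamp is stale
    stale = ha.process(sign_rrq(build_rrq("10.0.0.5", "10.0.0.1", "192.0.2.7", 600,
                                          ntp_timestamp(now[0] - 60)), spi, key))
    return fresh, replay, forged, stale


if __name__ == "__main__":
    print(demo())   # (0, 133, 131, 133)
```

The order of the checks matters: the authenticator is verified before the Identification field is examined, so an unauthenticated sender cannot push the Home Agent's replay state around or trigger a clock resynchronization on the Mobile Node's behalf. With nonce-based replay protection the Identification field would instead carry a value the Home Agent chose in its last reply, so the "within tolerance of my clock" test is replaced by "matches the nonce I issued".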
The most challenging trust relationship in Mobile IP is between the Mobile Node and Foreign Agent (FA), simply because the Mobile Node cannot have a security relationship with every FA to which it can roam. In this chapter, we look into clever mechanisms that afford security between a FA and its visiting Mobile Nodes without requiring preconfiguration of the Mobile IP entities.
The first part of the chapter assumes a static security relationship that is used in the authentication extensions. Later in the chapter, we investigate different approaches to dynamically administering a security association between Mobile IP entities. Specifically, we look into ways to change the security association dynamically, or even to set up a security association between Mobile IP entities when one does not already exist.
Mobile IP secures control traffic and does not interact with data traffic per se. However, Mobile IP can easily be combined with existing protocols designed to secure data traffic, for example, IP Security (IPSec). More detailed discussions of the integration of Mobile IP with IPSec are covered in Chapter 7, "Metro Mobility: Cisco Mobile Networks," and Chapter 8, "Deployment Scalability and Management."