If there is only authentication over control messages between the home agent and mobile node, it is assumed that foreign agents permit any mobile node to attempt to register. During mobile registration, the mobile node sends authenticated messages to a home agent via the foreign agent. The foreign agent relies on the home agent's reply message, which grants or denies permission for the registration. The security association between the mobile node and the home agent is based on a predetermined shared key or certificate.
The mobile registration request packet consists of the following fields:
and is preceded by a UDP header [10].
In this case, Type will indicate either a registration request or reply message.
Home Address is the mobile node's address in its home subnet.
Home Agent is the IP address of the home agent.
Care Of Address is either the IP address of the foreign agent or a temporary "co-located care of address" externally assigned to the mobile node within a foreign subnet.
Ids are unique to each registration request.
The Mobile-Home Authentication Extension is:
For our purposes, the Ext Type indicates that the extension is either for
Mobile-Home, Mobile-Foreign or Foreign-Home authentication.
The Authentication Data is the result of using an authentication transform
over parts of the UDP payload and has been referred to as the hash-value in
this paper.
A UDP mobile registration packet is:
In our abstract packet format, a registration message is:
where data-list is the entire packet.
The mobile registration reply packet consists of the following fields:
and is preceded by a UDP header [10]. Code indicates the status of the registration request with the same Id.
The Mobile-Home Authentication Extension format is
the same as that for registration request messages.
A UDP mobile registration reply packet is:
In our abstract packet format a registration reply message is:
In either case, registration or reply, an authentication transform is used over all of the fields in the UDP packet except the UDP Header, SPI and Authentication Data. As with the IP security headers, the SPI and, in this case, Home Address (or Home Agent for reply) are used to index information for the security association and specifically the key. Integrity is supplied directly over the UDP payload (except the SPI and Authentication Data) and indirectly over the SPI when the Authentication Data (hash-value) is computed correctly. Since there is integrity over the source address, the packet fields contained in the hash-data are authenticated.
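The check described above, as an added example that is not code from the paper: a home agent verifying a registration request, showing that a changed SPI fails verification even though the SPI is outside the hashed data. The field widths, the Type and Ext Type values, HMAC-SHA256 as the authentication transform, and the addresses and keys are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed layout (the page names the fields; widths and codes are illustrative):
# Type(1) HomeAddr(4) HomeAgent(4) CareOf(4) Id(8) | ExtType(1) SPI(4) AuthData(32)
BODY = struct.Struct("!B4s4s4s8s")
EXT = struct.Struct("!BI32s")
EXT_MOBILE_HOME = 32   # assumed code for the Mobile-Home extension
REQUEST = 1            # assumed Type value for a registration request

def ip(addr):
    return ipaddress.IPv4Address(addr).packed

def transform(key, body, ext_type):
    # Hash-data: every payload field except SPI and Authentication Data.
    return hmac.new(key, body + bytes([ext_type]), hashlib.sha256).digest()

def build_request(key, spi, home, agent, care_of, ident):
    body = BODY.pack(REQUEST, ip(home), ip(agent), ip(care_of), ident)
    auth = transform(key, body, EXT_MOBILE_HOME)
    return body + EXT.pack(EXT_MOBILE_HOME, spi, auth)

def verify_request(assoc, payload):
    """Home agent check; assoc maps (SPI, Home Address) -> shared key."""
    if len(payload) != BODY.size + EXT.size:
        return False
    body, ext = payload[:BODY.size], payload[BODY.size:]
    home = BODY.unpack(body)[1]
    ext_type, spi, auth = EXT.unpack(ext)
    key = assoc.get((spi, home))   # SPI and Home Address index the key
    if key is None or ext_type != EXT_MOBILE_HOME:
        return False
    return hmac.compare_digest(auth, transform(key, body, ext_type))

def flip(payload, offset):
    # Return a copy of payload with one bit changed at the given byte offset.
    out = bytearray(payload)
    out[offset] ^= 0x01
    return bytes(out)

# Constructed sample data: documentation address ranges and made-up keys.
ASSOC = {(0x100, ip("192.0.2.10")): b"key-for-spi-0x100",
         (0x101, ip("192.0.2.10")): b"key-for-spi-0x101"}
PKT = build_request(b"key-for-spi-0x100", 0x100, "192.0.2.10",
                    "192.0.2.1", "198.51.100.7", b"\x00" * 7 + b"\x01")
CARE_OF_OFFSET = 9               # first byte of Care Of Address (hashed field)
SPI_LOW_OFFSET = BODY.size + 4   # low byte of SPI: 0x100 becomes 0x101
```

Flipping the low SPI byte selects the other association's key, so the recomputed hash-value no longer matches; this is the indirect integrity over the SPI.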