Cisco Systems OL-6918-01 manual Security Associations

Page 26

Chapter 4 Using Service Manager

Activating Services on HA Devices

Step 7 Perform one of these actions:

Click Finish to complete the configuration.

HA SM schedules a new job. A notification message displays the Job ID. After the job completes, you can view the details of the job in the Job Details window. See Viewing Job Details, page 4-15, for more information on the job details.

Click Cancel to exit the wizard.

Click Back to edit the configuration.

Security Associations

All registration messages between an MN and a HA are authenticated in Mobile IP to prevent denial-of-service and replay attacks. Security associations are used to authenticate the mobile device. A security association is a collection of security contexts between a pair of nodes, which may be applied to Mobile IP protocol messages that are exchanged between them. Each context indicates an authentication algorithm and mode, a secret (a shared key or appropriate public or private key pair), and a style of replay protection in use.

Message Digest 5 (MD5) is an algorithm that takes the registration message together with a secret key and computes a smaller piece of data, called a message digest. The MN and the HA each hold a copy of the same key, called a symmetric key, and authenticate each other by comparing the results of the computation.

The authentication process begins when an MN sends the registration request. The MN adds the time stamp, computes the message digest, and appends the Mobile-Home Authentication Extension (MHAE) to the registration request. The HA receives the request, checks whether the time stamp is valid, computes the message digest using the same key, and compares it with the digest carried in the request. If the results match, the request is successfully authenticated. For the registration reply, the HA adds the time stamp, computes the message digest, and appends the MHAE to the registration reply. The MN authenticates the registration reply when it arrives from the HA.

Replay protection is enabled on the registration packets to protect the network from replay attacks. A replay attack occurs when an individual records an authentic message that was previously transmitted and replays it at a later time.
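The exchange described above, worked through in code as an added example (this is not code from the manual or from HA Service Manager): an MN builds a registration request with a timestamp-based Identification field, appends an MHAE carrying a keyed digest, and the HA verifies the digest first, then the timestamp window, then whether the Identification has already been accepted. The packet layout and the extension type (32) follow RFC 3344; HMAC-MD5 is assumed as the keyed digest (the RFC default; the manual only says "MD5 with a key"), the 7-second skew window, the SPI and the shared key are constructed values, and no other extensions are assumed to precede the MHAE.

```python
"""Mobile IP registration authentication with the Mobile-Home Authentication
Extension (MHAE): keyed digest, timestamp window and replay check.
Added example; layout follows RFC 3344, key/SPI/window values are constructed."""
import hashlib
import hmac
import struct

MHAE_TYPE = 32                  # Mobile-Home Authentication Extension type (RFC 3344)
MHAE_LEN = 20                   # 4-byte SPI + 16-byte HMAC-MD5 authenticator
REG_REQUEST, REG_REPLY = 1, 3
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
TIMESTAMP_WINDOW = 7            # assumed HA clock-skew tolerance, in seconds


def make_identification(unix_time):
    """64-bit Identification field: NTP seconds in the high word, fraction in the low word."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def identification_to_unix(ident):
    secs, _ = struct.unpack("!II", ident)
    return secs - NTP_EPOCH_OFFSET


def compute_authenticator(key, message, spi):
    """Keyed digest over the message plus the MHAE type, length and SPI (HMAC-MD5 assumed)."""
    mhae_head = struct.pack("!BBI", MHAE_TYPE, MHAE_LEN, spi)
    return hmac.new(key, message + mhae_head, hashlib.md5).digest()


def append_mhae(key, message, spi):
    head = struct.pack("!BBI", MHAE_TYPE, MHAE_LEN, spi)
    return message + head + compute_authenticator(key, message, spi)


def build_registration_request(home, ha, coa, lifetime, ident):
    # Type, flags (none set), lifetime, home address, home agent, care-of address, identification
    return struct.pack("!BBH4s4s4s8s", REG_REQUEST, 0, lifetime, home, ha, coa, ident)


class HomeAgent:
    """Verifies requests in this order: authenticator, timestamp window, replay."""

    def __init__(self, security_associations):
        self.sa = security_associations   # SPI -> shared symmetric key
        self.last_ident = {}              # home address -> last accepted Identification

    def verify_request(self, packet, now):
        if len(packet) < 24 + 6 + 16:
            return False, "truncated"
        message, ext = packet[:-22], packet[-22:]
        ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
        if message[0] != REG_REQUEST or ext_type != MHAE_TYPE or ext_len != MHAE_LEN:
            return False, "malformed"
        key = self.sa.get(spi)
        if key is None:
            return False, "unknown SPI"
        # Digest is checked first so unauthenticated packets never touch replay state.
        if not hmac.compare_digest(ext[6:], compute_authenticator(key, message, spi)):
            return False, "authentication failed"
        home, ident = message[4:8], message[16:24]
        if abs(identification_to_unix(ident) - now) > TIMESTAMP_WINDOW:
            return False, "identification mismatch"
        if ident <= self.last_ident.get(home, b""):   # big-endian bytes compare as integers
            return False, "replay"
        self.last_ident[home] = ident
        return True, "accepted"

    def build_reply(self, packet, key, spi, code=0):
        """Registration Reply echoing the request's Identification, protected by its own MHAE."""
        message = packet[:-22]
        lifetime = struct.unpack("!H", message[2:4])[0]
        reply = struct.pack("!BBH4s4s8s", REG_REPLY, code, lifetime,
                            message[4:8], message[8:12], message[16:24])
        return append_mhae(key, reply, spi)


def mn_verify_reply(reply, key, spi, sent_ident):
    """MN side: check the reply's authenticator and that its Identification matches the request."""
    message, ext = reply[:-22], reply[-22:]
    if message[0] != REG_REPLY or ext[:6] != struct.pack("!BBI", MHAE_TYPE, MHAE_LEN, spi):
        return False
    if not hmac.compare_digest(ext[6:], compute_authenticator(key, message, spi)):
        return False
    return message[12:20] == sent_ident


def demo():
    key, spi = b"constructed-shared-key", 0x100          # constructed SA, not real values
    ha = HomeAgent({spi: key})
    home, ha_addr, coa = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), bytes([192, 168, 1, 20])
    now = 1_700_000_000.0
    ident = make_identification(now)
    packet = append_mhae(key, build_registration_request(home, ha_addr, coa, 1800, ident), spi)
    results = [ha.verify_request(packet, now + 1)[1]]        # fresh request: accepted
    results.append(ha.verify_request(packet, now + 2)[1])    # same packet again: replay
    stale = append_mhae(key, build_registration_request(
        home, ha_addr, coa, 1800, make_identification(now - 60)), spi)
    results.append(ha.verify_request(stale, now)[1])         # outside the timestamp window
    tampered = packet[:2] + b"\xff\xff" + packet[4:]         # lifetime altered in flight
    results.append(ha.verify_request(tampered, now + 1)[1])  # digest no longer matches
    reply = ha.build_reply(packet, key, spi)
    results.append(mn_verify_reply(reply, key, spi, ident))  # MN accepts the matching reply
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the digest is verified before the Identification is examined, so a packet that fails authentication can neither advance the per-MN replay state nor be distinguished by timing from one with a valid timestamp. `hmac.compare_digest` keeps the comparison constant-time.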

To display a list of the security associations for the MN, Home Agent, or Foreign Agent that are configured in the HA Service Manager:

Step 1 Choose a device group (Choose Service Manager > Select Group). See Selecting an HA Device Group, page 4-3.

Step 2 Choose HA Service Manager > Service Activation > Security Associations.

User Guide for Cisco Home Agent Service Manager

4-26

OL-6918-01
