Configuring Mobile IP

How Mobile IP Works

This authentication process begins when a MN sends the registration request. The MN adds the time stamp, computes the message digest, and appends the MHAE to the registration request. The HA receives the request, checks that the time stamp is valid, computes the message digest using the same key, and compares the message digest results. If the results match, the request is successfully authenticated. For the registration reply, the HA adds the time stamp, computes the message digest, and appends the MHAE to the registration reply. The MN authenticates the registration reply upon arrival from the HA.

MN-FA

Mobile IP does not require that communication between an MN and an FA be authenticated. Cisco IOS software supports the optional Mobile-Foreign Authentication Extension (MFAE). MFAE protects the communication between the MN and FA by keeping a shared key between them.

FA-HA

Mobile IP does not require that communication between an FA and an HA be authenticated. Cisco IOS software supports the optional Foreign-Home Authentication Extension (FHAE). FHAE protects the communication between the FA and HA by keeping a shared key between them.

HA-HA

Communication between an active HA and a standby HA in an HA redundancy topology must be authenticated. The authentication process works in the same manner as described in the previous “MN-HA”section. However, HA-HA authentication is an added Cisco-proprietary authentication extension needed to secure communication between peer HAs for HA redundancy. (Active HAs and standby HAs are peers to each other.)

Use the ip mobile secure home-agentglobal configuration command to configure the security associations between all peer HAs within a standby group for each of the other HAs within the standby group. The configuration is necessary because any HA within the standby group can become active HA or standby HA at any time. See the “Mobile IP HA Redundancy Configuration Task List” section later in this chapter for more information on HA-HA authentication.

Storing Security Associations

As discussed in the “Mobile IP Security” section earlier in this chapter, authentication between the MN and the HA involves keys. You can store the keys or security associations (SAs) on one of the following locations:

NVRAM of an HA

Authentication, authorization, and accounting (AAA) server that can be accessed using either TACACS+ or RADIUS

Because the NVRAM of an HA is typically limited, you should store the SAs on the HA only if your organization has a small number of MNs. If your organization has a large number of MNs, you should store the SAs on a AAA server.

Cisco IOS IP Configuration Guide

IPC-164

Page 210
Image 210
Cisco Systems 78-11741-02 manual Storing Security Associations, IPC-164