Chapter 4 Using Service Manager

Activating Services on HA Devices

Step 7 Perform one of these actions:

Click Finish to complete the configuration.

HA SM schedules a new job. A notification message displays the Job ID. After the job completes, you can view the details of the job in the Job Details window. See Viewing Job Details, page 4-15, for more information on the job details.

Click Cancel to exit the wizard.

Click Back to edit the configuration.

Security Associations

All registration messages between an MN and a HA are authenticated in Mobile IP to prevent denial-of-service and replay attacks. Security associations are used to authenticate the mobile device. A security association is a collection of security contexts between a pair of nodes, which may be applied to Mobile IP protocol messages that are exchanged between them. Each context indicates an authentication algorithm and mode, a secret (a shared key or appropriate public or private key pair), and a style of replay protection in use.

Message Digest 5 (MD5) is an algorithm that takes the registration message and a secret key and computes a smaller chunk of data, called a message digest. The MN and HA each have a copy of the key, called a symmetric key, and authenticate each other by comparing the results of the computation.

The authentication process begins when an MN sends the registration request. The MN adds the time stamp, computes the message digest, and appends the Mobile-Home Authentication Extension (MHAE) to the registration request. The HA receives the request, checks whether the time stamp is valid, computes the message digest using the same key, and compares the message digest results. If the results match, the request is successfully authenticated. For the registration reply, the HA adds the time stamp, computes the message digest, and appends the MHAE to the registration reply. The MN authenticates the registration reply upon arrival from the HA.

Replay protection is enabled on the registration packets to protect the network from replay attacks. A replay attack occurs when an individual records an authentic message that was previously transmitted and replays it at a later time.
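
The request check described above, as an added example that is not part of the Cisco guide or the HA Service Manager product. It assumes HMAC-MD5 as the keyed MD5 mode, a simplified message layout (4-byte home address plus 8-byte time stamp), and a 7-second skew tolerance; the names build_request, HomeAgent and REPLAY_WINDOW are hypothetical.

```python
import hashlib
import hmac
import struct

REPLAY_WINDOW = 7   # seconds of clock skew tolerated (assumed value)
DIGEST_LEN = 16     # MD5 output size in bytes

def build_request(key: bytes, home_addr: bytes, timestamp: int) -> bytes:
    """MN side: add the time stamp, compute the digest, append it."""
    body = home_addr + struct.pack("!Q", timestamp)  # simplified layout
    return body + hmac.new(key, body, hashlib.md5).digest()

class HomeAgent:
    def __init__(self, key: bytes):
        self.key = key
        self.newest = {}  # home address -> newest accepted time stamp

    def verify(self, packet: bytes, now: int) -> str:
        if len(packet) != 12 + DIGEST_LEN:
            return "reject: malformed"
        body, received = packet[:12], packet[12:]
        home_addr, (ts,) = body[:4], struct.unpack("!Q", body[4:])
        # 1. Time stamp must be fresh and newer than anything accepted.
        if abs(now - ts) > REPLAY_WINDOW:
            return "reject: stale time stamp"
        if ts <= self.newest.get(home_addr, -1):
            return "reject: replayed time stamp"
        # 2. Recompute the digest with the shared key, compare in constant time.
        expected = hmac.new(self.key, body, hashlib.md5).digest()
        if not hmac.compare_digest(expected, received):
            return "reject: digest mismatch"
        self.newest[home_addr] = ts  # only authenticated requests advance it
        return "accept"

def demo() -> list:
    key = b"constructed-shared-key"          # constructed sample secret
    mn_addr = bytes([10, 0, 0, 5])           # constructed MN home address
    ha = HomeAgent(key)
    pkt = build_request(key, mn_addr, 1000)
    forged = build_request(b"wrong-key", mn_addr, 1001)
    return [
        ha.verify(pkt, now=1002),     # genuine request
        ha.verify(pkt, now=1003),     # same packet captured and resent
        ha.verify(pkt, now=1100),     # resent long after
        ha.verify(forged, now=1002),  # sender without the shared key
    ]

if __name__ == "__main__":
    print(demo())
```

The recorded time stamp advances only after the digest matches, so an unauthenticated packet cannot push the window forward and lock out the genuine MN.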

To display a list of security associations for the MN, Home Agent, or Foreign Agent that is configured in the HA Service Manager:

Step 1 Choose a device group (Choose Service Manager > Select Group). See Selecting an HA Device Group, page 4-3.

Step 2 Choose HA Service Manager > Service Activation > Security Associations.

User Guide for Cisco Home Agent Service Manager

4-26

OL-6918-01

 

 
