Specifications

Chapter 6 Configuring Proxy Mobile IP
Proxy Mobile IP
6-8
Cisco Aironet Access Point Software Configuration Guide
OL-0657-07
Data packets addressed to the visiting client are routed to its home network, where
the home agent intercepts and tunnels them to the care-of address toward the
visiting client. Tunneling has two primary functions: encapsulation of the data
packet to reach the tunnel endpoint, and decapsulation when the packet is
delivered at that endpoint. The tunnel mode that the access point supports is IP
Encapsulation within IP Encapsulation.
Typically, the visiting client sends packets as it normally would. The access point
intercepts these packets and sends them to the foreign agent, which routes them
to their final destination, the correspondent node.
Proxy Mobile IP Security
Mobile IP uses a strong authentication scheme to protect communications to and
from visiting clients. All registration messages between a visiting client and the
home agent must contain the mobile-home authentication extension (MHAE).
Proxy Mobile IP also implements this requirement in the registration messages
sent by the access point on behalf of the visiting clients to the home agent.
The integrity of the registration messages is protected by a shared 128-bit key
between the access point (on behalf of the visiting client) and the home agent. You
can enter the shared key on the access point or on a RADIUS server.
The keyed message digest algorithm 5 (MD5) in prefix+suffix mode is used to
compute the authenticator value in the appended MHAE. Mobile IP and proxy
Mobile IP also support the hash-based message authentication code
(HMAC-MD5). The receiver compares the authenticator value it computes over
the message with the value in the extension to verify the authenticity.
Optionally, the mobile-foreign authentication extension and the foreign-home
authentication extension are appended to protect message exchanges between a
visiting client and foreign agent and between a foreign agent and home agent,
respectively.
Replay protection uses the identification field in the registration messages as a
timestamp and sequence number. The home agent returns its timestamp to
synchronize the visiting client for registration. In proxy Mobile IP, the visiting
clients are not synchronized to their home agents because the access point
intercepts all home agent messages. If the timestamp in the first registration
request is outside the tolerance window (± 7 seconds), the home agent rejects the
request. The access point uses the timestamp carried in the rejection to create a
valid identification value and resends the registration request.
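The following Python is an added illustration, not code from the Cisco guide or from any Cisco product. It computes the MHAE authenticator in both modes the page names (keyed MD5 in prefix+suffix mode, where the shared key precedes and follows the protected fields, and HMAC-MD5), verifies it on the receiving side, and models the home agent's identification check with the ± 7 second window followed by the access point's resend with the corrected value. The registration-request layout, the SPI, the key bytes and the function names are constructed assumptions; a real stack protects the whole UDP payload and any preceding extensions.

```python
import hashlib
import hmac
import ipaddress
import struct

MHAE_TYPE = 32          # Mobile-Home Authentication Extension type (RFC 2002)
DIGEST_LEN = 16         # MD5 produces a 128-bit authenticator
TOLERANCE_SECONDS = 7   # home agent tolerance window quoted on the page


def keyed_md5_prefix_suffix(key: bytes, protected: bytes) -> bytes:
    """Default Mobile IP authenticator: MD5(key || protected fields || key)."""
    return hashlib.md5(key + protected + key).digest()


def hmac_md5(key: bytes, protected: bytes) -> bytes:
    """Alternative authenticator supported by proxy Mobile IP: HMAC-MD5."""
    return hmac.new(key, protected, hashlib.md5).digest()


def registration_request(lifetime, home, home_agent, care_of, identification):
    """Constructed, simplified Registration Request body: type 1, flags,
    lifetime, home address, home agent, care-of address, 64-bit identification."""
    return struct.pack("!BBH4s4s4sQ", 1, 0, lifetime,
                       ipaddress.IPv4Address(home).packed,
                       ipaddress.IPv4Address(home_agent).packed,
                       ipaddress.IPv4Address(care_of).packed,
                       identification)


def append_mhae(body: bytes, spi: int, key: bytes, algorithm) -> bytes:
    """Sender side: the authenticator covers the message body plus the
    type, length and SPI of the extension itself."""
    header = struct.pack("!BBI", MHAE_TYPE, 4 + DIGEST_LEN, spi)
    return body + header + algorithm(key, body + header)


def verify_mhae(packet: bytes, key: bytes, algorithm) -> bool:
    """Receiver side: recompute over the same bytes and compare in constant time."""
    ext_len = 6 + DIGEST_LEN
    if len(packet) <= ext_len:
        return False
    body = packet[:-ext_len]
    header = packet[-ext_len:-DIGEST_LEN]
    received = packet[-DIGEST_LEN:]
    ext_type, length, _spi = struct.unpack("!BBI", header)
    if ext_type != MHAE_TYPE or length != 4 + DIGEST_LEN:
        return False
    expected = algorithm(key, body + header)
    return hmac.compare_digest(expected, received)


def check_identification(identification: int, home_agent_time: int,
                         tolerance: int = TOLERANCE_SECONDS):
    """Home agent side. The high-order 32 bits carry the timestamp. Inside the
    window: accept. Outside: reject and return the identification the reply
    carries (home agent's own time, requester's low-order bits preserved)."""
    timestamp = identification >> 32
    if abs(timestamp - home_agent_time) <= tolerance:
        return True, None
    corrected = (home_agent_time << 32) | (identification & 0xFFFFFFFF)
    return False, corrected


def proxy_registration_round_trip(ap_time: int, ha_time: int, key: bytes,
                                  algorithm=keyed_md5_prefix_suffix):
    """Model of the exchange on the page: the access point registers on behalf of
    a visiting client; if the home agent rejects on timestamp, the access point
    rebuilds the request from the rejection's identification and resends.
    Returns (accepted, number_of_requests_sent)."""
    spi = 0x100
    identification = (ap_time << 32) | 0x11223344   # constructed low-order bits
    attempts = 0
    while attempts < 2:
        attempts += 1
        body = registration_request(600, "10.0.0.5", "10.0.0.1", "192.168.1.10",
                                    identification)
        packet = append_mhae(body, spi, key, algorithm)
        if not verify_mhae(packet, key, algorithm):   # authentication failure
            return False, attempts
        accepted, corrected = check_identification(identification, ha_time)
        if accepted:
            return True, attempts
        identification = corrected   # resynchronize from the rejection
    return False, attempts
```

Usage: `proxy_registration_round_trip(1000, 1030, b"0123456789abcdef")` returns `(True, 2)`, i.e. the first request is rejected for a 30 second skew and the resend with the home agent's timestamp is accepted, while an authenticator computed with the wrong key or the wrong algorithm is rejected before the timestamp is even examined.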