Dynamic Keying 69
authentication infrastructure allows a simplified deployment and management. Note that the
MN-AAA is not a replacement for the Mobile Node-Home Agent Authentication Extension.
The complexity of managing static preshared keys can be a daunting task, especially for larger
enterprises. Deploying a client-based Mobile IP solution would be cost prohibitive if each
Mobile Node needed to be manually configured with one or more keys. Add to this the
fact that any static security key is usually reissued (rekeyed) periodically to prevent rogue nodes
from capturing a key and using it indefinitely. Even if you consider a network with only 100 Mobile
Nodes, each having 2 keys, that would result in 200 keys that an administrator would need to
manually configure. By the time she finished configuring all the keys, it might be time to reissue
each of those keys!
Instead, wouldn't it be nice if the mandatory Mobile Node-Home Agent key could be generated
dynamically? Or, even if a preshared key existed, wouldn't it be nice if session keys could be
dynamically generated so that the Mobile Node and Home Agent wouldn't need to be rekeyed
periodically? That is, a security key (session key) could be generated dynamically for each
Mobile IP session from a static key. Because the session key would be valid only for that
session, in a sense the pair is being rekeyed for each session.
Dynamic keying reduces the need to provision new keys on the Mobile Node and Home Agent
and also protects against rogue nodes that are trying to crack the key. Remember, when it comes to
cryptography, it is not a matter of if the encryption can be broken but when. The goal is to make
the cracking so difficult that the data is irrelevant by the time the encryption can be broken. For
example, if someone can capture your encrypted sales figures, but it takes him 1000 years to
read them, is that data still relevant? To make the capturing of the encrypted data even more difficult,
imagine that the sales report is split into five pieces, each encrypted using a different key. Then
it would take five times as long to read it! It is more difficult to break the code if an attacker has less
data under any one key and you have an effective cryptography system. The same premise is used for dynamic
keying systems in Mobile IP.
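To make the per-session idea concrete, here is an added example (not code from the book or from any Mobile IP implementation) that derives a short-lived MN-HA session key from a long-lived static key and uses it for the keyed HMAC-MD5 authenticator of the Mobile-Home Authentication Extension. The derivation itself is an assumed, illustrative construction, not the scheme of any standard; the key, NAI, addresses and registration bytes are constructed sample values.

```python
import hashlib
import hmac


def derive_session_key(static_key: bytes, mn_nai: str, ha_addr: str, nonce: bytes) -> bytes:
    # Assumed construction for this example: bind the session key to both
    # endpoints and a fresh per-registration nonce by keying HMAC-SHA256 with
    # the long-lived MN-HA key. The static key itself never goes on the wire,
    # and only 16 bytes of keying material are handed to the session.
    context = b"MIPv4 MN-HA session|" + mn_nai.encode() + b"|" + ha_addr.encode() + b"|" + nonce
    return hmac.new(static_key, context, hashlib.sha256).digest()[:16]


def mn_ha_authenticator(key: bytes, registration: bytes) -> bytes:
    # Keyed HMAC-MD5 is the default algorithm of the Mobile IPv4 Mobile-Home
    # Authentication Extension (RFC 3344); the Home Agent recomputes the same
    # value over the received Registration Request.
    return hmac.new(key, registration, hashlib.md5).digest()


def verify_authenticator(key: bytes, registration: bytes, received: bytes) -> bool:
    return hmac.compare_digest(mn_ha_authenticator(key, registration), received)


def demo() -> dict:
    # Constructed sample values; "registration" stands in for the fixed part
    # of a Registration Request plus the extension header that gets authenticated.
    static_key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    mn_nai, ha_addr = "mn1@example.com", "192.0.2.1"
    registration = b"RRQ type=1 home=192.0.2.20 coa=198.51.100.7 ident=0x5A"
    # Each registration session gets a fresh nonce, hence a fresh session key.
    key_s1 = derive_session_key(static_key, mn_nai, ha_addr, b"\x01" * 8)
    key_s2 = derive_session_key(static_key, mn_nai, ha_addr, b"\x02" * 8)
    auth = mn_ha_authenticator(key_s1, registration)
    tampered = registration.replace(b"coa=198.51.100.7", b"coa=203.0.113.9")
    return {
        "keys_differ_per_session": key_s1 != key_s2,
        "session1_verifies": verify_authenticator(key_s1, registration, auth),
        "tampered_verifies": verify_authenticator(key_s1, tampered, auth),
        # A key recovered from session 1 is useless against session 2 traffic.
        "stale_key_verifies": verify_authenticator(key_s2, registration, auth),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```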
Standards-Based Dynamic Keying
An IETF draft, “AAA Registration Keys for Mobile IPv4,” authored by Perkins and Calhoun,
is nearing standardization to provide a replacement for the static preshared keys used in Mobile
IP authentication. This draft, while attempting to be AAA-server agnostic, does not appear to
be usable with a RADIUS server and is definitely not usable with existing AAA servers. The
draft is designed to use the advanced features of a Diameter server. (Diameter is designed to be
a replacement for RADIUS.) Diameter has not been widely adopted, and as such, this draft did
not seem like the ideal way to simplify enterprise deployment. In fact, without a larger Diameter
deployment base, this draft, though perhaps useful, will be limited in the places it can be used.