72 Chapter 3: Mobile IP Security
Authentication Response Extension
The authentication response extension carries the authenticator value computed over the RRQ
using MS CHAPv2 and a hash of the user password. This provides the bootstrap authentication
that authenticates the initial RRQ from which the dynamic Mobile Node-Home Agent keys can
be derived. This extension is mandatory but is only used in the initial RRQ. After the session
keys have been derived, they are used in the MHAE to authenticate registration update
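To show what the MHAE step looks like once a session key exists, the following added example (not code from the book or from Cisco) builds a Registration Request and authenticates it with the RFC 3344 default MHAE algorithm, HMAC-MD5 over the UDP payload plus the extension's type, length and SPI. The session key, SPI and addresses are constructed values; the Home Agent side selects the key by SPI and rejects a tampered or mis-keyed message.

```python
import hmac
import hashlib
import struct

RRQ_TYPE = 1       # Registration Request
MHAE_TYPE = 32     # Mobile-Home Authentication Extension (RFC 3344)
MHAE_LENGTH = 20   # 4-byte SPI + 16-byte HMAC-MD5 authenticator
RRQ_LEN = 24       # fixed header: type, flags, lifetime, home, HA, CoA, identification

def ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_rrq(home_addr, home_agent, coa, lifetime, identification, flags=0):
    """Fixed 24-byte RRQ header; identification carries the replay-protection value."""
    return struct.pack("!BBH4s4s4sQ", RRQ_TYPE, flags, lifetime,
                       ip(home_addr), ip(home_agent), ip(coa), identification)

def mhae_authenticator(key, payload, spi):
    # Covered data: everything preceding the MHAE plus the MHAE's own Type, Length, SPI.
    covered = payload + struct.pack("!BBI", MHAE_TYPE, MHAE_LENGTH, spi)
    return hmac.new(key, covered, hashlib.md5).digest()

def append_mhae(key, payload, spi):
    """Mobile Node side: append the MHAE to the outgoing registration."""
    header = struct.pack("!BBI", MHAE_TYPE, MHAE_LENGTH, spi)
    return payload + header + mhae_authenticator(key, payload, spi)

def verify_rrq(keys_by_spi, message):
    """Home Agent side: find the trailing MHAE, pick the key by SPI, compare in constant time."""
    if len(message) < RRQ_LEN + 6 + 16:
        return False
    body, ext = message[:-22], message[-22:]
    ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
    if ext_type != MHAE_TYPE or ext_len != MHAE_LENGTH or spi not in keys_by_spi:
        return False
    expected = mhae_authenticator(keys_by_spi[spi], body, spi)
    return hmac.compare_digest(ext[6:], expected)

# Constructed sample: a derived session key, an SPI, and a registration from CoA 192.0.2.7.
SESSION_KEY = b"constructed-derived-session-key"
SPI = 0x100
sample_rrq = build_rrq("10.0.0.5", "10.0.0.1", "192.0.2.7", 300, 0x1234567890ABCDEF)
sample_message = append_mhae(SESSION_KEY, sample_rrq, SPI)
```

Flipping any bit of the CoA field (offset 12 in the header) or presenting a different SPI makes `verify_rrq` return False, which is the check the Home Agent relies on for every registration after the bootstrap.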
While not related to the derivation or distribution of security associations, four more extensions
are defined as part of Cisco Dynamic Security Association and Key Distribution to facilitate the
zero-configuration client solution. These extensions are as follows:
• The Home network prefix extension allows the Home Agent to inform the Mobile Node
of the prefix or netmask that should be used with the assigned home address.
• The Domain Name System (DNS) server extensions provide the Mobile Node with DNS
servers it should use during the session.
• The DHCP server extension and the DHCP client identifier extension are optional
parameters that allow the Mobile Node to acquire configuration options from and
maintain a lease with the DHCP server.
Beyond the basic concepts of authentication and authorization, location privacy often comes up
in Mobile IPSec discussions. The concern is that the Mobile IP registration process divulges too
much information about the location, both physically and logically, of a Mobile Node, its home
network, and as such, the person to whom the Mobile Node belongs. For example, if a delivery
company has Mobile Nodes in each vehicle, it could easily determine whether a driver had left
his route and gone home for lunch by evaluating the physical location of the CoA used by the
Mobile Node. The Mobile Node might also not want the foreign network to know where the
node is from.
However, the privacy implications in Mobile IP v4 are debatable. Because no support exists for
route optimization, only the operator of the Home Agent has direct access to the CoA
information. It is clearly possible to use a location-discovery mechanism like traceroute to
discover the location of a Mobile Node, but this can be blocked. While location privacy should
be considered when evaluating the security impacts of a Mobile IP solution, these impacts are
rarely formidable enough to preclude deployment.