Authentication is an important issue in all types of network communications. The ability to authenticate is especially critical when the communications are for the purpose of changing network communication parameters. The computer network environment of a computer may change so rapidly that it is rarely practical to configure a device to know beforehand the values of all the parameters it may need to use in communicating with other devices (here called “correspondents”). As an example of rapidly changing communication parameters, consider a mobile device such as a laptop computer equipped with a wireless network card. The network address of the laptop changes as it moves from one wireless network area to another. A correspondent wishing to communicate with the laptop cannot know beforehand what wireless network address the laptop will use. Even if the correspondent could discover the laptop's current network address, that address may become obsolete the next instant as the laptop moves to a new wireless network area.
To allow communications to proceed in the face of such flux, some communications protocols provide for update messages. Continuing the example of the mobile laptop computer, when the laptop changes its wireless network address, it sends update messages to all correspondents it intends to communicate with to inform them of the new network address. In this context, the new wireless network address is the communication parameter to be changed. Besides this direct publication of the new address, some protocols allow the address change to be published indirectly. To that end, the laptop has a fixed and routable “home address.” The home address serves as a unique identifier of the laptop on a “home network.” Correspondents send messages intended for the laptop to the laptop's fixed home address. A “home agent” on the home network receives the messages and forwards them to the current wireless network address of the laptop. In this indirect addressing method, the laptop's current wireless network address is called its “care-of address.” The laptop needs to inform only the home agent of changes to its care-of address, and the other correspondents continue to use the laptop's unchanged home address to communicate with the laptop. Similar direct and indirect methods are generally useful for publishing parameters other than changing addresses.
A serious concern regarding the use of update messages for changing communication parameters is caused by the risk of fraudulent publication. For example, in one scenario, a malicious attacker who wants to “tap” the communications intended for the laptop may send a fraudulent update message to the laptop's home agent to update the laptop's care-of address to be the address of the attacker. If the home agent is unable to detect the falsity of the fraudulent message and acts on the message to make the change, traffic intended for the laptop will be routed by the home agent to the attacker instead. The attacker can then read the traffic before sending it along to the laptop, thereby “tapping” its communications.
Protocols address the problem of fraudulent publication by implementing authentication services. The recipient of an update message uses the authentication services to verify the identity of the sender of the message and acts on the update message only if the authentication shows that the message was sent by a device with the authority to change the parameter. For example, the Internet Engineering Task Force Request for Comments (IETF RFC) 2401 “Security Architecture for the Internet Protocol” mandates the use of IPsec authentication for update messages in the Mobile Internet Protocol (MIPv6). Other protocols provide similar authentication services. However, one perceived difficulty in implementing the authentication functionality is that IPsec and other authentication services provide their security by means of quite complicated mechanisms. They come at a heavy price in terms of a significant investment in administrative and communicative overhead. This overhead may impede the growth of mobile networks. On the other hand, without a suitable authentication mechanism, the new networks are vulnerable to simple attacks.
What is needed is a lightweight, easily deployable, mechanism for authenticating parameter update messages that provides much of the security of heavyweight authentication mechanisms such as IPsec, but with lower administrative and communicative overhead.