Certainly this is a non-ideal usage of the challenge extension between the Foreign Agent and the Home Agent. Currently there is no standalone/explicit mechanism for protection against a bogus Registration Reply received from the Home Agent if there is no SA between the FA and the HA. Also, removing this functionality will cause a backward-compatibility issue with RFC3012. Hence, our current recommendation is to keep this functionality within RFC3012bis.
There are no modifications proposed for this issue in the RFC3012bis draft.