INTERNET DRAFT                                            Pat R. Calhoun
Category: Standards Track                             Charles E. Perkins
Title: draft-calhoun-diameter-mobileip-00.txt     Sun Microsystems, Inc.
Date: July 1998



                               DIAMETER
                          Mobile IP Extensions
                <draft-calhoun-diameter-mobileip-00.txt>



Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).


Abstract

   DIAMETER is an Authentication, Authorization and Accounting (AAA)
   Policy Protocol that is used between two entities for various
   services.

   This document defines an extension that allows a DIAMETER Client to
   request authentication and receive authorization information for a
   Mobile IP Mobile Node.










Calhoun                   expires January 1999                  [Page 1]


INTERNET DRAFT                                                 July 1998


Table of Contents

      1.0  Introduction
      1.1  Specification of Requirements
      2.0  Command Codes
      2.1  AA-Mobile-Node-Request (AMR)
      2.2  AA-Mobile-Node-Answer (AMA)
      2.3  Home-Agent-MIP-Request
      2.4  Home-Agent-MIP-Answer
      3.0  DIAMETER AVPs
      3.1  MIP-Registration-Request
      3.2  MIP-Registration-Reply
      3.3  MN-FA-Challenge
      3.4  MN-FA-Response
      3.5  MN-FA-SPI
      3.6  MN-to-FA-Key
      3.7  FA-to-MN-Key
      3.8  FA-HA-SPI
      3.9  FA-to-HA-Key
      3.10 HA-to-FA-Key
      3.11 MN-HA-SPI
      3.12 MN-to-HA-Key
      3.13 HA-to-MN-Key
      3.14 Mobile-Node-Address
      3.15 Home-Agent-Address
      3.16 Session-Timeout
      4.0  Protocol Definition
      5.0  References
      6.0  Authors' Addresses


1.0  Introduction

   The Mobile IP [4] protocol defines a method that allows Mobile Nodes
   to change their point of attachment to the Internet without service
   disruption.  The protocol requires that all Mobility Agents share a
   pre-existing security association, which leads to scaling problems.
   The protocol also does not specify how Mobility Agents account for
   services rendered, which makes it unattractive for use by service
   providers.

   This draft describes an extension that allows cross-domain
   authentication and authorization, assignment of Mobile Node Home
   Addresses, assignment of Home Agents, and Key Distribution, so that
   Mobile IP can scale to large networks.

   The dynamic assignment of Mobile Node and Home Agent addresses makes
   this extension useful for Service Providers wishing to provide Mobile
   IP services for mobile nodes.

   The soon-to-be DIAMETER Accounting extension will be used to collect
   accounting information.

   This extension requires small modifications to the Mobile IP protocol
   [4], which already exist in the TEP protocol [8], to allow a Mobile
   Node to identify itself using an NAI [6] in addition to an IP
   address. The use of the NAI is consistent with the current roaming
   model which makes use of DIAMETER proxying [7].

   The Extension number for this draft is four (4). This value is used
   in the Extension-Id AVP as defined in [1].


1.1  Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification.  These words are often capitalized.

   MUST      This word, or the adjective "required", means that the
             definition is an absolute requirement of the
             specification.

   MUST NOT  This phrase means that the definition is an absolute
             prohibition of the specification.

   SHOULD    This word, or the adjective "recommended", means that
             there may exist valid reasons in particular circumstances
             to ignore this item, but the full implications must be
             understood and carefully weighed before choosing a
             different course.

   MAY       This word, or the adjective "optional", means that this
             item is one of an allowed set of alternatives.  An
             implementation which does not include this option MUST
             be prepared to interoperate with another implementation
             which does include the option.


2.0  Command Codes

   This document defines the following DIAMETER Commands. All DIAMETER
   implementations supporting this extension MUST support all of the
   following commands:

      Command Name          Command Code
      -----------------------------------
      AA-Mobile-Node-Request    306
      AA-Mobile-Node-Answer     307
      Home-Agent-MIP-Request    308
      Home-Agent-MIP-Answer     309


2.1  AA-Mobile-Node-Request (AMR)

   Description

      The AA-Mobile-Node-Request is sent by a Foreign Agent acting as a
      DIAMETER client to a server to request authentication and
      authorization of a Mobile Node.

      The AA-Mobile-Node-Request message MUST include the MIP-
      Registration-Request, User-Name, MN-FA-Challenge, MN-FA-Response
      and Session-Id AVPs.

      When the Mobile-Node-Address AVP is absent from the AA-Mobile-
      Node-Request, it indicates that a Home Address should be assigned
      to the Mobile Node. When the Home-Agent-Address AVP is absent from
      the AA-Mobile-Node-Request, it indicates that a Home Agent should
      be assigned to the Mobile Node.

   Message Format

      <AA-Mobile-Node-Request>  ::= <DIAMETER Header>
                                    <AA-Mobile-Node-Request Command AVP>
                                    <Session-Id AVP>
                                    <User-Name AVP>
                                    <MIP-Registration-Request AVP>
                                    <MN-FA-Challenge AVP>
                                    <MN-FA-Response AVP>
                                    <Timestamp AVP>
                                    <Initialization-Vector AVP>
                                    {<Integrity-Check-Vector AVP> ||
                                     <Digital-Signature AVP> }

   AVP Format

      A summary of the AA-Mobile-Node-Request packet format is shown
      below. The fields are transmitted from left to right.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |U|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256     DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 306 (AA-Mobile-Node-
         Request).


2.2  AA-Mobile-Node-Answer (AMA)

   Description

      The AA-Mobile-Node-Answer is sent by the DIAMETER Server to the
      client in response to the AA-Mobile-Node-Request message. The
      message MUST include the Session-Id, Result-Code, MIP-
      Registration-Reply as well as the various key and SPI AVPs (shown
      below) and MAY include the Home-Agent-Address and Mobile-Node-
      Address AVPs.

      When the Home-Agent-Address AVP is present in this message it
      contains the Home Agent that was assigned to the Mobile Node. When
      the Mobile-Node-Address AVP is present in this message it contains
      the Home Address that is being assigned to the Mobile Node.

      The following error codes are defined for this message:

         DIAMETER_ERROR_UNKNOWN_DOMAIN       1
            This error code is used to indicate to the initiator of the
            request that the requested domain is unknown and cannot be
            resolved.

         DIAMETER_ERROR_USER_UNKNOWN         2
            This error code is used to indicate to the initiator that
            the username in the request is not valid.

         DIAMETER_ERROR_BAD_PASSWORD         3
            This error code indicates that the password provided is
            invalid.

         DIAMETER_ERROR_CANNOT_AUTHORIZE     4
            This error code is used to indicate that the user cannot be
            authorized because the user has exhausted local resources,
            for example when the server believes that the user has
            already spent all the credits in his/her account.

   Message Format

      <AA-Mobile-Node-Answer>  ::= <DIAMETER Header>
                                   <AA-Mobile-Node-Answer Command AVP>
                                   <Session-Id AVP>
                                   <Result-Code AVP>
                                   <MIP-Registration-Reply AVP>
                                   <MN-FA-SPI AVP>
                                   <FA-to-MN-Key AVP>
                                   <FA-HA-SPI AVP>
                                   <FA-to-HA-Key AVP>
                                   [<Home-Agent-Address AVP>]
                                   [<Mobile-Node-Address AVP>]
                                   <Timestamp AVP>
                                   <Initialization-Vector AVP>
                                   {<Integrity-Check-Vector AVP> ||
                                    <Digital-Signature AVP> }

   AVP Format

      A summary of the AA-Mobile-Node-Answer packet format is shown
      below. The fields are transmitted from left to right.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |U|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256     DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 307 (AA-Mobile-Node-
         Answer).


2.3  Home-Agent-MIP-Request (HAR)

   Description

      The Home-Agent-MIP-Request is sent by the home DIAMETER server to
      the Home Agent overseeing the Mobile Node to process the Mobile IP
      Registration Request.

      The Home-Agent-MIP-Request message MUST include the MIP-
      Registration-Request, User-Name, Session-Id as well as the SPI and
      key AVPs (shown below) to be used by the Mobile Node and the Home
      Agent.

      When the Mobile-Node-Address AVP is absent from the request it
      indicates that the Home Agent MUST assign a Home Address for the
      Mobile Node, otherwise the value in the Mobile-Node-Address AVP
      MUST be used.

   Message Format

      <Home-Agent-MIP-Request>  ::= <DIAMETER Header>
                                    <Home-Agent-MIP-Request Command AVP>
                                    <Session-Id AVP>
                                    <User-Name AVP>
                                    <MIP-Registration-Request AVP>
                                    <MN-HA-SPI AVP>
                                    <HA-to-MN-Key AVP>
                                    <MN-to-HA-Key AVP>
                                    <FA-HA-SPI AVP>
                                    <HA-to-FA-Key AVP>
                                    <MN-FA-SPI AVP>
                                    <MN-to-FA-Key AVP>
                                    [<Mobile-Node-Address AVP>]
                                    <Timestamp AVP>
                                    <Initialization-Vector AVP>
                                    {<Integrity-Check-Vector AVP> ||
                                     <Digital-Signature AVP> }

   AVP Format

      A summary of the Home-Agent-MIP-Request packet format is shown
      below. The fields are transmitted from left to right.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |U|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256     DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 308 (Home-Agent-MIP-
         Request).


2.4  Home-Agent-MIP-Answer (HAA)

   Description

      The Home-Agent-MIP-Answer is sent by the Home Agent to the home
      DIAMETER Server in response to the Home-Agent-MIP-Request. The
      message MUST include the Session-Id, Result-Code, MIP-
      Registration-Reply and MAY include the Mobile-Node-Address if the
      Home Agent was responsible for assigning an address to the Mobile
      Node.

      The following error codes are defined for this message:

         DIAMETER_ERROR_BAD_KEY             1
            This error code is used by the Home Agent to indicate to the
            local DIAMETER Server that the key generated is invalid.

         DIAMETER_ERROR_BAD_HOME_ADDRESS    2
            This error code is used by the Home Agent to indicate that
            the Home Address chosen by the Mobile Node or assigned by
            the local DIAMETER server cannot be handled.

         DIAMETER_ERROR_TOO_BUSY            3
            This error code is used by the Home Agent to inform the
            DIAMETER Server that it cannot handle an extra Mobile Node.
            Upon receiving this error the DIAMETER Server can try to use
            an alternate Home Agent if available.

         DIAMETER_ERROR_MIP_REPLY_FAILURE   4
            This error code is used by the Home Agent to inform the
            DIAMETER Server that the Registration Request was not
            successful.

   Message Format

      <Home-Agent-MIP-Answer>  ::= <DIAMETER Header>
                                   <Home-Agent-MIP-Answer Command AVP>
                                   <Session-Id AVP>
                                   <Result-Code AVP>
                                   <MIP-Registration-Reply AVP>
                                   [<Mobile-Node-Address AVP>]
                                   <Timestamp AVP>
                                   <Initialization-Vector AVP>
                                   {<Integrity-Check-Vector AVP> ||
                                    <Digital-Signature AVP> }

   AVP Format

      A summary of the Home-Agent-MIP-Answer packet format is shown
      below. The fields are transmitted from left to right.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |U|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256     DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 309 (Home-Agent-MIP-
         Answer).


3.0  DIAMETER AVPs

   This section defines the mandatory AVPs which MUST be supported by
   all DIAMETER implementations supporting this extension. The
   following AVPs are defined in this document:

      Attribute Name       Attribute Code
      -----------------------------------
      MIP-Registration-Request  320
      MIP-Registration-Reply    321
      MN-FA-Challenge           322
      MN-FA-Response            323
      MN-FA-SPI                 324
      MN-to-FA-Key              325
      FA-to-MN-Key              326
      FA-HA-SPI                 327
      FA-to-HA-Key              328
      HA-to-FA-Key              329
      MN-HA-SPI                 330
      MN-to-HA-Key              331
      HA-to-MN-Key              332
      Mobile-Node-Address       333
      Home-Agent-Address        334
      Session-Timeout            27
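
   The AVP header layout and the per-command AVP lists above can be
   exercised with a small codec. The following Python is an added example,
   not code from this draft or from any DIAMETER implementation: it encodes
   and bounds-checks AVPs in the header format of section 2.1 (32-bit code,
   16-bit length, six flag bits), enforces the flag rule stated for every
   AVP (M set; V, T and U clear) and checks that a message body carries the
   Command AVP and every AVP its Description says it MUST include. The
   codes for Session-Id, User-Name and Result-Code are not given in this
   draft; the values used are placeholders assumed for the example.

```python
import struct

# Command and AVP codes from sections 2.0 and 3.0 of this draft.
AVP_COMMAND = 256
CMD_AMR, CMD_AMA, CMD_HAR, CMD_HAA = 306, 307, 308, 309
MIP_REG_REQUEST, MIP_REG_REPLY = 320, 321
MN_FA_CHALLENGE, MN_FA_RESPONSE = 322, 323
MN_FA_SPI, MN_TO_FA_KEY, FA_TO_MN_KEY = 324, 325, 326
FA_HA_SPI, FA_TO_HA_KEY, HA_TO_FA_KEY = 327, 328, 329
MN_HA_SPI, MN_TO_HA_KEY, HA_TO_MN_KEY = 330, 331, 332

# The draft does not list codes for the base-protocol AVPs it reuses; these
# three values are ASSUMED placeholders for this example only.
SESSION_ID, USER_NAME, RESULT_CODE = 263, 1, 268

# Flag bits in the low six bits of the second header word: |U|T|V|E|H|M|
FLAG_M, FLAG_H, FLAG_E, FLAG_V, FLAG_T, FLAG_U = 1, 2, 4, 8, 16, 32
FORBIDDEN_FLAGS = FLAG_V | FLAG_T | FLAG_U
HEADER_LEN = 8          # AVP Code (4) + AVP Length (2) + Reserved/flags (2)
SPI_AVPS = {MN_FA_SPI, FA_HA_SPI, MN_HA_SPI}   # Integer32 payload, length 12

# AVPs each command's Description says the message MUST include.
REQUIRED = {
    CMD_AMR: {SESSION_ID, USER_NAME, MIP_REG_REQUEST, MN_FA_CHALLENGE,
              MN_FA_RESPONSE},
    CMD_AMA: {SESSION_ID, RESULT_CODE, MIP_REG_REPLY, MN_FA_SPI, FA_TO_MN_KEY,
              FA_HA_SPI, FA_TO_HA_KEY},
    CMD_HAR: {SESSION_ID, USER_NAME, MIP_REG_REQUEST, MN_HA_SPI, HA_TO_MN_KEY,
              MN_TO_HA_KEY, FA_HA_SPI, HA_TO_FA_KEY, MN_FA_SPI, MN_TO_FA_KEY},
    CMD_HAA: {SESSION_ID, RESULT_CODE, MIP_REG_REPLY},
}

def encode_avp(code, data, flags=FLAG_M):
    """One AVP: 32-bit code, 16-bit total length, 10 reserved bits, 6 flag bits."""
    return struct.pack("!IHH", code, HEADER_LEN + len(data), flags & 0x3F) + data

def encode_command_avp(command_code):
    """DIAMETER Command AVP (code 256) carrying a 32-bit Command Code; length 12."""
    return encode_avp(AVP_COMMAND, struct.pack("!I", command_code))

def decode_avps(buf):
    """Split a buffer of concatenated AVPs into (code, flags, data) tuples."""
    # AVP Length comes from the wire, so every AVP is bounds-checked against
    # the buffer before its data is sliced; short or overlong lengths are rejected.
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, length, flagword = struct.unpack_from("!IHH", buf, off)
        if length < HEADER_LEN or off + length > len(buf):
            raise ValueError("bad AVP length %d for code %d" % (length, code))
        avps.append((code, flagword & 0x3F, bytes(buf[off + HEADER_LEN:off + length])))
        off += length
    return avps

def flags_ok(flags):
    """Rule stated for every AVP in this draft: M set; V, T and U clear."""
    return bool(flags & FLAG_M) and not (flags & FORBIDDEN_FLAGS)

def validate_message(buf):
    """Return (command_code, problems) for a message body made of AVPs."""
    # An empty problems list means: 12-byte Command AVP first, legal flags on
    # every AVP, 12-byte SPI AVPs, and every required AVP present.
    avps = decode_avps(buf)
    if not avps or avps[0][0] != AVP_COMMAND or len(avps[0][2]) != 4:
        return None, ["first AVP is not a 12-byte DIAMETER Command AVP"]
    command = struct.unpack("!I", avps[0][2])[0]
    if command not in REQUIRED:
        return command, ["unknown command code %d" % command]
    problems = []
    for code, flags, data in avps:
        if not flags_ok(flags):
            problems.append("AVP %d has invalid flags 0x%02x" % (code, flags))
        if code in SPI_AVPS and len(data) != 4:
            problems.append("SPI AVP %d must be 12 bytes long" % code)
    present = {code for code, _, _ in avps}
    for code in sorted(REQUIRED[command] - present):
        problems.append("missing required AVP %d" % code)
    return command, problems

def build_sample_amr():
    """Constructed AMR body from a Foreign Agent; every value is made up."""
    # Mobile-Node-Address and Home-Agent-Address are left out on purpose,
    # which per section 2.1 asks the home server to assign both.
    return b"".join([
        encode_command_avp(CMD_AMR),
        encode_avp(SESSION_ID, b"fa.example.net;1"),
        encode_avp(USER_NAME, b"mn@example.com"),            # NAI
        encode_avp(MIP_REG_REQUEST, b"\x01\x00\x00\x10" + b"\x00" * 12),
        encode_avp(MN_FA_CHALLENGE, b"\x11" * 16),
        encode_avp(MN_FA_RESPONSE, b"\x22" * 16),
    ])
```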


3.1  MIP-Registration-Request

   Description

      This AVP is used to carry the Mobile IP Registration Request [4]
      sent by the Mobile Node to the Foreign Agent within a DIAMETER
      message.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         320     MIP-Registration-Request

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile IP Registration Request.


3.2  MIP-Registration-Reply

   Description

      This AVP is used to carry the Mobile IP Registration Reply [4]
      sent by the Home Agent to the Foreign Agent within a DIAMETER
      message.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         321     MIP-Registration-Reply

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile IP Registration Reply.


3.3  MN-FA-Challenge

   Description

      This AVP contains the Challenge generated by the Foreign Agent to
      the Mobile Node as defined in [5].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         322     MN-FA-Challenge

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Foreign Agent's Challenge to the
         Mobile Node.


3.4  MN-FA-Response

   Description

      This AVP contains the Response generated by the Mobile Node as
      defined in [5]. The value is the result of the Challenge presented
      by the Foreign Agent hashed using the secret the Mobile Node
      shares with its Home DIAMETER Server.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         323     MN-FA-Response

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile Node's Challenge Response.
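
   Verification of the MN-FA-Challenge / MN-FA-Response pair on the home
   DIAMETER server, as an added example that is not part of this draft.
   The draft defers the exact computation to [5], so the HMAC-SHA256 keyed
   with the shared secret used here is an assumption, as are the value 0
   for success, the constructed NAI, secret and realm, and the choice to
   report a replayed challenge as DIAMETER_ERROR_BAD_PASSWORD.

```python
import hashlib
import hmac
import os

# AA-Mobile-Node-Answer Result-Code values from section 2.2 of this draft.
# The draft gives no value for success; 0 is ASSUMED here.
DIAMETER_SUCCESS = 0
DIAMETER_ERROR_UNKNOWN_DOMAIN = 1
DIAMETER_ERROR_USER_UNKNOWN = 2
DIAMETER_ERROR_BAD_PASSWORD = 3

def new_challenge(nbytes=16):
    """Foreign Agent side: an unpredictable value for the MN-FA-Challenge AVP."""
    return os.urandom(nbytes)

def compute_response(secret, challenge):
    """Value carried in the MN-FA-Response AVP.

    The draft says only that the challenge is hashed with the secret the
    Mobile Node shares with its home DIAMETER server and defers details to
    [5]; HMAC-SHA256 keyed with that secret is an ASSUMPTION of this example.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class HomeServer:
    """Home DIAMETER server state for checking an AMR's challenge/response.

    realms: NAI realms this server is authoritative for.
    secrets: NAI -> shared secret.  Accepted (NAI, challenge) pairs are
    remembered so a replayed AMR carrying an old pair is not accepted twice.
    """

    def __init__(self, secrets, realms):
        self.secrets = dict(secrets)
        self.realms = set(realms)
        self.seen = set()

    def verify(self, user_name, challenge, response):
        """Return the Result-Code to place in the AA-Mobile-Node-Answer."""
        _, sep, realm = user_name.partition("@")
        if not sep or realm not in self.realms:
            return DIAMETER_ERROR_UNKNOWN_DOMAIN
        secret = self.secrets.get(user_name)
        if secret is None:
            return DIAMETER_ERROR_USER_UNKNOWN
        expected = compute_response(secret, challenge)
        # constant-time compare: a wrong response must not reveal through
        # timing how many leading bytes matched
        if not hmac.compare_digest(expected, response):
            return DIAMETER_ERROR_BAD_PASSWORD
        if (user_name, challenge) in self.seen:
            # replayed challenge; the draft defines no dedicated code, so
            # this example reports it as a failed authentication
            return DIAMETER_ERROR_BAD_PASSWORD
        self.seen.add((user_name, challenge))
        return DIAMETER_SUCCESS
```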


3.5  MN-FA-SPI

   Description

      The MN-FA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Mobile Node (MN-to-FA-Key,
      FA-to-MN-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         324     MN-FA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         key shared between the Mobile Node and the Foreign Agent.


3.6  MN-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the Mobile-
      Foreign-Authentication-Extension in the Mobile IP Registration
      Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         325     MN-to-FA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Mobile Node when generating the Mobile IP Mobile-Foreign-
         Authentication-Extension.


3.7  FA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the Mobile-
      Foreign-Authentication-Extension in the Mobile IP Registration
      Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         326     FA-to-MN-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Foreign Agent when generating the Mobile IP Mobile-Foreign-
         Authentication-Extension.


3.8  FA-HA-SPI

   Description

      The FA-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Home Agent (FA-to-HA-Key,
      HA-to-FA-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         327     FA-HA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         key shared between the Foreign Agent and the Home Agent.


3.9  FA-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the
      Foreign-Home-Authentication-Extension in the Mobile IP
      Registration Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         328     FA-to-HA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Foreign Agent when generating the Mobile IP Foreign-Home-
         Authentication-Extension.


3.10  HA-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the Foreign-
      Home Authentication-Extension in the Mobile IP Registration Reply
      [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         329     HA-to-FA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Home Agent when generating the Mobile IP Foreign-Home-
         Authentication-Extension.


3.11  MN-HA-SPI

   Description

      The MN-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Mobile Node and the Home Agent (MN-to-HA-Key, HA-
      to-MN-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         330     MN-HA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         Session Key shared between the Mobile Node and the Home Agent.


3.12  MN-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the Mobile-
      Home Authentication-Extension in the Mobile IP Registration
      Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         331     MN-to-HA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Mobile Node when generating the Mobile IP Mobile-Home-
         Authentication-Extension.


3.13  HA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the Mobile-Home
      Authentication-Extension in the Mobile IP Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         332     HA-to-MN-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Home Agent when generating the Mobile IP Mobile-Home-
         Authentication-Extension.


3.14  Mobile-Node-Address

   Description

      When used in the AA-Mobile-Node-Request it contains the Mobile
      Node's Home Address. When present in the MIP-Registration-Reply
      message it contains the Home Address assigned to the Mobile Node.

      The lack of this AVP in the AA-Mobile-Node-Request indicates that
      the Mobile Node is requesting that a Home Address be assigned to
      it.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         333     Mobile-Node-Address

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Address

         The Address field contains the IP address assigned to the
         Mobile Node.


3.15  Home-Agent-Address

   Description

      When used in the AA-Mobile-Node-Request it contains the Mobile
      Node's requested Home Agent. When present in the MIP-
      Registration-Reply message it contains the Home Agent assigned to
      the Mobile Node.

      The lack of this AVP in the AA-Mobile-Node-Request indicates that
      the Mobile Node is requesting that a Home Agent be assigned to it.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         334     Home-Agent-Address

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Address

         The Address field contains the Home Agent address assigned to
         the Mobile Node.


3.16  Session-Timeout

   Description

      This AVP contains the number of seconds before the session keys
      expire.

   AVP Format

   A summary of the Session-Timeout Attribute format is shown below.
   The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         27      Session-Timeout

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field is 4 octets, containing a 32-bit unsigned
         integer with the number of seconds before the session keys
         expire.

         A value of zero means that the session keys have no expiration.


4.0  Protocol Definition

   This section outlines how the DIAMETER Mobile IP Extension is used.
   The following diagram is an example of an inter-domain Mobile IP
   network.

                            ISP                   Home Network
                        +--------+                 +--------+
                        | proxy  |      AMR/A      |  AAA   |
                        |  AAA   |<--------------->|        |
                        | server |  server-server  | server |
                        +--------+  communication  +--------+
                         /    /|                   /|(
                        /AMR/A | client-server       | HAR/A
                       /       | communication       |
                     |/_      /                   /
             +---------+       +---------+          +---------+
             | Foreign |       | Foreign |          |  Home   |
             |  Agent  |       |  Agent  |          |  Agent  |
             +---------+       +---------+          +---------+
                              /|(
                               | Mobile IP
                               |
                              /
                              +--------+
                              | Mobile |
                              | Node   |
                              +--------+



   The AA-Mobile-Node-Request is generated by the Foreign Agent and
   includes the AVPs defined in section 2.1. If the Home Address field
   in the Registration Request was set to a value other than zero the
   Mobile-Node-Address AVP is added to the DIAMETER request. If the Home
   Agent field in the Registration Request was set to a value other than
   zero the Home-Agent-Address AVP is added to the DIAMETER request. The
   DIAMETER request is then forwarded to the Foreign Agent's local
   DIAMETER Server.

   When the ISP's DIAMETER Server receives the message it looks at the
   User-Name AVP [1] to determine whether authentication and
   authorization can be handled locally. The User-Name format is
   consistent with the NAI described in [6] and the user's domain is
   used to determine the Mobile Node's home DIAMETER Server. In the
   example below the request cannot be processed locally, therefore the
   request is forwarded to the Mobile Node's home DIAMETER Server.

   The following is an example of the first Mobile IP and DIAMETER
   exchange which sets up the key. Note that this example is also valid
   when the session key expires and a new key needs to be generated.

   Mobile Node   Foreign Agent   Proxy Server   Home Server   Home Agent
   -----------   -------------   ------------   -----------   ----------

             <-------Challenge
   Reg-Req(Response)->
                 AMR------------->
                                 AMR------------>
                                                HAR----------->
                                                          <----------HAA
                                            <-----------AMA
                             <------------AMA
             <-------Reg-Reply

   The home DIAMETER Server must first authenticate the user. This is
   done by first validating the MN-FA-Challenge, which contains a
   timestamp. The timestamp is embedded within the challenge to prevent
   replay attacks. The server then uses the user's secret or its public
   key, performs the hash on the challenge and ensures that the result
   is identical to the value in the MN-FA-Response AVP. If both values
   are identical the user is authenticated, otherwise an error message
   is returned. See [5] for more information on the challenge format and
   how the hash is computed.

   If successfully authenticated, the DIAMETER Server checks whether the
   Home-Agent-Address AVP was part of the AA-Mobile-Node-Request. If so
   the server must validate the address to ensure that it is a known
   Home Agent.  If no such AVP was present in the request the server can
   allocate a known Home Agent for the Mobile Node. This can be done in
   a variety of ways including using a load balancing algorithm in order
   not to overburden any given Home Agent. Note that the existing Home
   Agent Discovery method described in [4] can still be used.

   If the request did not contain a Mobile-Node-Address AVP, the
   DIAMETER Server has the option to assign an address for the Mobile
   Node or leave it up to the Home Agent to assign an address. This is
   purely a local policy decision.

   The DIAMETER Server then generates three sets of short-lived session
   keys: one shared between the Home Agent and the Foreign Agent, one
   between the Mobile Node and the Foreign Agent, and one between the
   Mobile Node and the Home Agent.

   The keys destined for the Mobile Node are encrypted either using the
   Mobile Node's secret or its public key [1]. The keys destined for the
   Foreign Agent are encrypted either using the DIAMETER Secret shared
   between the Home DIAMETER Server and the ISP's proxy Server, or using
   public key cryptography [1]. The keys destined for the Home Agent can
   be either encrypted using the DIAMETER Secret, or if IPSEC's ESP is
   in use no DIAMETER encryption is necessary. The Session-Timeout AVP
   is included and contains the number of seconds before the session
   keys expire.

   Note that this extension requires a departure from the existing SPI
   usage described in [4]. The DIAMETER Server generates SPI values for
   the Mobility Agents as opposed to a receiver choosing its own SPI
   value. The SPI values are used as a Key Identifier, meaning that each
   shared session key has its own SPI value and since two nodes share a
   session key they share an SPI as well.

   Take for example a scenario where a Mobile Node and a Foreign Agent
   share a key that was created by the DIAMETER Server. The Server also
   generated a corresponding SPI value of x. All Mobile-Foreign
   Authentication extensions must be computed by either entity using the
   shared session key and include the SPI value of x.

   The DIAMETER Server then sends a Home-Agent-MIP-Request to the
   assigned or requested Home Agent. The request contains the original
   MIP-Registration-Request as well as the keys and SPIs destined for
   the Home Agent (HA-to-MN-Key, MN-HA-SPI, HA-to-FA-Key and FA-HA-SPI
   AVPs) and the Mobile Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and
   MN-to-HA-Key AVPs). The Mobile-Node-Address AVP is present if the
   Mobile Node specified an address or if the home DIAMETER Server
   assigned an address, but not if the Home Agent assigns it.
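   The following is an added example, not code from this draft or from
   any DIAMETER implementation. It encodes and parses the AVPs of
   sections 3.8 through 3.16 with the MUST checks those sections state
   (M set; V, T and U clear; fixed length 12 for Integer32 and Address
   AVPs; at least 9 for key AVPs), and builds the Home Agent's share of
   the key/SPI AVP set that the paragraph above says the home DIAMETER
   Server places in the Home-Agent-MIP-Request. It assumes a bit layout
   the draft does not spell out (the six flag bits in the low-order bits
   of the 16-bit field after AVP Length, M in the least significant bit,
   matching the left-to-right order U T V E H M of the diagrams), a
   4-octet IPv4 Address field, and opaque octets standing in for the
   encrypted keys, since key encryption is defined in [1] rather than
   here. The Mobile-Foreign key and SPI AVPs are defined earlier in the
   draft and are not covered.

```python
"""Encoder/decoder for the DIAMETER Mobile IP AVPs of sections 3.8-3.16
and the Home Agent's key/SPI AVP set from the Home-Agent-MIP-Request.
Added example, not code from the draft. Assumptions: flag bits in the
low six bits of the 16-bit field after AVP Length (M = bit 0 ... U = bit
5); Address is a 4-octet IPv4 address; encrypted keys are opaque octets."""
import os
import socket
import struct

# Flag bits of the "Reserved | U T V E H M" field (assumed layout).
FLAG_M, FLAG_H, FLAG_E, FLAG_V, FLAG_T, FLAG_U = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FORBIDDEN = FLAG_V | FLAG_T | FLAG_U          # MUST NOT be set on any AVP here

# AVP codes from section 3; Session-Timeout is base-protocol AVP 27.
FA_HA_SPI, FA_TO_HA_KEY, HA_TO_FA_KEY = 327, 328, 329
MN_HA_SPI, MN_TO_HA_KEY, HA_TO_MN_KEY = 330, 331, 332
MOBILE_NODE_ADDRESS, HOME_AGENT_ADDRESS, SESSION_TIMEOUT = 333, 334, 27

HEADER = struct.Struct(">IHH")                # AVP Code, AVP Length, flags
INT32 = {FA_HA_SPI, MN_HA_SPI, SESSION_TIMEOUT}
ADDR = {MOBILE_NODE_ADDRESS, HOME_AGENT_ADDRESS}
KEY = {FA_TO_HA_KEY, HA_TO_FA_KEY, MN_TO_HA_KEY, HA_TO_MN_KEY}


def encode_avp(code, value, flags=FLAG_M):
    """Serialise one AVP. `value` is an int (Integer32), a dotted-quad
    string (Address) or bytes (already-encrypted key)."""
    if code in INT32:
        data = struct.pack(">I", value)
    elif code in ADDR:
        data = socket.inet_aton(value)
    elif code in KEY:
        data = bytes(value)
        if not data:
            raise ValueError("key AVP needs at least one data octet")
    else:
        raise ValueError("unknown AVP code %d" % code)
    return HEADER.pack(code, HEADER.size + len(data), flags) + data


def decode_avps(buf):
    """Parse a run of AVPs, enforcing the MUST clauses of section 3.
    Returns {code: value}; raises ValueError on any violation."""
    out, off = {}, 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, length, flags = HEADER.unpack_from(buf, off)
        if length < HEADER.size or off + length > len(buf):
            raise ValueError("AVP %d: bad length %d" % (code, length))
        if not flags & FLAG_M:
            raise ValueError("AVP %d: M bit MUST be set" % code)
        if flags & FORBIDDEN:
            raise ValueError("AVP %d: V/T/U bits MUST NOT be set" % code)
        data = buf[off + HEADER.size:off + length]
        if code in INT32 or code in ADDR:
            if length != 12:
                raise ValueError("AVP %d: length MUST be 12" % code)
            if code in INT32:
                value = struct.unpack(">I", data)[0]
            else:
                value = socket.inet_ntoa(data)
        elif code in KEY:
            if length < 9:
                raise ValueError("AVP %d: length MUST be at least 9" % code)
            value = data
        else:
            raise ValueError("AVP %d: not defined by this extension" % code)
        out[code] = value
        off += length
    return out


def build_har_key_avps(mn_ha_spi, fa_ha_spi, timeout, keys):
    """The Home Agent's keys and SPIs as carried in the Home-Agent-MIP-
    Request (HA-to-MN-Key, MN-HA-SPI, HA-to-FA-Key, FA-HA-SPI) plus the
    Session-Timeout. `keys` maps AVP code to encrypted key octets."""
    return b"".join([
        encode_avp(MN_HA_SPI, mn_ha_spi),
        encode_avp(HA_TO_MN_KEY, keys[HA_TO_MN_KEY]),
        encode_avp(FA_HA_SPI, fa_ha_spi),
        encode_avp(HA_TO_FA_KEY, keys[HA_TO_FA_KEY]),
        encode_avp(SESSION_TIMEOUT, timeout),
    ])


if __name__ == "__main__":
    # Constructed sample: random octets stand in for the encrypted keys.
    sample = {HA_TO_MN_KEY: os.urandom(16), HA_TO_FA_KEY: os.urandom(16)}
    wire = build_har_key_avps(0x1001, 0x1002, 3600, sample)
    parsed = decode_avps(wire)
    print("%d octets, %d AVPs, timeout %ds" % (len(wire), len(parsed),
                                              parsed[SESSION_TIMEOUT]))
```

   A receiver that does not reject a cleared M bit or a set V, T or U
   bit would accept AVPs from an implementation of a different flag
   layout or a later revision, so the parser fails closed on either; the
   Reserved bits are ignored because the draft says nothing about them.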

   The Home Agent processes the DIAMETER Home-Agent-MIP-Request as well
   as the embedded Mobile IP Registration Request. If both are
   successfully processed, the Home Agent creates the Mobile IP
   Registration Reply, including the keying material to be used by the
   Mobile Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and MN-to-HA-Key),
   and attaches it as the MIP-Registration-Reply AVP. If no Mobile-
   Node-Address AVP was present in the request the Home Agent must
   assign an address for the Mobile Node. The Result-Code AVP is
   included and the Home-Agent-MIP-Answer is sent to the home DIAMETER
   Server.

   The home DIAMETER Server issues an AA-Mobile-Node-Answer to the
   Foreign Agent which includes the MIP-Registration-Reply, Result-Code
   and Mobile-Node-Address AVPs. The message also includes the key and
   SPI AVPs used by the Foreign Agent (MN-FA-SPI, FA-to-MN-Key, FA-HA-
   SPI and FA-to-HA-Key AVPs). The message is first transmitted to the
   ISP's proxy DIAMETER Server.

   Upon receipt of the successful AA-Mobile-Node-Answer the proxy server
   decrypts the FA-to-MN-Key and the FA-to-HA-Key AVPs. These keys are
   then re-encrypted using the DIAMETER secret, or are not encrypted if
   IPSEC's ESP is used between the Foreign Agent and the Proxy DIAMETER
   Server. The message is transmitted to the Foreign Agent.

   The Foreign Agent, upon receipt of the AA-Mobile-Node-Answer, must
   decrypt the appropriate key AVPs and process the Mobile IP
   Registration Reply, which is then forwarded to the Mobile Node.

   From this point on, Registration Requests and Replies no longer
   traverse the DIAMETER proxy chain; the Foreign Agent can contact the
   Home Agent directly using the keys which were previously distributed.
   This can continue until the session keys expire, as indicated in the
   Session-Timeout AVP.

   The following is an example of subsequent Mobile IP message exchange.

   Mobile Node                Foreign Agent                 Home Agent
   -----------                -------------                 ----------

   Reg-Req(MN-FA-Auth, MN-HA-Auth)-------->

                              Reg-Req(MN-HA-Auth, FA-HA-Auth)-------->

                              <--------Reg-Rep(MN-HA-Auth, FA-HA-Auth)

   <--------Reg-Rep(MN-HA-Auth, MN-FA-Auth)
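   The following is an added example, not code from this draft, that
   works the SPI-as-key-identifier rule and the subsequent exchange
   above through in Python. Each agent holds the session keys it
   received from DIAMETER in a table indexed by SPI, with the expiry
   taken from Session-Timeout (zero meaning no expiration), and the
   three authentication extensions of the figure are computed and
   checked with the extension layout and default algorithm of RFC 2002
   [4]: Type 32 (Mobile-Home), 33 (Mobile-Foreign) and 34
   (Foreign-Home), Length = 4 + authenticator size, the SPI, and a
   keyed-MD5 "prefix+suffix" authenticator MD5(key || data || key) over
   the registration data, the preceding extensions and the extension's
   own Type, Length and SPI. The key table, the injectable clock and the
   sample Registration Request octets are constructed for this example.

```python
"""Mobile IP authentication extensions with DIAMETER-distributed session
keys, the SPI acting as key identifier (section 4.0). Added example, not
code from the draft. Extension layout and the default keyed-MD5
prefix+suffix authenticator follow RFC 2002 [4]; the key table, clock and
sample Registration Request are constructed for this example."""
import hashlib
import socket
import struct
import time

MN_HA_AUTH, MN_FA_AUTH, FA_HA_AUTH = 32, 33, 34   # extension types, RFC 2002
MD5_LEN = 16
EXT_LEN = 6 + MD5_LEN                             # Type, Length, SPI, authenticator

# Constructed 24-octet Registration Request: type 1, flags 0, lifetime 900s,
# home address, home agent, care-of address, 64-bit identification.
SAMPLE_REG_REQ = struct.pack(">BBH4s4s4sQ", 1, 0, 900,
                             socket.inet_aton("10.1.0.5"),
                             socket.inet_aton("10.1.0.1"),
                             socket.inet_aton("192.0.2.9"),
                             0x1234567800000000)


class SessionKeyTable:
    """Session keys indexed by SPI. Both peers install the same (SPI, key)
    pair because the DIAMETER server chose both; expiry comes from the
    Session-Timeout AVP, where 0 means the key never expires."""

    def __init__(self, clock=time.time):
        self._keys, self._clock = {}, clock

    def install(self, spi, key, session_timeout):
        expires = 0 if session_timeout == 0 else self._clock() + session_timeout
        self._keys[spi] = (bytes(key), expires)

    def lookup(self, spi):
        entry = self._keys.get(spi)
        if entry is None:
            raise KeyError("unknown SPI 0x%08x" % spi)
        key, expires = entry
        if expires and self._clock() >= expires:
            raise KeyError("session key for SPI 0x%08x has expired" % spi)
        return key


def _authenticator(key, protected):
    # RFC 2002 default: keyed MD5 in "prefix+suffix" mode.
    return hashlib.md5(key + protected + key).digest()


def add_auth_extension(message, ext_type, spi, key):
    """Append an extension covering `message` (registration data plus any
    extensions already present) and its own Type, Length and SPI."""
    header = struct.pack(">BBI", ext_type, 4 + MD5_LEN, spi)
    return message + header + _authenticator(key, message + header)


def verify_auth_extension(message, ext_type, keys):
    """Check the trailing extension: its SPI selects the key, then the
    authenticator is recomputed and compared. Returns the SPI."""
    if len(message) < EXT_LEN:
        raise ValueError("message too short for an authentication extension")
    body, ext = message[:-EXT_LEN], message[-EXT_LEN:]
    ext_t, length, spi = struct.unpack(">BBI", ext[:6])
    if ext_t != ext_type or length != 4 + MD5_LEN:
        raise ValueError("expected extension type %d" % ext_type)
    key = keys.lookup(spi)                        # raises if unknown/expired
    if _authenticator(key, body + ext[:6]) != ext[6:]:
        raise ValueError("authenticator mismatch for SPI 0x%08x" % spi)
    return spi


def mobile_node_request(reg_req, mn_keys, mn_ha_spi, mn_fa_spi):
    """Reg-Req(MN-HA-Auth, MN-FA-Auth): Mobile-Home first, so that the
    Mobile-Foreign extension covers it as well."""
    msg = add_auth_extension(reg_req, MN_HA_AUTH, mn_ha_spi,
                             mn_keys.lookup(mn_ha_spi))
    return add_auth_extension(msg, MN_FA_AUTH, mn_fa_spi,
                              mn_keys.lookup(mn_fa_spi))


def foreign_agent_relay(msg, fa_keys, fa_ha_spi):
    """The FA verifies MN-FA-Auth, removes it and appends FA-HA-Auth,
    yielding Reg-Req(MN-HA-Auth, FA-HA-Auth) for the Home Agent."""
    mn_fa_spi = verify_auth_extension(msg, MN_FA_AUTH, fa_keys)
    return mn_fa_spi, add_auth_extension(msg[:-EXT_LEN], FA_HA_AUTH,
                                         fa_ha_spi, fa_keys.lookup(fa_ha_spi))


def home_agent_accept(msg, ha_keys):
    """The HA verifies FA-HA-Auth, then the MN-HA-Auth underneath it.
    Returns both SPIs; raises on a bad authenticator or unknown/expired key."""
    fa_ha_spi = verify_auth_extension(msg, FA_HA_AUTH, ha_keys)
    mn_ha_spi = verify_auth_extension(msg[:-EXT_LEN], MN_HA_AUTH, ha_keys)
    return fa_ha_spi, mn_ha_spi


if __name__ == "__main__":
    mn, fa, ha = SessionKeyTable(), SessionKeyTable(), SessionKeyTable()
    for table, spi, key in [(mn, 0x100, b"mn-ha"), (ha, 0x100, b"mn-ha"),
                            (mn, 0x101, b"mn-fa"), (fa, 0x101, b"mn-fa"),
                            (fa, 0x102, b"fa-ha"), (ha, 0x102, b"fa-ha")]:
        table.install(spi, key, 3600)   # Session-Timeout of one hour
    req = mobile_node_request(SAMPLE_REG_REQ, mn, 0x100, 0x101)
    _, fwd = foreign_agent_relay(req, fa, 0x102)
    print("home agent accepted SPIs:", home_agent_accept(fwd, ha))
```

   Once the Session-Timeout elapses the lookup fails and the Home Agent
   rejects the request, which is the trigger for the Foreign Agent to run
   the AMR/AMA exchange again and install fresh keys under the new SPIs
   the home DIAMETER Server assigns. Keyed-MD5 prefix+suffix is what
   RFC 2002 specifies as the default; a deployment today would use an
   HMAC construction, which later Mobile IP revisions adopted.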


5.0  References

    [1]  Calhoun, Rubens, "DIAMETER", Internet-Draft,
         draft-calhoun-diameter-04.txt, July 1998.

    [2]  Calhoun, Zorn, Pan, "DIAMETER Framework", Internet-
         Draft, draft-calhoun-diameter-framework-01.txt, August 1998.

    [3]  P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
         Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, March 1998.

    [4]  C. Perkins, Editor.  IP Mobility Support.  RFC 2002, October
         1996.

    [5]  C. Perkins, "Router Advertisement Challenge Extension",
         draft-ietf-mobileip-?????-00.txt, August 1998.

    [6]  B. Aboba. "The Network Access Identifier." draft-ietf-roamops-
         nai-11.txt, July 1998.

    [7]  Aboba, Zorn, "Roaming Requirements", draft-ietf-roamops-
         roamreq-09.txt, April 1998.

    [8]  P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
         Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, March 1998.



6.0  Authors' Addresses

   Questions about this memo can be directed to:

      Pat R. Calhoun
      Technology Development
      Sun Microsystems, Inc.
      15 Network Circle
      Menlo Park, California, 94025
      USA

       Phone:  1-650-786-7733
         Fax:  1-650-786-6445
      E-mail:  pcalhoun@eng.sun.com


      Charles E. Perkins
      Technology Development
      Sun Microsystems, Inc.
      15 Network Circle
      Menlo Park, California, 94025
      USA

       Phone:  1-650-786-6464
         Fax:  1-650-786-6445
      E-mail:  charles.perkins@eng.sun.com