Diameter Maintenance and J. Korhonen
Extensions (DIME) TeliaSonera
Internet-Draft J. Bournelle
Expires: December 21, 2006 GET/INT
H. Tschofenig
Siemens
C. Perkins
Nokia
June 19, 2006
Diameter MIPv6 Bootstrapping for the Integrated Scenario
draft-ietf-dime-mip6-integrated-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 21, 2006.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
A Mobile IPv6 node requires a home agent address, a home address, and
IPsec security association with its home agent before it can start
utilizing Mobile IPv6 service. RFC 3775 requires that some or all of
Korhonen, et al. Expires December 21, 2006 [Page 1]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
these parameters are statically configured. Ongoing Mobile IPv6
bootstrapping work aims to make this information dynamically
available to the mobile node. An important aspect of the Mobile IPv6
bootstrapping solution is to support interworking with existing
authentication, authorization and accounting infrastructure. This
document describes the usage of Diameter to facilitate Mobile IPv6
bootstrapping for the integrated scenario.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology and Abbreviations . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Commands, AVPs and Advertising Application Support . . . . . . 7
4.1 Advertising Application Support . . . . . . . . . . . . . 7
4.2 Command Codes . . . . . . . . . . . . . . . . . . . . . . 8
4.3 Diameter-EAP-Request (DER) . . . . . . . . . . . . . . . . 8
4.4 Diameter-EAP-Answer (DEA) . . . . . . . . . . . . . . . . 9
4.5 AA-Request (AAR) . . . . . . . . . . . . . . . . . . . . . 10
4.6 AA-Answer (AAA) . . . . . . . . . . . . . . . . . . . . . 11
4.7 New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.7.1 MIP6-Home-Agent-Address AVP . . . . . . . . . . . . . 12
4.7.2 MIP6-Home-Agent-FQDN AVP . . . . . . . . . . . . . . . 12
4.7.3 MIP4-Home-Agent-Address AVP . . . . . . . . . . . . . 12
4.7.4 MIPv6-Bootstrapping-Feature AVP . . . . . . . . . . . 13
5. Diameter Client and Server Behavior During MIPv6
Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1 Client (NAS) Behavior . . . . . . . . . . . . . . . . . . 14
5.2 Server Behavior . . . . . . . . . . . . . . . . . . . . . 15
5.3 Example Message Flows . . . . . . . . . . . . . . . . . . 16
6. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 18
6.1 DER and DEA Commands AVP Table . . . . . . . . . . . . . . 18
6.2 AAR and AAA Commands AVP Table . . . . . . . . . . . . . . 18
7. MIPv6 Bootstrapping Integrated AVPs . . . . . . . . . . . . . 19
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
8.1 AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 20
8.2 Application Identifier . . . . . . . . . . . . . . . . . . 20
8.3 Namespaces . . . . . . . . . . . . . . . . . . . . . . . . 20
9. Security Considerations . . . . . . . . . . . . . . . . . . . 21
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
11.1 Normative References . . . . . . . . . . . . . . . . . . . 23
11.2 Informative References . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . 26
Korhonen, et al. Expires December 21, 2006 [Page 2]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
1. Introduction
Mobile IPv6 specification [RFC3775] requires a Mobile Node (MN) to
perform registration with a home agent with information about its
current point of attachment (Care-of Address). The home agent
creates and maintains binding between the MN's Home Address and the
MN's Care-of Address.
In order to register with a home agent, the MN needs to know some
information such as, the Home Link prefix, the home agent Address,
the Home Address(es), the Home Link prefix Length and security
related information in order to later secure the Binding Update.
The aforementioned set of information may be statically provisioned
in the MN. However, static provisioning of this information has its
drawbacks. It increases provisioning and network maintenance becomes
easily burden for an operator. Moreover, static provisioning does
not allow load balancing, failover, opportunistic home link
assignment etc. For example, the user may be accessing the network
from a location that may be geographically far away from the
preconfigured home link; the administrative burden to configure the
MNs with the respective addresses is large and the ability to react
on environmental changes is minimal. In these situations static
provisioning may not be desirable.
Dynamic assignment of Mobile IPv6 home registration information is a
desirable feature for ease of deployment and network maintenance.
For this purpose, the Diameter infrastructure, which is used for
access authentication, can be leveraged to assign some or all of the
necessary parameters. The Diameter server in Access Service
Provider's (ASP) or in Mobility Service Provider's (MSP) network may
return these parameters to the AAA client. The AAA client might
either be the NAS, in case of the integrated scenario, or the home
agent, in case of the split scenario [I-D.ietf-mip6-bootstrapping-
split]. The terms integrated and split are described in the
terminology section and were introduced in
[I-D.ietf-mip6-bootstrap-ps] and [I-D.ietf-mip6-aaa-ha-goals].
Korhonen, et al. Expires December 21, 2006 [Page 3]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
2. Terminology and Abbreviations
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC2119].
General mobility terminology can be found in [RFC3753]. The
following additional terms, as defined in
[I-D.ietf-mip6-bootstrap-ps], are used in this document:
Access Service Authorizer (ASA):
A network operator that authenticates a mobile node and
establishes the mobile node's authorization to receive Internet
service.
Access Service Provider (ASP):
A network operator that provides direct IP packet forwarding to
and from the mobile node.
Mobility Service Authorizer (MSA):
A service provider that authorizes Mobile IPv6 service.
Mobility Service Provider (MSP):
A service provider that provides Mobile IPv6 service. In order to
obtain such service, the mobile node must be authenticated and
authorized to obtain the Mobile IPv6 service.
Split scenario:
A scenario where the mobility service and the network access
service are authorized by different entities.
Integrated Scenario:
A scenario where the mobility service and the network access
service are authorized by the same entity.
Korhonen, et al. Expires December 21, 2006 [Page 4]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
3. Overview
This document addresses the authentication, authorization and
accounting functionality required by for the MIPv6 bootstrapping as
outlined in the MIPv6 bootstrapping problem statement document (see
[I-D.ietf-mip6-bootstrap-ps]). This document focuses on the AAA
functionality for the integrated scenario. The AAA interaction for
the split scenario is conceptually simpler and described in
[I-D.tschofenig-mip6-aaa-ha-diameter].
The subsequent text outlines the AAA interaction between the
participating entities in the integrated scenario. In the integrated
scenario MIPv6 bootstrapping is provided as part of the network
access authentication procedure. Figure 1 shows the participating
entities. This document, however, only concentrates on the NAS,
possible local Diameter proxies and the home Diameter server.
+---------------------------+ +-----------------+
|Access Service Provider | |ASA/MSA/(MSP) |
|(Mobility Service Provider)| | |
| | | |
| +--------+ | | +--------+ |
| |Local | Diameter | | |Home | |
| |Diameter|<---------------------->|Diameter| |
| |Proxy | | | |Server | |
| +--------+ | | +--------+ |
| ^ | | ^ |
| | | | | |
| | | | | |
| |Diameter | | v |
| | +-------+ | | +-------+ |
| | |Home | | | |Home | |
| | +---->|Agent | | | |Agent | |
| | | |in ASP | | | |in MSP | |
| v v +-------+ | | +-------+ |
+-------+ IEEE | +-----------+ +-------+ | +-----------------+
|Mobile | 802.1X | |NAS/Relay | |DHCPv6 | |
|Node |----------+-|Diameter |---|Server | |
| | PANA,... | |Client | | | |
+-------+ DHCP | +-----------+ +-------+ |
+---------------------------+
Figure 1: Mobile IPv6 Bootstrapping in the Integrated Scenario
In a typical Mobile IPv6 access scenario, as shown above, the MN is
attached to an Access Service Provider's network. During the network
attachment procedure, the NAS/Diameter client interacts with the
Korhonen, et al. Expires December 21, 2006 [Page 5]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
mobile node. As shown in Figure 1, the authentication and
authorization happens via the Diameter infrastructure.
At the time of authorizing the user for the IPv6 access, the Diameter
server in the MSA detects that the user is authorized for Mobile IPv6
access. Based on the MSA's policy, the Diameter server may allocate
several parameters to the MN for use during the subsequent Mobile
IPv6 protocol interaction with the home agent.
Depending on the details of the solution interaction with the DHCPv6
server may be required, as described in [I-D.ietf-mip6-bootstrapping-
integrated-dhc]. However, the solution described in this document is
not dependant on the DHCPv6 as the only possible MIPv6 bootstrapping
method.
Korhonen, et al. Expires December 21, 2006 [Page 6]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
4. Commands, AVPs and Advertising Application Support
This section describes command codes, defines AVPs and advertised
application identifiers for the Diameter MIPv6 bootstrapping in the
integrated scenario.
4.1 Advertising Application Support
Diameter nodes conforming to this specification SHOULD include the
value of (TBD) in the Auth-Application-Id or the Acct-Application-Id
AVP of the Capabilities-Exchange-Request and Capabilities-Exchange-
Answer commands [RFC3588]. This application is referred as the
Diameter MIPv6 Bootstrapping Integrated scenario -- MIP6BSTI. From
the advertised Application ID the home Diameter server is able to
detect whether the Access Service Provider (and its NAS) supports
MIPv6 bootstrapping and MIPv6. If the NAS also supports the EAP
application and/or the Diameter NAS Application application
corresponding Application IDs should be advertised during the
capability exchange.
If the NAS receives a response with the Result-Code set to
DIAMETER_APPLICATION_UNSUPPORTED [RFC3588], it indicates that the
Diameter server in the ASA/MSA does not support MIPv6 Bootstrapping
Integrated application. In this case the NAS MAY attempt to fallback
to basic network access authentication without MIPv6 bootstrapping.
Whenever the mobile node authenticates using some EAP-based method
then the NAS SHOULD use the Diameter MIPv6 Bootstrapping Integrated
Application ID value of TBD in the Auth-Application-Id AVP in the
Diameter-EAP-Request command [RFC4072] and subsequently the answering
Diameter server in the Diameter-EAP-Answer command [RFC4072]. This
implies that the NAS and the Diameter server MUST support MIPv6
Bootstrapping Integrated application. If either end lacks the
required support, the NAS and subsequently also the Diameter server
falls back to the EAP application [RFC4072].
If the mobile node does not use EAP-based network access
authentication then the NAS SHOULD use the Diameter MIPv6
Bootstrapping Integrated Application ID value of TBD in the Auth-
Application-Id AVP in the AA-Request command [RFC4005] and
subsequently the answering Diameter server in the AA-Answer command
[RFC4005]. This implies that the NAS and the Diameter server MUST
support MIPv6 bootstrapping integrated application. If either end
lacks the required support, the NAS and subsequently also the
Diameter server falls back to the Diameter NAS application [RFC4005].
The value of zero (0) SHOULD be used as the Application-Id in all
STR/STA, ACR/ACA, ASR/ASA, and RAR/RAA commands, because these
Korhonen, et al. Expires December 21, 2006 [Page 7]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
commands are defined in the Diameter base protocol and no additional
mandatory AVPs for those commands are defined in this document.
4.2 Command Codes
This document re-uses the Diameter Base protocol [RFC3588], Diameter
NAS Application [RFC4072] and EAP commands . The following commands
are used to carry MIPv6 related bootstrapping AVPs:
Command-Name Abbrev. Code Reference Application
Diameter-EAP-Request DER 268 RFC 4072 MIP6BSTI
Diameter-EAP-Answer DEA 268 RFC 4072 MIP6BSTI
AA-Request AAR 265 RFC 4005 MIP6BSTI
AA-Answer AAA 265 RFC 4005 MIP6BSTI
Figure 2: MIPv6 Bootstrapping Integrated Application Command Codes
When the Re-Auth-Request (RAR), Re-Auth-Answer (RAA), Session-
Termination-Request (STR), Session-Termination-Answer (STA), Abort-
Session-Request (ASR), Abort-Session-Answer (ASA), Accounting-Request
(ACR), and Accounting-Answer (ACA) commands are used together with
the Diameter MIPv6 Bootstrapping Integrated application, they follow
the rules in the Diameter NAS [RFC4005], EAP [RFC4072] and BASE
[RFC3588] applications. The accounting commands use Application
Identifier value of 3 (Diameter Base Accounting); the others use 0
(Diameter Common Messages).
4.3 Diameter-EAP-Request (DER)
The Diameter-EAP-Request (DER) command [RFC4072], indicated by the
Command-Code field set to 268 and the 'R' bit set in the Command
Flags field, may be sent by the NAS to the Diameter server providing
network access authentication and authorization services. At the
same time with the network access authentication and authorization
the NAS MAY request home agent assignment, to authorize for mobility
service usage and optionally to indicate the support of possible
local home agent assignment. The NAS indicates the support for MIPv6
Bootstrapping Integrated application by setting the
Auth-Application-Id to value of TBD. The DER command MAY also carry
the DNS Update Mobility Option and the MIPv6 Bootstrapping Feature
attribute.
The message format is the same as defined in [RFC4072] with an
addition of MIPv6 Bootstrapping Integrated application AVPs. The
Korhonen, et al. Expires December 21, 2006 [Page 8]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
figure below shows the DER message used with the MIPv6 Bootstrapping
Integrated application:
<Diameter-EAP-Request> ::= < Diameter Header: 268, REQ, PXY >
< Session-Id >
{ Auth-Application-Id }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
{ Auth-Request-Type }
[ MIPv6-Bootstrapping-Feature ]
[ Destination-Host ]
...
* [ AVP ]
Figure 3: Diameter EAP Request Command
4.4 Diameter-EAP-Answer (DEA)
The Diameter-EAP-Answer (DEA) message define in [RFC4072], indicated
by the Command- Code field set to 268 and 'R' bit cleared in the
Command Flags field is sent in response to the Diameter-EAP-Request
message (DER). If the mobility service is successfully authorized
and the Diameter server was able to fulfill the bootstrapping request
(if needed) then the response SHOULD include the MIP6-Home-Agent-
Address AVP, MIP6-Home-Agent-FQDN and MIP4-Home-Agent-address AVPs.
The message format is the same as defined in [RFC4072] with an
addition of MIPv6 Bootstrapping Integrated application AVPs. The
figure below shows the DEA message used with the MIPv6 Bootstrapping
Integrated application:
Korhonen, et al. Expires December 21, 2006 [Page 9]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
<Diameter-EAP-Answer> ::= < Diameter Header: 268, PXY >
< Session-Id >
{ Auth-Application-Id }
{ Auth-Request-Type }
{ Result-Code }
{ Origin-Host }
{ Origin-Realm }
[ MIP6-Home-Agent-Address ]
[ MIP6-Home-Agent-FQDN ]
[ MIP4-Home-Agent-address ]
[ User-Name ]
...
* [ AVP ]
Figure 4: Diameter EAP Answer Command
4.5 AA-Request (AAR)
The AA-Request (AAR) message, indicated by the Command-Code field set
to 265 and 'R' bit set in the Command Flags field, may be sent by
the NAS to the Diameter server providing network access configuration
services. At the same time with the network access configuration the
NAS MAY request home agent assignment, to authorize for mobility
service usage and optionally to indicate the support of possible
local home agent assignment. The NAS indicates the support for MIPv6
Bootstrapping Integrated application by setting the
Auth-Application-Id to value of (TBD). The AAR command MAY also
carry the DNS Update Mobility Option and the MIPv6 Bootstrapping
Feature attribute.
The message format is the same as defined in [RFC4005] with an
addition of MIPv6 Bootstrapping Integrated application AVPs. The
figure below shows the AAR message used with the MIPv6 Bootstrapping
Integrated application:
Korhonen, et al. Expires December 21, 2006 [Page 10]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
<AA-Request> ::= < Diameter Header: 265, REQ, PXY >
< Session-Id >
{ Auth-Application-Id }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
{ Auth-Request-Type }
[ MIPv6-Bootstrapping-Feature ]
[ Destination-Host ]
...
* [ AVP ]
Figure 5: AA Request Command
4.6 AA-Answer (AAA)
The AA-Answer (AAA) message, indicated by the Command-Code field set
to 265 and 'R' bit cleared in the Command Flags field is sent in
response to the AA-Request (AAR) message for confirmation of the
result of MIPv6 HA bootstrapping. If the mobility service is
successfully authorized and the Diameter server was able to fulfill
the bootstrapping request (if needed) then the response SHOULD
include the MIP6-Home-Agent-Address AVP, MIP6-Home-Agent-FQDN and
MIP4-Home-Agent-address AVPs.
The message format is the same as defined in [RFC4005] with an
addition of MIPv6 Bootstrapping Integrated application AVPs. The
figure below shows the DEA message used with the MIPv6 Bootstrapping
Integrated application:
Korhonen, et al. Expires December 21, 2006 [Page 11]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
<AA-Answer> ::= < Diameter Header: 265, PXY >
< Session-Id >
{ Auth-Application-Id }
{ Auth-Request-Type }
{ Result-Code }
{ Origin-Host }
{ Origin-Realm }
[ MIP6-Home-Agent-Address ]
[ MIP6-Home-Agent-FQDN ]
[ MIP4-Home-Agent-address ]
[ User-Name ]
...
* [ AVP ]
Figure 6: AA Answer Command
4.7 New AVPs
4.7.1 MIP6-Home-Agent-Address AVP
The MIP6-Home-Agent-Address AVP (AVP Code TBD) is of type OctetString
and contains the Mobile IPv6 home agent address and the prefix length
of the said address. The AVP is a discriminated union, representing
IPv6 address in network byte order. The first two octets of this AVP
represents the home link prefix length followed by 16 octets of the
IPv6 address.
The Diameter server MAY decide to assign a MIPv6 home agent to the MN
that is in close proximity to the point of attachment (e.g.
determined by the NAS-Identifier). There may be other reasons for
dynamically assigning home agents to the MN, for example to share the
traffic load. The AVP also contains the prefix length so that the MN
can easily infer one of the possible Home Link prefixes from the home
agent address.
4.7.2 MIP6-Home-Agent-FQDN AVP
The MIP6-Home-Agent-FQDN AVP (AVP Code TBD) is of type UTF8String and
contains the FQDN of a Mobile IPv6 home agent.
4.7.3 MIP4-Home-Agent-Address AVP
The MIP4-Home-Agent-Address AVP (AVP Code TBD) is of type OctetString
and contains the IPv4 home agent address and the prefix length of the
said address. The AVP is a discriminated union, representing IPv4
Korhonen, et al. Expires December 21, 2006 [Page 12]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
address in network byte order. The first two octets of this AVP
represents the home link prefix length followed by 4 octets of the
IPv4 address.
The Diameter server MAY decide to assign a MIPv4 home agent to the MN
in a case where dual stack Mobile IP is supported [I-D.ietf-mip6-
nemo-v4traversal].
4.7.4 MIPv6-Bootstrapping-Feature AVP
The MIPv6-Bootstrapping-Feature AVP (AVP Code TBD) is of type
Unsigned32 and contains a 32 bits flags field of supported features
by the NAS and the ASP.
By using this payload the NAS indicates to the Diameter server
certain capabilities and features. For example, the NAS might want
to indicate that local home agent assignment can be provided.
Local-Home-Agent-Assignment 1
This flag is set when the NAS knows that a local home agent
located in the ASP can be provided for the MN.
Dual-Stack-MIP-supported 2
This flag is set when the NAS and the local access network
supports dual stack Mobile IP as defined in [I-D.ietf-mip6-nemo-
v4traversal] and bootstrapping functionality can also be provided
for the Mobile IPv4 Home Address.
Korhonen, et al. Expires December 21, 2006 [Page 13]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
5. Diameter Client and Server Behavior During MIPv6 Bootstrapping
This section describes the Diameter server and client behavior in
case of the MIPv6 bootstrapping in the integrated scenario. The text
does several assumptions for brevity.
o The Diameter server is assumed to support at least the Diameter
BASE, EAP and NAS applications.
o The Diameter client (i.e. the NAS) is assumed to support at least
the Diameter BASE, EAP and NAS applications.
o The MN uses such network access authentication method and
credentials that are supported by the NAS/ASP and ASA/MSA.
o The MN has been provisioned with Mobile IPv6 service.
o The capability exchange has already completed, thus the NAS and
the Diameter server share the knowledge of mutually supported
applications. Cases where the ASA/MSA do not support MIPv6
bootstrapping are not discussed. In these cases the NAS has no
other choice than to carry out the network access authentication
as defined in the Diameter EAP or NAS applications.
5.1 Client (NAS) Behavior
If the ASP/NAS does not support MIPv6 integrated scenario
bootstrapping and/or the corresponding application then the NAS
either selects the Diameter NAS or EAP application depending on which
authentication method the MN has to use to authenticate itself.
Naturally after a successful or a failed authentication the NAS does
not have to do any MIPv6 bootstrapping related procedures.
Next we describe two different scenarios for the network access
authentication when the ASP/NAS supports MIPv6 integrated scenario
bootstrapping and the corresponding application.
1) The MN uses some EAP-based method (e.g. 802.11i/802.1X) to
authenticate to the network. In this scenario the NAS uses
commands originally defined for the EAP application. However, the
Application IDs included in messages are set to the value of (TBD)
indicating the MIP6BSTI application. Depending on the ASP
capabilities the NAS may include the MIPv6-Bootstrapping-Feature
AVP in the first DER message. This AVP indicates whether it is
possible to allocate home agents locally and whether Mobile IPv4
bootstrapping is also supported.
Korhonen, et al. Expires December 21, 2006 [Page 14]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
2) The MN uses some other than EAP-based method to authenticate to
the network. In this scenario the NAS uses commands originally
defined for the Diameter NAS application. However, the
Application IDs included in messages are set to the value of (TBD)
indicating the MIP6BSTI application. Depending on the ASP
capabilities the NAS may include the MIPv6-Bootstrapping-Feature
AVP in the first DER message. This AVP indicates whether it is
possible to allocate home agents locally and whether Mobile IPv4
bootstrapping is also supported.
If the network access authentication failed the NAS receives
appropriate error codes as defined for the Diameter EAP or NAS
applications. The NAS does not allow the MN to access the network
and does not do any MIPv6 bootstrapping related procedures.
If the network access authentication completed successfully, the NAS
looks for home agent defining AVPs in the reply messages (either DEA
or AAA depending on the used authentication method). The NAS
associates the received bootstrapping information to the MN that
initiated the access authentication and stores the information
internally (storing time is determined by the ASP policy). The
stored bootstrapping information is then available for the NAS and
the DHCP relay for later step during the MN bootstrapping process.
The actual bootstrapping from the MN point of view takes place after
the network access authentication has completed. The bootstrapping
may be realized e.g. using DHCP as defined in [I-D.ietf-mip6-
bootstrapping-integrated-dhc] and [RFC2132].
The MN has actually no consistent way of indicating to the NAS that
it supports MIPv6 integrated scenario way of bootstrapping during the
network access authentication. Subsequently the NAS has no
possibilities to find out whether the terminal attempting to
authenticate is actually a MN with MIPv6 bootstrapping functionality
prior the network access authentication has completed. Thus it is
possible that the NAS initiates MIPv6 integrated scenario
bootstrapping configuration even if the MN is not able to make any
use of it later. The Diameter server in the ASA/MSA might be able to
detect this situation during the authentication phase based on MN's
identity -- assuming the ASA is able to verify from the MSA whether
the MN has been provisioned with a MIPv6 service.
5.2 Server Behavior
If the ASP/NAS does not support MIPv6 integrated scenario
bootstrapping and/or the corresponding application then the NAS
either selects the Diameter NAS or EAP application depending on which
access authentication method the MN has to use to authenticate. The
Korhonen, et al. Expires December 21, 2006 [Page 15]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
Diameter server in the ASA/MSA is able to detect this case (based on
used Application IDs) and does not have to do any MIPv6 bootstrapping
related procedures.
Next we describe two different scenarios for the network access
authentication using the MIPv6 integrated scenario bootstrapping and
the corresponding MIP6BSTI application.
1) The MN uses some EAP-based method to authenticate to the network.
In this scenario the NAS uses commands originally defined for the
EAP application. However, the Application IDs included in
messages are set to the value of (TBD) indicating the MIP6BSTI
application. Depending on the ASA/MSA policy the Diameter server
SHOULD assign a Mobile IPv6 home agent to the MN and include
corresponding MIP6-Home-Agent-Address and the MIP6-Home-Agent-FQDN
AVPs in the final DEA message. If the DER message received from
the NAS included MIPv6-Bootstrapping-Feature AVP with Dual-Stack-
MIP-supported flag set, the Diameter server MAY assign the MN with
a Mobile IPv4 home agent and include a corresponding MIP4-Home-
Agent-Address AVP in the final DEA message. If the MIPv6-
Bootstrapping-Feature AVP has the Local-Home-Agent-Assignment flag
set the Diameter server MAY attempt to assign a home agent located
in the ASP network to the MN.
2) The MN uses some other than EAP-based method to authenticate to
the network. In this scenario the NAS uses commands originally
defined for the Diameter NAS application. However, the
Application IDs included in messages are set to the value of (TBD)
indicating the MIP6BSTI application. Depending on the ASA/MSA
policy the Diameter server SHOULD assign the MN a Mobile IPv6 home
agent and include corresponding MIP6-Home-Agent-Address and the
MIP6-Home-Agent-FQDN AVPs in the final AAA message. If the AAR
message received from the NAS included MIPv6-Bootstrapping-Feature
AVP with Dual-Stack-MIP-supported flag set, the Diameter server
MAY assign the MN a Mobile IPv4 home agent and include a
corresponding MIP4-Home-Agent-Address AVP in the final AAA
message. If the MIPv6-Bootstrapping-Feature AVP has the Local-
Home-Agent-Assignment flag set the Diameter server MAY attempt to
assign a home agent located in the ASP network to the MN.
5.3 Example Message Flows
This section shows basic message flows of MIPv6 integrated scenario
bootstrapping and dynamic home agent assignment. In the Figure 7
network access authentication is based on EAP (e.g. 802.11i/802.1X).
The NAS informs home Diameter server that home agent assignment in
the foreign network is possible. The Diameter server assigns the MN
Korhonen, et al. Expires December 21, 2006 [Page 16]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
a home agent either in the home MSP or in the ASP. The assignment
procedure is out of scope of this document. The Diameter server then
replies to the NAS with home agent related bootstrapping information.
NAS Local proxy Home server
| | |
| Diameter-EAP-Request | |
| MIPv6-Bootstrapping-Feature=Local-Home-Agent-Assignment |
| Auth-Request-Type=AUTHORIZE_AUTHENTICATE |
| EAP-Payload(EAP Start) | |
|------------------------------->|------------------------------->|
| | |
| : |
: ...more EAP Request/Response pairs... :
| : |
| | |
| | Diameter-EAP-Answer |
| MIP6-Home-Agent-Address(IPv6 address) |
| MIP6-Home-Agent-FQDN=ha.example.com |
| | Result-Code=DIAMETER_SUCCESS |
| | EAP-Payload(EAP Success) |
| | EAP-Master-Session-Key |
| | (authorization AVPs) |
| | ... |
|<-------------------------------|<-------------------------------|
| | |
Figure 7: MIPv6 integrated scenario bootstrapping example when EAP is
used for access authentication
Korhonen, et al. Expires December 21, 2006 [Page 17]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
6. AVP Occurrence Tables
6.1 DER and DEA Commands AVP Table
The following table lists the additional MIPv6 Bootstrapping
Integrated application (MIP6BSTI) AVPs that may be present in the DER
and DEA Commands, as defined in this document and in [RFC4072].
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | DER | DEA |
-------------------------------+-------+-------+
MIP6-Home-Agent-Address | 0 | 1 |
MIP6-Home-Agent-FQDN | 0 | 0-1 |
MIP4-Home-Agent-address | 0 | 0-1 |
MIPv6-Bootstrapping-Feature | 0-1 | 0 |
+-------+-------+
Figure 8: DER and DEA Commands AVP table
6.2 AAR and AAA Commands AVP Table
The following table lists the additional MIPv6 Bootstrapping
Integrated application (MIP6BSTI) AVPs that may be present in the AAR
and AAA Commands, as defined in this document and in [RFC4005].
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | AAR | AAA |
-------------------------------|-------+-------|
MIP6-Home-Agent-Address | 0 | 1 |
MIP6-Home-Agent-FQDN | 0 | 0-1 |
MIP4-Home-Agent-address | 0 | 0-1 |
MIPv6-Bootstrapping-Feature | 0-1 | 0 |
+-------+-------+
Figure 9: AAR and AAA Commands AVP table
Korhonen, et al. Expires December 21, 2006 [Page 18]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
7. MIPv6 Bootstrapping Integrated AVPs
This section defines the AVPs that are specific to Diameter MIPv6
Bootstrapping Integrated application and that MAY be included in the
Diameter EAP [RFC4072] and the NAS [RFC4005] applications messages
listed in Section 4 of this document. The Diameter AVP rules are
defined in the Diameter Base [RFC3588], Section 4. These AVP rules
are observed in AVPs defined in this section.
The following table describes the Diameter AVPs defined in the
MIP6BSTI application, their AVP Code values, types, possible flag
values, and whether the AVP MAY be encrypted. The Diameter base
[RFC3588] specifies the AVP Flag rules for AVPs in section 4.5.
+--------------------+
| AVP Flag rules |
+----+-----+----+----+----+
AVP Section | | |SHLD|MUST| |
Attribute Name Code Defined Data Type |MUST| MAY | NOT|NOT |Encr|
-----------------------------------------+----+-----+----+----+----+
MIP6-Home-Agent- TBD x.y OctetString| M | P | | V | Y |
Address | | | | | |
MIP6-Home-Agent- TBD x.y UTF8String | M | P | | V | Y |
FQDN | | | | | |
MIP4-Home-Agent- TBD x.y OctetString| M | P | | V | Y |
address | | | | | |
MIPv6- TBD x.y Unsigned32 | M | P | | V | Y |
Bootstrapping-Feature | | | | | |
-----------------------------------------+----+-----+----+----+----+
Figure 10: AVP flag rules table
Korhonen, et al. Expires December 21, 2006 [Page 19]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
8. IANA Considerations
This document defines seven new Diameter AVPs, a new Diameter
application and two new namespaces.
8.1 AVP Codes
This specification defines the following new AVPs:
MIP6-Home-Agent-Address is set to TBD
MIP6-Home-Agent-FQDN is set to TBD
MIP4-Home-Agent-address is set to TBD
MIPv6-Bootstrapping-Feature is set to TBD
8.2 Application Identifier
This specification defines new Diameter application called "MIPv6
Bootstrapping Integrated application" i.e. MIP6BSTI. The
Application Identifier code for this application is set to TBD.
8.3 Namespaces
This specification defines a new namespace for the MIPv6-
Bootstrapping-Feature AVP flag values:
Local-Home-Agent-Assignment is set to 1
Dual-Stack-MIP-supported is set to 2
Korhonen, et al. Expires December 21, 2006 [Page 20]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
9. Security Considerations
The security considerations for the Diameter interaction required to
accomplish the integrated scenario are described in [I-D.ietf-mip6-
bootstrapping-integrated-dhc] . Additionally, the security
considerations of the Diameter base protocol [RFC3588], Diameter NAS
application [RFC4005] / Diameter EAP [RFC4072] application (with
respect to network access authentication and the transport of keying
material) are applicable to this document.
Korhonen, et al. Expires December 21, 2006 [Page 21]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
10. Acknowledgements
This document is heavily based on the ongoing work for RADIUS MIPv6
interaction. Hence, credits go to Kuntal Chowdhury and Avi Lior for
their work with draft-chowdhury-mip6-radius-00.txt. Furthermore, the
author would like to thank the authors of
draft-le-aaa-diameter-mobileipv6-04.txt (Franck Le, Basavaraj Patil,
Charles E. Perkins, Stefano Faccin) for their work in context of
MIPv6 Diameter interworking. Their work influenced this document.
Korhonen, et al. Expires December 21, 2006 [Page 22]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
11. References
11.1 Normative References
[I-D.ietf-mip6-aaa-ha-goals]
Giaretta, G., "Goals for AAA-HA interface",
draft-ietf-mip6-aaa-ha-goals-01 (work in progress),
January 2006.
[I-D.ietf-mip6-bootstrap-ps]
Giaretta, G. and A. Patel, "Problem Statement for
bootstrapping Mobile IPv6",
draft-ietf-mip6-bootstrap-ps-05 (work in progress),
May 2006.
[I-D.ietf-mip6-bootstrapping-integrated-dhc]
Chowdhury, K. and A. Yegin, "MIP6-bootstrapping via DHCPv6
for the Integrated Scenario",
draft-ietf-mip6-bootstrapping-integrated-dhc-01 (work in
progress), June 2006.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", March 1997.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support
in IPv6", RFC 3775, June 2004.
11.2 Informative References
[I-D.ietf-mip6-bootstrapping-split]
Giaretta, G., "Mobile IPv6 bootstrapping in split
scenario", draft-ietf-mip6-bootstrapping-split-02 (work in
progress), March 2006.
[I-D.ietf-mip6-nemo-v4traversal]
Soliman, H., "Mobile IPv6 support for dual stack Hosts and
Routers (DSMIPv6)", draft-ietf-mip6-nemo-v4traversal-01
(work in progress), March 2006.
[I-D.jang-mip6-hiopt]
Jang, H., "DHCP Option for Home Information Discovery in
MIPv6", draft-jang-mip6-hiopt-00 (work in progress),
June 2006.
[I-D.tschofenig-mip6-aaa-ha-diameter]
Korhonen, et al. Expires December 21, 2006 [Page 23]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
Tschofenig, H., "Mobile IPv6 Bootstrapping using
Diameter", draft-tschofenig-mip6-aaa-ha-diameter-01 (work
in progress), October 2005.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997.
[RFC3753] Manner, J. and M. Kojo, "Mobility Related Terminology",
RFC 3753, June 2004.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
"Diameter Network Access Server Application", RFC 4005,
August 2005.
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072,
August 2005.
Authors' Addresses
Jouni Korhonen
TeliaSonera
Teollisuuskatu 13
Sonera FIN-00051
Finland
Email: jouni.korhonen@teliasonera.com
Julien Bournelle
GET/INT
9 rue Charles Fourier
Evry 91011
France
Email: julien.bournelle@int-evry.fr
Hannes Tschofenig
Siemens
Otto-Hahn-Ring 6
Munich, Bavaria 81739
Germany
Email: Hannes.Tschofenig@siemens.com
URI: http://www.tschofenig.com
Korhonen, et al. Expires December 21, 2006 [Page 24]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
Charles E. Perkins
Nokia
Email: charliep@iprg.nokia.com
Korhonen, et al. Expires December 21, 2006 [Page 25]
Internet-Draft Diameter MIPv6 Integrated Scenario June 2006
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Korhonen, et al. Expires December 21, 2006 [Page 26]