[Mip4] RE: [Dime] RE: Issue 3: Diameter MIP4 Application vs. RADIUS Architecture
Alper Yegin wrote:
> Pete,
>>
>> I don't think it's a hack. When we have Mobile IP being used for
>> access authentication I think it makes sense to carry the RRQ in a
>> Diameter application. EAP is a different case because then we have a
>> separate protocol doing access authentication.
>
> Using a mobility protocol's AAA for network access AAA is another
> hack, IMHO. These are two separate services. That may explain why one
> protocol is tunneled inside another, but it does not justify.
Well, this is the road we went down back in 1998. There is at
least one SDO that is heavily dependent on the MN-NAI and MN-AAA
extensions.
> I understand these are all driven by performance improvements.
Yes.
>> The FA and HA might be part of different administrative domains.
>> I think the FA has just as much reason to authenticate the MN as the
>> HA.
>
> MN is authenticated by the same entity (HAAA) whether requested by
> the FA or the HA. If HA and FA have some trust relationship (e.g.,
> using FA-HA AE, or IPsec), then I believe letting the HA authenticate
> the MN is sufficient.
There is no scalable way to maintain trust relationships between
all pairs of (FA, HA). One of the main purposes of the Diameter
MIPv4 application is to distribute keys for those (FA, HA)
relationships that are necessary based on the MNs that are
roaming to a given FA. The FA needs to make sure that the
visited resources will be paid for, which is why it needs
authorization from the AAA infrastructure.
-Pete
--
Mip4 mailing list: Mip4 at ietf.org
Web interface: https://www1.ietf.org/mailman/listinfo/mip4
Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.