Diameter Maintenance and J. Korhonen Extensions (DIME) TeliaSonera Internet-Draft J. Bournelle Expires: December 21, 2006 GET/INT H. Tschofenig Siemens C. Perkins Nokia June 19, 2006 Diameter MIPv6 Bootstrapping for the Integrated Scenario draft-ietf-dime-mip6-integrated-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 21, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract A Mobile IPv6 node requires a home agent address, a home address, and IPsec security association with its home agent before it can start utilizing Mobile IPv6 service. RFC 3775 requires that some or all of Korhonen, et al. Expires December 21, 2006 [Page 1] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 these parameters are statically configured. Ongoing Mobile IPv6 bootstrapping work aims to make this information dynamically available to the mobile node. An important aspect of the Mobile IPv6 bootstrapping solution is to support interworking with existing authentication, authorization and accounting infrastructure. This document describes the usage of Diameter to facilitate Mobile IPv6 bootstrapping for the integrated scenario. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology and Abbreviations . . . . . . . . . . . . . . . . 4 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Commands, AVPs and Advertising Application Support . . . . . . 7 4.1 Advertising Application Support . . . . . . . . . . . . . 7 4.2 Command Codes . . . . . . . . . . . . . . . . . . . . . . 8 4.3 Diameter-EAP-Request (DER) . . . . . . . . . . . . . . . . 8 4.4 Diameter-EAP-Answer (DEA) . . . . . . . . . . . . . . . . 9 4.5 AA-Request (AAR) . . . . . . . . . . . . . . . . . . . . . 10 4.6 AA-Answer (AAA) . . . . . . . . . . . . . . . . . . . . . 11 4.7 New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.7.1 MIP6-Home-Agent-Address AVP . . . . . . . . . . . . . 12 4.7.2 MIP6-Home-Agent-FQDN AVP . . . . . . . . . . . . . . . 12 4.7.3 MIP4-Home-Agent-Address AVP . . . . . . . . . . . . . 12 4.7.4 MIPv6-Bootstrapping-Feature AVP . . . . . . . . . . . 13 5. Diameter Client and Server Behavior During MIPv6 Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . 14 5.1 Client (NAS) Behavior . . . . . . . . . . . . . . . . . . 14 5.2 Server Behavior . . . . . . . . . . . . . . . . . . . . . 15 5.3 Example Message Flows . . . . . . . . . . . . . . . . . . 16 6. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 18 6.1 DER and DEA Commands AVP Table . . . . . . . . . . . . . . 18 6.2 AAR and AAA Commands AVP Table . . . . . . . . . . . . . . 18 7. MIPv6 Bootstrapping Integrated AVPs . . . . . . . . . . . . . 19 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 8.1 AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 20 8.2 Application Identifier . . . . . . . . . . . . . . . . . . 20 8.3 Namespaces . . . . . . . . . . . . . . . . . . . . . . . . 20 9. Security Considerations . . . . . . . . . . . . . . . . . . . 21 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 11.1 Normative References . . . . . . . . . . . . . . . . . . . 23 11.2 Informative References . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24 Intellectual Property and Copyright Statements . . . . . . . . 26 Korhonen, et al. Expires December 21, 2006 [Page 2] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 1. Introduction Mobile IPv6 specification [RFC3775] requires a Mobile Node (MN) to perform registration with a home agent with information about its current point of attachment (Care-of Address). The home agent creates and maintains binding between the MN's Home Address and the MN's Care-of Address. In order to register with a home agent, the MN needs to know some information such as, the Home Link prefix, the home agent Address, the Home Address(es), the Home Link prefix Length and security related information in order to later secure the Binding Update. The aforementioned set of information may be statically provisioned in the MN. However, static provisioning of this information has its drawbacks. It increases provisioning and network maintenance becomes easily burden for an operator. Moreover, static provisioning does not allow load balancing, failover, opportunistic home link assignment etc. For example, the user may be accessing the network from a location that may be geographically far away from the preconfigured home link; the administrative burden to configure the MNs with the respective addresses is large and the ability to react on environmental changes is minimal. In these situations static provisioning may not be desirable. Dynamic assignment of Mobile IPv6 home registration information is a desirable feature for ease of deployment and network maintenance. For this purpose, the Diameter infrastructure, which is used for access authentication, can be leveraged to assign some or all of the necessary parameters. The Diameter server in Access Service Provider's (ASP) or in Mobility Service Provider's (MSP) network may return these parameters to the AAA client. The AAA client might either be the NAS, in case of the integrated scenario, or the home agent, in case of the split scenario [I-D.ietf-mip6-bootstrapping- split]. The terms integrated and split are described in the terminology section and were introduced in [I-D.ietf-mip6-bootstrap-ps] and [I-D.ietf-mip6-aaa-ha-goals]. Korhonen, et al. Expires December 21, 2006 [Page 3] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 2. Terminology and Abbreviations The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [RFC2119]. General mobility terminology can be found in [RFC3753]. The following additional terms, as defined in [I-D.ietf-mip6-bootstrap-ps], are used in this document: Access Service Authorizer (ASA): A network operator that authenticates a mobile node and establishes the mobile node's authorization to receive Internet service. Access Service Provider (ASP): A network operator that provides direct IP packet forwarding to and from the mobile node. Mobility Service Authorizer (MSA): A service provider that authorizes Mobile IPv6 service. Mobility Service Provider (MSP): A service provider that provides Mobile IPv6 service. In order to obtain such service, the mobile node must be authenticated and authorized to obtain the Mobile IPv6 service. Split scenario: A scenario where the mobility service and the network access service are authorized by different entities. Integrated Scenario: A scenario where the mobility service and the network access service are authorized by the same entity. Korhonen, et al. Expires December 21, 2006 [Page 4] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 3. Overview This document addresses the authentication, authorization and accounting functionality required by for the MIPv6 bootstrapping as outlined in the MIPv6 bootstrapping problem statement document (see [I-D.ietf-mip6-bootstrap-ps]). This document focuses on the AAA functionality for the integrated scenario. The AAA interaction for the split scenario is conceptually simpler and described in [I-D.tschofenig-mip6-aaa-ha-diameter]. The subsequent text outlines the AAA interaction between the participating entities in the integrated scenario. In the integrated scenario MIPv6 bootstrapping is provided as part of the network access authentication procedure. Figure 1 shows the participating entities. This document, however, only concentrates on the NAS, possible local Diameter proxies and the home Diameter server. +---------------------------+ +-----------------+ |Access Service Provider | |ASA/MSA/(MSP) | |(Mobility Service Provider)| | | | | | | | +--------+ | | +--------+ | | |Local | Diameter | | |Home | | | |Diameter|<---------------------->|Diameter| | | |Proxy | | | |Server | | | +--------+ | | +--------+ | | ^ | | ^ | | | | | | | | | | | | | | |Diameter | | v | | | +-------+ | | +-------+ | | | |Home | | | |Home | | | | +---->|Agent | | | |Agent | | | | | |in ASP | | | |in MSP | | | v v +-------+ | | +-------+ | +-------+ IEEE | +-----------+ +-------+ | +-----------------+ |Mobile | 802.1X | |NAS/Relay | |DHCPv6 | | |Node |----------+-|Diameter |---|Server | | | | PANA,... | |Client | | | | +-------+ DHCP | +-----------+ +-------+ | +---------------------------+ Figure 1: Mobile IPv6 Bootstrapping in the Integrated Scenario In a typical Mobile IPv6 access scenario, as shown above, the MN is attached to an Access Service Provider's network. During the network attachment procedure, the NAS/Diameter client interacts with the Korhonen, et al. Expires December 21, 2006 [Page 5] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 mobile node. As shown in Figure 1, the authentication and authorization happens via the Diameter infrastructure. At the time of authorizing the user for the IPv6 access, the Diameter server in the MSA detects that the user is authorized for Mobile IPv6 access. Based on the MSA's policy, the Diameter server may allocate several parameters to the MN for use during the subsequent Mobile IPv6 protocol interaction with the home agent. Depending on the details of the solution interaction with the DHCPv6 server may be required, as described in [I-D.ietf-mip6-bootstrapping- integrated-dhc]. However, the solution described in this document is not dependant on the DHCPv6 as the only possible MIPv6 bootstrapping method. Korhonen, et al. Expires December 21, 2006 [Page 6] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 4. Commands, AVPs and Advertising Application Support This section describes command codes, defines AVPs and advertised application identifiers for the Diameter MIPv6 bootstrapping in the integrated scenario. 4.1 Advertising Application Support Diameter nodes conforming to this specification SHOULD include the value of (TBD) in the Auth-Application-Id or the Acct-Application-Id AVP of the Capabilities-Exchange-Request and Capabilities-Exchange- Answer commands [RFC3588]. This application is referred as the Diameter MIPv6 Bootstrapping Integrated scenario -- MIP6BSTI. From the advertised Application ID the home Diameter server is able to detect whether the Access Service Provider (and its NAS) supports MIPv6 bootstrapping and MIPv6. If the NAS also supports the EAP application and/or the Diameter NAS Application application corresponding Application IDs should be advertised during the capability exchange. If the NAS receives a response with the Result-Code set to DIAMETER_APPLICATION_UNSUPPORTED [RFC3588], it indicates that the Diameter server in the ASA/MSA does not support MIPv6 Bootstrapping Integrated application. In this case the NAS MAY attempt to fallback to basic network access authentication without MIPv6 bootstrapping. Whenever the mobile node authenticates using some EAP-based method then the NAS SHOULD use the Diameter MIPv6 Bootstrapping Integrated Application ID value of TBD in the Auth-Application-Id AVP in the Diameter-EAP-Request command [RFC4072] and subsequently the answering Diameter server in the Diameter-EAP-Answer command [RFC4072]. This implies that the NAS and the Diameter server MUST support MIPv6 Bootstrapping Integrated application. If either end lacks the required support, the NAS and subsequently also the Diameter server falls back to the EAP application [RFC4072]. If the mobile node does not use EAP-based network access authentication then the NAS SHOULD use the Diameter MIPv6 Bootstrapping Integrated Application ID value of TBD in the Auth- Application-Id AVP in the AA-Request command [RFC4005] and subsequently the answering Diameter server in the AA-Answer command [RFC4005]. This implies that the NAS and the Diameter server MUST support MIPv6 bootstrapping integrated application. If either end lacks the required support, the NAS and subsequently also the Diameter server falls back to the Diameter NAS application [RFC4005]. The value of zero (0) SHOULD be used as the Application-Id in all STR/STA, ACR/ACA, ASR/ASA, and RAR/RAA commands, because these Korhonen, et al. Expires December 21, 2006 [Page 7] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 commands are defined in the Diameter base protocol and no additional mandatory AVPs for those commands are defined in this document. 4.2 Command Codes This document re-uses the Diameter Base protocol [RFC3588], Diameter NAS Application [RFC4072] and EAP commands . The following commands are used to carry MIPv6 related bootstrapping AVPs: Command-Name Abbrev. Code Reference Application Diameter-EAP-Request DER 268 RFC 4072 MIP6BSTI Diameter-EAP-Answer DEA 268 RFC 4072 MIP6BSTI AA-Request AAR 265 RFC 4005 MIP6BSTI AA-Answer AAA 265 RFC 4005 MIP6BSTI Figure 2: MIPv6 Bootstrapping Integrated Application Command Codes When the Re-Auth-Request (RAR), Re-Auth-Answer (RAA), Session- Termination-Request (STR), Session-Termination-Answer (STA), Abort- Session-Request (ASR), Abort-Session-Answer (ASA), Accounting-Request (ACR), and Accounting-Answer (ACA) commands are used together with the Diameter MIPv6 Bootstrapping Integrated application, they follow the rules in the Diameter NAS [RFC4005], EAP [RFC4072] and BASE [RFC3588] applications. The accounting commands use Application Identifier value of 3 (Diameter Base Accounting); the others use 0 (Diameter Common Messages). 4.3 Diameter-EAP-Request (DER) The Diameter-EAP-Request (DER) command [RFC4072], indicated by the Command-Code field set to 268 and the 'R' bit set in the Command Flags field, may be sent by the NAS to the Diameter server providing network access authentication and authorization services. At the same time with the network access authentication and authorization the NAS MAY request home agent assignment, to authorize for mobility service usage and optionally to indicate the support of possible local home agent assignment. The NAS indicates the support for MIPv6 Bootstrapping Integrated application by setting the Auth-Application-Id to value of TBD. The DER command MAY also carry the DNS Update Mobility Option and the MIPv6 Bootstrapping Feature attribute. The message format is the same as defined in [RFC4072] with an addition of MIPv6 Bootstrapping Integrated application AVPs. The Korhonen, et al. Expires December 21, 2006 [Page 8] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 figure below shows the DER message used with the MIPv6 Bootstrapping Integrated application: ::= < Diameter Header: 268, REQ, PXY > < Session-Id > { Auth-Application-Id } { Origin-Host } { Origin-Realm } { Destination-Realm } { Auth-Request-Type } [ MIPv6-Bootstrapping-Feature ] [ Destination-Host ] ... * [ AVP ] Figure 3: Diameter EAP Request Command 4.4 Diameter-EAP-Answer (DEA) The Diameter-EAP-Answer (DEA) message define in [RFC4072], indicated by the Command- Code field set to 268 and 'R' bit cleared in the Command Flags field is sent in response to the Diameter-EAP-Request message (DER). If the mobility service is successfully authorized and the Diameter server was able to fulfill the bootstrapping request (if needed) then the response SHOULD include the MIP6-Home-Agent- Address AVP, MIP6-Home-Agent-FQDN and MIP4-Home-Agent-address AVPs. The message format is the same as defined in [RFC4072] with an addition of MIPv6 Bootstrapping Integrated application AVPs. The figure below shows the DEA message used with the MIPv6 Bootstrapping Integrated application: Korhonen, et al. Expires December 21, 2006 [Page 9] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 ::= < Diameter Header: 268, PXY > < Session-Id > { Auth-Application-Id } { Auth-Request-Type } { Result-Code } { Origin-Host } { Origin-Realm } [ MIP6-Home-Agent-Address ] [ MIP6-Home-Agent-FQDN ] [ MIP4-Home-Agent-address ] [ User-Name ] ... * [ AVP ] Figure 4: Diameter EAP Answer Command 4.5 AA-Request (AAR) The AA-Request (AAR) message, indicated by the Command-Code field set to 265 and 'R' bit set in the Command Flags field, may be sent by the NAS to the Diameter server providing network access configuration services. At the same time with the network access configuration the NAS MAY request home agent assignment, to authorize for mobility service usage and optionally to indicate the support of possible local home agent assignment. The NAS indicates the support for MIPv6 Bootstrapping Integrated application by setting the Auth-Application-Id to value of (TBD). The AAR command MAY also carry the DNS Update Mobility Option and the MIPv6 Bootstrapping Feature attribute. The message format is the same as defined in [RFC4005] with an addition of MIPv6 Bootstrapping Integrated application AVPs. The figure below shows the AAR message used with the MIPv6 Bootstrapping Integrated application: Korhonen, et al. Expires December 21, 2006 [Page 10] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 ::= < Diameter Header: 265, REQ, PXY > < Session-Id > { Auth-Application-Id } { Origin-Host } { Origin-Realm } { Destination-Realm } { Auth-Request-Type } [ MIPv6-Bootstrapping-Feature ] [ Destination-Host ] ... * [ AVP ] Figure 5: AA Request Command 4.6 AA-Answer (AAA) The AA-Answer (AAA) message, indicated by the Command-Code field set to 265 and 'R' bit cleared in the Command Flags field is sent in response to the AA-Request (AAR) message for confirmation of the result of MIPv6 HA bootstrapping. If the mobility service is successfully authorized and the Diameter server was able to fulfill the bootstrapping request (if needed) then the response SHOULD include the MIP6-Home-Agent-Address AVP, MIP6-Home-Agent-FQDN and MIP4-Home-Agent-address AVPs. The message format is the same as defined in [RFC4005] with an addition of MIPv6 Bootstrapping Integrated application AVPs. The figure below shows the DEA message used with the MIPv6 Bootstrapping Integrated application: Korhonen, et al. Expires December 21, 2006 [Page 11] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 ::= < Diameter Header: 265, PXY > < Session-Id > { Auth-Application-Id } { Auth-Request-Type } { Result-Code } { Origin-Host } { Origin-Realm } [ MIP6-Home-Agent-Address ] [ MIP6-Home-Agent-FQDN ] [ MIP4-Home-Agent-address ] [ User-Name ] ... * [ AVP ] Figure 6: AA Answer Command 4.7 New AVPs 4.7.1 MIP6-Home-Agent-Address AVP The MIP6-Home-Agent-Address AVP (AVP Code TBD) is of type OctetString and contains the Mobile IPv6 home agent address and the prefix length of the said address. The AVP is a discriminated union, representing IPv6 address in network byte order. The first two octets of this AVP represents the home link prefix length followed by 16 octets of the IPv6 address. The Diameter server MAY decide to assign a MIPv6 home agent to the MN that is in close proximity to the point of attachment (e.g. determined by the NAS-Identifier). There may be other reasons for dynamically assigning home agents to the MN, for example to share the traffic load. The AVP also contains the prefix length so that the MN can easily infer one of the possible Home Link prefixes from the home agent address. 4.7.2 MIP6-Home-Agent-FQDN AVP The MIP6-Home-Agent-FQDN AVP (AVP Code TBD) is of type UTF8String and contains the FQDN of a Mobile IPv6 home agent. 4.7.3 MIP4-Home-Agent-Address AVP The MIP4-Home-Agent-Address AVP (AVP Code TBD) is of type OctetString and contains the IPv4 home agent address and the prefix length of the said address. The AVP is a discriminated union, representing IPv4 Korhonen, et al. Expires December 21, 2006 [Page 12] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 address in network byte order. The first two octets of this AVP represents the home link prefix length followed by 4 octets of the IPv4 address. The Diameter server MAY decide to assign a MIPv4 home agent to the MN in a case where dual stack Mobile IP is supported [I-D.ietf-mip6- nemo-v4traversal]. 4.7.4 MIPv6-Bootstrapping-Feature AVP The MIPv6-Bootstrapping-Feature AVP (AVP Code TBD) is of type Unsigned32 and contains a 32 bits flags field of supported features by the NAS and the ASP. By using this payload the NAS indicates to the Diameter server certain capabilities and features. For example, the NAS might want to indicate that local home agent assignment can be provided. Local-Home-Agent-Assignment 1 This flag is set when the NAS knows that a local home agent located in the ASP can be provided for the MN. Dual-Stack-MIP-supported 2 This flag is set when the NAS and the local access network supports dual stack Mobile IP as defined in [I-D.ietf-mip6-nemo- v4traversal] and bootstrapping functionality can also be provided for the Mobile IPv4 Home Address. Korhonen, et al. Expires December 21, 2006 [Page 13] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 5. Diameter Client and Server Behavior During MIPv6 Bootstrapping This section describes the Diameter server and client behavior in case of the MIPv6 bootstrapping in the integrated scenario. The text does several assumptions for brevity. o The Diameter server is assumed to support at least the Diameter BASE, EAP and NAS applications. o The Diameter client (i.e. the NAS) is assumed to support at least the Diameter BASE, EAP and NAS applications. o The MN uses such network access authentication method and credentials that are supported by the NAS/ASP and ASA/MSA. o The MN has been provisioned with Mobile IPv6 service. o The capability exchange has already completed, thus the NAS and the Diameter server share the knowledge of mutually supported applications. Cases where the ASA/MSA do not support MIPv6 bootstrapping are not discussed. In these cases the NAS has no other choice than to carry out the network access authentication as defined in the Diameter EAP or NAS applications. 5.1 Client (NAS) Behavior If the ASP/NAS does not support MIPv6 integrated scenario bootstrapping and/or the corresponding application then the NAS either selects the Diameter NAS or EAP application depending on which authentication method the MN has to use to authenticate itself. Naturally after a successful or a failed authentication the NAS does not have to do any MIPv6 bootstrapping related procedures. Next we describe two different scenarios for the network access authentication when the ASP/NAS supports MIPv6 integrated scenario bootstrapping and the corresponding application. 1) The MN uses some EAP-based method (e.g. 802.11i/802.1X) to authenticate to the network. In this scenario the NAS uses commands originally defined for the EAP application. However, the Application IDs included in messages are set to the value of (TBD) indicating the MIP6BSTI application. Depending on the ASP capabilities the NAS may include the MIPv6-Bootstrapping-Feature AVP in the first DER message. This AVP indicates whether it is possible to allocate home agents locally and whether Mobile IPv4 bootstrapping is also supported. Korhonen, et al. Expires December 21, 2006 [Page 14] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 2) The MN uses some other than EAP-based method to authenticate to the network. In this scenario the NAS uses commands originally defined for the Diameter NAS application. However, the Application IDs included in messages are set to the value of (TBD) indicating the MIP6BSTI application. Depending on the ASP capabilities the NAS may include the MIPv6-Bootstrapping-Feature AVP in the first DER message. This AVP indicates whether it is possible to allocate home agents locally and whether Mobile IPv4 bootstrapping is also supported. If the network access authentication failed the NAS receives appropriate error codes as defined for the Diameter EAP or NAS applications. The NAS does not allow the MN to access the network and does not do any MIPv6 bootstrapping related procedures. If the network access authentication completed successfully, the NAS looks for home agent defining AVPs in the reply messages (either DEA or AAA depending on the used authentication method). The NAS associates the received bootstrapping information to the MN that initiated the access authentication and stores the information internally (storing time is determined by the ASP policy). The stored bootstrapping information is then available for the NAS and the DHCP relay for later step during the MN bootstrapping process. The actual bootstrapping from the MN point of view takes place after the network access authentication has completed. The bootstrapping may be realized e.g. using DHCP as defined in [I-D.ietf-mip6- bootstrapping-integrated-dhc] and [RFC2132]. The MN has actually no consistent way of indicating to the NAS that it supports MIPv6 integrated scenario way of bootstrapping during the network access authentication. Subsequently the NAS has no possibilities to find out whether the terminal attempting to authenticate is actually a MN with MIPv6 bootstrapping functionality prior the network access authentication has completed. Thus it is possible that the NAS initiates MIPv6 integrated scenario bootstrapping configuration even if the MN is not able to make any use of it later. The Diameter server in the ASA/MSA might be able to detect this situation during the authentication phase based on MN's identity -- assuming the ASA is able to verify from the MSA whether the MN has been provisioned with a MIPv6 service. 5.2 Server Behavior If the ASP/NAS does not support MIPv6 integrated scenario bootstrapping and/or the corresponding application then the NAS either selects the Diameter NAS or EAP application depending on which access authentication method the MN has to use to authenticate. The Korhonen, et al. Expires December 21, 2006 [Page 15] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 Diameter server in the ASA/MSA is able to detect this case (based on used Application IDs) and does not have to do any MIPv6 bootstrapping related procedures. Next we describe two different scenarios for the network access authentication using the MIPv6 integrated scenario bootstrapping and the corresponding MIP6BSTI application. 1) The MN uses some EAP-based method to authenticate to the network. In this scenario the NAS uses commands originally defined for the EAP application. However, the Application IDs included in messages are set to the value of (TBD) indicating the MIP6BSTI application. Depending on the ASA/MSA policy the Diameter server SHOULD assign a Mobile IPv6 home agent to the MN and include corresponding MIP6-Home-Agent-Address and the MIP6-Home-Agent-FQDN AVPs in the final DEA message. If the DER message received from the NAS included MIPv6-Bootstrapping-Feature AVP with Dual-Stack- MIP-supported flag set, the Diameter server MAY assign the MN with a Mobile IPv4 home agent and include a corresponding MIP4-Home- Agent-Address AVP in the final DEA message. If the MIPv6- Bootstrapping-Feature AVP has the Local-Home-Agent-Assignment flag set the Diameter server MAY attempt to assign a home agent located in the ASP network to the MN. 2) The MN uses some other than EAP-based method to authenticate to the network. In this scenario the NAS uses commands originally defined for the Diameter NAS application. However, the Application IDs included in messages are set to the value of (TBD) indicating the MIP6BSTI application. Depending on the ASA/MSA policy the Diameter server SHOULD assign the MN a Mobile IPv6 home agent and include corresponding MIP6-Home-Agent-Address and the MIP6-Home-Agent-FQDN AVPs in the final AAA message. If the AAR message received from the NAS included MIPv6-Bootstrapping-Feature AVP with Dual-Stack-MIP-supported flag set, the Diameter server MAY assign the MN a Mobile IPv4 home agent and include a corresponding MIP4-Home-Agent-Address AVP in the final AAA message. If the MIPv6-Bootstrapping-Feature AVP has the Local- Home-Agent-Assignment flag set the Diameter server MAY attempt to assign a home agent located in the ASP network to the MN. 5.3 Example Message Flows This section shows basic message flows of MIPv6 integrated scenario bootstrapping and dynamic home agent assignment. In the Figure 7 network access authentication is based on EAP (e.g. 802.11i/802.1X). The NAS informs home Diameter server that home agent assignment in the foreign network is possible. The Diameter server assigns the MN Korhonen, et al. Expires December 21, 2006 [Page 16] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 a home agent either in the home MSP or in the ASP. The assignment procedure is out of scope of this document. The Diameter server then replies to the NAS with home agent related bootstrapping information. NAS Local proxy Home server | | | | Diameter-EAP-Request | | | MIPv6-Bootstrapping-Feature=Local-Home-Agent-Assignment | | Auth-Request-Type=AUTHORIZE_AUTHENTICATE | | EAP-Payload(EAP Start) | | |------------------------------->|------------------------------->| | | | | : | : ...more EAP Request/Response pairs... : | : | | | | | | Diameter-EAP-Answer | | MIP6-Home-Agent-Address(IPv6 address) | | MIP6-Home-Agent-FQDN=ha.example.com | | | Result-Code=DIAMETER_SUCCESS | | | EAP-Payload(EAP Success) | | | EAP-Master-Session-Key | | | (authorization AVPs) | | | ... | |<-------------------------------|<-------------------------------| | | | Figure 7: MIPv6 integrated scenario bootstrapping example when EAP is used for access authentication Korhonen, et al. Expires December 21, 2006 [Page 17] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 6. AVP Occurrence Tables 6.1 DER and DEA Commands AVP Table The following table lists the additional MIPv6 Bootstrapping Integrated application (MIP6BSTI) AVPs that may be present in the DER and DEA Commands, as defined in this document and in [RFC4072]. +---------------+ | Command-Code | |-------+-------+ Attribute Name | DER | DEA | -------------------------------+-------+-------+ MIP6-Home-Agent-Address | 0 | 1 | MIP6-Home-Agent-FQDN | 0 | 0-1 | MIP4-Home-Agent-address | 0 | 0-1 | MIPv6-Bootstrapping-Feature | 0-1 | 0 | +-------+-------+ Figure 8: DER and DEA Commands AVP table 6.2 AAR and AAA Commands AVP Table The following table lists the additional MIPv6 Bootstrapping Integrated application (MIP6BSTI) AVPs that may be present in the AAR and AAA Commands, as defined in this document and in [RFC4005]. +---------------+ | Command-Code | |-------+-------+ Attribute Name | AAR | AAA | -------------------------------|-------+-------| MIP6-Home-Agent-Address | 0 | 1 | MIP6-Home-Agent-FQDN | 0 | 0-1 | MIP4-Home-Agent-address | 0 | 0-1 | MIPv6-Bootstrapping-Feature | 0-1 | 0 | +-------+-------+ Figure 9: AAR and AAA Commands AVP table Korhonen, et al. Expires December 21, 2006 [Page 18] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 7. MIPv6 Bootstrapping Integrated AVPs This section defines the AVPs that are specific to Diameter MIPv6 Bootstrapping Integrated application and that MAY be included in the Diameter EAP [RFC4072] and the NAS [RFC4005] applications messages listed in Section 4 of this document. The Diameter AVP rules are defined in the Diameter Base [RFC3588], Section 4. These AVP rules are observed in AVPs defined in this section. The following table describes the Diameter AVPs defined in the MIP6BSTI application, their AVP Code values, types, possible flag values, and whether the AVP MAY be encrypted. The Diameter base [RFC3588] specifies the AVP Flag rules for AVPs in section 4.5. +--------------------+ | AVP Flag rules | +----+-----+----+----+----+ AVP Section | | |SHLD|MUST| | Attribute Name Code Defined Data Type |MUST| MAY | NOT|NOT |Encr| -----------------------------------------+----+-----+----+----+----+ MIP6-Home-Agent- TBD x.y OctetString| M | P | | V | Y | Address | | | | | | MIP6-Home-Agent- TBD x.y UTF8String | M | P | | V | Y | FQDN | | | | | | MIP4-Home-Agent- TBD x.y OctetString| M | P | | V | Y | address | | | | | | MIPv6- TBD x.y Unsigned32 | M | P | | V | Y | Bootstrapping-Feature | | | | | | -----------------------------------------+----+-----+----+----+----+ Figure 10: AVP flag rules table Korhonen, et al. Expires December 21, 2006 [Page 19] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 8. IANA Considerations This document defines seven new Diameter AVPs, a new Diameter application and two new namespaces. 8.1 AVP Codes This specification defines the following new AVPs: MIP6-Home-Agent-Address is set to TBD MIP6-Home-Agent-FQDN is set to TBD MIP4-Home-Agent-address is set to TBD MIPv6-Bootstrapping-Feature is set to TBD 8.2 Application Identifier This specification defines new Diameter application called "MIPv6 Bootstrapping Integrated application" i.e. MIP6BSTI. The Application Identifier code for this application is set to TBD. 8.3 Namespaces This specification defines a new namespace for the MIPv6- Bootstrapping-Feature AVP flag values: Local-Home-Agent-Assignment is set to 1 Dual-Stack-MIP-supported is set to 2 Korhonen, et al. Expires December 21, 2006 [Page 20] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 9. Security Considerations The security considerations for the Diameter interaction required to accomplish the integrated scenario are described in [I-D.ietf-mip6- bootstrapping-integrated-dhc] . Additionally, the security considerations of the Diameter base protocol [RFC3588], Diameter NAS application [RFC4005] / Diameter EAP [RFC4072] application (with respect to network access authentication and the transport of keying material) are applicable to this document. Korhonen, et al. Expires December 21, 2006 [Page 21] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 10. Acknowledgements This document is heavily based on the ongoing work for RADIUS MIPv6 interaction. Hence, credits go to Kuntal Chowdhury and Avi Lior for their work with draft-chowdhury-mip6-radius-00.txt. Furthermore, the author would like to thank the authors of draft-le-aaa-diameter-mobileipv6-04.txt (Franck Le, Basavaraj Patil, Charles E. Perkins, Stefano Faccin) for their work in context of MIPv6 Diameter interworking. Their work influenced this document. Korhonen, et al. Expires December 21, 2006 [Page 22] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 11. References 11.1 Normative References [I-D.ietf-mip6-aaa-ha-goals] Giaretta, G., "Goals for AAA-HA interface", draft-ietf-mip6-aaa-ha-goals-01 (work in progress), January 2006. [I-D.ietf-mip6-bootstrap-ps] Giaretta, G. and A. Patel, "Problem Statement for bootstrapping Mobile IPv6", draft-ietf-mip6-bootstrap-ps-05 (work in progress), May 2006. [I-D.ietf-mip6-bootstrapping-integrated-dhc] Chowdhury, K. and A. Yegin, "MIP6-bootstrapping via DHCPv6 for the Integrated Scenario", draft-ietf-mip6-bootstrapping-integrated-dhc-01 (work in progress), June 2006. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", March 1997. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003. [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. 11.2 Informative References [I-D.ietf-mip6-bootstrapping-split] Giaretta, G., "Mobile IPv6 bootstrapping in split scenario", draft-ietf-mip6-bootstrapping-split-02 (work in progress), March 2006. [I-D.ietf-mip6-nemo-v4traversal] Soliman, H., "Mobile IPv6 support for dual stack Hosts and Routers (DSMIPv6)", draft-ietf-mip6-nemo-v4traversal-01 (work in progress), March 2006. [I-D.jang-mip6-hiopt] Jang, H., "DHCP Option for Home Information Discovery in MIPv6", draft-jang-mip6-hiopt-00 (work in progress), June 2006. [I-D.tschofenig-mip6-aaa-ha-diameter] Korhonen, et al. Expires December 21, 2006 [Page 23] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 Tschofenig, H., "Mobile IPv6 Bootstrapping using Diameter", draft-tschofenig-mip6-aaa-ha-diameter-01 (work in progress), October 2005. [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997. [RFC3753] Manner, J. and M. Kojo, "Mobility Related Terminology", RFC 3753, June 2004. [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005. [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005. Authors' Addresses Jouni Korhonen TeliaSonera Teollisuuskatu 13 Sonera FIN-00051 Finland Email: jouni.korhonen@teliasonera.com Julien Bournelle GET/INT 9 rue Charles Fourier Evry 91011 France Email: julien.bournelle@int-evry.fr Hannes Tschofenig Siemens Otto-Hahn-Ring 6 Munich, Bavaria 81739 Germany Email: Hannes.Tschofenig@siemens.com URI: http://www.tschofenig.com Korhonen, et al. Expires December 21, 2006 [Page 24] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 Charles E. Perkins Nokia Email: charliep@iprg.nokia.com Korhonen, et al. Expires December 21, 2006 [Page 25] Internet-Draft Diameter MIPv6 Integrated Scenario June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Korhonen, et al. Expires December 21, 2006 [Page 26]