< draft-ietf-mip6-radius-03.txt   draft-ietf-mip6-radius-04.txt >
Network Working Group A. Lior Network Working Group A. Lior
Internet-Draft Bridgewater Systems Internet-Draft Bridgewater Systems
Intended status: Standards Track K. Chowdhury Intended status: Standards Track K. Chowdhury
Expires: May 21, 2008 Starent Networks Expires: August 28, 2008 Starent Networks
H. Tschofenig H. Tschofenig
Siemens Siemens
November 18, 2007 February 25, 2008
RADIUS Mobile IPv6 Support RADIUS Mobile IPv6 Support
draft-ietf-mip6-radius-03.txt draft-ietf-mip6-radius-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 21, 2008. This Internet-Draft will expire on August 28, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
Abstract Abstract
A Mobile IPv6 node requires a home agent(HA) address, a home This document defines new attributes to facilitate Mobile IPv6
address(HOA), and IPsec security association with its HA before it operationrs using RADIUS infratstructure. The operations include
can start utilizing Mobile IPv6 service. RFC 3775 requires that some bootstrapping of information required by the Mobile and the interface
or all of these parameters are statically configured. Ongoing work between the Home Agent and the RADIUS server used to assist MIP6
aims to make this information dynamically available to the mobile operations.
node. An important aspect of the Mobile IPv6 bootstrapping solution
is to support interworking with existing authentication,
authorization and accounting (AAA) infrastructure. This document
defines new attributes to facilitate Mobile IPv6 bootstrapping via a
RADIUS infrastructure. This information exchange may take place as
part of the initial network access authentication procedure or as
part of a separate protocol exchange between the mobile node, the HA
and the AAA infrastructure.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 6 3. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Integrated Scenario . . . . . . . . . . . . . . . . . . . 6 3.1. RADIUS Transaction in Integrated Scenario . . . . . . . . 7
3.2. Split Scenario . . . . . . . . . . . . . . . . . . . . . . 7 3.2. RADIUS Transactions in Split Scenario . . . . . . . . . . 8
4. RADIUS Attribute Overview . . . . . . . . . . . . . . . . . . 9 4. RADIUS Attribute Overview . . . . . . . . . . . . . . . . . . 11
4.1. MIP6-Feature-Vector . . . . . . . . . . . . . . . . . . . 9 4.1. MIP6-Feature-Vector . . . . . . . . . . . . . . . . . . . 11
4.2. MIP6-HA Attribute . . . . . . . . . . . . . . . . . . . . 9 4.2. MIP6-HA Attribute . . . . . . . . . . . . . . . . . . . . 11
4.3. MIP6-HA-FQDN Attribute . . . . . . . . . . . . . . . . . . 9 4.3. MIP6-HA-FQDN Attribute . . . . . . . . . . . . . . . . . . 11
4.4. MIP6-HL-Prefix Attribute . . . . . . . . . . . . . . . . . 9 4.4. MIP6-HL-Prefix Attribute . . . . . . . . . . . . . . . . . 11
4.5. MIP6-HOA Attribute . . . . . . . . . . . . . . . . . . . . 9 4.5. MIP6-HOA Attribute . . . . . . . . . . . . . . . . . . . . 11
4.6. MIP6-DNS-MO Attribute . . . . . . . . . . . . . . . . . . 10 4.6. MIP6-DNS-MO Attribute . . . . . . . . . . . . . . . . . . 12
4.7. Use of existing RADIUS Attributes . . . . . . . . . . . . 10 4.7. MIP6-Careof-Address . . . . . . . . . . . . . . . . . . . 12
4.7.1. User-Name . . . . . . . . . . . . . . . . . . . . . . 10 4.8. MIP6-MN-AAA-SPI . . . . . . . . . . . . . . . . . . . . . 12
4.7.2. Service-Type . . . . . . . . . . . . . . . . . . . . . 10 4.9. MIP6-Authenticator . . . . . . . . . . . . . . . . . . . . 12
4.7.3. NAS-Port-Type . . . . . . . . . . . . . . . . . . . . 10 4.10. MIP6-MAC-Mobility-Data . . . . . . . . . . . . . . . . . . 12
4.7.4. Calling-Station-Id . . . . . . . . . . . . . . . . . . 10 4.11. MIP6-Timestamp . . . . . . . . . . . . . . . . . . . . . . 13
4.7.5. Use of MS-MPPE-Recv-Key and MS-MPPE-Send-Key . . . . . 10 4.12. MIP6-MN-HA-SPI . . . . . . . . . . . . . . . . . . . . . . 13
5. RADIUS attributes . . . . . . . . . . . . . . . . . . . . . . 11 4.13. MIP6-Algorithm-Type . . . . . . . . . . . . . . . . . . . 13
5.1. MIP6-Feature-Vector Attribute . . . . . . . . . . . . . . 11 4.14. MIP6-Replay-Mode . . . . . . . . . . . . . . . . . . . . . 13
5.2. MIP6-HA Attribute . . . . . . . . . . . . . . . . . . . . 12 4.15. MIP6-Nonce . . . . . . . . . . . . . . . . . . . . . . . . 13
5.3. MIP6-HA-FQDN Attribute . . . . . . . . . . . . . . . . . . 13 5. Use of existing RADIUS Attributes . . . . . . . . . . . . . . 14
5.4. MIP6-HL-Prefix Attribute . . . . . . . . . . . . . . . . . 14 5.1. User-Name . . . . . . . . . . . . . . . . . . . . . . . . 14
5.5. MIP6-HOA Attribute . . . . . . . . . . . . . . . . . . . . 15 5.2. Service-Type . . . . . . . . . . . . . . . . . . . . . . . 14
5.6. MIP6-DNS-MO Attribute . . . . . . . . . . . . . . . . . . 16 5.3. NAS-Port-Type . . . . . . . . . . . . . . . . . . . . . . 14
6. Message Flows . . . . . . . . . . . . . . . . . . . . . . . . 18 5.4. Calling-Station-Id . . . . . . . . . . . . . . . . . . . . 14
6.1. Integrated Scenario (MSA=ASA) . . . . . . . . . . . . . . 18 5.5. Use of MS-MPPE-Recv-Key and MS-MPPE-Send-Key . . . . . . . 14
6.1.1. HA allocation in the MSP . . . . . . . . . . . . . . . 18 5.6. Session-Timeout . . . . . . . . . . . . . . . . . . . . . 14
6.1.2. HA allocation in the ASP (visited network) . . . . . . 20 5.7. Message Authenticator . . . . . . . . . . . . . . . . . . 15
6. RADIUS attributes . . . . . . . . . . . . . . . . . . . . . . 16
6.2. Split Scenario (MSA!=ASA) . . . . . . . . . . . . . . . . 20 6.1. MIP6-Feature-Vector Attribute . . . . . . . . . . . . . . 16
6.2.1. Mobile Service Provider and Mobile Service 6.2. MIP6-HA Attribute . . . . . . . . . . . . . . . . . . . . 17
Authorizer are the same entity. . . . . . . . . . . . 20 6.3. MIP6-HA-FQDN Attribute . . . . . . . . . . . . . . . . . . 18
6.2.2. Mobile Service Provider and Mobile Service 6.4. MIP6-HL-Prefix Attribute . . . . . . . . . . . . . . . . . 19
Authorizer are different entities. . . . . . . . . . . 23 6.5. MIP6-HOA Attribute . . . . . . . . . . . . . . . . . . . . 20
7. Goals for the HA-AAA Interface . . . . . . . . . . . . . . . . 24 6.6. MIP6-DNS-MO Attribute . . . . . . . . . . . . . . . . . . 21
7.1. General Goals . . . . . . . . . . . . . . . . . . . . . . 24 6.7. MIP6-Careof-Address . . . . . . . . . . . . . . . . . . . 22
7.2. Service Authorization . . . . . . . . . . . . . . . . . . 24 6.8. MIP6-MN-AAA-SPI . . . . . . . . . . . . . . . . . . . . . 23
7.3. Accounting . . . . . . . . . . . . . . . . . . . . . . . . 25 6.9. MIP6-Authenticator . . . . . . . . . . . . . . . . . . . . 24
7.4. MN Authentication . . . . . . . . . . . . . . . . . . . . 25 6.10. MIP6-MAC-Mobility-Data . . . . . . . . . . . . . . . . . . 24
7.5. Provisioning of Configuration Parameters . . . . . . . . . 25 6.11. MIP6-Timestamp . . . . . . . . . . . . . . . . . . . . . . 25
8. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 26 6.12. MIP6-MN-HA-SPI . . . . . . . . . . . . . . . . . . . . . . 25
9. Diameter Considerations . . . . . . . . . . . . . . . . . . . 27 6.13. MIP6-Algorithm-Type . . . . . . . . . . . . . . . . . . . 26
10. Security Considerations . . . . . . . . . . . . . . . . . . . 28 6.14. MIP6-Replay-Mode . . . . . . . . . . . . . . . . . . . . . 26
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 6.15. MIP6-Nonce . . . . . . . . . . . . . . . . . . . . . . . . 27
11.1. Registration of new AVPs . . . . . . . . . . . . . . . . . 29 7. Message Flows . . . . . . . . . . . . . . . . . . . . . . . . 29
11.2. New Registry: Mobility Capability . . . . . . . . . . . . 29 7.1. Use of RADIUS in Integrated Scenario (MSA=ASA) . . . . . . 29
11.3. Addition of existing values . . . . . . . . . . . . . . . 29 7.1.1. HA allocation in the MSP . . . . . . . . . . . . . . . 29
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30 7.1.2. HA allocation in the ASP (visited network) . . . . . . 31
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31 7.2. Use of RADIUS In Split Scenario (MSA!=ASA) . . . . . . . . 31
13.1. Normative References . . . . . . . . . . . . . . . . . . . 31 7.2.1. Mobile Service Provider and Mobile Service
13.2. Informative References . . . . . . . . . . . . . . . . . . 31 Authorizer are the same entity. . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33 7.2.2. Mobile Service Provider and Mobile Service
Intellectual Property and Copyright Statements . . . . . . . . . . 34 Authorizer are different entities. . . . . . . . . . . 34
8. Goals for the HA-AAA Interface . . . . . . . . . . . . . . . . 35
8.1. General Goals . . . . . . . . . . . . . . . . . . . . . . 35
8.2. Service Authorization . . . . . . . . . . . . . . . . . . 35
8.3. Accounting . . . . . . . . . . . . . . . . . . . . . . . . 36
8.4. MN Authentication . . . . . . . . . . . . . . . . . . . . 36
8.5. Provisioning of Configuration Parameters . . . . . . . . . 36
9. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 37
10. Diameter Considerations . . . . . . . . . . . . . . . . . . . 40
11. Security Considerations . . . . . . . . . . . . . . . . . . . 41
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42
12.1. Registration of new AVPs . . . . . . . . . . . . . . . . . 42
12.2. New Registry: Mobility Capability . . . . . . . . . . . . 42
12.3. Addition of existing values . . . . . . . . . . . . . . . 42
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 43
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
14.1. Normative References . . . . . . . . . . . . . . . . . . . 44
14.2. Informative References . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 46
Intellectual Property and Copyright Statements . . . . . . . . . . 47
1. Introduction 1. Introduction
Mobile IPv6 specification [6] requires a Mobile Node (MN) to perform This document covers two aspects of MIP6 operations: bootstrapping of
information required by a Mobile IPv6 Mobile using the AAA
infrastructure and the interaction between the MIPv6 HA and the AAA
infrastructure.
Mobile IPv6 specification [10] requires a Mobile Node (MN) to perform
registration with an HA with information about its current point of registration with an HA with information about its current point of
attachment (Care-of Address). The HA creates and maintains binding attachment (Care-of Address). The HA creates and maintains binding
between the MN's HOA and the MN's Care-of Address. between the MN's HOA and the MN's Care-of Address.
In order to register with a HA, the MN needs to know some information In order to register with a HA, the MN needs to know some information
such as, the Home Link prefix, the HA Address, the HOA, the Home Link such as, the Home Link prefix, the HA Address, the HOA, the Home Link
prefix Length and security related information in order to secure the prefix Length and security related information in order to secure the
Binding Update. Binding Update.
The aforementioned set of information may be statically provisioned The aforementioned set of information may be statically provisioned
skipping to change at page 4, line 38 skipping to change at page 4, line 43
Dynamic assignment of Mobile IPv6 home registration information is a Dynamic assignment of Mobile IPv6 home registration information is a
desirable feature for ease of deployment and network maintenance. desirable feature for ease of deployment and network maintenance.
For this purpose, the RADIUS infrastructure, which is used for access For this purpose, the RADIUS infrastructure, which is used for access
authentication, can be leveraged to assign some or all of the authentication, can be leveraged to assign some or all of the
necessary parameters. The RADIUS server in the Access Service necessary parameters. The RADIUS server in the Access Service
Provider (ASP) or in the Mobility Service Provider's (MSP) network Provider (ASP) or in the Mobility Service Provider's (MSP) network
may return these parameters to the AAA client. The AAA client might may return these parameters to the AAA client. The AAA client might
either be the NAS, in case of the integrated scenario, or the HA, in either be the NAS, in case of the integrated scenario, or the HA, in
case of the split scenario. The terms integrated and split are case of the split scenario. The terms integrated and split are
described in the terminology section and were introduced in [7]. described in the terminology section and were introduced in [11].
The second aspect of MIP6 and RADIUS interworking is the interaction
between the HA and the AAA using the RADIUS AAA protocols. From a
mobility service provider (MSP) perspective, it is important to
verify that the MN is authenticated and authorized to utilize Mobile
IPv6 service and that such services are accounted for. Thus, prior
to processing the Mobile IPv6 registrations, the HA, participates in
the authentication of the MN to verify the MN's identity. The HA
alsoparticipates in the Mobile IPv6 authorization process involving
the RADIUS infrastructure. The HA, due to its role in traffic
forwarding, may also perform accounting for the Mobile IPv6 service
provided to the MN. This document specifies the interaction between
the HA and the RADIUS server and aligns with the work done in with
the Diameter specifications described in [12].
2. Terminology 2. Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1]. document are to be interpreted as described in [1].
General mobility terminology can be found in [8]. The following General mobility terminology can be found in [13]. The following
additional terms, as defined in [7], are used in this document: additional terms, as defined in [11], are used in this document:
Access Service Authorizer (ASA): Access Service Authorizer (ASA):
A network operator that authenticates a mobile node and A network operator that authenticates a mobile node and
establishes the mobile node's authorization to receive Internet establishes the mobile node's authorization to receive Internet
service. service.
Access Service Provider (ASP): Access Service Provider (ASP):
A network operator that provides direct IP packet forwarding to A network operator that provides direct IP packet forwarding to
skipping to change at page 6, line 8 skipping to change at page 7, line 8
service are authorized by different entities. service are authorized by different entities.
Integrated Scenario: Integrated Scenario:
A scenario where the mobility service and the network access A scenario where the mobility service and the network access
service are authorized by the same entity. service are authorized by the same entity.
3. Solution Overview 3. Solution Overview
This document addresses the authentication, authorization and This document addresses the authentication, authorization and
accounting functionality required by MIPv6 bootstrapping as outlined accounting functionality required by MIPv6 bootstrapping and
in the MIPv6 bootstrapping problem statement document (see [7]). As Authentication as outlined in the MIPv6 bootstrapping problem
such, the AAA functionality for the integrated and the split scenario statement document (see [11]). As such, the AAA functionality for
needs to be defined. This requires the ability to offer support for the integrated and the split scenario needs to be defined. This
the HA to AAA server and the network access server(NAS) to AAA server requires the ability to offer support for the HA to AAA server and
communication. the network access server(NAS) to AAA server communication.
To highlight the main use cases, we briefly describe the integrated To highlight the main use cases, we briefly describe the integrated
and the split scenarios in Section 3.1 and Section 3.2, respectively. and the split scenarios in Section 3.1 and Section 3.2, respectively.
3.1. Integrated Scenario 3.1. RADIUS Transaction in Integrated Scenario
In the integrated scenario MIPv6 bootstrapping is provided as part of In the integrated scenario MIPv6 bootstrapping is provided as part of
the network access authentication procedure. Figure 1 shows the the network access authentication procedure. Figure 1 shows the
participating entity. participating entity.
+---------------------------+ +-----------------+ +---------------------------+ +-----------------+
|Access Service Provider | |ASA/MSA/(/MSP) | |Access Service Provider | |ASA/MSA/(/MSP) |
|(Mobility Service Provider)| | | |(Mobility Service Provider)| | |
| | | +-------+ | | | | +-------+ |
| +-------+ | | |Remote | | | +-------+ | | |Remote | |
skipping to change at page 7, line 17 skipping to change at page 8, line 17
At the time of authorizing the user for IPv6 access, the RADIUS At the time of authorizing the user for IPv6 access, the RADIUS
server in the MSA detects that the user is authorized for Mobile IPv6 server in the MSA detects that the user is authorized for Mobile IPv6
access. Based on the MSA's policy, the RADIUS server may allocate access. Based on the MSA's policy, the RADIUS server may allocate
several parameters to the MN for use during the subsequent Mobile several parameters to the MN for use during the subsequent Mobile
IPv6 protocol interaction with the HA. IPv6 protocol interaction with the HA.
Depending on the details of the solution interaction with the DHCPv6 Depending on the details of the solution interaction with the DHCPv6
server may be required, as described in [2]. server may be required, as described in [2].
3.2. Split Scenario 3.2. RADIUS Transactions in Split Scenario
In the split scenario, Mobile IPv6 bootstrapping is not provided as In the split scenario, Mobile IPv6 bootstrapping is not provided as
part of the network access authentication procedure. The Mobile IPv6 part of the network access authentication procedure. Other RADIUS
bootstrapping procedure is executed with the Mobility Service transactions such as authentication and authorization, accounting and
Provider when desired by the MN. Two variations can be considered: parameter configuration for MIP6 service is provided by the HA to
RADIUS transactions.
The Mobile IPv6 RADIUS transaction are executed with the Mobility
Service Provider when desired by the MN. Two variations can be
considered:
1. the MSA and the MSP are the same entity. 1. the MSA and the MSP are the same entity.
2. the MSA and the MSP are different entities. 2. the MSA and the MSP are different entities.
Since scenario (2) is the more generic scenario we show it in Since scenario (2) is the more generic scenario we show it in
Figure 2. Figure 2.
+----------------------+ +----------------------+
| | | |
skipping to change at page 8, line 31 skipping to change at page 9, line 31
|Node |-------------|RADIUS |-------------- |RADIUS | | |Node |-------------|RADIUS |-------------- |RADIUS | |
| | IKEv2 | |Client | |Proxy | | | | IKEv2 | |Client | |Proxy | |
+-------+ | +-----------+ +-------+ | +-------+ | +-----------+ +-------+ |
+----------------------------------------+ +----------------------------------------+
Figure 2: Mobile IPv6 service access in the split scenario (MSA != Figure 2: Mobile IPv6 service access in the split scenario (MSA !=
MSP) MSP)
As shown in Figure 2 the interaction between the RADIUS client and As shown in Figure 2 the interaction between the RADIUS client and
the RADIUS server is triggered by the protocol interaction between the RADIUS server is triggered by the protocol interaction between
the MN and the HA/RADIUS client using IKEv2 (see [3] and [9]). The the MN and the HA/RADIUS client using IKEv2 [14] or MIPv6
HA / RADIUS Client interacts with the RADIUS infrastructure to Authentication Protocol [3]. The important aspect is, however, that
perform authentication, authorization, accounting and parameter for these two approaches several different authentication and key
bootstrapping. The exchange is triggered by the HA and an exchange solutions are available. To establish IPsec security
interaction with the RADIUS infrastructure is initiated. When the associations, protecting of Mobile IPv6 signaling messages IKEv2 is
protocol exchange is completed then the HA needs to possess the used [14]. IKEv2 supports EAP-based authentication, certificates and
Mobile IPv6 specific parameters (see [7]). pre-shared secrets. For protecting using the MIPv6 Authentication
Protocol [3] a mechanism has been designed that is very similar to
the one used by Mobile IPv4.
The ability to use different credentials has an impact on the
interaction between the HA (acting as a Diameter client) and the
RADIUS Server. For that reason this document illustrates the usage
of these authentication mechanisms with different subsections for:
o IKEv2 usage with EAP
o IKEv2 usage with certificates and pre-shared secrets
o MIPv6 Authentication Protocol
For accounting of Mobile IPv6 services provided to the MN, this
specification uses the accounting application defined in [4].
Additionally, the MN might instruct the RADIUS server (via the HA) to Additionally, the MN might instruct the RADIUS server (via the HA) to
perform a dynamic DNS update. perform a dynamic DNS update.
4. RADIUS Attribute Overview 4. RADIUS Attribute Overview
4.1. MIP6-Feature-Vector 4.1. MIP6-Feature-Vector
The MIP6-Feature-Vector when included in an Access-Request packet is The MIP6-Feature-Vector when included in an Access-Request packet is
used by the NAS to indicate supported MIP6 features. For example, used by the NAS or the HA to indicate supported MIP6 features. For
the NAS uses this attribute to indicate whether it can provide a example, a NAS uses this attribute to indicate whether it can provide
local home agent. a local home agent.
When included in an Access-Accept packet, the MIP6-Feature-Vector is When included in an Access-Accept packet, the MIP6-Feature-Vector is
used by the RADIUS Server to indicate supported MIP6 features and to used by the RADIUS Server to indicate supported MIP6 features and to
select advetized feature by the NAS. For example, if the NAS select advetized feature by the NAS. For example, if the NAS
indicated support for local home agent assignment, the RADIUS server indicated support for local home agent assignment, the RADIUS server
authorizes the NAS to support local home agent assignment by echoing authorizes the NAS to support local home agent assignment by echoing
the setting the same flag in the Access-Accept packet. the setting the same flag in the Access-Accept packet.
4.2. MIP6-HA Attribute 4.2. MIP6-HA Attribute
The RADIUS server may decide to assign a HA to the MN that is in In the case of bootstrapping, the RADIUS server may decide to assign
close proximity to the point of attachment (e.g., as determined by a HA to the MN that is in close proximity to the point of attachment
the NAS-ID). There may be other reasons for dynamically assigning (e.g., as determined by the NAS-ID). There may be other reasons for
HAs to the MN, for example to share the traffic load. The attribute dynamically assigning HAs to the MN, for example to share the traffic
also contains the prefix length so that the MN can easily infer the load. The attribute also contains the prefix length so that the MN
Home Link prefix from the HA address. can easily infer the Home Link prefix from the HA address.
The MIP-Home-Agent-Address AVP contains the IPv6 address of the Home
Agent. The Home Agent address is the same as in the received BU
message.
4.3. MIP6-HA-FQDN Attribute 4.3. MIP6-HA-FQDN Attribute
The RADIUS server may assign an FQDN of the HA to the MN. The mobile The RADIUS server may assign an FQDN of the HA to the MN. The mobile
node can perform DNS query with the FQDN to derive the HA address. node can perform DNS query with the FQDN to derive the HA address.
4.4. MIP6-HL-Prefix Attribute 4.4. MIP6-HL-Prefix Attribute
For the same reason as the HA assignment, the RADIUS server may For the same reason as the HA assignment, the RADIUS server may
assign a Home Link that is in close proximity to the point of assign a Home Link that is in close proximity to the point of
attachment (NAS-ID). The MN can perform [6] specific procedures to attachment (NAS-ID). The MN can perform [10] specific procedures to
discover other information for Mobile IPv6 registration. discover other information for Mobile IPv6 registration.
4.5. MIP6-HOA Attribute 4.5. MIP6-HOA Attribute
The RADIUS server may assign a HOA to the MN. This allows the In the bootstrapping case, the RADIUS server may assign a HOA to the
network operator to support mobile devices that are not configured MN. This allows the network operator to support mobile devices that
with static addresses. The attribute also contains the prefix length are not configured with static addresses. The attribute also
so that the MN can easily infer the Home Link prefix from the HA contains the prefix length so that the MN can easily infer the Home
address. Link prefix from the HA address.
In the case of interaction with the HA, the MIP6-HOA contains the
Home Agent assigned IPv6 Home Address of the Mobile Node.
If the MIP6-HOA AVP contains unspecified IPv6 address (0::0) in a
request message, then the Home Agent expects the RADIUS server to
assign the Home Address in a subsequent reply message. In case the
RADIUS server assigns only a Home Network Prefix to the Mobile Node
the lower 64 bits of the MIP-Mobile-Node-Address AVP provided address
MUST be set to zero.
4.6. MIP6-DNS-MO Attribute 4.6. MIP6-DNS-MO Attribute
By using this payload the RADIUS client instructs the RADIUS server By using this payload the RADIUS client instructs the RADIUS server
to perform a dynamic DNS update. When this payload is included in to perform a dynamic DNS update. When this payload is included in
the reverse direction, i.e., from the RADIUS server to the RADIUS the reverse direction, i.e., from the RADIUS server to the RADIUS
client, it informs about the status of the dynamic DNS update. When client, it informs about the status of the dynamic DNS update. When
the payload is sent from the RADIUS client to the RADIUS server then the payload is sent from the RADIUS client to the RADIUS server then
the response MUST include the MIP6-DNS-MO attribute. the response MUST include the MIP6-DNS-MO attribute.
4.7. Use of existing RADIUS Attributes 4.7. MIP6-Careof-Address
4.7.1. User-Name The MIP6-Careof-Address contains the IPv6 Care-of Address of the
Mobile Node. The Home Agent extracts this IP address from the
received BU message.
4.8. MIP6-MN-AAA-SPI
The MIP6-MN-AAA-SPI attribute contains an SPI code extracted from the
Mobility Message Authentication Option included in the received BU
message.
4.9. MIP6-Authenticator
The MIP6-Authenticator contains the Authenticator Data from the
received BU message. The Home Agent extracts this data from the MN-
AAA Mobility Message Authentication Option included in the received
BU message and sends it to the RADIUS Server.
The RADIUS server computes its own version of the Authenticator Data
from the received MIP6-MAC-Mobility-Data (see below) and compares it
to the value received in the MIP6-Authenticator from the HA. If the
values match then the Mobile Node is authenticated.
4.10. MIP6-MAC-Mobility-Data
The MIP6-MAC-Mobility-Data contains the calculated MAC_Mobility_Data,
as defined in [3].
4.11. MIP6-Timestamp
The MIP6-Timestamp contains the timestamp value from the Mobility
message replay protection option, defined in [3]. The Home Agent
extracts this value from the received BU message, if available.
The support for replay protection is an optional feature in [3].
When the RADIUS server checks the timestamp provided by the MN via
the HA and recognizes a clock-drift (outside a locally defined replay
protection window) then it MUST initiate the re-synchronization
procedure by returning an Access-Accept packet with Result-Code set
to MIP6-TIMESTAMP-MISMATCH and attaches the MIP6-Timestamp including
it's current time back to the HA.
4.12. MIP6-MN-HA-SPI
The MIP6-MN-HA-SPI is part of a group of attributes used with the
MIPv6 Authentication Protocol. The attributes contains an SPI code
provided by the RADIUS server for the Mobile IPv6 MN-HA.
4.13. MIP6-Algorithm-Type
The MIP6-Algorithm-Type is part of a group of attributes used with
the MIPv6 Authentication protocol and contains Algorithm identifier
for the associated Mobile IPv6 MN-HA Authentication Option. The
Diameter server selects the algorithm type. Existing algorithm types
are defined in RFC 4004 that also fulfill current RFC 4285
requirements.
4.14. MIP6-Replay-Mode
The MIP6-Replay-Mode is part of a group of attributes used with the
MIPv6 Authentication protocol and contains the replay modes as
defined in RFC4004 to be used by the HA.
4.15. MIP6-Nonce
The MIP6-Nonce is part of a group of attributes used with the MIPv6
Authentication protocol and contains the nonce to send to the Mobile.
5. Use of existing RADIUS Attributes
5.1. User-Name
If authentication via IKEv2 is used then the User-Name attribute If authentication via IKEv2 is used then the User-Name attribute
SHALL be set to the IDi payload received in the IKE_AUTH exchange. SHALL be set to the IDi payload received in the IKE_AUTH exchange.
4.7.2. Service-Type 5.2. Service-Type
If the HA uses Service-Type(6) is SHALL set its value to "Framed"(2). If the HA uses Service-Type(6) is SHALL set its value to "Framed"(2).
4.7.3. NAS-Port-Type 5.3. NAS-Port-Type
In order for the AAA to distingiues the source of the Access-Request In order for the AAA to distingiues the source of the Access-Request
NAS-Port-Type(61) is used as follows: NAS-Port-Type(61) is used as follows:
In the split scenario when the Access-Request originates from an MIP6 When the Access-Request originates from an MIP6 HA, NAS-Port-Type
HA, NAS-Port-Type MUST be included and its value set to HA6(IANA- MUST be included and its value set to HA6(IANA-TBD1).
TBD1).
4.7.4. Calling-Station-Id 5.4. Calling-Station-Id
In the split-scenario, the HA SHOULD use the Calling-Station-Id(31) In the split-scenario, the HA SHOULD use the Calling-Station-Id(31)
to send the MN's COA to the AAA. If used, the string value of the to send the MN's COA to the AAA. If used, the string value of the
Calling-Station-Id(31) should be set to the 128-bit MN IPv6 COA. Calling-Station-Id(31) should be set to the 128-bit MN IPv6 COA.
4.7.5. Use of MS-MPPE-Recv-Key and MS-MPPE-Send-Key 5.5. Use of MS-MPPE-Recv-Key and MS-MPPE-Send-Key
To transport the MSK from the RADIUS to the HA, RADIUS SHALL utilize To transport the MSK from the RADIUS to the HA, RADIUS SHALL utilize
the MS-MPPE-Recv-Key and the MS-MPPE-Send-Key as defined in [4]. The the MS-MPPE-Recv-Key and the MS-MPPE-Send-Key as defined in [5]. The
first up to 32 octets of the MSK is stored into the MS-MPPE-Recv-Key, first up to 32 octets of the MSK is stored into the MS-MPPE-Recv-Key,
and the next up to 32 octets are stored into the MS-MPPE-Send-Key. and the next up to 32 octets are stored into the MS-MPPE-Send-Key.
The encryption of these attributes is described in [4]. The encryption of these attributes is described in [5].
5. RADIUS attributes 5.6. Session-Timeout
The use of Session-Timeout attribue during bootstrapping operations
is covered by various RFC's.
The use of Session-Timeout attribute during the EAP exchanges between
the HA and the RADIUS server are as per [6].
In the case of the RADIUS server sending Session-Timeout to the HA in
the Access-Accept packet, the HA SHALL use this time as the MIP
Registration Lifetime.
5.7. Message Authenticator
The use of Message Authenticator is mandated during EAP AAA
procedures by [6]. In the case of the HA sending an Access-Request
where EAP is not used, then the HA MUST also include the Message
Autheticator attribute in the Access-Request packet.
6. RADIUS attributes
This section defines format and syntax for the attribute that carries This section defines format and syntax for the attribute that carries
the Mobile IPv6 parameters that are described in the previous the Mobile IPv6 parameters that are described in the previous
section. section.
The attributes MAY be present in Access-Request, Access-Accept, and The attributes MAY be present in Access-Request, Access-Accept, and
Accounting-Request packets. Accounting-Request packets.
5.1. MIP6-Feature-Vector Attribute 6.1. MIP6-Feature-Vector Attribute
Exactly one of this attribute MUST be sent by the NAS in an Access- Exactly one of this attribute MUST be sent by the NAS or HA in an
Request packet to inidcate support for MIP6. Access-Request packet to inidcate support for MIP6.
Exactly one of this attribute MUST be sent by the RADIUS server in an Exactly one of this attribute MUST be sent by the RADIUS server in an
Access-Accept packet to indicate support for MIP6 and to select Access-Accept packet to indicate support for MIP6 and to select
features advetized by the NAS. features advetized by the NAS or the HA.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | MIP6 Features Vectors | | Type | Length | MIP6 Features Vectors |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MIP6 Features Vectors cont. | | MIP6 Features Vectors cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MIP6 Features Vectors cont. | | MIP6 Features Vectors cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 11, line 50 skipping to change at page 16, line 50
Feature Flags: Feature Flags:
This field is of type String. Supporting the following values: This field is of type String. Supporting the following values:
MIP6_INTEGRATED (0x0000000000000001) MIP6_INTEGRATED (0x0000000000000001)
When this flag is set by the NAS then it means that the When this flag is set by the NAS then it means that the
Mobile IPv6 integrated scenario bootstrapping functionality Mobile IPv6 integrated scenario bootstrapping functionality
is supported by the NAS. When this flag is set by the is supported by the NAS. When this flag is set by the
Diameter server then the Mobile IPv6 integrated scenario RADIUS server then the Mobile IPv6 integrated scenario
bootstrapping is supported by the RADIUS server. bootstrapping is supported by the RADIUS server.
LOCAL_HOME_AGENT_ASSIGNMENT (0x0000000000000002) LOCAL_HOME_AGENT_ASSIGNMENT (0x0000000000000002)
When this flag is set by the NAS then a local home agent can When this flag is set by the NAS then a local home agent can
be assigned to the MN. When this flag is set by the be assigned to the MN. When this flag is set by the
Diameter server then the assignment of location HAs is Diameter server then the assignment of location HAs is
authorized by the Diameter server. authorized by the Diameter server.
5.2. MIP6-HA Attribute RO_SUPPORTED (0x0000000800000000)
Route optimization is supported. When the Home Agent sets
this bit, it indicates support for the route optimization.
If this bit is unset in the returned Mobility-Capability
AVP, the HAAA does not authorize route optimization for the
MN.
In a case the Home Agent or the HAAA cannot authorize the
use of route optimization then the Home Agent will send a
Binding Acknowledgement with a Status Code set to
ACCEPTED_BUT_NO_ROUTE_OPTIMIZATION (status code TBD). This
Status Code indicates that the binding registration
succeeded but the Home Agent will fail all possible
subsequent route optimization attempts because of
subscription or operator policy.
6.2. MIP6-HA Attribute
One or more of this attribute MAY be sent by the NAS to the RADIUS One or more of this attribute MAY be sent by the NAS to the RADIUS
server in an Access-Request packet as a proposal by the NAS to server in an Access-Request packet as a proposal by the NAS to
allocate a local HA to the MN. allocate a local HA to the MN.
One or more of this attribute MAY be sent by the RADIUS server to the One or more of this attribute MAY be sent by the RADIUS server to the
NAS in an Access-Accept packet. The attribute carries the HA address NAS in an Access-Accept packet. The attribute carries the HA address
that may be assigned to the MN. that may be assigned to the MN.
[EDITOR: WHAT IS THIS ABOUT?] This attribute MAY be MIP6-DNS-MO [EDITOR: WHAT IS THIS ABOUT?] This attribute MAY be MIP6-DNS-MO
Attribute sent by the NAS to the RADIUS server in an Access-Request Attribute sent by the NAS to the RADIUS server in an Access-Request
packet as a hint to suggest a dynamic HA that may be assigned to the packet as a hint to suggest a dynamic HA that may be assigned to the
MN. The RADIUS server MAY use this value or may ignore this MN. The RADIUS server MAY use this value or may ignore this
suggestion. suggestion.
If available at the NAS, at least MIP6-HA attribute and/or MIP6-HA- If available at the NAS, at least MIP6-HA attribute and/or MIP6-HA-
FQDN SHOULD appear in accounting packets to indicate the identity of FQDN SHOULD appear in accounting packets to indicate the identity of
the serving HA for this session. the serving HA for this session.
One and only one of this attribute SHALL be sent to the RADIUS server
by the HA. The value is set to the value of the Home Agent address
recieved in the BU.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length | | Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA | | IPv6 address of assigned HA |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
skipping to change at page 13, line 4 skipping to change at page 18, line 22
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 address of assigned HA cont. | | IPv6 address of assigned HA cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: Type:
MIP6-HA-TYPE to be defined by IANA. MIP6-HA-TYPE to be defined by IANA.
Length: Length:
= 21 octets = 28 octets
Reserved: Reserved:
Reserved for future use. The bits MUST be set to zero by the Reserved for future use. The bits MUST be set to zero by the
sender, and MUST be ignored by the receiver. sender, and MUST be ignored by the receiver.
Prefix-Length: Prefix-Length:
This field indicates the prefix length of the Home Link. This field indicates the prefix length of the Home Link.
IPv6 address of assigned HA: IPv6 address of assigned HA:
128-bit IPv6 address of the assigned HA. 128-bit IPv6 address of the assigned HA.
5.3. MIP6-HA-FQDN Attribute 6.3. MIP6-HA-FQDN Attribute
One or more instance of this attribute MAY be sent by the NAS to the One or more instance of this attribute MAY be sent by the NAS to the
RADIUS server in an Access-Request packet as a hint to suggest a RADIUS server in an Access-Request packet as a hint to suggest a
dynamic HA that may be assigned to the MN. The RADIUS server MAY use dynamic HA that may be assigned to the MN. The RADIUS server MAY use
this value or may ignore this suggestion. this value or may ignore this suggestion.
One or more of this attribute is sent by the RADIUS server to the NAS One or more of this attribute is sent by the RADIUS server to the NAS
in an Access-Accept packet. The attribute carries the FQDN of the in an Access-Accept packet. The attribute carries the FQDN of the
assigned HA. assigned HA.
skipping to change at page 14, line 11 skipping to change at page 19, line 27
Type: Type:
ASSIGNED-HA-FQDN-TYPE to be defined by IANA. ASSIGNED-HA-FQDN-TYPE to be defined by IANA.
Length: Length:
Variable length. Variable length.
FQDN of the assigned HA: FQDN of the assigned HA:
The data field MUST contain a FQDN as described in [10]. The data field MUST contain a FQDN as described in [15].
5.4. MIP6-HL-Prefix Attribute 6.4. MIP6-HL-Prefix Attribute
This attribute is sent by the RADIUS-MIP server to the NAS in an This attribute is sent by the RADIUS-MIP server to the NAS in an
Access-Accept packet. The attribute carries the assigned Home Link Access-Accept packet and carries the assigned Home Link prefix.
prefix.
This attribute MAY be sent by the NAS to the RADIUS server in an This attribute MAY be sent by the NAS to the RADIUS server in an
Access-Request packet along with the MIP6-HA and/or MIP6-HA-FQDN Access-Request packet along with the MIP6-HA and/or MIP6-HA-FQDN
attribute as a hint to suggest a Home Link prefix that may be attribute as a hint to suggest a Home Link prefix that may be
assigned to the MN. The RADIUS server MUST use this value if it assigned to the MN. The RADIUS server MUST use this value if it
accepts the NAS's HA suggestion. accepts the NAS's HA suggestion.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 15, line 10 skipping to change at page 20, line 26
Prefix-Length: Prefix-Length:
This field indicates the prefix length of the Home Link. This field indicates the prefix length of the Home Link.
Home Link Prefix: Home Link Prefix:
Home Link prefix (upper order bits) of the assigned Home Link Home Link prefix (upper order bits) of the assigned Home Link
where the MN should send binding update. where the MN should send binding update.
5.5. MIP6-HOA Attribute 6.5. MIP6-HOA Attribute
This attribute is sent by the RADIUS server to the NAS in an Access- This attribute is sent by the RADIUS server to the NAS in an Access-
Accept packet. The attribute carries the assigned Home IPv6 Address Accept packet. The attribute carries the assigned Home IPv6 Address
for the MN. for the MN.
This attribute MAY be sent by the NAS to the RADIUS server in an This attribute MAY be sent by the NAS to the RADIUS server in an
Access-Request packet along with the MIP6-HA and/or MIP6-HA-FQDN Access-Request packet along with the MIP6-HA and/or MIP6-HA-FQDN
attribute as a hint to suggest a Home Address that may be assigned to attribute as a hint to suggest a Home Address that may be assigned to
the MN. The RADIUS server MUST use this value if it accepts the the MN. The RADIUS server MUST use this value if it accepts the
NAS's HA suggestion. NAS's HA suggestion.
skipping to change at page 16, line 11 skipping to change at page 21, line 25
sender, and MUST be ignored by the receiver. sender, and MUST be ignored by the receiver.
Prefix-Length: Prefix-Length:
This field indicates the prefix length of the Home Link. This field indicates the prefix length of the Home Link.
Assigned IPv6 HOA: Assigned IPv6 HOA:
IPv6 HOA that is assigned to the MN. IPv6 HOA that is assigned to the MN.
5.6. MIP6-DNS-MO Attribute 6.6. MIP6-DNS-MO Attribute
The MIP6-DNS-MO attribute is used for triggering a DNS update by the The MIP6-DNS-MO attribute is used for triggering a DNS update by the
RADIUS server and to return the result to the RADIUS client. The RADIUS server and to return the result to the RADIUS client. The
request MUST carry the MN's FQDN but the attribute carried in request MUST carry the MN's FQDN but the attribute carried in
response to the request MAY not carry a FQDN value. response to the request MAY not carry a FQDN value.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved-1 | Status | | Type | Length | Reserved-1 | Status |
skipping to change at page 16, line 42 skipping to change at page 22, line 8
Variable length. Variable length.
Reserved-1: Reserved-1:
Reserved for future use. The bits MUST be set to zero by the Reserved for future use. The bits MUST be set to zero by the
sender, and MUST be ignored by the receiver. sender, and MUST be ignored by the receiver.
Status: Status:
This 8 bit unsigned integer field indicates the result of the This 8 bit unsigned integer field indicates the result of the
dynamic DNS update procedure as defined in [3]. This field dynamic DNS update procedure as defined in [7]. This field
MUST be set to 0 and ignored by the RADIUS server when the MUST be set to 0 and ignored by the RADIUS server when the
MIP6-DNS-MO is sent from the RADIUS client to the RADIUS MIP6-DNS-MO is sent from the RADIUS client to the RADIUS
server. When the MIP6-DNS-MO is provided in the response, server. When the MIP6-DNS-MO is provided in the response,
values of the Status field less than 128 indicate that the values of the Status field less than 128 indicate that the
dynamic DNS update was performed successfully by the RADIUS dynamic DNS update was performed successfully by the RADIUS
server. Values greater than or equal to 128 indicate that the server. Values greater than or equal to 128 indicate that the
dynamic DNS update was not successfully completed. The dynamic DNS update was not successfully completed. The
following values for the Status field are currently defined: following values for the Status field are currently defined:
0 DNS update performed 0 DNS update performed
skipping to change at page 17, line 32 skipping to change at page 22, line 45
Reserved-2: Reserved-2:
Reserved for future use. The bits MUST be set to zero by the Reserved for future use. The bits MUST be set to zero by the
sender, and MUST be ignored by the receiver. sender, and MUST be ignored by the receiver.
FQDN of the MN: FQDN of the MN:
In an Access-Request packet the data field MUST contain a FQDN. In an Access-Request packet the data field MUST contain a FQDN.
In an Access-Accept packet the data field MAY contain an FQDN. In an Access-Accept packet the data field MAY contain an FQDN.
FQDN is described in [10]. FQDN is described in [15].
6. Message Flows 6.7. MIP6-Careof-Address
6.1. Integrated Scenario (MSA=ASA) This attribute is available to be sent from the HA to the RADIUS
Server. The value of the attribute is the IPv6 addresss of the
Care-of Address of the MN extracted from the BU message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| Assigned IPv6 COA |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-CAREOF-ADDRESS-TYPE to be defined by IANA.
Length:
= 20 octets.
Reserved:
Reserved for future use. The bits MUST be set to zero by the
sender, and MUST be ignored by the receiver.
Prefix-Length:
This field indicates the prefix length of the COA Link.
Assigned IPv6 COA:
IPv6 COA that is assigned to the MN.
6.8. MIP6-MN-AAA-SPI
Is available to be sent in an Access-Accept packet from the RADIUS
server to he HA. It is part of a group of attributes used with the
MIPv6 Authentication Protocol and contains the Security Parameter
Index used to reference the MN-HA mobility security association.
This attribute MUST be present in an Access-Request sent from the HA
to the RADIUS Server when using MIPv6 Authentication Protocol.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-MN-AAA-SPI-TYPE to be defined by IANA.
Length:
6 octets
Integer representing a Security Parameter Index.
6.9. MIP6-Authenticator
This attribute is sent from the HA to the RADIUS server and contains
the Authenticator data from the BU message. The HA extract the data
form the MN-AAA Mobility Message Authentication Option if included in
the received BU message.
This attribute MUST be present in an Access-Request sent from the HA
to the RADIUS Server when using MIPv6 Authentication Protocol.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Authenticator Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authenticator Data cont ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-AUTHENTICATOR-TYPE to be defined by IANA.
Length:
Variable length
String. An octetstring representing authenticator data.
6.10. MIP6-MAC-Mobility-Data
Attribute is sent from the HA to the RADIUS Server. The attribute
contains the calculated MAC_Mobility_Data as defined in [3].
This attribute MUST be present in an Access-Request sent from the HA
to the RADIUS Server when using MIPv6 Authentication Protocol.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | MAC Mobility Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MAC Mobility Data cont ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-MAC-MOBILITY-DATA-TYPE to be defined by IANA.
Length:
Variable length
String. An octetstring representing authenticator data.
6.11. MIP6-Timestamp
This attribute is sent from the HA to the RADIUS server when
performing MIP6 Authentication protocol. The attribute MUST appear
in the Access-Request if the attribute is present in the Mobility
message replay protection. Otherwise the attribute MUST NOT appear
in the Access-Request packet.
TBD there is an issue here. In the diameter protocol, if there is a
time mismatch we return a result code that states that there was a
time mistmatch and we return this value. In RADIUS land we return an
Access-Reject but we cant really return any other attributes.
6.12. MIP6-MN-HA-SPI
Is available to be sent in an Access-Accept packet from the RADIUS
server to he HA. It is part of a group of attributes used with the
MIPv6 Authentication Protocol and contains the Security Parameter
Index used to reference the MN-HA mobility security association.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-MN-HA-SPI-TYPE to be defined by IANA.
Length:
6 octets
Integer representing a Security Parameter Index.
6.13. MIP6-Algorithm-Type
Is available to be sent in an Access-Accept packet from the RADIUS
server to the HA. It is part of a group of attributes used with the
MIPv6 Authentication protocol and contains the algorith type.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | enumeration |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| enumeration cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-ALGORITHM-TYPE to be defined by IANA.
Length:
6 octets
Integer representing an enumeration as supported by [16]:
2: HMAC-SHA-1 [8]
6.14. MIP6-Replay-Mode
Is available to be sent in an Access-Accept packet from the RADIUS
server to the HA. It is part of a group of attribute used with the
MIPv6 Authentication protocol and contains the replay mode as defined
in RFC4004 to be used by the HA.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | enumeration |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| enumeration cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-REPLAY-MODE-TYPE to be defined by IANA.
Length:
6 octets
Integer representing an enumeration as supported by [16]:
1: None.
2: Timestamps.
3: Nonces.
6.15. MIP6-Nonce
Is available to be sent in an Access-Accpet packet from the RADIUS
Server to the HA. It is part of a group of attributes used with the
MIPv6 Authentication protocol and contains the nonce to send to the
MN.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-MIP6-NONCE-TYPE to be defined by IANA.
Length:
Variable length
String. A binary string repesenting a nonce.
7. Message Flows
7.1. Use of RADIUS in Integrated Scenario (MSA=ASA)
This section is based on [2] and uses the previously defined RADIUS This section is based on [2] and uses the previously defined RADIUS
attributes. attributes.
6.1.1. HA allocation in the MSP 7.1.1. HA allocation in the MSP
RADIUS is used to authenticate the MN, to authorize it for the RADIUS is used to authenticate the MN, to authorize it for the
mobility service and to send information about the assigned HA to the mobility service and to send information about the assigned HA to the
NAS. NAS.
| |
--------------ASP------>|<--ASA+MSA-- --------------ASP------>|<--ASA+MSA--
| |
+----+ +------+ +-------+ +-------+ +----+ +------+ +-------+ +-------+
| | |RADIUS| | | | | | | |RADIUS| | | | |
skipping to change at page 19, line 9 skipping to change at page 30, line 9
HA allocation in the MSP HA allocation in the MSP
In step (1), the MN executes the normal network access authentication In step (1), the MN executes the normal network access authentication
procedure (e.g., IEEE 802.11i/802.1x, PANA) with the NAS. The NAS procedure (e.g., IEEE 802.11i/802.1x, PANA) with the NAS. The NAS
acts as an authenticator in "pass-through" mode, i.e., the endpoint acts as an authenticator in "pass-through" mode, i.e., the endpoint
of the authentication dialogue is the MN's home RADIUS server. This of the authentication dialogue is the MN's home RADIUS server. This
is the typical scenario in case the messages involved in the is the typical scenario in case the messages involved in the
authentication protocol are transported in EAP. authentication protocol are transported in EAP.
As per [11], the NAS encapsulates/decapsulates EAP packets into/from As per [6], the NAS encapsulates/decapsulates EAP packets into/from
RADIUS packets until an Access-Response (either an Access-Accept or RADIUS packets until an Access-Response (either an Access-Accept or
an Access/Reject packet is received by the NAS). This concludes the an Access/Reject packet is received by the NAS). This concludes the
network access authentication phase. network access authentication phase.
If the NAS has the ability to support MIP6 Bootstrapping it includes If the NAS has the ability to support MIP6 Bootstrapping it includes
the MIP6-Feature-Vector in the first Access-Request message and the MIP6-Feature-Vector in the first Access-Request message and
indicates whether it supports MIP6 bootstrapping and/or local home indicates whether it supports MIP6 bootstrapping and/or local home
agent assignment by setting the appropriate flags therein. agent assignment by setting the appropriate flags therein.
If the NAS indicates support for Local home agent assignment, then it If the NAS indicates support for Local home agent assignment, then it
skipping to change at page 20, line 10 skipping to change at page 31, line 10
In step (5), the DHCP server identifies the client (by DUID) and In step (5), the DHCP server identifies the client (by DUID) and
finds out that it requests HA information in the MSP (by the Home finds out that it requests HA information in the MSP (by the Home
Network Identifier Option = 1). The DHCP server extracts the HA Network Identifier Option = 1). The DHCP server extracts the HA
address from OPTION_MIP6-RELAY-Option and places it into Home Network address from OPTION_MIP6-RELAY-Option and places it into Home Network
Information Option in the Reply message. Information Option in the Reply message.
In step (6), the Relay Agent forwards the Reply Message to the MN. In step (6), the Relay Agent forwards the Reply Message to the MN.
On reception of this message, the HA address or the FQDN of the HA is On reception of this message, the HA address or the FQDN of the HA is
available at the MN. available at the MN.
6.1.2. HA allocation in the ASP (visited network) 7.1.2. HA allocation in the ASP (visited network)
This scenario is similar to the one described in Section 6.1.1. The This scenario is similar to the one described in Section 6.1.1. The
difference is in step (4), where the type-id field in the Home difference is in step (4), where the type-id field in the Home
Network Identifier Option is set to zero, indicating that a HA is Network Identifier Option is set to zero, indicating that a HA is
requested in the ASP instead of in the MSP. Thus, the information requested in the ASP instead of in the MSP. Thus, the information
received by the home RADIUS server, via the DHCP relay, in the received by the home RADIUS server, via the DHCP relay, in the
OPTION_MIP6-RELAY-Option (Information Request) is ignored. The DHCP OPTION_MIP6-RELAY-Option (Information Request) is ignored. The DHCP
server allocates a HA from its list of possible HAs and returns it in server allocates a HA from its list of possible HAs and returns it in
the Reply message (Home Network Information Option). the Reply message (Home Network Information Option).
6.2. Split Scenario (MSA!=ASA) 7.2. Use of RADIUS In Split Scenario (MSA!=ASA)
6.2.1. Mobile Service Provider and Mobile Service Authorizer are the 7.2.1. Mobile Service Provider and Mobile Service Authorizer are the
same entity. same entity.
The assumption in this scenario is that the MN has the domain name of The assumption in this scenario is that the MN has the domain name of
the MSP preconfigured. the MSP preconfigured.
In this scenario there is no relationship between the network access In this scenario there is no relationship between the network access
authentication procedure and the MIPv6 bootstrapping procedure. authentication procedure and the MIPv6 bootstrapping procedure.
In order to learn the IP address of the HA, the MN either performs a In order to learn the IP address of the HA, the MN either performs a
DNS lookup of the HA Name or a DNS lookup by service name. In the DNS lookup of the HA Name or a DNS lookup by service name. In the
first case, the MN is preconfigured with the FQDN of the HA, and thus first case, the MN is preconfigured with the FQDN of the HA, and thus
sends a DNS request, where QNAME = name of HA, QTYPE='AAAA' (request sends a DNS request, where QNAME = name of HA, QTYPE='AAAA' (request
for IPv6 address of HA). A DNS reply message is returned by the DNS for IPv6 address of HA). A DNS reply message is returned by the DNS
server with the HA address. server with the HA address.
The MN then runs IKEv2 [12] with the HA in order to set up IPsec SAs The MN then runs IKEv2 [17] with the HA in order to set up IPsec SAs
(MN-HA). As part of this,the MN authenticates itself to the RADIUS (MN-HA). As part of this,the MN authenticates itself to the RADIUS
server in the MSA domain, and obtains authorization for mobility server in the MSA domain, and obtains authorization for mobility
service (including the Home Address). service (including the Home Address).
The MN shares credentials with the RADIUS server in the MSA domain. The MN shares credentials with the RADIUS server in the MSA domain.
The RADIUS communication between the HA and the this RADIUS server is The RADIUS communication between the HA and the this RADIUS server is
also secured by RADIUS-specific mechanisms (e.g., IPsec). Using EAP also secured by RADIUS-specific mechanisms (e.g., IPsec). Using EAP
within IKEv2 [12], the MN is authenticated and authorized for the within IKEv2 [17], the MN is authenticated and authorized for the
IPv6 mobility service and is also assigned a HOA. IPv6 mobility service and is also assigned a HOA.
The setup of SAs and mutual authentication between MN and AAAH using The setup of SAs and mutual authentication between MN and AAAH using
RADIUS (and EAP) is similar to the one described for Diameter RADIUS (and EAP) is similar to the one described for Diameter
protocol in [13]. The described mechanism ensureas that common protocol in [12]. The described mechanism ensureas that common
keying material will be available at the MN and HA after successful keying material will be available at the MN and HA after successful
completion. completion.
----------------------------ASP--------->|<-----MSA/MSP ----------------------------ASP--------->|<-----MSA/MSP
+----+ IKEv2 +----+ RADIUS (EAP) +--------------------+ +----+ IKEv2 +----+ RADIUS (EAP) +--------------------+
| MN |<----------->| HA |<-------------------->|Remote RADIUS Server| | MN |<----------->| HA |<-------------------->|Remote RADIUS Server|
+----+ +----+ +--------------------+ +----+ +----+ +--------------------+
MN HA Remote RADIUS server MN HA Remote RADIUS server
skipping to change at page 23, line 6 skipping to change at page 34, line 6
HDR, SK{EAP-Success} HDR, SK{EAP-Success}
<------------------------------- <-------------------------------
HDR, SK{AUTH} HDR, SK{AUTH}
-------------------------------> ------------------------------->
HDR, SK {AUTH, SAr2, TSi, TSr } HDR, SK {AUTH, SAr2, TSi, TSr }
<------------------------------- <-------------------------------
Split Scenario Exchange Split Scenario Exchange
MN and HA start with an IKE_SA_INIT to setup the IKE SA (messages MN and HA start with an IKE_SA_INIT to setup the IKE SA (messages
defined in the IKEv2 specification [12], negotiating crypto defined in the IKEv2 specification [17], negotiating crypto
algorithms and running DH key exchange). IKEv2 supports integration algorithms and running DH key exchange). IKEv2 supports integration
with EAP. The MN indicates its desire to use EAP by not including with EAP. The MN indicates its desire to use EAP by not including
the AUTH payload in the third message. However, it indicates its the AUTH payload in the third message. However, it indicates its
identity (NAI) by using the IDi field. If the HA supports EAP for identity (NAI) by using the IDi field. If the HA supports EAP for
authentication, as per [11] it forwards the identity to the Remote authentication, as per [6] it forwards the identity to the Remote
RADIUS server by sending a RADIUS Access-Request packet containing RADIUS server by sending a RADIUS Access-Request packet containing
the identity in the EAP-Payload AVP and in the RADIUS User-Name the identity in the EAP-Payload AVP and in the RADIUS User-Name
attribute. Based on this identity, the Remote RADIUS server chooses attribute. Based on this identity, the Remote RADIUS server chooses
authentication method and sends the first EAP-Request in the RADIUS authentication method and sends the first EAP-Request in the RADIUS
Access-Challenge packet. During the EAP authentication phase, the HA Access-Challenge packet. During the EAP authentication phase, the HA
relays EAP packets between the MN and the Remote RADIUS server. If relays EAP packets between the MN and the Remote RADIUS server. If
the authentication succeeds and if the MN is authorized to use Mobile the authentication succeeds and if the MN is authorized to use Mobile
IPv6 service, the Remote RADIUS server sends a RADIUS Access-Accept IPv6 service, the Remote RADIUS server sends a RADIUS Access-Accept
packet containing the EAP-Success and the AAA-Key derived from the packet containing the EAP-Success and the AAA-Key derived from the
EAP authentication method. EAP authentication methods that do not EAP authentication method. EAP authentication methods that do not
derive keys are not recommended. This key is used by both MN and HA derive keys are not recommended. This key is used by both MN and HA
to generate the AUTH payload. In subsequent messages, MN and HA to generate the AUTH payload. In subsequent messages, MN and HA
setup IPsec SAs for Mobile IPv6. setup IPsec SAs for Mobile IPv6.
6.2.2. Mobile Service Provider and Mobile Service Authorizer are 7.2.2. Mobile Service Provider and Mobile Service Authorizer are
different entities. different entities.
The HA address discovery is performed as described in Section 6.2.1. The HA address discovery is performed as described in Section 6.2.1.
-----------ASP--------->|<-----MSP------------------->|<-----MSA-------- -----------ASP--------->|<-----MSP------------------->|<-----MSA--------
+----+ IKEv2 +----+ RADIUS (EAP)+------+ RADIUS(EAP)+------+ +----+ IKEv2 +----+ RADIUS (EAP)+------+ RADIUS(EAP)+------+
| MN |<----------> | HA |<----------->|Local |<---------->|Remote| | MN |<----------> | HA |<----------->|Local |<---------->|Remote|
+----+ +----+ |RADIUS| |RADIUS| +----+ +----+ |RADIUS| |RADIUS|
|Proxy | |Server| |Proxy | |Server|
+------+ +------+ +------+ +------+
MSP#MSA Exchange MSP#MSA Exchange
The scenario is similar to previously described scenarios with the The scenario is similar to previously described scenarios with the
difference of utilizing AAA roaming agreements between the MSP and difference of utilizing AAA roaming agreements between the MSP and
the MSA. the MSA.
7. Goals for the HA-AAA Interface 8. Goals for the HA-AAA Interface
Here, we follow the classification and labels listed in the MIPv6- Here, we follow the classification and labels listed in the MIPv6-
AAA-Goals document [14]. AAA-Goals document [18].
7.1. General Goals 8.1. General Goals
G1.1-G1.4 Security G1.1-G1.4 Security
These are standard requirements for a AAA protocol - mutual These are standard requirements for a AAA protocol - mutual
authentication, integrity, replay protection, confidentiality. IPsec authentication, integrity, replay protection, confidentiality. IPsec
can be used to achieve the goals. Goal G1.5 regarding inactive peer can be used to achieve the goals. Goal G1.5 regarding inactive peer
detection needs further investigations since heartbeat messages do detection needs further investigations since heartbeat messages do
not exist (like in the Diameter case, Watch-Dog-Request/Answer). not exist (like in the Diameter case, Watch-Dog-Request/Answer).
7.2. Service Authorization 8.2. Service Authorization
G2.1. The AAA-HA interface should allow the use of Network Access G2.1. The AAA-HA interface should allow the use of Network Access
Identifier (NAI) to identify the MN. The User-Name attribute can be Identifier (NAI) to identify the MN. The User-Name attribute can be
used for the purpose to carry the NAI. used for the purpose to carry the NAI.
G2.2 The HA should be able to query the AAAH server to verify Mobile G2.2 The HA should be able to query the AAAH server to verify Mobile
IPv6 service authorization for the MN. Any node implementing RADIUS IPv6 service authorization for the MN. Any node implementing RADIUS
functionality[5] can possibly initiate a request message. In functionality[9] can possibly initiate a request message. In
combination with the ability of the RADIUS protocol to carry EAP combination with the ability of the RADIUS protocol to carry EAP
messages [11] , our solution will enable an HA to query a RADIUS messages [6] , our solution will enable an HA to query a RADIUS
server and verify MIPv6 authorization for the MN. server and verify MIPv6 authorization for the MN.
G2.3 The AAAH server should be able to enforce explicit operational G2.3 The AAAH server should be able to enforce explicit operational
limitations and authorization restrictions on the HA (e.g., packet limitations and authorization restrictions on the HA (e.g., packet
filters, QoS parameters). Work in progress in the area, including filters, QoS parameters). Work in progress in the area, including
NAS-Filter-Rule, RADIUS quality of service support, prepaid NAS-Filter-Rule, RADIUS quality of service support, prepaid
extensions etc. is performed. The relevant attributes may be reused extensions etc. is performed. The relevant attributes may be reused
for providing required functionality over the AAAH-HA interface. for providing required functionality over the AAAH-HA interface.
G2.4 - G2.6. Issues addressing the maintenance of a Mobile IPv6 G2.4 - G2.6. Issues addressing the maintenance of a Mobile IPv6
skipping to change at page 25, line 9 skipping to change at page 36, line 9
reauthorize the user, the Termination-Action attribute can be reauthorize the user, the Termination-Action attribute can be
included, with value 1, meaning the NAS should send a new RADIUS- included, with value 1, meaning the NAS should send a new RADIUS-
Request packet. Additional AVPs for dealing with pre-paid sessions Request packet. Additional AVPs for dealing with pre-paid sessions
(e.g,. volume, resource used--VolumeQuota AVP, ResourceQuota AVP) are (e.g,. volume, resource used--VolumeQuota AVP, ResourceQuota AVP) are
specified in RADIUS prepaid extension. Exchanging of application specified in RADIUS prepaid extension. Exchanging of application
specific authorization request/answer messages provides extension of specific authorization request/answer messages provides extension of
the authorization session (e.g., Authorize Only Access-Request sent the authorization session (e.g., Authorize Only Access-Request sent
by the HA (NAS) to the RADIUS server). Initiation of the re- by the HA (NAS) to the RADIUS server). Initiation of the re-
authorization by both sides could be supported. Both sides could authorization by both sides could be supported. Both sides could
initiate session termination - the RADIUS server by sending initiate session termination - the RADIUS server by sending
Disconnect message [15]. Disconnect message [19].
7.3. Accounting 8.3. Accounting
G3.1 The AAA-HA interface must support the transfer of accounting G3.1 The AAA-HA interface must support the transfer of accounting
records needed for service control and charging. These include (but records needed for service control and charging. These include (but
may not be limited to): time of binding cache entry creation and may not be limited to): time of binding cache entry creation and
deletion, octets sent and received by the MN in bi-directional deletion, octets sent and received by the MN in bi-directional
tunneling, etc. tunneling, etc.
The requirements for accounting over the AAAH-HA interface does not The requirements for accounting over the AAAH-HA interface does not
require enhancements to the existing accounting functionality. require enhancements to the existing accounting functionality.
7.4. MN Authentication 8.4. MN Authentication
G4.1 The AAA-HA interface MUST support pass-through EAP G4.1 The AAA-HA interface MUST support pass-through EAP
authentication with the HA working as EAP authenticator operating in authentication with the HA working as EAP authenticator operating in
pass-through mode and the AAAH server working as back-end pass-through mode and the AAAH server working as back-end
authentication server. authentication server.
These issues require the functionality of AAAH server working as a These issues require the functionality of AAAH server working as a
back-end authentication server and HA working as NAS and EAP back-end authentication server and HA working as NAS and EAP
authenticator in pass-through mode for providing a MN authentication. authenticator in pass-through mode for providing a MN authentication.
This document suggests this mode of operation in the context of the This document suggests this mode of operation in the context of the
relevant scenarios. relevant scenarios.
7.5. Provisioning of Configuration Parameters 8.5. Provisioning of Configuration Parameters
G5.1 The HA should be able to communicate to the AAAH server the HOA G5.1 The HA should be able to communicate to the AAAH server the HOA
allocated to the MN (e.g. for allowing the AAAH server to perform DNS allocated to the MN (e.g. for allowing the AAAH server to perform DNS
update on behalf of the MN). update on behalf of the MN).
This document describes needed AVPs for this purpose, see section This document describes needed AVPs for this purpose, see section
"DNS Update Mobility Option Attribute" "DNS Update Mobility Option Attribute"
8. Table of Attributes 9. Table of Attributes
The following tables provides a guide to which attributes may be The following tables provides a guide to which attributes may be
found in RADIUS packet and in what number. found in RADIUS packet and in what number.
The following defines the meaning of the notation used in the following The following defines the meaning of the notation used in the following
tables: tables:
0 An instance of this attribute MUST NOT be present. 0 An instance of this attribute MUST NOT be present.
1 Exactly one instance of this attribute MUST be present 1 Exactly one instance of this attribute MUST be present
0-1 Zero or one instance of this attribute MAY be present. 0-1 Zero or one instance of this attribute MAY be present.
0+ Zero or more instance of this attriubte MAY be present 0+ Zero or more instance of this attriubte MAY be present
The table below describes the RADIUS messages used for bootstrapping and are
exchanged between the NAS and the RADIUS Server.
Request Accept Reject Challenge Type Attribute Request Accept Reject Challenge Type Attribute
1 1 0 0 MIP6-FV-TYPE MIP6-Feature-Vector 1 1 0 0 MIP6-FV-TYPE MIP6-Feature-Vector
0+[ac] 0+[a] 0 0 MIP6-HA-TYPE MIP6-HA 0+[ac] 0+[a] 0 0 MIP6-HA-TYPE MIP6-HA
0+[ac] 0+[a] 0 0 MIP6-HA-FQDN-TYPE MIP6-HA-FQDN 0+[ac] 0+[a] 0 0 MIP6-HA-FQDN-TYPE MIP6-HA-FQDN
0-1[b] 0-1 0 0 MIP6-HL-PREFIX-TYPE MIP6-HL-Prefix 0-1[b] 0-1 0 0 MIP6-HL-PREFIX-TYPE MIP6-HL-Prefix
0-1[b] 0-1 0 0 MIP6-HOA-TYPE MIP6-HOA 0-1[b] 0-1 0 0 MIP6-HOA-TYPE MIP6-HOA
0-1 0-1 0 0 MIP6-DNS-MO-TYPE MIP6-DNS-MO 0-1 0-1 0 0 MIP6-DNS-MO-TYPE MIP6-DNS-MO
Notes: Notes:
skipping to change at page 26, line 40 skipping to change at page 37, line 43
[b] If MIP6-HA or MIP6-HA-FQDN are present in the Access-Request [b] If MIP6-HA or MIP6-HA-FQDN are present in the Access-Request
then these attributes MUST also be present in the Access-Request. then these attributes MUST also be present in the Access-Request.
If the RADIUS server accepts the NAS suggestion for the HA, then If the RADIUS server accepts the NAS suggestion for the HA, then
the RADIUS server MUST also include the values received for these the RADIUS server MUST also include the values received for these
attributes in the Access-Accept. attributes in the Access-Accept.
[c] If these attributes are present in an Access-Request, then [c] If these attributes are present in an Access-Request, then
LOCAL_HOME_AGENT_ASSIGNMENT flag of the MIP6-Feature-Vector MUST be set. LOCAL_HOME_AGENT_ASSIGNMENT flag of the MIP6-Feature-Vector MUST be set.
Otherwise these attributes are ignored. Otherwise these attributes are ignored.
The following tables lists the commands and attributes used in the interaction
between the HA and RADIUS server. Each table corresponds to the different
authentication modes supported. These attributes are in addition to the any
other attributes specified by an other specification (for example, RADIUS EAP)
Table of attributes for IKEv2 and certificate or PSK-based Authentication:
Request Accept Reject Challenge Type Attribute
1 0 0 0 61 NAS-Port-Type
0-1 0 0 0 80 Message-Authenticator
0-1 0-1 0 0 MIP6-FV-TYPE MIP6-Feature-Vector
1 0-1 0 0 MIP6-HOA-TYPE MIP6-HOA
0 0 0 0 MIP6-CAREOF-ADDRESS-TYPE MIP6-Careof-Address
0 0 0 0 MIP6-MN-AAA-SPI-TYPE MIP6-MN-AAA-SPI
0-1 0 0 0 MIP6-HA-TYPE MIP6-HA
0-1 0 0 0 MIP6-AUTHENTICATOR-TYPE MIP6-Authenticator
0-1 0 0 0 MIP6-MAC-MOBILITY-DATA-TYPE MIP6-MAC-Mobility-Data
0 0 0 0 MIP6-TIMESTAMP-TYPE MIP6-Timestamp
0 0 0 0 MIP6-MN-HA-SPI-TYPE MIP6-MN-HA-SPI
0 0 0 0 MIP6-ALGORITH-TYPE MIP6-Algorithm-Type
0 0 0 0 MIP6-REPLY-MODE MIP6-Replay-Mode
0 0 0 0 MIP6-NONCE-TYPE MIP6-Nonce
Table of attributes for IKEv2 and EAP-based Authentication:
Request Accept Reject Challenge Type Attribute
1 0 0 0 61 NAS-Port-Type
1 0 0 0 80 Message-Authenticator
0-1 0-1 0 0 MIP6-FV-TYPE MIP6-Feature-Vector
1 0-1 0 0 MIP6-HOA-TYPE MIP6-HOA
0 0 0 0 MIP6-CAREOF-ADDRESS-TYPE MIP6-Careof-Address
0 0 0 0 MIP6-MN-AAA-SPI-TYPE MIP6-MN-AAA-SPI
0-1 0 0 0 MIP6-HA-TYPE MIP6-HA
0-1 0 0 0 MIP6-AUTHENTICATOR-TYPE MIP6-Authenticator
0-1 0 0 0 MIP6-MAC-MOBILITY-DATA-TYPE MIP6-MAC-Mobility-Data
0 0 0 0 MIP6-TIMESTAMP-TYPE MIP6-Timestamp
0 0 0 0 MIP6-MN-HA-SPI-TYPE MIP6-MN-HA-SPI
0 0 0 0 MIP6-ALGORITH-TYPE MIP6-Algorithm-Type
0 0 0 0 MIP6-REPLY-MODE MIP6-Replay-Mode
0 0 0 0 MIP6-NONCE-TYPE MIP6-Nonce
Table of attribute for MIPv6 Authentication Protocol:
Request Accept Reject Challenge Type Attribute
1 0 0 0 61 NAS-Port-Type
0-1 0 0 0 80 Message-Authenticator
0-1 0-1 0 0 MIP6-FV-TYPE MIP6-Feature-Vector
1 0-1 0 0 MIP6-HOA-TYPE MIP6-HOA
1 0 0 0 MIP6-CAREOF-ADDRESS-TYPE MIP6-Careof-Address
0-1 0 0 0 MIP6-MN-AAA-SPI-TYPE MIP6-MN-AAA-SPI
1 0 0 0 MIP6-HA-TYPE MIP6-HA
0-1 0 0 0 MIP6-AUTHENTICATOR-TYPE MIP6-Authenticator
0-1 0 0 0 MIP6-MAC-MOBILITY-DATA-TYPE MIP6-MAC-Mobility-Data
0-1 0 0-1[x] 0 MIP6-TIMESTAMP-TYPE MIP6-Timestamp
0 1 0 0 MIP6-MN-HA-SPI-TYPE MIP6-MN-HA-SPI
0 1 0 0 MIP6-ALGORITH-TYPE MIP6-Algorithm-Type
0 1 0 0 MIP6-REPLY-MODE MIP6-Replay-Mode
0 1 0 0 MIP6-NONCE-TYPE MIP6-Nonce
[x] THIS IS A PROBLEM. CANT HAVE ATTRIBS IN REJECT.
As used in accounting packets: As used in accounting packets:
Request Interim Stop Type Attribute Request Interim Stop Type Attribute
0-1 0-1 0-1 MIP6-HA-TYPE MIP6-HA Attribute 0-1 0-1 0-1 MIP6-HA-TYPE MIP6-HA Attribute
0-1 0-1 0-1 MIP6-HA-FQDN-TYPE MIP6-HA-FQDN Attribute 0-1 0-1 0-1 MIP6-HA-FQDN-TYPE MIP6-HA-FQDN Attribute
0 0 0 MIP6-HL-PREFIX-TYPE MIP6-HL-Prefix Attribute 0 0 0 MIP6-HL-PREFIX-TYPE MIP6-HL-Prefix Attribute
0-1 0-1 0-1 MIP6-HOA-TYPE MIP6-HOA Attribute 0-1 0-1 0-1 MIP6-HOA-TYPE MIP6-HOA Attribute
0 0 0 MIP6-DNS-MO-TYPE MIP6-DNS-MO Attribute 0 0 0 MIP6-DNS-MO-TYPE MIP6-DNS-MO Attribute
9. Diameter Considerations 10. Diameter Considerations
When used in Diameter, the attributes defined in this specification When used in Diameter, the attributes defined in this specification
can be used as Diameter AVPs from the Code space 1-255 (RADIUS can be used as Diameter AVPs from the Code space 1-255 (RADIUS
attribute compatibility space). No additional Diameter Code values attribute compatibility space). No additional Diameter Code values
are therefore allocated. The data types and flag rules for the are therefore allocated. The data types and flag rules for the
attributes are as follows: attributes are as follows:
+---------------------+ +---------------------+
| AVP Flag rules | | AVP Flag rules |
|----+-----+----+-----|----+ |----+-----+----+-----|----+
skipping to change at page 27, line 29 skipping to change at page 40, line 29
MIP6-HA Address | M | P | | V | Y | MIP6-HA Address | M | P | | V | Y |
MIP6-HA-FQDN UTF8String | M | P | | V | Y | MIP6-HA-FQDN UTF8String | M | P | | V | Y |
MIP6-HL-Prefix OctetString| M | P | | V | Y | MIP6-HL-Prefix OctetString| M | P | | V | Y |
MIP6-HOA Address | M | P | | V | Y | MIP6-HOA Address | M | P | | V | Y |
MIP6-DNS-MO OctetString| M | P | | V | Y | MIP6-DNS-MO OctetString| M | P | | V | Y |
-------------------------------|----+-----+----+-----|----| -------------------------------|----+-----+----+-----|----|
Other than MIP6-HA and HOA-IPv6, the attributes in this specification Other than MIP6-HA and HOA-IPv6, the attributes in this specification
have no special translation requirements for Diameter to RADIUS or have no special translation requirements for Diameter to RADIUS or
RADIUS to Diameter gateways; they are copied as is, except for RADIUS to Diameter gateways; they are copied as is, except for
changes relating to headers, alignment, and padding. See also [16] changes relating to headers, alignment, and padding. See also [4]
Section 4.1 and [17] Section 9. MIP6-HA and HOA-IPv6 must be Section 4.1 and [20] Section 9. MIP6-HA and HOA-IPv6 must be
translated between their RADIUS representation of String to a translated between their RADIUS representation of String to a
Diameter Address format which requires that the AddressType field be Diameter Address format which requires that the AddressType field be
set to 2 for IP6 (IP version 6) set to 2 for IP6 (IP version 6)
What this specification says about the applicability of the What this specification says about the applicability of the
attributes for RADIUS Access-Request packets applies in Diameter to attributes for RADIUS Access-Request packets applies in Diameter to
AA-Request [17] or Diameter-EAP-Request [18]. What is said about AA-Request [20] or Diameter-EAP-Request [21]. What is said about
Access-Challenge applies in Diameter to AA-Answer [17] or Diameter- Access-Challenge applies in Diameter to AA-Answer [20] or Diameter-
EAP-Answer [18] with Result-Code AVP set to EAP-Answer [21] with Result-Code AVP set to
DIAMETER_MULTI_ROUND_AUTH. DIAMETER_MULTI_ROUND_AUTH.
What is said about Access-Accept applies in Diameter to AA-Answer or What is said about Access-Accept applies in Diameter to AA-Answer or
Diameter-EAP-Answer messages that indicate success. Similarly, what Diameter-EAP-Answer messages that indicate success. Similarly, what
is said about RADIUS Access-Reject packets applies in Diameter to AA- is said about RADIUS Access-Reject packets applies in Diameter to AA-
Answer or Diameter-EAP-Answer messages that indicate failure. Answer or Diameter-EAP-Answer messages that indicate failure.
What is said about Accounting-Request applies to Diameter Accounting- What is said about Accounting-Request applies to Diameter Accounting-
Request [17] as well. Request [20] as well.
10. Security Considerations 11. Security Considerations
Assignment of these values to a user should be based on successful Assignment of these values to a user should be based on successful
authentication of the user at the NAS and/or at the HA. The RADIUS authentication of the user at the NAS and/or at the HA. The RADIUS
server should only assign these values to a user who is authorized server should only assign these values to a user who is authorized
for Mobile IPv6 service (this check could be performed with the for Mobile IPv6 service (this check could be performed with the
user's subscription profile in the Home Network). user's subscription profile in the Home Network).
The NAS and the HA to the RADIUS server transactions must be The NAS and the HA to the RADIUS server transactions must be
adequately secured. Otherwise there is a possibility that the user adequately secured. Otherwise there is a possibility that the user
may receive fraudulent values from a rogue RADIUS server potentially may receive fraudulent values from a rogue RADIUS server potentially
hijacking the user's Mobile IPv6 session. hijacking the user's Mobile IPv6 session.
These new attributes do not introduce additional security These new attributes do not introduce additional security
considerations besides the ones identified in [5]. considerations besides the ones identified in [9].
11. IANA Considerations 12. IANA Considerations
11.1. Registration of new AVPs 12.1. Registration of new AVPs
This specification defines the following new RADIUS attributes: This specification defines the following new RADIUS attributes:
MIP6-Feature-Vector is set to MIP6-FV-TYPE MIP6-Feature-Vector is set to MIP6-FV-TYPE
MIP6-HA is set to MIP6-HA-TYPE MIP6-HA is set to MIP6-HA-TYPE
MIP6-HA-FQDN is set to MIP6-HA-FQDN-TYPE MIP6-HA-FQDN is set to MIP6-HA-FQDN-TYPE
MIP6-HL-Prefix is set to MIP6-HL-PREFIX-TYPE MIP6-HL-Prefix is set to MIP6-HL-PREFIX-TYPE
MIP6-HOA is set to MIP6-HOsA-TYPE MIP6-HOA is set to MIP6-HOsA-TYPE
MIP6-DNS-MO is set to MIP6-DNS-MO-TYPE MIP6-DNS-MO is set to MIP6-DNS-MO-TYPE
11.2. New Registry: Mobility Capability 12.2. New Registry: Mobility Capability
For MIP6-FV-TYPE flag values must be generated: For MIP6-FV-TYPE flag values must be generated:
Token | Value | Description Token | Value | Description
----------------------------------+----------------------+------------ ----------------------------------+----------------------+------------
MIP6_INTEGRATED | 0x0000000000000001 | [RFC TBD] MIP6_INTEGRATED | 0x0000000000000001 | [RFC TBD]
LOCAL_HOME_AGENT_ASSIGNMENT | 0x0000000000000002 | [RFC TBD] LOCAL_HOME_AGENT_ASSIGNMENT | 0x0000000000000002 | [RFC TBD]
Available for Assignment via IANA | 2^x | Available for Assignment via IANA | 2^x |
Allocation rule: Only numeric values that are 2^x (power of two) are Allocation rule: Only numeric values that are 2^x (power of two) are
skipping to change at page 29, line 46 skipping to change at page 42, line 46
Following the policies outlined in [1] new values with a description Following the policies outlined in [1] new values with a description
of their semantic for usage with the MIP6-Feature-Vector AVP together of their semantic for usage with the MIP6-Feature-Vector AVP together
with a Token will be assigned after Expert Review initiated by the with a Token will be assigned after Expert Review initiated by the
O&M Area Directors in consultation with the DIME working group chairs O&M Area Directors in consultation with the DIME working group chairs
or the working group chairs of a designated successor working group. or the working group chairs of a designated successor working group.
Updates can be provided based on expert approval only. A designated Updates can be provided based on expert approval only. A designated
expert will be appointed by the O&M Area Directors. No mechanism to expert will be appointed by the O&M Area Directors. No mechanism to
mark entries as "deprecated" is envisioned. Based on expert approval mark entries as "deprecated" is envisioned. Based on expert approval
it is possible to delete entries from the registry. it is possible to delete entries from the registry.
11.3. Addition of existing values 12.3. Addition of existing values
A new value HA6(IANA-TBD1) MUST be assigned to NAS-Port-Type(61) A new value HA6(IANA-TBD1) MUST be assigned to NAS-Port-Type(61)
12. Acknowledgements 13. Acknowledgements
We would like to thank the following individuals for their review and We would like to thank the following individuals for their review and
constructive comments during the development of this document: constructive comments during the development of this document:
Florian Kohlmayer, Mark Watson, Jayshree Bharatia, Dimiter Milushev, Florian Kohlmayer, Mark Watson, Jayshree Bharatia, Dimiter Milushev,
Andreas Pashalidis, Rafa Marin Lopez and Pasi Eronen. Andreas Pashalidis, Rafa Marin Lopez and Pasi Eronen.
13. References 14. References
13.1. Normative References 14.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Chowdhury, K. and A. Yegin, "MIP6-bootstrapping for the [2] Chowdhury, K. and A. Yegin, "MIP6-bootstrapping for the
Integrated Scenario", Integrated Scenario",
draft-ietf-mip6-bootstrapping-integrated-dhc-05 (work in draft-ietf-mip6-bootstrapping-integrated-dhc-05 (work in
progress), July 2007. progress), July 2007.
[3] Giaretta, G., "Mobile IPv6 bootstrapping in split scenario", [3] Patel, A., "Authentication Protocol for Mobile IPv6",
draft-patel-mip6-rfc4285bis-00 (work in progress),
October 2006.
[4] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko,
"Diameter Base Protocol", RFC 3588, September 2003.
[5] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
RFC 2548, March 1999.
[6] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial
In User Service) Support For Extensible Authentication Protocol
(EAP)", RFC 3579, September 2003.
[7] Giaretta, G., "Mobile IPv6 bootstrapping in split scenario",
draft-ietf-mip6-bootstrapping-split-07 (work in progress), draft-ietf-mip6-bootstrapping-split-07 (work in progress),
July 2007. July 2007.
[4] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", [8] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
RFC 2548, March 1999. for Message Authentication", RFC 2104, February 1997.
[5] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote [9] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, Authentication Dial In User Service (RADIUS)", RFC 2865,
June 2000. June 2000.
13.2. Informative References 14.2. Informative References
[6] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in [10] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
IPv6", RFC 3775, June 2004. IPv6", RFC 3775, June 2004.
[7] Patel, A. and G. Giaretta, "Problem Statement for bootstrapping [11] Patel, A. and G. Giaretta, "Problem Statement for bootstrapping
Mobile IPv6 (MIPv6)", RFC 4640, September 2006. Mobile IPv6 (MIPv6)", RFC 4640, September 2006.
[8] Manner, J. and M. Kojo, "Mobility Related Terminology", [12] Tschofenig, H., "Mobile IPv6 Bootstrapping using Diameter",
draft-tschofenig-mip6-aaa-ha-diameter-01 (work in progress),
October 2005.
[13] Manner, J. and M. Kojo, "Mobility Related Terminology",
RFC 3753, June 2004. RFC 3753, June 2004.
[9] Dupont, F. and V. Devarapalli, "Mobile IPv6 Operation with [14] Dupont, F. and V. Devarapalli, "Mobile IPv6 Operation with
IKEv2 and the revised IPsec Architecture", IKEv2 and the revised IPsec Architecture",
draft-ietf-mip6-ikev2-ipsec-08 (work in progress), draft-ietf-mip6-ikev2-ipsec-08 (work in progress),
December 2006. December 2006.
[10] Mockapetris, P., "Domain names - implementation and [15] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[11] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial [16] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
In User Service) Support For Extensible Authentication Protocol August 2002.
(EAP)", RFC 3579, September 2003.
[12] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", [17] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005. RFC 4306, December 2005.
[13] Tschofenig, H., "Mobile IPv6 Bootstrapping using Diameter", [18] Giaretta, G., "AAA Goals for Mobile IPv6",
draft-tschofenig-mip6-aaa-ha-diameter-01 (work in progress),
October 2005.
[14] Giaretta, G., "AAA Goals for Mobile IPv6",
draft-ietf-mip6-aaa-ha-goals-03 (work in progress), draft-ietf-mip6-aaa-ha-goals-03 (work in progress),
September 2006. September 2006.
[15] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, [19] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba,
"Dynamic Authorization Extensions to Remote Authentication Dial "Dynamic Authorization Extensions to Remote Authentication Dial
In User Service (RADIUS)", RFC 3576, July 2003. In User Service (RADIUS)", RFC 3576, July 2003.
[16] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, [20] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter
"Diameter Base Protocol", RFC 3588, September 2003.
[17] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter
Network Access Server Application", RFC 4005, August 2005. Network Access Server Application", RFC 4005, August 2005.
[18] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible [21] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072, Authentication Protocol (EAP) Application", RFC 4072,
August 2005. August 2005.
[19] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, [22] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033, "DNS Security Introduction and Requirements", RFC 4033,
March 2005. March 2005.
[20] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to [23] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to
Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
Agents", RFC 3776, June 2004. Agents", RFC 3776, June 2004.
[21] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic [24] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
Updates in the Domain Name System (DNS UPDATE)", RFC 2136, Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
April 1997. April 1997.
Authors' Addresses Authors' Addresses
Avi Lior Avi Lior
Bridgewater Systems Bridgewater Systems
303 Terry Fox Drive, Suite 100 303 Terry Fox Drive, Suite 100
Ottawa, Ontario Ottawa, Ontario
Canada K2K 3J1 Canada K2K 3J1
skipping to change at page 34, line 7 skipping to change at page 47, line 7
Hannes Tschofenig Hannes Tschofenig
Siemens Siemens
Otto-Hahn-Ring 6 Otto-Hahn-Ring 6
Munich, Bavaria 81739 Munich, Bavaria 81739
Germany Germany
Email: Hannes.Tschofenig@siemens.com Email: Hannes.Tschofenig@siemens.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
 End of changes. 103 change blocks. 
205 lines changed or deleted 691 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/