INTERNET DRAFT                                          Pat R. Calhoun
Category: Standards Track                           Charles E. Perkins
Title: draft-calhoun-diameter-mobileip-00.txt     Sun Microsystems, Inc.
Date: July 1998

                               DIAMETER
                         Mobile IP Extensions

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   DIAMETER is an Authentication, Authorization and Accounting (AAA)
   Policy Protocol that is used between two entities for various
   services.

   This document defines an extension that allows a DIAMETER Client to
   request authentication and receive authorization information for a
   Mobile IP Mobile Node.
Table of Contents

   1.0  Introduction
   1.1  Specification of Requirements
   2.0  Command Codes
   2.1  AA-Mobile-Node-Request (AMR)
   2.2  AA-Mobile-Node-Answer (AMA)
   2.3  Home-Agent-MIP-Request
   2.4  Home-Agent-MIP-Answer
   3.0  DIAMETER AVPs
   3.1  MIP-Registration-Request
   3.2  MIP-Registration-Reply
   3.3  MN-FA-Challenge
   3.4  MN-FA-Response
   3.5  MN-FA-SPI
   3.6  MN-to-FA-Key
   3.7  FA-to-MN-Key
   3.8  FA-HA-SPI
   3.9  FA-to-HA-Key
   3.10 HA-to-FA-Key
   3.11 MN-HA-SPI
   3.12 MN-to-HA-Key
   3.13 HA-to-MN-Key
   3.14 Mobile-Node-Address
   3.15 Home-Agent-Address
   3.16 Session-Timeout
   4.0  Protocol Definition
   5.0  References
   6.0  Authors' Addresses

1.0 Introduction

   The Mobile IP [4] protocol defines a method that allows Mobile Nodes
   to change their point of attachment to the Internet without service
   disruption. The protocol requires that all Mobility Agents share a
   pre-existing security association, which leads to scaling problems.
   The protocol also does not mention how Mobility Agents account for
   services rendered, which does not make it an attractive protocol for
   use by service providers.

   This draft describes an extension that allows cross-domain
   authentication and authorization, assignment of Mobile Node Home
   Addresses, assignment of Home Agents, as well as Key Distribution, to
   allow the Mobile IP network to scale in a large network.

   The dynamic assignment of Mobile Node and Home Agent addresses makes
   this extension useful for Service Providers wishing to provide Mobile
   IP services for mobile nodes.

   The soon-to-be DIAMETER Accounting extension will be used to collect
   accounting information.

   This extension requires small modifications to the Mobile IP protocol
   [4], which already exist in the TEP protocol [8], to allow a Mobile
   Node to identify itself using an NAI [6] in addition to an IP
   address.
   The use of the NAI is consistent with the current roaming model,
   which makes use of DIAMETER proxying [7].

   The Extension number for this draft is four (4). This value is used
   in the Extension-Id AVP as defined in [1].

1.1 Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification. These words are often capitalized.

   MUST      This word, or the adjective "required", means that the
             definition is an absolute requirement of the
             specification.

   MUST NOT  This phrase means that the definition is an absolute
             prohibition of the specification.

   SHOULD    This word, or the adjective "recommended", means that
             there may exist valid reasons in particular circumstances
             to ignore this item, but the full implications must be
             understood and carefully weighed before choosing a
             different course.

   MAY       This word, or the adjective "optional", means that this
             item is one of an allowed set of alternatives. An
             implementation which does not include this option MUST
             be prepared to interoperate with another implementation
             which does include the option.

2.0 Command Codes

   This document defines the following DIAMETER Commands. All DIAMETER
   implementations supporting this extension MUST support all of the
   following commands:

      Command Name                  Command Code
      -----------------------------------------
      AA-Mobile-Node-Request            306
      AA-Mobile-Node-Answer             307
      Home-Agent-MIP-Request            308
      Home-Agent-MIP-Answer             309

2.1 AA-Mobile-Node-Request (AMR)

   Description

      The AA-Mobile-Node-Request is sent by a Foreign Agent acting as a
      DIAMETER client to a server to request authentication and
      authorization of a Mobile Node.

      The AA-Mobile-Node-Request message MUST include the MIP-
      Registration-Request, User-Name, MN-FA-Challenge, MN-FA-Response
      AVPs as well as the Session-Id AVP.
      When the Mobile-Node-Address AVP is absent from the AA-Mobile-
      Node-Request, it indicates that a Home Address should be assigned
      to the Mobile Node. When the Home-Agent-Address AVP is absent from
      the AA-Mobile-Node-Request, it indicates that a Home Agent should
      be assigned to the Mobile Node.

   Message Format

      ::=
         { || }

   AVP Format

      A summary of the AA-Mobile-Node-Request packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 306 (AA-Mobile-Node-
         Request).

2.2 AA-Mobile-Node-Answer (AMA)

   Description

      The AA-Mobile-Node-Answer is sent by the DIAMETER Server to the
      client in response to the AA-Mobile-Node-Request message. The
      message MUST include the Session-Id, Result-Code, MIP-
      Registration-Reply as well as the various key and SPI AVPs (shown
      below) and MAY include the Home-Agent-Address and Mobile-Node-
      Address AVPs.

      When the Home-Agent-Address AVP is present in this message it
      contains the Home Agent that was assigned to the Mobile Node. When
      the Mobile-Node-Address AVP is present in this message it contains
      the Home Address that is being assigned to the Mobile Node.
      The following error codes are defined for this message:

      DIAMETER_ERROR_UNKNOWN_DOMAIN         1
         This error code is used to indicate to the initiator of the
         request that the requested domain is unknown and cannot be
         resolved.

      DIAMETER_ERROR_USER_UNKNOWN           2
         This error code is used to indicate to the initiator that
         the username request is not valid.

      DIAMETER_ERROR_BAD_PASSWORD           3
         This error code indicates that the password provided is
         invalid.

      DIAMETER_ERROR_CANNOT_AUTHORIZE       4
         This error code is used to indicate that the user cannot be
         authorized due to the fact that the user has expended local
         resources. This could be a result that the server believes
         that the user has already spent the number of credits in
         his/her account, etc.

   Message Format

      ::=
         []
         []
         { || }

   AVP Format

      A summary of the AA-Mobile-Node-Answer packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 307 (AA-Mobile-Node-
         Answer).
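   The DIAMETER Command AVP above and every AVP defined later in this
   draft share the same 8-octet header (AVP Code, AVP Length, Reserved,
   and the U/T/V/E/H/M flags). The following added example is not part
   of the draft: it encodes and decodes that header and enforces this
   draft's flag and length rules, so that a receiver never trusts an AVP
   Length field that would stall or overrun the parse. The AVP codes,
   command codes and length rules are those stated in sections 2 and 3;
   the 16-bit AVP Length / 10-bit Reserved split is assumed from the
   base DIAMETER draft [1], and all function names and sample values are
   my own.

```python
"""Encode/decode the 8-octet DIAMETER AVP header used by every AVP in this
draft and enforce its flag and length rules.  Added example, not draft code."""
import struct

# Flags occupy the low 6 bits of the second header word:
# |Reserved (10 bits)|U|T|V|E|H|M|, with 'M' the least significant bit.
FLAG_M, FLAG_H, FLAG_E, FLAG_V, FLAG_T, FLAG_U = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FORBIDDEN = FLAG_V | FLAG_T | FLAG_U   # "MUST NOT be set" for all AVPs here

# AVP code -> (name, fixed AVP Length); None means "at least 9" (opaque Data).
AVP_RULES = {
    256: ("DIAMETER Command", 12),
    27:  ("Session-Timeout", 12),
    320: ("MIP-Registration-Request", None),
    321: ("MIP-Registration-Reply", None),
    322: ("MN-FA-Challenge", None),
    323: ("MN-FA-Response", None),
    324: ("MN-FA-SPI", 12),
    325: ("MN-to-FA-Key", None),
    326: ("FA-to-MN-Key", None),
    327: ("FA-HA-SPI", 12),
    328: ("FA-to-HA-Key", None),
    329: ("HA-to-FA-Key", None),
    330: ("MN-HA-SPI", 12),
    331: ("MN-to-HA-Key", None),
    332: ("HA-to-MN-Key", None),
    333: ("Mobile-Node-Address", 12),
    334: ("Home-Agent-Address", 12),
}
COMMAND_CODES = {306: "AA-Mobile-Node-Request", 307: "AA-Mobile-Node-Answer",
                 308: "Home-Agent-MIP-Request", 309: "Home-Agent-MIP-Answer"}

HEADER = struct.Struct("!IHH")   # AVP Code (32), AVP Length (16), Reserved+flags (16)


def check_rules(code, length, flags):
    """Raise ValueError if (code, length, flags) violate this draft's rules."""
    if code not in AVP_RULES:
        raise ValueError(f"AVP code {code} is not defined by this extension")
    name, fixed = AVP_RULES[code]
    if not flags & FLAG_M:
        raise ValueError(f"{name}: 'M' bit MUST be set")
    if flags & FORBIDDEN:
        raise ValueError(f"{name}: 'V', 'T' and 'U' bits MUST NOT be set")
    if fixed is not None and length != fixed:
        raise ValueError(f"{name}: AVP Length MUST be {fixed}, got {length}")
    if fixed is None and length < 9:
        raise ValueError(f"{name}: AVP Length MUST be at least 9, got {length}")


def encode_avp(code, data, flags=FLAG_M):
    length = HEADER.size + len(data)
    check_rules(code, length, flags)
    return HEADER.pack(code, length, flags) + data


def int32_avp(code, value, flags=FLAG_M):
    """Fixed-length AVPs: Command, the three SPIs, the two addresses, Session-Timeout."""
    return encode_avp(code, struct.pack("!I", value), flags)


def command_avp(command_code):
    if command_code not in COMMAND_CODES:
        raise ValueError(f"unknown command code {command_code}")
    return int32_avp(256, command_code)


def decode_avps(buf):
    """Walk a buffer of AVPs, returning (code, flags, data) triples.
    Validating each header before using its length guarantees progress
    (length >= 9) and rejects a length that runs past the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated AVP header")
        code, length, word = HEADER.unpack_from(buf, off)
        flags = word & 0x3F            # drop the 10 Reserved bits
        check_rules(code, length, flags)
        if off + length > len(buf):
            raise ValueError(f"AVP {code}: length {length} runs past end of buffer")
        avps.append((code, flags, bytes(buf[off + HEADER.size:off + length])))
        off += length
    return avps


def is_valid(buf):
    try:
        decode_avps(buf)
        return True
    except ValueError:
        return False


def command_code(buf):
    """Return the command code carried by the leading DIAMETER Command AVP."""
    code, _, data = decode_avps(buf)[0]
    if code != 256:
        raise ValueError("first AVP is not the DIAMETER Command AVP")
    return struct.unpack("!I", data)[0]


# Constructed sample: the leading AVPs of an AA-Mobile-Node-Answer carrying the
# three SPIs (SPI values are made up for this example).
SAMPLE_AMA = (command_avp(307) + int32_avp(324, 0x1001)    # MN-FA-SPI
              + int32_avp(327, 0x1002) + int32_avp(330, 0x1003))  # FA-HA-SPI, MN-HA-SPI

# Constructed malformed inputs a receiver must reject:
BAD_NO_DATA = struct.pack("!IHH", 322, 8, FLAG_M)                  # Length 8 < 9
BAD_V_BIT = struct.pack("!IHH", 324, 12, FLAG_M | FLAG_V) + b"\0\0\0\1"
BAD_OVERRUN = struct.pack("!IHH", 321, 200, FLAG_M) + b"\x01"     # Length past buffer
BAD_M_CLEAR = struct.pack("!IHH", 256, 12, 0) + struct.pack("!I", 306)

if __name__ == "__main__":
    for code, flags, data in decode_avps(SAMPLE_AMA):
        print(AVP_RULES[code][0], hex(flags), data.hex())
    for name in ("BAD_NO_DATA", "BAD_V_BIT", "BAD_OVERRUN", "BAD_M_CLEAR"):
        print(name, "valid" if is_valid(globals()[name]) else "rejected")
```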
2.3 Home-Agent-MIP-Request (HAR)

   Description

      The Home-Agent-MIP-Request is sent by the home DIAMETER server to
      the Home Agent overseeing the Mobile Node to process the Mobile IP
      Registration Request.

      The Home-Agent-MIP-Request message MUST include the MIP-
      Registration-Request, User-Name, Session-Id as well as the SPI and
      key AVPs (shown below) to be used by the Mobile Node and the Home
      Agent.

      When the Mobile-Node-Address AVP is absent from the request it
      indicates that the Home Agent MUST assign a Home Address for the
      Mobile Node, otherwise the value in the Mobile-Node-Address AVP
      MUST be used.

   Message Format

      ::=
         []
         { || }

   AVP Format

      A summary of the Home-Agent-MIP-Request packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 308 (Home-Agent-MIP-
         Request).

2.4 Home-Agent-MIP-Answer (HAA)

   Description

      The Home-Agent-MIP-Answer is sent by the Home Agent to the home
      DIAMETER Server in response to the Home-Agent-MIP-Request.
      The message MUST include the Session-Id, Result-Code, MIP-
      Registration-Reply and MAY include the Mobile-Node-Address if the
      Home Agent was responsible for assigning an address to the Mobile
      Node.

      The following error codes are defined for this message:

      DIAMETER_ERROR_BAD_KEY                1
         This error code is used by the Home Agent to indicate to the
         local DIAMETER Server that the key generated is invalid.

      DIAMETER_ERROR_BAD_HOME_ADDRESS       2
         This error code is used by the Home Agent to indicate that
         the Home Address chosen by the Mobile Node or assigned by
         the local DIAMETER server cannot be handled.

      DIAMETER_ERROR_TOO_BUSY               3
         This error code is used by the Home Agent to inform the
         DIAMETER Server that it cannot handle an extra Mobile Node.
         Upon receiving this error the DIAMETER Server can try to use
         an alternate Home Agent if available.

      DIAMETER_ERROR_MIP_REPLY_FAILURE      4
         This error code is used by the Home Agent to inform the
         DIAMETER Server that the Registration Request was not
         successful.

   Message Format

      ::=
         []
         { || }

   AVP Format

      A summary of the Home-Agent-MIP-Answer packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER Command

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.
      Command Code

         The Command Code field MUST be set to 309 (Home-Agent-MIP-
         Answer).

3.0 DIAMETER AVPs

   This section will define the mandatory AVPs which MUST be supported
   by all DIAMETER implementations supporting this extension. The
   following AVPs are defined in this document:

      Attribute Name                Attribute Code
      -------------------------------------------
      MIP-Registration-Request          320
      MIP-Registration-Reply            321
      MN-FA-Challenge                   322
      MN-FA-Response                    323
      MN-FA-SPI                         324
      MN-to-FA-Key                      325
      FA-to-MN-Key                      326
      FA-HA-SPI                         327
      FA-to-HA-Key                      328
      HA-to-FA-Key                      329
      MN-HA-SPI                         330
      MN-to-HA-Key                      331
      HA-to-MN-Key                      332
      Mobile-Node-Address               333
      Home-Agent-Address                334
      Session-Timeout                    27

3.1 MIP-Registration-Request

   Description

      This AVP is used to carry the Mobile IP Registration Request [4]
      sent by the Mobile Node to the Foreign Agent within a DIAMETER
      message.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         320 MIP-Registration-Request

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile IP Registration Request.

3.2 MIP-Registration-Reply

   Description

      This AVP is used to carry the Mobile IP Registration Reply [4]
      sent by the Home Agent to the Foreign Agent within a DIAMETER
      message.
   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         321 MIP-Registration-Reply

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile IP Registration Reply.

3.3 MN-FA-Challenge

   Description

      This AVP contains the Challenge generated by the Foreign Agent to
      the Mobile Node as defined in [5].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         322 MN-FA-Challenge

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Foreign Agent's Challenge to the
         Mobile Node.

3.4 MN-FA-Response

   Description

      This AVP contains the Response generated by the Mobile Node as
      defined in [5]. The value is the result of the Challenge presented
      by the Foreign Agent hashed using the secret the Mobile Node
      shares with its Home DIAMETER Server.
   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         323 MN-FA-Response

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile Node's Challenge Response.

3.5 MN-FA-SPI

   Description

      The MN-FA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Mobile Node (MN-to-FA-Key,
      FA-to-MN-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         324 MN-FA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         key shared between the Mobile Node and the Foreign Agent.
3.6 MN-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the
      Mobile-Foreign Authentication Extension in the Mobile IP
      Registration Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         325 MN-to-FA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Mobile Node when generating the Mobile IP Mobile-Foreign
         Authentication Extension.

3.7 FA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the
      Mobile-Foreign Authentication Extension in the Mobile IP
      Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         326 FA-to-MN-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used.
         The 'V', 'T' and the 'U' bits MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Foreign Agent when generating the Mobile IP Mobile-Foreign
         Authentication Extension.

3.8 FA-HA-SPI

   Description

      The FA-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Home Agent (FA-to-HA-Key,
      HA-to-FA-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         327 FA-HA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         key shared between the Foreign Agent and the Home Agent.

3.9 FA-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the
      Foreign-Home Authentication Extension in the Mobile IP
      Registration Request [4].
   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         328 FA-to-HA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Foreign Agent when generating the Mobile IP Foreign-Home
         Authentication Extension.

3.10 HA-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the
      Foreign-Home Authentication Extension in the Mobile IP
      Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         329 HA-to-FA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Home Agent when generating the Mobile IP Foreign-Home
         Authentication Extension.
3.11 MN-HA-SPI

   Description

      The MN-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Mobile Node and the Home Agent (MN-to-HA-Key,
      HA-to-MN-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         330 MN-HA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         Session Key shared between the Mobile Node and the Home Agent.

3.12 MN-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the
      Mobile-Home Authentication Extension in the Mobile IP
      Registration Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         331 MN-to-HA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set.
         The 'H' and 'E' MAY be set depending upon the security model
         used. The 'V', 'T' and the 'U' bits MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Mobile Node when generating the Mobile IP Mobile-Home
         Authentication Extension.

3.13 HA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the Mobile-Home
      Authentication Extension in the Mobile IP Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

      AVP Code

         332 HA-to-MN-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'U' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Home Agent when generating the Mobile IP Mobile-Home
         Authentication Extension.

3.14 Mobile-Node-Address

   Description

      When used in the AA-Mobile-Node-Request it contains the Mobile
      Node's Home Address. When present in the MIP-Registration-Reply
      message it contains the Home Address assigned to the Mobile Node.

      The lack of this AVP in the AA-Mobile-Node-Request indicates that
      the Mobile Node is requesting that a Home Address be assigned to
      it.
   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      333 Mobile-Node-Address

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits
      MUST NOT be set.

   Address

      The Address field contains the IP address assigned to the
      Mobile Node.

3.15 Home-Agent-Address

   Description

      When used in the AA-Mobile-Node-Request it contains the Mobile
      Node's requested Home Agent. When present in the
      MIP-Registration-Reply message it contains the Home Agent assigned
      to the Mobile Node.

      The lack of this AVP in the AA-Mobile-Node-Request indicates that
      the Mobile Node is requesting that a Home Agent be assigned to it.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      334 Home-Agent-Address

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits
      MUST NOT be set.
   Address

      The Address field contains the Home Agent address assigned to
      the Mobile Node.

3.16 Session-Timeout

   Description

      This AVP contains the number of seconds before the session keys
      expire.

   AVP Format

      A summary of the Session-Timeout Attribute format is shown below.
      The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      27 for Session-Timeout.

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits
      MUST NOT be set.

   Integer32

      The Integer32 field is 4 octets, containing a 32-bit unsigned
      integer with the number of seconds before the session keys
      expire.

      A value of zero means that the session keys have no expiration.

4.0 Protocol Definition

   This section outlines how the DIAMETER Mobile IP Extension can be
   used. The following diagram is an example of an inter-domain Mobile
   IP network.
                ISP                                Home Network
            +--------+                              +--------+
            | proxy  |         AMR/A                |  AAA   |
            |  AAA   |<---------------------------->|        |
            | server |     server-server            | server |
            +--------+     communication            +--------+
             /  /|(                                    /|(
            /AMR/A |       client-server                | HAR/A
           /       |       communication                |
          |/_      /                                    /
     +---------+ +---------+                       +---------+
     | Foreign | | Foreign |                       |  Home   |
     |  Agent  | |  Agent  |                       |  Agent  |
     +---------+ +---------+                       +---------+
        /|(
         | Mobile IP
         |
         /
     +--------+
     | Mobile |
     |  Node  |
     +--------+

   The AA-Mobile-Node-Request is generated by the Foreign Agent and
   includes the AVPs defined in section 2.1. If the Home Address field
   in the Registration Request was set to a value other than zero the
   Mobile-Node-Address AVP is added to the DIAMETER request. If the Home
   Agent field in the Registration Request was set to a value other than
   zero the Home-Agent-Address AVP is added to the DIAMETER request. The
   DIAMETER request is then forwarded to the Foreign Agent's local
   DIAMETER Server.

   When the ISP's DIAMETER Server receives the message it looks at the
   User-Name AVP [1] to determine whether authentication and
   authorization can be handled locally. The User-Name format is
   consistent with the NAI described in [6] and the user's domain is
   used to determine the Mobile Node's home DIAMETER Server. In the
   example below the request cannot be processed locally, therefore the
   request is forwarded to the Mobile Node's home DIAMETER Server.

   The following is an example of the first Mobile IP and DIAMETER
   exchange which sets up the key. Note that this example is also valid
   when the session key expires and a new key needs to be generated.
   Mobile Node   Foreign Agent   Proxy Server   Home Server   Home Agent
   -----------   -------------   ------------   -----------   ----------

         <-------Challenge
   Reg-Req(Response)->
                 AMR------------->
                                 AMR------------>
                                                HAR----------->
                                                <----------HAA
                                 <-----------AMA
                 <------------AMA
         <-------Reg-Reply

   The home DIAMETER Server must first authenticate the user. This is
   done by first validating the MN-FA-Challenge which contains a
   timestamp. The timestamp information is embedded within the challenge
   to prevent replay attacks. The server then uses the user's secret or
   its public key and performs the hash on the challenge and ensures
   that the result is identical with the value in the MN-FA-Response
   AVP. If both values are identical the user is authenticated,
   otherwise an error message is returned. See [5] for more information
   on the challenge format and how the hash is computed.

   If successfully authenticated, the DIAMETER Server checks whether the
   Home-Agent-Address AVP was part of the AA-Mobile-Node-Request. If so
   the server must validate the address to ensure that it is a known
   Home Agent. If no such AVP was present in the request the server can
   allocate a known Home Agent for the Mobile Node. This can be done in
   a variety of ways including using a load balancing algorithm in order
   not to overburden any given Home Agent. Note that the existing Home
   Agent Discovery method described in [4] can still be used.

   If the request did not contain a Mobile-Node-Address AVP, the
   DIAMETER Server has the option to assign an address for the Mobile
   Node or leave it up to the Home Agent to assign an address. This is
   purely a local policy decision.

   The DIAMETER Server then generates three sets of short-lived session
   keys.
   One that will be shared between the Home Agent and the Foreign
   Agent, one between the Mobile Node and the Foreign Agent and one
   between the Mobile Node and the Home Agent.

   The keys destined for the Mobile Node are encrypted either using the
   Mobile Node's secret or its public key [1]. The keys destined for the
   Foreign Agent are encrypted either using the DIAMETER Secret shared
   between the Home DIAMETER Server and the ISP's proxy Server, or using
   public key cryptography [1]. The keys destined for the Home Agent can
   be either encrypted using the DIAMETER Secret, or if IPSEC's ESP is
   in use no DIAMETER encryption is necessary. The Session-Timeout AVP
   is included and contains the number of seconds before the session
   keys expire.

   Note that this extension requires a departure from the existing SPI
   usage described in [4]. The DIAMETER Server generates SPI values for
   the Mobility Agents as opposed to a receiver choosing its own SPI
   value. The SPI values are used as a Key Identifier, meaning that each
   shared session key has its own SPI value and since two nodes share a
   session key they share an SPI as well.

   Take for example a scenario where a Mobile Node and a Foreign Agent
   share a key that was created by the DIAMETER Server. The Server also
   generated a corresponding SPI value of x. All Mobile-Foreign
   Authentication extensions must be computed by either entity using the
   shared session key and include the SPI value of x.

   The DIAMETER Server then sends a Home-Agent-MIP-Request to the
   assigned or requested Home Agent. The request contains the original
   MIP-Registration-Request as well as the keys and SPIs destined for
   the Home Agent (HA-to-MN-Key, MN-HA-SPI, HA-to-FA-Key and FA-HA-SPI
   AVPs) and the Mobile Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and
   MN-to-HA-Key AVP).
   The Mobile-Node-Address AVP is present if the
   Mobile Node specified an address or if the home DIAMETER Server
   assigned an address, but not if the Home Agent assigns it.

   The Home Agent processes the DIAMETER Home-Agent-MIP-Request as well
   as the embedded Mobile IP Registration Request. If both are
   successfully processed, the Home Agent creates the Mobile IP
   Registration Reply and includes the keying material to be used by the
   Mobile Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and MN-to-HA-Key)
   which is attached as the MIP-Registration-Reply AVP. If no
   Mobile-Node-Address AVP was present in the request the Home Agent
   must assign an address for the Mobile Node. The Result-Code AVP is
   included and the Home-Agent-MIP-Answer is sent to the home DIAMETER
   Server.

   The home DIAMETER Server issues an AA-Mobile-Node-Answer to the
   Foreign Agent which includes the MIP-Registration-Reply, Result-Code
   and the Mobile-Node-Address AVP. The message also includes the keys
   and SPI AVPs used by the Foreign Agent (MN-FA-SPI, FA-to-MN-Key,
   FA-HA-SPI and the FA-to-HA-Key AVPs). The message is then transmitted
   to the ISP's proxy DIAMETER Server.

   Upon receipt of the successful AA-Mobile-Node-Answer the proxy server
   decrypts the FA-to-MN-Key and the FA-to-HA-Key AVPs. These keys are
   then re-encrypted using the DIAMETER secret, or are not encrypted if
   IPSEC's ESP is used between the Foreign Agent and the Proxy DIAMETER
   Server. The message is transmitted to the Foreign Agent.

   The Foreign Agent, upon receipt of the AA-Mobile-Node-Answer, must
   decrypt the appropriate Key AVPs and process the Mobile IP
   Registration Reply, which is then forwarded to the Mobile Node.
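   The AVP layout of sections 3.11 to 3.16 and the SPI-indexed key
   handling described in this section, as an added Python example that
   is not part of this draft or any DIAMETER implementation. It encodes
   and decodes the fixed-format AVPs, rejects AVPs that break the stated
   MUST/MUST NOT rules, builds the MN-HA part of a Home-Agent-MIP-Request,
   and keeps a mobility agent's key table keyed by the server-assigned
   SPI with Session-Timeout expiry (zero meaning no expiration). The
   header bit layout (32-bit AVP Code, 16-bit AVP Length, Reserved, then
   U|T|V|E|H|M with 'M' as the least significant bit) is read off the
   diagrams above and is an assumption, as are the function names; the
   SPI values, key bytes and addresses are constructed sample data, and
   the Data field is handled as the key as delivered, so any DIAMETER
   decryption of it happens before the key is installed (not shown).

```python
"""Added example (not from the draft): AVP codec for sections 3.11-3.16 and
SPI-keyed session-key bookkeeping for section 4.0.  Header bit layout is an
assumption read off the diagrams; all keys, SPIs and addresses are constructed."""
import ipaddress
import struct

# Flag bits of the second header word, rightmost bit 'M' assumed least significant
FLAG_M, FLAG_H, FLAG_E, FLAG_V, FLAG_T, FLAG_U = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# AVP codes given in the draft
SESSION_TIMEOUT = 27
MN_HA_SPI, MN_TO_HA_KEY, HA_TO_MN_KEY = 330, 331, 332
MOBILE_NODE_ADDRESS, HOME_AGENT_ADDRESS = 333, 334

# Length rules from each AVP's "AVP Length" clause (8-octet header included)
FIXED_LENGTH = {MN_HA_SPI: 12, MOBILE_NODE_ADDRESS: 12,
                HOME_AGENT_ADDRESS: 12, SESSION_TIMEOUT: 12}
MIN_LENGTH = {MN_TO_HA_KEY: 9, HA_TO_MN_KEY: 9}
HEADER = struct.Struct("!IHH")  # AVP Code, AVP Length, Reserved + flag bits


class AvpError(ValueError):
    """An AVP violates a MUST / MUST NOT of sections 3.11-3.16."""


def encode_avp(code, data, flags=FLAG_M):
    return HEADER.pack(code, HEADER.size + len(data), flags) + data


def encode_integer32(code, value, flags=FLAG_M):
    # Integer32 AVPs carry 4 octets; Session-Timeout is a 32-bit unsigned value
    return encode_avp(code, struct.pack("!I", value), flags)


def encode_address(code, ipv4, flags=FLAG_M):
    return encode_avp(code, ipaddress.IPv4Address(ipv4).packed, flags)


def decode_avp(buf, offset=0):
    """Parse one AVP at offset, enforcing flag and length rules.
    Returns (code, flags, data, next_offset)."""
    if len(buf) - offset < HEADER.size:
        raise AvpError("truncated AVP header")
    code, length, flags = HEADER.unpack_from(buf, offset)
    if length < HEADER.size or offset + length > len(buf):
        raise AvpError(f"code {code}: bad AVP Length {length}")
    if not flags & FLAG_M:
        raise AvpError(f"code {code}: 'M' bit MUST be set")
    if flags & (FLAG_V | FLAG_T | FLAG_U):
        raise AvpError(f"code {code}: 'V', 'T' and 'U' bits MUST NOT be set")
    if code in FIXED_LENGTH and length != FIXED_LENGTH[code]:
        raise AvpError(f"code {code}: length MUST be {FIXED_LENGTH[code]}")
    if code in MIN_LENGTH and length < MIN_LENGTH[code]:
        raise AvpError(f"code {code}: length MUST be at least {MIN_LENGTH[code]}")
    data = bytes(buf[offset + HEADER.size:offset + length])
    return code, flags, data, offset + length


def decode_all(buf):
    """Split back-to-back AVPs into a list of (code, flags, data)."""
    avps, offset = [], 0
    while offset < len(buf):
        code, flags, data, offset = decode_avp(buf, offset)
        avps.append((code, flags, data))
    return avps


def home_agent_key_avps(mn_ha_spi, ha_to_mn_key, session_timeout, mn_address=None):
    """MN-HA portion of a Home-Agent-MIP-Request (section 4.0).  The
    Mobile-Node-Address AVP is present only when the Mobile Node or the home
    server chose the address, not when the Home Agent is to assign one."""
    avps = [encode_integer32(MN_HA_SPI, mn_ha_spi),
            encode_avp(HA_TO_MN_KEY, ha_to_mn_key),
            encode_integer32(SESSION_TIMEOUT, session_timeout)]
    if mn_address is not None:
        avps.append(encode_address(MOBILE_NODE_ADDRESS, mn_address))
    return b"".join(avps)


def install_keys(table, avps, issued_at):
    """Home Agent side: index the received key by the server-assigned SPI, the
    Key Identifier that a later authentication extension will carry."""
    fields = {code: data for code, _flags, data in avps}
    spi = struct.unpack("!I", fields[MN_HA_SPI])[0]
    timeout = struct.unpack("!I", fields[SESSION_TIMEOUT])[0]
    table[spi] = {"key": fields[HA_TO_MN_KEY], "issued_at": issued_at,
                  "timeout": timeout}
    return spi


def key_for(table, spi, now):
    """Return the key for an SPI, or None once the session keys have expired
    (a Session-Timeout of zero means no expiration) or the SPI is unknown."""
    entry = table.get(spi)
    if entry is None:
        return None
    if entry["timeout"] and now - entry["issued_at"] >= entry["timeout"]:
        return None
    return entry["key"]
```

   Because the server chooses the SPI for both ends of a pair, the
   receiver looks the key up by SPI rather than by peer address; an
   authentication extension whose SPI is absent from the table, or whose
   key has passed its Session-Timeout, gets no key and therefore fails
   verification, which is what forces the re-keying exchange shown above.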
   From this point on, all Registration Requests and Replies no longer
   traverse the DIAMETER proxy chain and the Foreign Agent can
   contact the Home Agent directly using the keys which were previously
   distributed. This can continue until the session keys expire, which
   is indicated in the Session-Timeout AVP.

   The following is an example of a subsequent Mobile IP message
   exchange.

   Mobile Node              Foreign Agent              Home Agent
   -----------              -------------              ----------

   Reg-Req(MN-FA-Auth, MN-HA-Auth)-------->

                            Reg-Req(MN-HA-Auth, FA-HA-Auth)-------->

                            <--------Reg-Rep(MN-HA-Auth, FA-HA-Auth)

   <--------Reg-Rep(MN-HA-Auth, MN-FA-Auth)

5.0 References

   [1] Calhoun, Rubens, "DIAMETER", Internet-Draft,
       draft-calhoun-diameter-04.txt, July 1998.

   [2] Calhoun, Zorn, Pan, "DIAMETER Framework", Internet-Draft,
       draft-calhoun-diameter-framework-01.txt, August 1998.

   [3] P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
       Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, March 1998.

   [4] C. Perkins, Editor, "IP Mobility Support", RFC 2002, October
       1996.

   [5] C. Perkins, "Router Advertisement Challenge Extension",
       draft-ietf-mobileip-?????-00.txt, August 1998.

   [6] B. Aboba, "The Network Access Identifier",
       draft-ietf-roamops-nai-11.txt, July 1998.

   [7] Aboba, Zorn, "Roaming Requirements",
       draft-ietf-roamops-roamreq-09.txt, April 1998.

   [8] P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
       Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, March 1998.

6.0 Authors' Addresses

   Questions about this memo can be directed to:

      Pat R. Calhoun
      Technology Development
      Sun Microsystems, Inc.
      15 Network Circle
      Menlo Park, California, 94025
      USA

      Phone: 1-650-786-7733
      Fax:   1-650-786-6445
      E-mail: pcalhoun@eng.sun.com

      Charles E. Perkins
      Technology Development
      Sun Microsystems, Inc.
      15 Network Circle
      Menlo Park, California, 94025
      USA

      Phone: 1-650-786-6464
      Fax:   1-650-786-6445
      E-mail: charles.perkins@eng.sun.com