INTERNET DRAFT                                         Pat R. Calhoun
Category: Standards Track                          Charles E. Perkins
Title: draft-calhoun-diameter-mobileip-01.txt   Sun Laboratories, Inc.
Date: November 1998

                     DIAMETER Mobile IP Extensions

Status of this Memo

   Comments should be submitted to the diameter@ipass.com mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To view the entire list of current Internet-Drafts, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Abstract

   DIAMETER is an Authentication, Authorization and Accounting (AAA)
   Policy Protocol that is used between two entities for various
   services. This document defines an extension that allows a DIAMETER
   Client to request authentication and receive authorization information
   for a Mobile IP Mobile Node.
Table of Contents

   1.0 Introduction
     1.1 Specification of Requirements
   2.0 Command Codes
     2.1 AA-Mobile-Node-Request (AMR)
     2.2 AA-Mobile-Node-Answer (AMA)
     2.3 Home-Agent-MIP-Request
     2.4 Home-Agent-MIP-Answer
   3.0 DIAMETER AVPs
     3.1 MIP-Registration-Request
     3.2 MIP-Registration-Reply
     3.3 MN-FA-Challenge
     3.4 MN-FA-Response
     3.5 MN-FA-SPI
     3.6 MN-to-FA-Key
     3.7 FA-to-MN-Key
     3.8 FA-HA-SPI
     3.9 FA-to-HA-Key
     3.10 HA-to-FA-Key
     3.11 MN-HA-SPI
     3.12 MN-to-HA-Key
     3.13 HA-to-MN-Key
     3.14 Mobile-Node-Address
     3.15 Home-Agent-Address
     3.16 Previous-FA-NAI
     3.17 Foreign-Home-Agent-Available
   4.0 Protocol Definition
     4.1 Inter-Domain Mobile IP
     4.2 Allocation of Home Agent in Foreign Network
   5.0 References
   6.0 Authors' Addresses

1.0 Introduction

   The Mobile IP [4] protocol defines a method that allows a Mobile Node
   to change its point of attachment to the Internet without service
   disruption. The protocol requires that all Mobility Agents share a
   pre-existing security association, which leads to scaling and
   configuration problems. Mobile IP also does not mention how Mobility
   Agents account for services rendered, which does not make it an
   attractive protocol for use by service providers.

   This document specifies extensions to DIAMETER that allow cross-
   domain authentication and authorization, assignment of Mobile Node
   Home Addresses, assignment of Home Agent, as well as Key Distribution
   to allow the Mobile IP network to scale in a large network of service
   providers.

   The dynamic assignment of Mobile Node and Home Agent addresses is
   useful for Service Providers wishing to provide Mobile IP services
   for mobile nodes.

   The DIAMETER Accounting extension [x] will be used to collect
   accounting information.
   Small modifications to the Mobile IP protocol [4], which already
   exist in the TEP protocol [8], allow a Mobile Node to identify
   itself using an NAI [6] in addition to an IP address. The use of the
   Network Access Identifier (NAI) [6] is consistent with the current
   roaming model which makes use of DIAMETER proxying [7].

   The Extension number for this draft is four (4). This value is used
   in the Extension-Id Attribute Value Pair (AVP) as defined in [1].

1.1 Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification. These words are often capitalized.

   MUST      This word, or the adjective "required", means that the
             definition is an absolute requirement of the
             specification.

   MUST NOT  This phrase means that the definition is an absolute
             prohibition of the specification.

   SHOULD    This word, or the adjective "recommended", means that
             there may exist valid reasons in particular circumstances
             to ignore this item, but the full implications must be
             understood and carefully weighed before choosing a
             different course.

   MAY       This word, or the adjective "optional", means that this
             item is one of an allowed set of alternatives. An
             implementation which does not include this option MUST
             be prepared to interoperate with another implementation
             which does include the option.

2.0 Command Codes

   This section will define the Commands [1] for DIAMETER
   implementations supporting the Mobile IP extension.

      Command Name                  Command Code
      -----------------------------------------
      AA-Mobile-Node-Request            306
      AA-Mobile-Node-Answer             307
      Home-Agent-MIP-Request            308
      Home-Agent-MIP-Answer             309

2.1 AA-Mobile-Node-Request (AMR)

   Description

      The AA-Mobile-Node-Request is sent by a Foreign Agent acting as a
      DIAMETER client to a server to request authentication and
      authorization of a Mobile Node.
      The AA-Mobile-Node-Request message MUST include the MIP-
      Registration-Request, User-Name, MN-FA-Challenge, MN-FA-Response
      AVP as well as the Session-ID AVPs.

      The Mobile-Node-Address AVP contains the Home Address found in
      the Mobile Node's Registration Request. The Home-Agent-Address AVP
      contains the Home Address found in the Registration Request. If
      the Home Address is zero, it indicates that the Mobile Node is
      requesting that an address be allocated to it.

      The User-Name AVP contains the NAI found in the Mobile IP
      Registration Request's Mobile-Node-NAI Extension.

      If the Previous-FA-NAI AVP is found in the request, the DIAMETER
      Client is requesting that the Server return the Session Key that
      was assigned to the previous Foreign Agent for use with the Mobile
      Node. The Session Key is identified through the use of the
      Mobile-Foreign-SPI AVP.

   Message Format

       ::=
           []
           []
           { || }

   AVP Format

      The AA-Mobile-Node-Request Command AVP format is shown below. The
      fields are transmitted from left to right.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER-Command

      AVP Length

         The length of this AVP MUST be exactly 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 306 (AA-Mobile-Node-
         Request).
2.2 AA-Mobile-Node-Answer (AMA)

   Description

      The AA-Mobile-Node-Answer is sent by the DIAMETER Server to the
      client in response to the AA-Mobile-Node-Request message. The
      message MUST include the Session-Id, Result-Code, MIP-
      Registration-Reply as well as the various key and SPI AVPs (see
      section 3.0) and MAY include the Home-Agent-Address and Mobile-
      Node-Address AVPs.

      The Home-Agent-Address AVP contains the Home Agent assigned to the
      Mobile Node. If the AVP contains a zero address, it is a request
      to allocate a Home Agent locally.

      The Home-Agent-Address AVP contains the IP Address assigned to the
      Mobile Node. If this AVP contains a zero address, it is a request
      to allocate a Home Address for the Mobile Node.

      The following error codes are defined for this message for use in
      the Error-Code AVP [1]:

      DIAMETER_ERROR_UNKNOWN_DOMAIN                    1
         This error code is used to indicate to the initiator of the
         request that the requested domain is unknown and cannot be
         resolved.

      DIAMETER_ERROR_USER_UNKNOWN                      2
         This error code is used to indicate to the initiator that
         the username request is not valid.

      DIAMETER_ERROR_BAD_PASSWORD                      3
         This error code indicates that the password provided is
         invalid.

      DIAMETER_ERROR_CANNOT_AUTHORIZE                  4
         This error code is used to indicate that the user cannot be
         authorized due to the fact that the user has expended local
         resources. This could be a result that the server believes
         that the user has already spent the number of credits in
         his/her account, etc.

   Message Format

       ::=
           []
           { || }

   AVP Format

      The AA-Mobile-Node-Answer Command AVP format is shown below. The
      fields are transmitted from left to right.
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER-Command

      AVP Length

         The length of this AVP MUST be exactly 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 307 (AA-Mobile-Node-
         Answer).

2.3 Home-Agent-MIP-Request (HAR)

   Description

      The Home-Agent-MIP-Request is sent by the home DIAMETER server to
      the Home Agent overseeing the Mobile Node to process the Mobile IP
      Registration Request.

      The Home-Agent-MIP-Request message MUST include the MIP-
      Registration-Request, User-Name, Session-ID as well as the SPI and
      key AVPs (see section 3.0) to be used by the Mobile Node and the
      Home Agent.

      If the Mobile-Node-Address AVP is set to a zero Address, it is a
      request to the Home Agent to allocate a Home Address to the Mobile
      Node.

   Message Format

       ::=
           { || }

   AVP Format

      The Home-Agent-MIP-Request Command AVP format is shown below. The
      fields are transmitted from left to right.
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER-Command

      AVP Length

         The length of this AVP MUST be exactly 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 308 (Home-Agent-MIP-
         Request).

2.4 Home-Agent-MIP-Answer (HAA)

   Description

      The Home-Agent-MIP-Answer is sent by the Home Agent to the home
      DIAMETER Server in response to the Home-Agent-MIP-Request. The
      message MUST include the Session-Id, Result-Code, MIP-
      Registration-Reply and the Mobile-Node-Address.

      The following error codes are defined for this message for use in
      the Error-Code AVP [1]:

      DIAMETER_ERROR_BAD_KEY                           1
         This error code is used by the Home Agent to indicate to the
         local DIAMETER Server that the key generated is invalid.

      DIAMETER_ERROR_BAD_HOME_ADDRESS                  2
         This error code is used by the Home Agent to indicate that
         the Home Address chosen by the Mobile Node or assigned by
         the local DIAMETER server is unavailable.

      DIAMETER_ERROR_TOO_BUSY                          3
         This error code is used by the Home Agent to inform the
         DIAMETER Server that it cannot handle an extra Mobile Node.
         Upon receiving this error the DIAMETER Server can try to use
         an alternate Home Agent if one is available.

      DIAMETER_ERROR_MIP_REPLY_FAILURE                 4
         This error code is used by the Home Agent to inform the
         DIAMETER Server that the Registration Request failed.
   Message Format

       ::=
           []
           { || }

   AVP Format

      The Home-Agent-MIP-Answer Command AVP format is shown below. The
      fields are transmitted from left to right.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Command Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         256 DIAMETER-Command

      AVP Length

         The length of this AVP MUST be exactly 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Command Code

         The Command Code field MUST be set to 309 (Home-Agent-MIP-
         Answer).

3.0 DIAMETER AVPs

   This section will define the mandatory AVPs which MUST be supported
   by all DIAMETER implementations supporting this extension. The
   following AVPs are defined in this document:

      Attribute Name                Attribute Code
      -----------------------------------------
      MIP-Registration-Request          320
      MIP-Registration-Reply            321
      MN-FA-Challenge                   322
      MN-FA-Response                    323
      MN-FA-SPI                         324
      MN-to-FA-Key                      325
      FA-to-MN-Key                      326
      FA-HA-SPI                         327
      FA-to-HA-Key                      328
      HA-to-FA-Key                      329
      MN-HA-SPI                         330
      MN-to-HA-Key                      331
      HA-to-MN-Key                      332
      Mobile-Node-Address               333
      Home-Agent-Address                334
      Previous-FA-NAI                   335

3.1 MIP-Registration-Request

   Description

      This AVP is used to carry the Mobile IP Registration Request [4]
      sent by the Mobile Node to the Foreign Agent within a DIAMETER
      message.

   AVP Format

      A summary of the MIP-Registration-Request AVP format is shown
      below.
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      Type

         320 MIP-Registration-Request

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile IP Registration Request.

3.2 MIP-Registration-Reply

   Description

      This AVP is used to carry the Mobile IP Registration Reply [4]
      sent by the Home Agent to the Foreign Agent within a DIAMETER
      message.

   AVP Format

      A summary of the MIP-Registration-Reply AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         321 MIP-Registration-Reply

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile IP Registration Reply.

3.3 MN-FA-Challenge

   Description

      The Challenge field consists of a 32 bit NTP timestamp followed by
      a random value of at least 32 bits. The random value SHOULD be at
      least 96 bits in length [5].
   AVP Format

      A summary of the MN-FA-Challenge AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         322 MN-FA-Challenge

      AVP Length

         The length of this attribute MUST be at least 16.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the Foreign Agent's Challenge to the
         Mobile Node.

3.4 MN-FA-Response

   Description

      This AVP contains the Response generated by the Mobile Node as
      defined in the Mobile-Node Response extension [5]. The value is
      the result of the Challenge presented by the Foreign Agent hashed
      using the secret the Mobile Node shares with its Home DIAMETER
      Server.

   AVP Format

      A summary of the MN-FA-Response AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         323 MN-FA-Response

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the Mobile Node's Challenge Response.
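   The following is an added example (not code from the draft or its
   authors) showing the MN-FA-Challenge data layout of section 3.3, a
   Foreign Agent side freshness check on it, and the verification split
   of section 3.4 in which only the home DIAMETER Server holds the Mobile
   Node's secret. The keyed hash (HMAC-SHA1), the 60-second window, the
   NAI and the secret are assumptions; the real response computation is
   defined in [5].

```python
# Added example, not the draft's own code.  Challenge = 32-bit NTP
# timestamp || random value (at least 32 bits, 96 bits recommended).
# HMAC-SHA1 stands in for the response computation defined in [5];
# the freshness window, NAI and secret below are constructed values.
import hashlib
import hmac
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
MIN_RANDOM_BYTES = 4               # "a random value of at least 32 bits"
RECOMMENDED_RANDOM_BYTES = 12      # "SHOULD be at least 96 bits"
MAX_CHALLENGE_AGE = 60             # assumed freshness window, seconds


def ntp_seconds(unix_time):
    """Low 32 bits of the NTP seconds field for a Unix timestamp."""
    return (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF


def make_challenge(now=None, random_bytes=RECOMMENDED_RANDOM_BYTES):
    """Foreign Agent side: the Data field of an MN-FA-Challenge AVP."""
    if random_bytes < MIN_RANDOM_BYTES:
        raise ValueError("random part MUST be at least 32 bits")
    now = time.time() if now is None else now
    return struct.pack(">I", ntp_seconds(now)) + os.urandom(random_bytes)


def check_challenge(challenge, now=None):
    """Validate structure and freshness.  Returns a list of warnings
    (empty means clean); raises ValueError when the challenge is unusable.
    A timestamp in the future wraps to a huge age and is rejected too."""
    if len(challenge) < 4 + MIN_RANDOM_BYTES:
        raise ValueError("challenge shorter than timestamp + 32-bit random")
    now = time.time() if now is None else now
    stamp = struct.unpack(">I", challenge[:4])[0]
    age = (ntp_seconds(now) - stamp) & 0xFFFFFFFF
    if age > MAX_CHALLENGE_AGE:
        raise ValueError("challenge outside freshness window (age %ds)" % age)
    warnings = []
    if len(challenge) - 4 < RECOMMENDED_RANDOM_BYTES:
        warnings.append("random part below the recommended 96 bits")
    return warnings


def compute_response(shared_secret, challenge, nai):
    """Mobile Node side: keyed hash over the FA's challenge (stand-in)."""
    return hmac.new(shared_secret, nai.encode() + challenge, hashlib.sha1).digest()


def home_server_verify(secrets, nai, challenge, response, now=None):
    """Home DIAMETER Server side: look up the NAI's secret, recompute and
    compare in constant time.  The Foreign Agent cannot do this step; it
    only relays MN-FA-Challenge and MN-FA-Response in the AMR."""
    secret = secrets.get(nai)
    if secret is None:
        return False                     # maps to DIAMETER_ERROR_USER_UNKNOWN
    try:
        check_challenge(challenge, now)  # stale challenge => treat as replay
    except ValueError:
        return False
    expected = compute_response(secret, challenge, nai)
    return hmac.compare_digest(expected, response)
```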
3.5 MN-FA-SPI

   Description

      The MN-FA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Mobile Node (MN-to-FA-Key,
      FA-to-MN-Key).

   AVP Format

      A summary of the MN-FA-SPI AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                              SPI                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         324 MN-FA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         key shared between the Mobile Node and the Foreign Agent.

3.6 MN-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the Mobile-
      Foreign Authentication extension in the Mobile IP Registration
      Request [4].

   AVP Format

      A summary of the MN-to-FA-Key AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         325 MN-to-FA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Mobile Node when generating the Mobile IP Mobile-Foreign-
         Authentication-Extension.

3.7 FA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the Mobile-
      Foreign Authentication extension in the Mobile IP Registration
      Reply [4].

   AVP Format

      A summary of the FA-to-MN-Key AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         326 FA-to-MN-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Foreign Agent when generating the Mobile IP Mobile-Foreign-
         Authentication-Extension.

3.8 FA-HA-SPI

   Description

      The FA-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Home Agent (FA-to-HA-Key,
      HA-to-FA-Key).
   AVP Format

      A summary of the FA-HA-SPI AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                              SPI                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         327 FA-HA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      SPI

         The SPI field contains the SPI value associated with the key
         shared between the Foreign Agent and the Home Agent.

3.9 FA-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the
      Foreign-Home Authentication extension in the Mobile IP
      Registration Request [4].

   AVP Format

      A summary of the FA-to-HA-Key AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         328 FA-to-HA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.
      Data

         The data field contains the encrypted key to be used by the
         Foreign Agent when generating the Mobile IP Foreign-Home-
         Authentication-Extension.

3.10 HA-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the Foreign-
      Home Authentication extension in the Mobile IP Registration Reply
      [4].

   AVP Format

      A summary of the HA-to-FA-Key AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         329 HA-to-FA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Home Agent when generating the Mobile IP Foreign-Home-
         Authentication-Extension.

3.11 MN-HA-SPI

   Description

      The MN-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Mobile Node and the Home Agent (MN-to-HA-Key, HA-
      to-MN-Key).

   AVP Format

      A summary of the MN-HA-SPI AVP format is shown below.
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                              SPI                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      AVP Code

         330 MN-HA-SPI

      AVP Length

         The length of this attribute MUST be 12.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Integer32

         The Integer32 field contains the SPI value associated with the
         Session Key shared between the Mobile Node and the Home Agent.

3.12 MN-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the Mobile-
      Home Authentication extension in the Mobile IP Registration
      Request [4].

   AVP Format

      A summary of the MN-to-HA-Key AVP format is shown below.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           AVP Code                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Data ...
       +-+-+-+-+-+-+-+-+

      AVP Code

         331 MN-to-HA-Key

      AVP Length

         The length of this attribute MUST be at least 9.

      AVP Flags

         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
         upon the security model used. The 'V', 'T' and the 'P' bits
         MUST NOT be set.

      Data

         The data field contains the encrypted key to be used by the
         Mobile Node when generating the Mobile IP Mobile-Home-
         Authentication-Extension.
3.13 HA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the Mobile-Home
      Authentication extension in the Mobile IP Registration Reply [4].

   AVP Format

      A summary of the HA-to-MN-Key AVP format is shown below.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      332 HA-to-MN-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'P' bits
      MUST NOT be set.

   Data

      The data field contains the encrypted key to be used by the
      Home Agent when generating the Mobile IP Mobile-Home-
      Authentication-Extension.

3.14 Mobile-Node-Address

   Description

      The Mobile-Node-Address AVP contains the Mobile Node's Home
      Address. When this AVP has a NULL Address (0.0.0.0), it is a
      request that a Home Address be allocated to the Mobile Node.

   AVP Format

      A summary of the Mobile-Node-Address AVP format is shown below.
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      333 Mobile-Node-Address

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'P' bits
      MUST NOT be set.

   Address

      The Address field contains the IP address assigned to the
      Mobile Node, or 0.0.0.0 if one is requested.

3.15 Home-Agent-Address

   Description

      The Home-Agent-Address AVP contains the Mobile Node's Home Agent
      Address. When this AVP has a NULL address (0.0.0.0), it is a
      request that a Home Agent be allocated to the Mobile Node.

   AVP Format

      A summary of the Home-Agent-Address AVP format is shown below.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      334 Home-Agent-Address

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'P' bits
      MUST NOT be set.

   Address

      The Address field contains the Home Agent address assigned to
      the Mobile Node.
      If the address is set to 0.0.0.0, the Mobile
      Node is requesting that a Home Agent be allocated either in the
      foreign network or in its home network. If the address is set
      to 255.255.255.255 the Mobile Node is requesting that the Home
      Agent be allocated only within its home network.

3.16 Previous-FA-NAI

   Description

      The Previous-FA-NAI AVP contains the Network Access Identifier of
      the Mobile Node's old Foreign Agent. The Mobile Node will include
      this information in the Registration Request when it moves its
      point of attachment to a new foreign agent under the same
      administrative domain as the old FA (identified by the domain part
      of the NAI).

      When this AVP is present in the AA-Mobile-Node-Request, it
      indicates that the local DIAMETER Server overseeing the Foreign
      Agent should attempt to return the session key that was previously
      allocated to the old Foreign Agent for the Mobile Node. The
      session key is identified through the use of the MN-FA-SPI AVP,
      which MUST be present if this extension is present.

      This allows the Mobile Node to move from one Foreign Agent to
      another within the same administrative domain without having to
      send the request back to the Mobile Node's Home DIAMETER Server.

   AVP Format

      A summary of the Previous-FA-NAI AVP format is shown below.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    String ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      335 Previous-FA-NAI

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set.
      The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'P' bits
      MUST NOT be set.

   String

      The String field contains the Mobile Node's old Foreign Agent's
      NAI.

3.17 Foreign-Home-Agent-Available

   Description

      The Foreign-Home-Agent-Available AVP is added by the AAAF owned by
      the same administrative domain as the Foreign Agent if it is
      willing and able to allocate a Home Agent within the Foreign
      network for the Mobile Node.

      If this extension is present in the AMR and the Home-Agent-Address
      AVP is set to 0.0.0.0, the AAAH MAY allow the AAAF to assign a
      Home Agent for the Mobile Node. This is done by including the
      Home-Agent-Address AVP with a value of 0.0.0.0 in the AMR.

   AVP Format

      A summary of the Foreign-Home-Agent-Available AVP format is shown
      below.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      335 Foreign-Home-Agent-Available

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'P' bits
      MUST NOT be set.

   Integer32

      The Integer32 field MUST be set to 1 to inform the AAAH that
      the AAAF is able and willing to allocate a Home Agent for the
      Mobile Node.

4.0 Protocol Definition

   This section will outline how the DIAMETER Mobile IP Extension can be
   used.
4.1 Inter-Domain Mobile IP

   The following diagram is an example of an inter-domain Mobile IP
   network.

              ISP                                  Home Network
           +--------+                              +--------+
           |        |          AMR/A               |        |
           |  AAAF  |<---------------------------->|  AAAH  |
           | server |       server-server          | server |
           +--------+       communication          +--------+
             /  /|\                                   /|\
            /AMR/A|   client-server                    |  HAR/A
           /      |   communication                    |
         |/_     \|/                                  \|/
     +---------+ +---------+                      +---------+
     | Foreign | | Foreign |                      |  Home   |
     |  Agent  | |  Agent  |                      |  Agent  |
     +---------+ +---------+                      +---------+
          /|\
           |  Mobile IP
           |
          \|/
      +--------+
      | Mobile |
      |  Node  |
      +--------+

   The AA-Mobile-Node-Request (AMR) is generated by the Foreign Agent
   and includes the AVPs defined in section 2.1. The Mobile-Node-Address
   AVP's value is copied from the Registration Request's Home Address
   field. The Home-Agent-Address AVP's value is copied from the
   Registration Request's Home Agent field. The value of the User-Name
   AVP is taken from the Mobile-Node-NAI extension as described in [8].
   The request is then forwarded to the Foreign Agent's local DIAMETER
   server, known as the AAA-Foreign, or AAAF.

   When the AAAF receives the message, it uses the User-Name AVP [1] to
   determine whether authentication and authorization can be handled
   locally. The User-Name format is consistent with the NAI described in
   [6] and the user's domain is used to determine the Mobile Node's home
   DIAMETER Server (or AAAH). In the example below, the request cannot
   be processed by the AAAF, therefore the request is proxied [9] to the
   AAAH. Note that this exchange is only required when the Mobile Node
   attempts to gain service with a new Foreign Agent, or if the keys
   previously distributed expire.
   Mobile Node   Foreign Agent       AAAF            AAAH        Home Agent
   -----------   -------------   ------------     ----------     ----------

     <-------Challenge
     Reg-Req(Response)->
                   AMR------------->
                                   AMR------------>
                                                    HAR----------->
                                                    <----------HAA
                                                 <-----------AMA
                                  <------------AMA
     <-------Reg-Reply

   The AAAH must first authenticate the user by validating the MN-FA-
   Challenge, which contains a timestamp, as described in [5]. If
   the timestamp information is valid, the AAAH uses the security
   association shared between itself and the Mobile Node in order to
   validate the MN-FA-Response. If the response is invalid, the AAAH
   returns the AA-Mobile-Node-Answer (AMA, see section 2.2) with a
   Result-Code set to the appropriate value.

   If the Mobile Node was successfully authenticated, the AAAH checks
   whether the Home-Agent-Address AVP specified a Home Agent. If one was
   specified, the AAAH must validate the address to ensure that it is a
   known Home Agent. If no Home Agent was specified the AAAH SHOULD
   allocate one on behalf of the Mobile Node. This can be done in a
   variety of ways, including using a load balancing algorithm in order
   to keep the load on all Home Agents equal. The actual algorithm used
   and the method of discovering the Home Agents is outside of this
   specification, but the method proposed in [4] can be used.

   If the AMR's Mobile-Node-Address AVP did not specify an address, the
   AAAH has the option of assigning an address for the Mobile Node, or
   it can leave this up to the Home Agent. This is purely a local policy
   decision.

   The AAAH then proceeds to generate three short-lived session keys:
   one which is shared between the Mobile Node and the Home Agent, one
   between the Mobile Node and the Foreign Agent, and one between the
   Foreign Agent and the Home Agent.
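   The AAAH-side steps just described (timestamp check on the MN-FA-
   Challenge, MN-FA-Response check under the Mobile Node's security
   association, validation or allocation of the Home Agent, and the
   local-policy decision on the Mobile-Node-Address) are shown below as
   an added Python example. It is not code from this draft. The draft
   defers the challenge format to [5], the response computation and
   Result-Code values to [1], and the allocation algorithm to local
   policy, so the example assumes all of these: the challenge's first
   four bytes are a big-endian UNIX time, the response is HMAC-SHA256
   over challenge and NAI under the shared secret, the 120-second skew
   window and the Result-Code names are placeholders, and the Home
   Agent is chosen by lowest current load. All secrets, addresses and
   the NAI are constructed sample values.

```python
# Added example (not code from the draft): AAAH processing of an AMR as
# described in section 4.1.  Every concrete format here is an assumption
# made for the example; see the lead-in.
import hmac
import hashlib
import struct
import time

MAX_SKEW = 120   # assumed acceptance window, in seconds, for the challenge timestamp

# Placeholder Result-Code names; the draft only says "the appropriate value".
SUCCESS, STALE_CHALLENGE, AUTH_FAILED, UNKNOWN_HOME_AGENT = (
    "SUCCESS", "STALE_CHALLENGE", "AUTH_FAILED", "UNKNOWN_HOME_AGENT")


def challenge_fresh(challenge, now):
    """The MN-FA-Challenge carries a timestamp [5]; assume its first 4 bytes
    are a big-endian UNIX time and accept it only inside the skew window,
    so a captured challenge/response pair cannot be replayed later."""
    if len(challenge) < 4:
        return False
    (ts,) = struct.unpack("!I", challenge[:4])
    return abs(now - ts) <= MAX_SKEW


def expected_response(mn_secret, challenge, nai):
    """Assumed MN-FA-Response construction: HMAC-SHA256 of challenge and NAI
    under the secret the AAAH shares with the Mobile Node."""
    return hmac.new(mn_secret, challenge + nai.encode(), hashlib.sha256).digest()


def pick_home_agent(requested, known_has, loads):
    """A requested Home Agent must be a known one; 0.0.0.0 means allocate,
    here by lowest load (the draft leaves the algorithm open)."""
    if requested != "0.0.0.0":
        return requested if requested in known_has else None
    if not known_has:
        return None
    return min(known_has, key=lambda ha: loads.get(ha, 0))


def process_amr(amr, subscribers, known_has, loads, now=None, assign_address=None):
    """Return (result_code, decisions).  `amr` is a dict keyed by the AVP names
    the draft uses; `subscribers` maps NAI -> shared secret; `assign_address`
    is an optional callable standing in for the AAAH's address pool."""
    now = int(time.time()) if now is None else now
    if not challenge_fresh(amr["MN-FA-Challenge"], now):
        return STALE_CHALLENGE, {}
    secret = subscribers.get(amr["User-Name"])
    if secret is None:
        return AUTH_FAILED, {}
    expected = expected_response(secret, amr["MN-FA-Challenge"], amr["User-Name"])
    if not hmac.compare_digest(expected, amr["MN-FA-Response"]):
        return AUTH_FAILED, {}
    ha = pick_home_agent(amr["Home-Agent-Address"], known_has, loads)
    if ha is None:
        return UNKNOWN_HOME_AGENT, {}
    addr = amr["Mobile-Node-Address"]
    if addr == "0.0.0.0" and assign_address is not None:
        addr = assign_address()        # local policy: the AAAH assigns it
    # otherwise 0.0.0.0 is passed on and the Home Agent assigns one
    return SUCCESS, {"Home-Agent-Address": ha, "Mobile-Node-Address": addr}


def sample_amr(now, nai="mn@example.net", secret=b"mn-secret-constructed", **overrides):
    """Constructed AMR, as the Foreign Agent would relay it, for the example."""
    challenge = struct.pack("!I", now - 30) + b"constructed-nonce"
    amr = {"User-Name": nai, "MN-FA-Challenge": challenge,
           "MN-FA-Response": expected_response(secret, challenge, nai),
           "Home-Agent-Address": "0.0.0.0", "Mobile-Node-Address": "0.0.0.0"}
    amr.update(overrides)
    return amr


if __name__ == "__main__":
    subs = {"mn@example.net": b"mn-secret-constructed"}
    known = ["10.0.0.1", "10.0.0.2"]             # constructed Home Agent table
    loads = {"10.0.0.1": 5, "10.0.0.2": 2}
    print(process_amr(sample_amr(1_000_000), subs, known, loads, now=1_000_000))
```

   The response comparison uses hmac.compare_digest so that the check
   does not leak timing information, and the timestamp is checked
   before any keyed computation is done.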
   The keys destined for the Mobile Node are encrypted either using the
   Mobile Node's secret or its public key [1]. The keys destined for the
   Foreign Agent are encrypted either using the secret shared between
   the AAAH and the AAAF, or using public key cryptography [1]. The keys
   destined for the Home Agent are encrypted using the secret it shares
   with the AAAH. The Session-Timeout AVP is included and contains the
   number of seconds before the session keys expire. A value of zero
   indicates that the session keys have no expiration.

   Note that this extension requires a departure from the existing SPI
   usage described in [4]. The AAAH generates SPI values for the
   Mobility Agents as opposed to a receiver choosing its own SPI value.
   The SPI values are used as Key Identifiers, meaning that each short-
   lived session key has its own SPI value and since two nodes share a
   session key they share an SPI as well.

   Suppose a Mobile Node and a Foreign Agent share a key that was
   created by the AAAH. The AAAH also generated a corresponding SPI
   value of 37,496. All Mobile-Foreign Authentication extensions
   computed by either entity using the shared session key would then
   include the SPI value of 37,496.

   The AAAH then sends a Home-Agent-MIP-Request (HAR) to the assigned or
   requested Home Agent. The HAR contains the MIP-Registration-Request
   as well as the keys and SPIs destined for the Home Agent (HA-to-MN-
   Key, MN-HA-SPI, HA-to-FA-Key and FA-HA-SPI AVPs) and the Mobile Node
   (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and MN-to-HA-Key AVPs). The
   Mobile-Node-Address AVP contains an address if the Mobile Node
   specified a home address or if the AAAH assigned an address, but no
   address would be specified if the Home Agent were to assign one.
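   The key distribution just described, with the SPI used as a key
   identifier shared by both holders of a key and the Session-Timeout
   governing expiry, is shown below as an added Python example; it is
   not code from this draft. The draft leaves the encryption of the
   keys to [1] and the authentication extension format to [4], so the
   example assumes both: each key copy is wrapped by XOR with an
   HMAC-SHA256 keystream derived from the recipient's secret, the SPI
   and a fresh nonce, and the authentication extension is HMAC-SHA256
   over the SPI and the registration bytes. The AAAF's re-encryption
   step for the Foreign Agent and the delivery of the Mobile Node's
   copies inside the Registration Reply are collapsed into a direct
   install. Secrets, the starting SPI 37496 and the registration bytes
   are constructed sample values; function and AVP dictionary names are
   the example's own.

```python
# Added example (not code from the draft): session keys and AAAH-chosen SPIs
# from section 4.1, wrapped for each recipient and later used as key
# identifiers when authentication extensions are checked.  The wrapping and
# extension constructions are assumptions; the draft defers them to [1], [4].
import hmac
import hashlib
import os
import struct
import itertools


def wrap_key(secret, spi, key):
    """Wrap one key copy for its recipient: nonce || (key XOR PRF(secret, spi||nonce))."""
    nonce = os.urandom(16)
    stream = hmac.new(secret, struct.pack("!I", spi) + nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(key, stream))


def unwrap_key(secret, spi, blob):
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(secret, struct.pack("!I", spi) + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class KeyStore:
    """Per-node table of session keys indexed by SPI, honouring Session-Timeout
    (0 means the keys never expire, as the draft states)."""
    def __init__(self):
        self._keys = {}

    def install(self, spi, key, now, session_timeout):
        expires = None if session_timeout == 0 else now + session_timeout
        self._keys[spi] = (key, expires)

    def lookup(self, spi, now):
        key, expires = self._keys.get(spi, (None, None))
        if key is None or (expires is not None and now >= expires):
            return None          # unknown SPI, or key has expired
        return key


def auth_extension(key, spi, message):
    """Authentication extension carried as (SPI, authenticator); both holders
    of the key know the same SPI, so the receiver can find the key by it."""
    return spi, hmac.new(key, struct.pack("!I", spi) + message, hashlib.sha256).digest()


def verify_extension(store, spi, message, authenticator, now):
    key = store.lookup(spi, now)
    if key is None:
        return False
    _, expected = auth_extension(key, spi, message)
    return hmac.compare_digest(expected, authenticator)


def aaah_distribute(mn_secret, aaaf_secret, ha_secret, spi_pool):
    """AAAH side: three keys, three AAAH-chosen SPIs, each copy wrapped for
    its holder, grouped as the HAR and AMA AVPs the draft lists."""
    spis = {pair: next(spi_pool) for pair in ("MN-FA", "MN-HA", "FA-HA")}
    keys = {pair: os.urandom(16) for pair in spis}
    har = {   # to the Home Agent: its own copies plus the Mobile Node's
        "MN-HA-SPI": spis["MN-HA"], "HA-to-MN-Key": wrap_key(ha_secret, spis["MN-HA"], keys["MN-HA"]),
        "FA-HA-SPI": spis["FA-HA"], "HA-to-FA-Key": wrap_key(ha_secret, spis["FA-HA"], keys["FA-HA"]),
        "MN-FA-SPI": spis["MN-FA"], "MN-to-FA-Key": wrap_key(mn_secret, spis["MN-FA"], keys["MN-FA"]),
        "MN-to-HA-Key": wrap_key(mn_secret, spis["MN-HA"], keys["MN-HA"]),
    }
    ama = {   # to the AAAF for the Foreign Agent, under the AAAH-AAAF secret
        "MN-FA-SPI": spis["MN-FA"], "FA-to-MN-Key": wrap_key(aaaf_secret, spis["MN-FA"], keys["MN-FA"]),
        "FA-HA-SPI": spis["FA-HA"], "FA-to-HA-Key": wrap_key(aaaf_secret, spis["FA-HA"], keys["FA-HA"]),
    }
    return har, ama


def install(store, secret, msg, spi_avp, key_avp, now, timeout):
    """Recipient side: unwrap one key copy and file it under its SPI."""
    spi = msg[spi_avp]
    store.install(spi, unwrap_key(secret, spi, msg[key_avp]), now, timeout)
    return spi


def run_exchange(now=1_000_000, session_timeout=600):
    """Constructed end-to-end run: distribute, install at each node, then check
    a later Registration Request the way the Foreign and Home Agents would."""
    mn_secret, aaaf_secret, ha_secret = b"mn-secret", b"aaah-aaaf-secret", b"aaah-ha-secret"
    har, ama = aaah_distribute(mn_secret, aaaf_secret, ha_secret, itertools.count(37496))
    ha, fa, mn = KeyStore(), KeyStore(), KeyStore()
    install(ha, ha_secret, har, "MN-HA-SPI", "HA-to-MN-Key", now, session_timeout)
    install(ha, ha_secret, har, "FA-HA-SPI", "HA-to-FA-Key", now, session_timeout)
    install(fa, aaaf_secret, ama, "MN-FA-SPI", "FA-to-MN-Key", now, session_timeout)
    install(fa, aaaf_secret, ama, "FA-HA-SPI", "FA-to-HA-Key", now, session_timeout)
    mn_fa_spi = install(mn, mn_secret, har, "MN-FA-SPI", "MN-to-FA-Key", now, session_timeout)
    install(mn, mn_secret, har, "MN-HA-SPI", "MN-to-HA-Key", now, session_timeout)
    reg_req = b"Reg-Req constructed bytes"
    spi, mac = auth_extension(mn.lookup(mn_fa_spi, now), mn_fa_spi, reg_req)
    return {
        "mn_fa_spi": spi,
        "fa_accepts": verify_extension(fa, spi, reg_req, mac, now),
        "ha_rejects_foreign_spi": not verify_extension(ha, spi, reg_req, mac, now),
        "fa_rejects_after_expiry": not verify_extension(fa, spi, reg_req, mac, now + session_timeout),
    }
```

   Because each node only ever holds the keys addressed to it, the Home
   Agent cannot verify an extension computed under the MN-FA key even
   though it knows the SPI numbering scheme, and an expired SPI is
   treated exactly like an unknown one.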
   The Home Agent processes the DIAMETER Home-Agent-MIP-Request as well
   as the embedded Mobile IP Registration Request. If both are
   successful, the Home Agent creates the Mobile IP Registration Reply,
   and furthermore includes the keying material to be used by the Mobile
   Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and MN-to-HA-Key) in the
   MIP-Registration-Reply AVP. If no Mobile-Node-Address AVP was present
   in the request the Home Agent must assign an address for the Mobile
   Node. The Result-Code AVP is included and the Home-Agent-MIP-Answer
   is sent to the AAAH.

   The AAAH then issues an AA-Mobile-Node-Answer to the AAAF which
   includes the MIP-Registration-Reply, Result-Code and the Mobile-
   Node-Address AVP. The message also includes the keys and SPI AVPs
   used by the Foreign Agent (MN-FA-SPI, FA-to-MN-Key, FA-HA-SPI and the
   FA-to-HA-Key AVPs).

   Upon receipt of the successful AA-Mobile-Node-Answer the AAAF
   decrypts the FA-to-MN-Key and the FA-to-HA-Key AVPs. These keys are
   then re-encrypted using the DIAMETER secret, unless IPSEC's ESP [x]
   is used between the Foreign Agent and the AAAF. The message is
   transmitted to the Foreign Agent.

   The Foreign Agent, upon receipt of the AA-Mobile-Node-Answer,
   decrypts the appropriate KEY AVPs, and processes the Mobile IP
   Registration Reply which is then forwarded to the Mobile Node.

   From this point on, Registration Requests and Replies need not rely
   on the DIAMETER proxy chain; the Foreign Agent can contact the Home
   Agent directly using the keys which were previously distributed. This
   can continue until the session keys expire, as indicated in the Key-
   Lifetime AVP.

   The following is an example of subsequent Mobile IP message exchange.
   Mobile Node        Foreign Agent              Home Agent
   -----------        -------------              ----------

    Reg-Req(MN-FA-Auth, MN-HA-Auth)-------->

                       Reg-Req(MN-HA-Auth, FA-HA-Auth)-------->

                       <--------Reg-Rep(MN-HA-Auth, FA-HA-Auth)

    <--------Reg-Rep(MN-HA-Auth, MN-FA-Auth)

   Note that subsequent registrations MUST use the MN-FA Authentication
   extension [4].

4.2 Allocation of Home Agent in Foreign Network

   When the AAAF receives the AMR message, it can add the Foreign-Home-
   Agent-Available AVP to inform the AAAH that it is able and willing to
   assign a Home Agent for the Mobile Node. The AAAH will only allow
   this if the Home-Agent-Address in the AMR is set to zero (0). The
   AAAH does this by sending the AMA message to the AAAF with the Home-
   Agent-Address AVP set to zero (0). The AMA message still includes all
   of the keying information that was previously discussed, except that
   the keys for the Home Agent are encrypted using the security
   association the AAAH shares with the AAAF.

              ISP                                  Home Network
           +--------+                              +--------+
           |        |          AMR/A               |        |
           |  AAAF  |<---------------------------->|  AAAH  |
           | server |       server-server          | server |
           +--------+       communication          +--------+
             /  /|\
     HAR/A  /AMR/A|   client-server
           /      |   communication
         |/_     \|/
     +---------+ +---------+
     |  Home   | | Foreign |
     |  Agent  | |  Agent  |
     +---------+ +---------+
                     /|\
                      |  Mobile IP
                      |
                     \|/
                 +--------+
                 | Mobile |
                 |  Node  |
                 +--------+

   Upon receipt of such a message, the AAAF issues the HAR message to
   the Home Agent. Upon receipt of the response from the Home Agent the
   AAAF issues the AMA message to the Foreign Agent in the same method
   described earlier.
   Mobile Node   Foreign Agent       AAAF         Home Agent       AAAH
   -----------   -------------   -------------    ----------    ----------

     <-------Challenge
     Reg-Req(Response)->
                   AMR------------->
                                   AMR-------------------------->
                                   <------------------------AMA
                                   HAR------------->
                                   <----------HAA
                   <------------AMA
     <-------Reg-Reply

   If the Mobile Node moves to another Foreign Network, which it detects
   from the Router Advertisement message, it can either request to keep
   the same Home Agent within the old foreign network, or it can request
   that a new one be assigned. If the Home-Agent-Address AVP is set to a
   value, it indicates that the same Home Agent should be used.

   In this case the new AAAF would issue the AMR message towards the
   Mobile Node's AAAH, which would create the keys as previously
   defined. In this case all of the keys destined for the Home Agent
   would be encrypted using the security association it shares with the
   old Foreign Network's AAAF, while the keys for the Foreign Agent
   would be encrypted using the security association shared with the new
   Foreign Network's AAAF.

5.0 References

   [1]  Calhoun, Rubens, "DIAMETER", Internet-Draft,
        draft-calhoun-diameter-07.txt, Work in Progress,
        November 1998.

   [2]  Calhoun, Zorn, Pan, "DIAMETER Framework", Internet-
        Draft, draft-calhoun-diameter-framework-01.txt,
        Work in Progress, August 1998.

   [3]  P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
        Protocol", draft-ietf-mobileip-calhoun-tep-01.txt,
        Work in Progress, March 1998.

   [4]  C. Perkins, Editor. IP Mobility Support. RFC 2002, October
        1996.

   [5]  P. Calhoun, C. Perkins, "Mobile IP Challenge/Response",
        draft-ietf-mobileip-challenge-00.txt, Work in Progress,
        November 1998.

   [6]  B. Aboba. "The Network Access Identifier." draft-ietf-roamops-
        nai-11.txt, Work in Progress, July 1998.
   [7]  Aboba, Zorn, "Roaming Requirements", draft-ietf-roamops-
        roamreq-09.txt, Work in Progress, April 1998.

   [8]  P. Calhoun, C. Perkins, "Mobile IP Dynamic Home Agent
        Allocation", draft-ietf-mobileip-ha-alloc-00.txt,
        Work in Progress, November 1998.

   [9]  P. Calhoun, W. Bulley, "DIAMETER Proxy Server Extensions",
        draft-calhoun-diameter-proxy-00.txt, Work in Progress,
        August 1998.

6.0 Authors' Addresses

   Questions about this memo can be directed to:

      Pat R. Calhoun
      Technology Development
      Sun Microsystems, Inc.
      15 Network Circle
      Menlo Park, California, 94025
      USA

      Phone:  1-650-786-7733
      Fax:    1-650-786-6445
      E-mail: pcalhoun@eng.sun.com

      Charles E. Perkins
      Technology Development
      Sun Microsystems, Inc.
      15 Network Circle
      Menlo Park, California, 94025
      USA

      Phone:  1-650-786-6464
      Fax:    1-650-786-6445
      E-mail: charles.perkins@eng.sun.com