idnits 2.17.1 draft-ietf-dime-pmip6-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 711 has weird spacing: '...Address is s...' -- The document date (September 22, 2009) is 5328 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'MN1' is mentioned on line 188, but not defined == Missing Reference: 'MN2' is mentioned on line 188, but not defined == Missing Reference: 'RFC TBD' is mentioned on line 725, but not defined ** Obsolete normative reference: RFC 3588 (Obsoleted by RFC 6733) ** Obsolete normative reference: RFC 4005 (Obsoleted by RFC 7155) ** Obsolete normative reference: RFC 4282 (Obsoleted by RFC 7542) == Outdated reference: A later version (-14) exists of draft-ietf-mext-binding-revocation-12 == Outdated reference: A later version (-08) exists of draft-ietf-netlmm-lma-discovery-02 == Outdated reference: A later version (-18) exists of draft-ietf-netlmm-pmip6-ipv4-support-17 -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 3775 (Obsoleted by RFC 6275) Summary: 4 errors (**), 0 flaws (~~), 8 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Diameter Maintenance and J. Korhonen, Ed. 3 Extensions (DIME) Nokia Siemens Network 4 Internet-Draft J. Bournelle 5 Intended status: Standards Track Orange Labs 6 Expires: March 26, 2010 K. Chowdhury 7 Starent Networks 8 A. Muhanna 9 Nortel 10 U. Meyer 11 RWTH Aachen 12 September 22, 2009 14 Diameter Proxy Mobile IPv6: Mobile Access Gateway and Local Mobility 15 Anchor Interaction with Diameter Server 16 draft-ietf-dime-pmip6-04.txt 18 Status of this Memo 20 This Internet-Draft is submitted to IETF in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as Internet- 26 Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on March 26, 2010. 41 Copyright Notice 43 Copyright (c) 2009 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents in effect on the date of 48 publication of this document (http://trustee.ietf.org/license-info). 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. 52 Abstract 54 This specification defines Authentication, Authorization, and 55 Accounting interactions between Proxy Mobile IPv6 entities (both 56 Mobile Access Gateway and Local Mobility Anchor) and an 57 Authentication, Authorization, and Accounting server within a Proxy 58 Mobile IPv6 Domain. These Authentication, Authorization, and 59 Accounting interactions are primarily used to download and update 60 mobile node specific policy profile information between Proxy Mobile 61 IPv6 entities and a remote policy store. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 66 2. Terminology and Abbreviations . . . . . . . . . . . . . . . . 4 67 3. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 5 68 4. Generic Application Support and Command Codes . . . . . . . . 7 69 4.1. MAG-to-HAAA Interface . . . . . . . . . . . . . . . . . . 7 70 4.2. LMA-to-HAAA Interface . . . . . . . . . . . . . . . . . . 7 71 4.2.1. General Operation and Authorization of PBU . . . . . . 8 72 4.2.2. Updating LMA Address to HAAA . . . . . . . . . . . . . 9 73 4.2.3. Mobile Node Address Update and Assignment . . . . . . 9 74 5. Attribute Value Pair Definitions . . . . . . . . . . . . . . . 10 75 5.1. MIP6-Agent-Info AVP . . . . . . . . . . . . . . . . . . . 10 76 5.2. PMIP6-IPv4-Home-Address AVP . . . . . . . . . . . . . . . 10 77 5.3. MIP6-Home-Link-Prefix AVP . . . . . . . . . . . . . . . . 11 78 5.4. PMIP6-DHCP-Server-Address AVP . . . . . . . . . . . . . . 11 79 5.5. MIP6-Feature-Vector AVP . . . . . . . . . . . . . . . . . 11 80 5.6. Mobile-Node-Identifier AVP . . . . . . . . . . . . . . . . 12 81 5.7. Calling-Station-Id AVP . . . . . . . . . . . . . . . . . . 13 82 5.8. Service-Selection AVP . . . . . . . . . . . . . . . . . . 13 83 5.9. Service-Configuration AVP . . . . . . . . . . . . . . . . 14 84 6. Proxy Mobile IPv6 Session Management . . . . . . . . . . . . . 14 85 6.1. Session-Termination-Request . . . . . . . . . . . . . . . 14 86 6.2. Session-Termination-Answer . . . . . . . . . . . . . . . . 15 87 6.3. Abort-Session-Request . . . . . . . . . . . . . . . . . . 15 88 6.4. Abort-Session-Answer . . . . . . . . . . . . . . . . . . . 15 89 7. Attribute Value Pair Occurrence Tables . . . . . . . . . . . . 15 90 7.1. MAG-to-HAAA Interface . . . . . . . . . . . . . . . . . . 15 91 7.2. LMA-to-HAAA Interface . . . . . . . . . . . . . . . . . . 16 92 8. Example Signaling Flows . . . . . . . . . . . . . . . . . . . 16 93 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 94 9.1. Attribute Value Pair Codes . . . . . . . . . . . . . . . . 17 95 9.2. Namespaces . . . . . . . . . . . . . . . . . . . . . . . . 18 96 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 97 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 98 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 99 12.1. Normative References . . . . . . . . . . . . . . . . . . . 18 100 12.2. Informative References . . . . . . . . . . . . . . . . . . 19 101 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 103 1. Introduction 105 This specification defines Authentication, Authorization, and 106 Accounting (AAA) interactions between a Mobile Access Gateway (MAG) 107 and an AAA server, and between a Local Mobility Anchor (LMA) and an 108 AAA server within a Proxy Mobile IPv6 (PMIPv6) Domain [RFC5213]. 109 These AAA interactions are primarily used to download and update 110 mobile node (MN) specific policy profile information between PMIPv6 111 entities (a MAG and a LMA) and a remote policy store. 113 Dynamic assignment and downloading of MN's policy profile information 114 to a MAG from a remote policy store is a desirable feature to ease 115 the deployment and network maintenance of larger PMIPv6 domains. For 116 this purpose, the same AAA infrastructure that is used for 117 authenticating and authorizing the MN for a network access, can be 118 leveraged to download some or all of the necessary policy profile 119 information to the MAG. 121 Once the network has authenticated the MN, the MAG sends a Proxy 122 Binding Update (PBU) to the LMA in order to setup a mobility session 123 on behalf of the MN. When the LMA receives the PBU, the LMA may need 124 to authorize the received PBU against the AAA infrastructure. The 125 same AAA infrastructure that can be used for the authorization of the 126 PBU, is also used to update the remote policy store with the LMA 127 provided MN specific mobility session related information. 129 In the context of this specification the home AAA server (HAAA) 130 functionality is co-located with the remote policy store. The NAS 131 functionality may be co-located with the MAG function in the network 132 access router. Diameter [RFC3588] is the used AAA protocol. 134 2. Terminology and Abbreviations 136 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 137 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 138 document are to be interpreted as described in RFC2119 [RFC2119]. 140 The general terminology used in this document can be found in 141 [RFC5213] and [I-D.ietf-netlmm-pmip6-ipv4-support]. The following 142 additional or clarified terms are also used in this document: 144 Network Access Server (NAS): 146 A device that provides an access service for a user to a network. 147 In the context of this document the NAS may be integrated into or 148 co-located to a MAG. The NAS contains a Diameter client function. 150 Home AAA (HAAA): 152 An Authentication, Authorization, and Accounting (AAA) server 153 located in user's home network. A HAAA is essentially a Diameter 154 server. 156 3. Solution Overview 158 This document addresses the AAA interactions and AAA-based session 159 management functionality needed in the PMIPv6 Domain. This document 160 defines Diameter based AAA interactions between the MAG and the HAAA, 161 and between the LMA and the HAAA. 163 The policy profile is downloaded from the HAAA to the MAG during the 164 MN attachment to the PMIPv6 Domain. Figure 1 shows the participating 165 network entities. This document, however, concentrates on the MAG, 166 LMA, and the HAAA (the home Diameter server). 168 +--------+ 169 | HAAA & | Diameter +-----+ 170 | Policy |<---(2)-->| LMA | 171 | Store | +-----+ 172 +--------+ | <--- LMA-Address 173 ^ | 174 | // \\ 175 +---|------------- //---\\----------------+ 176 ( | IPv4/IPv6 // \\ ) 177 ( | Network // \\ ) 178 +---|-----------//---------\\-------------+ 179 | // \\ 180 Diameter // <- Tunnel1 \\ <- Tunnel2 181 (1) // \\ 182 | |- MAG1-Address |- MAG2-Address 183 | +----+ +----+ 184 +---->|MAG1| |MAG2| 185 +----+ +----+ 186 | | 187 | | 188 [MN1] [MN2] 190 Legend: 192 (1): MAG-to-HAAA interaction is described 193 in Section 7.1 194 (2): LMA-to-HAAA interaction is described 195 in Section 7.2 197 Figure 1: Proxy Mobile IPv6 Domain Interaction with Diameter HAAA 198 Server 200 When a MN attaches to a PMIPv6 Domain, a network access 201 authentication procedure is usually started. The choice of the 202 authentication mechanism is specific to the access network 203 deployment, but could be based on the Extensible Authentication 204 Protocol (EAP) [RFC3748]. During the network access authentication 205 procedure, the MAG acting as a NAS queries the HAAA through the AAA 206 infrastructure using the Diameter protocol. If the HAAA detects that 207 the subscriber is also authorized for the PMIPv6 service, PMIPv6 208 specific information is returned along with the successful network 209 access authentication answer to the MAG. 211 After the MN has been successfully authenticated, the MAG sends a PBU 212 to the LMA based on the MN's policy profile information. Upon 213 receiving the PBU the LMA interacts with the HAAA and fetches the 214 relevant parts of the subscriber policy profile and authorization 215 information related to the mobility service session. In this 216 specification, the HAAA has the role of the PMIPv6 remote policy 217 store. 219 4. Generic Application Support and Command Codes 221 This specification does not define new Application-IDs or Command 222 Codes for the MAG-to-HAAA or for the LMA-to-HAAA Diameter 223 connections. Rather, this specification is generic to any Diameter 224 application (and their commands) that is suitable for a network 225 access authentication and authorization. Example applications 226 include NASREQ [RFC4005] and EAP [RFC4072]. 228 4.1. MAG-to-HAAA Interface 230 The MAG-to-HAAA interactions are primarily used for bootstrapping 231 PMIPv6 mobility service session when a MN attaches and authenticates 232 to a PMIPv6 Domain. This includes the bootstrapping of PMIPv6 233 session related information. The same interface may also be used for 234 accounting. The MAG acts as a Diameter client. 236 Whenever the MAG sends a Diameter request message to the HAAA, the 237 User-Name AVP SHOULD contain the MN's identity unless the identity is 238 being suppressed for policy reasons - for example, when identity 239 hiding is in effect. The MN identity, if available, MUST be in 240 Network Access Identifier (NAI) [RFC4282] format. At minimum the 241 home realm of the MN MUST be available at the MAG when the network 242 access authentication takes place. Otherwise the MAG is not able to 243 route the Diameter request messages towards the correct HAAA. The MN 244 identity used on the MAG-to-HAAA interface and in the User-Name AVP 245 MAY entirely be related to the network access authentication, and 246 therefore not suitable to be used as the MN-ID mobility option value 247 in the subsequent PBU/PBA messages. See the related discussion on 248 MN's identities in Section 5.6 and in Section 4.2. 250 For the session management and service authorization purposes, 251 session state SHOULD be maintained on the MAG-to-HAAA interface. See 252 the discussion in Section 5.8. 254 4.2. LMA-to-HAAA Interface 256 The-LMA-to HAAA interface may be used for multiple purposes. These 257 include the authorization of the incoming PBU, updating the LMA 258 address to the HAAA, delegating the assignment of the MN-HNP or the 259 IPv4-HoA to the HAAA, and for accounting and PMIPv6 session 260 management. The primary purpose of this interface is to update the 261 HAAA with the LMA address information in case of dynamically assigned 262 LMA, and exchange the MN address assignment information between the 263 LMA and the HAAA. 265 The LMA-to-HAAA interface description is intended for different types 266 of deployments and architectures. Therefore, this specification only 267 outlines AVPs and considerations that the deployment specific 268 Diameter applications need to take into account from the PMIPv6 and 269 LMAs point of view. 271 4.2.1. General Operation and Authorization of PBU 273 Whenever the LMA sends a Diameter request message to the HAAA, the 274 User-Name AVP SHOULD contain the MN's identity. The LMA provided 275 identity in the User-Name AVP is strongly RECOMMENDED to be the same 276 as the MN's identity information in the PBU MN-ID [RFC4283] [RFC5213] 277 mobility option. The identity SHOULD also be the same as used on the 278 MAG-to-HAAA interface, but in the case those identities differ the 279 HAAA MUST have a mechanism of mapping the MN identity used on the 280 MAG-to-HAAA interface to the identity used on the LMA-to-HAAA 281 interface. 283 If the PBU contains the MN Link-Layer Identifier option, the Calling- 284 Station-Id AVP SHOULD be included in the request message containing 285 the received Link-Layer Identifier. Furthermore, if the PBU contains 286 the Service Selection mobility option [RFC5149], the Service- 287 Selection AVP SHOULD be included in the request message containing 288 the received service identifier. Both MN Link-Layer Identifier and 289 the Service selection can be used to provide more information for the 290 PBU authorization step in the HAAA. 292 The Auth-Request-Type AVP MUST be set to the value AUTHORIZE_ONLY. 293 The Diameter session related aspects discussed in Section 6 need to 294 be taken into consideration when designing the Diameter application 295 for the LMA-to-HAAA interface. If the HAAA is not able to authorize 296 the subscriber's mobility service session, then the reply message to 297 the LMA MUST have the Result-Code AVP set to value 298 DIAMETER_AUTHORIZATION_REJECTED (5003) indicating a permanent 299 failure. A failed authorization obviously results to a rejection of 300 the PBU and a PBA with an appropriate error Status Value MUST be sent 301 back to the MAG. 303 The authorization step MUST be performed at least for the initial PBU 304 session up a mobility session, when the LMA-to-HAAA interface is 305 deployed. For the subsequent re-registration and handover PBUs, the 306 authorization step MAY be repeated (in this case, the LMA-to-HAAA 307 interface should also maintain an authorization session state). 309 4.2.2. Updating LMA Address to HAAA 311 In case of a dynamic LMA discovery and assignment 312 [I-D.ietf-netlmm-lma-discovery] the HAAA and the remote policy store 313 may need to be updated with the selected LMA address information. 314 The update can be done during the PBU authorization step using the 315 LMA-to-HAAA interface. This specification uses the MIP6-Agent-Info 316 AVP and its MIP-Home-Agent-Address and MIP-Home-Agent-Host sub-AVPs 317 for carrying the LMA's address information from the LMA to the HAAA. 318 The LMA address information in the request message MUST contain the 319 IP address of the LMA or the FQDN identifying uniquely the LMA, or 320 both. The LMA address information refers to PMIPv6 part of the LMA, 321 not necessarily the LMA part interfacing with the AAA infrastructure. 323 This specification does not define any HAAA initiated LMA relocation 324 functionality. Therefore, when the MIP6-Agent-Info AVP is included 325 in Diameter answer messages sent from the HAAA to the LMA, the HAAA 326 indicates this by setting the MIP-Home-Agent-Address AVP to all 327 zeroes address (e.g., 0::0) and not including the MIP-Home-Agent-Host 328 AVP. 330 4.2.3. Mobile Node Address Update and Assignment 332 The LMA and the HAAA use the MIP6-Home-Link-Prefix AVP to exchange 333 the MN-HNP when appropriate. Similarly, the LMA and the HAAA use the 334 PMIP6-IPv4-Home-Address AVP to exchange the IPv4-MN-HoA when 335 appropriate. These AVPs are encapsulated inside the MIP6-Agent-Info 336 AVP. The MN address information exchange is again done during the 337 PBU authorization step. The HAAA MAY also use the LMA provided MN 338 address information as a part of the information used to authorize 339 the PBU. 341 Which entity is actually responsible for the address management is 342 deployment specific within the PMIPv6 Domain and MUST be pre-agreed 343 on per deployment basis. When the LMA is responsible for the address 344 management, the MIP6-Agent-Info AVP is used to inform the HAAA and 345 the remote policy store of the MN-HNP/IPv4-MN-HoA assigned to the MN. 347 It is also possible that the LMA delegates the address management to 348 the HAAA. In this case, the MN-HNP/IPv4-MN-HoA are set to undefined 349 addresses (as described in Section 5.1) in the Diameter request 350 message sent from the LMA to the HAAA. The LMA expects to receive 351 the HAAA assigned HNP/IPv4-MN-HoA in the corresponding Diameter 352 answer message. 354 5. Attribute Value Pair Definitions 356 This section describes Attribute Value Pairs (AVPs) defined by this 357 specification or re-used from existing specifications in a PMIPv6 358 specific way. Derived Diameter AVP Data Formats such as Address and 359 UTF8String are defined in Section 4.3 of RFC 3588. Grouped AVP 360 values are defined in Section 4.4 of RFC 3588. 362 5.1. MIP6-Agent-Info AVP 364 The MIP6-Agent-Info grouped AVP (AVP Code 486) is defined in 365 [RFC5447]. The AVP is used to carry LMA addressing related 366 information and a MN-HNP. This specification extends the MIP6-Agent- 367 Info with the PMIP6-IPv4-Home-Address AVP using the Diameter 368 extensibility rules defined in [RFC3588]. The PMIP6-IPv4-Home- 369 Address AVP contains the IPv4-MN-HoA. 371 The extended MIP6-Agent-Info AVP results to the following grouped 372 AVP: 374 MIP6-Agent-Info ::= < AVP-Header: 486 > 375 *2[ MIP-Home-Agent-Address ] 376 [ MIP-Home-Agent-Host ] 377 [ MIP6-Home-Link-Prefix ] 378 [ PMIP6-IPv4-Home-Address ] 379 * [ AVP ] 381 If the MIP-Home-Agent-Address is set to all zeroes address (e.g., 382 0::0), the receiver of the MIP6-Agent-Info AVP MUST ignore the MIP- 383 Home-Agent-Address AVP. 385 5.2. PMIP6-IPv4-Home-Address AVP 387 The PMIP6-IPv4-Home-Address AVP (AVP Code TBD2) is of type Address 388 and contains an IPv4 address. This AVP is used to carry the IPv4-MN- 389 HoA, if available, from the HAAA to the MAG. This AVP SHOULD only be 390 present when the MN is statically provisioned with the IPv4-MN-HoA. 391 Note that proactive dynamic assignment of the IPv4-MN-HoA by the HAAA 392 may result in unnecessary reservation of IPv4 address resources, 393 because the MN may considerably delay or completely bypass its IPv4 394 address configuration. 396 The PMIP6-IPv4-Home-Address AVP is also used on the LMA-to-HAAA 397 interface. The AVP contains the IPv4-MN-HoA assigned to the MN. If 398 the LMA delegates the assignment of the IPv4-MN-HoA to the HAAA, the 399 AVP MUST contain all zeroes IPv4 address (i.e., 0.0.0.0) in the 400 request message. If the LMA delegated the IPv4-MN-HoA assignment to 401 the HAAA, then the AVP contains the HAAA assigned IPv4-MN-HoA in the 402 response message. 404 5.3. MIP6-Home-Link-Prefix AVP 406 The MIP6-Home-Link-Prefix AVP (AVP Code 125) is defined in [RFC5447]. 407 This AVP is used to carry the MN-HNP, if available, from the HAAA to 408 the MAG. The low 64 bits of the prefix MUST be all zeroes. 410 The MIP6-Home-Link-Prefix AVP is also used on the LMA-to-HAAA 411 interface. The AVP contains the prefix assigned to the MN. If the 412 LMA delegates the assignment of the MN-HNP to the HAAA, the AVP MUST 413 contain all zeroes address (i.e., 0::0) in the request message. If 414 the LMA delegated the MN-HNP assignment to the HAAA, then the AVP 415 contains the HAAA assigned MNM-HNP in the response message. 417 5.4. PMIP6-DHCP-Server-Address AVP 419 The PMIP6-DHCP-Server-Address AVP (AVP Code TBD1) is of type Address 420 and contains the IP address of the Dynamic Host Configuration 421 Protocol (DHCP) server assigned to the MAG serving the newly attached 422 MN. If the AVP contains a DHCPv4 [RFC2131] server address, then the 423 Address type MUST be IPv4. If the AVP contains a DHCPv6 [RFC3315] 424 server address, then the Address type MUST be IPv6. The HAAA MAY 425 assign a DHCP server to the MAG in deployments where the MAG acts as 426 a DHCP Relay [I-D.ietf-netlmm-pmip6-ipv4-support]. 428 5.5. MIP6-Feature-Vector AVP 430 The MIP6-Feature-Vector AVP is originally defined in [RFC5447]. This 431 document defines new capability flag bits according to the IANA rules 432 in RFC 5447. 434 PMIP6_SUPPORTED (0x0000010000000000) 436 When the MAG/NAS sets this bit in the MIP6-Feature-Vector AVP, it 437 is an indication to the HAAA that the NAS supports PMIPv6. When 438 the HAAA sets this bit in the response MIP6-Feature-Vector AVP, it 439 indicates that the HAAA also has PMIPv6 support. This capability 440 bit can also be used to allow PMIPv6 mobility support in a 441 subscription granularity. 443 IP4_HOA_SUPPORTED (0x0000020000000000) 445 Assignment of the IPv4-MN-HoA is supported. When the MAG sets 446 this bit in the MIP6-Feature-Vector AVP, it indicates that the MAG 447 implements a minimal functionality of a DHCP server (and a relay) 448 and is able to deliver IPv4-MN-HoA to the MN. When the HAAA sets 449 this bit in the response MIP6-Feature-Vector AVP, it indicates 450 that the HAAA has authorized the use of IPv4-MN-HoA for the MN. 451 If this bit is unset in the returned MIP6-Feature-Vector AVP, the 452 HAAA does not authorize the configuration of IPv4 address. 454 LOCAL_MAG_ROUTING_SUPPORTED (0x0000040000000000) 456 Direct routing of IP packets between MNs anchored to the same MAG 457 is supported. When a MAG sets this bit in the MIP6-Feature- 458 Vector, it indicates that routing IP packets between MNs anchored 459 to the same MAG is supported, without reverse tunneling packets 460 via the LMA or requiring any Route Optimization related signaling 461 (e.g. the Return Routability Procedure in [RFC3775]) prior direct 462 routing. If this bit is cleared in the returned MIP6-Feature- 463 Vector AVP, the HAAA does not authorize direct routing of packets 464 between MNs anchored to the same MAG. The MAG SHOULD support this 465 policy feature per-MN and per-subscription basis. 467 The MIP6-Feature-Vector AVP is also used on the LMA to HAAA 468 interface. Using the capability announcement AVP it is possible to 469 perform a simple capability negotiation between the LMA and the HAAA. 470 Those capabilities that are announced by both parties are also known 471 to be mutually supported. The capabilities listed in earlier are 472 also supported in the LMA to HAAA interface. The LMA to HAAA 473 interface does not define any new capability values. 475 5.6. Mobile-Node-Identifier AVP 477 The Mobile-Node-Identifier AVP (AVP Code TBD3) is of type UTF8String 478 and contains the mobile node identifier (MN-Identifier, see 479 [RFC5213]) in the NAI [RFC4282] format. This AVP is used on the MAG- 480 to-HAAA interface. The Mobile-Node-Identifier AV is designed for 481 deployments where the MAG does not have a way to find out such MN 482 identity that could be used in subsequent PBU/PBA exchanges (e.g., 483 due to identity hiding during the network access authentication) or 484 the HAAA wants to assign periodically changing identities to the MN. 486 The Mobile-Node-Identifier AVP is returned in the answer message that 487 ends a successful authentication (and possibly an authorization) 488 exchange between the MAG and the HAAA, assuming the HAAA is also able 489 to provide the MAG with the MN-Identifier in the first place. The 490 MAG MUST use the received MN-Identifier, if it has not been able to 491 get the mobile node identifier through other means. If the MAG 492 already has a valid mobile node identifier, then the MAG MUST 493 silently discard the received MN-identifier. 495 5.7. Calling-Station-Id AVP 497 The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and 498 contains a Link-Layer Identifier of the MN. This identifier 499 corresponds to the Link-Layer Identifier as defined in RFC 5213 500 Section 2.2 and 8.6. The Link-Layer Identifier is encoded in ASCII 501 format (upper case only), with octet values separated by a "-". 502 Example: "00-23-32-C9-79-38". The encoding is actually the same as 503 the MAC address encoding in Section 3.21 of RFC 3580. 505 5.8. Service-Selection AVP 507 The Service-Selection AVP (AVP Code 493) is of type UTF8String and 508 contains a LMA provided service identifier on the LMA-to-HAAA 509 interface. This AVP is re-used from [I-D.ietf-dime-mip6-split]. The 510 service identifier may be used to assist the PBU authorization and 511 the assignment of the MN-HNP and the IPv4-MN-HoA as described in RFC 512 5149 [RFC5149]. The identifier MUST be unique within the PMIPv6 513 Domain. In the absence of the Service-Selection AVP in the request 514 message, the HAAA may want to inform the LMA of the default service 515 provisioned to the MN and include the Service-Selection AVP in the 516 response message. 518 It is also possible that the MAG receives the service selection 519 information from the MN, for example, via some lower layer mechanism. 520 In this case the MAG MUST include the Service-Selection AVP also in 521 the MAG-to-HAAA request messages. In absence of the Service- 522 Selection AVP in the MAG-to-HAAA request messages, the HAAA may want 523 to inform the MAG of the default service provisioned to the MN and 524 include the Service-Selection AVP in the response message. 526 Whenever the Service-Selection AVP is included either in a request 527 message or in a response message, and the AAA interaction with HAAA 528 completes successfully, it is an indication that the HAAA also 529 authorized the MN to some service. This should be taken into account 530 when considering what to include in the Auth-Request-Type AVP. 532 The service selection concept supports signaling one service at time. 533 However, the MN policy profile MAY support multiple services being 534 used simultaneously. For this purpose, the HAAA MAY return multiple 535 LMA and service pairs (see Section 5.9) to the MAG in a response 536 message that ends a successful authentication (and possibly an 537 authorization) exchange between the MAG and the HAAA. Whenever the 538 MN initiates additional mobility session to another service (using a 539 link layer or deployment specific method), the provisioned service 540 information is already contained in the MAG. Therefore, there is no 541 need for additional AAA signaling between the MAG and the HAAA. 543 5.9. Service-Configuration AVP 545 The Service-Configuration AVP (AVP Code TBD4) is of type Grouped and 546 contains a service and a LMA pair. The HAAA can use this AVP to 547 inform the MAG of MN's subscribed services and LMAs where those 548 services are hosted in. 550 Service-Configuration ::= < AVP-Header: TBD4 > 551 [ MIP6-Agent-Info ] 552 [ Service-Selection ] 553 * [ AVP ] 555 6. Proxy Mobile IPv6 Session Management 557 Concerning a PMIPv6 mobility session, the HAAA, the MAG and the LMA 558 Diameter entities SHOULD be stateful and maintain the corresponding 559 Authorization Session State Machine defined in [RFC3588]. If a state 560 is maintained, then a PMIPv6 mobility session that can be identified 561 by any of the Binding Cache (BCE) Lookup Keys described in RFC 5213 562 (see Sections 5.4.1.1., 5.4.1.2. and 5.4.1.3.) MUST map to a single 563 Diameter Session-Id. If the PMIPv6 Domain allows further separation 564 of sessions, for example, identified by the RFC 5213 BCE Lookup Keys 565 and the service selection combination (see Section 5.8 and 566 [RFC5149]), then a single Diameter Session-Id MUST map to a PMIPv6 567 mobility session identified by the RFC 5213 BCE Lookup Keys and the 568 selected service. 570 If both the MAG-to-HAAA and the LMA-to-HAAA interfaces are deployed 571 in a PMIPv6 Domain, and a state is maintained on both interfaces, 572 then one PMIPv6 mobility session would have two distinct Diameter 573 sessions on the HAAA. The HAAA needs to be aware of this deployment 574 possibility and SHOULD allow multiple Diameter sessions for the same 575 PMIPv6 mobility session. 577 Diameter session termination related commands described in the 578 following sections may be exchanged between the LMA and the HAAA, or 579 between the MAG and the HAAA. The actual PMIPv6 session termination 580 procedures take place at PMIPv6 protocol level and are described in 581 more detail in RFC 5213 and [I-D.ietf-mext-binding-revocation]. 583 6.1. Session-Termination-Request 585 The LMA or the MAG MAY send the Session-Termination-Request (STR) 586 command [RFC3588] to inform the HAAA that the termination of an 587 ongoing PMIPv6 session is in progress. 589 6.2. Session-Termination-Answer 591 The Session-Termination-Answer (STA) [RFC3588] is sent by the HAAA to 592 acknowledge the termination of a PMIPv6 session. 594 6.3. Abort-Session-Request 596 The HAAA MAY send the Abort-Session-Request (ASR) command [RFC3588] 597 to the LMA or to the MAG and request termination of a PMIPv6 session. 599 6.4. Abort-Session-Answer 601 The Abort-Session-Answer (ASA) command [RFC3588]is sent by the LMA or 602 the MAG to acknowledge that the termination of a PMIPv6 session. 604 7. Attribute Value Pair Occurrence Tables 606 The following tables list the PMIPv6 MAG-to-HAAA interface and LMA- 607 to-HAAA interface AVPs including those that are defined in [RFC5447]. 609 The Figure 2 contains the AVPs and their occurrences on the MAG-to- 610 HAAA interface. The AVPs that are part of grouped AVP are not listed 611 in the table, rather only the grouped AVP is listed. 613 7.1. MAG-to-HAAA Interface 615 +---------------+ 616 | Command-Code | 617 |-------+-------+ 618 Attribute Name | REQ | ANS | 619 -------------------------------+-------+-------+ 620 PMIP6-DHCP-Server-Address | 0 | 0+ | 621 MIP6-Agent-Info | 0+ | 0+ | 622 MIP6-Feature-Vector | 0-1 | 0-1 | 623 Mobile-Node-Identifier | 0-1 | 0-1 | 624 Calling-Station-Id | 0-1 | 0 | 625 Service-Selection | 0-1 | 0 | 626 Service-Configuration | 0 | 0+ | 627 +-------+-------+ 629 Figure 2: MAG-to-HAAA Interface Generic Diameter Request and Answer 630 Commands AVPs 632 7.2. LMA-to-HAAA Interface 634 +---------------+ 635 | Command-Code | 636 |-------+-------+ 637 Attribute Name | REQ | ANS | 638 -------------------------------+-------+-------+ 639 MIP6-Agent-Info | 0-1 | 0-1 | 640 MIP6-Feature-Vector | 0-1 | 0-1 | 641 Calling-Station-Id | 0-1 | 0 | 642 Service-Selection | 0-1 | 0-1 | 643 User-Name | 0-1 | 0-1 | 644 +-------+-------+ 646 Figure 3: LMA-to-HAAA Interface Generic Diameter Request and Answer 647 Commands AVPs 649 8. Example Signaling Flows 651 Figure 4 shows a signaling flow example during PMIPv6 bootstrapping 652 using the AAA interactions defined in this specification. In step 653 (1) of this example, the MN is authenticated to PMIPv6 Domain using 654 EAP-based authentication. The MAG to the HAAA signaling uses the 655 Diameter EAP Application. During step (2), the LMA uses Diameter 656 NASREQ application to authorize the MN with the HAAA server. 658 The MAG-to-HAAA AVPs, as listed in Section 7.1 are used during step 659 (1). These AVPs are included only in the Diameter EAP Request (DER) 660 message which starts the EAP exchange and in the corresponding 661 Diameter EAP Answer (DEA) message which successfully completes this 662 EAP exchange. The LMA-to-HAAA AVPs, as listed in Section 7.2, are 663 used during step (2). Step (2) is used to authorize the MN request 664 for the mobility service and update the HAAA server with the assigned 665 LMA information. In addition, this step may be used to dynamically 666 assist in the assignment of the MN-HNP. 668 MN MAG/NAS LMA HAAA 669 | | | | 670 | L2 attach | | | 671 |-------------------->| | | 672 | EAP/req-identity | | | 673 |<--------------------| | | 674 | EAP/res-identity | DER + MAG-to-HAAA AVPs | s 675 |-------------------->|---------------------------------------->| t 676 | EAP/req #1 | DEA (EAP request #1) | e 677 |<--------------------|<----------------------------------------| p 678 | EAP/res #2 | DER (EAP response #2) | 679 |-------------------->|---------------------------------------->| 1 680 : : : : 681 : : : : 682 | EAP/res #N | DER (EAP response #N) | 683 |-------------------->|---------------------------------------->| 684 | EAP/success | DEA (EAP success) + MAG-to-HAAA AVPs | 685 |<--------------------|<----------------------------------------| 686 : : : : 687 : : : : 688 | | PMIPv6 PBU | AAR + | s 689 | |------------------->| LMA-to-HAAA AVPs | t 690 | | |------------------->| e 691 | | | AAA + | p 692 | | | LMA-to-HAAA AVPs | 693 | | PMIPv6 PBA |<-------------------| 2 694 | RA |<-------------------| | 695 |<--------------------| | | 696 : : : : 697 : : : : 698 | IP connectivity | PMIPv6 tunnel up | | 699 |---------------------|====================| | 700 | | | | 702 Figure 4: MAG and LMA Signaling Interaction with AAA server during 703 PMIPv6 bootstrapping 705 9. IANA Considerations 707 9.1. Attribute Value Pair Codes 709 This specification defines the following new AVPs: 711 PMIP6-DHCP-Server-Address is set to TBD1 712 PMIP6-IPv4-Home-Address is set to TBD2 713 Mobile-Node-Identifier is set to TBD3 714 Service-Configuration is set to TBD4 716 9.2. Namespaces 718 This specification defines new values to the Mobility Capability 719 registry (see [RFC5447]) for use with the MIP6-Feature-Vector AVP: 721 Token | Value | Description 722 ---------------------------------+----------------------+------------ 723 PMIP6_SUPPORTED | 0x0000010000000000 | [RFC TBD] 724 IP4_HOA_SUPPORTED | 0x0000020000000000 | [RFC TBD] 725 LOCAL_MAG_ROUTING_SUPPORTED | 0x0000040000000000 | [RFC TBD] 727 10. Security Considerations 729 The security considerations of the Diameter Base protocol [RFC3588], 730 Diameter EAP application [RFC4072], Diameter NASREQ application 731 [RFC4005] and Diameter Mobile IPv6 integrated scenario bootstrapping 732 [RFC5447] are applicable to this document. 734 In general, the Diameter messages may be transported between the LMA 735 and the Diameter server via one or more AAA brokers or Diameter 736 agents. In this case the LMA to the Diameter server AAA 737 communication rely on the security properties of the intermediate AAA 738 brokers and Diameter agents (such as proxies). 740 11. Acknowledgements 742 Jouni Korhonen would like to thank the TEKES GIGA program MERCoNe- 743 project for providing funding to work on this document while he was 744 with TeliaSonera. The authors also thank Pasi Eronen, Peter McCann, 745 Spencer Dawkins and Marco Liebsch for their detailed reviews on this 746 document. 748 12. References 750 12.1. Normative References 752 [I-D.ietf-dime-mip6-split] 753 Korhonen, J., Tschofenig, H., Bournelle, J., Giaretta, G., 754 and M. Nakhjiri, "Diameter Mobile IPv6: Support for Home 755 Agent to Diameter Server Interaction", 756 draft-ietf-dime-mip6-split-17 (work in progress), 757 April 2009. 759 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 760 Requirement Levels", BCP 14, RFC 2119, March 1997. 762 [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. 763 Arkko, "Diameter Base Protocol", RFC 3588, September 2003. 765 [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, 766 "Diameter Network Access Server Application", RFC 4005, 767 August 2005. 769 [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible 770 Authentication Protocol (EAP) Application", RFC 4072, 771 August 2005. 773 [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The 774 Network Access Identifier", RFC 4282, December 2005. 776 [RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., 777 and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008. 779 [RFC5447] Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., 780 and K. Chowdhury, "Diameter Mobile IPv6: Support for 781 Network Access Server to Diameter Server Interaction", 782 RFC 5447, February 2009. 784 12.2. Informative References 786 [I-D.ietf-mext-binding-revocation] 787 Muhanna, A., Khalil, M., Gundavelli, S., Chowdhury, K., 788 and P. Yegani, "Binding Revocation for IPv6 Mobility", 789 draft-ietf-mext-binding-revocation-12 (work in progress), 790 September 2009. 792 [I-D.ietf-netlmm-lma-discovery] 793 Korhonen, J. and V. Devarapalli, "LMA Discovery for Proxy 794 Mobile IPv6", draft-ietf-netlmm-lma-discovery-02 (work in 795 progress), September 2009. 797 [I-D.ietf-netlmm-pmip6-ipv4-support] 798 Wakikawa, R. and S. Gundavelli, "IPv4 Support for Proxy 799 Mobile IPv6", draft-ietf-netlmm-pmip6-ipv4-support-17 800 (work in progress), September 2009. 802 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 803 RFC 2131, March 1997. 805 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 806 and M. Carney, "Dynamic Host Configuration Protocol for 807 IPv6 (DHCPv6)", RFC 3315, July 2003. 809 [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. 811 Levkowetz, "Extensible Authentication Protocol (EAP)", 812 RFC 3748, June 2004. 814 [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support 815 in IPv6", RFC 3775, June 2004. 817 [RFC4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. 818 Chowdhury, "Mobile Node Identifier Option for Mobile IPv6 819 (MIPv6)", RFC 4283, November 2005. 821 [RFC5149] Korhonen, J., Nilsson, U., and V. Devarapalli, "Service 822 Selection for Mobile IPv6", RFC 5149, February 2008. 824 Authors' Addresses 826 Jouni Korhonen (editor) 827 Nokia Siemens Network 828 Linnoitustie 6 829 Espoo FI-02600 830 Finland 832 Email: jouni.nospam@gmail.com 834 Julien Bournelle 835 Orange Labs 836 38-4O rue du general Leclerc 837 Issy-Les-Moulineaux 92794 838 France 840 Email: julien.bournelle@orange-ftgroup.com 842 Kuntal Chowdhury 843 Starent Networks 844 30 International Place 845 Tewksbury MA 01876 846 USA 848 Email: kchowdhury@starentnetworks.com 849 Ahmad Muhanna 850 Nortel 851 2221 Lakeside Blvd. 852 Richardson, TX 75082 853 USA 855 Email: amuhanna@nortel.com 857 Ulrike Meyer 858 RWTH Aachen 860 Email: meyer@umic.rwth-aachen.de