idnits 2.17.1

draft-ietf-netext-radius-pmip6-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------

     No issues found here.

  Checking nits according to
  https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line
     does not match the current year

  -- The document date (August 17, 2011) is 4629 days in the past.  Is
     this intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative
     references to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 4282 (Obsoleted by RFC 7542)

  ** Obsolete normative reference: RFC 3588 (Obsoleted by RFC 6733)

     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information
     about the items above.

------------------------------------------------------------------------

netext                                                            F. Xia
Internet-Draft                                               B. Sarikaya
Intended status: Standards Track                              Huawei USA
Expires: February 18, 2012                                   J. Korhonen
                                                  Nokia Siemens Networks
                                                           S. Gundavelli
                                                                   Cisco
                                                                D. Damic
                                                                 Siemens
                                                         August 17, 2011

                  RADIUS Support for Proxy Mobile IPv6
                   draft-ietf-netext-radius-pmip6-04

Abstract

   This document defines new attributes to facilitate Proxy Mobile IPv6
   operations using the RADIUS infrastructure.
   The RADIUS interactions between the mobile access gateway and the
   RADIUS-based AAA server take place when the Mobile Node attaches,
   authenticates and authorizes to a Proxy Mobile IPv6 domain.
   Furthermore, this document defines the RADIUS-based interface between
   the local mobility anchor and the AAA RADIUS server for authorizing
   received Proxy Binding Update messages for the mobile node's mobility
   session.  In addition to the mobility session setup related
   interactions, this document defines the baseline for the mobile
   access gateway and the local mobility anchor generated accounting.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 18, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Solution Overview
   4.  Attribute definitions
     4.1.  MIP6-Feature-Vector
     4.2.  Mobile-Node-Identifier
     4.3.  Service-Selection
     4.4.  PMIP6-Home-LMA-IPv6-Address
     4.5.  PMIP6-Visited-LMA-IPv6-Address
     4.6.  PMIP6-Home-LMA-IPv4-Address
     4.7.  PMIP6-Visited-LMA-IPv4-Address
     4.8.  PMIP6-Home-HN-Prefix
     4.9.  PMIP6-Visited-HN-Prefix
     4.10. PMIP6-Home-Interface-ID
     4.11. PMIP6-Visited-Interface-ID
     4.12. PMIP6-Home-IPv4-HoA
     4.13. PMIP6-Visited-IPv4-HoA
     4.14. PMIP6-Home-DHCP4-Server-Address
     4.15. PMIP6-Visited-DHCP4-Server-Address
     4.16. PMIP6-Home-DHCP6-Server-Address
     4.17. PMIP6-Visited-DHCP6-Server-Address
     4.18. Calling-Station-Id
     4.19. Chargeable-User-Identity
   5.  MAG to RADIUS AAA interface
     5.1.  Interface operations
     5.2.  Table of Attributes
   6.  LMA to RADIUS AAA interface
     6.1.  Interface operations
     6.2.  Table of Attributes
   7.  Accounting
     7.1.  Accounting at LMA
     7.2.  Accounting at MAG
     7.3.  Table of Attributes
   8.  Security Considerations
   9.  IANA consideration
     9.1.  Attribute Type Codes
     9.2.  Namespaces
   10. Acknowledgements
   11. References
     11.1. Normative References
     11.2. Informative references
   Authors' Addresses

1.  Introduction

   Proxy Mobile IPv6 (PMIPv6) [RFC5213] is a network-based mobility
   management protocol which allows IP mobility support for a mobile
   node without requiring the mobile node's participation in any
   mobility-related signaling.  The mobile management elements in the
   network, the mobile access gateway (MAG) and the local mobility
   anchor (LMA) are the two key functions in this network-based mobility
   system.  The mobile access gateway is responsible for detecting the
   mobile node's movements in the network and for initiating the needed
   mobility management signaling with the local mobility anchor (LMA).
   Both the mobility management agents make use of the AAA
   infrastructure to retrieve the mobile node's Policy Profile and for
   performing service authorization.

   This document defines a RADIUS-based [RFC2865] profile and
   corresponding attributes to be used on the AAA interface between the
   MAG and the AAA RADIUS server.  This interface is used to carry the
   per-MN Policy Profile from the remote Policy Store to the MAG.
   Furthermore, this document also defines a RADIUS-based interface
   between the LMA and the AAA RADIUS server for authorization of the
   received Proxy Mobile IPv6 signaling messages.  The AAA procedures
   defined in this document cover the following two scenarios:

   o  a mobile node connects to the Proxy Mobile IPv6 domain from the
      home network

   o  a mobile node connects to the Proxy Mobile IPv6 domain from a
      visitor network

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   All the mobility related terms used in this document are to be
   interpreted as defined in the Proxy Mobile IPv6 specification
   [RFC5213] and [RFC5844].  Additionally, this document uses the
   following abbreviations:

   Network Access Server (NAS):

      A function that provides authorization services for a device/user
      access to the network as defined in [RFC2865].  In the context of
      this document, the NAS function is logically coupled with the MAG.
      In deployments where the NAS function and the MAG functions are
      decoupled, the specific interactions needed for that to work are
      outside the scope of this document.

   Home AAA (HAAA):

      An Authentication, Authorization, and Accounting (AAA) server
      located in MN's home network.  This server has access to mobile
      node's policy profiles.

   Visited AAA (VAAA):

      An Authentication, Authorization, and Accounting (AAA) server
      located in MN's visited network.  The VAAA server takes the role
      of a proxy-server, forwarding the received AAA service request to
      the HAAA server in the mobile node's home network and relaying the
      response to the requesting node, after applying any local access
      network policies.

3.  Solution Overview

   This document defines the RADIUS-based AAA interactions with the two
   mobility management elements in the Proxy Mobile IPv6 domain.

   o  Interactions between a MAG and a RADIUS-based AAA Server
   o  Interactions between a LMA and a RADIUS-based AAA Server

   The mobile node's Policy Profile [RFC5213] is present in a policy
   store and is needed by the PMIPv6 mobility management elements for
   authorizing the mobile node for mobility management service and for
   obtaining various service related parameters.  This policy store
   could be locally collocated with the mobility management agents
   enabling direct local access, or could be available from an AAA
   server through a RADIUS-based AAA interface.

   Any time a mobile node attaches to an access network, the NAS on that
   access network may activate the network access authentication
   procedure.  The choice of the authentication mechanism is specific to
   the access network deployment, however it is typically based on the
   Extensible Authentication Protocol (EAP) [RFC3748].  The NAS performs
   the network access authentication and queries the HAAA using AAA
   protocol, such as RADIUS.  If the network access authentication
   succeeds, the MN is identified and its Policy Profile is obtained as
   part of the RADIUS message exchange with the AAA server.

   The mobile node may be an IPv4-only node, IPv6-only node, or a
   dual-stack (IPv4/v6) node.  Based on the policy specified in the
   Policy Profile, the network access authentication procedure SHALL
   provide the unambiguous indication of the type of address(es) to be
   assigned for the MN in the network and with all other service related
   and policy parameters relevant to the mobility service.

   After the successful network access authentication and after
   obtaining the mobile node's Policy Profile, the MAG sends a PBU to
   the LMA.  Upon receiving the PBU, the LMA interacts with the HAAA for
   obtaining the mobile node's Policy Profile, needed for authorizing
   and setting up the mobility service.

   This document adds support for three distinct PMIPv6 mobility use
   cases, taking into account the administrative domains to which the
   MAG and the LMA belong.  Following are the three relevant deployment
   models.

   1.  the MAG and LMA are both in the home network,
   2.  the MAG and LMA are both in the visited network
   3.  the MAG is in the visited network while the LMA is in the home
       network.

   Figure 1 shows participating network entities for the PMIPv6 mobility
   session which is located in the home network.  The MAG and LMA
   interact only with the HAAA.

            +--------+
            | HAAA & |  RADIUS  +-----+
            | Policy |<-------->| LMA |
            | Profile|          +-----+
            +--------+             | <--- LMA-Address
                ^                  |
                |               // \\
            +---|------------- //---\\----------------+
           (    |  IPv4/IPv6  //     \\                )
           (    |   Network  //       \\               )
            +---|-----------//---------\\-------------+
                |          //           \\
            RADIUS        // <- Tunnel1  \\ <- Tunnel2
                |        //               \\
                |        |- MAG1-Address   |- MAG2-Address
                |     +----+             +----+
                +---->|MAG1|             |MAG2|
                      +----+             +----+
                        |                  |
                        |                  |
                       MN1                MN2

        Figure 1: The MAG and LMA are both in the home network

   Figure 2 shows both the LMA and MAG are in the visited network.  The
   MAG and LMA exchange signaling with the HAAA through the VAAA which
   acts as a Proxy.
   The visited network may append additional information to the HAAA
   replies in order to reflect the local policy.

                           +---------------+
                           |    HAAA &     |
                +----------| Policy Profile|
                |          +---------------+
                |
            +--------+
            | VAAA & |  RADIUS  +-----+
            | Policy |<-------->| LMA |
            | Profile|          +-----+
            +--------+             | <--- LMA-Address
                ^               // \\
            +---|------------- //---\\----------------+
           (    |  IPv4/IPv6  //     \\                )
           (    |   Network  //       \\               )
            +---|-----------//---------\\-------------+
                |          //           \\
            RADIUS        // <- Tunnel1  \\ <- Tunnel2
                |        //               \\
                |        |- MAG1-Address   |- MAG2-Address
                |     +----+             +----+
                +---->|MAG1|             |MAG2|
                      +----+             +----+
                        |                  |
                       MN1                MN2

       Figure 2: The MAG and LMA are both in the visited network

   Figure 3 illustrates the topology where the MAG resides in the
   visited network while the associated LMA is in MN's home network.
   Any message between the MAG and the HAAA passes through the VAAA that
   acts as a Proxy.  During the network authentication, the visited
   network's specific policy may also be propagated from the VAAA to the
   MAG.  The LMA has a direct access to the HAAA.

                           +---------------+
                           |    HAAA &     |
                +----------| Policy Profile|
                |          +---------------+
                |                  |
                |                RADIUS
            +--------+             |
            | VAAA & |          +-----+
            | Policy |          | LMA |
            | Profile|          +-----+
            +--------+             | <--- LMA-Address
                ^               // \\
            +---|------------- //---\\----------------+
           (    |  IPv4/IPv6  //     \\                )
           (    |   Network  //       \\               )
            +---|-----------//---------\\-------------+
                |          //           \\
            RADIUS        // <- Tunnel1  \\ <- Tunnel2
                |        //               \\
                |        |- MAG1-Address   |- MAG2-Address
                |     +----+             +----+
                +---->|MAG1|             |MAG2|
                      +----+             +----+
                        |                  |
                       MN1                MN2

              Figure 3: Visited MAG and home LMA topology

4.  Attribute definitions

4.1.  MIP6-Feature-Vector

   Diameter [RFC3588] reserves AVP Code space 1-255 as RADIUS attribute
   compatibility space.
   The MIP6-Feature-Vector AVP (AVP Code 124) defined in [RFC5447] is of
   type OctetString and contains a 64-bit flags field of supported
   mobility capabilities.  This document reserves a new capability bit
   according to the rules in [RFC5447], and reuses the PMIPv6 capability
   bits defined by [RFC5779].  The following capability flag bits are
   used or defined in this document:

   PMIP6_SUPPORTED (0x0000010000000000)

      This capability bit is used as defined in [RFC5779].

   IP4_HOA_SUPPORTED (0x0000020000000000)

      This capability bit is used as defined in [RFC5779].  Assignment
      of the IPv4-HoA is defined by [RFC5844].

   LOCAL_MAG_ROUTING_SUPPORTED (0x0000040000000000)

      This capability bit is used as defined in [RFC5779].

   IP4_TRANSPORT_SUPPORTED (0x0000080000000000)

      This capability bit is used for negotiation of the IPv4 transport
      support between the MAG and AAA.  When the MAG sets this flag bit
      in the MIP6-Feature-Vector, it indicates ability of the MAG to
      provide IPv4 transport (i.e., IPv4-based encapsulation) for
      carrying IP traffic between the MAG and the LMA.  If this flag bit
      is unset in the returned MIP6-Feature-Vector AVP, the AAA does not
      authorize the use of IPv4 transport on the MAG-to-LMA tunnel.

   IP4_HOA_ONLY_SUPPORTED (0x0000100000000000)

      This capability bit is used for determination of the authorized
      PMIPv6 mobility mode.  When this bit is set by the AAA it
      indicates PMIPv6 mobility with IPv4 support has only been
      authorized for the MN.  As a result, the RADIUS Access-Accept
      SHOULD NOT carry the IPv6 HNP.  When this bit is set the
      PMIP6_SUPPORTED flag MUST also be set, and the IP4_HOA_SUPPORTED
      flag MUST NOT be set.

   The MIP6-Feature-Vector attribute is also used on the LMA to the
   RADIUS AAA interface.  This capability announcement attribute enables
   direct capability negotiation between the LMA and the AAA.
   The capabilities that are announced by both parties in the
   MIP6-Feature-Vector are known to be mutually supported.  The LMA may
   use this mechanism during authorization of the received PBU against
   the AAA to check individual PMIPv6 feature permissions for a
   particular MN.

4.2.  Mobile-Node-Identifier

   The Mobile-Node-Identifier attribute (AVP Code TBD) is of type String
   and contains the mobile node identifier (MN-Identifier, see
   [RFC5213]) in the form of a NAI [RFC4282].  This identifier and the
   identifier used for access authentication may be different; however,
   there needs to be a mapping between the two identities as specified
   in Section 6.6 of [RFC5213].  This AVP is used on the interface
   between MAG and the AAA server.  The Mobile-Node-Identifier attribute
   is designed for deployments where the identity used during Network
   Access Authentication and the identity used for mobility management
   are decoupled.  It may also be the case where the MAG does not have
   means to find out the MN identity that could be used in subsequent
   PBU/PBA exchanges (e.g., due to identity hiding during the network
   access authentication) or when the HAAA wants to assign periodically
   changing identities to the MN.

   The Mobile-Node-Identifier attribute MAY be returned by HAAA in the
   RADIUS Access-Accept message that completes a successful
   authentication and authorization exchange between the MAG and the
   HAAA.  If the MAG has not acquired a valid MN-Identifier by other
   means, it MUST use the received MN-Identifier.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Mobile Node Identifier...   ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      Mobile-Node-Identifier to be defined by IANA.

   Length:
      >= 3 octets

   Mobile Node Identifier:
      This field is of type String and contains the MN-ID
      of the MN to be used in the PBU/PBA exchange.

4.3.  Service-Selection

   The Service-Selection attribute (AVP Code TBD) contains the name of
   the service or the external network that the mobility service for the
   particular MN SHOULD be associated with [RFC5149].  The identifier
   MUST be unique within the PMIPv6 Domain.

   The MAG MUST include the Service-Selection attribute in the
   Access-Request sent to the AAA if the information was acquired.  The
   AAA MAY return the Service-Selection to the MAG even if it was not
   included in the Access-Request as a means to indicate MN's default
   service to the MAG.

   On the LMA-to-AAA interface, the LMA MAY populate the
   Service-Selection attribute in the Access-Request message using the
   service information found in the received PBU, if such mobility
   option was included.  The Service-Selection identifier should be used
   to assist the PBU authorization, the assignment of the MN-HNP and the
   IPv4-MN-HoA as described in [RFC5149] and [RFC5779].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Service Identifier...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      Service-Selection to be defined by IANA.

   Length:
      >= 3 octets

   Text:
      This field is of type UTF8String and contains the Service
      Identifier the MN is associated with.

4.4.  PMIP6-Home-LMA-IPv6-Address

   This attribute (AVP Code TBD) is used to deliver the IPv6 address of
   the LMA located in the Home network.
   Before the MAG can engage in Proxy Mobile IPv6 signaling it must be
   aware of the LMA's IP address.

   When the LMA is assigned to the MN from the home network, this
   attribute MAY be sent by the HAAA to the MAG in the RADIUS
   Access-Accept message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Home LMA IPv6 address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               .                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               .                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               .                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Home LMA IPv6 address      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-LMA-IPv6-Address to be defined by IANA.

   Length:
      = 18 octets

   Home LMA IPv6 address:
      128-bit IPv6 address of the assigned home LMA IPv6 address.

4.5.  PMIP6-Visited-LMA-IPv6-Address

   This attribute (AVP Code TBD) is used to propose a particular LMA in
   the Visited network, and to authorize the use of the LMA in the
   Visited network.

   PMIP6-Visited-LMA-IPv6-Address attribute MAY be included by the MAG
   to VAAA in the RADIUS Access-Request packet as a proposal to allocate
   the particular LMA to the MN.  The LMA in the visited network may be
   assigned by the visited AAA as the result of retrieved Policy
   Profile.  If included by VAAA in the RADIUS Access-Accept sent to the
   MAG, the use of the LMA in the visited network is authorized and the
   attribute SHALL carry the IPv6 address of the visited LMA assigned
   for the particular MN.

   The AVP SHOULD NOT be included if the use of LMA in the Home Network
   is authorized (AVP PMIP6-Home-LMA-IPv6-Address already present).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    Visited LMA IPv6 address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               .                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               .                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               .                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Visited LMA IPv6 address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-LMA-IPv6-Address to be defined by IANA.

   Length:
      = 18 octets

   Visited LMA IPv6 address:
      128-bit IPv6 address of the assigned visited LMA IPv6 address.

4.6.  PMIP6-Home-LMA-IPv4-Address

   The PMIP6-Home-LMA-IPv4-Address attribute (AVP Code TBD) contains the
   IPv4 address of the LMA assigned by the HAAA.  [RFC5844] supports
   Proxy Mobile IPv6 signaling exchange between MAG and LMA using the
   IPv4 transport.

   When the LMA is located in the home network, this attribute MAY be
   sent by the HAAA to the MAG in the RADIUS Access-Accept message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Home LMA IPv4 address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Home LMA IPv4 address      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-LMA-IPv4-Address to be defined by IANA.

   Length:
      = 6 octets

   Home LMA IPv4 address:
      32-bit IPv4 address of the assigned LMA.

4.7.  PMIP6-Visited-LMA-IPv4-Address

   This attribute (AVP Code TBD) is used to propose a particular LMA in
   the Visited network, and to authorize the use of the LMA in the
   Visited network.

   PMIP6-Visited-LMA-IPv4-Address attribute MAY be included by the MAG
   to VAAA in the RADIUS Access-Request packet as a proposal to allocate
   the particular LMA to the MN.  The LMA in the visited network may be
   assigned by the visited AAA as the result of retrieved Policy
   Profile.  If included by VAAA in the RADIUS Access-Accept sent to the
   MAG, the use of the LMA in the visited network is authorized and the
   attribute SHALL carry the IPv4 address of the assigned visited LMA.

   The AVP SHOULD NOT be included if the use of LMA in the Home Network
   is authorized (AVP PMIP6-Home-LMA-IPv4-Address already present).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    Visited LMA IPv4 address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Visited LMA IPv4 address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-LMA-IPv4-Address to be defined by IANA.

   Length:
      = 6 octets

   IPv4 LMA address:
      32-bit IPv4 address of the assigned LMA.

4.8.  PMIP6-Home-HN-Prefix

   Mobile Node's Home Network Prefix (MN-HNP) is the IPv6 prefix (i.e.,
   the high 64 bits) assigned to the link between the MN and the MAG.
   The MN configures its IP interface from its home network prefix(es).
   When the LMA is located in the home network, PMIP6-Home-HN-Prefix
   attribute (AVP Code TBD) is used to deliver the MN-HNP from the HAAA
   to the MAG.

   The PMIP6-Home-HN-Prefix attribute is also used on the LMA-to-HAAA
   interface containing the prefix assigned to the MN.  If the LMA
   delegates the MN-HNP assignment to the HAAA, the attribute MUST
   contain all zeroes address (i.e., 0::0) in the Access-Request
   message.  The attribute MUST be present in RADIUS Access-Accept if
   the prior request already included one, and SHOULD carry the MN-HNP
   the HAAA assigned to the MN.
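
   The MIP6-Feature-Vector rules of Section 4.1, the home/visited LMA
   rule of Section 4.5 and the PMIP6-Home-HN-Prefix layout of this
   section, combined into a MAG-side check of an Access-Accept.  This is
   an added example, not part of the draft; the type codes 192-194 stand
   in for the draft's "TBD" codes, and the function names and sample
   attribute blocks are constructed for illustration.

```python
import ipaddress
import struct

# MIP6-Feature-Vector capability bits, as listed in Section 4.1.
PMIP6_SUPPORTED = 0x0000010000000000
IP4_HOA_SUPPORTED = 0x0000020000000000
IP4_TRANSPORT_SUPPORTED = 0x0000080000000000
IP4_HOA_ONLY_SUPPORTED = 0x0000100000000000

T_FEATURE_VECTOR = 124  # code given in Section 4.1
# The draft leaves the next three codes "TBD". These are PLACEHOLDERS taken
# from the RADIUS experimental range (192-223), not IANA assignments.
T_HOME_LMA6, T_VISITED_LMA6, T_HOME_HNP = 192, 193, 194

# Value sizes in octets (the attribute Length minus the 2 header octets).
VALUE_LEN = {T_FEATURE_VECTOR: 8, T_HOME_LMA6: 16,
             T_VISITED_LMA6: 16, T_HOME_HNP: 10}


def parse_attributes(buf):
    """Split a RADIUS attribute block into (type, value) pairs, bounds-checked."""
    attrs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("truncated attribute header")
        typ, length = buf[off], buf[off + 1]
        # Length counts the Type and Length octets; all attributes here are >= 3.
        if length < 3 or off + length > len(buf):
            raise ValueError(f"attribute {typ}: bad Length {length}")
        attrs.append((typ, bytes(buf[off + 2:off + length])))
        off += length
    return attrs


def decode_accept(buf):
    """Decode the PMIPv6 attributes handled here; other types are skipped."""
    out = {}
    for typ, val in parse_attributes(buf):
        if typ not in VALUE_LEN:
            continue
        if len(val) != VALUE_LEN[typ]:
            raise ValueError(f"attribute {typ}: Length {len(val) + 2} not allowed")
        if typ == T_FEATURE_VECTOR:
            out["fv"] = struct.unpack("!Q", val)[0]
        elif typ == T_HOME_LMA6:
            out["home_lma6"] = ipaddress.IPv6Address(val)
        elif typ == T_VISITED_LMA6:
            out["visited_lma6"] = ipaddress.IPv6Address(val)
        else:
            prefix_len = val[1]  # val[0] is Reserved: ignored by the receiver
            if prefix_len > 64:
                raise ValueError("Prefix-Length does not fit the 8-octet prefix")
            out["home_hnp"] = ipaddress.IPv6Network(
                (val[2:] + bytes(8), prefix_len), strict=False)
    return out


def check_accept(announced_fv, acc):
    """Return (mutually supported bits, findings) for a decoded Access-Accept."""
    findings = []
    fv = acc.get("fv", 0)
    if fv & IP4_HOA_ONLY_SUPPORTED:
        if not fv & PMIP6_SUPPORTED:
            findings.append("MUST: IP4_HOA_ONLY_SUPPORTED without PMIP6_SUPPORTED")
        if fv & IP4_HOA_SUPPORTED:
            findings.append("MUST NOT: IP4_HOA_SUPPORTED with IP4_HOA_ONLY_SUPPORTED")
        if "home_hnp" in acc:
            findings.append("SHOULD NOT: IPv6 HNP carried with IP4_HOA_ONLY_SUPPORTED")
    if announced_fv & IP4_TRANSPORT_SUPPORTED and not fv & IP4_TRANSPORT_SUPPORTED:
        findings.append("INFO: IPv4 transport on the MAG-to-LMA tunnel is not authorized")
    if "home_lma6" in acc and "visited_lma6" in acc:
        findings.append("SHOULD NOT: visited LMA present with home LMA authorized")
    # Bits announced by both parties are the mutually supported capabilities.
    return announced_fv & fv, findings


def tlv(typ, value):
    """Encode one attribute: Type, Length (header included), value."""
    return bytes([typ, len(value) + 2]) + value


# Constructed sample attribute blocks (documentation prefix 2001:db8::/32).
HNP_VALUE = bytes([0, 64]) + bytes.fromhex("20010db800010002")
GOOD_ACCEPT = (
    tlv(T_FEATURE_VECTOR, struct.pack("!Q", PMIP6_SUPPORTED | IP4_HOA_SUPPORTED))
    + tlv(T_HOME_LMA6, ipaddress.IPv6Address("2001:db8::1").packed)
    + tlv(T_HOME_HNP, HNP_VALUE))
BAD_ACCEPT = (
    tlv(T_FEATURE_VECTOR, struct.pack(
        "!Q", PMIP6_SUPPORTED | IP4_HOA_SUPPORTED | IP4_HOA_ONLY_SUPPORTED))
    + tlv(T_HOME_LMA6, ipaddress.IPv6Address("2001:db8::1").packed)
    + tlv(T_VISITED_LMA6, ipaddress.IPv6Address("2001:db8:ffff::1").packed)
    + tlv(T_HOME_HNP, HNP_VALUE))

if __name__ == "__main__":
    announced = PMIP6_SUPPORTED | IP4_HOA_SUPPORTED | IP4_TRANSPORT_SUPPORTED
    for name, block in (("good", GOOD_ACCEPT), ("bad", BAD_ACCEPT)):
        mutual, findings = check_accept(announced, decode_accept(block))
        print(name, hex(mutual), findings)
```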

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Reserved    | Prefix-Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Home MN-HNP
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Home MN-HNP                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-HN-Prefix to be defined by IANA.

   Length:
      = 12 octets.

   Reserved:
      Reserved for future use.  The bits MUST be set to zero by the
      sender, and MUST be ignored by the receiver.

   Prefix-Length:
      This field indicates the prefix length of the Home Network
      Prefix (maximum 8 octets).

   Home Network Prefix:
      Home Network Prefix for the MN's IPv6 address configuration.

4.9.  PMIP6-Visited-HN-Prefix

   When the LMA is assigned from the visited network,
   PMIP6-Visited-HN-Prefix attribute (AVP Code TBD) is used to deliver
   the concerning MN-HNP from the VAAA to the MAG.

   The PMIP6-Visited-HN-Prefix attribute is also used on the LMA to VAAA
   interface containing the IPv6 prefix assigned to the MN.  If the LMA
   delegates the assignment of the MN-HNP to the VAAA, the AVP MUST
   contain all zeroes address (i.e., 0::0) in the RADIUS Access-Request.
   The attribute MUST be present in Access-Accept if the prior request
   already included one, and SHOULD carry the MN-HNP the VAAA assigned
   to the MN.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Reserved    | Prefix-Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Visited MN-HNP
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Visited MN-HNP                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-HN-Prefix to be defined by IANA.

   Length:
      = 12 octets.

   Reserved:
      Reserved for future use.  The bits MUST be set to zero by the
      sender, and MUST be ignored by the receiver.

   Prefix-Length:
      This field indicates the prefix length of the Visited MN-HNP
      (maximum 8 octets).

   Visited Home Network Prefix:
      Home Network Prefix for the MN's IPv6 address configuration.

4.10.  PMIP6-Home-Interface-ID

   For Proxy Mobile IPv6 the Home Network Prefixes assigned to the
   mobile node have to be maintained on a per-interface basis.  When the
   LMA is located in the home network, PMIP6-Home-Interface-ID attribute
   conveys 64 bits interface identifier representing a particular MN's
   interface.  The attribute is assigned by the HAAA to the MAG for
   derivation of the MN-HoA.

   This attribute MAY be sent by the LMA or the MAG to the HAAA in the
   RADIUS Access-Request packet as a proposal.  This attribute MAY be
   sent by HAAA to the LMA in an Access-Accept packet, however it MUST
   be present if the prior request already included one.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Home Interface Identifier
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                       Home Interface Identifier
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Home Interface Identifier    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-Interface-ID to be defined by IANA.

   Length:
      = 10 octets.

   Home Interface Identifier:
      The home interface identifier field is 8 octets.

4.11.  PMIP6-Visited-Interface-ID

   For Proxy Mobile IPv6 the visited Home Network Prefixes assigned to
   the mobile node have to be maintained on a per-interface basis.  When
   the LMA is located in the visited network, the attribute conveys 64
   bits interface identifier representing a particular MN's interface.
   The attribute is assigned by the VAAA to MAG for the derivation of
   MN-HoA.

   This attribute MAY be sent by the LMA or the MAG to the VAAA in an
   Access-Request packet as a proposal.  This attribute MAY be sent by
   HAAA to the LMA in an Access-Accept packet, however it MUST be
   present if the prior request already included one.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Visited Interface Identifier
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      Visited Interface Identifier
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Visited Interface Identifier  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-Interface-ID to be defined by IANA.

   Length:
      = 10 octets.

   Visited Interface Identifier:
      The visited interface identifier field is 8 octets.

4.12.  PMIP6-Home-IPv4-HoA

   [RFC5844] specifies extensions to Proxy Mobile IPv6 protocol which
   enable IPv4 home address mobility support to the MN.  The
   PMIP6-Home-IPv4-HoA attribute (AVP Code TBD) is of type Address and
   contains the IPv4 Home Address of the MN.  The primary use of this
   attribute is to deliver the assigned IPv4-HoA from HAAA to the MAG.

   The PMIP6-Home-IPv4-HoA is also used on the LMA-to-HAAA interface.
   If the LMA in the home network delegates the assignment of the
   IPv4-HoA to the HAAA, the attribute MUST contain all zeroes address
   in the request message.  The attribute MUST be included by the HAAA
   in the response if the previous request included it, and it contains
   the IPv4-HoA assigned to the MN.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Reserved      |Prefix-Len |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Home IPv4 HoA                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-IPv4-HoA to be defined by IANA.

   Length:
      = 8 octets

   Reserved:
      The 10-bit field reserved for future use.  Value MUST be
      initialized to zero by sender, and MUST be ignored by the
      receiver.

   Prefix-Len:
      The 6-bit unsigned integer indicating the prefix length of the
      trailing IPv4 HoA

   Home IPv4 HoA:
      This field is of type Address and contains the IPv4 home
      address of the MN in the home network.

4.13.  PMIP6-Visited-IPv4-HoA

   When both MAG and the LMA are in the visited network, the
   PMIP6-Visited-IPv4-HoA attribute (AVP Code TBD) is used to exchange
   information between the VAAA and the MAG on the assignment of the
   IPv4 Home Address to the MN being present in the Visited network.

   The PMIP6-Visited-IPv4-HoA is also used on the LMA-to-VAAA interface.
   If the LMA delegates the assignment of the IPv4-HoA to the VAAA, the
   attribute MUST contain the all-zeroes address in the RADIUS
   Access-Request.  The Access-Accept message MUST have the attribute
   present if the prior request to VAAA already included one.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Reserved      |Prefix-Len |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Visited IPv4 HoA                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-IPv4-HoA to be defined by IANA.

   Length:
      = 8 octets.

   Reserved:
      The 10-bit field reserved for future use.  Value MUST be
      initialized to zero by the sender, and MUST be ignored by the
      receiver.

   Prefix-Len:
      6-bit unsigned integer indicating the prefix length of the
      trailing IPv4 HoA.

   Visited IPv4 HoA:
      This field is of type Address and contains the IPv4 home
      address of the MN in the visited network.

4.14.  PMIP6-Home-DHCP4-Server-Address

   The PMIP6-Home-DHCP4-Server-Address (AVP Code TBD) contains the IPv4
   address of the DHCPv4 server in the home network.  The particular
   DHCP server address is indicated to the MAG that serves the MN
   concerned.  The HAAA MAY assign a DHCP server to the MAG in
   deployments where the MAG acts as a DHCP Relay, as defined in
   [RFC5844].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Home DHCPv4 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Home DHCPv4 server address   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-DHCP4-Server-Address to be defined by IANA.

   Length:
      = 6 octets.

   Home DHCPv4 server address:
      This field is of type Address and contains a 4-octet IPv4 address
      of the DHCP server.

4.15.  PMIP6-Visited-DHCP4-Server-Address

   When both MAG and the LMA are in the visited network, the VAAA uses
   the PMIP6-Visited-DHCP4-Server-Address attribute (AVP Code TBD) to
   deliver the IPv4 address of the DHCPv4 server from the visited
   network to the MAG.  The VAAA MAY assign a DHCPv4 server to the MAG
   in deployments where the MAG acts as a DHCP Relay, as defined in
   [RFC5844].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Visited DHCPv4 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Visited DHCPv4 server address  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-DHCP4-Server-Address to be defined by IANA.

   Length:
      = 6 octets.

   Visited DHCPv4 server address:
      This field is of type Address and contains a 4-octet IPv4 address
      of the DHCPv4 server.

4.16.  PMIP6-Home-DHCP6-Server-Address

   The PMIP6-Home-DHCP6-Server-Address (AVP Code TBD) contains the IPv6
   address of the DHCPv6 server in the home network indicated by HAAA to
   the MAG that serves the MN concerned.  The HAAA MAY assign a DHCPv6
   server to the MAG in deployments where the MAG acts as a DHCP Relay,
   as defined in [RFC5213].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Home DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                  Home DHCPv6 server address                   .
   .                                                               .
   .                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Home-DHCP6-Server-Address to be defined by IANA.

   Length:
      = 18 octets.

   Home DHCPv6 server address:
      This field is of type Address and contains the 16-octet IPv6
      address of the DHCPv6 server.

4.17.  PMIP6-Visited-DHCP6-Server-Address

   When both MAG and the LMA are located in the visited network, the
   PMIP6-Visited-DHCP6-Server-Address attribute (AVP Code TBD) is used
   to deliver the IPv6 address of the DHCPv6 server from the visited
   network to the MAG that serves the MN.  The VAAA MAY assign a DHCPv6
   server to the MAG in deployments where the MAG acts as a DHCP Relay,
   as defined in [RFC5213].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Visited DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                 Visited DHCPv6 server address                 .
   .                                                               .
   .                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:
      PMIP6-Visited-DHCP6-Server-Address to be defined by IANA.

   Length:
      = 18 octets.

   Visited DHCPv6 server address:
      This field is of type Address and contains the 16-octet IPv6
      address of the DHCPv6 server.

4.18.  Calling-Station-Id

   The Calling-Station-Id AVP (AVP Code 31) is of type String and when
   used for PMIPv6 it contains a link-layer identifier of the MN as
   defined in [RFC5213], Sections 2.2 and 8.6.

4.19.  Chargeable-User-Identity

   The Chargeable-User-Identity attribute or CUI (AVP Code 89) is a
   unique temporary handle used as a means to, for example, correlate
   authentication, accounting and bill post-processing for a particular
   chargeable subscriber.  The CUI format and use follows guidelines
   defined by [RFC4372].

   In scope of this document, the CUI attribute MAY be present in the
   Access-Request.  The CUI MAY also be present in the Access-Accept.
   The CUI Identity MUST be present in the Access-Accept if it was
   present in the Access-Request.  If the use of the Chargeable User
   Identity is supported, then the MAG and/or the LMA commits to include
   the Chargeable User Identity in all subsequent RADIUS Accounting
   packets they send for the given user.

5.  MAG to RADIUS AAA interface

5.1.  Interface operations

   The MAG to the AAA RADIUS server interface is used for retrieval of
   the Policy Profile when a MN tries to attach, authenticate and
   authorize to a PMIPv6 domain.  Depending on the policies and network
   capabilities the MAG may retrieve different sets of PMIPv6-session
   related parameters:

   o  Configuration attributes for Home- or Visited Network access
      scenario, depending on the location and attachment point of the
      MN,

   o  The IPv6 or IPv4 address of the designated LMA, depending on the
      access network's actual IP topology,

   o  The IPv6 or IPv4 configuration parameters for the MN, depending on
      the utilized IP configuration method and individual MN's service
      Policy,

   o  The DHCP Relay support attributes (IPv4 or IPv6) in case such
      functionality is supported in the network.

   In addition to PMIPv6-specific attributes, other RADIUS attributes
   are to be used on the MAG-to-AAA interface:
   The User-Name attribute (1) MUST be present in the Access-Request.
   It SHOULD carry the valid MN identity (PMIPv6 MN Identifier) in the
   form of a Network Access Identifier (NAI) [RFC4282], if such identity
   can be obtained.  The NAS-IP-Address (4) or NAS-IPv6-Address (95) or
   the NAS-Identifier (32) MUST be present in the Access-Request.  The
   Service-Type (6) and the NAS-Port-Type (69) SHOULD be present in the
   Access-Request.

5.2.  Table of Attributes

   The following table provides a guide to attributes that may be found
   in authentication and authorization RADIUS messages between MAG and
   the AAA Server.

   Request Accept Reject Challenge #   Attribute

   1       0-1    0      0         1   User-Name
   0-1     0-1    0      0         4   NAS-IP-Address
   0-1     0-1    0      0         5   NAS-Port
   1       0-1    0      0         6   Service-Type
   0-1     0-1    0      0-1       24  State
   0       0-1    0      0         25  Class
   0       0-1    0      0-1       27  Session-Timeout
   0-1     0      0      0         31  Calling-Station-Id
   1       0      0      0         32  NAS-Identifier
   0-1     0-1    0      0         33  Proxy-State
   1       0      0      0         69  NAS-Port-Type
   1       1      1      1         80  Message-Authenticator
   0-1     0-1    0      0         89  Chargeable-User-Identity
   0-1     0-1    0      0         95  NAS-IPv6-Address
   0-1     0-1    0      0         124 MIP6-Feature-Vector
   0-1     0-1    0      0         TBD Service-Selection
   0       1      0      0         TBD Mobile-Node-Identifier
   0       0-1    0      0         TBD PMIP6-Home-LMA-IPv6-Address
   0-1     0-1    0      0         TBD PMIP6-Visited-LMA-IPv6-Address
   0       0-1    0      0         TBD PMIP6-Home-LMA-IPv4-Address
   0-1     0-1    0      0         TBD PMIP6-Visited-LMA-IPv4-Address
   0       0-1    0      0         TBD PMIP6-Home-HN-Prefix
   0       0-1    0      0         TBD PMIP6-Visited-HN-Prefix
   0       0-1    0      0         TBD PMIP6-Home-Interface-ID
   0       0-1    0      0         TBD PMIP6-Visited-Interface-ID
   0       0-1    0      0         TBD PMIP6-Home-IPv4-HoA
   0       0-1    0      0         TBD PMIP6-Visited-IPv4-HoA
   0       0-1    0      0         TBD PMIP6-Home-DHCP4-Server-Address
   0-1     0-1    0      0         TBD PMIP6-Visited-DHCP4-Server-Address
   0       0-1    0      0         TBD PMIP6-Home-DHCP6-Server-Address
   0-1     0-1    0      0         TBD PMIP6-Visited-DHCP6-Server-Address

6.  LMA to RADIUS AAA interface

6.1.  Interface operations

   The LMA-to-HAAA interface is used for multiple operations.  These
   operations include, but are not limited to, the authorization of the
   incoming PBU, updating the LMA address at the HAAA, accounting, and
   PMIPv6 session management.

6.2.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in the authentication and authorization process between the LMA and
   the AAA.

   1       0-1    0      0         1   User-Name
   0-1     0-1    0      0         4   NAS-IP-Address
   0-1     0-1    0      0         5   NAS-Port
   1       0-1    0      0         6   Service-Type
   0       0-1    0      0         25  Class
   0       0-1    0      0-1       27  Session-Timeout
   0-1     0      0      0         31  Calling-Station-Id
   1       0      0      0         32  NAS-Identifier
   1       0      0      0         69  NAS-Port-Type
   1       1      1      1         80  Message-Authenticator
   0-1     0-1    0      0         89  Chargeable-User-Identity
   0-1     0-1    0      0         95  NAS-IPv6-Address
   0-1     0-1    0      0         124 MIP6-Feature-Vector
   0-1     0-1    0      0         TBD Service-Selection
   1       0      0      0         TBD Mobile-Node-Identifier
   0-1     0-1    0      0         TBD PMIP6-Home-HN-Prefix
   0       0-1    0      0         TBD PMIP6-Visited-HN-Prefix
   0-1     0-1    0      0         TBD PMIP6-Home-IPv4-HoA
   0       0-1    0      0         TBD PMIP6-Visited-IPv4-HoA
   0       0-1    0      0         TBD PMIP6-Home-Interface-ID
   0       0-1    0      0         TBD PMIP6-Visited-Interface-ID

7.  Accounting

7.1.  Accounting at LMA

   The accounting at the LMA to AAA server interface is based on
   [RFC2865] and [RFC2866].  This interface must support the transfer of
   accounting records needed for service control and charging.  These
   records should include (but may not be limited to): time of binding
   cache entry creation and deletion, number of the octets sent and
   received by the MN over the bi-directional tunnel, etc.

7.2.  Accounting at MAG

   The accounting at the MAG to AAA server interface is based on
   [RFC2865] and [RFC2866].  The interface must also support the
   transfer of accounting records which should include: time of binding
   cache entry creation and deletion, number of the octets sent and
   received by the MN over the bi-directional tunnel, etc.

   If there is data traffic between a visiting MN and a correspondent
   node that is locally attached to an access link connected to the same
   MAG, the mobile access gateway MAY optimize on the delivery efforts
   by locally routing the packets instead of using reverse tunneling to
   the mobile node's LMA.  In this case, the local data traffic too MUST
   be reported to AAA Accounting servers by means of RADIUS protocol.

7.3.  Table of Attributes

   The following table provides a list of attributes that may be
   included in the RADIUS Accounting messages.  These attributes are to
   complement the set of accounting attributes already required by
   [RFC2866] and [RFC2869].

   Request Interim Stop  Attribute

   0-1     0       0-1   PMIP6-Home-LMA-IPv6-Address
   0-1     0       0-1   PMIP6-Visited-LMA-IPv6-Address
   0-1     0       0-1   PMIP6-Home-LMA-IPv4-Address
   0-1     0       0-1   PMIP6-Visited-LMA-IPv4-Address
   0-1     0       0-1   PMIP6-Home-HN-Prefix
   0-1     0       0-1   PMIP6-Visited-HN-Prefix
   0-1     0       0-1   PMIP6-Home-IPv4-HoA
   0-1     0       0-1   PMIP6-Visited-IPv4-HoA
   0-1     0       0-1   Service-Selection
   0-1     0       0-1   MIP6-Feature-Vector
   0-1     0-1     0-1   Mobile-Node-Identifier
   0-1     0       0-1   Calling-Station-Id
   0-1     0-1     0-1   Chargeable-User-Identity

8.  Security Considerations

   The RADIUS messages may be transported between the MAG and/or the LMA
   to the RADIUS server via one or more AAA brokers or RADIUS proxies.
   In this case the LMA to the RADIUS AAA server communication relies on
   the security properties of the intermediate AAA brokers and RADIUS
   proxies.

9.  IANA consideration

9.1.  Attribute Type Codes

   This specification defines the following new RADIUS attribute type
   codes:

      Mobile-Node-Identifier
      Service-Selection
      PMIP6-Home-LMA-IPv6-Address
      PMIP6-Visited-LMA-IPv6-Address
      PMIP6-Home-LMA-IPv4-Address
      PMIP6-Visited-LMA-IPv4-Address
      PMIP6-Home-HN-Prefix
      PMIP6-Visited-HN-Prefix
      PMIP6-Home-Interface-ID
      PMIP6-Visited-Interface-ID
      PMIP6-Home-IPv4-HoA
      PMIP6-Visited-IPv4-HoA
      PMIP6-Home-DHCP4-Server-Address
      PMIP6-Visited-DHCP4-Server-Address
      PMIP6-Home-DHCP6-Server-Address
      PMIP6-Visited-DHCP6-Server-Address

9.2.  Namespaces

   This specification defines new values to the Mobility Capability
   registry (see [RFC5447]) for use with the MIP6-Feature-Vector AVP:

   Token                             | Value
   ----------------------------------+--------------------
   IP4_TRANSPORT_SUPPORTED           | 0x0000080000000000
   IP4_HOA_ONLY_SUPPORTED            | 0x0000100000000000

10.  Acknowledgements

   First of all, the authors would like to acknowledge the
   standardization work and people of the WiMAX Forum that have set the
   foundation for this document.
   The authors would like to thank Basavaraj Patil, Glen Zorn, Avi Lior,
   Alan DeKok and Pete McCann for reviewing the document and providing
   valuable input.
   The authors would also like to thank the authors of [RFC5779] as this
   document re-uses some procedural ideas of the aforementioned
   specification.

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC5213]  Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K.,
              and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.

   [RFC4282]  Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
              Network Access Identifier", RFC 4282, December 2005.

   [RFC5447]  Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C.,
              and K. Chowdhury, "Diameter Mobile IPv6: Support for
              Network Access Server to Diameter Server Interaction",
              RFC 5447, February 2009.

   [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC5844]  Wakikawa, R. and S. Gundavelli, "IPv4 Support for Proxy
              Mobile IPv6", RFC 5844, May 2010.

   [RFC5779]  Korhonen, J., Bournelle, J., Chowdhury, K., Muhanna, A.,
              and U. Meyer, "Diameter Proxy Mobile IPv6: Mobile Access
              Gateway and Local Mobility Anchor Interaction with
              Diameter Server", RFC 5779, February 2010.

   [RFC4372]  Adrangi, F., Lior, A., Korhonen, J., and J. Loughney,
              "Chargeable User Identity", RFC 4372, January 2006.

11.2.  Informative references

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
              Extensions", RFC 2869, June 2000.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, "Extensible Authentication Protocol (EAP)",
              RFC 3748, June 2004.

   [RFC5149]  Korhonen, J., Nilsson, U., and V. Devarapalli, "Service
              Selection for Mobile IPv6", RFC 5149, February 2008.

Authors' Addresses

   Frank Xia
   Huawei USA
   1700 Alma Dr. Suite 500
   Plano, TX  75075

   Phone: +1 972-509-5599
   Email: xiayangsong@huawei.com


   Behcet Sarikaya
   Huawei USA
   1700 Alma Dr. Suite 500
   Plano, TX  75075

   Phone: +1 972-509-5599
   Email: sarikaya@ieee.org


   Jouni Korhonen
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo  FI-02600
   Finland

   Email: jouni.nospam@gmail.com


   Sri Gundavelli
   Cisco
   170 West Tasman Drive
   San Jose, CA  95134

   Email: sgundave@cisco.com


   Damjan Damic
   Siemens
   Heinzelova 70a
   Zagreb  10000
   Croatia

   Email: damjan.damic@siemens.com
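
Added example (not part of the draft or of any implementation of it): a strict receiver-side decoder for the fixed-length attributes of Sections 4.10, 4.12, 4.14 and 4.16, showing the Length checks, the Reserved/Prefix-Len split, and the all-zeroes IPv4-HoA that signals delegated assignment. The type codes are placeholders because the draft leaves them to IANA, all function and constant names are hypothetical, and the Visited variants share the same layouts.

```python
import ipaddress
import struct

# Placeholder type codes (assumption): the draft leaves the real values
# "to be defined by IANA".
T_HOME_IFID, T_HOME_IPV4_HOA, T_HOME_DHCP4, T_HOME_DHCP6 = 192, 193, 194, 195

# Value of the Length field (Type + Length + payload octets) per the draft.
FIXED_LEN = {T_HOME_IFID: 10, T_HOME_IPV4_HOA: 8,
             T_HOME_DHCP4: 6, T_HOME_DHCP6: 18}


def decode_value(atype, value):
    """Decode one attribute payload whose length has already been verified."""
    if atype == T_HOME_IFID:
        return value.hex()                      # 8-octet interface identifier
    if atype == T_HOME_IPV4_HOA:
        bits, addr = struct.unpack("!HI", value)
        prefix_len = bits & 0x3F                # low 6 bits; Reserved is ignored
        if prefix_len > 32:                     # added sanity check, not in the draft
            raise ValueError("Prefix-Len %d exceeds 32" % prefix_len)
        return ipaddress.IPv4Address(addr), prefix_len
    if atype == T_HOME_DHCP4:
        return ipaddress.IPv4Address(value)
    return ipaddress.IPv6Address(value)         # T_HOME_DHCP6


def parse_pmip6_attributes(buf):
    """Walk a RADIUS attribute list and return {type: decoded value}."""
    out, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[off], buf[off + 1]
        if alen < 2 or off + alen > len(buf):
            raise ValueError("attribute %d: bad Length %d" % (atype, alen))
        if atype in FIXED_LEN:
            if alen != FIXED_LEN[atype]:
                raise ValueError("attribute %d: Length %d, expected %d"
                                 % (atype, alen, FIXED_LEN[atype]))
            out[atype] = decode_value(atype, buf[off + 2:off + alen])
        off += alen                             # other attributes are skipped
    return out


def hoa_delegated(decoded):
    """True when the IPv4-HoA is all zeroes (assignment left to the AAA)."""
    return int(decoded[T_HOME_IPV4_HOA][0]) == 0


# Constructed sample: User-Name "mn1", Home-IPv4-HoA 192.0.2.10/24,
# Home-DHCP4-Server-Address 192.0.2.1.
SAMPLE = (bytes([1, 5]) + b"mn1"
          + bytes([T_HOME_IPV4_HOA, 8]) + struct.pack("!HI", 24, 0xC000020A)
          + bytes([T_HOME_DHCP4, 6]) + bytes([192, 0, 2, 1]))
```

Rejecting a wrong Length before slicing keeps a malformed or truncated Access-Accept from being read as a shorter or longer address than the sender intended.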