idnits 2.17.1 draft-zhu-netext-ikev2-interworking-pmip-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** There are 4 instances of too long lines in the document, the longest one being 5 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 06, 2011) is 4769 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC4739' is defined on line 167, but no explicit reference was found in the text ** Downref: Normative reference to an Experimental RFC: RFC 4739 Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 netext C. Zhu 3 Internet-Draft X. Zhou 4 Intended status: Standards Track ZTE Corporation 5 Expires: October 8, 2011 April 06, 2011 7 The interworking between IKEv2 and PMIPv6 8 draft-zhu-netext-ikev2-interworking-pmip-00.txt 10 Abstract 12 During the network operation, there is a scenario where the IKEv2 is 13 used between MN and MAG while the PMIPv6 is used between MAG and LMA. 14 Hence, the interworking between IKEv2 and PMIPv6 need to be 15 considered in this scenario. 17 Status of this Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on October 8, 2011. 34 Copyright Notice 36 Copyright (c) 2011 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 53 3. New Mobility Option-IKEv2 Container . . . . . . . . . . . . . 6 54 4. MAG Operation . . . . . . . . . . . . . . . . . . . . . . . . 7 55 5. LMA Operation . . . . . . . . . . . . . . . . . . . . . . . . 8 56 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 57 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 58 8. Normative References . . . . . . . . . . . . . . . . . . . . . 11 59 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 61 1. Motivation 63 Non-transparent access is supported in UMTS since Release 99 and in 64 Rel-8 it was naturally extended to the EPS with 3GPP access. In both 65 UMTS and EPS, the credentials for PAP or CHAP authentication with the 66 private Packet Data Network (PDN) are carried transparently between 67 the UE and the GGSN/PGW inside the Protocol Configuration Options 68 (PCO) information element. In I-WLAN it is possible to access a 69 private PDN via a Packet Data Gateway (PDG) as defined in 3GPP TS 70 29.161. The approach specified in 3GPP TS 29.161 relies on multiple 71 IKEv2 authentication exchanges, based on rfc4739. 73 However, access to private PDNs is still not possible via untrusted 74 non-3GPP IP access, e.g. WLAN access with PMIPv6-based interface. 75 Since the ePDG (i.e. MAG, contrary to the PDG in I-WLAN) has no 76 RADIUS or Diameter interface with the AAA server in the private 77 network, even according to rfc4739 the ePDG is not able to contact 78 the AAA Server for the external authentication and authorization 79 after receiving the credentials. 81 This document attempts to figure out the issue described above via 82 extending PMIPv6 to achieve external authentication and authorization 83 between UE and the AAA server. 85 2. Protocol Overview 87 It is proposed to define a new mobility option as a container (IKEv2 88 container) in Proxy Binding Update and Proxy Binding Acknowledge, 89 which can be used to convey the information from IKEv2 and the result 90 of external authentication and authorization. 92 The following steps is performed during the external authentication 93 and authorization as described in Figure 1. 95 +-------+ +---------+ +--------+ +-----------+ 96 | MN | | MAG | | LMA | | External | 97 +-------+ +---------+ +--------+ |AAA Server | 98 | | | +-----------+ 99 +--------------------------------------+ | | 100 | 1.Procedures until the MAG obtaining | | | 101 | the credentials in the rfc4739 | | | 102 +--------------------------------------+ | | 103 | | | | 104 | | 2.PBU(IKEv2 Container) | | 105 | |------------------------>| | 106 | | |3.Access-Req/Resp| 107 | | |<--------------->| 108 | | | | 109 | |<-4.PBA(IKEv2 Container)-| | 110 | | | | 111 | | | | 112 +----------------------------------------+ | | 113 | 5.Procedures after the MAG obtaining | | | 114 | the credentials and completing the | | | 115 | external Authentication/Authorization| | | 116 +----------------------------------------+ | | 117 | | | | 118 | | | | 119 | | | | 121 Figure 1: Authentication and authorization for the Private network 122 access 124 The steps of the procedure in Figure 1 are as following. 126 1. The mobile node performs additional authentication and 127 authorization with an external AAA Server as specified in rfc4739 129 2. The MAG contructs the IKEv2 container (e.g. PCO) in the Proxy 130 Binding Update, copies the information from IKEv2 (e.g. User ID and 131 password) into the IKEv2 container and sends the PBU to the LMA. 133 3. The LMA uses the authentication credentials provided in the IKEv2 134 container to perform an additional authentication and authorisation 135 with an external AAA server. 137 4. Upon receiving the access response from external AAA server the 138 LMA copies the results from the response message to the IKEv2 139 container which is included in the Proxy Binding Acknowledge. 141 5. Upon receiving credentials in the Proxy Binding Acknowledge the 142 MAG performs the procedure as described in rfc4739 to complete the 143 external Authentication/Authorization. 145 3. New Mobility Option-IKEv2 Container 147 TBD 149 4. MAG Operation 151 TBD 153 5. LMA Operation 155 TBD 157 6. Security Considerations 159 TBD 161 7. IANA Considerations 163 TBD 165 8. Normative References 167 [RFC4739] Eronen, P. and J. Korhonen, "Multiple Authentication 168 Exchanges in the Internet Key Exchange (IKEv2) Protocol", 169 RFC 4739, November 2006. 171 Authors' Addresses 173 Chunhui Zhu 174 ZTE Corporation 175 No.50 Ruanjiandadao Rd,Yuhuatai District 176 Nanjing 177 China 179 Email: zhu.chunhui@zte.com.cn 181 Xingyue Zhou 182 ZTE Corporation 183 No.50 Ruanjiandadao Rd,Yuhuatai District 184 Nanjing 185 China 187 Phone: +86-25-8801-4634 188 Email: zhou.xingyue@zte.com.cn