One document matched: draft-ietf-dime-pmip6-04.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY HUIHAI PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY RFC2234 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2234.xml'>
<!ENTITY RFC3588 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml'>
<!ENTITY RFC5226 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml'>
<!ENTITY RFC4005 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4005.xml'>
<!ENTITY RFC4004 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4004.xml'>
<!ENTITY RFC4072 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml'>
<!ENTITY RFC4301 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301.xml'>
<!ENTITY RFC4303 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4303.xml'>
<!ENTITY RFC5447 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5447.xml'>
<!ENTITY I-D.ietf-dime-mip6-split PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dime-mip6-split.xml'>
<!ENTITY RFC3748 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml'>
<!ENTITY RFC2136 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2136.xml'>
<!ENTITY RFC1035 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml'>
<!ENTITY I-D.ietf-netlmm-pmip6-ipv4-support PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netlmm-pmip6-ipv4-support.xml'>
<!ENTITY RFC4186 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4186.xml'>
<!ENTITY RFC4282 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4282.xml'>
<!ENTITY RFC4283 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4283.xml'>
<!ENTITY RFC2132 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2132.xml'>
<!ENTITY RFC3775 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3775.xml'>
<!ENTITY I-D.ietf-mip6-nemo-v4traversal PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-mip6-nemo-v4traversal.xml'>
<!ENTITY RFC5213 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5213.xml'>
<!ENTITY RFC2131 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2131.xml'>
<!ENTITY RFC3315 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3315.xml'>
<!ENTITY I-D.ietf-mext-binding-revocation PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-mext-binding-revocation.xml'>
<!ENTITY I-D.ietf-netlmm-lma-discovery PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netlmm-lma-discovery.xml'>
<!ENTITY RFC5149 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5149.xml'>
<!ENTITY RFC3580 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3580.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc compact="yes" ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc autobreaks="yes" ?>
<rfc category="std" ipr="trust200902" docName="draft-ietf-dime-pmip6-04.txt">
<front>
<title abbrev="Diameter Support for Proxy Mobile IPv6">Diameter Proxy Mobile IPv6:
Mobile Access Gateway and Local Mobility Anchor Interaction with Diameter Server
</title>
<author role="editor" initials="J" surname="Korhonen" fullname="Jouni Korhonen">
<organization>Nokia Siemens Network</organization>
<address>
<postal>
<street>Linnoitustie 6</street>
<city>Espoo</city>
<code>FI-02600</code>
<country>Finland</country>
</postal>
<email>jouni.nospam@gmail.com</email>
</address>
</author>
<author fullname="Julien Bournelle" surname="Bournelle" initials="J.">
<organization>Orange Labs</organization>
<address>
<postal>
<street>38-4O rue du general Leclerc</street>
<city>Issy-Les-Moulineaux</city>
<code>92794</code>
<country>France</country>
</postal>
<email>julien.bournelle@orange-ftgroup.com</email>
</address>
</author>
<author initials="K." surname="Chowdhury" fullname="Kuntal Chowdhury">
<organization>Starent Networks</organization>
<address>
<postal>
<street>30 International Place</street>
<city>Tewksbury</city>
<code>MA 01876</code>
<country>USA</country>
</postal>
<email>kchowdhury@starentnetworks.com</email>
</address>
</author>
<author initials="A" surname="Muhanna" fullname="Ahmad Muhanna">
<organization abbrev="">Nortel</organization>
<address>
<postal>
<street>2221 Lakeside Blvd.</street>
<city>Richardson</city>
<region>TX</region>
<code>75082</code>
<country>USA</country>
</postal>
<email>amuhanna@nortel.com</email>
</address>
</author>
<author initials="U." surname="Meyer" fullname="Ulrike Meyer">
<organization>RWTH Aachen</organization>
<address>
<email>meyer@umic.rwth-aachen.de</email>
</address>
</author>
<date year="2009"/>
<area>Operations and Management</area>
<workgroup>Diameter Maintenance and Extensions (DIME)</workgroup>
<keyword>Internet-Draft</keyword>
<keyword>Diameter</keyword>
<keyword>Proxy Mobile IPv6</keyword>
<abstract>
<t>This specification defines Authentication, Authorization, and
Accounting interactions between Proxy Mobile IPv6 entities (both
Mobile Access Gateway and Local Mobility Anchor) and
an Authentication, Authorization, and
Accounting server within a Proxy Mobile IPv6 Domain.
These Authentication, Authorization, and
Accounting interactions are primarily used to download and update mobile
node specific policy profile information between Proxy Mobile IPv6
entities and a remote policy store.
</t>
</abstract>
</front>
<middle>
<!-- ====================================================================== -->
<section anchor="introduction" title="Introduction">
<t>This specification defines Authentication, Authorization, and
Accounting (AAA) interactions between a Mobile Access Gateway (MAG)
and an AAA server, and between a Local Mobility Anchor (LMA) and an
AAA server within a Proxy Mobile IPv6 (PMIPv6) Domain <xref target="RFC5213"/>.
These AAA interactions are primarily used to download and update mobile
node (MN) specific policy profile information between PMIPv6 entities
(a MAG and a LMA) and a remote policy store.
</t>
<t>Dynamic assignment and downloading of MN's
policy profile information to a MAG from a remote policy store is a
desirable feature to ease the deployment and network maintenance of
larger PMIPv6 domains. For this purpose, the same AAA infrastructure
that is used for authenticating and authorizing the MN for a network
access, can be leveraged to download some or all of the necessary
policy profile information to the MAG.
</t>
<t>Once the network has authenticated the MN, the MAG sends a
Proxy Binding Update (PBU) to the LMA in order to setup a mobility
session on behalf of the MN. When the LMA receives the
PBU, the LMA may need to authorize the received PBU against the
AAA infrastructure. The same AAA infrastructure that can be used for the
authorization of the PBU, is also used to update the remote policy
store with the LMA provided MN specific mobility session related
information.
</t>
<t>In the context of this specification the
home AAA server (HAAA) functionality is co-located with the remote
policy store. The NAS functionality may be co-located with the MAG
function in the network access router. Diameter <xref target="RFC3588"/>
is the used AAA protocol.
</t>
</section> <!-- introduction -->
<!-- ========================================================= -->
<section anchor="terms" title="Terminology and Abbreviations">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as
described in RFC2119 <xref target="RFC2119"/>.
</t>
<t>The general terminology used in this document can be found in
<xref target="RFC5213"/> and <xref target="I-D.ietf-netlmm-pmip6-ipv4-support"/>.
The following additional or clarified
terms are also used in this document:
</t>
<t><list style="hanging">
<t hangText="Network Access Server (NAS):">
<vspace blankLines="1"/>A device that provides an access service for a
user to a network. In the context of this document the NAS may be
integrated into or co-located to a MAG. The NAS contains a Diameter
client function.
<vspace blankLines="1"/>
</t>
<t hangText="Home AAA (HAAA):">
<vspace blankLines="1"/> An Authentication, Authorization, and
Accounting (AAA) server located in user's home network. A HAAA is
essentially a Diameter server.
<vspace blankLines="1"/>
</t>
</list></t>
</section>
<section title="Solution Overview">
<t>This document addresses the AAA interactions and AAA-based session
management functionality needed in the
PMIPv6 Domain. This document defines Diameter based AAA interactions
between the MAG and the HAAA, and between the LMA and the HAAA.
</t>
<t>The policy profile is downloaded from the HAAA to the MAG
during the MN attachment to the PMIPv6 Domain.
<xref target="pmip6-scenario"/> shows the
participating network entities. This document, however,
concentrates on the MAG, LMA, and
the HAAA (the home Diameter server).
</t>
<t><figure anchor="pmip6-scenario" title="Proxy Mobile IPv6 Domain
Interaction with Diameter HAAA Server">
<artwork><![CDATA[
+--------+
| HAAA & | Diameter +-----+
| Policy |<---(2)-->| LMA |
| Store | +-----+
+--------+ | <--- LMA-Address
^ |
| // \\
+---|------------- //---\\----------------+
( | IPv4/IPv6 // \\ )
( | Network // \\ )
+---|-----------//---------\\-------------+
| // \\
Diameter // <- Tunnel1 \\ <- Tunnel2
(1) // \\
| |- MAG1-Address |- MAG2-Address
| +----+ +----+
+---->|MAG1| |MAG2|
+----+ +----+
| |
| |
[MN1] [MN2]
Legend:
(1): MAG-to-HAAA interaction is described
in Section 7.1
(2): LMA-to-HAAA interaction is described
in Section 7.2
]]></artwork>
</figure></t>
<t>When a MN attaches to a PMIPv6 Domain, a
network access authentication procedure is usually started. The
choice of the authentication mechanism is specific to the
access network deployment, but could be based on the
Extensible Authentication Protocol (EAP) <xref
target="RFC3748"/>. During the network access authentication
procedure, the MAG acting as a NAS queries the HAAA through
the AAA infrastructure using the Diameter protocol. If the
HAAA detects that the subscriber is also authorized for the
PMIPv6 service, PMIPv6 specific information is returned
along with the successful
network access authentication answer to the MAG.
</t>
<t>After the MN has been successfully authenticated, the MAG
sends a PBU to the LMA based on the MN's policy profile information.
Upon receiving the PBU the LMA interacts
with the HAAA and fetches the relevant parts of the subscriber policy
profile and authorization
information related to the mobility service session.
In this specification, the HAAA has the role of the PMIPv6
remote policy store.
</t>
</section> <!-- overview -->
<!-- ====================================================================== -->
<section anchor="cmds" title="Generic Application Support and Command Codes">
<t>This specification does not define new Application-IDs or Command
Codes for
the MAG-to-HAAA or for the LMA-to-HAAA Diameter connections. Rather,
this specification is generic to any Diameter application (and their
commands) that is suitable for a network access authentication and
authorization.
Example applications include NASREQ <xref target="RFC4005"/>
and EAP <xref target="RFC4072"/>.
</t>
<section title="MAG-to-HAAA Interface">
<t>The MAG-to-HAAA interactions are primarily used for
bootstrapping PMIPv6 mobility service session when
a MN attaches and authenticates to a PMIPv6 Domain.
This includes the bootstrapping of PMIPv6 session
related information. The same interface
may also be used for accounting. The MAG acts as a Diameter client.
</t>
<t>Whenever the MAG sends a Diameter request message to the HAAA, the
User-Name AVP SHOULD contain the MN's identity unless the identity
is being suppressed for policy reasons - for example, when identity
hiding is in effect. The MN identity, if
available, MUST be in Network Access Identifier (NAI) <xref
target="RFC4282"/> format. At minimum
the home realm of the MN MUST be available at the MAG when
the network access authentication takes place. Otherwise
the MAG is not able to route the Diameter request messages
towards the correct HAAA. The MN identity used on the MAG-to-HAAA
interface and in the User-Name AVP MAY entirely be related to the
network access authentication, and therefore not suitable to be
used as the MN-ID mobility option value in the subsequent PBU/PBA
messages. See the related discussion on MN's identities in
<xref target="mnid"/> and in <xref target="l2hmnid"/>.
</t>
<t>For the session management and service authorization purposes,
session state SHOULD be maintained on the MAG-to-HAAA interface.
See the discussion in <xref target="sersel"/>.
</t>
</section> <!-- command codes -->
<section title="LMA-to-HAAA Interface" anchor="l2hmnid">
<t>The-LMA-to HAAA interface may be used for multiple
purposes. These include the authorization of the incoming
PBU, updating the LMA address to the HAAA, delegating the assignment
of the MN-HNP or the IPv4-HoA to the HAAA, and for
accounting and PMIPv6 session management. The primary purpose of
this interface is to update the HAAA with the LMA address information
in case of dynamically assigned LMA, and exchange the MN address
assignment information between the LMA and the HAAA.
</t>
<t>The LMA-to-HAAA interface description is intended for different
types of deployments and architectures. Therefore, this specification
only outlines AVPs and considerations that the deployment specific
Diameter applications need to take into account from the PMIPv6 and
LMAs point of view.
</t>
<section title="General Operation and Authorization of PBU">
<t>Whenever the LMA sends a Diameter request message to the HAAA, the
User-Name AVP SHOULD contain the MN's identity. The LMA provided
identity in the User-Name AVP is strongly RECOMMENDED to be the
same as the MN's
identity information in the PBU MN-ID <xref target="RFC4283"/>
<xref target="RFC5213"/> mobility option. The identity SHOULD also
be the same as used on the MAG-to-HAAA interface, but in the case
those identities differ the HAAA MUST have a mechanism of mapping
the MN identity used on the MAG-to-HAAA interface to the identity
used on the LMA-to-HAAA interface.
</t>
<t>If the PBU contains the MN Link-Layer Identifier option,
the Calling-Station-Id AVP SHOULD be included in the request
message containing the received Link-Layer Identifier. Furthermore,
if the PBU contains the Service Selection mobility option
<xref target="RFC5149"/>, the Service-Selection AVP SHOULD be
included in the request message containing the received service
identifier. Both MN Link-Layer Identifier and the Service selection
can be used to provide more information for the PBU authorization
step in the HAAA.
</t>
<t>The Auth-Request-Type AVP MUST be set to the value AUTHORIZE_ONLY.
The Diameter session related aspects discussed in
<xref target="session"/> need to be taken into consideration when
designing the Diameter application for the LMA-to-HAAA interface.
If the HAAA is not able to authorize the subscriber's mobility
service session, then the reply
message to the LMA MUST have the Result-Code AVP set to
value DIAMETER_AUTHORIZATION_REJECTED (5003) indicating
a permanent failure. A failed authorization obviously results to a
rejection of the PBU and a PBA with an appropriate error Status
Value MUST be sent back to the MAG.
</t>
<t>The authorization step MUST be performed at
least for the initial PBU session up a mobility session, when the
LMA-to-HAAA interface is deployed. For the subsequent re-registration
and handover PBUs, the authorization step MAY be repeated (in this
case, the LMA-to-HAAA interface should also maintain an authorization
session state).
</t>
</section>
<section title="Updating LMA Address to HAAA">
<t>In case of a dynamic LMA discovery and assignment
<xref target="I-D.ietf-netlmm-lma-discovery"/> the HAAA and the
remote policy store may need to be updated with the selected LMA
address information. The update can be done during the PBU
authorization step using the LMA-to-HAAA interface. This specification
uses the MIP6-Agent-Info AVP and its MIP-Home-Agent-Address and
MIP-Home-Agent-Host sub-AVPs for carrying the LMA's address information
from the LMA to the HAAA. The LMA address information in the request
message MUST contain the IP address of the LMA or the FQDN identifying
uniquely the LMA, or both. The LMA address information
refers to PMIPv6 part of the LMA, not necessarily the LMA part
interfacing with the AAA infrastructure.
</t>
<t>This specification does not define any HAAA initiated LMA relocation
functionality. Therefore, when the MIP6-Agent-Info AVP is included
in Diameter answer messages sent from the HAAA to the LMA,
the HAAA indicates this by setting the MIP-Home-Agent-Address AVP
to all zeroes address (e.g., 0::0) and not including the
MIP-Home-Agent-Host AVP.
</t>
</section>
<section title="Mobile Node Address Update and Assignment">
<t>The LMA and the HAAA use the MIP6-Home-Link-Prefix AVP to
exchange the MN-HNP when appropriate. Similarly, the LMA and the HAAA
use the PMIP6-IPv4-Home-Address AVP to exchange the IPv4-MN-HoA
when appropriate. These AVPs are encapsulated inside
the MIP6-Agent-Info AVP. The MN address information exchange is
again done during the PBU authorization step. The HAAA MAY also
use the LMA provided MN address information as a part of the
information used to authorize the PBU.
</t>
<t>Which entity is actually responsible for the address management
is deployment specific within the PMIPv6 Domain and MUST be
pre-agreed on per deployment basis. When the LMA is responsible
for the address management, the MIP6-Agent-Info AVP is used to
inform the HAAA and the remote policy store of the MN-HNP/IPv4-MN-HoA
assigned to the MN.
</t>
<t>It is also possible that the LMA delegates the
address management to the HAAA. In this case, the MN-HNP/IPv4-MN-HoA
are set to undefined addresses (as described in <xref target="info"/>)
in the Diameter request message sent from the LMA to the HAAA. The LMA
expects to receive the HAAA assigned HNP/IPv4-MN-HoA in the
corresponding Diameter answer message.
</t>
</section>
<!--/section-->
</section>
</section>
<!-- ====================================================================== -->
<section title="Attribute Value Pair Definitions">
<t>This section describes Attribute Value Pairs (AVPs) defined by this
specification or re-used from existing specifications in a PMIPv6
specific way. Derived Diameter AVP Data Formats such as Address and
UTF8String are defined in Section 4.3 of RFC 3588. Grouped AVP values
are defined in Section 4.4 of RFC 3588.
</t>
<section title="MIP6-Agent-Info AVP" anchor="info">
<t>The MIP6-Agent-Info grouped AVP (AVP Code 486) is defined in <xref
target="RFC5447"/>. The AVP is used to carry
LMA addressing related information and a MN-HNP. This
specification extends the MIP6-Agent-Info with the
PMIP6-IPv4-Home-Address AVP using the Diameter
extensibility rules defined in <xref target="RFC3588"/>.
The PMIP6-IPv4-Home-Address AVP contains the IPv4-MN-HoA.
</t>
<t>The extended MIP6-Agent-Info AVP results to the following grouped AVP:
</t>
<figure><artwork><![CDATA[
MIP6-Agent-Info ::= < AVP-Header: 486 >
*2[ MIP-Home-Agent-Address ]
[ MIP-Home-Agent-Host ]
[ MIP6-Home-Link-Prefix ]
[ PMIP6-IPv4-Home-Address ]
* [ AVP ]
]]></artwork>
</figure>
<t>If the MIP-Home-Agent-Address is set to all zeroes address (e.g., 0::0),
the receiver of the MIP6-Agent-Info AVP MUST ignore the
MIP-Home-Agent-Address AVP.
</t>
</section>
<section title="PMIP6-IPv4-Home-Address AVP">
<t>The PMIP6-IPv4-Home-Address AVP (AVP Code TBD2) is of type Address
and contains an IPv4 address. This AVP is used to carry
the IPv4-MN-HoA, if available, from the HAAA to the MAG.
This AVP SHOULD only be present when the MN is statically provisioned
with the IPv4-MN-HoA. Note that proactive dynamic assignment of the
IPv4-MN-HoA by the HAAA may result in unnecessary reservation of
IPv4 address resources, because the MN may considerably delay or completely
bypass its IPv4 address configuration.
</t>
<t>The PMIP6-IPv4-Home-Address AVP is also used on the LMA-to-HAAA
interface. The AVP contains the IPv4-MN-HoA
assigned to the MN. If the LMA
delegates the assignment of the IPv4-MN-HoA to the HAAA,
the AVP MUST contain all zeroes IPv4 address (i.e., 0.0.0.0) in the
request message. If the LMA delegated the IPv4-MN-HoA
assignment to the HAAA, then the AVP contains the
HAAA assigned IPv4-MN-HoA in the response message.
</t>
</section>
<section title="MIP6-Home-Link-Prefix AVP" anchor="MIP6-Home-Link-Prefix">
<t>The MIP6-Home-Link-Prefix AVP (AVP Code 125) is defined
in <xref target="RFC5447"/>. This AVP is
used to carry the MN-HNP, if available, from the HAAA to the MAG.
The low 64 bits of the prefix MUST be all zeroes.
</t>
<t>The MIP6-Home-Link-Prefix AVP is also used on the LMA-to-HAAA
interface. The AVP contains the
prefix assigned to the MN. If the LMA
delegates the assignment of the MN-HNP to the HAAA,
the AVP MUST contain all zeroes address (i.e., 0::0) in the
request message. If the LMA delegated the MN-HNP
assignment to the HAAA, then the AVP contains the
HAAA assigned MNM-HNP in the response message.
</t>
</section>
<section title="PMIP6-DHCP-Server-Address AVP">
<t>The PMIP6-DHCP-Server-Address AVP (AVP Code TBD1) is of type Address
and contains the IP address of the Dynamic Host Configuration Protocol
(DHCP) server assigned to the MAG serving the newly attached MN. If
the AVP contains a DHCPv4 <xref target="RFC2131"/> server
address, then the Address type MUST be IPv4. If the AVP contains a
DHCPv6 <xref target="RFC3315"/> server address, then the Address type
MUST be IPv6. The HAAA MAY assign a DHCP server to the MAG in
deployments where the MAG acts as a DHCP Relay
<xref target="I-D.ietf-netlmm-pmip6-ipv4-support"/>.
</t>
</section>
<section title="MIP6-Feature-Vector AVP" anchor="capability">
<t>The MIP6-Feature-Vector AVP is originally defined in <xref
target="RFC5447"/>. This document
defines new capability flag bits according to the IANA rules in
RFC 5447.
</t>
<t><list style="hanging">
<t hangText="PMIP6_SUPPORTED (0x0000010000000000)">
<vspace blankLines="1"/> When the MAG/NAS sets this
bit in the MIP6-Feature-Vector AVP, it is an indication
to the HAAA that the NAS supports PMIPv6. When the
HAAA sets this bit in the response MIP6-Feature-Vector AVP, it
indicates that the HAAA also has PMIPv6 support. This
capability bit can also be used to allow PMIPv6 mobility
support in a subscription granularity.
<vspace blankLines="1"/>
</t>
<t hangText="IP4_HOA_SUPPORTED (0x0000020000000000)">
<vspace blankLines="1"/> Assignment of the
IPv4-MN-HoA is supported. When the MAG sets this
bit in the MIP6-Feature-Vector AVP, it indicates that the MAG
implements a minimal functionality of a DHCP server (and a
relay) and is able to deliver IPv4-MN-HoA to the MN. When the
HAAA sets this bit in the response MIP6-Feature-Vector AVP, it
indicates that the HAAA has authorized the use of IPv4-MN-HoA
for the MN. If this bit is unset in the returned
MIP6-Feature-Vector AVP, the HAAA does not authorize the
configuration of IPv4 address.
<vspace blankLines="1"/>
</t>
<t hangText="LOCAL_MAG_ROUTING_SUPPORTED (0x0000040000000000)">
<vspace blankLines="1"/>Direct routing of IP packets
between MNs anchored to the same MAG is supported. When a
MAG sets this bit in the MIP6-Feature-Vector, it indicates
that routing IP packets between MNs anchored to the
same MAG is supported, without reverse tunneling
packets via the LMA or requiring any Route Optimization
related signaling (e.g. the Return Routability Procedure in
<xref target="RFC3775"/>) prior direct routing. If this
bit is cleared in the returned MIP6-Feature-Vector AVP, the
HAAA does not authorize direct routing of packets between
MNs anchored to the same MAG. The MAG SHOULD support this policy
feature per-MN and per-subscription basis.
<vspace blankLines="1"/>
</t>
</list></t>
<t>The MIP6-Feature-Vector AVP is also used on
the LMA to HAAA interface.
Using the capability announcement AVP it is possible
to perform a simple capability negotiation between the LMA and
the HAAA. Those capabilities that are announced by both parties
are also known to be mutually supported. The capabilities
listed in earlier are also supported
in the LMA to HAAA interface. The LMA to HAAA interface
does not define any new capability values.
</t>
</section>
<section title="Mobile-Node-Identifier AVP" anchor="mnid">
<t>The Mobile-Node-Identifier AVP (AVP Code TBD3) is of type
UTF8String and contains the
mobile node identifier (MN-Identifier, see <xref
target="RFC5213"/>) in the NAI <xref target="RFC4282"/>
format. This AVP is used on the MAG-to-HAAA interface. The
Mobile-Node-Identifier AV is designed for
deployments where the MAG does not have a way to
find out such MN identity that could be used in subsequent
PBU/PBA exchanges (e.g., due to identity hiding during the
network access authentication) or the HAAA wants to assign
periodically changing identities to the MN.
</t>
<t>The Mobile-Node-Identifier AVP is returned in the answer message
that ends a successful authentication (and possibly an
authorization) exchange between the MAG and the HAAA,
assuming the HAAA is also able to provide the MAG with the
MN-Identifier in the first place. The
MAG MUST use the received MN-Identifier, if it has not been
able to get the mobile node identifier through other means.
If the MAG already has a valid mobile node identifier, then
the MAG MUST silently discard the received
MN-identifier.
</t>
</section>
<section title="Calling-Station-Id AVP">
<t>The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
contains a Link-Layer Identifier of the MN. This
identifier corresponds to the Link-Layer Identifier as defined in
RFC 5213 Section 2.2 and 8.6. The Link-Layer Identifier is encoded
in ASCII format (upper case only), with octet values separated by a
"-". Example: "00-23-32-C9-79-38". The encoding is actually the
same as the MAC address encoding in Section 3.21 of RFC 3580.
</t>
</section>
<section title="Service-Selection AVP" anchor="sersel">
<t>The Service-Selection AVP (AVP Code 493) is of type UTF8String and
contains a LMA provided service identifier on the LMA-to-HAAA
interface. This AVP is re-used from <xref
target="I-D.ietf-dime-mip6-split"/>. The service identifier may be used to assist the
PBU authorization and the assignment of the MN-HNP and the IPv4-MN-HoA
as described in RFC 5149 <xref target="RFC5149"/>. The identifier MUST
be unique within the PMIPv6 Domain. In the absence of the
Service-Selection AVP in the request message, the HAAA may want
to inform the LMA
of the default service provisioned to the MN and
include the Service-Selection AVP in the response message.
</t>
<t>It is also possible that the MAG receives the service selection
information from the MN, for example, via some lower layer mechanism.
In this case the MAG MUST include the Service-Selection AVP also
in the MAG-to-HAAA request messages. In absence of the Service-Selection AVP
in the MAG-to-HAAA request messages, the HAAA may want to inform the MAG
of the default service provisioned to the MN and
include the Service-Selection AVP in the response message.
</t>
<t>Whenever the Service-Selection AVP is included either in a request
message or in a response message, and the AAA interaction with
HAAA completes successfully, it is an indication that
the HAAA also authorized the MN to some service. This should be
taken into account when considering what to include in the
Auth-Request-Type AVP.
</t>
<t>The service selection concept supports signaling one service at
time. However, the MN policy profile MAY support multiple services
being used simultaneously. For this purpose, the HAAA MAY return
multiple LMA and service pairs (see <xref target="conf"/>) to the
MAG in a response message that ends a successful authentication
(and possibly an authorization) exchange between the MAG and the
HAAA. Whenever the MN initiates additional mobility session to
another service (using a link layer or deployment specific method),
the provisioned service information is already contained in the MAG.
Therefore, there is no need for additional AAA signaling between
the MAG and the HAAA.
</t>
</section>
<section title="Service-Configuration AVP" anchor="conf">
<t>The Service-Configuration AVP (AVP Code TBD4) is of type Grouped and
contains a service and a LMA pair. The HAAA can use this AVP
to inform the MAG of MN's subscribed services and LMAs where those
services are hosted in.
</t>
<figure><artwork><![CDATA[
Service-Configuration ::= < AVP-Header: TBD4 >
[ MIP6-Agent-Info ]
[ Service-Selection ]
* [ AVP ]
]]></artwork>
</figure>
</section>
</section>
<!-- ========================================================= -->
<section title="Proxy Mobile IPv6 Session Management" anchor="session">
<t>Concerning a PMIPv6 mobility session, the HAAA,
the MAG and the LMA Diameter entities SHOULD be stateful and
maintain the corresponding Authorization Session State Machine
defined in <xref target="RFC3588"/>. If a state is maintained,
then a PMIPv6 mobility session that can be identified by any
of the Binding Cache (BCE) Lookup Keys described in RFC 5213
(see Sections 5.4.1.1., 5.4.1.2. and 5.4.1.3.) MUST
map to a single Diameter Session-Id. If the PMIPv6 Domain allows
further separation of sessions, for example, identified
by the RFC 5213 BCE Lookup Keys and the service selection
combination (see <xref target="sersel"/> and <xref target="RFC5149"/>),
then a single Diameter Session-Id MUST map to a PMIPv6 mobility
session identified by the RFC 5213 BCE Lookup Keys and the
selected service.
</t>
<t>If both the MAG-to-HAAA and the LMA-to-HAAA interfaces are
deployed in a PMIPv6 Domain, and a state is maintained on
both interfaces, then one PMIPv6 mobility session would have
two distinct Diameter sessions on the HAAA. The HAAA needs
to be aware of this deployment possibility and SHOULD allow
multiple
Diameter sessions for the same PMIPv6 mobility session.
</t>
<t>
Diameter session termination related commands described in
the following sections may be exchanged between the LMA and
the HAAA, or between the MAG and the HAAA.
The actual PMIPv6 session termination procedures take place
at PMIPv6 protocol level and are described in more detail in
RFC 5213 and <xref target="I-D.ietf-mext-binding-revocation"/>.
</t>
<section title="Session-Termination-Request">
<t>The LMA or the MAG MAY send the Session-Termination-Request
(STR) command <xref target="RFC3588"/> to inform the HAAA that the
termination of an ongoing PMIPv6 session is in progress.
</t>
</section>
<section title="Session-Termination-Answer">
<t>The Session-Termination-Answer (STA) <xref
target="RFC3588"/> is sent by the HAAA to
acknowledge the termination of a PMIPv6 session.
</t>
</section>
<section title="Abort-Session-Request">
<t>The HAAA MAY send the Abort-Session-Request (ASR) command
<xref target="RFC3588"/> to the LMA or to the MAG and
request termination of a PMIPv6 session.
</t>
</section>
<section title="Abort-Session-Answer">
<t>The Abort-Session-Answer (ASA) command <xref
target="RFC3588"/>is sent by the LMA or the MAG to
acknowledge that the termination of a PMIPv6 session.
</t>
</section>
</section>
<!-- ====================================================================== -->
<section title="Attribute Value Pair Occurrence Tables">
<t>The following tables list the PMIPv6 MAG-to-HAAA interface and
LMA-to-HAAA interface AVPs including those that are defined in
<xref target="RFC5447"/>.
</t>
<t>The <xref target="magavptable"/> contains the AVPs and
their occurrences on the MAG-to-HAAA interface. The AVPs that
are part of grouped AVP are not listed in the table, rather
only the grouped AVP is listed.
</t>
<section title="MAG-to-HAAA Interface" anchor="magavpsection">
<t><figure anchor="magavptable" title="MAG-to-HAAA Interface
Generic Diameter Request and Answer Commands AVPs">
<artwork><![CDATA[
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | REQ | ANS |
-------------------------------+-------+-------+
PMIP6-DHCP-Server-Address | 0 | 0+ |
MIP6-Agent-Info | 0+ | 0+ |
MIP6-Feature-Vector | 0-1 | 0-1 |
Mobile-Node-Identifier | 0-1 | 0-1 |
Calling-Station-Id | 0-1 | 0 |
Service-Selection | 0-1 | 0 |
Service-Configuration | 0 | 0+ |
+-------+-------+
]]></artwork>
</figure>
</t>
</section>
<section title="LMA-to-HAAA Interface" anchor="lmaavpsection">
<t><figure anchor="lmaavptable" title="LMA-to-HAAA Interface
Generic Diameter Request and Answer Commands AVPs">
<artwork><![CDATA[
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | REQ | ANS |
-------------------------------+-------+-------+
MIP6-Agent-Info | 0-1 | 0-1 |
MIP6-Feature-Vector | 0-1 | 0-1 |
Calling-Station-Id | 0-1 | 0 |
Service-Selection | 0-1 | 0-1 |
User-Name | 0-1 | 0-1 |
+-------+-------+
]]></artwork>
</figure>
</t>
</section>
</section>
<!-- ====================================================================== -->
<section title="Example Signaling Flows">
<t><xref target="example1"/> shows a signaling flow example during PMIPv6
bootstrapping using the AAA interactions defined in this
specification. In step (1) of this example, the MN is authenticated to
PMIPv6 Domain using EAP-based authentication. The MAG to the HAAA signaling
uses the Diameter EAP Application. During step (2), the LMA uses Diameter
NASREQ application to authorize the MN with the HAAA server.
</t>
<t>The MAG-to-HAAA AVPs, as listed in <xref target="magavpsection"/>
are used during step (1). These AVPs are included only in the Diameter
EAP Request (DER) message which starts the EAP exchange and in the
corresponding Diameter EAP Answer (DEA)
message which successfully completes this EAP exchange. The LMA-to-HAAA
AVPs, as listed in <xref target="lmaavpsection"/>, are used
during step (2). Step (2) is used to authorize the MN request for the
mobility service and update the HAAA server with the assigned LMA
information. In addition, this step may be used to dynamically assist
in the assignment of the MN-HNP.
</t>
<t><figure title="MAG and LMA Signaling Interaction with AAA server during
PMIPv6 bootstrapping" anchor="example1">
<artwork><![CDATA[
MN MAG/NAS LMA HAAA
| | | |
| L2 attach | | |
|-------------------->| | |
| EAP/req-identity | | |
|<--------------------| | |
| EAP/res-identity | DER + MAG-to-HAAA AVPs | s
|-------------------->|---------------------------------------->| t
| EAP/req #1 | DEA (EAP request #1) | e
|<--------------------|<----------------------------------------| p
| EAP/res #2 | DER (EAP response #2) |
|-------------------->|---------------------------------------->| 1
: : : :
: : : :
| EAP/res #N | DER (EAP response #N) |
|-------------------->|---------------------------------------->|
| EAP/success | DEA (EAP success) + MAG-to-HAAA AVPs |
|<--------------------|<----------------------------------------|
: : : :
: : : :
| | PMIPv6 PBU | AAR + | s
| |------------------->| LMA-to-HAAA AVPs | t
| | |------------------->| e
| | | AAA + | p
| | | LMA-to-HAAA AVPs |
| | PMIPv6 PBA |<-------------------| 2
| RA |<-------------------| |
|<--------------------| | |
: : : :
: : : :
| IP connectivity | PMIPv6 tunnel up | |
|---------------------|====================| |
| | | |
]]></artwork>
</figure>
</t>
</section>
<!-- ====================================================================== -->
<section title="IANA Considerations">
<section title="Attribute Value Pair Codes">
<t>This specification defines the following new AVPs:
<figure><artwork><![CDATA[
PMIP6-DHCP-Server-Address is set to TBD1
PMIP6-IPv4-Home-Address is set to TBD2
Mobile-Node-Identifier is set to TBD3
Service-Configuration is set to TBD4
]]></artwork></figure></t>
</section>
<section title="Namespaces">
<t>This specification defines new values to the Mobility
Capability registry (see <xref
target="RFC5447"/>)
for use with the MIP6-Feature-Vector
AVP:
<figure><artwork><![CDATA[
Token | Value | Description
---------------------------------+----------------------+------------
PMIP6_SUPPORTED | 0x0000010000000000 | [RFC TBD]
IP4_HOA_SUPPORTED | 0x0000020000000000 | [RFC TBD]
LOCAL_MAG_ROUTING_SUPPORTED | 0x0000040000000000 | [RFC TBD]
]]></artwork></figure>
</t>
</section>
<!--section title="Result-Code AVP Values">
<t>This specification requests IANA to allocate a new value to
the Result-Code AVP (AVP Code 268) address space within the Permanent
Failures category (5xxx) defined in <xref target="RFC3588"/>:
<figure><artwork><![CDATA[
DIAMETER_PMIP6_AUTHORIZATION_FAILED is set to TBD5
]]></artwork></figure>
</t>
</section-->
</section>
<!-- ====================================================================== -->
<section title="Security Considerations">
<t>The security considerations of the Diameter Base protocol <xref
target="RFC3588"/>, Diameter EAP application <xref target="RFC4072"/>,
Diameter NASREQ application <xref target="RFC4005"/>
and Diameter Mobile IPv6 integrated scenario bootstrapping <xref
target="RFC5447"/> are applicable to this document.
</t>
<t>In general, the Diameter messages may be transported between the LMA and the
Diameter server via one or more AAA brokers or Diameter agents. In
this case the LMA to the Diameter server AAA communication rely on the
security properties of the intermediate AAA brokers and Diameter
agents (such as proxies).
</t>
</section>
<!-- ====================================================================== -->
<section title="Acknowledgements">
<t>Jouni Korhonen would like to thank the TEKES GIGA program MERCoNe-project for
providing funding to work on this document while he was with
TeliaSonera. The authors also thank Pasi Eronen, Peter McCann,
Spencer Dawkins and Marco Liebsch for their detailed reviews on this
document.
</t>
</section>
<!-- ====================================================================== -->
</middle>
<!-- ====================================================================== -->
<back>
<references title="Normative References">
&HUIHAI;
&RFC3588;
&RFC4072;
&RFC4005;
&RFC4282;
&RFC5213;
&I-D.ietf-dime-mip6-split;
&RFC5447;
</references>
<references title="Informative References">
&I-D.ietf-netlmm-pmip6-ipv4-support;
&I-D.ietf-mext-binding-revocation;
&RFC3775;
&RFC3748;
&RFC4283;
&RFC5149;
&RFC2131;
&RFC3315;
&I-D.ietf-netlmm-lma-discovery;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:56:27 |