AAA-Mobile IPv6 Frameworks - PowerPoint PPT Presentation

Slides: 13
Provided by: iet79
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
AAA-Mobile IPv6 Frameworks
  • Alper Yegin

IETF 62
2
Objective
  • Identify various frameworks where AAA is used for
    the Mobile IPv6 service
  • Agree on one (or more) to standardize

3
Why AAA?
  • MIP6-AAA protocol (e.g., RADIUS) interworking for:
      • Centralized auth, authz, and acct management
          • Use AAA interfaces during a MIP6 session
      • HA, HoA, MN-HA key discovery
          • Use AAA interfaces before a MIP6 session

4
Framework 4
  • AAA protocol is executed between the HA and the
    AAA server for MIP6 AAA
  • MN-HA key is generated during MIP6 session
    establishment (optionally HoA as well)
  • Considerations
      • Independent of the network access AAA
      • MN must already know the HA
      • Accounting: Signaling and traffic counters on the HA

[Diagram: entities MN, NAS, HA, AAA server; links labelled RADIUS and MIP6]
5
Framework 1
  • Using network access AAA to deliver MIP6
    configuration info (HA, optionally HoA and MN-HA
    key)
  • Considerations
      • Optimized
      • ASP must know MSP info (integrated SP)
      • Applicability of EAP for host configuration
[Diagram: entities AAA server, MN, NAS, HA; links labelled info/EAP_method, {HoA,key}/RADIUS, MIP6, Fwk-4]
6
Framework 2
  • Using network access AAA to deliver MIP6
    configuration info first to the NAS, then to the
    MN
  • Considerations
      • Similar to RADIUS Framed-IP-Address attribute
      • If NAS is DHCP relay, info needs to be relayed to
        DHCP server first.
      • DHCP relay agent option
[Diagram: entities AAA server, MN, NAS, HA; links labelled info/RADIUS, info/DHCP, PANA, {HoA,key}/RADIUS, MIP6, Fwk-4]
7
Framework 3
  • Piggybacking MIP6 signaling (BU) with network
    access AAA
  • BU may also be transported via EAP lower-layers
  • Considerations
      • Optimized (RTT to home domain reduced)
      • Integrated SP
      • Added complexity
      • MN must learn HA, CoA during/before network
        access AAA
      • AAA server encaps/decaps or tunnels BU to HA
      • Authorization result coordination between MIP6
        and network access services
[Diagram: entities MN, NAS, AAA server, HA; links labelled BU(?) and BU/EAP_method]
8
MIP6 Bootstrapping
HA discovery HoA discovery MN-HA key generation
DNS RFC3775 anycast IKEv2 mip6-mn-ident-option - Fwk-4
Fwk-2 PANA/DHCP Fwk-2 PANA/DHCP IKEv2 mip6-mn-ident-option Fwk-4 Fwk-2 PANA/DHCP (for MN) Fwk-4 (for HA)
- Fwk-1 Fwk-1 IKEv2 mip6-mn-ident-option Fwk-1 (for MN) Fwk-4 (for HA) - Fwk-4
9
Where to go now?
  • Fwk-4: New AAA-MIP6 application for HA-AAA
    interface
  • Fwk-1: EAP method attributes for MIP6 config
  • Fwk-2: AAA attributes, PANA/DHCP options for
    MIP6 config
  • Fwk-3: BU piggybacked in network access AAA (EAP
    lower-layer or method attributes)

10
Appendix
11
Framework 4
  Mobile node <-- IKE, BU --> Home agent / AAA client <-- RADIUS or Diameter --> AAA server

  MN                      HA                      AAA server
                              Auth/Authz for IKE
     MIPv6 IPsec SA
  <--------------------><-------------------->

     Binding Update           Authz for BU
  <--------------------><-------------------->

     Binding Update           Authz for BU
  <--------------------><-------------------->
  v time
12
Example Framework4 Implementation
  • Using EAP/IKEv2 for authentication

  MIP6 MN / EAP peer <-- EAP/IKEv2, BU --> MIP6 HA / EAP author / AAA client <-- EAP/RADIUS, RADIUS --> EAP auth server / AAA server

  • EAP enables
      • end2end authentication between MN and AAA server
      • SA establishment between MN and HA (AAA-Key)
  • Note: IKE/IPsec-less implementations of this
    framework are possible (draft-ietf-mip6-auth-protocol-00).