90 likes | 297 Views
AAA Mobile IPv6 Application Framework. draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin. IETF 61 – 12 Nov 2004. Why AAA?. Centralized service management Especially useful when MN can use any one of multiple HAs HAs on the same subnet HAs in the same service provider domain
E N D
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004
Why AAA? • Centralized service management • Especially useful when MN can use any one of multiple HAs • HAs on the same subnet • HAs in the same service provider domain • HAs across service provider domains
Why Talking About a Framework? • There are multiple ways to utilize AAA for Mobile IPv6 service (see solution space!) • Before we embark on solutions, MIP6 WG should: • Identify different frameworks of using AAA for MIP6 • Select one or more framework (many considerations go in here) • Identify requirements/solutions based on that • Take the RADIUS/Diameter solutions to AAA++ WG, handle MIP6 changes (if any) in MIP6 WG
Frameworks • (1) Using network access AAA to deliver MIP6 bootstrapping information to MN • draft-giaretta-mip6-authorization-eap-01 • draft-le-aaa-mipv6-requirements-03 • draft-ohnishi-mip6-aaa-problem-statement-00 • (2) Using network access AAA to deliver MIP6 bootstrapping information to NAS • draft-chowdhury-mip6-bootstrap-radius-00 • It is assumed that info will be delivered from NAS to MN via another protocol (e.g., draft-jang-dhc-haopt-00)
Frameworks • (3) Piggybacking MIP6 signaling (BU) with network access AAA • draft-le-aaa-mipv6-requirements-03 • (4) AAA of Mobile IPv6 signaling (IKE, BU) • MIP6 AAA is independent of network access AAA • Described in this I-D
Framework 4 Mobile <---------------> Home agent/ <--------------> AAA node IKE, AAA client RADIUS or server Mobile IPv6 Diameter MN HA AAA server | | Auth/Authz for | | IKE | MIPv6 IPsec SA | |<------------------->|<-------------------->| | | | | Binding Update | Authz for BU | |<------------------->|<-------------------->| | | | | | | | | | | Binding Update | Authz for BU | |<------------------->|<-------------------->| | | | v time
Example Framework4 Implementation • Using EAP/IKEv2 for authentication MIP6 MN/ <----------------> MIP6 HA/ <---------------> EAP auth server/ EAP peer EAP/IKEv2, EAP auth’or/ EAP/RADIUS, AAA server Mobile IPv6 AAA Client RADIUS • EAP enables • end2end authentication between MN and AAA server • SA establishment between MN and HA (AAA-Key) • Note: IKE/IPsec-less implementations of this framework is possible (draft-ietf-mip6-auth-protocol-00).
Relation to MIP6 Bootstrapping • Framework 4 assumes MN already knows the HA • Rely on static configuration or other dynamic discovery schemes • MN-HA SA is dynamically created as a result of MIP6-AAA execution • Home address can be assigned before, during, or after the MIP6-AAA execution • Therefore, this framework provides a partial solution to bootstrapping problem
Summary • Identification of frameworks and detailed discussion on one (fwk4) • Proposal to MIP6 WG: • Start by framework identification (discovery) • Solution introductions help that • Select one or more (how?) • Identify required changes on MIP6 (if any) and AAA protocols • Produce requirements for AAA -- augmented or new AAA applications (interface to AAA++ WG)