AAA-Mobile IPv6 Frameworks
Alper Yegin
IETF 62
Objective
• Identify various frameworks where AAA is used for the Mobile IPv6 service
• Agree on one (or more) to standardize
Why AAA?
• MIP6-AAA protocol (e.g., RADIUS) interworking for:
  • Centralized auth, authz, and acct management
    • Use AAA interfaces during a MIP6 session
  • HA, HoA, MN-HA key discovery
    • Use AAA interfaces before a MIP6 session
Framework 4
• AAA protocol is executed between the HA and the AAA server for MIP6 AAA
• MN-HA key is generated during MIP6 session establishment (optionally HoA as well)
• Considerations
  • Independent of the network access AAA
  • MN must already know the HA
  • Accounting: signaling and traffic counters kept on the HA
[Figure: MN, NAS, HA, AAA server; MIP6 signaling between MN and HA, RADIUS between HA and AAA server]
Framework 1
• Using network access AAA to deliver MIP6 configuration info (HA, optionally HoA and MN-HA key)
• Considerations
  • Optimized
  • ASP (access service provider) must know MSP (mobility service provider) info (integrated SP)
  • Applicability of EAP for host configuration
[Figure: MN, NAS, HA, AAA server; config info carried MN to AAA server inside the EAP method, {HoA, key} carried AAA server to HA over RADIUS as in Fwk-4, MIP6 between MN and HA]
Framework 2
• Using network access AAA to deliver MIP6 configuration info first to the NAS, then to the MN
• Considerations
  • Similar to the RADIUS Framed-IP-Address attribute
  • If the NAS is a DHCP relay, the info needs to be relayed to the DHCP server first
    • DHCP relay agent option
[Figure: MN, NAS, HA, AAA server; config info carried AAA server to NAS over RADIUS and NAS to MN over DHCP or PANA, {HoA, key} carried AAA server to HA over RADIUS as in Fwk-4, MIP6 between MN and HA]
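The RADIUS leg of Framework 2 (info over RADIUS from the AAA server to the NAS), as an added example that is not from the slides: the AAA server returns the HoA in Framed-IPv6-Address (RFC 6911, the IPv6 counterpart of the Framed-IP-Address attribute the slide compares against) and the HA address in a Vendor-Specific attribute, and the NAS recomputes the RFC 2865 Response Authenticator before trusting either value. The shared secret, the Request Authenticator, the addresses, and the HA sub-attribute (placed under the enterprise number RFC 5612 reserves for documentation) are constructed assumptions; the page defines no standard attribute for the HA address.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS constants (RFC 2865)
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
# Framed-IPv6-Address (RFC 6911) stands in for the slide's Framed-IP-Address analogy
# and carries the MN's Home Address.
FRAMED_IPV6_ADDRESS = 168
# Hypothetical: no standard attribute for the HA address exists on this page, so it is
# carried in a VSA under the documentation enterprise number (RFC 5612), sub-type 1.
DOC_VENDOR_ID = 32473
VSA_HOME_AGENT = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (type 26) wrapping one Type/Length/Value sub-attribute."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """AAA server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust the attributes only if the Response Authenticator matches the one
    the NAS can recompute from the Request Authenticator it sent and the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(attrs: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV list, rejecting malformed lengths instead of looping or over-reading."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, attrs[pos + 2:pos + alen]))
        pos += alen
    return out


def extract_mip6_config(packet: bytes, request_auth: bytes, secret: bytes):
    """NAS side: verify first, then pull HoA and HA address out. None if anything is off."""
    if not verify_access_accept(packet, request_auth, secret):
        return None
    try:
        parsed = parse_attrs(packet[20:])
    except ValueError:
        return None
    cfg = {}
    for atype, value in parsed:
        if atype == FRAMED_IPV6_ADDRESS and len(value) == 16:
            cfg["hoa"] = str(ipaddress.IPv6Address(value))
        elif atype == VENDOR_SPECIFIC and len(value) == 22:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == DOC_VENDOR_ID and vtype == VSA_HOME_AGENT and vlen == 18:
                cfg["ha"] = str(ipaddress.IPv6Address(value[6:22]))
    return cfg


# Constructed sample values (not from the slides).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # random in a real Access-Request; fixed here for the example


def example_accept() -> bytes:
    """Access-Accept carrying HoA 2001:db8::2 and HA 2001:db8::1 (both constructed)."""
    attrs = attr(FRAMED_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8::2").packed)
    attrs += vsa(DOC_VENDOR_ID, VSA_HOME_AGENT, ipaddress.IPv6Address("2001:db8::1").packed)
    return build_access_accept(7, REQUEST_AUTH, attrs, SECRET)


def tampered_accept() -> bytes:
    """Same packet with the last byte of the HA address flipped on the wire."""
    pkt = bytearray(example_accept())
    pkt[-1] ^= 0x01
    return bytes(pkt)


if __name__ == "__main__":
    print(extract_mip6_config(example_accept(), REQUEST_AUTH, SECRET))
    print(extract_mip6_config(tampered_accept(), REQUEST_AUTH, SECRET))
```

The Response Authenticator only proves that the Accept was produced by a holder of the shared secret and binds it to the NAS's own request; it is MD5-based and RADIUS is normally protected at the transport layer (IPsec or RADIUS/TLS) in deployment. The point of the check here is that an MN must never be handed an HA address or HoA from an Accept the NAS has not verified.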
Framework 3
• Piggybacking MIP6 signaling (BU) with network access AAA
  • BU may also be transported via EAP lower layers
• Considerations
  • Optimized (RTT to home domain reduced)
  • Integrated SP
  • Added complexity
    • MN must learn HA, CoA during/before network access AAA
    • AAA server encaps/decaps or tunnels BU to HA
    • Authorization result coordination between MIP6 and network access services
[Figure: MN, NAS, AAA server, HA; BU carried MN to AAA server inside the EAP method, AAA server to HA as BU (?)]
Where to go now?
• Fwk-4: New AAA-MIP6 application for the HA-AAA interface
• Fwk-1: EAP method attributes for MIP6 config
• Fwk-2: AAA attributes + PANA/DHCP options for MIP6 config
• Fwk-3: BU piggybacked in network access AAA (EAP lower layer or method attributes)
Framework 4

  Mobile  <---------------->  Home agent/  <------------------>  AAA
  node        IKE, BU         AAA client     RADIUS or Diameter    server

  MN                          HA                               AAA server
   |                           |                                   |
   |          IKE              |      Auth/Authz for               |
   |                           |      MIPv6 IPsec SA               |
   |<------------------------->|<--------------------------------->|
   |                           |                                   |
   |      Binding Update       |      Authz for BU                 |
   |<------------------------->|<--------------------------------->|
   |                           |                                   |
   |                           |                                   |
   |      Binding Update       |      Authz for BU                 |
   |<------------------------->|<--------------------------------->|
   |                           |                                   |
   v time
Example Framework 4 Implementation
• Using EAP/IKEv2 for authentication

  MIP6 MN/  <----------------->  MIP6 HA/      <----------------->  EAP auth server/
  EAP peer    EAP/IKEv2, BU      EAP auth'or/    EAP/RADIUS,          AAA server
                                 AAA client      RADIUS

• EAP enables
  • End-to-end authentication between the MN and the AAA server
  • SA establishment between the MN and the HA (AAA-Key)
• Note: IKE/IPsec-less implementations of this framework are possible (draft-ietf-mip6-auth-protocol-00).
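The HA-AAA interaction of Framework 4, as an added example that is not code from the slides or from the draft they cite: the MN's first BU carries an authenticator computed with its long-term MN-AAA key; the HA, acting as AAA client, hands it to the AAA server, which verifies it and returns a derived MN-HA key, so the HA never holds the long-term key (the "AAA-Key" idea above). Later BUs are authenticated on the HA with the MN-HA key, checked for replay through the sequence number, and then authorized against the AAA server (the "Authz for BU" leg in the figure); every accepted BU bumps the HA's signaling counter. The message layout, key derivation, identities and addresses are simplified constructions, not the wire format of draft-ietf-mip6-auth-protocol, and the HA-AAA exchange is a direct call standing in for RADIUS.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class BindingUpdate:
    """Simplified BU (constructed layout, not the MIP6 wire format)."""
    mn_id: str
    hoa: str
    coa: str
    seq: int
    nonce: bytes        # MN-chosen per-session value that enters the MN-HA key derivation
    auth: bytes = b""   # MN-AAA authenticator on the first BU, MN-HA authenticator afterwards

    def signed_bytes(self) -> bytes:
        return f"{self.mn_id}|{self.hoa}|{self.coa}|{self.seq}|".encode() + self.nonce


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_mn_ha_key(mn_aaa_key: bytes, mn_id: str, ha_addr: str, nonce: bytes) -> bytes:
    """Run by the MN and by the AAA server; the HA only ever receives the output."""
    return mac(mn_aaa_key, b"MN-HA" + mn_id.encode() + ha_addr.encode() + nonce)


class AAAServer:
    def __init__(self, subscribers: dict[str, bytes]):
        self.subscribers = subscribers          # mn_id -> long-term MN-AAA key
        self.revoked: set[str] = set()

    def authorize_initial(self, bu: BindingUpdate, ha_addr: str):
        """HA -> AAA for a first BU: verify the MN-AAA authenticator, return MN-HA key or None."""
        key = self.subscribers.get(bu.mn_id)
        if key is None or bu.mn_id in self.revoked:
            return None
        if not hmac.compare_digest(mac(key, bu.signed_bytes()), bu.auth):
            return None
        return derive_mn_ha_key(key, bu.mn_id, ha_addr, bu.nonce)

    def authorize(self, mn_id: str) -> bool:
        """HA -> AAA authorization for a later BU (the 'Authz for BU' leg in the figure)."""
        return mn_id in self.subscribers and mn_id not in self.revoked


class HomeAgent:
    def __init__(self, addr: str, aaa: AAAServer):
        self.addr, self.aaa = addr, aaa
        self.bindings: dict[str, dict] = {}        # mn_id -> {"key", "seq", "coa"}
        self.signaling_count: dict[str, int] = {}  # accounting counter kept on the HA

    def process_bu(self, bu: BindingUpdate) -> str:
        b = self.bindings.get(bu.mn_id)
        if b is None:
            key = self.aaa.authorize_initial(bu, self.addr)
            if key is None:
                return "reject: AAA refused"
            self.bindings[bu.mn_id] = {"key": key, "seq": bu.seq, "coa": bu.coa}
            self.signaling_count[bu.mn_id] = 1
            return "accept: binding created"
        # Later BUs: authenticate locally first so forgeries never reach the AAA server.
        if not hmac.compare_digest(mac(b["key"], bu.signed_bytes()), bu.auth):
            return "reject: bad MN-HA authenticator"
        if bu.seq <= b["seq"]:
            return "reject: replayed or stale sequence number"
        if not self.aaa.authorize(bu.mn_id):
            del self.bindings[bu.mn_id]
            return "reject: AAA authorization revoked"
        b["seq"], b["coa"] = bu.seq, bu.coa
        self.signaling_count[bu.mn_id] += 1
        return "accept: binding refreshed"


class MobileNode:
    def __init__(self, mn_id: str, mn_aaa_key: bytes, hoa: str, ha_addr: str):
        self.mn_id, self.mn_aaa_key, self.hoa, self.ha_addr = mn_id, mn_aaa_key, hoa, ha_addr
        self.nonce, self.seq, self.mn_ha_key = os.urandom(8), 0, None

    def binding_update(self, coa: str) -> BindingUpdate:
        self.seq += 1
        bu = BindingUpdate(self.mn_id, self.hoa, coa, self.seq, self.nonce)
        if self.mn_ha_key is None:      # first BU of the session: MN-AAA authenticator
            bu.auth = mac(self.mn_aaa_key, bu.signed_bytes())
            self.mn_ha_key = derive_mn_ha_key(self.mn_aaa_key, self.mn_id, self.ha_addr, self.nonce)
        else:                           # later BUs: MN-HA authenticator, long-term key not touched
            bu.auth = mac(self.mn_ha_key, bu.signed_bytes())
        return bu


def run_session():
    """Constructed session; returns the HA's verdicts and the HA (for its counters)."""
    ltk = b"constructed-long-term-mn-aaa-key"
    aaa = AAAServer({"mn1@example.net": ltk})
    ha = HomeAgent("2001:db8::1", aaa)
    mn = MobileNode("mn1@example.net", ltk, "2001:db8::2", "2001:db8::1")
    verdicts = [ha.process_bu(mn.binding_update("2001:db8:1::10"))]  # HA-AAA round trip
    second = mn.binding_update("2001:db8:2::10")
    verdicts.append(ha.process_bu(second))                            # verified locally on HA
    verdicts.append(ha.process_bu(second))                            # replay of the same BU
    forged = BindingUpdate(mn.mn_id, mn.hoa, "2001:db8:666::1", 99, mn.nonce, auth=b"\x00" * 20)
    verdicts.append(ha.process_bu(forged))                            # attacker without the key
    aaa.revoked.add(mn.mn_id)
    verdicts.append(ha.process_bu(mn.binding_update("2001:db8:3::10")))  # subscription revoked
    return verdicts, ha
```

`run_session()` yields, in order: binding created, binding refreshed, the replay rejected, the forged BU rejected, and the BU after revocation rejected with the binding torn down. Ordering the checks authenticate, then replay, then authorize matters: the AAA round trip is only spent on BUs that already carry a valid MN-HA authenticator, which keeps an attacker who can only spoof packets from turning the HA into a load generator against the home AAA server.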