This document identifies and discusses various frameworks in which Authentication, Authorization, and Accounting (AAA) is used for the Mobile IPv6 service, with the objective of agreeing on one or more of them to standardize. It emphasizes the role of AAA, particularly via a MIP6-AAA protocol (e.g., RADIUS). Key topics include centralized management of authentication, authorization, and accounting; the use of AAA interfaces before and during a MIP6 session; and accounting considerations regarding signaling and traffic counters kept between the Mobile Node (MN), Home Agent (HA), and AAA server.
AAA-Mobile IPv6 Frameworks
Alper Yegin
IETF 62
Objective
• Identify various frameworks where AAA is used for the Mobile IPv6 service
• Agree on one (or more) to standardize
Why AAA?
• MIP6-AAA protocol (e.g., RADIUS) interworking for:
  • Centralized auth, authz, and acct management
  • Use AAA interfaces during a MIP6 session
• HA, HoA, MN-HA key discovery
  • Use AAA interfaces before a MIP6 session
Framework 4
• AAA protocol is executed between the HA and the AAA server for MIP6 AAA
• MN-HA key is generated during MIP6 session establishment (optionally HoA as well)
• Considerations
  • Independent of the network access AAA
  • MN must already know the HA
  • Accounting: signaling and traffic counters on the HA
[Diagram: MN, NAS, HA, AAA server; MIP6 between MN and HA, RADIUS between HA and AAA server]
Framework 1
• Using network access AAA to deliver MIP6 configuration info (HA, optionally HoA and MN-HA key)
• Considerations
  • Optimized
  • ASP must know MSP info (integrated SP)
  • Applicability of EAP for host configuration
[Diagram: MN, NAS, HA, AAA server; config info delivered to MN via EAP method; MIP6 between MN and HA; {HoA, key} delivered to HA via RADIUS as in Fwk-4]
Framework 2
• Using network access AAA to deliver MIP6 configuration info first to the NAS, then to the MN
• Considerations
  • Similar to RADIUS Framed-IP-Address attribute
  • If NAS is a DHCP relay, info needs to be relayed to the DHCP server first
  • DHCP relay agent option
[Diagram: MN, NAS, HA, AAA server; config info delivered NAS to MN via DHCP or PANA, AAA server to NAS via RADIUS; MIP6 between MN and HA; {HoA, key} delivered to HA via RADIUS as in Fwk-4]
Framework 3
• Piggybacking MIP6 signaling (BU) with network access AAA
• BU may also be transported via EAP lower-layers
• Considerations
  • Optimized (RTT to home domain reduced)
  • Integrated SP
  • Added complexity
    • MN must learn HA, CoA during/before network access AAA
    • AAA server encaps/decaps or tunnels BU to HA
    • Authorization result coordination between MIP6 and network access services
[Diagram: MN, NAS, AAA server, HA; BU carried in EAP method from MN through NAS to AAA server, then BU(?) from AAA server to HA]
Where to go now?
• Fwk-4: New AAA-MIP6 application for HA-AAA interface
• Fwk-1: EAP method attributes for MIP6 config
• Fwk-2: AAA attributes + PANA/DHCP options for MIP6 config
• Fwk-3: BU piggybacked in network access AAA (EAP lower-layer or method attributes)
Framework 4

    Mobile  <--------------->  Home agent/  <-------------->  AAA
    node        IKE, BU        AAA client     RADIUS or       server
                                              Diameter

       MN                     HA                    AAA server
       |                      |                         |
       |         IKE          |    Auth/Authz for       |
       |<-------------------->|    MIPv6 IPsec SA       |
       |                      |<----------------------->|
       |                      |                         |
       |    Binding Update    |      Authz for BU       |
       |<-------------------->|<----------------------->|
       |                      |                         |
       |                      |                         |
       |    Binding Update    |      Authz for BU       |
       |<-------------------->|<----------------------->|
       |                      |                         |
       v time
Example Framework 4 Implementation
• Using EAP/IKEv2 for authentication

    MIP6 MN/   <---------------->  MIP6 HA/        <--------------->  EAP auth server/
    EAP peer     EAP/IKEv2, BU     EAP auth'or/      EAP/RADIUS,       AAA server
                                   AAA client        RADIUS

• EAP enables
  • end-to-end authentication between MN and AAA server
  • SA establishment between MN and HA (AAA-Key)
• Note: IKE/IPsec-less implementations of this framework are possible (draft-ietf-mip6-auth-protocol-00)
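As an added example (not code from the slides or from any MIP6 implementation), the following Python models the Framework 4 exchange shown in the sequence diagram above: the HA acts as AAA client, obtains the HoA and MN-HA key from the AAA server at session establishment, authorizes each Binding Update against that key (rejecting replayed sequence numbers and bad authenticators), and reports its signaling and traffic counters to AAA accounting. The key derivation, BU authenticator format, NAI, addresses and secrets are constructed assumptions, not the protocol's actual encodings.

```python
import hmac, hashlib

def derive_mn_ha_key(secret, nonce):  # assumed KDF: HMAC-SHA256 over a label and the session nonce
    return hmac.new(secret, b"MIP6-MN-HA-key" + nonce, hashlib.sha256).digest()

def bu_auth(key, hoa, coa, seq):  # constructed BU authenticator over the fields the HA checks
    return hmac.new(key, f"{hoa}|{coa}|{seq}".encode(), hashlib.sha256).digest()

class AAAServer:
    def __init__(self, subscribers):  # NAI -> (long-term secret, assigned HoA); constructed data
        self.subscribers, self.records = subscribers, []
    def access_request(self, nai, nonce):  # HA -> AAA: authorize the MN, return HoA and MN-HA key
        if nai not in self.subscribers: return None
        secret, hoa = self.subscribers[nai]
        return hoa, derive_mn_ha_key(secret, nonce)
    def accounting_request(self, nai, signaling, traffic):  # HA -> AAA at session end
        self.records.append((nai, signaling, traffic))

class HomeAgent:
    def __init__(self, aaa):
        self.aaa, self.sessions = aaa, {}
    def establish(self, nai, nonce):  # MIP6 session setup: MN-HA key generated via the AAA server
        reply = self.aaa.access_request(nai, nonce)
        if reply is None: return None
        hoa, key = reply
        self.sessions[nai] = dict(hoa=hoa, key=key, seq=-1, coa=None, signaling=0, traffic=0)
        return hoa
    def binding_update(self, nai, coa, seq, auth):  # authz for each BU against the MN-HA key
        s = self.sessions.get(nai)
        if s is None or seq <= s["seq"]: return False  # unknown MN or replayed sequence number
        if not hmac.compare_digest(auth, bu_auth(s["key"], s["hoa"], coa, seq)): return False
        s["coa"], s["seq"], s["signaling"] = coa, seq, s["signaling"] + 1
        return True
    def forward(self, nai, nbytes):  # traffic counter kept on the HA
        self.sessions[nai]["traffic"] += nbytes
    def release(self, nai):  # push the HA-side counters to AAA accounting
        s = self.sessions.pop(nai)
        self.aaa.accounting_request(nai, s["signaling"], s["traffic"])

def run_session():
    nai, secret, nonce = "mn@example.net", b"constructed-secret", b"constructed-nonce"
    aaa = AAAServer({nai: (secret, "2001:db8:1::10")})
    ha = HomeAgent(aaa)
    hoa = ha.establish(nai, nonce)
    mn_key = derive_mn_ha_key(secret, nonce)  # MN derives the same key from its own credential
    coa = "2001:db8:2::5"
    ok = ha.binding_update(nai, coa, 1, bu_auth(mn_key, hoa, coa, 1))
    replay = ha.binding_update(nai, coa, 1, bu_auth(mn_key, hoa, coa, 1))      # same seq again
    forged = ha.binding_update(nai, coa, 2, bu_auth(b"wrong-key", hoa, coa, 2))  # wrong MN-HA key
    ha.forward(nai, 1500)
    ha.release(nai)
    return hoa, ok, replay, forged, aaa.records
```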