TOC 
Diameter Maintenance andJ. Korhonen, Ed.
Extensions (DIME)Nokia Siemens Network
Internet-DraftJ. Bournelle
Intended status: Standards TrackOrange Labs
Expires: October 18, 2009K. Chowdhury
 Starent Networks
 A. Muhanna
 Nortel
 U. Meyer
 RWTH Aachen
 April 16, 2009


Diameter Proxy Mobile IPv6: Mobile Access Gateway and Local Mobility Anchor Interaction with Diameter Server
draft-ietf-dime-pmip6-02.txt

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on October 18, 2009.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Abstract

This specification defines the Diameter support for the Proxy Mobile IPv6 and the corresponding mobility service session setup. The policy information needed by the Proxy Mobile IPv6 is defined in mobile node's policy profile, which could be downloaded from the Diameter server to the Mobile Access Gateway once the mobile node attaches to a Proxy Mobile IPv6 Domain and performs access authentication. During the binding update exchange between the Mobile Access Gateway and the Local Mobility Anchor, the Local Mobility Anchor can interact with the Diameter server in order to update the remote policy store with the mobility session related information.



Table of Contents

1.  Introduction
2.  Terminology and Abbreviations
3.  Solution Overview
4.  Attribute Value Pair Definitions
    4.1.  MIP6-Agent-Info AVP
    4.2.  PMIP6-IPv4-Home-Address AVP
    4.3.  MIP6-Home-Link-Prefix AVP
    4.4.  PMIP6-DHCP-Server-Address AVP
    4.5.  MIP6-Feature-Vector AVP
    4.6.  Mobile-Node-Identifier AVP
    4.7.  Calling-Station-Id AVP
    4.8.  Service-Selection AVP
    4.9.  Service-Configuration AVP
5.  Application Support and Command Codes
    5.1.  MAG-to-HAAA Interface
    5.2.  LMA-to-HAAA Interface
        5.2.1.  Authorization of the Proxy Binding Update
6.  Proxy Mobile IPv6 Session Management
    6.1.  Session-Termination-Request
    6.2.  Session-Termination-Answer
    6.3.  Abort-Session-Request
    6.4.  Abort-Session-Answer
7.  Attribute Value Pair Occurrence Tables
    7.1.  MAG-to-HAAA Interface
    7.2.  LMA-to-HAAA Interface
8.  Example Signaling Flows
9.  IANA Considerations
    9.1.  Attribute Value Pair Codes
    9.2.  Namespaces
    9.3.  Result-Code AVP Values
10.  Security Considerations
11.  Acknowledgements
12.  References
    12.1.  Normative References
    12.2.  Informative References
§  Authors' Addresses




 TOC 

1.  Introduction

In the Proxy Mobile IPv6 (PMIPv6) protocol [RFC5213] (Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, “Proxy Mobile IPv6,” August 2008.) and IPv4 support for Proxy Mobile IPv6 [I‑D.ietf‑netlmm‑pmip6‑ipv4‑support] (Wakikawa, R. and S. Gundavelli, “IPv4 Support for Proxy Mobile IPv6,” February 2010.) a Mobile Access Gateway (MAG) performs a proxy registration with a Local Mobility Anchor (LMA) on behalf of the mobile node (MN). In order to perform the proxy registration the MAG needs the IP address of the LMA, possibly MN's Home Network Prefix(es) (MN-HNP), MN's IPv4 home address (IPv4-MN-HoA), DHCP server address and other PMIPv6 specific information such as the allowed address configuration modes and roaming related policies. All this information is defined in MN's policy profile that gets downloaded from the Diameter server to the MAG once the MN attaches to the MAG's Proxy Mobile IPv6 Domain (PMIPv6 Domain) and performs the access authentication.

Dynamic assignment and downloading of PMIPv6 policy profile information is a desirable feature to ease the deployment and network maintenance of larger PMIPv6 deployments. For this purpose, the Authentication, Authorization, and Accounting (AAA) infrastructure, which is used for access authentication, can be leveraged to assign some or all of the necessary parameters. The Diameter server in the Mobility Service authorizer's (MSA) network may return these parameters to the Network Access Server (NAS).

Once the MN authenticates to the network the MAG sends a Proxy Binding Update (PBU) towards the LMA on behalf of the MN. When the LMA receives the PBU, the LMA may need to update the remote policy store located in the MSA with the MN's mobility session related information.

This specification defines the Diameter support for PMIPv6. In the context of this specification the location of the subscriber policy profile equals to the home Diameter server, which is also referred as the home AAA server (HAAA). The NAS functionality of the MAG may be co-located or an integral part of the MAG.



 TOC 

2.  Terminology and Abbreviations

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).

The general terminology used in this document can be found in [RFC5213] (Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, “Proxy Mobile IPv6,” August 2008.) and [I‑D.ietf‑netlmm‑pmip6‑ipv4‑support] (Wakikawa, R. and S. Gundavelli, “IPv4 Support for Proxy Mobile IPv6,” February 2010.). The following additional or clarified terms are also used in this document:

Network Access Server (NAS):

A device that provides an access service for a user to a network. In the context of this document the NAS may be integrated into or co-located to a MAG. The NAS contains a Diameter client function.

Home AAA (HAAA):

An Authentication, Authorization, and Accounting (AAA) server located in user's home network. A HAAA is essentially a Diameter server.



 TOC 

3.  Solution Overview

This document addresses the AAA interactions and AAA-based session management functionality needed in the PMIPv6 Domain. This document defines Diameter based AAA interactions between the MAG and the HAAA, and between the LMA and the HAAA.

The policy profile is downloaded from the HAAA to the MAG during the MN attachment to the PMIPv6 Domain. Figure 1 (Proxy Mobile IPv6 Domain Interaction with Diameter HAAA Server) shows the participating network entities. This document, however, concentrates on the MAG, LMA, and the home Diameter server.



 +--------+
 | HAAA & | Diameter +-----+
 | Policy |<---(2)-->| LMA |
 | Profile|          +-----+
 +--------+             | <--- LMA-Address
      ^                 |
      |               // \\
  +---|------------- //---\\----------------+
 (    |  IPv4/IPv6  //     \\                )
 (    |   Network  //       \\               )
  +---|-----------//---------\\-------------+
      |          //           \\
  Diameter      // <- Tunnel1  \\ <- Tunnel2
     (1)       //               \\
      |        |- MAG1-Address   |- MAG2-Address
      |     +----+             +----+
      +---->|MAG1|             |MAG2|
            +----+             +----+
               |                 |
               |                 |
             [MN1]             [MN2]

  Legend:

    (1): MAG-to-HAAA interaction is described
         in Section 5.1
    (2): LMA-to-HAAA interaction is described
         in Section 5.2

 Figure 1: Proxy Mobile IPv6 Domain Interaction with Diameter HAAA Server 

When a MN attaches to a PMIPv6 Domain, a network access authentication procedure is usually started. The choice of the authentication mechanism is specific to the access network deployment, but could be based on the Extensible Authentication Protocol (EAP) [RFC3748] (Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, “Extensible Authentication Protocol (EAP),” June 2004.). During the network access authentication procedure, the MAG acting as a NAS queries the HAAA through the AAA infrastructure using the Diameter protocol. If the HAAA detects that the subscriber is also authorized for the PMIPv6 service, PMIPv6 specific information is returned along with the successful network access authentication answer to the MAG.

After the MN has been successfully authenticated, the MAG sends a PBU to the LMA based on the MN's policy profile information. Upon receiving the PBU the LMA interacts with the HAAA and fetches the relevant parts of the subscriber policy profile and authorization information related to the mobility service session. In this specification, the HAAA has the role of the PMIPv6 remote policy store.



 TOC 

4.  Attribute Value Pair Definitions

This section describes Attribute Value Pairs (AVPs) defined by this specification or re-used from existing specifications in a PMIPv6 specific way.



 TOC 

4.1.  MIP6-Agent-Info AVP

The MIP6-Agent-Info grouped AVP (AVP Code 486) is defined in [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.). The AVP is used to carry LMA addressing related information and a MN-HNP. This specification extends the MIP6-Agent-Info with the PMIP6-IPv4-Home-Address AVP using the Diameter extensibility rules defined in [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.). The PMIP6-IPv4-Home-Address AVP contains the IPv4-MN-HoA.

The extended MIP6-Agent-Info AVP results to the following grouped AVP:

    MIP6-Agent-Info ::= < AVP-Header: 486 >
                      *2[ MIP-Home-Agent-Address ]
                        [ MIP-Home-Agent-Host ]
                        [ MIP6-Home-Link-Prefix ]
                        [ PMIP6-IPv4-Home-Address ]
                      * [ AVP ]


 TOC 

4.2.  PMIP6-IPv4-Home-Address AVP

The PMIP6-IPv4-Home-Address AVP (AVP Code TBD2) is of type Address and contains an IPv4 address. This AVP is used to carry the IPv4-MN-HoA, if available, from the HAAA to the MAG. This AVP SHOULD only be present when the MN is statically provisioned with the IPv4-MN-HoA. Note that proactive dynamic assignment of the IPv4-MN-HoA by the HAAA may result in unnecessary reservation of IPv4 address resources, because the MN may considerably delay or completely bypass its IPv4 address configuration.

The PMIP6-IPv4-Home-Address AVP is also used on the LMA-to-HAAA interface. The AVP contains the IPv4-MN-HoA assigned to the MN. If the LMA delegates the assignment of the IPv4-MN-HoA to the HAAA, the AVP MUST contain all zeroes IPv4 address (i.e., 0.0.0.0) in the request message. If the LMA delegated the IPv4-MN-HoA assignment to the HAAA, then the AVP contains the HAAA assigned IPv4-MN-HoA in the response message.



 TOC 

4.3.  MIP6-Home-Link-Prefix AVP

The MIP6-Home-Link-Prefix AVP (AVP Code 125) is defined in [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.). This AVP is used to carry the MN-HNP, if available, from the HAAA to the MAG. The low 64 bits of the prefix MUST be all zeroes.

The MIP6-Home-Link-Prefix AVP is also used on the LMA-to-HAAA interface. The AVP contains the prefix assigned to the MN. If the LMA delegates the assignment of the MN-HNP to the HAAA, the AVP MUST contain all zeroes address (i.e., 0::0) in the request message. If the LMA delegated the MN-HNP assignment to the HAAA, then the AVP contains the HAAA assigned MNM-HNP in the response message.



 TOC 

4.4.  PMIP6-DHCP-Server-Address AVP

The PMIP6-DHCP-Server-Address AVP (AVP Code TBD1) is of type Address and contains the IP address of the DHCPv4 and/or DHCPv6 server assigned to the MAG serving the newly attached MN. If the AVP contains a DHCPv4 server address, then the Address type MUST be IPv4. If the AVP contains a DHCPv6 server address, then the Address type MUST be IPv6. The HAAA MAY assign a DHCP server to the MAG in deployments where the MAG acts as a DHCP Relay [I‑D.ietf‑netlmm‑pmip6‑ipv4‑support] (Wakikawa, R. and S. Gundavelli, “IPv4 Support for Proxy Mobile IPv6,” February 2010.).



 TOC 

4.5.  MIP6-Feature-Vector AVP

The MIP6-Feature-Vector AVP is originally defined in [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.). This document defines new capability flag bits according to the rules in [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.).

PMIP6_SUPPORTED (0x0000010000000000)

When the MAG/NAS sets this bit in the MIP6-Feature-Vector AVP, it is an indication to the HAAA that the NAS supports PMIPv6. When the HAAA sets this bit in the response MIP6-Feature-Vector AVP, it indicates that the HAAA also has PMIPv6 support. This capability bit can also be used to allow PMIPv6 mobility support in a subscription granularity.

IP4_HOA_SUPPORTED (0x0000020000000000)

Assignment of the IPv4-MN-HoA is supported. When the MAG sets this bit in the MIP6-Feature-Vector AVP, it indicates that the MAG implements a minimal functionality of a DHCP server (and a relay) and is able to deliver IPv4-MN-HoA to the MN. When the HAAA sets this bit in the response MIP6-Feature-Vector AVP, it indicates that the HAAA has authorized the use of IPv4-MN-HoA for the MN. If this bit is unset in the returned MIP6-Feature-Vector AVP, the HAAA does not authorize the configuration of IPv4 address.

LOCAL_MAG_ROUTING_SUPPORTED (0x0000040000000000)

Direct routing of IP packets between MNs anchored to the same MAG is supported. When a MAG sets this bit in the MIP6-Feature-Vector, it indicates that routing IP packets between MNs anchored to the same MAG is supported, without reverse tunneling packets via the LMA or requiring any Route Optimization related signaling (e.g. the Return Routability Procedure in [RFC3775] (Johnson, D., Perkins, C., and J. Arkko, “Mobility Support in IPv6,” June 2004.)) prior direct routing. If this bit is unset in the returned MIP6-Feature-Vector AVP, the HAAA does not authorize direct routing of packets between MNs anchored to the same MAG. This policy feature SHOULD be supported per MN and subscription basis.

The MIP6-Feature-Vector AVP is also used on the LMA to HAAA interface. Using the capability announcement AVP it is possible to perform a simple capability negotiation between the LMA and the HAAA. Those capabilities that are announced by both parties are also known to be mutually supported. The capabilities listed in earlier are also supported in the LMA to HAAA interface. The LMA to HAAA interface does not define any new capability values.



 TOC 

4.6.  Mobile-Node-Identifier AVP

The Mobile-Node-Identifier AVP (AVP Code TBD3) is of type UTF8String and contains the mobile node identifier (MN-Identifier, see [RFC5213] (Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, “Proxy Mobile IPv6,” August 2008.)) in the NAI [RFC4282] (Aboba, B., Beadles, M., Arkko, J., and P. Eronen, “The Network Access Identifier,” December 2005.) format. This AVP is used on the MAG-to-HAAA interface. The Mobile-Node-Identifier AV is designed for deployments where the MAG does not have a way to find out such MN identity that could be used in subsequent PBU/PBA exchanges (e.g., due to identity hiding during the network access authentication) or the HAAA wants to assign periodically changing identities to the MN.

The Mobile-Node-Identifier AVP is returned in the answer message that ends a successful authentication (and possibly an authorization) exchange between the MAG and the HAAA, assuming the HAAA is also able to provide the MAG with the MN-Identifier in the first place. The MAG MUST use the received MN-Identifier, if it has not been able to get the mobile node identifier through other means. If the MAG already has a valid mobile node identifier, then the MAG MUST silently discard the received MN-identifier.



 TOC 

4.7.  Calling-Station-Id AVP

The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and contains a Link-Layer Identifier of the MN. This identifier corresponds to the Link-Layer Identifier as defined in RFC 5213 Section 2.2. and 8.6.



 TOC 

4.8.  Service-Selection AVP

The Service-Selection AVP (AVP Code TBD) is of type UTF8String and contains a LMA provided service identifier on the LMA-to-HAAA interface. This AVP is re-used from [I‑D.ietf‑dime‑mip6‑split] (Korhonen, J., Tschofenig, H., Bournelle, J., Giaretta, G., and M. Nakhjiri, “Diameter Mobile IPv6: Support for Home Agent to Diameter Server Interaction,” April 2009.). The service identifier may be used to assist the PBU authorization and the assignment of the MN-HNP and the IPv4-MN-HoA as described in RFC 5149 [RFC5149] (Korhonen, J., Nilsson, U., and V. Devarapalli, “Service Selection for Mobile IPv6,” February 2008.). The identifier MUST be unique within the PMIPv6 Domain. In the absence of the Service-Selection AVP in the request message, the HAAA may want to inform the LMA of the default service provisioned to the MN and include the Service-Selection AVP in the response message.

It is also possible that the MAG receives the service selection information from the MN, for example, via some lower layer mechanism. In this case the MAG SHOULD include the Service-Selection AVP also in the MAG-to-HAAA request messages. In absence of the Service-Selection AVP in the MAG-to-HAAA request messages, the HAAA may want to inform the MAG of the default service provisioned to the MN and include the Service-Selection AVP in the response message.

Whenever the Service-Selection AVP is included either in a request message or in a response message, and the AAA interaction with HAAA completes successfully, it is an indication that the HAAA also authorized the MN to some service. This should be taken into account when considering what to include in the Auth-Request-Type AVP.

The service selection concept supports signaling one service at time. However, the MN policy profile MAY support multiple services being used simultaneously. For this purpose, the HAAA MAY return multiple LMA and service pairs (see Section 4.9 (Service-Configuration AVP)) to the MAG in a response message that ends a successful authentication (and possibly an authorization) exchange between the MAG and the HAAA. Whenever the MN initiates additional mobility session to another service (using a link layer or deployment specific method), the provisioned service information is already contained in the MAG. Therefore, there is no need for additional AAA signaling between the MAG and the HAAA.



 TOC 

4.9.  Service-Configuration AVP

The Service-Configuration AVP (AVP Code TBD4) is of type Grouped and contains a service and a LMA pair. The HAAA can use this AVP to inform the MAG of MN's subscribed services and LMAs where those services are hosted in.

    Service-Configuration ::= < AVP-Header: TBD4 >
                              [ MIP6-Agent-Info ]
                              [ Service-Selection ]
                            * [ AVP ]


 TOC 

5.  Application Support and Command Codes



 TOC 

5.1.  MAG-to-HAAA Interface

This specification does not define a new Application-ID for the MAG-to-HAAA Diameter connection. Rather, this specification re-uses any Diameter application and their commands that are used to authenticate and authorize the MN for the network access. Example applications include NASREQ [RFC4005] (Calhoun, P., Zorn, G., Spence, D., and D. Mitton, “Diameter Network Access Server Application,” August 2005.) and EAP [RFC4072] (Eronen, P., Hiller, T., and G. Zorn, “Diameter Extensible Authentication Protocol (EAP) Application,” August 2005.). The MAG acts as a Diameter client.

The MAG-to-HAAA interactions are primarily used for bootstrapping PMIPv6 mobility service session when a MN attaches and authenticates to a PMIPv6 Domain. This includes the bootstrapping of PMIPv6 session related information. The same interface may also be used for accounting.

Whenever the MAG sends a Diameter request message to the HAAA the User-Name AVP SHOULD contain the MN's identity. The MN identity, if available, MUST be in Network Access Identifier (NAI) [RFC4282] (Aboba, B., Beadles, M., Arkko, J., and P. Eronen, “The Network Access Identifier,” December 2005.) format. At minimum the home realm of the MN MUST be available at the MAG when the network access authentication takes place. Otherwise the MAG is not able to route the Diameter request messages towards the correct HAAA. The MN identity used on the MAG-to-HAAA interface and in the User-Name AVP MAY entirely be related to the network access authentication, and therefore not suitable to be used as the MN-ID mobility option value in the subsequent PBU/PBA messages. See the related discussion on MN's identities in Section 4.6 (Mobile-Node-Identifier AVP) and in Section 5.2.1 (Authorization of the Proxy Binding Update)

For the session management and service authorization purposes, session state SHOULD be maintained on the MAG-to-HAAA interface. See the discussion in Section 4.8 (Service-Selection AVP).



 TOC 

5.2.  LMA-to-HAAA Interface

The-LMA-to HAAA interface may be used for multiple purposes. These include the authorization of the incoming PBU, updating the LMA address to the HAAA, accounting and PMIPv6 session management.

This specification does not define a new Application-ID for the LMA-to-HAAA Diameter connection. Rather, this specification re-uses any Diameter application and their commands. An example application could be NASREQ [RFC4005] (Calhoun, P., Zorn, G., Spence, D., and D. Mitton, “Diameter Network Access Server Application,” August 2005.). The LMA acts as a Diameter client.



 TOC 

5.2.1.  Authorization of the Proxy Binding Update

Whenever the LMA sends a Diameter request message to the HAAA, the User-Name AVP SHOULD contain the MN's identity. The LMA MAY retrieve the MN's identity information from the PBU MN-ID [RFC4283] (Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. Chowdhury, “Mobile Node Identifier Option for Mobile IPv6 (MIPv6),” November 2005.)[RFC5213] (Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, “Proxy Mobile IPv6,” August 2008.) mobility option. The identity SHOULD be the same as used on the MAG-to-HAAA interface, but in the case those identities differ the HAAA MUST have a mechanism of mapping the MN identity used on the MAG-to-HAAA interface to the identity used on the LMA-to-HAAA interface.

If the PBU contains the MN Link-Layer Identifier option, the Calling-Station-Id AVP SHOULD be included in the request message containing the received Link-Layer Identifier. Furthermore, if the PBU contains the Service Selection mobility option [RFC5149] (Korhonen, J., Nilsson, U., and V. Devarapalli, “Service Selection for Mobile IPv6,” February 2008.), the Service-Selection AVP SHOULD be included in the request message containing the received service identifier.

The LMA and the HAAA use the MIP6-Home-Link-Prefix AVP to exchange the MN-HNP when appropriate. Similarly, the LMA and the HAAA use the PMIP6-IPv4-Home-Address AVP to exchange the IPv4-MN-HoA when appropriate. Note that these AVPs are encapsulated inside the MIP6-Agent-Info AVP. Which entity is actually responsible for the address management is a deployment specific within the PMIPv6 Domain and MUST be pre-agreed on per deployment basis.

The Auth-Request-Type AVP MUST be set to the value AUTHORIZE_ONLY. If the HAAA is not able to authorize the subscriber's mobility service session, then the reply message to the LMA MUST have the Result-Code AVP set to value DIAMETER_PMIP6_AUTHORIZATION_FAILED (TBD5) indicating a permanent failure.

The LMA-to-HAAA interface can also be used to update the selected LMA address to the HAAA and the remote policy store during the authorization step. This applies to the case where the MAG, for example, discovered the LMA address using the DNS.



 TOC 

6.  Proxy Mobile IPv6 Session Management

Concerning a PMIPv6 mobility session, the HAAA, the MAG and the LMA Diameter entities SHOULD be stateful and maintain the corresponding Authorization Session State Machine defined in [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.). If a state is maintained, then a PMIPv6 mobility session that can be identified by any of the Binding Cache (BCE) Lookup Keys described in RFC 5213 (see Sections 5.4.1.1., 5.4.1.2. and 5.4.1.3.) MUST map to a single Diameter Session-Id. If the PMIPv6 Domain allows further separation of sessions, for example, identified by the RFC 5213 BCE Lookup Keys and the service selection combination (see Section 4.8 (Service-Selection AVP) and [RFC5149] (Korhonen, J., Nilsson, U., and V. Devarapalli, “Service Selection for Mobile IPv6,” February 2008.)), then a single Diameter Session-Id MUST map to a PMIPv6 mobility session identified by the RFC 5213 BCE Lookup Keys and the selected service.

If both the MAG-to-HAAA and the LMA-to-HAAA interfaces are deployed in a PMIPv6 Domain, and a state is maintained on both interfaces, then one PMIPv6 mobility session would have two distinct Diameter sessions on the HAAA. The HAAA needs to be aware of this deployment possibility and SHOULD allow multiple Diameter sessions for the same PMIPv6 mobility session.

Diameter session termination related commands described in the following sections may be exchanged between the LMA and the HAAA, or between the MAG and the HAAA. The actual PMIPv6 session termination procedures take place at PMIPv6 protocol level and are described in more detail in RFC 5213 and [I‑D.ietf‑mext‑binding‑revocation] (Muhanna, A., Khalil, M., Gundavelli, S., Chowdhury, K., and P. Yegani, “Binding Revocation for IPv6 Mobility,” October 2009.).



 TOC 

6.1.  Session-Termination-Request

The LMA or the MAG MAY send the Session-Termination-Request (STR) command [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.) to the HAAA and inform the termination of an ongoing PMIPv6 session is in progress.



 TOC 

6.2.  Session-Termination-Answer

The Session-Termination-Answer (STA) [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.) is sent by the HAAA to acknowledge the termination of a PMIPv6 session.



 TOC 

6.3.  Abort-Session-Request

The HAAA MAY send the Abort-Session-Request (ASR) command [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.) to the LMA or to the MAG and request termination of a PMIPv6 session.



 TOC 

6.4.  Abort-Session-Answer

The Abort-Session-Answer (ASA) command [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.)is sent by the LMA or the MAG to acknowledge that the termination of a PMIPv6 session.



 TOC 

7.  Attribute Value Pair Occurrence Tables

The following tables list the PMIPv6 MAG-to-HAAA interface and LMA-to-HAAA interface AVPs including those that are defined in [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.).

The Figure 2 (MAG-to-HAAA Interface Generic Diameter Request and Answer Commands AVPs) contains the AVPs and their occurrences on the MAG-to-HAAA interface. The AVPs that are part of grouped AVP are not listed in the table, rather only the grouped AVP is listed.



 TOC 

7.1.  MAG-to-HAAA Interface



                                  +---------------+
                                  |  Command-Code |
                                  |-------+-------+
   Attribute Name                 |  REQ  |  ANS  |
   -------------------------------+-------+-------+
   PMIP6-DHCP-Server-Address      |   0   |  0+   |
   MIP6-Agent-Info                |  0+   |  0+   |
   MIP6-Feature-Vector            |  0-1  |  0-1  |
   Mobile-Node-Identifier         |  0-1  |  0-1  |
   Calling-Station-Id             |  0-1  |   0   |
   Service-Selection              |  0-1  |   0   |
   Service-Configuration          |   0   |  0+   |
                                  +-------+-------+

 Figure 2: MAG-to-HAAA Interface Generic Diameter Request and Answer Commands AVPs 



 TOC 

7.2.  LMA-to-HAAA Interface



                                  +---------------+
                                  |  Command-Code |
                                  |-------+-------+
   Attribute Name                 |  REQ  |  ANS  |
   -------------------------------+-------+-------+
   MIP6-Agent-Info                |  0-1  |  0-1  |
   MIP6-Feature-Vector            |  0-1  |  0-1  |
   Calling-Station-Id             |  0-1  |   0   |
   Service-Selection              |  0-1  |  0-1  |
   User-Name                      |  0-1  |  0-1  |
                                  +-------+-------+

 Figure 3: LMA-to-HAAA Interface Generic Diameter Request and Answer Commands AVPs 



 TOC 

8.  Example Signaling Flows

Figure 4 (MAG and LMA Signaling Interaction with AAA server during PMIPv6 bootstrapping) shows a signaling flow example during PMIPv6 bootstrapping using the AAA interactions defined in this specification. In step (1) of this example, the MN is authenticated to PMIPv6 domain using EAP-based authentication. The MAG to the HAAA signaling uses the Diameter EAP Application. During step (2), the LMA uses Diameter NASREQ application to authorize the MN with the HAAA server.

The MAG-to-HAAA AVPs, as listed in Section 7.1 (MAG-to-HAAA Interface) are used during step (1). These AVPs are included only in the DER message which starts the EAP exchange and in the corresponding DEA message which successfully completes this EAP exchange. The LMA-to-HAAA AVPs, as listed in Section 7.2 (LMA-to-HAAA Interface), are used during step (2). Step (2) is used to authorize the MN request for the mobility service and update the HAAA server with the assigned LMA information. In addition, this step may be used to dynamically assist in the assignment of the MN-HNP.



MN                 MAG/NAS                LMA                  HAAA
|                     |                    |                    |
| L2 attach           |                    |                    |
|-------------------->|                    |                    |
| EAP/req-identity    |                    |                    |
|<--------------------|                    |                    |
| EAP/res-identity    | DER + MAG-to-HAAA AVPs                  | s
|-------------------->|---------------------------------------->| t
| EAP/req #1          | DEA (EAP request #1)                    | e
|<--------------------|<----------------------------------------| p
| EAP/res #2          | DER (EAP response #2)                   |
|-------------------->|---------------------------------------->| 1
:                     :                    :                    :
:                     :                    :                    :
| EAP/res #N          | DER (EAP response #N)                   |
|-------------------->|---------------------------------------->|
| EAP/success         | DEA (EAP success) + MAG-to-HAAA AVPs    |
|<--------------------|<----------------------------------------|
:                     :                    :                    :
:                     :                    :                    :
|                     | PMIPv6 PBU         | AAR +              | s
|                     |------------------->| LMA-to-HAAA AVPs   | t
|                     |                    |------------------->| e
|                     |                    | AAA +              | p
|                     |                    | LMA-to-HAAA AVPs   |
|                     | PMIPv6 PBA         |<-------------------| 2
| RA                  |<-------------------|                    |
|<--------------------|                    |                    |
:                     :                    :                    :
:                     :                    :                    :
| IP connectivity     | PMIPv6 tunnel up   |                    |
|---------------------|====================|                    |
|                     |                    |                    |

 Figure 4: MAG and LMA Signaling Interaction with AAA server during PMIPv6 bootstrapping 



 TOC 

9.  IANA Considerations



 TOC 

9.1.  Attribute Value Pair Codes

This specification defines the following new AVPs:

  PMIP6-DHCP-Server-Address   is set to TBD1
  PMIP6-IPv4-Home-Address     is set to TBD2
  Mobile-Node-Identifier      is set to TBD3
  Service-Configuration       is set to TBD4



 TOC 

9.2.  Namespaces

This specification defines new values to the Mobility Capability registry (see [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.)) for use with the MIP6-Feature-Vector AVP:

Token                            | Value                | Description
---------------------------------+----------------------+------------
PMIP6_SUPPORTED                  | 0x0000010000000000   | [RFC TBD]
IP4_HOA_SUPPORTED                | 0x0000020000000000   | [RFC TBD]
LOCAL_MAG_ROUTING_SUPPORTED      | 0x0000040000000000   | [RFC TBD]



 TOC 

9.3.  Result-Code AVP Values

This specification requests IANA to allocate a new value to the Result-Code AVP (AVP Code 268) address space within the Permanent Failures category (5xxx) defined in [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.):

  DIAMETER_PMIP6_AUTHORIZATION_FAILED  is set to TBD5



 TOC 

10.  Security Considerations

The security considerations of the Diameter Base protocol [RFC3588] (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.), Diameter EAP application [RFC4072] (Eronen, P., Hiller, T., and G. Zorn, “Diameter Extensible Authentication Protocol (EAP) Application,” August 2005.), Diameter NASREQ application [RFC4005] (Calhoun, P., Zorn, G., Spence, D., and D. Mitton, “Diameter Network Access Server Application,” August 2005.) and Diameter Mobile IPv6 integrated scenario bootstrapping [RFC5447] (Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” February 2009.) are applicable to this document.

In general, the Diameter messages may be transported between the HA and the Diameter server via one or more AAA brokers or Diameter agents. In this case the HA to the Diameter server AAA communication rely on the security properties of the intermediate AAA brokers and Diameter agents (such as proxies).



 TOC 

11.  Acknowledgements

Jouni Korhonen would like to thank the TEKES GIGA program MERCoNe-project for providing funding to work on this document while he was with TeliaSonera.



 TOC 

12.  References



 TOC 

12.1. Normative References

[I-D.ietf-netlmm-pmip6-ipv4-support] Wakikawa, R. and S. Gundavelli, “IPv4 Support for Proxy Mobile IPv6,” draft-ietf-netlmm-pmip6-ipv4-support-18 (work in progress), February 2010 (TXT).
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” RFC 3588, September 2003 (TXT).
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, “Diameter Network Access Server Application,” RFC 4005, August 2005 (TXT).
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, “Diameter Extensible Authentication Protocol (EAP) Application,” RFC 4072, August 2005 (TXT).
[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, “The Network Access Identifier,” RFC 4282, December 2005 (TXT).
[RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, “Proxy Mobile IPv6,” RFC 5213, August 2008 (TXT).
[RFC5447] Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, “Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction,” RFC 5447, February 2009 (TXT).


 TOC 

12.2. Informative References

[I-D.ietf-dime-mip6-split] Korhonen, J., Tschofenig, H., Bournelle, J., Giaretta, G., and M. Nakhjiri, “Diameter Mobile IPv6: Support for Home Agent to Diameter Server Interaction,” draft-ietf-dime-mip6-split-17 (work in progress), April 2009 (TXT).
[I-D.ietf-mext-binding-revocation] Muhanna, A., Khalil, M., Gundavelli, S., Chowdhury, K., and P. Yegani, “Binding Revocation for IPv6 Mobility,” draft-ietf-mext-binding-revocation-14 (work in progress), October 2009 (TXT).
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, “Extensible Authentication Protocol (EAP),” RFC 3748, June 2004 (TXT).
[RFC3775] Johnson, D., Perkins, C., and J. Arkko, “Mobility Support in IPv6,” RFC 3775, June 2004 (TXT).
[RFC4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. Chowdhury, “Mobile Node Identifier Option for Mobile IPv6 (MIPv6),” RFC 4283, November 2005 (TXT).
[RFC5149] Korhonen, J., Nilsson, U., and V. Devarapalli, “Service Selection for Mobile IPv6,” RFC 5149, February 2008 (TXT).


 TOC 

Authors' Addresses

  Jouni Korhonen (editor)
  Nokia Siemens Network
  Linnoitustie 6
  Espoo FI-02600
  Finland
Email:  jouni.nospam@gmail.com
  
  Julien Bournelle
  Orange Labs
  38-4O rue du general Leclerc
  Issy-Les-Moulineaux 92794
  France
Email:  julien.bournelle@orange-ftgroup.com
  
  Kuntal Chowdhury
  Starent Networks
  30 International Place
  Tewksbury MA 01876
  USA
Email:  kchowdhury@starentnetworks.com
  
  Ahmad Muhanna
  Nortel
  2221 Lakeside Blvd.
  Richardson, TX 75082
  USA
Email:  amuhanna@nortel.com
  
  Ulrike Meyer
  RWTH Aachen
Email:  meyer@umic.rwth-aachen.de