AAA Working Group                                   Jayshree Bharatia
Internet Draft                                       Kuntal Chowdhury
Category: Standards Track                             Nortel Networks
Expires on May 2002                                     November 2001

          Optimized Dynamic Home Agent Assignment Using DIAMETER

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   The operation of determining a dynamic Home Agent (HA) is currently
   defined in [MIPBis], and a DIAMETER usage for the Mobile IP
   application is specified in [MIPApp]. This document enhances the
   DIAMETER usage for the Mobile IP application discussed in [MIPApp]
   and offers an optimized solution for dynamically assigning a Home
   Agent. The proposed solution:

   - Reduces the number of AAA message exchanges between the Home AAA
     (AAAH) and the Foreign AAA (AAAF) for dynamic home agent assignment
     in the foreign network.

   - Relieves the Foreign Agent (FA) and the AAAF of the burden of
     processing AVPs that are based on the Home Agent (HA) address
     received in a Registration Request (Reg-Request).

   - Provides better scope for offering home network controlled services
     by the network providers.

   - Generalizes the HA assignment operation between the AAAF and the
     AAAH.

   - Also makes better use of the AAAH policy for the HA assignment
     operation.
Bharatia, Chowdhury                                            [Page 1]

1 Introduction

1.1 Glossary of Terms

   AAA    Authentication, Authorization and Accounting
   AAAF   AAA in foreign network
   AAAH   AAA in home network
   FA     Foreign Agent
   HA     Home Agent
   AMR    Mobile-Node-Request message
   AMA    Mobile-Node-Answer message
   HAR    Home-Agent-MIP-Request message
   HAA    Home-Agent-MIP-Answer message

1.2 Current Solution for Dynamic HA Assignment Using DIAMETER

   The current solution proposed in [MIPApp] uses the home agent address
   received in the Mobile IP Registration Request. The FA processes this
   information and sends a MIP-Feature-Vector to the Foreign AAA (AAAF)
   with the Home-Agent-Requested flag set to one. The FA also sets the
   Home-Address-Allocatable-Only-In-Home flag to zero or one depending
   on the HA address specified in the Registration Request message, i.e.
   0.0.0.0 or 255.255.255.255 respectively. If the AAAF determines that
   it is possible to assign the HA in the foreign network and the
   MIP-Feature-Vector AVP is set with the appropriate flags, it sets the
   Foreign-Home-Agent-Available flag to one in the MIP-Feature-Vector
   AVP. The AAAF sends this information to the AAAH. At this point, the
   AAAH authenticates the user and determines whether its local policy
   allows the user to have an HA in the foreign network. Based on this
   policy, the AAAH may allow the AAAF to assign the HA in the foreign
   network. Otherwise, the AAAH attempts to assign the HA in the home
   network. In short, the AAAH has the ability to supersede any specific
   dynamic HA assignment request based on local policy.

   If the AAAH allows the HA assignment in the foreign network, it sends
   the Home-Agent-MIP-Request (HAR) message to the AAAF. Once the
   assignment of an HA is completed in the foreign network, the AAAF
   sends a HAA message to the AAAH. Upon receipt of the HAA message, the
   AAAH sends an AMA response to the AAAF. The AAAF then relays the AMA
   message to the FA. This confirms the completion of the operation.
1.3 Proposed Solution for Dynamic HA Assignment Using DIAMETER

   The proposed solution treats the HA information received in a
   Registration Request transparently at the FA. Regardless of the value
   of the HA address field in the Registration Request received from the
   mobile, the FA relays it transparently to the AAAF in a
   Mobile-Node-Request (AMR) message. Upon receipt of the AMR message
   from the FA, the AAAF sets the Foreign-Home-Agent-Available flag to
   one if it is possible to assign an HA in the foreign network, and
   relays the AMR message to the AAAH.

   Upon receiving the AMR message from the AAAF, the AAAH performs the
   authentication and authorization functions. The AAAH also determines
   whether a dynamic HA assignment is requested by checking for
   HA = 255.255.255.255 in the AMR message. If so, the AAAH determines
   whether local policy allows the user to have an HA in the foreign
   network. Based on this policy, the AAAH may allow the AAAF to assign
   an HA in the foreign network when the AAAF has set the
   Foreign-Home-Agent-Available flag to one. Otherwise, the AAAH shall
   attempt to assign the HA in the home network.

   If the AAAH allows the HA assignment in the foreign network, it sends
   the Mobile-Node-Answer (AMA) response to the AAAF with the result-code
   DIAMETER-LIMITED-SUCCESS. Upon receipt of this AMA message from the
   AAAH, the AAAF assigns an HA in the foreign network and sends an AMA
   with the new HA address to the FA, which completes the operation. If
   the HA assignment in the foreign network fails, the AAAF sends an AMR
   message to the AAAH with a new flag indicating a request to assign the
   HA in the home network because the assignment of an HA in the foreign
   network failed.

   Compared to the solution discussed in section 1.2, this proposal
   offers the following advantages:

   - For a home agent assignment in the foreign network, the number of
     AAA exchanges between the AAAH and the AAAF is reduced.
     The AAAH only authorizes the AAAF to assign an HA in the foreign
     network, and it is not involved in the HA assignment operation in
     the foreign network. If the assignment of an HA in the foreign
     network fails, the AAAF shall notify the AAAH by sending an AMR
     with a new flag.

   - It relieves the FA of the burden of processing AVPs based on the HA
     address received in the Registration Request message from the
     mobile.

   - It provides better scope for offering home network controlled
     services by the network providers.

   - It generalizes the HA assignment operation between the AAAF and the
     AAAH.

   - It also makes better use of the AAAH policy for the HA assignment
     operation, since the solution relies on the policy configured in
     the Home AAA (AAAH) rather than acting on the HA address received
     from the MN.

2 Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.

3 Detailed Description of the Proposed Solution

   For effective use of the home IP address, the home AAA SHOULD be able
   to select an HA for use with the newly assigned home address. In many
   cases, the MN will already know the address of its HA, even if the MN
   does not already have an existing home address. Regardless of which
   HA is being requested, it MUST still be up to the local policy
   provisioned at the AAAH to decide which HA is appropriate to use.

   When the FA receives this request with the HA address set to
   255.255.255.255 or to any other valid IP address, it simply forwards
   the received HA address and the other relevant information in a
   Mobile-Node-Request (AMR) message, as specified in [MIPApp], to the
   AAAF. Upon receipt of the AMR message, the AAAF checks whether it is
   possible to assign an HA in the foreign network.
   If it is possible, then it MUST add a MIP-Feature-Vector AVP to the
   Mobile-Node-Request (AMR) with the Foreign-Home-Agent-Available flag
   set to one. Setting this flag indicates that the AAAF is willing and
   able to assign an HA in the foreign network.

   When the AAAH receives the AMR message, it first authenticates and
   authorizes the data received in the AMR message. As per the local
   policy, it MAY be possible for a particular user to have an HA in the
   foreign network. In this case, the AAAH SHOULD follow the procedure
   discussed in section 3.1 of this document. Otherwise, the AAAH shall
   assign an HA in the home network by following the procedure described
   in [MIPApp].

3.1 Home Agent in Foreign Network

   The message exchanges for a successful dynamic HA assignment in a
   foreign network are shown in Figures 1 and 2.

             Visited Network                      Home Network

          +--------+   ------- AMR ------->       +--------+
          |  AAAF  |                              |  AAAH  |
          | server |   <------ AMA --------       | server |
          +--------+                              +--------+
            |     ^
    HAR/HAA |     | AMR/AMA
            v     |
      +---------+ |    +---------+
      |  Home   | +----| Foreign |
      |  Agent  |      |  Agent  |
      +---------+      +---------+
                            ^
                            | Reg-Request/Reply
                            | (Mobile IP)
                            v
                       +--------+
                       | Mobile |
                       |  Node  |
                       +--------+

            Figure 1: Dynamic HA Assignment in Foreign Network

   If the local policy at the AAAH allows an HA assignment in the
   foreign network, the AAAH MUST set the result-code to
   DIAMETER-LIMITED-SUCCESS in a Mobile-Node-Answer (AMA) message and
   send it to the AAAF.

   MN           FA           HA(Foreign Network)      AAAF         AAAH
   --           --           -------------------      ----         ----
   --Reg-Request-->
                ----------------AMR-------------------->
                                                       -----AMR----->
                                                       <-----AMA-----
                             <----------HAR------------
                             -----------HAA----------->
                <----------------AMA--------------------
   <--Reg-Reply---

   Figure 2: Message Exchanges for Dynamic HA Assignment in Foreign
             Network

   Since the AAAF receives an AMA message with the result-code
   DIAMETER-LIMITED-SUCCESS, it MUST assign an HA in the foreign
   network.
   Hence the AAAF sends a Home-Agent-MIP-Request (HAR) message to a
   dynamically assigned HA in the foreign network. Once a
   Home-Agent-MIP-Answer (HAA) response is received from this new HA,
   the AAAF sends an AMA message to the FA. This completes the
   successful assignment of an HA in the foreign network.

   If the assignment of an HA fails in the foreign network after
   receiving the AMA from the AAAH, the AAAF MUST initiate an AMR to the
   AAAH. At this time the AAAF adds a MIP-Feature-Vector AVP to the
   Mobile-Node-Request (AMR) with the Home-Agent
   Assignment-in-Foreign-Network-Failed flag set to one. The AAAF sends
   this AMR message to the AAAH for an HA assignment in the home
   network. Upon receipt of this AMR message, the AAAH shall assign an
   HA in the home network if permitted by the local policy. Otherwise,
   the error DIAMETER-ERROR-HA-NOT-AVAILABLE is sent to the AAAF, which
   subsequently forwards the dynamic HA assignment failure to the MN in
   a Registration Reply (Reg-Reply) message.

   MN           FA           HA(Home Network)         AAAF         AAAH
   --           --           ----------------         ----         ----
   --Reg-Request-->
                ----------------AMR-------------------->
                                                       -----AMR----->
                             <-----------------HAR------------------
                             ------------------HAA----------------->
                                                       <-----AMA-----
                <----------------AMA--------------------
   <--Reg-Reply---

      Figure 3: Home Agent Assignment Failure in Foreign Network

4 IANA Considerations

   A new flag, Home-Agent Assignment-in-Foreign-Network-Failed, is
   defined for the existing AVP MIP-Feature-Vector, whose namespace is
   already assigned by [MIPApp].

5 Security Considerations

   The solution proposed in this document is an optimized solution for
   the dynamic assignment of an HA and does not add new functionality.
   Hence there may be no new security requirements.
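   The following is an added example, not code from this draft or from
   Nortel: a small Python model of the AAAF/AAAH decision logic of
   sections 3 and 3.1 (the Foreign-Home-Agent-Available flag, the
   DIAMETER-LIMITED-SUCCESS authorization, and the fallback to the home
   network with the failure flag, written here with hyphens). The
   dict-based message layout, the function names, the DIAMETER-SUCCESS
   code name and the sample addresses are assumptions, and the HAR/HAA
   exchange with the chosen HA is abstracted to a pool lookup.

```python
# Added example, not part of the draft: a model of the AAAF/AAAH decision logic
# of sections 3 and 3.1. Dict layout, function names and addresses are assumed.

DYNAMIC_HA = "255.255.255.255"   # MN asks for a dynamically assigned HA
FOREIGN_HA_AVAILABLE = "Foreign-Home-Agent-Available"
FOREIGN_HA_FAILED = "Home-Agent-Assignment-in-Foreign-Network-Failed"
LIMITED_SUCCESS = "DIAMETER-LIMITED-SUCCESS"
SUCCESS = "DIAMETER-SUCCESS"     # assumed name of the ordinary success code
HA_NOT_AVAILABLE = "DIAMETER-ERROR-HA-NOT-AVAILABLE"


def aaah_answer(amr, policy_allows_foreign_ha, home_ha):
    """AAAH policy decision on a dynamic-HA AMR; returns the AMA for the AAAF."""
    flags = amr.get("MIP-Feature-Vector", set())
    # Authorise the AAAF to assign locally unless policy forbids it, the AAAF
    # did not offer it, or the AAAF already reported a failed foreign attempt.
    if (policy_allows_foreign_ha and FOREIGN_HA_AVAILABLE in flags
            and FOREIGN_HA_FAILED not in flags):
        return {"Result-Code": LIMITED_SUCCESS}
    if home_ha is None:                       # no HA in the home network either
        return {"Result-Code": HA_NOT_AVAILABLE}
    return {"Result-Code": SUCCESS, "Home-Agent-Address": home_ha}

def aaaf_handle_ama(amr, ama, foreign_ha_pool):
    """AAAF acts on the AMA: DIAMETER-LIMITED-SUCCESS obliges it to pick an HA in
    the foreign network (HAR/HAA abstracted to a pool lookup) or else to send
    a fresh AMR flagged for home-network assignment. Returns (type, message)."""
    if ama["Result-Code"] != LIMITED_SUCCESS:
        return "AMA", ama                     # home HA or error: relay to the FA
    if foreign_ha_pool:
        ha = foreign_ha_pool.pop(0)           # HAR sent, HAA received from this HA
        return "AMA", {"Result-Code": SUCCESS, "Home-Agent-Address": ha}
    flags = set(amr["MIP-Feature-Vector"]) | {FOREIGN_HA_FAILED}
    return "AMR", {**amr, "MIP-Feature-Vector": flags}

def assign_ha(foreign_ha_possible, foreign_ha_pool, policy_allows_foreign_ha, home_ha):
    """One dynamic-HA request end to end: returns the final AMA delivered to the
    FA and the number of AMR/AMA round trips between the AAAF and the AAAH."""
    # The FA relays the Reg-Request transparently; the AAAF adds the
    # Foreign-Home-Agent-Available flag when it is willing/able to assign an HA.
    flags = {FOREIGN_HA_AVAILABLE} if foreign_ha_possible else set()
    amr = {"Home-Agent-Address": DYNAMIC_HA, "MIP-Feature-Vector": flags}
    round_trips = 0
    while True:
        ama = aaah_answer(amr, policy_allows_foreign_ha, home_ha)
        round_trips += 1
        kind, msg = aaaf_handle_ama(amr, ama, foreign_ha_pool)
        if kind == "AMA":
            return msg, round_trips
        amr = msg                             # foreign assignment failed: retry at home
```

   A successful foreign assignment costs one AAAF/AAAH round trip, and a
   failed one costs two, as the flows in Figures 2 and 3 show.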
6 References

   [MIPReq]    "Mobile IP Authentication, Authorization and Accounting
               Requirements", RFC 2977

   [MIPApp]    "DIAMETER Mobile IPv4 Application",
               draft-ietf-aaa-diameter-mobileip-07.txt, Work in
               progress, July 2001

   [3GAAAReq]  "CDMA2000 Wireless Data Requirements for AAA", RFC 3141

   [DIAMETER]  "DIAMETER Base Protocol", draft-ietf-aaa--07.txt, Work in
               progress, July 2001

   [MIPBis]    "IP Mobility Support for IPv4, revised", Work in
               progress, September 2001

7 Acknowledgments

   The authors would like to thank Pete Wenzel, Glenn Morrow and Tony
   Saboorian for their valuable input to this work.

8 Authors' Addresses

   Jayshree Bharatia
   Nortel Networks
   2221, Lakeside Blvd, Richardson, TX-75082
   Phone: 972-684-5767
   jayshree@nortelnetworks.com

   Kuntal Chowdhury
   Nortel Networks
   2221, Lakeside Blvd, Richardson, TX-75082
   Phone: 972-685-7788
   chowdury@nortelnetworks.com