INTERNET DRAFT                                           Pat R. Calhoun
Category: Standards Track                            Charles E. Perkins
Title: draft-calhoun-diameter-mobileip-00.txt     Sun Microsystems, Inc.
Date: July 1998

                      DIAMETER Mobile IP Extensions

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   DIAMETER is an Authentication, Authorization and Accounting (AAA)
   Policy Protocol that is used between two entities for various
   services. This document defines an extension that allows a DIAMETER
   Client to request authentication and receive authorization
   information for a Mobile IP Mobile Node.
Calhoun                  expires January 1999                  [Page 1]
INTERNET DRAFT                                                July 1998

Table of Contents

   1.0 Introduction
       1.1 Specification of Requirements
   2.0 Command Codes
       2.1 AA-Mobile-Node-Request (AMR)
       2.2 AA-Mobile-Node-Answer (AMA)
       2.3 Home-Agent-MIP-Request
       2.4 Home-Agent-MIP-Answer
   3.0 DIAMETER AVPs
       3.1 MIP-Registration-Request
       3.2 MIP-Registration-Reply
       3.3 MN-FA-Challenge
       3.4 MN-FA-Response
       3.5 MN-FA-SPI
       3.6 MN-to-FA-Key
       3.7 FA-to-MN-Key
       3.8 FA-HA-SPI
       3.9 FA-to-HA-Key
       3.10 HA-to-FA-Key
       3.11 MN-HA-SPI
       3.12 MN-to-HA-Key
       3.13 HA-to-MN-Key
       3.14 Mobile-Node-Address
       3.15 Home-Agent-Address
       3.16 Session-Timeout
   4.0 Protocol Definition
   5.0 References
   6.0 Authors' Addresses

1.0 Introduction

   The Mobile IP [4] protocol defines a method that allows Mobile Nodes
   to change their point of attachment on the Internet without service
   disruption. The protocol requires that all Mobility Agents share a
   pre-existing security association, which leads to scaling problems.
   The protocol also does not mention how Mobility Agents account for
   services rendered, which does not make it an attractive protocol for
   use by service providers.

   This draft describes an extension that allows cross-domain
   authentication and authorization, assignment of Mobile Node Home
   Addresses, assignment of Home Agents, as well as Key Distribution, to
   allow the Mobile IP network to scale in a large network. The dynamic
   assignment of Mobile Node and Home Agent addresses makes this
   extension useful for Service Providers wishing to provide Mobile IP
   services for mobile nodes. The soon-to-be DIAMETER Accounting
   extension will be used to collect accounting information.

   This extension requires small modifications to the Mobile IP protocol
   [4], which already exist in the TEP protocol [8], to allow a Mobile
   Node to identify itself using an NAI [6] in addition to an IP
   address.
   The use of the NAI is consistent with the current roaming model which
   makes use of DIAMETER proxying [7].

   The Extension number for this draft is four (4). This value is used
   in the Extension-Id AVP as defined in [1].

1.1 Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification. These words are often capitalized.

   MUST      This word, or the adjective "required", means that the
             definition is an absolute requirement of the specification.

   MUST NOT  This phrase means that the definition is an absolute
             prohibition of the specification.

   SHOULD    This word, or the adjective "recommended", means that there
             may exist valid reasons in particular circumstances to
             ignore this item, but the full implications must be
             understood and carefully weighed before choosing a
             different course.

   MAY       This word, or the adjective "optional", means that this
             item is one of an allowed set of alternatives. An
             implementation which does not include this option MUST be
             prepared to interoperate with another implementation which
             does include the option.

2.0 Command Codes

   This document defines the following DIAMETER Commands. All DIAMETER
   implementations supporting this extension MUST support all of the
   following commands:

      Command Name                 Command Code
      -----------------------------------------
      AA-Mobile-Node-Request          306
      AA-Mobile-Node-Answer           307
      Home-Agent-MIP-Request          308
      Home-Agent-MIP-Answer           309

2.1 AA-Mobile-Node-Request (AMR)

   Description

      The AA-Mobile-Node-Request is sent by a Foreign Agent acting as a
      DIAMETER client to a server to request authentication and
      authorization of a Mobile Node.

      The AA-Mobile-Node-Request message MUST include the
      MIP-Registration-Request, User-Name, MN-FA-Challenge and
      MN-FA-Response AVPs as well as the Session-Id AVP.

      When the Mobile-Node-Address AVP is absent from the
      AA-Mobile-Node-Request, it indicates that a Home Address should be
      assigned to the Mobile Node.
      When the Home-Agent-Address AVP is absent from the
      AA-Mobile-Node-Request, it indicates that a Home Agent should be
      assigned to the Mobile Node.

   Message Format

      ::= { || }

   AVP Format

      A summary of the AA-Mobile-Node-Request packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      256 DIAMETER Command

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Command Code

      The Command Code field MUST be set to 306
      (AA-Mobile-Node-Request).

2.2 AA-Mobile-Node-Answer (AMA)

   Description

      The AA-Mobile-Node-Answer is sent by the DIAMETER Server to the
      client in response to the AA-Mobile-Node-Request message. The
      message MUST include the Session-Id, Result-Code and
      MIP-Registration-Reply AVPs as well as the various key and SPI
      AVPs (shown below) and MAY include the Home-Agent-Address and
      Mobile-Node-Address AVPs.

      When the Home-Agent-Address AVP is present in this message it
      contains the Home Agent that was assigned to the Mobile Node. When
      the Mobile-Node-Address AVP is present in this message it contains
      the Home Address that is being assigned to the Mobile Node.

      The following error codes are defined for this message:

      DIAMETER_ERROR_UNKNOWN_DOMAIN         1
         This error code is used to indicate to the initiator of the
         request that the requested domain is unknown and cannot be
         resolved.
      DIAMETER_ERROR_USER_UNKNOWN           2
         This error code is used to indicate to the initiator that the
         username requested is not valid.

      DIAMETER_ERROR_BAD_PASSWORD           3
         This error code indicates that the password provided is
         invalid.

      DIAMETER_ERROR_CANNOT_AUTHORIZE       4
         This error code is used to indicate that the user cannot be
         authorized because the user has expended local resources. This
         could be the result of the server believing that the user has
         already spent the number of credits in his/her account, etc.

   Message Format

      ::= [] [] { || }

   AVP Format

      A summary of the AA-Mobile-Node-Answer packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      256 DIAMETER Command

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Command Code

      The Command Code field MUST be set to 307
      (AA-Mobile-Node-Answer).

2.3 Home-Agent-MIP-Request (HAR)

   Description

      The Home-Agent-MIP-Request is sent by the home DIAMETER server to
      the Home Agent overseeing the Mobile Node to process the Mobile IP
      Registration Request. The Home-Agent-MIP-Request message MUST
      include the MIP-Registration-Request, User-Name and Session-Id
      AVPs as well as the SPI and key AVPs (shown below) to be used by
      the Mobile Node and the Home Agent.
      When the Mobile-Node-Address AVP is absent from the request it
      indicates that the Home Agent MUST assign a Home Address for the
      Mobile Node, otherwise the value in the Mobile-Node-Address AVP
      MUST be used.

   Message Format

      ::= [] { || }

   AVP Format

      A summary of the Home-Agent-MIP-Request packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      256 DIAMETER Command

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Command Code

      The Command Code field MUST be set to 308
      (Home-Agent-MIP-Request).

2.4 Home-Agent-MIP-Answer (HAA)

   Description

      The Home-Agent-MIP-Answer is sent by the Home Agent to the home
      DIAMETER Server in response to the Home-Agent-MIP-Request. The
      message MUST include the Session-Id, Result-Code and
      MIP-Registration-Reply AVPs and MAY include the Mobile-Node-Address
      AVP if the Home Agent was responsible for assigning an address to
      the Mobile Node.

      The following error codes are defined for this message:

      DIAMETER_ERROR_BAD_KEY                1
         This error code is used by the Home Agent to indicate to the
         local DIAMETER Server that the key generated is invalid.

      DIAMETER_ERROR_BAD_HOME_ADDRESS       2
         This error code is used by the Home Agent to indicate that the
         Home Address chosen by the Mobile Node or assigned by the local
         DIAMETER server cannot be handled.
      DIAMETER_ERROR_TOO_BUSY               3
         This error code is used by the Home Agent to inform the
         DIAMETER Server that it cannot handle an extra Mobile Node.
         Upon receiving this error the DIAMETER Server can try to use an
         alternate Home Agent if available.

      DIAMETER_ERROR_MIP_REPLY_FAILURE      4
         This error code is used by the Home Agent to inform the
         DIAMETER Server that the Registration Request was not
         successful.

   Message Format

      ::= [] { || }

   AVP Format

      A summary of the Home-Agent-MIP-Answer packet format is shown
      below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Command Code                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      256 DIAMETER Command

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Command Code

      The Command Code field MUST be set to 309
      (Home-Agent-MIP-Answer).

3.0 DIAMETER AVPs

   This section defines the mandatory AVPs which MUST be supported by
   all DIAMETER implementations supporting this extension.
   The following AVPs are defined in this document:

      Attribute Name               Attribute Code
      -------------------------------------------
      MIP-Registration-Request        320
      MIP-Registration-Reply          321
      MN-FA-Challenge                 322
      MN-FA-Response                  323
      MN-FA-SPI                       324
      MN-to-FA-Key                    325
      FA-to-MN-Key                    326
      FA-HA-SPI                       327
      FA-to-HA-Key                    328
      HA-to-FA-Key                    329
      MN-HA-SPI                       330
      MN-to-HA-Key                    331
      HA-to-MN-Key                    332
      Mobile-Node-Address             333
      Home-Agent-Address              334
      Session-Timeout                  27

3.1 MIP-Registration-Request

   Description

      This AVP is used to carry the Mobile IP Registration Request [4]
      sent by the Mobile Node to the Foreign Agent within a DIAMETER
      message.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      320 MIP-Registration-Request

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the Mobile IP Registration Request.

3.2 MIP-Registration-Reply

   Description

      This AVP is used to carry the Mobile IP Registration Reply [4]
      sent by the Home Agent to the Foreign Agent within a DIAMETER
      message.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      321 MIP-Registration-Reply

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the Mobile IP Registration Reply.

3.3 MN-FA-Challenge

   Description

      This AVP contains the Challenge generated by the Foreign Agent to
      the Mobile Node as defined in [5].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      322 MN-FA-Challenge

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the Foreign Agent's Challenge to the
      Mobile Node.

3.4 MN-FA-Response

   Description

      This AVP contains the Response generated by the Mobile Node as
      defined in [5]. The value is the result of the Challenge presented
      by the Foreign Agent hashed using the secret the Mobile Node
      shares with its Home DIAMETER Server.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      323 MN-FA-Response

   AVP Length

      The length of this attribute MUST be at least 9.
   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the Mobile Node's Challenge Response.

3.5 MN-FA-SPI

   Description

      The MN-FA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Mobile Node (MN-to-FA-Key,
      FA-to-MN-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      324 MN-FA-SPI

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Integer32

      The Integer32 field contains the SPI value associated with the key
      shared between the Mobile Node and the Foreign Agent.

3.6 MN-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the
      Mobile-Foreign Authentication-Extension in the Mobile IP
      Registration Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      325 MN-to-FA-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the encrypted key to be used by the Mobile
      Node when generating the Mobile IP Mobile-Foreign
      Authentication-Extension.

3.7 FA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the
      Mobile-Foreign Authentication-Extension in the Mobile IP
      Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      326 FA-to-MN-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the encrypted key to be used by the
      Foreign Agent when generating the Mobile IP Mobile-Foreign
      Authentication-Extension.

3.8 FA-HA-SPI

   Description

      The FA-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Foreign Agent and the Home Agent (FA-to-HA-Key,
      HA-to-FA-Key).
   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      327 FA-HA-SPI

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Integer32

      The Integer32 field contains the SPI value associated with the key
      shared between the Foreign Agent and the Home Agent.

3.9 FA-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Foreign Agent when computing the
      Foreign-Home Authentication-Extension in the Mobile IP
      Registration Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      328 FA-to-HA-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the encrypted key to be used by the
      Foreign Agent when generating the Mobile IP Foreign-Home
      Authentication-Extension.
3.10 HA-to-FA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the
      Foreign-Home Authentication-Extension in the Mobile IP
      Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      329 HA-to-FA-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the encrypted key to be used by the Home
      Agent when generating the Mobile IP Foreign-Home
      Authentication-Extension.

3.11 MN-HA-SPI

   Description

      The MN-HA-SPI is sent in both the Home-Agent-MIP-Request as well
      as the AA-Mobile-Node-Answer messages and contains the SPI value
      associated with the key generated by the home DIAMETER Server for
      use between the Mobile Node and the Home Agent (MN-to-HA-Key,
      HA-to-MN-Key).

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      330 MN-HA-SPI

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used.
      The 'V', 'T' and the 'U' bits MUST NOT be set.

   Integer32

      The Integer32 field contains the SPI value associated with the
      Session Key shared between the Mobile Node and the Home Agent.

3.12 MN-to-HA-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Mobile Node when computing the
      Mobile-Home Authentication-Extension in the Mobile IP Registration
      Request [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      331 MN-to-HA-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Data

      The data field contains the encrypted key to be used by the Mobile
      Node when generating the Mobile IP Mobile-Home
      Authentication-Extension.

3.13 HA-to-MN-Key

   Description

      This AVP contains the Key generated by the home DIAMETER Server
      that must be used by the Home Agent when computing the Mobile-Home
      Authentication-Extension in the Mobile IP Registration Reply [4].

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-+-+-+-+

   AVP Code

      332 HA-to-MN-Key

   AVP Length

      The length of this attribute MUST be at least 9.

   AVP Flags

      The 'M' bit MUST be set.
      The 'H' and 'E' MAY be set depending upon the security model used.
      The 'V', 'T' and the 'U' bits MUST NOT be set.

   Data

      The data field contains the encrypted key to be used by the Home
      Agent when generating the Mobile IP Mobile-Home
      Authentication-Extension.

3.14 Mobile-Node-Address

   Description

      When used in the AA-Mobile-Node-Request it contains the Mobile
      Node's Home Address. When present in the MIP-Registration-Reply
      message it contains the Home Address assigned to the Mobile Node.
      The lack of this AVP in the AA-Mobile-Node-Request indicates that
      the Mobile Node is requesting that a Home Address be assigned to
      it.

   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      333 Mobile-Node-Address

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Address

      The Address field contains the IP address assigned to the Mobile
      Node.

3.15 Home-Agent-Address

   Description

      When used in the AA-Mobile-Node-Request it contains the Mobile
      Node's requested Home Agent. When present in the
      MIP-Registration-Reply message it contains the Home Agent assigned
      to the Mobile Node. The lack of this AVP in the
      AA-Mobile-Node-Request indicates that the Mobile Node is
      requesting that a Home Agent be assigned to it.
   AVP Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Address                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      334 Home-Agent-Address

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Address

      The Address field contains the Home Agent address assigned to the
      Mobile Node.

3.16 Session-Timeout

   Description

      This AVP contains the number of seconds before the session keys
      expire.

   AVP Format

      A summary of the Session-Timeout Attribute format is shown below.
      The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           AVP Code                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          AVP Length           |      Reserved     |U|T|V|E|H|M|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Integer32                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AVP Code

      27 for Session-Timeout.

   AVP Length

      The length of this attribute MUST be 12.

   AVP Flags

      The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
      upon the security model used. The 'V', 'T' and the 'U' bits MUST
      NOT be set.

   Integer32

      The Integer32 field is 4 octets, containing a 32-bit unsigned
      integer with the number of seconds before the session keys expire.
      A value of zero means that the session keys have no expiration.
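The AVP header layout and the per-AVP length and flag rules of sections 2 and 3, as an added Python example (not code from the draft or its authors). It encodes and parses AVPs, enforces the 'M' / 'V' / 'T' / 'U' rules and the "MUST be 12" / "at least 9" lengths, and inspects an AA-Mobile-Node-Request against section 2.1; the User-Name (1) and Session-Id (263) codes are assumed from the base DIAMETER specification, which this draft references but does not reproduce, and the sample message is constructed, not captured traffic.

```python
"""AVP encoder/decoder for the DIAMETER Mobile IP extension, enforcing the
per-AVP MUST rules of sections 2 and 3. Added example, not the draft's code."""
import struct

# Flag bits in the low 6 bits of the second header word: Reserved |U|T|V|E|H|M
FLAG_M, FLAG_H, FLAG_E, FLAG_V, FLAG_T, FLAG_U = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

DIAMETER_COMMAND = 256                     # section 2: carries the Command Code
COMMAND_NAMES = {306: "AA-Mobile-Node-Request", 307: "AA-Mobile-Node-Answer",
                 308: "Home-Agent-MIP-Request", 309: "Home-Agent-MIP-Answer"}
# AVP codes from the table in section 3.0
MIP_REGISTRATION_REQUEST, MIP_REGISTRATION_REPLY = 320, 321
MN_FA_CHALLENGE, MN_FA_RESPONSE = 322, 323
MN_FA_SPI, MN_TO_FA_KEY, FA_TO_MN_KEY = 324, 325, 326
FA_HA_SPI, FA_TO_HA_KEY, HA_TO_FA_KEY = 327, 328, 329
MN_HA_SPI, MN_TO_HA_KEY, HA_TO_MN_KEY = 330, 331, 332
MOBILE_NODE_ADDRESS, HOME_AGENT_ADDRESS, SESSION_TIMEOUT = 333, 334, 27
# Base-protocol AVPs the AMR also requires. ASSUMPTION: codes taken from the
# base DIAMETER specification [1]; this draft does not list them.
USER_NAME, SESSION_ID = 1, 263

# "The length of this attribute MUST be 12": Integer32, Address, Command AVPs
FIXED12 = {DIAMETER_COMMAND, MN_FA_SPI, FA_HA_SPI, MN_HA_SPI,
           MOBILE_NODE_ADDRESS, HOME_AGENT_ADDRESS, SESSION_TIMEOUT}
# "The length of this attribute MUST be at least 9": opaque Data AVPs
ATLEAST9 = {MIP_REGISTRATION_REQUEST, MIP_REGISTRATION_REPLY, MN_FA_CHALLENGE,
            MN_FA_RESPONSE, MN_TO_FA_KEY, FA_TO_MN_KEY, FA_TO_HA_KEY,
            HA_TO_FA_KEY, MN_TO_HA_KEY, HA_TO_MN_KEY}
HDR = struct.Struct("!IHH")                # AVP Code | AVP Length | Reserved+flags

def encode_avp(code, data, flags=FLAG_M):
    """Serialise one AVP: 8-octet header then the data. An int is packed as
    the 4-octet Integer32 / Address / Command Code field."""
    if isinstance(data, int):
        data = struct.pack("!I", data)
    return HDR.pack(code, HDR.size + len(data), flags & 0x3F) + data

def decode_avp(buf, off=0):
    """Parse the AVP at buf[off:], rejecting anything that breaks the flag or
    length rules. Returns (code, flags, data, next_offset)."""
    if len(buf) - off < HDR.size:
        raise ValueError("truncated AVP header")
    code, length, word = HDR.unpack_from(buf, off)
    flags = word & 0x3F                    # the top 10 bits are Reserved
    if length < HDR.size or off + length > len(buf):
        raise ValueError("AVP %d: bad length %d" % (code, length))
    if code in FIXED12 and length != 12:
        raise ValueError("AVP %d: length MUST be 12, got %d" % (code, length))
    if code in ATLEAST9 and length < 9:
        raise ValueError("AVP %d: length MUST be at least 9" % code)
    if not flags & FLAG_M:
        raise ValueError("AVP %d: 'M' bit MUST be set" % code)
    if flags & (FLAG_V | FLAG_T | FLAG_U):
        raise ValueError("AVP %d: 'V', 'T' and 'U' bits MUST NOT be set" % code)
    return code, flags, buf[off + HDR.size:off + length], off + length

def decode_message(buf):
    """Split a message into (command_code, {avp_code: data}). The DIAMETER
    Command AVP must come first and carry one of the section 2 codes."""
    avps, off = [], 0
    while off < len(buf):
        code, _flags, data, off = decode_avp(buf, off)
        avps.append((code, data))
    if not avps or avps[0][0] != DIAMETER_COMMAND:
        raise ValueError("message does not start with a DIAMETER Command AVP")
    cmd = struct.unpack("!I", avps[0][1])[0]
    if cmd not in COMMAND_NAMES:
        raise ValueError("unknown command code %d" % cmd)
    return cmd, dict(avps[1:])

AMR_MANDATORY = {MIP_REGISTRATION_REQUEST, USER_NAME, MN_FA_CHALLENGE,
                 MN_FA_RESPONSE, SESSION_ID}

def inspect_amr(buf):
    """Validate an AA-Mobile-Node-Request (section 2.1) and report what the
    absent optional AVPs ask the home server to assign."""
    cmd, avps = decode_message(buf)
    if cmd != 306:
        raise ValueError("expected AMR (306), got %s" % COMMAND_NAMES[cmd])
    missing = AMR_MANDATORY - set(avps)
    if missing:
        raise ValueError("AMR missing mandatory AVPs: %s" % sorted(missing))
    return {"user": avps[USER_NAME].decode("ascii"),
            "assign_home_address": MOBILE_NODE_ADDRESS not in avps,
            "assign_home_agent": HOME_AGENT_ADDRESS not in avps}

def build_sample_amr():
    """Constructed AMR (sample values, not captured traffic) that carries
    neither a Mobile-Node-Address nor a Home-Agent-Address AVP."""
    return b"".join([
        encode_avp(DIAMETER_COMMAND, 306),
        encode_avp(SESSION_ID, b"fa1.isp.example;4711"),
        encode_avp(USER_NAME, b"mn@home.example"),
        encode_avp(MIP_REGISTRATION_REQUEST, bytes(24)),   # stand-in Reg-Req
        encode_avp(MN_FA_CHALLENGE, bytes(range(16))),
        encode_avp(MN_FA_RESPONSE, bytes(16))])
```

Running `inspect_amr(build_sample_amr())` reports that both a Home Address and a Home Agent must be assigned, which is exactly what the absence of the two optional AVPs signals in section 2.1.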
4.0 Protocol Definition

   This section outlines how the DIAMETER Mobile IP Extension can be
   used. The following diagram is an example of an inter-domain Mobile
   IP network.

            ISP                                       Home Network
         +--------+                                      +--------+
         | proxy  |              AMR/A                   |  AAA   |
         |  AAA   |<------------------------------------>|        |
         | server |           server-server              | server |
         +--------+           communication              +--------+
            /  /|                                           /|(
           /  / |   client-server                    HAR/A   |
      AMR/A  /  |   communication                            |
         /  /   |                                           |/_
        |/_/    |
     +---------+  +---------+                          +---------+
     | Foreign |  | Foreign |                          |  Home   |
     |  Agent  |  |  Agent  |                          |  Agent  |
     +---------+  +---------+                          +---------+
        /|(
         |  Mobile IP
         /
     +--------+
     | Mobile |
     |  Node  |
     +--------+

   The AA-Mobile-Node-Request is generated by the Foreign Agent and
   includes the AVPs defined in section 2.1. If the Home Address field
   in the Registration Request was set to a value other than zero the
   Mobile-Node-Address AVP is added to the DIAMETER request. If the Home
   Agent field in the Registration Request was set to a value other than
   zero the Home-Agent-Address AVP is added to the DIAMETER request. The
   DIAMETER request is then forwarded to the Foreign Agent's local
   DIAMETER Server.

   When the ISP's DIAMETER Server receives the message it looks at the
   User-Name AVP [1] to determine whether authentication and
   authorization can be handled locally. The User-Name format is
   consistent with the NAI described in [6] and the user's domain is
   used to determine the Mobile Node's home DIAMETER Server. In the
   example below the request cannot be processed locally, therefore the
   request is forwarded to the Mobile Node's home DIAMETER Server.

   The following is an example of the first Mobile IP and DIAMETER
   exchange which sets up the key. Note that this example is also valid
   when the session key expires and a new key needs to be generated.
   Mobile Node   Foreign Agent   Proxy Server   Home Server   Home Agent
   -----------   -------------   ------------   -----------   ----------
        <-------Challenge
     Reg-Req(Response)->
                       AMR------------->
                                       AMR------------>
                                                      HAR----------->
                                                      <----------HAA
                                       <-----------AMA
                       <------------AMA
        <-------Reg-Reply

   The home DIAMETER Server must first authenticate the user. This is
   done by first validating the MN-FA-Challenge which contains a
   timestamp. The timestamp information is embedded within the
   challenge to prevent replay attacks. The server then uses the user's
   secret or its public key and performs the hash on the challenge and
   ensures that the result is identical with the value in the
   MN-FA-Response AVP. If both values are identical the user is
   authenticated, otherwise an error message is returned. See [5] for
   more information on the challenge format and how the hash is
   computed.

   If successfully authenticated, the DIAMETER Server checks whether the
   Home-Agent-Address AVP was part of the AA-Mobile-Node-Request. If so
   the server must validate the address to ensure that it is a known
   Home Agent. If no such AVP was present in the request the server can
   allocate a known Home Agent for the Mobile Node. This can be done in
   a variety of ways including using a load balancing algorithm in order
   not to overburden any given Home Agent. Note that the existing Home
   Agent Discovery method described in [4] can still be used.

   If the request did not contain a Mobile-Node-Address AVP, the
   DIAMETER Server has the option to assign an address for the Mobile
   Node or leave it up to the Home Agent to assign an address. This is
   purely a local policy decision.

   The DIAMETER Server then generates three sets of short-lived session
   keys. One that will be shared between the Home Agent and the Foreign
   Agent, one between the Mobile Node and the Foreign Agent and one
   between the Mobile Node and the Home Agent.
The keys destined for the Mobile Node are encrypted either using the Mobile Node's secret or its public key [1]. The keys destined for the Foreign Agent are encrypted either using the DIAMETER Secret shared between the Home DIAMETER Server and the ISP's proxy Server, or using public key cryptography [1]. The keys destined for the Home Agent can either be encrypted using the DIAMETER Secret, or, if IPSEC's ESP is in use, no DIAMETER encryption is necessary. The Session-Timeout AVP is included and contains the number of seconds before the session keys expire.

Note that this extension requires a departure from the existing SPI usage described in [4]. The DIAMETER Server generates SPI values for the Mobility Agents, as opposed to a receiver choosing its own SPI value. The SPI values are used as Key Identifiers, meaning that each shared session key has its own SPI value, and since two nodes share a session key they share an SPI as well. Take for example a scenario where a Mobile Node and a Foreign Agent share a key that was created by the DIAMETER Server, and the Server also generated a corresponding SPI value of x. All Mobile-Foreign Authentication extensions must be computed by either entity using the shared session key and must include the SPI value x.

The DIAMETER Server then sends a Home-Agent-MIP-Request to the assigned or requested Home Agent. The request contains the original MIP-Registration-Request as well as the keys and SPIs destined for the Home Agent (HA-to-MN-Key, MN-HA-SPI, HA-to-FA-Key and FA-HA-SPI AVPs) and for the Mobile Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and MN-to-HA-Key AVPs). The Mobile-Node-Address AVP is present if the Mobile Node specified an address or if the home DIAMETER Server assigned an address, but not if the Home Agent assigns it. The Home Agent processes the DIAMETER Home-Agent-MIP-Request as well as the embedded Mobile IP Registration Request.
If both are successfully processed, the Home Agent creates the Mobile IP Registration Reply and includes the keying material to be used by the Mobile Node (MN-FA-SPI, MN-to-FA-Key, MN-HA-SPI and MN-to-HA-Key), which is attached as the MIP-Registration-Reply AVP. If no Mobile-Node-Address AVP was present in the request, the Home Agent must assign an address for the Mobile Node. The Result-Code AVP is included and the Home-Agent-MIP-Answer is sent to the home DIAMETER Server.

The home DIAMETER Server issues an AA-Mobile-Node-Answer to the Foreign Agent which includes the MIP-Registration-Reply, Result-Code and Mobile-Node-Address AVPs. The message also includes the keys and SPI AVPs used by the Foreign Agent (MN-FA-SPI, FA-to-MN-Key, FA-HA-SPI and FA-to-HA-Key AVPs). The message is then transmitted to the ISP's proxy DIAMETER Server.

Upon receipt of the successful AA-Mobile-Node-Answer the proxy server decrypts the FA-to-MN-Key and FA-to-HA-Key AVPs. These keys are then re-encrypted using the DIAMETER secret shared with the Foreign Agent, or are not encrypted if IPSEC's ESP is used between the Foreign Agent and the Proxy DIAMETER Server. The message is then transmitted to the Foreign Agent.

The Foreign Agent, upon receipt of the AA-Mobile-Node-Answer, must decrypt the appropriate Key AVPs and process the Mobile IP Registration Reply, which is then forwarded to the Mobile Node.

From this point on, Registration Requests and Replies no longer traverse the DIAMETER proxy chain: the Foreign Agent contacts the Home Agent directly using the keys which were previously distributed. This can continue until the session keys expire, as indicated in the Session-Timeout AVP. Subsequent Mobile IP message exchanges, which no longer involve the DIAMETER servers, take the form shown in the next diagram.
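As an added example in Python (not code from the draft) of the key and SPI distribution described above, and of the subsequent exchange diagrammed next: the home DIAMETER Server generates the three session keys with server-chosen SPIs and a Session-Timeout; the Mobile Node, Foreign Agent and Home Agent each install their keys indexed by SPI; a later Reg-Req's authentication extensions are then verified by SPI lookup, and are refused once the Session-Timeout has passed. Assumptions, all mine: 16-byte random keys, SPIs allocated upward from 256, an authentication extension consisting of the 32-bit SPI followed by an HMAC-MD5 over the registration message, and a 600-second timeout. The encryption of the Key AVPs in transit (secret or public key, or ESP) is omitted.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the draft.  Assumptions: session keys are 16 random
# bytes; the home DIAMETER Server picks SPIs upward from 256 (RFC 2002
# reserves 0-255); a Mobile IP authentication extension is the 32-bit SPI
# followed by an HMAC-MD5 over the registration message under the key that
# SPI names.  The real authenticator computation is per [4] and [5].
SESSION_TIMEOUT = 600  # value carried in the Session-Timeout AVP, seconds


class HomeServer:
    """Home DIAMETER Server: allocates SPIs and short-lived session keys."""

    def __init__(self):
        self.next_spi = 256

    def issue_keys(self, now):
        # One key per pair; both peers of a pair receive the same key and SPI.
        keys = {}
        for pair in ("MN-FA", "FA-HA", "MN-HA"):
            keys[pair] = {"spi": self.next_spi, "key": os.urandom(16),
                          "expires": now + SESSION_TIMEOUT}
            self.next_spi += 1
        return keys


class KeyHolder:
    """Mobile Node, Foreign Agent or Home Agent: session keys indexed by SPI."""

    def __init__(self):
        self.keys_by_spi = {}

    def install(self, entry):
        self.keys_by_spi[entry["spi"]] = (entry["key"], entry["expires"])

    def auth_extension(self, spi, message):
        key, _ = self.keys_by_spi[spi]
        return struct.pack("!I", spi) + hmac.new(key, message, hashlib.md5).digest()

    def verify(self, message, ext, now):
        # The SPI in the extension selects the key; an SPI this node was never
        # given (e.g. the HA seeing an MN-FA extension) is simply unknown.
        spi = struct.unpack("!I", ext[:4])[0]
        entry = self.keys_by_spi.get(spi)
        if entry is None:
            return "unknown SPI"
        key, expires = entry
        if now > expires:
            return "session key expired"
        expected = hmac.new(key, message, hashlib.md5).digest()
        if not hmac.compare_digest(expected, ext[4:]):
            return "bad authenticator"
        return "ok"


def distribute_keys(server, mn, fa, ha, now):
    """The first exchange: MN gets its keys via the Reg-Reply, the FA via the
    AMA, the HA via the HAR.  Each key lands on exactly the two peers that share it."""
    keys = server.issue_keys(now)
    mn.install(keys["MN-FA"])
    fa.install(keys["MN-FA"])
    fa.install(keys["FA-HA"])
    ha.install(keys["FA-HA"])
    mn.install(keys["MN-HA"])
    ha.install(keys["MN-HA"])
    return keys


def subsequent_registration(keys, mn, fa, ha, now):
    """A later Reg-Req that bypasses the DIAMETER servers entirely."""
    req = b"Reg-Req constructed sample"  # constructed stand-in for the message
    mn_fa = mn.auth_extension(keys["MN-FA"]["spi"], req)
    mn_ha = mn.auth_extension(keys["MN-HA"]["spi"], req)
    results = {"fa_checks_mn": fa.verify(req, mn_fa, now)}
    # FA strips MN-FA-Auth, adds FA-HA-Auth, forwards MN-HA-Auth untouched.
    fa_ha = fa.auth_extension(keys["FA-HA"]["spi"], req)
    results["ha_checks_mn"] = ha.verify(req, mn_ha, now)
    results["ha_checks_fa"] = ha.verify(req, fa_ha, now)
    return results


def run(now=1000000):
    server, mn, fa, ha = HomeServer(), KeyHolder(), KeyHolder(), KeyHolder()
    keys = distribute_keys(server, mn, fa, ha, now)
    fresh = subsequent_registration(keys, mn, fa, ha, now + 60)
    # After Session-Timeout the keys are refused; the Mobile Node must go back
    # through the challenge / AMR exchange to obtain new keys.
    expired = subsequent_registration(keys, mn, fa, ha, now + SESSION_TIMEOUT + 1)
    return keys, fresh, expired


if __name__ == "__main__":
    issued, fresh, expired = run()
    print({p: k["spi"] for p, k in issued.items()}, fresh, expired)
```

The point to take from the SPI-as-key-identifier design is that a receiver never chooses its own SPI: it accepts only SPIs the home server handed it, so a peer presenting an SPI it was never issued fails closed rather than falling back to some other association.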
Mobile Node              Foreign Agent                  Home Agent
-----------              -------------                  ----------
Reg-Req(MN-FA-Auth, MN-HA-Auth)-------->
                         Reg-Req(MN-HA-Auth, FA-HA-Auth)-------->
                         <--------Reg-Rep(MN-HA-Auth, FA-HA-Auth)
<--------Reg-Rep(MN-HA-Auth, MN-FA-Auth)

5.0 References

[1] Calhoun, Rubens, "DIAMETER", Internet-Draft,
    draft-calhoun-diameter-04.txt, July 1998.

[2] Calhoun, Zorn, Pan, "DIAMETER Framework", Internet-Draft,
    draft-calhoun-diameter-framework-01.txt, August 1998.

[3] P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
    Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, March 1998.

[4] C. Perkins, Editor, "IP Mobility Support", RFC 2002, October 1996.

[5] C. Perkins, "Router Advertisement Challenge Extension",
    draft-ietf-mobileip-?????-00.txt, August 1998.

[6] B. Aboba, "The Network Access Identifier",
    draft-ietf-roamops-nai-11.txt, July 1998.

[7] Aboba, Zorn, "Roaming Requirements",
    draft-ietf-roamops-roamreq-09.txt, April 1998.

[8] P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
    Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, March 1998.

6.0 Authors' Addresses

Questions about this memo can be directed to:

   Pat R. Calhoun
   Technology Development
   Sun Microsystems, Inc.
   15 Network Circle
   Menlo Park, California, 94025
   USA

   Phone:  1-650-786-7733
   Fax:    1-650-786-6445
   E-mail: pcalhoun@eng.sun.com

   Charles E. Perkins
   Technology Development
   Sun Microsystems, Inc.
   15 Network Circle
   Menlo Park, California, 94025
   USA

   Phone:  1-650-786-6464
   Fax:    1-650-786-6445
   E-mail: charles.perkins@eng.sun.com