1 RADIUS Mobile IPv6 Support draft-ietf-mip6-radius-01.txt Kuntal Chowdhury Avi Lior Hannes...

Post on 04-Jan-2016


1

RADIUS Mobile IPv6 Support

draft-ietf-mip6-radius-01.txt

Kuntal Chowdhury

Avi Lior

Hannes Tschofenig

2

Changes

• Editorial changes

• Added text to attributes regarding their occurrences

• Updated “Table of Attributes” section with regard to accounting

• Added “Diameter Considerations” section

3

Next Step

• Meet RADEXT standards with regard to attribute formatting.

• Define what to put in Service-Type and/or NAS-Port-Type attributes.

• Make sure that the Diameter Mobility work in DIME is in line with this document.

4

Backup Slides

5

Overview

• RADIUS based AAA infrastructure can be used in conjunction with MIPv6

• The essential information set for bootstrapping a MIPv6 MN can be sent to the AR or the HA via RADIUS attributes

• The 01 version of the I-D covers bootstrapping scenarios for the following:

  – Split Scenario

  – Integrated Scenario

6

Split Scenario

• MSA != MSP

• RADIUS interaction triggered by protocol (MIP6/IKEv2) transaction at the HA

• The HA acts as a RADIUS Client.

• At the end of the RADIUS transaction the HA should have relevant MIPv6 specific parameters

• The RADIUS server may also instruct the HA to perform DNS update for the MN

7

Integrated Scenario

• ASA != MSA

• At the time of access auth/authz, the RADIUS server in the ASA (/MSA) may download the relevant MIPv6 parameters to the NAS/AR

• The NAS/AR acts as the RADIUS Client

• The HA also acts as the RADIUS Client

8

RADIUS Attributes

• The following attributes are identified at present:

  – Home Agent Address

  – Home Agent FQDN

  – Home Link Prefix

  – Home Address

  – DNS Update Mobility Option

9

Additional Enhancements

• The necessary support for the following is planned to be included in the next revision:

  – MIP6 Auth protocol (RFC 4285), and

  – The associated bootstrapping I-D: draft-devarapalli-mip6-authprotocol-bootstrap

10

AAA-Goals: Compliance

• G1.1 – G1.4:

  – These are standard requirements for a AAA protocol: mutual authentication, integrity, replay protection, confidentiality.

  – IPsec can be used to achieve the goals

• G1.5 Inactive Peer Detection

  – needs further investigation, since heartbeat messages do not exist in RADIUS.

  – However, there are robust RADIUS failover mechanisms deployed today for this purpose

11

AAA-Goals: Compliance

• G2.1: Use of NAI over HA-AAA

  – Username Attribute can be used for this

• G2.2: Query for MIPv6 authz

  – HA can send Access-Request to authz the user

• G2.3: Enforce operational limitations

  – RADIUS based NAS-filter-rule, QoS, prepaid… work in progress in IETF

12

AAA-Goals: Compliance

• G2.4 – G2.6: MIPv6 session limit, disconnect, re-authz etc.

  – RADIUS attributes like session-timeout, Change-of-Authorization, Disconnect Message, prepaid extensions can be leveraged to meet these goals.

• G3.1: Accounting HA-AAA interface

  – Existing accounting messages can be used

  – Do we need AR/NAS-AAA accounting?

13

AAA-Goals: Compliance

• G4.1: HA-AAA intf, pass through EAP auth with HA as the EAP authenticator

  – In general, RADIUS meets this goal.

  – Details can be worked out for relevant scenarios.

• G5.1: DNS update

  – Already defined the DNS Update Mobility Option Attribute