1
RADIUS Mobile IPv6 Support
draft-ietf-mip6-radius-01.txt
Kuntal Chowdhury
Avi Lior
Hannes Tschofenig
2
Changes
• Editorial changes
• Added text to attributes regarding their occurrences
• Updated “Table of Attributes” section with regard to accounting
• Added “Diameter Considerations” section
3
Next Step
• Meet RADEXT standards with regard to attribute formatting.
• Define what to put in Service-Type and/or NAS-Port-Type attributes.
• Make sure that the Diameter Mobility work in DIME is in line with this document.
4
Backup Slides
5
Overview
• RADIUS based AAA infrastructure can be used in conjunction with MIPv6
• The essential information set for bootstrapping a MIPv6 MN can be sent to the AR or the HA via RADIUS attributes
• The 01 version of the I-D covers bootstrapping scenarios for the following:
– Split Scenario
– Integrated Scenario
6
Split Scenario
• MSA != MSP
• RADIUS interaction triggered by protocol (MIP6/IKEv2) transaction at the HA
• The HA acts as a RADIUS Client.
• At the end of the RADIUS transaction the HA should have relevant MIPv6 specific parameters
• The RADIUS server may also instruct the HA to perform DNS update for the MN
7
Integrated Scenario
• ASA != MSA
• At the time of access auth/authz, the RADIUS server in the ASA (/MSA) may download the relevant MIPv6 parameters to the NAS/AR
• The NAS/AR acts as the RADIUS Client
• The HA also acts as the RADIUS Client
8
RADIUS Attributes
• The following attributes are identified at present:
– Home Agent Address
– Home Agent FQDN
– Home Link Prefix
– Home Address
– DNS Update Mobility Option
9
Additional Enhancements
• The necessary support for the following is planned to be included in the next revision
– MIP6 Auth protocol (RFC 4285) and
– The associated bootstrapping I-D: draft-devarapalli-mip6-authprotocol-bootstrap
10
AAA-Goals: Compliance
• G1.1 – G1.4:
– These are standard requirements for a AAA protocol: mutual authentication, integrity, replay protection, confidentiality.
– IPsec can be used to achieve the goals
• G1.5 Inactive Peer Detection
– needs further investigation, since heartbeat messages do not exist in RADIUS.
– However, there are robust RADIUS failover mechanisms deployed today for this purpose
11
AAA-Goals: Compliance
• G2.1: Use of NAI over HA-AAA
– Username Attribute can be used for this
• G2.2: Query for MIPv6 authz
– HA can send Access-Request to authz the user
• G2.3: Enforce operational limitations
– RADIUS based NAS-filter-rule, QoS, prepaid…work in progress in IETF
12
AAA-Goals: Compliance
• G2.4 – G2.6: MIPv6 session limit, disconnect, re-authz etc.
– RADIUS attributes like session-timeout, Change-of-Authorization, Disconnect Message, prepaid extensions can be leveraged to meet these goals.
• G3.1: Accounting HA-AAA interface
– Existing accounting messages can be used
– Do we need AR/NAS-AAA accounting?
13
AAA-Goals: Compliance
• G4.1: HA-AAA intf, pass through EAP auth with HA as the EAP authenticator
– In general, RADIUS meets this goal.
– Details can be worked out for relevant scenarios.
• G5.1: DNS update
– Already defined the DNS Update Mobility Option Attribute