[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits] [IPR]

Versions: (draft-tschofenig-dime-mip6-split) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 RFC 5778

Diameter Maintenance and                                J. Korhonen, Ed.
Extensions (DIME)                                            TeliaSonera
Internet-Draft                                             H. Tschofenig
Intended status: Standards Track                  Nokia Siemens Networks
Expires: April 1, 2008                                      J. Bournelle
                                                      France Telecom R&D
                                                             G. Giaretta
                                                                Qualcomm
                                                             M. Nakhjiri
                                                                Motorola
                                                      September 29, 2007


    Diameter Mobile IPv6: Support for Home Agent to Diameter Server
                              Interaction
                   draft-ietf-dime-mip6-split-05.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 1, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).






Korhonen, et al.          Expires April 1, 2008                 [Page 1]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


Abstract

   Mobile IPv6 deployments may want to bootstrap their operations
   dynamically based on an interaction between the Home Agent and the
   Diameter server of the Mobile Service Provider (MSP).  This document
   specifies the interaction between a Mobile IP Home Agent and the
   Diameter server.

   Several different mechanisms for authenticating a Mobile Node are
   supported.  The usage of the Internet Key Exchange v2 (IKEv2)
   protocol allows different mechanisms, such as the Extensible
   Authentication Protocol (EAP), certificates and pre-shared secrets in
   IKEv2 to be used.  Furthermore, another method makes use of the
   Mobile IPv6 Authentication protocol.  In addition to authentication
   authorization, the configuration of Mobile IPv6 specific parameters
   and accounting is specified in this document.



































Korhonen, et al.          Expires April 1, 2008                 [Page 2]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  7
   3.  Advertising Application Support  . . . . . . . . . . . . . . .  7
   4.  Protocol Description . . . . . . . . . . . . . . . . . . . . .  7
     4.1.  Support for Mobile IPv6 with IKEv2 and EAP . . . . . . . .  7
     4.2.  Support for Mobile IPv6 with IKEv2 and Certificates  . . .  9
     4.3.  Support for Mobile IPv6 with IKEv2 and Pre-Shared
           Secrets  . . . . . . . . . . . . . . . . . . . . . . . . . 10
     4.4.  Support for the Mobile IPv6 Authentication Protocol  . . . 10
     4.5.  Mobile IPv6 Session Management . . . . . . . . . . . . . . 11
       4.5.1.  Session-Termination-Request Command  . . . . . . . . . 11
       4.5.2.  Session-Termination-Answer Command . . . . . . . . . . 11
       4.5.3.  Abort-Session-Request Command  . . . . . . . . . . . . 11
       4.5.4.  Abort-Session-Answer Command . . . . . . . . . . . . . 11
     4.6.  Accounting for Mobile IPv6 services  . . . . . . . . . . . 11
       4.6.1.  Accounting-Request Command . . . . . . . . . . . . . . 12
       4.6.2.  Accounting-Answer Command  . . . . . . . . . . . . . . 12
   5.  Command Codes  . . . . . . . . . . . . . . . . . . . . . . . . 12
     5.1.  Command Code for Mobile IPv6 with IKEv2 and EAP  . . . . . 12
       5.1.1.  Diameter-EAP-Request (DER) . . . . . . . . . . . . . . 13
       5.1.2.  Diameter-EAP-Answer (DEA)  . . . . . . . . . . . . . . 13
     5.2.  Command Code for Mobile IPv6 with IKEv2 and
           Certificate- and PSK-based Authentication  . . . . . . . . 14
       5.2.1.  AA-Request (AAR) . . . . . . . . . . . . . . . . . . . 14
       5.2.2.  AA-Answer (AAA)  . . . . . . . . . . . . . . . . . . . 15
     5.3.  Command Codes for MIPv6 Auth. Protocol Support . . . . . . 16
       5.3.1.  MIP6-Request-Message . . . . . . . . . . . . . . . . . 16
       5.3.2.  MIP6-Answer-Message  . . . . . . . . . . . . . . . . . 17
   6.  AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
     6.1.  User-Name AVP  . . . . . . . . . . . . . . . . . . . . . . 21
     6.2.  MIP-MN-AAA-SPI AVP . . . . . . . . . . . . . . . . . . . . 21
     6.3.  MIP-Mobile-Node-Address AVP  . . . . . . . . . . . . . . . 21
     6.4.  MIP-Home-Agent-Address AVP . . . . . . . . . . . . . . . . 21
     6.5.  MIP-Careof-Address AVP . . . . . . . . . . . . . . . . . . 21
     6.6.  MIP-Authenticator AVP  . . . . . . . . . . . . . . . . . . 21
     6.7.  MIP-MAC-Mobility-Data AVP  . . . . . . . . . . . . . . . . 22
     6.8.  MIP-Session-Key AVP  . . . . . . . . . . . . . . . . . . . 22
     6.9.  MIP-MSA-Lifetime AVP . . . . . . . . . . . . . . . . . . . 22
     6.10. MIP-MN-to-HA-MSA AVP . . . . . . . . . . . . . . . . . . . 22
     6.11. MIP-Algorithm-Type AVP . . . . . . . . . . . . . . . . . . 22
     6.12. MIP-Replay-Mode AVP  . . . . . . . . . . . . . . . . . . . 23
     6.13. MIP-nonce AVP  . . . . . . . . . . . . . . . . . . . . . . 23
     6.14. MIP6-Feature-Vector AVP  . . . . . . . . . . . . . . . . . 23
     6.15. MIP-Timestamp AVP  . . . . . . . . . . . . . . . . . . . . 23
     6.16. QoS-Capability AVP . . . . . . . . . . . . . . . . . . . . 23
     6.17. QoS-Resources AVP  . . . . . . . . . . . . . . . . . . . . 23



Korhonen, et al.          Expires April 1, 2008                 [Page 3]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


     6.18. Accounting AVPs  . . . . . . . . . . . . . . . . . . . . . 23
   7.  Result-Code AVP Values . . . . . . . . . . . . . . . . . . . . 24
     7.1.  Transient Failures . . . . . . . . . . . . . . . . . . . . 24
     7.2.  Permanent Failures . . . . . . . . . . . . . . . . . . . . 24
   8.  AVP Occurence Tables . . . . . . . . . . . . . . . . . . . . . 25
     8.1.  AAR, AAA, DER, DEA, MRM and MAM AVP/Command-Code Table . . 25
     8.2.  Accounting AVP Table . . . . . . . . . . . . . . . . . . . 26
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 26
     9.1.  Command Codes  . . . . . . . . . . . . . . . . . . . . . . 26
     9.2.  AVP Codes  . . . . . . . . . . . . . . . . . . . . . . . . 26
     9.3.  Result-Code AVP Values . . . . . . . . . . . . . . . . . . 27
     9.4.  Application Identifier . . . . . . . . . . . . . . . . . . 27
   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 27
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 28
     12.2. Informative References . . . . . . . . . . . . . . . . . . 29
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29
   Intellectual Property and Copyright Statements . . . . . . . . . . 31
































Korhonen, et al.          Expires April 1, 2008                 [Page 4]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


1.  Introduction

   Performing the Mobile IPv6 protocol [1], requires the Mobile Node
   (MN) to own a Home Address (HoA) and assignment of a Home Agent (HA)
   to the MN.  The MN needs to register with the HA in order facilitate
   its reachability and mobility, when away from home.  The registration
   process itself requires establishment of IPsec security associations
   (SA) and cryptographic material between the MN and HA.  Providing the
   collection of home address, HA address and keying material is
   generally referred to as the Mobile IPv6 bootstrapping problem [2].
   The purpose of this specification is to provide Diameter support for
   the interaction between the HA and the AAA server, as it is required
   for bootstrapping in the split scenario [13] and in the integrated
   scenario [14] in a manner that satisfies the requirements defined in
   [15].

   From an operator (mobility service provider, MSP) perspective, it is
   important to verify that the MN is authenticated and authorized to
   utilize Mobile IPv6 service and that such services are accounted for.
   Only when the MN is authenticated and authorized, the MSP allows the
   boostrapping of Mobile IPv6 parameters.  Thus, prior to processing
   the Mobile IPv6 service requests, the HA, participates in the
   authentication of the MN to verify the MN's identity.  The HA also
   participates in the Mobile IPv6 authorization process involving the
   Diameter infrastrucure.  The HA due to its role in traffic
   forwarding, also may also perform accounting for the Mobile IPv6
   service provided to the MN.

   This document enables the following functionality:

   Authentication:  Asserting or helping in asserting of the correctness
      of the MN identity.  As a Diameter client supporting the new
      Diameter Mobile IPv6 application, the HA may need to support more
      than one authentication type depending on the environment.
      Although the authentication is performed by the AAA server there
      is an impact for the HA as different set of command codes are
      needed for the respective authentication procedures.

   Authorization:  The HA must verify that the user is authorized to use
      the Mobile IPv6 service using the assistance of the MSP Diameter
      servers.  This is accomplised through the use of new Diameter
      commands specifically designed for performing Mobile IPv6
      authorization decisions.  This document defines these commands and
      requires the HA to support them and to participate in this
      authorization signaling.






Korhonen, et al.          Expires April 1, 2008                 [Page 5]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


   Accounting:  For accounting purposes and capacity planning, it is
      required of the HA to provide accounting report to the Diameter
      infrastructure and thus to support the related Diameter accounting
      procedures.


   Figure 1 depicts the architecture.

                                             +--------+
                                             |Diameter|
                                             |Server  |
                                             +--------+
                                                 ^
                                        Back-End | Diameter MIPv6
                                        Protocol | HA<->AAA Server
                                        Support  | Interaction
                                                 | (this document)
                                                 v
    +---------+                           +--------------+
    | Mobile  |    Front-End Protocol     |Home Agent /  |
    | Node    |<--------------------------|Diemter Client|
    +---------+    IKEv2 or RFC 4285      +--------------+

                      Figure 1: Architecture Overview

   Mobile IPv6 signaling between the MN and the HA can protected using
   two different mechanisms, namely using IPsec and via the MIPv6 Auth.
   Protocol.  Note that the actual mechanism to protect the MIPv6
   signaling messages is only indirectly relevant to this document.  The
   important aspect is, however, that for these two approaches several
   different authentication and key exchange solutions are available.
   To establish IPsec security associations for protection of Mobile
   IPv6 signaling messages IKEv2 is used, see [3].  IKEv2 supports EAP-
   based authentication, certificates and pre-shared secrets.  For
   protecting using the MIPv6 Auth.  Protocol [4] a mechanism has been
   designed that is very similar to the one used by Mobile IPv4.

   The ability to use different credentials has an impact on the
   interaction between the HA (acting as a Diameter client) and the
   Diameter Server.  For that reason this document illustrates the usage
   of these authentication mechanisms with different subsections for
   o  IKEv2 usage with EAP
   o  IKEv2 usage with certificates and pre-shared secrets
   o  MIPv6 Auth.  Protocol

   For accounting of Mobile IPv6 services provided to the MN, this
   specification uses the accounting application defined in [5].




Korhonen, et al.          Expires April 1, 2008                 [Page 6]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [6].

   The MIPv6 bootstrapping terminology is taken from [2].


3.  Advertising Application Support

   Diameter nodes conforming to this specification MUST advertise
   support by including the Diameter Mobile IPv6 Application ID value of
   [TO BE ASSIGNED BY IANA] in the Auth-Application-Id AVP of the
   Capabilities-Exchange-Request and Capabilities-Exchange-Answer
   command [5].  The Acct-Application-id AVP needs to include the
   Diameter Base Accounting Application ID value of 3 (to support the
   split accounting model [16]).


4.  Protocol Description

4.1.  Support for Mobile IPv6 with IKEv2 and EAP

   The use of IKEv2 with EAP between the MN and the HA allows the AAA to
   authenticate the MN.  When EAP is used with IKEv2, the Diameter EAP
   application, as defined in [7], is re-used.  EAP methods that do not
   establish a shared key SHOULD NOT be used, as they are subject to a
   number of man-in-the-middle attacks as stated in Section 2.16 and
   Section 5 of RFC 4306 [8].  AVPs specific to Mobile IPv6
   bootstrapping are added to the EAP application commands.

   Figure 2 shows the message flow involved during the authentication
   phase when EAP is used.

















Korhonen, et al.          Expires April 1, 2008                 [Page 7]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


    Mobile                           Home                      Diameter
    Node                             Agent                     Server
     |                                 |                          |
     | HDR, SAi1, KEi, Ni  (1)         |                          |
     |-------------------------------->|                          |
     |                                 |                          |
     | HDR, SAr1, KEr, Nr, [CERTREQ](2)|                          |
     |<------------------------------->|                          |
     |                                 |                          |
     | HDR, SK{IDi,[CERTREQ,] [IDr,]   |                          |
     | [CP(CFG_REQUEST),]              |                          |
     | SAi2, TSi, TSr} (3)             |                          |
     |-------------------------------->| DER (EAP-Response) (4)   |
     |                                 |------------------------->|
     |                                 |                          |
     |                                 | DEA (EAP-Request) (5)    |
     | HDR, SK{IDr, [CERT,] AUTH, EAP} |<-------------------------|
     |<------------------------------- |                          |
     |                                 |                          |
     | HDR, SK{EAP}                    |                          |
     |-------------------------------->| DER (EAP-Response)       |
     |                                 |------------------------->|
     |                                 |                          |
     |                                 | DEA (EAP-Request)        |
     | HDR, SK{EAP-Request}            |<-------------------------|
     |<------------------------------- |                          |
     |                                 |                          |
     | HDR, SK{EAP-Response}           |                          |
     |-------------------------------->| DER (EAP-Response)       |
     |                                 |------------------------->|
     |               ...               |          ...             |
     |                                 |                          |
     |                                 | DEA (EAP-Success)        |
     |                                 |<-------------------------|
     | HDR, SK{EAP-Success}            |                          |
     |<------------------------------- |                          |
     |                                 |                          |
     | HDR, SK{AUTH}                   |                          |
     |-------------------------------> |                          |
     |                                 |                          |
     | HDR, SK{AUTH, [CP(CFG_REPLY,]   |                          |
     | SAr2, TSi, TSr}                 |                          |
     |<------------------------------- |                          |
     |                                 |                          |

                 Figure 2: Mobile IPv6 with IKEv2 and EAP

   The MN and the HA start the interaction with an IKE_SA_INIT exchange.



Korhonen, et al.          Expires April 1, 2008                 [Page 8]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


   In this phase cryptographic algorithms are negotiated, nonces and
   Diffie-Hellman parameters are exchanged.  Message (3) starts the
   IKE_AUTH phase.  This second phase authenticates the previous
   messages, exchanges identities and certificates and establishes the
   first CHILD_SA.  It is used to mutually authenticate the MN (acting
   as an IKEv2 Initiator) and the HA (acting as an IKEv2 Responder).
   The identity of the user/MN is provided in the IDi field.  The MN
   indicates its willingness to be authenticated via EAP by omitting the
   AUTH field in message (3) (see Section 2.16 of [8]).

   As part of the authentication process, the MN MAY request a Home-
   Address, a Home Prefix or suggests one, see [3], using a CFG_REQUEST
   payload in the message (3).

   The HA extracts the IDi field from the message (3) and sends a
   Diameter-EAP-Request (DER) message (4) towards the authenticating
   Diameter server.  The EAP-Payload AVP contains a EAP-Response/
   Identity with the identity extracted from the IDi field.

   This message is routed to the MNs Diameter server/EAP server.  The
   Diameter server selects the EAP method and replies with the DEA
   Message.  Depending on the type of EAP method chosen, a number of DER
   and DEA messages carry the method specific exchanges between the MN
   and the Diameter server/EAP server.

   At the end of the EAP authentication phase, the Diameter server
   indicates the result of the authentication in the Result-Code AVP and
   provides the corresponding EAP packet (EAP Success or EAP Failure).
   The last IKEv2 message sent by the HA contains the Home Address or
   the Home Prefix.  In the latter case, a CREATE_CHILD_SA exchange is
   necessary to setup IPsec SAs for Mobile IPv6 signalling.

   In some deployment scenario, the HA may also acts as a IKEv2
   Responder for IPsec VPN access.  A problem in this case is that the
   IKEv2 responder may not know if IKEv2 is used for MIP6 service or for
   IPsec VPN access.  A network operator needs to be aware of this
   limitation.

4.2.  Support for Mobile IPv6 with IKEv2 and Certificates

   When IKEv2 is used with certificate-based authentication, the
   Diameter NASREQ application [9] is used to authorize the MN for the
   Mobile IPv6 service.  The IDi payload extracted from the IKE_AUTH
   message MUST correspond to the identity in the MN's certificate.
   This identity is then used by the Home Agent to populate the User-
   Name AVP in the succeeding AA-Request message.  Further PKI-related
   procedures such as certificate revocation checking are out of scope
   of this document.



Korhonen, et al.          Expires April 1, 2008                 [Page 9]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


4.3.  Support for Mobile IPv6 with IKEv2 and Pre-Shared Secrets

   When IKEv2 is used with PSK-based initiator authentication, the
   Diameter NASREQ application [9] isused to authorize the MN for the
   Mobile IPv6 service.  The IDi payload extracted from the IKE_AUTH
   message has to contain an identity that is meaningful for the
   Diameter infrastructure, such as a Network Access Identifier (NAI),
   and is then used by the Home Agent to populate the User-Name AVP is
   the succeeding AA-Request message.

4.4.  Support for the Mobile IPv6 Authentication Protocol

   Figure 3 describes the sequence of messages sent and received between
   the MN, the HA and the Diameter server during the registration when
   MIPv6 Auth.  Protocol is used.  Binding Update (BU) and Binding
   Acknowledgement (BA) messages are used in the registration process.
   This exchange triggers the Diameter interaction.

   According to [4] the MN uses the Mobile Node Identifier Option,
   specifically the MN-NAI mobility option (as defined in [17]) to
   identify itself.

   The BU initiates a MIP6-Request-Message to the Diameter server and
   the corresponding response is carried in a MIP6-Answer-Message.  The
   Home Agent also provides the assigned Home Address to the Diameter
   server in the MIP-Mobile-Node-Address AVP.


     Mobile                                Home                 Diameter
     Node                                  Agent                 Server
       |                                     |                     |
       |                                     |                     |
       |       Binding Update                |MIP6-Request-Message |
       |------------------------------------>|-------------------->|
       | (Mobile Node Identifier Option,     |                     |
       |  Mobility Message Replay Protection |                     |
       |  Option, Authentication Option)     |                     |
       |                                     |                     |
       |                                     |                     |
       |       Binding Acknowledgement       |MIP6-Answer-Message  |
       |<------------------------------------|<--------------------|
       | (Mobile Node Identifier Option      |                     |
       |  Mobility Message Replay Protection |                     |
       |  Option, Authentication Option)     |                     |

       Figure 3: MIPv6 Bootstrapping using the MIPv6 Auth. Protocol





Korhonen, et al.          Expires April 1, 2008                [Page 10]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


4.5.  Mobile IPv6 Session Management

   The Diameter server may maintain state or may be stateless.  This is
   indicated in the Auth-Session-State AVP (or its absence).  The HA
   MUST support the Authorization Session State Machine defined in [5].
   Moreover, the following four commands may be exchanged between the HA
   and the Diameter server.

4.5.1.  Session-Termination-Request Command

   The Session-Termination-Request (STR) message [5] is sent by the HA
   to inform the Diameter server that an authorized session is being
   terminated.

4.5.2.  Session-Termination-Answer Command

   The Session-Termination-Answer (STA) message [5] is sent by the
   Diameter server to acknowledge the notification that the session has
   been terminated.

4.5.3.  Abort-Session-Request Command

   The Abort-Session-Request (ASR) message [5] is sent by the Diameter
   server to terminates the session.  This fulfills one of the
   requirement described in [15].

4.5.4.  Abort-Session-Answer Command

   The Abort-Session-Answer (ASA) message [5] is sent by the Home Agent
   in response to an ASR message.

4.6.  Accounting for Mobile IPv6 services

   The HA MUST be able act as a Diameter client collecting accounting
   records needed for service control and charging.  The HA MUST support
   the accounting procedures (specifically the command codes mentioned
   below) and the Accounting Session State Machine as defined in [5].
   The command codes, exchanged between the HA and Diameter server for
   accounting purposes, are provided in the following subsections.

   The Diameter application design guideline [16] defines two separate
   models for accounting:

   Split accounting model:

      According to this model, the accounting messages use the Diameter
      base accounting application ID (value of 3).  Since accounting is
      treated as an independent application, accounting commands may be



Korhonen, et al.          Expires April 1, 2008                [Page 11]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


      routed separately from the rest of application messages and thus
      the accounting messages generally end up in a central accounting
      server.  Since Diameter Mobile IPv6 application does not define
      its own unique accounting commands, this is the prefered choice,
      since it permits use of centralized accounting for several
      applications.

   Coupled accounting model:

      In this model, the accounting messages will use the application ID
      of the Mobile IPv6 application.  This means that accounting
      messages will be routed like any other Mobile IPv6 application
      messages.  This requires the Diameter server in charge of Mobile
      IPv6 application to handle the accounting records (e.g., sends
      them to a proper accounting server).

   As mentioned above, the prefered choice is to use the split
   accounting model and thus to choose Diameter base accounting
   application ID (value of 3) for accounting messages.

4.6.1.  Accounting-Request Command

   The Accounting-Request command [5] is sent by the HA to the Diameter
   server to exchange accounting information regarding the MN with the
   Diameter server.

4.6.2.  Accounting-Answer Command

   The Accounting-Answer command [5] is sent by the Diameter server to
   the HA to acknowledge receiving an Accounting-Request.


5.  Command Codes

5.1.  Command Code for Mobile IPv6 with IKEv2 and EAP

   For usage of Mobile IPv6 with IKEv2 and EAP this document re-uses the
   Diameter EAP application [7] commands.  The following commands are
   used to carry MIPv6 related bootstrapping AVPs.


   Command-Name             Abbrev.   Code     Reference  Application
   ------------------------------------------------------------------
   Diameter-EAP-Request      DER       268      RFC 4072   EAP
   Diameter-EAP-Answer       DEA       268      RFC 4072   EAP

                          Figure 4: Command Codes




Korhonen, et al.          Expires April 1, 2008                [Page 12]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


5.1.1.  Diameter-EAP-Request (DER)

   The Diameter-EAP-Request (DER) message [7], indicated by the Command-
   Code field set to 268 and the 'R' bit set in the Command Flags field,
   is sent by the HA to the Diameter server to initiate a Mobile IPv6
   service authentication and authorization procedure.  The DER message
   format is the same as defined in [7].  The Application-ID field of
   the Diameter Header MUST be set to the Diameter Mobile IPv6
   Application ID [TO BE ASSIGNED TO IANA].


     <Diameter-EAP-Request> ::= < Diameter Header: 268, REQ, PXY >
                                < Session-Id >
                                { Auth-Application-Id }
                                { Origin-Host }
                                { Origin-Realm }
                                { Destination-Realm }
                                { Auth-Request-Type }
                                [ Destination-Host ]
                                [ NAS-Identifier ]
                                [ NAS-IP-Address ]
                                [ NAS-IPv6-Address ]
                                [ NAS-Port-Type ]
                                [ User-Name ]
                                { EAP-Payload }

                                [ MIP6-Feature-Vector ]
                                [ MIP-Home-Agent-Address ]
                                { MIP-Mobile-Node-Address }
                                ...
                              * [ AVP ]

5.1.2.  Diameter-EAP-Answer (DEA)

   The Diameter-EAP-Answer (DEA) message defined in [7], indicated by
   the Command-Code field set to 268 and 'R' bit cleared in the Command
   Flags field, is sent in response to the Diameter-EAP-Request message
   (DER).  If the Mobile IPv6 authentication procedure was successful
   then the response MAY include any set of bootstrapping AVPs.

   The DEA message format is the same as defined in [7].  The
   Application-Id field in the Diameter header MUST be set to the
   Diameter Mobile IPv6 Application-Id [TO BE ASSIGNED BY IANA].








Korhonen, et al.          Expires April 1, 2008                [Page 13]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


     <Diameter-EAP-Answer> ::= < Diameter Header: 268, PXY >
                               < Session-Id >
                               { Auth-Application-Id }
                               { Auth-Request-Type }
                               { Result-Code }
                               { Origin-Host }
                               { Origin-Realm }

                               [ User-Name ]
                               { EAP-Payload }
                               [ Authorization-Lifetime ]

                               [ MIP-Mobile-Node-Address ]
                               [ MIP6-Feature-Vector ]
                               ...
                             * [ AVP ]

5.2.  Command Code for Mobile IPv6 with IKEv2 and Certificate- and PSK-
      based Authentication

   This document re-uses the Diameter NASREQ application commands.  The
   following commands are used to carry MIPv6 related bootstrapping
   AVPs.


   Command-Name             Abbrev.   Code     Reference  Application
   ------------------------------------------------------------------
   AA-Request               AAR       265      RFC 4005   NASREQ
   AA-Answer                AAA       265      RFC 4005   NASREQ

                          Figure 7: Command Codes

5.2.1.  AA-Request (AAR)

   The AA-Request (AAR) message [9], indicated by the Command-Code field
   set to 265 and the 'R' bit set in the Command Flags field, is sent by
   the HA to the Diameter server to initiate a Mobile IPv6 service
   authentication and authorization procedure.  The AAR message format
   is the same as defined in [9].  The Application-ID field of the
   Diameter Header MUST be set to the Diameter Mobile IPv6 Application
   ID [TO BE ASSIGNED TO IANA].










Korhonen, et al.          Expires April 1, 2008                [Page 14]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


     <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Origin-Host }
                      { Origin-Realm }
                      { Destination-Realm }
                      { Auth-Request-Type }
                      [ Destination-Host ]
                      [ NAS-Identifier ]
                      [ NAS-IP-Address ]
                      [ NAS-IPv6-Address ]
                      [ NAS-Port-Type ]
                      [ User-Name ]

                      [ MIP6-Feature-Vector ]
                      [ MIP-Home-Agent-Address ]
                      { MIP-Mobile-Node-Address }
                      ...
                    * [ AVP ]

5.2.2.  AA-Answer (AAA)

   The AA-Answer (AAA) message defined in [9], indicated by the Command-
   Code field set to 265 and 'R' bit cleared in the Command Flags field,
   is sent in response to the AA-Request message (AAR).  If the Mobile
   IPv6 authentication procedure was successful then the response MAY
   include any set of bootstrapping AVPs.

   The AAA message format is the same as defined in [9].  The
   Application-Id field in the Diameter header MUST be set to the
   Diameter Mobile IPv6 Application-Id [TO BE ASSIGNED BY IANA].


     <AA-Answer> ::= < Diameter Header: 265, PXY >
                     < Session-Id >
                     { Auth-Application-Id }
                     { Auth-Request-Type }
                     { Result-Code }
                     { Origin-Host }
                     { Origin-Realm }

                     [ User-Name ]
                     [ Authorization-Lifetime ]

                     [ MIP-Mobile-Node-Address ]
                     [ MIP6-Feature-Vector ]
                     ...
                   * [ AVP ]



Korhonen, et al.          Expires April 1, 2008                [Page 15]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


5.3.  Command Codes for MIPv6 Auth. Protocol Support

   This section defines the commands that are used for support with the
   MIPv6 Auth.  Protocol.


      Command-Name             Abbreviation    Code           Section
      ------------------------------------------------------------------
      MIP6-Request-Message         MRM         TBD         Section 6.2.1
      MIP6-Answer-Message          MAM         TBD         Section 6.2.2

                               Command Codes

5.3.1.  MIP6-Request-Message

   The MIP6-Request-Message (MRM), indicated by the Command-Code field
   set to TBD and the 'R' bit set in the Command Flags field, is sent by
   the HA, acting as a Diameter client, in order to request the
   authentication and authorization of a MN.  The HA uses information
   found in the Binding Update to construct the following AVPs, to be
   included as part of the MRM:

   o  Home Address (MIP-Mobile-Node-Address AVP)
   o  Mobile Node NAI (User-Name AVP [5])
   o  MN-AAA Authentication Option (MIP-MN-AAA-Auth AVP)
   o  Care-of Address (MIP-Careof-Address AVP)
   o  Mobility message replay protection Option using timestamps (MIP-
      Timestamp AVP)

   The message format is shown below.





















Korhonen, et al.          Expires April 1, 2008                [Page 16]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


           <MIP6-Request-Message> ::= < Diameter Header: XXX, REQ, PXY >
             < Session-ID >
             { Auth-Application-Id }
             { User-Name }
             { Destination-Realm }
             { Origin-Host }
             { Origin-Realm }
             [ Acct-Multi-Session-Id ]
             [ Destination-Host ]
             [ Origin-State-Id ]
             [ NAS-Identifier ]
             [ NAS-IP-Address ]
             [ NAS-IPv6-Address ]
             [ NAS-Port-Type ]

             [ MIP6-Feature-Vector ]
             { MIP-MN-AAA-SPI }
             { MIP-Mobile-Node-Address ]
             { MIP-Home-Agent-Address }
             { MIP-Careof-Address }
             { MIP-Authenticator }
             { MIP-MAC-Mobility-Data }
             [ MIP-Timestamp ]
             [ QoS-Capability ]
           * [ QoS-Resources ]

             [ Authorization-Lifetime ]
             [ Auth-Session-State ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]

5.3.2.  MIP6-Answer-Message

   The MIP6-Answer-Message (MAM) message, indicated by the Command-Code
   field set to TBD and the 'R' bit cleared in the Command Flags field,
   is sent by the Diameter server in response to the MIP6-Request-
   Message message.  The User-Name MAY be included in the MAM if it is
   present in the MRM.  The Result-Code AVP MAY contain one of the
   values defined in Section 7, in addition to the values defined in RFC
   3588 [5].

   An MAM message with the Result-Code AVP set to DIAMETER_SUCCESS MUST
   include the MIP-Mobile-Node-Address AVP.

   The message format is shown below.





Korhonen, et al.          Expires April 1, 2008                [Page 17]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


      <MIP6-Answer-Message> ::= < Diameter Header: XXX, PXY >
               < Session-Id >
               { Auth-Application-Id }
               { Result-Code }
               { Origin-Host }
               { Origin-Realm }
               [ Acct-Multi-Session-Id ]
               [ User-Name ]
               [ Authorization-Lifetime ]
               [ Auth-Session-State ]
               [ Error-Message ]
               [ Error-Reporting-Host ]
               [ Re-Auth-Request-Type ]

               [ MIP6-Feature-Vector ]
               [ MIP-Home-Agent-Address ]
               { MIP-Mobile-Node-Address }
               { MIP-Session-Key }
               { MIP-MSA-Lifetime }
               { MIP-MN-to-HA-MSA }
             * [ QoS-Resources ]

               [ Origin-State-Id ]
             * [ Proxy-Info ]
             * [ AVP ]

   The QoS-Resources AVP is defined in [10].


6.  AVPs

   To provide support for RFC 4285 [4] and for RFC 4877 [3] the AVPs in
   the following subsections are needed.  RFC 3588, RFC 4004 and RFC
   4005 defined AVPs are reused whenever possible without violating the
   existing semantics of those AVPs.
















Korhonen, et al.          Expires April 1, 2008                [Page 18]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


                                            +--------------------------+
                                            |    AVP Flag rules        |
                                            +----+-----+----+-----+----+
                   AVP  Defined             |    |     |SHLD| MUST|MAY |
   Attribute Name  Code in       Value Type |MUST| MAY | NOT|  NOT|Encr|
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP6-Feature-   TBD  Note 1   Unsigned64 |    |  P  |    | M,V | Y  |
  |  Vector                                 |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Mobile-                              |    | M,P |    |  V  | Y  |
  |Node-Address    334  RFC4004  Address    |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Home-       334  RFC4004  Address    |    | M,P |    |  V  | Y  |
  |  Agent-Address                          |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+

                      AVPs for Mobile IPv6 with IKEv2

   Note 1: The MIP6-Feature-Vector is defined in Section 4.7.4 of [11].
































Korhonen, et al.          Expires April 1, 2008                [Page 19]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


                                            +--------------------------+
                                            |    AVP Flag rules        |
                                            +----+-----+----+-----+----+
                   AVP  Section             |    |     |SHLD| MUST|MAY |
   Attribute Name  Code Defined  Value Type |MUST| MAY | NOT|  NOT|Encr|
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP6-Feature-   TBD  Note 1   Unsigned64 |    |  P  |    | M,V | Y  |
  |  Vector                                 |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Mobile-     333  RFC4004  Address    |    | M,P |    |  V  | Y  |
  |  Node-Address                           |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Home-       334  RFC4004  Address    |    | M,P |    |  V  | Y  |
  |  Agent-Address                          |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-MN-AAA-SPI  341  RFC4004  Unsigned32 | M  |  P  |    |  V  | Y  |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Careof-     TBD  5.4.5    Address    | M  |  P  |    |  V  | Y  |
  |  Address                                |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-            TBD  5.4.6    OctetString| M  |  P  |    |  V  | Y  |
  |  Authenticator                          |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-MAC-        TBD  5.4.7    OctetString| M  |  P  |    |  V  | Y  |
  |  Mobility-Data                          |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Timestamp   TBD  TBD      Time       |    | M,P |    |  V  | Y  |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-Session-Key 343  RFC4004  OctetString| M  |  P  |    |  V  | Y  |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-MSA-        367  RFC4004  Unsigned32 | M  |  P  |    |  V  | Y  |
  |  Lifetime                               |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |MIP-MN-to-      331  RFC4004  Grouped    | M  |  P  |    |  V  | Y  |
  |  HA-MSA                                 |    |     |    |     |    |
  +-----------------------------------------+----+-----+----+-----+----+
  |QoS-Capability  TBD  Note 2   Groupe     |    | M,P |    |  V  | Y  |
  +-----------------------------------------+----+-----+----+-----+----+
  |QoS-Resources   TBD  Note 2   Grouped    |    | M,P |    |  V  | Y  |
  +-----------------------------------------+----+-----+----+-----+----+

             AVPs for the Mobile IPv6 Authentication Protocol

   Note 1: The MIP6-Feature-Vector is defined in Section 4.7.4 of [11].

   Note 2: The QoS-Capability and QoS-Resource AVPs are defined in
   Sections 4.1 and 4.3 of [10].




Korhonen, et al.          Expires April 1, 2008                [Page 20]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


6.1.  User-Name AVP

   The User-Name AVP (AVP Code 2) is of type UTF8String and contains an
   NAI extracted from the MN-NAI mobility option included in the
   received BU message.  Alternatively, the NAI can be extracted from
   the IKEv2 IDi payload included in the IKE_SA_INIT message.

6.2.  MIP-MN-AAA-SPI AVP

   The MIP-MN-AAA-SPI AVP (AVP Code 341) is of type Unsigned32 and
   contains an SPI code extracted from the Mobility Message
   Authentication Option included in the received BU message.

   This AVP is re-used from [12].

6.3.  MIP-Mobile-Node-Address AVP

   The MIP-Mobile-Node-Address AVP (AVP Code 333) is of type Address and
   contains the Home Agent assigned IPv6 Home Address of the Mobile
   Node.

   If the MIP-Mobile-Node-Address AVP contains unspecified IPv6 address
   (0::0) in a request message, then the Home Agent expects the Diameter
   server to assign the Home Address in a subsequent reply message.  In
   case the Diameter server assigns only a prefix to the Mobile Node the
   lower 64 bits of the MIP-Mobile-Node-Address AVP provided address are
   set to zero.

   This AVP is re-used from [12].

6.4.  MIP-Home-Agent-Address AVP

   The MIP-Home-Agent-Address AVP (AVP Code 334) is of type Address and
   contains the IPv6 address of the Home Agent.  This AVP is re-used
   from [12].

6.5.  MIP-Careof-Address AVP

   The MIP-Careof-Address AVP (AVP Code TBD) is of type Address and
   contains the IPv6 Care-of Address of the Mobile Node.  The Home Agent
   extracts this IP address from the received BU message.

6.6.  MIP-Authenticator AVP

   The MIP-Authenticator AVP (AVP Code TBD) is of type OctetString and
   contains the Authenticator Data from the received BU message.  The
   Home Agent extracts this data from the MN-AAA Mobility Message
   Authentication Option included in the received BU message.



Korhonen, et al.          Expires April 1, 2008                [Page 21]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


6.7.  MIP-MAC-Mobility-Data AVP

   The MIP-MAC-Mobility-Data AVP (AVP Code TBD) is of type OctetString
   and contains the calculated MAC_Mobility_Data, as defined in [4].

6.8.  MIP-Session-Key AVP

   The AVP (AVP Code 343) is of type OctetString and contains the MN-HA
   shared secret (i.e., the session key) for the associated Mobile IPv6
   MH-HA authentication option.  When the Diameter server computes the
   session key it is placed in this AVP.

   This AVP is re-used from [12].

6.9.  MIP-MSA-Lifetime AVP

   The AVP (AVP Code 367) is of type Unsigned32 and represents the
   period of time (in seconds) for which the session key (see
   Section 6.8) or nonce (see Section 6.13) is valid.  The associated
   session key or nonce MUST NOT be used if the lifetime has expired.

   This AVP is re-used from [12].

6.10.  MIP-MN-to-HA-MSA AVP

   The AVP (AVP Code 331) is of type Grouped and contains the session
   related information for use with the MIPv6 Auth.  Protocol.


   MIP-MN-to-HA-MSA ::= < AVP Header: 331 >
                        { MIP-Algorithm-Type }
                        { MIP-Replay-Mode }
                        { MIP-nonce }
                      * [ AVP ]

   This AVP is re-used from [12].

6.11.  MIP-Algorithm-Type AVP

   The AVP (AVP Code 345) is of type Enumerated and contains Algorithm
   identifier for the associated Mobile IPv6 MN-HA Authentication
   Option.  The Diameter server selects the algorithm type.  Existing
   algorithm types are defined in RFC 4004 that also fulfill current RFC
   4285 requirements.  This AVP is re-used from [12].







Korhonen, et al.          Expires April 1, 2008                [Page 22]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


6.12.  MIP-Replay-Mode AVP

   The AVP (AVP Code 346) is of type Enumerated and contains the replay
   mode the Home Agent for authenticating the mobile node.  The replay
   modes, defined in RFC 4004 [12], are supported.  This AVP is re-used
   from [12].

6.13.  MIP-nonce AVP

   The AVP (AVP Code 335) is of type OctetString and contains the nonce
   sent to the Mobile Node.  This AVP is re-used from [12].  At the time
   of writing the MIPv6 Auth.  Protocol does not require use of nonces
   for replay protection between the MN and the Diameter server.  Thus,
   the Home Agent is allowed to ignore the returned MIP-Nonce AVP.

6.14.  MIP6-Feature-Vector AVP

   This AVP is defined in [11].

6.15.  MIP-Timestamp AVP

   The MIP-Timestamp AVP (AVP Code TBD) is of type Time and may contain
   the timestamp value from the Mobility message replay protection
   option, defined in [4].  The Home Agent extracts this value from the
   received BU message, if available.

   The support for replay protection is an optional feature in [4].
   When the Diameter server checks the timestamp provided by the MN via
   the HA and recognizes a clock-drift (outside a locally defined replay
   protection window) then it MUST initiate the re-synchronization
   procedure by returning a MIP6-Answer-Message with Result-Code set to
   MIP6-TIMESTAMP-MISMATCH and attaches the MIP-Timestamp AVP including
   it's current time back to the HA.

6.16.  QoS-Capability AVP

   The QoS-Capability AVP is defined in [10] and contains a list of
   supported Quality of Service profiles.

6.17.  QoS-Resources AVP

   The QoS-Resources AVP is defined in [10] and provides QoS and packet
   filtering capabilities.

6.18.  Accounting AVPs

   This document reuses the accounting AVPs defined in Diameter Mobile
   IPv4 application [12], namely:



Korhonen, et al.          Expires April 1, 2008                [Page 23]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


   Accounting-Input-Octets:

      Number of octets in IP packets received from the user

   Accounting-Output-Octets:

      Number of octets in IP packets sent by the user

   Accounting-Input-Packets:

      Number of IP packets received from the user

   Accounting-Output-Packets:

      Number of IP packets sent by the user.


7.  Result-Code AVP Values

   This section defines new Result-Code [5] values that MUST be
   supported by all Diameter implementations that conform to this
   specification.

7.1.  Transient Failures

   Errors in the transient failures category are used to inform a peer
   that the request could not be satisfied at the time it was received,
   but that it may be able to satisfy the request in the future.

   MIP6-TIMESTAMP-MISMATCH    TBD

      This error code is used by the home agent to indicate to the HA
      that the timestamp value provided as part of the MN-AAA option has
      an inacceptable clock-drift.

7.2.  Permanent Failures

   Errors that fall within the permanent failures category are used to
   inform the peer that the request failed and SHOULD NOT be attempted
   again.

   DIAMETER_ERROR_END_TO_END_MIP6_KEY_ENCRYPTION     TBD

      This error is used by the Diameter server to inform the peer that
      the requested Mobile IPv6 session keys could not be delivered via
      a security association.





Korhonen, et al.          Expires April 1, 2008                [Page 24]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


8.  AVP Occurence Tables

   The following tables present the AVPs defined in this document and
   their occurrences in Diameter messages.  Note that AVPs that can only
   be present within a Grouped AVP are not represented in this table.

   The table uses the following symbols:

   0:

      The AVP MUST NOT be present in the message.

   0+:

      Zero or more instances of the AVP MAY be present in the message.

   0-1:

      Zero or one instance of the AVP MAY be present in the message.

   1:

      One instance of the AVP MUST be present in the message.

8.1.  AAR, AAA, DER, DEA, MRM and MAM AVP/Command-Code Table



                                   +-----------------------------------+
                                   |           Command-Code            |
                                   |-----+-----+-----+-----+-----+-----+
    AVP Name                       | AAR | AAA | DER | DEA | MRM | MAM |
    -------------------------------|-----+-----|-----+-----+-----+-----+
    MIP6-Feature-Vector            | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
    MIP-Mobile-Node-Address        |  1  | 0-1 |  1  | 0-1 |  1  | 0-1 |
    MIP-MN-AAA-SPI                 |  0  |  0  |  0  |  0  |  1  |  0  |
    MIP-Home-Agent-Address         | 0-1 |  0  | 0-1 |  0  |  1  |  0  |
    MIP-Careof-Address             |  0  |  0  |  0  |  0  |  1  |  0  |
    MIP-Authenticator              |  0  |  0  |  0  |  0  |  1  |  0  |
    MIP-MAC-Mobility-Data          |  0  |  0  |  0  |  0  |  1  |  0  |
    MIP-Session-Key                |  0  |  0  |  0  |  0  |  0  |  1  |
    MIP-MSA-Lifetime               |  0  |  0  |  0  |  0  |  0  |  1  |
    MIP-MN-to-HA-MSA               |  0  |  0  |  0  |  0  |  0  |  1  |
    MIP-Timestamp                  |  0  |  0  |  0  |  0  | 0-1 | 0-1 |
    QoS-Resources  (1)             |  0  |  0  |  0  |  0  |  *0 | *0  |
    QoS-Capability (1)             |  0  |  0  |  0  |  0  | 0-1 |  0  |
                                   +-----+-----+-----+-----+-----+-----+




Korhonen, et al.          Expires April 1, 2008                [Page 25]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


   Note (1): The QoS-Capability and QoS-Resources AVPs usage with
   Diameter EAP and Diameter NASREQ is already defined in [10].

8.2.  Accounting AVP Table

   The table in this section is used to represent which AVPs defined in
   this document are to be present in the Accounting messages, as
   defined in [5].


                                              +-------------+
                                              | Command-Code|
                                              |------+------+
         Attribute Name                       |  ACR |  ACA |
         -------------------------------------|------+------+
         Accounting-Input-Octets              |  1   |  0-1 |
         Accounting-Input-Packets             |  1   |  0-1 |
         Accounting-Output-Octets             |  1   |  0-1 |
         Accounting-Output-Packets            |  1   |  0-1 |
         Acct-Multi-Session-Id                |  1   |  0-1 |
         Acct-Session-Time                    |  1   |  0-1 |
         MIP6-Feature-Vector                  |  1   |  0-1 |
         MIP-Home-Agent-Address               |  1   |  0-1 |
         MIP-Mobile-Node-Address              |  1   |  0-1 |
         Event-Timestamp                      | 0-1  |   0  |
         -------------------------------------|------+------+


9.  IANA Considerations

   This section contains the namespaces that have either been created in
   this specification or had their values assigned to existing
   namespaces managed by IANA.

9.1.  Command Codes

   IANA is requested to allocate a command code value for the MIP6-
   Request-Message (MRM) and for the MIP6-Answer-Message (MAM) from the
   Command Code namespace defined in [5].  See Section 5 for the
   assignment of the namespace in this specification.

9.2.  AVP Codes

   This specification requires IANA to register the following new AVPs
   from the AVP Code namespace defined in [5].
   o  MIP-Careof-Address





Korhonen, et al.          Expires April 1, 2008                [Page 26]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


   o  MIP-Authenticator
   o  MIP-MAC-Mobility-Data
   o  MIP-Timestamp
   The AVPs are defined in Section 6.

9.3.  Result-Code AVP Values

   This specification requests IANA to allocate new values to the
   Result-Code AVP (AVP Code 268) namespace defined in [5].  See
   Section 7 for the assignment of the namespace in this specification.

9.4.  Application Identifier

   This specification requires IANA to allocate a new value for
   "Diameter Mobile IPv6" from the Application Identifier namespace
   defined in [5].


10.  Security Considerations

   The security considerations for the Diameter interaction required to
   accomplish the split scenario are described in in [13].
   Additionally, the security considerations of the Diameter Base
   protocol [5], Diameter EAP application [7] are applicable to this
   document.  This document does not introduce new security
   vulnerabilities.


11.  Acknowledgements

   The authors would like to thanks Jari Arkko, Tolga Asversen, Pasi
   Eronen, Santiago Zapata Hernandez, Anders Kristensen, Avi Lior, John
   Loughney, Ahmad Muhanna, Behcet Sarikaya, Basavaraj Patil, Vijay
   Devarapalli, Lionel Morand and Yoshihiro Ohba for all the useful
   discussions.  Ahmad Muhanna provided a detailed review of the
   document in August 2007.

   We would also like to thank our Area Director, Dan Romascanu, for his
   support.

   Hannes Tschofenig would like to thank the European Commission support
   in the co-funding of the ENABLE project, where this work is partly
   being developed.

   Julien Bournelle would like to thank GEN/INT since he began this work
   while he was under their employ.





Korhonen, et al.          Expires April 1, 2008                [Page 27]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


12.  References

12.1.  Normative References

   [1]   Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
         IPv6", RFC 3775, June 2004.

   [2]   Patel, A. and G. Giaretta, "Problem Statement for bootstrapping
         Mobile IPv6 (MIPv6)", RFC 4640, September 2006.

   [3]   Devarapalli, V. and F. Dupont, "Mobile IPv6 Operation with
         IKEv2 and the Revised IPsec Architecture", RFC 4877,
         April 2007.

   [4]   Patel, A., "Authentication Protocol for Mobile IPv6",
         draft-ietf-mip6-rfc4285bis-00 (work in progress), March 2007.

   [5]   Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko,
         "Diameter Base Protocol", RFC 3588, September 2003.

   [6]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [7]   Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
         Authentication Protocol (EAP) Application", RFC 4072,
         August 2005.

   [8]   Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
         RFC 4306, December 2005.

   [9]   Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter
         Network Access Server Application", RFC 4005, August 2005.

   [10]  Korhonen, J., "Quality of Service Attributes for Diameter and
         RADIUS", draft-ietf-dime-qos-attributes-01 (work in progress),
         July 2007.

   [11]  Korhonen, J., "Diameter Mobile IPv6: Support for Network Access
         Server to Diameter Server  Interaction",
         draft-ietf-dime-mip6-integrated-05 (work in progress),
         July 2007.

   [12]  Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and P.
         McCann, "Diameter Mobile IPv4 Application", RFC 4004,
         August 2005.






Korhonen, et al.          Expires April 1, 2008                [Page 28]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


12.2.  Informative References

   [13]  Giaretta, G., "Mobile IPv6 bootstrapping in split scenario",
         draft-ietf-mip6-bootstrapping-split-07 (work in progress),
         July 2007.

   [14]  Chowdhury, K. and A. Yegin, "MIP6-bootstrapping for the
         Integrated Scenario",
         draft-ietf-mip6-bootstrapping-integrated-dhc-05 (work in
         progress), July 2007.

   [15]  Giaretta, G., "AAA Goals for Mobile IPv6",
         draft-ietf-mip6-aaa-ha-goals-03 (work in progress),
         September 2006.

   [16]  Fajardo, V., "Diameter Applications Design Guidelines",
         draft-ietf-dime-app-design-guide-02 (work in progress),
         July 2007.

   [17]  Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. Chowdhury,
         "Mobile Node Identifier Option for Mobile IPv6 (MIPv6)",
         RFC 4283, November 2005.


Authors' Addresses

   Jouni Korhonen (editor)
   TeliaSonera
   Teollisuuskatu 13
   Sonera  FIN-00051
   Finland

   Email: jouni.korhonen@teliasonera.com


   Hannes Tschofenig
   Nokia Siemens Networks
   Otto-Hahn-Ring 6
   Munich, Bavaria  81739
   Germany

   Email: Hannes.Tschofenig@nsn.com
   URI:   http://www.tschofenig.com








Korhonen, et al.          Expires April 1, 2008                [Page 29]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


   Julien Bournelle
   France Telecom R&D
   38-4O rue du general Leclerc
   Issy-Les-Moulineaux  92794
   France

   Email: julien.bournelle@orange-ftgroup.com


   Gerardo Giaretta
   Qualcomm


   Email: gerardo.giaretta@gmail.com


   Madjid Nakhjiri
   Motorola
   USA

   Email: madjid.nakhjiri@motorola.com






























Korhonen, et al.          Expires April 1, 2008                [Page 30]

Internet-Draft      Diameter MIP6: HA-to-AAAH Support     September 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Korhonen, et al.          Expires April 1, 2008                [Page 31]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/