«SpecIdentity» «Organization»

Document Title: e.g., MIPv4 Specification in Converged Access Network

CONTENTS

1 Introduction
2 References
  2.1 Normative References
  2.2 Informative References
3 Mobile IPv4 Operation
  3.1 Protocol Stack
  3.2 AT Requirements
    3.2.1 Agent Discovery
    3.2.2 MIPv4 Registration
    3.2.3 Reverse Tunneling
    3.2.4 Termination
  3.3 AGW Requirements
    3.3.1 Agent Advertisement
    3.3.2 MIPv4 Registration
    3.3.3 FA-HA Security
    3.3.4 Reverse Tunneling
    3.3.5 Ingress Address Filtering
    3.3.6 Overlapping Private Address Support
  3.4 HA Requirements
    3.4.1 MIPv4 Registration
    3.4.2 FA-HA Security
  3.5 AAA Requirements
    3.5.1 MIPv4 Registration
    3.5.2 FA-HA Security
    3.5.3 Reverse Tunneling
4 Call Flows
  4.1 Mobile IPv4 Addressing with Diameter
  4.2 Mobile IPv4 Addressing with RADIUS
LIST OF FIGURES

Figure 1 Protocol Reference Model for MIPv4 Control
Figure 2 Protocol Reference Model for MIPv4 User Data
Figure 3 Mobile IPv4 Addressing
Figure 4 Mobile IPv4 Addressing with RADIUS
LIST OF TABLES

Table 1. Diameter Attributes between AGW and H-AAA for Supporting MIPv4 Registration [6]
Table 2. Additional RADIUS Attributes between AGW and AAA during Access Authentication and Authorization for Supporting MIPv4 Registration
Table 3. Additional Diameter Attribute between AGW and H-AAA for Supporting FA-HA MSA Distribution [6]
Table 4. RADIUS Attributes between AGW and AAA for Supporting FA-HA MSA Distribution
Table 5. Diameter Attributes between HA and H-AAA for Supporting MIPv4 Registration [6]
Table 6. RADIUS Attributes between HA and AAA for Supporting MIPv4 Registration
Table 7. Additional Diameter Attributes between HA and H-AAA for Supporting FA-HA MSA Distribution [6]
Table 8. RADIUS Attributes between HA and AAA for Supporting FA-HA MSA Distribution
FOREWORD

(This foreword is not part of this Standard.)

SCOPE

This document is one part of a multi-part specification that together describes Ultra Mobile Broadband (UMB) wireless IP network operation.

The scope of this document covers support for the UMB wireless IP network reference model, authentication and authorization, and IP address assignment.
1 Introduction

This document defines the stage-2 and stage-3 requirements for supporting the Ultra Mobile Broadband Wireless IP Network.
2 References

2.1 Normative References

[1] IETF: RFC3344, Perkins, "IP Mobility Support for IPv4", August 2002.
[2] IETF: RFC2794, Calhoun, et al., "Mobile IP Network Access Identifier Extension for IPv4", March 2000.
[3] IETF: RFC3012, Perkins, et al., "Mobile IPv4 Challenge/Response Extensions", November 2000.
[4] 3GPP2: TSG-S WG4 document on key hierarchy/derivation.
[5] IETF: RFC3024, Montenegro, "Reverse Tunneling for Mobile IP, revised", January 2001.
[6] IETF: RFC4004.
[7] 3GPP2: X.S0011-002-D, cdma2000 Wireless IP Network Standard: Simple IP and Mobile IP Access Service, March 2006.
[8] IETF: RFC1918, Rekhter, et al., "Address Allocation for Private Internets", February 1996.

2.2 Informative References

This section provides references to other documents that may be useful for the reader of this document.
3 Mobile IPv4 Operation

This section describes the requirements and procedures for MIPv4.

3.1 Protocol Stack

Figure 1 shows the protocol reference model for MIPv4 control data between the AT and the HA. Figure 2 shows the protocol reference model for MIPv4 user data between the AT and the HA.

[Figure 1 is a stack diagram in the original. It shows the control-plane stacks at the AT, eBS, AGW and HA: AT: MIPv4 / UDP / IPv4 / Link Layer / UMB air interface / PL; eBS: UMB air interface / PL towards the AT and GRE / IP / Link Layer / PL towards the AGW; AGW: GRE / IP / Link Layer / PL towards the eBS and MIPv4 / UDP / IPv4 / Link Layer / PL towards the HA; HA: MIPv4 / UDP / IPv4 / Link Layer / PL.]

Figure 1 Protocol Reference Model for MIPv4 Control

[Figure 2 is a stack diagram in the original. It shows the user-plane stacks at the AT, eBS, AGW, HA and CN: AT: IPv4 / Link Layer / UMB air interface / PL; eBS: UMB air interface / PL towards the AT and GRE / IP / Link Layer / PL towards the AGW; AGW: GRE / IP / Link Layer / PL towards the eBS and IP-IP / IPv4 / Link Layer / PL towards the HA; HA: IP-IP / IPv4 / Link Layer / PL towards the AGW and IPv4 / Link Layer / PL towards the CN; CN: IPv4 / Link Layer / PL.]

Figure 2 Protocol Reference Model for MIPv4 User Data

3.2 AT Requirements

3.2.1 Agent Discovery

After successful access authentication, if the AT wants to use MIPv4, the AT shall send an Agent Solicitation [1]. If the AT does not have a home address, the AT shall set the source IP address to 0.0.0.0. The AT shall set the destination IP address to 255.255.255.255 (limited broadcast).
5
6
When the FA advertisement lifetime expires, the AT may send Agent Solicitations.
7
8
9 3.2.2 MIPv4 Registration
10
11 Upon receiving Agent Advertisement from the AGW, the AT shall send RRQ [1].
12
13 During initial MIPv4 registration, if the AT wants to request a HA in the AT‟s home network,
14 the AT shall set the HA Address field to 255.255.255.255 in the RRQ; otherwise, the AT shall
15 set the HA Address field to 0.0.0.0 in the RRQ. The AT shall set the Home Address field to
16 0.0.0.0 in the RRQ. The AT shall include the MN-NAI extension [2], MN-FA Challenge
17 extension, and MN-AAA Authentication extension [3] in the RRQ. The AT shall generate a
18 MN-AAA key [4] to compute the MN-AAA Authentication extension in the RRQ. Upon
19 receiving RRP, the AT shall generate a MN-HA key [4] to verify the MN-HA Authentication
20 extension in the RRP.
21
22 During MIPv4 re-registration (to refresh lifetime) or inter-AGW handoff (change of FA
23 CoA), the AT shall use the same HA address and home address in the RRQ. The AT shall
24
include the MN-HA Authentication extension [1], MN-NAI extension [2], MN-FA Challenge
25
extension, and MN-AAA Authentication extension [3] in the RRQ. For the SPI field of the
26
MN-HA Authentication extension in the RRQ, the AT shall use the same value in the SPI
27
field of the MN-HA Authentication extension of the RRP that was received during the initial
28
29
MIPv4 registration.
30
31 3.2.3 Reverse Tunneling
32
33 If the AT‟s policy requires reverse tunneling, the AT shall set the „T‟ bit in the RRQ [5]. The
34 AT may negotiate encapsulated delivery style with the AGW [5].
35
36 3.2.4 Termination
37
38 When the AT wishes to terminate a MIP4 session, the AT may send RRQ with registration
39 lifetime set to zero.
40
41
42 3.3 AGW Requirements
43
44
The AGW shall support the FA operations specified in [1], [2], and [3].
45
46 3.3.1 Agent Advertisement
47
48 Upon receiving an Agent Solicitation from an AT, the AGW shall send an Agent
49 Advertisement to the AT. Based on a policy, the AGW may send Agent Advertisements to
50 the AT without AT‟s solicitation.
51
52 The AGW shall advertise a publicly routable FA CoA in the Agent Advertisement.
53
54 The AGW shall include the MN-FA Challenge Extension [3] in the Agent Advertisement.
55 Because Advertisements are rarely sent (to save air resources), the AGW shall include in the
56 RRP a new challenge that the AT should use in its next re-registration with this AGW.
57
58
In order to minimize Agent Advertisements sent over the air, the AGW shall not send
59
unsolicited Agent Advertisements to an AT periodically to refresh the FA advertisement
60
3 Mobile IPv4 Operation 4 3.3 AGW Requirements
«SpecIdentity» «Organization»
1
2
lifetime. The Advertisement Lifetime shall be set to 9000 seconds (the maximum ICMP 3
router advertisement lifetime). 4
5
6
3.3.2 MIPv4 Registration

For dynamic Home Address assignment, the AGW shall accept an RRQ from an AT with the source IP address set to 0.0.0.0. The AGW shall use the AT's NAI (in the MN-NAI extension) and the Identification field [2] for the pending registration. The AGW shall acquire the AT's home address from the RRP.

Upon receiving an RRQ with the HA Address field set to a value other than 0.0.0.0 and 255.255.255.255, if an FA-HA MSA already exists between the AGW and the HA identified in the HA Address field of the RRQ, or if an FA-HA MSA is not required between the AGW and the HA based on a policy, the AGW shall forward the RRQ to the HA. Upon receiving an RRP from the HA, the AGW shall process the RRP and forward it to the AT according to [1].

3.3.2.1 Diameter

The AGW shall support [6].

[Editor's note: An alternative to RFC 4004 is under consideration. The decision to use the alternative or RFC 4004 will be made in the R&F.]

Upon receiving an RRQ with the HA Address field set to 0.0.0.0 or 255.255.255.255, the AGW shall include the MIP-Feature-Vector AVP with the Home-Agent-Requested flag set to one. The AGW shall include the MIP4-Mesg-ID AVP containing the timestamp value from the Identification field of the RRQ, which is used for the MN-HA key generation. The AGW shall include the MN-HA-SPI AVP set equal to TBD. If the HA Address field of the RRQ is set to 0.0.0.0, the AGW may include the MIP-Candidate-Home-Agent-Host AVP in the AMR, which indicates a HA address that can be allocated in the visited network if the H-AAA authorizes it. The AGW shall send the AMR to the H-AAA, via the V-AAA if roaming.

[Editor's note: The generation of the MN-HA SPI is TBD.]

Upon receiving the AMA, the AGW shall extract the RRP from the AMA [6] and shall process the RRP and forward it to the AT according to [1].

Table 1. Diameter Attributes between AGW and H-AAA for Supporting MIPv4 Registration [6]

AVP                          AVP Code  AMR  AMA  Interface
User-Name                    1         1    0-1  AGW <-> H-AAA
Session-Id                   263       1    1    AGW <-> H-AAA
Result-Code                  268       0    1    AGW <- H-AAA
Origin-Host                  264       1    1    AGW <-> H-AAA
MIP-Reg-Request              320       1    0    AGW -> H-AAA
MIP-Reg-Reply                321       0    1    AGW <- H-AAA
MIP-MN-AAA-Auth              322       1    0    AGW -> H-AAA
MIP-MSA-Lifetime             367       0    0-1  AGW <- H-AAA
MIP-Feature-Vector           337       0-1  0-1  AGW <-> H-AAA
MIP4-Mesg-ID                 26/173    1    0    AGW -> H-AAA
MN-HA-SPI                    26/TBD    1    0    AGW -> H-AAA
Authorization-Lifetime       291       0-1  0-1  AGW <-> H-AAA
Auth-Application-Id          258       1    1    AGW <-> H-AAA
Destination-Host             293       0-1  0    AGW -> H-AAA
Destination-Realm            283       1    0    AGW -> H-AAA
Error-Message                281       0    0-1  AGW <- H-AAA
MIP-Home-Agent-Host          348       0-1  0    AGW -> H-AAA
MIP-Originating-Foreign-AAA  347       0-1  0    AGW -> H-AAA
MIP-FA-Challenge             344       0-1  0    AGW -> H-AAA

0    This attribute shall not be present.
0-1  Zero or one instance of this attribute may be present.
1    Exactly one instance of this attribute shall be present.
3.3.2.2 RADIUS

During the EAP access authentication of a roaming AT, if the visited network's policy allows local HA assignment in its network, the AGW shall include the MIP4-HA-Local-Assignment-Capability VSA in the RADIUS Access-Request for the EAP access authentication.

Upon receiving an RRQ with the HA Address field set to 255.255.255.255, if during the access authentication the AGW has received the RADIUS Access-Accept with the Home Agent VSA (containing a HA address assigned by the H-AAA), the AGW shall forward the RRQ to that HA.

Upon receiving an RRQ with the HA Address field set to 255.255.255.255, if during the access authentication the AGW has not received the Home Agent VSA, the AGW shall send a RADIUS Access-Request to the H-AAA, via the V-AAA if roaming, to request dynamic HA assignment from the H-AAA according to [7]; upon receiving a RADIUS Access-Accept that contains a HA address in the Home-Agent VSA, the AGW shall forward the RRQ to that HA.

Upon receiving an RRQ with the HA Address field set to 0.0.0.0, if during the access authentication the AGW has received the RADIUS Access-Accept with the MIP4-HA-Local-Assignment-Capability VSA (indicating authorization for local HA assignment) and the VAAA-Assigned-MIP4-HA VSA (containing a HA address assigned by the V-AAA), the AGW shall forward the RRQ to that HA.

Upon receiving an RRQ with the HA Address field set to 0.0.0.0, if during the access authentication the AGW has received the RADIUS Access-Accept with the MIP4-HA-Local-Assignment-Capability VSA but without the VAAA-Assigned-MIP4-HA VSA, the AGW shall select a HA and forward the RRQ to that HA.

Upon receiving an RRQ with the HA Address field set to 0.0.0.0, if during the access authentication the AGW has received the RADIUS Access-Accept with the Home Agent VSA (containing a HA address assigned by the H-AAA) but without the MIP4-HA-Local-Assignment-Capability VSA, the AGW shall forward the RRQ to that HA.

Upon receiving an RRQ with the HA Address field set to 0.0.0.0, if during the access authentication the AGW has received the RADIUS Access-Accept with neither the MIP4-HA-Local-Assignment-Capability VSA nor the Home Agent VSA, the AGW shall send a RADIUS Access-Request to the H-AAA, via the V-AAA if roaming, to request dynamic HA assignment from the H-AAA according to [7]; upon receiving a RADIUS Access-Accept that contains a HA address in the Home-Agent VSA, the AGW shall forward the RRQ to that HA.
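As an added illustration that is not part of this specification, the AGW-side decision rules of sections 3.3.2 and 3.3.2.2 are written out below as one function, so that every RRQ/Access-Accept combination maps to exactly one action. The VSA names are those used above; the dictionary layout, the action names and the sample addresses are assumptions of this example.

```python
"""AGW home-agent selection for a RADIUS-backed MIPv4 registration.

Added example, not part of the specification text. It encodes the decision
rules of sections 3.3.2 and 3.3.2.2: given the HA Address field of an
incoming RRQ and the VSAs cached from the RADIUS Access-Accept of the
preceding EAP access authentication, decide what the AGW does next.
The dict layout, the action names and the sample addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY_HA = IPv4Address("0.0.0.0")           # AT has no HA preference
HOME_HA = IPv4Address("255.255.255.255")  # AT wants an HA in its home network

# VSA names as used in the text; keys of the Access-Accept dict (assumed layout).
LOCAL_CAP = "MIP4-HA-Local-Assignment-Capability"
VAAA_HA = "VAAA-Assigned-MIP4-HA"
HOME_AGENT = "Home-Agent"


@dataclass(frozen=True)
class Decision:
    # Action names are assumptions of this example:
    #   forward            - send the RRQ to `ha`
    #   select_local_ha    - the AGW picks a visited-network HA itself
    #   request_haaa       - send Access-Request to H-AAA for dynamic HA assignment [7]
    #   fa_ha_msa_required - explicit HA, but no FA-HA MSA and policy requires one
    action: str
    ha: Optional[IPv4Address] = None
    reason: str = ""


def agw_select_ha(rrq_ha_field: str, access_accept: dict,
                  fa_ha_msa_ok: bool = True) -> Decision:
    """Apply the 3.3.2 / 3.3.2.2 rules to one RRQ.

    `fa_ha_msa_ok` models the 3.3.2 precondition for an explicit HA address:
    an FA-HA MSA already exists with that HA, or policy does not require one.
    """
    ha_field = IPv4Address(rrq_ha_field)
    home_ha = access_accept.get(HOME_AGENT)
    vaaa_ha = access_accept.get(VAAA_HA)
    local_cap = LOCAL_CAP in access_accept

    # 3.3.2: the AT named a specific HA.
    if ha_field not in (ANY_HA, HOME_HA):
        if fa_ha_msa_ok:
            return Decision("forward", ha_field, "explicit HA address in RRQ")
        return Decision("fa_ha_msa_required", ha_field,
                        "no FA-HA MSA with this HA and policy requires one")

    # 3.3.2.2, HA Address = 255.255.255.255: the HA must come from the home network.
    if ha_field == HOME_HA:
        if home_ha is not None:
            return Decision("forward", IPv4Address(home_ha),
                            "Home Agent VSA received during access authentication")
        return Decision("request_haaa", None,
                        "no Home Agent VSA cached; ask H-AAA for dynamic HA assignment")

    # 3.3.2.2, HA Address = 0.0.0.0: local assignment is allowed if authorised.
    if local_cap and vaaa_ha is not None:
        return Decision("forward", IPv4Address(vaaa_ha),
                        "local assignment authorised and V-AAA assigned an HA")
    if local_cap:
        return Decision("select_local_ha", None,
                        "local assignment authorised; AGW selects the HA")
    if home_ha is not None:
        return Decision("forward", IPv4Address(home_ha),
                        "no local authorisation; use the H-AAA assigned HA")
    return Decision("request_haaa", None,
                    "neither VSA cached; ask H-AAA for dynamic HA assignment")


if __name__ == "__main__":
    # Constructed sample: a roaming AT whose Access-Accept authorised local
    # assignment and carried a V-AAA assigned HA (documentation addresses only).
    cached = {LOCAL_CAP: True, VAAA_HA: "192.0.2.20", HOME_AGENT: "198.51.100.5"}
    for field in ("0.0.0.0", "255.255.255.255", "203.0.113.9"):
        d = agw_select_ha(field, cached)
        print(f"RRQ HA Address {field:>15} -> {d.action:18} {d.ha or ''} ({d.reason})")
```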
Table 2. Additional RADIUS Attributes between AGW and AAA during Access Authentication and Authorization for Supporting MIPv4 Registration

Attribute Name                       Type    Access-Request  Access-Accept  Interface(s)
MIP4-HA-Local-Assignment-Capability  26/TBD  0-1             0-1            AGW <-> H-AAA
Home Agent                           26/07   0               0-1            AGW <- H-AAA

[Pages 7 to 10 of the original are largely absent from this copy: sections 3.3.3 to 3.3.6 and the text of section 3.4 are missing, and only the table rows reproduced here survive from Tables 3 to 8.]

Table 4. RADIUS Attributes between AGW and AAA for Supporting FA-HA MSA Distribution (recovered rows)

Attribute Name     Type    Access-Request  Access-Accept  Interface(s)
MIP-FA-to-HA-SPI   318     0               0-1            AGW <- H-AAA
NAS-IP-Address     4       1               0              AGW -> H-AAA
FA-HA-MSA-Request  26/TBD  1               0              AGW -> H-AAA
FA-HA-MSA          26/TBD  0               1              AGW <- H-AAA
Table 5. Diameter Attributes between HA and H-AAA for Supporting MIPv4 Registration [6] (recovered rows)

AVP                            AVP Code  HAR  HAA  Interface
Session-Id                     263       1    1    HA <-> H-AAA
Result-Code                    268       0    1    HA -> H-AAA
Origin-Realm                   296       1    1    HA <-> H-AAA
Origin-Host                    264       1    1    HA <-> H-AAA
MIP-Reg-Request                320       1    0    HA <- H-AAA
MIP-Mobile-Node-Address        333       0-1  0-1  HA <-> H-AAA
MIP-MSA-Lifetime               367       0-1  0    HA <- H-AAA
MIP-Feature-Vector             337       1    0-1  HA <-> H-AAA
MN-HA-Shared-Key               26/TBD    1    0    HA <- H-AAA
Auth-Session-State             277       1    0    HA <- H-AAA
Error-Reporting-Host           294       0    0-1  HA -> H-AAA
MIP-Candidate-Home-Agent-Host  336       0-1  0    HA <- AAA

Table 6. RADIUS Attributes between HA and AAA for Supporting MIPv4 Registration (recovered rows)

Attribute Name    Type    Access-Request  Access-Accept  Interface(s)
NAS-IP-Address    4       1               0              HA -> AAA
CHAP-Password     3       1               0              HA -> AAA
CHAP-Challenge    60      1               0              HA -> AAA
MIP4-Mesg-ID      26/173  0               1              HA -> AAA
MN-HA SPI         26/57   1               1              HA <-> AAA
MN-HA Shared Key  26/58   0               1              HA <- H-AAA

Table 7. Additional Diameter Attributes between HA and H-AAA for Supporting FA-HA MSA Distribution [6] (recovered rows)

AVP               AVP Code  HAR  HAA  Interface
MIP-HA-to-FA-MSA  329       0-1  0    HA <- H-AAA

Table 8. RADIUS Attributes between HA and AAA for Supporting FA-HA MSA Distribution (recovered rows)

Attribute Name     Type    Access-Request  Access-Accept  Interface(s)
NAS-IP-Address     4       1               0              HA -> H-AAA
FA-HA-MSA-Request  26/TBD  1               0              HA -> H-AAA
FA-HA-MSA          26/TBD  0               1              HA <- H-AAA

0    This attribute shall not be present.
0-1  Zero or one instance of this attribute may be present.
1    Exactly one instance of this attribute shall be present.
3.5 AAA Requirements

3.5.1 MIPv4 Registration

3.5.1.1 Diameter

The V-AAA and H-AAA shall support [6].

3.5.1.1.1 V-AAA

Upon receiving the AMR from the AGW, if the MIP-Feature-Vector AVP contains the Home-Agent-Requested flag set to 1 and the Home-Address-Allocatable-Only-in-Home-Realm flag set to 0, the V-AAA may set the Foreign-Home-Agent-Available flag to 1 in the MIP-Feature-Vector AVP in order to indicate to the H-AAA that the visited network is willing to assign a local HA for the AT. If the Foreign-Home-Agent-Available flag is set to 1 in the MIP-Feature-Vector AVP, but the received AMR does not include the MIP-Candidate-Home-Agent-Host AVP, the V-AAA shall include the MIP-Candidate-Home-Agent-Host AVP in the AMR, which indicates a HA address that can be allocated in the visited network if the H-AAA authorizes it. The V-AAA shall include the MIP-Originating-Foreign-AAA AVP in the AMR, which contains the identity of the V-AAA. The V-AAA shall send the AMR to the H-AAA.

Upon receiving the HAR, the V-AAA shall forward it to the HA identified in the MIP-Candidate-Home-Agent-Host AVP of the HAR.

Upon receiving the HAA, the V-AAA shall forward it to the H-AAA.

Upon receiving the AMA, the V-AAA shall forward it to the AGW.

3.5.1.1.2 H-AAA

Upon receiving the AMR, the H-AAA shall generate a MN-AAA key [4] to authenticate the AT's credential conveyed in the MIP-MN-AAA-Auth AVP of the AMR. If the authentication is successful, the H-AAA shall generate a MN-HA key [4] and a unique MN-HA SPI. The H-AAA shall include the MN-HA-Shared-Key AVP in the HAR, which contains the MN-HA key. The H-AAA shall include the MN-HA-SPI AVP in the HAR, which contains the MN-HA SPI. If the Home-Address-Allocatable-Only-in-Home-Realm flag is set to 1 in the MIP-Feature-Vector AVP of the AMR, the H-AAA shall select a HA and send the HAR to that HA. If the Foreign-Home-Agent-Available flag is set to 1 in the MIP-Feature-Vector AVP of the AMR, but the H-AAA does not want the visited network to allocate a HA for the AT in the visited network, the H-AAA shall select a HA and send the HAR to that HA. If the Foreign-Home-Agent-Available flag is set to 1 in the MIP-Feature-Vector AVP of the AMR, and the H-AAA authorizes the visited network to allocate a HA for the AT, the H-AAA shall send the HAR to the V-AAA identified by the MIP-Originating-Foreign-AAA AVP in the AMR.

Upon receiving the HAA, the H-AAA shall send the AMA to the AGW, via the V-AAA if roaming.
3.5.1.2 RADIUS

3.5.1.2.1 V-AAA

During the EAP access authentication of a roaming AT, if the V-AAA receives a RADIUS Access-Accept containing the MIP4-HA-Local-Assignment-Capability VSA, the V-AAA may allocate a HA from the visited network, based on local policy, by including the VAAA-Assigned-MIP4-HA VSA in the RADIUS Access-Accept before sending it to the AGW.

3.5.1.2.2 H-AAA

During the EAP access authentication of a roaming AT, upon receiving a RADIUS Access-Request containing the MIP4-HA-Local-Assignment-Capability VSA, if the H-AAA authorizes the visited network to assign a local HA, the H-AAA shall include the MIP4-HA-Local-Assignment-Capability VSA in the RADIUS Access-Accept; otherwise, the H-AAA shall not include the MIP4-HA-Local-Assignment-Capability VSA. In either case, the H-AAA may include the Home-Agent VSA in the RADIUS Access-Accept, which contains the address of a HA assigned by the H-AAA in the home network.

During the initial MIPv4 registration, upon receiving a RADIUS Access-Request from an AGW which contains the Home-Agent VSA set to zero, the H-AAA shall use a MN-AAA key [4] to verify the AT's RRQ credential (i.e., the MN-AAA authenticator) conveyed in the CHAP-Password attribute of the RADIUS Access-Request [7]. If successful, the H-AAA shall select a HA address and include it in the RADIUS Access-Accept to the AGW according to [7].

During the initial MIPv4 registration, upon receiving a RADIUS Access-Request from a HA which contains the MN-HA SPI VSA and the MIP4-Mesg-ID VSA, the H-AAA shall use a MN-AAA key [4] to verify the AT's RRQ credential (i.e., the MN-AAA authenticator) conveyed in the CHAP-Password attribute of the RADIUS Access-Request [7]. If successful, the H-AAA shall generate a MN-HA key [4] and a unique MN-HA SPI. The H-AAA shall include the MN-HA Shared Key VSA (containing the MN-HA key) and the MN-HA SPI VSA (containing the MN-HA SPI) in the RADIUS Access-Accept sent to the HA.

3.5.2 FA-HA Security

The method of generating the FA-HA MSA is outside the scope of this document.

3.5.2.1 Diameter

If an FA-HA MSA is requested by the AGW via the AMR, the H-AAA shall generate the FA-HA MSA and distribute it to the AGW and HA according to the procedures in [6].

3.5.2.2 RADIUS

During the EAP access authentication of the inter-AGW handoff, if the AT's MIPv4 session has not been terminated yet (as indicated by the accounting record), the H-AAA shall include the HA-Realm VSA in the RADIUS Access-Accept. The H-AAA shall set the HA-Realm VSA to the realm where the HA is allocated.

If the RADIUS Access-Request received directly from an AGW or HA includes the FA-HA-MSA-Request VSA and the User-Name attribute set to "AGW|HA", the AAA shall generate the FA-HA MSA and include it in the FA-HA-MSA VSA of the RADIUS Access-Accept sent to the AGW or HA.
If the RADIUS Access-Request received via the V-AAA includes the FA-HA-MSA-Request VSA, the AAA shall generate the FA-HA MSA and include it in the FA-HA-MSA VSA of the RADIUS Access-Accept sent to the AGW or HA via the V-AAA.

3.5.3 Reverse Tunneling

If reverse tunneling [5] is required for the AT, based on a policy, the H-AAA shall, during EAP access authentication, include the Reverse-Tunnel-Specification AVP in the DEA, or the Reverse-Tunnel-Specification VSA in the RADIUS Access-Accept.
4 Call Flows

4.1 Mobile IPv4 Addressing with Diameter

Figure 3 illustrates an example call flow for Mobile IPv4 addressing. In this particular example, the AT requests dynamic HA and HoA assignment.

[Figure 3 is a message sequence diagram in the original between the AT, AN, AGW, HA, VAAA and HAAA, with the following messages:
1. Successful Authentication and Tunneling establishment between AN and AGW
2. Application requests for MIPv4 Address (at the AT)
3. Agent Solicitation (AT -> AGW)
4. Agent Advertisement (AGW -> AT)
5. RRQ (NAI, HoA 0.0.0.0, MN-AAA Auth Ext, HA Add (all 0 or all 1)) (AT -> AGW)
6. AMR (RRQ AVP, HA Req) (AGW -> VAAA)
7. AMR (RRQ, HA Req) (VAAA -> HAAA)
8. Generates MN-HA Key (at the HAAA)
9. HAR (RRQ, MN-HA Key) (HAAA -> VAAA)
10. HAR (RRQ, MN-HA Key) (VAAA -> HA)
11. HAA (RRP (HoA)) (HA -> VAAA)
12. HAA (RRP (HoA)) (VAAA -> HAAA)
13. AMA (RRP) (HAAA -> VAAA)
14. AMA (RRP) (VAAA -> AGW)
15. RRP (HoA, HA, MN-HA Auth Ext) (AGW -> AT)
16. Generates MN-HA Key (at the AT)
17. IPv4 Packets: tunnel through AN and AGW, MIPv4 tunnel between AGW and HA, then to/from the Internet]

Figure 3 Mobile IPv4 Addressing

The steps in Figure 3 are described below.

1. The AT performs a successful authentication and the per-AT tunnel is established between the AN and AGW.

2. The AT's application requests a MIPv4 address. Step 2 may occur during step 1.

3. The AT sends an Agent Solicitation message with the source IP address set to all 0 (if the AT doesn't have a home address) and the destination address set to the "limited broadcast" address (255.255.255.255). The Agent Solicitation message is sent to the AGW through the tunnel between the AN and the AGW.

4. The AGW, acting as a MIPv4 foreign agent, sends an Agent Advertisement message [1] to the AT containing the AT's FA CoA and the Challenge extension [3]. The Agent Advertisement message is sent to the AT through the tunnel between the AN and the AGW.
5. The AT sends a Registration Request message [1] to the AGW through the tunnel between the AN and AGW requesting dynamic HA and HoA assignment, containing the MN-NAI extension [2], MN-FA Challenge extension, and the MN-AAA Authentication extension [3]. The AT indicates either that it has no preference for an HA in the home or visited domain (by specifying 0.0.0.0 in the HA Address field of the RRQ) or that it prefers an HA in the home network (by specifying 255.255.255.255 in the HA Address field of the RRQ). The AT also specifies an HoA of 0.0.0.0 in the RRQ.

6. The FA populates the Diameter MIP-Reg-Request AVP of the AMR with the corresponding values from the RRQ including the authentication data (see RFC 4004). The FA adds a MIP-Feature-Vector AVP to the AMR with the Home-Agent-Requested flag set to one. If the HA Address field of the RRQ is set to 255.255.255.255, the FA sets the Home-Address-Allocatable-Only-in-Home-Realm flag of the MIP-Feature-Vector AVP of the AMR equal to one. If the HA Address field of the extension is set to 0.0.0.0, the FA sets the Home-Address-Allocatable-Only-in-Home-Realm flag of the MIP-Feature-Vector AVP of the AMR equal to zero. The FA includes the MN-HA SPI AVP in the AMR, indicating that the HAAA generates the MN-HA Shared Key. The FA sends the AMR to the HAAA via the VAAA to authenticate the MS and the RRQ. The FA includes the MIP4-Mesg-ID AVP in the AMR, which contains the timestamp value from the Identification field of the RRQ.

7. The VAAA processes the AMR. If the VAAA receives an AMR message with the Home-Agent-Requested flag of the MIP-Feature-Vector AVP set to one and with the Home-Address-Allocatable-Only-in-Home-Realm flag of the MIP-Feature-Vector AVP equal to zero, the VAAA can set the Foreign-Home-Agent-Available flag in the MIP-Feature-Vector AVP in order to indicate to the HAAA that it is willing to assign a HA for the MS in its network. If the AGW has not included a MIP-Candidate-Home-Agent-Host AVP in the AMR, the VAAA will include the MIP-Candidate-Home-Agent-Host AVP (which contains the address of the home agent that the VAAA would assign to the MS). The VAAA includes the MIP-Originating-Foreign-AAA AVP (which contains the identity of the VAAA) in the AMR. The VAAA then sends the AMR to the HAAA.

8. When the HAAA receives the AMR message, it first checks the authentication data supplied by the MS in the MIP-Reg-Request AVP and MIP-MN-AAA-Auth AVP, and determines the success of the MS authentication. If authentication is successful and the AMR indicates that the visited network has allocated a Home Agent for the MS, the HAAA decides, based on its local policy and/or the subscriber profile, whether it will allow the user to have a home agent in the visited network. If the MS is authorized, the HAAA generates the MN-HA Key and assigns its value to the MN-HA Shared Key AVP.

9. The HAAA sends the HAR message to the originating VAAA as identified by the AMR's MIP-Originating-Foreign-AAA AVP.

10. The VAAA processes the HAR and sends the HAR to the HA.

11. The HA receives the HAR containing a MIP-Reg-Request AVP. The HA processes the RRQ and stores the MN-HA key (MN-HA Shared Key AVP) as part of its security association with the MS. The HA shall calculate the MN-HA Authentication Extension using the MN-HA Shared key. The HA sends an HAA including the MIP-Reg-Reply AVP and the Mobile-Home Authentication Extension back to the H-AAA via the VAAA.
«SpecIdentity» «Organization»
1
2
12. The VAAA processes the HAA and sends it to the HAAA.

13. The HAAA creates an AMA message containing the MIP-Reg-Reply AVP received from the HA, and sends the AMA to the FA through the VAAA.

14. The VAAA processes and forwards the AMA to the FA.

15. The FA processes the AMA, including the MIP-Reg-Reply AVP, and sends the RRP to the MS.

16. The MS generates the MN-HA Shared Key from the data contained in the RRP according to section YY, and uses it to validate the Mobile-Home Authentication Extension. If the check fails, the MS discards the RRP and the new Mobility Security Association. If an RRP indicating success is received and verified, the RRP contains the assigned HA address in the Home Agent field and the assigned HoA in the Home Address field; the MS creates or updates its Mobility Security Association with the HA indicated in the RRP using the MN-HA Shared Key that it computed. In the success case, subsequent re-registrations are sent to the same HA.

17. The AT sends/receives IPv4 packets to/from the HA through the MIPv4 tunnel between the HA and AGW and the tunnel between the AN and AGW.

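The HA-side and MS-side handling of the Mobile-Home Authentication Extension in steps 11 and 16 (and steps 12 and 14 of the RADIUS flow in 4.2), written out as an added example. This is not code from the specification: the key derivation is a placeholder (HMAC-SHA1 over an assumed per-MS AAA key and the Identification field), since the specification defers the real derivation to its section YY; the authenticator itself follows the RFC 3344 default, HMAC-MD5 over the RRP up to and including the extension's Type, Length and SPI. All addresses, keys and the SPI are constructed test values.

```python
import hashlib
import hmac
import ipaddress
import struct

RRP_TYPE = 3              # Registration Reply (RFC 3344 section 3.4)
MH_AUTH_EXT_TYPE = 32     # Mobile-Home Authentication Extension (RFC 3344 section 3.5.2)
MH_AUTH_EXT_LEN = 4 + 16  # SPI + HMAC-MD5 authenticator


def derive_mn_ha_key(ms_aaa_key: bytes, identification: int) -> bytes:
    """Placeholder for the derivation the specification defers to section YY
    (assumption: HMAC-SHA1 of the MS's AAA key over a label and the
    Identification value, truncated to 128 bits). The HAAA and the MS must run
    the same function; this one is illustrative only."""
    data = b"MN-HA" + struct.pack("!Q", identification)
    return hmac.new(ms_aaa_key, data, hashlib.sha1).digest()[:16]


def build_rrp(code: int, lifetime: int, hoa: str, ha: str, identification: int) -> bytes:
    """Fixed portion of a Registration Reply: Type, Code, Lifetime,
    Home Address, Home Agent, Identification (20 bytes)."""
    return struct.pack("!BBH4s4sQ", RRP_TYPE, code, lifetime,
                       ipaddress.IPv4Address(hoa).packed,
                       ipaddress.IPv4Address(ha).packed,
                       identification)


def mh_authenticator(key: bytes, preceding: bytes, spi: int) -> bytes:
    """RFC 3344 section 3.5.1 default algorithm: HMAC-MD5 over the message up
    to this extension, followed by the extension's own Type, Length and SPI."""
    ext_header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, MH_AUTH_EXT_LEN, spi)
    return hmac.new(key, preceding + ext_header, hashlib.md5).digest()


def ha_sign_rrp(rrp: bytes, mn_ha_key: bytes, spi: int) -> bytes:
    """HA side (step 11): append the Mobile-Home Authentication Extension
    computed with the MN-HA Shared Key received from the HAAA."""
    ext_header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, MH_AUTH_EXT_LEN, spi)
    return rrp + ext_header + mh_authenticator(mn_ha_key, rrp, spi)


def ms_process_rrp(rrp: bytes, ms_aaa_key: bytes, expected_spi: int):
    """MS side (step 16). Returns the new Mobility Security Association as a
    dict, or None when the RRP and the candidate association must be discarded."""
    if len(rrp) < 20 or rrp[0] != RRP_TYPE:
        return None
    code, lifetime = rrp[1], struct.unpack("!H", rrp[2:4])[0]
    identification = struct.unpack("!Q", rrp[12:20])[0]
    # Walk the (Type, Length, Data) extensions to locate the auth extension.
    pos = 20
    while pos + 2 <= len(rrp):
        etype, elen = rrp[pos], rrp[pos + 1]
        if etype == MH_AUTH_EXT_TYPE:
            break
        pos += 2 + elen
    else:
        return None  # no Mobile-Home Authentication Extension: reject
    if elen != MH_AUTH_EXT_LEN or pos + 2 + elen > len(rrp):
        return None
    spi = struct.unpack("!I", rrp[pos + 2:pos + 6])[0]
    received = rrp[pos + 6:pos + 6 + 16]
    # Derive the key, then verify before trusting any field of the RRP.
    key = derive_mn_ha_key(ms_aaa_key, identification)
    expected = mh_authenticator(key, rrp[:pos], spi)
    if spi != expected_spi or not hmac.compare_digest(received, expected):
        return None
    if code not in (0, 1):  # 0 = accepted, 1 = accepted, no simultaneous bindings
        return None
    return {
        "ha": str(ipaddress.IPv4Address(rrp[8:12])),
        "hoa": str(ipaddress.IPv4Address(rrp[4:8])),
        "spi": spi,
        "key": key,
        "lifetime": lifetime,
    }


def demo():
    """Constructed vectors: a valid RRP and a copy whose Home Agent field was
    rewritten in transit. Returns (association, None)."""
    ms_aaa_key = bytes(range(16))
    identification = 0x5F1A2B3C00000001
    spi = 0x00000100
    mn_ha_key = derive_mn_ha_key(ms_aaa_key, identification)  # what the HAAA hands the HA
    rrp = ha_sign_rrp(build_rrp(0, 1800, "10.1.2.3", "198.51.100.7", identification), mn_ha_key, spi)
    good = ms_process_rrp(rrp, ms_aaa_key, spi)
    forged = bytearray(rrp)
    forged[8:12] = ipaddress.IPv4Address("203.0.113.9").packed
    bad = ms_process_rrp(bytes(forged), ms_aaa_key, spi)
    return good, bad
```

The forged RRP shows why the order in step 16 matters: the Home Agent field is only acted on after the extension verifies, so an attacker on the path cannot redirect the MS to a HA of its choosing. The example does not check the Identification field against the RRQ for replay, which a real MS must also do.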
[Editor Note: This call flow shows the scenario in which the serving AGW and Anchor AGW are combined and called AGW. The interaction between the serving AGW and Anchor AGW should be added.]

[Editor Note: How to set up the SPI value is FFS.]

[Editor Note: Whether to use Diameter or RADIUS is an open issue.]

4.2 Mobile IPv4 Addressing with RADIUS

Figure 4 illustrates an example call flow for Mobile IPv4 addressing. This call flow is for the initial MIPv4 registration. In this particular example, the AT requests dynamic HA and HoA assignment.
Figure 4 (call flow diagram, rendered as text; participants: AT, AN, AGW, HA, VAAA, HAAA):

1. Successful authentication and tunnel establishment between AN and AGW (during authentication, HA(s) are assigned by the HAAA/VAAA and the HA IP address(es) are sent to the AGW)
2. AT application requests a MIPv4 address
3. AT -> AGW: Agent Solicitation
4. AGW -> AT: Agent Advertisement
5. AT -> AGW: RRQ (NAI, HoA 0.0.0.0, HA 0.0.0.0, MN-AAA Auth Ext)
6. AGW -> HAAA: RADIUS Access-Request [NAI]
7. HAAA -> AGW: RADIUS Access-Accept [NAI, HA IP Add]
8. AGW -> HA: RRQ
9. HA -> HAAA (via VAAA): RADIUS Access-Request (MN-AAA AE, MIPv4-Msg-ID)
10. HAAA generates MN-HA Key
11. HAAA -> HA: RADIUS Access-Accept (MN-HA Key)
12. HA -> AGW: RRP (NAI, HoA, MN-HA AE)
13. AGW -> AT: RRP (NAI, HA, HoA, MN-HA AE)
14. AT generates MN-HA Key
15. IPv4 packets: tunnel through AN and AGW, MIPv4 tunnel between AGW and HA, to/from Internet

Figure 4 Mobile IPv4 Addressing with RADIUS

The steps in Figure 4 are described below.

1. The AT performs a successful authentication and the per-AT tunnel is established between the AN and AGW. During the successful EAP authentication and authorization, if the user profile and the policy of the home AAA allow the AT to access a HA in the visited network, the home AAA server shall send the HA-Authorized Attribute along with the MIP4-Home Agent Attribute containing an assigned HA in the home network to the AGW in the AAA message. If the user profile or the policy of the home network disallows the AT from accessing a HA in the visited network, the home AAA server shall omit the HA-Authorized Attribute but include the MIPv4-Home Agent Attribute containing an assigned HA in the home network in the AAA message. If the VAAA receives the HA-Authorized Attribute from the HAAA, the VAAA may insert a MIPv4-Home Agent Attribute containing an assigned HA in the visited network. The details are shown in the access authentication and authorization call flow.

2. The AT's application requests a MIPv4 address. Step 2 may occur during step 1.

3. The AT sends an Agent Solicitation message with the source IP address set to all zeros (if the AT does not have a home address) and the destination address set to the limited broadcast address (255.255.255.255). The Agent Solicitation message is sent to the AGW through the tunnel between the AN and the AGW.

4. The AGW, acting as a MIPv4 foreign agent, sends an Agent Advertisement message [RFC3344] to the AT containing the AT's FA CoA and the Challenge extension [RFC3012]. The Agent Advertisement message is sent to the AT through the tunnel between the AN and the AGW.

5. The AT sends a Registration Request message to the AGW through the tunnel between the AN and AGW requesting dynamic HA and HoA assignment, containing the MN-NAI extension [RFC2794], the MN-FA Challenge extension [RFC3012], and the MN-AAA Authentication extension [3]. The AT indicates either that it has no preference for a HA in the home or visited domain (by specifying 0.0.0.0 in the HA Address field of the RRQ) or that it prefers a HA in the home network (by specifying 255.255.255.255 in the HA Address field of the RRQ). The AT also specifies a HoA of 0.0.0.0 in the RRQ.

6. If the AGW did not obtain a HA IP address in step 1, or the HA IP address is obsolete based on local policy, the AGW cannot determine the HA. In that case, the AGW can send an Access-Request message to the HAAA. This step is optional.

7. Upon receiving the Access-Request message, the HAAA sends an Access-Accept message to the AGW including the HA assignment.

8. The AGW selects the HA based on the AT's request and the authorization specified in step 1 or step 7, and then sends the RRQ to the selected HA.

9. The HA sends a RADIUS Access-Request, via the VAAA, to the HAAA to authenticate the AT's MN-AAA authenticator received in the RRQ. The RADIUS Access-Request also contains the MN-HA SPI VSA for requesting an MN-HA key, and the MIP4-Mesg-ID VSA containing the timestamp value from the Identification field of the RRQ.

10. The HAAA authenticates the user via the MN-AAA Authentication extension. The HAAA calculates the MN-HA key.

11. The HAAA sends a RADIUS Access-Accept with the MN-HA-Shared-Key VSA containing the MN-HA-Shared key (IK). The attributes in the RADIUS Access-Accept are integrity-protected by the Message-Authenticator attribute. Message-Authenticator does not provide confidentiality, so the key VSA itself must be encrypted between the HAAA and the HA (by attribute-level encryption or a protected transport) or it travels in the clear on every RADIUS hop.

12. The HA generates the RRP, which includes the Mobile-Home Authentication Extension [1] computed by the HA based on the MN-HA-Shared key, the AT's Home Address, the HA's address, and the NAI. The HA sends the RRP to the AGW.

13. The AGW forwards the RRP to the AT.

14. The AT derives the MN-HA key and verifies the Mobile-Home Authentication Extension in the received RRP.

15. The AT sends/receives IPv4 packets to/from the HA through the MIPv4 tunnel between the HA and AGW and the tunnel between the AN and AGW.

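The RADIUS leg of steps 9 to 11, as an added example that is not part of the specification: the HA builds an Access-Request carrying the NAI, the MN-HA SPI VSA and the MIP4-Mesg-ID VSA, the HAAA answers with an Access-Accept carrying the MN-HA-Shared-Key VSA, and the HA accepts the key only after both the Response Authenticator and the Message-Authenticator verify. Vendor-Id 5535 is the 3GPP2 enterprise number; the vendor sub-type numbers, the shared secret, the NAI and the key are placeholders chosen for the example (assumptions), not values from X.S0011.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 1, 26, 80
VENDOR_3GPP2 = 5535  # 3GPP2 enterprise number carried in the Vendor-Id field
# Vendor sub-types below are placeholders (assumption); take real values from X.S0011.
VT_MN_HA_SPI, VT_MIP4_MESG_ID, VT_MN_HA_SHARED_KEY = 1, 2, 3


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_type: int, value: bytes) -> bytes:
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP2) + inner)


def finish_packet(code: int, ident: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append a Message-Authenticator: HMAC-MD5 over the packet with the given
    authenticator in the header and the Message-Authenticator value zeroed."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def ha_access_request(secret: bytes, ident: int, nai: bytes, spi: int, mesg_id: int):
    """Step 9: the HA asks the HAAA to check the MN-AAA authenticator and to
    return an MN-HA key. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, nai)
             + vsa(VT_MN_HA_SPI, struct.pack("!I", spi))
             + vsa(VT_MIP4_MESG_ID, struct.pack("!Q", mesg_id)))
    return finish_packet(ACCESS_REQUEST, ident, request_auth, attrs, secret), request_auth


def haaa_access_accept(secret: bytes, request: bytes, mn_ha_key: bytes) -> bytes:
    """Step 11: Access-Accept carrying the MN-HA-Shared-Key VSA. The
    Message-Authenticator is computed with the Request Authenticator in the
    header; the Response Authenticator then replaces it:
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    ident, request_auth = request[1], request[4:20]
    pkt = finish_packet(ACCESS_ACCEPT, ident, request_auth,
                        vsa(VT_MN_HA_SHARED_KEY, mn_ha_key), secret)
    response_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + response_auth + pkt[20:]


def ha_verify_accept(secret: bytes, response: bytes, request: bytes, request_auth: bytes):
    """HA side of step 11: return the MN-HA key only if the Response
    Authenticator and the Message-Authenticator both verify, else None."""
    if len(response) < 20 or response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return None
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected_resp = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected_resp, response[4:20]):
        return None
    attrs, pos, ma_pos, key = response[20:], 0, None, None
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None
        value = attrs[pos + 2:pos + alen]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            ma_pos = pos
        elif (atype == VENDOR_SPECIFIC and len(value) >= 6
              and value[:4] == struct.pack("!I", VENDOR_3GPP2)
              and value[4] == VT_MN_HA_SHARED_KEY):
            key = value[6:4 + value[5]]
        pos += alen
    if ma_pos is None or key is None:
        return None
    zeroed = bytearray(attrs)
    zeroed[ma_pos + 2:ma_pos + 18] = bytes(16)
    expected_ma = hmac.new(secret, response[:4] + request_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected_ma, attrs[ma_pos + 2:ma_pos + 18]):
        return None
    return key


def demo():
    """Constructed exchange plus a copy of the Access-Accept whose key bytes
    were altered in transit. Returns (key, None)."""
    secret = b"constructed-shared-secret"
    mn_ha_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    req, request_auth = ha_access_request(secret, 7, b"user@example.com", 0x100, 0x5F1A2B3C00000001)
    resp = haaa_access_accept(secret, req, mn_ha_key)
    ok = ha_verify_accept(secret, resp, req, request_auth)
    tampered = bytearray(resp)
    tampered[28] ^= 0x01  # first key byte: 20-byte header + 8 bytes of attribute/VSA headers
    return ok, ha_verify_accept(secret, bytes(tampered), req, request_auth)
```

Both authenticators are keyed with the RADIUS shared secret, so they only protect the HA-to-HAAA hops that share that secret; a proxy VAAA in the path terminates and re-creates them. The key VSA is sent in the clear here, which is exactly the gap noted in step 11: in a deployment it needs attribute encryption or a protected transport in addition to the checks shown.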
[Editor Note: The SPI value needs to follow the MIPv4 Enhancement (X.P0044) after it is approved.]

[Editor Note: Whether a static MN-HA Key is allowed needs to be further clarified. Then the AGW may receive an MN-AAA removal indicator.]