Internet Engineering Task Force (IETF) J. Korhonen, Ed.
Request for Comments: 5779 Nokia Siemens Network
Category: Standards Track J. Bournelle
ISSN: 2070-1721 Orange Labs
K. Chowdhury
Cisco Systems
A. Muhanna
Ericsson
U. Meyer
RWTH Aachen
February 2010
Internet Engineering Task Force (IETF) J. Korhonen, Ed.
Request for Comments: 5779 Nokia Siemens Network
Category: Standards Track J. Bournelle
ISSN: 2070-1721 Orange Labs
K. Chowdhury
Cisco Systems
A. Muhanna
Ericsson
U. Meyer
RWTH Aachen
February 2010
Diameter Proxy Mobile IPv6: Mobile Access Gateway and Local Mobility Anchor Interaction with Diameter Server
Diameter代理移动IPv6:移动接入网关和本地移动锚与Diameter服务器的交互
Abstract
摘要
This specification defines Authentication, Authorization, and Accounting (AAA) interactions between Proxy Mobile IPv6 entities (both Mobile Access Gateway and Local Mobility Anchor) and a AAA server within a Proxy Mobile IPv6 Domain. These AAA interactions are primarily used to download and update mobile node specific policy profile information between Proxy Mobile IPv6 entities and a remote policy store.
本规范定义了代理移动IPv6实体(移动接入网关和本地移动锚)与代理移动IPv6域内的AAA服务器之间的身份验证、授权和计费(AAA)交互。这些AAA交互主要用于在代理移动IPv6实体和远程策略存储之间下载和更新特定于移动节点的策略配置文件信息。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5779.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5779.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................4
2. Terminology and Abbreviations ...................................4
3. Solution Overview ...............................................5
4. Generic Application Support and Command Codes ...................6
4.1. MAG-to-HAAA Interface ......................................6
4.2. LMA-to-HAAA Interface ......................................7
4.2.1. General Operation and Authorization of PBU ..........7
4.2.2. Updating LMA Address to HAAA ........................8
4.2.3. Mobile Node Address Update and Assignment ...........8
5. Attribute Value Pair Definitions ................................9
5.1. MIP6-Agent-Info AVP ........................................9
5.2. PMIP6-IPv4-Home-Address AVP ...............................10
5.3. MIP6-Home-Link-Prefix AVP .................................10
5.4. PMIP6-DHCP-Server-Address AVP .............................10
5.5. MIP6-Feature-Vector AVP ...................................10
5.6. Mobile-Node-Identifier AVP ................................11
5.7. Calling-Station-Id AVP ....................................12
5.8. Service-Selection AVP .....................................12
5.9. Service-Configuration AVP .................................13
6. Proxy Mobile IPv6 Session Management ...........................13
6.1. Session-Termination-Request ...............................14
6.2. Session-Termination-Answer ................................14
6.3. Abort-Session-Request .....................................14
6.4. Abort-Session-Answer ......................................14
7. Attribute Value Pair Occurrence Tables .........................14
7.1. MAG-to-HAAA Interface .....................................15
7.2. LMA-to-HAAA Interface .....................................15
8. Example Signaling Flows ........................................15
9. IANA Considerations ............................................17
9.1. Attribute Value Pair Codes ................................17
9.2. Namespaces ................................................17
10. Security Considerations .......................................17
11. Acknowledgements ..............................................17
12. References ....................................................18
12.1. Normative References .....................................18
12.2. Informative References ...................................18
1. Introduction ....................................................4
2. Terminology and Abbreviations ...................................4
3. Solution Overview ...............................................5
4. Generic Application Support and Command Codes ...................6
4.1. MAG-to-HAAA Interface ......................................6
4.2. LMA-to-HAAA Interface ......................................7
4.2.1. General Operation and Authorization of PBU ..........7
4.2.2. Updating LMA Address to HAAA ........................8
4.2.3. Mobile Node Address Update and Assignment ...........8
5. Attribute Value Pair Definitions ................................9
5.1. MIP6-Agent-Info AVP ........................................9
5.2. PMIP6-IPv4-Home-Address AVP ...............................10
5.3. MIP6-Home-Link-Prefix AVP .................................10
5.4. PMIP6-DHCP-Server-Address AVP .............................10
5.5. MIP6-Feature-Vector AVP ...................................10
5.6. Mobile-Node-Identifier AVP ................................11
5.7. Calling-Station-Id AVP ....................................12
5.8. Service-Selection AVP .....................................12
5.9. Service-Configuration AVP .................................13
6. Proxy Mobile IPv6 Session Management ...........................13
6.1. Session-Termination-Request ...............................14
6.2. Session-Termination-Answer ................................14
6.3. Abort-Session-Request .....................................14
6.4. Abort-Session-Answer ......................................14
7. Attribute Value Pair Occurrence Tables .........................14
7.1. MAG-to-HAAA Interface .....................................15
7.2. LMA-to-HAAA Interface .....................................15
8. Example Signaling Flows ........................................15
9. IANA Considerations ............................................17
9.1. Attribute Value Pair Codes ................................17
9.2. Namespaces ................................................17
10. Security Considerations .......................................17
11. Acknowledgements ..............................................17
12. References ....................................................18
12.1. Normative References .....................................18
12.2. Informative References ...................................18
This specification defines Authentication, Authorization, and Accounting (AAA) interactions between a Mobile Access Gateway (MAG) and a AAA server, and between a Local Mobility Anchor (LMA) and a AAA server within a Proxy Mobile IPv6 (PMIPv6) Domain [RFC5213]. These AAA interactions are primarily used to download and update mobile node (MN) specific policy profile information between PMIPv6 entities (a MAG and an LMA) and a remote policy store.
本规范定义了移动接入网关(MAG)和AAA服务器之间以及代理移动IPv6(PMIPv6)域内本地移动锚(LMA)和AAA服务器之间的身份验证、授权和计费(AAA)交互[RFC5213]。这些AAA交互主要用于下载和更新PMIPv6实体(MAG和LMA)和远程策略存储之间的移动节点(MN)特定策略配置文件信息。
Dynamic assignment and downloading of an MN's policy profile information to a MAG from a remote policy store is a desirable feature to ease the deployment and network maintenance of larger PMIPv6 domains. For this purpose, the same AAA infrastructure that is used for authenticating and authorizing the MN for a network access can be leveraged to download some or all of the necessary policy profile information to the MAG.
动态分配MN的策略配置文件信息并将其从远程策略存储下载到MAG是一种理想的功能,可以简化大型PMIPv6域的部署和网络维护。为此目的,可以利用用于认证和授权用于网络访问的MN的相同AAA基础设施将一些或所有必要的策略配置文件信息下载到MAG。
Once the network has authenticated the MN, the MAG sends a Proxy Binding Update (PBU) to the LMA in order to set up a mobility session on behalf of the MN. When the LMA receives the PBU, the LMA may need to authorize the received PBU against the AAA infrastructure. The same AAA infrastructure that can be used for the authorization of the PBU, is also used to update the remote policy store with the LMA-provided MN specific mobility session-related information.
一旦网络认证了MN,MAG向LMA发送代理绑定更新(PBU),以便代表MN建立移动会话。当LMA接收到PBU时,LMA可能需要针对AAA基础设施授权接收到的PBU。可用于PBU授权的相同AAA基础设施也用于使用LMA提供的MN特定移动会话相关信息更新远程策略存储。
In the context of this specification, the home AAA (HAAA) server functionality is co-located with the remote policy store. The NAS functionality may be co-located with the MAG function in the network access router. Diameter [RFC3588] is the used AAA protocol.
在本规范的上下文中,家庭AAA(HAAA)服务器功能与远程策略存储位于同一位置。NAS功能可与网络接入路由器中的MAG功能共存。Diameter[RFC3588]是使用的AAA协议。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
The general terminology used in this document can be found in [RFC5213] and [NETLMM-PMIP6]. The following additional or clarified terms are also used in this document:
本文件中使用的通用术语见[RFC5213]和[NETLMM-PMIP6]。本文件中还使用了以下附加或澄清的术语:
Network Access Server (NAS):
网络访问服务器(NAS):
A device that provides an access service for a user to a network. In the context of this document, the NAS may be integrated into or co-located to a MAG. The NAS contains a Diameter client function.
为用户提供网络访问服务的设备。在本文档的上下文中,NAS可以集成到MAG中或与MAG共存。NAS包含Diameter客户端功能。
Home AAA (HAAA):
家庭AAA(HAAA):
An Authentication, Authorization, and Accounting (AAA) server located in user's home network. A HAAA is essentially a Diameter server.
位于用户家庭网络中的身份验证、授权和记帐(AAA)服务器。HAAA本质上是一个Diameter服务器。
This document addresses the AAA interactions and AAA-based session management functionality needed in the PMIPv6 Domain. This document defines Diameter-based AAA interactions between the MAG and the HAAA, and between the LMA and the HAAA.
本文档介绍PMIPv6域中所需的AAA交互和基于AAA的会话管理功能。本文件定义了MAG和HAAA之间以及LMA和HAAA之间基于直径的AAA相互作用。
The policy profile is downloaded from the HAAA to the MAG during the MN attachment to the PMIPv6 Domain. Figure 1 shows the participating network entities. This document, however, concentrates on the MAG, LMA, and the HAAA (the home Diameter server).
在MN连接到PMIPv6域期间,策略配置文件从HAAA下载到MAG。图1显示了参与的网络实体。然而,本文档主要关注MAG、LMA和HAAA(HomeDiameter服务器)。
+--------+
| HAAA & | Diameter +-----+
| Policy |<---(2)-->| LMA |
| Store | +-----+
+--------+ | <--- LMA-Address
^ |
| // \\
+---|------------- //---\\----------------+
( | IPv4/IPv6 // \\ )
( | Network // \\ )
+---|-----------//---------\\-------------+
| // \\
Diameter // <- Tunnel1 \\ <- Tunnel2
(1) // \\
| |- MAG1-Address |- MAG2-Address
| +----+ +----+
+---->|MAG1| |MAG2|
+----+ +----+
| |
| |
[MN1] [MN2]
+--------+
| HAAA & | Diameter +-----+
| Policy |<---(2)-->| LMA |
| Store | +-----+
+--------+ | <--- LMA-Address
^ |
| // \\
+---|------------- //---\\----------------+
( | IPv4/IPv6 // \\ )
( | Network // \\ )
+---|-----------//---------\\-------------+
| // \\
Diameter // <- Tunnel1 \\ <- Tunnel2
(1) // \\
| |- MAG1-Address |- MAG2-Address
| +----+ +----+
+---->|MAG1| |MAG2|
+----+ +----+
| |
| |
[MN1] [MN2]
Legend:
图例:
(1): MAG-to-HAAA interaction is described in Section 7.1 (2): LMA-to-HAAA interaction is described in Section 7.2
(1) :MAG与HAAA的相互作用见第7.1(2)节:LMA与HAAA的相互作用见第7.2节
Figure 1: Proxy Mobile IPv6 Domain Interaction with Diameter HAAA Server
图1:代理移动IPv6域与Diameter HAAA服务器的交互
When an MN attaches to a PMIPv6 Domain, a network access authentication procedure is usually started. The choice of the authentication mechanism is specific to the access network deployment, but could be based on the Extensible Authentication Protocol (EAP) [RFC3748]. During the network access authentication procedure, the MAG acting as a NAS queries the HAAA through the AAA infrastructure using the Diameter protocol. If the HAAA detects that the subscriber is also authorized for the PMIPv6 service, PMIPv6 specific information is returned along with the successful network access authentication answer to the MAG.
当MN连接到PMIPv6域时,通常会启动网络访问身份验证过程。认证机制的选择特定于接入网部署,但可以基于可扩展认证协议(EAP)[RFC3748]。在网络访问身份验证过程中,充当NAS的MAG使用Diameter协议通过AAA基础设施查询HAAA。如果HAAA检测到订户也被授权使用PMIPv6服务,则将PMIPv6特定信息与成功的网络访问认证应答一起返回给MAG。
After the MN has been successfully authenticated, the MAG sends a PBU to the LMA based on the MN's policy profile information. Upon receiving the PBU, the LMA interacts with the HAAA and fetches the relevant parts of the subscriber policy profile and authorization information related to the mobility service session. In this specification, the HAAA has the role of the PMIPv6 remote policy store.
在MN已被成功认证之后,MAG基于MN的策略简档信息向LMA发送PBU。在接收到PBU时,LMA与HAAA交互并获取与移动服务会话相关的订户策略简档的相关部分和授权信息。在本规范中,HAAA扮演PMIPv6远程策略存储的角色。
This specification does not define new Application-IDs or Command Codes for the MAG-to-HAAA or for the LMA-to-HAAA Diameter connections. Rather, this specification is generic to any Diameter application (and their commands) that is suitable for a network access authentication and authorization. Example applications include NASREQ [RFC4005] and EAP [RFC4072].
本规范未为MAG至HAAA或LMA至HAAA直径连接定义新的应用程序ID或命令代码。相反,本规范是适用于网络访问身份验证和授权的任何Diameter应用程序(及其命令)的通用规范。示例应用程序包括NASREQ[RFC4005]和EAP[RFC4072]。
The MAG-to-HAAA interactions are primarily used for bootstrapping PMIPv6 mobility service session when an MN attaches and authenticates to a PMIPv6 Domain. This includes the bootstrapping of PMIPv6 session-related information. The same interface may also be used for accounting. The MAG acts as a Diameter client.
MAG到HAAA的交互主要用于在MN连接到PMIPv6域并进行身份验证时引导PMIPv6移动服务会话。这包括PMIPv6会话相关信息的引导。同样的接口也可用于记帐。MAG充当Diameter客户端。
Whenever the MAG sends a Diameter request message to the HAAA, the User-Name AVP SHOULD contain the MN's identity unless the identity is being suppressed for policy reasons -- for example, when identity hiding is in effect. The MN identity, if available, MUST be in Network Access Identifier (NAI) [RFC4282] format. At minimum, the home realm of the MN MUST be available at the MAG when the network access authentication takes place. Otherwise, the MAG is not able to route the Diameter request messages towards the correct HAAA. The MN identity used on the MAG-to-HAAA interface and in the User-Name AVP MAY entirely be related to the network access authentication, and
每当MAG向HAAA发送Diameter请求消息时,用户名AVP应包含MN的标识,除非该标识因策略原因而被抑制——例如,当标识隐藏生效时。MN标识(如果可用)必须采用网络访问标识符(NAI)[RFC4282]格式。至少,当网络访问认证发生时,MN的主域必须在MAG上可用。否则,MAG无法将Diameter请求消息路由到正确的HAAA。在MAG-to-HAAA接口和用户名AVP中使用的MN标识可能完全与网络接入认证相关,并且
therefore not suitable to be used as the MN-ID mobility option value in the subsequent PBU / Proxy Binding Acknowledgement (PBA) messages. See the related discussion on MN identities in Sections 4.2 and 5.6.
因此,不适合用作后续PBU/代理绑定确认(PBA)消息中的MN-ID移动性选项值。参见第4.2节和第5.6节中有关MN标识的相关讨论。
For the session management and service authorization purposes, session state SHOULD be maintained on the MAG-to-HAAA interface. See the discussion in Section 5.8.
出于会话管理和服务授权的目的,应在MAG到HAAA接口上维护会话状态。见第5.8节中的讨论。
The LMA-to-HAAA interface may be used for multiple purposes. These include the authorization of the incoming PBU, updating the LMA address to the HAAA, delegating the assignment of the MN-HNP (home network prefix) or the IPv4-HoA (home address) to the HAAA, and for accounting and PMIPv6 session management. The primary purpose of this interface is to update the HAAA with the LMA address information in case of dynamically assigned LMA, and exchange the MN address assignment information between the LMA and the HAAA.
LMA到HAAA接口可用于多种用途。这些包括对传入PBU的授权、将LMA地址更新到HAAA、将MN-HNP(家庭网络前缀)或IPv4 HoA(家庭地址)的分配委托给HAAA,以及用于记帐和PMIPv6会话管理。该接口的主要目的是在动态分配LMA的情况下,使用LMA地址信息更新HAAA,并在LMA和HAAA之间交换MN地址分配信息。
The LMA-to-HAAA interface description is intended for different types of deployments and architectures. Therefore, this specification only outlines AVPs and considerations that the deployment specific Diameter applications need to take into account from the PMIPv6 and LMA's point of view.
LMA到HAAA接口描述适用于不同类型的部署和体系结构。因此,本规范仅从PMIPv6和LMA的角度概述了部署特定直径应用需要考虑的AVP和注意事项。
Whenever the LMA sends a Diameter request message to the HAAA, the User-Name AVP SHOULD contain the MN's identity. The LMA-provided identity in the User-Name AVP is strongly RECOMMENDED to be the same as the MN's identity information in the PBU MN-ID [RFC4283] [RFC5213] mobility option. The identity SHOULD also be the same as used on the MAG-to-HAAA interface, but in case those identities differ the HAAA MUST have a mechanism of mapping the MN identity used on the MAG-to-HAAA interface to the identity used on the LMA-to-HAAA interface.
每当LMA向HAAA发送Diameter请求消息时,用户名AVP应包含MN的标识。强烈建议用户名AVP中LMA提供的身份与PBU MN-ID[RFC4283][RFC5213]移动选项中MN的身份信息相同。该标识还应与MAG至HAAA接口上使用的标识相同,但如果这些标识不同,HAAA必须具有将MAG至HAAA接口上使用的MN标识映射到LMA至HAAA接口上使用的标识的机制。
If the PBU contains the MN Link-Layer Identifier option, the Calling-Station-Id AVP SHOULD be included in the request message containing the received link-layer identifier. Furthermore, if the PBU contains the Service Selection mobility option [RFC5149], the Service-Selection AVP SHOULD be included in the request message containing the received service identifier. Both the MN link-layer identifier and the service selection can be used to provide more information for the PBU authorization step in the HAAA.
如果PBU包含MN链路层标识符选项,则包含所接收链路层标识符的请求消息中应包括呼叫站Id AVP。此外,如果PBU包含服务选择移动性选项[RFC5149],则服务选择AVP应包括在包含所接收服务标识符的请求消息中。MN链路层标识符和服务选择都可用于为HAAA中的PBU授权步骤提供更多信息。
The Auth-Request-Type AVP MUST be set to the value AUTHORIZE_ONLY. The Diameter session-related aspects discussed in Section 6 need to be taken into consideration when designing the Diameter application
身份验证请求类型AVP必须设置为值AUTHORIZE_ONLY。在设计Diameter应用程序时,需要考虑第6节中讨论的Diameter会话相关方面
for the LMA-to-HAAA interface. If the HAAA is not able to authorize the subscriber's mobility service session, then the reply message to the LMA MUST have the Result-Code AVP set to value DIAMETER_AUTHORIZATION_REJECTED (5003) indicating a permanent failure. A failed authorization obviously results in a rejection of the PBU, and a PBA with an appropriate error Status Value MUST be sent back to the MAG.
用于LMA到HAAA接口。如果HAAA不能授权订户的移动服务会话,那么对LMA的应答消息必须将结果代码AVP设置为DIAMETER_AUTHORIZATION_REJECTED(5003),指示永久性故障。授权失败显然会导致PBU被拒绝,具有适当错误状态值的PBA必须发送回MAG。
The authorization step MUST be performed at least for the initial PBU session up to a mobility session, when the LMA-to-HAAA interface is deployed. For the subsequent re-registration and handover PBUs, the authorization step MAY be repeated (in this case, the LMA-to-HAAA interface should also maintain an authorization session state).
当部署LMA到HAAA接口时,必须至少对初始PBU会话到移动会话执行授权步骤。对于随后的重新注册和切换pbu,可以重复授权步骤(在这种情况下,LMA到HAAA接口也应该保持授权会话状态)。
In case of a dynamic LMA discovery and assignment [NETLMM-LMA], the HAAA and the remote policy store may need to be updated with the selected LMA address information. The update can be done during the PBU authorization step using the LMA-to-HAAA interface. This specification uses the MIP6-Agent-Info AVP and its MIP-Home-Agent-Address and MIP-Home-Agent-Host sub-AVPs for carrying the LMA's address information from the LMA to the HAAA. The LMA address information in the request message MUST contain the IP address of the LMA or the Fully Qualified Domain Name (FQDN) identifying uniquely the LMA, or both. The LMA address information refers to the PMIPv6 part of the LMA, not necessarily the LMA part interfacing with the AAA infrastructure.
在动态LMA发现和分配[NETLMM-LMA]的情况下,可能需要使用所选LMA地址信息更新HAAA和远程策略存储。可以在PBU授权步骤中使用LMA到HAAA接口进行更新。本规范使用MIP6 Agent Info AVP及其MIP Home Agent地址和MIP Home Agent Host sub AVP将LMA的地址信息从LMA传输到HAAA。请求消息中的LMA地址信息必须包含LMA的IP地址或唯一标识LMA的完全限定域名(FQDN),或两者。LMA地址信息指LMA的PMIPv6部分,不一定指与AAA基础设施接口的LMA部分。
This specification does not define any HAAA-initiated LMA relocation functionality. Therefore, when the MIP6-Agent-Info AVP is included in Diameter answer messages sent from the HAAA to the LMA, the HAAA indicates this by setting the MIP-Home-Agent-Address AVP to all zeroes address (e.g., 0::0) and not including the MIP-Home-Agent-Host AVP.
本规范未定义任何HAAA启动的LMA重定位功能。因此,当MIP6代理信息AVP包括在从HAAA发送到LMA的Diameter应答消息中时,HAAA通过将MIP归属代理地址AVP设置为全零地址(例如,0::0)而不包括MIP归属代理主机AVP来指示这一点。
The LMA and the HAAA use the MIP6-Home-Link-Prefix AVP to exchange the MN-HNP when appropriate. Similarly, the LMA and the HAAA use the PMIP6-IPv4-Home-Address AVP to exchange the IPv4-MN-HoA when appropriate. These AVPs are encapsulated inside the MIP6-Agent-Info AVP. The MN address information exchange is again done during the PBU authorization step. The HAAA MAY also use the LMA-provided MN address information as a part of the information used to authorize the PBU.
LMA和HAAA在适当时使用MIP6主链路前缀AVP交换MN-HNP。类似地,LMA和HAAA在适当时使用PMIP6-IPv4-Home-Address AVP来交换IPv4 MN-HoA。这些AVP封装在MIP6代理信息AVP中。MN地址信息交换在PBU授权步骤中再次完成。HAAA还可以使用LMA提供的MN地址信息作为用于授权PBU的信息的一部分。
Which entity is actually responsible for the address management is deployment specific within the PMIPv6 Domain and MUST be pre-agreed on per deployment basis. When the LMA is responsible for the address management, the MIP6-Agent-Info AVP is used to inform the HAAA and the remote policy store of the MN-HNP/IPv4-MN-HoA assigned to the MN.
哪个实体实际负责地址管理是PMIPv6域中特定于部署的,并且必须根据每个部署预先商定。当LMA负责地址管理时,MIP6代理信息AVP用于通知HAAA和远程策略存储分配给MN的MN-HNP/IPv4 MN HoA。
It is also possible that the LMA delegates the address management to the HAAA. In this case, the MN-HNP/IPv4-MN-HoA are set to undefined addresses (as described in Section 5.1) in the Diameter request message sent from the LMA to the HAAA. The LMA expects to receive the HAAA assigned HNP/IPv4-MN-HoA in the corresponding Diameter answer message.
LMA也可能将地址管理委托给HAAA。在这种情况下,在从LMA发送到HAAA的Diameter请求消息中,MN-HNP/IPv4 MN HoA被设置为未定义的地址(如第5.1节所述)。LMA期望在相应的Diameter应答消息中接收HAAA分配的HNP/IPv4 MN HoA。
This section describes Attribute Value Pairs (AVPs) defined by this specification or re-used from existing specifications in a PMIPv6 specific way. Derived Diameter AVP Data Formats such as Address and UTF8String are defined in Section 4.3 of [RFC3588]. Grouped AVP values are defined in Section 4.4 of [RFC3588].
本节描述本规范定义的属性值对(AVP),或以特定于PMIPv6的方式从现有规范重新使用的属性值对。[RFC3588]第4.3节定义了衍生直径AVP数据格式,如地址和UTF8String。[RFC3588]第4.4节定义了分组AVP值。
The MIP6-Agent-Info grouped AVP (AVP Code 486) is defined in [RFC5447]. The AVP is used to carry LMA addressing-related information and an MN-HNP. This specification extends the MIP6- Agent-Info with the PMIP6-IPv4-Home-Address AVP using the Diameter extensibility rules defined in [RFC3588]. The PMIP6-IPv4-Home-Address AVP contains the IPv4-MN-HoA.
[RFC5447]中定义了MIP6代理信息分组AVP(AVP代码486)。AVP用于携带LMA寻址相关信息和MN-HNP。本规范使用[RFC3588]中定义的Diameter扩展规则,使用PMIP6-IPv4-Home-Address AVP扩展MIP6-代理信息。PMIP6-IPv4-Home-Address AVP包含IPv4 MN HoA。
The extended MIP6-Agent-Info AVP results in the following grouped AVP. The grouped AVP has the following modified ABNF (as defined in [RFC3588]):
扩展的MIP6代理信息AVP产生以下分组AVP。分组的AVP具有以下修改的ABNF(定义见[RFC3588]):
MIP6-Agent-Info ::= < AVP-Header: 486 >
*2[ MIP-Home-Agent-Address ]
[ MIP-Home-Agent-Host ]
[ MIP6-Home-Link-Prefix ]
[ PMIP6-IPv4-Home-Address ]
* [ AVP ]
MIP6-Agent-Info ::= < AVP-Header: 486 >
*2[ MIP-Home-Agent-Address ]
[ MIP-Home-Agent-Host ]
[ MIP6-Home-Link-Prefix ]
[ PMIP6-IPv4-Home-Address ]
* [ AVP ]
If the MIP-Home-Agent-Address is set to all zeroes address (e.g., 0::0), the receiver of the MIP6-Agent-Info AVP MUST ignore the MIP-Home-Agent-Address AVP.
如果MIP Home Agent地址设置为全零地址(例如,0::0),则MIP6 Agent Info AVP的接收方必须忽略MIP Home Agent地址AVP。
The PMIP6-IPv4-Home-Address AVP (AVP Code 505) is of type Address and contains an IPv4 address. This AVP is used to carry the IPv4-MN-HoA, if available, from the HAAA to the MAG. This AVP SHOULD only be present when the MN is statically provisioned with the IPv4-MN-HoA. Note that proactive dynamic assignment of the IPv4-MN-HoA by the HAAA may result in unnecessary reservation of IPv4 address resources, because the MN may considerably delay or completely bypass its IPv4 address configuration.
PMIP6-IPv4-Home-Address AVP(AVP代码505)属于Address类型,包含IPv4地址。此AVP用于将IPv4 MN HoA(如果可用)从HAAA传输到MAG。此AVP仅在MN静态配置IPv4 MN HoA时出现。请注意,HAAA主动动态分配IPv4 MN HoA可能会导致不必要的IPv4地址资源保留,因为MN可能会显著延迟或完全绕过其IPv4地址配置。
The PMIP6-IPv4-Home-Address AVP is also used on the LMA-to-HAAA interface. The AVP contains the IPv4-MN-HoA assigned to the MN. If the LMA delegates the assignment of the IPv4-MN-HoA to the HAAA, the AVP MUST contain all zeroes IPv4 address (i.e., 0.0.0.0) in the request message. If the LMA delegated the IPv4-MN-HoA assignment to the HAAA, then the AVP contains the HAAA assigned IPv4-MN-HoA in the response message.
PMIP6-IPv4-Home-Address AVP也用于LMA到HAAA接口。AVP包含分配给MN的IPv4 MN HoA。如果LMA将IPv4 MN HoA的分配委托给HAAA,则AVP必须在请求消息中包含所有零IPv4地址(即0.0.0.0)。如果LMA将IPv4 MN HoA分配委派给HAAA,则AVP在响应消息中包含HAAA分配的IPv4 MN HoA。
The MIP6-Home-Link-Prefix AVP (AVP Code 125) is defined in [RFC5447]. This AVP is used to carry the MN-HNP, if available, from the HAAA to the MAG. The low 64 bits of the prefix MUST be all zeroes.
[RFC5447]中定义了MIP6主链路前缀AVP(AVP代码125)。此AVP用于将MN-HNP(如果可用)从HAAA传送到MAG。前缀的低64位必须全部为零。
The MIP6-Home-Link-Prefix AVP is also used on the LMA-to-HAAA interface. The AVP contains the prefix assigned to the MN. If the LMA delegates the assignment of the MN-HNP to the HAAA, the AVP MUST contain all zeroes address (i.e., 0::0) in the request message. If the LMA delegated the MN-HNP assignment to the HAAA, then the AVP contains the HAAA-assigned MN-HNP in the response message.
在LMA到HAAA接口上也使用MIP6主链路前缀AVP。AVP包含分配给MN的前缀。如果LMA将MN-HNP的分配委托给HAAA,则AVP必须在请求消息中包含全零地址(即0::0)。如果LMA将MN-HNP分配委托给HAAA,则AVP在响应消息中包含HAAA分配的MN-HNP。
The PMIP6-DHCP-Server-Address AVP (AVP Code 504) is of type Address and contains the IP address of the Dynamic Host Configuration Protocol (DHCP) server assigned to the MAG serving the newly attached MN. If the AVP contains a DHCPv4 [RFC2131] server address, then the Address type MUST be IPv4. If the AVP contains a DHCPv6 [RFC3315] server address, then the Address type MUST be IPv6. The HAAA MAY assign a DHCP server to the MAG in deployments where the MAG acts as a DHCP Relay [NETLMM-PMIP6].
PMIP6 DHCP服务器地址AVP(AVP代码504)属于Address类型,并且包含分配给服务于新连接的MN的MAG的动态主机配置协议(DHCP)服务器的IP地址。如果AVP包含DHCPv4[RFC2131]服务器地址,则地址类型必须为IPv4。如果AVP包含DHCPv6[RFC3315]服务器地址,则地址类型必须为IPv6。在MAG充当DHCP中继的部署中,HAAA可以向MAG分配DHCP服务器[NETLMM-PMIP6]。
The MIP6-Feature-Vector AVP is originally defined in [RFC5447]. This document defines new capability flag bits according to the IANA rules in RFC 5447.
MIP6特征向量AVP最初在[RFC5447]中定义。本文档根据RFC 5447中的IANA规则定义了新的能力标志位。
PMIP6_SUPPORTED (0x0000010000000000)
支持的PMIP6_(0x000001000000000)
When the MAG/NAS sets this bit in the MIP6-Feature-Vector AVP, it is an indication to the HAAA that the NAS supports PMIPv6. When the HAAA sets this bit in the response MIP6-Feature-Vector AVP, it indicates that the HAAA also has PMIPv6 support. This capability bit can also be used to allow PMIPv6 mobility support in a subscription granularity.
当MAG/NAS在MIP6特征向量AVP中设置该位时,它向HAAA指示NAS支持PMIPv6。当HAAA在响应MIP6特征向量AVP中设置该位时,它指示HAAA还具有PMIPv6支持。此功能位还可用于在订阅粒度中支持PMIPv6移动性。
IP4_HOA_SUPPORTED (0x0000020000000000)
支持IP4_-HOA_(0x000002000000000)
Assignment of the IPv4-MN-HoA is supported. When the MAG sets this bit in the MIP6-Feature-Vector AVP, it indicates that the MAG implements a minimal functionality of a DHCP server (and a relay) and is able to deliver IPv4-MN-HoA to the MN. When the HAAA sets this bit in the response MIP6-Feature-Vector AVP, it indicates that the HAAA has authorized the use of IPv4-MN-HoA for the MN. If this bit is unset in the returned MIP6-Feature-Vector AVP, the HAAA does not authorize the configuration of IPv4 address.
支持IPv4 MN HoA的分配。当MAG在MIP6特征向量AVP中设置此位时,表示MAG实现DHCP服务器(和中继)的最小功能,并且能够向MN提供IPv4 MN HoA。当HAAA在响应MIP6特征向量AVP中设置此位时,表示HAAA已授权MN使用IPv4 MN HoA。如果此位在返回的MIP6特征向量AVP中未设置,则HAAA不会授权配置IPv4地址。
LOCAL_MAG_ROUTING_SUPPORTED (0x0000040000000000)
支持本地磁盘路由(0x00004000000000)
Direct routing of IP packets between MNs anchored to the same MAG is supported as described in Sections 6.10.3 and 9.2 of [RFC5213]. When a MAG sets this bit in the MIP6-Feature-Vector, it indicates that routing IP packets between MNs anchored to the same MAG is supported, without reverse tunneling packets via the LMA or requiring any Route Optimization-related signaling (e.g., the Return Routability Procedure in [RFC3775]) prior direct routing. If this bit is cleared in the returned MIP6-Feature-Vector AVP, the HAAA does not authorize direct routing of packets between MNs anchored to the same MAG. The MAG SHOULD support this policy feature on a per-MN and per-subscription basis.
如[RFC5213]第6.10.3节和第9.2节所述,支持在锚定到同一MAG的MN之间直接路由IP数据包。当MAG在MIP6特征向量中设置该位时,它表示支持在锚定到同一MAG的MN之间路由IP数据包,而无需通过LMA反向隧道数据包或在直接路由之前需要任何路由优化相关信令(例如,[RFC3775]中的返回路由性过程)。如果在返回的MIP6特征向量AVP中清除了该位,则HAAA不会授权锚定到同一MAG的MN之间的数据包直接路由。MAG应在每个MN和每个订阅的基础上支持该策略功能。
The MIP6-Feature-Vector AVP is also used on the LMA-to-HAAA interface. Using the capability announcement AVP it is possible to perform a simple capability negotiation between the LMA and the HAAA. Those capabilities that are announced by both parties are also known to be mutually supported. The capabilities listed in earlier are also supported in the LMA-to-HAAA interface. The LMA-to-HAAA interface does not define any new capability values.
MIP6特征向量AVP也用于LMA到HAAA接口。使用能力公告AVP,可以在LMA和HAAA之间执行简单的能力协商。双方宣布的这些能力也被认为是相互支持的。LMA到HAAA接口也支持前面列出的功能。LMA到HAAA接口没有定义任何新的能力值。
The Mobile-Node-Identifier AVP (AVP Code 506) is of type UTF8String and contains the mobile node identifier (MN-Identifier; see [RFC5213]) in the NAI [RFC4282] format. This AVP is used on the MAG-to-HAAA interface. The Mobile-Node-Identifier AVP is designed for
移动节点标识符AVP(AVP代码506)为UTF8String类型,包含NAI[RFC4282]格式的移动节点标识符(MN标识符;参见[RFC5213])。该AVP用于MAG至HAAA接口。移动节点标识符AVP设计用于
deployments where the MAG does not have a way to find out such MN identity that could be used in subsequent PBU/PBA exchanges (e.g., due to identity hiding during the network access authentication) or the HAAA wants to assign periodically changing identities to the MN.
MAG无法找到可在后续PBU/PBA交换中使用的MN标识的部署(例如,由于网络访问身份验证期间的标识隐藏),或者HAAA希望向MN分配定期更改的标识。
The Mobile-Node-Identifier AVP is returned in the answer message that ends a successful authentication (and possibly an authorization) exchange between the MAG and the HAAA, assuming the HAAA is also able to provide the MAG with the MN-Identifier in the first place. The MAG MUST use the received MN-Identifier, if it has not been able to get the mobile node identifier through other means. If the MAG already has a valid mobile node identifier, then the MAG MUST silently discard the received MN-Identifier.
移动节点标识符AVP在应答消息中返回,该应答消息结束MAG和HAAA之间的成功认证(以及可能的授权)交换,假设HAAA首先也能够向MAG提供MN标识符。如果MAG不能通过其他方式获得移动节点标识符,则它必须使用接收到的MN标识符。如果MAG已经具有有效的移动节点标识符,则MAG必须以静默方式放弃接收到的MN标识符。
The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and contains a link-layer identifier of the MN. This identifier corresponds to the link-layer identifier as defined in RFC 5213, Sections 2.2 and 8.6. The Link-Layer Identifier is encoded in ASCII format (upper case only), with octet values separated by a "-". Example: "00-23-32-C9-79-38". The encoding is actually the same as the MAC address encoding in Section 3.21 of RFC 3580.
呼叫站Id AVP(AVP代码31)是UTF8String类型,并且包含MN的链路层标识符。该标识符对应于RFC 5213第2.2节和第8.6节中定义的链路层标识符。链路层标识符以ASCII格式编码(仅大写),八位字节值以“-”分隔。示例:“00-23-32-C9-79-38”。该编码实际上与RFC 3580第3.21节中的MAC地址编码相同。
The Service-Selection AVP (AVP Code 493) is of type UTF8String and contains an LMA-provided service identifier on the LMA-to-HAAA interface. This AVP is re-used from [RFC5778]. The service identifier may be used to assist the PBU authorization and the assignment of the MN-HNP and the IPv4-MN-HoA as described in RFC 5149 [RFC5149]. The identifier MUST be unique within the PMIPv6 Domain. In the absence of the Service-Selection AVP in the request message, the HAAA may want to inform the LMA of the default service provisioned to the MN and include the Service-Selection AVP in the response message.
服务选择AVP(AVP代码493)为UTF8String类型,在LMA到HAAA接口上包含LMA提供的服务标识符。此AVP从[RFC5778]重新使用。如RFC 5149[RFC5149]中所述,服务标识符可用于协助PBU授权以及MN-HNP和IPv4 MN HoA的分配。标识符在PMIPv6域中必须是唯一的。在请求消息中没有服务选择AVP的情况下,HAAA可能希望通知LMA向MN提供的默认服务,并在响应消息中包括服务选择AVP。
It is also possible that the MAG receives the service selection information from the MN, for example, via some lower layer mechanism. In this case, the MAG MUST include the Service-Selection AVP also in the MAG-to-HAAA request messages. In the absence of the Service-Selection AVP in the MAG-to-HAAA request messages, the HAAA may want to inform the MAG of the default service provisioned to the MN and include the Service-Selection AVP in the response message.
MAG还可能例如经由某个较低层机制从MN接收服务选择信息。在这种情况下,MAG还必须在MAG到HAAA请求消息中包含服务选择AVP。在MAG到HAAA请求消息中没有服务选择AVP的情况下,HAAA可能希望通知MAG向MN提供的默认服务,并在响应消息中包括服务选择AVP。
Whenever the Service-Selection AVP is included either in a request message or in a response message, and the AAA interaction with HAAA completes successfully, it is an indication that the HAAA also authorized the MN to some service. This should be taken into account when considering what to include in the Auth-Request-Type AVP.
每当服务选择AVP包括在请求消息或响应消息中,并且AAA与HAAA的交互成功完成时,就表示HAAA还将MN授权给某个服务。在考虑授权请求类型AVP中包含的内容时,应考虑到这一点。
The service selection concept supports signaling one service at time. However, the MN policy profile MAY support multiple services being used simultaneously. For this purpose, the HAAA MAY return multiple LMA and service pairs (see Section 5.9) to the MAG in a response message that ends a successful authentication (and possibly an authorization) exchange between the MAG and the HAAA. Whenever the MN initiates an additional mobility session to another service (using a link layer or deployment specific method), the provisioned service information is already contained in the MAG. Therefore, there is no need for additional AAA signaling between the MAG and the HAAA.
服务选择概念支持一次发送一个服务的信号。然而,MN策略概要文件可以支持同时使用的多个服务。为此,HAAA可在响应消息中向MAG返回多个LMA和服务对(参见第5.9节),该响应消息结束MAG和HAAA之间的成功认证(以及可能的授权)交换。每当MN发起到另一服务的附加移动会话时(使用链路层或部署特定方法),所提供的服务信息已经包含在MAG中。因此,MAG和HAAA之间不需要附加AAA信令。
The Service-Configuration AVP (AVP Code 507) is of type Grouped and contains a service and an LMA pair. The HAAA can use this AVP to inform the MAG of the MN's subscribed services and LMAs where those services are hosted in.
服务配置AVP(AVP代码507)是分组的类型,并且包含服务和LMA对。HAAA可以使用此AVP通知MAG MN的订阅服务以及这些服务所在的LMA。
Service-Configuration ::= < AVP-Header: 507 >
[ MIP6-Agent-Info ]
[ Service-Selection ]
* [ AVP ]
Service-Configuration ::= < AVP-Header: 507 >
[ MIP6-Agent-Info ]
[ Service-Selection ]
* [ AVP ]
Concerning a PMIPv6 mobility session, the HAAA, the MAG, and the LMA Diameter entities SHOULD be stateful and maintain the corresponding Authorization Session State Machine defined in [RFC3588]. If a state is maintained, then a PMIPv6 mobility session that can be identified by any of the Binding Cache Entry (BCE) Lookup Keys described in RFC 5213 (see Sections 5.4.1.1, 5.4.1.2, and 5.4.1.3) MUST map to a single Diameter Session-Id. If the PMIPv6 Domain allows further separation of sessions, for example, identified by the RFC 5213 BCE Lookup Keys and the service selection combination (see Section 5.8 and [RFC5149]), then a single Diameter Session-Id MUST map to a PMIPv6 mobility session identified by the RFC 5213 BCE Lookup Keys and the selected service.
关于PMIPv6移动会话,HAAA、MAG和LMA Diameter实体应该是有状态的,并维护[RFC3588]中定义的相应授权会话状态机。如果保持状态,则可通过RFC 5213中描述的任何绑定缓存项(BCE)查找键(参见第5.4.1.1、5.4.1.2和5.4.1.3节)识别的PMIPv6移动会话必须映射到单个Diameter会话Id。例如,如果PMIPv6域允许进一步分离会话,由RFC 5213 BCE查找键和服务选择组合标识(参见第5.8节和[RFC5149]),则单直径会话Id必须映射到由RFC 5213 BCE查找键和所选服务标识的PMIPv6移动会话。
If both the MAG-to-HAAA and the LMA-to-HAAA interfaces are deployed in a PMIPv6 Domain, and a state is maintained on both interfaces, then one PMIPv6 mobility session would have two distinct Diameter
如果MAG到HAAA和LMA到HAAA接口都部署在PMIPv6域中,并且两个接口上都保持状态,那么一个PMIPv6移动性会话将具有两个不同的直径
sessions on the HAAA. The HAAA needs to be aware of this deployment possibility and SHOULD allow multiple Diameter sessions for the same PMIPv6 mobility session.
哈亚会议。HAAA需要意识到这种部署的可能性,并应允许同一PMIPv6移动会话的多个Diameter会话。
Diameter session termination-related commands described in the following sections may be exchanged between the LMA and the HAAA, or between the MAG and the HAAA. The actual PMIPv6 session termination procedures take place at the PMIPv6 protocol level and are described in more detail in RFC 5213 and [MEXT-BINDING].
以下部分中描述的Diameter会话终止相关命令可以在LMA和HAAA之间交换,或者在MAG和HAAA之间交换。实际的PMIPv6会话终止过程发生在PMIPv6协议级别,在RFC 5213和[MEXT-BINDING]中有更详细的描述。
The LMA or the MAG MAY send the Session-Termination-Request (STR) command [RFC3588] to inform the HAAA that the termination of an ongoing PMIPv6 session is in progress.
LMA或MAG可发送会话终止请求(STR)命令[RFC3588]以通知HAAA正在终止正在进行的PMIPv6会话。
The Session-Termination-Answer (STA) [RFC3588] is sent by the HAAA to acknowledge the termination of a PMIPv6 session.
会话终止应答(STA)[RFC3588]由HAAA发送以确认PMIPv6会话的终止。
The HAAA MAY send the Abort-Session-Request (ASR) command [RFC3588] to the LMA or to the MAG and request termination of a PMIPv6 session.
HAAA可向LMA或MAG发送中止会话请求(ASR)命令[RFC3588],并请求终止PMIPv6会话。
The Abort-Session-Answer (ASA) command [RFC3588] is sent by the LMA or the MAG to acknowledge the termination of a PMIPv6 session.
中止会话应答(ASA)命令[RFC3588]由LMA或MAG发送,以确认PMIPv6会话的终止。
The following tables list the PMIPv6 MAG-to-HAAA interface and LMA-to-HAAA interface AVPs including those that are defined in [RFC5447].
下表列出了PMIPv6 MAG至HAAA接口和LMA至HAAA接口AVP,包括[RFC5447]中定义的AVP。
Figure 2 contains the AVPs and their occurrences on the MAG-to-HAAA interface. The AVPs that are part of grouped AVP are not listed in the table; rather, only the grouped AVP is listed.
图2包含AVP及其在MAG到HAAA接口上的出现。表中未列出属于分组AVP一部分的AVP;相反,仅列出分组的AVP。
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | REQ | ANS |
-------------------------------+-------+-------+
PMIP6-DHCP-Server-Address | 0 | 0+ |
MIP6-Agent-Info | 0+ | 0+ |
MIP6-Feature-Vector | 0-1 | 0-1 |
Mobile-Node-Identifier | 0-1 | 0-1 |
Calling-Station-Id | 0-1 | 0 |
Service-Selection | 0-1 | 0 |
Service-Configuration | 0 | 0+ |
+-------+-------+
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | REQ | ANS |
-------------------------------+-------+-------+
PMIP6-DHCP-Server-Address | 0 | 0+ |
MIP6-Agent-Info | 0+ | 0+ |
MIP6-Feature-Vector | 0-1 | 0-1 |
Mobile-Node-Identifier | 0-1 | 0-1 |
Calling-Station-Id | 0-1 | 0 |
Service-Selection | 0-1 | 0 |
Service-Configuration | 0 | 0+ |
+-------+-------+
Figure 2: MAG-to-HAAA Interface Generic Diameter Request and Answer Commands AVPs
图2:MAG到HAAA接口通用直径请求和应答命令AVPs
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | REQ | ANS |
-------------------------------+-------+-------+
MIP6-Agent-Info | 0-1 | 0-1 |
MIP6-Feature-Vector | 0-1 | 0-1 |
Calling-Station-Id | 0-1 | 0 |
Service-Selection | 0-1 | 0-1 |
User-Name | 0-1 | 0-1 |
+-------+-------+
+---------------+
| Command-Code |
|-------+-------+
Attribute Name | REQ | ANS |
-------------------------------+-------+-------+
MIP6-Agent-Info | 0-1 | 0-1 |
MIP6-Feature-Vector | 0-1 | 0-1 |
Calling-Station-Id | 0-1 | 0 |
Service-Selection | 0-1 | 0-1 |
User-Name | 0-1 | 0-1 |
+-------+-------+
Figure 3: LMA-to-HAAA Interface Generic Diameter Request and Answer Commands AVPs
图3:LMA到HAAA接口通用直径请求和应答命令AVPs
Figure 4 shows a signaling flow example during PMIPv6 bootstrapping using the AAA interactions defined in this specification. In step (1) of this example, the MN is authenticated to the PMIPv6 Domain using EAP-based authentication. The MAG to the HAAA signaling uses the Diameter EAP Application. During step (2), the LMA uses the Diameter NASREQ application to authorize the MN with the HAAA server.
图4显示了使用本规范中定义的AAA交互在PMIPv6引导期间的信令流示例。在该示例的步骤(1)中,使用基于EAP的认证将MN认证到PMIPv6域。HAAA信令的MAG使用Diameter EAP应用程序。在步骤(2)期间,LMA使用Diameter NASREQ应用程序向HAAA服务器授权MN。
The MAG-to-HAAA AVPs, as listed in Section 7.1, are used during step (1). These AVPs are included only in the Diameter EAP Request (DER) message which starts the EAP exchange and in the corresponding Diameter EAP Answer (DEA) message which successfully completes this EAP exchange. The LMA-to-HAAA AVPs, as listed in Section 7.2, are used during step (2). Step (2) is used to authorize the MN request for the mobility service and update the HAAA server with the assigned LMA information. In addition, this step may be used to dynamically assist in the assignment of the MN-HNP.
第7.1节中列出的MAG至HAAA AVP在步骤(1)中使用。这些AVP仅包含在启动EAP交换的Diameter EAP请求(DER)消息和成功完成此EAP交换的相应Diameter EAP应答(DEA)消息中。第7.2节中列出的LMA至HAAA AVP在步骤(2)中使用。步骤(2)用于授权移动服务的MN请求,并使用分配的LMA信息更新HAAA服务器。此外,该步骤可用于动态地协助MN-HNP的分配。
MN MAG/NAS LMA HAAA
| | | |
| L2 attach | | |
|-------------------->| | |
| EAP/req-identity | | |
|<--------------------| | |
| EAP/res-identity | DER + MAG-to-HAAA AVPs | s
|-------------------->|---------------------------------------->| t
| EAP/req #1 | DEA (EAP request #1) | e
|<--------------------|<----------------------------------------| p
| EAP/res #2 | DER (EAP response #2) |
|-------------------->|---------------------------------------->| 1
: : : :
: : : :
| EAP/res #N | DER (EAP response #N) |
|-------------------->|---------------------------------------->|
| EAP/success | DEA (EAP success) + MAG-to-HAAA AVPs |
|<--------------------|<----------------------------------------|
: : : :
: : : :
| | PMIPv6 PBU | AAR + | s
| |------------------->| LMA-to-HAAA AVPs | t
| | |------------------->| e
| | | AAA + | p
| | | LMA-to-HAAA AVPs |
| | PMIPv6 PBA |<-------------------| 2
| RA |<-------------------| |
|<--------------------| | |
: : : :
: : : :
| IP connectivity | PMIPv6 tunnel up | |
|---------------------|====================| |
| | | |
MN MAG/NAS LMA HAAA
| | | |
| L2 attach | | |
|-------------------->| | |
| EAP/req-identity | | |
|<--------------------| | |
| EAP/res-identity | DER + MAG-to-HAAA AVPs | s
|-------------------->|---------------------------------------->| t
| EAP/req #1 | DEA (EAP request #1) | e
|<--------------------|<----------------------------------------| p
| EAP/res #2 | DER (EAP response #2) |
|-------------------->|---------------------------------------->| 1
: : : :
: : : :
| EAP/res #N | DER (EAP response #N) |
|-------------------->|---------------------------------------->|
| EAP/success | DEA (EAP success) + MAG-to-HAAA AVPs |
|<--------------------|<----------------------------------------|
: : : :
: : : :
| | PMIPv6 PBU | AAR + | s
| |------------------->| LMA-to-HAAA AVPs | t
| | |------------------->| e
| | | AAA + | p
| | | LMA-to-HAAA AVPs |
| | PMIPv6 PBA |<-------------------| 2
| RA |<-------------------| |
|<--------------------| | |
: : : :
: : : :
| IP connectivity | PMIPv6 tunnel up | |
|---------------------|====================| |
| | | |
Figure 4: MAG and LMA Signaling Interaction with AAA Server during PMIPv6 Bootstrapping
图4:PMIPv6引导期间与AAA服务器的MAG和LMA信令交互
This specification defines the following new AVPs:
本规范定义了以下新的AVP:
PMIP6-DHCP-Server-Address 504 PMIP6-IPv4-Home-Address 505 Mobile-Node-Identifier 506 Service-Configuration 507
PMIP6 DHCP服务器地址504 PMIP6-IPv4-Home-Address 505移动节点标识符506服务配置507
This specification defines new values to the Mobility Capability registry (see [RFC5447]) for use with the MIP6-Feature-Vector AVP:
本规范定义了移动能力注册表的新值(参见[RFC5447]),用于MIP6特征向量AVP:
Token | Value | Description
---------------------------------+----------------------+------------
PMIP6_SUPPORTED | 0x0000010000000000 | [RFC5779]
IP4_HOA_SUPPORTED | 0x0000020000000000 | [RFC5779]
LOCAL_MAG_ROUTING_SUPPORTED | 0x0000040000000000 | [RFC5779]
Token | Value | Description
---------------------------------+----------------------+------------
PMIP6_SUPPORTED | 0x0000010000000000 | [RFC5779]
IP4_HOA_SUPPORTED | 0x0000020000000000 | [RFC5779]
LOCAL_MAG_ROUTING_SUPPORTED | 0x0000040000000000 | [RFC5779]
The security considerations of the Diameter Base protocol [RFC3588], Diameter EAP application [RFC4072], Diameter NASREQ application [RFC4005], and Diameter Mobile IPv6 integrated scenario bootstrapping [RFC5447] are applicable to this document.
Diameter基本协议[RFC3588]、Diameter EAP应用程序[RFC4072]、Diameter NASREQ应用程序[RFC4005]和Diameter移动IPv6集成场景引导[RFC5447]的安全注意事项适用于本文档。
In general, the Diameter messages may be transported between the LMA and the Diameter server via one or more AAA brokers or Diameter agents. In this case, the LMA to the Diameter server AAA communication rely on the security properties of the intermediate AAA brokers and Diameter agents (such as proxies).
通常,Diameter消息可以通过一个或多个AAA代理或Diameter代理在LMA和Diameter服务器之间传输。在这种情况下,LMA到Diameter服务器AAA通信依赖于中间AAA代理和Diameter代理(例如代理)的安全属性。
Jouni Korhonen would like to thank the TEKES GIGA program MERCoNe-project for providing funding to work on this document while he was with TeliaSonera. The authors also thank Pasi Eronen, Peter McCann, Spencer Dawkins, and Marco Liebsch for their detailed reviews of this document.
Jouni Korhonen感谢TEKES GIGA计划MERCoNe项目在他任职TeliaSonera期间为编写本文件提供资金。作者还感谢Pasi Eronen、Peter McCann、Spencer Dawkins和Marco Liebsch对本文件的详细评论。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC3588]Calhoun,P.,Loughney,J.,Guttman,E.,Zorn,G.,和J.Arkko,“直径基础协议”,RFC 3588,2003年9月。
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005.
[RFC4005]Calhoun,P.,Zorn,G.,Spence,D.,和D.Mitton,“Diameter网络访问服务器应用”,RFC 4005,2005年8月。
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005.
[RFC4072]Eronen,P.,Hiller,T.,和G.Zorn,“直径可扩展认证协议(EAP)应用”,RFC 4072,2005年8月。
[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network Access Identifier", RFC 4282, December 2005.
[RFC4282]Aboba,B.,Beadles,M.,Arkko,J.,和P.Erenen,“网络访问标识符”,RFC 42822005年12月。
[RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.
[RFC5213]Gundavelli,S.,Leung,K.,Devarapalli,V.,Chowdhury,K.,和B.Patil,“代理移动IPv6”,RFC 5213,2008年8月。
[RFC5447] Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, "Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction", RFC 5447, February 2009.
[RFC5447]Korhonen,J.,Bournelle,J.,Tschofenig,H.,Perkins,C.,和K.Chowdhury,“Diameter移动IPv6:支持网络访问服务器到Diameter服务器的交互”,RFC 5447,2009年2月。
[RFC5778] Korhonen, J., Ed., Tschofenig, H., Bournelle, J., Giaretta, G., and M. Nakhjiri, "Diameter Mobile IPv6: Support for Home Agent to Diameter Server Interaction", RFC 5778, February 2010.
[RFC5778]Korhonen,J.,Ed.,Tschofenig,H.,Bournelle,J.,Giaretta,G.,和M.Nakhjiri,“Diameter移动IPv6:对归属代理到Diameter服务器交互的支持”,RFC 5778,2010年2月。
[MEXT-BINDING] Muhanna, A., Khalil, M., Gundavelli, S., Chowdhury, K., and P. Yegani, "Binding Revocation for IPv6 Mobility", Work in Progress, October 2009.
[MEXT-BINDING]Muhanna,A.,Khalil,M.,Gundavelli,S.,Chowdhury,K.,和P.Yegani,“IPv6移动性的绑定撤销”,正在进行的工作,2009年10月。
[NETLMM-LMA] Korhonen, J. and V. Devarapalli, "LMA Discovery for Proxy Mobile IPv6", Work in Progress, September 2009.
[NETLMM-LMA]Korhonen,J.和V.Devarapalli,“代理移动IPv6的LMA发现”,正在进行的工作,2009年9月。
[NETLMM-PMIP6] Wakikawa, R. and S. Gundavelli, "IPv4 Support for Proxy Mobile IPv6", Work in Progress, September 2009.
[NETLMM-PMIP6]Wakikawa,R.和S.Gundavelli,“代理移动IPv6的IPv4支持”,正在进行的工作,2009年9月。
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
[RFC2131]Droms,R.,“动态主机配置协议”,RFC21311997年3月。
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3315]Droms,R.,Bound,J.,Volz,B.,Lemon,T.,Perkins,C.,和M.Carney,“IPv6的动态主机配置协议(DHCPv6)”,RFC3315,2003年7月。
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
[RFC3748]Aboba,B.,Blunk,L.,Vollbrecht,J.,Carlson,J.,和H.Levkowetz,“可扩展身份验证协议(EAP)”,RFC 3748,2004年6月。
[RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.
[RFC3775]Johnson,D.,Perkins,C.,和J.Arkko,“IPv6中的移动支持”,RFC 37752004年6月。
[RFC4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. Chowdhury, "Mobile Node Identifier Option for Mobile IPv6 (MIPv6)", RFC 4283, November 2005.
[RFC4283]Patel,A.,Leung,K.,Khalil,M.,Akhtar,H.,和K.Chowdhury,“移动IPv6的移动节点标识符选项(MIPv6)”,RFC 4283,2005年11月。
[RFC5149] Korhonen, J., Nilsson, U., and V. Devarapalli, "Service Selection for Mobile IPv6", RFC 5149, February 2008.
[RFC5149]Korhonen,J.,Nilsson,U.,和V.Devarapalli,“移动IPv6的服务选择”,RFC 5149,2008年2月。
Authors' Addresses
作者地址
Jouni Korhonen (editor) Nokia Siemens Network Linnoitustie 6 Espoo FI-02600 Finland
Jouni Korhonen(编辑)诺基亚西门子网络Linnoitustie 6 Espoo FI-02600芬兰
EMail: jouni.nospam@gmail.com
EMail: jouni.nospam@gmail.com
Julien Bournelle Orange Labs 38-4O rue du general Leclerc Issy-Les-Moulineaux 92794 France
Julien Bournelle Orange实验室法国莱克勒将军大道38-4O号
EMail: julien.bournelle@orange-ftgroup.com
EMail: julien.bournelle@orange-ftgroup.com
Kuntal Chowdhury Cisco Systems 30 International Place Tewksbury, MA 01876 USA
Kuntal Chowdhury Cisco Systems美国马萨诸塞州特克斯伯里国际广场30号01876
EMail: kchowdhury@cisco.com
EMail: kchowdhury@cisco.com
Ahmad Muhanna Ericsson, Inc. 2201 Lakeside Blvd. Richardson, TX 75082 USA
艾哈迈德·穆哈纳·爱立信公司,湖畔大道2201号。美国德克萨斯州理查森75082
EMail: Ahmad.muhanna@ericsson.com
EMail: Ahmad.muhanna@ericsson.com
Ulrike Meyer RWTH Aachen
乌尔里克·迈耶·瑞斯·亚琛
EMail: meyer@umic.rwth-aachen.de
EMail: meyer@umic.rwth-aachen.de