RADIUS Mobile IPv6 Support draft-chowdhury-mip6-radius-01.txt

1
RADIUS Mobile IPv6 Supportdraft-chowdhury-mip6-ra
dius-01.txt

• Kuntal Chowdhury
• Avi Lior
• Hannes Tschofenig

2
Overview

• RADIUS based AAA infrastructure can be used in
  conjunction with MIPv6
• The essential information set for bootstrapping a
  MIPv6 MN can be sent to the AR or the HA via
  RADIUS attributes
• The 01 version of the I-D covers bootstrapping
  scenarios for the following
• Split Scenario
• Integrated Scenario

3
Split Scenario

• MSA ! MSP
• RADIUS interaction triggered by protocol
  (MIP6/IKEv2 ) transaction at the HA
• The HA acts a RADIUS Client.
• At the end of the RADIUS transaction the HA
  should have relevant MIPv6 specific parameters
• The RADIUS server may also instruct the HA to
  perform DNS update for the MN

4
Integrated Scenario

• ASA ! MSA
• At the time of access auth/authz, the RADIUS
  server in the ASA (/MSA) may download the
  relevant MIPv6 parameters to the NAS/AR
• The NAS/AR acts as the RADIUS Client
• The HA aslo acts as the RADIUS Client

5
RADIUS Attributes

• The Following attributes are identified at
  present
• Home Agent Address
• Home Agent FQDN
• Home Link Prefix
• Home Address
• DNS Update Mobility Option

6
Additional Enhancements

• The necessary support for the following are
  planned to be included in the next revision
• MIP6 Auth protocol (RFC 4285) and
• The associated bootstrapping I-D
  draft-devarapalli-mip6-authprotocol-bootstrap

7
AAA-Goals Compliance

• G1.1 G1.4
• These are standard requirements for a AAA
  protocol mutual authentication, integrity,
  replay protection, confidentiality.
• IPsec can be used to achieve the goals
• G1.5 Inactive Peer Detection
• needs further investigation, since heartbeat
  messages do not exist in RADIUS.
• However, there are robust RADIUS failover
  mechanisms deployed today for this purpose

8
AAA-Goals Compliance

• G2.1 Use of NAI over HA-AAA
• Username Attribute can be used for this
• G2.2 Query for MIPv6 authz
• HA can send Access-Request to authz the user
• G2.3 Enforce operational limitations
• RADIUS based NAS-filter-rule, QoS, prepaidwork
  in progress in IETF

9
AAA-Goals Compliance

• G2.4 G2.6 MIPv6 session limit, disconnect,
  re-authz etc.
• RADIUS attributes likes session-timeout,
  Change-of-Authorization, Disconnect Message,
  prepaid extensions can be leveraged to meet these
  goals.
• G3.1 Accounting HA-AAA interface
• Existing accounting messages can be used
• Do we need AR/NAS-AAA accounting?

10
AAA-Goals Compliance

• G4.1 HA-AAA intf, pass through EAP auth with HA
  as the EAP authenticator
• In general, RADIUS meets this goal.
• Details can be worked out for relevant scenarios.
• G5.1 DNS update
• Already defined the DNS Update Mobility Option
  Attribute

11
Next Step?

• WG I-D?
• Recommend the work to proceed in DIME or RADEXT?