AAA and Security for Mobile IP

As we explained in our treatment of trust and architecture model, Mobile IPv4-AAA signaling for a mobile node connecting to a foreign network is influenced by whether or not the foreign network deploys foreign agents (FA):
FA-based CoA: When the foreign network has deployed foreign agents and the MN is using an FA-based care-of address (CoA), the MN must register through an FA. The FA then forwards the registration request to the HA directly. When the MSAs necessary for Mobile IP authentication do not exist, the FA must instead forward the request to the AAA server.
Co-located CoA: When no FAs are deployed, the MN sends its registration request directly to the HA. When the MN does not share an SA with the HA, the HA can then send the request to the AAA server to authenticate the MN before processing the registration request.
As we can see, the Diameter Mobile IP interaction must be designed around the mode of CoA registration. The path taken by Diameter signaling depends on whether FAs are deployed and on the administrative domains to which the FA and the MN belong. When foreign administrative domains are involved, the FA must first contact its local AAA server (LAAA), which in turn contacts the home AAA server (HAAA) for the MN, and the trust model for the Diameter Mobile IP interaction is more complicated (Figure 8.1). To keep this discussion simple, we assume that the mobile only moves within the boundaries of its home domain, i.e. the FA is also served by the HAAA, and we do not consider the LAAA-HAAA interaction here. The mechanics of the process are the same, but this assumption makes the figures and the problem easier to follow. The reader is referred to [DIAMIP] for a treatment of that model.
Figure 8.5 shows how a Diameter server interacts with the Mobile IP agents in each of the two Mobile IP modes explained above. As we can see in Figure 8.5, the Diameter Mobile IPv4 application defines new message types (commands and command codes) for this interaction. In the following we provide a brief description of each of the new Diameter command codes, and go through the messaging procedure afterwards.
[Figure 8.5 panel labels: Mobile IP Registration; (A) Diameter AMR / AMA exchanged between the HA and the Diameter server; (B) Diameter AMR / AMA exchanged between the FA and the Diameter server, and Diameter HAR / HAA exchanged between the Diameter server and the HA]
Figure 8.5 Interaction between Diameter server and Mobile IP agents (A) Co-located mobile nodes (B) Mobile nodes using a foreign agent
AAA and Network Security for Mobile Access
Diameter defines four new commands for interaction with Mobile IP agents:
AA-Mobile-Node-Request (AMR): The AMR command is sent from the Mobile IP agent that receives the Mobile IP registration request to the Diameter server (in this case the HAAA). Through this message, the Mobile IP agent forwards the MN's request for authentication and key generation to the HAAA. As Figure 8.5 shows, for co-located MNs the AMR is created and sent by the HA (Figure 8.5(A)), whereas for an MN using an FA the AMR is created by the FA (Figure 8.5(B)). The Mobile IP agent places the information related to the MN's registration, authentication and key generation inside specific Diameter AVPs, which are explained later on. The Mobile IP agent is assumed to have the minimum information required for routing the Diameter message towards the HAAA.
AA-Mobile-Node-Answer (AMA): The AMA command is sent from the Diameter server, acting as the HAAA for the MN, to the Mobile IP agent that sent the AMR. The HAAA includes the result of processing the AMR inside a Result-Code AVP. When processing is successful and key material was requested, the AMA includes AVPs that carry the information used to generate the MSAs at the MN and at the Mobile IP agent that sent the AMR. For FA-based MNs (Figure 8.5(B)), the Diameter server has already contacted the HA for the MN and received a registration reply; hence, for these nodes the AMA sent to the FA already includes the registration reply as an AVP (detailed in the following subsection). For co-located MNs (Figure 8.5(A)), the HA processes the Mobile IP registration request only after it receives the AMA from the Diameter server. In either case, when the Mobile IP agent receives the AMA, it conveys the result of the Mobile IP-AAA signaling to the MN in the form of a Mobile IP registration reply message with the related extensions.
Home-Agent-MIP-Request (HAR): The HAR command (labelled HAR in Figure 8.5) is sent from the Diameter server to the HA to request that the HA process the Mobile IP registration request. As shown in Figure 8.5(B), this applies only when the MN registers through an FA rather than directly with the HA. Obviously, this command needs to carry the Mobile IP registration request as an AVP so that the request can be conveyed to the HA. The command also includes the key material for the HA and the nonces from which the MN generates its MSAs with the HA and with the FA. For obvious reasons, the key material for the FA is not included in this message: each agent receives only the keys it needs, and the FA's keys reach it inside the AMA.
Home-Agent-MIP-Answer (HAA): The HAA command is sent back from the HA to the Diameter server that sent the HAR, and carries the HA's processing result together with the registration reply that the Diameter server will relay to the FA.
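The two registration modes and the four commands above, as an added simulation that is not the book's code: a Python model of the Figure 8.5 exchanges in which the MN authenticates to the HAAA through an MN-AAA authentication extension (an HMAC keyed with the MN's AAA key), the HAAA hands actual keys to the HA and the FA but only nonces to the MN, and the MN derives its own copies of the MN-HA and MN-FA keys from those nonces. Everything here is constructed: the subscriber identity, the HA address, the dict-based AVPs (named after the RFC 4004 AVPs but with no Diameter wire encoding), the `sender` marker on the AMR, and in particular the nonce-to-key derivation, which is an assumed HMAC construction rather than the standard's exact formula. The point it makes visible is which agent originates the AMR in each mode, that the HAR is used only in the FA mode and never carries the FA's keys, that the AMA to an FA already carries the HA's registration reply, and that both modes end with the MN and the HA holding the same MN-HA key.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Constructed model of the Figure 8.5 exchanges, not the book's code.  AVPs are
# dict entries keyed by their RFC 4004 names; Diameter wire encoding is omitted.
Diameter = namedtuple("Diameter", "command avps")  # AMR/AMA (code 260), HAR/HAA (262)
SUCCESS, AUTH_REJECTED = 2001, 4001     # Diameter Result-Code values
FA_AUTH_FAIL, HA_AUTH_FAIL = 67, 131    # Mobile IPv4 "MN failed authentication" codes
NAI = "mn@example.com"                  # constructed subscriber identity

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def key_from_nonce(aaa_key: bytes, nonce: bytes, nai: str) -> bytes:
    return mac(aaa_key, nonce + nai.encode())   # assumed derivation, illustration only

class HAAA:
    def __init__(self, subscribers: dict):
        self.subscribers, self.home_agents = subscribers, {}   # NAI -> MN-AAA key
    def handle_amr(self, amr: Diameter) -> Diameter:
        rrq, auth = amr.avps["MIP-Reg-Request"], amr.avps["MIP-MN-AAA-Auth"]
        aaa_key = self.subscribers.get(rrq["nai"])     # verify the MN-AAA auth extension
        if aaa_key is None or not hmac.compare_digest(auth, mac(aaa_key, rrq["body"])):
            return Diameter("AMA", {"Result-Code": AUTH_REJECTED})
        mn_ha_nonce = os.urandom(16)
        ha_avps = {"MIP-Reg-Request": rrq,
                   "MIP-HA-to-MN-MSA": key_from_nonce(aaa_key, mn_ha_nonce, rrq["nai"]),
                   "MIP-MN-to-HA-MSA": mn_ha_nonce}       # nonce the HA relays to the MN
        ama = {"Result-Code": SUCCESS}
        if amr.avps["sender"] == "FA":
            # Figure 8.5(B): HAAA drives the HA via HAR/HAA.  The HA gets its own
            # keys plus the MN's nonces; the FA's keys never enter the HAR.
            fa_ha_key, mn_fa_nonce = os.urandom(16), os.urandom(16)
            ha_avps.update({"MIP-HA-to-FA-MSA": fa_ha_key, "MIP-MN-to-FA-MSA": mn_fa_nonce})
            haa = self.home_agents[rrq["ha"]].handle_har(Diameter("HAR", ha_avps))
            ama.update({"MIP-Reg-Reply": haa.avps["MIP-Reg-Reply"],   # HA's reply, relayed
                        "MIP-FA-to-HA-MSA": fa_ha_key,
                        "MIP-FA-to-MN-MSA": key_from_nonce(aaa_key, mn_fa_nonce, rrq["nai"])})
        else:
            # Figure 8.5(A): the HA sent the AMR itself; it processes the RRQ after AMA.
            ama.update({k: v for k, v in ha_avps.items() if k != "MIP-Reg-Request"})
        return Diameter("AMA", ama)

class HomeAgent:
    def __init__(self, address: str, haaa: HAAA):
        self.address, self.haaa, self.mn_keys, self.fa_key = address, haaa, {}, None
        haaa.home_agents[address] = self
    def process_rrq(self, rrq: dict, mn_ha_key: bytes, nonces: dict) -> dict:
        # Mobile IP registration proper: install the MN-HA MSA and build a reply
        # carrying the key-generation nonces and an MN-HA authentication extension.
        self.mn_keys[rrq["nai"]] = mn_ha_key
        return {"nai": rrq["nai"], "code": 0, "nonces": nonces, "auth": mac(mn_ha_key, rrq["body"])}
    def handle_har(self, har: Diameter) -> Diameter:          # FA-based CoA
        a = har.avps
        self.fa_key = a["MIP-HA-to-FA-MSA"]
        nonces = {"mn_ha": a["MIP-MN-to-HA-MSA"], "mn_fa": a["MIP-MN-to-FA-MSA"]}
        rrp = self.process_rrq(a["MIP-Reg-Request"], a["MIP-HA-to-MN-MSA"], nonces)
        return Diameter("HAA", {"Result-Code": SUCCESS, "MIP-Reg-Reply": rrp})
    def handle_rrq(self, rrq: dict, auth: bytes) -> dict:     # co-located CoA, no MSA yet
        ama = self.haaa.handle_amr(Diameter("AMR", {"sender": "HA", "MIP-Reg-Request": rrq,
                                                    "MIP-MN-AAA-Auth": auth}))
        if ama.avps["Result-Code"] != SUCCESS:
            return {"nai": rrq["nai"], "code": HA_AUTH_FAIL}
        return self.process_rrq(rrq, ama.avps["MIP-HA-to-MN-MSA"],
                                {"mn_ha": ama.avps["MIP-MN-to-HA-MSA"]})

class ForeignAgent:
    def __init__(self, haaa: HAAA):
        self.haaa, self.keys = haaa, {}
    def handle_rrq(self, rrq: dict, auth: bytes) -> dict:
        ama = self.haaa.handle_amr(Diameter("AMR", {"sender": "FA", "MIP-Reg-Request": rrq,
                                                    "MIP-MN-AAA-Auth": auth}))
        if ama.avps["Result-Code"] != SUCCESS:
            return {"nai": rrq["nai"], "code": FA_AUTH_FAIL}
        self.keys = {"fa_ha": ama.avps["MIP-FA-to-HA-MSA"], "fa_mn": ama.avps["MIP-FA-to-MN-MSA"]}
        return ama.avps["MIP-Reg-Reply"]    # built by the HA, delivered inside the AMA

class MobileNode:
    def __init__(self, nai: str, aaa_key: bytes, ha_address: str):
        self.nai, self.aaa_key, self.ha, self.keys = nai, aaa_key, ha_address, {}
    def register(self, agent) -> int:
        rrq = {"nai": self.nai, "ha": self.ha,
               "body": f"{self.nai}|{self.ha}|".encode() + os.urandom(8)}   # random identification
        rrp = agent.handle_rrq(rrq, mac(self.aaa_key, rrq["body"]))        # MN-AAA auth extension
        if rrp["code"] != 0:
            return rrp["code"]
        # Derive the MN-HA (and MN-FA) keys from the relayed nonces, then check the reply.
        self.keys = {n: key_from_nonce(self.aaa_key, v, self.nai) for n, v in rrp["nonces"].items()}
        if not hmac.compare_digest(rrp["auth"], mac(self.keys["mn_ha"], rrq["body"])):
            raise ValueError("registration reply failed MN-HA authentication")
        return rrp["code"]

def run(fa_mode: bool, mn_key: bytes = b"k" * 16, aaa_key: bytes = b"k" * 16):
    haaa = HAAA({NAI: aaa_key})                # returns (reply code, MN, HA, FA)
    ha, fa = HomeAgent("10.0.0.1", haaa), ForeignAgent(haaa)
    mn = MobileNode(NAI, mn_key, ha.address)
    return mn.register(fa if fa_mode else ha), mn, ha, fa
```

`run(True)` walks the FA path (MN to FA, FA to HAAA by AMR, HAAA to HA by HAR, HA back by HAA, HAAA back to the FA by AMA, FA to MN), `run(False)` the co-located path (MN to HA, HA to HAAA by AMR, HAAA back by AMA, HA to MN). A wrong MN key is rejected by the HAAA before any key material leaves it, and the agent that sent the AMR turns the Diameter rejection into the corresponding Mobile IP reply code.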
We will describe the messaging procedure for Diameter Mobile IP signaling shortly. Before that, it is useful to go through the details of the new AVPs defined for Mobile IP support within Diameter.
New Diameter AVPs for Mobile IP Support
The Diameter Mobile IP application [DIAMIP] defines a large number of AVPs for support of Mobile IPv4 authentication and key distribution. Table 8.5 shows a number of the AVPs defined in the application, while the full list is provided in [DIAMIP]. For clarity, we have grouped the AVPs into two tables to help the understanding of their use. A brief description of each AVP is provided in Table 8.5. This description should be enough to gain an understanding of the purpose of most of these AVPs. We will describe the use of many of these AVPs when we go through the details of
