Mobile IPv6 Bootstrapping Architecture using DHCP
draft-ohba-mip6-boot-arch-dhcp-00
Yoshihiro Ohba, Rafael Marin Lopez, Mayumi Yanagiya, Hiroyuki Ohnishi and Kuntal Chowdhury
Mobility Service, Network Access Service and AAA
• Integration of a bootstrapping architecture with the AAA infrastructure is needed
– Operators rely on an AAA protocol to provide authentication, authorization and accounting for the subscribers of their services
• The services include network access service and mobility service
• In many cases, AAA for network access (AAA-NA) occurs before AAA for mobility service (AAA-MS)
• It is reasonable to consider a scenario where there is some dependency between AAA-NA and AAA-MS
Two Minimum Sets of Seed Information
• Parameter Set 1:
– The domain name or FQDN of the home agent
– IKE credentials
• Parameter Set 2:
– Network access credentials
• This draft (draft-ohba-mip6-boot-arch-dhcp) uses Parameter Set 2
Basic Architecture (figure)
• Mobile Node / DHCP client: runs the network access authentication protocol with the NAS and DHCPv6 with the DHCP server
• ASP or IASP: NAS, DHCP server and AAA-NA server, connected by the AAA protocol
• Serving or Home MSP: AAA-MS server and Home Agent, reached over the AAA protocol (which visited-network entity acts as AAA-MS client depends on the model)
Basic Architecture (cont'd)
• A DHCP server in the visited network is used for delivering bootstrap information to the MN
– The visited network may be the home network
• DHCP delayed authentication is used for integrity-protected delivery of bootstrap information
– The DHCP delayed authentication key is also bootstrapped from AAA-NA
– Alper's comment: the DHCP authentication problem can be separated
• The NAS and/or DHCP server in the visited network is aware of MIPv6 service (but they do not need to speak MIPv6)
• Two models exist depending on who is the AAA-MS client
– Model 1: DHCP server as AAA-MS client
• The DHCP server directly communicates with the AAA-MS server to obtain MIP6 bootstrap information
– Model 2: NAS as AAA-MS client
• The NAS communicates with the AAA-MS server to obtain MIP6 bootstrap information
• The NAS passes the obtained bootstrap information to the DHCP server
Model 1 (DHCP Server as AAA-MS Client) (figure: Mobile Node with network access client and DHCP client; NAS; DHCP server; AAA infrastructure; Home Agent)
• (1) Network access authentication protocol between MN and NAS; (1') AAA-NA between NAS and AAA infrastructure, yielding the AAA-Key at the NAS and the DHCP key at the MN
• (2) AAA-MS between DHCP server and AAA infrastructure: the DHCP server receives MIP6 bootinfo {HA [, HoA or HoL], DHCP-key}; the Home Agent receives MIP6 bootinfo {IKE credentials [, HoA or HoL]}
• (2) DHCPv6 with delayed authentication from DHCP server to MN: MIP6 bootinfo {HA [, HoA or HoL]}
• (3) IKE between MN and Home Agent: MIP6 bootinfo {[HoA or HoL]}
Model 2 (NAS as AAA-MS Client) (figure: Mobile Node with network access client and DHCP client; NAS; DHCP server; AAA infrastructure; Home Agent)
• (1) Network access authentication protocol between MN and NAS; (1') AAA-NA between NAS and AAA infrastructure, yielding the DHCP key at the MN
• (2) AAA-MS between NAS and AAA infrastructure: the NAS receives MIP6 bootinfo {HA [, HoA or HoL], AAA-Key [, DHCP-key]} and passes MIP6 bootinfo {HA [, HoA or HoL] [, DHCP-key]} to the DHCP server; the Home Agent receives MIP6 bootinfo {IKE credentials [, HoA or HoL]}
• (2') DHCPv6 with delayed authentication from DHCP server to MN: MIP6 bootinfo {HA [, HoA or HoL]}
• (3) IKE between MN and Home Agent: MIP6 bootinfo {[HoA or HoL]}
Mapping to Bootstrapping Scenarios
• The bootstrapping problem statement draft identifies four cases
– Mobility Service Subscription Scenario
– Integrated ASP (IASP) Scenario
– Third-party MSP Scenario
– Infrastructure-less Scenario
• Some scenarios do not assume a relationship between AAA-NA and AAA-MS
– The mobility service subscription scenario and the infrastructure-less scenario are not supported in this bootstrapping architecture
• This architecture is intended for the IASP scenario and the third-party MSP scenario
Integrated ASP Scenario (Model 1) (sequence figure; participants: Mobile Node, NAS/DHCP Server, and within the IASP (ASP+MSP): AAA-NA Server, Home Agent, AAA-MS Server)
• NA Req. from MN to NAS; AAA-NA exchange between NAS and AAA-NA server: authentication, authorization for NA; NA Rep. to MN
• DHCP Req. from MN to DHCP server; Parameter Req. from DHCP server to AAA-MS server: authorization for MS; DHCP Rep. to MN
• IKEv2 between MN and Home Agent; Parameter Req. from Home Agent to AAA-MS server returns the IKE credentials
Integrated ASP Scenario (Model 2) (sequence figure; participants: Mobile Node, NAS/DHCP Server, and within the IASP (ASP+MSP): AAA-NA Server, Home Agent, AAA-MS Server)
• NA Req. from MN to NAS; AAA-NA exchange between NAS and AAA-NA server: authentication, authorization for NA
• Parameter Req. from NAS to AAA-MS server: authorization for MS; Parameter Rep. to NAS; NA Rep. to MN
• DHCP Req. from MN to DHCP server; DHCP Rep. to MN
• IKEv2 between MN and Home Agent; the Home Agent obtains the IKE credentials from the AAA-MS server
Third-Party MSP Scenario (Model 1) (sequence figure; participants: Mobile Node, NAS/DHCP Server, ASP: AAA-NA Server, Serving MSP: Home Agent, AAA-MS Server)
• Home MSP is integrated with the ASP, OR Home MSP has a roaming agreement with the ASP
• NA Req. from MN to NAS; AAA-NA exchange between NAS and AAA-NA server: authentication, authorization for NA; NA Rep. to MN
• DHCP Req. from MN to DHCP server; Parameter Req. from DHCP server to AAA-MS server: authorization for MS; DHCP Rep. to MN
• IKEv2 between MN and Home Agent; Parameter Req. from Home Agent to AAA-MS server returns the IKE credentials
Third-Party MSP Scenario (Model 2) (sequence figure; participants: Mobile Node, NAS/DHCP Server, ASP: AAA-NA Server, Serving MSP: Home Agent, AAA-MS Server)
• Home MSP is integrated with the ASP, OR Home MSP has a roaming agreement with the ASP
• NA Req. from MN to NAS; AAA-NA exchange between NAS and AAA-NA server: authentication, authorization for NA
• Parameter Req. from NAS to AAA-MS server: authorization for MS; Parameter Rep. to NAS; NA Rep. to MN
• DHCP Req. from MN to DHCP server; DHCP Rep. to MN
• IKEv2 between MN and Home Agent; the Home Agent obtains the IKE credentials from the AAA-MS server
Other Bootstrapping Architectures (draft-yegin-mip6-aaa-fwk)
• Uses the home agent as AAA-MS client
• Assumption: the HA address is somehow known to the MN (e.g., pre-configuration, DNS SRV record)
• Simplest, but operators want flexibility in the assignment of the HA address
– E.g., assigning a different HA depending on the profile of the subscriber
Other Bootstrapping Architectures (draft-giaretta-mip6-authorization-eap)
• Uses EAP for conveying bootstrapping information between the MN (EAP peer) and the AAA-NA server (EAP server)
• The bootstrapping procedure is transparent to the access network
• Potential complexity for the multiple-domain case
Security Considerations
• Question: Is it valid to use DHCP in the ASP to deliver an HA assigned by the MSP?
– If the ASP and MSP are separate, the MSP might not want to expose bootstrapping information to other providers
• Answer: The bootstrapping information can be encrypted based on the SA between the MN and the AAA-MS server
– The DHCP server can deliver the encrypted information to the mobile node as opaque data if such an option is defined
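As an added example (not code from the draft or its authors), the following Python sketches the two protections these slides rely on: the delayed-authentication style integrity check on the DHCP reply described on the Basic Architecture slide, and the MSP-encrypted opaque payload proposed in the answer above. The option codes, TLV layout, key-derivation labels and the HMAC-based stand-in cipher are assumptions for illustration; this is not an implementation of the RFC 3315 option formats.

```python
"""Added example, not from draft-ohba-mip6-boot-arch-dhcp: a DHCP server delivers MIP6
bootstrap information to a mobile node (MN) with delayed-authentication-style integrity
protection, and the MSP's part travels as an opaque blob sealed under the MN<->AAA-MS SA.
Option codes, TLV layout, KDF labels and the stand-in cipher are illustrative assumptions."""
import hashlib
import hmac
import json
import os
import struct

MAC_LEN = 32            # HMAC-SHA256 tag length
NONCE_LEN = 12
OPT_AUTH = 65002        # assumed code; stands in for the DHCPv6 Authentication option
OPT_OPAQUE_MSP = 65003  # assumed code; MSP-encrypted bootinfo, opaque to the DHCP server


def kdf(master, label):
    """Derive a labelled sub-key, e.g. the DHCP key from the AAA-Key obtained via AAA-NA."""
    return hmac.new(master, label, hashlib.sha256).digest()


def encode(options):
    """Serialize (code, payload) pairs as DHCPv6-style TLVs: 2-byte code, 2-byte length."""
    return b"".join(struct.pack("!HH", code, len(p)) + p for code, p in options)


def decode(msg):
    opts, i = [], 0
    while i < len(msg):
        code, ln = struct.unpack_from("!HH", msg, i)
        opts.append((code, msg[i + 4:i + 4 + ln]))
        i += 4 + ln
    return opts


def protect(options, dhcp_key):
    """Delayed authentication: HMAC over the whole message with the MAC field zeroed, MAC last."""
    zeroed = encode(options + [(OPT_AUTH, bytes(MAC_LEN))])
    return zeroed[:-MAC_LEN] + hmac.new(dhcp_key, zeroed, hashlib.sha256).digest()


def verify(msg, dhcp_key):
    """Non-AUTH options if the MAC is valid; None on bad MAC, missing AUTH or malformed TLVs."""
    i = 0
    while i + 4 <= len(msg):
        code, ln = struct.unpack_from("!HH", msg, i)
        start, end = i + 4, i + 4 + ln
        if code != OPT_AUTH:
            i = end
            continue
        if ln != MAC_LEN or end > len(msg):
            return None
        expected = hmac.new(dhcp_key, msg[:start] + bytes(MAC_LEN) + msg[end:], hashlib.sha256).digest()
        if hmac.compare_digest(expected, msg[start:end]):
            return [(c, p) for c, p in decode(msg) if c != OPT_AUTH]
        return None
    return None


def _keystream(ms_key, nonce, n):
    enc_key = kdf(ms_key, b"ms-enc")
    return b"".join(hmac.new(enc_key, nonce + struct.pack("!I", b), hashlib.sha256).digest()
                    for b in range((n + 31) // 32))


def seal(ms_key, plaintext):
    """Encrypt-then-MAC under the MN<->AAA-MS SA; HMAC-CTR is a stdlib stand-in for a real AEAD."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ms_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(kdf(ms_key, b"ms-mac"), nonce + ct, hashlib.sha256).digest()


def unseal(ms_key, blob):
    if len(blob) < NONCE_LEN + MAC_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(kdf(ms_key, b"ms-mac"), nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ms_key, nonce, len(ct))))


def aaa_ms_bootinfo(ms_key, info):
    """AAA-MS server: seal {HA [, HoA or HoL]} for the MN, so a separate ASP never learns the HA."""
    return seal(ms_key, json.dumps(info, sort_keys=True).encode())


def dhcp_server_reply(opaque, dhcp_key):
    """DHCP server: relay the opaque blob unread, integrity-protect the reply with the DHCP key."""
    return protect([(OPT_OPAQUE_MSP, opaque)], dhcp_key)


def mobile_node_process(msg, dhcp_key, ms_key):
    """MN: check the DHCP MAC first, then open the MSP payload; any failure yields None."""
    opts = verify(msg, dhcp_key)
    blob = next((p for c, p in opts if c == OPT_OPAQUE_MSP), None) if opts else None
    pt = unseal(ms_key, blob) if blob else None
    return json.loads(pt) if pt is not None else None


def demo():
    """Constructed run: honest delivery succeeds, a flipped bit is rejected, the DHCP server cannot read the HA."""
    aaa_key, ms_key = os.urandom(32), os.urandom(32)  # AAA-Key from AAA-NA; MN<->AAA-MS SA (assumed to pre-exist)
    dhcp_key = kdf(aaa_key, b"dhcp-delayed-auth")     # DHCP key bootstrapped from AAA-NA, as on the slide
    reply = dhcp_server_reply(aaa_ms_bootinfo(ms_key, {"HA": "2001:db8:1::1", "HoA": "2001:db8:1::100"}), dhcp_key)
    tampered = bytearray(reply)
    tampered[4] ^= 0x01                               # flip one bit inside the relayed payload
    return {
        "mn_bootinfo": mobile_node_process(reply, dhcp_key, ms_key),
        "tampered_accepted": mobile_node_process(bytes(tampered), dhcp_key, ms_key) is not None,
        "dhcp_server_reads_ha": unseal(dhcp_key, decode(reply)[0][1]) is not None,
    }
```

The DHCP server holds only the DHCP key, so it can authenticate the reply but cannot read the HA; the MN checks the outer MAC before opening the blob, and a single flipped bit in transit is rejected. The Model 1 open issue is not solved by this: in that model the DHCP key reaches the DHCP server only in the AAA-MS reply, so the server cannot verify the requester before contacting the AAA-MS server.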
Open Issues
• When multiple MSPs are able to assign an HA to the MN, how to determine which MSP should be the assigner(s)?
– This case could happen in a hybrid of the IASP scenario and the third-party scenario (i.e., AAA-MS servers exist in both the ASP and the home MSP)
• Model 1 might have a security issue
– If there is no coordination between the AAA-MS client (DHCP server) and the AAA-NA client (NAS), the AAA-MS procedure is performed without authentication
– A DHCP server would initiate AAA-MS without making sure that the requesting MN has been authorized by the NAS in the AAA-NA procedure
Next Step
• If the architecture is relevant, make it part of the overall bootstrapping architecture
– This architecture is NOT the only solution
• Resolve the open issues
Thank you!