Network Working Group                     T. Hiller, Lucent Technologies
Request for Comments: 3141                 P. Walsh, Lucent Technologies
Category: Informational                                 X. Chen, Alcatel
                                                               M. Munson
                                               G. Dommety, Cisco Systems
                        S. Sivalingham, Ericsson Wireless Communications
                           B. Lim, LG Information & Communications, Ltd.
                                          P. McCann, Lucent Technologies
                                          H. Shiino, Lucent Technologies
                                                  B. Hirschman, Motorola
                                       S. Manning, Award Solutions, Inc.
                                                  R. Hsu, Qualcomm, Inc.
                        H. Koo, Samsung Telecommunications America, Inc.
                                                  M. Lipford, Sprint PCS
                                      P. Calhoun, Sun Laboratories, Inc.
                                                         C. Lo, Vodafone
                                                     E. Jaques, Vodafone
                      E. Campbell, CommWorks Corporation, A 3Com Company
                                               Y. Xu, WaterCove Networks
                                 S. Baba, Toshiba America Research, Inc.
                                               T. Ayaki, DDI Corporation
                                                 T. Seki, DO Corporation
                                                      A. Hameed, Fujitsu
                                                               June 2001
        

CDMA2000 Wireless Data Requirements for AAA

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This memo specifies cdma2000 wireless data AAA (Authentication, Authorization, Accounting) requirements associated with third generation wireless architecture that supports roaming among service providers for traditional PPP and Mobile IP services. The architecture is designed for use with a cellular network as an access medium. Sections 1 and 2 present a brief high level review of the cdma2000 wireless data architecture. Section 3 presents cdma2000 AAA requirements.

1. Introduction

This document specifies AAA requirements associated with a third generation cdma2000 wireless architecture that supports roaming among service providers for traditional PPP and Mobile IP services. The architecture is designed for use with a cellular network as an access medium.

Sections 1 and 2 present a brief, high level review of the cdma2000 wireless data architecture as an aid to interested AAA WG members. Section 3 presents cdma2000 AAA requirements, and is self-contained relative to the architecture review.

1.1. Requirements language

In this document, the key words "MAY", "MUST", "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [RFC2119].

Please note that the requirements specified in this document are to be used in evaluating AAA protocol submissions. As such, the requirements language refers to capabilities of these protocols; the protocol documents will specify whether these features are required, recommended, or optional. For example, requiring that a protocol support confidentiality is NOT the same thing as requiring that all protocol traffic be encrypted.

A protocol submission is not compliant if it fails to satisfy one or more of the MUST or MUST NOT requirements for the capabilities that it implements. A protocol submission that satisfies all the MUST, MUST NOT, SHOULD and SHOULD NOT requirements for its capabilities is said to be "unconditionally compliant"; one that satisfies all the MUST and MUST NOT requirements but not all the SHOULD or SHOULD NOT requirements for its protocols is said to be "conditionally compliant."

1.2. General Service Requirements

o Provide service during subscriber visits between wireless network systems while maintaining a formal customer-service provider relation with only one wireless service provider.

o Support Traditional PPP and Mobile IP services:

   o Support dynamic and static home address assignments for Mobile IP
   o Support a Home Agent in the mobile's home wireless network, home ISP, or private network.
   o Support IP Security on the Mobile IP tunnel between Foreign Agent and Home Agent, in order to avoid the overhead of a voluntary tunnel on the radio interface.

o Provide robust authentication, authorization and accounting services (AAA):

   o Provide separation of airlink resource AAA services and data resource AAA services.
   o Authenticate and authorize a mobile based on an IMSI and an NAI. The architecture allows for a carrier to determine if billing is based on the IMSI or the NAI.
   o Support optional AAA broker services between wireless carriers and between wireless carriers and other external data networks.
   o Allow for distribution of specific Mobile IP security key information to support home agent assignment, fast handoff, and fast HA-FA authentication assignment during registration.

o Provide QoS

2. High Level Architecture

The high level architecture is shown in Figure 1. The six major entities that compose the network are the Home Agent, the PDSN, the AAA Server, the Radio Network, the HLR/VLR, and Mobile Client.

            Visited Access              Home Access
            Provider Network           Provider Network
              +--------+                 +--------+
              |        |      SS7        |        |
              |  VLR   |-----------------|  HLR   |
              |        |                 |        |
              +--------+                 +--------+
                  |
                  |
                  |  Visited Access      Broker        Home IP
                  |  Provider Network    Network       Network
                  |     +--------+      +--------+   +--------+
                  |     |        |      |        |   |        |
                  |     |  AAA   |------|  AAA   |---|  AAA   |
                  |     |        |      |        |   |        |
                  |     +--------+      +--------+   +--------+
                  |             \                \       |
                  |              \                \      |
                  |               \                \     |
                  |                \                \    |
                  |                 \                \   |
              +---------+       +---------+       +---------+
              |         |       |         |       |         |
              |   RN    |-------|  PDSN   |-------|  HA     |
              |         |       |         |       |         |
              +---------+       +---------+       +---------+
                  |
                  |   Visited Access            Home Network
                  |  Provider Network           -Private
            Mobile|                             -Visited Provider
              IP  |                             -Home Provider
                  |                             -Home ISP
               +--------+
               | Mobile |
               | Node   |
               +--------+
        

Figure 1: General cdma2000 Wireless IP Architecture

2.1. PDSN

o Acts as a Foreign Agent;
o Establish, maintain, and terminate link layer to the mobile client;
o Initiate the authentication, authorization and accounting for the mobile client;
o Optionally, securely tunnel using IP security to the Home Agent;
o Receives service parameters from AAA for mobile client;
o Collect usage data for accounting purposes to be relayed to AAA;
o Routes packets to external packet data networks or to the HA in the case of reverse tunneling;
o Maps home address and Home Agent address to a unique link layer identifier used to communicate with Radio Network.

2.2. Authentication, Authorization, and Accounting Server

o Interact with the Foreign Agent and other AAA servers to authorize, authenticate and perform accounting for the mobile client;
o Provides mechanism to support security association between PDSN/FA and HA and between the MN and PDSN/FA;
o For dynamic Home Agent assignment, dynamically identify an HA and assign a MN on that HA, and provide the security association between the MN and HA;
o Provide QoS information to the PDSN;
o Optionally, assign dynamic home address.

2.3. Radio Network

o Maps Mobile Client identifier reference to a unique link layer identifier used to communicate with PDSN;
o Validates Mobile Station for access service;
o Manages physical layer connection to the Mobile Client;
o Maintain state of reachability for packet service between the access radio network and the mobile station;
o Buffers packets arriving from the PDSN, when radio resources are not in place or are insufficient to support the flow from the PDSN;
o Relays packets between the mobile station and the PDSN.

2.4. Location Registers (VLR/HLR)

o Stores authentication and authorization information for the radio network.

2.5. Home Agent

o Maintains user registration and redirects packets to the PDSN;
o Optionally, establish an IP secure tunnel to the PDSN/FA;
o Supports the dynamic Home Agent assignment;
o Optionally, assigns dynamic home address;
o Support reverse tunneling.

2.6. Mobile Node

o Support PPP;
o Can act as a Mobile IP Node, and support Foreign Agent Challenge and NAI;
o Interacts with the Radio Network to obtain appropriate radio resources from the network for the exchange of packets;
o Maintains knowledge of status of radio resources (e.g., active, standby, dormant);
o Buffers packets when radio resources are not in place or are insufficient to support the flow to the network.

3. AAA Requirements
3.1. Core AAA Requirements

The following is a summary of cdma2000 AAA specific requirements. In these requirements, the serving network and home network may or may not have a direct business relationship. In those cases in which there is no direct business relationship, service may be supported indirectly via a broker.

o Authenticate and authorize a user NAI in a roaming environment. The NAI is obtained via CHAP (for traditional PPP service) or a Foreign Agent Challenge (for Mobile IP service). A shared secret exists between the mobile and its HAAA. The FAC will typically be computed in a manner consistent with CHAP.
o Transport wireless data attributes from the home network to the Serving network. This may often take the form of a user profile.
o Encrypt or sign one or more AVPs in an AAA message between home, serving network, or some broker across multiple AAA server hops.
o Support a reliable AAA transport mechanism.

   o This transport mechanism will be able to indicate to an AAA application that a message was delivered to the next peer AAA application or that a time out occurred.
   o Retransmission is controlled by the reliable AAA transport mechanism, and not by lower layer protocols such as TCP.
   o Even if the AAA message is to be forwarded, or the message's options or semantics do not conform with the AAA protocol, the transport mechanism will acknowledge that the peer received the AAA message. However, if the message fails to pass authentication, it will not be acknowledged.
   o Acknowledgements should be allowed to be piggybacked in AAA messages.
   o The reliable transport mechanism features shall have the capability to detect silent failures of the AAA peer or of the path to the AAA peer, in order to manage failure on a proactive basis.

o Transport a digital certificate in an AAA message, in order to minimize the number of round trips associated with AAA transactions. Note: This requirement applies to AAA applications and not mobile stations.
o Support both proxy and non-proxy brokers, where non-proxy brokers imply the broker terminates an entire request and initiates a new request. AAA brokers should have the capability to modify certain parts of AAA messages in order to operate in non-proxy or proxy environments.
o Provide message integrity and identity authentication on a per hop (AAA node) basis.
o Support replay protection and optional non-repudiation capabilities for all authorization and accounting messages. The AAA protocol must provide the capability for accounting messages to be matched with prior authorization messages.
o Support accounting via both bilateral arrangements and via broker AAA servers providing accounting clearinghouse and reconciliation between serving and home networks. There is an explicit agreement that if the private network or home ISP authenticates the mobile station requesting service, then the private network or home ISP network also agrees to reconcile charges with the home service provider or broker. Real time accounting must be supported.
o Provides security between AAA servers, and between AAA server and PDSN or HA via IP security.

3.2. Mobile IP Specific Requirements and AAA
3.2.1. Mobile IP Security Discussion

Three Mobile IP security extensions are defined in RFC 2002:

   . HA - FA
   . MN - FA
   . HA - MN

Therefore, Mobile IP and IPsec security models differ in that Mobile IP provides its own authentication mechanisms calculated within the Mobile IP registration procedures whereas IPsec uses IPsec AH.

The keys and SPIs associated with the MN-FA and HA-FA extensions need to be dynamically established in a roaming wireless carrier environment. The MN-FA extension is useful for allowing a new FA (PDSN) to quickly authenticate a mobile using the previous foreign agent extension. The HA-FA extension is useful for the HA to ensure that only FAs from carriers with roaming agreements access the HA. The MN-HA security association is usually provisioned, but for dynamic Home Agent assignment, this security association must be dynamically created.

It is possible to use IPsec AH between MN and FA, FA and HA, and MN and HA. IKE may be used to establish security associations between these entities. However, use of IKE may pose a problem for smaller mobiles and may introduce unacceptable delays for certain applications (e.g., Voice Over IP). The following three sections outline Mobile IP specific functions that benefit from AAA based key distribution.

3.2.2. Dynamic Home Agent Assignment

A visited or home AAA server will optionally be able to perform dynamic HA assignment. For a dynamically assigned HA, the visited AAA server will indicate to the home AAA server whether it supports dynamic HA assignment in those cases in which the mobile node requests dynamic assignment. If so indicated, the home AAA server may choose to allow the visited AAA server to perform the HA assignment. Otherwise, the home AAA assigns the HA.

3.2.3. Fast Handoff

To achieve a faster handoff, the mobile may attempt to avoid an AAA transaction with the home AAA server. To accomplish this, the mobile may include the Previous FA address in the RRQ message it sends to the PDSN, along with the MN-FA authentication extension. The new PDSN passes the Previous FA address and MN-FA authentication extension to the visited AAA server. If the visited AAA server is able to authenticate the MN-FA authentication extension for the mobile, then the visited AAA may be able to avoid an actual transaction to the home AAA server.
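The fast handoff check described above, as an added simulation that is not part of RFC 3141 or of any 3GPP2 implementation: a visited AAA that already holds the MN-FA key distributed by the home AAA verifies the MN-FA authentication extension itself, and only falls back to a home AAA transaction when it cannot. It assumes RFC 2002's default keyed-MD5 "prefix+suffix" authenticator; the Previous FA extension type, the key cache and every address, key and NAI below are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Assumptions (not fixed by RFC 3141): RFC 2002 default keyed-MD5 "prefix+suffix"
# authenticator; Previous FA extension type, key cache and sample values are constructed.
MN_FA_AUTH_EXT = 33    # Mobile-Foreign Authentication Extension type (RFC 2002)
PREV_FA_EXT = 250      # constructed placeholder type for the Previous FA extension
RRQ_HEADER_LEN = 24    # type, flags, lifetime, home addr, HA addr, CoA, identification

def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed

def keyed_md5_prefix_suffix(key: bytes, protected: bytes) -> bytes:
    """RFC 2002 default authenticator: MD5(key || protected fields || key)."""
    return hashlib.md5(key + protected + key).digest()

@dataclass(frozen=True)
class Rrq:
    home_address: str
    home_agent: str
    care_of_address: str
    identification: int   # 64-bit field, also used for replay protection
    previous_fa: str      # address of the FA (PDSN) the mobile is leaving
    lifetime: int = 1800

def encode_rrq(rrq: Rrq) -> bytes:
    """Fixed RRQ fields (RFC 2002 section 3.3) plus the constructed Previous FA extension."""
    head = struct.pack("!BBH", 1, 0, rrq.lifetime)
    head += ip4(rrq.home_address) + ip4(rrq.home_agent) + ip4(rrq.care_of_address)
    head += struct.pack("!Q", rrq.identification)
    return head + struct.pack("!BB", PREV_FA_EXT, 4) + ip4(rrq.previous_fa)

def append_mn_fa_auth(msg: bytes, spi: int, key: bytes) -> bytes:
    """Mobile side: append type, length, SPI and an authenticator over everything
    before it, including those three fields (RFC 2002 section 3.5.3)."""
    ext_head = struct.pack("!BBI", MN_FA_AUTH_EXT, 20, spi)
    return msg + ext_head + keyed_md5_prefix_suffix(key, msg + ext_head)

def parse_extensions(msg: bytes):
    """Yield (type, offset of the extension, value bytes) for each extension."""
    off = RRQ_HEADER_LEN
    while off + 2 <= len(msg):
        ext_type, length = msg[off], msg[off + 1]
        yield ext_type, off, msg[off + 2: off + 2 + length]
        off += 2 + length

class VisitedAAA:
    """Caches MN-FA keys the home AAA distributed earlier (section 3.2.5) and decides
    whether a handoff RRQ can be authorised without a home AAA transaction."""

    def __init__(self):
        self.mn_fa_keys = {}   # (NAI, previous FA address, SPI) -> MN-FA key
        self.last_ident = {}   # NAI -> highest identification accepted so far

    def store_key(self, nai: str, fa_address: str, spi: int, key: bytes) -> None:
        self.mn_fa_keys[(nai, fa_address, spi)] = key

    def handoff_decision(self, nai: str, msg: bytes) -> str:
        """'local': extension verified, home AAA round trip avoided;
        'home-aaa': cannot verify locally, full transaction needed;
        'reject': authenticator fine but identification already seen (replay)."""
        previous_fa = None
        for ext_type, off, value in parse_extensions(msg):
            if ext_type == PREV_FA_EXT and len(value) == 4:
                previous_fa = str(ipaddress.IPv4Address(value))
            elif ext_type == MN_FA_AUTH_EXT and len(value) == 20:
                spi = struct.unpack("!I", value[:4])[0]
                key = self.mn_fa_keys.get((nai, previous_fa, spi))
                if key is None:
                    return "home-aaa"    # no key for that FA/SPI pair
                expected = keyed_md5_prefix_suffix(key, msg[: off + 6])
                if not hmac.compare_digest(expected, value[4:]):
                    return "home-aaa"    # cannot vouch locally; the home AAA decides
                ident = struct.unpack("!Q", msg[16:24])[0]
                if ident <= self.last_ident.get(nai, -1):
                    return "reject"      # replayed or stale registration
                self.last_ident[nai] = ident
                return "local"
        return "home-aaa"                # no MN-FA extension present

def demo() -> tuple:
    """Constructed scenario: a key was distributed for (NAI, old PDSN, SPI 0x100)."""
    aaa = VisitedAAA()
    nai, old_pdsn, spi, key = "user@example.net", "10.0.1.1", 0x100, b"constructed-mn-fa-key"
    aaa.store_key(nai, old_pdsn, spi, key)
    rrq = Rrq("192.0.2.10", "198.51.100.1", "10.0.2.1", 0x5E0BE10000000001, old_pdsn)
    good = append_mn_fa_auth(encode_rrq(rrq), spi, key)
    wrong_key = append_mn_fa_auth(encode_rrq(rrq), spi, b"not-the-distributed-key")
    return (aaa.handoff_decision(nai, good),        # "local"
            aaa.handoff_decision(nai, wrong_key),   # "home-aaa"
            aaa.handoff_decision(nai, good))        # "reject": identification reused
```

The third decision shows why the per-message identification matters even when the authenticator verifies: without it, a captured RRQ could be replayed to the visited AAA indefinitely.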

3.2.4. HA-FA Authentication

To achieve a fast registration for the case of a mobile station with a Home Agent, the PDSN and HA may receive from the AAA mechanism an HA-FA key and SPI that are used to authenticate the PDSN and the HA to each other.

3.2.5. Key Distribution

These functions are primarily useful in a wireless environment in which handoffs may occur rapidly (implying a need for low latency), or where mobile devices have limited computing power. To achieve these functions, AAA will be used to securely pass keys and SPIs between the serving network and target network in encrypted form. These keys are then used for the specific functions outlined in this document.

3.3. IKE and AAA

The use of IKE in the cdma2000 wireless architecture requires the use of certificates. However, the AAA servers may be able to distribute a pre-shared key to the Mobile IP Agents for use during Phase 1 ISAKMP exchanges. This may lessen the need for on-line revocation checks.

3.4. Interoperability with RADIUS

Users with a home AAA server based on RADIUS may desire to roam into a wireless carrier network that uses "new" AAA servers based on the requirements in this document, and vice versa. The AAA protocol should be designed in a way that makes conversions to and from RADIUS messages straightforward. This will allow for the development of gateway processes to aid in interoperability. Note: The features of the new AAA protocols which are beyond the feature set of the RADIUS protocol will not be available to users while on home or serving networks based on RADIUS.

4. References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

5. Security Considerations

This document is very much about security. These requirements do not require the serving and home networks to not be in the same domain nor must they have a direct relationship. The serving network requires authorization from the home network so that the serving network obtains proof it will get paid for services rendered to the mobile. This implies the home network must authenticate the user. AAA functions must be performed in a secure manner. The requirements contained in section 2 outline the security required.

Mobile IP supports authentication mechanisms outside IP Security. These mechanisms may be enhanced in a cellular wireless environment by allowing a home AAA server to distribute keys to the serving network. Additionally, the home AAA server may be able to send a pre-shared key to be used in Phase 1 ISAKMP security association establishment between FA and HA. These keys would be sent in encrypted form from the home network to the serving network. As supported in the requirements contained in section 2, the encryption could be handled via public key cryptography and certificates.

6. IANA Considerations

This document does not create any new number spaces for IANA administration.

7. Acknowledgements

The authors are active members of the TIA TR45.6 committee.

8. Authors' Addresses

   Pat R. Calhoun
   Network and Security Research Center, Sun Labs
   Sun Microsystems, Inc.
   15 Network Circle
   Menlo Park, CA 94025
   USA

   Phone: (650) 786-7733
   EMail: pcalhoun@eng.sun.com

   Ed Campbell
   CommWorks Corporation, A 3Com Company
   3800 Golf Road
   Rolling Meadows, IL 60008

   Phone: (847)262-2325
   E-Mail: ed_campbell@commworks.com

   Gopal Dommety
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   USA

   EMail: gdommety@cisco.com

   Tom Hiller
   Rm 2F-218
   263 Shuman Dr.
   Lucent Technologies
   Naperville, IL
   USA

   Phone: (630) 979-7673
   EMail: tom.hiller@lucent.com

   Raymond T. Hsu
   Qualcomm Inc.
   6455 Lusk Blvd.
   San Diego, CA 92121
   USA

   Phone: (619) 651-3623
   EMail: rhsu@qualcomm.com

   Mark A. Lipford
   Sprint PCS
   15405 College Blvd.
   Lenexa, KS 66219

   Phone: (913) 890-4248
   EMail: mlipfo01@sprintspectrum.com

   Serge Manning
   Award Solutions, Inc.
   800 E. Campbell Rd., Suite 120
   Richardson, TX 75081

   Phone: (972) 664-0727 x350
   EMail: serge@awardsolutions.com

   Peter J. McCann
   Lucent Technologies
   Rm 2Z-305
   263 Shuman Blvd
   Naperville, IL 60566
   USA

   Phone: (630) 713 9359
   EMail: mccap@lucent.com

   Mark Munson
   1371 Winding Branch Circle
   Atlanta, Georgia 30338
   USA

   Phone: (678) 339-4439
   EMail: mmunson@gte.net

   Haeng Koo
   Samsung Telecommunications America, Inc.
   1130 E. Arapaho Road
   Richardson, TX 75081
   USA

   Phone: (972)761-7755
   EMail: hskoo@sta.samsung.com

   Pat Walsh
   Lucent Technologies
   263 Shuman Blvd. 1F-545
   Naperville, IL

   Phone: +1 630-713-5063
   EMail: walshp@lucent.com

   Yingchun Xu
   WaterCove Networks
   One Century Centre, Suite 550
   1750 E. Golf Road
   Schaumburg, IL

   Phone: +1 847-477-9280
   EMail: yxu@watercove.com

   Brent Hirschman
   1501 Shure Dr.
   Arlington Heights, IL 60006
   USA

   Phone: (847) 632-1563
   EMail: qa4053@email.mot.com

   Eric Jaques
   Vodafone
   2999 Oak Road, MS-750
   Walnut Creek, CA 94596
   USA

   Phone: +1-925-210-3900
   EMail: ejaques@akamail.com

   Sanjeevan Sivalingham
   Ericsson Wireless Communications Inc., Rm Q-356C
   6455 Lusk Blvd
   San Diego, CA 92126
   USA

   Phone: (858) 332-5670
   EMail: s.sivalingham@ericsson.com

   Xing Chen
   Alcatel USA
   1000 Coit Road
   Plano, TX 75075
   USA

   Phone: 972-519-4142
   Fax:   +1 972-519-3300
   EMail: xing.chen@usa.alcatel.com

   Byung-Keun Lim
   LG Electronics Inc.
   533, Hogye-dong, Donan-Ku, Anyang-shi, Kyungki-do, 431-080, Korea

   Phone: +82-31-450-7199
   Fax:   +82-31-450-7050
   EMail: bklim@lge.com

   Hajime Shiino
   Lucent Technologies Japan Ltd.
   25 Mori Bldg. 1-4-30 Roppongi, Minato-ku
   Tokyo Japan

   Phone: +81-3-5561-3695
   EMail: hshiino@lucent.com

   Shinichi Baba
   Toshiba America Research, Inc.
   PO Box 136, Convent Station, NJ 07961-0136
   USA

   Phone: (973) 829-4795
   EMail: sbaba@tari.toshiba.com

   Takahiro Ayaki
   DDI corporation
   Ichibancho FS Bldg. 8, Ichibancho, Chiyoda-ku
   Tokyo Japan

   Phone: +81-3-3221-9682
   EMail: ayaki@ddi.co.jp

   Alan Hameed
   Fujitsu
   2801 Telecom Parkway
   Richardson, Texas 75082
   USA

   Phone: (972) 479-2089

   Charles N. Lo
   Vodafone AirTouch
   2999 Oak Rd
   Walnut Creek, CA 94596
   USA

   Phone: (925) 210-3460
   EMail: Charles.Lo@vodafone-us.com

   Takuo Seki
   IDO Corporation
   Gobancho YS Bldg. 12-3, Gobancho, Chiyoda-ku
   Tokyo Japan

   Phone: +81-3-3263-9660
   EMail: t-seki@kddi.com

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
