Internet Engineering Task Force (IETF) K. Chowdhury, Ed. Request for Comments: 6611 Radio Mobile Access, Inc. Category: Standards Track A. Yegin ISSN: 2070-1721 Samsung May 2012
Internet Engineering Task Force (IETF) K. Chowdhury, Ed. Request for Comments: 6611 Radio Mobile Access, Inc. Category: Standards Track A. Yegin ISSN: 2070-1721 Samsung May 2012
Mobile IPv6 (MIPv6) Bootstrapping for the Integrated Scenario
针对集成场景的移动IPv6(MIPv6)引导
Abstract
摘要
Mobile IPv6 bootstrapping can be categorized into two primary scenarios: the split scenario and the integrated scenario. In the split scenario, the mobile node's mobility service is authorized by a different service authorizer than the network access authorizer. In the integrated scenario, the mobile node's mobility service is authorized by the same service authorizer as the network access service authorizer. This document defines a method for home agent information discovery for the integrated scenario.
移动IPv6引导可分为两种主要场景:拆分场景和集成场景。在拆分场景中,移动节点的移动服务由不同于网络访问授权人的服务授权人授权。在集成场景中,移动节点的移动服务由与网络接入服务授权人相同的服务授权人授权。本文档为集成场景定义了归属代理信息发现方法。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6611.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6611.
Copyright Notice
版权公告
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction and Scope ..........................................2 2. Terminology .....................................................3 3. Assumptions and Conformance .....................................4 4. Solution Overview ...............................................5 4.1. Logical View of the Integrated Scenario ....................5 4.2. Bootstrapping Message Sequence .............................6 4.2.1. Home Agent Allocation in the MSP ....................7 4.2.2. Home Agent Allocation in the ASP ....................9 4.3. Bootstrapping Message Sequence: Fallback Case .............10 4.4. HoA and IKEv2 SA Bootstrapping in the Integrated Scenario ..................................................10 5. Security Considerations ........................................10 6. Acknowledgements ...............................................11 7. Contributors ...................................................11 8. References .....................................................11 8.1. Normative References ......................................11 8.2. Informative References ....................................12
1. Introduction and Scope ..........................................2 2. Terminology .....................................................3 3. Assumptions and Conformance .....................................4 4. Solution Overview ...............................................5 4.1. Logical View of the Integrated Scenario ....................5 4.2. Bootstrapping Message Sequence .............................6 4.2.1. Home Agent Allocation in the MSP ....................7 4.2.2. Home Agent Allocation in the ASP ....................9 4.3. Bootstrapping Message Sequence: Fallback Case .............10 4.4. HoA and IKEv2 SA Bootstrapping in the Integrated Scenario ..................................................10 5. Security Considerations ........................................10 6. Acknowledgements ...............................................11 7. Contributors ...................................................11 8. References .....................................................11 8.1. Normative References ......................................11 8.2. Informative References ....................................12
The Mobile IPv6 protocol [RFC6275] requires the mobile node to have the following information:
移动IPv6协议[RFC6275]要求移动节点具有以下信息:
o the Home Address (HoA),
o 家庭住址(HoA),
o the home agent address, and
o 国内代理地址,以及
o the cryptographic materials for establishing an IPsec security association with the home agent.
o 用于与归属代理建立IPsec安全关联的加密资料。
The cryptographic materials need to be established prior to initiating the registration process. The mechanism via which the mobile node obtains this information is called "Mobile IPv6 bootstrapping". In order to allow a flexible deployment model for Mobile IPv6, it is desirable to define a bootstrapping mechanism for the mobile node to acquire these parameters dynamically. [RFC4640] describes the problem statement for Mobile IPv6 bootstrapping. It also defines the bootstrapping scenarios based on the relationship between the entity that authenticates and authorizes the mobile node for network access (i.e., the Access Service Authorizer, ASA) and the entity that authenticates and authorizes the mobile node for mobility service (i.e., the Mobility Service Authorizer, MSA). The scenario in which the Access Service Authorizer is not the Mobility Service Authorizer is called the "split" scenario. The bootstrapping solution for the split scenario is defined in [RFC5026]. The scenario in which the Access Service Authorizer is also the Mobility Service Authorizer is called the "integrated" scenario. This document defines a bootstrapping solution for the integrated scenario.
在启动注册过程之前,需要建立加密材料。移动节点获取此信息的机制称为“移动IPv6引导”。为了实现灵活的移动IPv6部署模型,需要为移动节点定义一种引导机制来动态获取这些参数。[RFC4640]介绍了移动IPv6引导的问题陈述。它还基于认证和授权移动节点进行网络访问的实体(即接入服务授权人,ASA)和认证和授权移动节点进行移动服务的实体(即移动服务授权人,MSA)之间的关系定义引导场景。接入服务授权人不是移动服务授权人的场景称为“拆分”场景。拆分方案的引导解决方案在[RFC5026]中定义。接入服务授权人同时也是移动服务授权人的场景称为“集成”场景。本文档定义了集成场景的引导解决方案。
[RFC5026] identifies four different components of the bootstrapping problem: home agent address discovery, HoA assignment, IPsec Security Association [RFC4301] setup, and Authentication and Authorization with the MSA. This document defines a mechanism for home agent address discovery. The other components of bootstrapping are as per [RFC5026].
[RFC5026]确定了引导问题的四个不同组成部分:归属代理地址发现、HoA分配、IPsec安全关联[RFC4301]设置以及MSA的身份验证和授权。本文档定义了归属代理地址发现的机制。引导的其他组件符合[RFC5026]。
In the integrated scenario, the bootstrapping of the home agent information can be achieved via DHCPv6. This document defines the MIPv6 bootstrapping procedures for the integrated scenario. It enables home agent assignment in the integrated scenario by utilizing DHCP and Authentication, Authorization, and Accounting (AAA) protocols. The specification utilizes DHCP and AAA options and attribute-value pairs (AVPs) that are defined in [RFC6610] and [RFC5447]. This document specifies the interworking among Mobile Node (MN), Network Access Server (NAS), DHCP, and AAA entities for the bootstrapping procedure in the integrated scenario.
在集成场景中,可以通过DHCPv6实现归属代理信息的引导。本文档定义了集成场景的MIPv6引导过程。它通过利用DHCP和身份验证、授权和记帐(AAA)协议,在集成场景中启用归属代理分配。该规范使用[RFC6610]和[RFC5447]中定义的DHCP和AAA选项以及属性值对(AVP)。本文档指定了集成场景中引导过程的移动节点(MN)、网络访问服务器(NAS)、DHCP和AAA实体之间的互通。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
General mobility terminology can be found in [RFC3753]. The following additional terms, as defined in [RFC4640], are used in this document:
通用机动性术语可在[RFC3753]中找到。本文件中使用了[RFC4640]中定义的以下附加术语:
Access Service Authorizer (ASA): A network operator that authenticates a mobile node and establishes the mobile node's authorization to receive Internet service.
接入服务授权人(ASA):对移动节点进行认证并建立移动节点接收互联网服务的授权的网络运营商。
Access Service Provider (ASP): A network operator that provides direct IP packet forwarding to and from the mobile node.
接入服务提供商(ASP):一家网络运营商,提供与移动节点之间的直接IP数据包转发。
Mobility Service Authorizer (MSA): A service provider that authorizes Mobile IPv6 service.
移动服务授权人(MSA):授权移动IPv6服务的服务提供商。
Mobility Service Provider (MSP): A service provider that provides Mobile IPv6 service. An MSP is called a "home MSP" when MSP == MSA. In this document, the term MSP means a Mobility Service Provider that has a roaming relationship with the MSA but it is not the MSA.
移动服务提供商(MSP):提供移动IPv6服务的服务提供商。当MSP==MSA时,MSP称为“主MSP”。在本文件中,术语MSP是指与MSA有漫游关系但不是MSA的移动服务提供商。
Split Scenario: A scenario where the mobility service and the network access service are authorized by different entities.
拆分场景:移动服务和网络访问服务由不同实体授权的场景。
Integrated Scenario: A scenario where the mobility service and the network access service are authorized by the same entity.
集成场景:移动服务和网络接入服务由同一实体授权的场景。
The following assumptions are made in this document:
本文件作出以下假设:
(a) MSA == ASA.
(a) MSA==ASA。
(b) MSA and MSP have a roaming relationship.
(b) MSA和MSP具有漫游关系。
(c) DHCP relay and NAS are either co-located or there is a mechanism to transfer received AAA information from the NAS to the DHCP relay.
(c) DHCP中继和NAS位于同一位置,或者有一种机制将接收到的AAA信息从NAS传输到DHCP中继。
Note: If assignment of a home agent in the home MSP is not required by a deployment, co-location of the NAS and the DHCP relay functions or a mechanism to transfer received AAA information from the NAS to the DHCP relay won't be necessary. In such a case, only the implementation of the options and procedures defined in [RFC6610] should suffice.
注意:如果部署不需要在归属MSP中分配归属代理,则不需要NAS和DHCP中继功能的同址,也不需要将接收到的AAA信息从NAS传输到DHCP中继的机制。在这种情况下,仅实施[RFC6610]中定义的选项和程序就足够了。
(d) The NAS shall support MIPv6-specific AAA attributes as specified in [RFC5447].
(d) NAS应支持[RFC5447]中规定的MIPv6特定AAA属性。
(e) The AAA server in the home domain (AAAH) used for network access authentication (ASA) has access to the same database as the AAAH used for the mobility service authentication (MSA).
(e) 用于网络访问身份验证(ASA)的主域(AAAH)中的AAA服务器可以访问与用于移动服务身份验证(MSA)的AAAH相同的数据库。
If home agent assignment is required only in the ASP by the deployment, a minimal implementation of this specification MAY only support the delivery of information from the DHCP server to the DHCP client through [RFC6610]. However, if home agent assignment in the MSP is required by the deployment, an implementation conforming to this specification SHALL be able to transfer the information received from the AAA server to the NAS, and from the NAS to the DHCP relay function. This can be achieved either by co-locating the NAS and the DHCP relay functions or via an interface between these functions. The details of this interface are out of the scope of this specification.
如果部署仅在ASP中需要归属代理分配,则此规范的最小实现可能仅支持通过[RFC6610]将信息从DHCP服务器传递到DHCP客户端。但是,如果部署需要在MSP中分配归属代理,则符合本规范的实现应能够将从AAA服务器接收到的信息传输到NAS,并将从NAS接收到的信息传输到DHCP中继功能。这可以通过共同定位NAS和DHCP中继功能或通过这些功能之间的接口来实现。此接口的详细信息不在本规范的范围内。
In the integrated scenario, the mobile node utilizes the network access authentication process to bootstrap Mobile IPv6. It is assumed that the access service authorizer is mobility service aware. This allows for Mobile IPv6 bootstrapping at the time of access authentication and authorization. Also, the mechanism defined in this document requires the NAS to support MIP6-specific AAA attributes and a co-located DHCP relay agent.
在集成场景中,移动节点利用网络访问身份验证过程引导移动IPv6。假设接入服务授权者是移动服务感知的。这允许在访问身份验证和授权时进行移动IPv6引导。此外,本文档中定义的机制要求NAS支持MIP6特定的AAA属性和一个位于同一位置的DHCP中继代理。
Figure 1 shows the AAA infrastructure with a AAA client (NAS), a AAA proxy in the visited network (AAAV), and a AAA server in the home network (AAAH).
图1显示了具有AAA客户端(NAS)、访问网络(AAAV)中的AAA代理和家庭网络(AAAH)中的AAA服务器的AAA基础设施。
| ASP(/MSP) | ASA/MSA(/MSP) | | +-------+ | +-------+ | | | | | |AAAV |-----------|--------|AAAH | | | | | | +-------+ | +-------+ | | | | | | | | +-----+ +------+ | +----+ | NAS/| |DHCP | | | MN |------|DHCP |----|Server| | +----+ |Relay| | | | +-----+ +------+ | | | +--------+ | +--------+ | HA | | | HA | | in ASP | | |in MSP | +--------+ | +--------+
| ASP(/MSP) | ASA/MSA(/MSP) | | +-------+ | +-------+ | | | | | |AAAV |-----------|--------|AAAH | | | | | | +-------+ | +-------+ | | | | | | | | +-----+ +------+ | +----+ | NAS/| |DHCP | | | MN |------|DHCP |----|Server| | +----+ |Relay| | | | +-----+ +------+ | | | +--------+ | +--------+ | HA | | | HA | | in ASP | | |in MSP | +--------+ | +--------+
Figure 1: Integrated Scenario, Network Diagram with DHCP Server
图1:集成场景,带有DHCP服务器的网络图
The user's home network authorizes the mobile node for network access and mobility services. Note that usage of a home agent with the mobile node might be selected in the access service provider's network or alternatively in the mobility service provider's network.
用户的家庭网络授权移动节点进行网络接入和移动服务。注意,可以在接入服务提供商的网络中或者可选地在移动服务提供商的网络中选择将归属代理用于移动节点。
The MSP may be co-located with the ASP, or the ASA/MSA, or independent of the two.
MSP可与ASP或ASA/MSA位于同一位置,或独立于两者。
The mobile node interacts with the DHCP server via the relay agent after the network access authentication as part of the mobile node configuration procedure.
作为移动节点配置过程的一部分,在网络访问认证之后,移动节点通过中继代理与DHCP服务器交互。
In this case, the mobile node is able to acquire the home agent address via a DHCPv6 query. In the integrated scenario, the ASA and the MSA are the same; it can be safely assumed that the AAAH used for network access authentication (ASA) has access to the same database as the AAAH used for the mobility service authentication (MSA). Hence, the same AAAH can authorize the mobile node for network access
在这种情况下,移动节点能够通过DHCPv6查询获取归属代理地址。在综合场景中,ASA和MSA是相同的;可以安全地假设,用于网络访问认证(ASA)的AAAH可以访问与用于移动服务认证(MSA)的AAAH相同的数据库。因此,相同的AAAH可以授权移动节点进行网络接入
and mobility service at the same time. When the MN performs Mobile IPv6 registration, the AAAH ensures that the MN is accessing the assigned home agent for that MSP.
同时提供移动服务。当MN执行移动IPv6注册时,AAAH确保MN正在访问为该MSP分配的归属代理。
Figure 2 shows the message sequence for home agent allocation in both scenarios -- HA in the ASP (which is co-located with the MSP), or HA in an MSP that is separate from ASP and possibly from the ASA/MSA as well.
图2显示了两种情况下归属代理分配的消息序列——ASP中的HA(与MSP位于同一位置),或MSP中的HA(与ASP分离,也可能与ASA/MSA分离)。
| --------------ASP------>|<--ASA+MSA-- | +----+ +------+ +-------+ +-----+ | | | | | | | | | MN/| |NAS/ | | DHCP | |AAAH | |User| |DHCP | | Server| | | | | |relay | | | | | +----+ +------+ +-------+ +-----+ | | | | | 1 | 1 | | |<------------->|<---------------------->| | | | | | | | | | 2 | | | |-------------->| | | | | | | | | 3 | | | |------------>| | | | | | | | 4 | | | |<------------| | | | | | | 5 | | | |<--------------| | | | | | |
| --------------ASP------>|<--ASA+MSA-- | +----+ +------+ +-------+ +-----+ | | | | | | | | | MN/| |NAS/ | | DHCP | |AAAH | |User| |DHCP | | Server| | | | | |relay | | | | | +----+ +------+ +-------+ +-----+ | | | | | 1 | 1 | | |<------------->|<---------------------->| | | | | | | | | | 2 | | | |-------------->| | | | | | | | | 3 | | | |------------>| | | | | | | | 4 | | | |<------------| | | | | | | 5 | | | |<--------------| | | | | | |
Figure 2: Message Sequence for Home Agent Allocation
图2:归属代理分配的消息序列
This section describes a scenario where the home agent is allocated in the mobile node's MSP network(s) that is (are) not co-located with the ASP. In order to provide the mobile node with information about the assigned home agent, the AAAH conveys the assigned home agent's information to the NAS via a AAA protocol, e.g., [RFC5447].
本节描述在移动节点的MSP网络中分配归属代理的场景,该移动节点的MSP网络不与ASP位于同一位置。为了向移动节点提供关于所分配的归属代理的信息,AAAH通过AAA协议(例如,[RFC5447])将所分配的归属代理的信息传送到NAS。
Figure 2 shows the message sequence for home agent allocation. In the scenario with HA in the MSP, the following details apply.
图2显示了归属代理分配的消息序列。在MSP中包含HA的场景中,以下详细信息适用。
(1) The mobile node executes the network access authentication procedure (e.g., IEEE 802.11i/802.1X), and it interacts with the NAS. The NAS is in the ASP, and it interacts with the AAAH, which is in the ASA/MSA, to authenticate the mobile node. In the process of authorizing the mobile node, the AAAH verifies in the AAA profile that the mobile node is allowed to use the Mobile IPv6 service. The AAAH assigns a home agent in the home MSP, and it assigns one or more home agents in other authorized MSPs and returns this information to the NAS. The NAS may keep the received information for a configurable duration, or it may keep the information for as long as the MN is connected to the NAS.
(1) 移动节点执行网络接入认证过程(例如,IEEE 802.11i/802.1X),并与NAS交互。NAS位于ASP中,它与ASA/MSA中的AAAH交互以验证移动节点。在授权移动节点的过程中,AAAH在AAA简档中验证移动节点被允许使用移动IPv6服务。AAAH在主MSP中分配一个主代理,并在其他授权MSP中分配一个或多个主代理,并将此信息返回NAS。NAS可以将接收到的信息保留一段可配置的持续时间,或者只要MN连接到NAS,NAS就可以将该信息保留一段时间。
(2) The mobile node sends a DHCPv6 Information-request message [RFC3315] to the All_DHCP_Relay_Agents_and_Servers multicast address. In this message, the mobile node (DHCP client) SHALL include the following:
(2) 移动节点将DHCPv6信息请求消息[RFC3315]发送到所有_DHCP_中继_代理_和_服务器多播地址。在该消息中,移动节点(DHCP客户端)应包括以下内容:
* the Option Code for the Visited Home Network Information option [RFC6610] in the OPTION_ORO.
* 选项中访问家庭网络信息选项[RFC6610]的选项代码。
* Client Home Network ID FQDN option identifying the MSP.
* 标识MSP的客户端家庭网络ID FQDN选项。
* the OPTION_CLIENTID to identify itself to the DHCP server
* 选项\u CLIENTID用于向DHCP服务器标识自身
(3) The relay agent intercepts the Information Request from the mobile node and forwards it to the DHCP server. The relay agent also includes the received home agent information from the AAAH in the Relay-Supplied Options option [RFC6610]. If a NAS implementation does not store the received information as long as the MN's session remains in the ASP, and if the MN delays sending a DHCP request, the NAS/DHCP relay does not include the Relay-Supplied Options option in the Relay Forward message.
(3) 中继代理截获来自移动节点的信息请求,并将其转发到DHCP服务器。中继代理还将从AAAH接收到的归属代理信息包括在中继提供的选项[RFC6610]中。如果只要MN的会话仍在ASP中,NAS实现就不存储接收到的信息,并且如果MN延迟发送DHCP请求,则NAS/DHCP中继在中继转发消息中不包括中继提供的选项。
(4) The DHCP server:
(4) DHCP服务器:
* identifies the client by looking at the DHCP Unique Identifier (DUID) for the client in the OPTION_CLIENTID.
* 通过查看选项_CLIENTID中客户端的DHCP唯一标识符(DUID)来标识客户端。
* determines that the mobile node is requesting home agent information in the MSP by looking at the Home Network ID FQDN option.
* 通过查看家庭网络ID FQDN选项,确定移动节点正在请求MSP中的家庭代理信息。
* determines that the home agent is allocated by the AAAH by looking at the Relay-Supplied Options option.
* 通过查看中继提供的选项,确定归属代理由AAAH分配。
* extracts the allocated home agent information from the Relay-Supplied Options option and includes it in the Identified Home Network Information option [RFC6610] in the Reply Message. If the requested information is not available in the DHCP server, it follows the behavior described in [RFC6610].
* 从中继提供的选项中提取分配的归属代理信息,并将其包括在应答消息中标识的归属网络信息选项[RFC6610]中。如果请求的信息在DHCP服务器中不可用,则遵循[RFC6610]中描述的行为。
(5) The relay agent relays the Reply Message from the DHCP server to the mobile node. At this point, the mobile node has the home agent information that it requested.
(5) 中继代理将应答消息从DHCP服务器中继到移动节点。此时,移动节点具有其请求的归属代理信息。
This section describes a scenario where the mobile node requests home agent allocation in the ASP by setting the id-type field to zero in the Home Network Identifier Option [RFC6610] in the DHCPv6 request message. In this scenario, the ASP becomes the MSP for the duration of the network access authentication session.
本节描述了一种场景,其中移动节点通过在DHCPv6请求消息中的家庭网络标识符选项[RFC6610]中将id type字段设置为零来请求ASP中的家庭代理分配。在此场景中,ASP在网络访问身份验证会话期间成为MSP。
Figure 2 shows the message sequence for home agent allocation. In the scenario with HA in the ASP, the following details apply.
图2显示了归属代理分配的消息序列。在ASP中具有HA的场景中,以下详细信息适用。
(1) The mobile node executes the network access authentication procedure (e.g., IEEE 802.11i/802.1X) and interacts with the NAS. The NAS is in the ASP, and it interacts with the AAAH, which is in the ASA/MSA, to authenticate the mobile node. In the process of authorizing the mobile node, the AAAH verifies in the AAA profile that the mobile node is allowed to use the Mobile IPv6 services. The AAAH assigns a home agent in the home MSP, and it assigns one or more home agents in other authorized MSPs and returns this information to the NAS. Note that the AAAH is not aware of the fact that the mobile node prefers a home agent allocation in the ASP. Therefore, the assigned home agent may not be used by the mobile node. This leaves the location of the mobility anchor point decision to the mobile node.
(1) 移动节点执行网络接入认证过程(例如,IEEE 802.11i/802.1X)并与NAS交互。NAS位于ASP中,它与ASA/MSA中的AAAH交互以验证移动节点。在授权移动节点的过程中,AAAH在AAA简档中验证移动节点被允许使用移动IPv6服务。AAAH在主MSP中分配一个主代理,并在其他授权MSP中分配一个或多个主代理,并将此信息返回NAS。注意,AAAH不知道移动节点更喜欢在ASP中分配归属代理这一事实。因此,移动节点可能不使用分配的归属代理。这将移动性锚点的位置决定留给移动节点。
(2) The mobile node sends a DHCPv6 Information Request message [RFC3315] to the All_DHCP_Relay_Agents_and_Servers multicast address. In this message, the mobile node (DHCP client) SHALL include the following:
(2) 移动节点将DHCPv6信息请求消息[RFC3315]发送到所有_DHCP_中继_代理_和_服务器多播地址。在该消息中,移动节点(DHCP客户端)应包括以下内容:
* the Option Code for the Home Network Identifier Option [RFC6610] in the OPTION_ORO.
* 选项中家庭网络标识符选项[RFC6610]的选项代码。
* the OPTION_CLIENTID to identify itself to the DHCP server.
* 选项\u CLIENTID用于向DHCP服务器标识自身。
(3) The relay agent (which is the NAS) intercepts the Information Request from the mobile node and forwards it to the DHCP server. The relay agent also includes the received AAA AVP from the AAAH in the Relay-Supplied Options option [RFC6610].
(3) 中继代理(即NAS)截获来自移动节点的信息请求,并将其转发到DHCP服务器。中继代理还将从AAAH接收到的AAA AVP包含在中继提供的选项[RFC6610]中。
(4) The DHCP server identifies the client by looking at the DUID for the client in the OPTION_CLIENTID. The DHCP server also determines that the mobile node is requesting home agent information in the ASP by looking at the Visited Home Network Information option. If configured to do so, the DHCP server allocates a home agent from its configured list of home agents and includes it in the Visited Home Network Information Option [RFC6610] in the Reply Message. Note that in this case, the DHCP server does not use the received information in the Relay-Supplied Options option.
(4) DHCP服务器通过查看选项\u CLIENTID中客户端的DUID来识别客户端。DHCP服务器还通过查看访问的家庭网络信息选项,确定移动节点正在ASP中请求家庭代理信息。如果配置为这样做,DHCP服务器将从其配置的归属代理列表中分配归属代理,并将其包括在应答消息中的到访归属网络信息选项[RFC6610]中。请注意,在这种情况下,DHCP服务器不会在中继提供的选项中使用接收到的信息。
(5) The relay agent relays the Reply Message from the DHCP server to the mobile node. At this point, the mobile node has the home agent information that it requested.
(5) 中继代理将应答消息从DHCP服务器中继到移动节点。此时,移动节点具有其请求的归属代理信息。
In the fallback case, the mobile node is not able to acquire the home agent information via DHCPv6. The mobile node MAY perform DNS queries to discover the home agent address as defined in [RFC5026]. To perform DNS-based home agent discovery, the mobile node needs to know the DNS server address. The details of how the MN is configured with the DNS server address are outside the scope of this document.
在回退情况下,移动节点不能通过DHCPv6获取归属代理信息。移动节点可执行DNS查询以发现在[RFC5026]中定义的归属代理地址。要执行基于DNS的归属代理发现,移动节点需要知道DNS服务器地址。有关如何使用DNS服务器地址配置MN的详细信息超出了本文档的范围。
In the integrated scenario, the HoA, IPsec Security Association setup, and Authentication and Authorization with the MSA are bootstrapped via the same mechanism as described in the bootstrapping solution for the split scenario [RFC5026].
在集成场景中,HoA、IPsec安全关联设置以及MSA的身份验证和授权通过与拆分场景的引导解决方案[RFC5026]中描述的相同机制引导。
The transport of the assigned home agent information via the AAA infrastructure (i.e., from the AAA server to the AAA client) to the NAS may only be integrity protected as per standard Diameter or other AAA protocol security mechanisms. No additional security considerations are imposed by the usage of this document. The security mechanisms provided by [RFC3588] are applicable for this purpose. This document does not introduce any new security issues to Mobile IPv6.
通过AAA基础设施(即,从AAA服务器到AAA客户端)将分配的归属代理信息传输到NAS只能根据标准Diameter或其他AAA协议安全机制进行完整性保护。本文档的使用不会带来额外的安全考虑。[RFC3588]提供的安全机制适用于此目的。本文档不会给移动IPv6带来任何新的安全问题。
The authors would like to thank Kilian Weniger, Vidya Narayanan, and George Tsirtsis for their review and comments. Thanks to Alfred Hoenes for thorough review and valuable suggestions to improve the readability of the document.
作者要感谢Kilian Weniger、Vidya Narayanan和George Tsirtsis的评论和评论。感谢阿尔弗雷德·霍恩斯(Alfred Hoenes)的全面审查和宝贵建议,以提高文件的可读性。
This contribution is a joint effort of the bootstrapping solution design team of the MEXT WG. The contributors include Jari Arkko, Julien Bournelle, Kuntal Chowdhury, Vijay Devarapalli, Gopal Dommety, Gerardo Giaretta, Junghoon Jee, James Kempf, Alpesh Patel, Basavaraj Patil, Hannes Tschofenig, and Alper Yegin.
这一贡献是MEXT工作组引导解决方案设计团队的共同努力。贡献者包括雅丽·阿尔科、朱利安·布内尔、昆塔·乔杜里、维杰·德瓦拉帕利、戈帕尔·多梅蒂、杰拉尔多·贾莱塔、吉荣勋、詹姆斯·肯普夫、阿尔佩什·帕特尔、巴萨瓦拉伊·帕蒂尔、汉内斯·茨霍芬尼和阿尔珀·叶金。
The design team members can be reached at the following email addresses:
可通过以下电子邮件地址联系设计团队成员:
Jari Arkko jari.arkko@kolumbus.fi Julien Bournelle julien.bournelle@orange-ftgroup.com Kuntal Chowdhury kc@radiomobiles.com Vijay Devarapalli Vijay.Devarapalli@AzaireNet.com Gopal Dommety dommety@yahoo.com Gerardo Giaretta gerardog@qualcomm.com Junghoon Jee jhjee@etri.re.kr James Kempf kempf@docomolabs-usa.com Alpesh Patel alpesh@cisco.com Basavaraj Patil basavaraj.patil@nsn.com Hannes Tschofenig hannes.tschofenig@nsn.com Alper Yegin alper.yegin@yegin.org
雅丽雅可雅丽。arkko@kolumbus.fi朱利安·博内尔·朱利安。bournelle@orange-ftgroup.com Kuntal Chowdhurykc@radiomobiles.com维杰·德瓦拉帕利·维杰。Devarapalli@AzaireNet.com戈帕尔·多梅蒂dommety@yahoo.com杰拉尔多·贾雷塔gerardog@qualcomm.com郑勋吉jhjee@etri.re.kr詹姆斯·坎普夫kempf@docomolabs-美国网站Alpesh Patelalpesh@cisco.com 巴萨瓦拉吉·帕蒂尔·巴萨瓦拉吉。patil@nsn.com汉内斯·乔菲尼·汉内斯。tschofenig@nsn.com阿尔帕·耶金·阿尔帕。yegin@yegin.org
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3315]Droms,R.,Bound,J.,Volz,B.,Lemon,T.,Perkins,C.,和M.Carney,“IPv6的动态主机配置协议(DHCPv6)”,RFC3315,2003年7月。
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC3588]Calhoun,P.,Loughney,J.,Guttman,E.,Zorn,G.,和J.Arkko,“直径基础协议”,RFC 3588,2003年9月。
[RFC5026] Giaretta, G., Kempf, J., and V. Devarapalli, "Mobile IPv6 Bootstrapping in Split Scenario", RFC 5026, October 2007.
[RFC5026]Giaretta,G.,Kempf,J.,和V.Devarapalli,“拆分场景中的移动IPv6引导”,RFC 5026,2007年10月。
[RFC5447] Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., and K. Chowdhury, "Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction", RFC 5447, February 2009.
[RFC5447]Korhonen,J.,Bournelle,J.,Tschofenig,H.,Perkins,C.,和K.Chowdhury,“Diameter移动IPv6:支持网络访问服务器到Diameter服务器的交互”,RFC 5447,2009年2月。
[RFC6275] Perkins, C., Johnson, D., and J. Arkko, "Mobility Support in IPv6", RFC 6275, July 2011.
[RFC6275]Perkins,C.,Johnson,D.,和J.Arkko,“IPv6中的移动支持”,RFC 62752011年7月。
[RFC6610] Jang, H., Yegin, A., Chowdhury, K., Choi, J., and T. Lemon, "DHCP Option for Home Agent Discovery in Mobile IPv6 (MIPv6)", RFC 6610, May 2012.
[RFC6610]Jang,H.,Yegin,A.,Chowdhury,K.,Choi,J.,和T.Lemon,“移动IPv6(MIPv6)中家庭代理发现的DHCP选项”,RFC 66102012年5月。
[RFC3753] Manner, J. and M. Kojo, "Mobility Related Terminology", RFC 3753, June 2004.
[RFC3753]Way,J.和M.Kojo,“机动性相关术语”,RFC 3753,2004年6月。
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
[RFC4301]Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 43012005年12月。
[RFC4640] Patel, A. and G. Giaretta, "Problem Statement for bootstrapping Mobile IPv6 (MIPv6)", RFC 4640, September 2006.
[RFC4640]Patel,A.和G.Giaretta,“引导移动IPv6(MIPv6)的问题陈述”,RFC 46402006年9月。
Authors' Addresses
作者地址
Kuntal Chowdhury (editor) Radio Mobile Access, Inc. 100 Ames Pond Dr. Tewksbury MA 01876
Kuntal Chowdhury(编辑)无线电移动接入公司100 Ames Pond博士Tewksbury MA 01876
EMail: kc@radiomobiles.com
EMail: kc@radiomobiles.com
Alper Yegin Samsung Istanbul Turkey
土耳其伊斯坦布尔阿尔珀·耶金酒店
EMail: alper.yegin@yegin.org
EMail: alper.yegin@yegin.org