draft-ietf-netlmm-lma-discovery-03.txt   draft-ietf-netlmm-lma-discovery-04.txt 
Network-based Localized Mobility J. Korhonen Network-based Localized Mobility J. Korhonen
Management (NetLMM) Nokia Siemens Networks Management (NetLMM) Nokia Siemens Networks
Internet-Draft V. Devarapalli Internet-Draft V. Devarapalli
Intended status: Informational WiChorus Intended status: Informational WiChorus
Expires: August 28, 2010 February 24, 2010 Expires: November 25, 2010 May 24, 2010
LMA Discovery for Proxy Mobile IPv6 LMA Discovery for Proxy Mobile IPv6
draft-ietf-netlmm-lma-discovery-03.txt draft-ietf-netlmm-lma-discovery-04.txt
Abstract Abstract
Large Proxy Mobile IPv6 deployments would benefit from a Large Proxy Mobile IPv6 deployments would benefit from a
functionality, where a Mobile Access Gateway could dynamically functionality, where a Mobile Access Gateway could dynamically
discover a Local Mobility Anchor for a Mobile Node attaching to a discover a Local Mobility Anchor for a Mobile Node attaching to a
Proxy Mobile IPv6 domain. The purpose of the dynamic discovery Proxy Mobile IPv6 domain. The purpose of the dynamic discovery
functionality is to reduce the amount of static configuration in the functionality is to reduce the amount of static configuration in the
Mobile Access Gateway. This specification describes a number of Mobile Access Gateway. This document describes several possible
possible dynamic Local Mobility Anchor discovery solutions. dynamic Local Mobility Anchor discovery solutions.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 43 skipping to change at page 1, line 43
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 28, 2010. This Internet-Draft will expire on November 25, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
described in the BSD License. described in the BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. AAA-based Discovery Solutions . . . . . . . . . . . . . . . . 3 2. AAA-based Discovery Solutions . . . . . . . . . . . . . . . . 3
2.1. Receiving LMA Address during the Network Access 2.1. Receiving LMA Address during the Network Access
Authentication . . . . . . . . . . . . . . . . . . . . . . 4 Authentication . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Receiving LMA FQDN during the Network Access 2.2. Receiving LMA FQDN during the Network Access
Authentication . . . . . . . . . . . . . . . . . . . . . . 4 Authentication . . . . . . . . . . . . . . . . . . . . . . 4
3. Lower Layers based Discovery Solutions . . . . . . . . . . . . 5 3. Discovery Solutions based on Data from Lower Layers . . . . . 5
3.1. Constructing the LMA FQDN from a mobile node Identity . . 5 3.1. Constructing the LMA FQDN from a Mobile Node Identity . . 5
3.2. Receiving LMA FQDN or IP Address from Lower Layers . . . . 6 3.2. Receiving LMA FQDN or IP Address from Lower Layers . . . . 5
3.3. Constructing the LMA FQDN from a Service Name . . . . . . 6 3.3. Constructing the LMA FQDN from a Service Name . . . . . . 6
4. Domain Name System Considerations . . . . . . . . . . . . . . 6 4. Domain Name System Considerations . . . . . . . . . . . . . . 6
5. Handover Considerations . . . . . . . . . . . . . . . . . . . 7 5. Handover Considerations . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
9. Informative References . . . . . . . . . . . . . . . . . . . . 9 9. Informative References . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
Large Proxy Mobile IPv6 (PMIPv6) [RFC5213] deployments would benefit Large Proxy Mobile IPv6 (PMIPv6) [RFC5213] deployments would benefit
from a functionality, where a Mobile Access Gateway (MAG) could from a functionality, where a Mobile Access Gateway (MAG) could
dynamically discover a Local Mobility Anchor (LMA) for a Mobile Node dynamically discover a Local Mobility Anchor (LMA) for a Mobile Node
(MN) attaching to a PMIPv6 domain. The purpose of the dynamic (MN) attaching to a PMIPv6 domain. The purpose of the dynamic
discovery functionality is to reduce the amount of static discovery functionality is to reduce the amount of static
configuration in the MAG. Other drivers for the dynamic discovery of configuration in the MAG. Other drivers for the dynamic discovery of
a LMA include LMA load balancing solutions and selecting LMA based on a LMA include LMA load balancing solutions and selecting a LMA based
desired services (i.e. allowing service-specific routing of traffic). on desired services (i.e. allowing service-specific routing of
This document describes a number of possible dynamic LMA discovery traffic) [RFC5149]. This document describes several possible dynamic
solutions. LMA discovery solutions.
There are a number of different ways for dynamically discovering the The following list briefly introduces solutions that will be
LMA at the MAG. The following list briefly introduces solutions that discussed in this document:
will be discussed in this specification:
o LMA Address from AAA during the network access authentication o LMA Address from AAA during the network access authentication
procedure when the MN attaches to the MAG. procedure when the MN attaches to the MAG.
o LMA FQDN from AAA during the network access authentication, o LMA FQDN from AAA during the network access authentication,
followed by a Domain Name System (DNS) lookup. followed by a Domain Name System (DNS) lookup.
o LMA FQDN derived from the MN identity received from the lower o LMA FQDN derived from the MN identity received from the lower
layers during the network attachment, followed by a DNS lookup. layers during the network attachment, followed by a DNS lookup.
o LMA FQDN or IP address received from the lower layers during the o LMA FQDN or IP address received from the lower layers during the
network attachment followed by an optional DNS lookup. network attachment. The reception of an FQDN from the lower
layers is followed by a DNS lookup.
o LMA FQDN derived from the service selection indication received o LMA FQDN derived from the service selection indication received
from lower layers during the network attachment, followed by a DNS from lower layers during the network attachment, followed by a DNS
lookup. lookup.
When a MN performs a handover from one MAG to another, the new MAG When a MN performs a handover from one MAG to another, the new MAG
must use the same LMA that the old MAG was using. This is required must use the same LMA that the old MAG was using. This is required
for session continuity. The LMA discovery mechanism used by the new for session continuity. The LMA discovery mechanism used by the new
MAG should be able to return the information about the same LMA that MAG should be able to return the information about the same LMA that
was being used by the old MAG. This document also discusses was being used by the old MAG. This document also discusses
solutions for LMA discovery during a handover. solutions for LMA discovery during a handover.
2. AAA-based Discovery Solutions 2. AAA-based Discovery Solutions
This section presents a LMA discovery solution that requires a MAG to This section presents a LMA discovery solution that requires a MAG to
be connected to an AAA infrastructure. The AAA infrastructure is be connected to an AAA infrastructure. The AAA infrastructure is
also assumed to be aware of and support PMIPv6 functionality. A MN also assumed to be aware of and support PMIPv6. A MN attaching to a
attaching to a PMIPv6 domain is typically required to authenticate to PMIPv6 domain is typically required to provide authentication for
the network access and to be authorized for the mobility services network access and to be authorized for mobility services before the
before the MN is allowed to send or receive any IP packets or even MN is allowed to send or receive any IP packets or even complete its
complete its IP level configuration. IP level configuration.
The AAA-based LMA discovery solution hooks into the network access The AAA-based LMA discovery solution hooks into the network access
authentication and authorization procedure. The MAG has also the authentication and authorization procedure. The MAG has also the
role of a Network Access Server (NAS) at this step. While the MN is role of a Network Access Server (NAS) at this step. While the MN is
attaching to the network, the PMIPv6 related parameters are attaching to the network, the PMIPv6 related parameters are
bootstrapped at the same time the MN is authenticated for the network bootstrapped at the same time the MN is authenticated for the network
access and authorized for the mobility services using the AAA access and authorized for the mobility services using the AAA
infrastructure. The PMIPv6 parameters bootstrapping involves the infrastructure. The PMIPv6 parameters bootstrapping involves the
Policy Profile download over the AAA infrastructure to the MAG. The Policy Profile download over the AAA infrastructure to the MAG (see
procedure for the Policy Profile download resembles largely the Appendix A of [RFC5213]).
client Mobile IPv6 Integrated Scenario bootstrapping [RFC5447].
2.1. Receiving LMA Address during the Network Access Authentication 2.1. Receiving LMA Address during the Network Access Authentication
After the MN has successfully authenticated for the network access After the MN has successfully authenticated for the network access
and authorized for the mobility service, the MAG receives the LMA IP and authorized for the mobility service, the MAG receives the LMA IP
address(es) from the AAA server over the AAA infrastructure. The LMA address(es) from the AAA server over the AAA infrastructure. The LMA
IP address information would be part of the AAA message(s) that ends IP address information would be part of the AAA message(s) that ends
the successful authentication and authorization AAA exchange. the successful authentication and authorization AAA exchange.
Once the MAG receives the LMA IP address(es), it sends Proxy Binding Once the MAG receives the LMA IP address(es), it sends Proxy Binding
Update (PBU) message for the newly authenticated and authorized MN. Update (PBU) message for the newly authenticated and authorized MN.
The MAG trusts that the LMA returned by the AAA server is able to The MAG trusts that the LMA returned by the AAA server is able to
provide mobility session continuity for the MN, i.e. after a handover provide mobility session continuity for the MN, i.e. after a handover
the LMA would be the same the MN already has a mobility session set the LMA would be the same one the MN already has a mobility session
up with. set up with.
2.2. Receiving LMA FQDN during the Network Access Authentication 2.2. Receiving LMA FQDN during the Network Access Authentication
This solution is identical to the procedure described in Section 2.1. This solution is similar to the procedure described in Section 2.1.
The difference is that the MAG receives a Fully Qualified Domain Name The difference is that the MAG receives a Fully Qualified Domain Name
(FQDN) of the LMA instead of the IP address(es). The MAG has to (FQDN) of the LMA instead of the IP address(es). The MAG has to
query the DNS infrastructure in order to resolve the FQDN to the LMA query the DNS infrastructure in order to resolve the FQDN to the LMA
IP address(es). IP address(es).
The LMA FQDN might be a generic to a PMIPv6 domain resolving to one The LMA FQDN might be a generic name for a PMIPv6 domain that
or more LMAs in the said domain. Alternatively the LMA FQDN might resolves to one or more LMAs in the PMIPv6 domain. Alternatively the
resolve to exactly one LMA within the PMIPv6 domain. The latter LMA FQDN might be resolved to exactly one LMA within the PMIPv6
approach would obviously be useful if a new target MAG after a domain. The latter approach would obviously be useful if a new
handover should resolve the LMA FQDN to the LMA IP address where the target MAG after a handover should resolve the LMA FQDN to the LMA IP
MN mobility session is already located. address where the MN mobility session is already located.
The procedures described in this section and in Section 2.1 may also The procedures described in this section and in Section 2.1 may also
be used together. For example, the AAA server might return a generic be used together. For example, the AAA server might return a generic
LMA FQDN during the MN initial attach and once the LMA gets selected, LMA FQDN during the MN initial attach and once the LMA gets selected,
return the LMA IP address during the subsequent attachments to other return the LMA IP address during the subsequent attachments to other
MAGs in the PMIPv6 domain. In order for this to work, the resolved MAGs in the PMIPv6 domain. In order for this to work, the resolved
and selected LMA IP address must be updated to the remote Policy and selected LMA IP address must be updated to the remote Policy
Store. For example, the LMA could perform the update once it Store. For example, the LMA could perform the update once it
receives the initial PBU from the MAG for the new mobility session. receives the initial PBU from the MAG for the new mobility session.
3. Lower Layers based Discovery Solutions 3. Discovery Solutions based on Data from Lower Layers
The following section discusses solutions, where the MAG receives The following section discusses solutions, where the MAG receives
information from lower layers below the IP layer when the MN attaches information from lower layers below the IP layer when the MN attaches
to the MAG. Based on this information, the MAG is then able to to the MAG. Based on this information, the MAG is then able to
determine which LMA to contact. These solution could essentially determine which LMA to contact. These solutions could allow large
allow large PMIPv6 deployments without the AAA infrastructure. The PMIPv6 deployments without any AAA infrastructure. The lower layers
lower layers discussed here are not explicitly defined but could discussed here are not explicitly defined but could include different
include different radio access technologies and tunneling solutions radio access technologies and tunneling solutions such as IKEv2
such as IKEv2 [RFC4306] IPsec tunnel [RFC4303]. [RFC4306] IPsec tunnel [RFC4303].
3.1. Constructing the LMA FQDN from a mobile node Identity 3.1. Constructing the LMA FQDN from a Mobile Node Identity
Depending on the actual network access technology, the MAG may be Depending on the actual network access technology, the MAG may be
able to receive a MN identity (or actually the subscription identity able to receive a MN identity as a result of the network access
but from now on we assume that the MN identity equals to the attachment procedure. The MN may signal its identity as part of the
subscription identity, which is a rather broad simplification) as a attachment signaling or alternatively the MAG may receive the MN
result of the network access attachment procedure. The MN may signal identity from a remote policy store.
its identity as part of the attachment signaling or alternatively the
MAG receives the MN identity from a remote policy store.
Once the MAG has acquired the MN identity, the MAG can use the Once the MAG has acquired the MN identity, the MAG can use the
information embedded in the identity to construct a generic LMA FQDN information embedded in the identity to construct a generic LMA FQDN
(based on some pre-configured formatting rules) and then proceed to (based on some pre-configured formatting rules) and then proceed to
resolve the LMA IP address(es) using the DNS. Obviously, the MN resolve the LMA IP address(es) using the DNS. Obviously, the MN
identity must embed information elements that can be extracted and at identity must embed information that can be used to determine the
minimum used to determine the entity hosting and operating the LMA entity hosting and operating the LMA for the MN. Examples of such
for the MN. Thus the MN identity in this solution cannot be a "flat" identities are the International Mobile Subscriber Identity (IMSI) or
identity without any structure and "clear text" parts containing the Globally Unique Temporary User Equipment Identity (GUTI)
hosting entity information. Examples of such identities are the [3GPP.23.003] that both contain information of the operator owning
International Mobile Subscriber Identity (IMSI) or Globally Unique the given subscription.
Temporary User Equipment Identity (GUTI) [3GPP.23.003] that both
contain information of the operator owning the given subscription.
The solution discussed in this section has issues if MN's identity The solution discussed in this section has issues if MN identity does
does not embed enough information. In a case the MN identity does not embed enough information. If the MN identity does not embed any
not embed any LMA hosting entity information, the MAG might use a LMA hosting entity information, the MAG might use a local database to
local database to map MN identities to corresponding LMAs. However, map MN identities to corresponding LMAs. However, this solution is
this solution is unlikely to scale outside a limited PMIPv6 domain. unlikely to scale outside a limited PMIPv6 domain.
3.2. Receiving LMA FQDN or IP Address from Lower Layers 3.2. Receiving LMA FQDN or IP Address from Lower Layers
The solution described in this section is similar to the solution The solution described in this section is similar to the solution
discussed in Section 3.1. Instead of deriving the LMA FQDN from the discussed in Section 3.1. Instead of deriving the LMA FQDN from the
MN identity, the MAG receives a LMA FQDN or an IP address information MN identity, the MAG receives a LMA FQDN or an IP address information
from lower layers, for example, as a part of the normal lower layer from lower layers, for example, as a part of the normal lower layer
signaling when the MN attaches to the network. IKEv2 could be signaling when the MN attaches to the network. IKEv2 could be
existing example of such lower layer signaling when IPsec is the existing example of such lower layer signaling when IPsec is the
"lower layer" for the MN. IKEv2 has an IKEv2 IDr payload, which is "lower layer" for the MN. IKEv2 has an IKEv2 IDr payload, which is
used by the IKEv2 initiator (i.e. the MN in this case) to specify used by the IKEv2 initiator (i.e. the MN in this case) to specify
which of the responder's identities (i.e. the LMA in this case) it which of the responder's identities (i.e. the LMA in this case) it
wants to talk to. And here the responder indentity could be an FQDN wants to talk to. And here the responder identity could be an FQDN
or an IP address of the LMA (as the IKEv2 identification payload can or an IP address of the LMA (as the IKEv2 identification payload can
be an IP address or an FQDN). Another existing example is the Access be an IP address or an FQDN). Another existing example is the Access
Point Name Information Element (APN IE) in 3GPP radio's network Point Name Information Element (APN IE) in 3GPP radio's network
access signaling capable of carrying a FQDN [3GPP.24.008]. However, access signaling capable of carrying a FQDN [3GPP.24.008]. However,
in general this means the MN is also the originator of the LMA in general this means the MN is also the originator of the LMA
information. The LMA information content as such can be transparent information. The LMA information content as such can be transparent
to the MN, meaning the MN has no knowledge it being anything LMA to the MN, meaning the MN does not associate the information with any
related. LMA function..
3.3. Constructing the LMA FQDN from a Service Name 3.3. Constructing the LMA FQDN from a Service Name
Some network access technologies (including tunneling solutions) Some network access technologies (including tunneling solutions)
allow the MN to signal the service name that identifies a particular allow the MN to signal the service name that identifies a particular
service or the external network it wants to access. If the MN service or the external network it wants to access [3GPP.24.302]
originated service name also embeds the information of the entity [RFC4306]. If the MN originated service name also embeds the
hosting the service or the hosting information can be derived from information of the entity hosting the service or the hosting
other information available at the same time (e.g., see Section 3.1), information can be derived from other information available at the
then the MAG can construct a generic LMA FQDN (e.g., based on some same time (e.g., see Section 3.1), then the MAG can construct a
pre-defined formatting rules) providing an access to the service or generic LMA FQDN (e.g., based on some pre-defined formatting rules)
the external network. The pre-defined formatting rules are usually providing an access to the service or the external network. The pre-
agreed on among operators that belong to the same inter-operator defined formatting rules [3GPP.23.003] are usually agreed on among
roaming consortium or by network infrastructure vendors defining an operators that belong to the same inter-operator roaming consortium
open networking system architecture. or by network infrastructure vendors defining an open networking
system architecture.
Once the MAG has the FQDN it can proceed to resolve the LMA IP Once the MAG has the FQDN it can proceed to resolve the LMA IP
address(es) using the DNS. An example of such service or external address(es) using the DNS. An example of such service or external
network name is the Access Point Name (APN) [3GPP.23.003] that network name is the Access Point Name (APN) [3GPP.23.003] that
contain information of the operator providing the access to the given contain information of the operator providing the access to the given
service or the external network. service or the external network.
4. Domain Name System Considerations 4. Domain Name System Considerations
A number of LMA discovery solutions described in Section 2 and Some LMA discovery solutions described in Section 2 and Section 3
Section 3 eventually depend on the DNS. This section discusses eventually depend on the DNS. This section discusses impacts of the
impacts of the DNS response caching and issues related to the Dynamic DNS response caching and issues related to the Dynamic DNS [RFC2136]
DNS [RFC2136] updates. updates. The impacts and related issues can mostly be avoided by a
proper DNS administration that takes PMIPv6 domain deployment aspects
into consideration.
The caching (positive or negative) properties of the DNS [RFC2308] The caching (positive or negative) properties of the DNS [RFC2308]
and the fact that updates to the DNS take time to propagate globally, and the fact that updates to the DNS take time to propagate globally,
need to be considered when applying DNS-based solutions to the PMIPv6 need to be considered when applying DNS-based solutions to the PMIPv6
domain. First, the caching of DNS responses effectively delay the domain. First, the caching of DNS responses effectively delays the
propagation of up to date FQDN to IP address mappings (after both propagation of up to date FQDN to IP address mappings (after both
addition and deletion). Hosts in the PMIPv6 domain keep using the addition and deletion). Hosts in the PMIPv6 domain keep using the
stale cached DNS response (positive or negative) until they give up stale cached DNS response (positive or negative) until they give up
or the caching times out. The delay can be in order of hours in the or the cached data times out. The delay can be in order of hours in
worst case. On the other hand, DNS administrators can lower the the worst case. On the other hand, DNS administrators can lower the
resource record caching time (the Time To Live (TTL) value). resource record caching time (the Time To Live (TTL) value). Low TTL
Obviously, too low TTL values increase the number of DNS queries values increase the number of DNS queries considerably. Second, the
considerably. Second, the secondary DNS servers do not get secondary DNS servers do not get immediately updated when the masters
immediately updated when the masters do. These updates are also do. These updates are also periodic, usually in order of several
periodic, usually in order of several hours, and may cause hours, and may cause considerable delay on global propagation of the
considerable delay on global propagation of the updated naming updated naming information. Third, some DNS resolvers ignore low
information. Third, some DNS resolvers ignore low TTLs, replacing TTLs, replacing them with a higher default value. This could lead to
them with a higher default value. This could lead to outdated LMA outdated LMA information being around for longer than desired.
information being around for longer than desired.
The above considerations are valid when, for example, the PMIPv6 The above considerations are valid when, for example, the PMIPv6
domain LMA availability or load information is dynamically updated domain LMA availability or load information is dynamically updated
into the DNS. There are incentives for doing so, however, the into the DNS. There are incentives for doing so, however, the
concerns described above need to be understood clearly in that case. concerns described above need to be understood clearly in that case.
5. Handover Considerations 5. Handover Considerations
Whenever a MN moves and attaches to a new MAG in a PMIPv6 domain, all Whenever a MN moves and attaches to a new MAG in a PMIPv6 domain, all
the MAGs that the MN attaches to, should use the same LMA. If there the MAGs that the MN attaches to, should use the same LMA. If there
skipping to change at page 8, line 4 skipping to change at page 7, line 46
Relying on DNS during handovers is not generally a working solution Relying on DNS during handovers is not generally a working solution
if the PMIPv6 domain has more than one LMA, unless the DNS if the PMIPv6 domain has more than one LMA, unless the DNS
consistently assigns a specific LMA for each given MN. In most cases consistently assigns a specific LMA for each given MN. In most cases
described in Section 3, where the MAG derives the LMA FQDN, there is described in Section 3, where the MAG derives the LMA FQDN, there is
no prior knowledge whether the LMA FQDN resolves to one or more LMA no prior knowledge whether the LMA FQDN resolves to one or more LMA
IP address(es) in the PMIPv6 domain. However, depending on the IP address(es) in the PMIPv6 domain. However, depending on the
deployment and deployment related regulation (such as inter-operator deployment and deployment related regulation (such as inter-operator
roaming consortium agreements) the situation might not be this roaming consortium agreements) the situation might not be this
desperate. For example, a MAG might be able to synthesize a LMA desperate. For example, a MAG might be able to synthesize a LMA
specific FQDN (e.g. out of MN identity or some other service specific specific FQDN (e.g. out of MN identity or some other service specific
parameters). Another alternative could that MAG uses, for example, a parameters). Alternatively, the MAG could use (for example), a MN
MN identity as an input to an algorithm that deterministically identity as an input to an algorithm that deterministically assigns
assigns the same LMA out of a pool of LMAs (assuming the MAG has e.g. the same LMA out of a pool of LMAs (assuming the MAG has e.g. learned
learned a group of LMA FQDNs via SRV [RFC2782] query). These a group of LMA FQDNs via SRV [RFC2782] query). These approaches
approaches would guarantee that DNS returns always the same LMA would guarantee that DNS returns always the same LMA Address to the
Address to the MAG. MAG.
Once the MN completes its initial attachment to a PMIPv6 domain, the Once the MN completes its initial attachment to a PMIPv6 domain, the
information about the LMA that is selected to serve the MN is stored information about the LMA that is selected to serve the MN is stored
in the Policy Store (or the AAA server). The LMA information is in the Policy Store (or the AAA server). The LMA information is
conveyed to the policy store by the LMA after the initial attachment conveyed to the policy store by the LMA after the initial attachment
is completed [I-D.ietf-dime-pmip6]. Typically AAA infrastructure is is completed [RFC5779]. Typically AAA infrastructure is used for
used for exchanging information between the LMA and the Policy Store. exchanging information between the LMA and the Policy Store.
When the MN moves and attaches to another MAG in the PMIPv6 domain, When the MN moves and attaches to another MAG in the PMIPv6 domain,
then the AAA servers delivers the existing LMA information to the new then the AAA servers delivers the existing LMA information to the new
MAG as part of the authentication and authorization procedure as MAG as part of the authentication and authorization procedure as
described in Section 2.1 described in Section 2.1
6. Security Considerations 6. Security Considerations
The use of DNS for obtaining the IP address of a mobility agent The use of DNS for obtaining the IP address of a mobility agent
carries certain security risks. These are explained in detail in carries certain security risks. These are explained in detail in
Section 9.1 of RFC 5026 [RFC5026]. However, the risks described in Section 9.1 of [RFC5026]. However, the risks described in [RFC5026]
RFC 5026 are mitigated to a large extent in this document, since the are mitigated to a large extent in this document, since the MAG and
MAG and the LMA belong belong to the same PMIPv6 domain. The DNS the LMA belong to the same PMIPv6 domain. The DNS server that the
server that the MAG queries is also part of the same PMIPv6 domain. MAG queries is also part of the same PMIPv6 domain. Even if the MAG
Even if the MAG obtains the IP address of a bogus LMA from a bogus obtains the IP address of a bogus LMA from a bogus DNS server,
DNS server, further harm is prevented since the MAG and the LMA further harm is prevented since the MAG and the LMA should
should authenticate each other before exchanging PMIPv6 signaling authenticate each other before exchanging PMIPv6 signaling messages.
messages. RFC 5213 [RFC5213] specifies the use of IKEv2 [RFC4306] [RFC5213] specifies the use of IKEv2 between the MAG and the LMA to
between the MAG and the LMA to authenticate each other and setup authenticate each other and setup IPsec security associations for
IPsec security associations for protecting the PMIPv6 signaling protecting the PMIPv6 signaling messages.
messages.
The AAA infrastructure may be used to transport the LMA discovery The AAA infrastructure may be used to transport the LMA discovery
related information between the MAG and the AAA server via one or related information between the MAG and the AAA server via one or
more AAA brokers and/or AAA proxies. In this case the MAG to the AAA more AAA brokers and/or AAA proxies. In this case the MAG to the AAA
server communication relies on the security properties of the server communication relies on the security properties of the
intermediate AAA brokers and AAA proxies. intermediate AAA brokers and AAA proxies.
7. IANA Considerations 7. IANA Considerations
This specification has no actions for IANA. This document has no actions for IANA.
8. Acknowledgements 8. Acknowledgements
The authors would like to thank Julien Laganier, Christian Vogt, The authors would like to thank Julien Laganier, Christian Vogt,
Ryuji Wakikawa, Frank Xia, Behcet Sarikaya and Xiangsong Cui for Ryuji Wakikawa, Frank Xia, Behcet Sarikaya, Charlie Perkins, Qin Wu
their comments, extensive discussions and suggestions on this and Xiangsong Cui for their comments, extensive discussions and
document. suggestions on this document.
9. Informative References 9. Informative References
[3GPP.23.003] [3GPP.23.003]
3GPP, "Numbering, addressing and identification", 3GPP 3GPP, "Numbering, addressing and identification", 3GPP
TS 23.003 8.2.0, September 2008. TS 23.003 8.2.0, September 2008.
[3GPP.24.008] [3GPP.24.008]
3GPP, "Mobile radio interface Layer 3 specification", 3GPP 3GPP, "Mobile radio interface Layer 3 specification", 3GPP
TS 24.008 8.6.0, June 2009. TS 24.008 8.6.0, June 2009.
[I-D.ietf-dime-pmip6] [3GPP.24.302]
Korhonen, J., Bournelle, J., Chowdhury, K., Muhanna, A., 3GPP, "Access to the 3GPP Evolved Packet Core (EPC) via
and U. Meyer, "Diameter Proxy Mobile IPv6: Mobile Access non-3GPP access networks", 3GPP TS 24.302 8.5.0,
Gateway and Local Mobility Anchor Interaction with March 2010.
Diameter Server", draft-ietf-dime-pmip6-04 (work in
progress), September 2009.
[I-D.ietf-mipshop-pfmipv6] [I-D.ietf-mipshop-pfmipv6]
Yokota, H., Chowdhury, K., Koodli, R., Patil, B., and F. Yokota, H., Chowdhury, K., Koodli, R., Patil, B., and F.
Xia, "Fast Handovers for Proxy Mobile IPv6", Xia, "Fast Handovers for Proxy Mobile IPv6",
draft-ietf-mipshop-pfmipv6-12 (work in progress), draft-ietf-mipshop-pfmipv6-14 (work in progress),
December 2009. May 2010.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997. RFC 2136, April 1997.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, March 1998. NCACHE)", RFC 2308, March 1998.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
skipping to change at page 10, line 8 skipping to change at page 9, line 46
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005. RFC 4303, December 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005. RFC 4306, December 2005.
[RFC5026] Giaretta, G., Kempf, J., and V. Devarapalli, "Mobile IPv6 [RFC5026] Giaretta, G., Kempf, J., and V. Devarapalli, "Mobile IPv6
Bootstrapping in Split Scenario", RFC 5026, October 2007. Bootstrapping in Split Scenario", RFC 5026, October 2007.
[RFC5149] Korhonen, J., Nilsson, U., and V. Devarapalli, "Service
Selection for Mobile IPv6", RFC 5149, February 2008.
[RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., [RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K.,
and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008. and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.
[RFC5447] Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C., [RFC5779] Korhonen, J., Bournelle, J., Chowdhury, K., Muhanna, A.,
and K. Chowdhury, "Diameter Mobile IPv6: Support for and U. Meyer, "Diameter Proxy Mobile IPv6: Mobile Access
Network Access Server to Diameter Server Interaction", Gateway and Local Mobility Anchor Interaction with
RFC 5447, February 2009. Diameter Server", RFC 5779, February 2010.
Authors' Addresses Authors' Addresses
Jouni Korhonen Jouni Korhonen
Nokia Siemens Networks Nokia Siemens Networks
Linnoitustie 6 Linnoitustie 6
FIN-02600 Espoo FIN-02600 Espoo
Finland Finland
Email: jouni.nospam@gmail.com Email: jouni.nospam@gmail.com
 End of changes. 35 change blocks. 
124 lines changed or deleted 121 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/