aaav6 n. asokan/nokia research thomas eklund/switchcore patrik flykt/nokia research charles e....

Post on 12-Jan-2016


AAAv6

N. Asokan/Nokia Research

Thomas Eklund/Switchcore

Patrik Flykt/Nokia Research

Charles E. Perkins/Nokia Research

IETF 47

draft-ietf-perkins-aaav6-00.txt

Authorized Network Access v6

• Where is control exercised?

• How does node know what to do?

• What happened to the foreign agent/attendant?

Where to exercise control

• Default router already provides access to Internet

• Incoming packets directed by router’s Neighbor Cache

• Outgoing packets may be controlled by router’s Ingress Filtering

How does node know how to act?

• Advertisements from router

• Configured with MN-NAI

• Stateless vs. Stateful action, as usual

• Is router the attendant?

– in this case, additional relay functionality

• Or, does router advertise the attendant’s address?

– in this case, additional filtering rules needed

Stateless operation

• New node sends a Router Solicitation with credentials and MN-NAI

• Router returns a Router Advertisement with the results

• Of course, AAA is not stateless

[Figure labels: AAAF, AAAH, Default Router, charliep@nokia.com]

Operation with DHCPv6

• Node supplies MN-NAI and credentials as part of DHCP Request

• Node gets authorization indication in the status field of the DHCP Reply

Packet types

• MN-NAI extension to Router Solicitation

• AAA Credential extension to Router Solicitation

• AAA Reply to Router Advertisement

• MN-NAI and AAA Credential extensions to DHCP Request

• AAA Reply extension to DHCP Reply

Issues

• Key distribution?

• Generalized Key extensions a la MIER?

• Unmediated interaction with AAAL?

• Advertise the need for AAA as is done for managed links now?

• Relationship between address lifetime, key lifetime, and renewal of authorization?

• Relationship with aaa-hooks?

• Relationship with DHCPv4 + AAA?
