Diameter Mobile IPv4 [RFC4004] AVPs

Diameter Mobile IPv4 Application (application id: 2)

The Diameter Mobile IPv4 Application, defined by RFC 4004, is an essential protocol for supporting Mobile IPv4 services within the context of Authentication, Authorization, and Accounting (AAA) operations. This application facilitates seamless mobility management for Mobile Nodes (MNs) as they move across different administrative domains while maintaining a constant IP address.
The primary purpose of the Diameter Mobile IPv4 Application is to provide a standardized mechanism for AAA functions within the Mobile IPv4 framework. This includes verifying the identity of a Mobile Node (MN), authorizing its access to network resources, and accounting for its usage while connected to the network. The application ensures that these functions are securely and efficiently performed as the MN moves between home and foreign networks.

The architecture involves key entities:

  • Mobile Node (MN): A device that moves between networks, maintaining connectivity through a fixed home IP address.
  • Home Agent (HA): A network node in the home domain responsible for managing the MN's IP address and forwarding packets to its current location.
  • Foreign Agent (FA): A network node in the visited domain that facilitates the MN's attachment to the network and interacts with the HA to tunnel packets to the MN.
  • AAA Home (AAAH) and AAA Foreign (AAAF) Servers: These servers are responsible for authenticating and authorizing the MN in the home and visited domains, respectively.

Diameter Mobile IPv4 Application interface workflow:

Registration Request and Creation of AMR Message:

  • When an MN moves into a foreign domain, it initiates a Registration Request to the FA. The FA creates an AA-Mobile-Node-Request (AMR) message, encapsulating important details such as the MN’s Home Address, Home Agent, and other relevant attributes.

AMR Message Handling:

  • The FA forwards the AMR message to the AAAF in the visited realm. The AAAF determines whether to process the request locally or forward it to the home realm's AAAH for further processing. If forwarded, the AAAH authenticates the MN and verifies its authorization to use network resources.

Authorization and Response:

  • The AAAH processes the request and sends back an AA-Mobile-Node-Answer (AMA) message. This message grants or denies the requested service, including the expiration time of the authorization.

Session Establishment and Management:

  • Upon successful authorization, the HA sets up the tunneling and routing needed to forward packets to the MN in the foreign network. Session identifiers are generated and managed to track the MN's ongoing session as it moves across networks, so that the session stays intact even if the MN attaches to several FAs during its mobility.

Session State and Management:

  • The session state may be maintained by either the AAAH or the AAAF, depending on the session's specific requirements. Some session information is kept at the FA and HA levels to facilitate continued service delivery as the MN roams.

For the complete technical specification of the Diameter Mobile IPv4 Application, refer to [RFC4004].

package com.mobius.software.telco.protocols.diameter.primitives.rfc4004

Each AVP below is listed as Name (AVP Code, Data Type, Vendor), followed by its description.

MIP-Algorithm-Type (AVP Code: 345, Data Type: Enumerated, Vendor: IETF)

Used to specify the algorithm identifier associated with Mobile IPv4 (MIPv4) authentication extensions. This AVP allows the Home Authentication, Authorization, and Accounting (HAAA) system to select the algorithm type for securing Mobile IPv4 communication.

Enumerated Values:

2: HMAC-SHA-1: The HMAC-SHA-1 algorithm, used for the Mobile IPv4 authentication extensions.

MIP-Authenticator-Length (AVP Code: 339, Data Type: Unsigned32, Vendor: IETF)

Specifies the length (in bytes) of the Mobile IPv4 (MIPv4) authenticator to be validated by the targeted AAA server (also known as AAAH). It is primarily used during MIPv4 authentication and authorization procedures.

MIP-Authenticator-Offset (AVP Code: 340, Data Type: Unsigned32, Vendor: IETF)

Specifies the offset position (in bytes) into the Registration Request Data where the Mobile IPv4 (MIPv4) authenticator is located. This information is used by the targeted AAA server (AAAH) to locate and validate the authenticator during the MIPv4 registration process.

MIP-Auth-Input-Data-Length (AVP Code: 338, Data Type: Unsigned32, Vendor: IETF)

Specifies the length (in bytes) of the Registration Request Data used as input to the authentication algorithm during the Mobile IPv4 (MIPv4) registration process. This length defines the portion of the MIP-Reg-Request AVP that is validated against the Authenticator Data provided by the mobile node.

MIP-Candidate-Home-Agent-Host (AVP Code: 336, Data Type: DiameterIdentity, Vendor: IETF)

Specifies the identity of a home agent in the foreign network that the AAAF (Foreign AAA Server) proposes for dynamic assignment to a mobile node (MN) during Mobile IPv4 (MIPv4) registration.

MIP-FA-Challenge (AVP Code: 344, Data Type: OctetString, Vendor: IETF)

Contains the challenge generated by the Foreign Agent (FA) and advertised to the Mobile Node (MN) during Mobile IPv4 (MIPv4) authentication and registration. This AVP is mandatory in the AA-Mobile-Node-Request (AMR) if the mobile node used the RADIUS-style MN-AAA computation algorithm [MIPCHAL].

MIP-FA-to-HA-MSA (AVP Code: 328, Data Type: Grouped, Vendor: IETF)

Contains the Foreign Agent (FA) to Home Agent (HA) session key. This AVP is sent to the FA in an AA-Mobile-Node-Answer (AMA) message to establish a secure session between the FA and HA for Mobile IPv4 communication.

The AVP structure is defined as follows:

MIP-FA-to-HA-SPI (Mandatory): Contains the Security Parameter Index (SPI) assigned by the HA for session authentication.

MIP-Algorithm-Type (Mandatory): Specifies the algorithm type for authentication (e.g., HMAC-SHA-1).

MIP-Session-Key (Mandatory): Includes the session key for validating the authentication extension.

MIP-FA-to-HA-SPI (AVP Code: 318, Data Type: Unsigned32, Vendor: IETF)

Represents the Security Parameter Index (SPI) utilized by the Foreign Agent (FA) and Home Agent (HA) for identifying the FA-HA mobility security association. The HA dynamically allocates this value to manage secure communications between the agents.

Must not be within the range 0–255 (reserved namespace). Each SPI must be unique for a given FA-HA security association. SPI values are assigned by the HA dynamically during session setup.
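The MIP-FA-to-HA-MSA structure above and the reserved-range rule for MIP-FA-to-HA-SPI, as an added example that is not code from this page or from the Mobius library. It serialises the grouped AVP with the Diameter AVP header that RFC 3588 defines (4-byte code, 1-byte flags, 3-byte length, data padded to a 4-byte boundary), which this page does not spell out, and refuses SPIs in the reserved 0-255 range before encoding. AVP codes are the ones listed on this page; the function names and the sample key are my own.

```python
import struct

# AVP codes as listed on this page (RFC 4004)
MIP_FA_TO_HA_SPI = 318
MIP_FA_TO_HA_MSA = 328
MIP_SESSION_KEY = 343
MIP_ALGORITHM_TYPE = 345
HMAC_SHA1 = 2          # MIP-Algorithm-Type enumerated value
AVP_FLAG_V = 0x80      # Vendor-specific bit in the Diameter AVP header (RFC 3588)
AVP_FLAG_M = 0x40      # Mandatory bit in the Diameter AVP header (RFC 3588)


def encode_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """Encode a vendor-less Diameter AVP: 4-byte code, 1-byte flags, 3-byte length
    (header + data, excluding padding), then the data padded to a 4-byte boundary."""
    flags = AVP_FLAG_M if mandatory else 0
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    pad = (-len(data)) % 4
    return header + data + b"\x00" * pad


def check_spi(spi: int) -> int:
    """Reject SPIs outside Unsigned32 or inside the reserved 0-255 namespace."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in Unsigned32")
    if spi <= 255:
        raise ValueError(f"SPI {spi} is in the reserved range 0-255")
    return spi


def encode_fa_to_ha_msa(spi: int, session_key: bytes, algorithm: int = HMAC_SHA1) -> bytes:
    """Grouped AVP data is simply the concatenation of the three sub-AVPs."""
    inner = (encode_avp(MIP_FA_TO_HA_SPI, struct.pack("!I", check_spi(spi)))
             + encode_avp(MIP_ALGORITHM_TYPE, struct.pack("!I", algorithm))
             + encode_avp(MIP_SESSION_KEY, session_key))
    return encode_avp(MIP_FA_TO_HA_MSA, inner)


def decode_avps(buf: bytes) -> list:
    """Decode a run of AVPs into (code, flags, data) tuples, enforcing every length field
    so a truncated or oversized AVP cannot make the parser read past the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(buf):
            raise ValueError("bad AVP length")
        if flags & AVP_FLAG_V:
            raise ValueError("vendor-specific AVPs are not handled in this example")
        out.append((code, flags, buf[pos + 8:pos + length]))
        pos += length + ((-length) % 4)
    return out


if __name__ == "__main__":
    # constructed 20-byte key; a real one is chosen by the HAAA (see MIP-Session-Key)
    msa = encode_fa_to_ha_msa(0x1000, b"\x01" * 20)
    code, _, group = decode_avps(msa)[0]
    print(code, [c for c, _, _ in decode_avps(group)])   # 328 [318, 345, 343]
```

The decoder is the part worth copying: checking the 3-byte length against the remaining buffer before slicing is what keeps a malformed grouped AVP from turning into an out-of-bounds read or an infinite loop in a receiver.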

MIP-FA-to-MN-MSA (AVP Code: 326, Data Type: Grouped, Vendor: IETF)

Defines the Foreign Agent (FA) to Mobile Node (MN) session key, enabling authentication and secure communication between the FA and MN. It is utilized in Mobile IPv4 environments to ensure data integrity and session security during mobility operations.

The AVP structure is defined as follows:

MIP-FA-to-MN-SPI (316, Unsigned32): Security Parameter Index (SPI) uniquely identifying the session. SPI must not use values 0–255 (reserved namespace).

MIP-Algorithm-Type (345, Enumerated): Specifies the algorithm used for authentication, e.g., HMAC-SHA-1 (value: 2).

MIP-Session-Key (328, OctetString): Contains the session key used for authentication between the FA and MN.

MIP-FA-to-MN-SPI (AVP Code: 319, Data Type: Unsigned32, Vendor: IETF)

Defines the Security Parameter Index (SPI) for the Foreign Agent (FA) and Mobile Node (MN). It identifies the FA-MN mobility security association, ensuring secure communication and authentication between these entities in Mobile IPv4 networks. SPI must not use values 0–255 (reserved namespace).

MIP-Feature-Vector (AVP Code: 337, Data Type: Unsigned32, Vendor: IETF)

Represents a bitmask flag set that is configured by the Foreign Agent (FA) or the AAAF (AAA server in the foreign domain). It defines mobility-related feature support and requirements for Mobile IPv4 (MIPv4).

Flag Definitions

1: Mobile-Node-Home-Address-Requested: Indicates that the MN requests a home address in the Registration Request.

2: Home-Address-Allocatable-Only-in-Home-Realm: The home address is only allocatable within the home realm (used when HA field is 255.255.255.255).

4: Home-Agent-Requested: Requests assignment of a home agent.

8: Foreign-Home-Agent-Available: Signals the availability of a home agent in the foreign network.

16: MN-HA-Key-Request: Requests a key for MN-HA authentication.

32: MN-FA-Key-Request: Requests a key for MN-FA authentication.

64: FA-HA-Key-Request: Requests a key for FA-HA authentication.

128: Home-Agent-In-Foreign-Network: Indicates that the requested home agent is in the foreign network.

256: Co-Located-Mobile-Node: Signals that the MN operates as a co-located node with its own home agent capabilities.

Rules and Behaviors

  • Foreign-Home-Agent-Available and Home-Agent-In-Foreign-Network cannot both be set to 1.

  • MN-HA-Key-Request is mandatory if either Mobile-Node-Home-Address-Requested or Home-Agent-Requested is set.

  • MN-FA-Key-Request or FA-HA-Key-Request flags are set based on session key requirements.

  • The AAAF verifies and modifies flags based on local policy before relaying the AVP to the AAAH. It may override or append additional flags as required.

  • Address allocation can be constrained to the home realm or dynamically assigned by the foreign network based on flag settings.
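The flag definitions and the rules above, as an added example that is not code from this page or from the Mobius library. It builds and decodes a MIP-Feature-Vector value from the flag names listed on this page, reports the two hard rules (the Foreign-Home-Agent-Available / Home-Agent-In-Foreign-Network conflict and the MN-HA-Key-Request requirement) as validation failures, and flags bits the page does not define. The `aaaf_apply_policy` function is a constructed stand-in for the local policy an AAAF applies before relaying; the page says only that such a step exists.

```python
# Flag values exactly as listed on this page for MIP-Feature-Vector (AVP 337)
FLAGS = {
    "Mobile-Node-Home-Address-Requested": 1,
    "Home-Address-Allocatable-Only-in-Home-Realm": 2,
    "Home-Agent-Requested": 4,
    "Foreign-Home-Agent-Available": 8,
    "MN-HA-Key-Request": 16,
    "MN-FA-Key-Request": 32,
    "FA-HA-Key-Request": 64,
    "Home-Agent-In-Foreign-Network": 128,
    "Co-Located-Mobile-Node": 256,
}
KNOWN_MASK = sum(FLAGS.values())


def build_feature_vector(*names: str) -> int:
    """OR together the named flags; an unknown name raises KeyError."""
    vec = 0
    for name in names:
        vec |= FLAGS[name]
    return vec


def decode_feature_vector(vec: int) -> list:
    """Return the names of the set flags; bits the page does not define are reported by value."""
    names = [name for name, bit in FLAGS.items() if vec & bit]
    unknown = vec & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append(f"unknown-bits:0x{unknown:x}")
    return names


def validate_feature_vector(vec: int) -> list:
    """Apply the rules stated on the page; returns the list of violations (empty means valid)."""
    if not 0 <= vec <= 0xFFFFFFFF:
        return ["value does not fit in Unsigned32"]
    problems = []
    f = FLAGS
    if vec & f["Foreign-Home-Agent-Available"] and vec & f["Home-Agent-In-Foreign-Network"]:
        problems.append("Foreign-Home-Agent-Available and Home-Agent-In-Foreign-Network both set")
    needs_mn_ha_key = vec & (f["Mobile-Node-Home-Address-Requested"] | f["Home-Agent-Requested"])
    if needs_mn_ha_key and not vec & f["MN-HA-Key-Request"]:
        problems.append("MN-HA-Key-Request missing although a home address or home agent was requested")
    if vec & ~KNOWN_MASK:
        problems.append("undefined flag bits set")
    return problems


def aaaf_apply_policy(vec: int, foreign_ha_available: bool) -> int:
    """Constructed example of the AAAF step: append Foreign-Home-Agent-Available when a local HA
    exists, unless the request already points the HA into the foreign network (the two are exclusive)."""
    if foreign_ha_available and not vec & FLAGS["Home-Agent-In-Foreign-Network"]:
        vec |= FLAGS["Foreign-Home-Agent-Available"]
    return vec


if __name__ == "__main__":
    vec = build_feature_vector("Home-Agent-Requested", "MN-HA-Key-Request")
    print(vec, decode_feature_vector(vec), validate_feature_vector(vec))
    print(validate_feature_vector(build_feature_vector("Home-Agent-Requested")))
```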

MIP-Filter-Rule (AVP Code: 342, Data Type: IPFilterRule, Vendor: IETF)

Specifies packet filtering rules that must be enforced by the foreign agent (FA) or the home agent (HA) for a user in Mobile IPv4 (MIPv4) environments. It allows the AAAH (Authentication, Authorization, and Accounting Home server) to define and configure rules for data traffic handling.

Behavior:

  • Rules can be applied to the Home Agent (HA) or Foreign Agent (FA), depending on where the AVP is included.

  • Added to the HAR (Home Agent Request) or the AMA (AA-Mobile-Node-Answer).

  • Multiple MIP-Filter-Rule AVPs can be included to define complex policies.

  • Rules must explicitly define permitted or denied traffic; default deny-all policies may be enforced if rules are absent.

  • Supports both inbound and outbound directions. Matches specific protocols (e.g., TCP, UDP, ICMP).

  • Allows specifying port ranges or wildcard matches for flexible filtering.

The MIP-Filter-Rule follows the IPFilterRule syntax referenced by [RFC 4004].

Rule Format:

action dir proto from src [ports] to dst [ports] [options]

Example Rule:

permit in udp from 192.168.1.0/24 5000-6000 to 10.0.0.0/16 80

Meaning:

permit – Action to allow the traffic.

in – Direction of the traffic (inbound).

udp – Protocol to match.

from 192.168.1.0/24 5000-6000 – Source address range and ports.

to 10.0.0.0/16 80 – Destination address range and ports.
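The rule format and example rule above, as an added example that is not code from this page or from the Mobius library. It parses rules of the form `action dir proto from src [ports] to dst [ports]` (the trailing options are ignored here), then evaluates packets against an ordered rule list with first match wins and a deny default, which is the behaviour the page says may be enforced when no rule matches. The parser goes slightly beyond the page's single example: it also accepts `any`, a bare host address, comma-separated port lists, and `ip` as a wildcard protocol. Rule text and packet tuples in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class FilterRule:
    action: str
    direction: str
    proto: Optional[int]                     # None means "ip", i.e. any protocol
    src: ipaddress.IPv4Network
    src_ports: List[Tuple[int, int]] = field(default_factory=list)
    dst: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")
    dst_ports: List[Tuple[int, int]] = field(default_factory=list)


def _parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'80' -> [(80, 80)]; '5000-6000,8080' -> [(5000, 6000), (8080, 8080)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def _parse_addr(tok: str) -> ipaddress.IPv4Network:
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok, strict=False)   # host address becomes a /32


def parse_rule(text: str) -> FilterRule:
    """Parse 'action dir proto from src [ports] to dst [ports] [options]'."""
    tok = text.split()
    if len(tok) < 7 or tok[3] != "from":
        raise ValueError("rule does not match 'action dir proto from src [ports] to dst [ports]'")
    action, direction, proto = tok[0].lower(), tok[1].lower(), tok[2].lower()
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError("action must be permit/deny and direction in/out")
    if proto == "ip":
        pnum = None
    elif proto in PROTO_NUMBERS:
        pnum = PROTO_NUMBERS[proto]
    else:
        pnum = int(proto)                                # numeric protocol
    if tok[5] == "to":                                   # no source ports given
        src_ports, to_idx = [], 5
    elif tok[6] == "to":
        src_ports, to_idx = _parse_ports(tok[5]), 6
    else:
        raise ValueError("missing 'to' keyword")
    src = _parse_addr(tok[4])
    dst = _parse_addr(tok[to_idx + 1])
    rest = tok[to_idx + 2:]
    dst_ports = _parse_ports(rest[0]) if rest and rest[0][0].isdigit() else []
    return FilterRule(action, direction, pnum, src, src_ports, dst, dst_ports)


def _port_ok(ranges: List[Tuple[int, int]], port: int) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(r: FilterRule, direction, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
    return (r.direction == direction
            and (r.proto is None or r.proto == proto)
            and ipaddress.ip_address(src_ip) in r.src
            and ipaddress.ip_address(dst_ip) in r.dst
            and _port_ok(r.src_ports, src_port)
            and _port_ok(r.dst_ports, dst_port))


def evaluate(rules, direction, proto, src_ip, src_port, dst_ip, dst_port, default="deny") -> str:
    """First matching rule wins; 'default' applies when nothing matches."""
    for r in rules:
        if rule_matches(r, direction, proto, src_ip, src_port, dst_ip, dst_port):
            return r.action
    return default


if __name__ == "__main__":
    rules = [parse_rule("permit in udp from 192.168.1.0/24 5000-6000 to 10.0.0.0/16 80")]
    print(evaluate(rules, "in", 17, "192.168.1.7", 5500, "10.0.3.4", 80))   # permit
    print(evaluate(rules, "in", 17, "192.168.1.7", 7000, "10.0.3.4", 80))   # deny (source port)
```

Because several MIP-Filter-Rule AVPs may arrive, order matters: a `deny in ip from any to any` placed first would shadow every later permit, so an FA or HA applying these rules should keep them in the order received and log which rule produced a deny.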

MIP-HA-to-FA-MSA (AVP Code: 329, Data Type: Grouped, Vendor: IETF)

Provides a mobility security association between the Home Agent (HA) and the Foreign Agent (FA). It facilitates secure communication and authentication for Mobile IPv4 (MIPv4) sessions by sharing a session key and authentication algorithm.

After establishing the session, the HA generates an authentication extension using the specified session key and algorithm. The FA validates the extension with the same parameters.

The AVP structure is defined as follows:

MIP-HA-to-FA-SPI (Unsigned32): Security Parameter Index assigned by FA to identify the security session.

MIP-Algorithm-Type (Enumerated): Algorithm type (e.g., HMAC-SHA-1) for authentication extensions.

MIP-Session-Key (OctetString): Shared session key used for hashing and encryption.

MIP-HA-to-FA-SPI (AVP Code: 323, Data Type: Unsigned32, Vendor: IETF)

Defines a Security Parameter Index (SPI) used by the Home Agent (HA) and the Foreign Agent (FA) to refer to the HA-FA mobility security association. This AVP uniquely identifies the session and allows both agents to authenticate each other during Mobile IPv4 (MIPv4) communication.

The FA allocates the SPI, and it must fall outside the reserved range 0–255, which is defined in [RFC 3344]. Both the HA and FA validate the SPI against their internal session data before processing requests.

MIP-HA-to-MN-MSA (AVP Code: 332, Data Type: Grouped, Vendor: IETF)

Defines the Home Agent (HA) to Mobile Node (MN) session key information required for authentication and security in Mobile IPv4 (MIPv4). It is transmitted to the HA in two scenarios:

  • In the Home Agent Request (HAR) for Foreign Agent (FA) Care-of-Address (COA) mobility.

  • In the AA-Mobile-Node-Answer (AMA) for collocated COA mobility.

The MN allocates the MIP-HA-to-MN-SPI, and the HA uses the provided session key and algorithm to create authentication extensions. The MN then verifies these extensions using the same key and algorithm.

The AVP structure is defined as follows:

MIP-HA-to-MN-SPI (Unsigned32, Mandatory): Security Parameter Index (SPI) used for referencing the session key between HA and MN.

MIP-Algorithm-Type (Enumerated, Mandatory): Specifies the algorithm (e.g., HMAC-SHA-1) used for authentication.

MIP-Replay-Mode (Enumerated, Mandatory): Replay protection mechanism, ensuring defense against replay attacks.

MIP-Session-Key (OctetString, Mandatory): Contains the actual session key used for authentication and encryption.

Usage Rules:

  • Keys should be securely generated and stored by the MN.

  • Transmitted keys must be encrypted during transport to prevent eavesdropping.

  • SPI must not use values between 0–255 as they are reserved by [RFC 3344].

  • Replay mode must be explicitly specified and matched by both HA and MN to avoid mismatched configurations.

  • Both entities must use the same algorithm (defined by MIP-Algorithm-Type) for verification.

MIP-HA-to-MN-SPI (AVP Code: custom, Data Type: Unsigned32, Vendor: custom)

Assumed to define a Security Parameter Index (SPI) between the Home Agent (HA) and the Mobile Node (MN) within a Mobile IPv4 (MIPv4) session. This AVP provides a unique identifier for referencing the HA-to-MN mobility security association.

This AVP is based on other SPI fields defined in [RFC 4004], such as MIP-FA-to-MN-SPI (AVP Code 319) and MIP-HA-to-FA-SPI (AVP Code 323).

MIP-Home-Agent-Address (AVP Code: 334, Data Type: Address, Vendor: IETF)

Used to store the IP address of the Home Agent (HA) assigned to a Mobile Node (MN) in Mobile IPv4 (MIPv4) operations. It enables identification and communication with the HA, responsible for managing mobile IP sessions and maintaining connectivity during mobility.

MIP-Home-Agent-Host (AVP Code: 348, Data Type: Grouped, Vendor: IETF)

Identifies the Home Agent (HA) assigned to the Mobile Node (MN) in Mobile IPv4 (MIPv4) operations. It specifies the destination realm and destination host, ensuring routing and communication with the designated HA.

Must be included in the AMR (AA-Mobile-Node-Request) when the HA is dynamically assigned. The AAAH must copy this AVP into the HAR (Home Agent Request) without modification when it is received in the AMR.

The AVP structure is defined as follows:

Destination-Realm (UTF8String, Mandatory): The realm (domain) of the Home Agent for routing purposes.

Destination-Host (UTF8String, Mandatory): The host name or identifier of the Home Agent.

Allows inclusion of additional optional AVPs if needed.

MIP-MN-AAA-Auth (AVP Code: 322, Data Type: Grouped, Vendor: IETF)

Designed for Mobile IPv4 (MIPv4) authentication purposes. It provides additional data to assist the AAA server in processing authentication data present in the Mobile Node's Registration Request.

The AVP structure is defined as follows:

MIP-MN-AAA-SPI (Unsigned32, Mandatory): Security Parameter Index (SPI) for identifying the authentication algorithm.

MIP-Auth-Input-Data-Length (Unsigned32, Mandatory): Length (in bytes) of input data used in the authentication process.

MIP-Authenticator-Length (Unsigned32, Mandatory): Length of the Authenticator to be validated by the AAA server.

MIP-Authenticator-Offset (Unsigned32, Mandatory): Offset into the registration request data specifying the location of Authenticator.

Additional optional AVPs for extensibility.
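The MIP-MN-AAA-Auth structure above, together with the MIP-Auth-Input-Data-Length, MIP-Authenticator-Offset and MIP-Authenticator-Length descriptions earlier on the page, as an added example that is not code from this page or from the Mobius library. It performs the AAAH-side step the page describes: use the three values to locate the authenticator inside the MIP-Reg-Request data, bounds-check them first, and compare an HMAC-SHA-1 (MIP-Algorithm-Type value 2) over the input portion against the presented authenticator. It is an assumption of this example that the input is simply the first MIP-Auth-Input-Data-Length bytes of the request; the exact field composition of the MN-AAA authentication extension is specified in the Mobile IP challenge/response documents the page cites as [MIPCHAL], not on this page. The sample request layout and the shared key are constructed.

```python
import hashlib
import hmac

HMAC_SHA1 = 2   # MIP-Algorithm-Type value listed on this page


def locate_authenticator(reg_request: bytes, input_len: int, auth_offset: int, auth_len: int):
    """Bounds-check the MIP-MN-AAA-Auth lengths/offset against MIP-Reg-Request and return
    (auth_input, authenticator). Anything that would read outside the buffer, or place the
    authenticator inside its own input, is rejected before any bytes are touched."""
    n = len(reg_request)
    if not 0 < input_len <= n:
        raise ValueError("MIP-Auth-Input-Data-Length outside MIP-Reg-Request")
    if auth_len <= 0 or auth_offset < 0 or auth_offset + auth_len > n:
        raise ValueError("MIP-Authenticator-Offset/Length outside MIP-Reg-Request")
    if auth_offset < input_len:
        raise ValueError("authenticator overlaps the authenticated input")
    return reg_request[:input_len], reg_request[auth_offset:auth_offset + auth_len]


def verify_mn_aaa_auth(reg_request: bytes, input_len: int, auth_offset: int, auth_len: int,
                       key: bytes, algorithm: int = HMAC_SHA1) -> bool:
    """AAAH-side check: recompute the authenticator with the MN-AAA key selected via
    MIP-MN-AAA-SPI (key lookup is outside this example) and compare in constant time."""
    if algorithm != HMAC_SHA1:
        raise ValueError(f"unsupported MIP-Algorithm-Type {algorithm}")
    auth_input, presented = locate_authenticator(reg_request, input_len, auth_offset, auth_len)
    expected = hmac.new(key, auth_input, hashlib.sha1).digest()
    if auth_len > len(expected):
        return False                      # cannot be a valid HMAC-SHA-1 authenticator
    return hmac.compare_digest(expected[:auth_len], presented)


def build_sample_request(key: bytes):
    """Constructed sample: a fake 22-byte Registration Request body followed by a 20-byte
    HMAC-SHA-1 authenticator. Returns (reg_request, input_len, auth_offset, auth_len), i.e. the
    values an FA would carry in MIP-Reg-Request and MIP-MN-AAA-Auth. The layout is illustrative."""
    body = (b"\x01\x00"                   # type/flags (constructed)
            + b"\x00\x00\x01\x2c"         # lifetime (constructed)
            + b"\x0a\x00\x00\x05"         # home address 10.0.0.5 (constructed)
            + b"\xc0\xa8\x01\x01"         # home agent 192.168.1.1 (constructed)
            + b"\x00" * 8)                # identification (constructed)
    mac = hmac.new(key, body, hashlib.sha1).digest()
    return body + mac, len(body), len(body), len(mac)


if __name__ == "__main__":
    key = b"constructed-mn-aaa-shared-secret"
    rr, input_len, auth_offset, auth_len = build_sample_request(key)
    print(verify_mn_aaa_auth(rr, input_len, auth_offset, auth_len, key))           # True
    print(verify_mn_aaa_auth(rr, input_len, auth_offset, auth_len, b"wrong-key"))  # False
```

The three bounds checks matter because the lengths and offset arrive from the FA, not from the AAAH's own state: a receiver that slices MIP-Reg-Request with unchecked values can be made to read outside the AVP data or to authenticate an empty prefix.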

MIP-MN-AAA-SPI (AVP Code: 341, Data Type: Unsigned32, Vendor: IETF)

Specifies the Security Parameter Index (SPI) for the Mobile Node (MN) to AAA Server (AAAH) security association. It is used by the targeted AAA server to identify the correct security mechanism required to validate the Authenticator computed by the Mobile Node over the Registration Request data.

MIP-MN-FA-SPI (AVP Code: custom, Data Type: Unsigned32, Vendor: custom)

Designed to serve as a Security Parameter Index (SPI) between the Mobile Node (MN) and the Foreign Agent (FA) within a Mobile IPv4 (MIPv4) security association. This AVP allows the Foreign Agent and Mobile Node to securely authenticate each other during mobility session management.

MIP-MN-to-FA-MSA (AVP Code: 325, Data Type: Grouped, Vendor: IETF)

Designed to establish a Mobility Security Association (MSA) between the Mobile Node (MN) and the Foreign Agent (FA). It facilitates secure key derivation and authentication for Mobile IPv4 communications by defining the SPI, algorithm type, and a nonce used to generate session keys.

The AVP structure is defined as follows:

MIP-MN-FA-SPI (319, Unsigned32, Mandatory): Security Parameter Index (SPI) for identifying the association. 0–255 is invalid for SPI.

MIP-Algorithm-Type (345, Enumerated, Mandatory): Specifies the cryptographic algorithm (e.g., HMAC-SHA-1).

MIP-Nonce (335, OctetString, Mandatory): Random value that makes the derived key unique and protects against replay.

MIP-MN-to-HA-MSA (AVP Code: 331, Data Type: Grouped, Vendor: IETF)

Used in Mobile IPv4 networks to establish a Mobility Security Association (MSA) between the Mobile Node (MN) and the Home Agent (HA). It facilitates secure communication through the derivation of session keys, ensuring message integrity and authentication.

This AVP supports both FA COA (Foreign Agent Care-of Address) and collocated COA methods, providing flexibility in registration scenarios.

The AVP structure is defined as follows:

MIP-MN-HA-SPI (320, Unsigned32, Mandatory): Provides a Security Parameter Index (SPI) for identifying the association. 0–255 is invalid for SPI.

MIP-Algorithm-Type (345, Enumerated, Mandatory): Specifies the cryptographic algorithm (e.g., HMAC-SHA-1).

MIP-Replay-Mode (346, Enumerated, Mandatory): Defines replay protection modes to prevent attacks.

MIP-Nonce (335, OctetString, Mandatory): Provides a random value for key derivation and replay protection.

MIP-Mobile-Node-Address (AVP Code: 333, Data Type: Address, Vendor: IETF)

Used to store the home IP address of a Mobile Node (MN) in Mobile IPv4 networks. It acts as an identifier for the mobile node within the network and is primarily utilized during registration, authentication, and session management processes.

MIP-MSA-Lifetime (AVP Code: 367, Data Type: Unsigned32, Vendor: IETF)

Specifies the validity duration (in seconds) for a session key or nonce associated with a Mobile IPv4 Security Association (MSA). Once the specified lifetime expires, the session key or nonce becomes invalid and cannot be used for further authentication or security purposes. May be updated dynamically if session extensions or renewals occur.

MIP-Nonce (AVP Code: 335, Data Type: OctetString, Vendor: IETF)

Carries a nonce that is sent to the mobile node for use in the authentication extension process. The HAAA (Home AAA) generates and selects this nonce, which the mobile node uses to create a session key for securing Mobile IPv4 registration messages.

MIP-Originating-Foreign-AAA (AVP Code: 347, Data Type: Grouped, Vendor: IETF)

Identifies the AAAF (Originating Foreign AAA) that initiated the Authentication, Authorization, and Accounting (AAA) message, in particular the AMR (AA-Mobile-Node-Request) sent to the AAAH (Home AAA). This AVP is mandatory when the Home Agent (HA) is allocated in a foreign domain or may be allocated there in the future.

The AVP structure is defined as follows:

Origin-Realm (Mandatory): Identifies the realm (domain) of the AAAF that originated the request. Used to route messages back to the foreign AAA system.

Origin-Host (Mandatory): Specifies the host name of the AAAF server responsible for sending the request. Provides an addressable identifier for further communication.

Allows the inclusion of custom AVPs to provide extended information about the originating system.

MIP-Reg-Reply (AVP Code: 321, Data Type: OctetString, Vendor: IETF)

Used to convey the Mobile IPv4 Registration Reply message. This message is sent by the Home Agent (HA) to the Foreign Agent (FA), providing a response to the Mobile IPv4 Registration Request initiated by the Mobile Node (MN).

MIP-Reg-Request (AVP Code: 320, Data Type: OctetString, Vendor: IETF)

Used to carry the binary-encoded data of the Registration Request initiated by the Mobile Node (MN) and sent to the Foreign Agent (FA).

MIP-Replay-Mode (AVP Code: 346, Data Type: Enumerated, Vendor: IETF)

Used to indicate the replay protection mechanism selected by the Home Agent (HA) for authenticating the Mobile Node (MN) during Mobile IPv4 registration. This AVP defines how the system ensures replay attack protection when validating requests and replies during the registration process. The value is selected by the Home Authentication Authorization and Accounting (HAAA) server.

Enumerated Values

1: None: No replay protection is applied.

2: Timestamps: Uses timestamps to validate the freshness of the request.

3: Nonces: Uses nonces (unique random values) for replay protection.

MIP-Session-Key (AVP Code: 343, Data Type: OctetString, Vendor: IETF)

Used to store the Session Key associated with a Mobile IPv4 authentication extension. This key is generated and selected by the Home Authentication Authorization and Accounting (HAAA) server. The Session Key ensures secure communication between the Mobile Node (MN) and the Foreign Agent (FA) or Home Agent (HA) by providing a shared secret used for authentication.


 
