Proxy-Mobile IP


 
 
This chapter describes system support for Proxy Mobile IP and explains how it is configured. The product administration guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model before using the procedures in this chapter.
Proxy Mobile IP provides a mobility solution for subscribers with mobile nodes (MNs) capable of supporting only Simple IP.
This chapter includes the following sections:
 
 
Overview
Proxy Mobile IP provides mobility for subscribers with MNs that do not support the Mobile IP protocol stack.
Important: This feature is enabled as part of a license bundle or with the purchase of a standalone Proxy-MIP license. Other licenses might be required to enable all the features described in this chapter. If you do not have the appropriate license(s), please contact your sales advisor.
The Proxy Mobile IP feature is supported for various products. The following table indicates the products on which the feature is supported and the relevant sections within the chapter that pertain to that product.
Applicable Products and Relevant Sections
 
Proxy Mobile IP in 3GPP2 Service
For subscriber sessions using Proxy Mobile IP, R-P and PPP sessions get established between the MN and the PDSN as they would for a Simple IP session. However, the PDSN/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber’s profile) on behalf of the MN (i.e. the MN is only responsible for maintaining the Simple IP PPP session with PDSN).
The MN is assigned an IP address by either the PDSN/FA or the HA. Regardless of its source, the address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider’s network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA.
Note that unlike Mobile IP-capable MNs that can perform multiple sessions over a single PPP link, Proxy Mobile IP allows only a single session over the PPP link. In addition, simultaneous Mobile and Simple IP sessions will not be supported for an MN by the FA that is currently facilitating a Proxy Mobile IP session for the MN.
The MN is assigned an IP address by either the HA, a AAA server, or on a static basis. The address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider’s network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA.
 
Proxy Mobile IP in 3GPP Service
For IP PDP contexts using Proxy Mobile IP, the MN establishes a session with the GGSN as it normally would. However, the GGSN/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber’s profile) on behalf of the MN (i.e. the MN is only responsible for maintaining the IP PDP context with the GGSN, no Agent Advertisement messages are communicated with the MN).
The MN is assigned an IP address by either the HA, a AAA server, or on a static basis. The address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider’s network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA.
Proxy Mobile IP can be performed on a per-subscriber basis based on information contained in their user profile, or for all subscribers facilitated by a specific APN. In the case of non-transparent IP PDP contexts, attributes returned from the subscriber’s profile take precedence over the configuration of the APN.
 
Proxy Mobile IP in WiMAX Service
For subscriber sessions using Proxy Mobile IP, subscriber sessions get established between the MN and the ASN GW as they would for a Simple IP session. However, the ASN GW/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber’s profile) on behalf of the MN (i.e. the MN is only responsible for maintaining the Simple IP subscriber session with ASN GW).
The MN is assigned an IP address by either the ASN GW/FA or the HA. Regardless of its source, the address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider’s network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA.
Note that unlike Mobile IP-capable MNs that can perform multiple sessions over a single session link, Proxy Mobile IP allows only a single session over the session link. In addition, simultaneous Mobile and Simple IP sessions will not be supported for an MN by the FA that is currently facilitating a Proxy Mobile IP session for the MN.
 
How Proxy Mobile IP Works in 3GPP2 Network
This section contains call flows displaying successful Proxy Mobile IP session setup scenarios. There are multiple scenarios that are dependent on how the MN receives an IP address. The following scenarios are described:
 
 
Scenario 1: The AAA server that authenticates the MN at the PDSN allocates an IP address to the MN. Note that the PDSN does not allocate an address from its IP pools.
Scenario 2: The HA assigns an IP address to the MN from one of its locally configured dynamic pools.
 
Scenario 1: AAA server and PDSN/FA Allocate IP Address
The following figure and table display and describe a call flow in which the MN receives its IP address from the AAA server and PDSN/FA.
 
AAA/PDSN Assigned IP Address Proxy Mobile IP Call Flow
AAA/PDSN Assigned IP Address Proxy Mobile IP Call Flow Description
 
Scenario 2: HA Allocates IP Address
The following figure and table display and describe a call flow in which the MN receives its IP address from the HA.
 
HA Assigned IP Address Proxy Mobile IP Call Flow
HA Assigned IP Address Proxy Mobile IP Call Flow Description
 
How Proxy Mobile IP Works in 3GPP Network
This section contains call flows displaying successful Proxy Mobile IP session setup scenarios in 3GPP network.
The following figure and the text that follows describe a sample successful Proxy Mobile IP session setup call flow in 3GPP service.
 
Proxy Mobile IP Call Flow in 3GPP
Proxy Mobile IP Call Flow in 3GPP Description
 
How Proxy Mobile IP Works in WiMAX Network
This section contains call flows displaying successful Proxy Mobile IP session setup scenarios. There are multiple scenarios that are dependent on how the MN receives an IP address. The following scenarios are described:
 
Scenario 1: The AAA server that authenticates the MN at the ASN GW allocates an IP address to the MN. Note that the ASN GW does not allocate an address from its IP pools.
Scenario 2: The HA assigns an IP address to the MN from one of its locally configured dynamic pools.
 
Scenario 1: AAA server and ASN GW/FA Allocate IP Address
The following figure and table display and describe a call flow in which the MN receives its IP address from the AAA server and ASN GW/FA.
 
AAA/ASN GW Assigned IP Address Proxy Mobile IP Call Flow
AAA/ASN GW Assigned IP Address Proxy Mobile IP Call Flow Description
 
Scenario 2: HA Allocates IP Address
The following figure and table display and describe a call flow in which the MN receives its IP address from the HA.
 
HA Assigned IP Address Proxy Mobile IP Call Flow
HA Assigned IP Address Proxy Mobile IP Call Flow Description
 
How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication
Proxy-Mobile IP was developed as a result of networks of Mobile Subscribers (MS) that are not capable of Mobile IP operation. In this scenario a PDIF acts as a Mobile IP client and thus implements Proxy-MIP support.
Although not required or necessary in a Proxy-MIP network, this implementation uses a technique called Multiple Authentication. In Multi-Auth arrangements, the device is authenticated first using HSS servers. Once the device is authenticated, then the subscriber is authenticated over a RADIUS interface to AAA servers. This supports existing EV-DO servers in the network.
The MS first tries to establish an IKEv2 session with the PDIF. The MS uses the EAP-AKA authentication method for the initial device authentication using Diameter over SCTP over IPv6 to communicate with HSS servers. After the initial Diameter EAP authentication, the MS continues with EAP MD5/GTC authentication.
After successful device authentication, PDIF then uses RADIUS to communicate with AAA servers for the subscriber authentication. It is assumed that RADIUS AAA servers do not use EAP methods and hence RADIUS messages do not contain any EAP attributes.
Assuming a successful RADIUS authentication, PDIF then sets up the IPSec Child SA tunnel using a Tunnel Inner Address (TIA) for passing control traffic only. PDIF receives the MS address from the Home Agent, and passes it on to the MS through the final AUTH response in the IKEv2 exchange.
When IPSec negotiation finishes, the PDIF assigns a home address to the MS and establishes a CHILD SA to pass data. The initial TIA tunnel is torn down and the IP address is returned to the address pool. The PDIF then generates a RADIUS accounting START message.
When the session is disconnected, the PDIF generates a RADIUS accounting STOP message.
The following figures describe a Proxy-MIP session setup using CHAP authentication (EAP-MD5), and also address a PAP authentication setup using EAP-GTC when EAP-MD5 is not supported by either PDIF or MS.
 
Proxy-MIP Call Setup using CHAP Authentication
a.   If the PDIF service does not support Multiple-Authentication and an ANOTHER_AUTH_FOLLOWS Notify payload is received, then PDIF sends an IKE_AUTH Response with the appropriate error and terminates the IKEv2 session by sending an INFORMATIONAL (Delete) Request.
b.   If the ANOTHER_AUTH_FOLLOWS Notify payload is not present in the IKE_AUTH Request, PDIF allocates the IP address from the locally configured pools. However, if proxy-mip-required is enabled, then PDIF initiates Proxy-MIP setup to the HA by sending a P-MIP RRQ. When PDIF receives the Proxy-MIP RRP, it takes the Home Address (and DNS addresses, if any) and sends the IKE_AUTH Response back to the MS, including a CP payload with the Home Address and DNS addresses. In either case, IKEv2 setup finishes at this stage and the IPSec tunnel gets established with a Tunnel Inner Address (TIA).
PDIF checks the validity of the AUTH payload and initiates Proxy-MIP setup request to the Home Agent if proxy-mip-required is enabled. The HA address may be received from the RADIUS server in the Access Accept (Step 16) or may be locally configured. PDIF may also remember the HA address from the first authentication received in the final DEA message.
If proxy-mip-required is disabled, PDIF assigns the IP address from the local pool.
Important: For Proxy-MIP call setup using PAP, the first 14 steps are the same as for CHAP authentication. From that point they deviate, because the MS supports EAP-GTC rather than EAP-MD5 authentication. In response to the EAP-MD5 challenge, the MS instead responds with legacy-Nak with EAP-GTC. The diagram below picks up at this point.
 
Proxy-MIP Call Setup using PAP Authentication
 
Configuring Proxy Mobile-IP Support
Support for Proxy Mobile-IP requires that the following configurations be made:
Important: Not all commands and keywords/variables may be supported. This depends on the platform type and the installed license(s).
 
FA service(s): Proxy Mobile IP must be enabled, operation parameters must be configured, and FA-HA security associations must be specified.
HA service(s): FA-HA security associations must be specified.
Subscriber profile(s): Attributes must be configured to allow the subscriber(s) to use Proxy Mobile IP. These attributes can be configured in subscriber profiles stored locally on the system or remotely on a RADIUS AAA server.
APN template(s): Proxy Mobile IP can be supported for every subscriber IP PDP context facilitated by a specific APN template based on the configuration of the APN.
Important: These instructions assume that the system was previously configured to support subscriber data sessions as a core network service and/or an HA according to the instructions described in the respective product administration guide.
 
Configuring FA Services
Use this example to configure an FA service to support Proxy Mobile IP:
configure
   context <context_name>
      fa-service <fa_service_name>
         proxy-mip allow
         proxy-mip max-retransmissions <integer>
         proxy-mip retransmission-timeout <seconds>
         proxy-mip renew-percent-time <percentage>
         fa-ha-spi remote-address { <ha_ip_address> | <ip_addr_mask_combo> } spi-number <number> { encrypted secret <enc_secret> | secret <secret> } [ description <string> ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } | replay-protection { timestamp | nonce } | timestamp-tolerance <tolerance> ]
         authentication mn-ha allow-noauth
         end
Notes:
The proxy-mip max-retransmissions command configures the maximum number of retry attempts that the FA service is allowed to make when sending Proxy Mobile IP Registration Requests to the HA.
proxy-mip retransmission-timeout configures the maximum amount of time allowed by the FA for a response from the HA before re-sending a Proxy Mobile IP Registration Request message.
proxy-mip renew-percent-time configures the amount of time that must pass prior to the FA sending a Proxy Mobile IP Registration Renewal Request.
Example
If the advertisement registration lifetime configured for the FA service is 900 seconds and the renew-time is configured to 50%, then the FA requests a lifetime of 900 seconds in the Proxy MIP registration request. If the HA grants a lifetime of 600 seconds, then the FA sends the Proxy Mobile IP Registration Renewal Request message after 300 seconds have passed.
 
Use the fa-ha-spi remote-address command to modify configured FA-HA SPIs to support Proxy Mobile IP. Refer to the Command Line Interface Reference for the full command syntax.
Important: Note that FA-HA SPIs must be configured for the Proxy-MIP feature to work, while it is optional for regular MIP.
Use the authentication mn-ha allow-noauth command to configure the FA service to allow communications from the HA without authenticating the HA.
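How an HA could validate the FA-HA authentication and the timestamp replay protection that the fa-ha-spi keywords select, as an added example (not Cisco's code and not part of the original chapter). It assumes the RFC 3344 message layout with HMAC-MD5; the function names, addresses, SPI and secret are constructed.

```python
import hashlib
import hmac
import socket
import struct

FA_HA_AUTH_EXT = 34            # Foreign-Home Authentication Extension type (RFC 3344)
NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
RRQ_FIXED_LEN = 24             # fixed part of a Registration Request


def build_rrq(home, ha, coa, lifetime, unix_time):
    """Fixed part of an RRQ; Identification carries an NTP-format timestamp."""
    addrs = b"".join(socket.inet_aton(a) for a in (home, ha, coa))
    ident = struct.pack("!II", unix_time + NTP_UNIX_OFFSET, 0)
    return struct.pack("!BBH", 1, 0, lifetime) + addrs + ident


def sign_fa_ha(msg, spi, secret):
    """Append the FA-HA extension: HMAC-MD5 over msg plus type, length and SPI."""
    header = struct.pack("!BBI", FA_HA_AUTH_EXT, 4 + 16, spi)
    return msg + header + hmac.new(secret, msg + header, hashlib.md5).digest()


def verify_rrq(packet, spi_table, now_unix, tolerance, last_seen):
    """HA-side check; returns 'ok' or the reason the request is rejected."""
    if len(packet) < RRQ_FIXED_LEN:
        return "malformed"
    home, ident = packet[4:8], packet[16:24]
    off = RRQ_FIXED_LEN
    while off + 2 <= len(packet):            # walk type-length-value extensions
        ext_type, end = packet[off], off + 2 + packet[off + 1]
        if end > len(packet):
            return "malformed"
        if ext_type == FA_HA_AUTH_EXT and end - off >= 6:
            spi = struct.unpack("!I", packet[off + 2:off + 6])[0]
            if spi not in spi_table:
                return "unknown-spi"
            # The authenticator covers everything up to and including the SPI.
            want = hmac.new(spi_table[spi], packet[:off + 6], hashlib.md5).digest()
            if not hmac.compare_digest(want, packet[off + 6:end]):
                return "bad-authenticator"
            break
        off = end
    else:
        return "missing-fa-ha-extension"
    # replay-protection timestamp: within tolerance and strictly newer than the last one
    ts_unix = struct.unpack("!I", ident[:4])[0] - NTP_UNIX_OFFSET
    if abs(ts_unix - now_unix) > tolerance:
        return "timestamp-out-of-tolerance"
    if ident <= last_seen.get(home, b""):
        return "replayed"
    last_seen[home] = ident
    return "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, made-up SPI and secret).
    spis, seen, now = {256: b"constructed-secret"}, {}, 1_700_000_000
    pkt = sign_fa_ha(build_rrq("10.0.0.5", "192.0.2.10", "198.51.100.1", 900, now), 256, spis[256])
    print(verify_rrq(pkt, spis, now + 2, 7, seen))    # accepted
    print(verify_rrq(pkt, spis, now + 3, 7, seen))    # same Identification again
```

The same captured request is rejected on its second delivery, and a request whose timestamp differs from the HA clock by more than the tolerance is rejected even with a valid authenticator.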
 
Verify the FA Service Configuration
Use the following command to verify the configuration of the FA service:
show fa-service name <fa_service_name>
Notes:
Save your configuration as described in Verifying and Saving Your Configuration.
Proceed to the optional Configuring Proxy MIP HA Failover section to configure Proxy MIP HA Failover support or skip to the Configuring HA Services section to configure HA service support for Proxy Mobile IP.
 
Configuring Proxy MIP HA Failover
Use this example to configure Proxy Mobile IP HA Failover:
Important: The configuration in this section is optional.
When configured, Proxy MIP HA Failover provides a mechanism to use a specified alternate Home Agent for the subscriber session when the primary HA is not available. Use the following configuration example to configure the Proxy MIP HA Failover:
configure
  context <context_name>
     fa-service <fa_service_name>
        proxy-mip ha-failover [ max-attempts <max_attempts> | num-attempts-before-switching <num_attempts> | timeout <seconds> ]
Notes:
Save your configuration as described in Verifying and Saving Your Configuration.
 
Configuring HA Services
Use the following configuration example to configure HA services to support Proxy Mobile IP.
configure
   context <context_name>
      ha-service <ha_service_name>
         fa-ha-spi remote-address <fa_ip_address> spi-number <number> { encrypted secret <enc_secret> | secret <secret> } [ description <string> ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } ] [ replay-protection { timestamp | nonce } | timestamp-tolerance <tolerance> ]
         authentication mn-ha allow-noauth
         authentication mn-aaa allow-noauth
         end
Important: Note that FA-HA SPIs must be configured for the Proxy MIP feature to work, while it is optional for regular MIP. Also note that the above syntax assumes that FA-HA SPIs were previously configured as part of the HA service as described in the respective product Administration Guide. The replay-protection and timestamp-tolerance keywords should only be configured when supporting Proxy Mobile IP.
Notes:
Save your configuration as described in Verifying and Saving Your Configuration.
To verify the configuration of the HA service:
context <context_name>
  show ha-service name <ha_service_name>
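An offline check of saved FA and HA service configuration against the requirements in this chapter, as an added example (not a Cisco tool and not part of the original chapter). The sample configuration is constructed, and the finding names and the review policy (flag clear-text secrets, hash algorithms other than hmac-md5, missing replay-protection, allow-noauth, and Proxy-MIP enabled without an FA-HA SPI) are this example's assumptions.

```python
import re

# Constructed sample in the style of the FA/HA examples; names, addresses and secrets are made up.
SAMPLE_CONFIG = """\
configure
  context pdsn-ctx
    fa-service fa1
      proxy-mip allow
      fa-ha-spi remote-address 192.0.2.10 spi-number 256 secret example-secret hash-algorithm md5
      authentication mn-ha allow-noauth
    fa-service fa2
      proxy-mip allow
  context ha-ctx
    ha-service ha1
      fa-ha-spi remote-address 192.0.2.20 spi-number 256 encrypted secret 0123abcd hash-algorithm hmac-md5 replay-protection timestamp
  end
"""

SERVICE_RE = re.compile(r"(fa|ha)-service\s+(\S+)$")


def value_after(tokens, keyword):
    """Token following keyword, or None when the keyword is absent or last."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None


def audit(config_text):
    """Return sorted (service, finding) pairs for the FA/HA services in config_text."""
    findings, state, service = [], {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        m = SERVICE_RE.match(raw.strip())
        if m:
            service = f"{m.group(1)}-service {m.group(2)}"
            state[service] = {"proxy_mip": False, "spis": 0}
        elif tokens[0] in ("context", "end", "exit"):
            service = None                      # left the service block
        elif service is None:
            continue
        elif tokens[:2] == ["proxy-mip", "allow"]:
            state[service]["proxy_mip"] = True
        elif tokens[0] == "fa-ha-spi":
            state[service]["spis"] += 1
            if "secret" in tokens and tokens[tokens.index("secret") - 1] != "encrypted":
                findings.append((service, "plaintext-secret"))
            if value_after(tokens, "hash-algorithm") in ("md5", "rfc2002-md5"):
                findings.append((service, "hash-not-hmac-md5"))
            if "replay-protection" not in tokens:
                findings.append((service, "no-replay-protection"))
        elif tokens[0] == "authentication" and tokens[-1] == "allow-noauth":
            findings.append((service, f"{tokens[1]}-allow-noauth"))
    for name, info in state.items():
        # The chapter requires FA-HA SPIs for Proxy-MIP to work.
        if name.startswith("fa-") and info["proxy_mip"] and info["spis"] == 0:
            findings.append((name, "proxy-mip-without-fa-ha-spi"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CONFIG):
        print(f"{service}: {finding}")
```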
 
Configuring Subscriber Profile RADIUS Attributes
In order for subscribers to use Proxy Mobile IP, attributes must be configured in their user profile or in an APN for 3GPP service. As mentioned previously, the subscriber profiles can be located either locally on the system or remotely on a RADIUS AAA server.
This section provides information on the RADIUS attributes that must be used and instructions for configuring locally stored profiles/APNs in support of Proxy Mobile IP.
Important: Instructions for configuring RADIUS-based subscriber profiles are not provided in this document. Please refer to the documentation supplied with your server for further information.
 
RADIUS Attributes Required for Proxy Mobile IP
The following table describes the attributes that must be configured in profiles stored on RADIUS AAA servers in order for the subscriber to use Proxy Mobile IP.
Required RADIUS Attributes for Proxy Mobile IP
For Proxy Mobile IP, this attribute must be set to Simple IP.
This attribute must be enabled to support Proxy Mobile IP.
Disabled - do not perform compulsory Proxy-MIP (0)
Enabled - perform compulsory Proxy-MIP (1)
Important: Regardless of the configuration of this attribute, the FA facilitating the Proxy Mobile IP session will not allow simultaneous Simple IP and Mobile IP sessions for the MN.
 
Configuring Local Subscriber Profiles for Proxy-MIP on a PDSN
This section provides information and instructions for configuring local subscriber profiles on the system to support Proxy Mobile IP on a PDSN.
configure
   context <context_name>
      subscriber name <subscriber_name>
         permission pdsn-simple-ip
         proxy-mip allow
         inter-pdsn-handoff require ip-address
         mobile-ip home-agent <ha_address>
         <optional> mobile-ip home-agent <ha_address> alternate
         ip context-name <context_name>
         end
Verify that your settings for the subscriber(s) just configured are correct.
show subscribers configuration username <subscriber_name>
Notes:
Optional: If you have enabled the Proxy-MIP HA Failover feature, use the mobile-ip home-agent ha_address alternate command to specify the secondary, or alternate HA.
Save your configuration as described in Verifying and Saving Your Configuration.
 
Configuring Local Subscriber Profiles for Proxy-MIP on a PDIF
This section provides instructions for configuring local subscriber profiles on the system to support Proxy Mobile IP on a PDIF.
configure
   context <context_name>
      subscriber name <subscriber_name>
         proxy-mip require
Note
subscriber_name is the name of the subscriber and can be from 1 to 127 alpha and/or numeric characters and is case sensitive.
 
Configuring Default Subscriber Parameters in Home Agent Context
It is very important that the subscriber default, configured in the same context as the HA service, has the name of the destination context configured. Use the configuration example below:
configure
   context <context_name>
      subscriber default
         ip context-name <context_name>
         end
Save your configuration as described in Verifying and Saving Your Configuration.
 
Configuring APN Parameters
This section provides instructions for configuring the APN templates to support Proxy Mobile IP for all IP PDP contexts they facilitate.
Important: This is an optional configuration. In addition, attributes returned from the subscriber’s profile for non-transparent IP PDP contexts take precedence over the configuration of the APN.
These instructions assume that you are at the root prompt for the Exec mode:
 
[local]host_name#
Step 1
 
configure
The following prompt appears:
 
[local]host_name(config)#
Step 2
 
context <context_name>
context_name is the name of the system destination context designated for APN configuration. The name must be from 1 to 79 alpha and/or numeric characters and is case sensitive.
The following prompt appears:
 
[<context_name>]host_name(config-ctx)#
Step 3
 
apn <apn_name>
apn_name is the name of the APN that is being configured. The name must be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).
The following prompt appears:
 
[<context_name>]host_name(config-apn)#
Step 4
 
proxy-mip required
This command causes proxy Mobile IP to be supported for all IP PDP contexts facilitated by the APN.
Step 5
Optional. The GGSN/FA MN-NAI extension can be skipped in the MIP Registration Request by entering the following command:
 
proxy-mip null-username static-homeaddr
This command enables acceptance of MIP Registration Requests without NAI extensions in this APN.
Step 6
 
end
The following prompt appears:
 
[local]host_name#
Step 7
Repeat step 1 through step 6 as needed to configure additional APNs.
Step 8
 
show apn { all | name <apn_name> }
The output is a detailed listing of configured APN parameter settings.
Step 9
Save your configuration as described in Verifying and Saving Your Configuration.
 

Cisco Systems Inc.