For handsets that do not support mobile IP, PDIF supports proxy mobile IP. If the MS is not suitable for proxy mobile IP registration, it may still be allowed to establish a simple IP session, in which case the traffic is routed directly to the Internet or corporate network from the PDIF. This behavior is controlled through the proxy-mip-required configuration in the domain, local default subscriber, or the corresponding Diameter AVP or RADIUS Access Accept. If this is not present, establishing a simple IP session is permitted.

Although not required for Proxy-MIP, this manual documents Proxy-MIP with a custom-designed feature called multiple authentication (Multi-Auth). Instead of the more usual subscriber authentication, Multi-Auth requires that both the device and the subscriber be authenticated, using EAP/AKA authentication for the first stage (the device authentication) and GTC/MD5 for the second stage (the subscriber authentication). For this installation, neither GTC nor MD5 is supported, which means authentication is done using PAP/CHAP instead.

When the DMH successfully sets up mobile IP, it receives the home address from the HA. The DMH then establishes a second IPSec tunnel using this HA. Once the DMH successfully establishes the second IPSec tunnel with the PDIF/FA, the PDIF/FA tears down the first TIA-based IPSec tunnel to free the TIA, which then returns to the IP address pool. If required, use the no release-tia command in config-subscriber mode to prevent the TIA from returning to the pool. The DMH sends packetized voice and data through the PDIF/FA to the HA through the second IPSec tunnel.
Important: Simple IP fallback is disabled by default. Use the pdif mobile-ip simple-ip-fallback command in config-subscriber mode to enable simple IP fallback.
context <pdif-in>

For more information about PSC2s, see the Product Overview Guide.

Important: Mobile IP registration revocation is also supported for proxy mobile IP. However, in this implementation, only the HA can initiate the revocation.
There are several known Denial of Service (DoS) attacks associated with IKEv2. Through a configurable option in the Config Crypto-Template mode, the PDIF can implement the IKEv2 “cookie challenge” payload method as described in [RFC 4306]. This is intended to protect the PDIF against creating too many half-opened sessions or similar resource-exhaustion conditions. The feature is disabled by default. If the IKEv2 cookie feature is enabled, when the number of half-opened IPSec sessions exceeds the configured limit (or the trigger point of another detection mechanism), the PDIF invokes the cookie challenge payload mechanism to ensure that only legitimate subscribers are initiating the IKEv2 tunnel request, and not a spoofed-source attack.
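The following is an added illustration of the RFC 4306 cookie challenge as a responder applies it; it is not the PDIF's own code. The class name, the half-open limit and the counter names (chosen to mirror the Cookie Notify fields of the show command output) are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class Ikev2CookieResponder:
    """Constructed model of an IKEv2 responder that switches to stateless
    cookie challenges once too many IKE_SA_INIT exchanges are half-open."""

    def __init__(self, half_open_limit, secret=None):
        self.half_open_limit = half_open_limit
        self.secret = secret or secrets.token_bytes(32)  # rotated periodically in practice
        self.secret_version = 1
        self.half_open = {}  # SPIi -> initiator IP; IKE_SA_INIT answered, IKE_AUTH pending
        # counters modelled on the "Cookie Notify ..." statistics of the page
        self.stats = {"sent": 0, "received": 0, "match": 0, "not_match": 0}

    def _cookie(self, ni, ip_i, spi_i):
        # RFC 4306 2.6: Cookie = <VersionIDofSecret> | <Hash(Ni | IPi | SPIi | <secret>)>
        mac = hmac.new(self.secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def handle_sa_init(self, ni, ip_i, spi_i, cookie=None):
        """Process one IKE_SA_INIT request; returns (response_kind, cookie_or_None)."""
        if len(self.half_open) >= self.half_open_limit:
            expected = self._cookie(ni, ip_i, spi_i)
            if cookie is None:
                # Challenge without allocating any state: a spoofed source that
                # never sees the reply cannot echo the cookie back.
                self.stats["sent"] += 1
                return ("COOKIE", expected)
            self.stats["received"] += 1
            if not hmac.compare_digest(cookie, expected):
                self.stats["not_match"] += 1
                return ("INVALID_COOKIE", None)  # dropped without creating state
            self.stats["match"] += 1
        # Below the limit, or the cookie verified: allocate the half-open session.
        self.half_open[spi_i] = ip_i
        return ("SA_INIT_RESPONSE", None)

    def complete_auth(self, spi_i):
        """IKE_AUTH finished (or timed out): the session is no longer half-open."""
        self.half_open.pop(spi_i, None)
```

The cookie binds the initiator's address and SPI, so a cookie captured for one source does not verify when replayed from another.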
• show crypto managers summary ikev2-stats: Shows the total number of invalid cookies per manager instance.
• show crypto managers summary npu-stats: Shows NPU statistics on each IPSec manager.
• show crypto statistics: Shows the combined data statistics for the given context name. Includes the number of cookie flows, the number of cookie flow packets, and the total number of cookie errors.
• show crypto statistics ikev2: Shows the control statistics for a given context name. Includes the output for show crypto statistics, plus Total IKEv2 Cookie Statistics, Cookie Notify Sent, Cookie Notify Received, Cookie Notify Match, Cookie Notify NOT Match, and Invalid Notify Payload Cookie.

Important: See also Diameter Authentication Failure-Handling in the Command Line Interface Reference.
Important: RADIUS attributes and customizable dictionary types are described in the AAA and GTPP Interface Administration and Reference. For the impact of attributes in Request and Reply messages, see also Mobile IP Native Simple IP Call Minimum Requirements. There is additional attribute information in the Session Termination section in Troubleshooting.
• 3GPP2-Serving-PCF. The generation of each new custom dictionary requires a new PDIF image. Configured in the pdif-service mode, the command aaa attribute 3gpp2-serving-pcf <ip-address> specifies the required values for the attribute without building a new software image. If configured, this attribute is sent in RADIUS accounting messages.

Important: The SN-Proxy-MIP attribute is required when PDIF supports proxy mobile IP. The PDIF-Mobile-IP-Required attribute is SN1-PDIF-MIP-Required. These attributes need to be returned in a AAA response message or the mobile IP call fails, although there might be an option for simple IP call setup. See the Sample Deployments section for more information on attribute messaging.
For more information on configuring port-switch-on-l3-fail, see Ethernet Interface Configuration Commands in the Command Line Interface Reference and Creating and Configuring Ethernet Interfaces and Ports in the System Element Configuration Procedures section of the System Administration Guide.

Important: For a number of failure scenarios involving Dead Peer Detection, refer to the Troubleshooting chapter.
Congestion control is an operator-configurable facility. When the PDIF chassis reaches certain limits (based on CPU utilization, port utilization, and other controls) the system enters a congested state. When in a congested state, existing calls are not impacted but new calls are potentially restricted.

There is a separate subscriber-level configuration to enable/disable the feature on a per-subscriber basis. There is also a subscriber-level configurable for inactivity-time and connect-time thresholds to remove some old and abandoned calls from the system.
• If only idle-time-threshold is configured, sessions exceeding this threshold would be selected for disconnection.
• If only connect-time-threshold is configured, sessions exceeding this threshold would be selected for disconnection.
• If both idle-time-threshold and connect-time-threshold are configured, sessions with an idle-time greater than the idle-time threshold and a connect-time greater than the connect-time-threshold would be selected for disconnection.
• If neither idle-time-threshold nor connect-time-threshold is configured, sessions are sorted based on the idle-timer, and sessions with a longer idle-timer are deleted first.

Important: For more configuration information, refer to Global Configuration in the Command Line Interface Reference.
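The four selection rules above, written out as an added example (not the PDIF's own code) over a constructed set of sessions; the Session fields and function name are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    idle_time: int     # seconds since the last packet was seen
    connect_time: int  # seconds since the session was established


def select_for_disconnect(sessions, idle_time_threshold=None, connect_time_threshold=None):
    """Return the sessions congestion control would pick for disconnection.

    None means the threshold is not configured. With both thresholds set a
    session must exceed both; with neither set, the list is ordered longest
    idle first and the caller disconnects as many as it needs from the front.
    """
    if idle_time_threshold is None and connect_time_threshold is None:
        return sorted(sessions, key=lambda s: s.idle_time, reverse=True)
    chosen = []
    for s in sessions:
        # an unconfigured threshold is vacuously satisfied
        idle_exceeded = idle_time_threshold is None or s.idle_time > idle_time_threshold
        conn_exceeded = connect_time_threshold is None or s.connect_time > connect_time_threshold
        if idle_exceeded and conn_exceeded:
            chosen.append(s)
    return chosen


# Constructed sample: an active call, a briefly idle call, an old abandoned call, an old active call.
SAMPLE = [
    Session("A", idle_time=10, connect_time=100),
    Session("B", idle_time=600, connect_time=50),
    Session("C", idle_time=900, connect_time=7200),
    Session("D", idle_time=30, connect_time=9000),
]


def selected_ids(idle_time_threshold=None, connect_time_threshold=None):
    return [s.session_id for s in select_for_disconnect(SAMPLE, idle_time_threshold, connect_time_threshold)]
```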
Important: For more information including full definitions for each of the trigger behaviors, see Configuring Crypto Template in Configuration, and also see the Command Line Interface Reference.
Important: Contact your local Sales or Support representative for information on how to obtain a license.
• The IPv4 address for the service: This is the PDIF IP address to which the MS tries to connect. The MS sends IKEv2 messages to this IP address and this address must be a valid address in the context. PDIF service will not be up and running if this IP address is not configured.
• The name of the crypto template for IKEv2: A crypto template is used to configure an IKEv2 PDIF IPSec policy. It includes most of the IPSec parameters and IKEv2 parameters for keep-alive, lifetime, NAT-T and cryptographic and authentication algorithms. There must be one crypto template per PDIF service. The PDIF service will not be up and running without a crypto-template configuration.
• The EAP profile name: This profile defines the EAP authentication methods.
• Multiple authentication support: The multiple authentication configuration is a part of the crypto template.
• IKEv2 and IPSec transform sets: These define the negotiable algorithms for IKE SA and CHILD SA setup to connect calls to the PDIF/FA.
• Configure the setup timeout value: The MS connection attempt is terminated if the MS does not establish a successful connection within the configured value.
• Mobile IP foreign agent context and foreign agent service: This defines the system context where mobile IP foreign agent functionalities are configured.
• Max-sessions: The maximum number of subscriber sessions allowed by this PDIF service.
• PDIF supports a domain template for storing domain related configuration: The domain name is taken from the received NAI and searched in the domain template database.
• 3GPP2 serving PCF address: This configurable specifies what value in the RADIUS attribute when sending authentication and accounting messages.
• Duplicate session detection parameters: PDIF supports either NAI (first phase authentication) or IMSI to be used for duplicate session detection. This configuration specifies whether duplicate session detection is based on IMSI or NAI. The default is NAI.

diameter authentication <failure-handling> session-termination-request

Important: Refer to Configuring Diameter Authentication Failure Handling in the AAA and GTPP Interface Administration and Reference and the Command Line Interface Reference for more information.
Important: Refer to the Maintenance chapter in this guide for information on how to perform the upgrade.
Important: Online upgrade requires miscellaneous internal processing that may result in intensive CPU utilization. Up to 50% CPU utilization overhead should be expected during the upgrade.
Important: Ingress and egress contexts could be the same context. The SRP context must be a separate context.
• Task recovery mode: Wherein one or more session manager failures occur and are recovered without the need to use resources on a standby PSC. In this mode, recovery is performed by using the mirrored standby-mode session manager tasks running on active PSCs. The standby-mode task is renamed, made active, and is then populated using information from other tasks such as AAA manager.
• Full PSC recovery mode: Used when a PSC hardware failure occurs, or when a PSC migration failure happens. In this mode, the standby PSC is made active and the standby-mode session manager and AAA manager tasks on the newly-activated PSC perform session recovery.

Important: For more information on session recovery support, refer to Session Recovery in this guide.
Refer to Sample Deployments for a full description of how a variety of calls are successfully set up (and torn down) in a variety of network scenarios.

Network operators with handsets that are mobile IP capable may want the MS to be connected to the network and capable of doing data transfer even though the mobile IP registration process might fail under certain situations. If the mobile IP registration failures are due to HA reachability issues or any authentication problems, the MS should still be able to connect to the network using a simple IP connection, assuming that simple IP fallback is enabled in the PDIF configuration. See Simple IP and Simple IP Fallback in this chapter for a full description of this type of network configuration.
• Proxy mobile IP is configured through the proxy-mip-required configuration, or the corresponding Diameter AVP or RADIUS Access Accept messages. If neither is present, the PDIF establishes a simple IP session and routes the call to the Internet or corporate network.

Important: Even if the PDIF confirms MULTIPLE_AUTH_SUPPORTED capability in the initial IKEv2 setup response, the MS may not support multiple authentication and hence may not include a MULTIPLE_AUTH_SUPPORTED Notify payload in the subsequent IKEv2 AUTH exchange. In this case, the MS may only go through the first phase (EAP-AKA) of device authentication.
Important: First-phase authentication refers to device authentication, and second-phase authentication refers to subscriber authentication.
When the aaa-large-configuration command is issued, this number becomes 800 AAA groups and 1600 RADIUS servers configured within the chassis. Please see the document AAA and GTPP Interface Administration and Reference for information on AAA, RADIUS, and Diameter groups.

In general, session attributes during first-phase authentication are overwritten by those from second-phase authentication, unless specified separately. Exceptions to this include session-timeout and idle-timeout, where the lower values are taken.

If multiple-auth-supported is not enabled on the PDIF, and the MS still sends a MULTIPLE_AUTH_SUPPORTED Notify payload marked with the critical bit set, the PDIF returns UNSUPPORTED_PAYLOAD. Otherwise, the PDIF ignores it and processes the IKE packet as if the payload was never received. This is non-standard MS behavior.

Important: The multiple authentication process in a proxy mobile IP network is described in the Proxy-MIP chapter in this guide.