

AAA-Generated Cryptographic Keys

Steel-Belted Radius Carrier generates two cryptographic keys: the Home Agent Root Key (HA-RK) and the DHCP Server Root Key (DHCP-RK).

Steel-Belted Radius Carrier generates the keys and their associated security parameter indexes (SPIs) and determines the lifetime of both keys.

Home Agent Root Key (HA-RK)

At least one HA-RK must be generated for each HA. The HA-RK is a random number generated by the Steel-Belted Radius Carrier. The attribute used for the key is WiMAX-hHA-RK-KEY or WiMAX-vHA-RK-KEY.

When the Access-Accept message is sent to the access services network gateway (ASN-GW), the Steel-Belted Radius Carrier queries its internal HA-RK list for the HA and selects the HA-RK with the longest remaining lifetime. If the remaining lifetime of all HA-RKs is less than the master session key (MSK) lifetime (the value of the Session-Timeout attribute), then the Steel-Belted Radius Carrier server generates a new HA-RK with a longer lifetime than the MSK lifetime.

The Steel-Belted Radius Carrier generates a unique SPI for each HA (HA-RK-SPI attribute). The SPI is a 32-bit integer that is randomly generated. The HA is identified by a combination of its IPv4 address and the HA-RK-SPI attribute.

The HA-RK-Lifetime attribute represents the lifetime of HA-RK-KEY. The Session-Timeout attribute is sent by the Steel-Belted Radius Carrier to the ASN-GW in the Access-Accept message. It specifies the lifetime of the MSK and all extended master session key (EMSK) derived keys, and indicates the maximum number of seconds of service to be provided to the user before termination of the session. The Session-Timeout attribute is configurable using SBR Administrator, or through an external SQL or LDAP database.

Make sure to configure the HA-RK-Lifetime attribute significantly larger than the Session-Timeout attribute.

The HA-RK key is destroyed only when its lifetime has expired.

After the HA-RK key has been generated, it is stored for possible future retrieval. One or more keys are stored for each HA.

Allowing the VAAA to Assign the HA-RK

If the vHA-IP-MIP4 attribute is received from the ASN-GW in an Access-Request, it indicates that the VCSN proxy AAA server (VAAA) is capable of assigning the HA IP address, vHA-RK-Key, vHA-RK-SPI, and vHA-RK-Lifetime values. If the Allow-VAAA-To-Assign-Home-Agent-And-DHCP-Server parameter is set to 1 in the wimax.ini file, Steel-Belted Radius Carrier allows the VAAA to set these values, and attaches the vHA-IP-MIP4, MN-vHA-MIP4-KEY, and MN-vHA-MIP4-SPI attributes to the Access-Accept message. For more information, see Assigning the IP Address of the HA and DHCP Server.

DHCP Server Root Key (DHCP-RK)

The DHCP-RK is very similar to the HA-RK. However, instead of an SPI, the DHCP-RK is identified by the DHCP-RK-Key-ID attribute.

If the DHCP-RK-Key-ID attribute is received in the Access-Request from the DHCP server, it contains the identifier of one of the DHCP-RK keys for the DHCP server.

The DHCP-RK is a random number generated by the Steel-Belted Radius Carrier server. At least one DHCP-RK must be generated for each DHCP server. The DHCP server is identified by the DHCPv4-Server attribute. The [DHCP-Servers] section of wimax.ini lists the IPv4 addresses of all allowed DHCP servers.

When Steel-Belted Radius Carrier sends the Access-Accept message to the ASN-GW, the server queries the DHCP-RK list for that DHCP server and selects the DHCP-RK with the longest remaining lifetime. If the remaining lifetime of all DHCP-RKs is less than the MSK lifetime (the value of the Session-Timeout attribute), then Steel-Belted Radius Carrier generates a new DHCP-RK with a longer lifetime than the MSK lifetime.

The DHCP-RK-Lifetime attribute represents the lifetime of the DHCP-RK. This attribute is attached to the Access-Accept by Steel-Belted Radius Carrier and sent to the ASN-GW. Make sure to configure the DHCP-RK-Lifetime attribute with a value significantly larger than the Session-Timeout attribute. The DHCP-RK lifetime is configured in wimax.ini; the setting is global and applies to all DHCP-RKs.

The Session-Timeout attribute specifies the lifetime of MSK and all EMSK derived keys, and is the maximum number of seconds of service to be provided to the user before termination of the session. The Session-Timeout attribute is configurable using SBR Administrator or through an external SQL or LDAP database. Make sure to configure the Session-Timeout attribute value significantly smaller than the DHCP-RK-Lifetime attribute.

The DHCP-RK key is destroyed only when its lifetime has expired.

After the DHCP-RK key has been generated at the time of ASN-GW authentication, the key is stored for possible future retrieval. One or more keys are stored for each DHCP server, where the DHCP server is identified by its IPv4 address.
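The selection and rotation rule described above for the HA-RK and here for the DHCP-RK is the same, so one added example models both: a per-server root-key list, selection of the key with the longest remaining lifetime, generation of a fresh key when no remaining lifetime covers the MSK lifetime (Session-Timeout), and destruction of a key only once its lifetime has expired. This is illustrative code, not Steel-Belted Radius Carrier's implementation; the key length, the use of a random 32-bit identifier for both key types (the page states this only for the HA-RK-SPI), and the one-second margin applied when the configured lifetime does not exceed the MSK lifetime are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RootKey:
    """One HA-RK or DHCP-RK entry: random key, identifier, absolute expiry."""
    key: bytes
    key_id: int        # HA-RK-SPI or DHCP-RK-Key-ID (32-bit random value, assumed for both)
    expires_at: float  # absolute time in seconds at which the lifetime has expired

    def remaining(self, now: float) -> float:
        return max(0.0, self.expires_at - now)


class RootKeyStore:
    """Root keys kept per server, keyed by the HA or DHCP server IPv4 address."""

    def __init__(self, key_lifetime: int, key_len: int = 20):
        self.key_lifetime = key_lifetime  # configured HA-RK-Lifetime / DHCP-RK-Lifetime
        self.key_len = key_len            # assumed length; not specified on this page
        self.keys = {}                    # server_ip -> list[RootKey]

    def _generate(self, server_ip: str, now: float, msk_lifetime: int) -> RootKey:
        # The new key must outlive the MSK; the +1 margin is an assumption of this example.
        lifetime = self.key_lifetime if self.key_lifetime > msk_lifetime else msk_lifetime + 1
        used = {k.key_id for k in self.keys.get(server_ip, [])}
        key_id = secrets.randbits(32)
        while key_id in used:             # identifier must be unique per server
            key_id = secrets.randbits(32)
        rk = RootKey(secrets.token_bytes(self.key_len), key_id, now + lifetime)
        self.keys.setdefault(server_ip, []).append(rk)
        return rk

    def select(self, server_ip: str, session_timeout: int, now: float) -> RootKey:
        """Key to attach to an Access-Accept for this server at time `now`."""
        # A key is destroyed only when its lifetime has expired.
        live = [k for k in self.keys.get(server_ip, []) if k.remaining(now) > 0]
        self.keys[server_ip] = live
        if live:
            best = max(live, key=lambda k: k.remaining(now))
            if best.remaining(now) >= session_timeout:
                return best
        # Every remaining lifetime is shorter than the MSK lifetime: generate a new key.
        return self._generate(server_ip, now, session_timeout)


def lifetime_config_ok(root_key_lifetime: int, session_timeout: int, factor: float = 2.0) -> bool:
    """Sanity check for 'significantly larger'; the factor is an assumed threshold."""
    return root_key_lifetime >= factor * session_timeout
```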
