
AAA-Generated Cryptographic Keys

 

Two cryptographic keys are generated by Steel-Belted Radius Carrier:

  • Home agent root key (HA-RK)

  • DHCP server root key (DHCP-RK)

The Steel-Belted Radius Carrier generates the keys and their associated security parameter indexes (SPI) and determines the lifetime of both keys.

Home Agent Root Key (HA-RK)

At least one HA-RK must be generated for each home agent. The HA-RK is a random number generated by the Steel-Belted Radius Carrier. The attribute used for the key is WiMAX-hHA-RK-KEY or WiMAX-vHA-RK-KEY.

When the Access-Accept message is sent to the access services network gateway (ASN-GW), the Steel-Belted Radius Carrier queries its internal HA-RK list for the home agent and selects the HA-RK with the longest remaining lifetime. If the remaining lifetime of all HA-RKs is less than the master session key (MSK) lifetime (the value of the Session-Timeout attribute), then the Steel-Belted Radius Carrier server generates a new HA-RK with a lifetime longer than the MSK lifetime.

The Steel-Belted Radius Carrier generates a unique SPI for each home agent (HA-RK-SPI attribute). The SPI is a 32-bit integer that is randomly generated. The home agent is identified by a combination of its IPv4 address and the HA-RK-SPI attribute.

The HA-RK-Lifetime attribute represents the lifetime of HA-RK-KEY. The Session-Timeout attribute is sent by the Steel-Belted Radius Carrier to the ASN-GW in the Access-Accept message. It specifies the lifetime of the MSK and all extended master session key (EMSK) derived keys, and indicates the maximum number of seconds of service to be provided to the user before termination of the session. The Session-Timeout attribute is configurable using Web GUI or through an external SQL or LDAP database.

Make sure to configure the HA-RK-Lifetime attribute significantly larger than the Session-Timeout attribute.

The HA-RK key is destroyed only when its lifetime has expired.

After the HA-RK key has been generated, it is stored for possible future retrieval. One or more keys are stored for each home agent.

Allowing the VAAA to Assign the HA-RK

If the hHA-IP-MIP4 attribute is received from the ASN-GW in an Access-Request, it indicates that the VCSN proxy AAA server (VAAA) is capable of assigning the home agent IP address, vHA-RK-Key, vHA-RK-SPI, and vHA-RK-Lifetime values. If the Allow-VAAA-To-Assign-Home-Agent-And-DHCP-Server parameter is set to 1 in the wimax.ini file, Steel-Belted Radius Carrier allows the VAAA to set these values, echoes the received hHA-IP-MIP4 as vHA-IP-MIP4 and attaches the vHA-IP-MIP4, MN-vHA-MIP4-KEY, and MN-vHA-MIP4-SPI attributes to the Access-Accept message. For more information see Home Agent and DHCP Server Assignment.

DHCP Server Root Key (DHCP-RK)

The DHCP-RK is very similar to the HA-RK. However, instead of an SPI, the DHCP-RK is identified by the DHCP-RK-Key-ID attribute.

If the DHCP-RK-Key-ID attribute is received in the Access-Request from the DHCP server, it contains the identifier of one of the DHCP-RK keys for the DHCP server.

The DHCP-RK is a random number generated by the Steel-Belted Radius Carrier server. At least one DHCP-RK must be generated for each DHCP server. The DHCP server is identified by the DHCPv4-Server attribute. The [DHCP-Servers] section of wimax.ini lists the IPv4 addresses of all allowed DHCP servers.

When Steel-Belted Radius Carrier sends the Access-Accept message to the ASN-GW, the server queries the DHCP-RK list for that DHCP server and selects the DHCP-RK with the longest lifetime. If the remaining lifetime of all DHCP-RKs is less than the MSK lifetime (value of the Session-Timeout attribute), then Steel-Belted Radius Carrier generates a new DHCP-RK with a longer lifetime than the MSK lifetime.
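The selection rule described above for both the HA-RK and the DHCP-RK (longest remaining lifetime wins, a fresh key is generated when every key would expire before the MSK, expired keys are destroyed, SPIs are random and unique per peer) can be modelled as follows. This is an added Python example, not SBR Carrier code; the RootKeyStore and RootKey names, the 20-byte key length and the "at least 2x Session-Timeout" threshold are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RootKey:
    key: bytes       # random root-key material (HA-RK-KEY or DHCP-RK)
    spi: int         # 32-bit random SPI (HA-RK-SPI); a DHCP-RK would carry a Key-ID here
    expires_at: int  # absolute time in seconds after which the key is destroyed

    def remaining(self, now: int) -> int:
        return max(0, self.expires_at - now)


class RootKeyStore:
    """One key list per peer (home agent or DHCP server), keyed by its IPv4 address."""

    def __init__(self, root_key_lifetime: int, session_timeout: int):
        # The page requires the root-key lifetime to be significantly larger than
        # Session-Timeout (the MSK lifetime); the 2x threshold is an assumption.
        if root_key_lifetime < 2 * session_timeout:
            raise ValueError("root-key lifetime must be significantly larger than Session-Timeout")
        self.lifetime = root_key_lifetime
        self.session_timeout = session_timeout
        self.keys: dict[str, list[RootKey]] = {}

    def _generate(self, peer_ip: str, now: int) -> RootKey:
        # SPI is a random 32-bit integer and must be unique for this peer.
        used = {k.spi for k in self.keys.get(peer_ip, [])}
        spi = secrets.randbits(32)
        while spi in used:
            spi = secrets.randbits(32)
        new_key = RootKey(secrets.token_bytes(20), spi, now + self.lifetime)
        self.keys.setdefault(peer_ip, []).append(new_key)
        return new_key

    def select(self, peer_ip: str, now: int) -> RootKey:
        """Pick the key with the longest remaining lifetime; if every key's remaining
        lifetime is below the MSK lifetime, generate a fresh key that outlives it."""
        live = [k for k in self.keys.get(peer_ip, []) if k.remaining(now) > 0]
        self.keys[peer_ip] = live  # a key is destroyed only once its lifetime has expired
        if live:
            best = max(live, key=lambda k: k.remaining(now))
            if best.remaining(now) >= self.session_timeout:
                return best
        return self._generate(peer_ip, now)
```

Older keys stay in the list until they expire, which is why several keys can be stored for one peer at a time.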

The DHCP-RK-Lifetime attribute represents the lifetime of DHCP-RK. This attribute is attached to the Access-Accept by SBR Carrier, and sent to the ASN-GW. Make sure to configure the DHCP-RK-Lifetime attribute with a value significantly larger than the Session-Timeout attribute. The DHCP-RK lifetime configuration is added to wimax.ini. The configuration is global. It applies to all DHCP-RKs.

The Session-Timeout attribute specifies the lifetime of MSK and all EMSK derived keys, and is the maximum number of seconds of service to be provided to the user before termination of the session. The Session-Timeout attribute is configurable using the Web GUI or through an external SQL or LDAP database. Make sure to configure the Session-Timeout attribute value significantly smaller than the DHCP-RK-Lifetime attribute.

The DHCP-RK key is destroyed only when its lifetime has expired.

After the DHCP-RK key has been generated at the time of ASN-GW authentication, the key is stored for possible future retrieval. One or more keys are stored for each DHCP server, where the DHCP server is identified by its IPv4 address.