Use the IPv4 HA Nodal test case to test an HA's ability to process MN registrations and mobility events, and to handle bearer plane traffic destined for a roaming MN. The options available in the test case allow you to configure tests that simulate the access models described below:
Use the CDMA/WiFi Convergence test case to test a PDIF-FA's ability to properly register and service MNs entering the network from a wireless LAN in the WLAN access model.
In an IPv4 network, the process by which an MN attaches to a network can be summarized as follows:
The MN determines, based on the Agent Advertisements it receives after connecting to a network, whether it is in its home network or in a foreign network and which, if any, agents are available to service it.
If the MN has joined a foreign network that provides Foreign Agent mobility services, the MN attempts to register with an FA. The FA relays the registration request to the MN's HA, and responds to the MN with the result of the request.
If the MN has joined a foreign network that does not provide FA services, the MN obtains a co-located care-of address from an external source, such as DHCP, and attempts to register the address with its HA.
If the MN has connected to its home network, it registers directly with its HA and, if it is returning from a foreign network, de-registers any care-of address. In IPv4 testing, the MNs always initially connect to a foreign network.
Various types of MIP authentication may be used during the process: MN-HA authentication is always required, while MN-FA and FA-HA authentication may be performed. In addition, the HA may authenticate the MN with a AAA server.
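The following added example (not part of the test case or of any product code) shows what the mandatory MN-HA check protects: the HA recomputes the Mobile-Home Authentication Extension over the Registration Request, so a care-of address altered in transit is rejected. It assumes the RFC 3344 message layout and its default HMAC-MD5 algorithm; the key, SPI, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

REG_REQUEST, MN_HA_AUTH_EXT = 1, 32        # RFC 3344 message / extension types
FIXED_LEN = 24                             # fixed part of a Registration Request
ACCEPTED, MN_FAILED_AUTH, POORLY_FORMED = 0, 131, 134   # RFC 3344 reply codes

def build_request(key, spi, home, ha, coa, ident, flags=0, lifetime=1800):
    """MN side: fixed fields followed by a Mobile-Home Authentication Extension."""
    fixed = struct.pack("!BBH4s4s4s8s", REG_REQUEST, flags, lifetime,
                        socket.inet_aton(home), socket.inet_aton(ha),
                        socket.inet_aton(coa), ident)
    ext_hdr = struct.pack("!BBI", MN_HA_AUTH_EXT, 20, spi)  # length = SPI(4) + MAC(16)
    # The authenticator covers everything up to and including the SPI.
    return fixed + ext_hdr + hmac.new(key, fixed + ext_hdr, hashlib.md5).digest()

def ha_verify(packet, keys_by_spi):
    """HA side: return the reply code for a received Registration Request."""
    if len(packet) < FIXED_LEN or packet[0] != REG_REQUEST:
        return POORLY_FORMED
    off = FIXED_LEN
    while off + 2 <= len(packet):
        ext_type, ext_len = packet[off], packet[off + 1]
        end = off + 2 + ext_len
        if end > len(packet):
            return POORLY_FORMED
        if ext_type == MN_HA_AUTH_EXT:
            if ext_len < 4:
                return POORLY_FORMED
            (spi,) = struct.unpack_from("!I", packet, off + 2)
            key = keys_by_spi.get(spi)
            if key is None:
                return MN_FAILED_AUTH          # no security association for this SPI
            expected = hmac.new(key, packet[:off + 6], hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[off + 6:end])
            return ACCEPTED if ok else MN_FAILED_AUTH
        off = end
    return MN_FAILED_AUTH                      # extension absent: never accept

# Constructed sample values (documentation address ranges, made-up key and SPI).
KEYS = {0x100: b"constructed-mn-ha-key"}
REQUEST = build_request(KEYS[0x100], 0x100, "10.0.0.5", "192.0.2.1",
                        "198.51.100.7", b"\x00\x00\x00\x01\x00\x00\x00\x00")
# Same request with the care-of address (bytes 12-15) rewritten in transit.
TAMPERED = REQUEST[:12] + socket.inet_aton("203.0.113.9") + REQUEST[16:]
```

Calling ha_verify(REQUEST, KEYS) yields the accepted code, while TAMPERED, a request with the extension stripped, or one carrying an unknown SPI all yield code 131 (mobile node failed authentication).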
In the basic Mobile IPv4 access model, bearer plane traffic is routed differently depending on the location of the MN:
When the MN is in a foreign network and registered with an FA, the HA intercepts traffic that is directed towards the MN's home address and forwards the traffic to the MN's care-of address (typically an interface on the FA) using the encapsulation agreed upon during registration. The FA decapsulates the packets and forwards them to the MN. Reverse traffic from the MN is relayed to a Network Host using the FA as the MN's default router.
When the MN is in a foreign network and directly registered with its HA, the HA encapsulates and forwards traffic addressed to the MN's home address to the MN's co-located care-of address. In this case, the MN decapsulates the packets. The MN's co-located care-of address allows it to communicate directly with the HA or a Network Host without the assistance of an FA.
When you include FA support in an IPv4 HA Nodal test, the test system simulates the MNs and at least one FA, and can optionally simulate a Network Host for testing the bearer plane and multiple FAs for simulating inter-FA handoffs.
When you use co-located care-of addresses in an IPv4 HA Nodal test, the test system simulates the MNs and can optionally simulate a Network Host or MN mobility.
When you include HA support in an IPv4 FA Nodal test, the test system simulates the MNs and at least one HA, and can optionally simulate a Network Host for testing the bearer plane and multiple HAs for simulating inter-FA handoffs.
In the Reverse Tunnel model, bearer plane traffic in the reverse direction, from the MN to a Network Host, is tunneled to the HA rather than routed directly to the Network Host. The HA decapsulates the packets and then relays them towards the Network Host.
When you include FA support in an IPv4 HA Nodal test, the test system simulates the MNs and at least one FA, and can optionally simulate a Network Host for testing the bearer plane and multiple FAs for simulating inter-FA handoffs.
When you use co-located care-of addresses in an IPv4 HA Nodal test, the test system simulates the MNs and can optionally simulate a Network Host or MN mobility.
When you include HA support in an IPv4 FA Nodal test, the test system simulates the MNs and at least one HA, and can optionally simulate a Network Host for testing the bearer plane and multiple HAs for simulating inter-FA handoffs.
The Mobile IP Virtual Private Network (VPN) model allows MN access to a private home network. Its structure is the same as the Reverse Tunnel model explained above, with one exception. In the reverse tunnel model, the HA is in the service provider network; in the VPN model, the HA belongs to the private network. If the HA is also a security gateway, IPSec can be used to secure bearer plane packets between the MN and the HA.
As with the reverse tunnel model, all data packets are routed through the HA. Since the HA is in the private network, the MNs can use private addresses and NAT traversal is supported.
When you include FA support (shown) or use co-located care-of addresses, you can add IPSec and encrypt bearer plane traffic between the MNs and the HA.
When you include HA support (shown) or use co-located care-of addresses, you can add IPSec and encrypt bearer plane traffic between the MNs and the FA.
The Mobile IPv4 Network-Based VPN model allows MN access to a private network by establishing an IPSec tunnel between the MN and a Security Gateway on the perimeter of the private network. In contrast with the Mobile IP VPN model, the HA is in the service provider's network, and may have no knowledge of the private network.
As with the reverse tunnel model, all data packets are routed through the HA. The MN obtains its home address from the HA, and that address must be unique across the HA. The MN may request that the Security Gateway assign a private address to the IPSec tunnel, and NAT-T is supported.
In an IPv4 HA Nodal test with an FA node (shown) or with co-located care-of addresses, you can add IPSec and encrypt bearer plane traffic between the MNs and the Security Gateway.
In an IPv4 FA Nodal test with an HA node (shown) or with co-located care-of addresses, you can add IPSec and encrypt bearer plane traffic between the MNs and the Security Gateway.
The MIPv4 WLAN access model provides access to a CDMA2000 network from a wireless LAN that is operated within a CDMA2000 network or from a wireless LAN that is operated by another entity that provides a portal to a CDMA2000 network through a business arrangement. The MN registers with its HA via a Packet Data Interworking Function (PDIF) that includes FA functionality.
In this case, the MN receives a co-located care-of address from the WLAN and then attempts to establish an IPSec SA with the PDIF-FA in order to secure all control plane traffic prior to registration. The PDIF-FA may be located in a foreign network, as shown, or in the home network. Bearer-plane traffic in the reverse direction is always tunneled to the HA.
Test a PDIF-FA in a nodal configuration using the test case's default configuration. The test case emulates the MNs, an HA, and an optional Network Host.
The CDMA/WiFi Convergence test case also supports an end-to-end configuration. In this case, a primary and optional secondary HA can be included in the test.
The VPN configurations described above are also supported. IPSec can be used with bearer plane traffic between the MN and a Security Gateway and can be used with control plane traffic between the PDIF-FA and an HA node.
In addition to performing the functions of a PDSN — access control, IP address allocation, policy enforcement, and accounting collection — and providing FA mobility support, the PDIF is also a security gateway for the CDMA2000 network.
When an MN joins a WLAN, it receives an IP address from the wireless network and access to the Internet. An attempt to access a CDMA2000 service will trigger the registration process, and that is the starting point for a test. Co-located Care-of Address defines the MN's WLAN address.
When an MN attempts to register, it begins by locating an FA through the agent discovery process. The PDIF-FA should respond with an Agent Advertisement message. After it locates the FA, the MN attempts to establish an IPSec tunnel and requests that an IP address be assigned to the tunnel.
IKEv2 is required to provide MOBIKE support and EAP authentication support. MOBIKE allows IKE and IPSec SAs to be updated when a peer moves from one network to another, resulting in a change of IP address, thereby maintaining the integrity of the SAs and the IPSec tunnel.
During IKE Phase I, the PDIF-FA authenticates the MN with its home AAA server using either EAP-AKA or EAP-TLS with pre-shared keys. When an MN is registering from a foreign network, the PDIF-FA interfaces with a Visited AAA server (VAAA) which in turn interfaces with the MN's Home AAA server (HAAA), either directly or through Broker AAA servers. The PDIF-FA/AAA interface supports both RADIUS and Diameter, and AAA Server Node test cases can be used to simulate a VAAA and an HAAA.
Once the IPSec SA is established, MIP registration commences and is secured by IPSec. The address assigned during SA negotiation becomes the MN's care-of address registered with the HA. If the MN successfully registers, the PDIF-FA opens an accounting session on the HAAA and the MN is free to access CDMA2000 services.
Session termination can be initiated by the MN (shown), by the PDIF, or by the PDIF at the behest of the HAAA. The peer that initiates the disconnect sends an IKEv2 Informational request with a Delete payload to the remote peer. If the disconnect is initiated by the network, accounting is stopped prior to the Delete request.