This sub-section presents the details of the message flow of the overall GSABA architecture with FMIPv6, as shown in Figure 3.
* GSABA Address Discovery: The MN authenticates with Mobility Service Authorizer (i.e.
* Key Generation: During bootstrapping, the MN and the AAA server generate a new key, called the GSABA key, that might be derived from the EMSK generated after a successful EAP method authentication (some guidelines for further key derivation by using EMSK as a root key.
* BCID Generation: The MN and the GSABA AAA generate a new identifier called "Bootstrapping Client IDentifier" (BCID).
* ABIRES Message: Upon receiving the ABIREQ message, the GSABA Proxy sends an ABIRES message with the authorization decision and minimum information conveyed to the MN about the service points (e.g.
To secure FMIPv6 signaling messages, a handover key (HK) is derived from the GSABA key shared by the MN and the GSABA Proxy.
* Step 7: SIReq: After having received HKReq and nCoA validation, it forwards this HKReq message to GSABA using SIReq message.
* Step 8-9: HK and SIRsp: The GSABA checks the MAC contained in the HKReq from the MN and, if the check succeeds, derives a new handover key for the new candidate access router and returns an SIRsp message that includes the result code, the new handover key and the AAA nonce.
In GSABA, the GSABA key is used as the HMK to derive the HK as well as the HIK.
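The check-then-derive order of Steps 8-9 can be sketched as follows. This is an added example, not code from the GSABA specification: the page does not give the derivation function or the message layout, so the HMAC-SHA256 PRF, the labels, the field names, the result strings and the relay of the AAA nonce to the MN are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    # Assumed PRF: HMAC-SHA256 over a label and length-prefixed fields,
    # so field boundaries cannot be shifted without changing the output.
    msg = label + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_hik(hmk: bytes, mn_id: bytes) -> bytes:
    # HIK: integrity key for HKReq, derived from the GSABA key (the HMK).
    return prf(hmk, b"HIK", mn_id)

def derive_hk(hmk: bytes, mn_id: bytes, ar_id: bytes,
              mn_nonce: bytes, aaa_nonce: bytes) -> bytes:
    # HK: bound to one candidate access router and to both nonces.
    return prf(hmk, b"HK", mn_id, ar_id, mn_nonce, aaa_nonce)

def hkreq_mac(hmk: bytes, mn_id: bytes, ar_id: bytes, mn_nonce: bytes) -> bytes:
    # MAC over the HKReq fields, keyed with the HIK (assumed field set).
    return prf(derive_hik(hmk, mn_id), b"HKReq", mn_id, ar_id, mn_nonce)

def build_hkreq(hmk: bytes, mn_id: bytes, ar_id: bytes) -> dict:
    # MN side: fresh nonce, MAC computed with the HIK.
    mn_nonce = os.urandom(16)
    return {"mn_id": mn_id, "ar_id": ar_id, "mn_nonce": mn_nonce,
            "mac": hkreq_mac(hmk, mn_id, ar_id, mn_nonce)}

def gsaba_handle_sireq(hmk: bytes, hkreq: dict) -> dict:
    # GSABA side (Steps 8-9): verify the MAC in constant time first,
    # and derive no key material if verification fails.
    expected = hkreq_mac(hmk, hkreq["mn_id"], hkreq["ar_id"], hkreq["mn_nonce"])
    if not hmac.compare_digest(expected, hkreq["mac"]):
        return {"result": "FAILURE"}
    aaa_nonce = os.urandom(16)
    hk = derive_hk(hmk, hkreq["mn_id"], hkreq["ar_id"],
                   hkreq["mn_nonce"], aaa_nonce)
    return {"result": "SUCCESS", "hk": hk, "aaa_nonce": aaa_nonce}

if __name__ == "__main__":
    hmk = bytes(range(32))  # constructed GSABA key, for illustration only
    req = build_hkreq(hmk, b"mn@example", b"ar-1")
    rsp = gsaba_handle_sireq(hmk, req)
    print(rsp["result"], rsp["hk"].hex())
    # A request redirected to another router fails the MAC check.
    print(gsaba_handle_sireq(hmk, dict(req, ar_id=b"ar-2"))["result"])
```

Because the access router identifier is inside both the MAC and the HK derivation, a key issued for one candidate router is useless at another, and a relayed HKReq cannot be retargeted without the HIK.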
The GSABA Proxy is in essence an AAA server, which consists of the BCA and BAA Proxy collocated inside it.