pana_paa.cxx

/* BEGIN_COPYRIGHT                                                        */
/*                                                                        */
/* Open Diameter: Open-source software for the Diameter and               */
/*                Diameter related protocols                              */
/*                                                                        */
/* Copyright (C) 2002-2004 Open Diameter Project                          */
/*                                                                        */
/* This library is free software; you can redistribute it and/or modify   */
/* it under the terms of the GNU Lesser General Public License as         */
/* published by the Free Software Foundation; either version 2.1 of the   */
/* License, or (at your option) any later version.                        */
/*                                                                        */
/* This library is distributed in the hope that it will be useful,        */
/* but WITHOUT ANY WARRANTY; without even the implied warranty of         */
/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU      */
/* Lesser General Public License for more details.                        */
/*                                                                        */
/* You should have received a copy of the GNU Lesser General Public       */
/* License along with this library; if not, write to the Free Software    */
/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307    */
/* USA.                                                                   */
/*                                                                        */
/* In addition, when you copy and redistribute some or the entire part of */
/* the source code of this software with or without modification, you     */
/* MUST include this copyright notice in each copy.                       */
/*                                                                        */
/* If you make any changes that are appeared to be useful, please send    */
/* sources that include the changed part to                               */
/* diameter-developers@lists.sourceforge.net so that we can reflect your  */
/* changes to one unified version of this software.                       */
/*                                                                        */
/* END_COPYRIGHT                                                          */

#include "pana_paa.h"
#include "pana_serial_num.h"
#include "pana_config_manager.h"
#include "pana_cookie.h"

void PANA_Paa::ReceiveDiscover()
{
   PANA_Message &msg = *(m_RxMessageQueue.front());
   m_RxMessageQueue.pop_front();

   m_PeerDeviceId.clone(msg.srcDevices());
   m_PeerPort = msg.srcPort();
   
   if (PANA_CONFIG_AUTHAGENT().eap_piggyback_) {
       static_cast<PANA_PaaEventInterface&>(m_Event).EapStart
           (m_SeparateAuth);
       m_InStatefulDiscovery = true;
   }
   else {
       SendStartRequest(NULL);
   }
   delete &msg;
}

void PANA_Paa::Receive2ndEapStart()
{
   PANA_Message &msg = *(m_RxMessageQueue.front());
   m_RxMessageQueue.pop_front();

   // cancel bind answer retry
   m_Timer.Cancel(PANA_TID_PBR_RETRY);
   m_RtQueue.ClearFront();
   
   static_cast<PANA_PaaEventInterface&>(m_Event).EapStart
       (m_SeparateAuth);
   delete &msg;
}

void PANA_Paa::ReceiveEapReAuth()
{
    if (! m_RxMessageQueue.empty()) {
        PANA_Message *msg = m_RxMessageQueue.front();
        if (msg) {
            m_RxMessageQueue.pop_front();
            delete msg;
        }
    }
   
    BindResultReset();
    ReAuthenticate(PANA_REAUTH_EAP);
}

void PANA_Paa::ReceiveStartAnswer()
{
   /* 
      When the PAA receives the PANA-Start-Answer message from the PaC, it
      verifies the cookie.  The cookie is considered as valid if the
      received cookie has the expected value.  If the computed cookie is
      valid, the protocol enters the authentication phase.  Otherwise, it
      MUST silently discard the received message.

      When a Cookie-AVP is carried in a PANA-Start-Request message, the
      initial EAP Request MUST NOT be carried in the PANA-Start-Request
      message in order for the PAA to be stateless.

      When a Cookie-AVP is not carried in a PANA-Start-Request message, the
      PAA does not need to be stateless.  In this case, the initial EAP
      Request message MAY be carried in the PANA-Start-Request message.

      If the initial EAP Request message is carried in the
      PANA-Start-Request message, an EAP Response message MUST be carried
      in the PANA-Start-Answer message returned to the PAA.

      In any case, PANA MUST NOT generate an EAP message on behalf of EAP
      peer or EAP (pass-through) authenticator.

      The PANA-Start-Request/Answer exchange is needed before entering
      authentication phase even when the PaC is pre-configured with PAAs IP
      address and the PANA-PAA-Discover message is unicast.

      A PANA-Start-Request message is never retransmitted. A
      PANA-Start-Answer message is retransmitted based on timer in the same
      manner as other messages retransmitted at PANA-layer.

      It is possible that both PAA and PaC initiate the discovery and
      initial handshake procedure at the same time, i.e., the PAA sends a
      PANA-Start-Request message while the PaC sends a PANA-PAA-Discover
      message.  To resolve the race condition, the PAA SHOULD silently
      discard the PANA-PAA-Discover message received from the PaC after it
      has sent a PANA-Start-Request message with creating a state for the
      PaC.
   */
    
   PANA_Message &msg = *(m_RxMessageQueue.front());
   m_RxMessageQueue.pop_front();

   ACE_DEBUG((LM_INFO, "(%P|%t) RECV: Start answer [session], S-flag %d, tseq=%d, rseq=%d\n",
                       msg.flags().separate, msg.tseq(), msg.rseq()));

   AAAAvpContainer* c_sessionId = msg.avpList().search("Session-Id");
   if (c_sessionId == NULL) {
      throw (PANA_Exception(PANA_Exception::ENTRY_NOT_FOUND, 
                           "Session Id AVP not found in packet, discarding message"));
   }
   diameter_utf8string_t &sessionId = (*c_sessionId)
             [0]->dataRef(Type2Type<diameter_utf8string_t>());

   // save the attributes
   m_SessionId              = sessionId;
   m_InitialPaaTsec         = msg.rseq();
   m_InitialPacTsec         = msg.tseq();
   m_LastTransmittedTsec    = m_InitialPaaTsec;
   m_LastReceivedTsec       = msg.tseq();
   m_LastReceivedRsec       = msg.rseq();
   m_PeerPort               = msg.srcPort();
   m_LastPayload            = NULL;
   m_SessionLifetime        = PANA_CONFIG_AUTHAGENT().sessionLifetime_;
   m_SeparateAuth           = (PANA_CONFIG_AUTHAGENT().s_flag_) ? 
                              msg.flags().separate : 0;   
   m_ReqDeviceId            = PANA_DeviceId::TYPE(PANA_CONFIG_AUTHAGENT().request_dev_id_);
   m_PeerDeviceId.clone(msg.srcDevices());
   m_BindCount              = 0;

   // extract ISP information if any
   if (AAAAvpContainer *c_ispInfo = msg.avpList().search("ISP-Information")) {

      diameter_grouped_t &ispList = (*c_ispInfo)[0]->dataRef(Type2Type<diameter_grouped_t>());

      if (AAAAvpContainer *c_name = ispList.search("Provider-Name")) {
         m_PreferedISP.name_  = (*c_name)[0]->dataRef(Type2Type<diameter_utf8string_t>());
         ACE_DEBUG((LM_INFO, "(%P|%t)    Provider name = %s\n", m_PreferedISP.name_.data()));
      }

      if (AAAAvpContainer *c_id = ispList.search("Provider-Identifier")) {
         m_PreferedISP.id_ = (*c_id)[0]->dataRef(Type2Type<diameter_unsigned32_t>());
         ACE_DEBUG((LM_INFO, "(%P|%t)    Provider id = %d\n", m_PreferedISP.id_));
      }
      
      ACE_DEBUG((LM_INFO, "(%P|%t) Pac ISP preference: %s [ID: %d]\n",
                 m_PreferedISP.name_.data(), m_PreferedISP.id_));
   }

   if (PANA_CONFIG_AUTHAGENT().use_cookie_ ||
       (! PANA_CONFIG_AUTHAGENT().eap_piggyback_)) {
       static_cast<PANA_PaaEventInterface&>(m_Event).EapStart(m_SeparateAuth);
   }
   else {
       AAAAvpContainer* c_eapPayload = msg.avpList().search("EAP-Payload");
       if (c_eapPayload == NULL) {
           throw (PANA_Exception(PANA_Exception::INVALID_MESSAGE, 
                           "No EAP payload found in PSA during piggyback"));
       }
        
       diameter_octetstring_t &eapPayload = (*c_eapPayload)[0]->
                   dataRef(Type2Type<diameter_octetstring_t>());

       AAAMessageBlock *block = AAAMessageBlock::Acquire
                   ((char*)eapPayload.data(), eapPayload.size());              
       static_cast<PANA_PaaEventInterface&>(m_Event).EapResponse
                   (block, m_SeparateAuth);
       block->Release();
   }
   delete &msg;
}

void PANA_Paa::SendStartRequest(AAAMessageBlock *request, PANA_PINFO type)
{
   /*    
      PAA MAY enable NAP-ISP authentication separation by setting the
      S-flag of the message header of the PANA-Start-Request. Also, the
      PANA-Start-Request MAY contain zero or one NAP-Information AVP and
      zero or more ISP-Information AVPs to advertise the information on the
      NAP and/or ISPs.

       9.3.3 PANA-Start-Request (PSR)

         PANA-Start-Request (PSR) is sent by the PAA to the PaC. The PAA sets
         the transmission sequence number to an initial random value.  The
         received sequence number is set to zero (0).

              PANA-Start-Request ::= < PANA-Header: 2, REQ [SEP] >
                            [ Cookie ]
                            [ EAP-Payload ]
                            [ NAP-Information ]
                         *  [ ISP-Information ]
                         *  [ AVP ]
    */

   AAAAvpContainerManager cm;
   AAAAvpContainerEntryManager em;
   AAAAvpContainerEntry *e;
   PANA_Message *msg;

   ACE_NEW_NORETURN(msg, PANA_Message);
   if (msg == NULL) {
      throw (PANA_Exception(PANA_Exception::NO_MEMORY, 
                            "Failed to allocate msg message"));
   }

   // Populate header
   PANA_MsgHeader::Flags flg = { 1, 0, 0, 0 };
   msg->flags(flg);
   msg->type(PANA_MTYPE_START);
   msg->tseq(PANA_SerialNumber::generateIsn());
   msg->rseq(0);

   // Calculate S-flag
   msg->flags().separate = PANA_CONFIG_AUTHAGENT().s_flag_;

   // Add EAP payload if any
   if (request) {
       AAAAvpContainer *c_eapPayload = cm.acquire("EAP-Payload");

       e = em.acquire(AAA_AVP_STRING_TYPE);
       diameter_octetstring_t &eapPayload = e->dataRef(Type2Type<diameter_octetstring_t>());
       c_eapPayload->add(e);

       // Add containers to listen
       msg->avpList().add(c_eapPayload);

       /*
          The EAP-Payload AVP (AVP Code 402) is of type OctetString and is used
          to encapsulate the actual EAP packet [RFC2284] that is being
          exchanged between the EAP client and the home Diameter server.
        */

       // Populate eap payload
       eapPayload.assign(request->base(), request->size());
   }

   // Populate NAP-Information 
   PANA_ProviderInfoTool infoTool;
   PANA_CfgProviderInfo *pInfo = &PANA_CONFIG_AUTHAGENT().nap_info_;
   if (pInfo->name_.length() > 0) {

      // Add the AVP's to containers
      AAAAvpContainer *c_napInfo = cm.acquire("NAP-Information");        
      e = em.acquire(AAA_AVP_GROUPED_TYPE);
      diameter_grouped_t &napInfo = e->dataRef(Type2Type<diameter_grouped_t>());
      c_napInfo->add(e);

      // Add containers to list and populate
      msg->avpList().add(c_napInfo);
      infoTool.Add(napInfo, *pInfo);
   }

   // See if there is also ISP-Info
   PANA_CfgProviderList &ispList = PANA_CONFIG_AUTHAGENT().isp_info_;
   if (ispList.size() > 0) {

      // Add containers to message
      AAAAvpContainer *c_ispInfo = cm.acquire("ISP-Information");        
      msg->avpList().add(c_ispInfo);

      PANA_CfgProviderList::iterator i;
      for (i = ispList.begin(); i != ispList.end(); i ++) {

         pInfo = (*i);

         // Add the AVP's to containers
         e = em.acquire(AAA_AVP_GROUPED_TYPE);
         diameter_grouped_t &ispInfo = e->dataRef(Type2Type<diameter_grouped_t>());
         c_ispInfo->add(e);

         // Add containers to list and populate
         PANA_ProviderInfoTool info;
         info.Add(ispInfo, *pInfo);
      }
   }

   // reset stateful flag
   m_InStatefulDiscovery = false;

   // send message
   DestinationAddressFormatting(*msg);
   m_TxChannel.Send(*this, *msg);

   ACE_DEBUG((LM_INFO, "(%P|%t) SEND: Start-Request, tseq=%d, rseq=%d\n",
              msg->tseq(), msg->rseq()));
}

void PANA_Paa::SendEapRequest(AAAMessageBlock *request, PANA_PINFO type)
{
   /*
       PaC      PAA  Message(tseq,rseq)[AVPs] 
       ------------------------------------------------- 
                      (continued from discovery and initial handshake phase) 
           <-----     PANA-Auth-Request(x+1,y)[EAP{Request}] 
           ----->     PANA-Auth-Answer(y+1,x+1)[EAP{Response}] 
             . 
             . 
           <-----     PANA-Auth-Request (x+2,y+1)[EAP{Request}] 
           ----->     PANA-Auth-Answer (y+2,x+2)[EAP{Response}] 
           <-----     PANA-Bind-Request(x+3,y+2) // F-flag set 
                       [EAP{Success}, Device-Id, Protection-Cap., MAC]  
           ----->     PANA-Bind-Answer(y+3,x+3) 
                       [Device-Id, Protection-Cap., MAC] // F-flag set 

       9.3.5 PANA-Auth-Request (PAR)

           PANA-Auth-Request (PAR) is sent by the PAA to the PaC.

            PANA-Auth-Request ::= < PANA-Header: 3, REQ >
                           < Session-Id >
                           < EAP-Payload >
                        0*1 [ NAP-Information ]
                        0*1 [ ISP-Information ]
                         *  [ AVP ]
                        0*1 < MAC >

          (Both NAP-Information and ISP-Information MUST NOT be
           included at the same time)
   */

   AAAAvpContainerManager cm;
   AAAAvpContainerEntryManager em;
   PANA_Message *msg;

   ACE_NEW_NORETURN(msg, PANA_Message);
   if (msg == NULL) {
      throw (PANA_Exception(PANA_Exception::NO_MEMORY, 
                           "Failed to allocate msg message"));
   }

   // Populate header
   PANA_MsgHeader::Flags flg = { 1, 0, 0, 0 };
   msg->flags(flg);
   msg->type(PANA_MTYPE_AUTH);
   msg->tseq(++ m_LastTransmittedTsec);
   msg->rseq(m_LastReceivedTsec);

   // Populate AVP's
   AAAAvpContainerEntry *e;
   AAAAvpContainer *c_sessionId = cm.acquire("Session-Id");
   AAAAvpContainer *c_eapPayload = cm.acquire("EAP-Payload");

   // Add the AVP's to containers
   e = em.acquire(AAA_AVP_UTF8_STRING_TYPE);
   diameter_utf8string_t &sessionId = e->dataRef(Type2Type<diameter_utf8string_t>());
   c_sessionId->add(e);

   e = em.acquire(AAA_AVP_STRING_TYPE);
   diameter_octetstring_t &eapPayload = e->dataRef(Type2Type<diameter_octetstring_t>());
   c_eapPayload->add(e);

   // Add containers to listen
   msg->avpList().add(c_sessionId);
   msg->avpList().add(c_eapPayload);

   /*
      The EAP-Payload AVP (AVP Code 402) is of type OctetString and is used
      to encapsulate the actual EAP packet [RFC2284] that is being
      exchanged between the EAP client and the home Diameter server.
    */

   // Populate session id
   sessionId.assign(m_SessionId.data(), m_SessionId.size());
   eapPayload.assign(request->base(), request->size());

   if (m_SeparateAuth) {

      ACE_DEBUG((LM_INFO, "(%P|%t) Separate NAP/ISP authentication supported\n"));

      /*
        When PaC and PAA negotiated during the discovery and initial
        handshake phase to perform separate NAP and ISP authentications in a
        single PANA session, the PAA determines the execution order of NAP
        authentication and ISP authentication.  In this case, the PAA can
        indicate which EAP authentication is currently occurring by including
        a NAP-Information or an ISP-Information AVP of the corresponding EAP
        authentication in the first PANA-Auth-Request message sent to the
        PaC. In the case where the PaC agreed to perform separate
        authentications but did not specify its ISP choice in
        PANA-Start-Answer message, the PAA MUST include its NAP-Information
        AVP in PANA-Auth-Request message when it performs NAP authentication
        and MUST NOT include any service provider information AVP when it
        performs ISP authentication so that the PaC can always distinguish
        ISP authentication from NAP authentication.  The PAA SHOULD stop
        including a NAP-Information or an ISP-Information AVP once it
        receives the first PANA-Auth-Answer message of the current EAP
        authentication.
      */

      PANA_CfgProviderInfo *pInfo = NULL;
      AAAAvpContainer *c_pInfo = NULL;

      switch (type) {
         case PANA_PINFO_ISP: 
            pInfo = &m_PreferedISP;
            c_pInfo = cm.acquire("ISP-Information");        
            break;

         case PANA_PINFO_NAP:
            pInfo = &PANA_CONFIG_AUTHAGENT().nap_info_;
            c_pInfo = cm.acquire("NAP-Information");        
            break;

         default:
            break;
      }

      if (pInfo && pInfo->name_.length() > 0) {

         // Add the AVP's to containers
         e = em.acquire(AAA_AVP_GROUPED_TYPE);
         diameter_grouped_t &group = e->dataRef(Type2Type<diameter_grouped_t>());
         c_pInfo->add(e);

         // Add containers to list and populate
         msg->avpList().add(c_pInfo);
         PANA_ProviderInfoTool infoTool;
         infoTool.Add(group, *pInfo);
      }
   }

   // send message
   DestinationAddressFormatting(*msg);
   m_TxChannel.Send(*this, *msg);

   ACE_DEBUG((LM_INFO, "(%P|%t) SEND: EAP-Request, tseq=%d, rseq=%d\n",
              msg->tseq(), msg->rseq()));
}

void PANA_Paa::SendBindRequest(AAAMessageBlock *request, ACE_UINT32 rCode)
{
   /*
       PaC      PAA  Message(tseq,rseq)[AVPs] 
       ------------------------------------------------- 
                      (continued from discovery and initial handshake phase) 
           <-----     PANA-Auth-Request(x+1,y)[EAP{Request}] 
           ----->     PANA-Auth-Answer(y+1,x+1)[EAP{Response}] 
             . 
             . 
           <-----     PANA-Auth-Request (x+2,y+1)[EAP{Request}] 
           ----->     PANA-Auth-Answer (y+2,x+2)[EAP{Response}] 
           <-----     PANA-Bind-Request(x+3,y+2) // F-flag set 
                       [EAP{Success}, Device-Id, Protection-Cap., MAC]  
           ----->     PANA-Bind-Answer(y+3,x+3) 
                       [Device-Id, Protection-Cap., MAC]  // F-flag set 

        9.3.7 PANA-Bind-Request (PBR)

            PANA-Bind-Request (PBR) is sent by the PAA to the PaC.

               PANA-Bind-Request ::= < PANA-Header: 4, REQ >
                           < Session-Id >
                           < Device-Id >
                           { EAP-Payload }
                           { Result-Code }
                           [ Session-Lifetime ]
                           [ Protection-Capability ]
                           [ Key-Id ]
                        *  [ EP-Device-Id ]
                        *  [ AVP ]
                       0*1 < MAC >
   */

   AAAAvpContainerManager cm;
   AAAAvpContainerEntryManager em;
   PANA_Message *msg;

   ACE_NEW_NORETURN(msg, PANA_Message);
   if (msg == NULL) {
      throw (PANA_Exception(PANA_Exception::NO_MEMORY, 
                           "Failed to allocate msg message"));
   }

   // Populate header
   PANA_MsgHeader::Flags flg = { 1, 0, 0, 0 }; // TBD: bind request
   msg->flags(flg);
   msg->type(PANA_MTYPE_BIND);
   msg->tseq(++ m_LastTransmittedTsec);
   msg->rseq(m_LastReceivedTsec);

   // Populate AVP's
   AAAAvpContainerEntry *e;
   AAAAvpContainer *c_sessionId = cm.acquire("Session-Id");
   AAAAvpContainer *c_deviceId = cm.acquire("Device-Id");
   AAAAvpContainer *c_eapPayload = cm.acquire("EAP-Payload");
   AAAAvpContainer *c_resultCode = cm.acquire("Result-Code");

   // Add the AVP's to containers
   e = em.acquire(AAA_AVP_UTF8_STRING_TYPE);
   diameter_utf8string_t &sessionId = e->dataRef(Type2Type<diameter_utf8string_t>());
   c_sessionId->add(e);

   e = em.acquire(AAA_AVPDataType(AAA_AVP_DEVICEID_TYPE));
   PANA_TVData_t &deviceId = e->dataRef(Type2Type<PANA_TVData_t>());
   c_deviceId->add(e);

   e = em.acquire(AAA_AVP_STRING_TYPE);
   diameter_octetstring_t &eapPayload = e->dataRef(Type2Type<diameter_octetstring_t>());
   c_eapPayload->add(e);
   
   e = em.acquire(AAA_AVP_UINTEGER32_TYPE);
   diameter_unsigned32_t &resultCode = e->dataRef(Type2Type<diameter_unsigned32_t>());
   c_resultCode->add(e);

   // Add containers to listen
   msg->avpList().add(c_sessionId);
   msg->avpList().add(c_deviceId);
   msg->avpList().add(c_eapPayload);
   msg->avpList().add(c_resultCode);

   // Populate required AVP's
   resultCode = rCode;
   sessionId.assign(m_SessionId.data(), m_SessionId.size());
   eapPayload.assign(request->base(), request->size());

   switch (BindResult()) {
       case PANA_BIND_SUCCESS_FINAL: {
          diameter_unsigned32_t lifetime =
              PANA_CONFIG_AUTHAGENT().sessionLifetime_ +
              PANA_CONFIG_AUTHAGENT().gracePeriod_;
          if (lifetime > 0) {
              AAAAvpContainer *c_sessionLifetime = cm.acquire("Session-Lifetime");
       
              e = em.acquire(AAA_AVP_UINTEGER32_TYPE);
              diameter_unsigned32_t &sessionLifetime = e->dataRef
                  (Type2Type<diameter_unsigned32_t>());
              c_sessionLifetime->add(e);

              sessionLifetime = lifetime;
              msg->avpList().add(c_sessionLifetime);
          }
       }
       // fall through
       case PANA_BIND_INTERIM: {
          diameter_unsigned32_t protectionCap = PANA_PCAP_UNKNOWN;
          if (PANA_CONFIG_GENERAL().protection_capability_ > 0) {
              AAAAvpContainer *c_protectionCap = cm.acquire
                  ("Protection-Capability");
       
              e = em.acquire(AAA_AVP_UINTEGER32_TYPE);
              protectionCap = e->dataRef(Type2Type<diameter_unsigned32_t>());
              c_protectionCap->add(e);

              protectionCap = PANA_CONFIG_GENERAL().protection_capability_;
              msg->avpList().add(c_protectionCap);
          }

          if (m_SA.MSK().length() > 0) {
             AAAAvpContainer *c_keyId = cm.acquire("Key-Id");
             e = em.acquire(AAA_AVP_INTEGER32_TYPE);
             diameter_integer32_t &keyId = e->dataRef
                 (Type2Type<diameter_integer32_t>());
             c_keyId->add(e);

             msg->avpList().add(c_keyId);
             keyId = m_SA.KeyId();
          }

          /*
            4.11 Support for Separate EP

              PANA allows PAA and EP to be separate entities.  In this case,
              if data traffic protection needs to be initiated after successful
              PANA authentication phase, PaC needs to know the device identifier
              of EP(s) so that it is able to establish a security association
              with each EP to protect data traffic.

              To this end, when a Protection-Capability AVP with either
              L2_PROTECTION or IPSEC_PROTECTION in the AVP payload is carried
              in a PANA-Bind-Request message and if there is an EP that has a
              different device identifier than that of the PAA, one or more
              EP-Device-Id AVPs MUST also be carried in the PANA-Bind-Request
              message.  In this case, if one EP has the same device identifier
              as the PAA, an EP-Device-Id AVP that contains the device identifier
              of the EP (i.e., the PAA) MUST also be included in the
              PANA-Bind-Request.
           */
           if (((protectionCap == PANA_PCAP_L2) ||
                (protectionCap == PANA_PCAP_IPSEC)) &&
               (! PANA_CONFIG_AUTHAGENT().ep_id_.empty())) {
       
               AAAAvpContainer *c_epDeviceId = cm.acquire("EP-Device-Id");
               msg->avpList().add(c_epDeviceId);
       
               PANA_DeviceIdIterator i = PANA_CONFIG_AUTHAGENT().ep_id_.begin();
               for (;i != PANA_CONFIG_AUTHAGENT().ep_id_.end(); i++) {

                   PANA_DeviceId *id = (*i);
  
                   // Add the AVP's to containers
                   e = em.acquire(AAA_AVPDataType(AAA_AVP_DEVICEID_TYPE));
                   PANA_TVData_t &deviceId = e->dataRef(Type2Type<PANA_TVData_t>());
                   c_epDeviceId->add(e);

                   deviceId.type = id->type();
                   std::string &value = const_cast<std::string&>(id->id());
                   deviceId.value.assign(value.data(), value.size());
               }
           }
       }
       break;
       case PANA_BIND_SUCCESS_INITIAL:
       case PANA_BIND_FAILED:
       default:
           break;
   }

   /*
     The EAP-Payload AVP (AVP Code 402) is of type OctetString and is used
     to encapsulate the actual EAP packet [RFC2284] that is being
     exchanged between the EAP client and the home Diameter server.
    */
   
   // resolve source address
   PANA_DeviceIdContainer srcDevices;
   m_TxChannel.GetLocalAddress(srcDevices);

   PANA_DeviceId *id = srcDevices.search(m_ReqDeviceId);
   if (id == NULL) {
      // default is IPV4
      id = srcDevices.search(PANA_DeviceId::IPV4_ADDRESS);
      if (id == NULL) {
         throw (PANA_Exception(PANA_Exception::FAILED, 
               "No IPV4/MAC address given in the peer device list"));
      }
      m_ReqDeviceId = PANA_DeviceId::IPV4_ADDRESS;
   }
   deviceId.type = id->type();
   deviceId.value.assign(id->id().data(), id->id().size());

   // send message
   DestinationAddressFormatting(*msg, request);
   m_TxChannel.Send(*this, *msg);

   ACE_DEBUG((LM_INFO, "(%P|%t) SEND: Bind-Request, tseq=%d, rseq=%d, keyId=%d\n",
              msg->tseq(), msg->rseq(), m_SA.KeyId()));
   
  PANA_RtQueueMsgBlockDataWithRcode data(request, rCode);
  if (m_RtQueue.Schedule(data)) {
      m_Timer.Schedule(PANA_TID_PBR_RETRY, data.Timeout());       
  }
}

void PANA_Paa::RetryBindRequest()
{
   m_Timer.Cancel(PANA_TID_PBR_RETRY);
   
   PANA_RtQueueData *data = NULL;
   if (m_RtQueue.ReSchedule(data)) {
       SendBindRequest(static_cast<PANA_RtQueueMsgBlockDataWithRcode*>(data)->MsgBlock(), 
                   static_cast<PANA_RtQueueMsgBlockDataWithRcode*>(data)->RCode());
       m_Timer.Schedule(PANA_TID_PBR_RETRY, data->Timeout());       
   }
   else {
       m_Timer.Schedule(PANA_TID_DISCONNECT, 0);
   }
}

void PANA_Paa::ReceiveBindAnswer()
{
   PANA_Message &msg = *(m_RxMessageQueue.front());
   m_RxMessageQueue.pop_front();

   AAAAvpContainer* c_deviceId = msg.avpList().search("Device-Id");
   if (c_deviceId) {
       PANA_TVData_t &deviceId = (*c_deviceId)[0]->dataRef(Type2Type<PANA_TVData_t>());
       if (m_ReqDeviceId == deviceId.type) {
           PANA_DeviceId id(PANA_DeviceId::TYPE(deviceId.type), deviceId.value);
           PANA_DeviceId *knownId = m_PeerDeviceId.search(PANA_DeviceId::TYPE(deviceId.type));
           if (knownId && !(*knownId == id)) {
               throw (PANA_Exception(PANA_Exception::INVALID_MESSAGE, 
                            "Device id type in bind answer does not match known peer id"));
           }
           else if (! knownId) {
               m_PeerDeviceId.clone(id);
           }
           m_Event.AuthorizePeer(id, false);
       }
       else {
           throw (PANA_Exception(PANA_Exception::INVALID_MESSAGE, 
                           "Device id type in bind answer does not match request"));
       }
   }

   // cancel bind answer retry
   m_Timer.Cancel(PANA_TID_PBR_RETRY);
   m_RtQueue.ClearFront();   
   delete &msg;
}

void PANA_Paa::ReceiveEapResponse()
{
   PANA_Message &msg = *(m_RxMessageQueue.front());
   m_RxMessageQueue.pop_front();

   ACE_DEBUG((LM_INFO, "(%P|%t) RECV: Auth answer, S-flag %d, tseq=%d, rseq=%d\n",
                       msg.flags().separate, msg.tseq(), msg.rseq()));

   AAAAvpContainer* c_eapPayload = msg.avpList().search("EAP-Payload");
   if (c_eapPayload == NULL) {
      throw (PANA_Exception(PANA_Exception::ENTRY_NOT_FOUND, 
                           "EAP-Payload AVP not found in packet, discarding message"));
   }

   diameter_octetstring_t &eapPDU = (*c_eapPayload)
              [0]->dataRef(Type2Type<diameter_octetstring_t>());
   AAAMessageBlock *eapBlock = AAAMessageBlock::Acquire((char*)eapPDU.data(), eapPDU.size());
   static_cast<PANA_PaaEventInterface&>(m_Event).EapResponse(eapBlock, m_SeparateAuth);
   eapBlock->Release();
   delete &msg;
}

void PANA_Paa::DestinationAddressFormatting(PANA_Message &msg,
                                            AAAMessageBlock *eapPayload)
{
   // Save the payload
   if (eapPayload) {
      if (m_LastPayload) {
         m_LastPayload->Release();
      }
      m_LastPayload = AAAMessageBlock::Acquire(eapPayload);
   }

   msg.srcPort(m_PeerPort);
   msg.srcDevices().clone(m_PeerDeviceId);
}

void PANA_Paa::ValidateCookie(PANA_Message &psa) throw(PANA_Exception)
{
   // extract cookie
   AAAAvpContainer *c_cookie = psa.avpList().search("Cookie");
   if (c_cookie == NULL) {
      throw (PANA_Exception(PANA_Exception::INVALID_MESSAGE, 
                           "Missing cookie AVP in start answer message"));
   }
   diameter_octetstring_t &cookie = (*c_cookie)[0]->dataRef(Type2Type<diameter_octetstring_t>());

   // convert address 
   PANA_DeviceIdContainer &cntr = psa.srcDevices();
   PANA_DeviceId *ipId = cntr.search(PANA_DeviceId::IPV4_ADDRESS);
   PANA_DeviceId *hwId = cntr.search(PANA_DeviceId::LL_ADDRESS);

   ACE_DEBUG((LM_INFO, "(%P|%t) Validating cookie\n"));

   // verify cookie with source device id
   if ((PANA_COOKIE_VERIFY(const_cast<std::string&>(ipId->id()), cookie) == false)) {
       // now try mac address
       if (PANA_COOKIE_VERIFY(const_cast<std::string&>(hwId->id()), cookie) == false) {
          throw (PANA_Exception(PANA_Exception::FAILED, 
                               "Received start answer with invalid cookie"));
       }
   }
}

---