Attached patch does two things: Removes MN-FA key generation. These keys are generated at the authenticator not the AAA so this is not needed. Adds support to generate the RRQ-MN-HA key. I am left with two questions. First - I dug but haven't fully tracked down whether there is any validity checking on the IP addresses that arrive in the request packets. When testing this by dumping the RRQ-HA-IP address directly into the config file with unlang I can see that invalid IP addresses are not accepted. Are similar checks performed on packets off the wire and where? Second - is a question of placement of the RRQ-MN-HA generation code. These attributes are only needed for CMIP when the MN does not know the IP address of the HA during network entry. Is it better to generate the appropriate key whenever the RRQ-HA-IP is seen (at the potential expense of generating this key if the MN is using PMIP yet somehow the RRQ-HA-IP shows up in the request packet as well), or either moving the generation of the RRQ-MN-HA keys to the appropriate sections of the switch where the MN-HA keys are generated or adding an additional check to the generation block to ensure that the appropriate MIP Technology is being used. Ben Wiechman