[PPT] - AAA Requiremen ts from Mobile IP Gopal Dommet y , Cisco PowerPoint Presentation

SLIDE 1 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 1 Sun AAA Requiremen ts from Mobile IP Gopal Dommet y , Cisco Systems Stev e Glass, Nokia T elecomm unications Stuart Jacobs, GTE Lab

ratories

T

m

Hiller, Lucen t Basa v ara j P atil, Nortelnet w

rks

Charles E. P erkins, Sun Lab

ratories

h ttp://www.svrlo c.org/ec harliep/txt/ietf45/aaa.ps

SLIDE 2 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 2 Sun AAA

Authen

tication, Authorization, and Accoun ting AAA is used b y Mobile IP agen ts to handle

Mobile

No des authen ticated b y trusted agen ts in their home domain

Connectivit

y authorized b y administrativ e agen ts in the foreign domain

Accoun

ting initiated b y foreign agen ts, whic h are trusted b y the administrativ e agen ts in the foreign domain

SLIDE 3 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 3 Sun In teractions b et w een Mobile IP and AAA

AAAF FA AAAH HA

Broker

Mobile

No des authen ticated b y AAA in their home domain

Connectivit

y authorized b y AAA in the foreign domain

Acct'g

initiated b y foreign agen ts

AAA

w/brok ers pro vides economic infrastructure for in ter-domain mobilit y

Bilateral

relationships may preempt need for brok ers

Authen

tication in v

k

ed b y simple Mobile IP extensions

SLIDE 4 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 4 Sun T rust Relationshi ps

AAAF FA AAAH HA

SA1 SA 2 SA 3 SA 4

Home

AAA trusts Mobile No de

Visited

AAA trusts Home AAA

Visited

F

reign

Agen t trusts Visited AAA

Home

Agen t trusts Home AAA

SLIDE 5 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 5 Sun MN NAI extension

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1 2 3 Type Length Network Access Identifier ...

The mobile no de is able to iden tify itself using its NAI (Net w

rk

Access Iden tier) instead

f

its IP address. The NAI is standardized in RF C 2486. This extension is going through w

rking

group Last Call.

SLIDE 6 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 6 Sun F A Challenge Extension

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1 2 3 Type Length Challenge...

The F

reign

Agen t includes the F A Challenge extension in its Agen t Adv ertisemen ts. The mobile no de includes the same c hallenge string in an extension to the Registra- tion Reply

SLIDE 7 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 7 Sun MN-AAA Authen tication

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1 2 3 Type SPI ..... Length Authenticator .... .... SPI (continued)

The mobile no de includes a MN-AAA authen tication extension along with the c hallenge string from the F A c hallenge.

SLIDE 8 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 8 Sun Proto col Ov erview

AAAF FA AAAH HA

1 2 3 4 5

,

0. F

reign

agen t (F A) adv ertises c hallenge 1. Mobile no de (MN) adds NAI, Challenge Resp

nse

etc., to Mobile IP registration request 2. F A in v

k

es AAA proto col with its lo cal AAA serv er (AAAF) 3. AAAF (\pro xy") parses NAI, nds MN's home serv er address (AAAH) 4. AAAF in v

k

es AAA proto col and a w aits appro v al b y AAAH 5. AAAH c hec ks MN creden tials and may allo cate a home address for the mobile no de

SLIDE 9 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 9 Sun Step 6: Key Generation

AAAF FA AAAH HA

SA1 SA 2 SA 3 SA 4

AAAH generates:

K

1 : MN $ F A

K

2 : MN $ HA

K

3 : F A $ HA AAAH encrypts:

K

1 & K 2 using S A 1 ! MN

K

1 & K 3 using S A 3 ! F A

K

2 & K 3 using S A 2 ! HA

SLIDE 10 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 10 Sun Proto col Ov erview, con tin ued

AAAF FA AAAH HA

7 8 9 10 11 12

7. AAAH rela ys Mobile IP information to HA with K 2 , K 3 8. HA creates registration reply using K 2 , and K 3 for F A. 9. HA sends results to AAAH, whic h pro xies request to AAAF 10. AAAF decrypts K 1 & K 3 using S A 3 , re-encrypts using S A 4 11. F A decrypts K 1 & K 3 using S A 4 , c hec ks registration reply and F A$HA authen tication, adds MN$F A using K 1 12. MN decrypts K 1 & K 2 using S A 1 , c hec ks registration reply , and MN$F A authen tication

SLIDE 11 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 11 Sun AAA Requiremen ts { Pre-existing Con tracts

T

rust relationship b et w een foreign agen t and foreign AAA

T

rust relationship b et w een home agen t and home AAA

F
reign

agen t has to b e able to k eep state for p ending registration/creden tials- c hec king

AAA

m ust not restrict the scalabilit y

f

Mobile IP registrations at an y particular foreign agen ts.

Conrmation

when service b egins

Supp
rt

for prepaid net w

rk

cards and cyb er cafes

Either

bil l-b e for e

se

r v ic e

r

servic e

b

e for e

b

il l

SLIDE 12 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 12 Sun Using Brok ers

AAAF FA AAAH HA

Broker

Using a securit y brok er should b e enabled, if the AAAF and AAAH do not already share a securit y asso ciation S A 3

SLIDE 13 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 13 Sun AAA Requiremen ts { Brok er Mo del

Negotiating

service b y a trusted third part y

Negotiating

service parameters

Secret

information m ust not b e divulged to an y third parties

V

erication

f

message in tegrit y is required for messages handled b y third parties.

SLIDE 14 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 14 Sun AAA Reqs { Mobile IP Authen tication

Arbitrate

trust b et w een the home agen t and the mobile no de

Arbitrate

trust b et w een the home agen t and the foreign agen t

Mobile

no de has to b e able to v erify the creden tials

f

the foreign domain

F
reign

agen t has to b e able to v erify mobile no de creden tials without requiring mobile no de to rst con tact home domain

Authen

tication information SHOULD b e a v ailable from AAA agen ts in 1 second

r

less.

Challenge

authen tications may b e less time-critial

F
reign

and Home AAA serv ers m ust sim ultaneously handle h uge n um b ers

f

Mobile IP registrations (from dieren t F As).

AAA

m ust main tain the mobile no de's abilit y to register with m ultiple home agen ts.

SLIDE 15 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 15 Sun AAA Requiremen ts { Mobile IP Authorization

Authorization

for link access

No

constrain t

n

Mobile IP proto col regarding resource categorization

Authorization

for default router service

Authorization

for v arious tunnel proto cols (Minimal, GRE)

Authorization

for rev erse tunneling/home agen t decapsulation

Authorization

for clo c k sync hronization

Authorization

for smo

th

hando

Authorization

for rew all tra v ersal

SLIDE 16 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 16 Sun AAA Reqs { Mobile IP vs. Accoun ting Mobile IP do esn't ha v e an ything to sa y ab

ut

accoun ting. Ho w ev er, accoun ting requiremen ts within the scop e

f

AAA include information to enable c harging for the follo wing resources and services:

Connection

time to some degree

f

accuracy (p er min ute, p er second)

Address

allo cation, distinguishable b y routabilit y

Lo

cation-sensitiv e home agen t allo cation

Registration

pro cessing requiremen ts

Num

b er

f

pac k ets

Key

generation

Bandwidth

requiremen t Accoun ting mo des could b e either incr emental

r

running totals.

SLIDE 17 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 17 Sun Ov erall Vision

AAA AAA AAA AAA TR45.6 Hawaii GPRS Brokers Thema Mobile IP/AAA Mobile IP/AAA

Mobile IP can pro vide the b est tec hnology for new deplo ymen ts

f

wireless tec hnology . Mobile IP , with AAA, can also pro vide the bac kb

ne

connectivit y for wireless pro viders, no matter what lo cal

r

legacy proto cols are used.

SLIDE 18 Dommet y ,Glass,Jacobs,Hiller,P atil,P erkins 18 Sun TBD IPv6? Smo

th

hando problems T unneling requiremen ts (esp. for priv ate addresses) Encryption services requested at Mobile IP registration time QoS requiremen ts sp ecied at Mobile IP registration time