  1. Introduction to centralized Authentication, Authorization and Accounting (AAA) management for distributed IP networks
     IETF 89 - Tutorials, London, England, March 2 - 7, 2014
     Presented by: Lionel Morand
     Co-authored by: Alan DeKok

  2. Introduction

  4. Generic 3-Tier "AAA" model
     (Diagram: User → AAA Client / Network Access Controller → AAA Proxy/server → AAA Server, linked by AAA protocols; the controller fronts the network resource.)

  5. A AA… for Authentication
     • Control of the user's identity
     • Credentials are provided by the user to prove his/her identity
     • Examples of credentials:
       – passwords
       – one-time tokens
       – digital certificates
       – or any other information related to the identity (e.g. biometric parameters)

  6. A A A… for Authorization
     • Allowing access to specific types of service
     • Authorization is typically based on user authentication, but not restricted to it
     • Access configuration based on user access rights and local policies
     • Examples of services:
       – IP address filtering
       – IP address assignment
       – Route assignment
       – Encryption
       – QoS/differentiated services
       – Bandwidth control/traffic management

  7. AA A… for Accounting
     • Tracking of the consumption of network resources by users
     • Typical information gathered in an accounting report:
       – User Id (e.g. lionel@ietf89.com)
       – Service description
       – Data volume
       – Session duration, etc.
     • Useful for management, planning, billing, etc.

  8. AAA Protocols
     • "AAA protocols" refers to IP protocols:
       – used to transport AAA-related information
       – between the AAA client and the AAA server
       – in the back-end infrastructure
     • "AAA protocols" does not include the protocols used between the host and the AAA client (e.g. PPP)

  9. Why use an AAA protocol?
     • Why use AAA when we have Kerberos, OAuth, etc.?
     • AAA is almost entirely pre-network access
     • It answers the questions:
       – Should this person be let on the network?
       – What should they be allowed to do?
     • In many cases, a network is not available yet
       – No IPv4 or IPv6!
       – Just EAP, PPP, etc.

  10. AAA is about a trust boundary
     • AAA requires trusted systems
       – switches, access points, VPN concentrators, DSL concentrators, ASNGW, etc.
       – these systems use non-IP protocols to talk to a user
     • Other authentication protocols interact with untrusted systems to authenticate a user
       – Some random IP is using OAuth; that's fine, I can still authenticate the user
       – then tie that authentication to an IP connection

  11. AAA is about a trust boundary (2)
     • AAA: you have an "outside" and an "inside", and need to let "outside" users appear on the "inside" network
     • Others: random IP addresses need access to services on a system with a public IP address
     • A public system may use AAA on the back end to authenticate a user
       – But the user is untrusted, so he/she can't use an AAA protocol
       – The public system itself can be trusted by an AAA server

  12. AAA Protocols in IETF
     • 2 IETF standard protocols
       – RADIUS (RFC 2865): the first one…
       – Diameter (RFC 6733): the successor… or so…
     • NOTE: other solutions have been proposed as AAA protocols but are not standardized by IETF:
       – TACACS (Terminal Access Controller Access Control System)
       – TACACS+: enhanced TACACS version developed by Cisco
         • Still used in Unix environments for remote user authentication and router configuration


  14. RADIUS
     • Remote Authentication Dial In User Service (RADIUS)
       – developed in 1991 but first published as an RFC in 1997
     • Widely deployed by ISPs and enterprises to control access to the Internet or to internal networks/services
       – including modems, DSL, Wi-Fi access points, VPNs, network ports, web servers, etc.
     (Diagram: Modem → Switched Telephone Network → Network Access Server → Public Internet, with the NAS querying the RADIUS Server.)

  15. RADIUS and PPP
     • RADIUS was initially designed to interoperate with the Point-to-Point Protocol (PPP, RFC 1661) used to encapsulate IP packets over a phone line
       – PPP enables data-link set-up between two endpoints (modems) and provides mechanisms for authentication, data encryption and compression
       – RADIUS is used to transport the user credentials received over PPP to an authoritative server that grants access to the user based on successful authentication

  16. Authentication Protocols
     • The authentication mechanisms defined for PPP are reused over RADIUS
       – PAP (Password Authentication Protocol)
         • The user's username/password are provided in clear text to the NAS
       – CHAP (Challenge-Handshake Authentication Protocol)
         • A challenge/response mechanism based on the MD5 algorithm
         • The user must provide a response calculated from the password and a random value received from the network
       – EAP (Extensible Authentication Protocol)
         • An authentication framework, not a specific authentication mechanism
         • It provides some common functions and the negotiation of authentication methods, called EAP methods
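As an added example (not code from the tutorial), the CHAP computation of slide 16 as it is carried over RADIUS in the CHAP-Password attribute: the peer's MD5 response, the server-side check, and the rule that the challenge comes from CHAP-Challenge or, failing that, the Request Authenticator. Function names are mine; attribute types follow RFC 2865 and the response formula RFC 1994; the password, ident and challenge values used with it are constructed.

```python
# Added example (not the tutorial's code): CHAP as carried over RADIUS. Function names
# are mine; attribute types are from RFC 2865, the response formula from RFC 1994.
import hashlib
import hmac

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60   # RADIUS attribute types


def chap_response(ident, password, challenge):
    """Peer side (RFC 1994): Response = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident, response):
    """Value of the CHAP-Password attribute the NAS forwards: 1-byte CHAP Ident + 16-byte response."""
    return bytes([ident]) + response


def challenge_from_request(attrs, request_authenticator):
    """The NAS sends the challenge in CHAP-Challenge; if that attribute is absent,
    RFC 2865 uses the 16-byte Request Authenticator of the Access-Request as the challenge."""
    for attr_type, value in attrs:
        if attr_type == CHAP_CHALLENGE:
            return value
    return request_authenticator


def chap_verify(chap_password_value, challenge, stored_password):
    """Server side: recompute the response from the password held for the user and compare
    in constant time. CHAP needs the cleartext password on the server, so a salted
    password-hash store cannot back it; that is the operational price of keeping the
    password off the wire."""
    if len(chap_password_value) != 17:
        return False
    ident, response = chap_password_value[0], chap_password_value[1:]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)
```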

  17. RADIUS as per RFC 2865/2866
     • Simple and efficient solution for AAA
       – Client/server model
       – UDP transport
       – Authentication and Authorization combined in a single transaction (RFC 2865)
       – Accounting report sent at the beginning and at the end of the access session (RFC 2866)
       – Information carried in Attributes in the TLV format (|Type|Length|Value…|)
       – Simple routing based on pre-configured IP addresses

  18. RADIUS Security
     • A secret is shared between client and server
     • Used to generate cryptographic hash values (using MD5) to authenticate RADIUS messages
     • Used also to encrypt the user password between the client and the RADIUS server
       – The user's password is never sent in clear text on the network
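As an added example (not code from the tutorial), slides 17 and 18 in working form: attribute TLV encoding and parsing with length checks, the RFC 2865 User-Password hiding (an MD5-derived XOR stream, so its strength rests entirely on the shared secret), and the Response Authenticator a client verifies on replies. Function names are mine; attribute types and the constructions follow RFC 2865; the secret and authenticator values used with it are constructed.

```python
# Added example (not the tutorial's code): RADIUS attribute TLVs and the two RFC 2865
# shared-secret MD5 constructions (User-Password hiding, Response Authenticator).
import hashlib
import struct

USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

def encode_attrs(attrs):
    """Serialize (type, value) pairs as |Type|Length|Value|; Length counts all three fields."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:            # Length is a single byte (max 255)
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def parse_attrs(data):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = data[pos + 1]
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs

def _password_xor(data, secret, request_auth, hiding):
    """RFC 2865 s5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator.
    The same loop hides on the client (hiding=True) and recovers on the server (False)."""
    if hiding:
        data = data + b"\0" * (-len(data) % 16)   # pad the password to a 16-byte multiple
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], stream))
        out += block
        prev = block if hiding else data[i:i + 16]   # always chain on the ciphertext block
    return out if hiding else out.rstrip(b"\0")

def hide_password(password, secret, request_auth):
    return _password_xor(password, secret, request_auth, hiding=True)

def unhide_password(hidden, secret, request_auth):
    return _password_xor(hidden, secret, request_auth, hiding=False)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret); the client checks this on replies."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```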

  19. Dial-In Access Control
     (Diagram: Modem → Switched Telephone Network → Network Access Server → Public Internet; the NAS talks to the RADIUS Server.)

  20. Access-Request 1/2
     • PPP: User Access Request (Login/Password) from the modem, over the PSTN, to the Network Access Server
     • RADIUS Access-Request from the NAS to the RADIUS Server: [User-Name=login] [User-Password=encrypted password] [NAS-Identifier] [etc.]

  21. Access-Request 2/2
     • PPP: User Access Request (Login) to the Network Access Server
     • RADIUS Access-Request from the NAS to the RADIUS Server: [User-Name=login] [NAS-Identifier] [etc.]

  22. Access-Challenge
     • RADIUS Access-Challenge from the RADIUS Server to the NAS: [Reply-Message]
     • PPP: Challenge relayed to the user

  23. Challenge Response
     • PPP: New User Access Request (response) to the Network Access Server
     • RADIUS Access-Request from the NAS to the RADIUS Server: [User-Name] [CHAP-Password=Response] [NAS-Identifier] [etc.]

  24. Authentication & Authorization
     • The RADIUS Server checks the request against a local or external database

  25. Access-Reject
     • RADIUS Access-Reject from the RADIUS Server to the NAS: [Reply-Message]
     • PPP: Access Request denied (reason)

  26. Service Configuration
     • RADIUS Access-Accept from the RADIUS Server to the NAS: [Reply-Message] [Service-Type] [Framed-IP-Address] [Filter-Id] [etc.]

  27. Start of service delivery
     • IP packets carried in PPP frames between the user and the NAS, then as IP towards the Internet

  28. Accounting-Request (START)
     • RADIUS Accounting-Request from the NAS to the RADIUS Server: [User-Name] [Acct-Status-Type=Start] [Acct-Session-Id] [NAS-Identifier] [Framed-IP-Address]
     • RADIUS Acct-Response from the RADIUS Server
     • IP traffic continues over PPP frames

  29. Accounting-Request (STOP)
     • RADIUS Accounting-Request from the NAS to the RADIUS Server: [User-Name] [Acct-Status-Type=Stop] [Acct-Session-Id] [NAS-Identifier] [Framed-IP-Address] [Acct-Input-Octets] [Acct-Output-Octets] [Acct-Session-Time] [Acct-Terminate-Cause]
     • RADIUS Acct-Response from the RADIUS Server
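As an added example (not code from the tutorial), a reconciliation of the Accounting-Request Start/Stop records from slides 28 and 29, keyed by Acct-Session-Id, of the kind a server-side audit or billing check would run; the record dicts and every value in them are constructed.

```python
# Added example (not the tutorial's code): reconcile RFC 2866 Accounting Start/Stop
# records by Acct-Session-Id. Records are constructed dicts keyed by attribute name,
# as a server holds them after parsing Accounting-Requests.
ACCT_START, ACCT_STOP = 1, 2   # Acct-Status-Type values

class Session:
    def __init__(self, user, nas, ip):
        self.user, self.nas, self.ip = user, nas, ip
        self.started = self.stopped = False
        self.in_octets = self.out_octets = self.duration = 0
        self.terminate_cause = None

def reconcile(records):
    """Fold records by Acct-Session-Id and flag what an audit or billing check cares about:
    Stop without Start, duplicate Start, or NAS / Framed-IP-Address changing within a session."""
    sessions, anomalies = {}, []
    for rec in records:
        sid, nas, ip = rec["Acct-Session-Id"], rec["NAS-Identifier"], rec["Framed-IP-Address"]
        sess = sessions.setdefault(sid, Session(rec["User-Name"], nas, ip))
        if (sess.nas, sess.ip) != (nas, ip):
            anomalies.append((sid, "NAS or Framed-IP-Address changed mid-session"))
        if rec["Acct-Status-Type"] == ACCT_START:
            if sess.started:
                anomalies.append((sid, "duplicate Start"))
            sess.started = True
        elif rec["Acct-Status-Type"] == ACCT_STOP:
            if not sess.started:
                anomalies.append((sid, "Stop without Start"))
            sess.stopped = True
            sess.in_octets, sess.out_octets = rec["Acct-Input-Octets"], rec["Acct-Output-Octets"]
            sess.duration, sess.terminate_cause = rec["Acct-Session-Time"], rec["Acct-Terminate-Cause"]
    return sessions, anomalies

def open_sessions(sessions):
    """Session ids with a Start but no Stop (still in service, or the Stop record was lost)."""
    return sorted(sid for sid, s in sessions.items() if s.started and not s.stopped)

# Constructed sample: session A1 completes, session B2 is still open.
RECORDS = [
    {"Acct-Session-Id": "A1", "User-Name": "lionel@ietf89.com", "NAS-Identifier": "nas1",
     "Framed-IP-Address": "10.0.0.5", "Acct-Status-Type": ACCT_START},
    {"Acct-Session-Id": "B2", "User-Name": "bob@example.com", "NAS-Identifier": "nas1",
     "Framed-IP-Address": "10.0.0.6", "Acct-Status-Type": ACCT_START},
    {"Acct-Session-Id": "A1", "User-Name": "lionel@ietf89.com", "NAS-Identifier": "nas1",
     "Framed-IP-Address": "10.0.0.5", "Acct-Status-Type": ACCT_STOP, "Acct-Input-Octets": 12000,
     "Acct-Output-Octets": 48000, "Acct-Session-Time": 600, "Acct-Terminate-Cause": 1},
]
```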

  30. Wi-Fi Hotspot
     (Diagram: Wi-Fi Access Point → LAN → Internet, with the access point querying the RADIUS Server.)

  31. Roaming Agreements
     (Diagram: Wi-Fi Access Point → LAN → RADIUS Proxy → Internet → RADIUS Server; Login: lionel@orange.com)

  32. Key: RADIUS Extensibility
     • New standard attributes standardized by IETF
       – but only 256 standard attributes can be defined
     • RADIUS's wide adoption is due to the "Vendor-Specific" attribute
       – Freely used by vendors to encapsulate their own extended attributes (up to 256 per vendor)
       – unrecognized vendor-specific attributes are simply ignored by servers
     • New messages need IETF Standards Action
       – but are incompatible with existing RADIUS implementations

  33. RADIUS Ubiquity
     (Diagram: RADIUS at the centre of Dial-In, Mobile Data Access, VPN, Wi-Fi Hot-Spot, Enterprise, Mobile IP, Broadband services (incl. Web Access and VoIP) and Others (e.g. OAM).)


  35. Back to the Future
     • RADIUS RFC 2865 published in 2000
       – Designed as a simple/efficient solution for access control in size-limited networks
     • but with limitations regarding new AAA service requirements:
       – IP mobility management, roaming operations, enhanced access control, etc.
     • Need for new capabilities
       – Server-initiated messages, re-authentication during a session, realm-based routing, reliable and secure transport, bigger packets for more complex policies, etc.
     • Need for a new protocol: Diameter

  36. Diameter…
     • Diameter was designed to be the successor of RADIUS
     • Diameter = Twice the RADIUS
     • So Diameter is not an acronym!!!
