AAA for IPv6 Network Access


FASTER workshop, Tampere University of Technology, January 11, 2001

N. Asokan, Nokia Research Center

© NOKIA

aaav6.PPT, v1.0/ 10.1.2001/ N.Asokan (NRC/COM)

Outline
• Introduction
• AAA for Mobile IPv4
• AAA for IPv6
• Some open issues


What is it?
• Authentication, Authorization, and Accounting
• Authorization
  • checking of eligibility to access a service or resource, e.g.,
    • passport at border control
    • movie ticket to the gatekeeper
    • driver's license to the attendant with an authorized visitor list
    • network access, auxiliary services (e.g., QoS), other services (e.g., mobile commerce)
  • sometimes, but not always, based on authentication
  • based on some type of credential
  • basis for collecting money from users
• Authorization infrastructure
  • framework necessary to support authorization: servers, contracts, ...
  • for mobile users, issuer and verifier are in different administrative domains


AAA Basics
• Support for authorization seen as a critical missing piece in IETF
• General model
  • AAA server responsible for authorization decisions (one per domain)
  • may distribute cryptographic keys to be used between, e.g., attendant and client
• SA3 implies the need for a large scale authorization infrastructure

[Figure: local domain (Attendant, AAAL), home domain (AAAH) and client; security associations SA1, SA2, SA3; access protocol flows and AAA protocol flows]

Mobile IP Basics
• Mobile host has a permanent home address, and a home agent (HA) in the home network
• On entering a visited network, it acquires a care-of address (CoA) and conveys this information to the HA in a binding update
  • binding update is protected using the MN-HA security association
• In IPv4, the access router may act as a foreign agent (FA): an address of the FA may be used as the CoA

[Figure: local domain (Router), home domain (HA) and client/host; security association SA1; Mobile IP protocol flows]

Mobile IPv4/AAA
• AAA and Mobile IP working groups are developing protocols for AAA
• AAA credential sent as payload in Registration Request (RR)
• FA extracts relevant information from RR, includes it in request to AAAL
  • also includes entire RR (in order to meet the "single round-trip" requirement)

[Figure: local domain (FA, AAAL), home domain (HA, AAAH) and client/host; security associations SA1, SA2, SA3, SA4; Mobile IP protocol flows and AAA protocol flows]

See "Mobile IP Joins Forces with AAA", IEEE Personal Communications magazine, August 2000

AAA for IPv6
• Objectives
  • general framework for AAA support for IPv6 network access
  • support many different scenarios: stateless and stateful address autoconfiguration, Mobile IPv6, ...
  • anticipate use in other contexts as well
• Proposed approach
  • described in IETF personal draft: draft-ietf-perkins-aaav6
  • joint work with Patrik Flykt, Charlie Perkins, Thomas Eklund
  • current version available at http://people.nokia.net/~charliep/txt/aaav6/aaav6.txt


General Framework

[Figure: message flow between Client/Host, Router System (Attendant with Packet filter), AAAL and AAAH:
  Attendant -> Host: Local Challenge (LC)
  Host -> Attendant: AAA Req: LC, RPI, CID, Cred.
  Attendant -> AAAL -> AAAH: AHR: LC, RPI, CID, Cred
  AAAH -> AAAL -> Attendant: AHA: code, RPI, KR, ...
  Attendant: update config (packet filter)
  Attendant -> Host: AAA Rep: code, RPI, KR]

• CID - client identifier
• LC - Local challenge
• RPI - Replay protection indicator (between AAAH and host)
• Cred. - AAA Credential (from host to AAAH)
• KR - Key reply
• AHA, AHR - AAA protocol messages

General Framework, cont.
• Client Identifier: NAI or an IPv6 address
• Replay protection:
  • between AAAL and AAAH, AAAL and Attendant: AAA protocol
  • host and AAAH: timestamps or random challenges (similar to Mobile IPv4)
• AAA Credential: based on
  • security association between the client and AAAH
  • client identifier
  • local AAA challenge
  • replay protection indicator
• Key Reply: encoded session key(s) for use between host & local domain
  • e.g., used in IPSec AH tunnel for upstream traffic
  • used for subsequent authorization within the same domain (e.g., for regional registration requests)
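As an added illustration (not code from the draft or these slides), the following Python simulation walks the General Framework exchange above: the attendant issues a local challenge, the host derives its credential from the host-AAAH security association, CID, LC and RPI, the AAAH verifies it and enforces replay protection on the RPI, and returns a key reply that only the host can decode, after which the attendant updates its packet filter. The HMAC-based credential, the XOR key encoding, the constructed secret and NAI, and the collapsing of AAAL forwarding into a direct call are assumptions of this example.

```python
import hmac, hashlib, os

# Constructed shared secret and NAI for the simulation (hypothetical values, not from the draft)
HOST_AAAH_KEY = b"constructed-host-aaah-secret"
CID = "user@example.net"

def credential(key, cid, lc, rpi):
    """AAA Credential: MAC over CID, local challenge and RPI, keyed with the host-AAAH SA."""
    return hmac.new(key, cid.encode() + lc + rpi.to_bytes(8, "big"), hashlib.sha256).digest()

def key_reply(key, rpi, session_key):
    """Encode the session key for the host by XOR with a keystream derived from the
    host-AAAH key and the RPI; the attendant only sees the encoded form. XOR also decodes."""
    stream = hmac.new(key, b"KR" + rpi.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, stream))

class AAAH:
    def __init__(self, keys):
        self.keys, self.last_rpi, self.sessions = keys, {}, {}
    def handle_ahr(self, lc, rpi, cid, cred):
        """AHR in, AHA out as (code, RPI, KR)."""
        key = self.keys.get(cid)
        if key is None or not hmac.compare_digest(cred, credential(key, cid, lc, rpi)):
            return ("FAIL", rpi, None)
        if rpi <= self.last_rpi.get(cid, 0):      # replay protection: RPI must advance per client
            return ("REPLAY", rpi, None)
        self.last_rpi[cid] = rpi
        self.sessions[cid] = os.urandom(16)       # session key for host <-> local domain
        return ("OK", rpi, key_reply(key, rpi, self.sessions[cid]))

class Attendant:
    def __init__(self, aaah):
        self.aaah, self.issued, self.packet_filter = aaah, set(), set()
    def router_advertisement(self):
        lc = os.urandom(16)                       # local challenge option
        self.issued.add(lc)
        return lc
    def aaa_request(self, lc, rpi, cid, cred):
        """AAA Req in, AAA Rep out; AAAL forwarding is collapsed into a direct call."""
        if lc not in self.issued:
            return ("BAD_CHALLENGE", rpi, None)
        self.issued.discard(lc)                   # each local challenge is single use
        code, rpi, kr = self.aaah.handle_ahr(lc, rpi, cid, cred)
        if code == "OK":
            self.packet_filter.add(cid)           # update config: client now admitted
        return (code, rpi, kr)

def host_access(attendant, key, cid, rpi):
    """Host side of the exchange; returns the AAA Rep code and the recovered session key."""
    lc = attendant.router_advertisement()
    code, _, kr = attendant.aaa_request(lc, rpi, cid, credential(key, cid, lc, rpi))
    return code, (key_reply(key, rpi, kr) if code == "OK" else None)
```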


Stateless Address Autoconfiguration
• Router Advertisement containing local AAA challenge option
• ICMPv6 messages (alt. IPv6 destination options) for transporting AAA data between host and attendant
  • AAA Request, AAA Reply
  • AAA Home Challenge Request
  • AAA Teardown Request? AAA Teardown?
  • one or more AAA options
    • Client Identifier (subtypes: NAI, IPv6 address)
    • Challenge (subtypes: local challenge, AAAH challenge)
    • Generalized Key Reply
    • Timestamp
    • IPv6 address (acquired IPv6 address)
    • Lifetime
    • Embedded data (to carry additional data)
• AAA protocol (DIAMETER) between
  • attendant and AAAL, and
  • AAAL and AAAH

Mobile IPv6
• If HA and AAAH belong to the same domain
  • bundle Binding Update in AAA Request using Embedded Data option
  • AAAH extracts Binding Update and sends it to HA
  • Binding Acknowledgement sent back via AAAH
• Otherwise, AAA processing and binding updates can be done separately
• Which is the common case?
  • "single home" is the traditional telecom notion (e.g., HLR)
    • IETF heading in this direction, too
  • but "authorization home" and "routing home" may be different
    • needed when existing authorization infrastructures are used: e.g., payment with credit card, or authorization using SIM card (see next slide)
  • "single roundtrip" may not be a critical factor for IPv6
    • binding updates to correspondent nodes/previous router are more time critical
  • provisional conclusion: both models need to be supported

Bootstrapping MIP/AAA: GSMSIM case
• Use GSM auth. infrastructure as AAAH
• Use existing SIM cards
• Local access network operators need contracts with local GSM operators

[Figure: GSM authorization infrastructure (HLR, Gateway/MSC) acting as AAAH in the home domain; local domain with AAAL and Attendant; HA; security associations SA3, SA4 and derived security association SA1']

See IETF draft draft-haverinen-gsmsim-01.txt (for Mobile IPv4)

Bootstrapping MIP/AAA: Pros and cons
• No new per-user setup necessary
  • users need to download necessary software
  • use existing SIM cards
  • charges show up in phone bill
• Local access network operators trusted to generate correct charging information
  • alternatives
    • do GSM authentication periodically to authorize a fixed amount
    • flat-rate billing
    • use unforgeable digital signatures (based on public key mechanisms)

Other issues
• ICMPv6 or destination options for the AAA Request and Reply messages?
  • ICMPv6: more explicit, allow longer options (16-bit length field)
  • destination options: possibly more optimal if AAA signaling is to be combined with data transfer
• Support for micromobility?
  • usual authorization on entering a new domain
  • subsequent authorizations (with different access routers) within the same domain must be lightweight and fast
• What about DHCPv6?
  • current approach: define new AAA extensions to DHCPv6
  • alternative: use the same ICMPv6 messages, along with the embedded data option?
• Additions to the AAA protocol?