1 / 11

TDR authentication requirements

This article discusses the key requirements for full TDR service authentication, including verifying TDR authorisation, minimising impact of DoS attacks, and credential verification mechanisms. It also explores different authentication methods for various network nodes.

dandrew
Download Presentation

TDR authentication requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TDR authentication requirements Dr. Ian Brown University College London

  2. Key Requirements for full TDR service • Verify TDR authorisation at originating, terminating and intermediate network nodes • Minimise impact of Denial of Service attacks

  3. Three stage authorisation • Verify user’s TDR credentials • Verify signalling is from authorised user • Verify data flows are part of an authorised session

  4. Credential verification mechanisms • GETS: PIN entered by user • GSM/TIPHON: challenge-response registration protocol between user device, local and home networks. User enters PIN to device • SIP: HTTPS with client authentication used to fetch token?

  5. Verifying user credentials • Ideally done by local domain • e.g. GSM, TIPHON retrieve user profile • allows local transport priority – edge networks important, as most likely to suffer congestion • Otherwise done remotely • e.g. GETS, SIP proxy

  6. Verifying signalling • In trusted federation of domains, may rely on ingress policing • But this has problems with transitive trust, DoS and complex network topologies which are difficult to map to international TDR agreements • Possibility of independent verification better

  7. Authorisation token • IP client obtains token from server like tdr.ncs.gov • Token included in SIP call setup message and can be verified by SIP nodes along whole path to IP endpoint • Endpoint can interrupt lower priority sessions or take other TDR-specific action • International Emergency Priority Parameter proposed for ISUP, B-ISUP and BICC CS‑2

  8. Flow verification • Session setup most important in Circuit Switched Networks • But Packet Switched Networks need mechanism to differentiate specific packet flows

  9. QoS mechanisms • DiffServ, RSVP, MPLS all possibilities • All unpopular inter-domain with ISPs due to potential security problems between untrusted networks • Hardest remaining problem for multi-domain networks!

  10. Gateway support • Gateways must translate TDR markings appropriately, and carry authorisation through if possible • Cryptographic link between IP source and PSTN gateway allows PSTN priority even without IP-side support. But gateway should check authorisation on destination network first

  11. VoIP scenarios Legacy Telco Networks SS7 IP (SIP or H.323) • Single IP backbone network connecting SS7 switches • Authorisation done in PSTN • ISUP tunnelled in SIP SS7 PSTN IP Domains • Internetwork • Home+access network authorise transport priority • Proxy/gateway authorises session and PSTN priority ISP ...Rest of the Internet

More Related