
MIPv6 authentication



  1. MIPv6 authentication MIPv6 authentication – AAAv6 MIPv6 authentication – PANA MIPv6 authentication – PPP MIPv6 authentication - comparison Appendix A: IEEE 802.1x authentication

  2. MIPv6 authentication AAAv6

  3. AAAv6 Introduction
  • Proposes a way for IPv6 nodes (clients) to offer credentials to a local AAA server in order to be granted access to the local network
  • The client solicits access to the network in conjunction with some protocol. Protocols considered in this document include:
    • Stateless Address Autoconfiguration (RFC 2462)
    • Mobile IPv6
    • DHCPv6
  • Controlled and uncontrolled access: each network interface of the router can be configured to provide AAA services. When an interface is so configured, all transiting packets are subject to controlled access. If a packet does not pass access control but is an AAA message addressed to the router, it is handed to the Attendant in the uncontrolled access part.

  4. Conformance to IPv4 model (figure labels on the slide: AAAL, AAAH, Local Attendant, Home Agent; charliep@nokia.com)
  • Basic RADIUS/DIAMETER doesn't require changes
  • AAA servers in home and local domain
  • Attendant at local point of attachment (as the FA is for MIPv4)
  • Node desiring authorization supplies identification and credentials to the attendant

  5. AAAv6 Router System (PDSN)
  • The router is the node that provides network access to the client. In addition to the usual packet forwarding functionality, the router system consists of functional blocks such as the attendant and the packet filter.
  • Attendant: the attendant is the entity that extracts the identification and authorization data sent by the client and forwards them to the AAAL for verification. It is also responsible for making the necessary configuration updates (e.g., to the packet filter and the router's Neighbor Cache) so that only authorized clients can access the network.
  • Packet filter: a packet filter/firewall/security gateway is the entity responsible for disallowing unauthorized datagram traffic. When a client is authorized, the access control list of the filter is updated with the corresponding client's IP address(es).

  6. System Point of View (figure: Router System containing the Filter and the Attendant; Client System containing the Client; AAA Server Infrastructure containing the AAAL and the AAAH)

  7. AAAv6 Messages
  • New ICMPv6 messages transport AAA data between the client and the attendant. In addition, several options that can be embedded in an AAAv6 Protocol Message are defined.
  • AAAv6 Protocol Message types:
    • From client to attendant:
      • AAA Request: request for client authorization.
      • AAA Home Challenge Request: request for a new challenge from the AAAH.
    • From attendant to client:
      • AAA Reply: reply to an AAA Request.
      • AAA Teardown: indication of termination of the currently active AAA registration. This message is always sent unsolicited to the registered AAA client.

  8. General AAAv6 protocol overview (figure; only the legend and message labels are recoverable from the slide)
  Legend:
  • LC = Local AAA Challenge
  • RPI = Replay Protection Indicator used between client and AAAH
  • CR = AAA Credential
  • ID = Client Identifier
  • KR = Key Reply
  • UCP = Uncontrolled part
  • CP = Controlled part
  • ACR = AAA Client Request (using an AAA protocol)
  • ACA = AAA Client Answer (using an AAA protocol)
  Parties in the figure: MN, router subsystem (UCP and CP), AAAL, AAAH. Messages in the order shown: Challenge; ID, CR, RPI, Ch; ACR; ACR; ACA; ACA; update config; Status, RPI, Key.
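The exchange on slides 7 and 8, simulated end to end as an added example (this is not code from the slides or from any AAAv6 implementation). The credential construction (an HMAC-SHA256 over the local challenge, the RPI and the client ID, keyed with a secret shared between the MN and its AAAH), the session-key derivation for the Key Reply, the message field names and the sample identities and addresses are all assumptions made here so that the legend on the slide becomes concrete. The demo runs the genuine exchange, then three failure cases a practitioner would want to see rejected: a replayed request, a node without the key, and an RPI that rolls backwards.

```python
"""Simulated AAAv6 exchange: MN -> attendant (router) -> AAAL -> AAAH and back.

Added illustration; credential/key construction and field names are assumptions.
"""
import hashlib
import hmac
import os


def credential(key, lc, rpi, client_id):
    """CR = MAC over the local challenge, the RPI and the client ID (assumed construction)."""
    msg = lc + rpi.to_bytes(8, "big") + client_id.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class AAAH:
    """Home AAA server: holds each client's long-term key and the highest RPI accepted so far."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_rpi = {}

    def handle_acr(self, acr):
        key = self.keys.get(acr["id"])
        if key is None:
            return {"status": "reject", "reason": "unknown client"}
        # Verify the credential before looking at the replay counter.
        if not hmac.compare_digest(credential(key, acr["lc"], acr["rpi"], acr["id"]), acr["cr"]):
            return {"status": "reject", "reason": "bad credential"}
        if acr["rpi"] <= self.last_rpi.get(acr["id"], -1):
            return {"status": "reject", "reason": "replayed RPI"}
        self.last_rpi[acr["id"]] = acr["rpi"]
        # Key Reply: a session key derived from the long-term key and bound to this challenge.
        kr = hmac.new(key, b"session-key" + acr["lc"], hashlib.sha256).digest()
        return {"status": "accept", "rpi": acr["rpi"], "key": kr}


class AAAL:
    """Local AAA server: routes the ACR to the AAAH of the client's realm and relays the ACA."""

    def __init__(self, homes):
        self.homes = dict(homes)

    def handle_acr(self, acr):
        home = self.homes.get(acr["id"].rpartition("@")[2])
        if home is None:
            return {"status": "reject", "reason": "unknown realm"}
        return home.handle_acr(acr)


class Attendant:
    """Router-side attendant: issues LC, forwards (ID, CR, RPI, LC) to the AAAL, updates the filter ACL."""

    def __init__(self, aaal):
        self.aaal = aaal
        self.outstanding = {}   # MN address -> challenge not yet answered
        self.acl = set()        # addresses admitted to the controlled part

    def challenge(self, mn_addr):
        lc = os.urandom(16)
        self.outstanding[mn_addr] = lc
        return lc

    def handle_request(self, mn_addr, req):
        lc = self.outstanding.pop(mn_addr, None)   # each challenge is single-use
        if lc is None or not hmac.compare_digest(lc, req["lc"]):
            return {"status": "reject", "reason": "stale or unknown challenge"}
        aca = self.aaal.handle_acr({"id": req["id"], "cr": req["cr"], "rpi": req["rpi"], "lc": lc})
        if aca["status"] == "accept":
            self.acl.add(mn_addr)                  # "update config": open the packet filter
        return aca

    def permits(self, src_addr):
        return src_addr in self.acl


class MobileNode:
    def __init__(self, client_id, key, addr):
        self.id, self.key, self.addr, self.rpi = client_id, key, addr, 0

    def request(self, lc):
        self.rpi += 1
        return {"id": self.id, "rpi": self.rpi, "lc": lc, "cr": credential(self.key, lc, self.rpi, self.id)}


def run_exchange(mn, attendant):
    lc = attendant.challenge(mn.addr)
    req = mn.request(lc)
    return attendant.handle_request(mn.addr, req), req


def demo():
    key = b"long-term key shared by mn@example.com and its AAAH"   # constructed sample
    aaah = AAAH({"mn@example.com": key})
    att = Attendant(AAAL({"example.com": aaah}))
    mn = MobileNode("mn@example.com", key, "2001:db8:1::10")
    results = {}
    first, captured = run_exchange(mn, att)
    results["genuine"] = first["status"]
    results["filter_opened"] = att.permits(mn.addr)
    # 1. An eavesdropper replays the captured request: the challenge has been consumed.
    results["replayed_request"] = att.handle_request(mn.addr, captured)["reason"]
    # 2. A node without the key answers a fresh challenge: the AAAH rejects the credential.
    impostor = MobileNode("mn@example.com", b"guess", "2001:db8:1::66")
    results["impostor"] = run_exchange(impostor, att)[0]["reason"]
    results["impostor_filtered"] = att.permits(impostor.addr)
    # 3. The genuine MN reboots and its RPI counter restarts: the AAAH rejects the reused RPI.
    mn.rpi = 0
    results["rpi_rollback"] = run_exchange(mn, att)[0]["reason"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the three failure cases is where each check lives: the attendant can only tell that a challenge is stale, while detecting a wrong key or a reused RPI requires the AAAH, which is why the router must stay out of the trust decision and only act on the ACA it receives.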

  9. MIPv6 authentication PANA

  10. Protocol for carrying Authentication for Network Access (PANA) An IETF Protocol for Last-hop AAA Alper Yegin, Basavaraj Patil IETF PANA WG Chairs

  11. Overview
  • A network-layer (i.e., link-layer and IP version agnostic) access authentication protocol that can carry various authentication methods
  • Last-hop AAA (i.e., between host and access network)
  • AAA backend can be either RADIUS or Diameter
  • Purpose: enable authentication and authorization of nodes and networks for gaining network access
  (Protocol stack on the slide, top to bottom: authentication method, EAP, PANA, UDP, IP)

  12. PANA
  • PANA is a standards-track solution that will allow any authentication method to be used on any link layer
  • No need to rely on the underlying L2 for providing an authentication mechanism
  • No need to resort to non-standard ad-hoc schemes (e.g., web-based login)
  • No need to stretch and overload existing protocols (e.g., using Mobile IPv4 for network access authentication)

  13. Architecture (figure: Internet; PaC (MT); PAA (PDSN); Authentication Server; PANA between PaC and PAA, DIAMETER/RADIUS between PAA and the Authentication Server)

  14. Signaling
  • Before authentication, the MT is allowed to send and receive only PANA packets (and maybe DHCP, Router Discovery)
  • PANA can be engaged before or after the MT has been assigned an IP address (i.e., it can work with the 0.0.0.0 address)
  • After PANA is completed, the MT is allowed any traffic permitted by its AAA profile
  • PDSN opens the gate
  (Figure: MT (PaC), PDSN (PAA), AAA; PANA Discovery, PANA EAP, RADIUS/Diameter, PANA Termination)
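The gate behaviour described on slides 13 and 14, as an added example written for this page (not code from the slides or from any PANA implementation). It models the PaC on the MT, a PAA on the PDSN that also acts as the enforcement point, and a RADIUS/Diameter stand-in that checks the EAP method and returns the AAA profile. Assumptions: the EAP method is reduced to a password compare inside the AAA stand-in; message names follow the slide (Discovery, EAP, Termination) rather than any later specification; the pre-authentication allow-list (PANA on UDP 716, DHCPv6 to the server port, ICMPv6 Router Solicitation) is taken from the slide text; the identities, secrets and link addresses are constructed. Sessions are keyed on a link identity rather than an IP address because the slide says PANA may run before the MT has one.

```python
"""Simulated PANA last-hop access control: PaC (MT) <-> PAA (PDSN, also the gate) <-> AAA backend.

Added illustration; EAP method, message names and the pre-auth allow-list are assumptions.
"""
import hmac
from enum import Enum

PANA_UDP_PORT = 716          # UDP port IANA assigned to PANA
DHCPV6_SERVER_PORT = 547     # DHCPv6 server/relay port
ICMPV6_ROUTER_SOLICIT = 133  # ICMPv6 type: Router Solicitation

# What the gate lets through before PANA has completed (assumed per the slide).
PRE_AUTH_ALLOW = {("udp", PANA_UDP_PORT), ("udp", DHCPV6_SERVER_PORT), ("icmpv6", ICMPV6_ROUTER_SOLICIT)}


class State(Enum):
    AUTHENTICATING = "authenticating"
    OPEN = "open"


class AAAServer:
    """Stand-in for the RADIUS/Diameter backend: checks the EAP method and returns the AAA profile."""

    def __init__(self, users):
        self.users = users   # identity -> {"secret": str, "allow": {(proto, port), ...}}

    def authenticate(self, identity, response):
        entry = self.users.get(identity)
        if entry is None or not hmac.compare_digest(entry["secret"], response):
            return "Access-Reject", None
        return "Access-Accept", entry["allow"]


class PAA:
    """PANA Authentication Agent on the PDSN; here it is also the enforcement point (the gate)."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.sessions = {}   # link identity -> {"state", "identity", "allow"}

    def allows(self, link_id, proto, port):
        """Per-packet decision: open only for an OPEN session, and only as far as the AAA profile permits."""
        s = self.sessions.get(link_id)
        if s is not None and s["state"] is State.OPEN:
            return (proto, port) in s["allow"]
        return (proto, port) in PRE_AUTH_ALLOW

    def handle(self, link_id, msg):
        kind = msg["type"]
        if kind == "PANA-Discovery":
            # A new discovery replaces any half-finished attempt from the same link identity.
            self.sessions[link_id] = {"state": State.AUTHENTICATING, "identity": None, "allow": set()}
            return {"type": "PANA-Start", "eap": "Request/Identity"}
        if kind == "PANA-Termination":
            self.sessions.pop(link_id, None)      # gate closes immediately, whatever the state was
            return {"type": "PANA-Termination-Ack"}
        s = self.sessions.get(link_id)
        if s is None or s["state"] is not State.AUTHENTICATING:
            return {"type": "PANA-Error", "reason": "no authentication in progress"}
        if kind == "PANA-EAP" and msg["eap"] == "Response/Identity":
            s["identity"] = msg["identity"]
            return {"type": "PANA-EAP", "eap": "Request/Method"}
        if kind == "PANA-EAP" and msg["eap"] == "Response/Method":
            verdict, allow = self.aaa.authenticate(s["identity"], msg["response"])
            if verdict == "Access-Accept":
                s["state"], s["allow"] = State.OPEN, set(allow)   # "PDSN opens the gate"
                return {"type": "PANA-EAP", "eap": "Success"}
            del self.sessions[link_id]            # failure: MT stays behind the gate
            return {"type": "PANA-EAP", "eap": "Failure"}
        return {"type": "PANA-Error", "reason": "unexpected message"}


class PaC:
    """PANA Client on the MT."""

    def __init__(self, link_id, identity, secret):
        self.link_id, self.identity, self.secret = link_id, identity, secret

    def authenticate(self, paa):
        paa.handle(self.link_id, {"type": "PANA-Discovery"})
        paa.handle(self.link_id, {"type": "PANA-EAP", "eap": "Response/Identity", "identity": self.identity})
        reply = paa.handle(self.link_id, {"type": "PANA-EAP", "eap": "Response/Method", "response": self.secret})
        return reply["eap"]

    def terminate(self, paa):
        return paa.handle(self.link_id, {"type": "PANA-Termination"})["type"]


def demo():
    # Constructed sample subscriber: profile permits only HTTP and HTTPS.
    aaa = AAAServer({"mt1@example.net": {"secret": "correct horse", "allow": {("tcp", 80), ("tcp", 443)}}})
    paa = PAA(aaa)
    good = PaC("00:11:22:33:44:55", "mt1@example.net", "correct horse")
    bad = PaC("66:77:88:99:aa:bb", "mt1@example.net", "wrong")
    r = {}
    r["pre_auth_pana"] = paa.allows(good.link_id, "udp", PANA_UDP_PORT)
    r["pre_auth_http"] = paa.allows(good.link_id, "tcp", 80)
    r["good_result"] = good.authenticate(paa)
    r["post_auth_http"] = paa.allows(good.link_id, "tcp", 80)
    r["post_auth_ssh"] = paa.allows(good.link_id, "tcp", 22)    # not in the AAA profile
    r["bad_result"] = bad.authenticate(paa)
    r["bad_http"] = paa.allows(bad.link_id, "tcp", 80)
    good.terminate(paa)
    r["after_termination_http"] = paa.allows(good.link_id, "tcp", 80)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting: the gate consults the profile returned by the AAA backend rather than a global "authenticated" flag, so a successful authentication opens exactly what the subscriber is entitled to and nothing more, and a PANA Termination drops the session state itself, so the gate closes without a separate cleanup path.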

  15. Supported Scenarios
  • PANA over physically secured networks (e.g., DSL)
  • PANA over already cipher-secured links (e.g., cdma2000 in 3GPP2)
  • PANA without any lower-layer security
  • It can enable L2 or L3 ciphering as a result of authentication

  16. Data Security
  • PANA can be used for enabling per-packet authentication and encryption
    • At L2 (e.g., bootstrap WEP)
    • At L3 (e.g., bootstrap IPsec; see draft-mohanp-pana-ipsec-00.txt)
  • Uses the EAP keying framework

  17. Useful PANA Features
  • Unifying: can be used on any link layer for any type of access (simple IPv4/IPv6, Mobile IPv4/IPv6)
  • Extensible: support for any authentication method via EAP; standard and vendor-specific AVPs
  • Easy to deploy: PANA can be implemented as a UDP-based application

  18. Useful PANA Features
  • Provides deployment flexibility:
    • PAA can be placed on any device on the last hop.
    • PAA, access router, and access enforcement points can be hosted on separate nodes.
  • Well integrated with the "Internet AAA architecture": EAP, RADIUS, Diameter, IPsec, IKE, provisioning protocols
  • Mobility optimizations: re-use of an ongoing PANA session even after a PAA (subnet) change

  19. Useful PANA Features
  • Bootstraps a local security association, useful for securing other protocols (e.g., draft-tschofenig-pana-bootstrap-rfc3118-00.txt)
  • Authentication sequencing (example: separate ISP and NAP authentication)
  • Multiple parallel authenticated sessions
  • "Limited free access" model: forcing authentication only after the client attempts to access beyond the free zone

  20. Proposal
  • Mobile IPv6 is intended for use in cdma2000 networks in Revision "D"
  • PANA can be used as the authentication protocol for clients before allowing Mobile IPv6 access
  • It can enable various levels of last-hop AAA unification and enhanced features

  21. Status
  • Informational drafts are being reviewed by the IESG: problem statement, requirements, security threats
  • PANA protocol: mostly completed, being revised and reviewed
  • Expected to be completed before the end of '03

  22. Pointers
  • Working Group web site: www.ietf.org/html.charters/pana-charter.html
  • Additional web site: http://www.toshiba.com/tari/pana/pana.htm
  • FAQ: http://www.toshiba.com/tari/pana/pana-faq.txt

  23. MIPv6 authentication PPP

  24. PPP/EAP
  • Uses the LCP Configuration Option for Authentication-Protocol (as with Simple IP service), i.e.:
  • Description: on some links it may be desirable to require a peer to authenticate itself before allowing network-layer protocol packets to be exchanged.
  • This Configuration Option provides a method to negotiate the use of a specific protocol for authentication.
  • A summary of the Authentication-Protocol Configuration Option format is shown below. The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |    Authentication-Protocol    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+

  25. Authentication Protocol
  • The Authentication-Protocol field is two octets and indicates the authentication protocol desired. Values for this field are always the same as the PPP Protocol field values for that same authentication protocol.

      Value (in hex)   Protocol
      C023             Password Authentication Protocol (PAP)
      C223             Challenge Handshake Authentication Protocol (CHAP)
      C227             Extensible Authentication Protocol (EAP) [RFC2284]

  • Within the EAP Request message there is a Type field to indicate what authentication is being requested. Examples of Request Types include MD5-Challenge, etc.
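An encoder, decoder and authenticator-side negotiation check for the option format on slides 24 and 25, as an added example (not code from the slides). The byte layout and the PAP/CHAP/EAP values come from the slides; the option type number 3 is the RFC 1661 value for Authentication-Protocol, the CHAP Algorithm octet values (MD5 = 5 from RFC 1994, MS-CHAP = 0x80 from RFC 2433, MS-CHAP-V2 = 0x81 from RFC 2759), the preference policy and the sample option bytes are added here. The decoder checks the Length field against the bytes actually present before slicing, and the negotiation function answers a PAP proposal with a Configure-Nak carrying the preferred protocol instead of accepting cleartext passwords.

```python
"""Encode/decode/negotiate the PPP LCP Authentication-Protocol Configuration Option.

Added illustration; option type 3, CHAP algorithm values and the policy are assumptions
documented in the lead-in, taken from the cited RFCs rather than from the slides.
"""
import struct

LCP_OPT_AUTH_PROTOCOL = 3                       # RFC 1661 option type
PAP, CHAP, EAP = 0xC023, 0xC223, 0xC227         # PPP Protocol field values from the slide
AUTH_PROTOCOLS = {PAP: "PAP", CHAP: "CHAP", EAP: "EAP"}
CHAP_ALGORITHMS = {5: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}


def encode_auth_option(protocol, data=b""):
    """Type(1) Length(1) Authentication-Protocol(2) Data(...); Length counts the whole option."""
    return struct.pack("!BBH", LCP_OPT_AUTH_PROTOCOL, 4 + len(data), protocol) + data


def decode_auth_option(buf):
    """Decode the option at the head of buf; return (info, remaining bytes). ValueError on malformed input."""
    if len(buf) < 4:
        raise ValueError("option truncated: fewer than 4 octets")
    opt_type, length, protocol = struct.unpack("!BBH", buf[:4])
    if opt_type != LCP_OPT_AUTH_PROTOCOL:
        raise ValueError(f"not an Authentication-Protocol option (type {opt_type})")
    if length < 4 or length > len(buf):
        # Never trust the Length field blindly: a short or oversized value walks off the buffer.
        raise ValueError(f"length field {length} inconsistent with {len(buf)} octets present")
    data = buf[4:length]
    info = {"protocol": protocol, "name": AUTH_PROTOCOLS.get(protocol, "unknown"), "data": data}
    if protocol == CHAP:
        if len(data) != 1:
            raise ValueError("CHAP option must carry exactly one Algorithm octet")
        info["algorithm"] = CHAP_ALGORITHMS.get(data[0], f"unknown(0x{data[0]:02x})")
    return info, buf[length:]


def iter_lcp_options(buf):
    """Generic walker over a Configure-Request option list: yields (type, raw option bytes)."""
    while buf:
        if len(buf) < 2:
            raise ValueError("option header truncated")
        length = buf[1]
        if length < 2 or length > len(buf):
            raise ValueError(f"bad option length {length}")
        yield buf[0], buf[:length]
        buf = buf[length:]


# Authenticator policy, most preferred first: EAP, then CHAP with MD5. PAP is never acceptable.
ACCEPTABLE = [encode_auth_option(EAP), encode_auth_option(CHAP, b"\x05")]


def negotiate_auth(received):
    """RFC 1661 rule: Configure-Ack an acceptable value, else Configure-Nak with the value we would accept."""
    decode_auth_option(received)            # reject malformed proposals before comparing
    if received in ACCEPTABLE:
        return "Configure-Ack", received
    return "Configure-Nak", ACCEPTABLE[0]


def demo():
    """Constructed Configure-Request option list: MRU (type 1), PAP auth, Magic-Number (type 5)."""
    confreq = b"\x01\x04\x05\xdc" + encode_auth_option(PAP) + b"\x05\x06\xde\xad\xbe\xef"
    summary = []
    for opt_type, raw in iter_lcp_options(confreq):
        if opt_type == LCP_OPT_AUTH_PROTOCOL:
            info, _ = decode_auth_option(raw)
            summary.append((opt_type, info["name"], negotiate_auth(raw)[0]))
        else:
            summary.append((opt_type, "other", "ignored here"))
    return summary


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The negotiation function is where the security decision sits: a peer that proposes PAP is not refused outright, which would stall LCP, but is steered to EAP by the Nak, and only a proposal that matches an acceptable encoding byte for byte is acknowledged.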

  26. MIPv6 authentication comparison

  27. MIPv6 authentication in TIA-835D (i.e. RFC 3012 for MIPv6)

  28. +/- analysis

  29. Appendix A: MIPv6 authentication – 802.1x

  30. 802.1x authentication
  • The 3-year-old Wired Equivalent Privacy (WEP) protocol has been discredited so thoroughly that its authentication and encryption capabilities are not considered sufficient for use in enterprise networks.
  • In response to the WEP fiasco, many wireless LAN vendors have latched onto the IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs. The wildcard with the 802.1x protocol is interoperability.

  31. 802.1x authentication (cont)

  32. 802.1x authentication (cont)
  • The wireless client sends an authentication request to either the wireless access point or an 802.1x-enabled switch.
  • The wireless access point or 802.1x-enabled switch repackages the authentication request and sends it on to the RADIUS server.
  • The RADIUS server examines the request and may proxy it to another server or consult an authentication database directly.
  • If access is authenticated, the RADIUS server informs the wireless access point or 802.1x-enabled switch.
  • The wireless access point or 802.1x-enabled switch informs the client of access.
