AAA-based Mobile IPv6 Authentication Framework

Kim Mi Young

Soongsil University

[email protected]


Contents

  • Introduction

  • Model

  • Diameter Service Architecture

  • Assumptions

  • Basic Features

  • MIPv6 Application-Diameter Message

  • Information Exchange(MN, AAA Client)

  • Basic Protocol Overview

  • Diameter Protocol Structure in Mobile IPv6

  • Enhanced Protocol Operation

  • Security Consideration

  • AAA Architecture for Mobile IPv6


Introduction

  • Inter-domain mobility support in pure MIPv6?
    • Scalability problem
    • Commercial deployment problem
  • What about using AAA (Diameter)?
    • Authentication / Authorization / Accounting
    • Inter-domain interoperability
    • Global-scale service
    • Secure communication between AAA servers
  • What about a Diameter extension for MIPv6?
    • Global roaming over a secure infrastructure
    • Needs new messages and behaviour: a Diameter application
    • Distribution of security keys
    • Provides MIPv6 with an inter-domain mobility procedure
    • General and optimized AAA service for MIPv6


Diameter Service Architecture


Diameter vs. RADIUS

Comparison of Diameter and RADIUS

  Criterion                        | Diameter                                                                                       | RADIUS
  ---------------------------------|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------
  Service target                   | Users across multiple domains                                                                  | End-users within a small domain
  Service paradigm                 | Broker-based peer-to-peer                                                                      | Client / server
  Connection type                  | Connection-oriented                                                                            | Connectionless
  Security                         | End-to-end security; TLS (optional on the client) or IPsec (mandatory); whole packet encrypted | Security between server and end-user only; CHAP / PAP; only the user password is encrypted
  Attribute space                  | 32-bit AVP codes (up to 2^32 pairs)                                                            | 8-bit attribute types (up to 2^8 pairs)
  Transport protocol               | TCP or SCTP                                                                                    | UDP
  Message exchange                 | Request / Response, plus unsolicited (server-initiated) messages                               | Request / Response only
  Fail-over                        | Built-in fail-over (DWR / DWA watchdog)                                                        | -
  Other                            | Capability negotiation (version, applications, ...); high extensibility                        | Low extensibility
  Recommended use: fixed network   | Roaming users                                                                                  | Fixed / roaming users
  Recommended use: mobile network  | Mobile IP users; users needing strong security                                                 | -

The security and transport rows describe the Diameter base protocol of RFC 3588. RFC 6733, which obsoletes it, dropped the planned end-to-end security framework and replaced the IPsec requirement with TLS/TCP and DTLS/SCTP.


Model

  • Mobility entities
    • MN (Mobile Node)
    • HA (Home Agent)
    • AAA Client (Attendant)
      • AAA relay entity: forwards the user ID and the authentication information
      • An access router or an AA agent
    • AAAv server: AAA server in the visited domain
    • AAAh server: AAA server in the home domain


Assumptions

  • Identity of the MN
    • NAI (Network Access Identifier): RFC 2794
    • Home Address of the MN
    • If the MN has both, AAA uses the NAI; if it has only one, AAA uses that one
  • Shared long-term key (between MN and AAAh)
    • Basis for network and user authentication
  • Secure communication (between AAAv and AAAh)
    • SA between the AAA (Diameter) servers
    • Information is exchanged over the secure channel


Basic Features(1) Authentication / Authorization

  • Authentication and Authorization (AA)
    • Mutual AA
      • Visited network: network resource planning and protection
      • IPv6 node: protection against impersonation (false BTS attack)


Basic Features(2) Dynamic Home Agent Assignment in Home Domain

  • Network renumbering / non-fixed assignment
    • Provides dynamic Home Agent assignment
  • Dynamic HA address discovery mechanism
    • In MIPv6: many round trips / much signaling / long delay
    • Over the AAA infrastructure: one round trip


Basic Feature(3) Key Distribution

  • Dynamic security associations
    • MN and visited network: confidentiality and integrity of data over the access link
    • MN and Home Agent: BU / BA (must be protected)
  • Key distribution algorithm (e.g. IKE)


Basic Features(4) Optimization of Binding Updates

  • Role of the AAA server in this I-D
    • Authentication / Authorization
    • Key distribution
    • Dynamic Home Agent allocation
    • Optimization of BU
  • Pre-assumption: the MN knows its HA
    • MN behaviour: embeds the BU in the AAA request message
    • AAA behaviour: processes the BU (relays it to the HA)
  • Steps for a binding update
    • 1. Obtain authentication through the AAA infrastructure
    • 2. Dynamic home agent address discovery (DHAAD)
    • 3. SA setup between MN and HA (e.g. Internet Key Exchange, IKE)
    • 4. Binding Update request (BU) / Binding Acknowledgement (BA)


MIPv6 App. Diameter Message(1)

  • Command codes
    • ARR : AA-Registration-Request (Attendant -> AAAL -> AAAH)
    • ARA : AA-Registration-Answer (AAAH -> AAAL -> Attendant)
    • HOR : Home-Agent-MIPv6-Request (AAAH -> HA)
    • HOA : Home-Agent-MIPv6-Answer (HA -> AAAH)
  • AAAL and AAAH are the I-D's names for the AAAv and AAAh servers of the model above


MIPv6 App. Diameter Message(2)

  • AVPs (Attribute Value Pairs)
    • MIP-Binding-Update: type OctetString, payload = the BU message
    • MIP-Binding-Acknowledgement: type OctetString, payload = the BA message
    • MIPv6-Mobile-Node-Address: type IPAddress, payload = home address of the MN
    • MIPv6-Home-Agent-Address: type IPAddress, payload = home agent address of the MN
    • MIPv6-Feature-Vector: type Unsigned32, payload = flags
      • For dynamic HA assignment: flag value 1 = requesting dynamic HA assignment

Information Exchange(1) (MN, AAA Client)

  • MIP feature data
    • Used when requesting dynamic HA assignment
    • Carried in ICMPv6 / a new destination option / etc.
  • EAP data
    • A MIPv6 node may use various AA methods (including EAP)
  • Embedded data
    • BU and BA are sent/received inside the AAA request message (piggyback)
    • Reduces the number of round trips: BU optimization


Information Exchange(2) (MN, AAA Client)

  • Authentication
    • The MN must be authenticated before it accesses the visited network
    • Mutual authentication (MN <-> visited network)
    • Default: mutual challenge exchange (the challenge is carried in the Router Advertisement)
  • Messages
    • ARR : AA-Registration-Request
    • ARA : AA-Registration-Answer
    • HOR : Home-Agent-MIPv6-Request
    • HOA : Home-Agent-MIPv6-Answer


Diameter Protocol Structure in Mobile IPv6: Basic Operation


Enhanced Protocol Operation(1)

  • If the MN does not know a pre-configured HA
    • Dynamic HA assignment
    • Dynamic home address assignment
  • Contains all features of the basic operation
    • Key distribution
    • Optimized (embedded) BU
    • Authentication: same as the basic operation
  • Additional activities
    • Behaviour of the entities
    • AVPs


Enhanced Protocol Operation(2)

Home Agent assignment in the home network
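The basic operation (challenge in the RA, ARR through the attendant to the home AAA server, HOR/HOA to the home agent, embedded BU/BA, keys handed out in the answer) and the enhanced operation (HA assigned by the AAAH when the feature-vector flag is set) as an added, constructed Python simulation. It is not code from the presentation or the I-D: messages are plain dicts rather than Diameter wire format, the AAAL is modelled as a transparent relay, and the key derivation (HMAC-SHA256 from the MN/AAAh long-term key and the two challenges), the authenticator fields and the trivial HA selection policy are assumptions of this example.

```python
import hmac
import os

FLAG_DYNAMIC_HA_ASSIGNMENT = 0x1   # MIPv6-Feature-Vector flag from the slides (value 1)


def prf(key, label, *parts):
    # HMAC-SHA256 as MAC and KDF (assumed); parts are length-prefixed so (a, bc) != (ab, c)
    m = hmac.new(key, label, "sha256")
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class MobileNode:
    def __init__(self, nai, long_term_key, coa, home_agent=None):
        self.nai, self.ltk, self.coa, self.home_agent = nai, long_term_key, coa, home_agent
        self.mn_challenge, self.net_challenge, self.keys = os.urandom(16), None, {}

    def on_router_advertisement(self, net_challenge):
        """Answer the challenge carried in the RA and piggyback the BU in the same AAA request."""
        self.net_challenge = net_challenge
        bu = b"BU:" + self.coa               # constructed stand-in for a real BU message
        return {"User-Name": self.nai, "Net-Challenge": net_challenge, "MN-Challenge": self.mn_challenge,
                "MIPv6-Home-Agent-Address": self.home_agent,
                "MIPv6-Feature-Vector": 0 if self.home_agent else FLAG_DYNAMIC_HA_ASSIGNMENT,
                "MIP-Binding-Update": bu,
                # the authenticator also covers the BU, so the attendant cannot alter it in transit
                "MN-Authenticator": prf(self.ltk, b"mn-auth", net_challenge, self.mn_challenge, self.nai.encode(), bu)}

    def on_ara(self, ara):
        # authenticate the home network, derive session keys, verify the BA under the MN-HA key
        expect = prf(self.ltk, b"net-auth", self.mn_challenge, self.net_challenge, self.nai.encode())
        if not hmac.compare_digest(ara["Net-Authenticator"], expect):
            raise ValueError("home network failed to authenticate")
        ha = ara["MIPv6-Home-Agent-Address"]
        self.keys["mn-ha"] = prf(self.ltk, b"mn-ha", self.mn_challenge, self.net_challenge, ha)
        self.keys["mn-attendant"] = prf(self.ltk, b"mn-attendant", self.mn_challenge, self.net_challenge)
        ba = ara["MIP-Binding-Acknowledgement"]
        if not hmac.compare_digest(ara["BA-Authenticator"], prf(self.keys["mn-ha"], b"ba", ba)):
            raise ValueError("BA is not protected by the MN-HA key")
        self.home_agent = ha
        return ba


class HomeAgent:
    def __init__(self, address):
        self.address, self.keys, self.bindings = address, {}, {}

    def on_hor(self, hor):
        # install the MN-HA key delivered in the HOR, process the relayed BU, answer with a BA
        nai, key, bu = hor["User-Name"], hor["MN-HA-Key"], hor["MIP-Binding-Update"]
        self.keys[nai], self.bindings[nai] = key, bu.split(b":", 1)[1]   # CoA from the constructed BU
        ba = b"BA:accepted:" + self.bindings[nai]
        return {"MIP-Binding-Acknowledgement": ba, "BA-Authenticator": prf(key, b"ba", ba)}


class HomeAAA:
    def __init__(self, subscribers, home_agents):
        self.subscribers = subscribers   # NAI -> long-term key shared with that MN
        self.home_agents = home_agents   # HA address -> HomeAgent reachable with HOR/HOA

    def on_arr(self, arr):
        # authenticate the MN, assign an HA if asked to, relay the BU, derive and hand out keys
        nai, bu, net_c, mn_c = arr["User-Name"], arr["MIP-Binding-Update"], arr["Net-Challenge"], arr["MN-Challenge"]
        ltk = self.subscribers.get(nai)
        if ltk is None:
            raise ValueError("unknown NAI")
        if not hmac.compare_digest(arr["MN-Authenticator"], prf(ltk, b"mn-auth", net_c, mn_c, nai.encode(), bu)):
            raise ValueError("MN authentication failed")
        ha = arr["MIPv6-Home-Agent-Address"]
        if arr["MIPv6-Feature-Vector"] & FLAG_DYNAMIC_HA_ASSIGNMENT:
            ha = next(iter(self.home_agents))    # assumed trivial policy: first HA in the pool
        mn_ha_key = prf(ltk, b"mn-ha", mn_c, net_c, ha)
        hoa = self.home_agents[ha].on_hor({"User-Name": nai, "MN-HA-Key": mn_ha_key, "MIP-Binding-Update": bu})
        return {"MIPv6-Home-Agent-Address": ha,
                "Net-Authenticator": prf(ltk, b"net-auth", mn_c, net_c, nai.encode()),
                "MN-Attendant-Key": prf(ltk, b"mn-attendant", mn_c, net_c),   # for the attendant only
                "MIP-Binding-Acknowledgement": hoa["MIP-Binding-Acknowledgement"],
                "BA-Authenticator": hoa["BA-Authenticator"]}


class Attendant:
    def __init__(self, aaah):
        self.aaah, self.sessions = aaah, {}

    def router_advertisement(self):
        return os.urandom(16)                  # fresh challenge in every RA

    def relay(self, arr):
        # Attendant -> AAAL -> AAAH (AAAL transparent); keep the MN-attendant key, strip it from the ARA
        ara = self.aaah.on_arr(arr)
        self.sessions[arr["User-Name"]] = ara.pop("MN-Attendant-Key")
        return ara


def run_exchange(dynamic_ha=True):
    # one complete registration; returns what each party ended up with
    ltk = os.urandom(32)                       # constructed long-term MN/AAAh key
    ha = HomeAgent(b"2001:db8:1::1")
    aaah = HomeAAA({"mn@home.example": ltk}, {ha.address: ha})
    attendant = Attendant(aaah)
    mn = MobileNode("mn@home.example", ltk, coa=b"2001:db8:2::abcd", home_agent=None if dynamic_ha else ha.address)
    arr = mn.on_router_advertisement(attendant.router_advertisement())
    ba = mn.on_ara(attendant.relay(arr))
    return {"home_agent": mn.home_agent, "binding": ha.bindings[mn.nai], "ba": ba,
            "mn_ha_key_agreed": mn.keys["mn-ha"] == ha.keys[mn.nai],
            "mn_attendant_key_agreed": mn.keys["mn-attendant"] == attendant.sessions[mn.nai]}
```

Calling `run_exchange()` performs one registration with dynamic HA assignment and `run_exchange(dynamic_ha=False)` one with a pre-configured HA; both end with the MN and the HA holding the same MN-HA key and the MN and the attendant the same access-link key, and the binding installed from the embedded BU. Computing the MN's authenticator over the embedded BU is one way to give step 2 (ARR) the extra protection the Security Consideration slide below asks for: an attendant that rewrites the BU is caught at the AAAH. The challenge in the RA (step 1) remains unauthenticated in this model, so a rogue router can still elicit an ARR, though it obtains no keys.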


Security Consideration

  • Analysis
    • Security
      • The embedded BU/BA opens a security hole
      • Additional security functions are required at steps 1 (RA), 2 (ARR) and 9 (ARA)
    • Performance
      • 9 message-exchange steps in total
      • Embedded BU/BA


AAA Architecture for Mobile IPv6(1)

  • Proposed by F. Dupont, "AAA for Mobile IPv6"
  • Characteristics
    • Uses AAA (RADIUS / Diameter)
      • MN <-> Attendant
    • 12-step message exchange
  • AAA messages
    • AS : Attendant Solicitation
    • AA : Attendant Advertisement
    • AReq : Authentication Request
    • AMR : Authentication MN-Request
    • AMA : Authentication MN-Answer
    • AHR : Authentication HA-Request
    • AHA : Authentication HA-Answer
    • ARsp : Authentication Reply


AAA Architecture for Mobile IPv6(2)


AAA Architecture for Mobile IPv6(3)

  • Analysis
    • Security
      • Maintains the security strength of standard Mobile IPv6
    • Performance
      • 12 message-exchange steps in total -> not suitable for fast mobility

