NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt)

Authors:

  • Hannes Tschofenig

  • Henning Schulzrinne

  • Maarten Buechli

  • Sven Van den Bosch



Draft Scope

This draft is:

  • A first attempt to describe AAA issues relevant for NSIS.

  • It points to the importance of authorization/charging for QoS signaling.

This draft is not:

  • A summary of mathematical pricing models

  • A new protocol proposal

  • A motivation for a certain architecture



Introduction

  • At the last IETF Steve Bellovin talked about security issues in NSIS.

  • He pointed to the importance of authorization for an NSIS protocol.

  • An interesting aspect of authorization for QoS signaling is:

    Authorization = ability to charge someone [1]

    [1] There are other authorization issues (e.g. session ownership).



Introduction (cont.)

  • Authorization has an implication on the security architecture.

  • We looked at two possible models:

    • New Jersey Turnpike Model

    • New Jersey Parkway Model



New Jersey Turnpike Model

[Figure: Data Sender (Node A) in Network A, Data Receiver (Node B) in Network C, with Network B in between; charging follows the peering relationships between neighboring networks.]

  • The peering relationship is used to provide charging between neighboring networks

  • Similar to edge pricing as proposed by Shenker et al.



NJ Turnpike Model Issues

  • The financial settlement between the end host and the access network is established by the network access procedure (not per session); charging the data sender is the favorable case

  • Simple (if the data sender is charged for the reservation)

  • More difficult: receiver-initiated signaling and charging the data receiver

  • Unfortunately, reverse charging cannot be avoided entirely (cf. toll-free 800 numbers, where the called party pays).



New Jersey Parkway Model

[Figure: Data Sender (Node A) in Network A, Data Receiver (Node B) in Network C, with Network B in between; the end host has a direct AAA relationship to the intermediate networks.]

  • Financial settlement has to be provided on a per-session basis

  • More complex: financial settlement with the intermediate networks is required (authentication alone is insufficient)



NJ Parkway Model Issues

  • A trusted third party such as a clearing house might be required, since the intermediate networks have no direct relationship to the end host

  • Financial settlement has to be provided on a per-session basis, which is a scalability and deployment problem

  • More flexible signaling protocol functionality required:

    • A route change might require interaction with end host.

    • Signaling protocol might support the possibility for intermediate networks to interact with the end host

    • Aggregation in the core network might be difficult to use if per-session information is required for charging.



Who is charged for what?

  • Basic question: Charging for data sender or data receiver

  • Sender- vs. receiver-oriented signaling adds some issues but is not the source of the problem.

  • What is the problem?

    Per-session based establishment of financial settlement

    Example: Sender-initiated reservation with charging for data receiver (see next slide)



Sender-initiated reservation with charging for data receiver

[Figure: Data Sender (Node A) in Network A sends a RESV through Network B to Data Receiver (Node B) in Network C; the RESV is forwarded hop by hop and carries an "Authorization Information" object.]

  • Node A indicates that some other entity is paying for the reservation.

  • Why should Network A authorize the reservation request?
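The two settlement models (NJ Turnpike, NJ Parkway) and the "someone else pays" question on this slide, as an added toy model in Python. This is example code written for this page, not the draft's mechanism and not any NSIS protocol object: the networks on the path hold hop-by-hop peering keys, a `ClearingHouse` class stands in for the trusted third party, and the "Authorization Information" object is modelled as a clearing-house-issued HMAC token over session, payer and a bandwidth ceiling. All names, the key handling and the token layout are assumptions.

```python
"""Toy model of the charging models on the slides (NJ Turnpike vs. NJ Parkway).

Added example, not code from the draft or its authors. Network names, the
HMAC-based peering check and the clearing-house token are assumptions made
for the demonstration; none of this is an NSIS protocol object.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class ClearingHouse:
    """Trusted third party with which every participating network settles.

    It issues a per-session authorization object on behalf of the payer and
    lets member networks verify it. Modelled with a secret only the clearing
    house holds; a deployment would use signatures or an online query."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def _tag(self, session_id: str, payer: str, max_kbps: int) -> bytes:
        return _mac(self._key, f"{session_id}|{payer}|{max_kbps}".encode())

    def issue_token(self, session_id: str, payer: str, max_kbps: int) -> dict:
        return {"session_id": session_id, "payer": payer, "max_kbps": max_kbps,
                "mac": self._tag(session_id, payer, max_kbps)}

    def verify(self, token: Optional[dict], session_id: str, payer: str, kbps: int) -> bool:
        if not token or token.get("session_id") != session_id or token.get("payer") != payer:
            return False
        if kbps > token.get("max_kbps", 0):
            return False  # payer authorized less than is being reserved
        expected = self._tag(session_id, payer, token["max_kbps"])
        return hmac.compare_digest(expected, token.get("mac", b""))


@dataclass
class Network:
    name: str
    peer_keys: dict = field(default_factory=dict)      # neighbour name -> shared peering key
    clearing_house: Optional[ClearingHouse] = None     # settlement relationship with the TTP, if any


@dataclass
class Resv:
    session_id: str
    sender: str
    receiver: str
    kbps: int
    payer: str                        # "sender" or "receiver"
    auth_info: Optional[dict] = None  # "Authorization Information" object (Parkway only)

    def wire(self) -> bytes:
        return f"{self.session_id}|{self.sender}|{self.receiver}|{self.kbps}|{self.payer}".encode()


def turnpike(path: list, resv: Resv) -> Optional[list]:
    """NJ Turnpike: the access network charges the sender under its network-access
    relationship; every further network charges its upstream neighbour under the
    peering agreement. Only hop-by-hop peer keys are needed, nothing per session."""
    if resv.payer != "sender":
        return None  # nobody on the path has a relationship with the receiver
    settlements = [f"{path[0].name} charges {resv.sender} (access relationship)"]
    for up, down in zip(path, path[1:]):
        sent_tag = _mac(up.peer_keys[down.name], resv.wire())  # upstream protects the hop
        seen_tag = _mac(down.peer_keys.get(up.name, b""), resv.wire())  # downstream re-computes
        if not hmac.compare_digest(sent_tag, seen_tag):
            return None  # no valid peering between these two networks: reject
        settlements.append(f"{down.name} charges {up.name} (peering)")
    return settlements


def parkway(path: list, resv: Resv, ch: ClearingHouse) -> Optional[list]:
    """NJ Parkway: the receiver pays, but Networks A and B have no relationship with
    it, so each network checks the per-session authorization object with the
    clearing house before committing resources, and settles with the clearing house."""
    if resv.payer != "receiver":
        return turnpike(path, resv)
    settlements = []
    for net in path:
        if net.clearing_house is not ch:
            return None  # this network cannot reach anyone who vouches for the payer
        if not ch.verify(resv.auth_info, resv.session_id, resv.receiver, resv.kbps):
            return None  # "someone else pays" is unverifiable here: do not reserve
        settlements.append(f"{net.name} charges {resv.receiver} via clearing house")
    return settlements


def demo() -> dict:
    """Constructed scenario: Node A in Network A reserves towards Node B in Network C."""
    k_ab, k_bc = secrets.token_bytes(32), secrets.token_bytes(32)
    ch = ClearingHouse()
    path = [Network("Network A", {"Network B": k_ab}, ch),
            Network("Network B", {"Network A": k_ab, "Network C": k_bc}, ch),
            Network("Network C", {"Network B": k_bc}, ch)]
    sender_pays = Resv("s1", "Node A", "Node B", 512, "sender")
    receiver_pays = Resv("s2", "Node A", "Node B", 512, "receiver",
                         ch.issue_token("s2", "Node B", 1024))
    forged = Resv("s3", "Node A", "Node B", 512, "receiver",  # Node A makes up a token
                  {"session_id": "s3", "payer": "Node B", "max_kbps": 1024,
                   "mac": secrets.token_bytes(32)})
    return {"turnpike_sender_pays": turnpike(path, sender_pays),
            "turnpike_receiver_pays": turnpike(path, receiver_pays),
            "parkway_receiver_pays": parkway(path, receiver_pays, ch),
            "parkway_forged_by_node_a": parkway(path, forged, ch)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Running `demo()` shows the asymmetry the slides are about: with peering keys alone the Turnpike path settles a sender-pays reservation hop by hop but has no way to express "the receiver pays", while the Parkway path accepts a receiver-pays reservation only when every network can check the per-session object with the clearing house, and rejects a token Node A invents or a request above the ceiling the payer authorized. That is the conclusion's point that peer-to-peer security suffices for the simple model but per-session authorization needs additional protection.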



Not enough problems already? Price Distribution

Price for a QoS reservation:

  • cannot be derived from the destination IP address alone (unlike telephone numbers);

  • therefore requires price distribution (in-band, out-of-band or a combination of both);

  • depends on the route (number of traversed networks);

  • is directional (due to cost and route asymmetry).

An end user wants to know the price before issuing a reservation request.



Price Distribution Building Blocks

  • A resource negotiation and pricing protocol (RNAP)

  • An embedded charging approach for RSVP

  • Border Pricing Protocol (BPP)

  • Billing Information Protocol (BIP)

  • Tariff Distribution Protocol (TDP)

  • Internet Open Trading Protocol (IOTP)

  • Open Settlement Protocol (OSP)

    Not surprising: Many of these protocols require the same properties as a QoS signaling protocol.



Conclusion

  • Peer-to-peer security is fine for a simple charging model (NJ Turnpike). Authorization issues need additional security protection.

  • Charging is not only an end-to-end (application) issue. The network needs some information.

  • Some authorization/charging objects have to be included in an NSIS protocol.

  • An NSIS protocol needs to be flexible. (e.g. support for several roundtrips).

