NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) - PowerPoint PPT Presentation

Presentation Transcript
Authors:

Hannes Tschofenig

Henning Schulzrinne

Maarten Buechli

Sven Van den Bosch

NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt)

Draft Scope

This draft is:

  • A first attempt to describe AAA issues relevant for NSIS.
  • It points to the importance of authorization/charging for QoS signaling.

The draft is not:

  • A summary of mathematical pricing models
  • A new protocol proposal
  • A motivation for a certain architecture
Introduction
  • At the last IETF meeting, Steve Bellovin talked about security issues in NSIS.
  • He pointed to the importance of authorization for an NSIS protocol.
  • An interesting aspect of authorization for QoS signaling is:

Authorization = ability to charge someone [1]

[1] There are other authorization issues (e.g. session ownership).

Introduction (cont.)
  • Authorization has an implication on the security architecture.
  • We looked at two possible models:
    • New Jersey Turnpike Model
    • New Jersey Parkway Model
New Jersey Turnpike Model

[Figure: Data Sender (Node A) in Network A, Network B, Data Receiver (Node B) in Network C; charging takes place between neighboring networks]

  • Peering relationships are used to provide charging between neighboring networks
  • Similar to edge pricing proposed by Shenker et al.

NJ Turnpike Model Issues
  • The financial settlement between the end host and its access network is established by the network access procedure, not per session (this works best when the data sender pays)
  • Simple if the data sender is charged for the reservation
  • More difficult: receiver-initiated signaling and charging the data receiver
  • Unfortunately, reverse charging cannot be avoided entirely (cf. toll-free #800 numbers).
New Jersey Parkway Model

[Figure: Data Sender (Node A) in Network A, Network B, Data Receiver (Node B) in Network C; the end host has a direct AAA relationship to the intermediate networks]

  • Financial settlement has to be provided on a per-session basis
  • More complex: financial settlement with the intermediate networks is required (authentication alone is insufficient)

NJ Parkway Model Issues
  • A trusted third party such as a clearing house might be required, since intermediate networks have no direct relationship with the end host
  • Financial settlement has to be provided on a per-session basis, which is a scalability and deployment problem
  • More flexible signaling protocol functionality is required:
    • A route change might require interaction with the end host.
    • The signaling protocol might have to let intermediate networks interact with the end host.
    • Aggregation in the core network is difficult to use if per-session information is required for charging.
Who is charged for what?
  • Basic question: is the data sender or the data receiver charged?
  • Sender- vs. receiver-oriented signaling adds some issues but is not the source of the problem.
  • What is the problem?

Per-session establishment of the financial settlement

Example: sender-initiated reservation with charging for the data receiver (see next slide)

Sender-initiated reservation with charging for data receiver

[Figure: RESV messages travel from Data Sender (Node A) in Network A through Network B to Data Receiver (Node B) in Network C, carrying "Authorization Information"]

  • Node A indicates that some other entity is paying for the reservation.
  • Why should Network A authorize the reservation request?

Not enough problems already? Price Distribution

Price for a QoS reservation:

  • The price cannot be inferred from the destination IP address alone (unlike telephone numbers), so price distribution is required (in-band, out-of-band, or a combination of both).
  • The price depends on the route (number of traversed networks).
  • The price is directional (due to cost and route asymmetry).

An end user wants to know the price before issuing a reservation request.
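The exchange on the previous slides (a RESV from Node A claiming that the data receiver pays, authorized hop by hop through Networks A, B and C) together with the price properties above, as an added Python model that is not part of the draft or of these slides. It assumes a clearing house acting as the NJ Parkway trusted third party that every network can query online, an HMAC-protected authorization object bound to payer, session and a price ceiling, and constructed per-network, per-direction prices; the host names `send@A` and `recv@C`, the object fields and all numbers are hypothetical.

```python
"""Added toy model, not from the draft: a sender-initiated reservation where the data receiver
pays. A clearing house (the NJ Parkway trusted third party) mints a per-session payment
authorization; every network on the RESV path verifies it before authorizing the reservation.
Prices, host names and the HMAC object format are constructed assumptions."""
import hashlib
import hmac
import json
import secrets

# Constructed per-network, per-direction prices for one session ("fwd" = sender -> receiver).
PRICE = {"A": {"fwd": 2, "rev": 3}, "B": {"fwd": 5, "rev": 1}, "C": {"fwd": 2, "rev": 2}}


def route_price(path, direction):
    """Price of one reservation along `path`: depends on the networks traversed and the direction."""
    return sum(PRICE[n][direction] for n in path)


class ClearingHouse:
    """Has an AAA relationship with every network and every paying host. Intermediate networks
    have none with the end host, so they query the clearing house (assumed online, modelled as a call)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # only the clearing house can mint authorizations
        self.balance = {}                     # payer -> credit
        self._ledger = {}                     # nonce -> {network: price charged for that session}

    def _mac(self, body):
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def issue_authorization(self, payer, sender, receiver, max_price):
        """The payer obtains an object bound to one session (sender, receiver) and a price ceiling."""
        body = {"payer": payer, "sender": sender, "receiver": receiver,
                "max_price": max_price, "nonce": secrets.token_hex(8)}
        return {"body": body, "mac": self._mac(body)}

    def verify_and_charge(self, auth, sender, receiver, network, price):
        """Network-side check of the authorization object carried in RESV. Returns (ok, reason)."""
        body = auth.get("body", {})
        if not hmac.compare_digest(auth.get("mac", ""), self._mac(body)):
            return False, "forged or tampered authorization"
        if (body["sender"], body["receiver"]) != (sender, receiver):
            return False, "authorization is bound to another session"
        charged = self._ledger.setdefault(body["nonce"], {})
        if network in charged:
            return False, "network already charged this session (replayed RESV)"
        if sum(charged.values()) + price > body["max_price"]:
            return False, "route price exceeds what the payer authorized"
        if self.balance.get(body["payer"], 0) < price:
            return False, "payer has insufficient credit"
        self.balance[body["payer"]] -= price
        charged[network] = price
        return True, "charged %s %d units for network %s" % (body["payer"], price, network)


def authorize(network, resv, ch, direction):
    """One network's decision on a RESV message. Returns (ok, reason)."""
    price = PRICE[network][direction]
    if resv["payer"] == resv["sender"]:
        # NJ Turnpike: settled via network access (access network) or the upstream peer; nothing per session.
        return True, "charged sender / upstream peer %d units" % price
    # Someone else supposedly pays. Authenticating the sender proves nothing about that claim,
    # so Network A (and every network downstream) needs an authorization object it can verify.
    if "auth" not in resv:
        return False, "payer is not the sender and RESV carries no authorization object"
    return ch.verify_and_charge(resv["auth"], resv["sender"], resv["receiver"], network, price)


def signal_reservation(resv, path, ch, direction="fwd"):
    """Forward RESV hop by hop and stop at the first refusal. Returns the per-hop decisions."""
    decisions = []
    for network in path:
        ok, reason = authorize(network, resv, ch, direction)
        decisions.append((network, ok, reason))
        if not ok:
            break
    return decisions


def demo():
    ch, path = ClearingHouse(), ["A", "B", "C"]
    ch.balance["recv@C"] = 20
    base, out = {"sender": "send@A", "receiver": "recv@C"}, {}
    out["sender_pays"] = signal_reservation(dict(base, payer="send@A"), path, ch)
    out["unbacked_claim"] = signal_reservation(dict(base, payer="recv@C"), path, ch)
    auth = ch.issue_authorization("recv@C", "send@A", "recv@C", route_price(path, "fwd"))
    paid = dict(base, payer="recv@C", auth=auth)
    out["receiver_pays"] = signal_reservation(paid, path, ch)
    out["replay"] = signal_reservation(paid, path, ch)
    tampered = {"body": dict(auth["body"], max_price=1000), "mac": auth["mac"]}
    out["tampered"] = signal_reservation(dict(paid, auth=tampered), path, ch)
    # Directional price: a ceiling quoted for the reverse route (6) does not cover the forward route (9).
    low = ch.issue_authorization("recv@C", "send@A", "recv@C", route_price(path, "rev"))
    out["wrong_direction_price"] = signal_reservation(dict(base, payer="recv@C", auth=low), path, ch)
    out["balance"] = ch.balance["recv@C"]
    return out


if __name__ == "__main__":
    print(demo())
```

The sender-pays case passes every hop without any per-session state, which is the Turnpike model. A bare claim that the receiver pays is refused at Network A, and a tampered or replayed authorization object is refused as well. The last case is the price-distribution point: the receiver authorized the reverse-route price, Network A has already charged it when Network B refuses, and undoing that requires exactly the per-session interaction with intermediate networks that the Parkway slides list as a scalability problem.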

Price distribution Building Blocks
  • A resource negotiation and pricing protocol (RNAP)
  • An embedded charging approach for RSVP
  • Border Pricing Protocol (BPP)
  • Billing Information Protocol (BIP)
  • Tariff Distribution Protocol (TDP)
  • Internet Open Trading Protocol (IOTP)
  • Open Settlement Protocol (OSP)

Not surprising: Many of these protocols require the same properties as a QoS signaling protocol.

Conclusion
  • Peer-to-peer security is fine for a simple charging model (NJ Turnpike). Authorization issues need additional security protection.
  • Charging is not only an end-to-end (application) issue. The network needs some information.
  • Some authorization/charging objects have to be included in an NSIS protocol.
  • An NSIS protocol needs to be flexible (e.g. support for several round trips).