1 / 48

Binding Authentication to Provisioning

Binding Authentication to Provisioning. Freek Dijkstra Utrecht University. Utrecht, 19 september 2002. Background. I’m co-author of the Access Bind PIB The Access Bind PIB is a data structure created to bind authentication to provisioning )

alma
Download Presentation

Binding Authentication to Provisioning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Binding Authentication to Provisioning Freek Dijkstra Utrecht University Utrecht, 19 september 2002 Binding Authentication to Provisioning

  2. Background • I’m co-author of the Access Bind PIB • The Access Bind PIB is a data structure created to bind authentication to provisioning) • Created in the IETF, AAAarch research group, RAP working group. • Goal: introduce authentication, provisioning. Describe how the Access Bind PIB fits into existing models Binding Authentication to Provisioning

  3. Talk Outline • Generic Authentication models • Provisioning • The Access Bind PIB model • Message Sequence • DiffServ model • Data Structure • Conclusions Binding Authentication to Provisioning

  4. Generic Authentication Models • Terminology • Three authentication models Binding Authentication to Provisioning

  5. Terminology (AAA) AAA: • AuthenticationTelling who you are (identification) • AuthorisationWhat a user may or may not do • AccountingKeeping track of what a user does Binding Authentication to Provisioning

  6. Terminology (devices) • User = the client that requests a service • Service = The device which offers the service the User wishes to use.(PEP, Policy Enforcement Point) For example: a Network Access Device • AAA server = Authentication, Authorisation and Accounting Server(PDP, Policy Decision Point) Binding Authentication to Provisioning

  7. User AAA server (PDP) request decision request Service (PEP) decision usage of service Pull model Binding Authentication to Provisioning

  8. Push model User AAA server (PDP) request approval with ticket request Service (PEP) decision usage of service Binding Authentication to Provisioning

  9. Agent model User AAA server (PDP) request decision configuration Service (PEP) usage of service Binding Authentication to Provisioning

  10. Provisioning • Device model • COPS Provisioning = To Configure Anything can be provisioned. Typically Quality of Service (QoS) For example: DiffServ (Differentiated Services) Binding Authentication to Provisioning

  11. Device model PDP PEP = Policy Enforcement Point PDP = Policy Decision Point configuration PEP The PDP provisions the Quality of Service (QoS) policy of the PEP Binding Authentication to Provisioning

  12. COPS • Protocol to transport provisioning data • Created by the RAP group • Excellent state synchronization features (unlike SNMP) • Client/server model (request & response)PEP is the client, PDP is the server Binding Authentication to Provisioning

  13. The Access Bind PIB • Why it was created • The Access Bind PIB model • What it is Binding Authentication to Provisioning

  14. Pull model Provisioning U S E R AAA PDP service PEP Why the Access Bind PIB? • Boot-up provisioning • Per-user provisioning Access Bind PIB Provision a PEP based on the user who wants access To Bind Authentication to Provisioning Binding Authentication to Provisioning

  15. Access Bind PIB model User PDP Any Authentication Protocol Access Bind PIB PEP usage of service Binding Authentication to Provisioning

  16. What is the Access Bind PIB? • It’s an Internet Draft (“Framework for Binding Provisioning to Access Control”) • It’s a data structure • It’s a DiffServ element (a complex Classifier) Binding Authentication to Provisioning

  17. Message Sequences • Overview • Authorisation sequence • Example protocols: PAP, CHAP and EAP • Configuration sequence Binding Authentication to Provisioning

  18. Sequence Overview time P E P P D P “Capabilities” “Behaviour” U S E R Access request Access notification Access decision Access decision Access Bind PIB Binding Authentication to Provisioning

  19. User sends traffic to PEP Credential negotiation (Using PAP or CHAP) Access request to PDP PEP sends knowledge about the user PEP sends user credentials to PDP Provision PEP with policies (optional) Access Decision (Approve or Deny) Access Decision notification to user Usage of service Message Sequence (PAP/CHAP) time U S E R P D P P E P Network Binding Authentication to Provisioning

  20. User sends traffic to PEP Access request to PDP PEP sends knowledge about the user Credential negotiation (Using EAP) Provision PEP with policies (optional) Access Decision (Approve or Deny) Access Decision notification to user Usage of service Message Sequence (EAP) time U S E R P D P P E P Network Binding Authentication to Provisioning

  21. Configuration request to PDP Capability exchange Provision PEP with policies Provision response Configuration Sequence time P D P U S E R P E P Binding Authentication to Provisioning

  22. Configuration • When an access request must be sent(When an event has to be triggered) • Which information about the user must be sent along • Optionally (for PAP and CHAP): which authentication protocol must be used to retrieve user credentials (like username and password) Binding Authentication to Provisioning

  23. P E P P D P Combine access notifi-cation and User Info Combine provisioning and session approval Combining messages Binding Authentication to Provisioning

  24. Differentiated Services (DiffServ) • DiffServ Model • DiffServ Elements • Access Bind PIB as a Classifier • Edge devices and non-edge devices The DiffServ model describes the Quality of Service a PEP should offer. Binding Authentication to Provisioning

  25. DiffServ Model PEP Queue Ingress Ports (Datapath start) Meter In Profile Out of Profile Dropper Classifier Egress Ports Premium Subnet A Default Tunnel encapsulation Queue MPLS Tunnel to Address Y Scheduler Queue Binding Authentication to Provisioning

  26. The Datapath PEP Queue Ingress Ports (Datapath start) Meter In Profile Out of Profile Dropper Classifier Egress Ports Premium Subnet A Default Tunnel encapsulation Queue MPLS Tunnel to Address Y Scheduler Queue Binding Authentication to Provisioning

  27. DiffServ Elements PEP Queue Ingress Ports (Datapath start) Meter In Profile Out of Profile Dropper Classifier Egress Ports Premium Subnet A Default Tunnel encapsulation Queue MPLS Tunnel to Address Y Scheduler Queue A DiffServ element Binding Authentication to Provisioning

  28. DiffServ Classifier PEP Queue Scheduler Classifier Meter Classifier In Profile Out of Profile Premium User 1 User 2 Dropper Access Mgr Access Bind PIB PDP Binding Authentication to Provisioning

  29. User Edge Device Big Bad Internet Big Bad Internet Access Server Server User Edge- and non-edge Devices Example of an edge device Example of a non-edge device Binding Authentication to Provisioning

  30. Data structure • COPS • Terminology • What’s in the data structure? • Event Handling concept • Context Data concept • Session concept • EventHandler data structure Binding Authentication to Provisioning

  31. COPS common header Version Flags Op Code = REQ Client-type Message Length (variable) = 88 octets Object header Length (variable) = 8 octets C-Num = 1 C-Type = 1 Client handle obj. Client Handle Object header Length = 8 octets C-Num = 2 C-Type = 1 COPS-PR Objects in Named ClientSI: Context object R-Type = Configuration Request M-Type Object header Length (variable) = 40 octets C-Num = 9 C-Type = 2 Length (variable) = 8 octets S-Num = PRID S-Type = BER Pr. Object header Instance Identifier (for event) event PRID Length (variable) = 8 octets S-Num = EPD S-Type = BER Pr. Object header BER Encoded PRI (of event) event PRI Named ClientSI object Length (variable) = 8 octets S-Num = PRID S-Type = BER Pr. Object header Instance Identifier (for ctxtL3Hdr) ctxtL3Hdr PRID Length (variable) = 12 octets S-Num = EPD S-Type = BER Pr. Object header BER Encoded PRI (of ctxtL3Hdr) ctxtL3Hdr PRI Object header Length (variable) = 24 octets C-Num = 16 C-Type = 1 Key ID Sequence Number Integrity object (optional) Keyed Message Digest COPS and COPS-PR • The Access Bind PIB defines a data structure. • The data is transported between the PEP and the PDP using the COPS and COPS-PR protocols. Binding Authentication to Provisioning

  32. Terminology (COPS-PR) • PEP = Policy Enforcement Point • PDP = Policy Decision Point • PIB = Policy Information Base. A data structure • PRC = PRovisioning Class. A table of policy data. • PRI = PRovisioning Instance. An instance of a PRC. • PRID = PRI Identifier. Uniquely defines a PRI. Binding Authentication to Provisioning

  33. Event Handling concept As soon as a user sends data to the PEP, the PEP checks if the data is coming from a known or unknown source address. The PEP can be configured to trigger an event when the source is unknown. Binding Authentication to Provisioning

  34. Context Data concept The PEP has a lot of information about the userFor example source IP address, Dial-in number, modem number (s)he got connected to, etc. It is desirable that the PDP can configure which information is sent by the PEP when an event is triggered. This can be specified by Context Data classes. Binding Authentication to Provisioning

  35. Sessions Concept • Each COPS message is preceded by a COPS “Client Handle”. • The PEP creates a new Client Handle for each event. • The COPS Client Handle is used to associate a response with a session. • The PDP and the PEP can use the Client Handle to delete a session. Binding Authentication to Provisioning

  36. What’s in the data structure? • The Classifier: an event triggerPRC’s describing when it should be triggered, which data should be sent along, etc. • The Event • Authentication data structuresCurrently PAP, CHAP and EAP are supported • Triggers and FiltersUsually defined in extension documents. The data structure describes: Binding Authentication to Provisioning

  37. Event Handler data structure Event Handler Authentication Protocol Authentication Protocol Event Handler Element ContextData ContextData ContextData Event Hdlr Scope Filter Event Hdlr Scope Filter Event Hdlr Scope DataPath Filter Binding Authentication to Provisioning

  38. User AAA server User AAA server Service Service User AAA server Service Authorisation models Pull model Push model • Access Bind PIB can be used in pull model • Access Bind PIB doesn’t make sense in push model • DiffServ provisioning can be used in agent model Agent model Binding Authentication to Provisioning

  39. Conclusions • Binds Authentication to Provisioning • Works in pull model, partly in agent model • Depends on DiffServ model • Can be used for any access server (not just edge devices) • Uses an Event Triggering concept The Access Bind PIB: Binding Authentication to Provisioning

  40. Questions? Generic AAA models Fitting the Access Bind PIB in the AAA model Authentication protocols (PAP, CHAP, EAP) Sessions and events Edge devices and network access devices Binding Authentication to Provisioning

  41. Generic AAA architectures • Home Organisation • Trust relations • Internals of an AAA server Binding Authentication to Provisioning

  42. Home Organisation User Home Organisation User AAA Server request response Service Provider AAA Server request response request Service response Binding Authentication to Provisioning

  43. Example of Trust Relations Pre-established trust relations Bank You Shop transaction Binding Authentication to Provisioning

  44. Internals of an AAA server AAA Server (PDP) 1 Generic AAA server rule based engine 1 Policy 2 3 4 Application Specific Module Events 5 Service (PEP) usage of service Binding Authentication to Provisioning

  45. Authentication protocols • PAP • CHAP • EAP (EAP-MD5) • HTTP, SRP, TLS • Extensibility of EAP Binding Authentication to Provisioning

  46. User NAS (PEP) AAA Server (PDP) PPP: LCP: Negotiation PPP: PAP: identity, password RADIUS: PAP: identity, password RADIUS: PAP: accept/reject PPP: PAP: accept/reject PPP: Usage PAP Message Sequence Binding Authentication to Provisioning

  47. User NAS (PEP) AAA Server (PDP) PPP: LCP: Negotiation PPP: CHAP: id, challenge PPP: CHAP: id, name, MD5(response) RADIUS: CHAP: id, name, challenge, MD5(response) RADIUS: CHAP: success/failure PPP: CHAP: success/failure PPP: Usage CHAP Message Sequence Binding Authentication to Provisioning

  48. EAP-MD5 Message Sequence AAA Server (PDP) User NAS (PEP) PPP: LCP: Negotiation RADIUS Access request: EAP Start RADIUS Access challenge: EAP request: identity PPP: EAP request: identity PPP: EAP response: identity RADIUS Access request: EAP response: identity RADIUS Access challenge: EAP request: MD5-challenge PPP: EAP request: MD5-challenge PPP: EAP response: MD5-challenge RADIUS Access request: EAP response: MD5-challenge RADIUS Access-Accept: EAP success PPP: EAP success PPP: Usage Binding Authentication to Provisioning

More Related