
Washington D.C., November 2004

Washington D.C., November 2004. IETF 61st, mip6 WG. Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00). Gerardo Giaretta, Ivano Guardini, Elena Demaria (Telecom Italia Lab, TILab); Julien Bournelle (GET/INT); Rafa Marin Lopez (University of Murcia). Slides: Motivation, AAA-HA interface, Basic Security Model, usage scenarios 1 to 4, Goals, Next Steps.





Presentation Transcript


  1. Washington D.C., November 2004. IETF 61st, mip6 WG. Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00). Gerardo Giaretta, Ivano Guardini, Elena Demaria (Telecom Italia Lab, TILab); Julien Bournelle (GET/INT); Rafa Marin Lopez (University of Murcia)

  2. Motivation
     • MIPv6 may be a service offered by a Mobility Service Provider (MSP)
       • the MSP manages a set of HAs that can be used only by the customers that subscribed to the MIPv6 service
     • In this case all protocol operations need to be explicitly authorized and monitored
       • to control service utilization and enable consistent billing
     • This can be done relying on the AAA infrastructure of the MSP
       • the AAA infrastructure can also be used to enable dynamic Mobile IPv6 bootstrapping

  3. AAA-HA interface
     • Interface between the AAA infrastructure of the MSP and the HA
       • the HA is a kind of Network Access Server (NAS) for MIPv6
     • Core capabilities
       • Mobile IPv6 service authorization and maintenance (e.g. asynchronous service termination)
       • exchange of accounting data (e.g. time of creation and removal of binding cache entries)
     • Dynamic bootstrapping capabilities
       • mobile node authentication (e.g. EAP-based)
       • delivery of configuration parameters to the HA (e.g. PSK for peer authentication in IKE phase 1)

  4. Basic Security Model
     • MN shares a pre-configured trust relationship with the AAA server of the MSP (AAA-MSP)
     • HA shares a trust relationship with the AAA-MSP server
     [Diagram: Trust Relationships between the AAA-MSP Server and the Home Agent]

  5. Usage scenario n.1
     • Bootstrapping directly with the HA
       • using IKEv2 (draft-ietf-mip6-ikev2-00)
       • or using PANA multi-hop (draft-tschofenig-mip6-bootstrapping-pana-00)
     [Diagram: Home Agent as NAS and AAA-MSP Server; EAP (IKEv2, PANA multi-hop) towards the HA; AAA-HA protocol carrying user authentication and authorization (EAP transport)]

  6. Usage scenario n.2
     • Bootstrapping through AAA infrastructure
       • using EAP (draft-giaretta-mip6-authorization-eap-02)
       • using RADIUS or Diameter AVPs (draft-ohba-mip6-boot-arch-dhcp-00, draft-jee-mip6-bootstrap-pana-00, draft-chowdhury-mip6-bootstrap-radius-00)
     [Diagrams A and B: AAA-MSP Server, Home Agent, NAS; piggybacking of MIPv6 data within EAP; PANA, L2 or DHCP specific extensions; MIPv6 RADIUS or Diameter AVPs; AAA-HA protocol; MIPv6 state set-up]

  7. Usage scenario n.3
     • MN is statically provisioned with bootstrapping data (Home Address, HA address, etc.)
     • Explicit authorization of MIPv6 service
       • service may not be authorized if MN's credit is going to exhaust
     [Diagram: AAA-MSP Server, Home Agent, NAS; IKEv1/IKEv2 towards the HA; AAA-HA protocol: MIPv6 Authorization]

  8. Usage scenario n.4
     • IPsec SA is statically and manually configured
     • IPsec SA is enough to authenticate BUs and BAs, but not to authorize the MIPv6 service
     [Diagram: AAA-MSP Server, Home Agent, NAS; BU towards the HA, AAA-HA protocol: Binding Authorization, BA back to the MN]

  9. Goals
     Common goals (Security)
     • Mutual authentication
     • Integrity protection
     • Replay protection
     • Confidentiality
     • Inactive peer detection
     Service Authorization
     • NAI to identify the MN
     • HA must be able to query AAA-MSP to verify MN authorization
     • AAA-MSP should be able to enforce auth. restrictions of HA
     • .......
     Accounting
     • Transfer of accounting records (e.g. bytes transferred in bi-directional tunneling)
     Mobile node authentication (Scenario n.1)
     • MN authentication with HA as NAS and AAA-MSP as backend authentication server (e.g. EAP)
     • .......
     Delivery of config. data (Scenario n.2)
     • AAA-MSP should be able to poll HA for the allocation of a HoA
     • AAA-MSP should be able to send security data to HA (e.g. PSK)
     • ........
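As an added illustration of the service-authorization, integrity, replay-protection and accounting goals above (and of scenarios 3 and 4, where an authenticated BU still needs AAA authorization), here is a small Python model of the HA querying the AAA-MSP before installing a binding cache entry. It is not code from the draft or the presentation; the shared key, the NAIs, the JSON message format and the names AAAServer/HomeAgent are constructed assumptions, since the slides leave the actual protocol (Diameter, RADIUS, SNMPv3) open.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

HA_AAA_KEY = b"constructed-shared-key"  # constructed HA <-> AAA-MSP trust relationship

def _mac(msg: dict) -> str:
    body = json.dumps(msg, sort_keys=True).encode()  # canonical encoding
    return hmac.new(HA_AAA_KEY, body, hashlib.sha256).hexdigest()

@dataclass
class AAAServer:
    """AAA-MSP: subscribers keyed by NAI with their remaining credit units."""
    subscribers: dict
    last_seq: int = 0  # replay protection: sequence numbers must strictly increase

    def handle(self, req: dict, mac: str) -> tuple:
        if not hmac.compare_digest(_mac(req), mac):
            resp = {"result": "integrity-failure"}
        elif req["seq"] <= self.last_seq:
            resp = {"result": "replay"}
        else:
            self.last_seq = req["seq"]
            credit = self.subscribers.get(req["nai"])
            if credit is None or credit <= 0:  # unknown MN or credit exhausted
                resp = {"result": "unauthorized", "seq": req["seq"]}
            else:  # grant at most the lifetime the remaining credit covers
                resp = {"result": "authorized", "seq": req["seq"],
                        "lifetime": min(credit, req["lifetime"])}
        return resp, _mac(resp)  # the reply is authenticated too (mutual)

@dataclass
class HomeAgent:
    """HA acting as NAS: it asks the AAA-MSP before installing a BCE."""
    aaa: AAAServer
    seq: int = 0
    bindings: dict = field(default_factory=dict)    # HoA -> granted lifetime
    accounting: list = field(default_factory=list)  # records for the AAA-MSP
    def binding_update(self, nai: str, hoa: str, lifetime: int, now: int) -> bool:
        self.seq += 1
        req = {"nai": nai, "hoa": hoa, "lifetime": lifetime, "seq": self.seq}
        resp, mac = self.aaa.handle(req, _mac(req))
        # the reply must be authentic, echo our sequence number and authorize
        if (not hmac.compare_digest(_mac(resp), mac) or resp.get("seq") != self.seq
                or resp["result"] != "authorized"):
            return False
        self.bindings[hoa] = resp["lifetime"]
        self.accounting.append({"nai": nai, "event": "bce-created", "time": now})
        return True
```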

  10. Next Steps
     • Identify a protocol that fulfills the goals
       • Diameter
       • RADIUS
       • SNMPv3
     • Identify a framework and develop the interface for that?
     • Alternatively, develop a more general interface for different bootstrapping scenarios?
