AAA-based Mobile IPv6 Authentication Framework (AAA 를 이용한 Mobile IPv6 인증체계)

Kim Mi Young, Soongsil University ([email protected])

Contents
  • Introduction
  • Model
  • Diameter service structure
  • Assumptions
  • Basic Features
  • MIPv6 Application Diameter Messages
  • Information Exchange (MN, AAA Client)
  • Basic Protocol Overview
  • Diameter protocol structure in Mobile IPv6
  • Enhanced Protocol Operation
  • Security Consideration
  • AAA architecture for Mobile IPv6

Introduction
  • Inter-domain mobility support in pure MIPv6?
    • Scalability problem
    • Commercial deployment problem
  • What about using AAA (Diameter)?
    • Authentication / Authorization / Accounting
    • Operates across domains
    • Global-scale service
    • Secure communication between AAA servers
  • What about using a Diameter extension in MIPv6?
    • Global roaming over a secure infrastructure
    • Needs new messages and new behaviour: a Diameter application
    • Distribution of security keys
    • Provides MIPv6 with an inter-domain mobility procedure
    • General and optimized AAA service for MIPv6

Diameter vs. RADIUS

Comparison of Diameter and RADIUS
  • Service target
    • Diameter: users across multiple domains
    • RADIUS: end users within a small domain
  • Service paradigm
    • Diameter: broker-based peer-to-peer
    • RADIUS: client / server
  • Connection type
    • (the cells of this row are missing from the transcript)
  • End-to-end security
    • Diameter: IPsec (mandatory), TLS (optional at the client); the whole packet is protected
    • RADIUS: security only between the server and the end user; only the user password is encrypted, the rest of the packet is cleartext
  • Attribute space
    • Diameter: 32-bit AVP code (up to 2**32 attribute-value pairs)
    • RADIUS: 8-bit attribute type (up to 2**8 attributes)
  • Transport protocol
    • Diameter: SCTP (the transcript's "SCPT") or TCP
    • RADIUS: UDP (cell empty in the transcript; RFC 2865)
  • Message transmission
    • Diameter: request / response, plus unsolicited (server-initiated) messages
    • RADIUS: request / response only
  • Fail-over
    • Diameter: built-in fail-over (DWR / DWA, Device-Watchdog-Request / Answer)
    • RADIUS: none
  • Capability negotiation (version, applications, ...)
    • Diameter: yes
    • RADIUS: none
  • Extensibility
    • Diameter: high
    • RADIUS: low
  • Recommended deployment
    • Fixed network environment: Diameter for roaming users; RADIUS for fixed / roaming users
    • Mobile network environment: Diameter for Mobile IP users and for users needing strong security


Model

Mobility entities
  • MN (Mobile Node)
  • HA (Home Agent)
  • AAA Client (Attendant)
    • AAA relay entity: forwards the user identity and the authentication information
    • An Access Router or an AA agent
  • AAAv Server: the AAA server in the visited domain
  • AAAh Server: the AAA server in the home domain

Assumptions

Identity of the MN
  • NAI (Network Access Identifier): RFC 2794 (the NAI format itself is defined in RFC 2486)
  • Home Address of the MN
  • If the MN has both: AAA uses the NAI
  • If the MN has only one: AAA uses that one
Shared long-term key (between the MN and the AAAh)
  • Used for network and user authentication
Secure communication (between the AAAv and the AAAh)
  • SA between the AAA (Diameter) servers
  • Information is exchanged over this secure channel

Basic Features (1): Authentication / Authorization
  • Authentication and Authorization (AA)
  • Mutual AA
    • For the visited network: network resource planning and protection
    • For the IPv6 node: protection against impersonation of the network (false BTS attack)
Basic Features (2): Dynamic Home Agent Assignment in the Home Domain
  • Motivation: network renumbering / no fixed assignment
  • Provides dynamic Home Agent assignment
  • Dynamic HA address discovery mechanism
    • In MIPv6 (DHAAD): many round trips, much signalling, long delay
    • Over the AAA infrastructure: one round trip

Basic Features (3): Key Distribution
  • Dynamic security associations
    • MN and visited network: confidentiality and integrity of data over the access link
    • MN and Home Agent: BU / BA must be protected
  • Key distribution algorithm (e.g. IKE)

Basic Features (4): Optimization of Binding Updates
  • Role of the AAA server in this I-D
    • Authentication / Authorization
    • Key distribution
    • Dynamic Home Agent allocation
    • Optimization of the BU
  • Pre-assumption: the MN knows its HA
  • MN behaviour: embeds the BU in the AAA request message
  • AAA behaviour: processes the BU (relays it to the HA)
  • Steps for a Binding Update (without the optimization)
    • Obtain authentication through the AAA infrastructure
    • Dynamic Home Agent Address Discovery (DHAAD)
    • Establish an SA between the MN and the HA (e.g. Internet Key Exchange, IKE)
    • Binding Update request (BU) / acknowledgement (BA)

MIPv6 App. Diameter Messages (1)
  • Command codes
    • ARR: AA-Registration-Request, Attendant -> AAAL -> AAAH
    • ARA: AA-Registration-Answer, AAAH -> AAAL -> Attendant
    • HOR: Home-Agent-MIPv6-Request
    • HOA: Home-Agent-MIPv6-Answer
  • AAAL (local) and AAAH (home) are the AAAv and AAAh of the model slide

MIPv6 App. Diameter Messages (2)
  • AVPs (Attribute Value Pairs); the names of the first four are missing from the transcript and they are listed by content
    • BU AVP: Type OctetString, Payload: the BU message
    • BA AVP: Type OctetString, Payload: the BA message
    • Home Address AVP: Type IPAddress, Payload: Home Address of the MN
    • Home Agent Address AVP: Type IPAddress, Payload: Home Agent Address of the MN
    • MIPv6-Feature-Vector: Type Unsigned32, Payload: flags
      • Used for dynamic HA assignment: flag value = 1 requests dynamic HA assignment
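The following is an added example (not code from the slides or from the draft they summarize) that encodes an ARR-shaped Diameter message with the AVP types listed above and parses it back, in Python. It uses the real RFC 3588 header and AVP layout (32-bit AVP code, 8-bit flags, 24-bit length, 4-octet padding, Address = 2-octet family + raw address) and the real User-Name AVP (code 1) for the NAI; the command code, application id and the MIPv6 AVP codes are placeholder numbers chosen for the example because the slides do not give the draft's assignments. The NAI, addresses and BU bytes are constructed.

```python
# Added example (not from the slides): encoding/decoding a Diameter message shaped
# like the ARR described above, using the RFC 3588 header and AVP formats.
# Command code, application id and MIPv6 AVP codes are PLACEHOLDERS (assumption);
# User-Name (code 1) is the real RFC 3588 AVP. Sample values are constructed.
import ipaddress
import struct

# Real RFC 3588 values
AVP_USER_NAME = 1             # UTF8String, carries the NAI
AVP_FLAG_MANDATORY = 0x40     # M bit
AVP_FLAG_VENDOR = 0x80        # V bit: Vendor-ID present in the AVP header
HDR_FLAG_REQUEST = 0x80       # R bit in the message header
DIAMETER_VERSION = 1

# Placeholder codes for this example only, not the draft's numbers
CMD_AA_REGISTRATION = 9000           # ARR with the R bit set, ARA with it clear
APP_ID_MIPV6 = 9
AVP_MIPV6_BU = 9001                  # OctetString: Binding Update message
AVP_MIPV6_BA = 9002                  # OctetString: Binding Acknowledgement
AVP_MIPV6_HOME_ADDRESS = 9003        # Address: Home Address of the MN
AVP_MIPV6_HOME_AGENT_ADDRESS = 9004  # Address: Home Agent address
AVP_MIPV6_FEATURE_VECTOR = 9005      # Unsigned32: flags
FV_DYNAMIC_HA_ASSIGNMENT = 1         # flag value from the slide


def encode_address(ip: str) -> bytes:
    """RFC 3588 Address: 2-octet AddressFamily (1 = IPv4, 2 = IPv6) + raw address."""
    addr = ipaddress.ip_address(ip)
    return struct.pack("!H", 1 if addr.version == 4 else 2) + addr.packed


def decode_address(data: bytes) -> str:
    family, = struct.unpack("!H", data[:2])
    if family not in (1, 2):
        raise ValueError("unsupported address family %d" % family)
    return str(ipaddress.ip_address(data[2:]))


def avp(code: int, data: bytes, flags: int = AVP_FLAG_MANDATORY) -> bytes:
    """AVP: 32-bit Code, 8-bit Flags, 24-bit Length (header + data, not padding),
    data padded with zeros to a 4-octet boundary."""
    if not 0 <= code < 2 ** 32:
        raise ValueError("AVP code must fit in 32 bits")
    length = 8 + len(data)
    if length >= 2 ** 24:
        raise ValueError("AVP too long for a 24-bit length field")
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-len(data) % 4)


def message(command_code: int, avps, request: bool, hop_by_hop: int = 0,
            end_to_end: int = 0, app_id: int = APP_ID_MIPV6) -> bytes:
    """Header: Version(8) Length(24) | Flags(8) Command-Code(24) | Application-ID |
    Hop-by-Hop Id | End-to-End Id, followed by the AVPs."""
    body = b"".join(avps)
    flags = HDR_FLAG_REQUEST if request else 0
    return struct.pack("!IIIII", (DIAMETER_VERSION << 24) | (20 + len(body)),
                       (flags << 24) | command_code, app_id, hop_by_hop, end_to_end) + body


def build_arr(nai: str, home_address: str, bu: bytes, want_dynamic_ha: bool) -> bytes:
    """ARR as on the slides: NAI, home address, the BU piggybacked in an
    OctetString AVP, and the feature vector asking for dynamic HA assignment."""
    fv = FV_DYNAMIC_HA_ASSIGNMENT if want_dynamic_ha else 0
    return message(CMD_AA_REGISTRATION, [
        avp(AVP_USER_NAME, nai.encode()),
        avp(AVP_MIPV6_HOME_ADDRESS, encode_address(home_address)),
        avp(AVP_MIPV6_BU, bu),
        avp(AVP_MIPV6_FEATURE_VECTOR, struct.pack("!I", fv)),
    ], request=True)


def parse_message(data: bytes) -> dict:
    """Decode the header and AVPs; returns command code, R bit and {avp_code: bytes}."""
    if len(data) < 20:
        raise ValueError("short header")
    w0, w1, app_id, hbh, e2e = struct.unpack("!IIIII", data[:20])
    version, length = w0 >> 24, w0 & 0xFFFFFF
    flags, command = w1 >> 24, w1 & 0xFFFFFF
    if version != DIAMETER_VERSION or length != len(data):
        raise ValueError("bad version or length")
    avps = {}
    pos = 20
    while pos < length:
        code, cf = struct.unpack("!II", data[pos:pos + 8])
        aflags, alen = cf >> 24, cf & 0xFFFFFF
        hdr = 12 if aflags & AVP_FLAG_VENDOR else 8
        if alen < hdr or pos + alen > length:
            raise ValueError("malformed AVP at offset %d" % pos)
        avps[code] = data[pos + hdr:pos + alen]
        pos += alen + (-alen % 4)  # skip the padding, which is not counted in Length
    return {"command": command, "request": bool(flags & HDR_FLAG_REQUEST),
            "app_id": app_id, "avps": avps}


def wants_dynamic_ha(parsed: dict) -> bool:
    """The check the AAAH makes before allocating a home agent."""
    fv = parsed["avps"].get(AVP_MIPV6_FEATURE_VECTOR)
    return fv is not None and bool(struct.unpack("!I", fv)[0] & FV_DYNAMIC_HA_ASSIGNMENT)
```

The parser validates the 24-bit length fields against the buffer before slicing, the check a relay (AAAL) needs before it forwards a message it did not build. Padding is the usual mistake: the AVP Length excludes the padding, so the cursor must advance by the padded size.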

Information Exchange (1) (MN, AAA Client)
  • MIP feature data
    • Sent when requesting dynamic HA assignment
    • Carried in ICMPv6 / a new Destination Option / etc.
  • EAP data
    • A MIPv6 node may use various AA methods (including EAP)
  • Embedded data
    • The BU and BA are sent/received inside the AAA request message (piggybacked)
    • Reduces the round trips: BU optimization
  • Authentication
    • The MN must be authenticated before it can access the visited network
    • Mutual authentication (MN <-> visited network)
    • Default: mutual challenge exchange (challenge carried in the Router Advertisement)
  • Messages (the same four command codes as on the Diameter message slide)
    • ARR: Authentication Registration Request
    • ARA: Authentication Registration Answer
    • HOR: Home-Agent-MIPv6-Request
    • HOA: Home-Agent-MIPv6-Answer

Information Exchange (2) (MN, AAA Client): message-flow figure, not reproduced in the transcript
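The slides describe the mutual challenge exchange, the long-term key shared by the MN and the AAAh, and key distribution, but fix none of the primitives. The following added example (mine, not the slides' or the draft's) simulates that flow in Python under stated assumptions: HMAC-SHA256 as the keyed function over the MN/AAAh long-term key, a 16-octet challenge placed in the RA by the attendant, an MN nonce so the network must also prove itself, MN-HA and MN-attendant session keys that both ends derive rather than transmit over the access link, and a MAC over the embedded BU with the MN-HA key. The AAAv/AAAh secure channel and the ARR/ARA relaying are modelled as function calls; the NAI and BU bytes are constructed.

```python
# Added example (not from the slides): a simulation of the mutual challenge exchange
# and AAA key distribution described above. All primitives are assumptions:
# HMAC-SHA256 over the MN/AAAh long-term key, a 16-octet RA challenge, derived
# (not transmitted) session keys, and a MAC over the embedded BU. The secure
# AAAv<->AAAh channel and ARR/ARA relaying are modelled as plain function calls.
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation with length-prefixed inputs so fields cannot be confused."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def attendant_router_advertisement() -> bytes:
    """The attendant places a fresh challenge in the RA (default mutual challenge exchange)."""
    return os.urandom(16)


def mn_auth_response(long_term_key: bytes, nai: bytes, challenge: bytes) -> dict:
    """MN answers the RA challenge; the attendant relays this content in the ARR."""
    nonce = os.urandom(16)  # MN's own challenge, so the network has to prove itself too
    return {"nai": nai, "challenge": challenge, "nonce": nonce,
            "auth": prf(long_term_key, b"mn-auth", nai, challenge, nonce)}


def derive_session_keys(long_term_key: bytes, nai: bytes, challenge: bytes, nonce: bytes) -> dict:
    """Computed independently by the MN and the AAAh; the AAAh hands them to the HA and
    the attendant over the AAA infrastructure, the MN never receives them over the air."""
    return {"mn_ha": prf(long_term_key, b"mn-ha", nai, challenge, nonce),
            "mn_attendant": prf(long_term_key, b"mn-attendant", nai, challenge, nonce)}


def aaah_process_arr(user_db: dict, issued_challenge: bytes, req: dict):
    """AAAh side of the ARR: check the MN's proof against its long-term key.
    Returns the ARA content (network proof + session keys) or None on failure."""
    if req["challenge"] != issued_challenge:  # stale/replayed challenge from an earlier RA
        return None
    ltk = user_db.get(req["nai"])
    if ltk is None:
        return None
    expected = prf(ltk, b"mn-auth", req["nai"], req["challenge"], req["nonce"])
    if not hmac.compare_digest(expected, req["auth"]):
        return None
    return {"net_auth": prf(ltk, b"net-auth", req["nai"], req["challenge"], req["nonce"]),
            "keys": derive_session_keys(ltk, req["nai"], req["challenge"], req["nonce"])}


def mn_verify_network(long_term_key: bytes, nai: bytes, challenge: bytes, nonce: bytes, net_auth: bytes) -> bool:
    """Mutual part: the MN checks the network's proof, bound to the MN's own nonce."""
    return hmac.compare_digest(prf(long_term_key, b"net-auth", nai, challenge, nonce), net_auth)


def protect_bu(mn_ha_key: bytes, bu: bytes) -> bytes:
    """MAC for the BU embedded in the ARR, since no MN-HA SA exists yet at that point."""
    return prf(mn_ha_key, b"bu-mac", bu)


def verify_bu(mn_ha_key: bytes, bu: bytes, tag: bytes) -> bool:
    """HA side, using the MN-HA key it received from the AAAh."""
    return hmac.compare_digest(prf(mn_ha_key, b"bu-mac", bu), tag)


def run_exchange(tamper_bu: bool = False, wrong_key: bool = False):
    """Whole flow: RA challenge -> MN response with embedded BU -> ARR -> AAAh -> ARA.
    Returns (mutual_authentication_ok, embedded_bu_accepted_by_ha)."""
    nai = b"mn@home.example"                 # constructed subscriber
    ltk = os.urandom(32)
    user_db = {nai: ltk}                     # AAAh subscriber database (constructed)
    mn_key = os.urandom(32) if wrong_key else ltk  # wrong_key models an impostor MN
    challenge = attendant_router_advertisement()
    req = mn_auth_response(mn_key, nai, challenge)
    mn_keys = derive_session_keys(mn_key, nai, challenge, req["nonce"])
    bu = b"constructed BU bytes"
    tag = protect_bu(mn_keys["mn_ha"], bu)
    if tamper_bu:
        bu = bu[:-1] + bytes([bu[-1] ^ 1])   # a bit flipped on the access link
    ara = aaah_process_arr(user_db, challenge, req)
    if ara is None:
        return False, False
    mutual = mn_verify_network(mn_key, nai, challenge, req["nonce"], ara["net_auth"])
    return mutual, verify_bu(ara["keys"]["mn_ha"], bu, tag)
```

Binding both proofs to the attendant's challenge and the MN's nonce is what gives mutual authentication and replay resistance: a false base station that replays an old RA challenge gets an `auth` value the AAAh rejects, and it cannot produce `net_auth` without the long-term key.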

Enhanced Protocol Operation (1)
  • If the MN does not know a pre-configured HA
    • Dynamic HA assignment
    • Dynamic home address assignment
  • Contains all features of the basic operation
    • Key distribution
    • Optimized (embedded) BU
    • Authentication: same as the basic operation
  • Additional activities
  • Behaviour of the entities

Enhanced Protocol Operation (2)
  • Home Agent assignment in the home network

Security Consideration
  • Analysis
    • Security
      • The embedded BU/BA opens a security gap: the BU is carried in the ARR before the MN-HA security association of the basic procedure exists, so that SA cannot protect it
      • Security functions must be added at steps 1 (RA), 2 (ARR) and 9 (ARA)
    • Performance
      • 9 message exchanges in total
      • Embedded BU/BA
AAA architecture for Mobile IPv6 (1)
  • Proposed by F. Dupont, "AAA for Mobile IPv6"
  • Characteristics
    • MN <-> Attendant
    • 12 message exchanges
  • AAA messages
    • AS: Attendant Solicitation
    • AA: Attendant Advertisement
    • AReq: Authentication Request
    • AMR: Authentication MN-Request
    • AMA: Authentication MN-Answer
    • AHR: Authentication HA-Request
    • AHA: Authentication HA-Answer
    • ARsp: Authentication Reply
AAA architecture for Mobile IPv6 (3)
  • Analysis
    • Security
      • Keeps the security strength of standard Mobile IPv6
    • Performance
      • 12 message exchanges in total -> not suited to fast mobility