Authors hannes tschofenig henning schulzrinne maarten buechli sven van den bosch
Download
1 / 13

NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) - PowerPoint PPT Presentation


  • 108 Views
  • Uploaded on

Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli Sven Van den Bosch. NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt). Draft Scope. This draft is: A first attempt to describe AAA issues relevant for NSIS.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt)' - mignon


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Authors hannes tschofenig henning schulzrinne maarten buechli sven van den bosch

Authors:

Hannes Tschofenig

Henning Schulzrinne

Maarten Buechli

Sven Van den Bosch

NSIS Authentication, Authorization and Accounting Issues(draft-tschofenig-nsis-aaa-issues-00.txt)


Draft scope
Draft Scope

This draft is:

  • A first attempt to describe AAA issues relevant for NSIS.

  • It points to the importance of authorization/charging for QoS signaling.

    The draft is not:

  • A summary of mathematical pricing models

  • A new protocol proposal

  • A motivation for a certain architecture


Introduction
Introduction

  • At the last IETF Steve Bellovin talked about security issues in NSIS.

  • He pointed to the importance of authorization for an NSIS protocol.

  • An interesting aspect of authorization for QoS signaling is:

    Authorization = ability to charge someone1

    1 There are other authorization issues (e.g. session ownership).


Introduction cont
Introduction (cont.)

  • Authorization has an implication on the security architecture.

  • We looked at two possible models:

    • New Jersey Turnpike Model

    • New Jersey Parkway Model


New jersey turnpike model
New Jersey Turnpike Model

Network A

Network B

Network C

  • Peering relationship is used to provide charging between neighboring networks

  • Similar to edge pricing proposed by Schenker et. al.

Data Sender

Data Receiver

Node B

Node A


Nj turnpike model issues
NJ Turnpike Model Issues

  • Establishment of the financial settlement between end host (data sender favorable) and access network based on network access procedure (not per-session based)

  • Simple (if data sender is charged for the reservation)

  • More difficult: receiver-initiated signaling and charging for data receiver

  • Unfortunately it is possible to fully avoid reverse charging (e.g. #800 numbers).


New jersey parkway model
New Jersey Parkway Model

Network A

Network B

Network C

  • Financial settlement has to be provided on a per-session basis

  • More complex: financial settlement to intermediate networks required(authentication alone is insufficient)

Direct AAA relationship to intermediate networks

Data Sender

Data Receiver

Node B

Node A


Nj parkway model issues
NJ Parkway Model Issues

  • Trusted third party might be required such as a clearing house since intermediate networks have no direct relationship to end host

  • Financial settlement has to be provided on a per-session basis  scalability and deployment problem

  • More flexible signaling protocol functionality required:

    • A route change might require interaction with end host.

    • Signaling protocol might support the possibility for intermediate networks to interact with the end host

    • Aggregation in the core network might be difficult to use if per-session information is required for charging.


Who is charged for what
Who is charged for what?

  • Basic question: Charging for data sender or data receiver

  • Sender- vs. receiver oriented signaling adds some issues but is not the source of the problem.

  • What is the problem?

    Per-session based establishment of financial settlement

    Example: Sender-initiated reservation with charging for data receiver (see next slide)


Sender initiated reservation with charging for data receiver
Sender-initiated reservation with charging for data receiver

Network A

Network B

Network C

  • Node A indicates that some other entity is paying for the reservation.

  • Why should Network A authorize the reservation request?

RESV

RESV

RESV

RESV

“Authorization Information”

Data Sender

Data Receiver

Node B

Node A


Not enough problems already price distribution
Not enough problems already?Price Distribution

Price for a QoS reservation:

Price cannot be deferred from the destination IP address alone (unlike telephone numbers) Price distribution required (can be in-band, out-of-band or a combination of both)  Price depends on the route (number of traversed networks) Price is directional (due to cost and route asymmetry)

An end user wants to know the price before issuing a reservation request.


Price distribution building blocks
Price distribution Building Blocks

  • A resource negotiation and pricing protocol (RNAP)

  • An embedded charging approach for RSVP

  • Border Pricing Protocol (BPP)

  • Billing Information Protocol (BIP)

  • Tariff Distribution Protocol (TDP)

  • Internet Open Trading Protocol (IOTP)

  • Open Settlement Protocol (OSP)

    Not surprising: Many of these protocols require the same properties as a QoS signaling protocol.


Conclusion
Conclusion

  • Peer-to-peer security is fine for a simple charging model (NJ Turnpike). Authorization issues needs additional security protection.

  • Charging is not only an end-to-end (application) issue. The network needs some information.

  • Some authorization/charging objects have to be included into a NSIS protocol.

  • An NSIS protocol needs to be flexible. (e.g. support for several roundtrips).