AAA Requirements from Mobile IP, Gopal Dommety, Cisco - PowerPoint PPT Presentation

  1. AAA Requirements from Mobile IP
     Gopal Dommety, Cisco Systems
     Steve Glass, Nokia Telecommunications
     Stuart Jacobs, GTE Laboratories
     Tom Hiller, Lucent
     Basavaraj Patil, Nortel Networks
     Charles E. Perkins, Sun Laboratories
     http://www.svrloc.org/~charliep/txt/ietf45/aaa.ps
     Dommety, Glass, Jacobs, Hiller, Patil, Perkins   1   Sun

  2. AAA - Authentication, Authorization, and Accounting
     AAA is used by Mobile IP agents to handle:
     - Mobile Nodes authenticated by trusted agents in their home domain
     - Connectivity authorized by administrative agents in the foreign domain
     - Accounting initiated by foreign agents, which are trusted by the administrative agents in the foreign domain

  3. Interactions between Mobile IP and AAA
     [Figure: Broker, AAAF, AAAH, HA, FA]
     - Mobile Nodes authenticated by AAA in their home domain
     - Connectivity authorized by AAA in the foreign domain
     - Acct'g initiated by foreign agents
     - AAA w/brokers provides economic infrastructure for inter-domain mobility
     - Bilateral relationships may preempt need for brokers
     - Authentication invoked by simple Mobile IP extensions

  4. Trust Relationships
     [Figure: security associations SA1 (MN - home AAA), SA2 (HA - AAAH), SA3 (AAAF - AAAH), SA4 (FA - AAAF), as used on slides 9-10]
     - Home AAA trusts Mobile Node
     - Visited AAA trusts Home AAA
     - Visited Foreign Agent trusts Visited AAA
     - Home Agent trusts Home AAA

  5. MN NAI extension

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |  Network Access Identifier ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     The mobile node is able to identify itself using its NAI (Network Access Identifier) instead of its IP address. The NAI is standardized in RFC 2486. This extension is going through working group Last Call.

  6. FA Challenge Extension

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |         Challenge ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     The Foreign Agent includes the FA Challenge extension in its Agent Advertisements. The mobile node includes the same challenge string in an extension to the Registration Reply.

  7. MN-AAA Authentication

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |            SPI ....
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       .... SPI (continued)    |       Authenticator ....
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     The mobile node includes an MN-AAA authentication extension along with the challenge string from the FA challenge.

  8. Protocol Overview
     [Figure: MN, FA, AAAF, AAAH, HA with message steps 0-5]
     0. Foreign agent (FA) advertises challenge
     1. Mobile node (MN) adds NAI, Challenge Response etc., to Mobile IP registration request
     2. FA invokes AAA protocol with its local AAA server (AAAF)
     3. AAAF ("proxy") parses NAI, finds MN's home server address (AAAH)
     4. AAAF invokes AAA protocol and awaits approval by AAAH
     5. AAAH checks MN credentials and may allocate a home address for the mobile node
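As an added example (not from the slides or the authors' draft), the Python below encodes the three Type/Length/Value extensions of slides 5-7 and performs the checks the FA, AAAF and AAAH make in steps 0-5 above; the extension type codes, the HMAC-SHA256 authenticator, the fixed-header stand-in and the sample NAI and secret are assumptions, since the deck fixes none of them.

```python
# Added example, not from the slides: the three extensions of slides 5-7 as
# Type/Length/Value records and the checks of steps 1-5 on slide 8. Type codes,
# the HMAC-SHA256 authenticator and the sample values are assumptions.
import hashlib, hmac, struct
EXT_NAI, EXT_CHALLENGE, EXT_MN_AAA = 0xF1, 0xF2, 0xF3  # placeholder type codes
TAG_LEN = hashlib.sha256().digest_size
FIXED = bytes(16)  # constructed stand-in for the fixed Registration Request fields

def ext(ext_type, payload):
    """Type | Length | payload; Length counts only the payload octets."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-octet Length field")
    return struct.pack("!BB", ext_type, len(payload)) + payload

def parse_exts(data):
    """Walk a chain of extensions into {type: payload}."""
    out, i = {}, 0
    while i < len(data):
        t, n = struct.unpack_from("!BB", data, i)
        if i + 2 + n > len(data):
            raise ValueError("truncated extension")
        out[t] = data[i + 2:i + 2 + n]
        i += 2 + n
    return out

def mn_build_request(nai, challenge, spi, mn_aaa_key, fixed=FIXED):
    """Step 1: MN appends NAI, the advertised challenge and, last, an MN-AAA
    authenticator over everything before it plus the SPI (binds the challenge)."""
    body = fixed + ext(EXT_NAI, nai.encode()) + ext(EXT_CHALLENGE, challenge)
    spi_bytes = struct.pack("!I", spi)
    tag = hmac.new(mn_aaa_key, body + spi_bytes, hashlib.sha256).digest()
    return body + ext(EXT_MN_AAA, spi_bytes + tag)

def fa_check_challenge(request, advertised, fixed_len=len(FIXED)):
    """Steps 0/2: the FA forwards only requests echoing a challenge it advertised."""
    return parse_exts(request[fixed_len:]).get(EXT_CHALLENGE) in advertised

def aaaf_realm(request, fixed_len=len(FIXED)):
    """Step 3: AAAF reads the realm of the NAI (user@realm) to locate the AAAH."""
    return parse_exts(request[fixed_len:])[EXT_NAI].decode().split("@", 1)[1]

def aaah_verify(request, keys_by_spi, fixed_len=len(FIXED)):
    """Step 5: AAAH recomputes the authenticator with the key the SPI selects."""
    auth = parse_exts(request[fixed_len:]).get(EXT_MN_AAA)
    if auth is None or len(auth) != 4 + TAG_LEN:
        return False
    key = keys_by_spi.get(struct.unpack("!I", auth[:4])[0])
    if key is None:
        return False
    covered = request[:len(request) - 2 - len(auth)] + auth[:4]  # preceding data + SPI
    return hmac.compare_digest(hmac.new(key, covered, hashlib.sha256).digest(), auth[4:])
```

A request whose NAI, challenge or fixed fields were altered in transit fails `aaah_verify`, and a request echoing a challenge the FA never advertised is dropped at the FA before any AAA round trip.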

  9. Step 6: Key Generation
     [Figure: SA1 (MN - AAAH), SA2 (HA - AAAH), SA3 (AAAF - AAAH), SA4 (FA - AAAF)]
     AAAH generates:
     - K1: MN <-> FA
     - K2: MN <-> HA
     - K3: FA <-> HA
     AAAH encrypts:
     - for MN: K1 & K2 using SA1
     - for FA: K1 & K3 using SA3
     - for HA: K2 & K3 using SA2

  10. Protocol Overview, continued
     [Figure: MN, FA, AAAF, AAAH, HA with message steps 7-12]
     7. AAAH relays Mobile IP information to HA with K2, K3
     8. HA creates registration reply using K2, and K3 for FA.
     9. HA sends results to AAAH, which proxies request to AAAF
     10. AAAF decrypts K1 & K3 using SA3, re-encrypts using SA4
     11. FA decrypts K1 & K3 using SA4, checks registration reply and FA <-> HA authentication, adds MN <-> FA using K1
     12. MN decrypts K1 & K2 using SA1, checks registration reply, and MN <-> FA authentication

  11. AAA Requirements - Pre-existing Contracts
     - Trust relationship between foreign agent and foreign AAA
     - Trust relationship between home agent and home AAA
     - Foreign agent has to be able to keep state for pending registration/credentials-checking
     - AAA must not restrict the scalability of Mobile IP registrations at any particular foreign agents.
     - Confirmation when service begins
     - Support for prepaid network cards and cyber cafes
     - Either bill-before-service or service-before-bill

  12. Using Brokers
     [Figure: Broker, AAAF, AAAH, HA, FA]
     Using a security broker should be enabled, if the AAAF and AAAH do not already share a security association SA3.

  13. AAA Requirements - Broker Model
     - Negotiating service by a trusted third party
     - Negotiating service parameters
     - Secret information must not be divulged to any third parties
     - Verification of message integrity is required for messages handled by third parties.

  14. AAA Reqs - Mobile IP Authentication
     - Arbitrate trust between the home agent and the mobile node
     - Arbitrate trust between the home agent and the foreign agent
     - Mobile node has to be able to verify the credentials of the foreign domain
     - Foreign agent has to be able to verify mobile node credentials without requiring mobile node to first contact home domain
     - Authentication information SHOULD be available from AAA agents in 1 second or less.
     - Challenge authentications may be less time-critical
     - Foreign and Home AAA servers must simultaneously handle huge numbers of Mobile IP registrations (from different FAs).
     - AAA must maintain the mobile node's ability to register with multiple home agents.

  15. AAA Requirements - Mobile IP Authorization
     - Authorization for link access
     - No constraint on Mobile IP protocol regarding resource categorization
     - Authorization for default router service
     - Authorization for various tunnel protocols (Minimal, GRE)
     - Authorization for reverse tunneling/home agent decapsulation
     - Authorization for clock synchronization
     - Authorization for smooth handoff
     - Authorization for firewall traversal

  16. AAA Reqs - Mobile IP vs. Accounting
     Mobile IP doesn't have anything to say about accounting. However, accounting requirements within the scope of AAA include information to enable charging for the following resources and services:
     - Connection time to some degree of accuracy (per minute, per second)
     - Address allocation, distinguishable by routability
     - Location-sensitive home agent allocation
     - Registration processing requirements
     - Number of packets
     - Key generation
     - Bandwidth requirement
     Accounting modes could be either incremental or running totals.

  17. Overall Vision
     [Figure: Brokers; Mobile IP/AAA; AAA; TR45.6; GPRS; Hawaii; Thema]
     Mobile IP can provide the best technology for new deployments of wireless technology. Mobile IP, with AAA, can also provide the backbone connectivity for wireless providers, no matter what local or legacy protocols are used.

  18. TBD
     - IPv6?
     - Smooth handoff problems
     - Tunneling requirements (esp. for private addresses)
     - Encryption services requested at Mobile IP registration time
     - QoS requirements specified at Mobile IP registration time
