AAA Requirements for cdma2000
draft-hiller-cdma2000-AAA-00.txt
TR45.6 Wireless Data Group
Tom Hiller, Editor
11/11/99
Carriers and Vendors Involved
- US: Vodafone, Ameritech, GTE, Sprint PCS
- Canadian: Bell Mobility
- Japan: DDI, IDO
- Vendors: Fujitsu, LGIC, Lucent, Motorola, Nortel, Qualcomm, Samsung, SUN, 3Com, Cisco, NEC, Alcatel, Toshiba
Introduction
- IP network access via cdma2000 carrier
  - Traditional PPP (Simple IP)
  - Mobile IP
    - Home Agent is located in the wireless carrier network
    - Home Agent may be assigned by the visited or the home carrier
- Private Network or Home ISP access
  - Home IP network authenticates and authorizes the user
  - Home Agent behind a firewall in a private network or ISP
  - Security support for low-end devices that cannot support IPsec and/or will not pay its overhead on the air interface
- Dual authentication of the mobile by the radio and IP networks
General Architecture
[Diagram: Mobile Station -- Radio Network -- R-P Interface -- PDSN, all in the Visited Access Provider Network, with a Visited AAA; an AAA Broker Network between the Visited AAA and the Home AAA; the Home Access Provider Network holding the HLR and VLR (reached over the SS7 Network), the Home AAA and the HA; and a Home IP Network (Home ISP or Private Network) with its own AAA server. Visited Provider on the left, Home Provider on the right.]
Radio Network Authentication and Authorization
Mobile uses the usual wireless interfaces and wireless authentication mechanisms to gain radio access.
[Diagram: Mobile Station -- Radio Network -- R-P Interface in the Visited Access Provider Network; VLR and HLR in the Home Access Provider Network.]
IP Network Authentication
- Mobile uses CHAP for "Traditional PPP Service"
- Mobile uses the Foreign Agent Challenge for Mobile IP
- Same AAA infrastructure works for both authentication mechanisms
[Diagram: Mobile Station -- RAN -- R-P Interface -- PDSN/FA in the Visited Access Provider Network; AAA Request/Response flows from the Visited AAA through the Broker AAA (AAA Broker Network) to the Home AAA in the Home IP/PPP Network.]
Authentication and Authorization
- Mobile accesses data services after radio access
  - Radio network authenticates the mobile for radio access
- Authenticate the mobile using CHAP or the Foreign Agent Challenge
  - The NAI is used to route the AAA request to the home network based on the realm of the NAI
  - The AAA response provides assurance to the serving network that it will get paid for services rendered
General MIP/AAA Requirements
- Same AAA infrastructure must work for both Traditional PPP service (limited mobility) and Mobile IP service
  - Mobile Node and home network have a shared secret
- The serving and home network are not required to have a direct security association
  - The home network may be a private network that only has an association with a broker or the home wireless carrier
  - Associations may be provided indirectly via brokers
    - TR45.6 has not studied the number of brokers required
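A worked example of the two slides above, added here as illustration; it is not code from the draft or from TR45.6. It shows the serving AAA choosing the next hop from the realm of the NAI, reaching a private home network only through a broker when it has no direct security association, and the home AAA verifying the response with one code path for both Simple IP (PPP CHAP) and Mobile IP (Foreign Agent Challenge). It assumes NAI syntax of user@realm (RFC 2486) and CHAP response computation per RFC 1994, and it assumes the Foreign Agent Challenge response is computed the same way as CHAP (the deck only says the RADIUS extension "looks like CHAP"). Node names, realms, secrets and routing tables are constructed.

```python
"""Added example (not from the TR45.6 slides): NAI realm routing from the
serving AAA to the home AAA, via a broker where no direct security
association exists, plus CHAP-style verification at the home AAA shared by
the Simple IP (PPP CHAP) and Mobile IP (Foreign Agent Challenge) cases.
Node names, realms, secrets and routing tables below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def parse_nai(nai: str):
    """Split an NAI (RFC 2486 'user@realm') into (user, realm), realm lower-cased."""
    if "@" not in nai:
        return nai, ""                      # no realm: served by the local network
    user, realm = nai.rsplit("@", 1)
    if not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()


@dataclass
class AAAServer:
    """One AAA node: realms it is the home for, explicit next hops for realms it
    has a security association with, and a broker for every other realm."""
    name: str
    home_realms: set
    routes: dict = field(default_factory=dict)   # realm suffix -> node name
    broker: str = None

    def is_home(self, realm: str) -> bool:
        return any(realm == r or realm.endswith("." + r) for r in self.home_realms)

    def next_hop(self, realm: str):
        # longest-suffix match, so a route for corp.example also covers eng.corp.example
        labels = realm.split(".")
        for i in range(len(labels)):
            hop = self.routes.get(".".join(labels[i:]))
            if hop:
                return hop
        return self.broker


def route_path(servers, start: str, realm: str, max_hops: int = 8):
    """Proxy chain from the serving AAA to the home AAA for `realm`."""
    path, current = [start], start
    for _ in range(max_hops):               # hop limit guards against routing loops
        node = servers[current]
        if node.is_home(realm):
            return path
        nxt = node.next_hop(realm)
        if nxt is None or nxt not in servers:
            raise LookupError(f"{current} has no route toward realm {realm!r}")
        path.append(nxt)
        current = nxt
    raise LookupError(f"hop limit exceeded routing to {realm!r}")


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


@dataclass
class HomeAAA:
    """Verifier at the home network; the mobile's shared secret lives only here,
    never at the serving network or a broker."""
    subscribers: dict                       # NAI -> shared secret

    def verify(self, nai, ident, challenge, response) -> bool:
        secret = self.subscribers.get(nai)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def authenticate(servers, homes, serving, nai, ident, challenge, response):
    """Serving AAA forwards by realm; the home AAA decides. Returns (path, ok).
    Path and verifier are the same whether the challenge came from PPP CHAP
    (Simple IP) or from the FA (Mobile IP); only the challenger differs.
    Assumption: the FA Challenge response is computed like CHAP."""
    _, realm = parse_nai(nai)
    path = route_path(servers, serving, realm)
    return path, homes[path[-1]].verify(nai, ident, challenge, response)


# Constructed topology: the corporate home network is private and is reachable
# from the visited carrier only through the broker.
SERVERS = {
    "visited-aaa": AAAServer("visited-aaa", {"visited.example"},
                             routes={"partner.example": "partner-aaa"}, broker="broker-aaa"),
    "broker-aaa":  AAAServer("broker-aaa", set(), routes={"corp.example": "corp-aaa"}),
    "partner-aaa": AAAServer("partner-aaa", {"partner.example"}),
    "corp-aaa":    AAAServer("corp-aaa", {"corp.example"}),
}
HOMES = {
    "partner-aaa": HomeAAA({"alice@partner.example": b"alice-secret"}),
    "corp-aaa":    HomeAAA({"bob@eng.corp.example": b"bob-secret"}),
}


def demo():
    # Simple IP: the PDSN issues a PPP CHAP challenge; the home AAA is a direct peer.
    c1 = secrets.token_bytes(16)
    path1, ok1 = authenticate(SERVERS, HOMES, "visited-aaa", "alice@partner.example",
                              7, c1, chap_response(7, b"alice-secret", c1))
    # Mobile IP: the FA issues the challenge; home is a private network behind the broker.
    c2 = secrets.token_bytes(16)
    r2 = chap_response(1, b"bob-secret", c2)
    path2, ok2 = authenticate(SERVERS, HOMES, "visited-aaa", "bob@eng.corp.example", 1, c2, r2)
    # Replaying r2 against a fresh challenge must fail.
    _, replay_ok = authenticate(SERVERS, HOMES, "visited-aaa", "bob@eng.corp.example",
                                1, secrets.token_bytes(16), r2)
    return path1, ok1, path2, ok2, replay_ok
```

Running `demo()` routes alice's request directly to partner-aaa and bob's request through broker-aaa to corp-aaa, both verified by the same `HomeAAA.verify`; the replayed response fails because the challenge is fresh. The hop limit and the "no route" error are the two failure modes a serving AAA has to handle when realm tables and broker agreements are incomplete.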
AAA Transport Requirements
- User profiles
  - Ability to transport a profile
    - Examples: types of security and QoS services the home IP network authorizes
- AVP Encryption and Key Distribution
  - Ability for the Home AAA server to distribute keys
    - Pre-shared key for IKE
    - HA-FA key
    - MN-FA and MN-HA keys
  - Keys should be encrypted across multiple AAA server hops
  - Ability to transmit a public key to facilitate encryption of AVPs or IP security
Key Distribution
- Reasons:
  - To promote use of the HA to FA authentication extension
  - To promote fast intradomain FA to FA handoffs
  - To promote dynamic HA assignment
  - To allow a pre-shared key for IKE, avoiding certificate processing in the FA and HA
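The requirement that keys be encrypted across multiple AAA server hops is easiest to see by looking at what hop-by-hop protection gives up. The following is an added example, not code from the draft or from TR45.6: it implements the hop-by-hop hiding that RADIUS uses for a key attribute (RFC 2868 section 3.5, Tunnel-Password, MD5-based) and pushes a key from the Home AAA through a broker to the PDSN/FA. Hop secrets, Request Authenticators and the distributed key are constructed.

```python
"""Added example (not from the TR45.6 slides): why a key must be protected
end-to-end rather than hop-by-hop when it crosses several AAA servers.
The hop-by-hop hiding below follows RFC 2868 section 3.5 (Tunnel-Password),
the way RADIUS proxies hide a key under the secret shared with the next hop.
Hop secrets, authenticators and the distributed key are constructed."""
import hashlib
import secrets


def hide(hop_secret: bytes, authenticator: bytes, key: bytes) -> bytes:
    """Hide `key` for one hop: returns Salt || c(1) || ... || c(n) per RFC 2868.
    b(1) = MD5(S + R + Salt), c(i) = p(i) XOR b(i), b(i+1) = MD5(S + c(i))."""
    salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])  # high bit set
    plain = bytes([len(key)]) + key                 # length octet, then the key
    plain += b"\x00" * (-len(plain) % 16)           # pad to a multiple of 16
    out, b = b"", hashlib.md5(hop_secret + authenticator + salt).digest()
    for i in range(0, len(plain), 16):
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        b = hashlib.md5(hop_secret + c).digest()
    return salt + out


def unhide(hop_secret: bytes, authenticator: bytes, data: bytes) -> bytes:
    """Inverse of hide(); raises ValueError on a malformed attribute."""
    salt, cipher = data[:2], data[2:]
    if len(salt) != 2 or not (salt[0] & 0x80) or not cipher or len(cipher) % 16:
        raise ValueError("malformed hidden attribute")
    plain, b = b"", hashlib.md5(hop_secret + authenticator + salt).digest()
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(c, b))
        b = hashlib.md5(hop_secret + c).digest()
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad length octet (wrong hop secret or authenticator?)")
    return plain[1:1 + n]


def distribute_hop_by_hop(key: bytes, hop_secrets, authenticators, exposed):
    """Home AAA -> proxies -> PDSN/FA. hop_secrets[i] and authenticators[i]
    belong to the i-th hop; with n hops there are n-1 proxies. Each proxy has to
    unhide the key to re-hide it for its next hop, so it sees the plaintext
    (appended to `exposed`). Returns the key as recovered by the last receiver."""
    if len(hop_secrets) != len(authenticators) or not hop_secrets:
        raise ValueError("one secret and one authenticator per hop")
    blob = hide(hop_secrets[0], authenticators[0], key)
    for i in range(1, len(hop_secrets)):
        at_proxy = unhide(hop_secrets[i - 1], authenticators[i - 1], blob)
        exposed.append((f"proxy-{i}", at_proxy))
        blob = hide(hop_secrets[i], authenticators[i], at_proxy)
    return unhide(hop_secrets[-1], authenticators[-1], blob)


def demo():
    # Constructed chain: Home AAA -> AAA broker -> Visited AAA/PDSN (two hops).
    mn_ha_key = secrets.token_bytes(16)
    hop_secrets = [b"home<->broker-secret", b"broker<->visited-secret"]
    authenticators = [secrets.token_bytes(16), secrets.token_bytes(16)]  # Request Authenticators
    seen_by_proxies = []
    at_pdsn = distribute_hop_by_hop(mn_ha_key, hop_secrets, authenticators, seen_by_proxies)
    return at_pdsn == mn_ha_key, [who for who, k in seen_by_proxies if k == mn_ha_key]
```

`demo()` returns `(True, ["proxy-1"])`: the PDSN recovers the MN-HA key, but so does the broker, because each hop's hiding is keyed only by that hop's shared secret. Encrypting "across multiple AAA server hops" therefore means encrypting the key AVP for its final recipient, for instance under a public key of the PDSN/FA as the transport-requirements slide allows, so that brokers forward it opaquely. The MD5 hiding above also gives no integrity; a broker or anyone on the path can flip bits, so message authentication has to be supplied separately.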
AAA Reliability
- AAA protocol must provide carrier-grade reliability
  - Support reliable proxy chaining
    - Ability for the next-hop AAA server to indicate delivery to the previous AAA server application
  - Support configurable retransmission and fail-over
  - Ability to detect silent failures of the path to the next AAA server
Minimize Latency
- Desirable:
  - Single round trip for AAA and MIP
  - Should be able to encode a MIP registration request in the same message to avoid multiple round trips
  - Fast FA to FA handoff
Message Integrity and Non-repudiation
- Support:
  - Replay protection and optional non-repudiation capabilities for all authorization and accounting messages
  - Ability for accounting messages to be matched with prior authorization messages
  - Reliable transmission of accounting records
    - Accounting and settlement directly or via brokers
  - Capability for AAA brokers to modify certain parts of AAA messages
cdma2000 MIP Deployment Status
- cdma2000 needs the FAC (Foreign Agent Challenge):
  - NAI privacy is not a first-release requirement
  - RADIUS extension looks like CHAP
  - Consensus has been reached on the list to use the RADIUS MN extension
- With the FAC and NAI, cdma2000 carriers are ready to deploy!
  - 3G deployment starts next year
  - Packet data is a driving factor for 3G wireless deployment
  - Must have a robust AAA infrastructure ASAP
  - Highly desirable that the initial deployment be based on the new AAA protocol