Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00). Washington D.C., November 2004, IETF 61st, mip6 WG. Gerardo Giaretta, Ivano Guardini, Elena Demaria et al. Presentation transcript.

1 Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00)
Washington D.C., November 2004, IETF 61st, mip6 WG
Gerardo Giaretta, Ivano Guardini, Elena Demaria (Telecom Italia Lab, TILab); Julien Bournelle (GET/INT); Rafa Marin Lopez (University of Murcia)

2 Motivation
MIPv6 may be a service offered by a Mobility Service Provider (MSP)
– the MSP manages a set of HAs that can be used only by the customers who subscribed to the MIPv6 service
In this case all protocol operations need to be explicitly authorized and monitored
– to control service utilization and enable consistent billing
This can be done by relying on the AAA infrastructure of the MSP
– the AAA infrastructure can also be used to enable dynamic Mobile IPv6 bootstrapping

3 AAA-HA interface
Interface between the AAA infrastructure of the MSP and the HA
– the HA is a kind of Network Access Server (NAS) for MIPv6
Core capabilities
– Mobile IPv6 service authorization and maintenance (e.g. asynchronous service termination)
– exchange of accounting data (e.g. time of creation and removal of binding cache entries)
Dynamic bootstrapping capabilities
– mobile node authentication (e.g. EAP-based)
– delivery of configuration parameters to the HA (e.g. PSK for peer authentication in IKE phase 1)

4 Basic Security Model
MN shares a pre-configured trust relationship with the AAA server of the MSP (AAA-MSP)
HA shares a trust relationship with the AAA-MSP server
[Figure: trust relationships between the MN, the AAA-MSP server and the Home Agent]

5 Usage scenario n.1
Bootstrapping directly with the HA
– using IKEv2 (draft-ietf-mip6-ikev2-00)
– or using PANA multi-hop (draft-tschofenig-mip6-bootstrapping-pana-00)
[Figure: the MN runs EAP towards the Home Agent acting as NAS, carried over IKEv2 or PANA multi-hop; the HA relays user authentication and authorization to the AAA-MSP server over the AAA-HA protocol (EAP transport)]

6 Usage scenario n.2
Bootstrapping through the AAA infrastructure
– using EAP (draft-giaretta-mip6-authorization-eap-02)
– using RADIUS or Diameter AVPs (draft-ohba-mip6-boot-arch-dhcp-00, draft-jee-mip6-bootstrap-pana-00, draft-chowdhury-mip6-bootstrap-radius-00)
[Figure: A) MIPv6 data piggybacked within EAP between MN, NAS and AAA-MSP server; B) MIPv6 RADIUS or Diameter AVPs between NAS and AAA-MSP server, with PANA, L2 or DHCP specific extensions towards the MN; in both cases the AAA-MSP server sets up MIPv6 state in the Home Agent over the AAA-HA protocol]

7 Usage scenario n.3
MN is statically provisioned with bootstrapping data (Home Address, HA address, etc.)
Explicit authorization of MIPv6 service
– service may not be authorized if the MN's credit is about to be exhausted
[Figure: MN and Home Agent run IKEv1/IKEv2; the Home Agent requests MIPv6 authorization from the AAA-MSP server over the AAA-HA protocol]

8 Usage scenario n.4
IPsec SA is statically and manually configured
The IPsec SA is enough to authenticate BUs and BAs; it is not enough to authorize the MIPv6 service
[Figure: MN sends a BU to the Home Agent; the Home Agent requests binding authorization from the AAA-MSP server over the AAA-HA protocol, then returns the BA]

9 Goals
Common goals
– Security: mutual authentication; integrity protection; replay protection; confidentiality; inactive peer detection
– Service authorization: NAI to identify the MN; HA must be able to query AAA-MSP to verify MN authorization; AAA-MSP should be able to enforce authorization restrictions of the HA
– Accounting: transfer of accounting records (e.g. bytes transferred in bi-directional tunneling)
Scenario n.1
– Mobile node authentication: MN authentication with the HA as NAS and AAA-MSP as backend authentication server (e.g. EAP)
Scenario n.2
– Delivery of configuration data: AAA-MSP should be able to poll the HA for the allocation of a HoA; AAA-MSP should be able to send security data to the HA (e.g. PSK)
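The following is an added worked example, not code from the slides or from any protocol the authors propose. It is a toy model of the HA-to-AAA-MSP authorization query: the message format (a JSON body plus an HMAC-SHA256 tag under the key the HA shares with AAA-MSP), the sequence-number replay check, the subscriber table and the constructed NAIs, keys and home addresses are all assumptions standing in for Diameter, RADIUS or SNMPv3. It exercises the goals above (mutual authentication, integrity, replay protection, NAI as the MN identifier, an accounting record on binding cache entry creation), the "credit exhausted" refusal of scenario n.3, and the point of scenario n.4 that a BU which authenticates under the IPsec SA can still be refused because the MN is not authorized. Confidentiality and inactive peer detection are not modelled.

```python
"""Toy HA <-> AAA-MSP authorization exchange (added example, hypothetical format)."""
import hashlib
import hmac
import json
from typing import Optional


def _mac(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect(key: bytes, body: dict) -> dict:
    """Attach an integrity tag; the receiver recomputes it with the same key."""
    return {"body": body, "tag": _mac(key, body)}


class AAAMSP:
    """AAA server of the Mobility Service Provider (constructed toy)."""

    def __init__(self, ha_keys: dict, subscribers: dict):
        self.ha_keys = ha_keys          # ha_id -> key shared with that HA (trust relationship)
        self.subscribers = subscribers  # NAI -> {"mipv6": bool, "credit": seconds left}
        self.last_seq = {}              # ha_id -> highest sequence number accepted

    def handle(self, msg: dict) -> Optional[dict]:
        body = msg["body"]
        key = self.ha_keys.get(body.get("ha"))
        # Authentication + integrity: only a HA holding the shared key can produce the tag.
        if key is None or not hmac.compare_digest(msg["tag"], _mac(key, body)):
            return None                 # forged or tampered request: dropped
        # Replay protection: the per-HA sequence number must strictly increase.
        if body["seq"] <= self.last_seq.get(body["ha"], 0):
            return None                 # replayed request: dropped
        self.last_seq[body["ha"]] = body["seq"]
        sub = self.subscribers.get(body["nai"])   # the NAI identifies the MN
        if sub is None:
            ok, reason = False, "unknown-nai"
        elif not sub["mipv6"]:
            ok, reason = False, "not-subscribed"
        elif sub["credit"] <= 0:
            ok, reason = False, "credit-exhausted"   # scenario n.3: service not authorized
        else:
            ok, reason = True, "ok"
        reply = {"seq": body["seq"], "nai": body["nai"], "authorized": ok,
                 "reason": reason, "lifetime": sub["credit"] if ok else 0}
        return protect(key, reply)      # tagged reply lets the HA authenticate AAA-MSP (mutual)


class HomeAgent:
    """Home Agent acting as NAS for MIPv6 (constructed toy)."""

    def __init__(self, ha_id: str, aaa_key: bytes, aaa: AAAMSP, mn_sa: dict):
        self.ha_id, self.aaa_key, self.aaa = ha_id, aaa_key, aaa
        self.mn_sa = mn_sa      # NAI -> key standing in for the static IPsec SA of scenario n.4
        self.seq = 0
        self.bindings = {}      # NAI -> home address (binding cache)
        self.accounting = []    # records to be transferred to AAA-MSP

    def binding_update(self, bu: dict) -> dict:
        nai, hoa = bu["body"]["nai"], bu["body"]["hoa"]
        # Step 1, authentication: what the MN-HA IPsec SA gives you.
        sa_key = self.mn_sa.get(nai)
        if sa_key is None or not hmac.compare_digest(bu["tag"], _mac(sa_key, bu["body"])):
            return {"status": "rejected", "reason": "bu-authentication-failed"}
        # Step 2, authorization: what the IPsec SA does not give you; ask AAA-MSP.
        self.seq += 1
        req = protect(self.aaa_key, {"ha": self.ha_id, "seq": self.seq, "nai": nai, "hoa": hoa})
        reply = self.aaa.handle(req)
        if (reply is None
                or not hmac.compare_digest(reply["tag"], _mac(self.aaa_key, reply["body"]))
                or reply["body"]["seq"] != self.seq):
            return {"status": "rejected", "reason": "no-valid-aaa-reply"}
        if not reply["body"]["authorized"]:
            return {"status": "rejected", "reason": reply["body"]["reason"]}
        self.bindings[nai] = hoa
        self.accounting.append(("bce-created", nai, hoa))   # accounting: BCE creation event
        return {"status": "accepted", "hoa": hoa, "lifetime": reply["body"]["lifetime"]}


def run_demo() -> dict:
    """Constructed sample subscribers and BUs; returns every outcome for checking."""
    ha_key = b"ha1-aaa-msp-shared-secret"
    aaa = AAAMSP(ha_keys={"ha1": ha_key},
                 subscribers={"alice@msp.example": {"mipv6": True, "credit": 3600},
                              "bob@msp.example": {"mipv6": True, "credit": 0}})  # bob: no credit
    sa = {"alice@msp.example": b"alice-sa-key", "bob@msp.example": b"bob-sa-key"}
    ha = HomeAgent("ha1", ha_key, aaa, sa)
    alice_bu = protect(sa["alice@msp.example"], {"nai": "alice@msp.example", "hoa": "2001:db8:1::a"})
    bob_bu = protect(sa["bob@msp.example"], {"nai": "bob@msp.example", "hoa": "2001:db8:1::b"})
    forged_bu = protect(b"attacker-key", {"nai": "alice@msp.example", "hoa": "2001:db8:1::bad"})
    out = {"alice": ha.binding_update(alice_bu),
           "bob": ha.binding_update(bob_bu),
           "forged": ha.binding_update(forged_bu)}
    # Replaying the HA's last (already accepted) request must be dropped by AAA-MSP.
    replay = protect(ha_key, {"ha": "ha1", "seq": ha.seq, "nai": "alice@msp.example", "hoa": "2001:db8:1::a"})
    out["replay_dropped"] = aaa.handle(replay) is None
    out["bindings"] = dict(ha.bindings)
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

In the demo, alice's BU passes both checks and creates a binding cache entry with a lifetime bounded by her remaining credit; bob's BU authenticates correctly under his SA yet is rejected with "credit-exhausted", which is exactly the gap scenario n.4 describes; a BU tagged with the wrong key never reaches AAA-MSP; and a replayed HA request is silently dropped. A real deployment would carry the same semantics in Diameter or RADIUS attributes over an encrypted transport, which this toy leaves out.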

10 Next Steps
Identify a protocol that fulfills the goals
– Diameter
– RADIUS
– SNMPv3
Identify a framework and develop the interface for that?
Alternatively, develop a more general interface for different bootstrapping scenarios?

