November 2004, 61st IETF MIP6 WG: Mobile IPv6 Bootstrapping Architecture using DHCP (draft-ohba-mip6-boot-arch-dhcp-00), Yoshihiro Ohba, Rafael Marin Lopez et al.


Slide 1: Mobile IPv6 Bootstrapping Architecture using DHCP
draft-ohba-mip6-boot-arch-dhcp-00
Yoshihiro Ohba, Rafael Marin Lopez, Mayumi Yanagiya, Hiroyuki Ohnishi and Kuntal Chowdhury

Slide 2: Mobility Service, Network Access Service and AAA
- Integration of a bootstrapping architecture with the AAA infrastructure is needed
  – Operators rely on AAA protocols to provide authentication, authorization and accounting for the subscribers of their services
  – The services include network access service and mobility service
- In many cases, AAA for network access (AAA-NA) occurs before AAA for mobility service (AAA-MS)
- It is reasonable to consider a scenario where there is some dependency between AAA-NA and AAA-MS

Slide 3: Two Minimum Sets of Seed Information
- Parameter Set 1:
  – The domain name or FQDN of the home agent
  – IKE credentials
- Parameter Set 2:
  – Network access credentials
- draft-ohba-mip6-boot-arch uses Parameter Set 2

Slide 4: Basic Architecture
[Diagram. Entities: Mobile Node/DHCP Client, NAS, DHCP Server and AAA-NA Server (ASP or IASP); AAA-MS Server and Home Agent (Serving or Home MSP). Protocols shown: network access authentication protocol, DHCPv6 protocol, and the AAA protocol on three links.]

Slide 5: Basic Architecture (cont'd)
- The DHCP server in the visited network is used for delivering bootstrap information to the MN
  – The visited network may be the home network
- DHCP delayed authentication is used for integrity-protected delivery of the bootstrap information
  – The DHCP delayed authentication key is also bootstrapped from AAA-NA
  – Alper's comment: the DHCP authentication problem can be separated
- The NAS and/or DHCP server in the visited network is aware of the MIPv6 service (but they do not need to speak MIPv6)
- Two models exist depending on who is the AAA-MS client
  – Model 1: DHCP server as AAA-MS client. The DHCP server directly communicates with the AAA-MS server to obtain MIP6 bootstrap information
  – Model 2: NAS as AAA-MS client. The NAS communicates with the AAA-MS server to obtain MIP6 bootstrap information and passes the obtained bootstrap information to the DHCP server
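The integrity-protected delivery described on this slide, as an added example (not code from the draft or the presentation): the DHCP server signs a DHCPv6 Reply carrying the bootstrap information with a shared delayed-authentication key, and the DHCP client checks the replay counter and the MAC before accepting it. The Authentication option layout follows RFC 3315 (option code 11, protocol 2, algorithm 1 = HMAC-MD5, RDM 0); the realm, key id, transaction id and the option code 65000 used to carry the home agent address are constructed placeholders, as no standard bootstrap option exists on the page.

```python
import hmac, hashlib, struct

# DHCPv6 Authentication option (RFC 3315): code 11; delayed authentication
# protocol 2, algorithm 1 = HMAC-MD5, RDM 0 = monotonically increasing counter.
OPTION_AUTH = 11
PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER = 2, 1, 0
REALM, KEY_ID = b"example.net", 1        # constructed realm and key id
OPTION_HA_PLACEHOLDER = 65000            # hypothetical "MIP6 bootinfo" option code
MSG_REPLY, TXID = 7, b"\x00\x00\x01"     # DHCPv6 REPLY type, constructed txid

def auth_option(replay, mac=b"\x00" * 16):
    body = struct.pack("!BBBQ", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, replay)
    body += REALM + struct.pack("!I", KEY_ID) + mac
    return struct.pack("!HH", OPTION_AUTH, len(body)) + body

def ha_option(ha_addr16):
    return struct.pack("!HH", OPTION_HA_PLACEHOLDER, 16) + ha_addr16

def sign_reply(key, replay, options):
    # Server: HMAC-MD5 over the whole message with the MAC field zeroed,
    # then patch the MAC into the option's trailing 16 bytes.
    msg = bytes([MSG_REPLY]) + TXID + options + auth_option(replay)
    return msg[:-16] + hmac.new(key, msg, hashlib.md5).digest()

def find_option(msg, code):
    off = 4                                   # skip msg-type + transaction-id
    while off + 4 <= len(msg):
        c, ln = struct.unpack("!HH", msg[off:off + 4])
        if c == code:
            return off, ln
        off += 4 + ln
    return None

def verify_reply(key, msg, last_replay):
    # Client: reject a missing or unsupported auth option, a non-increasing
    # replay counter, or a bad MAC. Returns (accepted, new_last_replay).
    found = find_option(msg, OPTION_AUTH)
    if found is None:
        return False, last_replay
    off, ln = found
    proto, alg, rdm, replay = struct.unpack("!BBBQ", msg[off + 4:off + 15])
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        return False, last_replay
    if replay <= last_replay:
        return False, last_replay
    mac_at = off + 4 + ln - 16
    zeroed = msg[:mac_at] + b"\x00" * 16 + msg[mac_at + 16:]
    good = hmac.compare_digest(hmac.new(key, zeroed, hashlib.md5).digest(), msg[mac_at:mac_at + 16])
    return (good, replay) if good else (False, last_replay)
```

A modified home agent address, a replayed message, a wrong key, or a Reply with no Authentication option are all rejected by verify_reply; in the architecture on this slide the key itself would have been obtained from the AAA-NA exchange.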

Slide 6: Model 1 (DHCP Server as AAA-MS Client)
[Diagram. Entities: Mobile Node (Network Access Client, DHCP Client), NAS, DHCP Server, AAA Infrastructure, Home Agent. Steps: (1) Network Access Authentication Protocol, (1') AAA-NA, (2) AAA-MS, (2) DHCPv6 with Delayed Authentication, (3) IKE. Keys shown: DHCP Key, AAA-Key. Bootstrap information shown: MIP6 bootinfo {HA [,HoA or HoL]}, MIP6 bootinfo {HA [,HoA or HoL], DHCP-key}, MIP6 bootinfo {[HoA or HoL]}, MIP6 bootinfo {IKE credentials [,HoA or HoL]}.]

Slide 7: Model 2 (NAS as AAA-MS Client)
[Diagram. Entities: Mobile Node (Network Access Client, DHCP Client), NAS, DHCP Server, AAA Infrastructure, Home Agent. Steps: (1) Network Access Authentication Protocol, (1') AAA-NA, (2) AAA-MS, (2') DHCPv6 with Delayed Authentication, (3) IKE. Key shown: DHCP Key. Bootstrap information shown: MIP6 bootinfo {HA [,HoA or HoL]}, MIP6 bootinfo {HA [,HoA or HoL] [,DHCP-key]}, MIP6 bootinfo {[HoA or HoL]}, MIP6 bootinfo {IKE credentials [,HoA or HoL]}, MIP6 bootinfo {HA [,HoA or HoL], AAA-Key [,DHCP-key]}.]

Slide 8: Mapping to Bootstrapping Scenarios
- The bootstrapping problem statement draft identifies four cases
  – Mobility Service Subscription Scenario
  – Integrated ASP (IASP) Scenario
  – Third-party MSP Scenario
  – Infrastructure-less Scenario
- Some scenarios do not assume a relationship between AAA-NA and AAA-MS
  – The mobility service subscription scenario and the infrastructure-less scenario are not supported in this bootstrapping architecture
- This architecture is intended for the IASP scenario and the third-party ASP scenario

Slide 9: Integrated ASP Scenario (Model 1)
[Sequence diagram within the IASP (ASP+MSP). Participants: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages: Authentication, NA Req., NA Rep., Authorization for NA, AAA-NA, DHCP Req., Parameter Req., Parameter Req., Authorization for MS, DHCP Rep., IKE credentials, IKEv2.]

Slide 10: Integrated ASP Scenario (Model 2)
[Sequence diagram within the IASP (ASP+MSP). Participants: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages: Authentication, NA Req., NA Rep., Authorization for NA, Parameter Req., Authorization for MS, Parameter Rep., AAA-NA, DHCP Req., DHCP Rep., IKE credentials, IKEv2.]

Slide 11: Third-Party MSP Scenario (Model 1)
[Sequence diagram across ASP, Serving MSP and Home MSP. Participants: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages: Authentication, NA Req., NA Rep., Authorization for NA, AAA-NA, DHCP Req., Parameter Req., Authorization for MS, DHCP Rep., IKE credentials, IKEv2. Note: Home MSP is integrated with ASP, OR Home MSP has a roaming agreement with ASP.]

Slide 12: Third-Party MSP Scenario (Model 2)
[Sequence diagram across ASP, Serving MSP and Home MSP. Participants: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages: Authentication, NA Req., NA Rep., Authorization for NA, Parameter Req., Authorization for MS, Parameter Rep., AAA-NA, DHCP Req., DHCP Rep., IKE credentials, IKEv2. Note: Home MSP is integrated with ASP, OR Home MSP has a roaming agreement with ASP.]

Slide 13: Other Bootstrapping Architectures (draft-yegin-mip6-aaa-fwk)
- Uses the home agent as AAA-MS client
- Assumption: the HA address is somehow known to the MN (e.g., pre-configuration, DNS SRV record)
- Simplest, but operators want flexibility in the assignment of the HA address
  – E.g., assigning a different HA depending on the profile of the subscriber

Slide 14: Other Bootstrapping Architectures (draft-giaretta-mip6-authorization-eap)
- Uses EAP for conveying bootstrapping information between the MN (EAP peer) and the AAA-NA server (EAP server)
- The bootstrapping procedure is transparent to the access network
- Potential complexity for the multiple-domain case

Slide 15: Security Considerations
- Question: Is it valid to use DHCP in the ASP to deliver an HA assigned by the MSP?
  – If the ASP and MSP are separate, the MSP might not want to expose bootstrapping information to other providers
- Answer: The bootstrapping information can be encrypted based on the SA between the MN and the AAA-MS server
  – The DHCP server can deliver the encrypted information to the mobile as opaque data if such an option is defined

Slide 16: Open Issues
- When multiple MSPs are able to assign an HA to the MN, how to determine which MSP should be the assigner(s)?
  – This case could happen in a hybrid of the IASP scenario and the third-party scenario (i.e., AAA-MS servers exist in both the ASP and the home MSP)
- Model 1 might have a security issue
  – If there is no coordination between the AAA-MS client (DHCP server) and the AAA-NA client (NAS), the AAA-MS procedure is performed without authentication
  – A DHCP server would initiate AAA-MS without making sure that the requesting MN has been authorized by the NAS in the AAA-NA procedure

Slide 17: Next Step
- If the architecture is relevant, make it part of the entire bootstrapping architecture
  – This architecture is NOT the only solution
- Resolve the open issues

Slide 18: Thank you!
