
1 © NOKIA Nokia_TIA-835D_MIPv6_authentication / 18AUG03 / ETacsik
MIPv6 authentication
- MIPv6 authentication – AAAv6
- MIPv6 authentication – PANA
- MIPv6 authentication – PPP
- MIPv6 authentication – comparison
- Appendix A: IEEE 802.1x authentication

2 MIPv6 authentication – AAAv6

3 AAAv6 Introduction
- Proposes a way for IPv6 nodes (clients) to offer credentials to a local AAA server in order to be granted access to the local network.
- The client solicits access to the network in conjunction with some protocol. Protocols considered in this document include:
  - Stateless Address Autoconfiguration (RFC 2462)
  - Mobile IPv6
  - DHCPv6
- Controlled and uncontrolled access: each network interface of the router can be configured to provide AAA services. When an interface is so configured, all transiting packets are subject to controlled access. If a packet does not pass access control but is an AAA message addressed to the router, it is given to the Attendant in the uncontrolled access part.

4 Conformance to IPv4 model
- Basic RADIUS/DIAMETER doesn't require changes
- AAA servers in home and local domain
- Attendant at the local point of attachment (as the FA is for MIPv4)
- Node desiring authorization supplies identification and credentials to the attendant
[Figure: AAAL and AAAH servers, Local Attendant, Home Agent; the client is identified as charliep@nokia.com]

5 AAAv6 Router System (PDSN)
- The router is the node that provides network access to the client. In addition to the usual packet forwarding functionality, the router system consists of functional blocks such as the attendant and the packet filter.
- Attendant: the entity that extracts identification and authorization data sent by the client and forwards them to the AAAL for verification. It is also responsible for making the necessary configuration updates (e.g., to the packet filter and the router's Neighbor Cache) so that only authorized clients can access the network.
- Packet filter: a packet filter/firewall/security gateway is the entity responsible for disallowing unauthorized datagram traffic. When a client is authorized, the access control list of the filter is updated with the corresponding client's IP address(es).

6 System Point of View
[Figure: Router System (Attendant, Filter), Client System (Client), AAA Server Infrastructure (AAAL, AAAH)]

7 AAAv6 Messages
- New ICMPv6 messages transport AAA data between the client and the attendant. In addition, several options that can be embedded in an AAAv6 Protocol Message are defined.
- AAAv6 Protocol Message types, from client to attendant:
  - AAA Request: request for client authorization.
  - AAA Home Challenge Request: request for a new challenge from the AAAH.
- From attendant to client:
  - AAA Reply: reply to an AAA Request.
  - AAA Teardown: indication of termination of the currently active AAA registration. This message is always sent unsolicited to the registered AAA client.

8 General AAAv6 protocol overview
- LC = Local AAA Challenge
- RPI = Replay Protection Indicator, used between client and AAAH
- CR = AAA Credential
- ID = Client Identifier
- KR = Key Reply
- UCP = Uncontrolled part
- CP = Controlled part
- ACR = AAA Client Request (using an AAA protocol)
- ACA = AAA Client Answer (using an AAA protocol)
[Figure: message flow between the MN, the router subsystem (UCP and CP), the AAAL and the AAAH. Labelled messages, in order: Challenge; ID, CR, RPI, Ch; ACR; ACA; Status, RPI, Key; update config]
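The flow on this slide, written out as an added example in Python (not code from the presentation or from the AAAv6 drafts): the attendant in the UCP issues a Local Challenge, the client answers with ID, CR, RPI and the echoed challenge, the attendant forwards an ACR through the AAAL to the AAAH, the AAAH checks the credential and the RPI and returns a status plus key, and the attendant updates the CP packet filter. The credential construction (HMAC-SHA256 over ID, LC and RPI), the strictly increasing counter used as RPI, the key derivation, the addresses and the use of the NAI from slide 4 are all this example's assumptions; the ICMPv6 message encodings are not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed long-term MS<->AAAH key, indexed by client identifier (ID / NAI).
# The slides do not say how CR is computed; HMAC-SHA256 over ID, LC and RPI is
# this example's assumption, as is a strictly increasing counter as the RPI.
AAAH_KEYS = {"charliep@nokia.com": bytes.fromhex("9f" * 32)}


def credential(key, client_id, challenge, rpi):
    """CR = HMAC(K_ms_aaah, ID || LC || RPI)."""
    msg = client_id.encode() + challenge + rpi.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class AAAH:
    """Home AAA server: verifies CR, enforces RPI freshness, returns status + key (KR)."""
    def __init__(self, keys):
        self.keys, self.last_rpi = dict(keys), {}

    def handle_acr(self, acr):
        key = self.keys.get(acr["id"])
        if key is None:
            return {"status": "unknown-client"}
        expected = credential(key, acr["id"], acr["challenge"], acr["rpi"])
        if not hmac.compare_digest(expected, acr["credential"]):
            return {"status": "bad-credential"}
        if acr["rpi"] <= self.last_rpi.get(acr["id"], 0):
            return {"status": "replay"}      # valid credential, but an RPI already accepted
        self.last_rpi[acr["id"]] = acr["rpi"]
        kr = hmac.new(key, b"KR" + acr["challenge"] + acr["rpi"].to_bytes(8, "big"), hashlib.sha256).digest()
        return {"status": "ok", "rpi": acr["rpi"], "key": kr}


class AAAL:
    """Local AAA server; here it only relays ACR/ACA to the home domain."""
    def __init__(self, aaah):
        self.aaah = aaah

    def forward(self, acr):
        return self.aaah.handle_acr(acr)


class Attendant:
    """Router UCP: hands out LC, consumes it once, forwards to the AAAL, then updates the CP filter."""
    def __init__(self, aaal):
        self.aaal, self.outstanding, self.acl = aaal, set(), set()

    def challenge(self):
        lc = secrets.token_bytes(16)
        self.outstanding.add(lc)
        return lc

    def handle_request(self, req, src_addr):
        if req["challenge"] not in self.outstanding:
            return {"status": "stale-challenge"}
        self.outstanding.discard(req["challenge"])        # a challenge is single-use
        aca = self.aaal.forward({k: req[k] for k in ("id", "challenge", "rpi", "credential")})
        if aca["status"] == "ok":
            self.acl.add(src_addr)                        # "update config": open the CP for this client
        return {"status": aca["status"], "rpi": req["rpi"], "key": aca.get("key")}

    def teardown(self, src_addr):
        self.acl.discard(src_addr)                        # AAA Teardown: registration ends, CP closes

    def forwards(self, src_addr):
        return src_addr in self.acl


class Client:
    def __init__(self, nai, key, addr):
        self.nai, self.key, self.addr, self.rpi = nai, key, addr, 0

    def request(self, lc):
        self.rpi += 1
        return {"id": self.nai, "challenge": lc, "rpi": self.rpi,
                "credential": credential(self.key, self.nai, lc, self.rpi)}


def run_demo():
    """One successful registration, then three requests the exchange must reject."""
    attendant = Attendant(AAAL(AAAH(AAAH_KEYS)))
    mn = Client("charliep@nokia.com", AAAH_KEYS["charliep@nokia.com"], "2001:db8::1")
    req = mn.request(attendant.challenge())
    reply = attendant.handle_request(req, mn.addr)
    out = {"first": reply["status"], "key_len": len(reply["key"]), "forwarded": attendant.forwards(mn.addr)}
    # 1. Replay of the identical AAA Request: the challenge was already consumed.
    out["replay_same"] = attendant.handle_request(req, mn.addr)["status"]
    # 2. Fresh challenge and correct key, but an RPI the AAAH has already accepted.
    lc2 = attendant.challenge()
    stale = dict(req, challenge=lc2, credential=credential(mn.key, mn.nai, lc2, req["rpi"]))
    out["replay_rpi"] = attendant.handle_request(stale, mn.addr)["status"]
    # 3. Same NAI with the wrong key from another address: no filter entry may appear.
    intruder = Client(mn.nai, b"\x00" * 32, "2001:db8::2")
    intruder.rpi = 100
    out["wrong_key"] = attendant.handle_request(intruder.request(attendant.challenge()), intruder.addr)["status"]
    out["intruder_forwarded"] = attendant.forwards(intruder.addr)
    attendant.teardown(mn.addr)
    out["after_teardown"] = attendant.forwards(mn.addr)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two checks matter here beyond the credential itself: the attendant treats LC as single-use, so a captured AAA Request cannot be replayed at the same router, and the AAAH keeps the last accepted RPI per client, so a request rebuilt against a fresh challenge but an old RPI is still refused. The credential is verified before the RPI so that an outsider cannot probe the replay state with an unauthenticated message.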

9 MIPv6 authentication – PANA

10 Protocol for carrying Authentication for Network Access (PANA)
An IETF Protocol for Last-hop AAA
Alper Yegin, Basavaraj Patil, IETF PANA WG Chairs

11 Overview
- A network-layer (i.e., link-layer and IP-version agnostic) access authentication protocol that can carry various authentication methods
- Last-hop AAA (i.e., between host and access network)
- AAA backend can be either RADIUS or Diameter
- Purpose: enable authentication and authorization of nodes and networks for gaining network access
[Figure: protocol stack, top to bottom: Authentication method / EAP / PANA / UDP / IP]

12 PANA
- PANA is a standards-track solution that will allow any authentication method to be used on any link layer
- No need to rely on the underlying L2 for providing an authentication mechanism
- No need to resort to non-standard ad-hoc schemes (e.g., web-based login)
- No need to stretch and overload existing protocols (e.g., using Mobile IPv4 for network access authentication)

13 Architecture
[Figure: PaC (MT) <-- PANA --> PAA (PDSN) <-- DIAMETER/Radius --> Authentication Server, across the Internet]

14 Signaling
- Before authentication, the MT is allowed to send and receive only PANA packets (and maybe DHCP, Router Discovery)
- PANA can be engaged before or after the MT has been assigned an IP address (i.e., it can work with the 0.0.0.0 address)
- After PANA is completed, the MT is allowed any traffic allowed by its AAA profile: the PDSN turns the gate open
[Figure: MT (PaC), PDSN (PAA) and AAA. Message flow: PANA Discovery; PANA carrying EAP between MT and PDSN, with RADIUS/Diameter between PDSN and AAA; PANA Termination]
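The gate described on this slide, together with the "limited free access" model from slide 19, as an added example in Python (not code from the presentation or the PANA working group): an enforcement point that passes only PANA, DHCP and Router Discovery before authentication, then per-MT profile traffic once the PAA reports EAP success, and closes again on PANA Termination or when the session lifetime runs out. The UDP port 716 (IANA's later assignment for PANA, which the 2003 drafts predate), the MAC and IP addresses, the profile shape and the lifetime are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Port 716 is the IANA assignment PANA received later (RFC 5191); the 2003 drafts
# on the slides predate it, so treat the constant as this example's assumption.
PANA_UDP_PORT = 716
DHCP_PORTS = {67, 68, 546, 547}          # DHCPv4 and DHCPv6
ICMPV6_RS, ICMPV6_RA = 133, 134          # Router Solicitation / Advertisement


@dataclass(frozen=True)
class Packet:
    link_id: str                 # MT link-layer identity; before PANA the IP may still be 0.0.0.0
    src_ip: str
    dst_ip: str
    proto: str                   # "udp", "tcp" or "icmpv6"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Session:
    expires_at: float
    allowed: frozenset           # AAA profile: (proto, dport) pairs, or {"*"} for unrestricted


class EnforcementPoint:
    """The PDSN 'gate': closed by default, opened per MT by the PAA after a successful EAP run."""
    def __init__(self, free_zone=()):
        self.sessions = {}
        self.free_zone = frozenset(free_zone)   # "limited free access": reachable without authentication

    def pre_auth_allowed(self, p):
        if p.proto == "udp" and (p.dport == PANA_UDP_PORT or p.dport in DHCP_PORTS):
            return True
        if p.proto == "icmpv6" and p.icmp_type in (ICMPV6_RS, ICMPV6_RA):
            return True
        return p.dst_ip in self.free_zone

    def open_gate(self, link_id, allowed, lifetime, now):
        self.sessions[link_id] = Session(now + lifetime, frozenset(allowed))

    def close_gate(self, link_id):              # PANA Termination, or lifetime expiry
        self.sessions.pop(link_id, None)

    def decide(self, p, now):
        if self.pre_auth_allowed(p):
            return "allow"
        s = self.sessions.get(p.link_id)        # keyed on link identity, not on the (spoofable, possibly unassigned) IP
        if s is None:
            return "drop"
        if now >= s.expires_at:
            self.close_gate(p.link_id)
            return "drop"
        return "allow" if "*" in s.allowed or (p.proto, p.dport) in s.allowed else "drop"


class PAA:
    """PANA Authentication Agent: turns an EAP outcome plus the AAA profile into gate state."""
    def __init__(self, ep, profiles):
        self.ep, self.profiles = ep, profiles   # profiles: identity -> (allowed, lifetime); constructed

    def on_eap_result(self, link_id, identity, success, now):
        if not success or identity not in self.profiles:
            self.ep.close_gate(link_id)
            return False
        allowed, lifetime = self.profiles[identity]
        self.ep.open_gate(link_id, allowed, lifetime, now)
        return True

    def on_termination(self, link_id):
        self.ep.close_gate(link_id)


def run_demo():
    ep = EnforcementPoint(free_zone={"203.0.113.10"})       # constructed free-zone portal address
    paa = PAA(ep, {"charliep@nokia.com": ({("tcp", 80), ("tcp", 443)}, 3600)})
    mt, t0 = "00:11:22:33:44:55", 1_000_000.0
    web = Packet(mt, "10.0.0.5", "198.51.100.1", "tcp", dport=80)
    out = {
        "pana_pre_auth": ep.decide(Packet(mt, "0.0.0.0", "10.0.0.1", "udp", dport=PANA_UDP_PORT), t0),
        "dhcp_pre_auth": ep.decide(Packet(mt, "0.0.0.0", "255.255.255.255", "udp", dport=67), t0),
        "web_pre_auth": ep.decide(web, t0),
        "free_zone_pre_auth": ep.decide(Packet(mt, "0.0.0.0", "203.0.113.10", "tcp", dport=80), t0),
    }
    paa.on_eap_result(mt, "charliep@nokia.com", True, t0)
    out["web_after_auth"] = ep.decide(web, t0 + 1)
    out["ssh_after_auth"] = ep.decide(Packet(mt, "10.0.0.5", "198.51.100.1", "tcp", dport=22), t0 + 1)
    # Another MT copying the authorized IP address still hits a closed gate.
    out["spoofed_ip"] = ep.decide(Packet("66:77:88:99:aa:bb", "10.0.0.5", "198.51.100.1", "tcp", dport=80), t0 + 1)
    out["after_expiry"] = ep.decide(web, t0 + 3600)
    paa.on_eap_result(mt, "charliep@nokia.com", True, t0 + 3600)
    paa.on_termination(mt)
    out["after_termination"] = ep.decide(web, t0 + 3601)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The gate is keyed on the link identity rather than the IP address because the MT may not have an address yet (the 0.0.0.0 case on this slide) and because an address is trivially copied by another host. On a link without lower-layer security (slide 15's third scenario) the link identity can be spoofed as well, which is what the per-packet protection bootstrapped on slide 16 is for.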

15 Supported Scenarios
- PANA over physically secured networks (e.g., DSL)
- PANA over already cipher-secured links (e.g., cdma2000 in 3GPP2)
- PANA without any lower-layer security; it can enable L2 or L3 ciphering as a result of authentication

16 Data Security
- PANA can be used for enabling per-packet authentication and encryption
  - At L2 (e.g., bootstrap WEP)
  - At L3 (e.g., bootstrap IPsec; see draft-mohanp-pana-ipsec-00.txt)
- Uses the EAP keying framework

17 Useful PANA Features
- Unifying: can be used on any link layer for any type of access (simple IPv4/IPv6, Mobile IPv4/IPv6)
- Extensible: support for any authentication method via EAP; standard and vendor-specific AVPs
- Easy to deploy: PANA can be implemented as a UDP-based application

18 Useful PANA Features
- Provides deployment flexibility: the PAA can be placed on any device on the last hop. PAA, access router and access enforcement points can be hosted on separate nodes.
- Well integrated with the "Internet AAA architecture": EAP, RADIUS, Diameter, IPsec, IKE, provisioning protocols
- Mobility optimizations: re-use of an ongoing PANA session even after a PAA (subnet) change

19 Useful PANA Features
- Bootstraps a local security association, useful for securing other protocols (e.g., draft-tschofenig-pana-bootstrap-rfc3118-00.txt)
- Authentication sequencing; example: separate ISP and NAP authentication
- Multiple parallel authenticated sessions
- "Limited free access" model: forcing authentication only after the client attempts to access beyond the free zone

20 Proposal
- Mobile IPv6 is intended for use in cdma2000 networks in Revision "D"
- PANA can be used as the authentication protocol for clients before allowing Mobile IPv6 access
- It can enable various levels of last-hop AAA unification and enhanced features

21 Status
- Informational drafts being reviewed by the IESG: problem statement, requirements, security threats
- PANA protocol: mostly completed, being revised and reviewed; expected to be completed before the end of '03

22 Pointers
- Working Group web site: www.ietf.org/html.charters/pana-charter.html
- Additional web site: http://www.toshiba.com/tari/pana/pana.htm
- FAQ: http://www.toshiba.com/tari/pana/pana-faq.txt

23 MIPv6 authentication – PPP

24 PPP/EAP
Uses the LCP Configuration Option for Authentication-Protocol (as with Simple IP service), i.e.:

Description
On some links it may be desirable to require a peer to authenticate itself before allowing network-layer protocol packets to be exchanged. This Configuration Option provides a method to negotiate the use of a specific protocol for authentication.
A summary of the Authentication-Protocol Configuration Option format is shown below. The fields are transmitted from left to right.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |     Authentication-Protocol   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Data ...
    +-+-+-+-+

25 Authentication Protocol
The Authentication-Protocol field is two octets and indicates the authentication protocol desired. Values for this field are always the same as the PPP Protocol field values for that same authentication protocol.

  Value (in hex)   Protocol
  C023             Password Authentication Protocol (PAP)
  C223             Challenge Handshake Authentication Protocol (CHAP)
  C227             Extensible Authentication Protocol (EAP) [RFC2284]

Within the EAP Request message there is a Type field that indicates what authentication is being requested. Examples of Request Types include MD5-Challenge, etc.
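The option format on the previous slide and the EAP Type field on this one, as an added example in Python that is not code from the presentation: the LCP Authentication-Protocol option encoded with the C227 value, and a complete EAP conversation over PPP (Request/Identity, Request/MD5-Challenge, Success or Failure) with the EAP packet format of RFC 2284/3748 and the MD5-Challenge response computed as in CHAP. The user name, the shared secret, the "pdsn" Name field and the authenticator/peer state machines are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4
PPP_PROTO_EAP = 0xC227           # the slide's Authentication-Protocol value for EAP
LCP_OPT_AUTH_PROTOCOL = 3        # LCP Configuration Option type for Authentication-Protocol (RFC 1661)


def lcp_auth_option(protocol):
    """Type | Length | Authentication-Protocol; EAP carries no Data, so the option is 03 04 C2 27."""
    return struct.pack("!BBH", LCP_OPT_AUTH_PROTOCOL, 4, protocol)


def eap_encode(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length")
    body = pkt[4:length]                        # PPP padding beyond Length is ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        return code, ident, body[0], body[1:]
    return code, ident, None, body


def md5_response(ident, secret, challenge):
    """MD5-Challenge response Value: MD5(Identifier || secret || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """PDSN side: Request/Identity, then Request/MD5-Challenge, then Success or Failure."""
    def __init__(self, users):
        self.users, self.ident, self.peer, self.challenge = users, 0, None, None

    def _next_ident(self):
        self.ident = (self.ident + 1) % 256
        return self.ident

    def start(self):
        return eap_encode(EAP_REQUEST, self._next_ident(), EAP_TYPE_IDENTITY)

    def handle(self, pkt):
        code, ident, etype, data = eap_decode(pkt)
        if code != EAP_RESPONSE or ident != self.ident:
            return None                          # not an answer to the outstanding Request: discard
        if etype == EAP_TYPE_IDENTITY:
            self.peer = data.decode("utf-8", "replace")
            self.challenge = secrets.token_bytes(16)
            type_data = bytes([len(self.challenge)]) + self.challenge + b"pdsn"   # Value-Size, Value, Name
            return eap_encode(EAP_REQUEST, self._next_ident(), EAP_TYPE_MD5, type_data)
        if etype == EAP_TYPE_MD5 and self.challenge is not None:
            value, secret = data[1:1 + data[0]], self.users.get(self.peer)
            ok = secret is not None and hmac.compare_digest(value, md5_response(ident, secret, self.challenge))
            self.challenge = None
            return eap_encode(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap_encode(EAP_FAILURE, ident)


class Peer:
    """MS side: answers Identity and MD5-Challenge, Naks any other Request Type."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def handle(self, pkt):
        code, ident, etype, data = eap_decode(pkt)
        if code != EAP_REQUEST:
            return None                          # Success/Failure end the conversation
        if etype == EAP_TYPE_IDENTITY:
            return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.name.encode())
        if etype == EAP_TYPE_MD5:
            value = md5_response(ident, self.secret, data[1:1 + data[0]])
            return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(value)]) + value + self.name.encode())
        return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes([EAP_TYPE_MD5]))


def run_conversation(auth, peer, max_rounds=8):
    """Drive both sides; returns (final EAP Code, PPP frames as they would appear on the link)."""
    pkt, frames = auth.start(), []
    for _ in range(max_rounds):
        frames.append(struct.pack("!H", PPP_PROTO_EAP) + pkt)   # PPP Protocol field C227 + EAP packet
        reply = peer.handle(pkt)
        if reply is None:
            break
        frames.append(struct.pack("!H", PPP_PROTO_EAP) + reply)
        pkt = auth.handle(reply)
        if pkt is None:
            break
    return eap_decode(frames[-1][2:])[0], frames


if __name__ == "__main__":
    users = {"charliep@nokia.com": b"constructed-secret"}
    print(run_conversation(Authenticator(users), Peer("charliep@nokia.com", b"constructed-secret"))[0])
```

Two details worth keeping when adapting this: a Response is only accepted when its Identifier matches the outstanding Request, and the authenticator forgets the challenge once it has been answered, so a captured Response cannot be replayed against a later challenge. MD5-Challenge itself derives no keying material and can be attacked offline by anyone who sees the exchange, so on a link that is not already ciphered the "key distribution via EAP" row of the comparison slide requires a key-generating EAP method rather than this one.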

26 MIPv6 authentication – comparison

27 MIPv6 authentication in TIA-835D (i.e., the RFC 3012 equivalent for MIPv6)

  Criterion                  | AAAv6                                                 | PANA / EAP                                                        | PPP / EAP
  ---------------------------+-------------------------------------------------------+-------------------------------------------------------------------+---------------------------------------------------
  Message protocol           | Extend/re-use ICMPv6/DHCPv6/MIPv6 protocols           | New PANA protocol                                                 | Existing PPP protocol
  New messages               | Yes – 4 new ICMPv6                                    | Yes – several PANA protocol messages                              | No
  Key distribution           | No                                                    | Yes – via EAP                                                     | Yes – via EAP
  Authentication method      | Existing MS-AAA SA – EAP not supported                | Via PANA payload: EAP or other authentication methods             | Via PPP payload: EAP or other authentication methods
  New functionality in MS    | Minimal – but low in stack/kernel                     | PaC (PANA Client) – UDP-based application                         | Minimal/none
  New functionality in PDSN  | Yes – attendant function (can be separate from PDSN)  | Yes – PAA (PANA Authentication Agent), can be separate from PDSN  | None
  IETF status                | Limbo – awaiting WG status                            | TBD – active in PANA WG, but behind schedule                      | Little to no required effort
  Security                   | Not scrutinized by IETF yet – bigger issue outside cellular | Threat analysis completed                                    | n/a
  Layer                      | Network                                               | IP/UDP – link-layer agnostic                                      | Link
  Efficiency                 | –                                                     | Message piggybacking possible, but PANA PAA discovery needed      | No message piggybacking possible
  AAA (RADIUS vs. DIAMETER) dependency | None                                        | None                                                              | None
  Applicable to WLAN         | Yes                                                   | Yes                                                               | No – link-layer specific

28 +/- analysis

AAAv6
  Plus:
  - Evolutionary – similar functionality to RFC 3012
  - Link-layer agnostic
  - Attendant location can be outside the PDSN (WLAN)
  - Allows deprecation of PPP
  Minus:
  - IETF uncertain on necessity
  - New PDSN (e.g.) attendant functionality
  - IPv6-specific mechanism (3rd mechanism)
  - Security risks associated with all higher-layer authentication protocols – n/a for cdma2000 access

PANA/EAP
  Plus:
  - Link-layer and IP-version agnostic
  - Standards-track work – dedicated IETF WG
  - Allows deprecation of PPP for authentication
  - Harmonizes authentication across existing modes, i.e. Simple IPv4/v6, Mobile IPv4/v6, "potential" use for WLAN, Bluetooth
  Minus:
  - New protocol
  - New PDSN PAA functionality
  - Security risks associated with all higher-layer authentication protocols – n/a for cdma2000 access

PPP/EAP
  Plus:
  - Existing protocol
  Minus:
  - Link-layer specific

29 Appendix A: MIPv6 authentication – 802.1x

30 802.1x authentication
The 3-year-old Wired Equivalent Privacy (WEP) protocol has been discredited so thoroughly that its authentication and encryption capabilities are not considered sufficient for use in enterprise networks. In response to the WEP fiasco, many wireless LAN vendors have latched onto the IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs. The wildcard with the 802.1x protocol is interoperability.

31 802.1x authentication (cont)
[Figure: not recoverable from the transcript]

32 802.1x authentication (cont)
1. The wireless client sends an authentication request to either a wireless access point or an 802.1x-enabled switch.
2. The wireless access point or 802.1x-enabled switch repackages the authentication request to send on to the RADIUS server.
3. The RADIUS server examines the request and may proxy the request to another server or consult an authentication database directly.
4. If access is authenticated, the RADIUS server informs the wireless access point or 802.1x-enabled switch.
5. The wireless access point or 802.1x-enabled switch informs the client of access.
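The five steps above, as an added example in Python that is not code from the presentation: the access point repackages the client's EAP packet into a RADIUS Access-Request carrying EAP-Message and Message-Authenticator attributes (RFC 2865 and RFC 3579), and opens the port only after the Access-Accept's Response Authenticator and Message-Authenticator both verify under the shared secret. Step 3 is reduced to a constructed user database standing in for the EAP method run (the method exchange itself is the subject of the PPP/EAP example earlier on this page); the shared secret, user names, NAS address and MAC addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
EAP_SUCCESS, EAP_FAILURE = 3, 4


def pack_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def unpack_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def eap_message_attrs(eap_pkt):
    """An EAP packet travels as one or more EAP-Message attributes of at most 253 octets each."""
    return [(ATTR_EAP_MESSAGE, eap_pkt[i:i + 253]) for i in range(0, len(eap_pkt), 253)]


def _with_message_authenticator(code, ident, req_auth, attrs, secret):
    # HMAC-MD5 over Code, Identifier, Length, Request Authenticator and the attributes,
    # with the Message-Authenticator value itself set to 16 zero octets (RFC 3579).
    body = pack_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth
    return header + body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()


def build_request(ident, attrs, secret):
    req_auth = secrets.token_bytes(16)
    return _with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth


def build_response(code, ident, req_auth, attrs, secret):
    pkt = _with_message_authenticator(code, ident, req_auth, attrs, secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)
    return pkt[:4] + hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() + pkt[20:]


def verify_message_authenticator(pkt, req_auth, secret):
    zeroed, found = [], None
    for t, v in unpack_attrs(pkt[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            found, v = v, b"\x00" * 16
        zeroed.append((t, v))
    if found is None or len(found) != 16:
        return False                           # mandatory whenever EAP-Message is carried
    expected = hmac.new(secret, pkt[:4] + req_auth + pack_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, found)


def verify_response(pkt, req_auth, secret):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20]) and verify_message_authenticator(pkt, req_auth, secret)


class RadiusServer:
    """Step 3, with a constructed user set standing in for the EAP method run."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    def handle(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        req_auth = pkt[4:20]
        if code != ACCESS_REQUEST or length != len(pkt) or not verify_message_authenticator(pkt, req_auth, self.secret):
            return None                        # RFC 3579: silently discard
        attrs = unpack_attrs(pkt[20:])
        eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
        user = next((v.decode() for t, v in attrs if t == ATTR_USER_NAME), None)
        ok = user in self.users and len(eap) >= 4
        eap_reply = struct.pack("!BBH", EAP_SUCCESS if ok else EAP_FAILURE, eap[1] if len(eap) >= 4 else 0, 4)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, eap_message_attrs(eap_reply), self.secret)


class AccessPoint:
    """Steps 2, 4 and 5: the NAS opens the port only on a verified Access-Accept."""
    def __init__(self, secret, server, nas_ip):
        self.secret, self.server, self.nas_ip = secret, server, bytes(int(o) for o in nas_ip.split("."))
        self.ident, self.authorized = 0, set()

    def relay(self, client_mac, identity, eap_response):
        self.ident = (self.ident + 1) % 256
        attrs = [(ATTR_USER_NAME, identity.encode()), (ATTR_NAS_IP_ADDRESS, self.nas_ip)] + eap_message_attrs(eap_response)
        pkt, req_auth = build_request(self.ident, attrs, self.secret)
        reply = self.server.handle(pkt)
        if reply is None or reply[1] != self.ident or not verify_response(reply, req_auth, self.secret):
            return "drop"                      # forged, tampered or mismatched reply: port stays closed
        if reply[0] == ACCESS_ACCEPT:
            self.authorized.add(client_mac)
            return "accept"
        return "reject"


def run_demo():
    secret = b"constructed-shared-secret"
    ap = AccessPoint(secret, RadiusServer(secret, {"charliep@nokia.com"}), "192.0.2.1")
    identity = b"\x02\x01\x00\x17\x01charliep@nokia.com"          # EAP-Response/Identity, Identifier 1
    out = {"known": ap.relay("00:11:22:33:44:55", "charliep@nokia.com", identity),
           "unknown": ap.relay("66:77:88:99:aa:bb", "nobody", b"\x02\x01\x00\x0b\x01nobody")}
    # A Reject whose Code is flipped to Access-Accept in transit fails the Response Authenticator.
    req, req_auth = build_request(9, [(ATTR_USER_NAME, b"nobody")] + eap_message_attrs(identity), secret)
    reject = RadiusServer(secret, set()).handle(req)
    out["genuine_verifies"] = verify_response(reject, req_auth, secret)
    out["flipped_verifies"] = verify_response(bytes([ACCESS_ACCEPT]) + reject[1:], req_auth, secret)
    return out, ap.authorized


if __name__ == "__main__":
    print(run_demo())
```

The point of checking both authenticators on the NAS is that the Response Authenticator alone is an MD5 over the packet and the secret, while the Message-Authenticator is the HMAC RFC 3579 makes mandatory whenever EAP-Message is present; an Access-Accept that fails either one must not open the port, and the NAS also discards replies whose Identifier does not match the request it sent.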

