Session Policy Framework using EAP
draft-mccann-session-policy-framework-using-eap-00
IETF 76 – Hiroshima
Stephen McCann, Mike Montemurro
Overview
Service providers may have policies that apply to the media types, codecs etc. negotiated for SIP sessions.
The SIP WG has defined a session policy framework with a policy channel over which a mobile device obtains session policies from a policy server during SIP session establishment and modification.
The policy channel is currently realised with the SIP Event Notification mechanism (RFC 3265).
SIP Event Notification is not appropriate for bandwidth constrained links.
It is proposed to have an alternative realisation of the policy channel using a new EAP TLV.
This could also be used for other, more general, non-SIP applications where clients need to obtain policies from a server using EAP.
Solution
Perform the initial EAP exchange.
Store the keying material from that exchange, together with the relevant state information.
Re-use ERP (EAP Re-authentication Protocol).
Encapsulate the session policy exchanges within a TLV (e.g. Policy Request and Info Answer).
The TLV is carried within ERP.
Determine media authorization information at L2, in parallel with AAA authentication.
Media authorization can be implemented more efficiently using EAP/ERP.
Initialisation
(1) EAP Method Exchange (tunnel initialization)
–An EAP exchange is performed between the mobile device and the initial network component (INC, e.g. a Packet Data Gateway), with the authentication messages being forwarded to the home network AAA server.
–A suitable EAP method is used to establish a tunnel (e.g. EAP-FAST); the ERP key material for subsequent use (the rRK and rIK of RFC 5296) is derived from the keys that exchange produces.
(2) SIP registration with PCCh
–Although not part of the layer 2 exchange, it is worth showing that SIP registration between the mobile device and the PCCh (home PCC) occurs at this point. Subsequent SIP level flows are not shown.
Mobile Device Triggered
(3) EAP-Initiate/Re-auth-Start
–An ERP exchange is performed between the mobile device and the INC (e.g. Packet Data Gateway), with the re-authentication messages being forwarded to the home AAA server.
(4) ERP (Policy Request)
–The policy request message is transported within ERP (typically as a TLV) to the INC, and then forwarded (using Diameter) to the PCCh.
(5) Policy-h
–At the home AAA server, the home network policy is determined for subsequent SIP sessions.
(6) AAA (Policy Request)
–The home AAA server then requests policy information from the PCCs of all visited networks that the SIP session will traverse, using a AAA Policy Request message.
(7) AAA (Policy Response)
–Each visited PCC returns its network policy to the home network, where the session policy document is compiled.
(8) ERP (Policy Response)
–The session policy document is returned to the INC and encapsulated within ERP, before being returned to the mobile device.
Network Triggered
(9) AAA (Policy Change)
–A visited PCC changes the session policy (most likely whilst the mobile device session is on-going) and indicates to the home network server that a policy change has occurred.
(10) AAA (Policy Change Event)
–The home network server sends an Event message to the INC (most likely within Diameter).
(11) EAP-Initiate/Re-auth-Start
–The INC then requests the mobile device to execute ERP. The message flow continues as described in (4) through (8).
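The mobile-triggered flow (3) to (8) and the network-triggered flow (9) to (11), as an added example of the exchange that is not part of the draft or of these slides. It models the Policy Request/Response TLVs, the integrity tag that ERP computes with the rIK shared by the mobile device and the home AAA server, and the home server compiling the home policy and the visited PCC policies into one session policy document. The TLV type codes, the JSON policy payload, the simplified rIK derivation and tag construction, the sample policies, and the class and function names (MobileDevice, HomeServer, mobile_triggered, network_triggered) are all assumptions of this example, not the draft's wire format or the RFC 5296 encoding.

```python
"""Toy model of the session policy channel carried over ERP (added example).
Assumptions not fixed by the draft: TLV type codes, JSON policy payloads, and an
HMAC-SHA256 tag standing in for the ERP integrity check computed with the rIK."""
import hashlib
import hmac
import json
import struct

TLV_POLICY_REQUEST = 0x80   # hypothetical type code
TLV_POLICY_RESPONSE = 0x81  # hypothetical type code
TAG_LEN = 32

def derive_rik(emsk: bytes) -> bytes:
    """Simplified stand-in for the RFC 5296 rIK derivation from the EMSK of step (1)."""
    return hmac.new(emsk, b"EAP Re-authentication Integrity Key", hashlib.sha256).digest()

def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (1 byte) | Length (2 bytes, big-endian) | Value."""
    return struct.pack("!BH", tlv_type, len(value)) + value

def decode_tlvs(buf: bytes) -> dict:
    """Parse consecutive TLVs, rejecting truncated headers and out-of-range lengths."""
    tlvs, i = {}, 0
    while i < len(buf):
        if len(buf) - i < 3:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!BH", buf[i:i + 3])
        i += 3
        if length > len(buf) - i:
            raise ValueError("TLV length exceeds buffer")
        tlvs[tlv_type] = buf[i:i + length]
        i += length
    return tlvs

def erp_protect(rik: bytes, tlvs: bytes) -> bytes:
    """Append an integrity tag over the TLVs; the TLV payload itself stays in cleartext."""
    return tlvs + hmac.new(rik, tlvs, hashlib.sha256).digest()

def erp_verify(rik: bytes, msg: bytes) -> bytes:
    """Check the tag and return the TLV bytes; raise on tampering or a wrong rIK."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(rik, body, hashlib.sha256).digest()):
        raise ValueError("ERP authentication tag mismatch")
    return body

class MobileDevice:
    def __init__(self, rik: bytes):
        self.rik = rik

    def policy_request(self, path: list) -> bytes:
        """Step (4): Policy Request TLV naming the visited networks the session will traverse."""
        body = json.dumps({"path": path}).encode()
        return erp_protect(self.rik, encode_tlv(TLV_POLICY_REQUEST, body))

    def read_policy(self, erp_msg: bytes) -> dict:
        """Step (8): verify the ERP message and extract the compiled session policy document."""
        return json.loads(decode_tlvs(erp_verify(self.rik, erp_msg))[TLV_POLICY_RESPONSE])

class HomeServer:
    """Home AAA server plus PCCh: home policy (step 5) and visited PCC policies (steps 6-7)."""
    def __init__(self, rik: bytes, home_policy: dict, visited_pccs: dict):
        self.rik, self.home_policy, self.visited_pccs = rik, home_policy, visited_pccs

    def handle_policy_request(self, erp_msg: bytes) -> bytes:
        request = json.loads(decode_tlvs(erp_verify(self.rik, erp_msg))[TLV_POLICY_REQUEST])
        unknown = [n for n in request["path"] if n not in self.visited_pccs]
        if unknown:
            raise ValueError("no PCC known for visited network(s): %s" % unknown)
        document = {"home": self.home_policy,
                    "visited": {n: self.visited_pccs[n] for n in request["path"]}}
        return erp_protect(self.rik, encode_tlv(TLV_POLICY_RESPONSE, json.dumps(document).encode()))

    def policy_change(self, pcc_name: str, new_policy: dict) -> None:
        """Step (9): a visited PCC reports a changed policy to the home network."""
        self.visited_pccs[pcc_name] = new_policy

def mobile_triggered(md: MobileDevice, home: HomeServer, path: list) -> dict:
    """Steps (3) to (8); the INC only relays the ERP payload, so it is not modelled."""
    return md.read_policy(home.handle_policy_request(md.policy_request(path)))

def network_triggered(md: MobileDevice, home: HomeServer, pcc_name: str,
                      new_policy: dict, path: list) -> dict:
    """Steps (9) to (11): a visited PCC changes policy and the home network triggers a fresh ERP run."""
    home.policy_change(pcc_name, new_policy)
    return mobile_triggered(md, home, path)

if __name__ == "__main__":
    rik = derive_rik(b"\x01" * 64)  # constructed EMSK for the demo
    home = HomeServer(rik, {"video": False},
                      {"visited-A": {"codecs": ["G.711"], "max_bw_kbps": 64}})  # constructed policies
    md = MobileDevice(rik)
    print(mobile_triggered(md, home, ["visited-A"]))
    print(network_triggered(md, home, "visited-A", {"codecs": ["AMR"], "max_bw_kbps": 12}, ["visited-A"]))
```

Two points this model makes visible that bear on the Future Work slide: a modified Policy Request or Response fails the rIK check, so the device and home network do get integrity from ERP without any SIP-level mechanism, but the TLV contents are readable by every hop in between, so the question of whether the policy payload needs its own encryption is real and is not answered by ERP alone.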
Future Work
How exactly is the ERP payload carried in the network?
–Diameter?
–Do these messages need to be encrypted?
Can the EAP/ERP credentials be tied to the SIP session?
Requirements on the mobile device?
–Password
–Certificate
–Username
Relevant Documents
EAP
–draft-mccann-session-policy-framework-using-eap-00
SIP
–draft-ietf-sip-session-policy-framework-06
–draft-ietf-sipping-media-policy-dataset-07