Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli

Published byEspen Andersen Modified over 5 years ago

Similar presentations

Presentation on theme: "Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli"— Presentation transcript:

1 NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt)
Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli Sven Van den Bosch

2 Draft Scope This draft is:
A first attempt to describe AAA issues relevant for NSIS. It points to the importance of authorization/charging for QoS signaling. The draft is not: A summary of mathematical pricing models A new protocol proposal A motivation for a certain architecture

3 Authorization = ability to charge someone1
Introduction At the last IETF Steve Bellovin talked about security issues in NSIS. He pointed to the importance of authorization for an NSIS protocol. An interesting aspect of authorization for QoS signaling is: Authorization = ability to charge someone1 1 There are other authorization issues (e.g. session ownership).

4 Introduction (cont.) Authorization has an implication on the security architecture. We looked at two possible models: New Jersey Turnpike Model New Jersey Parkway Model

5 New Jersey Turnpike Model
Network A Network B Network C Data Sender Data Receiver Node B Node A Peering relationship is used to provide charging between neighboring networks Similar to edge pricing proposed by Schenker et. al.

6 NJ Turnpike Model Issues
Establishment of the financial settlement between end host (data sender favorable) and access network based on network access procedure (not per-session based) Simple (if data sender is charged for the reservation) More difficult: receiver-initiated signaling and charging for data receiver Unfortunately it is possible to fully avoid reverse charging (e.g. #800 numbers).

7 New Jersey Parkway Model
Network A Network B Network C Direct AAA relationship to intermediate networks Data Sender Data Receiver Node B Node A Financial settlement has to be provided on a per-session basis More complex: financial settlement to intermediate networks required (authentication alone is insufficient)

8 NJ Parkway Model Issues
Trusted third party might be required such as a clearing house since intermediate networks have no direct relationship to end host Financial settlement has to be provided on a per-session basis  scalability and deployment problem More flexible signaling protocol functionality required: A route change might require interaction with end host. Signaling protocol might support the possibility for intermediate networks to interact with the end host Aggregation in the core network might be difficult to use if per-session information is required for charging.

9 Who is charged for what? Basic question: Charging for data sender or data receiver Sender- vs. receiver oriented signaling adds some issues but is not the source of the problem. What is the problem? Per-session based establishment of financial settlement Example: Sender-initiated reservation with charging for data receiver (see next slide)

10 Sender-initiated reservation with charging for data receiver
Network A Network B Network C RESV RESV RESV RESV “Authorization Information” Data Sender Data Receiver Node B Node A Node A indicates that some other entity is paying for the reservation. Why should Network A authorize the reservation request?

11 Not enough problems already? Price Distribution
Price for a QoS reservation:  Price cannot be deferred from the destination IP address alone (unlike telephone numbers)  Price distribution required (can be in-band, out-of-band or a combination of both)  Price depends on the route (number of traversed networks)  Price is directional (due to cost and route asymmetry) An end user wants to know the price before issuing a reservation request.

12 Price distribution Building Blocks
A resource negotiation and pricing protocol (RNAP) An embedded charging approach for RSVP Border Pricing Protocol (BPP) Billing Information Protocol (BIP) Tariff Distribution Protocol (TDP) Internet Open Trading Protocol (IOTP) Open Settlement Protocol (OSP) Not surprising: Many of these protocols require the same properties as a QoS signaling protocol.

13 Conclusion Peer-to-peer security is fine for a simple charging model (NJ Turnpike). Authorization issues needs additional security protection. Charging is not only an end-to-end (application) issue. The network needs some information. Some authorization/charging objects have to be included into a NSIS protocol. An NSIS protocol needs to be flexible. (e.g. support for several roundtrips).

Download ppt "Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli"

Similar presentations

MONET Problem Scope and Requirements draft-kniveton-monet-requirements-00 T.J. Kniveton Alper Yegin IETF 53 21 March 2002.

MONET Problem Scope and Requirements draft-kniveton-monet-requirements-00 T.J. Kniveton Alper Yegin IETF March 2002.
2 Introduction A central issue in supporting interoperability is achieving type compatibility. Type compatibility allows (a) entities developed by various.

2 Introduction A central issue in supporting interoperability is achieving type compatibility. Type compatibility allows (a) entities developed by various.
Oct 15 th, 2009 OGF 27, Infrastructure Area: Status of FVGA-WG Status of Firewall Virtualization for Grid Applications - Working Group

Oct 15 th, 2009 OGF 27, Infrastructure Area: Status of FVGA-WG Status of Firewall Virtualization for Grid Applications - Working Group
L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

L. Alchaal & al. Page Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.

1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.

Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
1 IETF 64th meeting, Vancouver, Canada Design Options of NSIS Diagnostics NSLP Xiaoming Fu Ingo Juchem Christian Dickmann Hannes Tschofenig.

1 IETF 64th meeting, Vancouver, Canada Design Options of NSIS Diagnostics NSLP Xiaoming Fu Ingo Juchem Christian Dickmann Hannes Tschofenig.
Interdomain and end-to- end QoS issues Henning Schulzrinne Columbia University NSF QoS workshop – April 2002.

Interdomain and end-to- end QoS issues Henning Schulzrinne Columbia University NSF QoS workshop – April 2002.
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Internet Telephony Helen J. Wang Network Reading Group, Jan 27, 99 Acknowledgement: Jimmy, Bhaskar.

Internet Telephony Helen J. Wang Network Reading Group, Jan 27, 99 Acknowledgement: Jimmy, Bhaskar.
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
Omniran-13-0064-00-0000 1 PtP Links across IEEE 802 Bridged Infrastructure Date: 2013-08-28 Authors: NameAffiliationPhone Max

Omniran PtP Links across IEEE 802 Bridged Infrastructure Date: Authors: NameAffiliationPhone Max
Ernst Langmantel Technical Director, Austrian Regulatory Authority for Broadcasting and Telecommunication (RTR GmbH) The opinions expressed in this presentation.

Ernst Langmantel Technical Director, Austrian Regulatory Authority for Broadcasting and Telecommunication (RTR GmbH) The opinions expressed in this presentation.
Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.

Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.
ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.

ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.
NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.

NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.
© 2006 Cisco Systems, Inc. All rights reserved. 3.3: Selecting an Appropriate QoS Policy Model.

© 2006 Cisco Systems, Inc. All rights reserved. 3.3: Selecting an Appropriate QoS Policy Model.

Similar presentations

Ads by Google