Download presentation
Presentation is loading. Please wait.
Published byMartin Henderson Modified over 9 years ago
1
11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security gmgross@IdentAware.com IETF-58, Minneapolis, MN November 10 th 2003 Multicast Security with Authentication, Authorization, and Accounting (AAA)
2
11/07/2003IETF-58 MSEC and AAA page 2 What motivates MSEC/AAA? Large-scale secure multicast groups straddle administrative/business domain boundaries AAA enforces contractual relationships, generates data usable for service accounting Allows Service Provider to securely control their multicast transit routing service Enables dynamic MSEC groups with the Service Provider AAA as the broker
3
11/07/2003IETF-58 MSEC and AAA page 3 Relevant Background Reading RFC3588, Diameter base protocol spec RFC2904, generic authorization framework NASREQ Diameter application –ietf-draft-aaa-diameter-nasreq-13.txt next rev of generic policy token draft –msec-gspt-04.txt –missed the ID cut-off
4
11/07/2003IETF-58 MSEC and AAA page 4 GDOI Roaming Pull AAA Model Administrative Domain “B” Group Owner Z authorization Authentication Server Diameter AAA Server Grp. Controller Key Server Accounting Server GM Diameter AAA Server Subordinate GC/KS Accounting Server GM Administrative Domain “A” Diameter GDOI Diameter NASREQ+MSEC Secure multicast group “Z”
5
11/07/2003IETF-58 MSEC and AAA page 5 Observations about GDOI/AAA Can leverage existing IKE/ISAKMP AAA –Q: does the group member have a NAI? –Reasonable design: extend NASREQ Diameter application to handle GDOI Undefined how to add a S-GC/KS to group Issue: currently no way to separate KS from the S-GC role if the S-GC domain is not trusted with the group’s encryption key
6
11/07/2003IETF-58 MSEC and AAA page 6 GSAKMP Push AAA Model Administrative Domain “B” Group Owner Z authorization Certificate Authority Diameter AAA Server Grp. Controller Key Server Accounting Server GM Diameter AAA Server Subordinate GC/KS Accounting Server GM Administrative Domain “A” Diameter GSAKMP Diameter accounting Secure multicast group “Z” Policy token
7
11/07/2003IETF-58 MSEC and AAA page 7 GSAKMP/AAA Observations PKI based authentication only, no NAI Multicast policy token encodes membership authorization, acts as AAA service ticket Diameter back-end used for accounting Does not fit Diameter NASREQ model Like GDOI, can not withhold group key from S-GC in partially trusted domain
8
11/07/2003IETF-58 MSEC and AAA page 8 Future MSEC/AAA directions Need to separate the S-GC and key server roles in both GSAKMP and GDOI Introduce “generic” policy token attributes to encode multiple service authorizations –nesting the tokens will avoid layer violations –multicast PT is scalable, but it is not part of GDOI today, is this feasible to add? Long-term: Diameter extensions for MSEC
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.