EN/FAD 109 0015 How can AAA infrastructure support services and applications in roaming architectures Ericsson Bay Area Research (EBAR) Theodore Havinis.


1 EN/FAD 109 0015 How can AAA infrastructure support services and applications in roaming architectures Ericsson Bay Area Research (EBAR) Theodore Havinis

2 The future trust model
[Diagram labels: Terminal/User, Visited, Home, PLMN operator, Service Provider, Service/Content Provider, Corporate Network; annotation: "for services that use resources in visited"]

3 Identifying the issues
The FACT is: The AAA infrastructure has a role to play in the service plane.
The QUESTION is then: What exactly is the role that the AAA infrastructure could play in the service plane, considering:
– 3G mobile roaming model
– multimedia, e-Commerce applications etc.

4 Possible uses of AAA infrastructure
End-User (EU) authentication
– authentication always from EU-to-home
Key distribution management
– network-2-network (n2n) security is needed in some cases
– AAA infrastructure is used for distributing keys
– preparing for full IKE security association (SA) negotiation
Transporting User profile
Policy Decision Point

5 Distinguish between E-U authentication and N2N security
[Diagram labels: UA, SIP Proxy, Home operator, Home, Visited; panels "3G SIP: Network-2-Network" and "IETF SIP: End-2-End"; arrows labelled "End-User authentication" and "N2N security"]
In IETF SIP, the SIP proxy is transparent to End-User authentication.
In 3G, the SIP proxy cannot be transparent for various reasons, one being the capability to route calls locally, e.g. E-911.

6 Initial SAs: SIP Server at Home
[Diagram labels: UE, UA, Proxy, AAAL, LS (Visited); AAAH, SIP server (Home); security associations SA 1 (K_SA1), SA 2 (K_SA2), SA 3 (K_SA3), SA M (K_M)]
Home network decides where the SIP server is located.
Initial SAs according to roaming model.
3G operators are considering gateways between networks for protecting internal infrastructure.

7 Initial SAs: SIP Server at Visited
[Diagram labels: UE, UA, Proxy, AAAL, LS, SIP server, Visited; AAAH, Home; security associations SA 2 (K_SA2), SA 3 (K_SA3), SA M (K_M)]
Home network decides where the SIP server is located.
Initial SAs according to roaming model.
3G operators are considering gateways between networks for protecting internal infrastructure.

8 How can an AAA server be used with n2n
What is the proposal
1 To use the AAA infrastructure for provisioning the shared secrets.
2 In addition, to use the AAA infrastructure for n2n authentication and security according to the selected mode of operation.
Modes of operation for Network-2-Network security
– In-band: complete piggybacking of SIP:REGISTER and its response over AAA infrastructure
– Out-of-band: complete piggybacking of SIP:REGISTER, SAs established when SIP:REGISTER sent externally
– Transparent: AAA used only for establishing SAs.

9 Network-to-Network: In-band
[Diagram labels: UE, UA, Proxy, AAAL, LS (Visited); AAAH, SIP server (Home); keys K_s1, K_s2; message flows SIP: REGISTER and SIP: INVITE; numbered steps 1 to 12]
PRINCIPLE
SIP:REGISTER sent piggybacked through AAA infrastructure, does Auth/Accounting & policy selection.
Trusts established.
SIP:INVITE externally.
Policies enabled

10 Network-to-Network: Out-of-band
[Diagram labels: UE, UA, Proxy, AAAL, LS (Visited); AAAH, SIP server (Home); keys K_s1, K_s2; message flows SIP: REGISTER and SIP: INVITE; numbered steps 1 to 10]
PRINCIPLE
SIP:REGISTER sent piggybacked through AAA infrastructure, just authentication done & policy downloaded to SIP server.
SIP:REGISTER sent externally and used for key distribution management, resulting in building up trusts.
SIP:INVITE externally.
Policies enabled

11 Network-to-Network: Transparent
[Diagram labels: UE, UA, Proxy, AAAL, LS (Visited); AAAH, SIP server (Home); keys K_s1, K_s2; message flows SIP: REGISTER and SIP: INVITE; numbered steps 1 to 10]
PRINCIPLE
AAA infrastructure used for key generation & policy downloading to SIP server.
SIP:REGISTER sent externally and used for key distribution management, resulting in building up trusts.
SIP:INVITE externally.
Policies enabled

12 Thank you

