Presentation is loading. Please wait.

Presentation is loading. Please wait.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Published byLilian O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones."— Presentation transcript:

1 Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones

2 History IETF # 59: Two individual drafts on the subject: — IETF #60: The authors of the two drafts got together and wrote a new draft: Carrying Location Objects in RADIUS IETF #61: Two draft revisions —

3 Delivery Methods for Location Information Goals: Location Information must be available at the home AAA server Users privacy must be taken into consideration Why do you need the "users" location at the home AAA server? — Location-based authorization — Taxation (based on location) — Some people might use it for location based services Two means to deliver Location Information to the AAAH: — Authentication/Authorization Phase Delivery — Mid-session Delivery

4 Delivery Methods for Location Information Authentication/Authorization Phase Delivery NAS AAA Start Auth. Phase RADIUS Access-Request + LO... multiple roundtrips... Access-Accept + Privacy Attr. Auth. Accept MN RADIUS Accounting Request + LO

5 Delivery Methods for Location Information Mid-session Delivery Legend: Change of Authorization (CoA) message [RFC3576] NAS AAA COA + Service-Type "Authorize Only" COA NAK + Service-Type "Authorize Only" + Error-Cause "Request Initiated" Access-Request + Service-Type "Authorize Only" + LO Access-Accept

6 New RADIUS Attributes Reusing existing Geopriv work! Operator-Name Attribute — This attribute contains an operator name which uniquely identifies the ownership of an access network. Location-Information Attribute — Civil Location Information Format [ietf-geopriv-dhcp-civil] — Geospatial Location Information Format [RFC3825] Basic-Policy-Rules — Reuses basic authorization policies from [PDIF-LO] Extended-Policy-Rules — Points to full authorization policies [PIDF-LO] Location-Type Attribute — Classes of location types (from 'Coffee Shop' to 'Public Place')

7 Location-Information Attribute 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Code | Precision | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Location-Info... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ (0) Civil (1) Geospatial (0) NAS (1) AAA server (2) User (3) Network 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | LaRes | Latitude + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Latitude | LoRes | Longitude + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Longitude | AT | AltRes | Altitude + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Altitude | Datum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Countrycode | Civic address elements... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Civil Location Information Geospatial Location Information TLV elements: CAtype CAlength CAvalue Example:

8 Basic-Policy-Rules Attribute Fields of the 'usage-rules' element defined in [PIDF-LO]: — 'retransmission-allowed': '0' = Recipient is not permitted to share the enclosed Location Information '1' = Recipient is allowed to share Location Information with other parties. — 'retention-expires': Absolute date at which time the Recipient is no longer permitted to possess the location information. — 'note-well': This field contains a URI with human readable privacy instructions.

9 Extended-Policy-Rules Attribute Ruleset reference: — The text field contains a reference to the policy rules. The full ruleset cannot be carried in RADIUS due to size considerations.

10 Location-Type Attribute Classes of location types — 0 Reserved — 1 Coffee Shop — 2 Hotel — 3 Airport — 4 Mall — 5 Restaurant — 6 Bus — 7 Library — 8 Convention Center — 9 School — 10 Office — 11 Airplane — 12 Train — 13 Ship — 14 Educational Institute — 15 Public Place — 16 Other Comment from Henning Schulzrinne: — Use RPID values (and therefore the same IANA registration)

11 Questions?

12 BACKUP Slides

13 Privacy Considerations Eavesdropping Threat: Eavesdropper learning Location Information + NAI Assumption: — NAI reveals true user identity (might not be the case for some EAP methods) Solution: — Use IPsec ESP between AAA servers — Already required for key transport Cannot protect against entities participating in the signaling exchange (e.g., AAA server) itself => no true "end-to-end" security

14 Privacy Considerations Home AAA server acts as Location Server Scenario: — Home AAA server retrieves location information and wants to use it for location-based services. Typically no problem since — User has a strong trust relationship with home operator based on a contract. — Authorization policies can be provided to the home AAA server (or the home network) before the protocol execution starts.

15 Privacy Considerations Visited AAA server acts as Location Server (1) Scenario: — Visited AAA server collects and distributes location information of attached users. — The same is applicable to AAA brokers — User might not even allow location information to be forwarded to home network Problem: — End host and visited network typically shares not trust relationship. — Network access authentication procedure is executed to dynamically establish the trust relationship and to establish session keys. — These keys are available after successful authentication and authorization. — Successful authentication and authorization might require location information

16 Privacy Considerations Visited AAA server acts as Location Server (2) Approach 1: Use EAP method with active user identity confidentiality Problem: The choice of an EAP method is not only user driven Approach 2: Mandate default policy Problem: Will it be considered by all hot spots? Approach 3: Authorization policies are provided by the home AAA server - possible for mid-session delivery Problem: Addresses only some problems Approach 4: User provides authorization rules to visited network Problem: — Securing the LO/Rules is difficult (key management problem) — Existing protocols due not support this functionality (see EAP, PANA) — Not a RADIUS problem

17 Outside the Scope Protocols executed between end host and NAS (e.g., EAP) Example: — End host providing location information to RADIUS client

Download ppt "Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones."

Similar presentations

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
Identity, Spheres and Privacy Rules Henning Schulzrinne (with Hannes Tschofenig and Richard Barnes) Workshop on Identity, Information and Context October.

Identity, Spheres and Privacy Rules Henning Schulzrinne (with Hannes Tschofenig and Richard Barnes) Workshop on Identity, Information and Context October.
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
AAA-Mobile IPv6 Frameworks Alper Yegin IETF 62. 2 Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.

AAA-Mobile IPv6 Frameworks Alper Yegin IETF Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.
ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.

ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.

NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
1 Course Number Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt.

1 Course Number Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt.
Identities and Network Access Identifier in M2M Page 1 © 2010 3GPP2 3GPP2 and its Organizational Partners claim copyright in this document and individual.

Identities and Network Access Identifier in M2M Page 1 © GPP2 3GPP2 and its Organizational Partners claim copyright in this document and individual.
QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.

QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.
GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements draft-tschofenig-geopriv-l7-lcp-ps-00.txt Hannes Tschofenig, Henning.

GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements draft-tschofenig-geopriv-l7-lcp-ps-00.txt Hannes Tschofenig, Henning.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

Similar presentations

Ads by Google