Presentation is loading. Please wait.

Presentation is loading. Please wait.

NSIS QoS NSLP Authorzation Issues Hannes Tschofenig.

Published byGyles Stevenson Modified over 8 years ago

Similar presentations

Presentation on theme: "NSIS QoS NSLP Authorzation Issues Hannes Tschofenig."— Presentation transcript:

1 NSIS QoS NSLP Authorzation Issues Hannes Tschofenig

2 Current Status

3 Trust Model: New Jersey Turnpike Model Network ANetwork C Node A Node B Network B Peering relationship is used to provide charging between neighboring networks - similar to edge pricing proposed by Schenker et. al. David Clark: "We know how to route packets, what we don't know how to do is route dollars." Data Sender Data Receiver

4 Two-Party Approach Properties: –Strong trust relationship between "Entity authorizing resource request" and "Entity performing QoS reservation" –Typically: Data-origin authentication sufficient –Financial establishment pre-established based on previous protocol execution Examples: –PacketCable authorization within the network where the user is attached. QoS Request Entity requesting resource Entity authorizing resource request granted/rejected End Node Node within the attached network

5 Three-Party Approach Entity Authentication Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation" Properties / Usage Environment: –AAA-type authorization - splitting functional components –Dynamic re-authorization based on new incoming requests. –Typically: entity authentication between "Entity requesting resource" and "Entity authorizing resource requests" QoS Request Entity requesting resource Entity performing QoS reservations granted/rejected Entity authorizing resource request QoS Authz Request QoS Authz Response

6 Three-Party Approach Token based Mechanism Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation" Properties / Usage Environment: –Common authorization tokens (e.g., OSP - Tokens; RSVP Session and Media Authorization) –Token either allows two protocols to be linked or represents a monetary value –Provides some sort of anonymity –Digital money (or e-payment) could also be used QoS Request + Token Entity requesting resource Entity performing QoS reservations granted/rejected Entity authorizing resource request (TTP) Authz Token Request Authz Token

7 Open Issues

8 Authentication, Authorization and Accounting Infrastructure Authorization might not always happen at an NSIS element itself (see roaming scenarios) Information which is exchanged between the end host (e.g., NI) needs to be forwarded to a backend server (e.g., PDP or AAA server) NSIS and AAA protocols need to aligned Work ongoing with Frank Alfano, Pete McCann

9 State-of-the-Art: TLS-based Mutual Authentication +---------+ +---------+ | MN | | R1 | +---------+ +---------+ + + | Discovery Request/Response (NTLP) | | | | Transport Layer Connection Setup | | | | | Initial | Transport Layer Security | Setup | Handshake Layer (Mutual authentication) | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | TLS Record Layer Established | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | | | ----------------------------------------------> | | NTLP/NSLP QoS CREATE msg | | | | <---------------------------------------------- | | NTLP/NSLP QoS ACK msg | | | + +..........

10 Open Issue: C/R-based Authentication How long is the authorization decision valid? More flexible approach (support of different authentication protocols): EAP based authentication + Authorization QoS Request (Identity) Entity requesting resource Entity performing QoS reservations Unauthorized (challenge) Entity authorizing resource request QoS Request+Response Success/Failure AAA-QoS (identity) AAA-QoS (challenge) AAA-QoS (response) AAA-QoS (success/failure)

11 EAP-based Approach (1/2) +---------+ +---------+ | MN | | R1 | +---------+ +---------+ + + | Discovery Request/Response (NTLP) | | | | ----------------------------------------------> | | Datagram Mode | | NTLP/NSLP QoS CREATE Req. | | (EAP-Auth/Authz requested; | Initial | EAP-Request/Identity) | Setup | | | <---------------------------------------------- | | Datagram Mode | | NTLP/NSLP QoS CREATE Resp. | | (EAP-Request/AKA-Challenge | | (AT_RAND, AT_AUTN, AT_MAC)) | | (Algorithm/Parameter Negotiation) | | ----------------------------------------------> | | Datagram Mode | | NTLP/NSLP QoS CREATE Req. | | (EAP-Response/AKA-Challenge | | (AT_RES, AT_MAC)) | | (Algorithm/Parameter Negotiation) |

12 EAP-based Approach (2/2) | | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | Authentication Authorization finished | | Secure channel at the NSLP layer established | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | <---------------------------------------------- | | NTLP/NSLP QoS CREATE Resp. | | NTLP/NSLP QoS CREATE Req. | | (EAP-Success) | | (Secure Confirmation) | | | + +.......... + + | ----------------------------------------------> | | NTLP/NSLP QoS REFRSH msg | Refresh | | Msg | <---------------------------------------------- | | NTLP/NSLP QoS ACK msg | + +

Download ppt "NSIS QoS NSLP Authorzation Issues Hannes Tschofenig."

Similar presentations

Authentication.

Authentication.
LinkSec Architecture Attempt 3

LinkSec Architecture Attempt 3
H.323 Recommended by ITU-T for implementing packet-based multimedia conferencing over LAN that cannot guarantee QoS. Specifying protocols, methods and.

H.323 Recommended by ITU-T for implementing packet-based multimedia conferencing over LAN that cannot guarantee QoS. Specifying protocols, methods and.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)
All-IP distributed (proxy) control model architecture Henrik Basilier, Ericsson ALLIP-20000717-011__ERI_distributed_CM.

All-IP distributed (proxy) control model architecture Henrik Basilier, Ericsson ALLIP __ERI_distributed_CM.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.

Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
MOBILITY SUPPORT IN IPv6

MOBILITY SUPPORT IN IPv6
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
Vulnerability Analysis of Mobile and Wireless Protocols.

Vulnerability Analysis of Mobile and Wireless Protocols.
Applicability Statement of NSIS Protocols in Mobile Environments (draft-ietf-nsis-applicability-mobility-signaling-03) Sung-Hyuck Lee, Seong-Ho Jeong,

Applicability Statement of NSIS Protocols in Mobile Environments (draft-ietf-nsis-applicability-mobility-signaling-03) Sung-Hyuck Lee, Seong-Ho Jeong,
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
Omniran-13-0032-04-0000 1 IEEE 802 Scope of OmniRAN Date: 2013-05-16 Authors: NameAffiliationPhone Max RiegelNSN+49 173 293

Omniran IEEE 802 Scope of OmniRAN Date: Authors: NameAffiliationPhone Max RiegelNSN
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
 It defines the format of the frame to be exchanged between devices.  It defines how two devices can negotiate the establishment of the link and the.

 It defines the format of the frame to be exchanged between devices.  It defines how two devices can negotiate the establishment of the link and the.
Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.

Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard

Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard
NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.

NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.

Similar presentations

Ads by Google