1 / 16

SIP roaming solution amongst different WLAN-based service providers

SIP roaming solution amongst different WLAN-based service providers. Julián F. Gutiérrez 1 , Alessandro Ordine 1 , Luca Veltri 2 1 DIE, University of Rome "Tor Vergata", Italy 2 Dpt. of Information Engineering - University of Parma, Italy. Overview. Scope

aderes
Download Presentation

SIP roaming solution amongst different WLAN-based service providers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SIP roaming solutionamongst different WLAN-based service providers Julián F. Gutiérrez1, Alessandro Ordine1, Luca Veltri2 1 DIE, University of Rome "Tor Vergata", Italy 2 Dpt. of Information Engineering - University of Parma, Italy

  2. Overview • Scope • roaming amongst (WLAN-based) access networks • WLAN access networks are widely used • current wireless internet providers (WISPs) use different authentication schemes • lack of an integrated and open authentication framework • Goal • open solution for secure authentication in wireless (also wired) access scenario based on a distributed AAA architecture and on SIP protocol • enabling the use through standard3Gterminals • testbed implementation • Characteristics • captive portal like solution (layer-two independent) • based on SIP registration procedure

  3. Outline • SIP authentication overview • Digest authentication • AKA • Digest-AKA • Uni-Fy architecture • SIP-based authentication scheme • Implementation • Future work

  4. SIP Digest authentication • It follows a challenge-based scheme based on a shared secret for authentication purposes (as on HTTP authentication) • Any time that a proxy server or UA receives a request, it MAY challenge the initiator of the request to provide assurance of its identity

  5. SIP AKA

  6. SIP Digest-AKA

  7. Uni-Fy • Proposed solution based on Uni-Fy distributed access control system • Uni-Fy characteristics • Wireless LAN/HotSpot management system with • distributed authentication • access and policy control • other capabilities • authentication and authorization functions implemented at application layer • access control is applied at IP layer by means of firewalling capability • overall scheme can be viewed as a captive portal implementation • used within the TWELVE research project (developed by the University of Trento)

  8. Uni-Fy architecture

  9. Uni-Fy architecture • Access network • through which mobile users can attach the rest of the network (e.g. Internet), and, after being successfully authenticated, gain connectivity towards it • Gateway • acts as access router for the access network • enforces the policy rules (as PEP) dynamically setup by the Gatekeeper • Gatekeeper • together with the Gateway enforces authentication procedure before granting access to mobile users • it works at application level redirecting specific application sessions to a proper authentication server • Authentication Provider • directly or indirectly trusted by the Gatekeeper; application sessions are redirected to it in order to force a proper authentication procedure • implementation strictly depend on the specific application supported for authentication purpose (HTTP, SIP, others) • optionally uses a backend authentication server (an AAA server such as a RADIUS or Diameter server) and an LDAP or DB repository

  10. GW and GK architecture • GW and GK can be co-located or implemented on different nodes

  11. SIP-based authentication scheme • Proposal of a captive-portal-like mechanism based on • access control scheme based on the Uni-Fy architecture • open and flexible • SIP authentication procedure • same signaling platform used for multimedia real-time service and used by 3G mobile networks • When a mobile user roams into a new visited network • it tries to authenticate with his own SIP server • such procedure is intercepted by the local GK administrated by the visited ISP • the authentication procedure between the mobile user and his SIP server goes on with some modifications

  12. SIP extension • For ISP-to-ISP authentication and correct authorization information retrieval an extension of the SIP authentication procedure is proposed • Two new header fields defined • Proxy-To-Proxy-Authenticate (pp-authenticate) • used to carry authentication request information • sent by a generic intermediate proxy to authenticate a next-hop entity, in order to correctly trust information sent as response from such next hop entity • inserted by the proxy within the second SIP request from the UAC to the next hop entity • Proxy-To-Proxy-Authorization (pp-authorization) • used to carry authentication response information • inserted in a SIP response message by the next hop entity in response to the pp-authenticate request

  13. Authentication scheme

  14. Implementation testbed • Whole authentication and authorization scenario implemented in a testbed • based on the Uni-Fy access control mechanism • GW and GK nodes have been realized based on the original Uni-Fy implementation (TWELVE project; http://netmob.unitn.it/twelve.html) • GK plugin for SIP has been developed in C++ • based on the reSIProcate C++ SIP stack library (http://www.sipfoundry.org/reSIProcate) • Proxy server (opportunely extended with proxy-to-proxy authentication) has been implemented in Java • based on the mjsip SIP stack library and reference implementation (http://www.mjsip.org)

  15. Future Work • Improve the actual shared secret mechanism between Uni-Fy and the next hop entity • Access to the 3G SIM card in order to base the authentication procedure in the credentials stored in the SIM card

  16. Thank you for your attention!! • For further details, please contact: jfgutierrezc@gmail.com

More Related