SIP roaming solution amongst different WLAN-based service providers
Julián F. Gutiérrez (1), Alessandro Ordine (1), Luca Veltri (2)
(1) DIE, University of Rome "Tor Vergata", Italy
(2) Dpt. of Information Engineering, University of Parma, Italy
Overview
• Scope
  • roaming amongst (WLAN-based) access networks
  • WLAN access networks are widely used
  • current wireless internet service providers (WISPs) use different authentication schemes
  • lack of an integrated and open authentication framework
• Goal
  • an open solution for secure authentication in wireless (and also wired) access scenarios, based on a distributed AAA architecture and on the SIP protocol
  • enabling its use through standard 3G terminals
  • testbed implementation
• Characteristics
  • captive-portal-like solution (layer-two independent)
  • based on the SIP registration procedure
Outline
• SIP authentication overview
  • Digest authentication
  • AKA
  • Digest-AKA
• Uni-Fy architecture
• SIP-based authentication scheme
• Implementation
• Future work
SIP Digest authentication
• It follows a challenge-based scheme built on a shared secret for authentication purposes (as in HTTP Digest authentication)
• Any time a proxy server or UA receives a request, it MAY challenge the initiator of the request to provide assurance of its identity
Uni-Fy
• Proposed solution based on the Uni-Fy distributed access control system
• Uni-Fy characteristics
  • Wireless LAN/HotSpot management system with
    • distributed authentication
    • access and policy control
    • other capabilities
  • authentication and authorization functions implemented at the application layer
  • access control applied at the IP layer by means of firewalling capabilities
  • the overall scheme can be viewed as a captive portal implementation
  • used within the TWELVE research project (developed by the University of Trento)
Uni-Fy architecture
• Access network
  • the network through which mobile users attach to the rest of the network (e.g. the Internet) and, after being successfully authenticated, gain connectivity towards it
• Gateway
  • acts as the access router for the access network
  • enforces the policy rules (as PEP) dynamically set up by the Gatekeeper
• Gatekeeper
  • together with the Gateway, enforces the authentication procedure before granting access to mobile users
  • works at application level, redirecting specific application sessions to a proper authentication server
• Authentication Provider
  • directly or indirectly trusted by the Gatekeeper; application sessions are redirected to it in order to force a proper authentication procedure
  • its implementation strictly depends on the specific application supported for authentication purposes (HTTP, SIP, others)
  • optionally uses a backend authentication server (an AAA server such as a RADIUS or Diameter server) and an LDAP or DB repository
GW and GK architecture
• GW and GK can be co-located or implemented on different nodes
SIP-based authentication scheme
• Proposal of a captive-portal-like mechanism based on
  • an access control scheme based on the Uni-Fy architecture
    • open and flexible
  • the SIP authentication procedure
    • the same signaling platform used for multimedia real-time services and used by 3G mobile networks
• When a mobile user roams into a new visited network
  • it tries to authenticate with its own (home) SIP server
  • this procedure is intercepted by the local GK, administered by the visited ISP
  • the authentication procedure between the mobile user and its SIP server then proceeds with some modifications
SIP extension
• For ISP-to-ISP authentication and correct retrieval of authorization information, an extension of the SIP authentication procedure is proposed
• Two new header fields are defined
  • Proxy-To-Proxy-Authenticate (pp-authenticate)
    • used to carry authentication request information
    • sent by a generic intermediate proxy to authenticate a next-hop entity, so that the information returned in that next-hop entity's response can be correctly trusted
    • inserted by the proxy into the second SIP request sent from the UAC to the next-hop entity
  • Proxy-To-Proxy-Authorization (pp-authorization)
    • used to carry authentication response information
    • inserted in a SIP response message by the next-hop entity, in response to the pp-authenticate request
Implementation testbed
• The whole authentication and authorization scenario has been implemented in a testbed
  • based on the Uni-Fy access control mechanism
• GW and GK nodes have been realized starting from the original Uni-Fy implementation (TWELVE project; http://netmob.unitn.it/twelve.html)
• A GK plugin for SIP has been developed in C++
  • based on the reSIProcate C++ SIP stack library (http://www.sipfoundry.org/reSIProcate)
• The proxy server (suitably extended with proxy-to-proxy authentication) has been implemented in Java
  • based on the mjsip SIP stack library and reference implementation (http://www.mjsip.org)
Future Work
• Improve the current shared-secret mechanism between Uni-Fy and the next-hop entity
• Access the 3G SIM card in order to base the authentication procedure on the credentials stored in the SIM card
Thank you for your attention!!
• For further details, please contact: jfgutierrezc@gmail.com