Binding Authentication to Provisioning
Freek Dijkstra, Utrecht University
Utrecht, 19 September 2002

Background
• I’m co-author of the Access Bind PIB
• The Access Bind PIB is a data structure created to bind authentication to provisioning
• Created in the IETF, AAAarch research group, RAP working group
• Goal of this talk: introduce authentication and provisioning, and describe how the Access Bind PIB fits into existing models

Talk Outline
• Generic Authentication models
• Provisioning
• The Access Bind PIB model
• Message Sequence
• DiffServ model
• Data Structure
• Conclusions

Generic Authentication Models
• Terminology
• Three authentication models

Terminology (AAA)
• Authentication: telling who you are (identification)
• Authorisation: what a user may or may not do
• Accounting: keeping track of what a user does

Terminology (devices)
• User = the client that requests a service
• Service = the device which offers the service the User wishes to use (PEP, Policy Enforcement Point). For example: a Network Access Device
• AAA server = Authentication, Authorisation and Accounting Server (PDP, Policy Decision Point)

Pull model
[Diagram: User, Service (PEP), AAA server (PDP)]
• User → Service (PEP): request
• Service (PEP) → AAA server (PDP): request
• AAA server (PDP) → Service (PEP): decision
• Service (PEP) → User: decision
• User: usage of service

Push model
[Diagram: User, Service (PEP), AAA server (PDP)]
• User → AAA server (PDP): request
• AAA server (PDP) → User: approval with ticket
• User → Service (PEP): request
• Service (PEP) → User: decision
• User: usage of service

Agent model
[Diagram: User, Service (PEP), AAA server (PDP)]
• User → AAA server (PDP): request
• AAA server (PDP) → Service (PEP): configuration
• AAA server (PDP) → User: decision
• User: usage of service

Provisioning
• Device model
• COPS
Provisioning = to configure. Anything can be provisioned; typically Quality of Service (QoS), for example DiffServ (Differentiated Services).

Device model
[Diagram: PDP → PEP: configuration]
• PEP = Policy Enforcement Point
• PDP = Policy Decision Point
The PDP provisions the Quality of Service (QoS) policy of the PEP.

COPS
• Protocol to transport provisioning data
• Created by the RAP group
• Excellent state synchronization features (unlike SNMP)
• Client/server model (request & response): PEP is the client, PDP is the server

The Access Bind PIB
• Why it was created
• The Access Bind PIB model
• What it is

Why the Access Bind PIB?
[Diagram: the pull model (User, AAA/PDP, service/PEP) next to provisioning (PDP → PEP)]
• Boot-up provisioning
• Per-user provisioning
Access Bind PIB: provision a PEP based on the user who wants access, i.e. bind Authentication to Provisioning.

Access Bind PIB model
[Diagram: User ↔ PDP: any authentication protocol; PDP ↔ PEP: Access Bind PIB; User → PEP: usage of service]

What is the Access Bind PIB?
• It’s an Internet Draft (“Framework for Binding Provisioning to Access Control”)
• It’s a data structure
• It’s a DiffServ element (a complex Classifier)

Message Sequences
• Overview
• Authorisation sequence
• Example protocols: PAP, CHAP and EAP
• Configuration sequence

Sequence Overview
[Diagram: time runs downward; participants User, PEP, PDP. Messages: Access request, Access notification, Access decision (PDP → PEP, then PEP → User); “Capabilities” and “Behaviour” are exchanged between PEP and PDP as Access Bind PIB data]

Message Sequence (PAP/CHAP)
[Diagram: time runs downward; participants User, PEP, PDP, Network]
• User sends traffic to PEP
• Credential negotiation between User and PEP (using PAP or CHAP)
• Access request to PDP: PEP sends knowledge about the user, and the user credentials, to the PDP
• Provision PEP with policies (optional)
• Access Decision (Approve or Deny)
• Access Decision notification to user
• Usage of service

Message Sequence (EAP)
[Diagram: time runs downward; participants User, PEP, PDP, Network]
• User sends traffic to PEP
• Access request to PDP: PEP sends knowledge about the user
• Credential negotiation (using EAP)
• Provision PEP with policies (optional)
• Access Decision (Approve or Deny)
• Access Decision notification to user
• Usage of service
Note the difference with PAP/CHAP: with EAP the credential negotiation follows the access request to the PDP.

Configuration Sequence
[Diagram: time runs downward; participants User, PEP, PDP]
• Configuration request to PDP
• Capability exchange
• Provision PEP with policies
• Provision response

Configuration
• When an access request must be sent (when an event has to be triggered)
• Which information about the user must be sent along
• Optionally (for PAP and CHAP): which authentication protocol must be used to retrieve user credentials (like username and password)

Combining messages
[Diagram: PEP ↔ PDP]
• Combine access notification and User Info
• Combine provisioning and session approval

Differentiated Services (DiffServ)
• DiffServ Model
• DiffServ Elements
• Access Bind PIB as a Classifier
• Edge devices and non-edge devices
The DiffServ model describes the Quality of Service a PEP should offer.

DiffServ Model
[Diagram: datapath through a PEP: Ingress Ports (datapath start), Classifier, Meter (In Profile / Out of Profile), Dropper, Queues, Scheduler, Egress Ports; labelled branches: Premium, Subnet A, Default, Tunnel encapsulation, MPLS Tunnel to Address Y]

The Datapath
[Same diagram as DiffServ Model, with the datapath highlighted]

DiffServ Elements
[Same diagram as DiffServ Model, with one DiffServ element highlighted]

DiffServ Classifier
[Diagram: inside the PEP, a Classifier with Premium, User 1 and User 2 branches, followed by Meter (In Profile / Out of Profile), Dropper, Queue and Scheduler; an Access Mgr on the PEP receives the Access Bind PIB from the PDP and feeds the Classifier]

Edge- and non-edge Devices
[Diagram, example of an edge device: User → Edge Device → Big Bad Internet → Server]
[Diagram, example of a non-edge device: User → Big Bad Internet → Access Server → Server]

Data structure
• COPS
• Terminology
• What’s in the data structure?
• Event Handling concept
• Context Data concept
• Session concept
• EventHandler data structure

COPS and COPS-PR
• The Access Bind PIB defines a data structure.
• The data is transported between the PEP and the PDP using the COPS and COPS-PR protocols.
[Diagram: layout of a COPS-PR REQ message carrying Access Bind PIB data]
• COPS common header: Version, Flags, Op Code = REQ, Client-type, Message Length (variable) = 88 octets
• Client Handle object: Object header (Length = 8 octets, C-Num = 1, C-Type = 1), Client Handle
• Context object: Object header (Length = 8 octets, C-Num = 2, C-Type = 1), R-Type = Configuration Request, M-Type
• Named ClientSI object: Object header (Length (variable) = 40 octets, C-Num = 9, C-Type = 2), containing the COPS-PR objects:
  • event PRID: Pr. Object header (Length (variable) = 8 octets, S-Num = PRID, S-Type = BER), Instance Identifier (for event)
  • event PRI: Pr. Object header (Length (variable) = 8 octets, S-Num = EPD, S-Type = BER), BER Encoded PRI (of event)
  • ctxtL3Hdr PRID: Pr. Object header (Length (variable) = 8 octets, S-Num = PRID, S-Type = BER), Instance Identifier (for ctxtL3Hdr)
  • ctxtL3Hdr PRI: Pr. Object header (Length (variable) = 12 octets, S-Num = EPD, S-Type = BER), BER Encoded PRI (of ctxtL3Hdr)
• Integrity object (optional): Object header (Length (variable) = 24 octets, C-Num = 16, C-Type = 1), Key ID, Sequence Number, Keyed Message Digest

Terminology (COPS-PR)
• PEP = Policy Enforcement Point
• PDP = Policy Decision Point
• PIB = Policy Information Base. A data structure
• PRC = PRovisioning Class. A table of policy data
• PRI = PRovisioning Instance. An instance of a PRC
• PRID = PRI Identifier. Uniquely identifies a PRI

Event Handling concept
As soon as a user sends data to the PEP, the PEP checks whether the data is coming from a known or an unknown source address. The PEP can be configured to trigger an event when the source is unknown.

Context Data concept
The PEP has a lot of information about the user, for example the source IP address, the dial-in number, the modem number (s)he got connected to, etc. It is desirable that the PDP can configure which information is sent by the PEP when an event is triggered. This can be specified by Context Data classes.

Sessions Concept
• Each COPS message is preceded by a COPS “Client Handle”.
• The PEP creates a new Client Handle for each event.
• The COPS Client Handle is used to associate a response with a session.
• The PDP and the PEP can use the Client Handle to delete a session.

What’s in the data structure?
The data structure describes:
• The Classifier: an event trigger. PRCs describing when it should be triggered, which data should be sent along, etc.
• The Event
• Authentication data structures. Currently PAP, CHAP and EAP are supported
• Triggers and Filters. Usually defined in extension documents

Event Handler data structure
[Diagram: PRCs of the Event Handler data structure and their references: Event Handler, Event Handler Element, Authentication Protocol (×2), ContextData (×3), Event Hdlr Scope (×3), Filter (×3), DataPath]

Authorisation models
[Diagram: pull, push and agent models, each with User, AAA server and Service]
• Access Bind PIB can be used in pull model
• Access Bind PIB doesn’t make sense in push model
• DiffServ provisioning can be used in agent model

Conclusions
The Access Bind PIB:
• Binds Authentication to Provisioning
• Works in pull model, partly in agent model
• Depends on DiffServ model
• Can be used for any access server (not just edge devices)
• Uses an Event Triggering concept

Questions?
Further slides:
• Generic AAA models
• Fitting the Access Bind PIB in the AAA model
• Authentication protocols (PAP, CHAP, EAP)
• Sessions and events
• Edge devices and network access devices

Generic AAA architectures
• Home Organisation
• Trust relations
• Internals of an AAA server

Home Organisation
[Diagram: User ↔ Service Provider AAA Server (request/response) ↔ Home Organisation User AAA Server (request/response); Service Provider AAA Server ↔ Service (request/response)]

Example of Trust Relations
[Diagram: Bank, You and Shop, showing pre-established trust relations and a transaction]

Internals of an AAA server
[Diagram: AAA Server (PDP) with a Generic AAA server rule based engine, Policy, Application Specific Module and Events, numbered steps 1 to 5; the Service (PEP) provides the usage of service]

Authentication protocols
• PAP
• CHAP
• EAP (EAP-MD5)
• HTTP, SRP, TLS
• Extensibility of EAP

PAP Message Sequence
[Diagram: User, NAS (PEP), AAA Server (PDP); time runs downward]
• User ↔ NAS: PPP: LCP: Negotiation
• User → NAS: PPP: PAP: identity, password
• NAS → AAA Server: RADIUS: PAP: identity, password
• AAA Server → NAS: RADIUS: PAP: accept/reject
• NAS → User: PPP: PAP: accept/reject
• User ↔ NAS: PPP: Usage

CHAP Message Sequence
[Diagram: User, NAS (PEP), AAA Server (PDP); time runs downward]
• User ↔ NAS: PPP: LCP: Negotiation
• NAS → User: PPP: CHAP: id, challenge
• User → NAS: PPP: CHAP: id, name, MD5(response)
• NAS → AAA Server: RADIUS: CHAP: id, name, challenge, MD5(response)
• AAA Server → NAS: RADIUS: CHAP: success/failure
• NAS → User: PPP: CHAP: success/failure
• User ↔ NAS: PPP: Usage

EAP-MD5 Message Sequence
[Diagram: User, NAS (PEP), AAA Server (PDP); time runs downward]
• User ↔ NAS: PPP: LCP: Negotiation
• NAS → AAA Server: RADIUS Access request: EAP Start
• AAA Server → NAS: RADIUS Access challenge: EAP request: identity
• NAS → User: PPP: EAP request: identity
• User → NAS: PPP: EAP response: identity
• NAS → AAA Server: RADIUS Access request: EAP response: identity
• AAA Server → NAS: RADIUS Access challenge: EAP request: MD5-challenge
• NAS → User: PPP: EAP request: MD5-challenge
• User → NAS: PPP: EAP response: MD5-challenge
• NAS → AAA Server: RADIUS Access request: EAP response: MD5-challenge
• AAA Server → NAS: RADIUS Access-Accept: EAP success
• NAS → User: PPP: EAP success
• User ↔ NAS: PPP: Usage

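A small Python model of the CHAP and EAP-MD5 sequences above, added here and not part of the original talk: the NAS (PEP) issues the challenge, the User answers with MD5(id || secret || challenge) as RFC 1994 and RFC 3748 specify, and the AAA Server (PDP) recomputes the digest from its own copy of the secret. The classes User, NAS and AAAServer and the sample secrets are my own constructions.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994) and EAP-MD5 (RFC 3748) both answer a challenge with
# MD5(Identifier || shared secret || Challenge); the secret itself never crosses the link,
# unlike PAP, where identity and password travel in the clear on PPP and RADIUS.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class User:
    """The dial-in client: holds its own secret and answers the NAS challenge."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, identifier: int, challenge: bytes):
        # PPP: CHAP: id, name, MD5(response)
        return self.name, chap_response(identifier, self.secret, challenge)

class AAAServer:
    """The PDP: the only party besides the user that knows the secret (constructed table)."""
    def __init__(self, secrets: dict):
        self.secrets = secrets

    def verify(self, identifier: int, name: str, challenge: bytes, response: bytes) -> bool:
        # RADIUS: CHAP: id, name, challenge, MD5(response)  ->  success/failure
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison

class NAS:
    """The PEP: issues the challenge and relays the answer to the PDP over RADIUS."""
    def __init__(self, pdp: AAAServer):
        self.pdp, self.identifier = pdp, 0

    def authenticate(self, user: User) -> bool:
        self.identifier = (self.identifier + 1) & 0xFF
        # Fresh, unpredictable challenge per attempt; a reused challenge would let a
        # recorded response be replayed, since the digest binds only id, secret and challenge.
        challenge = os.urandom(16)
        name, response = user.answer(self.identifier, challenge)
        return self.pdp.verify(self.identifier, name, challenge, response)
```

The same chap_response function is what the AAA server computes for an EAP-MD5 challenge, which is why the EAP-MD5 sequence above needs no additional server-side secret handling.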