Access Control and Authentication for Converged Networks
Z. Judy Fu, John Strassner
Motorola Labs
{judy.fu, john.strassner}@motorola.com
Content
• Motivation and AAA Requirements
• Limitations of Existing AAA for Converged Networks
• Novel AAA Architecture
• AAA Framework
• RBAC Models
• Common Authentication Framework
• Conclusion and Future Work
Motivation
• Heterogeneous networks are converging to provide IP services
  • Heterogeneous access technology
    • Wireless local access: 802.11, 802.16, HyperLAN, Bluetooth
    • Cellular access: GSM, GPRS, CDMA, UMTS
    • Broadband service to the home: fiber, cable, Ethernet, xDSL, or WiMax
  • Not only access providers but also application or content providers
  • Heterogeneous administrative domains
• AAA is essential and complex in inter-working between heterogeneous networks
Requirements of AAA for Converged Networks
• Inter-working with various types of providers
• Respect each administrative domain's policies
• Support various applications based on context, user profile and policies
• Common framework to facilitate reuse
• Minimized design, development and deployment cost
Existing AAA Solutions for Converged Networks
• Framework: EAP-RADIUS
• Protocols: EAP-TLS, EAP-AKA, EAP-SIM …
Limitations of Existing AAA Solutions for Converged Networks
• No flexible authorization element that takes heterogeneous domain policies into account
• No support for future applications based on context, user profile, etc.
• Do not accommodate heterogeneous system, protocol, method and credential requirements
  • EAP support in native IP wireless networks like WLAN
  • WiMax requires a certificate-based authentication method, while UMTS requires a shared-secret-based authentication method
A Novel AAA Architecture
• Proposing a modeling-based AAA architecture
  • Generic framework that can be mapped to different networks and devices
  • Each domain's security policies can be ensured
  • Heterogeneous policies, credentials and protocols can be accommodated
The New AAA System
• AAA server is no longer a traditional RADIUS server
• AAA interacts with context server, identification server, and policy server
• AAA protocols used may include RADIUS, Diameter, Mobile IP, etc.
Authentication Protocol Mapping
• Method 1: EAP-xxx for all
  • All networks are equipped with an EAP controller
  • All devices send only EAP authentication requests
  • All authentication protocols are encapsulated in EAP and RADIUS messages
  • Always use the home network's authentication method
Authentication Protocol Mapping (Cont.)
• Method 2: A common authentication framework
  • Different authentication requests/replies are mapped to the common framework
  • Devices do not have to be changed
  • Example common authentication framework: the IKEv2 authentication part

    MS (mobile station)                                          AAA server
        ----- ID, scheme (sym or asym), [cert], auth data [key] ----->
        <---- ID, scheme, [cert], auth data [key] -------------------
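As an added example (not from the slides), the exchange above in Go: a mobile station maps either a shared-secret (sym) or a certificate (asym) credential onto the one common message, and the AAA server verifies by scheme against the credential registered for that ID. Assumptions: an Ed25519 public key stands in for the certificate, HMAC-SHA256 over a server challenge stands in for the sym auth data, the challenge itself is assumed because the slide omits it, and only the MS-to-AAA direction is shown (the reply reuses the same message type).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// AuthMsg is the common-framework message from the slide: ID, scheme ("sym" or "asym"), optional cert, auth data.
type AuthMsg struct {
	ID, Scheme     string
	Cert, AuthData []byte // Cert: raw public key standing in for a certificate (asym only)
}

// AAAServer holds the home domain's credentials keyed by ID; Challenge is the assumed per-session nonce.
type AAAServer struct {
	Secrets   map[string][]byte
	PubKeys   map[string]ed25519.PublicKey
	Challenge []byte
}

func mac(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// SymRequest maps a shared-secret credential (UMTS-style) onto the common message.
func SymRequest(id string, secret, challenge []byte) AuthMsg {
	return AuthMsg{ID: id, Scheme: "sym", AuthData: mac(secret, challenge)}
}

// AsymRequest maps a certificate credential (WiMax-style) onto the common message.
func AsymRequest(id string, priv ed25519.PrivateKey, challenge []byte) AuthMsg {
	pub := priv.Public().(ed25519.PublicKey)
	return AuthMsg{ID: id, Scheme: "asym", Cert: pub, AuthData: ed25519.Sign(priv, challenge)}
}

// Verify dispatches on scheme, so the server needs only the ID's registered credential, not the access network's protocol.
func (s *AAAServer) Verify(m AuthMsg) bool {
	switch m.Scheme {
	case "sym":
		k := s.Secrets[m.ID]
		return k != nil && hmac.Equal(mac(k, s.Challenge), m.AuthData)
	case "asym":
		pk := s.PubKeys[m.ID]
		return pk != nil && pk.Equal(ed25519.PublicKey(m.Cert)) && ed25519.Verify(pk, s.Challenge, m.AuthData)
	}
	return false
}
```

A message whose scheme does not match the credential registered for its ID is rejected, which is the check that keeps one domain's policy (certificate required, say) from being bypassed by a device presenting the other scheme.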
AAA Models
• Business view models
  • Focus on access control models
• System view models
  • Include specific authentication and authorization mechanisms, mobility management, context, policy, profiles, and identification
RBAC Access Control Models
• Propose an enhanced notion of role-based access control (RBAC) for inter-working between providers
• Simplified management of individual entities by assigning roles based on business functions
Conclusion and Future Work
• Novel AAA architecture
  • Supports heterogeneous provider inter-working
  • Supports both coalition and spontaneous access
  • Supports various applications for inter-working
  • Facilitates reuse
  • Minimizes development and deployment cost
• Future work
  • Refine models
  • Design automatic mapping techniques
  • Prototype
The End Thank You! Questions???