90 likes | 210 Views
Applicability of a User Registration Protocol. Yoshihiro Ohba (Toshiba America Research, Inc.) Henry Haverinen (Nokia). Access control issue (1) Managed access control. L2 access control basically provides "all-or-nothing" access control Simple and useful for some cases (DSL, Cable)
E N D
Applicability of a User Registration Protocol Yoshihiro Ohba (Toshiba America Research, Inc.) Henry Haverinen (Nokia)
Access control issue (1)Managed access control • L2 access control basically provides "all-or-nothing" access control • Simple and useful for some cases (DSL, Cable) • Flexible access control would also be useful in certain cases (network access in public area), e.g., • Allow any user to get access to a web site within the edge subnet to get local area guide information • Deny unauthorized user to access beyond the edge subnet
Access control issue (2)Multi-homing • A host may associate with multiple Access Routers (ARs) • If all ARs belong to the same AAA domain, performing AAA per AR may not be a good idea • If each AR belongs to a different AAA domain, AAA per AR would be necessary • These ARs may speak IPv4 only, IPv6 only, or both. • A host may have multiple interfaces • If all interfaces belong to the same AAA domain, performing AAA per interface may not be a good idea AR1 AR2 H AR1 H
AAA application protocol issue • AAA application protocols: MIP, SIP, ... • Each protocol design started without AAA (base spec.) • Later on, AAA interaction is considered • Fortunately, no modification is needed for the base spec. in terms of the last two 'A's (good for modularity) • Need consideration to deal with the first 'A' • How to establish an SA with "out of the blue" client? • MIPv4 has AAA extention to carry registration keys • It would be very nice if a protocol can be "AAA-ready" without any modification to its base spec. • Coupling user registration with key distribution
BURP (Basic User Registration Protocol) • Is a client-server type protocol that • Performs user registration to the visiting AAA domain • Works with Diameter/RADIUS, leveraging AAA infrastructure in the network based on the information gathered in the registration phase • Is a light-weight, application layer protocol that is applicable • To various devices (e.g., PDA, cellular, laptop) without modifying kernel or device drivers • To flexibile access control • To multi-homing environment • Is is also used for key distribution for AAA application protocols
Example of BURP applicability to SIP Step 1: The user performs user registration by using BURP Step 2: If step 1 is successful, authorization information is pulled from AAA infrastracture. • The information includes application specific one such as: a SIP registration key • Also, access control parameters will be set to access routers Step 3: The user run SIP. • Thanks to the previous steps, authentication for SIP registration can be done w/o contacting to AAA. (The example can be applied to other protocol "X" by replacing "SIP" with "X".)
AAA infrastracture in the core network 1 2 2 BURP Server SIP Server/Proxy 2 1 3 User Terminal
Possible architecture AAA Protocol Entity AAA Protocol Entity (Diameter/RADIUS) AAA info. (incl. Registration keys) Basic Part of Each Application Protocol (independent of AAA) SIP Server BURP Server (Registration Agent) AR/AP Mobile IP Mobility Agent ... Network BURP messages User Terminal BURP Client SIP Client L2 Auth. Client Mobile IP Mobile Node ... AAA info. (incl. registratin keys)