230 likes | 250 Views
AAA: A Survey and a Policy- Based Architecture and Framework. 692430003 林谷泉. Outlines. Introduction AAA Mechanisms The IRTF AAA Architecture Problem Areas, Weaknesses, and Goals A Generic Policy-Based Architecture Conclusion Reference. Introduction.
E N D
AAA: A Survey and a Policy- Based Architecture and Framework 692430003 林谷泉
Outlines • Introduction • AAA Mechanisms • The IRTF AAA Architecture • Problem Areas, Weaknesses, and Goals • A Generic Policy-Based Architecture • Conclusion • Reference AAA
Introduction • Commercialized services do need: • Authentication. • Authorization. • Charging, based on accounting processes. • Furthermore, security-related issued issues about user and device mobility. • The network of the near feature will be the multi-service Internet. • Multiple cooperating domains. AAA
AAA Mechanisms • Authentication • Verification of the identify of a subject. • Example: • International Mobile Subscriber Identify (IMSI) in the SIM card. • IP Address • International Mobile Equipment Identity (IMEI) • Medium Access Control (MAC) Address AAA
AAA Mechanisms (cont.) • Classification of Authentication • Knowledge-based • Cryptography-based • Biometrics-based • Secure-tokens-based AAA
AAA Mechanisms (cont.) • Authorization • Access Control • Classification: • Authentication-based mechanisms • Require authentication of the subject. • Credential-based mechanisms • Use trustworthy information (credentials) being held by subjects of an authorization. AAA
AAA Mechanisms (cont.) • Accounting • Two major tasks: • Collect data from metering systems. • Aggregate and store these data in accounting records. • An accounting policy • which data has to be metered by a metering system? • how often it is metered? • How it is aggregated? • Tele-communication: Call detail records (CDRs) • Data-communication: IP detail records (IPDRs) AAA
AAA Protocols • RADIUS • The Remote Authentication Dial In User Service. • Designed for transferring authentication, authorization, and configuration data between a network access server (NAS) • The RADIUS server itself can act as a client to other RADIUS server. • Shortcomings: • Protocol-Specific, Lower fault tolerance on UDP, Security Support in P2P. AAA
AAA Protocols (cont.) • Diameter • The protocol satisfies requirements of network access using different access technologies. • COPS • The Common Open Policy Service. • It enables the exchange of policy information between a policy decision point (PDP) and policy enforcement points (PEPs). • PEPs are clients, and a PDP acts as a server. AAA
AAA Protocols (cont.) • SNMPv3 • The Simple network Management Protocol Version 3 • It proposes a new management model from v2. • Authentication and authorization in application and content services. • Application-independent protocols • Secure Socket Layer (SSL) • Application-specific protocols • HTTP-Authentication • Secure Shell (SSH) AAA
The IRTF AAA Architecture • Defined by The IRTF research group AAAArch. • AAA Components • Policy Repositories (PRs) • Rule-Based engine (RBE) • Service Equipment (SE) AAA
The IRTF AAA Architecture (cont.) • AAA Services • Authorization Service • Achieving a authorization decision to grant or deny a user’s request for services in an authorized session by setting up the SE and logging the session’s state. • User authentication may be part of the authorization process, and the authentication information will be carried in the authorization request. • Accounting Services • Recording relevant accounting information obeying the authorization’s decision and the ongoing resource use of the authorized session. AAA
The IRTF AAA Architecture (cont.) • To offer AAA services, secured and trusted relationships between different AAA servers are necessary. • Authentication between peer AAA servers is part of these services. AAA
The IRTF AAA Architecture (cont.) • AAA Architecture and Protocols • Special AAA protocol • Particular application • Programming interface • (API) or the AAA • Protocol. • (3) Depending on the PR’s • implementation. • (4) An application-specific • protocol AAA
Problem Areas, Weaknesses, and Goals • The work is performed in isolation for shortened tasks and limited scenarios. • Connectivity control through an NAS • Content delivery control through a billing system. • The IRTF’s AAA Architecture tries to resolve these restrictions. • Building generic servers and ASMs. AAA
Problem Areas, Weaknesses, and Goals (cont.) • Functions of policy decision and policy enforcement are not separated clearly. • Extensibility to functions beyond AAA, like charging an auditing, is complicated. • The functionality of the ASM has not been defined completely. • The inclusion of QoS-related, handover and paging support services has not been considered. AAA
A Generic Policy-Based Architecture • Three basic concepts for the framework • Service separation • Extended AAA point of view • Partitioning of service levels • New diversification • Policy paradigm • Reuse of existing work AAA
Partitioning of Service Levels in and Internet Service Model AAA
Conclusion • There is an increasing need for AAA services and services beyond AAA. • The generic approach takes these aspects into account and clearly distinguishes between support services and user services. • The Advantages • Can offer apart data from metering from one provider to another. • Providers can build systems on their own business palns. AAA
Reference • C. Rensing, Hasan, M. Karsten, B. Stiller, AAA: A Survey and a Policy-Based Architecture and Framework, IEEE Network Nov/Dec 2002, pp. 22-27. AAA