Washington D.C., November 2004. IETF 61st – mip6 WG. Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00). Gerardo Giaretta, Ivano Guardini, Elena Demaria, Telecom Italia Lab (TILab); Julien Bournelle, GET/INT; Rafa Marin Lopez, University of Murcia.
Motivation
• MIPv6 may be a service offered by a Mobility Service Provider (MSP)
  • the MSP manages a set of HAs that can be used only by the customers that subscribed to the MIPv6 service
• In this case all protocol operations need to be explicitly authorized and monitored
  • to control service utilization and enable consistent billing
• This can be done relying on the AAA infrastructure of the MSP
  • the AAA infrastructure can also be used to enable dynamic Mobile IPv6 bootstrapping
AAA-HA interface
• Interface between the AAA infrastructure of the MSP and the HA
  • the HA is a kind of Network Access Server (NAS) for MIPv6
• Core capabilities
  • Mobile IPv6 service authorization and maintenance (e.g. asynchronous service termination)
  • exchange of accounting data (e.g. time of creation and removal of binding cache entries)
• Dynamic bootstrapping capabilities
  • mobile node authentication (e.g. EAP-based)
  • delivery of configuration parameters to the HA (e.g. PSK for peer authentication in IKE phase 1)
Basic Security Model
• MN shares a pre-configured trust relationship with the AAA server of the MSP (AAA-MSP)
• HA shares a trust relationship with the AAA-MSP server
[Figure: AAA-MSP Server; Home Agent; Trust Relationships]
Usage scenario n.1
• Bootstrapping directly with the HA
  • using IKEv2 (draft-ietf-mip6-ikev2-00)
  • or using PANA multi-hop (draft-tschofenig-mip6-bootstrapping-pana-00)
[Figure: AAA-MSP Server; Home Agent (NAS); EAP (IKEv2, PANA multi-hop); AAA-HA protocol: user authentication and authorization (EAP transport)]
Usage scenario n.2
• Bootstrapping through AAA infrastructure
  • using EAP (draft-giaretta-mip6-authorization-eap-02)
  • using RADIUS or Diameter AVPs (draft-ohba-mip6-boot-arch-dhcp-00, draft-jee-mip6-bootstrap-pana-00, draft-chowdhury-mip6-bootstrap-radius-00)
[Figure A: AAA-MSP Server; Home Agent; NAS; piggybacking of MIPv6 data within EAP; AAA-HA protocol]
[Figure B: AAA-MSP Server; Home Agent; NAS; PANA, L2 or DHCP specific extensions; MIPv6 RADIUS or Diameter AVPs; AAA-HA protocol: MIPv6 state set-up]
Usage scenario n.3
• MN is statically provisioned with bootstrapping data (Home Address, HA address, etc.)
• Explicit authorization of MIPv6 service
  • service may not be authorized if the MN's credit is about to be exhausted
[Figure: AAA-MSP Server; Home Agent (NAS); IKEv1/IKEv2; AAA-HA protocol: MIPv6 Authorization]
Usage scenario n.4
• IPsec SA is statically and manually configured
• IPsec SA is enough to authenticate BUs and BAs; it is not enough to authorize the MIPv6 service
[Figure: AAA-MSP Server; Home Agent (NAS); BU / BA; AAA-HA protocol: Binding Authorization]
Goals
Common goals
Security
• Mutual authentication
• Integrity protection
• Replay protection
• Confidentiality
• Inactive peer detection
Service Authorization
• NAI to identify the MN
• HA must be able to query AAA-MSP to verify MN authorization
• AAA-MSP should be able to enforce auth. restrictions of HA
• .......
Accounting
• Transfer of accounting records (e.g. bytes transferred in bi-directional tunneling)
Mobile node authentication (Scenario n.1)
• MN authentication with HA as NAS and AAA-MSP as backend authentication server (e.g. EAP)
• .......
Delivery of config. data (Scenario n.2)
• AAA-MSP should be able to poll HA for the allocation of a HoA
• AAA-MSP should be able to send security data to HA (e.g. PSK)
• ........
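The AAA-HA exchange of scenarios 3 and 4 and the common security goals above (HA and AAA-MSP authenticating each other over their shared trust relationship, integrity and replay protection of every message, the HA querying AAA-MSP by NAI before accepting a binding, a lifetime capped by the subscriber's remaining credit, and accounting records at binding creation and removal) simulated end to end. This is an added Python example, not code from the slides or from any of the cited drafts: the message types, field names, the HMAC-over-JSON protection, the sequence-number replay window, the NAIs and the credit rule are all assumptions standing in for whatever protocol (Diameter, RADIUS, ...) would eventually carry the interface. Confidentiality is not modelled.

```python
import hashlib
import hmac
import json

# Constructed pre-shared secret backing the HA <-> AAA-MSP trust relationship.
HA_AAA_SECRET = b"constructed-ha-aaa-shared-secret"


def _canonical(body):
    # Deterministic encoding so both peers compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(key, body):
    """Attach an HMAC-SHA256 tag: integrity protection plus origin authentication."""
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify(key, msg):
    expected = hmac.new(key, _canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


class AAAServer:
    """AAA-MSP side: subscriber database, authorization decisions, accounting records."""

    def __init__(self, key, subscribers):
        self.key = key
        self.subscribers = subscribers  # nai -> {"mip6": bool, "credit": remaining seconds}
        self.last_seq = {}              # per-HA highest sequence number accepted (replay check)
        self.accounting = []            # accepted accounting records

    def _reject(self, seq, reason):
        return protect(self.key, {"seq": seq, "result": "reject", "reason": reason})

    def handle(self, msg):
        body = msg["body"]
        if not verify(self.key, msg):
            return self._reject(body.get("seq"), "bad-mac")
        ha, seq = body["ha"], body["seq"]
        if seq <= self.last_seq.get(ha, 0):
            return self._reject(seq, "replay")  # stale or repeated sequence number
        self.last_seq[ha] = seq
        if body["type"] == "mip6-authz":
            return protect(self.key, self._authorize(body))
        if body["type"] == "accounting":
            self.accounting.append(body)
            if body["event"] == "stop":  # binding removed: charge the session time
                sub = self.subscribers[body["nai"]]
                sub["credit"] = max(0, sub["credit"] - body["duration"])
            return protect(self.key, {"seq": seq, "result": "ok"})
        return self._reject(seq, "unknown-type")

    def _authorize(self, body):
        sub = self.subscribers.get(body["nai"])
        if sub is None or not sub["mip6"]:
            return {"seq": body["seq"], "result": "deny", "reason": "no-mip6-subscription"}
        if sub["credit"] <= 0:
            return {"seq": body["seq"], "result": "deny", "reason": "credit-exhausted"}
        # Never grant a binding lifetime longer than the remaining credit (scenario 3).
        lifetime = min(body["requested_lifetime"], sub["credit"])
        return {"seq": body["seq"], "result": "grant", "lifetime": lifetime}


class HomeAgent:
    """HA acting as the MIPv6 NAS: asks AAA-MSP to authorize bindings, reports accounting."""

    def __init__(self, name, key, aaa):
        self.name, self.key, self.aaa = name, key, aaa
        self.seq = 0
        self.bindings = {}  # home address -> {"nai": ..., "lifetime": ...}
        self.sent = []      # protected requests, kept so a replay can be demonstrated

    def _exchange(self, body):
        self.seq += 1
        msg = protect(self.key, dict(body, ha=self.name, seq=self.seq))
        self.sent.append(msg)
        reply = self.aaa.handle(msg)
        # Mutual authentication: the reply must carry a valid MAC and echo our sequence number.
        if not verify(self.key, reply) or reply["body"]["seq"] != self.seq:
            raise RuntimeError("unauthenticated or mismatched reply from AAA-MSP")
        return reply["body"]

    def binding_update(self, nai, hoa, requested_lifetime):
        """Scenario 4: IPsec already authenticated the BU; authorization still comes from AAA."""
        r = self._exchange({"type": "mip6-authz", "nai": nai, "hoa": hoa,
                            "requested_lifetime": requested_lifetime})
        if r["result"] != "grant":
            return {"status": "rejected", "reason": r["reason"]}
        self.bindings[hoa] = {"nai": nai, "lifetime": r["lifetime"]}
        self._exchange({"type": "accounting", "event": "start", "nai": nai, "hoa": hoa})
        return {"status": "accepted", "lifetime": r["lifetime"]}

    def binding_delete(self, hoa, duration, tunnel_bytes):
        """Binding cache entry removed: send the accounting stop record with tunnelled bytes."""
        entry = self.bindings.pop(hoa)
        r = self._exchange({"type": "accounting", "event": "stop", "nai": entry["nai"],
                            "hoa": hoa, "duration": duration, "bytes": tunnel_bytes})
        return r["result"]
```

Driving it with a constructed subscriber table (one MIPv6 subscriber with 3600 s of credit, one customer without the service) shows the behaviour the slides ask for: a BU requesting 7200 s is accepted with a 3600 s lifetime, the unsubscribed NAI is rejected even though the HA could have verified the BU itself, the accounting stop record reduces the remaining credit, and re-sending a captured request or altering its NAI is rejected by the sequence check or the MAC check respectively.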
Next Steps
• Identify a protocol that fulfills the goals
  • Diameter
  • RADIUS
  • SNMPv3
• Identify a framework and develop the interface for that?
• Alternatively, develop a more general interface for different bootstrapping scenarios?