220 likes | 344 Views
Standards First!™. AAA. Authentication, Authorization, Accounting. Gerhard Gross. Standards First!™. Why AAA? Authentication Authorization Accounting Examples Radius Diameter Intra-domain AAA. Generic AAA Server Architectural Components Generic AAA Architecture Trust Relationships
E N D
Standards First!™
AAA Authentication, Authorization, Accounting Gerhard Gross Standards First!™
Why AAA? Authentication Authorization Accounting Examples Radius Diameter Intra-domain AAA Generic AAA Server Architectural Components Generic AAA Architecture Trust Relationships IP Telephony AAA Examples Agenda
Why AAA? • Protection of investments, business • Auditing, session info (now, later) • Support for billable services: • Network access • Gateway services (IP PSTN) • High bandwidth path • Low latency path • Low jitter path
Authentication • The act of verifying a claimed identity • Pertains to users and devices • Authenticator may submit a challenge to the requestor to thwart unscrupulous access
Authorization • The act of determining if a requestor can be granted a right, such as network access, high BW service, etc. • Does this person have the right to do this? • Often based on policies
Accounting • The act of collecting any relevant data required for billing, auditing, etc. • Normally includes resource consumption data, network access data, … • Charge Settlement
NAS Example – Dialin Home ISP AAA Server 2 3 1 User 4
NAS Example : Dial-in Mobile Visited ISP Home ISP 3 AAA Server AAA Server 4 2 5 1 User 6
RADIUS • AA protocol between NAS and shared server • Centralize AA functions to one server • Vehicle for configuration info () • De facto standard – IETF proposed standard • Performance suffers in large scale systems • No support for congestion control
Diameter • AAA protocol for “network access” • Based on RADIUS – addresses protocol shortcomings • Satisfy requirements from IETF working groups Mobile-IP, NASREQ, ROAMOPS • To be adopted by IETF AAA WG as a “proposed” standard
Intra-domain AAA Media and Resource Request Auth & Correlation User 1 Session Mgmt 2 AAA Server 4 3 Trust ? 5 Resource Mgmt 6 AAA Server 8 7
Generic AAA ServerArchitectural Components AAA Server Policy Repository Application Specific Module
Generic AAA Architecture AAA ASM PR Client AAA ASM PR AAA ASM PR
Trust Relationships AAA Broker ? AAA Server AAA Server Mobile Node Foreign Agent Home Agent Foreign Domain Home Domain
IP Session Components AAA Broker AAA AAA Server AAA Server PR ASM SIP Proxy SIP Proxy SIP SIP Phone Edge Router Media Router
Auth Token SIP Path AAA Broker Domain A Domain B PR AAA Server AAA Server PR ASM ASM SIP Proxy SIP Proxy SIP Phone Edge Router Edge Router SIP Phone
Mobile IP Telephony Setup Visited Domain AAA Brokers Home Domain Called Domain 3 CHx AAA Svr AAA Svr AAA Svr 4 CHy 6 8 2 SIP Phone SIP Proxy SIP Proxy SIP Proxy SIP Phone 1 5 7 9
Auth Token AAA Path AAA Broker Domain A Domain B PR AAA Server AAA Server PR ASM ASM SIP Proxy SIP Proxy SIP Phone Edge Router Edge Router SIP Phone
Mobile IP Telephony Setup Visited Domain AAA Brokers Home Domain Called Domain 3 CHx AAA Svr AAA Svr AAA Svr CHy 4 6 8 2 SIP Phone SIP Proxy SIP Proxy SIP Proxy SIP Phone 1 5 7 9
Summary • AAA Framework needed to support billable services – Standardize! • Generic AAA work ongoing in IRTF • Includes mobility support • Brokers mitigate cross ISP business relationships
Current Activities • IETF rfcs 2903 – 2906 and others • IRTF AAAArch research group drafts • IETF AAA working group drafts (network access) • draft-ietf-rap-access-bind-00.txtdefines Authen data structures and transactions • gerhard.gross@intel.com