NSIS Secure Configuration Issues (with a focus on QoS signaling)

NSIS Secure Configuration Issues (with a focus on QoS signaling). Hannes Tschofenig. Acknowledgements. I would like to thank my co-authors/contributors for their input to this (and related) work: a number of people from the NSIS working group, Gerardo Giaretta, Antonio F. Gomez-Skarmeta

Presentation Transcript


  1. NSIS Secure Configuration Issues (with a focus on QoS signaling)
     Hannes Tschofenig

  2. Acknowledgements
     I would like to thank my co-authors/contributors for their input to this (and related) work:
     • A number of people from the NSIS working group
     • Gerardo Giaretta
     • Antonio F. Gomez-Skarmeta
     • Dirk Kroeselberg
     • James Polk
     • Jon Peterson
     • Joachim Kross
     • Douglas Sicker
     • Vishal Sankhla

  3. QoS Signaling Example
     Diagram participants: QoS Router, End Host
     Message exchange shown in the diagram:
     [ Discovery-Query ]
     [ Discovery-Response ]
     … Establishment of security association …
     QoS Reserve
     QoS Response
     A few things to think about:
     • You need to authorize the user for a QoS reservation.
     • You need to secure the QoS signaling message exchange.
     • How does the end host know whether the QoS router is the “right” QoS router?

  4. Secure QoS messages
     • For RSVP and NSIS you need to think about key management
       • RSVP: How do you create the session key for the Integrity Object?
       • NSIS: Depends on what you use (symmetric vs. asymmetric auth.).
     • Questions:
       • Where does a symmetric key come from? OR
       • Where does the PKI infrastructure come from?
     • → Deployment problem (and again the EAP solution shows up as a possible solution)

  5. Authorize User
     • Do you again want to use EAP back to the home network to authorize the user?
       • Most likely not.
     • In some cases binding the initial authentication and authorization to the subsequent signaling exchange is feasible
     • Binding different protocol exchanges is already used in other places:
       • SIP <-> QoS signaling

  6. Conclusion
     • It seems reasonable to think about associating
       • network access authentication and authorization with
       • QoS signaling
     • You might call it bootstrapping, key distribution, …

  7. References
     • Trait-based Authorization Requirements for SIP, draft-ietf-sipping-trait-authz-00.txt
     • Bootstrapping Kerberos, draft-tschofenig-pana-bootstrap-kerberos-00.txt
     • Enriching Bootstrapping with Authorization Information, draft-tschofenig-enroll-bootstrapping-saml-00.txt
     • Using SAML for SIP, draft-tschofenig-sip-saml-02.txt
     • Extended QoS Authorization for the QoS NSLP, draft-tschofenig-nsis-qos-ext-authz-00.txt
     • A number of RSVP documents (e.g., RFC 3520, RFC 3521)
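
Slides 4 and 6 ask where a symmetric key for QoS signaling comes from and suggest associating it with network access authentication. The following is an added example, not part of the presentation: it derives a per-router QoS key from a key assumed to remain from network access authentication, then uses it to integrity-protect and replay-protect a QoS Reserve. The use of HKDF-SHA256, the JSON message layout, and all names (`derive_qos_key`, `QosRouter`, `host-a`, `router-1`, `router-2`) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def hkdf_sha256(ikm, salt, info):
    """HKDF (RFC 5869) with SHA-256, limited to one 32-byte output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()              # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()   # expand

def derive_qos_key(access_key, host_id, router_id):
    # Both identities go into the derivation, so a key provisioned to one
    # QoS router cannot verify (or forge) signaling meant for another.
    info = json.dumps(["qos-signaling", host_id, router_id]).encode()
    return hkdf_sha256(access_key, b"bootstrap-example", info)

def protect(key, seq, body):
    # Hypothetical message layout: sequence number plus body, tagged with HMAC.
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class QosRouter:
    def __init__(self, key):
        self.key, self.last_seq = key, -1

    def accept(self, msg):
        expected = hmac.new(self.key, msg["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad integrity tag"
        seq = json.loads(msg["payload"])["seq"]  # parsed only after the tag verifies
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        return "accept"

def demo():
    access_key = bytes(range(32))  # constructed stand-in for the access-authentication key
    host_key = derive_qos_key(access_key, "host-a", "router-1")
    # Assumption: the home network hands each router only its own derived key.
    right = QosRouter(derive_qos_key(access_key, "host-a", "router-1"))
    other = QosRouter(derive_qos_key(access_key, "host-a", "router-2"))
    reserve = protect(host_key, 1, {"type": "QoS Reserve", "bandwidth_kbps": 512})
    tampered = dict(reserve, payload=reserve["payload"].replace("512", "99999"))
    return [right.accept(reserve), right.accept(reserve),
            right.accept(tampered), other.accept(reserve)]
```

Calling `demo()` shows the first Reserve accepted, its replay rejected, the modified bandwidth rejected, and a router holding a key derived for a different identity unable to verify the message.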
