NSIS Secure Configuration Issues (with a focus on QoS signaling)
Hannes Tschofenig
Acknowledgements
I would like to thank my co-authors/contributors for their input to this (and related) work
• A number of people from the NSIS working group
• Gerardo Giaretta
• Antonio F. Gomez-Skarmeta
• Dirk Kroeselberg
• James Polk
• Jon Peterson
• Joachim Kross
• Douglas Sicker
• Vishal Sankhla
QoS Signaling Example
(Diagram: End Host and QoS Router exchanging the following messages)
• [ Discovery-Query ]
• [ Discovery-Response ]
• … Establishment of security association …
• QoS Reserve
• QoS Response
A few things to think about:
• You need to authorize the user for a QoS reservation.
• You need to secure the QoS signaling message exchange.
• How does the end host know whether the QoS router is the “right” QoS router?
Secure QoS messages
• For RSVP and NSIS you need to think about key management
• RSVP: How do you create the session key for the Integrity Object?
• NSIS: Depends on what you use (symmetric vs. asymmetric authentication).
• Questions:
• Where does a symmetric key come from? OR
• Where does the PKI infrastructure come from?
• → Deployment problem (and again the EAP solution shows up as a possible solution)
Authorize User
• Do you again want to use EAP back to the home network to authorize the user?
• Most likely not.
• In some cases binding the initial authentication and authorization to the subsequent signaling exchange is feasible
• Binding different protocol exchanges is already used in other places:
• SIP <-> QoS signaling
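As an added example (not code from these slides, nor from any NSIS or RSVP implementation), the following Python sketch shows one way the binding discussed on the previous two slides could look: a key produced by network access authentication (assumed here to be handed to both the end host and the QoS router by the access network, e.g. after EAP) is narrowed to a per-session signaling key, and that key protects the QoS Reserve message with a key ID, a sequence number and an HMAC, playing the role of the RSVP Integrity Object. The derivation label, message layout and function names are assumptions made for the example.

```python
import hmac
import hashlib
import struct
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 output length (assumed MAC for this sketch)

def derive_signaling_key(access_key: bytes, session_id: bytes) -> bytes:
    """Narrow the key obtained from network access authentication to a key
    that is only good for QoS signaling of one session. The one-way
    derivation means a leaked signaling key does not expose the access key."""
    return hmac.new(access_key, b"nsis-qos-signaling|" + session_id,
                    hashlib.sha256).digest()

def build_reserve(key: bytes, key_id: int, seq: int, payload: bytes) -> bytes:
    """End host side: Key ID + Sequence Number + payload, then an HMAC over
    all of it (layout assumed; same role as an RSVP Integrity Object)."""
    header = struct.pack("!HI", key_id, seq)
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac

class QoSRouter:
    """QoS router side: knows the signaling key for each Key ID and the last
    sequence number it accepted, so replayed Reserve messages are rejected."""
    def __init__(self) -> None:
        self.keys = {}       # key_id -> signaling key
        self.last_seq = {}   # key_id -> highest accepted sequence number

    def install_key(self, key_id: int, key: bytes) -> None:
        self.keys[key_id] = key
        self.last_seq[key_id] = 0

    def verify_reserve(self, msg: bytes) -> Optional[bytes]:
        """Return the payload if MAC and sequence number check out, else None."""
        if len(msg) < 6 + MAC_LEN:
            return None
        key_id, seq = struct.unpack("!HI", msg[:6])
        key = self.keys.get(key_id)
        if key is None:
            return None                      # unknown key: no authorization
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                      # forged or modified message
        if seq <= self.last_seq[key_id]:
            return None                      # replayed message
        self.last_seq[key_id] = seq
        return body[6:]
```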
Conclusion
• It seems reasonable to think about associating
• network access authentication and authorization with
• QoS signaling
• You might call it bootstrapping, key distribution, …
References
• Trait-based Authorization Requirements for SIP, draft-ietf-sipping-trait-authz-00.txt
• Bootstrapping Kerberos, draft-tschofenig-pana-bootstrap-kerberos-00.txt
• Enriching Bootstrapping with Authorization Information, draft-tschofenig-enroll-bootstrapping-saml-00.txt
• Using SAML for SIP, draft-tschofenig-sip-saml-02.txt
• Extended QoS Authorization for the QoS NSLP, draft-tschofenig-nsis-qos-ext-authz-00.txt
• A number of RSVP documents (e.g., RFC 3520, RFC 3521)