Washington D.C., November 2004 IETF 61st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Presentation transcript:

Washington D.C., November 2004
IETF 61st – mip6 WG
Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00)
Gerardo Giaretta, Ivano Guardini, Elena Demaria – Telecom Italia Lab (TILab)
Julien Bournelle – GET/INT
Rafa Marin Lopez – University of Murcia

Motivation
MIPv6 may be a service offered by a Mobility Service Provider (MSP)
  – the MSP manages a set of HAs that can be used only by the customers that subscribed to the MIPv6 service
In this case all protocol operations need to be explicitly authorized and monitored
  – to control service utilization and enable consistent billing
This can be done by relying on the AAA infrastructure of the MSP
  – the AAA infrastructure can also be used to enable dynamic Mobile IPv6 bootstrapping

AAA-HA interface
Interface between the AAA infrastructure of the MSP and the HA
  – the HA is a kind of Network Access Server (NAS) for MIPv6
Core capabilities
  – Mobile IPv6 service authorization and maintenance (e.g. asynchronous service termination)
  – exchange of accounting data (e.g. time of creation and removal of binding cache entries)
Dynamic bootstrapping capabilities
  – mobile node authentication (e.g. EAP-based)
  – delivery of configuration parameters to the HA (e.g. PSK for peer authentication in IKE phase 1)

Basic Security Model
MN shares a pre-configured trust relationship with the AAA server of the MSP (AAA-MSP)
HA shares a trust relationship with the AAA-MSP server
[Figure: trust relationships; labels: AAA-MSP Server, Home Agent]

Usage scenario n.1
Bootstrapping directly with the HA
  – using IKEv2 (draft-ietf-mip6-ikev2-00)
  – or using PANA multi-hop (draft-tschofenig-mip6-bootstrapping-pana-00)
[Figure labels: AAA-MSP Server; Home Agent; NAS; EAP (IKEv2, PANA multi-hop); AAA-HA protocol; User authentication and authorization (EAP transport)]

Usage scenario n.2
Bootstrapping through AAA infrastructure
  – using EAP (draft-giaretta-mip6-authorization-eap-02)
  – using RADIUS or Diameter AVPs (draft-ohba-mip6-boot-arch-dhcp-00, draft-jee-mip6-bootstrap-pana-00, draft-chowdhury-mip6-bootstrap-radius-00)
[Figure labels: AAA-MSP Server; Home Agent; NAS; AAA-HA protocol; Piggybacking of MIPv6 data within EAP; AAA-HA protocol; MIPv6 RADIUS or Diameter AVPs; PANA, L2 or DHCP specific extensions; A); B); MIPv6 state set-up]

Usage scenario n.3
[Figure labels: AAA-MSP Server; Home Agent; NAS; IKEv1/IKEv2; AAA-HA protocol; MIPv6 Authorization]
MN is statically provisioned with bootstrapping data (Home Address, HA address, etc.)
Explicit authorization of MIPv6 service
  – service may not be authorized if the MN's credit is about to be exhausted

Usage scenario n.4
IPsec SA is statically and manually configured
The IPsec SA is enough to authenticate BUs and BAs, but it is not enough to authorize the MIPv6 service
[Figure labels: AAA-MSP Server; Home Agent; NAS; BU; AAA-HA protocol; Binding Authorization; BA]

Goals
Security
  – Mutual authentication
  – Integrity protection
  – Replay protection
  – Confidentiality
  – Inactive peer detection
Service Authorization
  – NAI to identify the MN
  – HA must be able to query AAA-MSP to verify MN authorization
  – AAA-MSP should be able to enforce auth. restrictions of HA
Accounting
  – Transfer of accounting records (e.g. bytes transferred in bi-directional tunneling)
Mobile node authentication
  – MN authentication with HA as NAS and AAA-MSP as backend authentication server (e.g. EAP)
Delivery of config. data
  – AAA-MSP should be able to poll HA for the allocation of a HoA
  – AAA-MSP should be able to send security data to HA (e.g. PSK)
[Table column labels on the slide: Common goals; Scenario n.1; Scenario n.2]
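
An added example, not taken from the slides or the draft: a toy Python model of the HA-side checks implied by usage scenarios n.3/n.4 and the service authorization and accounting goals, in which a valid IPsec SA only authenticates a Binding Update and the HA still queries AAA-MSP by NAI before creating a binding cache entry. The `AAAMsp` and `HomeAgent` classes, their methods, and all NAIs, SA ids and addresses are assumptions made for illustration.

```python
# Illustrative model only: class, field and message names are hypothetical,
# and all NAIs, addresses and SA ids below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class AAAMsp:
    profiles: dict                                   # NAI -> subscriber profile
    accounting: list = field(default_factory=list)   # records received from the HA
    def authorize(self, nai):
        p = self.profiles.get(nai)
        return bool(p and p["mip6_subscribed"] and p["credit"] > 0)
    def account(self, event, nai, hoa, ts):
        self.accounting.append((event, nai, hoa, ts))

@dataclass
class HomeAgent:
    aaa: AAAMsp
    sa_to_nai: dict                                  # IPsec SA id -> NAI it was set up for
    bindings: dict = field(default_factory=dict)     # HoA -> (NAI, CoA)
    def binding_update(self, sa_id, hoa, coa, now):
        nai = self.sa_to_nai.get(sa_id)
        if nai is None:
            return "rejected: not authenticated"
        # The SA proves who sent the BU; only AAA-MSP decides if service is allowed.
        if not self.aaa.authorize(nai):
            return "rejected: not authorized"
        if hoa not in self.bindings:
            self.aaa.account("binding-created", nai, hoa, now)
        self.bindings[hoa] = (nai, coa)
        return "accepted"
    def terminate(self, nai, now):
        # Asynchronous service termination requested by AAA-MSP.
        removed = [h for h, (n, _) in self.bindings.items() if n == nai]
        for hoa in removed:
            del self.bindings[hoa]
            self.aaa.account("binding-removed", nai, hoa, now)
        return removed

def demo():
    aaa = AAAMsp({"alice@msp.example": {"mip6_subscribed": True, "credit": 5},
                  "bob@msp.example": {"mip6_subscribed": True, "credit": 0}})
    ha = HomeAgent(aaa, {"sa1": "alice@msp.example", "sa2": "bob@msp.example"})
    results = [ha.binding_update("sa1", "2001:db8::a", "2001:db8:1::10", now=100),
               ha.binding_update("sa2", "2001:db8::b", "2001:db8:2::20", now=101),
               ha.binding_update("sa9", "2001:db8::c", "2001:db8:3::30", now=102)]
    aaa.profiles["alice@msp.example"]["credit"] = 0  # credit runs out
    removed = ha.terminate("alice@msp.example", now=200)
    return results, removed, aaa.accounting
```

Calling `demo()` returns the three Binding Update outcomes, the home addresses removed by the asynchronous termination, and the accounting records for binding creation and removal.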

Next Steps
Identify a protocol that fulfills the goals
  – Diameter
  – RADIUS
  – SNMPv3
Identify a framework and develop the interface for that?
Alternatively, develop a more general interface for different bootstrapping scenarios?