EN/FAD 109 0015 How can AAA infrastructure support services and applications in roaming architectures Ericsson Bay Area Research (EBAR) Theodore Havinis.

Presentation transcript:

How can AAA infrastructure support services and applications in roaming architectures. Ericsson Bay Area Research (EBAR), Theodore Havinis

The future trust model
– Parties in the trust relationship: Terminal/User, Visited PLMN operator, Home PLMN operator, Service Provider, Service/Content Provider, Corporate Network
– Applies to services that use resources in the visited network

Identifying the issues
– The FACT is: the AAA infrastructure has a role to play in the service plane.
– The QUESTION is then: what exactly is the role that the AAA infrastructure could play in the service plane, considering:
  – the 3G mobile roaming model
  – multimedia, e-Commerce applications etc.

Possible uses of AAA infrastructure
– End-User (EU) authentication
  – authentication always from EU to home
– Key distribution management
  – network-to-network (n2n) security is needed in some cases
  – the AAA infrastructure is used for distributing keys
  – preparing for full IKE security association (SA) negotiation
– Transporting the user profile
– Policy Decision Point

Distinguish between E-U authentication and N2N security
– Diagram: UA – SIP proxy (visited) – SIP proxy (home operator) – UA (home operator)
– 3G SIP: end-user authentication plus network-to-network security between visited and home
– IETF SIP: end-to-end end-user authentication
– In IETF SIP, the SIP proxy is transparent to end-user authentication.
– In 3G, the SIP proxy cannot be transparent for various reasons, one being the capability to route calls locally, e.g. E-911.

Initial SAs: SIP server at Home
– Diagram: UE – Proxy – AAAL – LS (visited); AAAH – SIP server (home)
– Security associations and keys: SA 1 (K_SA1), SA 2 (K_SA2), SA 3 (K_SA3), SA M (K_M)
– The home network decides where the SIP server is located.
– Initial SAs according to the roaming model.
– 3G operators are considering gateways between networks for protecting internal infrastructure.

Initial SAs: SIP server at Visited
– Diagram: UE – Proxy – AAAL – LS – SIP server (visited); AAAH (home)
– Security associations and keys: SA 2 (K_SA2), SA 3 (K_SA3), SA M (K_M)
– The home network decides where the SIP server is located.
– Initial SAs according to the roaming model.
– 3G operators are considering gateways between networks for protecting internal infrastructure.

How can an AAA server be used with n2n
– What is the proposal?
  1. To use the AAA infrastructure for provisioning the shared secrets.
  2. In addition, to use the AAA infrastructure for n2n authentication and security according to the selected mode of operation.
– Modes of operation for network-to-network security:
  – In-band: complete piggybacking of SIP:REGISTER and its response over the AAA infrastructure
  – Out-of-band: complete piggybacking of SIP:REGISTER; SAs established when SIP:REGISTER is sent externally
  – Transparent: AAA used only for establishing SAs

Network-to-Network: In-band
– Diagram: UE – Proxy – AAAL – LS (visited); AAAH – SIP server (home); keys K_s1, K_s2
– PRINCIPLE: SIP:REGISTER is sent piggybacked through the AAA infrastructure, which does authentication/accounting and policy selection. Trusts are established. SIP:INVITE is sent externally.
– Policies enabled
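A toy model of the in-band mode just described (added example, not code from the slides or from Ericsson): the REGISTER is carried to the home AAA server, end-user authentication stays EU-to-home, and the AAA reply hands the visited proxy and the home SIP server a shared n2n key under which the externally sent INVITE is authenticated. The key name K_n2n, the message layout, the policy value and the sample user are constructed for illustration.

```python
"""In-band mode: SIP:REGISTER piggybacked over AAA, AAAH authenticates the
end user, the AAA reply provisions the shared n2n secret, and the visited
proxy then sends SIP:INVITE externally protected with that secret.
Added example; K_n2n, message layout and sample data are constructed."""
import hashlib, hmac, json, os

# Constructed sample data. The long-term key is shared only by the UE and
# AAAH (EU-to-home authentication); the visited network never sees it.
USER_ID = "alice@home.example"
LONG_TERM_KEY = b"constructed-long-term-key"

def ue_register(nonce: bytes) -> dict:
    """UE builds SIP:REGISTER with a response to the home-issued nonce."""
    resp = hmac.new(LONG_TERM_KEY, b"REGISTER|" + nonce, hashlib.sha256).hexdigest()
    return {"method": "REGISTER", "user": USER_ID, "nonce": nonce.hex(), "response": resp}

def aaah_authenticate(piggybacked: dict, nonce: bytes) -> dict:
    """AAAH verifies the piggybacked REGISTER; on success it selects policy
    and generates a fresh n2n key. On failure no key is released."""
    good = hmac.new(LONG_TERM_KEY, b"REGISTER|" + nonce, hashlib.sha256).hexdigest()
    if piggybacked["nonce"] != nonce.hex() or not hmac.compare_digest(good, piggybacked["response"]):
        return {"result": "REJECT"}
    # Policy value is constructed; the slides only mention local routing of E-911.
    return {"result": "ACCEPT", "policy": {"route_locally": ["E-911"]}, "K_n2n": os.urandom(32)}

def _mac(k_n2n: bytes, msg: dict) -> str:
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(k_n2n, body, hashlib.sha256).hexdigest()

def proxy_send_invite(invite: dict, k_n2n: bytes) -> dict:
    """Visited proxy sends SIP:INVITE externally, authenticated under K_n2n."""
    return {**invite, "mac": _mac(k_n2n, invite)}

def home_sip_server_accepts(msg: dict, k_n2n: bytes) -> bool:
    """Home SIP server accepts the INVITE only if the n2n MAC verifies."""
    return hmac.compare_digest(msg.get("mac", ""), _mac(k_n2n, msg))

def in_band_flow(bad_credential: bool = False) -> str:
    """Run the whole exchange; returns the outcome seen at the home SIP server."""
    nonce = os.urandom(16)                        # challenge issued via AAAL
    reg = ue_register(nonce)
    if bad_credential:
        reg["response"] = "00" * 32               # UE holding the wrong long-term key
    reply = aaah_authenticate(reg, nonce)         # AAAL -> AAAH -> AAAL leg
    if reply["result"] != "ACCEPT":
        return "REGISTER rejected: no n2n SA, INVITE never forwarded"
    k_n2n = reply["K_n2n"]                        # handed to proxy and home SIP server
    invite = proxy_send_invite({"method": "INVITE", "from": USER_ID, "to": "bob@home.example"}, k_n2n)
    return "INVITE accepted" if home_sip_server_accepts(invite, k_n2n) else "INVITE rejected"
```

The rejection path shows the property the slides rely on: when home authentication fails, the visited proxy receives no key, so no n2n SA exists and the INVITE cannot be authenticated towards the home SIP server.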

Network-to-Network: Out-of-band
– Diagram: UE – Proxy – AAAL – LS (visited); AAAH – SIP server (home); keys K_s1, K_s2
– PRINCIPLE: SIP:REGISTER is sent piggybacked through the AAA infrastructure, where only authentication is done and the policy is downloaded to the SIP server. SIP:REGISTER is then sent externally and used for key distribution management, resulting in the build-up of trusts. SIP:INVITE is sent externally.
– Policies enabled

Network-to-Network: Transparent
– Diagram: UE – Proxy – AAAL – LS (visited); AAAH – SIP server (home); keys K_s1, K_s2
– PRINCIPLE: the AAA infrastructure is used for key generation and policy downloading to the SIP server. SIP:REGISTER is sent externally and used for key distribution management, resulting in the build-up of trusts. SIP:INVITE is sent externally.
– Policies enabled

Thank you