NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.


NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli Sven Van den Bosch

Draft Scope

This draft is:
- A first attempt to describe AAA issues relevant for NSIS.
- It points to the importance of authorization/charging for QoS signaling.

The draft is not:
- A summary of mathematical pricing models
- A new protocol proposal
- A motivation for a certain architecture

Introduction

At the last IETF Steve Bellovin talked about security issues in NSIS. He pointed to the importance of authorization for an NSIS protocol.

An interesting aspect of authorization for QoS signaling is:
Authorization = ability to charge someone [1]

[1] There are other authorization issues (e.g. session ownership).

Introduction (cont.)

Authorization has an implication on the security architecture. We looked at two possible models:
- New Jersey Turnpike Model
- New Jersey Parkway Model

New Jersey Turnpike Model

[Figure: Data Sender (Node A) - Network A - Network B - Network C - Data Receiver (Node B)]

Peering relationships are used to provide charging between neighboring networks. Similar to edge pricing proposed by Shenker et al.

NJ Turnpike Model Issues

- Establishment of the financial settlement between the end host (preferably the data sender) and its access network is based on the network access procedure (not per session).
- Simple if the data sender is charged for the reservation.
- More difficult: receiver-initiated signaling and charging for the data receiver. Unfortunately it is not possible to fully avoid reverse charging (e.g. #800 numbers).

New Jersey Parkway Model

[Figure: Data Sender (Node A) - Network A - Network B - Network C - Data Receiver (Node B); the end host has a direct AAA relationship to the intermediate networks]

- Financial settlement has to be provided on a per-session basis.
- More complex: financial settlement to intermediate networks is required (authentication alone is insufficient).

NJ Parkway Model Issues

- A trusted third party such as a clearing house might be required, since intermediate networks have no direct relationship to the end host.
- Financial settlement has to be provided on a per-session basis -> scalability and deployment problem.
- More flexible signaling protocol functionality is required: a route change might require interaction with the end host. The signaling protocol might have to support the possibility for intermediate networks to interact with the end host.
- Aggregation in the core network might be difficult to use if per-session information is required for charging.

Who is charged for what?

Basic question: charging for the data sender or the data receiver. Sender- vs. receiver-oriented signaling adds some issues but is not the source of the problem.

What is the problem? Per-session establishment of the financial settlement.
Example: sender-initiated reservation with charging for the data receiver (see next slide).

Sender-initiated reservation with charging for data receiver

[Figure: Data Sender (Node A) - Network A - Network B - Network C - Data Receiver (Node B); Node A sends RESV carrying "Authorization Information"]

Node A indicates that some other entity is paying for the reservation. Why should Network A authorize the reservation request?
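A toy model of the two settlement models, added here as an illustration and not taken from the draft or its authors. The path Sender -> A -> B -> C -> Receiver, the auth_token flag (an authorization object vouched for by the payer's side) and Network B's clearing-house relationship to the sender are constructed assumptions; it shows why Network A cannot authorize a sender-initiated RESV that names the receiver as payer, and why the Parkway model needs every network to settle with the payer.

```python
from dataclasses import dataclass, field

@dataclass
class Network:
    name: str
    peers: set = field(default_factory=set)        # neighbours with a settlement agreement
    aaa_clients: set = field(default_factory=set)  # hosts settled directly or via a clearing house

@dataclass
class Resv:
    initiator: str            # "sender" or "receiver": who issued the RESV
    payer: str                # "sender" or "receiver": who is charged
    auth_token: bool = False  # constructed: authorization object vouched for by the payer's side

def authorize_turnpike(path, resv):
    """Turnpike model: settlement hops between neighbours, starting at the
    payer's access network, which knows the payer from network access.
    Returns the networks that can authorize, in settlement order."""
    order = list(path) if resv.payer == "sender" else list(reversed(path))
    if resv.initiator != resv.payer and not resv.auth_token:
        # The RESV comes from a host that is not paying and nobody on the
        # payer's side has vouched: Network A has no reason to authorize.
        return []
    authorized, prev = [], None
    for net in order:
        ok = resv.payer in net.aaa_clients if prev is None else prev.name in net.peers
        if not ok:
            break
        authorized.append(net.name)
        prev = net
    return authorized

def authorize_parkway(path, resv):
    """Parkway model: every network on the path needs its own per-session
    settlement with the payer; peering with a neighbour proves nothing."""
    order = list(path) if resv.initiator == "sender" else list(reversed(path))
    authorized = []
    for net in order:
        if resv.payer not in net.aaa_clients:
            break   # no AAA relationship to the payer, reservation stops here
        authorized.append(net.name)
    return authorized

# Constructed topology from the slides: Sender -> A -> B -> C -> Receiver
PATH = [Network("A", {"B"}, {"sender"}),
        Network("B", {"A", "C"}, {"sender"}),   # assumed: reaches the sender via a clearing house
        Network("C", {"B"}, {"receiver"})]
```

Without the token, the receiver-pays case returns an empty list in the Turnpike model: no network can take responsibility for the charge.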

Price Distribution

Price for a QoS reservation:
- Price cannot be derived from the destination IP address alone (unlike telephone numbers)
- Price distribution is required (can be in-band, out-of-band or a combination of both)
- Price depends on the route (number of traversed networks)
- Price is directional (due to cost and route asymmetry)

An end user wants to know the price before issuing a reservation request. Not enough problems already?

Price Distribution Building Blocks

- A resource negotiation and pricing protocol (RNAP)
- An embedded charging approach for RSVP
- Border Pricing Protocol (BPP)
- Billing Information Protocol (BIP)
- Tariff Distribution Protocol (TDP)
- Internet Open Trading Protocol (IOTP)
- Open Settlement Protocol (OSP)

Not surprising: many of these protocols require the same properties as a QoS signaling protocol.

Conclusion

- Peer-to-peer security is fine for a simple charging model (NJ Turnpike).
- Authorization issues need additional security protection.
- Charging is not only an end-to-end (application) issue; the network needs some information.
- Some authorization/charging objects have to be included in an NSIS protocol.
- An NSIS protocol needs to be flexible (e.g. support for several round trips).