NSIS QoS NSLP Authorization Issues, Hannes Tschofenig
Current Status

Trust Model: New Jersey Turnpike Model

[Figure: Data Sender and Data Receiver at the ends of a path through Network A (Node A), Network B and Network C (Node B)]

A peering relationship is used to provide charging between neighboring networks, similar to the edge pricing proposed by Shenker et al.

David Clark: "We know how to route packets, what we don't know how to do is route dollars."

Two-Party Approach

[Figure: the End Node (entity requesting resource) sends a QoS Request to a node within the attached network (entity authorizing resource request), which answers granted/rejected]

Properties:
– Strong trust relationship between "Entity authorizing resource request" and "Entity performing QoS reservation"
– Typically: data-origin authentication sufficient
– Financial establishment pre-established based on previous protocol execution

Examples:
– PacketCable authorization within the network where the user is attached

Three-Party Approach: Entity Authentication

Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation"

Properties / Usage Environment:
– AAA-type authorization - splitting functional components
– Dynamic re-authorization based on new incoming requests
– Typically: entity authentication between "Entity requesting resource" and "Entity authorizing resource requests"

[Figure: the Entity requesting resource sends a QoS Request to the Entity performing QoS reservations; that entity sends a QoS Authz Request to the Entity authorizing resource request, receives a QoS Authz Response, and answers the requester granted/rejected]

Three-Party Approach: Token-based Mechanism

Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation"

Properties / Usage Environment:
– Common authorization tokens (e.g., OSP tokens; RSVP Session and Media Authorization)
– Token either allows two protocols to be linked or represents a monetary value
– Provides some sort of anonymity
– Digital money (or e-payment) could also be used

[Figure: the Entity requesting resource first sends an Authz Token Request to the Entity authorizing resource request (TTP) and receives an Authz Token; it then sends QoS Request + Token to the Entity performing QoS reservations, which answers granted/rejected]

Open Issues

Authentication, Authorization and Accounting Infrastructure
– Authorization might not always happen at an NSIS element itself (see roaming scenarios)
– Information exchanged with the end host (e.g., the NI) needs to be forwarded to a backend server (e.g., a PDP or AAA server)
– NSIS and AAA protocols need to be aligned
– Work ongoing with Frank Alfano, Pete McCann

State-of-the-Art: TLS-based Mutual Authentication

   MN                                                   R1
    |  Discovery Request/Response (NTLP)                 |
    |<-------------------------------------------------->|
    |  Transport Layer Connection Setup                  |  Initial
    |<-------------------------------------------------->|  Setup
    |  Transport Layer Security Handshake Layer          |
    |  (Mutual authentication)                           |
    |<-------------------------------------------------->|
    +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+
    |  TLS Record Layer Established                      |
    +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+
    |  NTLP/NSLP QoS CREATE msg                          |
    |--------------------------------------------------->|
    |  NTLP/NSLP QoS ACK msg                             |
    |<---------------------------------------------------|

Open Issue: C/R-based Authentication
– How long is the authorization decision valid?
– More flexible approach (support of different authentication protocols): EAP-based authentication + authorization

[Figure: challenge/response flow; REQ = Entity requesting resource, RES = Entity performing QoS reservations, AUTHZ = Entity authorizing resource request]

   REQ                        RES                          AUTHZ
    |  QoS Request (Identity)  |                             |
    |------------------------->|  AAA-QoS (identity)         |
    |                          |---------------------------->|
    |                          |  AAA-QoS (challenge)        |
    |  Unauthorized (challenge)|<----------------------------|
    |<-------------------------|                             |
    |  QoS Request+Response    |                             |
    |------------------------->|  AAA-QoS (response)         |
    |                          |---------------------------->|
    |                          |  AAA-QoS (success/failure)  |
    |  Success/Failure         |<----------------------------|
    |<-------------------------|                             |
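As an added illustration (not code from the slides or from any NSIS implementation), the following Python model shows the token-based three-party approach from the earlier slide and gives the token an explicit lifetime, which is one way to pin down how long the authorization decision on this slide stays valid. The token layout, the claim names and the key shared between the TTP and the reserving entity are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed key shared between the authorizing entity (TTP) and the entity
# performing the QoS reservation; the requesting entity never holds it.
TTP_RESERVER_KEY = b"constructed-demo-key-not-for-real-use"


def issue_token(session_id, bandwidth_kbps, lifetime_s, now, key=TTP_RESERVER_KEY):
    """TTP side (Authz Token Request -> Authz Token): bind the authorization to
    the QoS session and give it an explicit expiry in integer seconds."""
    claims = {"sid": session_id, "bw": bandwidth_kbps, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag  # hex tag has no ".", so the split is unambiguous


def verify_token(token, session_id, bandwidth_kbps, now, key=TTP_RESERVER_KEY):
    """Reserving entity side: check the token carried in 'QoS Request + Token'.
    Returns (granted, reason); the MAC is verified before any claim is trusted."""
    body, sep, tag = token.rpartition(b".")
    if not sep:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-mac"  # forged or altered by the requester
    claims = json.loads(body)
    if claims["sid"] != session_id:
        return False, "session-mismatch"  # token reused for another session
    if bandwidth_kbps > claims["bw"]:
        return False, "exceeds-authorized"  # asks for more than the TTP granted
    if now >= claims["exp"]:
        return False, "expired"  # authorization decision no longer valid
    return True, "granted"


def demo(now=1_700_000_000):
    """Issue one token and run it through the checks a reserving entity makes."""
    tok = issue_token("sess-42", 512, 300, now)
    altered = tok.replace(b'"bw":512', b'"bw":9999')  # requester tampering
    return [
        verify_token(tok, "sess-42", 512, now + 10),       # (True, "granted")
        verify_token(tok, "sess-42", 1024, now + 10),      # exceeds-authorized
        verify_token(tok, "sess-99", 512, now + 10),       # session-mismatch
        verify_token(tok, "sess-42", 512, now + 300),      # expired
        verify_token(altered, "sess-42", 9999, now + 10),  # bad-mac
    ]
```

The requester can carry the token between the two protocols but cannot widen it or extend its lifetime, because only the TTP and the reserving entity hold the key.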

EAP-based Approach (1/2)

   MN                                                       R1
    |  Discovery Request/Response (NTLP)                     |
    |<------------------------------------------------------>|
    |  Datagram Mode: NTLP/NSLP QoS CREATE Req.              |  Initial
    |  (EAP-Auth/Authz requested; EAP-Request/Identity)      |  Setup
    |------------------------------------------------------->|
    |  Datagram Mode: NTLP/NSLP QoS CREATE Resp.             |
    |  (EAP-Request/AKA-Challenge (AT_RAND, AT_AUTN, AT_MAC))|
    |  (Algorithm/Parameter Negotiation)                     |
    |<-------------------------------------------------------|
    |  Datagram Mode: NTLP/NSLP QoS CREATE Req.              |
    |  (EAP-Response/AKA-Challenge (AT_RES, AT_MAC))         |
    |  (Algorithm/Parameter Negotiation)                     |
    |------------------------------------------------------->|

EAP-based Approach (2/2)

   MN                                                       R1
    +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+
    |  Authentication/Authorization finished                 |
    |  Secure channel at the NSLP layer established          |
    +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+
    |  NTLP/NSLP QoS CREATE Resp. (EAP-Success)              |
    |<-------------------------------------------------------|
    |  NTLP/NSLP QoS CREATE Req. (Secure Confirmation)       |
    |------------------------------------------------------->|
    |  NTLP/NSLP QoS REFRESH msg                             |  Refresh
    |------------------------------------------------------->|  Msg
    |  NTLP/NSLP QoS ACK msg                                 |
    |<-------------------------------------------------------|