
Mobile IPv6 Authentication Scheme Using AAA. Kim Mi Young, Soongsil University



Presentation on theme: "Mobile IPv6 Authentication Scheme Using AAA. Kim Mi Young, Soongsil University" — Presentation transcript:

1 Mobile IPv6 Authentication Scheme Using AAA
Kim Mi Young, Soongsil University, mizero31@sunny.soongsil.ac.kr

2 Contents
- Introduction
- Model
- Diameter Service Architecture
- Assumptions
- Basic Features
- MIPv6 Application Diameter Messages
- Information Exchange (MN, AAA Client)
- Basic Protocol Overview
- Diameter Protocol Architecture in Mobile IPv6
- Enhanced Protocol Operation
- Security Consideration
- AAA Architecture for Mobile IPv6

3 Introduction
- Inter-domain mobility support in pure MIPv6?
  - Scalability problem
  - Commercial deployment problem
- What about using AAA (Diameter)?
  - Authentication / Authorization / Accounting
  - Operates across domains
  - Global-scale service
  - Secure communication between AAA servers
- What about using a Diameter extension in MIPv6?
  - Global roaming over a secure infrastructure
  - Needs new messages and new behavior
- Diameter application
  - Distribution of security keys
  - Provides MIPv6 with an inter-domain mobility procedure
  - General and optimized AAA service for MIPv6

4 Diameter Service Architecture

5 Diameter vs. RADIUS
| | Diameter | RADIUS |
| Service target | Users across multiple domains | End-user service within a small domain |
| Paradigm | Broker-based peer-to-peer | Client / server |
| Connection type | Connection-oriented | Connectionless |
| Security | End-to-end security; TLS (optional at the client), SCTP, IPsec (mandatory); the whole packet is encrypted | Security between server and end-user; CHAP / PAP; only the user password is encrypted |
| Attribute space | 32-bit AVP codes (up to 2^32 pairs) | 8-bit attribute codes (up to 2^8 pairs) |
| Transport protocol | TCP | UDP |
| Message delivery | Request / response, plus unsolicited messages | Request / response only |
| Fail-over | Built-in fail-over (DWR / DWA) | - |
| Fixed-network environment | Roaming users | Fixed / roaming users |
| Other | Capability negotiation (version, applications, ...); high extensibility | Low extensibility |
| Recommended for | Mobile network environments, Mobile IP users, users requiring strong security | |
Comparison of Diameter and RADIUS

6 Model: Mobility Entities
- MN (Mobile Node)
- HA (Home Agent)
- AAA Client (Attendant)
  - AAA relay entity
  - Forwards the user identity
  - Forwards authentication information
  - An Access Router or AA Agent
- AAAv Server: AAA server in the visited domain
- AAAh Server: AAA server in the home domain

7 Assumptions
- Identity for the MN
  - NAI (Network Access Identifier): RFC 2794
  - Home Address of the MN
  - If the MN has both: AAA uses the NAI
  - If the MN has only one: AAA uses that one
- Shared long-term key (MN and AAAh)
  - Network and user authentication
- Secure communication (between AAAv and AAAh)
  - SA between AAA (Diameter) servers
  - Information is exchanged over a secure channel

8 Basic Features (1): Authentication / Authorization
- Authentication and Authorization (AA)
  - Mutual AA
  - Visited network: network resource planning and protection
  - IPv6 node: protection against impersonation (false BTS attack)

9 Basic Features (2): Dynamic Home Agent Assignment in the Home Domain
- Network renumbering / non-fixed assignment
  - Provides dynamic Home Agent assignment
- Dynamic HA address discovery mechanism
  - In MIPv6: many round-trips / much signaling / long delay
  - Over the AAA infrastructure: one round-trip

10 Basic Features (3): Key Distribution
- Dynamic security associations
  - MN and visited network: confidentiality and integrity of data over the access link
  - MN and Home Agent: BU / BA (must be protected)
  - Key distribution algorithm (e.g. IKE)

11 Basic Features (4): Optimization of Binding Updates
- Role of the AAA server in this I-D
  - Authentication / Authorization
  - Key distribution
  - Dynamic Home Agent allocation
- Optimization of BU
  - Pre-assumption: the MN knows its HA
  - MN behavior: embeds the BU in the AAA request message
  - AAA behavior: processes the BU (relays it to the HA)
- Steps for Binding Update
  - Obtain authentication through the AAA infrastructure
  - Dynamic Home Agent Address Discovery (DHAAD)
  - Establish an SA between MN and HA (e.g. Internet Key Exchange, IKE)
  - Binding Update request (BU) / Binding Acknowledgement (BA)

12 MIPv6 Application Diameter Messages (1): Command Codes
- ARR: AA-Registration-Request (Attendant -> AAAL -> AAAH)
- ARA: AA-Registration-Answer (AAAH -> AAAL -> Attendant)
- HOR: Home-Agent-MIPv6-Request (AAAH -> HA)
- HOA: Home-Agent-MIPv6-Answer (HA -> AAAH)

13 MIPv6 Application Diameter Messages (2): AVPs (Attribute Value Pairs)
- MIP-Binding-Update: Type OctetString, payload: BU message
- MIP-Binding-Acknowledgement: Type OctetString, payload: BA message
- MIPv6-Mobile-Node-Address: Type IPAddress, payload: Home Address of the MN
- MIPv6-Home-Agent-Address: Type IPAddress, payload: Home Agent address of the MN
- MIPv6-Feature-Vector: Type Unsigned32, payload: flags
  - For dynamic HA assignment: flag value = 1 means "requesting dynamic HA assignment"
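The following is an added example, not code from the presentation or from the I-D it describes. It shows slides 11 to 13 in working form: the Attendant piggybacks the BU on an ARR, the AAAH relays the BU to the HA in an HOR, the HA returns the BA in an HOA, and the AAAH passes the BA (plus an assigned HA address when the MIPv6-Feature-Vector flag is 1) back in the ARA. The AVP and command codes, the Application-Id and the sample addresses are placeholders chosen for this example, since the slides give only names; the AVP and message header layout is the standard Diameter one (RFC 3588). The parser rejects length fields that do not fit the buffer, which is the check a receiving AAA server needs before it trusts an embedded BU.

```python
import ipaddress
import struct

# Placeholder identifiers for this example; the slides name the commands and
# AVPs but give no numeric codes, so none of these values come from the page.
APP_ID_MIPV6 = 0x7F000001          # hypothetical Application-Id
CMD_ARR = 8001                     # AA-Registration-Request/-Answer (R flag tells them apart)
CMD_HOR = 8002                     # Home-Agent-MIPv6-Request/-Answer
AVP_MIP_BINDING_UPDATE = 9001      # OctetString: BU message
AVP_MIP_BINDING_ACK = 9002         # OctetString: BA message
AVP_MIPV6_MN_ADDRESS = 9003        # Address: home address of the MN
AVP_MIPV6_HA_ADDRESS = 9004        # Address: home agent address of the MN
AVP_MIPV6_FEATURE_VECTOR = 9005    # Unsigned32 flags
FEATURE_DYNAMIC_HA = 1             # flag value 1 = requesting dynamic HA assignment (slide 13)

AVP_FLAG_V = 0x80      # vendor-specific AVP (not used by this application)
AVP_FLAG_M = 0x40      # mandatory AVP
CMD_FLAG_R = 0x80      # request (set) vs. answer (clear)
ADDR_TYPE_IPV6 = 2     # AddressType prefix inside a Diameter Address AVP

def encode_avp(code, data, flags=AVP_FLAG_M):
    """Diameter AVP: code(4) flags(1) length(3) data, padded to a 4-octet boundary.
    The length field counts header + data, not the padding."""
    length = 8 + len(data)
    return struct.pack(">IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * (-len(data) % 4)

def decode_avps(buf):
    """Parse consecutive AVPs into {code: data}, refusing lengths that do not fit the buffer."""
    avps, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from(">IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad AVP length %d" % length)
        if flags & AVP_FLAG_V:
            raise ValueError("vendor-specific AVP not expected in this application")
        avps[code] = bytes(buf[off + 8:off + length])
        off += length + (-length % 4)
    return avps

def encode_message(cmd_code, request, avps):
    """Diameter header: version(1) length(3) flags(1) command(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    flags = CMD_FLAG_R if request else 0
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd_code.to_bytes(3, "big") + struct.pack(">III", APP_ID_MIPV6, 1, 1) + body)

def decode_message(buf):
    """Return (command code, is_request, avps); reject anything that is not a well-formed v1 message."""
    if len(buf) < 20 or buf[0] != 1 or int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("not a well-formed Diameter message")
    return int.from_bytes(buf[5:8], "big"), bool(buf[4] & CMD_FLAG_R), decode_avps(buf[20:])

def address_avp(code, addr):
    """Address AVP payload: 2-octet AddressType (2 = IPv6) followed by the 16 address octets."""
    return encode_avp(code, struct.pack(">H", ADDR_TYPE_IPV6) + ipaddress.IPv6Address(addr).packed)

def attendant_build_arr(home_addr, bu_bytes, want_dynamic_ha):
    """Attendant -> AAAL -> AAAH: the BU is piggybacked on the registration request (slide 11)."""
    avps = [address_avp(AVP_MIPV6_MN_ADDRESS, home_addr),
            encode_avp(AVP_MIP_BINDING_UPDATE, bu_bytes)]
    if want_dynamic_ha:
        avps.append(encode_avp(AVP_MIPV6_FEATURE_VECTOR, struct.pack(">I", FEATURE_DYNAMIC_HA)))
    return encode_message(CMD_ARR, True, avps)

def ha_handle_hor(hor):
    """Home Agent: take the embedded BU out of the HOR and answer with a BA inside the HOA."""
    cmd, is_req, avps = decode_message(hor)
    if cmd != CMD_HOR or not is_req or AVP_MIP_BINDING_UPDATE not in avps:
        raise ValueError("expected an HOR carrying MIP-Binding-Update")
    ba = b"BA:" + avps[AVP_MIP_BINDING_UPDATE]   # constructed stand-in for a real BA message
    return encode_message(CMD_HOR, False, [encode_avp(AVP_MIP_BINDING_ACK, ba)])

def aaah_handle_arr(arr, assigned_ha="2001:db8:1::1"):
    """AAAH (after authenticating the MN, which this example assumes has already happened):
    relay the BU to the HA via HOR/HOA and, if the feature vector asks, assign an HA address."""
    cmd, is_req, avps = decode_message(arr)
    if cmd != CMD_ARR or not is_req:
        raise ValueError("expected an ARR")
    for code in (AVP_MIPV6_MN_ADDRESS, AVP_MIP_BINDING_UPDATE):
        if code not in avps:
            raise ValueError("ARR missing AVP %d" % code)
    fv = avps.get(AVP_MIPV6_FEATURE_VECTOR, b"\x00\x00\x00\x00")
    if len(fv) != 4:
        raise ValueError("MIPv6-Feature-Vector must be Unsigned32")
    hor = encode_message(CMD_HOR, True, [encode_avp(AVP_MIP_BINDING_UPDATE, avps[AVP_MIP_BINDING_UPDATE]),
                                         encode_avp(AVP_MIPV6_MN_ADDRESS, avps[AVP_MIPV6_MN_ADDRESS])])
    _, _, hoa_avps = decode_message(ha_handle_hor(hor))
    ara_avps = [encode_avp(AVP_MIP_BINDING_ACK, hoa_avps[AVP_MIP_BINDING_ACK])]
    if struct.unpack(">I", fv)[0] & FEATURE_DYNAMIC_HA:
        ara_avps.append(address_avp(AVP_MIPV6_HA_ADDRESS, assigned_ha))
    return encode_message(CMD_ARR, False, ara_avps)   # ARA: AAAH -> AAAL -> Attendant

if __name__ == "__main__":
    ara = aaah_handle_arr(attendant_build_arr("2001:db8::10", b"BU:seq1", True))
    print(decode_message(ara))
```

The AAAL hop is omitted because it only forwards the ARR and ARA unchanged. Note that nothing in this exchange authenticates the embedded BU itself; the example assumes the MN was authenticated before `aaah_handle_arr` is reached, which is exactly the point at which slide 19 asks for additional protection.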

14 Information Exchange (1) (MN, AAA Client)
- MIP feature data
  - Sent when requesting dynamic HA assignment
  - Feature data carried in ICMPv6 / a new Destination Option / etc.
- EAP data
  - MIPv6 node: various AA methods (including EAP)
- Embedded data
  - Send/receive the BU and BA inside the AAA request message (piggyback)
  - Reduces round-trips
  - BU optimization

15 Information Exchange (2) (MN, AAA Client)
- Authentication
  - The MN must be authenticated before it accesses the visited network
  - Mutual authentication (MN and visited network)
  - Default: mutual challenge exchange (in the Router Advertisement)
- Messages
  - ARR: Authentication Registration Request
  - ARA: Authentication Registration Answer
  - HOR: Home-Agent-MIPv6-Request
  - HOA: Home-Agent-MIPv6-Answer

16 Diameter Protocol Architecture in Mobile IPv6 (basic operation)

17 Enhanced Protocol Operation (1)
- If the MN does not know a pre-configured HA
  - Dynamic HA assignment
  - Dynamic Home Address assignment
- Contains all features of the 'Basic Operation'
  - Key distribution
  - Optimized (embedded) BU
- Authentication: same as in the basic operation
- Additional activities
  - Behavior of the entities
  - AVPs

18 Enhanced Protocol Operation (2): Home Agent Assignment in the Home Network

19 Security Consideration: Analysis
- Security
  - The embedded BU/BA introduces security weaknesses
  - Additional security functions are required in steps 1 (RA), 2 (ARR) and 9 (ARA)
- Performance
  - 9 message-exchange steps in total
  - Embedded BU/BA

20 AAA Architecture for Mobile IPv6 (1)
- Proposed by F. Dupont, "AAA for Mobile IPv6"
- Characteristics
  - Uses AAA (RADIUS / DIAMETER)
  - MN Attendant
  - 12 message-exchange steps
- AAA messages
  - AS: Attendant Solicitation
  - AA: Attendant Advertisement
  - AReq: Authentication Request
  - AMR: Authentication MN-Request
  - AMA: Authentication MN-Answer
  - AHR: Authentication HA-Request
  - AHA: Authentication HA-Answer
  - ARsp: Authentication Reply

21 AAA Architecture for Mobile IPv6 (2)

22 AAA Architecture for Mobile IPv6 (3): Analysis
- Security
  - Maintains the general Mobile IPv6 level of security
- Performance
  - 12 message-exchange steps in total -> not suitable for providing fast mobility

