Accounting, Auditing and Session IDs
Nevil Brownlee
The University of Auckland / CAIDA
Adelaide, March 2000

Adelaide IETF, March 2000, Nevil Brownlee, U of A / CAIDA

Accounting and Auditing
- Auditing means “making and distributing records of network activity so that events, usage, etc. can be summarised for the users responsible for them”
- Accounting means “generating audit records”
- An Accounting ID is a globally unique identifier used by an Audit server to correlate audit records by session and sub-session
- Audit servers could allow controlled access to different parts of the audit database, e.g. users could see their usage records

Accounting IDs
- Several good ways to construct globally unique identifiers are already known, e.g. SMTP, DIAMETER, UUID URI, etc.
- A simple scheme for AAA could be nnn.ttt@server.foo.com, where
  server.foo.com = server’s domain name
  ttt = time of day (UTC seconds)
  nnn = sequence number (set to a random value on server boot-up)

Using Accounting IDs
- Could have AAA server generate Accounting ID on authentication, and have all servers use it. This creates a bottleneck
- Better to have each server generate and use its own sub-session ID
- Each server will send audit records to one or more Audit Servers using their IDs
- The servers will also need to send the Audit servers information about the IDs, allowing them to keep track of the sub-session tree

User starts session
[Diagram: User Agent, S_0, A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_0 generates Accounting ID K_0, sends K_0 with Authentication Request via A_R to A_H
- A_H returns Authentication Response to S_0, with list of Audit Servers (A_H, A_S)

S_0 Initiates Auditing
[Diagram: User Agent, S_0, A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_0 sends Start Session request to its designated Audit Servers (A_H, A_S)
- Start Session record includes the session Accounting ID, K_0

S_0 Session Progresses
[Diagram: User Agent, S_0, A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_0 sends Audit Record(s) to its designated Audit Servers (A_H, A_S)
- Every audit record includes the session Accounting ID, K_0

S_0 starts Sub-session S_1
[Diagram: User Agent, S_0, S_1 (Sub-session Server 1), A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- Sub-session examples: Bandwidth Broker, VoIP Gateway
- S_0 sends S_1 a Start Sub-session request, which includes K_0 and (A_H, A_S)

S_1 Initiates Auditing
[Diagram: User Agent, S_0, S_1 (Sub-session Server 1), A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_1 generates sub-session Accounting ID K_1, sends Start Sub-session request to (A_H, A_S), which includes K_0, K_1 and (A_H, A_S)

S_1 Sub-session Progresses
[Diagram: User Agent, S_0, S_1 (Sub-session Server 1), A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_1 sends Audit Record(s) with Accounting ID K_1 to (A_H, A_S)

S_1 starts Sub-session S_2
[Diagram: User Agent, S_0, S_1 (Sub-session Server 1), S_2 (Sub-session Server 2), A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_1 sends S_2 a Start Sub-session request, which includes K_1 and (A_H, A_S)

S_2 Initiates Auditing
[Diagram: User Agent, S_0, S_1 (Sub-session Server 1), S_2 (Sub-session Server 2), A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_2 generates sub-session Accounting ID K_2, sends Start Sub-session request to (A_H, A_S), which includes K_1, K_2 and (A_H, A_S)

S_2 Sub-session Progresses
[Diagram: User Agent, S_0, S_1 (Sub-session Server 1), S_2 (Sub-session Server 2), A_R (Remote AAA Server), A_H (Home AAA Server), A_S (Secondary Audit (AAA) Server)]
- S_1 sends Audit Record(s) with Accounting ID K_1 to (A_H, A_S)

Summary
- There are several good ways to make a globally unique Accounting ID
- Accounting IDs can be generated by each server contributing to a session
- Each server must send Accounting IDs for itself and its parent to the Audit Server(s) as part of initiating sub-session audit activities
- Audit servers collect pairs of parent-child Accounting IDs and use them to reconstruct the session tree
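
The nnn.ttt@server ID scheme and the parent-child bookkeeping summarised above, as an added example that is not part of the original slides. The class names, the 32-bit sequence width, the example.net host names and the fixed timestamp are assumptions made for illustration; the audit server also reports sub-session start records that arrive before their parent's.

```python
import secrets
import time

class AccountingIdSource:
    """Per-server generator for IDs of the form nnn.ttt@server (hypothetical class)."""
    def __init__(self, server_name, clock=time.time):
        self.server_name = server_name
        self.clock = clock
        # nnn: sequence number set to a random value on boot-up (32-bit width assumed).
        self.seq = secrets.randbelow(2**32)

    def next_id(self):
        self.seq = (self.seq + 1) % 2**32
        return f"{self.seq}.{int(self.clock())}@{self.server_name}"

class AuditServer:
    """Collects (parent, child) Accounting ID pairs and rebuilds the session tree."""
    def __init__(self):
        self.parent_of = {}   # Accounting ID -> parent ID (None for a session root)
        self.children = {}    # parent ID -> list of child IDs

    def start(self, acct_id, parent_id=None):
        """Record a Start Session (no parent) or Start Sub-session request."""
        if acct_id in self.parent_of:
            raise ValueError(f"duplicate Accounting ID: {acct_id}")
        self.parent_of[acct_id] = parent_id
        if parent_id is not None:
            self.children.setdefault(parent_id, []).append(acct_id)

    def tree(self, root_id):
        """Nested dict of all sub-sessions below root_id."""
        return {c: self.tree(c) for c in self.children.get(root_id, [])}

    def orphans(self):
        """Sub-sessions whose parent has not (yet) sent its own start record."""
        return sorted(c for c, p in self.parent_of.items()
                      if p is not None and p not in self.parent_of)

def demo():
    fixed = lambda: 953000000   # constructed UTC timestamp, so output is repeatable
    k0 = AccountingIdSource("s0.example.net", fixed).next_id()
    k1 = AccountingIdSource("s1.example.net", fixed).next_id()
    k2 = AccountingIdSource("s2.example.net", fixed).next_id()
    audit = AuditServer()
    audit.start(k2, parent_id=k1)   # S_2's request reaches the audit server first
    audit.start(k0)                 # S_0: Start Session
    pending = audit.orphans()       # K_2 cannot be placed until S_1 reports
    audit.start(k1, parent_id=k0)   # S_1: Start Sub-session
    return k0, k1, k2, pending, audit.tree(k0), audit.orphans()
```
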