1 Extended QoS Authorization for the QoS NSLP
Hannes Tschofenig, Joachim Kross

2 Overview
Current status of the QoS NSLP:
- Two-party approach (reuses properties of GIMPS)
- Token-based three-party approach (based on the token concept defined for SIP/RSVP)
- Generic three-party approach discussed, but no solution provided
The draft addresses two approaches for the generic three-party model:
- Challenge/Response-based scheme
- Extensible Authentication Protocol (EAP) approach

3 Two-Party Approach
Properties:
- Strong trust relationship between the "Entity authorizing resource request" and the "Entity performing QoS reservation"
- Typically: data-origin authentication is sufficient
- Financial establishment pre-established based on a previous protocol execution
Examples:
- Network access authentication reused for QoS authorization
Figure: the Entity requesting resource (End Node) sends a QoS Request to the Entity authorizing resource request (a node within the attached network), which answers granted/rejected.

4 Three-Party Approach: Token-based Mechanism
Financial establishment created between the "Entity authorizing resource request" and the "Entity performing QoS reservation"
Examples:
- Session Authorization Policy Element [RFC3520]
- Framework for Session Set-up with Media Authorization [RFC3521]
Figure: the Entity requesting resource first obtains a token from the Entity authorizing resource request (TTP) via Authz Token Request / Authz Token, then sends QoS Request + Token to the Entity performing QoS reservations, which answers granted/rejected.

5 Three-Party Approach: Entity Authentication
Financial establishment created between the "Entity authorizing resource request" and the "Entity performing QoS reservation"
Properties:
- AAA-type authorization, splitting functional components
- Dynamic re-authorization based on new incoming requests
- Typically: entity authentication between the "Entity requesting resource" and the "Entity authorizing resource request"
Figure: the Entity requesting resource sends a QoS Request to the Entity performing QoS reservations, which sends a QoS Authz Request to the Entity authorizing resource request, receives a QoS Authz Response, and answers granted/rejected.

6 Generic Three-Party Approach: Comparison with the Token-based Approach
Features:
- The end host must actively participate in the protocol exchange
- True authentication between the end host (user) and the AAA server
- Session key establishment is provided
- Provides better security properties
The difference between the EAP and the C/R-based approach is mainly flexibility:
- With a C/R-based scheme a specific family of authentication and key exchange protocols is chosen
- If this does not fit into an architecture, then there is a problem
- With EAP this type of flexibility is provided, since EAP acts as a container for many EAP methods
- EAP is heavily used in other areas (e.g., network access)

7 Challenge/Response-based Authentication
- Challenge/Response-based authentication protocol extensions to the QoS NSLP
- Could be reused by some architectures (3GPP, 3GPP2) with their C/R-based authentication and key exchange protocol variant
Figure: message flow between the Entity requesting resource, the Entity performing QoS reservations and the Entity authorizing resource request:
- QoS Request (Identity) from the requesting entity; AAA-QoS (Identity) forwarded to the authorizing entity
- AAA-QoS (challenge) back to the reserving entity; Unauthorized (challenge) to the requesting entity
- QoS Request + Response from the requesting entity; AAA-QoS (response) forwarded to the authorizing entity
- AAA-QoS (success/failure) back to the reserving entity; Success/Failure to the requesting entity

8 EAP-based Approach
- Advantage: more flexible due to the concept of EAP methods
- Disadvantage: overhead introduced by EAP
Figure: message flow between the Entity requesting resource, the Entity performing QoS reservations and the Entity authorizing resource request:
- QoS Request (EAP-Request/Identity); AAA-QoS (EAP-Request/Identity)
- AAA-QoS (EAP-Request/AKA-Challenge); Unauthorized (EAP-Request/AKA-Challenge)
- QoS Request (EAP-Response/AKA-Response); AAA-QoS (EAP-Response/AKA-Response)
- AAA-QoS (EAP-Success/Failure); NSIS (EAP-Success/Failure)
Legend:
- AKA-Challenge: (AT_RAND, AT_AUTN, AT_MAC)
- AKA-Response: (AT_RES, AT_MAC)

9 Technical Issues (C/R and EAP)
- Channel binding might be necessary to prevent man-in-the-middle attacks, binding NSLP and NTLP security mechanisms together
- Session keys need to be established and used in subsequent messages in order to bind signaling messages to the authentication/authorization step
- Interworking with NTLP security needs to be studied:
  - Unilateral authentication at the NTLP layer
  - Client authentication at the upper layer
- The 'Lying NAS' problem needs to be addressed
- A lot of security-specific issues need to be addressed
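The three-party challenge/response flow of slide 7, together with the session-key binding and lying-NAS concerns of slide 9, as an added illustration that is not the draft's message format: HMAC-SHA256 over a pre-shared key stands in for the unspecified C/R method, and the reserving node's identifier (nas_id, an assumed field) is mixed into both the response and the session key as a simple channel binding.

```python
import hmac
import hashlib
import os

# Constructed model of slides 7 and 9; not the draft's encoding. HMAC-SHA256
# with a pre-shared key replaces the unspecified C/R method (assumption).
def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class AAAServer:
    """Entity authorizing resource request: holds the long-term secrets."""
    def __init__(self, secrets: dict, rng=os.urandom):
        self.secrets, self.rng, self.pending = secrets, rng, {}
    def on_identity(self, identity: str, nas_id: bytes) -> bytes:
        challenge = self.rng(16)                      # AAA-QoS (challenge)
        self.pending[identity] = (challenge, nas_id)  # remember which NAS relayed it
        return challenge
    def on_response(self, identity: str, resp: bytes):
        challenge, nas_id = self.pending.pop(identity)
        secret = self.secrets[identity]
        if not hmac.compare_digest(resp, _prf(secret, b"resp", challenge, nas_id)):
            return None                               # AAA-QoS (failure)
        return _prf(secret, b"sk", challenge, nas_id) # AAA-QoS (success) + session key

class EndHost:
    """Entity requesting resource: shares a secret with the AAA server."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret
    def answer(self, challenge: bytes, nas_id: bytes) -> bytes:
        # The NAS identity the host believes it talks to is bound into the
        # response, so a NAS lying about its identity fails verification.
        return _prf(self.secret, b"resp", challenge, nas_id)
    def session_key(self, challenge: bytes, nas_id: bytes) -> bytes:
        return _prf(self.secret, b"sk", challenge, nas_id)

def run_exchange(host, aaa, real_nas_id: bytes, nas_id_seen_by_host: bytes):
    """The reserving node relays; returns the session key it obtains, or None."""
    challenge = aaa.on_identity(host.identity, real_nas_id)  # QoS Request (Identity)
    resp = host.answer(challenge, nas_id_seen_by_host)       # Unauthorized (challenge)
    return aaa.on_response(host.identity, resp)              # QoS Request + Response

def protect(key: bytes, msg: bytes) -> bytes:
    # Later signaling messages carry a tag under the session key, binding
    # them to the authentication/authorization step (slide 9).
    return _prf(key, b"msg", msg)

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, protect(key, msg))
```

A mismatch between the NAS identity the host used and the one the AAA server recorded makes the exchange fail, which is the check a lying NAS is meant to trip over.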

10 Next Steps
For the QoS NSLP to make progress it is necessary to decide which approach to use:
- Challenge/Response-based approach
- EAP-based approach

11 Questions?

12 Backup

13 Trust Model: New Jersey Turnpike Model
- A peering relationship is used to provide charging between neighboring networks, similar to the edge pricing proposed by Shenker et al.
- David Clark: "We know how to route packets, what we don't know how to do is route dollars."
Figure: Node A (data sender) and Node B (data receiver) communicating across Networks A, B and C.

14 Authentication, Authorization and Accounting Infrastructure
- Authorization might not always happen at an NSIS element itself (see roaming scenarios)
- Information which is exchanged with the end host (e.g., the NI) needs to be forwarded to a backend server (e.g., a PDP or AAA server)
- NSIS and AAA protocols need to be aligned
- See also related activities in the AAA working group
Figure: the NSIS Initiator (AAA Client) speaks NSIS to a Network Entity (AAA Server), which in turn uses COPS / Diameter towards a back-end AAA Server; authentication and authorization credentials travel along this path.
