1 / 8

George Gross, IdentAware ™ Security gmgross@IdentAware IETF-58, Minneapolis, MN

Multicast Security with Authentication, Authorization, and Accounting (AAA). George Gross, IdentAware ™ Security gmgross@IdentAware.com IETF-58, Minneapolis, MN November 10 th 2003. What motivates MSEC/AAA?.

amber
Télécharger la présentation

George Gross, IdentAware ™ Security gmgross@IdentAware IETF-58, Minneapolis, MN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multicast Security with Authentication, Authorization, and Accounting (AAA) George Gross, IdentAware™ Security gmgross@IdentAware.com IETF-58, Minneapolis, MN November 10th 2003 IETF-58 MSEC and AAA page 1

  2. What motivates MSEC/AAA? • Large-scale secure multicast groups straddle administrative/business domain boundaries • AAA enforces contractual relationships, generates data usable for service accounting • Allows Service Provider to securely control their multicast transit routing service • Enables dynamic MSEC groups with the Service Provider AAA as the broker IETF-58 MSEC and AAA page 2

  3. Relevant Background Reading • RFC3588, Diameter base protocol spec • RFC2904, generic authorization framework • NASREQ Diameter application • ietf-draft-aaa-diameter-nasreq-13.txt • next rev of generic policy token draft • msec-gspt-04.txt • missed the ID cut-off IETF-58 MSEC and AAA page 3

  4. Diameter Diameter GDOI RoamingPull AAA Model Administrative Domain “A” Administrative Domain “B” Accounting Server Diameter NASREQ+MSEC Group Owner Z authorization Diameter AAA Server Diameter AAA Server Accounting Server Authentication Server Subordinate GC/KS Grp. Controller Key Server GDOI GDOI Secure multicast group “Z” GM GM GM GM GM GM GM IETF-58 MSEC and AAA page 4

  5. Observations about GDOI/AAA • Can leverage existing IKE/ISAKMP AAA • Q: does the group member have a NAI? • Reasonable design: extend NASREQ Diameter application to handle GDOI • Undefined how to add a S-GC/KS to group • Issue: currently no way to separate KS from the S-GC role if the S-GC domain is not trusted with the group’s encryption key IETF-58 MSEC and AAA page 5

  6. Diameter Diameter GSAKMP Push AAA Model Administrative Domain “A” Administrative Domain “B” Diameter AAA Server Diameter AAA Server Accounting Server Diameter accounting Group Owner Z authorization Accounting Server Subordinate GC/KS Grp. Controller Key Server Certificate Authority GSAKMP GSAKMP Policy token Secure multicast group “Z” GM GM GM GM GM GM GM IETF-58 MSEC and AAA page 6

  7. GSAKMP/AAA Observations • PKI based authentication only, no NAI • Multicast policy token encodes membership authorization, acts as AAA service ticket • Diameter back-end used for accounting • Does not fit Diameter NASREQ model • Like GDOI, can not withhold group key from S-GC in partially trusted domain IETF-58 MSEC and AAA page 7

  8. Future MSEC/AAA directions • Need to separate the S-GC and key server roles in both GSAKMP and GDOI • Introduce “generic” policy token attributes to encode multiple service authorizations • nesting the tokens will avoid layer violations • multicast PT is scalable, but it is not part of GDOI today, is this feasible to add? • Long-term: Diameter extensions for MSEC IETF-58 MSEC and AAA page 8

More Related