120 likes | 138 Vues
NSIS QoS NSLP Authorzation Issues Hannes Tschofenig. Current Status. Trust Model: New Jersey Turnpike Model. Network A. Network B. Network C. Peering relationship is used to provide charging between neighboring networks - similar to edge pricing proposed by Schenker et. al.
E N D
Trust Model: New Jersey Turnpike Model Network A Network B Network C • Peering relationship is used to provide charging between neighboring networks - similar to edge pricing proposed by Schenker et. al. • David Clark: "We know how to route packets, what we don't know how to do is route dollars." Data Sender Data Receiver Node B Node A
Two-Party Approach QoS Request Entity requesting resource • Properties: • Strong trust relationship between "Entity authorizing resource request" and "Entity performing QoS reservation" • Typically: Data-origin authentication sufficient • Financial establishment pre-established based on previous protocol execution • Examples: • PacketCable authorization within the network where the user is attached. Entity authorizing resource request granted/rejected End Node Node within the attached network
Entity authorizing resource request Three-Party ApproachEntity Authentication • Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation" • Properties / Usage Environment: • AAA-type authorization - splitting functional components • Dynamic re-authorization based on new incoming requests. • Typically: entity authentication between "Entity requesting resource" and "Entity authorizing resource requests" QoS Authz Request QoS Authz Response QoS Request Entity requesting resource Entity performing QoS reservations granted/rejected
Entity authorizing resource request (TTP) Three-Party ApproachToken based Mechanism Authz Token Request • Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation" • Properties / Usage Environment: • Common authorization tokens (e.g., OSP - Tokens; RSVP Session and Media Authorization) • Token either allows two protocols to be linked or represents a monetary value • Provides some sort of anonymity • Digital money (or e-payment) could also be used Authz Token QoS Request + Token Entity requesting resource Entity performing QoS reservations granted/rejected
Authentication, Authorization and Accounting Infrastructure • Authorization might not always happen at an NSIS element itself (see roaming scenarios) • Information which is exchanged between the end host (e.g., NI) needs to be forwarded to a backend server (e.g., PDP or AAA server) • NSIS and AAA protocols need to aligned • Work ongoing with Frank Alfano, Pete McCann
State-of-the-Art: TLS-based Mutual Authentication +---------+ +---------+ | MN | | R1 | +---------+ +---------+ + <---------------------------------------------> + | Discovery Request/Response (NTLP) | | | | <---------------------------------------------> | | Transport Layer Connection Setup | | | | <---------------------------------------------> | Initial | Transport Layer Security | Setup | Handshake Layer (Mutual authentication) | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | TLS Record Layer Established | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | | | ----------------------------------------------> | | NTLP/NSLP QoS CREATE msg | | | | <---------------------------------------------- | | NTLP/NSLP QoS ACK msg | | | + + ..........
Open Issue: C/R-based Authentication Entity requesting resource Entity performing QoS reservations Entity authorizing resource request • How long is the authorization decision valid? • More flexible approach (support of different authentication protocols): EAP based authentication + Authorization QoS Request (Identity) AAA-QoS (identity) Unauthorized (challenge) AAA-QoS (challenge) QoS Request+Response AAA-QoS (response) Success/Failure AAA-QoS (success/failure)
EAP-based Approach (1/2) +---------+ +---------+ | MN | | R1 | +---------+ +---------+ + <---------------------------------------------> + | Discovery Request/Response (NTLP) | | | | ----------------------------------------------> | | Datagram Mode | | NTLP/NSLP QoS CREATE Req. | | (EAP-Auth/Authz requested; | Initial | EAP-Request/Identity) | Setup | | | <---------------------------------------------- | | Datagram Mode | | NTLP/NSLP QoS CREATE Resp. | | (EAP-Request/AKA-Challenge | | (AT_RAND, AT_AUTN, AT_MAC)) | | (Algorithm/Parameter Negotiation) | | ----------------------------------------------> | | Datagram Mode | | NTLP/NSLP QoS CREATE Req. | | (EAP-Response/AKA-Challenge | | (AT_RES, AT_MAC)) | | (Algorithm/Parameter Negotiation) |
EAP-based Approach (2/2) | | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | Authentication Authorization finished | | Secure channel at the NSLP layer established | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | <---------------------------------------------- | | NTLP/NSLP QoS CREATE Resp. | | NTLP/NSLP QoS CREATE Req. | | (EAP-Success) | | (Secure Confirmation) | | | + + .......... + + | ----------------------------------------------> | | NTLP/NSLP QoS REFRSH msg | Refresh | | Msg | <---------------------------------------------- | | NTLP/NSLP QoS ACK msg | + +