How can AAA infrastructure support services and applications in roaming architectures

1. How can AAA infrastructure support services and applications in roaming architectures Ericsson Bay Area Research (EBAR) Theodore Havinis

2. The future trust model Home Corporate Network Home Terminal/ User Service Provider Home Service/ Content Provider Home Visited PLMN operator PLMN operator for services that use resources in visited

3. Identifying the issues The FACT is: • The AAA infrastructure has a role to play in the service plain The QUESTION is then: • What is exactly the role that the AAA infrastructure could play in the service plain considering: • 3G mobile roaming model • multimedia, e-Commerce applications etc.

4. Possible uses of AAA infrastructure • End-User (EU) authentication • authentication always from EU-to-home • Key distribution management • network-2-network (n2n) security is needed in some cases • AAA infrastructure is used for distributing keys. • Preparing for full IKE security association (SA) negotiation • Transporting User profile • Policy Decision Point

5. Distinguish btw E-U authentication and N2N security IETF SIP: End-2-End In IETF SIP, the SIP proxy is transparent to End-User authentication Home operator UA End-User authentication 3G SIP: Network-2-Network In 3G, the SIP proxy cannot be transparent for various reasons, one being capability to route calls locally e.g E-911 Home operator UA SIP Proxy End-User authentication N2N security Home Visited

6. AAAL AAAH SIP server SA M KM KM Initial SAs: SIP Server at Home Home Visited UA UA UE Proxy LS Home network decides where the SIP server is located SA 2 KSA2 KSA2 SA 1 KSA1 KSA1 3G operators are considering gateways btw networks for protecting internal infrastructure Initial SAs according to roaming model SA 3 KSA3 KSA3

7. AAAL AAAH SIP server UA LS SA 2 KSA2 KSA2 SA M KM KM SA 3 KSA3 KSA3 Initial SAs: SIP Server at Visited Home Visited UA UE Proxy Home network decides where the SIP server is located 3G operators are considering gateways btw networks for protecting internal infrastructure Initial SAs according to roaming model

8. How can a AAA server be used with n2n What is the proposal • To use the AAA infrastructure for provisioning the shared secrets. • In addition, to use the AAA infrastructure for n2n authentication and security according to the selected mode of operation Modes of operation for Network-2-Network security • In -band: complete piggybacking of SIP:REGISTER and its response over AAA infrastructure • Out-of-band: complete piggybacking of SIP:REGISTER, SAsestablished when SIP:REGISTER sent externally • Transparent: AAA used only for establishing SAs.

9. AAAL AAAH SIP server 11 3 2 1 4 5 6 7 8 9 10 Network-to-Network: In-band Home Visited UA UA UE Proxy LS SIP: REGISTER Policies enabled PRINCIPLE SIP:REGISTER sent piggybacked through AAA infrastructure, does Auth/Accounting & policy selection. Trusts established SIP:INVITE externally Ks1 Ks2 SIP: INVITE 12

10. AAAL AAAH SIP server 1 2 3 4 5 6 9 7 10 8 Network-to-Network: Out-of-band Visited Home UA UA UE Proxy LS SIP: REGISTER Policies enabled PRINCIPLE SIP:REGISTER sent piggybacked through AAA infrastructure, just authentication done & policy downloaded to SIP server SIP:REGISTER sent externally and used for key distribution management, resulting in building-up trusts. SIP:INVITE externally Ks1 Ks2 SIP: INVITE

11. AAAL AAAH SIP server 8 1 9 2 3 7 6 4 5 Network-to-Network: Transparent Home Visited UA UA UE Proxy LS SIP: REGISTER Policies enabled PRINCIPLE AAA infrastructure used for key generation & policy downloading to SIP server. SIP:REGISTER sent externally and used for key distribution management, resulting in building up trusts. SIP:INVITE externally Ks1 Ks2 SIP: INVITE 10

12. Thank you