Mobile IPv6 Authentication Architecture Using AAA

Kim Mi Young, Soongsil University, mizero31@sunny.soongsil.ac.kr

Presentation Transcript


  1. Mobile IPv6 Authentication Architecture Using AAA Kim Mi Young, Soongsil University, mizero31@sunny.soongsil.ac.kr

  2. Contents • Introduction • Model • Diameter Service Architecture • Assumptions • Basic Features • MIPv6 Application Diameter Messages • Information Exchange (MN, AAA Client) • Basic Protocol Overview • Diameter Protocol Architecture in Mobile IPv6 • Enhanced Protocol Operation • Security Consideration • AAA Architecture for Mobile IPv6

  3. Introduction • Inter-domain mobility support in pure MIPv6? Scalability problem; commercial deployment problem • What about using AAA (Diameter)? Authentication / Authorization / Accounting; inter-domain operable; global-scale service; secure communication between AAA servers • What about using a Diameter extension in MIPv6? Global roaming over a secure infrastructure; needs new messages and behavior (a Diameter application); distribution of security keys; provides MIPv6 with an inter-domain mobility procedure; a general and optimized AAA service for MIPv6

  4. Diameter Service Architecture

  5. Diameter vs. RADIUS: comparison of Diameter and RADIUS

  | Item                 | Diameter                                                                                                 | RADIUS                                                                                      |
  | Service scope        | Users across multiple domains                                                                            | End-users within a single small domain                                                      |
  | Service paradigm     | Broker-based peer-to-peer                                                                                | Client / Server                                                                             |
  | Connection model     | Connection-oriented                                                                                      | Connectionless                                                                              |
  | Security             | End-to-end security; TLS (optional at the client), SCTP, IPsec (mandatory); the whole packet is encrypted | Security only between server and end-user; CHAP / PAP; only the user password is encrypted |
  | Attribute space      | 32-bit AVP codes (up to 2^32 pairs)                                                                      | 8-bit attribute codes (up to 2^8 pairs)                                                     |
  | Transport protocol   | TCP                                                                                                      | UDP                                                                                         |
  | Message delivery     | Request / Response plus unsolicited messages                                                             | Request / Response only                                                                     |
  | Fail-over            | Built-in fail-over (DWR / DWA)                                                                           | -                                                                                           |
  | Other                | Capability negotiation (version, applications, ...); high extensibility                                  | Low extensibility                                                                           |
  | Recommended services | Roaming users in fixed networks; Mobile IP users in mobile networks; users requiring strong security     | Fixed / roaming users in fixed networks                                                     |

  6. Model: Mobility Entities • MN (Mobile Node) • HA (Home Agent) • AAA Client (Attendant): the AAA relay entity that forwards the user ID and the authentication information; an access router or AA agent • AAAv Server: AAA server in the visited domain • AAAh Server: AAA server in the home domain

  7. Assumptions • Identity for the MN: NAI (Network Access Identifier, RFC 2794) or the home address of the MN; if the MN has both, AAA uses the NAI; if it has only one, AAA uses that one • Shared long-term key (MN and AAAh): used for network and user authentication • Secure communication (between AAAv and AAAh): an SA between the AAA (Diameter) servers; information is exchanged over a secure channel

  8. Basic Features (1): Authentication / Authorization • Authentication and Authorization (AA) • Mutual AA • Visited network: network resource planning and protection • IPv6 node: protection against impersonation (false BTS attack)

  9. Basic Features (2): Dynamic Home Agent Assignment in the Home Domain • Network renumbering / unfixed assignment: dynamic Home Agent assignment is provided • Dynamic HA address discovery mechanism: in MIPv6, many round trips / much signaling / long delay; over the AAA infrastructure, one round trip

  10. Basic Features (3): Key Distribution • Dynamic security associations • MN and visited network: confidentiality and integrity of data over the access link • MN and Home Agent: BU / BA (must be protected) • Key distribution algorithm (e.g. IKE)

  11. Basic Features (4): Optimization of Binding Updates • Role of the AAA server in this I-D: authentication / authorization, key distribution, dynamic Home Agent allocation, optimization of the BU • Pre-assumption: the MN knows its HA • MN behavior: embeds the BU in the AAA request message • AAA behavior: processes the BU (relays it to the HA) • Steps for a Binding Update: obtain authentication through the AAA infrastructure; Dynamic Home Agent Address Discovery (DHAAD); set up an SA between MN and HA (e.g. Internet Key Exchange, IKE); Binding Update request (BU) / Binding Acknowledgement (BA)

  12. MIPv6 Application Diameter Messages (1): Command Codes • ARR: AA-Registration-Request (Attendant -> AAAL -> AAAH) • ARA: AA-Registration-Answer (AAAH -> AAAL -> Attendant) • HOR: Home-Agent-MIPv6-Request (AAAH -> HA) • HOA: Home-Agent-MIPv6-Answer (HA -> AAAH)

  13. MIPv6 Application Diameter Messages (2): AVPs (Attribute Value Pairs) • MIP-Binding-Update: type OctetString, payload the BU message • MIP-Binding-Acknowledgement: type OctetString, payload the BA message • MIPv6-Mobile-Node-Address: type IPAddress, payload the home address of the MN • MIPv6-Home-Agent-Address: type IPAddress, payload the Home Agent address of the MN • MIPv6-Feature-Vector: type Unsigned32, payload a flag for dynamic HA assignment; flag value 1 requests dynamic HA assignment
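As an added example (not code from the presentation or from the Internet-Draft it describes), the following Python encodes and parses the AVPs listed on this slide on the wire. The AVP header layout (code, flags, 24-bit length, padding to a 4-octet boundary) and the Address encoding (2-octet AddressFamily, 1 = IPv4 and 2 = IPv6, followed by the raw address) follow the base Diameter specification (RFC 3588, later RFC 6733). The numeric AVP codes are placeholders chosen for this example, since the slide names the AVPs but gives no codes; the BU payload is constructed sample data, not a real Mobile IPv6 message.

```python
"""Diameter AVP encoding and parsing for the MIPv6-application AVPs.

Added example, not the presentation's or the draft's own code. AVP header
and Address layout follow RFC 3588 / RFC 6733; the AVP codes are placeholders.
"""
import ipaddress
import struct

# Placeholder AVP codes (the draft assigns its own; not given on the slide).
AVP_MIP_BINDING_UPDATE = 9001          # OctetString: raw BU message
AVP_MIP_BINDING_ACK = 9002             # OctetString: raw BA message
AVP_MIPV6_MOBILE_NODE_ADDRESS = 9003   # Address: home address of the MN
AVP_MIPV6_HOME_AGENT_ADDRESS = 9004    # Address: HA address of the MN
AVP_MIPV6_FEATURE_VECTOR = 9005        # Unsigned32: feature flags

FLAG_DYNAMIC_HA_ASSIGNMENT = 0x1       # slide 13: value 1 requests dynamic HA

AVP_FLAG_VENDOR = 0x80                 # 'V' bit: vendor-specific AVP
AVP_FLAG_MANDATORY = 0x40              # 'M' bit: receiver must understand it


def encode_avp(code: int, data: bytes, flags: int = AVP_FLAG_MANDATORY) -> bytes:
    """AVP = code(4) | flags(1) | length(3) | data | zero padding to 4 octets.
    The length field covers the 8-octet header and the data, not the padding."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def encode_address(addr: str) -> bytes:
    """Diameter Address type: 2-octet AddressFamily (1 = IPv4, 2 = IPv6) + address."""
    ip = ipaddress.ip_address(addr)
    return struct.pack("!H", 2 if ip.version == 6 else 1) + ip.packed


def decode_address(data: bytes) -> str:
    family = struct.unpack("!H", data[:2])[0]
    raw = data[2:]
    if family == 2 and len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    if family == 1 and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    raise ValueError("unsupported AddressFamily or address length")


def decode_avps(buf: bytes) -> list:
    """Parse a run of AVPs into (code, flags, data) tuples.
    Bounds are checked before every read so a bad length cannot run off the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if flags & AVP_FLAG_VENDOR:
            raise ValueError("vendor-specific AVPs are not handled in this example")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, flags, buf[off + 8:off + length]))
        off += length + ((-length) % 4)
    return avps


def is_well_formed(buf: bytes) -> bool:
    try:
        decode_avps(buf)
        return True
    except ValueError:
        return False


def build_arr_avps(home_addr: str, bu: bytes, want_dynamic_ha: bool) -> bytes:
    """AVPs an attendant would put in an ARR: MN address, piggybacked BU, feature vector."""
    vector = FLAG_DYNAMIC_HA_ASSIGNMENT if want_dynamic_ha else 0
    return (encode_avp(AVP_MIPV6_MOBILE_NODE_ADDRESS, encode_address(home_addr))
            + encode_avp(AVP_MIP_BINDING_UPDATE, bu)
            + encode_avp(AVP_MIPV6_FEATURE_VECTOR, struct.pack("!I", vector)))


def wants_dynamic_ha(avps: list) -> bool:
    """What the AAAh checks to decide whether to allocate a Home Agent."""
    for code, _flags, data in avps:
        if code == AVP_MIPV6_FEATURE_VECTOR and len(data) == 4:
            return bool(struct.unpack("!I", data)[0] & FLAG_DYNAMIC_HA_ASSIGNMENT)
    return False


if __name__ == "__main__":
    sample_bu = b"BU:home=2001:db8::1,coa=2001:db8:1::5"   # constructed, not a real BU
    wire = build_arr_avps("2001:db8::1", sample_bu, True)
    for code, flags, data in decode_avps(wire):
        print(code, hex(flags), data)
```

The parser rejects a length below the 8-octet header or beyond the buffer before slicing; a Diameter peer that trusts the 24-bit length field as received is the classic source of out-of-bounds reads in AAA stacks.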

  14. Information Exchange (1) (MN, AAA Client) • MIP Feature Data: sent when requesting dynamic HA assignment; carried in ICMPv6, a new destination option, etc. • EAP Data: the MIPv6 node supports various AA methods (including EAP) • Embedded Data: BU and BA are sent/received piggybacked in the AAA request message; reduces round trips; BU optimization

  15. Information Exchange (2) (MN, AAA Client): Authentication • The MN must be authenticated before it accesses the visited network • Mutual authentication (MN <-> visited network); default: mutual challenge exchange (in the Router Advertisement) • Messages: ARR (AA-Registration-Request), ARA (AA-Registration-Answer), HOR (Home-Agent-MIPv6-Request), HOA (Home-Agent-MIPv6-Answer)

  16. Diameter Protocol Architecture in Mobile IPv6: basic operation

  17. Enhanced Protocol Operation (1) • If the MN does not know a pre-configured HA: dynamic HA assignment and dynamic home address assignment • Contains all features of the basic operation: key distribution, optimized (embedded) BU; authentication is the same as in the basic operation • Additional activities: behavior of the entities, AVPs

  18. Enhanced Protocol Operation (2): Home Agent Assignment in the Home Network

  19. Security Consideration • Analysis • Security: the embedded BU/BA opens a security hole; additional security functions are required at steps 1 (RA), 2 (ARR) and 9 (ARA) • Performance: 9 message exchanges in total; embedded BU/BA
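To make the security consideration concrete, here is an added example (not code from the presentation or from the draft it analyses) of what the extra protection at steps 1 (RA), 2 (ARR) and 9 (ARA) can look like when only the assumptions on slide 7 are used: a long-term key shared between the MN and the AAAh, and a mutual challenge exchange started by the Router Advertisement. The MN answers the visited network's challenge, adds its own, and binds the piggybacked BU to both challenges with a keyed tag; the AAAh verifies the tag before relaying the BU to the HA, answers the MN's challenge in the ARA, and derives the MN-visited-network key (slide 10) from the same exchange. HMAC-SHA256, the field names, the replay cache and the sample BU bytes are assumptions of this example, not something the slides specify.

```python
"""Mutual challenge-response and integrity tag for the BU embedded in an ARR.

Added example, not the presentation's or the draft's own code. The slides fix
only a shared MN/AAAh long-term key and a challenge exchange; the algorithm
(HMAC-SHA256), message layout and replay cache are this example's choices.
"""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed PRF with length-prefixed fields so (a, bc) and (ab, c) differ."""
    mac = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


class MobileNode:
    def __init__(self, nai: str, long_term_key: bytes):
        self.nai, self.k = nai.encode(), long_term_key   # slide 7: NAI + shared key
        self.chal_v = self.chal_m = None

    def build_arr(self, chal_v: bytes, bu: bytes) -> dict:
        """Step 2 (ARR): answer the challenge from the RA (step 1), add our own
        challenge, and tag the piggybacked BU so AAAv/attendant cannot alter it."""
        self.chal_v, self.chal_m = chal_v, os.urandom(16)
        return {
            "nai": self.nai, "chal_v": chal_v, "chal_m": self.chal_m, "bu": bu,
            "auth": prf(self.k, b"mn-auth", chal_v, self.chal_m, self.nai),
            "bu_tag": prf(self.k, b"bu", chal_v, self.chal_m, bu),
        }

    def check_ara(self, ara: dict):
        """Step 9 (ARA): authenticate the home network, then derive the key
        shared with the visited network. Returns None if the ARA is not genuine."""
        expect = prf(self.k, b"home-auth", self.chal_m, self.chal_v)
        if not hmac.compare_digest(expect, ara["home_auth"]):
            return None
        return prf(self.k, b"mn-visited", self.chal_v, self.chal_m)


class HomeAAA:
    def __init__(self, keys: dict):
        self.keys = keys        # NAI -> long-term key
        self.seen = set()       # (chal_v, chal_m) pairs already accepted

    def process_arr(self, arr: dict):
        """Verify the MN and the BU tag. Returns (ara, bu_for_ha, key_for_attendant)
        or None. The BU is relayed to the HA only after its tag verifies."""
        k = self.keys.get(arr["nai"])
        if k is None:
            return None
        pair = (arr["chal_v"], arr["chal_m"])
        if pair in self.seen:                      # replayed ARR
            return None
        auth_ok = hmac.compare_digest(
            arr["auth"], prf(k, b"mn-auth", arr["chal_v"], arr["chal_m"], arr["nai"]))
        bu_ok = hmac.compare_digest(
            arr["bu_tag"], prf(k, b"bu", arr["chal_v"], arr["chal_m"], arr["bu"]))
        if not (auth_ok and bu_ok):
            return None
        self.seen.add(pair)
        ara = {"home_auth": prf(k, b"home-auth", arr["chal_m"], arr["chal_v"])}
        key_for_attendant = prf(k, b"mn-visited", arr["chal_v"], arr["chal_m"])
        return ara, arr["bu"], key_for_attendant


def run_exchange(tamper_bu: bool = False) -> bool:
    """One RA/ARR/ARA round. True when both sides authenticate, the MN and the
    attendant end up with the same key, and the HA gets the BU the MN sent."""
    k = b"\x11" * 32                                        # constructed long-term key
    mn = MobileNode("mn@home.example", k)
    aaah = HomeAAA({b"mn@home.example": k})
    chal_v = os.urandom(16)                                 # challenge carried in the RA
    bu = b"BU:home=2001:db8::1,coa=2001:db8:1::5"          # constructed BU payload
    arr = mn.build_arr(chal_v, bu)
    if tamper_bu:                                           # on-path change before the AAAh
        arr = dict(arr, bu=b"BU:home=2001:db8::1,coa=2001:db8:bad::1")
    result = aaah.process_arr(arr)
    if result is None:
        return False
    ara, bu_for_ha, key_for_attendant = result
    key_at_mn = mn.check_ara(ara)
    return key_at_mn is not None and key_at_mn == key_for_attendant and bu_for_ha == bu


def replay_rejected() -> bool:
    k = b"\x22" * 32
    mn, aaah = MobileNode("mn@home.example", k), HomeAAA({b"mn@home.example": k})
    arr = mn.build_arr(os.urandom(16), b"BU")
    return aaah.process_arr(arr) is not None and aaah.process_arr(arr) is None


if __name__ == "__main__":
    print("honest exchange:", run_exchange())
    print("tampered BU accepted:", run_exchange(tamper_bu=True))
```

The tag over the BU is what closes the hole the slide points at: without it, anything between the attendant and the AAAh can rewrite the care-of address in the piggybacked BU and the AAAh would relay it to the HA unchanged. Binding the tag to both challenges also ties the BU to this registration, so a captured ARR cannot be replayed later.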

  20. AAA Architecture for Mobile IPv6 (1) • Proposed by F. Dupont, "AAA for Mobile IPv6" • Features • Uses AAA (RADIUS / DIAMETER) • MN <-> Attendant • 12-step message exchange • AAA messages • AS: Attendant Solicitation • AA: Attendant Advertisement • AReq: Authentication Request • AMR: Authentication MN-Request • AMA: Authentication MN-Answer • AHR: Authentication HA-Request • AHA: Authentication HA-Answer • ARsp: Authentication Reply

  21. AAA Architecture for Mobile IPv6 (2)

  22. AAA Architecture for Mobile IPv6 (3) • Analysis • Security: maintains the security strength of standard Mobile IPv6 • Performance: 12 message exchanges in total -> not suited to providing fast mobility
