Mobile IPv6 Bootstrapping Architecture using DHCP
draft-ohba-mip6-boot-arch-dhcp-00
Yoshihiro Ohba, Rafael Marin Lopez, Mayumi Yanagiya, Hiroyuki Ohnishi and Kuntal Chowdhury
61st IETF MIP6 WG
Mobility Service, Network Access Service and AAA
• Integration of a bootstrapping architecture with the AAA infrastructure is needed
• Operators rely on AAA protocols to provide authentication, authorization and accounting for the subscribers of their services
• The services include network access service and mobility service
• In many cases, AAA for network access (AAA-NA) occurs before AAA for mobility service (AAA-MS)
• It is reasonable to consider a scenario where there is some dependency between AAA-NA and AAA-MS
Two Minimum Sets of Seed Information
• Parameter Set 1:
  • The domain name or FQDN of the home agent
  • IKE credentials
• Parameter Set 2:
  • Network access credentials
• draft-ohba-mip6-boot-arch uses Parameter Set 2
Basic Architecture
[Figure: Mobile Node/DHCP Client, NAS, DHCP Server, AAA-NA Server, AAA-MS Server and Home Agent, grouped into "ASP or IASP" and "Serving or Home MSP"; links labelled DHCPv6, network access authentication protocol and AAA protocol.]
Basic Architecture (cont'd)
• DHCP server in the visited network is used for delivering bootstrap information to the MN
  • The visited network may be the home network
• DHCP delayed authentication is used for integrity-protected delivery of bootstrap information
  • The DHCP delayed authentication key is also bootstrapped from AAA-NA
  • Alper's comment: the DHCP authentication problem can be separated
• NAS and/or DHCP server in the visited network is aware of the MIPv6 service (but they do not need to speak MIPv6)
• Two models exist depending on who is the AAA-MS client
  • Model 1: DHCP server as AAA-MS client
    • DHCP server directly communicates with the AAA-MS server to obtain MIP6 bootstrap information
  • Model 2: NAS as AAA-MS client
    • NAS communicates with the AAA-MS server to obtain MIP6 bootstrap information
    • NAS passes the obtained bootstrap information to the DHCP server
Model 1 (DHCP Server as AAA-MS Client)
[Figure: (1) network access authentication protocol between Mobile Node and NAS, with (1') AAA-NA between NAS and the AAA infrastructure, yielding the AAA-Key; (2) AAA-MS between DHCP Server and the AAA infrastructure returns MIP6 bootinfo {HA [,HoA or HoL], DHCP-key}, and DHCPv6 with delayed authentication under the DHCP key delivers MIP6 bootinfo {HA [,HoA or HoL]} to the DHCP Client; (2) AAA-MS to the Home Agent carries MIP6 bootinfo {IKE credentials [,HoA or HoL]}; (3) IKE between Mobile Node and Home Agent carries MIP6 bootinfo {[HoA or HoL]}.]
Model 2 (NAS as AAA-MS Client)
[Figure: (1) network access authentication protocol between Mobile Node and NAS, with (1') AAA-NA between NAS and the AAA infrastructure; (2) AAA-MS between NAS and the AAA infrastructure returns MIP6 bootinfo {HA [,HoA or HoL], AAA-Key [,DHCP-key]}, and NAS passes MIP6 bootinfo {HA [,HoA or HoL] [,DHCP-key]} to the DHCP Server; (2') DHCPv6 with delayed authentication under the DHCP key delivers MIP6 bootinfo {HA [,HoA or HoL]} to the DHCP Client; (2) AAA-MS to the Home Agent carries MIP6 bootinfo {IKE credentials [,HoA or HoL]}; (3) IKE between Mobile Node and Home Agent carries MIP6 bootinfo {[HoA or HoL]}.]
Mapping to Bootstrapping Scenarios
• The bootstrapping problem statement draft identifies four cases
  • Mobility Service Subscription Scenario
  • Integrated ASP (IASP) Scenario
  • Third-party MSP Scenario
  • Infrastructure-less Scenario
• Some scenarios do not assume a relationship between AAA-NA and AAA-MS
  • The mobility service subscription scenario and the infrastructure-less scenario are not supported in this bootstrapping architecture
• This architecture is intended for the IASP scenario and the third-party MSP scenario
Integrated ASP Scenario (Model 1)
[Sequence figure, all entities in the IASP (ASP+MSP): Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Order: NA Req.; AAA-NA (authentication, authorization for NA); NA Rep.; DHCP Req.; Parameter Req./Rep. with the AAA-MS Server (authorization for MS) and IKE credentials to the Home Agent; DHCP Rep.; IKEv2 between Mobile Node and Home Agent.]
Integrated ASP Scenario (Model 2)
[Sequence figure, all entities in the IASP (ASP+MSP): Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Order: NA Req.; AAA-NA (authentication, authorization for NA); Parameter Req./Rep. with the AAA-MS Server (authorization for MS) and IKE credentials to the Home Agent; NA Rep.; DHCP Req.; DHCP Rep.; IKEv2 between Mobile Node and Home Agent.]
Third-Party MSP Scenario (Model 1)
Home MSP is integrated with ASP, OR Home MSP has a roaming agreement with ASP
[Sequence figure across ASP, Serving MSP and Home MSP: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Order: NA Req.; AAA-NA (authentication, authorization for NA); NA Rep.; DHCP Req.; Parameter Req./Rep. with the AAA-MS Server (authorization for MS) and IKE credentials to the Home Agent; DHCP Rep.; IKEv2 between Mobile Node and Home Agent.]
Third-Party MSP Scenario (Model 2)
Home MSP is integrated with ASP, OR Home MSP has a roaming agreement with ASP
[Sequence figure across ASP, Serving MSP and Home MSP: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Order: NA Req.; AAA-NA (authentication, authorization for NA); Parameter Req./Rep. with the AAA-MS Server (authorization for MS) and IKE credentials to the Home Agent; NA Rep.; DHCP Req.; DHCP Rep.; IKEv2 between Mobile Node and Home Agent.]
Other Bootstrapping Architectures (draft-yegin-mip6-aaa-fwk)
• Uses the home agent as AAA-MS client
• Assumption: the HA address is somehow known to the MN (e.g., pre-configuration, DNS SRV record)
• Simplest, but operators want flexibility in the assignment of the HA address
  • E.g., assigning a different HA depending on the profile of the subscriber
Other Bootstrapping Architectures (draft-giaretta-mip6-authorization-eap)
• Uses EAP for conveying bootstrapping information between the MN (EAP peer) and the AAA-NA server (EAP server)
• The bootstrapping procedure is transparent to the access network
• Potential complexity for the multiple-domain case
Security Considerations
• Question: Is it valid to use DHCP in the ASP to deliver an HA assigned by the MSP?
  • If the ASP and MSP are separated, the MSP might not want to expose bootstrapping information to other providers
• Answer: The bootstrapping information can be encrypted based on the SA between the MN and the AAA-MS server
  • The DHCP server can deliver the encrypted information to the mobile as opaque data if such an option is defined
Open Issues
• When multiple MSPs are able to assign an HA to the MN, how to determine which MSP should be the assigner(s)?
  • This case could happen in a hybrid of the IASP scenario and the third-party scenario (i.e., AAA-MS servers exist in both the ASP and the home MSP)
• Model 1 might have a security issue
  • If there is no coordination between the AAA-MS client (DHCP server) and the AAA-NA client (NAS), the AAA-MS procedure is performed without authentication
  • A DHCP server would initiate AAA-MS without making sure that the requesting MN has been authorized by the NAS in the AAA-NA procedure
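The Model 1 flow (DHCP server as AAA-MS client) with the delayed-authentication integrity check from the Basic Architecture slides and the NAS/DHCP coordination that the open issue above asks for, as an added Python model that is not from the draft or the slides. The DHCP-key derivation, the session table shared between AAA-NA and AAA-MS, the sample HA/HoA values and HMAC-SHA256 in place of delayed authentication's HMAC-MD5 are all assumptions made for the example.

```python
import hashlib
import hmac
import json
# Constructed sample session: the AAA-Key that AAA-NA established with this MN (steps 1/1').
MN_ID = "mn1@example.net"
AAA_KEY = b"constructed-aaa-key-from-network-access-auth"

def derive_dhcp_key(aaa_key: bytes, mn_id: str) -> bytes:
    # Assumed derivation: the draft only says the DHCP key is bootstrapped from AAA-NA.
    return hmac.new(aaa_key, b"MIP6-DHCP-key|" + mn_id.encode(), hashlib.sha256).digest()

class AAAMSServer:
    """AAA-MS server: authorizes mobility service and returns MIP6 bootinfo."""
    def __init__(self, na_sessions: dict):
        self.na_sessions = na_sessions  # mn_id -> AAA-Key, shared with AAA-NA (assumption)

    def authorize(self, mn_id: str) -> dict:
        aaa_key = self.na_sessions.get(mn_id)
        if aaa_key is None:
            raise PermissionError(f"AAA-MS: no AAA-NA session for {mn_id}")
        return {"HA": "2001:db8::1", "HoA": "2001:db8:1::100",  # constructed values
                "DHCP-key": derive_dhcp_key(aaa_key, mn_id).hex()}  # lets DHCP sign the reply

class DHCPServerModel1:
    """Model 1: the DHCP server is the AAA-MS client."""
    def __init__(self, aaa_ms: AAAMSServer, nas_authorized: set):
        self.aaa_ms = aaa_ms
        self.nas_authorized = nas_authorized  # NAS -> DHCP coordination (closes the open issue)

    def reply(self, mn_id: str) -> tuple:
        if mn_id not in self.nas_authorized:
            raise PermissionError(f"DHCP: {mn_id} not authorized by NAS in AAA-NA")
        info = self.aaa_ms.authorize(mn_id)
        dhcp_key = bytes.fromhex(info.pop("DHCP-key"))  # never sent to the MN
        payload = json.dumps(info, sort_keys=True).encode()
        return payload, hmac.new(dhcp_key, payload, hashlib.sha256).digest()

def mn_verify(aaa_key: bytes, mn_id: str, payload: bytes, mac: bytes):
    """Mobile node side: recompute the DHCP key and check the delayed-auth MAC."""
    expected = hmac.new(derive_dhcp_key(aaa_key, mn_id), payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(expected, mac) else None

def demo():
    aaa_ms = AAAMSServer({MN_ID: AAA_KEY})
    dhcp = DHCPServerModel1(aaa_ms, nas_authorized={MN_ID})
    payload, mac = dhcp.reply(MN_ID)
    good = mn_verify(AAA_KEY, MN_ID, payload, mac)
    forged = mn_verify(AAA_KEY, MN_ID, payload.replace(b"2001:db8::1", b"2001:db8::bad"), mac)
    return good, forged
```

An altered HA in transit fails the MAC check on the MN, and an MN the NAS never authorized never triggers an AAA-MS request at all.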
Next Step
• If the architecture is relevant, make it part of the entire bootstrapping architecture
  • This architecture is NOT the only solution
• Resolve the open issues
Thank you!