Accessor Issues in the Access Bind PIB
Freek Dijkstra, Utrecht University, the Netherlands
dec 14, 2001 Auth PIB Accessor Issues 2/17
Goal
• Make you familiar with the data structure of the Access Bind PIB.
• Make you aware of the dependency of the draft on other documents.
Talk Outline
• Introduction of keywords and physical model.
• Discuss how and when new sessions are created.
• Explain how this is implemented in our model.
• Describe the other drafts that our data structure refers to.
• Conclusion.
Device Names
[Figure: time-sequence diagram between USER, PEP and PDP showing the access request, access decision and access notification, with the Access PIB]
USER = Requester of the services
PEP = Policy Enforcement Point (a NAD, Network Access Device, in AAA-terminology)
PDP = Policy Decision Point (an AAA-Server)
Definitions
• PEP = Policy Enforcement Point
• PDP = Policy Decision Point
• Sessions are created when an authentication dialogue starts
• PIB = Policy Information Base
• PRC, PRI, PRID = Part of PIB: Provisioning class, -instance, -identifier
• Accessor = A table in our PIB
Connection Steps
• PEP notices user traffic/access request
• Access request to PDP
• Retrieve PEP knowledge about the user
• Credential negotiation (not shown)
• Provision PEP with policies
• Access decision (approval or denial)
• Access decision notification to user
• Usage of service
[Figure: time-sequence diagram of these steps between USER, PEP and PDP]
Capability Exchange
[Figure: time-sequence diagram between USER, PEP and PDP showing the access request, access decision and access notification, with the Access PIB and the labels “Behaviour” and “Capabilities”]
Accessor
The Accessor table:
• … Is installed in the PEP by the PDP.
• Specifies when a new session is created.
• Specifies what information to send along with a new authentication request.
• Specifies how to retrieve this information (using which authentication protocol: PAP, CHAP, EAP-MD5, EAP-TLS, etc.).
PIB Datastructure
[Figure, repeated on six consecutive slides: PIB data structure diagram with the elements Accessor, Accessor Element, AccessorAuthProtocol, SessionScope, Filter, ContextData and DataPath. Successive slides carry the additional labels AuthProtocol, AuthContext, ElmRef and ElementScope.]
Framework PIB Filters
• IP filter
• 802 filter
• Internal label filter
Conclusion
• Our model is potentially powerful: it can support any kind of trigger to create new sessions.
• We depend on other framework PIBs, which may or may not be sufficient. Some effort should go into those as well; that is out of scope of our draft, but in scope of the IETF in general.
[Figure: PEP diagram with two meters, the labels 17.0.0.0/8 and "other", and the addresses 17.1.13.15, 17.5.8.1 and 17.1.2.4]
Example: Wireless
Example: Dial-up
Example: LAN
Example: HTTP
Example: Pizza phone orders