HELSINKI UNIVERSITY OF TECHNOLOGY
AAA Architecture for hierarchical wireless Mobile IPv4
Tom Weckström
Telecommunications Software and Multimedia
Laboratory of Information Processing Science
Helsinki University of Technology
Finland
Introduction
• Wireless Internet gaining momentum
• Yankee: 1 billion users by 2003
• Is access the wireless killer application?
• Mobile users need to be authenticated, authorized, and correctly billed.
Problem
• Special needs for an AAA protocol in
– an open environment
– a wireless environment
• Problem dimensions: Trust, Security, Efficiency
Scope
• Mobile IPv4 environment that is
– Open
– Hierarchical
– Wireless
• Lots of active mobile users
• Frequent, fast handoffs
Scope
[Figure: scope. A mobile node (MN) on a Wireless LAN in the Foreign Network, served by a tree of foreign agents (FA) rooted at an HFA; the Home Network with home agents HA1, HA2, HA3 and SHA under the user home organization (UHO); the Internet and a correspondent node (CN) connecting them.]
Hierarchical Mobile IPv4
[Figure: hierarchical Mobile IPv4. The correspondent node (CN) and home agent (HA) in the Home Network reach the Foreign Network over the Internet. In the Foreign Network a tree of foreign agents, HFA1 at the root with FA1 and FA2 below it and FA3 to FA6 as leaves on the WLAN, serves the Mobile Node; an SFA is also shown.]
Criteria
• Derived from Internet-Drafts (IDs), the scope and RFC 2477
• 11 criteria, classified and prioritized
• General, dimensional and AAA criteria
• GQM (Goal/Question/Metric) approach for measuring success
Design principles
• Parallel AAA and MIP signaling
• Reduced number of signaling messages
• Periodic payments
• SPKI with RSA
• Ideas from Ipay, DIAMETER and BillNeat
Architectural elements
• AAAH, SHA, HA
• AAAF, HFA, FA
• Broker
• MN
• Buyer
Architecture
[Figure: architecture. Four ISPs (1ISP to 4ISP), each with its AAAF servers (1AAAF, 2AAAF, 3.1AAAF, 3.2AAAF under 3AAAF, AAAF4.1, AAAF4.2, AAAF4.1.1, AAAF4.1.2, AAAF4.2.1, AAAF4.2.2 under AAAF4) and trees of foreign agents rooted at HFAs (HFA1.1, HFA2.1, HFA2.2, HFA3.1, HFA4.1.1.1, HFA4.1.2.1, HFA4.2.1.1, HFA4.2.2.1); every FA is named by its dotted position in the hierarchy (FA1.1.1, FA1.1.2.1.3, FA4.1.1.1.1.1 and so on). The user home organization 1UHO has the home AAA server 1AAAH, SHA1.1 and SHA1.2, and home agents HA1.1.1 to HA1.1.3 and HA1.2.1 to HA1.2.3. Brokers (xBroker, yBroker, zBroker, pBroker, qBroker) and the mobile user MU1.1.2.1 are connected to the others over the Internet.]
Security
• RSA for signatures
• SHA for payment messages
• Symmetric encryption for authentication, session keys, and signatures
• Session ID
• Billing ID
• Timestamps for replay protection
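The Security slide lists the ingredients of message protection (a shared symmetric key, a session ID, a billing ID and timestamps for replay protection) but not how a receiver combines them. The following is an added example, not code from the deck or the Dynamics project: a home AAA server verifier that checks a keyed MAC, a timestamp window and per-session freshness. The message layout, field names, the `RegRequest` type string and the 7-second skew window are assumptions.

```python
"""Added example, not code from the deck: a minimal authenticator for AAA
registration messages using the Security slide's ingredients, a symmetric key
shared between the MN and its home AAA server, a session ID, a billing ID and a
timestamp checked for replay. Message layout, field names and the skew window
are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

TIMESTAMP_WINDOW = 7  # accepted clock skew in seconds (assumed value)


def mac_message(key: bytes, fields: dict) -> str:
    """Keyed hash over a canonical encoding so both ends MAC identical bytes."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_reg_request(key: bytes, session_id: str, billing_id: str,
                      home_addr: str, coa: str, now: int) -> dict:
    """MN side: a registration request bound to session, billing ID and time."""
    fields = {
        "type": "RegRequest",
        "session_id": session_id,
        "billing_id": billing_id,
        "home_addr": home_addr,
        "coa": coa,            # care-of address being registered
        "timestamp": now,
    }
    return {**fields, "mac": mac_message(key, fields)}


@dataclass
class HomeAAAVerifier:
    """AAAH side: verifies the MAC, the timestamp window and per-session freshness."""
    key: bytes
    window: int = TIMESTAMP_WINDOW
    last_ts: dict = field(default_factory=dict)     # session_id -> newest accepted timestamp
    billing_of: dict = field(default_factory=dict)  # session_id -> billing ID seen at setup

    def verify(self, msg: dict, now: int) -> tuple:
        fields = {k: v for k, v in msg.items() if k != "mac"}
        # 1. Authentication/integrity: constant-time comparison of the MAC.
        if not hmac.compare_digest(mac_message(self.key, fields), msg.get("mac", "")):
            return False, "bad MAC"
        ts = fields["timestamp"]
        # 2. Freshness: reject anything outside the skew window.
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        sid = fields["session_id"]
        # 3. Replay: the timestamp must be newer than the last accepted one for this session.
        if ts <= self.last_ts.get(sid, -1):
            return False, "replay"
        # 4. The billing ID must stay bound to the session it was set up with.
        if self.billing_of.get(sid, fields["billing_id"]) != fields["billing_id"]:
            return False, "billing ID mismatch"
        self.last_ts[sid] = ts
        self.billing_of.setdefault(sid, fields["billing_id"])
        return True, "ok"
```

The MAC is checked before the replay cache is consulted so that unauthenticated traffic cannot advance the per-session timestamp; the billing ID check keeps an attacker from moving an authenticated session onto another account's bill.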
Protocol operation
• Registration protocol
– Slow mode: sequential, for compatibility
– Fast mode: parallel, optional grace period
• Payment protocol
– Real-time payments
– Localized message handling
– Policy-based authorization
– User controls the size of the bill
Slow mode
[Figure: slow mode message sequence. Participants, left to right: MN and Buyer; FA1.1.1.1 and HFA1.1 in the Foreign Network; AAAF 1, Broker x and Broker y on the Internet; AAAH1, SHA1.1 and HA1.1.2 in the User Home Organization Network. Messages 1 to 21 run sequentially: Advertisement; PriorityRequest/PriorityReply; RegRequest carrying PaymSesReq and the SPKI certificate from the MN through FA and HFA; AAA(Reg.Request) carrying PaymSesReq/PaymSesValReq with the SPKI certificate hop by hop through AAAF, the brokers and AAAH to SHA and HA; AAA(Reg.Reply) and RegReply carrying PaymSesValReply/PaymSesReply back along the same path; RegistrationReady; PaymSesReq and PaymSesReply.]
Fast mode
[Figure: fast mode message sequence. Same participants, with FA2.1.2.2, HFA2.1, AAAF 2 and Broker p on the foreign side; two consecutive registrations are shown. After Advertisement and PriorityRequest/PriorityReply, the RegRequest (with PaymSesReq and the SPKI certificate) is forwarded toward the HA while AAA(PaymSesReq) and AAA(PaymSesValReq) with the SPKI certificate travel in parallel through AAAF, the brokers and AAAH to SHA; RegReply and AAA(PaymSesValReply)/AAA(PaymSesReply) return independently; RegistrationReady and PaymSesReq/PaymSesReply follow; AAA(RegRepIndication)/AAA(RegRepIndicRep), AAA(RegistrationReply) and AAA(Acknowledgement) reconcile the two legs. Messages numbered 1 to 17.]
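The fast mode runs the Mobile IP registration and the AAA exchange in parallel, and the Protocol operation slide mentions an optional grace period. The security-relevant consequence is that the foreign agent forwards traffic for a bounded time before it has an authorization verdict, so the grace period must be enforced and revocation must be immediate on a negative reply. The following is an added example, not the deck's protocol or code: a foreign-agent session state machine for that mode. Event names, state names, the timing values and the single-verdict policy are assumptions.

```python
"""Added example, not code from the deck: a foreign-agent state machine for
fast-mode registration. The RegRequest is forwarded toward the HA and the AAA
request toward the AAAF at the same time; service is granted for a grace
period and revoked if the AAA verdict is negative or does not arrive in time.
Event names, states and timings are assumptions."""
from dataclasses import dataclass, field


@dataclass
class FastModeFA:
    grace_period: float                                   # seconds of service before a verdict is required
    sessions: dict = field(default_factory=dict)          # session_id -> state record

    def on_reg_request(self, session_id: str, now: float) -> list:
        """Parallel signaling: both messages leave at once; service starts in grace."""
        self.sessions[session_id] = {"state": "grace", "granted_at": now,
                                     "aaa": None, "reg": None}
        return ["RegRequest->HA", "AAA(PaymSesReq)->AAAF"]

    def on_reg_reply(self, session_id: str, now: float) -> str:
        s = self.sessions[session_id]
        s["reg"] = True
        return self._resolve(s)

    def on_aaa_reply(self, session_id: str, authorized: bool, now: float) -> str:
        s = self.sessions[session_id]
        s["aaa"] = authorized
        return self._resolve(s)

    def on_tick(self, session_id: str, now: float) -> str:
        """Timer check: an expired grace period without a verdict stops forwarding."""
        s = self.sessions[session_id]
        if s["state"] == "grace" and now - s["granted_at"] > self.grace_period:
            s["state"] = "revoked"
        return s["state"]

    def _resolve(self, s: dict) -> str:
        if s["aaa"] is False:
            s["state"] = "revoked"          # negative verdict wins regardless of registration
        elif s["aaa"] and s["reg"]:
            s["state"] = "active"           # both legs completed: service continues past grace
        return s["state"]

    def forwards_traffic(self, session_id: str) -> bool:
        return self.sessions[session_id]["state"] in ("grace", "active")
```

A session whose grace period expires is revoked even though the registration may already have succeeded; only a positive AAA verdict moves it to `active`.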
Payment protocol
[Figure: payment protocol message sequence. Same participants as in fast mode. Steps 1 to 8: PaymSesReq with the SPKI certificate from the Buyer, AAA(PaymSesReq) and AAA(PaymSesValReq)/AAA(PaymSesValReply) through AAAF, the brokers and AAAH, and PaymSesReply back to the Buyer; repeated TickPayment messages exchanged between Buyer and FA, with PaymentRequest from the FA side; AAA(CapacityUsed)/AAA(CapUsedReply) and UsageInfo reporting consumed capacity up the hierarchy; AAA(BillingRequest)/AAA(BillingReply), AAA(Accounting information) and AAA(Acknowledgement) settling the bill through the brokers with the home organization.]
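The Security and Protocol operation slides say that SHA is used for payment messages, that payments are tick-based and real-time, and that the user controls the size of the bill; the deck does not spell out the construction. The following is an added example, not code from the deck or the Dynamics project, of one way those properties fit together: a PayWord-style hash chain in which the chain length is the user's bill limit, each TickPayment releases the next preimage, and the FA verifies a tick with nothing but hashing. The class names, message shapes and the chain construction itself are assumptions; the RSA signature the deck uses is assumed to cover the commitment w_0 during payment-session setup and is not implemented here.

```python
"""Added example, not code from the deck: a hash-chain realisation of tick
payments. Chain construction, class names and message shapes are assumptions;
the RSA signature over the commitment w_0 is assumed to happen at payment
session setup and is not implemented here."""
import hashlib
import secrets
from typing import Optional


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Buyer:
    """MN/Buyer side: builds w_n -> w_{n-1} -> ... -> w_0 and releases ticks in order."""

    def __init__(self, max_ticks: int, seed: Optional[bytes] = None):
        self.max_ticks = max_ticks                                  # user-chosen bound on the bill
        w = seed if seed is not None else secrets.token_bytes(32)   # w_n, kept secret
        chain = [w]
        for _ in range(max_ticks):
            chain.append(sha(chain[-1]))                            # w_{i-1} = SHA(w_i)
        self.chain = chain[::-1]            # chain[0] = w_0 (commitment), chain[i] = tick i
        self.next_tick = 1

    def commitment(self) -> bytes:
        return self.chain[0]

    def pay(self, ticks: int = 1) -> tuple:
        """Release `ticks` more units; returns (index, value) of the newest tick."""
        idx = self.next_tick + ticks - 1
        if idx > self.max_ticks:
            raise ValueError("bill limit reached")
        self.next_tick = idx + 1
        return idx, self.chain[idx]

    def remaining(self) -> int:
        return self.max_ticks - self.next_tick + 1


class Seller:
    """FA side: accepts a tick only if hashing it back reaches the last accepted value."""

    def __init__(self, commitment: bytes, max_ticks: int):
        self.last_idx = 0
        self.last_value = commitment
        self.max_ticks = max_ticks

    def accept(self, idx: int, value: bytes) -> bool:
        if idx <= self.last_idx or idx > self.max_ticks:
            return False                    # replayed, stale, or beyond the agreed limit
        v = value
        for _ in range(idx - self.last_idx):
            v = sha(v)                      # walk back toward last_value
        if v != self.last_value:
            return False                    # forged tick
        self.last_idx, self.last_value = idx, value
        return True

    def amount_owed(self) -> int:
        """Ticks accepted so far; only the newest (idx, value) is needed for settlement."""
        return self.last_idx
```

The seller stores one hash value per session and never needs the buyer's key for per-tick verification, which is what makes localized message handling cheap; the bill can never exceed `max_ticks` because the buyer has no further preimages to release.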
Conclusions
• Potential for significant improvements with parallel signaling
• Static trust relationships concentrated within organizational units
• Flexibility with SPKI and Policy Management
• Tick payments: efficiency & control
Future research ideas
• More extensive use of SPKI
• Trust relationships
• Certificate management
• Improved verification of credibility
• Integration with DIAMETER
• Policy management with distributed policies
AAA Architecture for hierarchical wireless Mobile IPv4
Tom Weckström
WWW
http://www.cs.hut.fi/Research/Dynamics/