1 / 12

NSIS QoS NSLP Authorzation Issues Hannes Tschofenig

NSIS QoS NSLP Authorzation Issues Hannes Tschofenig. Current Status. Trust Model: New Jersey Turnpike Model. Network A. Network B. Network C. Peering relationship is used to provide charging between neighboring networks - similar to edge pricing proposed by Schenker et. al.

bkuo
Download Presentation

NSIS QoS NSLP Authorzation Issues Hannes Tschofenig

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NSIS QoS NSLP Authorzation IssuesHannes Tschofenig

  2. Current Status

  3. Trust Model: New Jersey Turnpike Model Network A Network B Network C • Peering relationship is used to provide charging between neighboring networks - similar to edge pricing proposed by Schenker et. al. • David Clark: "We know how to route packets, what we don't know how to do is route dollars." Data Sender Data Receiver Node B Node A

  4. Two-Party Approach QoS Request Entity requesting resource • Properties: • Strong trust relationship between "Entity authorizing resource request" and "Entity performing QoS reservation" • Typically: Data-origin authentication sufficient • Financial establishment pre-established based on previous protocol execution • Examples: • PacketCable authorization within the network where the user is attached. Entity authorizing resource request granted/rejected End Node Node within the attached network

  5. Entity authorizing resource request Three-Party ApproachEntity Authentication • Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation" • Properties / Usage Environment: • AAA-type authorization - splitting functional components • Dynamic re-authorization based on new incoming requests. • Typically: entity authentication between "Entity requesting resource" and "Entity authorizing resource requests" QoS Authz Request QoS Authz Response QoS Request Entity requesting resource Entity performing QoS reservations granted/rejected

  6. Entity authorizing resource request (TTP) Three-Party ApproachToken based Mechanism Authz Token Request • Financial establishment created between "Entity authorizing resource request" and "Entity performing QoS reservation" • Properties / Usage Environment: • Common authorization tokens (e.g., OSP - Tokens; RSVP Session and Media Authorization) • Token either allows two protocols to be linked or represents a monetary value • Provides some sort of anonymity • Digital money (or e-payment) could also be used Authz Token QoS Request + Token Entity requesting resource Entity performing QoS reservations granted/rejected

  7. Open Issues

  8. Authentication, Authorization and Accounting Infrastructure • Authorization might not always happen at an NSIS element itself (see roaming scenarios) • Information which is exchanged between the end host (e.g., NI) needs to be forwarded to a backend server (e.g., PDP or AAA server) • NSIS and AAA protocols need to aligned • Work ongoing with Frank Alfano, Pete McCann

  9. State-of-the-Art: TLS-based Mutual Authentication +---------+ +---------+ | MN | | R1 | +---------+ +---------+ + <---------------------------------------------> + | Discovery Request/Response (NTLP) | | | | <---------------------------------------------> | | Transport Layer Connection Setup | | | | <---------------------------------------------> | Initial | Transport Layer Security | Setup | Handshake Layer (Mutual authentication) | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | TLS Record Layer Established | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | | | ----------------------------------------------> | | NTLP/NSLP QoS CREATE msg | | | | <---------------------------------------------- | | NTLP/NSLP QoS ACK msg | | | + + ..........

  10. Open Issue: C/R-based Authentication Entity requesting resource Entity performing QoS reservations Entity authorizing resource request • How long is the authorization decision valid? • More flexible approach (support of different authentication protocols): EAP based authentication + Authorization QoS Request (Identity) AAA-QoS (identity) Unauthorized (challenge) AAA-QoS (challenge) QoS Request+Response AAA-QoS (response) Success/Failure AAA-QoS (success/failure)

  11. EAP-based Approach (1/2) +---------+ +---------+ | MN | | R1 | +---------+ +---------+ + <---------------------------------------------> + | Discovery Request/Response (NTLP) | | | | ----------------------------------------------> | | Datagram Mode | | NTLP/NSLP QoS CREATE Req. | | (EAP-Auth/Authz requested; | Initial | EAP-Request/Identity) | Setup | | | <---------------------------------------------- | | Datagram Mode | | NTLP/NSLP QoS CREATE Resp. | | (EAP-Request/AKA-Challenge | | (AT_RAND, AT_AUTN, AT_MAC)) | | (Algorithm/Parameter Negotiation) | | ----------------------------------------------> | | Datagram Mode | | NTLP/NSLP QoS CREATE Req. | | (EAP-Response/AKA-Challenge | | (AT_RES, AT_MAC)) | | (Algorithm/Parameter Negotiation) |

  12. EAP-based Approach (2/2) | | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | Authentication Authorization finished | | Secure channel at the NSLP layer established | +~+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+~+ | <---------------------------------------------- | | NTLP/NSLP QoS CREATE Resp. | | NTLP/NSLP QoS CREATE Req. | | (EAP-Success) | | (Secure Confirmation) | | | + + .......... + + | ----------------------------------------------> | | NTLP/NSLP QoS REFRSH msg | Refresh | | Msg | <---------------------------------------------- | | NTLP/NSLP QoS ACK msg | + +

More Related