[IEEE 2011 5th International Conference on Next Generation Mobile Applications, Services and Technologies (NGMAST) - Cardiff, United Kingdom (2011.09.14-2011.09.16)]

Signaling Messages and AVPs for 3P-AAA framework

Dmitry Tairov, Ivan Ganchev, Mairtin O’Droma
Telecommunications Research Centre
University of Limerick, Limerick, Ireland

{dmitry.tairov, ivan.ganchev, mairtin.odroma}@ul.ie

Abstract— This paper looks at the details of the signaling required for the implementation of the novel Third-Party Authentication, Authorization and Accounting (3P-AAA) framework. The motivation and functionality of the main 3P-AAA interfaces are discussed. As a result of this discussion, new and modified messages based on the Diameter protocol are outlined.

Keywords-Ubiquitous consumer wireless world (UCWW); consumer-centric business model (CBM); third-party authentication, authorization and accounting (3P-AAA); Diameter; attribute-value pair (AVP); PANA.

I. INTRODUCTION

Mobile networks have evolved significantly since their initial widespread rollout in the 1990s. Most mobile users have experienced not only the change in radio technology and the improvement of the physical aspects of communication, but also a change in the way services are offered to them. Initially, voice services were the principal source of revenue for mobile network providers; nowadays, however, with the ubiquitous use of smart phones, a new range of services is emerging. There is also mounting pressure for a shift towards all-IP network convergence. From the providers’ perspective it is crucial to diversify their services and adopt new business models in order to continue generating revenue. One of the major shifts in the evolution of the mobile services business model has been a shift towards more personalized services. Service diversity has brought a new player – the third-party Value Added Service Provider (VASP) – into the market, where each VASP tries to occupy its own niche in that expanding domain.

With the emergence of modern Service Delivery Platforms (SDP) and Operation Support Systems (OSS) there has been a significant improvement in the time-to-market for the deployment of new services. Despite these improvements, it should be noted that there is still a great deal of rigidity in the way these novel services are offered to the end user. In order to gain access to services, the end user needs to take out a subscription with a network provider. Thus the mobile user’s choice of services is mostly limited to what is offered by his/her home network. As a result, the mobile user might not be able to access some desired services without a change of subscription, which is still quite inflexible.

The newly proposed Consumer-centric Business Model (CBM) [1, 2] shifts the central emphasis from the home Access Network Provider (ANP) to the Mobile User (MU). This is done by decoupling Authentication, Authorization and Accounting (AAA) services from the provision of communication access services and teleservices in the newly emerging Ubiquitous Consumer Wireless World (UCWW). By moving the AAA responsibilities under the supervision and management of third-party AAA service providers (3P-AAA-SPs), the new framework creates a more flexible environment where the MU benefits from a greater degree of choice and freedom. In consequence, the mobile user will be able to receive the best offered services at any time, regardless of his/her location. One important aspect of 3P-AAA is the Hot Access network Change (HAC), which would allow a vertical handover to be performed when the level of service provision falls below a certain threshold value. What makes HAC different from other handover mechanisms is that it is performed not by the ANP but by the mobile user or the teleservice provider (TSP). Moreover, HAC could be triggered even when the MU does not move at all.

Third-party VASPs will also benefit from the introduction of 3P-AAA, as it would eliminate the need to develop their own AAA infrastructure or to be chained by a contractual relationship to the SDP of an ANP. Of course, 3P-AAA deployment would have to be a gradual process. The reality is that many telecommunication companies still need to upgrade their signaling infrastructure from SS7 to modern IP protocols and adopt frameworks such as the IP Multimedia Subsystem (IMS). As discussed in [3], IMS and 3P-AAA can be integrated together. Since the success of services and technologies is generally decided by the end users (consumers), the 3P-AAA framework has the advantage that it puts the consumer at the heart of its paradigm.
In general, the 3P-AAA framework closely follows Next Generation Networks (NGN) guidelines outlined by the IMS/NGN Forum [4] as it strives for centralization of consumer and product data, service personalization, multi-dimensional charging and policy management.

The rest of this paper is organized as follows. Section II describes the motivations and primary tasks of the 3P-AAA interfaces. Section III looks at the signaling protocols that must be adopted for the operation of 3P-AAA. Section IV describes the new messages and attribute-value pairs (AVPs) that will be introduced by the framework. Finally, Section V concludes this paper.

2011 Fifth International Conference on Next Generation Mobile Applications and Services

978-0-7695-4496-0/11 $26.00 © 2011 IEEE

DOI 10.1109/NGMAST.2011.40

180

II. 3P-AAA INTERFACES

The key role in the 3P-AAA infrastructure is played by its interfaces, since they enable communication between the different entities of the framework. Due to the resilience requirements and the sensitivity of the data traversing these interfaces, a careful examination of each interface’s functionality should be performed. The challenge is that the creation of 3P-AAA would produce new forms of interactions and scenarios that have not been seen previously. For example, given the decoupling of the provision of teleservices from that of access communication services, the interaction with a third-party VASP should be direct, through one of these interfaces. This is quite different from the way third-party VASP services are accessed now, i.e. through the home access network, where a Service Level Agreement (SLA) exists between the home network and the third-party VASP. Thus, prior to the actual service deployment, the VASP has to be plugged into the IMS Open Service Access (OSA) or another Service Delivery Platform. The principal task of these entities is to perform accounting and charging, and to provide information regarding the network resources that can be accessed by the third-party VASP. Within 3P-AAA these entities can be replaced by interface interactions, since charging and accounting will be serviced by the 3P-AAA service providers and network resource access can be advertised through other entities of the UCWW (Wireless Broadband Channels (WBC) and Advertisement, Discovery and Association (ADA) agents) [5].

Fig. 1 shows the three principle interfaces envisioned for the 3P-AAA framework.

Figure 1: 3P-AAA interfaces

Interface ‘a’

This interface is responsible for the MU’s communication with the service-providing entities, i.e. ANPs, TSPs, and VASPs. It is over this interface that a session with the service of interest is established and maintained. The aliveness of the session is monitored by signaling messages. In case of events that might cause a change in the session state, an informative update message is exchanged between the communicating peers. When the mobile user has finished using the service, a session termination procedure takes place.

Security is a major concern for this interface, since it operates in the most vulnerable (i.e. wireless) environment in comparison to the other interfaces. Previously, as in Global System for Mobile Communication (GSM) networks, the authentication procedure between the mobile user and the network provider was one-way only. Nowadays, however, wireless service providers can easily be spoofed by malicious attackers. Taking this into consideration, it is important to perform two-way authentication between the communicating parties. 3P-AAA employs X.509 certificates for mutual authentication of peers. In order to provide strong authentication, the three-way authentication option of X.509 should be employed. The benefit of three-way authentication is that it places less stringent requirements on time synchronization between the devices involved. In the 3P-AAA framework, the last (third) message also carries an authentication decision back to the party that initiated the authentication procedure.

Interface ‘b’

The primary purpose of this interface is to enable interaction between the mobile user and his/her 3P-AAA-SP. A number of diverse tasks can be attributed to this interface. The mobile user would be able to interact with his/her 3P-AAA account for purposes such as checking accounting information and adjusting profile settings. Another key feature of the 3P-AAA framework is to provide accounting and billing transparency. Interacting with multiple access and teleservice providers, the mobile user has to be assured that the charges applied by these diverse entities are indeed accurate. After each session termination procedure, the mobile user issues a request to the 3P-AAA-SP for the Charging Detail Record (CDR) of the recently terminated session. The MU’s equipment can aggregate the appropriate CDR information and calculate whether the charges applied have been accurate. In scenarios where the connection to the 3P-AAA-SP has been lost during an ongoing session, it might be appropriate for the service provider to store accounting data locally without service interruption and later forward the updated data to the 3P-AAA server. Even in this case, the state machine has to ensure that the CDR data is still delivered to the end user.

Interface ‘c’

This interface performs the vital task of providing the information needed for authorization, accounting and charging. All entities of the 3P-AAA framework that provide services would be connected by means of the ‘c’ interface to the 3P-AAA-SP server. Security is also an important issue for this interface, but unlike interface ‘a’, entities communicating by means of interface ‘c’ share a security association established through the initial subscription. Resilience of the interface is of paramount significance, since it handles accounting and charging related streams of data; thus it should be able to handle failover scenarios. This interface will also provide flexible charging to the framework through the adoption of both online and offline charging capabilities. Online charging is synonymous with the idea of prepaid services: in order to access services, a credit check is first performed on the user account and a certain amount is debited or reserved. Online charging is performed in real time and can thus influence the session state. Offline charging is less stringent and does not require credit control facilities. When offline charging is used, the resource usage is reported and charges are applied based on the amount of resources consumed. This kind of charging is less flexible and is typically used for subscription-based services.
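The difference between online and offline charging on interface ‘c’, and the CDR check the MU performs over interface ‘b’, can be made concrete with a small model. The Python below is an added example, not the paper’s protocol or any Diameter Credit Control implementation: the account, unit price, quota and usage figures are constructed, and the session classes only model the reserve/debit/release sequence of prepaid charging beside the report-then-rate sequence of postpaid charging, followed by the reconciliation of the resulting CDR against the MU’s own usage log.

```python
from dataclasses import dataclass

# Constructed model: balances and prices are in abstract units, and the two session
# classes reproduce only the ordering of credit operations that the paper attributes to
# online (prepaid) and offline (postpaid) charging on interface 'c'.


@dataclass
class Account:
    balance: int          # credit available to the mobile user
    reserved: int = 0     # credit held for an open online session


@dataclass
class OnlineChargingSession:
    """Prepaid flow: credit check and reservation before use, debit on every usage
    report, release of the unused reservation when the session terminates."""
    account: Account
    unit_price: int
    quota_units: int      # units the server grants per reservation
    granted: int = 0
    used_units: int = 0

    def _reserve(self):
        free = self.account.balance - self.account.reserved
        self.granted = min(self.quota_units, free // self.unit_price)
        self.account.reserved += self.granted * self.unit_price
        return self.granted

    def _debit(self, units):
        if units > self.granted:
            raise ValueError("usage exceeds the granted quota")
        self.account.balance -= units * self.unit_price
        self.account.reserved -= self.granted * self.unit_price   # release whole grant
        self.granted = 0
        self.used_units += units

    def start(self):
        """Initial credit check; False means the session must not be admitted."""
        return self._reserve() > 0

    def report_usage(self, units):
        """Debit consumed units and ask for a fresh grant. A return value of 0 means
        the credit is exhausted, so the real-time decision is to end the session."""
        self._debit(units)
        return self._reserve()

    def terminate(self, units=0):
        """Final debit and release; the CDR is what the MU later fetches over 'b'."""
        self._debit(units)
        return {"mode": "online", "units": self.used_units,
                "charge": self.used_units * self.unit_price, "unit_price": self.unit_price}


@dataclass
class OfflineChargingSession:
    """Postpaid flow: no credit check; usage is collected and rated afterwards, so an
    overrun of the balance cannot be prevented while the session is running."""
    account: Account
    unit_price: int
    used_units: int = 0

    def report_usage(self, units):
        self.used_units += units

    def terminate(self):
        cdr = {"mode": "offline", "units": self.used_units,
               "charge": self.used_units * self.unit_price, "unit_price": self.unit_price}
        self.account.balance -= cdr["charge"]     # billed after the fact, may go negative
        return cdr


def cdr_matches_local_usage(cdr, local_units, agreed_unit_price):
    """The transparency check of interface 'b': the MU's equipment compares the CDR
    with its own usage log and the price agreed with the provider."""
    return (cdr["units"] == local_units
            and cdr["charge"] == local_units * agreed_unit_price)


if __name__ == "__main__":
    acct = Account(balance=50)
    session = OnlineChargingSession(acct, unit_price=2, quota_units=10)
    if session.start():
        grant = session.report_usage(10)
        while grant:
            grant = session.report_usage(grant)   # consume each grant fully
    cdr = session.terminate()
    print(cdr, "matches local log:", cdr_matches_local_usage(cdr, 25, 2))
```

With a balance of 50 and a unit price of 2, the online session is granted 10, 10 and then only 5 units before the server returns a zero grant, and the account never goes below zero; the offline session with the same balance simply records usage and can leave the account negative once rated.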

III. ADOPTED SIGNALLING PROTOCOLS

The success of the 3P-AAA implementation depends heavily on the choice of a signaling protocol that will not only integrate the outlined interface features but also provide underlying stability and failover mechanisms.

Diameter

The Diameter protocol [6] emerged in 2003 with the main goal of replacing legacy AAA and signaling protocols such as RADIUS and SS7. This protocol has a number of architectural advantages over its predecessors, to mention just a few: reliable transport, a failover mechanism, extensibility, etc. Due to its rich set of features it has been widely accepted as the principal AAA protocol for NGN and has been embraced by the Third Generation Partnership Project (3GPP) collaboration body. The Diameter Base protocol only provides support for general AAA features; nonetheless, extensibility has been at the heart of the protocol’s design, and since its conception a number of applications (protocols) have been created based on Diameter. These protocols extend Diameter Base through the definition of new signaling messages and attribute-value pairs (AVPs) in order to provide functionality targeting more specific requirements, examples being the Diameter Credit Control, Session Initiation Protocol (SIP), and Mobile IP applications. The combination of the Diameter Base protocol and the Credit Control Application [7] provides a suitable signaling framework for the novel ‘b’ and ‘c’ 3P-AAA interfaces. The base protocol is suitable since it provides a robust framework for AAA session control, and its accounting features are suitable for the provision of offline charging. On the other hand, the accounting features of Diameter Base are insufficient for more flexible online charging. Support for Credit Control would enable online charging; its features allow credit reservation, account checking, account replenishment, etc. For both of these interfaces the changes to the Diameter signaling are not significant. An example of a change would be the modification of some AVPs in order to support additional features of 3P-AAA, such as extending the Termination-Cause AVP to include additional HAC-related scenarios.

Regardless of the careful architectural design and widespread adoption, some issues have surfaced only during implementation and deployment of the Diameter protocol. Evolving standards have created different interpretations and implementations that lead to incompatibilities between vendors [8]. However, some of the problems are inherent in the base protocol itself. For example, the initial information exchange between peers, which helps establish a connection, is not clearly specified in RFC 3588, and its interpretation may only be deduced from the state machines. The connection establishment is influenced by the list of supported vendor identifiers. The problem here emerges when the corresponding end-to-end nodes support the same list of vendors but the intermediary nodes participating in the routing do not. Based on protocol deployment experience, and in order to solve interoperability issues, the Diameter Maintenance and Extensions (DIME) Working Group came up with a new version of the protocol that is currently under discussion. The RFC3588bis document claims full backward compatibility with the original RFC 3588 and aims at fixing the reported issues [9].

PANA

PANA (Protocol for carrying Authentication for Network Access) is defined by RFC 5191 [10]. As the name suggests, the principal purpose of this protocol is to provide authentication to the access network. PANA does not define any security protocol or procedure of its own. Instead it relies on the Extensible Authentication Protocol (EAP) infrastructure and protocols. PANA defines a state machine for performing authentication along with some basic messages. From a security point of view, the integrity of the channel depends on the chosen EAP method. One of the issues is that PANA uses the transport services of the User Datagram Protocol (UDP). This means that it does not provide retransmission procedures and would not be able to handle QoS traffic.

One of the solutions that could be adopted is to include the features of the PANA protocol through the creation of an extended 3P-AAA protocol that would provide these features as an extension to the Diameter Base protocol. What makes this solution viable is the fact that both protocols have quite similar structures: the primary source of information is contained within AVPs. Thus the new extended features introduced to the 3P-AAA protocol would handle mutual authentication, the HAC procedure’s signaling and other related tasks. These additions to the protocol are discussed in greater detail in the following section.


Figure 2: 3P-AAA Protocol Stack

IV. NEW MESSAGES AND AVPS

The new salient features of the 3P-AAA infrastructure would require novel messages and AVPs to be defined to support them. Some of these features and scenarios include:

• Mutual authentication by means of X.509 certificates;

• Access to the 3P-AAA accounting information, including credit check, account replenishment and reception of charging detail records;

• HAC-related scenarios, both user- and TSP-triggered;

• Accommodation of asymmetric service access through different ANPs.

Table I displays the principal new 3P-AAA messages and the associated new AVPs. The ‘AVP Type’ column uses some of the data types defined within the Diameter Base protocol to encode data in a specific format, whereas the ‘Description’ column gives a brief description of each AVP. Not listed in the table are the new request/response type messages used by the mobile user to query accounting information, since these messages reuse AVPs outlined in the Credit Control Application.
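As an added illustration of the encoding that Table I relies on (it is not code from the paper or from the 3P-AAA project), the following Python builds and checks a 3P-AAA-Auth-Request carrying the Nonce, Digital-Envelop and AUTH AVPs of Table I, plus the Integrity Algorithm AVP of the Start exchange, in RFC 3588 AVP and header format. The paper assigns no numeric AVP codes, Vendor-ID or Application-ID, so those values are placeholders; the Digital-Envelop content is a constructed byte string standing in for the session key encrypted under the MU’s public key; and computing AUTH as an HMAC over the message with the AUTH value zeroed is borrowed from PANA’s AUTH AVP (RFC 5191), which the paper adopts features from but does not specify for 3P-AAA, so that rule is an assumption of this example.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 3588 bit flags: AVP header flags (section 4.1) and command flags (section 3).
AVP_FLAG_V = 0x80   # Vendor-Specific: a 32-bit Vendor-ID follows the AVP length
AVP_FLAG_M = 0x40   # Mandatory: receiver must understand the AVP or reject the message
CMD_FLAG_R = 0x80   # Request (cleared in the Answer)

# Table I names these AVPs but assigns no numeric codes, Vendor-ID or Application-ID;
# every number below is a placeholder constructed for this example only.
VENDOR_3PAAA = 99999
APP_3PAAA_USER = 16777999
CMD_3PAAA_AUTH = 0x300001        # command codes are 24-bit
AVP_INTEGRITY_ALGORITHM = 1000   # Enumerated: HMAC-SHA1-160 = 0, HMAC-MD5-128 = 1 (Table I)
AVP_NONCE = 1001                 # OctetString
AVP_DIGITAL_ENVELOP = 1002       # OctetString
AVP_AUTH = 1003                  # OctetString

HMAC_SHA1_160, HMAC_MD5_128 = 0, 1
MAC_ALGS = {HMAC_SHA1_160: hashlib.sha1, HMAC_MD5_128: hashlib.md5}


def encode_avp(code, data, vendor=VENDOR_3PAAA):
    """RFC 3588 AVP: code(32) | flags(8) length(24) | vendor(32) | data | zero pad to 4."""
    flags = AVP_FLAG_V | AVP_FLAG_M
    length = 12 + len(data)                      # header incl. Vendor-ID plus unpadded data
    return (struct.pack("!II", code, (flags << 24) | length)
            + struct.pack("!I", vendor) + data + b"\x00" * (-len(data) % 4))


def decode_avps(buf, start):
    """Walk the AVPs in buf from offset start; yield (code, vendor, data, data_offset)."""
    off = start
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", buf, off)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & AVP_FLAG_V else 8
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_FLAG_V else 0
        if length < hdr or off + length > len(buf):
            raise ValueError("malformed AVP length")
        yield code, vendor, buf[off + hdr:off + length], off + hdr
        off += (length + 3) & ~3                 # next AVP starts on a 4-byte boundary


def encode_message(cmd_code, cmd_flags, app_id, hop_by_hop, end_to_end, avps):
    """RFC 3588 header (20 bytes): ver(8) len(24) | flags(8) cmd(24) | app | hbh | e2e."""
    return struct.pack("!IIIII", (1 << 24) | (20 + len(avps)), (cmd_flags << 24) | cmd_code,
                       app_id, hop_by_hop, end_to_end) + avps


def build_auth_request(session_key, nonce, envelope, alg=HMAC_SHA1_160,
                       hop_by_hop=0x1001, end_to_end=0x2001):
    """3P-AAA-Auth-Request with Nonce, Digital-Envelop and AUTH (Table I). AUTH is the
    HMAC over the whole message with the AUTH value zeroed (PANA's rule, assumed here)."""
    digest = MAC_ALGS[alg]
    mac_len = digest().digest_size               # 20 for SHA1-160, 16 for MD5-128
    body = (encode_avp(AVP_INTEGRITY_ALGORITHM, struct.pack("!i", alg))
            + encode_avp(AVP_NONCE, nonce)
            + encode_avp(AVP_DIGITAL_ENVELOP, envelope)
            + encode_avp(AVP_AUTH, b"\x00" * mac_len))
    unsigned = encode_message(CMD_3PAAA_AUTH, CMD_FLAG_R, APP_3PAAA_USER,
                              hop_by_hop, end_to_end, body)
    mac = hmac.new(session_key, unsigned, digest).digest()
    return unsigned[:-mac_len] + mac             # AUTH is last; both MAC sizes need no pad


def verify_auth_request(msg, session_key):
    """Parse a 3P-AAA-Auth-Request and check its AUTH AVP; return the fields or None."""
    if len(msg) < 20 or msg[0] != 1:            # Diameter version byte
        return None
    if struct.unpack_from("!I", msg)[0] & 0xFFFFFF != len(msg):
        return None                               # truncated or padded message
    fields, auth = {}, None
    for code, vendor, data, off in decode_avps(msg, 20):
        if vendor != VENDOR_3PAAA:
            continue
        fields[code] = data
        if code == AVP_AUTH:
            auth = (data, off)
    if auth is None or AVP_INTEGRITY_ALGORITHM not in fields:
        return None
    alg = struct.unpack("!i", fields[AVP_INTEGRITY_ALGORITHM])[0]
    if alg not in MAC_ALGS:
        return None
    data, off = auth
    zeroed = msg[:off] + b"\x00" * len(data) + msg[off + len(data):]
    expected = hmac.new(session_key, zeroed, MAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, data):   # constant-time comparison
        return None
    return {"alg": alg, "nonce": fields.get(AVP_NONCE),
            "envelope": fields.get(AVP_DIGITAL_ENVELOP)}


if __name__ == "__main__":
    key = secrets.token_bytes(32)                # session key shared via the envelope step
    msg = build_auth_request(key, secrets.token_bytes(16), b"constructed-envelope")
    print(len(msg), "bytes;", "AUTH ok" if verify_auth_request(msg, key) else "AUTH failed")
```

Two details matter for a receiver: the AVP length field counts the unpadded data, so the parser advances by the padded length, and the AUTH check is performed over the exact bytes received (with only the AUTH value zeroed) so that any change to the nonce, the envelope or the header fields invalidates the message.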

TABLE I. NEW MESSAGES AND AVPS FOR 3P-AAA PROTOCOL

Messages | Interface | New AVP | AVP Type | Description
--- | --- | --- | --- | ---
3P-AAA-MU-Initiation (3P-AAA User Application) | a | - | - | Initiates connection to ANP/TSP
3P-AAA-Start-Request/Answer (3P-AAA User Application) | a | Certificate | OctetString | Contains X.509 Certificate
 | | Integrity Algorithm | Enumerated | HMAC-SHA1-160 (0); HMAC-MD5-128 (1)
3P-AAA-Auth-Request/Answer (3P-AAA User Application) | a | Nonce | OctetString | Pseudo-randomly generated number
 | | Digital-Envelop | OctetString | Carries session key encoded with MU’s public key
 | | AUTH | OctetString | Provides message integrity
3P-AAA-Ping-Request/Answer (3P-AAA User Application) | a | Ping-Timer | Unsigned32 | Used to check aliveness of connection
Termination-Request/Answer (3P-AAA User Application) | a/c | Termination-Cause (modified) | Enumerated | 3P-AAA_NO_TRANSPORT (9); 3P-AAA_HAC (10)
3P-AAA-Update-Request/Answer (3P-AAA User Application) | a | Hot-Access-Change | Grouped | Contains AVPs for HAC procedure
 | | Replenishment-Indicator | UTF8String | Contains Service-Context-Id for which account should be replenished
 | | CDR-Notification | Grouped | Contains Session-Id and Service-Context-Id; used as part of failover process
 | | HAC-Initiator | DiameterIdentity | Signals which party has initiated the HAC (also included in the Credit-Control Request)
 | | Multiple-ANP-Provision | Enumerated | MULTIPLE-ANP-PROVISION_ALLOWED (0); MULTIPLE-ANP-PROVISION_PROHIBITED (1)
 | | Old-Service-Provider | DiameterIdentity | ANP/TSP that MU has switched from
 | | New-Server-Provider | DiameterIdentity | ANP/TSP that MU has switched to
3P-AAA-CDR-Request/Answer (3P-AAA User Application) | b | Universal-3p3a-Charging-Detail-Record | UTF8String | Contains Charging Detail Record (CDR)

V. CONCLUSION

This paper has outlined the principal concerns related to the third-party Authentication, Authorization and Accounting (3P-AAA) signaling infrastructure. This novel infrastructure, based on the Consumer-centric Business Model (CBM), will enable Mobile Users (MUs) to enjoy services and network coverage that can be qualified as Always Best Connected and best Served (ABC&S). Introduction of this infrastructure would be especially beneficial for the end users (consumers) as well as for third-party Value-Added Service Providers (VASPs). The key to a successful implementation lies in the creation of a robust and flexible signaling framework that provides control and communication between the different entities of 3P-AAA. This framework rests on the design of the innovative 3P-AAA protocol, which is based on the Diameter Base protocol. The principal interfaces that interconnect the participating entities create an environment where a number of new telecommunication scenarios can be realized. These include a new way of interacting with the MU’s account, accounting transparency through the reception of a session’s Charging Detail Records (CDRs), vertical handover by means of the Hot Access network Change (HAC) procedure, etc. As practice shows, even the most carefully planned and devised architecture might run into problems during deployment; thus, by using Diameter as the base protocol, the 3P-AAA framework secures its ability to adapt to changes and revisions, as new messages and AVPs can be further integrated into the architectural design.

ACKNOWLEDGMENT

This publication has been supported by the Irish Research Council for Science, Engineering and Technology (IRCSET) and the Telecommunications Research Centre, University of Limerick, Ireland (http://www.ece.ul.ie/trc).

REFERENCES

[1] O'Droma, M. and I. Ganchev, “The Creation of a Ubiquitous Consumer Wireless World through Strategic ITU-T Standardization”. IEEE Communications, 2010. 48(10): p. 158-165.

[2] O’Droma, M. and I. Ganchev, “Toward a Ubiquitous Consumer Wireless World”. IEEE Wireless Communications, 2007. 14(1): p. 52-63.

[3] Tairov, D., I. Ganchev, and M. O'Droma, “Third-Party AAA Framework and Signaling in UCWW” (pending). 7th International Conference on Wireless Communications, Wuhan, China, 2011.

[4] IMS/NGN Forum, BSS/OSS & Security for Services in NGN/IMS Paradigm: Guidelines for Implementation. 2009.

[5] Zhanlin, J., I. Ganchev, and M. O'Droma, “Performance Evaluation of 'WBC over DVB-H' System”. IEEE Transactions on Consumer Electronics, 2009. 55(2): p. 754-762.

[6] Calhoun, P. and E. Guttman, Diameter Base Protocol. RFC 3588, 2003.

[7] Hakala, H. and L. Mattila, Diameter Credit Control Application. RFC 4006, 2005.

[8] IMS/NGN Forum, IMS AAA Architecture: The Diameter Advantage. 2009.

[9] Fajardo, V. and J. Arkko, Diameter Base Protocol (revised). IETF draft, January 20, 2011.

[10] D. Forsberg, Y.O., B. Patil, Protocol for Carrying Authentication for Network Access (PANA). RFC 5191, 2008.
