[IEEE 2011 7th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM) - Wuhan, China (2011.09.23-2011.09.25)]

Third-Party AAA Framework and Signaling in UCWW

Dmitry Tairov, Ivan Ganchev, Mairtin O’Droma

Telecommunications Research Centre, University of Limerick, Limerick, Ireland

{dmitry.tairov, ivan.ganchev, mairtin.odroma}@ul.ie

Abstract— This paper treats the signaling needs which will satisfy the requirements of the novel Third-Party Authentication, Authorization and Accounting (3P-AAA) framework. The main 3P-AAA interfaces and candidate signaling protocols are described. Some aspects of the integration of the proposed 3P-AAA framework with the currently existent 3GPP IP multimedia subsystems (IMS) are also considered.

Keywords: Ubiquitous consumer wireless world (UCWW); Consumer-centric business model (CBM); Third-Party authentication, authorization and accounting (3P-AAA); IP multimedia subsystem (IMS); signaling protocol.

I. INTRODUCTION

The novel Third-Party Authentication, Authorization and Accounting (3P-AAA) framework is one of the key components of the emerging Ubiquitous Consumer Wireless World (UCWW), a concept extensively described in [1, 2]. Probably the most important aspect of UCWW is the change of the underlying business model. The newly proposed Consumer-centric Business Model (CBM) shifts the central emphasis from the home Access Network Provider (ANP) to the Mobile User (MU). This is done by decoupling Authentication, Authorization and Accounting (AAA) services from the provision of communication access services and teleservices. By moving the AAA responsibilities under the supervision and management of third-party AAA service providers (3P-AAA-SPs), the new framework creates a more flexible environment in which the MU benefits from a greater degree of choice and freedom. The emergence of UCWW will play a crucial role not only in the way MUs access services but in particular in the way value-added services are developed and offered.

To describe generically the 3P-AAA operation, one might imagine a mobile user positioned within the coverage area of multiple ANPs with a variety of access technologies available. In order to use some teleservices, the user first has to establish a dynamic association with an ANP. The choice of ANP may be made based on QoS parameters, with the price of the ANP service included as an additional criterion. Using the transport provided by this ANP, the MU would be able to request a teleservice from some Teleservice Provider (TSP). At the same time a separate session may be initiated via a different ANP and access technology to, say, a value-added service provider (VASP), which provides additional functionality to the requested basic teleservice.

Both ANPs are aware only of the connection activity through their own network. The relevant 3P-AAA-SPs of the four entities providing services will keep track of the corresponding accounting streams associated with each service session.

Another serious issue addressed by the 3P-AAA framework is support for mobility, which involves a change of the access network during an ongoing teleservice session, i.e. a handover. 3P-AAA introduces a new type of handover, the Hot Access network Change (HAC). The principal difference between HAC and the conventional handover techniques is that it is user-driven or TSP-driven and usually ANP-transparent. HAC may be initiated by either the MU or the TSP, for example when the user decides to change the current ANP for some price-performance advantage. S/he initiates an association with a new (preferred) ANP and notifies the serving TSP that the media stream has to be transferred via this new ANP. Once the teleservice session transfer is completed successfully, the user terminates the association with the old ANP. Transfer of the media stream can be achieved by means of the mobile SCTP (mSCTP) transport protocol [3]. In the case when the charges applied by the new ANP are higher than the old ANP’s charges, the party that triggered the HAC procedure (i.e. either the MU or the TSP) pays the extra cost.

The rest of this paper is organized as follows. Section II describes the 3P-AAA interfaces. Section III briefly looks at the structure of the Third Generation Partnership Project’s (3GPP) IP Multimedia Subsystem (IMS) [4], which can be used as a reference model of an existing technology encompassing some of the features envisioned for the 3P-AAA framework. Section IV describes how 3P-AAA may be integrated with IMS thus enabling co-existence of the Subscriber-based business model (SBM) and CBM. Section V discusses the choice of signaling protocols. Finally, section VI concludes the paper.

978-1-4244-6252-0/11/$26.00 ©2011 IEEE


II. 3P-AAA INTERFACES

As mentioned above, the principal aim of the 3P-AAA infrastructure is to decouple the provision of AAA services from communication services and teleservices. Thus the 3P-AAA-SP, ANP and TSP domains are separate entities that communicate by means of signaling interfaces.

Three types of 3P-AAA interfaces are outlined in Fig. 1 and explained below:

Figure 1. The 3P-AAA signaling interfaces.

a) Interface ‘a’ carries signaling information between MU and ANP/TSP/VASP. It is by means of this interface that the session is initiated and established with the ANP/TSP/VASP’s access point or gateway router.

b) Interface ‘b’ enables direct communication of MU with 3P-AAA-SP. It is through this interface that MU would be able to issue balance check, account replenishment and Charging Detail Record (CDR) requests.

c) Interface ‘c’ enables ANP/TSP/VASP to exchange signaling information with the corresponding 3P-AAA-SP. Accounting and credit control messages related to the MU session are exchanged over this interface.

Table I lists the main signaling messages identified for communication over these interfaces.

III. IMS OVERVIEW

3GPP provides a set of technical requirements that introduce some of the concepts shared by 3P-AAA, e.g.:

• Interoperability between different access technologies, namely cellular network access, WLAN and WiMAX.

• Provision of IP multimedia services through the introduction of IMS. By adopting a layered approach and separating the transport plane from the IMS plane, the MU is able to access IMS services regardless of the underlying access technology.

• Inclusion of third-party value-added services through Open Service Access (OSA). OSA allows third-party VASPs to provide their services to the MU via a standard Parlay/OSA API.

Fig. 2 presents an overview of the IMS architecture. As can be seen from the diagram, the layered design separates the transport plane from the IMS and service planes. In order to access some application service in a visited network, MU first initiates communication with its gateway. The signaling stream is directed towards the Proxy Call/Session Control Function (P-CSCF), which authorizes the use of resources in the visited network, and the Serving CSCF (S-CSCF). S-CSCF is essentially a SIP server that processes signaling information in IMS. S-CSCF is able to query the Home Subscriber Server (HSS) for user related data, such as profile information or authentication vectors. If the user is successfully authenticated and authorized, s/he could use services provided by the Application Server (AS) including services of the registered third-party VASP.

TABLE I. MESSAGES OVER 3P-AAA INTERFACES

Messages over Interface ‘a’ (MU ↔ ANP/TSP/VASP), all defined by the 3P-AAA User Application:
  3P-AAA-MU-Initiation
  3P-AAA-Start-Request/Answer
  3P-AAA-Auth-Request/Answer
  3P-AAA-Ping-Request/Answer
  3P-AAA-Termination-Request/Answer
  3P-AAA-Update-Request/Answer
  3P-AAA-Price-Enquiry-Request/Answer
  3P-AAA-ReAuth-Request/Answer

Messages over Interface ‘b’ (MU ↔ 3P-AAA), all defined by the 3P-AAA User Application:
  3P-AAA-Get-Credit-Request/Answer
  3P-AAA-Check-Balance-Request/Answer
  3P-AAA-CDR-Request/Answer

Messages over Interface ‘c’ (ANP/TSP/VASP ↔ 3P-AAA):
  Credit-Control-Request/Answer (Diameter Credit-Control)
  Re-Auth-Request/Answer (Diameter Base)
  Session-Termination-Request/Answer (Diameter Base)
  Abort-Session-Request/Answer (Diameter Base)
  Accounting-Request/Answer (Diameter Base)
  Disconnect-Peer-Request/Answer (Diameter Base)
  Device-Watchdog-Request/Answer (Diameter Base)
  Capabilities-Exchange-Request/Answer (Diameter Base)

In terms of signaling protocols, two principal signaling protocols stand out: the Session Initiation Protocol (SIP) [5] and the Diameter AAA protocol [6]. The MU, being a SIP client, is able to initiate a session with the IMS framework through the CSCF. SIP is used for session signaling between the Application Server and the Call/Session Control Function. About 60% of the interfaces defined in IMS use Diameter as their inner signaling protocol.


Figure 2. The IMS architecture.

IV. INTEGRATING 3P-AAA WITH IMS

Services described by the UCWW framework are user-demand driven. In other words, both SBM and CBM should be able to co-exist and occupy their corresponding niche in the market. It should be up to the users to evaluate and decide which services are better suited to their needs. Integration of 3GPP and 3P-AAA would allow mobile users to avail of services provided by both infrastructures. After subscribing with a 3P-AAA Service Provider and obtaining a personal IPv6 address embedded within the CIM (Consumer Identity Module) [7], the MU will be able to gain access to the 3P-AAA services as well as to those of the user’s original Home Network.

Since IMS has capability for provision of teleservices through the deployment of Application Servers and inclusion of VASP through the OSA infrastructure, it may be seen as an integrated access and teleservice provider. Deployment of the 3P-AAA framework will have an impact on the way teleservices are being offered not only from the point of view of the users but also of TSPs. If previously TSPs and VASPs had to have a contractual relationship with the access network providers, now they could be considered as separate standalone entities. Thus seeing the benefits offered by the 3P-AAA any TSP/VASP that previously had contractual relationship with ANP would be able to break away and entrust its AAA management to a 3P-AAA service provider.

Consider a scenario where an MU wishes to access some value-added service. Currently the way to do this would be through the Home ANP: the TSP/VASP would have to be registered with the Home ANP through OSA. That means the MU may be limited in the choice of services, with some lying outside his/her reach not because of technology-related issues but due to the inherent limitations of the SBM. When 3P-AAA is integrated with the existing IMS, as shown in Fig. 3, the MU will be able to establish a session directly with the TSP/VASP through interface ‘a’.

The three interfaces outlined by 3P-AAA would eventually have to be standardized. One of the biggest changes here is how security associations are formed between the MU and the serving ANP/TSP. In the currently deployed IMS infrastructure, users establish security associations backed by their Home ANP through subscription (U/SIM card). In UCWW, since security associations would have to be formed on the fly, both participants (MU and ANP/TSP) would have to mutually authenticate each other. This could be done through the exchange of X.509 digital certificates.

Figure 3. 3P-AAA and IMS integration.

Another issue is mobility related. Currently, mobility in IP networks is associated with the network layer, and a number of schemes exist that provide solutions based on Mobile IPv6. MIPv6 is widely accepted and used in the industry; however, its main disadvantages are a complex architecture and high overhead due to route optimization. Within UCWW, mobility and handover issues may be solved through use of the mSCTP protocol. This protocol not only provides new enhanced transport-layer features, such as multi-streaming and multi-homing, but also allows for seamless vertical handover through Dynamic Address Reconfiguration [3]. The problem with mSCTP is that it is currently only a draft and thus requires more research and testing. However, strategically it can be considered the best mobility solution for cellular networks [8].

V. 3P-AAA SIGNALING PROTOCOLS

The choice of appropriate protocols for use over the 3P-AAA interfaces is a very important task. These protocols must be chosen carefully to meet a number of requirements such as stability, security, failover protection and scalability. Three principal protocols are considered for use in the 3P-AAA infrastructure: SIP, Diameter, and the Protocol for carrying Authentication for Network Access (PANA) [9].

PANA was designed as a protocol that allows clients to authenticate themselves to the access network using protocols of the TCP/IP stack. PANA uses UDP as its transport protocol and does not define any security protocol or procedure of its own; instead it relies on the EAP (Extensible Authentication Protocol) infrastructure and protocols. PANA defines a state machine for performing authentication along with some basic messages. In order to be adopted by the 3P-AAA infrastructure, new messages and AVPs would have to be added to this protocol.

The problem with PANA is that it uses UDP as its transport protocol. This means that it does not provide retransmission procedures and would not be able to handle QoS traffic. There exists a proposed IETF draft for using PANA over the Transport Layer Security (TLS) protocol, which extends PANA functionality by running it over TCP/SCTP. However, this draft expired in 2003.

SIP is an application-layer protocol used for session set-up and control. This protocol, which resembles HTTP in its structure, is currently a widely employed protocol for session control. It can run on top of UDP and TCP, as well as the newer SCTP protocol. The basic operation of SIP can be described as the discovery of and session setup between different network entities, together with negotiation of the session parameters. SIP is commonly used for control of multimedia streams. It uses SDP (Session Description Protocol) to set up a multimedia session by listing session requirements. This mechanism can be used for provision of the appropriate QoS levels.

SIP inherited some of its authentication methods from HTTP. However, its Digest Access Authentication method only allows the server to authenticate the user; it does not support the reverse operation of authenticating the server to the user. Since SIP is so widespread, a number of security extensions have been developed for it. Typically an X.509 certificate exchange takes place during the TLS setup, which requires the use of TCP. There is, however, an extension that allows X.509 certificate exchange over SCTP (RFC 3436). That means that X.509 certificate-based authentication may be performed to mutually authenticate the MU and the access network element.
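As an added example (written for this page, not the authors' code) of the one-way property just described: the Digest computation SIP inherits from HTTP (RFC 3261 section 22.4, RFC 2617), with the server-side check. The user name, realm, password, nonce and request URI are constructed values. The server can verify that the client holds the shared secret, but nothing in the exchange lets the client verify the server, which is what pushes the design toward TLS and X.509 certificates for mutual authentication.

```python
"""SIP/HTTP Digest access authentication, client and server side.

Example code added for this page; not the authors' 3P-AAA software.
Credentials, realm, nonce and URI below are constructed values.
"""
import hashlib
import hmac
import re


def _md5_hex(s):
    # MD5 is what the Digest scheme itself specifies; it is reproduced here
    # as a protocol requirement, not as a recommendation for new designs.
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_params(header):
    """Turn 'Digest realm="x", nonce="y", algorithm=MD5' into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)
    return {k: v.strip('"') for k, v in pairs}


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 'response' without qop: H(H(A1) ":" nonce ":" H(A2))."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge, username, password, method, uri):
    """Client side: answer a WWW-Authenticate/Proxy-Authenticate challenge.
    Note that the client never checks who issued the challenge."""
    p = parse_digest_params(challenge)
    resp = digest_response(username, p["realm"], password, method, uri, p["nonce"])
    return (f'Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')


def server_verify(authorization, method, password_db, issued_nonces):
    """Server side: accept only if the nonce was issued by us and the
    response matches the stored secret for (username, realm)."""
    p = parse_digest_params(authorization)
    if p.get("nonce") not in issued_nonces:
        return False  # unknown or replayed challenge
    secret = password_db.get((p.get("username"), p.get("realm")))
    if secret is None:
        return False
    expected = digest_response(p["username"], p["realm"], secret,
                               method, p["uri"], p["nonce"])
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    challenge = 'Digest realm="3paaa.example", nonce="n0nce-constructed", algorithm=MD5'
    auth = build_authorization(challenge, "mu42", "s3cret", "REGISTER", "sip:3paaa.example")
    db = {("mu42", "3paaa.example"): "s3cret"}
    print(server_verify(auth, "REGISTER", db, {"n0nce-constructed"}))
```

The server holds the nonces it issued and the user's secret; the client holds nothing that binds the challenge to a particular server, so a Digest exchange alone cannot give the MU the assurance about the ANP/TSP that the 3P-AAA association requires.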

Diameter is an AAA protocol defined in RFC 3588. The Base protocol itself does not define authentication procedures since these procedures are application specific. Since it was originally designed to be extensible, a number of applications currently exist, such as Diameter SIP, Diameter Credit Control, Diameter EAP, etc.

Table II compares these protocols according to the criteria listed on the left hand side of the table.

Two principal approaches may be considered for the 3P-AAA implementation. The first approach can use an extended 3P-AAA Diameter for end-to-end signaling. 3P-AAA Diameter may use some of the PANA features to support authentication, since both protocols have a similar structure in which information is conveyed by means of AVPs. This approach would provide AAA and Credit Control functionality for all three interfaces. In this configuration, the access router would operate as a Diameter Proxy, which is capable of modifying message content and can therefore provide value-added services, enforce rules and policy on different messages, or perform administrative tasks for a specific realm.
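To make the AVP-based structure that this approach (and the interface ‘c’ messages in Table I) relies on concrete, here is an added example of a minimal Diameter encoder/decoder following the RFC 3588 header and AVP layout. It is example code written for this page, not the authors' 3P-AAA software; the host names, realms and Session-Id are constructed placeholders, and the AVP set is the minimal one for a Credit-Control-Request, not the full set RFC 4006 mandates. The decoder validates every length field before using it, which is the check any implementation exposed to peers on these interfaces needs.

```python
"""Minimal Diameter (RFC 3588) message encoder/decoder.

Example code added for this page; not the authors' implementation.
Host/realm names and the Session-Id are constructed placeholders.
"""
import struct

HEADER_LEN = 20            # version(1) length(3) flags(1) code(3) app(4) hbh(4) e2e(4)
AVP_HEADER_LEN = 8         # code(4) flags(1) length(3); optional Vendor-Id(4) follows
FLAG_REQUEST = 0x80        # 'R' bit of the command flags
AVP_FLAG_VENDOR = 0x80     # 'V' bit of the AVP flags
AVP_FLAG_MANDATORY = 0x40  # 'M' bit of the AVP flags

# Standard codes (RFC 3588 base, RFC 4006 Credit-Control)
CMD_CREDIT_CONTROL = 272
APP_CREDIT_CONTROL = 4
AVP_SESSION_ID = 263
AVP_ORIGIN_HOST = 264
AVP_ORIGIN_REALM = 296
AVP_DESTINATION_REALM = 283
AVP_AUTH_APPLICATION_ID = 258
AVP_CC_REQUEST_TYPE = 416
AVP_CC_REQUEST_NUMBER = 415
CC_INITIAL_REQUEST = 1


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Encode one AVP; ints go out as Unsigned32, bytes as-is, padded to 4."""
    if isinstance(data, int):
        data = struct.pack("!I", data)
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = AVP_HEADER_LEN + len(vendor) + len(data)  # AVP Length excludes padding
    head = struct.pack("!II", code, (flags << 24) | length)
    return head + vendor + data + b"\x00" * ((-len(data)) % 4)


def encode_message(command, app_id, avps, request=True, hop_id=1, end_id=1):
    """Build a full message; Message Length counts the header plus padded AVPs."""
    payload = b"".join(encode_avp(*a) for a in avps)
    length = HEADER_LEN + len(payload)
    flags = FLAG_REQUEST if request else 0
    header = struct.pack("!II", (1 << 24) | length, (flags << 24) | command)
    header += struct.pack("!III", app_id, hop_id, end_id)
    return header + payload


def decode_message(buf):
    """Parse header and AVPs, raising ValueError on any length inconsistency
    rather than reading past the buffer."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    w0, w1, app_id, hop_id, end_id = struct.unpack("!IIIII", buf[:HEADER_LEN])
    version, length = w0 >> 24, w0 & 0xFFFFFF
    flags, command = w1 >> 24, w1 & 0xFFFFFF
    if version != 1 or length != len(buf):
        raise ValueError("bad version or message length")
    avps, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < AVP_HEADER_LEN:
            raise ValueError("truncated AVP header")
        code, w = struct.unpack("!II", buf[pos:pos + AVP_HEADER_LEN])
        aflags, alen = w >> 24, w & 0xFFFFFF
        has_vendor = bool(aflags & AVP_FLAG_VENDOR)
        min_len = AVP_HEADER_LEN + (4 if has_vendor else 0)
        if alen < min_len or pos + alen > length:
            raise ValueError("bad AVP length")
        vendor = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if has_vendor else None
        data = buf[pos + min_len:pos + alen]
        avps.append((code, vendor, bool(aflags & AVP_FLAG_MANDATORY), data))
        pos += alen + ((-alen) % 4)  # skip the padding that follows the AVP
    return {"command": command, "request": bool(flags & FLAG_REQUEST),
            "app_id": app_id, "hop_id": hop_id, "end_id": end_id, "avps": avps}


def build_ccr_initial():
    """Constructed CCR (INITIAL_REQUEST) such as an ANP access router might
    send to a 3P-AAA-SP over interface 'c'; all names are placeholders."""
    avps = [
        (AVP_SESSION_ID, b"ar1.anp.example;1;1"),
        (AVP_ORIGIN_HOST, b"ar1.anp.example"),
        (AVP_ORIGIN_REALM, b"anp.example"),
        (AVP_DESTINATION_REALM, b"3paaa.example"),
        (AVP_AUTH_APPLICATION_ID, APP_CREDIT_CONTROL),
        (AVP_CC_REQUEST_TYPE, CC_INITIAL_REQUEST),
        (AVP_CC_REQUEST_NUMBER, 0),
    ]
    return encode_message(CMD_CREDIT_CONTROL, APP_CREDIT_CONTROL, avps)


if __name__ == "__main__":
    msg = build_ccr_initial()
    parsed = decode_message(msg)
    print(len(msg), "bytes;", [a[0] for a in parsed["avps"]])
```

A 3P-AAA extension of Diameter would add its own AVP codes on top of this layout (vendor-specific ones carry the Vendor-Id word the decoder handles), and a Diameter Proxy at the access router would decode, modify and re-encode messages with exactly these routines.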

The second approach can use SIP signaling between the MU and the access router, and Diameter inside the network. A disadvantage of this approach is that message translation would be required to extract information from SIP messages in order to form Diameter messages. However, some elements of this approach can be seen in IMS, where the Call/Session Control Function performs similar tasks. On the positive side, the use of SIP would provide a wider range of additional functionality, as this protocol supports media stream negotiation and presence services.

TABLE II. COMPARISON OF CANDIDATE SIGNALING PROTOCOLS

Transport
  SIP: SCTP, TCP, UDP
  PANA: UDP
  Diameter Base: TCP, SCTP

Authentication
  SIP: HTTP Digest, AKA (in 3GPP), TLS X.509 certificate
  PANA: EAP negotiated (X.509 certificates proposed)
  Diameter Base: application defined

Scalability
  SIP: scalable through SIP agents
  PANA: not scalable
  Diameter Base: scalable through Diameter agents

Presence and Location Management
  SIP: able to provide presence and mobility information
  PANA: not available
  Diameter Base: not available

Widespread Use
  SIP: wide use in multimedia environments; used by 3GPP’s IMS
  PANA: not very common
  Diameter Base: envisioned to replace RADIUS (the currently used AAA protocol); used by 3GPP’s IMS

VI. CONCLUSION

This paper has looked at different aspects of the 3P-AAA framework. The principal entities of the framework along with the corresponding signaling interfaces have been outlined. Having 3GPP’s IMS as a reference technology, some solutions have been proposed to allow co-existence of the rival SBM and CBM business models. The impact of the choice of the 3P-AAA signaling protocol has been discussed and two options have been proposed. One is to implement an end-to-end extended Diameter protocol, while the other is to use SIP between the mobile user and the network’s access router, and Diameter-based signaling within the network. Both approaches have a number of positive and negative points, thus further thorough evaluation is required. Additional work is envisioned for the complete specification of the signaling messages and AVPs that will be employed by the 3P-AAA interfaces.

ACKNOWLEDGMENT

This publication has been supported by the Irish Research Council for Science, Engineering and Technology (IRCSET) and the Telecommunications Research Centre, University of Limerick, Ireland (http://www.ece.ul.ie/trc).

REFERENCES

[1]. M. O’Droma and I. Ganchev, “The Creation of a Ubiquitous Consumer Wireless World through Strategic ITU-T Standardization”. IEEE Communications Magazine, Vol. 48, Issue 10, October 2010, Pp. 158-165. ISSN: 0163-6804.


[2]. M. O’Droma and I. Ganchev, “Toward a Ubiquitous Consumer Wireless World”. IEEE Wireless Communications, Vol. 14, Issue 1, February 2007, Pp. 52-63. ISSN: 1536-1284.

[3]. R. R. Stewart, Q. Xie, M. Tuexen, and I. Rytina, SCTP Dynamic Addition of IP Addresses. <draft-ietf-tsvwg-addip-sctp-08.txt>, 2004.

[4]. 3GPP TS 23.002 version 9.2.0 Release 9. Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Network architecture, 2010.

[5]. J. Rosenberg and G. Camarillo, “SIP: Session Initiation Protocol”, RFC 3261, 2002.

[6]. P. Calhoun and E. Guttman, “Diameter Base Protocol”, RFC 3588, 2003.

[7]. I. Ganchev and M. O'Droma, “New personal IPv6 address scheme and universal CIM card for UCWW”, in Proc. 7th International Conference on ITS Telecommunications (ITST '07), 2007.

[8]. M. Ratola, Which Layer for Mobility? - Comparing Mobile IPv6, HIP and SCTP. HUT T-110.551 Seminar on Internetworking, 2004.

[9]. D. Forsberg, Y. Ohba, and B. Patil, “Protocol for Carrying Authentication for Network Access (PANA)”, RFC 5191, 2008.