November 2004, 61st IETF, MIP6 WG: Mobile IPv6 Bootstrapping Architecture using DHCP
Mobile IPv6 Bootstrapping Architecture using DHCP
draft-ohba-mip6-boot-arch-dhcp-00
Yoshihiro Ohba, Rafael Marin Lopez,
Mayumi Yanagiya, Hiroyuki Ohnishi and Kuntal Chowdhury
Mobility Service, Network Access Service and AAA
• Integration of a bootstrapping architecture with AAA infrastructure is needed
– Operators rely on AAA protocols to provide authentication, authorization and accounting functions for the subscribers of their services
• The services include network access service and mobility service
• In many cases, AAA for network access (AAA-NA) occurs before AAA for mobility service (AAA-MS)
• It is reasonable to consider a scenario where there is some dependency between AAA-NA and AAA-MS
Two Minimum Sets of Seed Information
• Parameter Set 1:
– The domain name or FQDN of the home agent
– IKE credentials
• Parameter Set 2:
– Network access credentials
• draft-ohba-mip6-boot-arch uses Parameter Set 2
Basic Architecture
[Figure: Basic Architecture. Entities: Mobile Node/DHCP Client, NAS, DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. The NAS and DHCP server belong to the ASP or IASP; the AAA-MS server and home agent belong to the serving or home MSP. Protocols shown: network access authentication protocol (MN to NAS), DHCPv6 (MN to DHCP server), and AAA protocol on four links among the NAS, DHCP server, AAA-NA server, AAA-MS server and home agent.]
Basic Architecture (cont'd)
• DHCP server in the visited network is used for delivering bootstrap information to the MN
– The visited network may be the home network
• DHCP delayed authentication is used for integrity-protected delivery of bootstrap information
– DHCP delayed authentication key is also bootstrapped from AAA-NA
– Alper's comment: DHCP authentication problem can be separated
• NAS and/or DHCP server in the visited network is aware of MIPv6 service (but they do not need to speak MIPv6)
• Two models exist depending on who is the AAA-MS client
– Model 1: DHCP server as AAA-MS client
  • DHCP server directly communicates with AAA-MS server to obtain MIP6 bootstrap information
– Model 2: NAS as AAA-MS client
  • NAS communicates with AAA-MS server to obtain MIP6 bootstrap information
  • NAS passes the obtained bootstrap information to the DHCP server
[Figure: Model 1 (DHCP Server as AAA-MS Client). Entities: Mobile Node (network access client and DHCP client), NAS, DHCP Server, AAA Infrastructure, Home Agent. Steps shown: (1) network access authentication protocol, (1') AAA-NA, (2) DHCPv6 with delayed authentication, (2) AAA-MS, (3) IKE. Keys shown: DHCP key, AAA-Key. MIP6 bootinfo sets shown: {HA [,HoA or HoL]}, {HA [,HoA or HoL], DHCP-key}, {[HoA or HoL]}, {IKE credentials [,HoA or HoL]}.]
[Figure: Model 2 (NAS as AAA-MS Client). Entities: Mobile Node (network access client and DHCP client), NAS, DHCP Server, AAA Infrastructure, Home Agent. Steps shown: (1) network access authentication protocol, (1') AAA-NA, (2) AAA-MS, (2') DHCPv6 with delayed authentication, (3) IKE. Key shown: DHCP key. MIP6 bootinfo sets shown: {HA [,HoA or HoL]}, {HA [,HoA or HoL] [,DHCP-key]}, {[HoA or HoL]}, {IKE credentials [,HoA or HoL]}, {HA [,HoA or HoL], AAA-Key [,DHCP-key]}.]
Mapping to Bootstrapping Scenarios
• Bootstrapping problem statement draft identifies four cases
– Mobility Service Subscription Scenario
– Integrated ASP (IASP) Scenario
– Third-party MSP Scenario
– Infrastructure-less Scenario
• Some scenarios do not assume a relationship between AAA-NA and AAA-MS
– Mobility service subscription scenario and infrastructure-less scenario are not supported in this bootstrapping architecture
• This architecture is intended for IASP scenario and third-party ASP scenario
[Figure: Integrated ASP Scenario (Model 1), IASP (ASP+MSP). Entities: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages shown: Authentication/Authorization for NA, Parameter Req., AAA-NA, DHCP Req., DHCP Rep., IKEv2, Parameter Req., Authorization for MS, NA Req., NA Rep., IKE credentials.]
[Figure: Integrated ASP Scenario (Model 2), IASP (ASP+MSP). Entities: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages shown: Authentication/Authorization for NA, Parameter Req., AAA-NA, DHCP Req., DHCP Rep., IKEv2, Parameter Rep., Authorization for MS, NA Req., NA Rep., IKE credentials.]
[Figure: Third-Party MSP Scenario (Model 1). Domains: ASP, Serving MSP, Home MSP. Entities: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages shown: Authentication/Authorization for NA, Parameter Req., AAA-NA, NA Req., NA Rep., DHCP Req., DHCP Rep., IKEv2, Parameter Req., Authorization for MS, IKE credentials.]
Home MSP is integrated with ASP, OR Home MSP has roaming agreement with ASP
[Figure: Third-Party MSP Scenario (Model 2). Domains: ASP, Serving MSP, Home MSP. Entities: Mobile Node, NAS/DHCP Server, AAA-NA Server, AAA-MS Server, Home Agent. Messages shown: Authentication/Authorization for NA, Parameter Req., AAA-NA, NA Req., NA Rep., DHCP Req., DHCP Rep., IKEv2, Parameter Rep., Authorization for MS, IKE credentials.]
Home MSP is integrated with ASP, OR Home MSP has roaming agreement with ASP
Other Bootstrapping Architectures (draft-yegin-mip6-aaa-fwk)
• Uses home agent as AAA-MS client
• Assumption: HA address is somehow known to the MN (e.g., pre-configuration, DNS SRV record)
• Simplest, but operators want to provide flexibility in assignment of the HA address
– E.g., assigning a different HA depending on the profile of the subscriber
Other Bootstrapping Architectures (draft-giaretta-mip6-authorization-eap)
• Uses EAP for conveying bootstrapping information between MN (EAP peer) and AAA-NA server (EAP server)
• The bootstrapping procedure is transparent to access network
• Potential complexity for multiple-domain case
Security Considerations
• Question: Is it valid to use DHCP in the ASP to deliver an HA assigned by the MSP?
– If the ASP and MSP are separated, the MSP might not want to expose bootstrapping information to other providers
• Answer: The bootstrapping information can be encrypted based on the SA between the MN and the AAA-MS server
– The DHCP server can deliver the encrypted information to the mobile node as opaque data if such an option is defined
Open Issues
• When multiple MSPs are able to assign an HA to the MN, how to determine which MSP should be the assigner(s)?
– This case could happen in a hybrid of the IASP scenario and the third-party scenario (i.e., AAA-MS servers exist in both the ASP and the home MSP)
• Model 1 might have a security issue
– If there is no coordination between the AAA-MS client (DHCP server) and the AAA-NA client (NAS), the AAA-MS procedure is performed without authentication
– A DHCP server would initiate AAA-MS without making sure that the requesting MN has been authorized by the NAS in the AAA-NA procedure
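The following Python sketch is added here as an illustration; it is not code from the slides or from draft-ohba-mip6-boot-arch-dhcp. It models Model 1 (DHCP server as AAA-MS client) together with the three protections the slides touch on: the DHCP delayed-authentication key bootstrapped from AAA-NA (Basic Architecture), the MSP's bootstrap information sealed under the SA between MN and AAA-MS server and relayed by the ASP's DHCP server as opaque data (Security Considerations), and the coordination step that resolves the open issue above, where the DHCP server refuses to start AAA-MS until the NAS has reported a completed AAA-NA for that MN. The key derivation, the toy sealing construction, the subscriber table and every identifier and address are constructed assumptions; RFC 3315's delayed authentication protocol uses HMAC-MD5, which is computed here over the option payload only rather than over the full DHCP message.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration, not code from draft-ohba-mip6-boot-arch-dhcp.
# Models Model 1 (DHCP server as AAA-MS client) with three protections the
# slides mention: a DHCP delayed-authentication key bootstrapped from AAA-NA,
# NAS-to-DHCP-server coordination so AAA-MS only runs for MNs the NAS has
# authorized, and MSP bootstrap data sealed under the MN/AAA-MS SA so the ASP
# DHCP server relays it as opaque bytes. Key derivation, the sealing scheme
# and all identifiers and addresses below are assumptions.

AAA_NA_MASTER = b"constructed-aaa-na-master-key"
SUBSCRIBERS = {"mn1@example.net": "na-secret-1"}               # constructed
MS_SA_KEYS = {"mn1@example.net": b"constructed-mn-aaa-ms-sa"}  # constructed
HOME_AGENTS = {"mn1@example.net": "2001:db8:1::ha"}            # constructed

def derive_dhcp_key(mn_id, session_nonce):
    """Per-session DHCP delayed-authentication key from AAA-NA (assumed KDF)."""
    return hmac.new(AAA_NA_MASTER, mn_id.encode() + session_nonce, hashlib.sha256).digest()

def dhcp_auth_mac(key, message):
    """RFC 3315 delayed authentication uses HMAC-MD5; this covers only the
    option payload, a simplification of the full-message computation."""
    return hmac.new(key, message, hashlib.md5).digest()

def _keystream(sa_key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream: a stand-in, not a real cipher.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(sa_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(sa_key, data):
    """Encrypt-then-MAC under the MN/AAA-MS SA: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(sa_key, nonce, len(data))))
    return nonce + ct + hmac.new(sa_key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(sa_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(sa_key, b"tag" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("sealed bootstrap info failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(sa_key, nonce, len(ct))))

def aaa_ms_bootstrap(mn_id):
    """AAA-MS server: assign the HA and seal it for the MN; intermediaries see only bytes."""
    return seal(MS_SA_KEYS[mn_id], json.dumps({"HA": HOME_AGENTS[mn_id]}).encode())

class DHCPServer:
    """ASP DHCP server acting as AAA-MS client."""

    def __init__(self):
        self.authorized = {}  # mn_id -> DHCP key; written only by the NAS

    def nas_notify(self, mn_id, dhcp_key):
        # Coordination step for the open issue: the NAS reports AAA-NA success.
        self.authorized[mn_id] = dhcp_key

    def handle_request(self, mn_id, payload, mac):
        key = self.authorized.get(mn_id)
        if key is None:
            raise PermissionError("no AAA-NA authorization from NAS; AAA-MS not started")
        if not hmac.compare_digest(dhcp_auth_mac(key, payload), mac):
            raise PermissionError("DHCP delayed-authentication check failed")
        blob = aaa_ms_bootstrap(mn_id)  # opaque to this server
        return blob, dhcp_auth_mac(key, blob)

def nas_access(server, mn_id, credential):
    """NAS with AAA-NA: authenticate, derive the DHCP key, notify the DHCP server.
    Returns the MN's copy of the key, or None on failure."""
    if SUBSCRIBERS.get(mn_id) != credential:
        return None
    key = derive_dhcp_key(mn_id, secrets.token_bytes(8))
    server.nas_notify(mn_id, key)
    return key

def mobile_node_bootstrap(server, mn_id, credential, skip_access_auth=False):
    """MN side: network access auth, then DHCPv6 with delayed auth, then unseal."""
    key = None if skip_access_auth else nas_access(server, mn_id, credential)
    if key is None:
        key = bytes(32)  # MN holds no bootstrapped key; the server must reject it
    payload = json.dumps({"mn": mn_id, "req": "MIP6-bootinfo"}).encode()
    blob, mac = server.handle_request(mn_id, payload, dhcp_auth_mac(key, payload))
    if not hmac.compare_digest(dhcp_auth_mac(key, blob), mac):
        raise ValueError("DHCP reply failed delayed-authentication check")
    return json.loads(unseal(MS_SA_KEYS[mn_id], blob))
```

Calling `mobile_node_bootstrap(DHCPServer(), "mn1@example.net", "na-secret-1")` runs the full sequence and returns the HA assignment; the same call with `skip_access_auth=True`, or with a wrong credential, fails at the DHCP server before any AAA-MS exchange, which is exactly the coordination the open issue asks for. The sealed blob never exposes the HA address to the DHCP server, and any modification of it is caught both by the delayed-authentication MAC and by the tag under the MN/AAA-MS SA.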
Next Step
• If the architecture is relevant, make it part of the entire bootstrapping architecture
– This architecture is NOT the only solution
• Resolve the open issues
Thank you!