
MIPv6 authentication in TIA-835D* © NOKIA Nokia_TIA-835D_MIPv6_authentication / 18AUG03 / ETacsik
AAAv6 Introduction
Proposes a way for IPv6 nodes (clients) to offer credentials to a local AAA server in order to be granted access to the local network
The client solicits access to the network in conjunction with some protocol. Protocols considered in this document include:
Stateless Address Autoconfiguration (RFC 2462)
Mobile IPv6
Controlled and uncontrolled access: Each network interface of the router can be configured to provide AAA services. When an interface is so configured, all transiting packets are subject to controlled access. If a packet does not pass access control, but is an AAA message addressed to the router, it is given to the Attendant in the uncontrolled access part.
Conformance to IPv4 model
AAA servers in home and local domain
Attendant at local point of attachment (as in FA for MIPv4)
Node desiring authorization supplies identification and credentials to attendant
AAAv6 Router System (PDSN)
The router is the node that provides network access to the client. In addition to the usual packet forwarding functionality, the router system consists of functional blocks like the attendant and the packet filter.
Attendant: The attendant is the entity that extracts identification and authorization data sent by the client and forwards them to AAAL for verification. It is also responsible for making the necessary configuration updates (e.g., to the packet filter, and the router's Neighbor Cache) so that only authorized clients can access the network.
Packet filter: A packet filter/firewall/security gateway is the entity responsible for disallowing unauthorized datagram traffic. When a client is authorized, the access control list of the filter is updated with the corresponding client's IP address(es).
System Point of View
AAAv6 Messages
New ICMPv6 messages transport AAA data between the client and the attendant. In addition, several options that can be embedded in an AAAv6 Protocol Message are defined.
AAAv6 Protocol Message types
From client to attendant:
AAA Request: Request for client authorization.
AAA Home Challenge Request: Request for a new challenge from AAAH.
From attendant to client:
AAA Reply: Reply to AAA Request
AAA Teardown: Indication of termination of the currently active AAA registration. This message is always sent unsolicited to the registered AAA client.
General AAAv6 protocol overview
LC = Local AAA Challenge
CR = AAA Credential
ID = Client Identifier
KR = Key Reply
UCP = Uncontrolled part
CP = Controlled part
An IETF Protocol for Last-hop AAA
Alper Yegin, Basavaraj Patil
A network-layer (i.e., link-layer and IP-version agnostic) access authentication protocol that can carry various authentication methods
Last-hop AAA (i.e., between host and access network)
AAA backend can be either RADIUS or Diameter
Purpose: Enable authentication and
for gaining network access
PANA is a standards-track solution that will allow any authentication method to be used on any link-layer
No need to rely on the underlying L2 for providing an authentication mechanism
No need to resort to non-standard ad-hoc schemes (e.g., web-based login)
No need to stretch and overload existing protocols (e.g., using Mobile IPv4 for network access authentication)
Before authentication, the MT is allowed to send and receive only PANA packets (and maybe DHCP, Router Discovery)
PANA can be engaged before or after the MT has been assigned an IP address (i.e., it works with or without an address)
After PANA is completed, the MT is allowed any traffic permitted by its AAA profile
The PDSN opens the gate
PANA over already cipher-secured links (e.g., cdma2000 in 3GPP2)
PANA without any lower layer security
It can enable L2 or L3 ciphering as a result of authentication
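The controlled/uncontrolled split of the AAAv6 router (a packet filter whose access list the attendant updates) and the PANA gate that the PDSN opens after authentication describe the same enforcement-point decision. The block below is an added example, not code from the Nokia deck or from any AAAv6/PANA implementation; the router address, the protocol labels and the profile format are constructed assumptions.

```python
"""Access-gate model for the AAAv6 attendant / PANA enforcement point.

Before authentication a client may only exchange access-authentication
traffic (AAAv6 ICMPv6 messages, PANA, and optionally DHCP/Router Discovery)
with the router; after the attendant/PAA authorizes it, its address enters
the packet filter's access list and the gate opens for whatever its AAA
profile allows.  Protocol names below are labels, not wire formats.
"""
from dataclasses import dataclass, field

ROUTER_ADDR = "fe80::1"                      # constructed router link-local address
UNCONTROLLED_PROTOS = {"aaav6", "pana", "dhcpv6", "router-discovery"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                               # e.g. "pana", "tcp", "udp"


@dataclass
class AccessGate:
    # client address -> protocols its AAA profile permits ("*" = any)
    acl: dict = field(default_factory=dict)

    def authorize(self, client: str, profile: set) -> None:
        """Attendant/PAA call after successful AAA: open the gate for client."""
        self.acl[client] = set(profile)

    def teardown(self, client: str) -> None:
        """AAA Teardown: drop the registration so the client is gated again."""
        self.acl.pop(client, None)

    def decide(self, pkt: Packet) -> str:
        """Return 'forward', 'attendant' or 'drop' for a transiting packet."""
        # Controlled part: authorized clients get their profile traffic.
        permitted = self.acl.get(pkt.src)
        if permitted is not None and ("*" in permitted or pkt.proto in permitted):
            return "forward"
        # Uncontrolled part: a packet that fails access control reaches the
        # attendant only if it is an AAA message addressed to the router.
        if pkt.dst == ROUTER_ADDR and pkt.proto in UNCONTROLLED_PROTOS:
            return "attendant"
        return "drop"
```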
PANA can be used for enabling per-packet authentication and encryption
At L2 (e.g., bootstrap WEP)
At L3 (e.g., bootstrap IPsec. See draft-mohanp-pana-ipsec-00.txt)
Uses EAP keying framework
Can be used for any link-layer for any type of access (simple IPv4/IPv6, Mobile IPv4/IPv6)
Standard and vendor-specific AVPs
Easy to deploy: PANA can be implemented as a UDP-based application
Useful PANA Features
Provides deployment flexibility:
PAA can be placed on any device on the last hop.
PAA, access router, and access enforcement points can be hosted on separate nodes.
Well-integrated with “Internet AAA architecture”
EAP, RADIUS, Diameter, IPsec, IKE, provisioning protocols
Mobility optimizations
Re-use of ongoing PANA session even after PAA (subnet) change
Useful for securing other protocols (e.g., draft-tschofenig-pana-bootstrap-rfc3118-00.txt)
Authentication sequencing
Multiple parallel authenticated sessions
“Limited free access” model: Forcing authentication only after client attempts to access beyond free zone.
Mobile IPv6 is intended for use in cdma2000 networks in Revision “D”
PANA can be used as the authentication protocol for clients before allowing Mobile IPv6 access
It can enable various levels of last-hop AAA unification, enhanced features
Problem statement
Expected to be completed before the end of '03
Additional web site:
Uses the LCP Configuration Option for Authentication-Protocol (as with the Simple IP service), i.e.:
Description On some links it may be desirable to require a peer to authenticate itself before allowing network-layer protocol packets to be exchanged.
This Configuration Option provides a method to negotiate the use of a specific protocol for authentication.
A summary of the Authentication-Protocol Configuration Option format is shown below. The fields are transmitted from left to right.
[option format diagram not reproduced in this transcript; only the bit ruler "0 1 2 3" survived]
The Authentication-Protocol field is two octets, and indicates the authentication protocol desired. Values for this field are always the same as the PPP Protocol field values for that same authentication protocol.
Value (in hex)   Protocol
C223             Challenge Handshake Authentication Protocol (CHAP)
C227             Extensible Authentication Protocol [RFC2284] (EAP)
Within the EAP Request message, there is a Type field to indicate what authentication is being requested. Examples of Request Types include MD5-challenge, etc.
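An added example (not from the slides) that walks the option list of an LCP Configure-Request and reports which Authentication-Protocol values above a peer is asking for. The Type=3 / Length / Authentication-Protocol / Data layout is taken from RFC 1661 because the slide's format diagram did not survive extraction, and the CHAP Algorithm octet (5 = MD5) from RFC 1994; the sample option bytes are constructed.

```python
"""Parse PPP LCP Authentication-Protocol Configuration Options.

Assumed layout (RFC 1661, section 6.2): Type (1 octet, value 3) | Length
(1 octet, >= 4) | Authentication-Protocol (2 octets) | Data (Length - 4
octets).  Protocol values are those in the slide's table; the CHAP
Algorithm octet comes from RFC 1994.
"""
import struct

LCP_OPT_AUTH_PROTOCOL = 3
AUTH_PROTOCOLS = {0xC223: "CHAP", 0xC227: "EAP"}   # values from the slide table
CHAP_ALGORITHMS = {5: "MD5"}                         # RFC 1994


def parse_lcp_options(buf: bytes) -> list:
    """Walk an LCP option list and return (type, data) tuples.

    Raises ValueError on a truncated option or an illegal Length so a
    malformed peer message is rejected instead of being silently misread.
    """
    options, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated option header")
        typ, length = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError(f"bad option length {length} at offset {off}")
        options.append((typ, bytes(buf[off + 2:off + length])))
        off += length
    return options


def describe_auth_option(data: bytes) -> str:
    """Name the protocol an Authentication-Protocol option's data requests."""
    if len(data) < 2:
        raise ValueError("Authentication-Protocol option shorter than 4 octets")
    proto = struct.unpack("!H", data[:2])[0]
    name = AUTH_PROTOCOLS.get(proto)
    if name is None:
        return f"unknown (0x{proto:04X})"
    if name == "CHAP" and len(data) >= 3:        # Algorithm octet follows
        name += "/" + CHAP_ALGORITHMS.get(data[2], f"algorithm {data[2]}")
    return name


def negotiated_auth(buf: bytes) -> list:
    """Authentication protocols requested in an LCP option list."""
    return [describe_auth_option(d) for t, d in parse_lcp_options(buf)
            if t == LCP_OPT_AUTH_PROTOCOL]


# Constructed sample: MRU option (type 1, 1500), then EAP, then CHAP/MD5.
SAMPLE = bytes([1, 4, 0x05, 0xDC, 3, 4, 0xC2, 0x27, 3, 5, 0xC2, 0x23, 5])
```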
Via PANA payload, EAP or other authentication methods
Via PPP payload, EAP or other authentication methods
New functionality in ms
Yes - PAA (PANA Authentication Agent), which can be separate from the PDSN
Little to no required effort
Threat analysis completed
No message piggybacking possible
AAAv6 pros: evolutionary; similar functionality to RFC 3012; link-layer agnostic; attendant location can be outside the PDSN (WLAN); allows deprecation of PPP
AAAv6 cons: IETF uncertain on necessity; new (e.g., PDSN) attendant functionality; IPv6-specific mechanism (3rd mechanism); security risks associated with all higher-layer authentication protocols (n/a for cdma2000 access)
PANA pros: link-layer and IP-version agnostic; standards-track work (dedicated IETF WG); allows deprecation of PPP for authentication; harmonizes authentication across existing modes, i.e. Simple IPv4/v6, Mobile IPv4/v6, "potential" use for WLAN, Bluetooth
PANA cons: new protocol; new PDSN PAA functionality; security risks associated with all higher-layer authentication protocols (n/a for cdma2000 access)
The 3-year-old Wired Equivalent Privacy (WEP) protocol has been discredited so thoroughly that its authentication and encryption capabilities are not considered sufficient for use in enterprise networks.
In response to the WEP fiasco, many wireless LAN vendors have latched onto the IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs. The wildcard with the 802.1x protocol is interoperability.
802.1x authentication (cont)
The wireless client sends an authentication request to either the wireless access point or an 802.1x-enabled switch.
The wireless access point or 802.1x-enabled switch repackages the authentication request and sends it on to the RADIUS server.
The RADIUS server examines the request and may proxy it to another server or consult an authentication database directly.
If the client is authenticated, the RADIUS server informs the wireless access point or 802.1x-enabled switch.