
HELSINKI UNIVERSITY OF TECHNOLOGY

AAA Architecture for hierarchical wireless Mobile IPv4

Tom Weckström

Telecommunications Software and Multimedia

Laboratory of Information Processing Science

Helsinki University of Technology

Finland


Introduction

• Wireless Internet gaining momentum
• Yankee: 1 billion users by 2003
• Is access the wireless killer application?
• Mobile users need to be authenticated, authorized, and correctly billed.


Problem

• Special needs for AAA protocol in
  – Open environment
  – Wireless environment
• Problem dimensions: Trust, Security, Efficiency


Scope

• Mobile IPv4 environment that is
  – Open
  – Hierarchical
  – Wireless

• Lots of active mobile users

• Frequent, fast handoffs

Scope

[Figure: scope topology. Labels: MN, CN, Internet; Foreign Network with Wireless LAN, FAs and HFA; Home Network / UHO with HA1, HA2, HA3 and SHA.]


Hierarchical Mobile IPv4

[Figure: hierarchical Mobile IPv4. Labels: CN, HA, Internet, Home Network; Foreign Network with WLAN, HFA1, FA1–FA6, SFA and Mobile Node.]

Criteria

• From IDs, scope and RFC 2477

• 11 criteria, classified and prioritized

• General, dimensional and AAA criteria

• GQM approach for measuring success


My solution

AAA Architecture with tick payments


Design principles

• Parallel AAA and MIP signaling
• Reduced number of signaling messages
• Periodic payments
• SPKI with RSA
• Ideas from Ipay, DIAMETER and BillNeat


Architectural elements

• AAAH, SHA, HA

• AAAF, HFA, FA

• Broker

• MN

• Buyer


Architecture

[Figure: architecture. Labels: ISPs 1–4, each with AAAF(s) (e.g. 1AAAF, 3.1AAAF, AAAF4.1.1) and a tree of HFAs and FAs (e.g. HFA1.1, FA1.1.1, FA1.1.1.1); UHO 1 with AAAH1, SHA1.1, SHA1.2 and HA1.1.1–HA1.2.3; Brokers p, q, x, y, z; Internet; mobile user MU1.1.2.1.]

Trust relationships


Security

• RSA for signatures
• SHA for payment messages
• Symmetric encryption for authentication, session keys, and signatures
• Session ID
• Billing ID
• Timestamps for replay protection


Protocol operation

• Registration protocol
  – Slow mode: sequential, for compatibility
  – Fast mode: parallel, optional grace period
• Payment protocol
  – Real-time payments
  – Localized message handling
  – Policy-based authorization
  – User controls the size of the bill
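As an added example (not code from the thesis or these slides), the message-level mechanisms the Security slide lists, applied to the periodic payment messages of the payment protocol: a symmetric session key, a MAC built on SHA-256, the Session ID and Billing ID as bound fields, a timestamp freshness check, and a per-session tick counter. The field layout, the 30-second window and the monotonic tick counter are assumptions; the slides do not give the wire format.

```python
import hmac
import hashlib
import json

MAX_SKEW = 30  # seconds; assumed freshness window for the timestamp check

def _canon(body: dict) -> bytes:
    """Canonical serialisation so sender and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_tick(session_key: bytes, session_id: str, billing_id: str,
              tick_no: int, ts: int) -> dict:
    """Build one periodic payment message; this layout is an assumption."""
    body = {"session_id": session_id, "billing_id": billing_id,
            "tick": tick_no, "ts": ts}
    mac = hmac.new(session_key, _canon(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}

class TickVerifier:
    """Receiver-side state for one payment session (e.g. at an FA)."""
    def __init__(self, session_key: bytes, session_id: str, billing_id: str):
        self.key = session_key
        self.session_id = session_id
        self.billing_id = billing_id
        self.last_tick = 0  # highest tick accepted so far (assumed counter)

    def verify(self, msg: dict, now: int) -> str:
        """Return "ok" or the first reason the message is rejected."""
        body = {k: msg[k] for k in ("session_id", "billing_id", "tick", "ts")}
        expected = hmac.new(self.key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad_mac"        # tampered, or wrong session key
        if body["session_id"] != self.session_id or body["billing_id"] != self.billing_id:
            return "wrong_session"  # valid MAC but bound to another session/bill
        if abs(now - body["ts"]) > MAX_SKEW:
            return "stale"          # timestamp outside the freshness window
        if body["tick"] <= self.last_tick:
            return "replay"         # tick already accepted once
        self.last_tick = body["tick"]
        return "ok"

def run_demo() -> list:
    """Constructed traffic: fresh tick, its replay, next tick, a forgery, a stale tick."""
    key = b"constructed-session-key"
    v = TickVerifier(key, "sess-42", "bill-7")
    t1 = make_tick(key, "sess-42", "bill-7", 1, 1000)
    t2 = make_tick(key, "sess-42", "bill-7", 2, 1010)
    forged = dict(t2, tick=3)  # field changed without recomputing the MAC
    return [v.verify(t1, 1005), v.verify(t1, 1006), v.verify(t2, 1012),
            v.verify(forged, 1013), v.verify(t2, 2000)]
```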


Slow mode

[Figure: slow mode registration, message sequence steps 1–21 between MN/Buyer, FA1.1.1.1, HFA1.1, AAAF1, Brokers x and y, AAAH1, SHA1.1 and HA1.1.2 across the Foreign Network, the Internet and the User Home Organization Network. Messages: Advertisement, PriorityRequest/PriorityReply, RegRequest/RegReply carrying PaymSesReq/PaymSesReply and an SPKI certificate, AAA(Reg.Request)/AAA(Reg.Reply), PaymSesValReq/PaymSesValReply, RegistrationReady.]

Fast mode

[Figure: fast mode registration, message sequence steps 1–17 between MN/Buyer, FA2.1.2.2, HFA2.1, AAAF2, Brokers p and y, AAAH1, SHA1.1 and HA1.1.2 across the Foreign Network, the Internet and the User Home Organization Network. Messages: Advertisement, PriorityRequest/PriorityReply, RegRequest/RegReply, PaymSesReq/PaymSesReply with SPKI certificate, AAA(PaymSesReq), AAA(PaymSesValReq)/AAA(PaymSesValReply), AAA(PaymSesReply), RegistrationReady, AAA(RegistrationReply), AAA(RegRepIndication)/AAA(RegRepIndicRep), AAA(Acknowledgement).]

Payment protocol

[Figure: payment protocol, message sequence steps 1–8 between MN/Buyer, FA2.1.2.2, HFA2.1, AAAF2, Brokers p and y, AAAH1, SHA1.1 and HA1.1.2 across the Foreign Network, the Internet and the User Home Organization Network. Messages: PaymSesReq with SPKI certificate / PaymSesReply, AAA(PaymSesReq), AAA(PaymSesValReq)/AAA(PaymSesValReply), AAA(PaymSesReply), repeated TickPayment, PaymentRequest, AAA(CapacityUsed)/AAA(CapUsedReply), UsageInfo, AAA(BillingRequest)/AAA(BillingReply), AAA(Accounting information), AAA(Acknowledgement).]

Conclusions

• Potential for significant improvements with parallel signaling

• Static trust relationships concentrated within organizational units

• Flexibility with SPKI and Policy Management

• Tick payments: efficiency & control


Future research ideas

• More extensive use of SPKI
  – Trust relationships
  – Certificate management

• Improved verification of credibility

• Integration with DIAMETER

• Policy management with distributed policies


Q & A

?


AAA Architecture for hierarchical wireless Mobile IPv4

Tom Weckström

[email protected]

WWW

http://www.cs.hut.fi/Research/Dynamics/
