SIP roaming solution amongst different WLAN-based service providers

Julián F. Gutiérrez (1), Alessandro Ordine (1), Luca Veltri (2)

(1) DIE, University of Rome "Tor Vergata", Italy
(2) Dpt. of Information Engineering, University of Parma, Italy

WLAN/3G secure authentication based on SIP. Università degli Studi di Parma, Dipartimento di Ingegneria dell'Informazione

Overview

Scope: roaming amongst (WLAN-based) access networks
• WLAN access networks are widely used
• current wireless internet service providers (WISPs) use different authentication schemes
• there is no integrated and open authentication framework

Goal: an open solution for secure authentication in wireless (and also wired) access scenarios, based on a distributed AAA architecture and on the SIP protocol
• enabling its use through standard 3G terminals
• testbed implementation

Characteristics: a captive-portal-like solution (layer-two independent) based on the SIP registration procedure


Outline

SIP authentication overview: Digest authentication, AKA, Digest-AKA

Uni-Fy architecture

SIP-based authentication scheme

Implementation

Future work


SIP Digest authentication

It follows a challenge-based scheme relying on a shared secret for authentication purposes (as in HTTP authentication).

Any time a proxy server or a UA receives a request, it MAY challenge the initiator of the request to provide assurance of its identity.

Message flow between the UAC and the UAS (Registrar/Redirect/Proxy Server):
A. UAC → UAS: INVITE / REGISTER
B. UAS → UAC: 401 / 407 (with nonce), after challenge generation
C. UAC → UAS: INVITE / REGISTER (with response), after response generation
D. UAS verifies the response and answers 200/OK


SIP AKA

Entities: MT (with USIM), Auth Server, HSS

1. Auth Server → HSS: AV request [User Id]
2. HSS: User Id retrieval; generation of AV = RAND, AUTN, XRES, IK, CK
3. HSS → Auth Server: AV push [RAND, AUTN, XRES, IK, CK]
4. Auth Server → MT: authentication challenge [RAND, AUTN]
5. MT → USIM: RAND, AUTN. The USIM runs the AKA algorithm: verifies AUTN, computes RES, generates IK, CK
6. USIM → MT: RES
7. MT → Auth Server: authentication response [RES]


SIP Digest-AKA

Entities: AKA SIM, SIP UAC, SIP server, AKA HSS

1. SIP UAC → SIP server: SIP request
2. SIP server → AKA HSS: AV request
3. AKA HSS: generation of AV = {RAND, AUTN, XRES, IK, CK}
4. AKA HSS → SIP server: AV
5. SIP server → SIP UAC: SIP response 401/407 [challenge = RAND, AUTN]
6. SIP UAC → AKA SIM: RAND, AUTN (start of the AKA algorithm)
7. AKA SIM → SIP UAC: RES
8. SIP UAC: Digest calculation of "response" using RES as password
9. SIP UAC → SIP server: SIP request [challenge, response]
10. SIP server: checks the Digest "response" using XRES as password; the server acknowledges (ACK) and the SIP request proceeds as authenticated
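The following is an added example, not code from the slides or from any of the projects they cite. It computes and verifies the Digest response of steps B to D of the SIP Digest slide (RFC 3261 reuses HTTP Digest, RFC 2617), and then walks the Digest-AKA flow of this slide (RFC 3310), where the RES produced by the USIM is the client's Digest password and the XRES held by the HSS is the server's. The 3GPP AKA functions themselves (Milenage) are not implemented: hss_generate_av and usim_run_aka are HMAC-based stand-ins with the same inputs and outputs, and the user name, realm, URI and key values are constructed for the example.

```python
"""Added example (not from the slides): SIP Digest and Digest-AKA response
computation and verification. The AKA functions are HMAC stand-ins, NOT the
3GPP Milenage f1..f5 algorithms; they only reproduce the data flow
(K, RAND -> AUTN, RES/XRES, IK, CK) shown on the slide."""
import base64
import hashlib
import hmac


def _md5_hex(*parts: bytes) -> str:
    # Digest hashes colon-joined fields; the password may be raw bytes (RES).
    return hashlib.md5(b":".join(parts)).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest; `password` is str (shared secret) or bytes (RES)."""
    pw = password if isinstance(password, bytes) else password.encode()
    ha1 = _md5_hex(username.encode(), realm.encode(), pw)
    ha2 = _md5_hex(method.encode(), uri.encode())
    if qop is None:  # no-qop form, still common in SIP registrars
        return _md5_hex(ha1.encode(), nonce.encode(), ha2.encode())
    return _md5_hex(ha1.encode(), nonce.encode(), nc.encode(),
                    cnonce.encode(), qop.encode(), ha2.encode())


def verify_digest(expected_password, received_response, **fields) -> bool:
    """Step D: the server recomputes the response with its own copy of the
    secret (or with XRES) and compares in constant time; the password itself
    never travels in the message."""
    expected = digest_response(password=expected_password, **fields)
    return hmac.compare_digest(expected, received_response)


# ---- AKA stand-ins (constructed for this example, NOT 3GPP Milenage) -------
def _aka_prf(k: bytes, rand: bytes, label: bytes) -> bytes:
    return hmac.new(k, rand + label, hashlib.sha256).digest()


def hss_generate_av(k: bytes, rand: bytes):
    """HSS side: authentication vector AV = (RAND, AUTN, XRES, IK, CK)."""
    autn = _aka_prf(k, rand, b"autn")[:16]
    xres = _aka_prf(k, rand, b"res")[:8]
    ik, ck = _aka_prf(k, rand, b"ik")[:16], _aka_prf(k, rand, b"ck")[:16]
    return rand, autn, xres, ik, ck


def usim_run_aka(k: bytes, rand: bytes, autn: bytes):
    """USIM side: verify AUTN (authenticates the network), then compute
    RES, IK, CK. Returns None when AUTN does not verify (challenge rejected)."""
    if not hmac.compare_digest(autn, _aka_prf(k, rand, b"autn")[:16]):
        return None
    return (_aka_prf(k, rand, b"res")[:8],
            _aka_prf(k, rand, b"ik")[:16], _aka_prf(k, rand, b"ck")[:16])


def aka_nonce(rand: bytes, autn: bytes) -> str:
    # RFC 3310: the Digest nonce carries base64(RAND || AUTN || server data).
    return base64.b64encode(rand + autn).decode()


def digest_aka_exchange(k_usim: bytes, k_hss: bytes, rand: bytes):
    """The Digest-AKA flow of the slide, both sides in one place.
    Returns (client Digest response or None, server accepted?)."""
    user, realm = "alice@home.example", "home.example"        # constructed
    method, uri = "REGISTER", "sip:home.example"
    _, autn, xres, _, _ = hss_generate_av(k_hss, rand)        # AV request / AV
    nonce = aka_nonce(rand, autn)                             # 401 with RAND, AUTN
    usim = usim_run_aka(k_usim, rand, autn)                   # AKA SIM runs AKA
    if usim is None:
        return None, False
    res = usim[0]
    response = digest_response(user, realm, res, method, uri, nonce)  # RES as password
    accepted = verify_digest(xres, response, username=user, realm=realm,
                             method=method, uri=uri, nonce=nonce)    # XRES as password
    return response, accepted


if __name__ == "__main__":
    k = bytes(range(16))                                      # constructed key
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed RAND
    print(digest_aka_exchange(k, k, rand))          # same K on USIM and HSS
    print(digest_aka_exchange(bytes(16), k, rand))  # wrong K: AUTN rejected
```

The shared-secret point of the Digest slide is visible in verify_digest: the server can only check a response if it holds the same password (or, in the AKA case, the XRES derived from the same K), so a visited-network proxy that merely relays the exchange learns nothing it can reuse, which is exactly why the later slides add a separate proxy-to-proxy challenge.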


Uni-Fy

The proposed solution is based on the Uni-Fy distributed access control system.

Uni-Fy characteristics: a wireless LAN/hotspot management system with
• distributed authentication
• access and policy control
• other capabilities

Authentication and authorization functions are implemented at the application layer, while access control is applied at the IP layer by means of a firewalling capability; the overall scheme can be viewed as a captive portal implementation. Uni-Fy is used within the TWELVE research project (developed by the University of Trento).

Uni-Fy architecture (architecture figure, not reproduced in the text)

Uni-Fy architecture

Access network: the network through which mobile users attach to the rest of the network (e.g. the Internet) and, after being successfully authenticated, gain connectivity towards it.

Gateway: acts as the access router for the access network; it enforces the policy rules (as PEP) dynamically set up by the Gatekeeper.

Gatekeeper: together with the Gateway, it enforces the authentication procedure before granting access to mobile users; it works at application level, redirecting specific application sessions to a proper authentication server.

Authentication Provider: directly or indirectly trusted by the Gatekeeper; application sessions are redirected to it in order to force a proper authentication procedure. Its implementation strictly depends on the specific application supported for authentication purposes (HTTP, SIP, others); it optionally uses a backend authentication server (an AAA server such as a RADIUS or Diameter server) and an LDAP or DB repository.


GW and GK architecture

GW and GK can be co-located or implemented on different nodes.

SIP-based authentication scheme

Proposal of a captive-portal-like access control mechanism based on the Uni-Fy architecture:
• open and flexible SIP authentication procedure
• the same signaling platform used for multimedia real-time services and by 3G mobile networks

When a mobile user roams into a new visited network, it tries to authenticate with its own (home) SIP server; this procedure is intercepted by the local GK administered by the visited ISP, and the authentication procedure between the mobile user and its SIP server then goes on with some modifications.


SIP extension

For ISP-to-ISP authentication and correct retrieval of authorization information, an extension of the SIP authentication procedure is proposed.

Two new header fields are defined:

Proxy-To-Proxy-Authenticate (pp-authenticate)
• used to carry authentication request information
• sent by a generic intermediate proxy to authenticate a next-hop entity, so that information returned in the response by that next-hop entity can be trusted
• inserted by the proxy within the second SIP request from the UAC to the next-hop entity

Proxy-To-Proxy-Authorization (pp-authorization)
• used to carry authentication response information
• inserted in a SIP response message by the next-hop entity in response to the pp-authenticate request


Authentication scheme

Entities: CLIENT (UAC), Uni-Fy, SIP SERVER (UAS)

1. CLIENT → Uni-Fy → SIP SERVER: CLIENT REGISTER
2. SIP SERVER → CLIENT: 401 UNAUTHORIZED (WITH CHALLENGE)
3. CLIENT → Uni-Fy: CLIENT REGISTER (WITH RESPONSE)
4. Uni-Fy → SIP SERVER: CLIENT REGISTER (WITH RESPONSE) + pp-authenticate. The new header "Proxy-To-Proxy-Authenticate" is added by Uni-Fy.
5. SIP SERVER → Uni-Fy: 200/OK + pp-authorization. This is the answer to the usual supplicant authentication procedure plus the answer to the challenge coming from Uni-Fy ("Proxy-To-Proxy-Authorization").
6. Uni-Fy checks the response to the challenge. Independently, the 200/OK is sent to the supplicant.
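The following is an added example, not the Uni-Fy/TWELVE code or the authors' implementation, covering both the Gateway/Gatekeeper split of the architecture slides and the proxy-to-proxy scheme above. It models the Gatekeeper (GK) intercepting the supplicant's second REGISTER, inserting Proxy-To-Proxy-Authenticate, verifying Proxy-To-Proxy-Authorization in the 200/OK from the home SIP server, and only then installing the Gateway (GW) policy rule for the client at IP level. The slides only name the two header fields: the header parameter names (realm, nonce, response), the HMAC-SHA256 response computation over the GK/server shared secret, the rule lifetime and the set of ports redirected to the GK are all assumptions of this example, and the SIP messages are constructed.

```python
"""Added example (not Uni-Fy/TWELVE code): Gatekeeper proxy-to-proxy challenge
plus dynamic Gateway policy rule. Header syntax and response function are
assumptions; the slides only define the header names."""
import hashlib
import hmac
import secrets
import time


def parse_sip_message(raw: str):
    """Split a SIP message into (start line, {header-name-lower: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_auth_params(value: str):
    """Parse 'SCHEME k1="v1", k2="v2"' into (scheme, dict). Assumed syntax."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        params[k.strip()] = v.strip().strip('"')
    return scheme, params


def pp_response(secret: bytes, nonce: str, realm: str, call_id: str) -> str:
    # Assumed computation: HMAC-SHA256 over the challenge bound to the Call-ID,
    # keyed with the secret shared between the GK and the home SIP server.
    msg = f"{nonce}:{realm}:{call_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Gateway:
    """PEP: IP-layer allow-list, set up dynamically by the Gatekeeper."""
    AUTH_PORTS = (5060, 80)   # assumed: SIP and HTTP sessions go to the GK

    def __init__(self):
        self.allowed = {}     # client ip -> rule expiry (epoch seconds)

    def grant(self, ip, ttl, now=None):
        now = time.time() if now is None else now
        self.allowed[ip] = now + ttl

    def decide(self, src_ip, dst_port, now=None):
        now = time.time() if now is None else now
        if self.allowed.get(src_ip, 0) > now:
            return "forward"                 # authenticated, rule still valid
        if dst_port in self.AUTH_PORTS:
            return "redirect-to-gk"          # captive-portal style interception
        return "drop"                        # default deny for everything else


class Gatekeeper:
    def __init__(self, gateway, secret, realm="visited.example"):
        self.gw, self.secret, self.realm = gateway, secret, realm
        self.pending = {}     # call-id -> (nonce, client ip) awaiting 200/OK

    def forward_register(self, raw, client_ip):
        """Second REGISTER (with response): add pp-authenticate, then forward."""
        start, h = parse_sip_message(raw)
        if not start.startswith("REGISTER") or "authorization" not in h:
            return raw                       # first REGISTER passes unchanged
        nonce = secrets.token_hex(16)
        self.pending[h["call-id"]] = (nonce, client_ip)
        head, sep, body = raw.partition("\r\n\r\n")
        hdr = f'\r\nProxy-To-Proxy-Authenticate: PP realm="{self.realm}", nonce="{nonce}"'
        return head + hdr + sep + body

    def handle_response(self, raw, now=None):
        """200/OK from the home server: verify pp-authorization, open the GW.
        The 200/OK is relayed to the supplicant regardless (not modelled)."""
        start, h = parse_sip_message(raw)
        entry = self.pending.pop(h.get("call-id"), None)
        if entry is None or not start.startswith("SIP/2.0 200"):
            return False
        nonce, client_ip = entry
        value = h.get("proxy-to-proxy-authorization")
        if value is None:
            return False
        _, p = parse_auth_params(value)
        expected = pp_response(self.secret, nonce, self.realm, h["call-id"])
        if p.get("nonce") != nonce or not hmac.compare_digest(p.get("response", ""), expected):
            return False
        self.gw.grant(client_ip, ttl=3600, now=now)   # assumed rule lifetime
        return True


def home_server_200ok(forwarded_register: str, secret: bytes) -> str:
    """Home SIP server: after the usual supplicant Digest check (not shown),
    answer the GK challenge inside the 200/OK with pp-authorization."""
    _, h = parse_sip_message(forwarded_register)
    _, p = parse_auth_params(h["proxy-to-proxy-authenticate"])
    realm, nonce, call_id = p["realm"], p["nonce"], h["call-id"]
    resp = pp_response(secret, nonce, realm, call_id)
    return ("SIP/2.0 200 OK\r\n" + f"Call-ID: {call_id}\r\n"
            + f'Proxy-To-Proxy-Authorization: PP realm="{realm}", nonce="{nonce}", response="{resp}"'
            + "\r\n\r\n")
```

A client whose home server cannot answer the GK challenge (wrong or missing shared secret) still receives its 200/OK, but the Gateway rule is never installed, so its traffic stays at "drop" or "redirect-to-gk". Binding the response to the Call-ID and comparing it in constant time are the two checks a reviewer would look for in the GK plugin.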


Implementation testbed

The whole authentication and authorization scenario has been implemented in a testbed based on the Uni-Fy access control mechanism.

• GW and GK nodes have been realized based on the original Uni-Fy implementation (TWELVE project; http://netmob.unitn.it/twelve.html)
• The GK plugin for SIP has been developed in C++ based on the reSIProcate C++ SIP stack library (http://www.sipfoundry.org/reSIProcate)
• The proxy server (suitably extended with proxy-to-proxy authentication) has been implemented in Java based on the mjsip SIP stack library and reference implementation (http://www.mjsip.org)


Future Work

• Improve the current shared-secret mechanism between Uni-Fy and the next-hop entity
• Access the 3G SIM card in order to base the authentication procedure on the credentials stored in the SIM card


Thank you for your attention!!

For further details, please contact:

[email protected]