Mobile IPv6 Authentication Architecture Using AAA
Kim Mi Young, Soongsil University
Dec 18, 2015
Contents
- Introduction
- Model
- Diameter Service Architecture
- Assumptions
- Basic Features
- MIPv6 Application: Diameter Messages
- Information Exchange (MN, AAA Client)
- Basic Protocol Overview
- Diameter Protocol Structure in Mobile IPv6
- Enhanced Protocol Operation
- Security Considerations
- AAA Architecture for Mobile IPv6
Introduction
Inter-domain mobility support in pure MIPv6?
- Scalability problem
- Commercial deployment problem
What about using AAA (Diameter)?
- Authentication / Authorization / Accounting
- Inter-domain operable
- Global-scale service
- Secure communication between AAA servers
What about using Diameter extensions in MIPv6?
- Global roaming over a secure infrastructure
- Needs new messages and behavior
Diameter Application
- Distribution of secure keys
- Providing MIPv6 with an inter-domain mobility procedure
- General and optimized AAA service for MIPv6
Diameter Service Architecture
(figure: PDA and computer clients attach over PPP / wireless access to a Diameter server in the visited network; a Diameter broker relays AAA messages between the visited-network and home-network Diameter servers)
Diameter vs. Radius

| | Diameter | Radius |
| Service target | Users across multiple domains | End-users within a small domain |
| Service paradigm | Broker-based peer-to-peer | Client / Server |
| Connection type | Connection-oriented | Connectionless |
| Security | End-to-end security: TLS (optional at the client), SCTP, IPsec (mandatory); the entire packet is encrypted | Security between server and end-user: CHAP / PAP; only the user password is encrypted |
| Attribute space | 32-bit AVPs (up to 2^32 pairs) | 8-bit AVPs (up to 2^8 pairs) |
| Transport protocol | TCP | UDP |
| Message transmission | Request / Response, plus unsolicited messages | Request / Response only |
| Fail-over | Built-in fail-over (DWR / DWA) | - |
| Fixed-network environment | Roaming users | Fixed / roaming users |
| Other | Capability negotiation (version, apps, ...); high extensibility | Low extensibility |
| Recommended service | Mobile network environment; Mobile IP users; users requiring strong security | - |

Comparison of Diameter and Radius
(figure: the mobile node in the visited domain abc.com talks to an AAA client, which talks to the AAAv server; the AAAv server talks to the AAAh server in the home domain xyz.com, which in turn talks to the home agent through its own AAA client; numbered arrows (1)-(4) mark the MN-to-AAA-client exchange, client-server communication, and server-server communication)
Model
Mobility entities
- MN (Mobile Node)
- HA (Home Agent)
- AAA Client (Attendant): the AAA relay entity; forwards the user ID and authentication information; an access router or AA agent
- AAAv Server: AAA server in the visited domain
- AAAh Server: AAA server in the home domain
Assumptions
Identity for the MN
- NAI (Network Access Identifier): RFC 2794
- Home address of the MN
- If the MN has both, AAA uses the NAI; if it has only one, AAA uses that one
Shared long-term key (MN and AAAh)
- Network and user authentication
Secure communication (between AAAv and AAAh)
- SA between the AAA (Diameter) servers
- Information is exchanged over a secure channel
Basic Features (1): Authentication / Authorization
Authentication and Authorization (AA)
- Mutual AA
- Visited network: network resource planning and protection
- IPv6 node: protection against impersonation (false BTS attack)
Basic Features (2): Dynamic Home Agent Assignment in the Home Domain
Network renumbering / unfixed assignment
- Provides dynamic home agent assignment
Dynamic HA address discovery mechanism
- In MIPv6: many round trips / much signaling / long delay
- Over the AAA infrastructure: one round trip
Basic Features (3): Key Distribution
Dynamic security associations
- MN and visited network: confidentiality and integrity of data over the access link
- MN and home agent: BU / BA must be protected; key distribution algorithm (e.g. IKE)
Basic Features (4): Optimization of Binding Updates
Role of the AAA server in this I-D
- Authentication / authorization
- Key distribution
- Dynamic home agent allocation
Optimization of BU
- Pre-assumption: the MN knows its HA
- MN behavior: embeds the BU in the AAA request message
- AAA behavior: processes the BU (relays it to the HA)
Steps for binding update
1. Obtain authentication through the AAA infrastructure
2. Dynamic home agent address discovery (DHAAD)
3. Establish the SA between MN and HA (e.g. Internet Key Exchange, IKE)
4. Binding update request (BU) / acknowledgement (BA)
MIPv6 App. Diameter Messages (1)
Command codes
- ARR: AA-Registration-Request (Attendant -> AAAL -> AAAH)
- ARA: AA-Registration-Answer (AAAH -> AAAL -> Attendant)
- HOR: Home-Agent-MIPv6-Request (AAAH -> HA)
- HOA: Home-Agent-MIPv6-Answer (HA -> AAAH)
MIPv6 App. Diameter Messages (2)
AVPs (Attribute Value Pairs)
- MIP-Binding-Update: Type OctetString, Payload: BU message
- MIP-Binding-Acknowledgement: Type OctetString, Payload: BA message
- MIPv6-Mobile-Node-Address: Type IPAddress, Payload: home address of the MN
- MIPv6-Home-Agent-Address: Type IPAddress, Payload: home agent address of the MN
- MIPv6-Feature-Vector: Type Unsigned32, Payload: flag for dynamic HA assignment; flag value = 1 requests dynamic HA assignment
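As an added example (not from the slides), the AVPs listed above encoded and decoded in the Diameter base-protocol AVP layout in Python; the AVP codes are placeholders, since the slides assign none, and the Address encoding (2-byte address family, 2 = IPv6) follows the Diameter base protocol.

```python
import struct
import ipaddress

# PLACEHOLDER AVP codes for illustration only: the slides do not give the
# codes assigned to the MIPv6 application's AVPs.
AVP_MIP_BINDING_UPDATE = 9001
AVP_MIPV6_MOBILE_NODE_ADDRESS = 9002
AVP_MIPV6_FEATURE_VECTOR = 9004
FLAG_DYNAMIC_HA_ASSIGNMENT = 0x1   # Feature-Vector flag value 1: request dynamic HA
AVP_FLAG_MANDATORY = 0x40          # Diameter 'M' bit

def encode_avp(code, data, flags=AVP_FLAG_MANDATORY):
    """Diameter AVP: 32-bit code, 8-bit flags, 24-bit length (header + data,
    padding excluded), then data padded to a 4-byte boundary."""
    length = 8 + len(data)
    header = struct.pack(">IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def encode_unsigned32(code, value):
    return encode_avp(code, struct.pack(">I", value))

def encode_address(code, addr):
    """Diameter Address type: 2-byte address family (2 = IPv6) + the address."""
    return encode_avp(code, struct.pack(">H", 2) + ipaddress.IPv6Address(addr).packed)

def decode_avps(buf):
    """Parse a run of AVPs into {code: data}; vendor-specific (V bit) AVPs
    are not handled in this illustration."""
    avps, pos = {}, 0
    while pos < len(buf):
        code = struct.unpack_from(">I", buf, pos)[0]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        avps[code] = bytes(buf[pos + 8:pos + length])
        pos += length + (-length % 4)        # skip the padding
    return avps

def build_arr_avps(home_addr, bu_payload, request_dynamic_ha):
    """AVPs an attendant places in an ARR that carries an embedded BU."""
    fv = FLAG_DYNAMIC_HA_ASSIGNMENT if request_dynamic_ha else 0
    return (encode_unsigned32(AVP_MIPV6_FEATURE_VECTOR, fv)
            + encode_address(AVP_MIPV6_MOBILE_NODE_ADDRESS, home_addr)
            + encode_avp(AVP_MIP_BINDING_UPDATE, bu_payload))

def wants_dynamic_ha(avps):
    """AAAh-side check of the Feature-Vector flag in a decoded ARR."""
    fv = struct.unpack(">I", avps[AVP_MIPV6_FEATURE_VECTOR])[0]
    return bool(fv & FLAG_DYNAMIC_HA_ASSIGNMENT)
```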
Information Exchange (1) (MN, AAA Client)
MIP feature data
- When requesting dynamic HA assignment
- Feature data carried in ICMPv6 / a new destination option / etc.
EAP data
- MIPv6 node: various AA methods (including EAP)
Embedded data
- Send/receive the BU and BA inside the AAA request message (piggyback)
- Reduces round trips (BU optimization)
Information Exchange (2) (MN, AAA Client)
Authentication
- The MN must be authenticated before it accesses the visited network
- Mutual authentication (MN <-> visited network)
- Default: mutual challenge exchange (in the Router Advertisement)
Messages
- ARR: Authentication Registration Request
- ARA: Authentication Registration Answer
- HOR: Home-Agent-MIPv6-Request
- HOA: Home-Agent-MIPv6-Answer
Diameter Protocol Structure in Mobile IPv6: Basic Operation
(sequence diagram; participants: MN, Attendant/AAA Client, AAAL, AAAH, HA)
1. RA (Attendant -> MN): local challenge, ID of the visited network, prefix of the visited network
2. EAP(AReq) (MN -> Attendant): local challenge, NAI of the MN, authentication data computed with the LSK shared with AAAh, home address, home agent address, BU. Attendant: verify the AReq with the local challenge; find the AAAH from the NAI of the MN
3. ARR (Attendant -> AAAL): User-Name option (NAI of the MN), MIPv6-Feature-List option, embedded data (BU), home agent address
4. ARR (AAAL -> AAAH). AAAH: authenticate the ARR using AAA; Diameter message processing; create the session key (AAA client, MN); generate authentication data
5. HOR (AAAH -> HA): BU message, authentication data, security materials. HA: binding update (generate BCE)
6. HOA (HA -> AAAH): embedded BA, authentication data
7. ARA (AAAH -> AAAL): embedded BA, session key (MN, Attendant), keying materials, authentication data, result code (success/fail)
8. ARA (AAAL -> Attendant). Attendant: ARA authentication using AAA; copy the session key into local storage
9. EAP(ARsp) (Attendant -> MN): keying materials, authentication data, embedded BA. MN: authenticate the ARA; generate the session key; authenticate the BA
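As an added illustration that is not part of the slides, the challenge and authentication-data handling of steps 1, 2 and 4 and the session-key derivation carried in the ARA, in Python; HMAC-SHA256, the field layout under the MAC and the attendant identifier are assumptions, since the slides do not name the algorithms.

```python
import hmac
import hashlib
import os

# Assumption: HMAC-SHA256 serves as both the authentication-data function and
# the key-derivation function; the slides leave the algorithms unspecified.
def mac(key, *parts):
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)   # length-prefix each field
    return h.digest()

def mn_build_areq(lsk, nai, local_challenge, bu):
    """Step 2 (MN): authentication data over the NAI, the attendant's local
    challenge and the embedded BU, keyed with the LSK shared with AAAh."""
    auth = mac(lsk, b"areq", nai, local_challenge, bu)
    return {"nai": nai, "challenge": local_challenge, "bu": bu, "auth": auth}

def attendant_check_challenge(areq, issued_challenge):
    """Step 2 (Attendant): the response must answer the challenge sent in the RA."""
    return hmac.compare_digest(areq["challenge"], issued_challenge)

def aaah_verify_auth(lsk, areq):
    """Step 4 (AAAh): only AAAh holds the LSK, so only it can recompute the
    authentication data; a modified BU or replayed challenge fails here."""
    expected = mac(lsk, b"areq", areq["nai"], areq["challenge"], areq["bu"])
    return hmac.compare_digest(expected, areq["auth"])

def derive_session_key(lsk, nai, local_challenge, attendant_id):
    """Session key (MN, Attendant): AAAh derives it and ships it in the ARA;
    the MN derives the same value after authenticating the ARsp."""
    return mac(lsk, b"sess", nai, local_challenge, attendant_id)

def run_basic_exchange(lsk, nai, bu, attendant_id=b"attendant@abc.com"):
    """Steps 1, 2, 4 and 7/9 in one place; returns the shared session key or None."""
    challenge = os.urandom(16)                        # step 1: RA carries it
    areq = mn_build_areq(lsk, nai, challenge, bu)     # step 2
    if not attendant_check_challenge(areq, challenge):
        return None
    if not aaah_verify_auth(lsk, areq):               # step 4
        return None
    k_aaah = derive_session_key(lsk, nai, challenge, attendant_id)  # in ARA
    k_mn = derive_session_key(lsk, nai, challenge, attendant_id)    # at MN
    return k_aaah if k_aaah == k_mn else None
```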
Enhanced Protocol Operation (1)
If the MN does not know a pre-configured HA
- Dynamic HA assignment
- Dynamic home address assignment
- Contains all features of the basic operation: key distribution, optimized (embedded) BU
Authentication: same as in the basic operation
Additional activities
- Behavior of entities
- AVPs
Home agent assignment in the home network
Enhanced Protocol Operation (2)
(sequence diagram; participants: MN, Attendant/AAA Client, AAAL, AAAH, HA)
1. RA (Attendant -> MN): local challenge, ID of the visited network, prefix of the visited network
2. EAP(AReq) (MN -> Attendant): local challenge, NAI of the MN, authentication data computed with the LSK shared with AAAh, BU. Attendant: verify the AReq with the local challenge; find the AAAH from the NAI of the MN
3. ARR (Attendant -> AAAL): User-Name option (NAI of the MN), MIPv6-Feature-List option (Mobile-Node-Home-Address-Request=1, Home-Agent-Request=1), embedded data (BU)
4. ARR (AAAL -> AAAH). AAAH: authenticate the ARR using AAA; HA assignment (new_HA); reconfigure the BU message (new_HA); Diameter message processing; assign the MN's home address if no MIPv6-Mobile-Node-Address is present and the HAO of the BU is null; create the session key (AAA client, MN); generate authentication data
5. HOR (AAAH -> HA): BU message (new_BU), authentication data. HA: binding update (generate BCE)
6. HOA (HA -> AAAH): embedded BA
7. ARA (AAAH -> AAAL): embedded BA, MIPv6-Mobile-Node-Address AVP, MIPv6-Home-Agent-Address AVP, session key (MN, Attendant), keying materials (MN, Attendant), authentication data, result code (success/fail)
8. ARA (AAAL -> Attendant). Attendant: ARA authentication using AAA; copy the session key into local storage
9. EAP(ARsp) (Attendant -> MN): keying materials (MN, Attendant), authentication data, embedded BA. MN: authenticate the ARsp; authenticate the BA; generate the session key; save the MN's home address; save the HA's address from the BA
Security Considerations
Analysis
- Security: the embedded BU/BA opens a security gap; additional security functions are required at steps 1 (RA), 2 (ARR) and 9 (ARA)
- Performance: a total of 9 message exchange steps; embedded BU/BA
AAA Architecture for Mobile IPv6 (1)
Proposed by F. Dupont, "AAA for Mobile IPv6"
Features
- Uses AAA (RADIUS / DIAMETER)
- MN <-> Attendant: a 12-step message exchange
AAA messages
- AS: Attendant Solicitation
- AA: Attendant Advertisement
- AReq: Authentication Request
- AMR: Authentication MN-Request
- AMA: Authentication MN-Answer
- AHR: Authentication HA-Request
- AHA: Authentication HA-Answer
- ARsp: Authentication Reply
AAA Architecture for Mobile IPv6 (2)
(sequence diagram; participants: MN, Attendant, AAAL, AAAH, HA; messages in order as labelled: AS, AA, AReq, AMR, AMR, AHR, AHA, AMA, AMA, AReq, BU, BA)
- AA (Attendant -> MN): local challenge
- AReq (MN -> Attendant): MN's NAI, home address, home agent address, SecuParam_i (HASH, SA, Ni, ...), authenticator. Attendant: authenticate the AReq with the local challenge; convert the AReq to the AAA protocol; find the AAAH with the domain name in the NAI
- AMR (Attendant -> AAAL -> AAAH): forwards the AReq message. A prior roaming agreement exists between AAAL and AAAH; authentication is based on AAA/AAAL
- AHR / AHA (AAAH <-> HA): authenticate the MN; generate the session key (MN <-> Attendant). Parameters shown: MN's home address, SecuParam_r (HASH, SA, Nr, ...), RC code, session key, authenticator
- AMA (AAAH -> AAAL -> Attendant): forwards the AHA message. Attendant: store the session key
- Final message to the MN (labelled AReq in the diagram), then BU / BA. MN: generate the session key