
Page 1: AAA/Mobile IP For 3G CDMA Systems

Gopal Dommety and Allen Long

© 1999, Cisco Systems, Inc.

Page 2: Outline

Cisco Confidential

• Requirements

• Architecture and trust Model

• VPN access

• Optimizations

• Conclusions

Page 3: Requirements

• Authentication of the HA and MN

• Authentication of the HA and FA

• Compulsory secure tunneling between the HA and the FA

• Roaming support to non-home wireless carrier networks (the visited carrier could be an ISP)

Page 4: Requirements (continued)

• Handoff delay should be minimized

• Dynamic home address allocation

• Assurance of service offering to the Home-WL/ISP

• Dynamic home agent allocation

Page 5: Desirable Features

• No changes to the RADIUS protocol

• No changes to IKE/IPsec

• No changes to Mobile IP

• Perform IKE and IPsec in order to secure traffic into the corporate network

• It may not be feasible for the HAAA to be outside the firewall

Page 6: Architecture

[Figure: architecture diagram. The foreign wireless operator runs the PDSN/FA that serves the MN and its own AAA server (FAAA); it is shown alongside the 2G narrowband digital systems (GSM, IS-54/13, PDC). The home wireless operator or ISP hosts the HA and the Home AAA Server (HAAA).]

Page 7: Security

• HA-MN shared key

• HA and FA have certificates

• Shared key between FA and FAAA, and between HA and HAAA

Page 8: Authentication - Basic

[Figure: message flow between MN, PDSN/FA, FAAA, Home-WL/ISP (HAAA) and HA. The PDSN sends an Advertisement; the MN replies with a Reg Req (NAI); the PDSN sends an AccessReq to FAAA, which optionally relays it as Opt-AccessReq to the HAAA at the Home-WL/ISP and returns the Opt-AccessReply/AccessReply; the PDSN forwards the Reg Req (NAI) to the HA; PDSN and HA exchange IKE messages (3 round trips); the HA returns the RegReply, which the PDSN relays to the MN.]

Uses existing protocols

Additionally uses NAI Draft

Access Request and IKE can happen in parallel
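The MN-HA authentication that this basic flow relies on (the HA-MN shared key of page 7) is the Mobile-Home Authentication Extension of RFC 2002, carried on the Reg Req together with the NAI extension of the NAI draft. The Go program below is an added example and not code from the deck or from Cisco: it builds a Registration Request with a zero home address (the dynamic home address allocation case of page 4), appends the NAI extension and the MN-HA authentication extension, computes the RFC 2002 default keyed-MD5 prefix+suffix authenticator, and shows the HA-side checks: the digest under the secret selected by NAI and SPI, and the timestamp-based Identification replay check. The NAI, secret, SPI value, addresses and clock window are constructed for the example; the rule that an accepted Identification must be strictly newer than the last one is a hardening assumption of this example, not something the deck states.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Values from RFC 2002 and the MN NAI draft the deck cites (later RFC 2794).
const (
	regRequestType    = 1   // Registration Request message type
	extMobileNodeNAI  = 131 // Mobile Node NAI extension type
	extMobileHomeAuth = 32  // Mobile-Home Authentication Extension type
	digestLen         = 16  // 128-bit keyed-MD5 authenticator
)

// RegRequest is the 24-byte fixed part of a Registration Request (RFC 2002, 3.3).
type RegRequest struct {
	Flags          byte
	Lifetime       uint16
	HomeAddr       net.IP // 0.0.0.0 when the MN asks for a dynamically allocated home address
	HomeAgent      net.IP
	CareOf         net.IP
	Identification uint64 // timestamp form: NTP seconds in the high 32 bits
}

func (r RegRequest) fixed() []byte {
	b := make([]byte, 24)
	b[0], b[1] = regRequestType, r.Flags
	binary.BigEndian.PutUint16(b[2:], r.Lifetime)
	copy(b[4:], r.HomeAddr.To4())
	copy(b[8:], r.HomeAgent.To4())
	copy(b[12:], r.CareOf.To4())
	binary.BigEndian.PutUint64(b[16:], r.Identification)
	return b
}

// keyedMD5 is the RFC 2002 default authenticator, keyed MD5 in "prefix+suffix"
// mode: MD5(secret || data || secret). RFC 3344 later made HMAC-MD5 the default.
func keyedMD5(secret, data []byte) []byte {
	sum := md5.Sum(append(append(append([]byte{}, secret...), data...), secret...))
	return sum[:]
}

// Sign emits fixed header + NAI extension + Mobile-Home Authentication Extension;
// the authenticator covers everything from the start of the request through the SPI.
func Sign(req RegRequest, nai string, spi uint32, secret []byte) []byte {
	msg := append(req.fixed(), extMobileNodeNAI, byte(len(nai)))
	msg = append(msg, nai...)
	msg = append(msg, extMobileHomeAuth, 4+digestLen) // Length excludes Type and Length
	msg = append(msg, byte(spi>>24), byte(spi>>16), byte(spi>>8), byte(spi))
	return append(msg, keyedMD5(secret, msg)...)
}

// HomeAgent is the verifying side: secrets keyed by "nai/spi", the last
// Identification accepted per key, and an injectable NTP-seconds clock.
type HomeAgent struct {
	Secrets     map[string][]byte
	LastIdent   map[string]uint64
	Now         func() uint32
	ClockWindow int64 // tolerated skew in seconds
}

// Verify authenticates the request, applies replay protection and returns the NAI.
func (ha *HomeAgent) Verify(msg []byte) (string, error) {
	if len(msg) < 24 || msg[0] != regRequestType {
		return "", errors.New("malformed registration request")
	}
	ident, nai := binary.BigEndian.Uint64(msg[16:24]), ""
	for off := 24; off+2 <= len(msg) && off+2+int(msg[off+1]) <= len(msg); {
		typ, l := msg[off], int(msg[off+1])
		switch {
		case typ == extMobileNodeNAI:
			nai = string(msg[off+2 : off+2+l])
		case typ == extMobileHomeAuth && l == 4+digestLen:
			key := fmt.Sprintf("%s/%d", nai, binary.BigEndian.Uint32(msg[off+2:off+6]))
			secret, ok := ha.Secrets[key]
			if !ok || subtle.ConstantTimeCompare(keyedMD5(secret, msg[:off+6]), msg[off+6:off+6+digestLen]) != 1 {
				return "", errors.New("authentication failed")
			}
			// Replay protection (RFC 2002, 5.6): timestamp within the HA clock window
			// and, as an added hardening rule, newer than the last one accepted.
			skew := int64(ha.Now()) - int64(uint32(ident>>32))
			if skew > ha.ClockWindow || skew < -ha.ClockWindow || ident <= ha.LastIdent[key] {
				return "", errors.New("identification not fresh")
			}
			ha.LastIdent[key] = ident
			return nai, nil
		}
		off += 2 + l
	}
	return "", errors.New("missing or malformed Mobile-Home Authentication Extension")
}

func main() {
	secret := []byte("constructed-mn-ha-secret")
	ha := &HomeAgent{Secrets: map[string][]byte{"mn@home-isp.example/4096": secret}, LastIdent: map[string]uint64{},
		Now: func() uint32 { return 3000000000 }, ClockWindow: 7}
	req := RegRequest{Lifetime: 1800, HomeAddr: net.IPv4zero, HomeAgent: net.ParseIP("10.0.0.1"),
		CareOf: net.ParseIP("192.0.2.10"), Identification: uint64(3000000000) << 32}
	msg := Sign(req, "mn@home-isp.example", 4096, secret)
	fmt.Println(ha.Verify(msg)) // mn@home-isp.example <nil>
	fmt.Println(ha.Verify(msg)) // the same message again: identification not fresh
}
```

Two points of the design are worth noting. The authenticator only protects what precedes it, so the NAI extension must be placed before the MN-HA extension if the HA is to trust it for the key lookup, and anything the FA appends afterwards (the MN-FA authentication extension, for instance) is outside the MN-HA digest. And because the digest alone does not stop a replay, the Identification check is part of authentication, not an optional extra; the clock window is what bounds how long a captured request stays usable.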

Page 9: Optimizations/Optional Flows

• Challenge response

• Tokens

• IKE private payloads

• Public-key methods can be used to sign Mobile IP Reg Req/Reply messages

• IPsec or SSL between entities

Page 10: Opt-Challenge Response

[Figure: the basic flow with a challenge added. The PDSN's Advertisement carries an optional Challenge; the MN's Reg Req carries the NAI, the Challenge and its response; the PDSN sends an AccessReq (CHAP) to FAAA, optionally relayed as Opt-AccessReq (CHAP) to the HAAA at the Home-WL/ISP, and receives the Opt-AccessReply/AccessReply; the PDSN forwards the Reg Req (NAI) to the HA; PDSN and HA exchange IKE messages (3 round trips); the HA returns the RegReply, which the PDSN relays to the MN.]

Uses existing protocols

Additionally uses NAI Draft, and Challenge Response
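"AccessReq (CHAP)" in the figure means the FA's challenge and the MN's response are carried to the AAA infrastructure as ordinary RADIUS CHAP, which is why the RADIUS protocol needs no change. The Go program below is an added example, not code from the deck or from Cisco: the FA generates the challenge it advertises, the MN answers with the RFC 1994 CHAP response, the FA packages NAI, challenge and response as an RFC 2865 Access-Request (User-Name, CHAP-Challenge, CHAP-Password), and the home AAA server recomputes the response from the user's secret. The NAI, the secret and the 16-octet challenge size are constructed; the home AAA's refusal to honour the same challenge twice is a hardening assumption of this example, not something the deck specifies; and the FA-FAAA RADIUS shared secret of page 7, the proxy hop through FAAA and the Access-Accept are left out to keep the example to the CHAP step.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RADIUS code and attribute types from RFC 2865.
const (
	codeAccessRequest = 1
	attrUserName      = 1  // carries the NAI
	attrCHAPPassword  = 3  // CHAP Ident (1 octet) + 16-octet response
	attrCHAPChallenge = 60 // the challenge the FA advertised
)

// ChapResponse is the MN side, RFC 1994: MD5(Identifier || secret || challenge).
func ChapResponse(ident byte, secret, challenge []byte) []byte {
	sum := md5.Sum(append(append([]byte{ident}, secret...), challenge...))
	return sum[:]
}

// NewChallenge is the FA side: a fresh random challenge for the Advertisement.
func NewChallenge(n int) ([]byte, error) {
	c := make([]byte, n)
	_, err := rand.Read(c)
	return c, err
}

// attr encodes one attribute; Length counts the Type and Length octets.
func attr(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

// BuildAccessRequest is the PDSN/FA side: NAI, challenge and response go to
// FAAA in an Access-Request with a random 16-octet Request Authenticator.
func BuildAccessRequest(id byte, nai string, ident byte, challenge, response []byte) ([]byte, error) {
	var auth [16]byte
	if _, err := rand.Read(auth[:]); err != nil {
		return nil, err
	}
	pkt := append([]byte{codeAccessRequest, id, 0, 0}, auth[:]...) // Length patched below
	pkt = append(pkt, attr(attrUserName, []byte(nai))...)
	pkt = append(pkt, attr(attrCHAPChallenge, challenge)...)
	pkt = append(pkt, attr(attrCHAPPassword, append([]byte{ident}, response...))...)
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	return pkt, nil
}

// parseAttrs checks the header length and splits the attribute list.
func parseAttrs(pkt []byte) (map[byte][]byte, error) {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return nil, errors.New("bad RADIUS length")
	}
	attrs := map[byte][]byte{}
	for off := 20; off < len(pkt); {
		if off+2 > len(pkt) || pkt[off+1] < 2 || off+int(pkt[off+1]) > len(pkt) {
			return nil, errors.New("bad attribute length")
		}
		attrs[pkt[off]] = pkt[off+2 : off+int(pkt[off+1])]
		off += int(pkt[off+1])
	}
	return attrs, nil
}

// HomeAAA models HAAA: each NAI's CHAP secret plus, as an added replay check,
// the (NAI, challenge) pairs it has already honoured.
type HomeAAA struct {
	Secrets map[string][]byte
	Used    map[string]bool
}

// Authenticate returns the authenticated NAI, or an error.
func (s *HomeAAA) Authenticate(pkt []byte) (string, error) {
	attrs, err := parseAttrs(pkt)
	if err != nil {
		return "", err
	}
	nai, challenge, cp := string(attrs[attrUserName]), attrs[attrCHAPChallenge], attrs[attrCHAPPassword]
	if pkt[0] != codeAccessRequest || nai == "" || len(challenge) == 0 || len(cp) != 17 {
		return "", errors.New("not a CHAP Access-Request with a challenge")
	}
	secret, ok := s.Secrets[nai]
	if !ok || subtle.ConstantTimeCompare(ChapResponse(cp[0], secret, challenge), cp[1:]) != 1 {
		return "", errors.New("unknown user or bad CHAP response") // one message, no user enumeration
	}
	key := nai + "/" + hex.EncodeToString(challenge)
	if s.Used[key] {
		return "", errors.New("challenge already used")
	}
	s.Used[key] = true
	return nai, nil
}

func main() {
	secret := []byte("constructed-mn-aaa-secret")
	aaa := &HomeAAA{Secrets: map[string][]byte{"mn@home-isp.example": secret}, Used: map[string]bool{}}
	challenge, _ := NewChallenge(16)
	pkt, _ := BuildAccessRequest(1, "mn@home-isp.example", 9, challenge, ChapResponse(9, secret, challenge))
	fmt.Println(aaa.Authenticate(pkt)) // mn@home-isp.example <nil>
	fmt.Println(aaa.Authenticate(pkt)) // same challenge again: challenge already used
}
```

The part that matters for the roaming case is that only the home AAA needs the user's secret: the FA and FAAA handle the challenge and response opaquely, which is what lets the visited carrier authenticate a foreign subscriber without changing RADIUS. The price is that the challenge must actually be fresh; an FA that reused challenges, or a home AAA that accepted a repeat, would let a captured Access-Request be replayed.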

Page 11: Opt-IKE Private Payloads

• Send the Mobile IP registration message as a Private Payload in IKE phase I messages

[Figure: the basic flow, except that the Reg Req (NAI) and RegReply between the PDSN and the HA ride inside the IKE messages (3 round trips) instead of travelling as separate Mobile IP messages; the Advertisement, Reg Req (NAI) from the MN, AccessReq/AccessReply via FAAA (optionally relayed to HAAA) and the RegReply to the MN are unchanged.]

Uses existing protocols

Additionally uses NAI Draft

Have to define a Mobile IP payload

Page 12: Opt-Token

• Token is sent by the HA to the FA

Option 1: HA generates a token (signing with its private key)

Option 2: Obtain the token from the Home-WL/ISP (similar to OSP, the Open Settlement Protocol of ETSI TIPHON)

[Figure: MN, PDSN, FAAA, HA and HAAA/Home-WL/ISP. The Reg Req (NAI) reaches the HA; the HA returns RegReply[Token] to the PDSN, which relays the RegReply to the MN; an Opt-Authorization Req[Token] / Opt-Authorization Rep[Token] exchange then runs between the PDSN and the AAA infrastructure.]
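Option 1 only helps the visited network if the FA can check the token before it spends an Opt-Authorization Req on it, and the FA can do so because it holds the HA's certificate (page 7). The Go program below is an added example, not code from the deck or from Cisco, of what such a token has to carry for that check to mean something: the NAI it authorises, the identity of the FA it was issued to, the issuing HA, an expiry and a nonce, all under an ECDSA P-256 signature over SHA-256. The field set, the serialisation, the key pair and the hostnames are assumptions of this example (the deck fixes no token format), and fetching the HA public key out of its certificate is left outside the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token is what the HA returns to the FA in RegReply[Token] (Option 1).
// The field set is an assumption of this example; the deck fixes no format.
type Token struct {
	NAI      string  // user the HA has authenticated
	FA       string  // FA/PDSN the token is issued to
	HA       string  // issuing home agent
	NotAfter int64   // expiry, Unix seconds
	Nonce    [8]byte // makes each token unique, e.g. for accounting correlation
	Sig      []byte  // ASN.1 ECDSA signature over SHA-256 of tbs()
}

// tbs serialises the signed fields unambiguously (length-prefixed strings), so
// NAI "ab" + FA "c" cannot be re-read as NAI "a" + FA "bc".
func (t Token) tbs() []byte {
	var b []byte
	for _, s := range []string{t.NAI, t.FA, t.HA} {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(s)))
		b = append(append(b, l[:]...), s...)
	}
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.NotAfter))
	return append(append(b, ts[:]...), t.Nonce[:]...)
}

// NewHAKey generates the HA signing key; in the deck's model the matching public
// key reaches the FA inside the HA certificate.
func NewHAKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Issue is the HA side: bind the token to one user and one FA, then sign it.
func Issue(priv *ecdsa.PrivateKey, nai, fa, ha string, ttl time.Duration, now time.Time) (Token, error) {
	t := Token{NAI: nai, FA: fa, HA: ha, NotAfter: now.Add(ttl).Unix()}
	if _, err := rand.Read(t.Nonce[:]); err != nil {
		return t, err
	}
	h := sha256.Sum256(t.tbs())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	t.Sig = sig
	return t, err
}

// Verify is the FA (or FAAA) side: thisFA is the verifier's own identity and
// expectNAI the NAI from the Registration Request the token should authorise.
func Verify(pub *ecdsa.PublicKey, t Token, expectNAI, thisFA string, now time.Time) error {
	h := sha256.Sum256(t.tbs())
	if !ecdsa.VerifyASN1(pub, h[:], t.Sig) {
		return errors.New("signature does not verify under the HA key")
	}
	if t.NAI != expectNAI {
		return errors.New("token is for a different user")
	}
	if t.FA != thisFA {
		return errors.New("token was issued to a different FA")
	}
	if !now.Before(time.Unix(t.NotAfter, 0)) {
		return errors.New("token expired")
	}
	return nil
}

func main() {
	priv, _ := NewHAKey()
	now := time.Now()
	tok, _ := Issue(priv, "mn@home-isp.example", "pdsn1.visited.example", "ha1.home-isp.example", 30*time.Minute, now)
	fmt.Println("at the FA it was issued to:", Verify(&priv.PublicKey, tok, "mn@home-isp.example", "pdsn1.visited.example", now))
	fmt.Println("presented by another FA:", Verify(&priv.PublicKey, tok, "mn@home-isp.example", "pdsn2.visited.example", now))
}
```

The binding to a named FA and a named user is what turns the signature into an authorization rather than a bare proof that the HA exists: without it, one FA could forward a token it received to another, or reuse it for a second subscriber, and the signature would still verify. For Option 2, where the Home-WL/ISP rather than the HA issues the token, the same checks apply with the issuer's key in place of the HA's.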

Page 13: Conclusions

• Proposal uses existing protocols

• Optimizations for consideration

Page 14: References

• Mobile IP: RFC 2002; draft-ietf-mobileip-mn-nai-00.txt; draft-ietf-mobileip-challenge-01.txt; draft-gupta-mobileip-inline-secparams-00.txt

• IP Security: RFC 2401, RFC 2402, RFC 2406

• IKE: RFC 2409

• TIPHON Inter-domain pricing, authorization, and usage exchange, TS 101 321 V1.4.2 (1998-12)

Page 15: Enabling Wireless Data Services