TRANSCRIPT
© 1999, Cisco Systems, Inc.
Slide 1: AAA/Mobile IP For 3G CDMA Systems
Gopal Dommety and Allen Long
© 1999, Cisco Systems, Inc. Cisco Confidential
Slide 2: Outline
• Requirements
• Architecture and trust Model
• VPN access
• Optimizations
• Conclusions
Slide 3: Requirements
• Authentication of the HA and MN
• Authentication of the HA and FA
• Compulsory secure tunneling between the HA and the FA
• Roaming support to non-home wireless carrier networks (which could be ISPs)
Slide 4: Requirements (continued)
• Handoff delay should be minimized
• Dynamic home address allocation
• Assurance of service offering to the Home-WL/ISP
• Dynamic home agent allocation
Slide 5: Desirable Features
• No changes to the RADIUS protocols
• No changes to IKE/IPsec
• No changes to Mobile IP
• Perform IKE and IPsec in order to secure traffic into the corporate network
• It may not be feasible for the HAAA to be outside the firewall
Slide 6: Architecture
[Figure: architecture diagram. Elements shown: foreign wireless operator's AAA server (FAAA); 2G narrowband digital networks (GSM, IS-54/136, PDC); PDSN/FA; home wireless operator or ISP with its Home AAA server (HAAA) and HA.]
Slide 7: Security
• HA-MN shared key
• HA and FA have certificates
• Shared key between FA and FAAA, and between HA and HAAA
Slide 8: Authentication - Basic
[Figure: message flow between MN, PDSN (FA), FAAA, HA and HAAA (Home-WL/ISP)]
1. PDSN -> MN: Advertisement
2. MN -> PDSN: RegReq (NAI)
3. PDSN -> FAAA: AccessReq; FAAA -> HAAA (Home-WL/ISP): Opt-AccessReq; HAAA -> FAAA: Opt-AccessReply; FAAA -> PDSN: AccessReply
4. PDSN <-> HA: IKE messages (3 round trips)
5. PDSN -> HA: RegReq (NAI)
6. HA -> PDSN -> MN: RegReply
Notes:
• Uses existing protocols
• Additionally uses the NAI draft
• The Access Request and IKE can happen in parallel
Slide 9: Optimizations/Optional Flows
• Challenge/response
• Tokens
• IKE private payloads
• Public key methods can be used to sign Mobile IP RegReq/RegReply messages
• IPsec or SSL between entities
Slide 10: Opt-Challenge Response
[Figure: message flow between MN, PDSN (FA), FAAA, HA and HAAA (Home-WL/ISP)]
1. PDSN -> MN: Advertisement (opt-Challenge)
2. MN -> PDSN: RegReq (NAI, opt-Challenge, response)
3. PDSN -> FAAA: AccessReq (CHAP); FAAA -> HAAA (Home-WL/ISP): Opt-AccessReq (CHAP); HAAA -> FAAA: Opt-AccessReply; FAAA -> PDSN: AccessReply
4. PDSN <-> HA: IKE messages (3 round trips)
5. PDSN -> HA: RegReq (NAI)
6. HA -> PDSN -> MN: RegReply
Notes:
• Uses existing protocols
• Additionally uses the NAI draft and challenge/response
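The two registration flows above (slide 8, basic; slide 10, FA challenge) worked through in code, as an added example that is not part of the original slides. It builds a Mobile IP Registration Request with the NAI extension, the echoed FA challenge and the Mobile-Home Authentication Extension, computes the authenticator with the RFC 2002 default keyed-MD5 "prefix+suffix" algorithm over the HA-MN shared key, and then shows what each side rejects: the FA refuses a replayed request because the challenge is single-use, and the HA refuses it because the Identification field did not advance, while a bit-flipped copy fails the authenticator. Assumptions: the key, SPI, addresses and NAI are constructed sample values; the NAI and challenge extension type codes are the ones later assigned in RFC 2794 and RFC 3012; the RADIUS/CHAP leg between PDSN, FAAA and HAAA is not modelled.

```python
import hashlib
import hmac
import os
import struct

# Type codes. Registration Request and the Mobile-Home Authentication Extension
# are from RFC 2002; the NAI (131) and MN-FA Challenge (132) extension types are
# the values later assigned in RFC 2794 / RFC 3012 and are an assumption here.
REG_REQUEST = 1
EXT_MN_HA_AUTH = 32
EXT_MN_NAI = 131
EXT_MN_FA_CHALLENGE = 132

# Constructed sample values: the HA-MN shared key from the Security slide,
# its SPI, and the addresses carried in the request.
MN_HA_KEY = b"constructed-ha-mn-shared-key"
MN_HA_SPI = 0x100
HOME_ADDR = bytes([10, 0, 0, 5])
HA_ADDR = bytes([10, 0, 0, 1])
CARE_OF_ADDR = bytes([192, 0, 2, 7])


def ext(type_code, data):
    """Encode one Mobile IP extension as Type, Length, Data."""
    return struct.pack("!BB", type_code, len(data)) + data


def keyed_md5_prefix_suffix(key, data):
    """RFC 2002 default authenticator: MD5(key || data || key).
    RFC 3344 later replaced this with HMAC-MD5; kept here to match the cited spec."""
    return hashlib.md5(key + data + key).digest()


def build_reg_request(nai, identification, challenge=None):
    """MN side: fixed header, NAI extension, optional echoed FA challenge, then
    the Mobile-Home Authentication Extension. The authenticator covers the header,
    every prior extension, and the Type/Length/SPI of the auth extension itself."""
    header = struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, 3600,
                         HOME_ADDR, HA_ADDR, CARE_OF_ADDR, identification)
    msg = header + ext(EXT_MN_NAI, nai)
    if challenge is not None:
        msg += ext(EXT_MN_FA_CHALLENGE, challenge)
    auth_head = struct.pack("!BBI", EXT_MN_HA_AUTH, 20, MN_HA_SPI)  # 4-byte SPI + 16-byte digest
    return msg + auth_head + keyed_md5_prefix_suffix(MN_HA_KEY, msg + auth_head)


def parse(msg):
    """Split a request into header fields and a list of (type, offset, data) extensions."""
    fields = struct.unpack("!BBH4s4s4sQ", msg[:24])
    exts, off = [], 24
    while off < len(msg):
        type_code, length = msg[off], msg[off + 1]
        exts.append((type_code, off, msg[off + 2:off + 2 + length]))
        off += 2 + length
    return fields, exts


class ForeignAgent:
    """PDSN/FA: advertises a random challenge and accepts it back exactly once,
    so a captured RegReq cannot be replayed to the FA."""
    def __init__(self):
        self.outstanding = set()

    def advertise(self):
        challenge = os.urandom(16)
        self.outstanding.add(challenge)
        return challenge

    def check_challenge(self, msg):
        _, exts = parse(msg)
        echoed = next((d for t, _, d in exts if t == EXT_MN_FA_CHALLENGE), None)
        if echoed is None:
            return "no challenge echoed"
        if echoed not in self.outstanding:
            return "unknown or already used challenge"
        self.outstanding.discard(echoed)
        return "challenge ok"


class HomeAgent:
    """HA: verifies the MN-HA authenticator and rejects a non-increasing
    Identification field (the RFC 2002 replay check)."""
    def __init__(self):
        self.last_identification = {}

    def verify(self, msg):
        fields, exts = parse(msg)
        nai = next((d for t, _, d in exts if t == EXT_MN_NAI), None)
        auth = next(((off, d) for t, off, d in exts if t == EXT_MN_HA_AUTH), None)
        if nai is None or auth is None:
            return "missing NAI or MN-HA authentication extension"
        off, data = auth
        if struct.unpack("!I", data[:4])[0] != MN_HA_SPI:
            return "unknown SPI"
        expected = keyed_md5_prefix_suffix(MN_HA_KEY, msg[:off + 6])  # up to and including the SPI
        if not hmac.compare_digest(expected, data[4:]):
            return "bad authenticator"
        if fields[6] <= self.last_identification.get(nai, -1):
            return "replayed identification"
        self.last_identification[nai] = fields[6]
        return "accepted"


def demo():
    """A fresh request, the same bytes replayed, and a bit-flipped copy."""
    fa, ha = ForeignAgent(), HomeAgent()
    req = build_reg_request(b"mn@example.net", identification=1000, challenge=fa.advertise())
    results = {"fresh": (fa.check_challenge(req), ha.verify(req))}
    results["replay"] = (fa.check_challenge(req), ha.verify(req))
    tampered = bytearray(req)
    tampered[4] ^= 0x01  # flip one bit of the home address
    results["tampered"] = ha.verify(bytes(tampered))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The challenge only protects the FA side: without it the HA's Identification check still catches a replay at the home network, but the visited network would have already forwarded an AccessReq to the FAAA for a request it cannot tell from a fresh one, which is the gap slide 10 closes.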
Slide 11: Opt-IKE Private Payloads
• Send the Mobile IP registration message as a private payload in IKE phase 1 messages
[Figure: message flow between MN, PDSN (FA), FAAA, HA and HAAA (Home-WL/ISP)]
1. PDSN -> MN: Advertisement
2. MN -> PDSN: RegReq (NAI)
3. PDSN -> FAAA: AccessReq; FAAA -> HAAA (Home-WL/ISP): Opt-AccessReq; HAAA -> FAAA: Opt-AccessReply; FAAA -> PDSN: AccessReply
4. PDSN <-> HA: IKE messages (3 round trips), carrying RegReq (NAI) and RegReply as private payloads
5. PDSN -> MN: RegReply
Notes:
• Uses existing protocols
• Additionally uses the NAI draft
• A Mobile IP payload has to be defined
Slide 12: Opt-Token
• The token is sent by the HA to the FA
• Option 1: the HA generates the token (signing with its private key)
• Option 2: obtain the token from the Home-WL/ISP (similar to OSP, the Open Settlement Protocol from ETSI TIPHON)
[Figure: message flow between MN, PDSN (FA), FAAA, HA and HAAA (Home-WL/ISP)]
1. MN -> PDSN: RegReq (NAI)
2. PDSN -> HA: RegReq (NAI)
3. HA -> HAAA (Home-WL/ISP): Opt-Authorization Req [Token]; HAAA -> HA: Opt-Authorization Rep [Token]
4. HA -> PDSN: RegReply [Token]
5. PDSN -> MN: RegReply
Slide 13: Conclusions
• The proposal uses existing protocols
• Optimizations for consideration
Slide 14: References
• Mobile IP: RFC 2002; draft-ietf-mobileip-mn-nai-00.txt; draft-ietf-mobileip-challenge-01.txt; draft-gupta-mobileip-inline-secparams-00.txt
• IP Security: RFC 2401, RFC 2402, RFC 2406
• IKE: RFC 2409
• TIPHON: Inter-domain pricing, authorization, and usage exchange, TS 101 321 V1.4.2 (1998-12)
Slide 15: Enabling Wireless Data Services