Mobile IPv6 Authentication Framework Using AAA
Kim Mi Young, Soongsil University, mizero31@sunny.soongsil.ac.kr
Contents
- Introduction
- Model
- Diameter Service Architecture
- Assumptions
- Basic Features
- MIPv6 Application Diameter Messages
- Information Exchange (MN, AAA Client)
- Basic Protocol Overview
- Diameter Protocol Architecture in Mobile IPv6
- Enhanced Protocol Operation
- Security Consideration
- AAA Architecture for Mobile IPv6
Introduction
- Inter-domain mobility support in pure MIPv6?
  - Scalability problem
  - Commercial deployment problem
- What about using AAA (Diameter)?
  - Authentication / Authorization / Accounting
  - Inter-domain operable, global-scale service
  - Secure communication between AAA servers
- What about using a Diameter extension in MIPv6?
  - Global roaming with a secure infrastructure
  - Needs new messages and behavior: a Diameter application
- Diameter application
  - Distribution of security keys
  - Providing MIPv6 with the mobility procedure (inter-domain)
  - General and optimized AAA service for MIPv6
Diameter Service Architecture
Diameter vs. RADIUS

| Item | Diameter | RADIUS |
|---|---|---|
| Service target | Users across multiple domains | End users within a small domain |
| Service paradigm | Broker-based peer-to-peer | Client / server |
| Connection type | Connection-oriented | Connectionless |
| Security | End-to-end security; TLS (optional on the client), SCTP, IPsec (mandatory); the whole packet is encrypted | Security between server and end user; CHAP / PAP; only the user password is encrypted |
| Attribute space | 32-bit AVP support (up to 2**32 pairs) | 8-bit AVP support (up to 2**8 pairs) |
| Transport protocol | TCP | UDP |
| Message transfer | Request / Response, unsolicited messages | Request / Response only |
| Fail-over | Built-in fail-over (DWR / DWA) | - |
| Other | Capability negotiation (version, applications, ...); high extensibility | Low extensibility |
| Recommended services | Fixed network environment, mobile network environment, roaming users, Mobile IP users, users needing strong security | Fixed / roaming users; - |
Model
Mobility entities
- MN (Mobile Node)
- HA (Home Agent)
- AAA Client (Attendant): access router or AA agent
- AAAv Server: AAA server in the visited domain; acts as the AAA relay entity (forwards the user ID and the authentication information)
- AAAh Server: AAA server in the home domain
Assumptions
- Identity for the MN
  - NAI (Network Access Identifier): RFC 2794
  - Home address of the MN
  - If the MN has both: AAA uses the NAI; if the MN has only one: AAA uses that one
- Shared long-term key (MN and AAAh)
  - Network and user authentication
- Secure communication (between AAAv and AAAh)
  - SA between AAA (Diameter) servers
  - Information exchanged over a secure channel
Basic Features (1): Authentication / Authorization
- Authentication and Authorization (AA)
  - Mutual AA
  - Visited network: network resource planning and protection
  - IPv6 node: protection against impersonation (false BTS attack)
Basic Features (2): Dynamic Home Agent Assignment in the Home Domain
- Network renumbering / unfixed assignment
  - Provides dynamic home agent assignment
- Dynamic HA address discovery mechanism
  - In MIPv6: many round-trips / much signaling / long delay
  - Over the AAA infrastructure: one round-trip
Basic Features (3): Key Distribution
- Dynamic security associations
  - MN and visited network: confidentiality and integrity of data over the access link
  - MN and home agent: BU / BA (must be protected); key distribution algorithm (e.g. IKE)
Basic Features (4): Optimization of Binding Updates
- Role of the AAA server in this I-D
  - Authentication / authorization
  - Key distribution
  - Dynamic home agent allocation
- Optimization of the BU
  - Pre-assumption: the MN knows its HA
  - MN behavior: embeds the BU in the AAA request message
  - AAA behavior: processes the BU (relays it to the HA)
- Steps for a binding update
  - Obtain authentication through the AAA infrastructure
  - Dynamic home agent address discovery (DHAAD)
  - Establish an SA between the MN and the HA (e.g. Internet Key Exchange, IKE)
  - Binding update request (BU) / acknowledgement (BA)
MIPv6 Application Diameter Messages (1): Command Codes
- ARR: AA-Registration-Request
- ARA: AA-Registration-Answer: AAAH -> AAAL -> Attendant
- HOR: Home-Agent-MIPv6-Request: Attendant -> AAAL -> AAAH -> HA
- HOA: Home-Agent-MIPv6-Answer: HA -> AAAH
MIPv6 Application Diameter Messages (2): AVPs (Attribute Value Pairs)
- MIP-Binding-Update: Type OctetString, Payload: BU message
- MIP-Binding-Acknowledgement: Type OctetString, Payload: BA message
- MIPv6-Home-Agent-Address: Type IPAddress, Payload: home agent address of the MN
- MIPv6-Mobile-Node-Address: Type IPAddress, Payload: home address of the MN
- MIPv6-Feature-Vector: Type Unsigned32, Payload: flags
  - For dynamic HA assignment: flag value = 1 (requesting dynamic HA assignment)
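The AVP layout the slides list, worked through as an added Python example (it is not code from the deck or from any Diameter implementation). It assumes the RFC 3588 AVP header (32-bit code, 8-bit flags, 24-bit length, data padded to 4 bytes) and the RFC 3588 Address encoding (2-byte AddressFamily, 2 for IPv6, followed by the raw address) for what the slides call the IPAddress type. The AVP codes 9001-9005 are placeholders, since the slides give no numeric codes, and the BU bytes are a constructed stand-in for a real binding update.

```python
import ipaddress
import struct

# Placeholder AVP codes: the slides name these AVPs but give no numeric codes.
AVP_MIP_BINDING_UPDATE = 9001
AVP_MIP_BINDING_ACK = 9002
AVP_MIPV6_HOME_AGENT_ADDRESS = 9003
AVP_MIPV6_MOBILE_NODE_ADDRESS = 9004
AVP_MIPV6_FEATURE_VECTOR = 9005

FEATURE_DYNAMIC_HA_ASSIGNMENT = 1   # flag value = 1 requests dynamic HA assignment
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40
ADDRESS_FAMILY_IPV6 = 2             # IANA AddressFamily number used by the Address type


def encode_address(addr: str) -> bytes:
    """Address data: 2-byte AddressFamily followed by the raw 16-byte IPv6 address."""
    return struct.pack("!H", ADDRESS_FAMILY_IPV6) + ipaddress.IPv6Address(addr).packed


def decode_address(data: bytes) -> str:
    if len(data) != 18 or struct.unpack("!H", data[:2])[0] != ADDRESS_FAMILY_IPV6:
        raise ValueError("expected an IPv6 Address AVP payload")
    return str(ipaddress.IPv6Address(data[2:]))


def encode_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """AVP header: code (32 bits), flags (8 bits), length (24 bits, header + data, excluding padding)."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\0" * ((-length) % 4)


def decode_avps(buf: bytes):
    """Walk a sequence of AVPs, rejecting any length field that overruns the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8   # vendor-id adds 4 header bytes
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of range")
        avps.append((code, flags, buf[off + hdr:off + length]))
        off += length + ((-length) % 4)
    return avps


def build_registration_avps(mn_home_address: str, binding_update: bytes, dynamic_ha: bool) -> bytes:
    """AVPs an attendant would carry in an ARR: MN address, feature vector, embedded BU."""
    features = FEATURE_DYNAMIC_HA_ASSIGNMENT if dynamic_ha else 0
    return (encode_avp(AVP_MIPV6_MOBILE_NODE_ADDRESS, encode_address(mn_home_address))
            + encode_avp(AVP_MIPV6_FEATURE_VECTOR, struct.pack("!I", features))
            + encode_avp(AVP_MIP_BINDING_UPDATE, binding_update))


def parse_registration_avps(buf: bytes) -> dict:
    """Interpret the MIPv6 AVPs the way an AAA server would before relaying the BU."""
    out = {"mn_address": None, "home_agent_address": None, "dynamic_ha": False, "binding_update": None}
    for code, _flags, data in decode_avps(buf):
        if code == AVP_MIPV6_MOBILE_NODE_ADDRESS:
            out["mn_address"] = decode_address(data)
        elif code == AVP_MIPV6_HOME_AGENT_ADDRESS:
            out["home_agent_address"] = decode_address(data)
        elif code == AVP_MIPV6_FEATURE_VECTOR:
            out["dynamic_ha"] = bool(struct.unpack("!I", data)[0] & FEATURE_DYNAMIC_HA_ASSIGNMENT)
        elif code == AVP_MIP_BINDING_UPDATE:
            out["binding_update"] = data
    return out


if __name__ == "__main__":
    # Constructed sample: a 5-byte stand-in for a BU, so the 4-byte padding is exercised.
    sample = build_registration_avps("2001:db8::1", b"BU-01", dynamic_ha=True)
    print(parse_registration_avps(sample))
```

The decoder checks every 24-bit length against the remaining buffer before slicing, which is the check an AAA relay needs because the length field is attacker-controlled data arriving from the access network.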
Information Exchange (1) (MN, AAA Client)
- MIP feature data
  - When requesting dynamic HA assignment
  - Feature data carried in ICMPv6 / a new destination option / etc.
- EAP data
  - MIPv6 node: various AA methods (including EAP)
- Embedded data
  - Send/receive the BU and BA in the AAA request message (piggyback)
  - Reduces round-trips
  - BU optimization
Information Exchange (2) (MN, AAA Client)
- Authentication
  - The MN must be authenticated before accessing the visited network
  - Mutual authentication (MN <-> visited network)
  - Default: mutual challenge exchange (in the router advertisement)
- Messages
  - ARR: Authentication Registration Request
  - ARA: Authentication Registration Answer
  - HOR: Home-Agent-MIPv6-Request
  - HOA: Home-Agent-MIPv6-Answer
Diameter Protocol Architecture in Mobile IPv6 (basic operation)
Enhanced Protocol Operation (1)
- If the MN does not know a pre-configured HA
  - Dynamic HA assignment
  - Dynamic home address assignment
  - Contains all features of the 'basic operation'
    - Key distribution
    - Optimized (embedded) BU
  - Authentication: same as the basic operation
- Additional activities
  - Behavior of entities
  - AVPs
Enhanced Protocol Operation(2) Home Agent Assignment in Home Network
Security Consideration
Analysis
- Security
  - Security weaknesses arise from the embedded BU/BA
  - Additional security functions are required at steps 1 (RA), 2 (ARR) and 9 (ARA)
- Performance
  - 9 message exchange steps in total
  - Embedded BU/BA
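One way to supply the security function the analysis asks for at steps 1 (RA), 2 (ARR) and 9 (ARA), building on the mutual challenge exchange the earlier slide names as the default and on the shared long-term key between MN and AAAh from the assumptions. This is an added example, not the deck's protocol or any implementation of it: it assumes HMAC-SHA256 over length-prefixed fields, a single-use network challenge carried in the router advertisement, messages modelled as plain dicts, and the RFC 3588 result codes DIAMETER_SUCCESS (2001) and DIAMETER_AUTHENTICATION_REJECTED (4001). The NAI, key and BU bytes are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Diameter base-protocol result codes (RFC 3588).
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001


def _tag(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed fields, so field boundaries cannot be shifted."""
    mac = hmac.new(key, label, hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


class MobileNode:
    def __init__(self, nai: str, long_term_key: bytes):
        self.nai = nai.encode()
        self.key = long_term_key   # shared long-term key with the AAAh (assumption from the slides)

    def make_arr(self, net_challenge: bytes, binding_update: bytes,
                 mn_challenge: Optional[bytes] = None) -> dict:
        """Step 2: answer the RA challenge, bind the embedded BU to it, and add the MN's own challenge."""
        mn_challenge = mn_challenge or secrets.token_bytes(16)
        auth = _tag(self.key, b"ARR", self.nai, net_challenge, mn_challenge, binding_update)
        return {"nai": self.nai, "net_challenge": net_challenge,
                "mn_challenge": mn_challenge, "bu": binding_update, "auth": auth}

    def check_ara(self, arr: dict, ara: dict) -> bool:
        """Step 9: the ARA tag covers the MN's challenge, so only the home AAA could have produced it."""
        result = ara["result"].to_bytes(4, "big")
        expected = _tag(self.key, b"ARA", self.nai, arr["mn_challenge"], result, ara["ba"])
        return hmac.compare_digest(expected, ara["auth"])


class HomeAaa:
    def __init__(self, keys: dict):
        self.keys = {nai.encode(): k for nai, k in keys.items()}
        self.issued = {}   # one outstanding challenge per NAI, consumed on first use

    def issue_challenge(self, nai: str, challenge: Optional[bytes] = None) -> bytes:
        """Step 1: the challenge the visited network places in its router advertisement."""
        challenge = challenge or secrets.token_bytes(16)
        self.issued[nai.encode()] = challenge
        return challenge

    def handle_arr(self, arr: dict, home_agent) -> dict:
        """Verify the ARR; only then hand the embedded BU to the HA and return its BA in the ARA."""
        key = self.keys.get(arr["nai"])
        expected_challenge = self.issued.pop(arr["nai"], None)   # a replayed ARR finds no challenge
        ok = (key is not None and expected_challenge == arr["net_challenge"]
              and hmac.compare_digest(
                  _tag(key, b"ARR", arr["nai"], arr["net_challenge"], arr["mn_challenge"], arr["bu"]),
                  arr["auth"]))
        if ok:
            result, ba = DIAMETER_SUCCESS, home_agent(arr["bu"])
        else:
            result, ba = DIAMETER_AUTHENTICATION_REJECTED, b""
        auth = b"" if key is None else _tag(key, b"ARA", arr["nai"], arr["mn_challenge"],
                                            result.to_bytes(4, "big"), ba)
        return {"result": result, "ba": ba, "auth": auth}


def demo() -> tuple:
    """Constructed run: a good exchange, a replay of the same ARR, then an ARR with a modified BU."""
    key = bytes(range(32))   # constructed long-term key
    mn = MobileNode("mn@example.com", key)
    aaah = HomeAaa({"mn@example.com": key})
    home_agent = lambda bu: b"BA-for-" + bu   # stand-in for the HA processing the BU

    arr = mn.make_arr(aaah.issue_challenge("mn@example.com"), b"BU:2001:db8::1")
    ara = aaah.handle_arr(arr, home_agent)
    first = (ara["result"], mn.check_ara(arr, ara))
    replay = aaah.handle_arr(arr, home_agent)["result"]
    modified = dict(arr, bu=b"BU:2001:db8::bad")
    aaah.issue_challenge("mn@example.com", arr["net_challenge"])   # same challenge, so only the BU differs
    forged = aaah.handle_arr(modified, home_agent)["result"]
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

Because the BU bytes are inside the ARR tag, the AAAh relays a binding update only when it arrived from the holder of the long-term key in answer to the current challenge; the ARA tag over the MN's own challenge is what lets the MN, in turn, reject an answer the home network never sent.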
AAA Architecture for Mobile IPv6 (1)
Proposed by F. Dupont, "AAA for Mobile IPv6"
- Characteristics
  - Uses AAA (RADIUS / DIAMETER)
  - MN <-> Attendant
  - 12-step message exchange
- AAA messages
  - AS: Attendant Solicitation
  - AA: Attendant Advertisement
  - AReq: Authentication Request
  - AMR: Authentication MN-Request
  - AMA: Authentication MN-Answer
  - AHR: Authentication HA-Request
  - AHA: Authentication HA-Answer
  - ARsp: Authentication Reply
AAA Architecture for Mobile IPv6 (2)
AAA Architecture for Mobile IPv6 (3)
Analysis
- Security
  - Maintains the general Mobile IPv6 security strength
- Performance
  - 12 message exchange steps in total -> not suitable for providing fast mobility