DIAMETER and AAA Protocols - PowerPoint PPT Presentation

1
DIAMETER and AAA Protocols
2
AAA Protocols
  • AAA stands for Authentication, Authorization and
    Accounting.
  • Authentication is used to determine who you are.
  • Authorization is used to verify whether you can
    do what you have asked (access control). The
    authorization phase also allows the AAA server to
    return specific information about the service to
    be provided to the user (e.g. filters, QOS).
  • Accounting is used to record a user's usage
    pattern. This can be used for capacity planning,
    billing, etc.

3
Today's NAS
  • Since the early 1990s, the NAS has become a much
    more complex system than it once was. Until recently,
    the RADIUS Internet-Drafts still described a NAS
    as a system with low processing power and memory
    (obviously, this was removed when it became an
    RFC).
  • NASes now enjoy the following:
  • Much higher capacity (e.g. ingress T3s)
  • New services (e.g. IP Telephony, Quality of
    Service, Mobility, etc.)
  • More stringent security requirements
  • Support for roaming users is expected.

4
Why another AAA protocol?
  • New non-dial-up products are now available that
    support RADIUS, in a proprietary fashion, such
    as:
  • Aventail's SOCKS Server
  • Checkpoint's Firewall-One
  • XaCCT's XaCCTusage (tracks IP streams)
  • Various e-commerce user authentication modules
    for web servers.
  • IKE's Xauth (Extended Auth) has support for
    RADIUS, and is now supported by two vendors.

5
Why another AAA protocol?
  • Although extending an existing protocol is a
    reasonable goal, current AAA protocols were not
    designed to be extended beyond the dial-in and
    terminal server arena.
  • The DIAMETER protocol was specifically designed
    to make use of existing RADIUS dictionaries and
    user profiles. This allows DIAMETER servers to
    read in configuration information from existing
    databases, easing the customer's transition
    period.

6
The Goal?
  • The ultimate AAA goal is to be able to have a
    single protocol provide AAA support for most IETF
    protocols (or services).
  • This would allow the service provider to define a
    single user profile, with different authorization
    information based on the service.
  • Some view this as the SS7 of the Internet, but
    done right :)

7
DIAMETER
  • The DIAMETER protocol has been under development
    for the past 3.5 years by many vendors and
    Service Providers including 3Com, Sun, Ascend,
    Merit, Nortel, MCI and many others.
  • The architecture defines a base protocol that
    handles message formatting, security, etc.
    Services such as PPP, QOS, Mobility are added to
    the base protocol, and are known as extensions.

8
DIAMETER Extensions
  • Currently there are many DIAMETER extension
    drafts that have been submitted to the IETF:
  • Dial-up User Authentication (P. Calhoun, W.
    Bulley)
  • Mobile IP (P. Calhoun, C. Perkins)
  • Bandwidth Broker (P. Calhoun, M. Speer, K. Pierce)
  • SIP Extension (P. Pan, H. Schulzrinne, P.
    Calhoun)
  • SS7 Extension (N. Greene, F. Cuervo)
  • IPDC (Taylor, Elliott and others)
  • IP Security (R. Pereira) - Soon to be published

9
DIAMETER Work in Progress
  • The IETF's AAA WG will take ownership of the AAA
    problem. The group has already met twice as a BOF,
    and the Minneapolis IETF will be the first WG
    meeting. The DIAMETER protocol is the only
    protocol in this space.
  • The Chairs will be Brian Lloyd (Lucent) and Nancy
    Greene (Nortel).

10
DIAMETER Work in Progress
  • Internet2's QOS WG is currently
    investigating DIAMETER as the transport for its
    Bandwidth Broker. This is led by Sue Hares
    (Merit Networks).
  • We are currently defining the DIAMETER IP
    Telephony extensions necessary to scale such a
    service.

11
Turnkey Mobility Solution: Mobile IP and DIAMETER
12
Security Associations
  • One of the problems with the existing Mobile IP is
    the scaling problem associated with the number of
    Security Associations required.
  • The following SAs are specified:
  • Mobile-Foreign Security Extension
  • Foreign-Home Security Extension
  • Mobile-Home Security Extension

13
Security Associations
  • In our design we have successfully minimized the
    number of Security Associations required.
  • Only a single secret is required between the two
    Administrative Domains.

14
Mobility Advertisement
  • The Mobile Node receives Mobility Advertisements
    that include the Foreign Agent's NAI and a
    Challenge Value.
  • The Mobile Node checks the FA's NAI and notices
    that it is no longer at home.

15
MIP Registration Request
  • The Mobile Node computes the response using SS1
    and the Challenge. The challenge is time
    sensitive.
  • The MN's NAI, Challenge and Response are added to
    the Registration Request and sent off to the
    Foreign Agent.

16
DIAMETER AMR
  • The Foreign Agent validates the challenge and
    creates the DIAMETER AA-Mobile-Node-Request
    message.
  • The message includes the Session-Id, RR, MN NAI,
    FA NAI, timestamp and integrity using SS3
    (FA-AAAF).

17
MN Domain AAA Lookup
  • The AAAF strips the domain name from the MN's NAI
    and looks up the AAA server responsible for the domain.
  • If one does not exist, the AAAF may be configured
    to send the request to a broker.

18
AMR Proxy
  • The AAAF adds the Proxy-State AVP and any
    additional AVPs as required by local policy.
  • The existing Security AVPs are replaced using the
    SS4 (AAAF-AAAH).

19
User/MN Authentication
  • The AAAH finds the user/MN entry in the user
    database and the corresponding password.
  • The MN-FA-Response is authenticated using the
    password and the MN-FA-Challenge AVP.
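
The challenge/response path of slides 14 to 19 as an added example, not part of the presentation: the FA advertises a fresh, timestamped challenge, the MN answers it with a MAC under SS1, the FA rejects stale challenges before building the AMR, and the AAAH recomputes the response from the secret in its user database (the "password" of slide 19). The NAIs, the HMAC-SHA256 construction and the 60-second window are constructed assumptions.

```python
import hashlib, hmac, secrets

# Added example (not from the presentation). SS1 is the secret the Mobile Node
# shares with its home AAA server (the "password" of slide 19). The NAIs and
# the 60-second challenge window are constructed assumptions.
CHALLENGE_LIFETIME = 60.0  # seconds a challenge stays valid (assumed)

def fa_issue_challenge(fa_nai: str, now: float) -> dict:
    """Slide 14: the advertisement carries the FA's NAI and a fresh challenge."""
    return {"fa_nai": fa_nai, "challenge": secrets.token_bytes(16), "issued": now}

def mn_compute_response(ss1: bytes, challenge: bytes) -> bytes:
    """Slide 15: the MN answers the challenge with a MAC under SS1."""
    return hmac.new(ss1, challenge, hashlib.sha256).digest()

def fa_validate_challenge(adv: dict, challenge: bytes, now: float) -> bool:
    """Slide 16: the FA checks the RR echoes a challenge it issued recently."""
    fresh = now - adv["issued"] <= CHALLENGE_LIFETIME
    return hmac.compare_digest(adv["challenge"], challenge) and fresh

def aaah_authenticate(user_db: dict, mn_nai: str, challenge: bytes, response: bytes) -> bool:
    """Slide 19: the AAAH looks up the MN's secret and recomputes the response."""
    ss1 = user_db.get(mn_nai)
    if ss1 is None:
        return False
    return hmac.compare_digest(mn_compute_response(ss1, challenge), response)

def run_registration(user_db: dict, mn_nai: str, ss1: bytes, now: float, delay: float = 0.0) -> str:
    """Drive one registration; `delay` is how late the RR reaches the FA."""
    adv = fa_issue_challenge("fa@visited.example", now)
    response = mn_compute_response(ss1, adv["challenge"])
    # Registration Request = MN NAI + Challenge + Response (slide 15)
    rr = {"mn_nai": mn_nai, "challenge": adv["challenge"], "response": response}
    if not fa_validate_challenge(adv, rr["challenge"], now + delay):
        return "FA: stale or unknown challenge"
    if not aaah_authenticate(user_db, rr["mn_nai"], rr["challenge"], rr["response"]):
        return "AAAH: authentication failed"
    return "authorized"
```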

20
Home Agent Assignment (1)
  • In this scenario the Mobile Node stated a
    preferred Home Agent.
  • The AAAH can authorize the usage of the requested
    Home Agent, or choose another one if local policy
    requires it.

21
Home Agent Assignment (2)
  • In this case the user's profile has a static Home
    Agent, which is assigned to the user every time.

22
Home Agent Assignment (3)
  • The AAAH has a pool of Home Agents that can be
    allocated to Mobile Nodes.
  • Using some load balancing algorithm, a Home Agent
    is assigned to the Mobile Node.

23
Home IP Address Allocation (1)
  • If the Mobile Node requested an IP Address, the
    AAAH can allocate the address.
  • The AAAH can also defer allocation of the address
    to the Home Agent.

24
Session-Key Generation
  • The AAAH creates three short-lived session keys
    and SPIs which are used for further Mobile IP
    communication.
  • The keys have a specific lifetime associated with
    them. Once the keys have expired, they can no
    longer be used.

25
Session-Key Generation
  • The AAAH encrypts the session keys in three
    different ways.
  • MN-FA using SS1, MN-HA using SS1 for the Mobile
    Node.
  • MN-FA using SS4, FA-HA using SS4 for the Foreign
    Agent.
  • MN-HA using SS2, FA-HA using SS2 for the Home
    Agent.

26
Home-Agent-Request
  • The AAAH creates the Home-Agent-Request message
    which includes a new Proxy-State, the RR, MN NAI,
    FA NAI, MN IP Address and all of the key and SPI
    AVPs.
  • The message is protected using SS2 (AAAH-HA).

27
Home IP Address Allocation (2)
  • If the Mobile Node requested an address to be
    allocated to it and the AAAH deferred to the Home
    Agent, the HA can assign an address either from a
    local pool or using a protocol such as DHCP.

28
HA Processes MIP RR
  • The Home Agent processes the Mobile IP
    Registration Request and adds the user to the
    Mobility Binding Table.
  • The Home Agent keeps the MN-HA and FA-HA keys and
    SPIs in the local security association table.

29
HA Processes MIP RR
  • The Home Agent creates the Registration Reply,
    which includes the Home Agent, Home IP Address,
    the Mobile Node keys and SPIs (MN-FA and MN-HA)
    as well as the key expiration time.

30
Home-Agent-Answer
  • The Home Agent sends the DIAMETER message (HAA),
    which includes the Proxy-State, Result Code, keys
    and SPIs for the Foreign Agent, Registration
    Reply and the Mobile Node's Home IP Address.

31
DIAMETER AMA
  • The Proxy-State AVP in the HAA identifies the
    AAAF.
  • The AMA is created which includes all of the AVPs
    in the HAA and the old Proxy-State AVP, but with
    new Security AVPs (using SS4).

32
AMA Proxy
  • The AAAF identifies the target for the message
    using the Proxy-State AVP.
  • The AAAF decrypts the keys destined for the
    Foreign Agent using SS4 and re-encrypts the keys
    using SS3.

33
FA Saves Session Keys
  • The Foreign Agent decrypts the MN-FA and FA-HA
    keys from the AMA and saves them in the Security
    Association table indexed using the SPI.
  • The Foreign Agent retrieves the Home Agent and
    Address.

34
Registration-Reply Processing
  • The Foreign Agent processes the Registration
    Reply and adds the Mobile Node to the visitors list.

35
Registration-Reply Processing
  • The Mobile Node decrypts the session keys using
    SS1 and saves them in its security association
    table.
  • The Mobile Node saves its Home IP Address and
    Home Agent Address.
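
The session-key distribution of slides 24, 25, 32, 33 and 35 as an added example, not part of the presentation: the AAAH generates three short-lived keys with SPIs and an expiry, wraps each recipient's pair under that recipient's long-term secret (SS1 for the MN, SS4 for the FA via the AAAF, SS2 for the HA), the AAAF re-wraps the FA bundle from SS4 to SS3, and each agent installs only what it can decrypt into an SA table indexed by SPI, refusing expired keys. The encrypt-then-MAC wrap built from HMAC-SHA256, the JSON bundle layout and the secret values are assumptions standing in for the unspecified Security AVP encryption.

```python
import hashlib, hmac, json, secrets

# Added example (not from the presentation). SS1..SS4 are the long-term secrets
# named on the slides; the wrap format (HMAC-SHA256 keystream + MAC tag) is an
# assumption standing in for the unspecified Security AVP encryption.
def _keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    """Expand HMAC-SHA256(secret, "enc" || nonce || counter) into n keystream bytes."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(secret, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def wrap(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a long-term secret: nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(secret, nonce, len(plaintext))))
    return nonce + ct + hmac.new(secret, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(secret: bytes, blob: bytes):
    """Verify the tag first; return None (message discarded) if it does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(secret, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(secret, nonce, len(ct))))

def aaah_generate(ss1: bytes, ss4: bytes, ss2: bytes, now: float, lifetime: float = 600.0) -> dict:
    """Slides 24/25: three session keys + SPIs, each pair wrapped for its recipient."""
    keys = {n: [secrets.token_bytes(16).hex(), secrets.randbits(32)] for n in ("MN-FA", "MN-HA", "FA-HA")}
    def bundle(*names):
        return json.dumps({"keys": {n: keys[n] for n in names}, "expires": now + lifetime}).encode()
    return {"mn": wrap(ss1, bundle("MN-FA", "MN-HA")),   # for the Mobile Node
            "fa": wrap(ss4, bundle("MN-FA", "FA-HA")),   # for the FA, relayed by the AAAF
            "ha": wrap(ss2, bundle("MN-HA", "FA-HA"))}   # for the Home Agent

def aaaf_rewrap(ss4: bytes, ss3: bytes, fa_blob: bytes):
    """Slide 32: the AAAF decrypts the FA's keys with SS4 and re-encrypts them with SS3."""
    inner = unwrap(ss4, fa_blob)
    return None if inner is None else wrap(ss3, inner)

def install(secret: bytes, blob: bytes, now: float):
    """Slides 33/35: unwrap, reject expired keys, return an SA table indexed by SPI."""
    inner = unwrap(secret, blob)
    if inner is None:
        return None
    b = json.loads(inner)
    if now > b["expires"]:
        return None  # slide 24: expired keys can no longer be used
    return {spi: (name, bytes.fromhex(k)) for name, (k, spi) in b["keys"].items()}
```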

36
Operation Complete
  • At this point all Mobility Agents share a
    short-lived security association, and access was
    authorized by all AAA entities.

37
Future MIP Exchanges
  • The Mobile Node sends a Registration Request
    protected with the previously created session keys
    to the Foreign Agent, which forwards the request
    to the Home Agent.
  • This removes the full-mesh security association
    that would otherwise be required.