AAA Management in the Internet for Wireless and 3G Users

Transcription

1 AAA Management in the Internet for Wireless and Users Y. Rebahi FhG Fokus, Berlin, Germany D. Sisalem FhG Fokus, Berlin, Germany Abstract Today, IP based multimedia services are becoming increasingly important in wireless communications. Wireless LANs and Cellular networks are used in particular as an access mechanism to the Internet. Security was always a subject attached to the Internet connectivity. This paper provides a survey of the way of authenticating users who are requiring IP multimedia services through or technologies. It also provides the state-of-the-art of how the AAA components in the different domains interwork while keeping the communications seamless 1 Introduction Two major trends are driving the actual development in the telecommunication market: the Internet and the mobility. The Internet simply means providing cost effective data while mobility stands for reachability everywhere. The popularity of mobile devices has increased due to the technology that enables the user to connect his device to his home domain or to a visited one and gain full access to the Internet. Usually Internet Providers, offering network access or Internet services, are different and might interact to provide seamless services to the user. The AAA concept appears essentially as a response to this issue. Within the Internet Engineering Task Force (IETF), an architecture of Authentication, Authorization and Accounting (AAA) activities is defined and standardized [2], [3] and [4]. In general, a visited domain may not have enough information to authenticate a user presenting his credentials and must contact the home domain, which stores the user s profile. Thereby security associations should be settled between the home and the visited providers and should involve, in particular, the way of authenticating users, authorizing the required services and charging the consumption. To be authenticated in the Internet, a client needs to issue a request towards a AAA server using a AAA protocol such as Radius [6] or Diameter [5]. To be more precise, the user presents his Network Access Identifier (NAI) which is of the form user@ realm. The first part of the NAI identifies the user while the second one involves information regarding the home domain. The realm part will be used by the foreign domain to route the authentication request to its destination. However, in a UMTS (Universal Mobile Telecommunications System) network, a mobile subscriber needs to present his International Mobile Subscriber Identity (IMSI) to be identified. The IMSI as well as other information are contained in a Universal Subscriber Identity Modules (USIM), which is a form of a smart card. By inserting a USIM card in a UMTS terminal, the subscriber is able to initiate calls and receive calls as well as subscribed services. 2 Problem Statement technology includes high-rate data transmission and could in particular complement Cellular networks in hot spots. A GPRS or UMTS subscriber who gains access to the Internet

2 in a public place such as an airport or a hotel, will get an easy connection as well as a smooth access to the Internet services. The main challenges that might be faced in this heterogeneous environment are, to authenticate a GPRS/UMTS user when accessing a network, and on the other side, to route the billing information related to the consumption of the local services between the and the cellular network. Another issue that could be also addressed is how to manage the authorization of the services when the user is roaming between the and the network. Among the challenges mentioned above, only the authentication and the authorization activities as well as the roaming process will be treated here. As for accounting, a way to achieve it could be found in [7]. 3 Solution Proposal The solution that seems to be natural and convenient (see [7]), consists of introducing the IMSI as a part of the NAI during the authentication phase. The AAA server, to which the authentication request was addressed, will handle the routing of the request to the cellular network. In this paper, the authors propose a solution based on the idea triggered above. The AAA infrastructure that is going to be described is a part of the architecture of the Evolute s platform. This last is an all IP-based infrastructure providing multimedia services to users who access the network through or technologies. The AAA infrastructure has the following features: It assumes that the Network Provider and the Service Provider are different which is the general case in the real world. Service Providers here are for example coffee shops or malls Only one AAA server is used in this infrastructure to authenticate users and subscribers. For access, the standard IEEE 802.1x is used for authenticating and authorizing the end user. This protocol is E based. However, for a user, UMTS AKA authentication mechanism is used for granting the access to the network. AKA is used within E which allows the use of authentication mechanism in the context of s and IEEE 802.1x technology Since the access might be via a network or a network, a mixture between the NAI and the IMSI is used. The Access Credentials in this case are of the form user@realm where the attribute user involves the IMSI as mentioned in [1]. The local AAA server needs to recognize the IMSI when parsing the NAI and forward the request to the appropriate destination The requested multimedia services are controlled via SIP. To gain access, the user needs to be authenticated to the local through HTTP Digest or another authentication mechanism The Evolute s infrastructure also aims to provide seamless services when the user moves from one network to another. In this heterogeneous environment, a trust relationship is needed between the AAA servers in the home and the foreign domains. A broker might also be needed as well as Gateways for translating between different AAA protocols 3.1 Single Domain Model We mean by single domain model the case involving a user authentication against the Evolute s AAA infrastructure without moving to another network. The corresponding architecture is depicted in Figure 1 below :

3 AAA Gateway AAA server ss7 Radius/Diameter SIP Access Point 802.1x Mobile Host Figure 1: Evolute AAA Architecture In short, using the Evolute AAA architecture, a user comes into a foreign network and presents his identity using the locally supported AAA mechanisms. Based on the identity of the user, the network can decide on the home provider of the user and contact him through the AAA infrastructure. In case the home provider is using a different AAA protocols than the foreign provider then a gateway needs to be provided to translate between the two protocols. As depicted in Figure 1, a user wishing to access the services offered by the foreign network indicates its wish to use the service and gives the provider its network address identifier (NAI). This identity if forwarded from the access to the AAA server If the NAI contains an IMSI, then the access request is forwarded to a gateway that translates the AAA request into the equivalent AAA protocol request. This gateway might be pre-configured or might be dynamically searched for through some brokerage service. o The access request might then be further forwarded over SS7 signalling to another network (home network of the user). o Replies to the request are forwarded back to the user over the gateway In case the NAI does not include an IMSI then the AAA server tries to contact the home network of the user as identified by the NAI over the AAA infrastructure, i.e., either directly if a trust relation is available between the foreign and home network or through an AAA broker 3.2 Roaming Model We assume here that the end user has already gained access to the Internet through the Evolute s AAA infrastructure and wishes to move to another network. Depending on the user s home domain, two cases arise: the user may have a contract with a operator or may have an agreement with an Internet Service provider (ISP). In this scenario, a subscriber enters a network. To authenticate and authorize the user, the of the home provider needs to be contacted. This scenario is as follows, see Figure 2 (left) : The user starts its mobile device and contacts the Access Point () using the standard 802.1x The contacts the AAA server The AAA server checks the home provider of the user and contacts the AAA server of that provider. As the home provider is a provider, so it provides only a /AAA gateway The AAA/ gateway contacts the to authenticate the user

4 The authentication data go all the way back to the Access Point In case of successful AAA procedure the user gets IP access and is assigned a dynamic home agent () In case the user wants to use SIP based services, he needs to authenticate with the local SIP proxy which in turn contacts the AAA server, which contacts the AAA server of the home provider in the same way as the IP access authentication. (Note that the SIP home provider and the network home provider might be different, Figure 2 (left) assumes them to be the same) IP Network /AAA /AAA IP Netw ork Figure 2: subscriber in (left) and user roams to a network (right) In the next step, see Figure 2 (right), the user roams to a network. Here, again, the user needs to authenticate himself (we assume no direct relation between the previous wireless provider and this provider). The user contacts the AAA server, i.e. the VLR of the network using the local authentication technology (AKA UMTS) The VLR contacts the The user needs also to inform the DHR about its new position (IP address) so that all started flows would keep on running without interruption. New flows should be started with the new address so that when all the flows initiated with through the DHR are terminated the binding at the DHR can be deleted. An ISP user describes a user that has an ISP as his home provider (the ISP could be a network provider, an application provider such as yahoo or a banking entity such as VISA, the only thing that matters here is that this entity has a AAA server). In Figure 3 (left), the user starts his mobile device in a wireless LAN The user contacts the Access router using the local authentication technology (802.1x) The Access Point contacts the AAA server The AAA server checks the home provider of the user and contacts the AAA server of that provider The home AAA server sends the authentication data go all the way back to the In case of successful AAA procedure the user gets IP access and is assigned a dynamic home agent In case the user wants to use SIP based services, he needs to authenticate with the local SIP proxy which in its turn contacts the AAA server, which contacts the AAA server of the home provider in the same way as the IP access authentication. (note

5 that the SIP home provider and the IP home provider might be different, Figure 3 (left) assumes them to be the same) AAA server IP Network /AAA ISP User Home Provider ISP User Home Provider Figure 3: ISP user in a (left) and ISP user in network (right) In Figure 3 (right) the user has roamed into a network The user contacts the AAA server, i.e., VLR, of the network using the local authentication technology (AKA UMTS) The VLR contacts the of the home provider (here it is a /AAA gateway), which contacts the AAA server of the ISP. The user needs also to inform the DHR about its new position (IP address) so that all started flows would keep on running without interruption. New flows should be started with the new address so that when all the flows initiated with, through the DHR are terminated, the binding at the DHR can be deleted. References [1] J. Arkko, H. Haverinen, E AKA Authentication, Internet Draft, draft-arkkoppext-eap-aka-01, Nov 2001 [2] J. Vollbrecht, P. Calhoun, and others, AAA Authorization Framework, Internet Engineering Task Force, RFC 2904, August 2000 [3] S. Farrell, J. Vollbrecht, and others, AAA authorization requirements, Internet Engineering Task Force, RFC 2906, August 2000 [4] C. Laat, G. Gross, and others, Generic AAA Architecture, Internet Engineering Task Force, RFC 2903, August 2000 [5] P. R. Calhoun, J. Arkko, and others, Diameter Base Protocol, Internet Draft, <draft-ietf-aaa-diameter-09.txt>, March 2002 [6] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial in User Service (RADIUS)", RFC 2865, June [7] J. Ala-Laurila, J. Mikkonen, J. Rinnemaa, Wireless LAN, Access Network Architecture for Mobile Operators, IEEE Communications Magazine, November 2001

6