Access Control and Authentication for Converged Networks

Slides: 20
Provided by: jayal8

Transcript and Presenter's Notes


1
Access Control and Authentication for Converged
Networks
  • Z. Judy Fu
  • John Strassner
  • Motorola Labs
  • judy.fu, john.strassner_at_motorola.com

2
Content
  • Motivation and AAA Requirements
  • Limitations of Existing AAA for Converged
    Networks
  • Novel AAA Architecture
  • AAA Framework
  • RBAC Models
  • Common Authentication Framework
  • Conclusion and Future Work

3
Motivation
  • Heterogeneous Networks are converging to Provide
    IP Services
  • Heterogeneous Access Technology
    • Wireless Local Access: 802.11, 802.16, HiperLAN,
      Bluetooth
    • Cellular Access: GSM, GPRS, CDMA, UMTS
    • Broadband Service to Home: fiber, cable,
      Ethernet, xDSL, or WiMax
  • Not only access providers but also application or
    content providers
  • Heterogeneous administrative domains
  • AAA Is Essential and Complex in Inter-working
    Between Heterogeneous Networks

4
Requirements of AAA for Converged Networks
  • Inter-working with various types of providers.
  • Respect each administrative domain's policies
  • Support various applications based on context,
    user profile and policies
  • Common framework to facilitate reuse
  • Minimized design, development and deployment cost

5
Existing AAA Solutions for Converged Networks
  • Framework
    • EAP-RADIUS
  • Protocols
    • EAP-TLS
    • EAP-AKA
    • EAP-SIM

6
Limitations of Existing AAA Solutions for
Converged Networks
  • Do not have flexible authorization element
    considering heterogeneous domain policies
  • Do not enable support for future applications
    based on context, user profile etc.
  • Do not accommodate heterogeneous system,
    protocol, method, credential requirements
  • EAP support in native IP wireless networks like
    WLAN
  • WiMax requires certificate based authentication
    method while UMTS requires shared-secret based
    authentication method.

7
A Novel AAA Architecture
  • Proposing a modeling based AAA architecture
  • Generic framework that can be mapped to different
    networks and devices
  • Each domain's security policies can be ensured
  • Heterogeneous policies, credentials and protocols
    can be accommodated.

8
The New AAA System
  • AAA server is no longer a traditional RADIUS
    server
  • AAA interacts with context server, identification
    server, and policy server
  • AAA protocols to use may include RADIUS,
    Diameter, Mobile IP etc.

9
Authentication Protocol Mapping
  • Method 1: EAP-xxx for all
    • All networks are equipped with an EAP controller
    • All devices send only EAP authentication requests
    • All authentication protocols are encapsulated in
      EAP and RADIUS messages
    • Always use the home network's authentication method

10
Authentication Protocol Mapping (Cont.)
  • Method 2: A common authentication framework
    • Different authentication request/reply will be
      mapped to the common framework
    • Devices do not have to be changed
    • Example common authentication framework is IKEv2
      authentication part
    • MS (mobile station)                      AAA server
      ------------------------> ID, scheme (sym or asym), cert, auth data key
      <------------------------ ID, scheme, cert, auth data key
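Added example (not from the original slides): one way an AAA server could map native requests into the common framework's fields (ID, scheme, cert, auth data) and refuse a scheme the access domain's policy does not allow. The native field names, the policy table, the sample key and the HMAC challenge-response are assumptions standing in for the real IKEv2 or AKA computations; the certificate path fails closed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CommonAuth:
    """Fields named on the slide: ID, scheme (sym or asym), cert, auth data."""
    id: str
    scheme: str
    cert: Optional[bytes]
    auth_data: bytes

# Constructed sample state held by the AAA server (assumption, not from the slides).
DOMAIN_POLICY = {"umts": "sym", "wimax": "asym"}  # scheme each access type requires
SHARED_KEYS = {"imsi-001": b"k" * 32}             # per-subscriber shared secrets

def to_common(access: str, native: dict) -> CommonAuth:
    """Map a native request (hypothetical field names) into the common framework."""
    if access == "umts":
        return CommonAuth(native["imsi"], "sym", None, native["res"])
    if access == "wimax":
        return CommonAuth(native["subject"], "asym", native["cert"], native["signature"])
    raise ValueError(f"no mapping for access type {access!r}")

def authenticate(access: str, msg: CommonAuth, nonce: bytes) -> tuple[bool, str]:
    """Enforce the domain's required scheme first, then verify the auth data."""
    if DOMAIN_POLICY.get(access) != msg.scheme:
        return False, "scheme not allowed by domain policy"
    if msg.scheme == "sym":
        key = SHARED_KEYS.get(msg.id)
        if key is None:
            return False, "unknown ID"
        # Stand-in for the shared-secret response: HMAC over the server's nonce.
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, msg.auth_data)  # constant-time compare
        return ok, "ok" if ok else "bad auth data"
    # asym: checking the signature needs an X.509 library, so fail closed here.
    return False, "asym verification not implemented in this example"
```

Checking the policy before touching the credential means a shared-secret request presented through a certificate-only domain is rejected without its auth data ever being evaluated.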

11
AAA models
  • Business view models
    • Focus on access control models.
  • System view models
    • Include specific authentication, authorization
      mechanisms, mobility management, context, policy,
      profiles, and identification.

12
RBAC Access Control Models
  • Propose enhanced notion of role-based access
    control (RBAC) for inter-working between
    providers
  • Simplified management of individual entities by
    assigning roles based on business functions

13
RBAC Control of Resource

14
Conclusion and Future Work
  • Novel AAA architecture
    • Support heterogeneous provider inter-working
    • Support both coalition and spontaneous access
    • Support various applications for inter-working
    • Facilitate reuse
    • Minimize development and deployment cost
  • Future Work
    • Refine Models
    • Design automatic mapping techniques
    • Prototype

15
The End
  • Thank You!
  • Questions???

16
  • Backup Slides

17
Logical Resource

18
Logical Resource