AAA Framework based on Authentic IPv6 Address

Provided by: mcsy55
1
AAA Framework based on Authentic IPv6
Address
  • Hong Zhang
  • zhang-hong04_at_mails.tsinghua.edu.cn

2
Outline
  • Background
  • Terminology
  • System Architecture
  • AAA Framework
  • AAA architecture
  • Intra-domain authentication
  • Inter-domain authentication
  • Security consideration
  • Conclusion

3
I. Background
  • IPv6 was conceived with two main goals
  • Increase the IP address space
  • From 32 bits to 128 bits
  • Problem
  • All the following IPv6 addresses are valid
  • 01
  • fe8025056fffec0
  • 2001250f001f00225089ef2fb88fd6
  • ::FFFF:<IPv4 address>
  • Annoying for users to remember the IPv6 address

4
I. Background (cont.)
  • Improve security, relative to IPv4
  • Mandating IP Security (IPSec)
  • Problem
  • IPv6 faces some of the same threats as IPv4
  • The basic mechanisms stay mostly unchanged
  • The upper-layer protocols are mostly unaffected
  • Desirable to deploy some additional security
    mechanisms

5
II. Terminology
  • Authentic IPv6 Address: every node accesses the
    Internet with an address that is
  • authorized: ISP allocated
  • accountable: billing, traced-back

6
II. Terminology (cont.)
  • PDN (Personal Domain Name)
  • Domain Name assigned to a user
  • In the form of UserName@DomainName
  • Useful for IPv6 applications

7
II. Terminology (cont.)
  • DDN (Device Domain Name)
  • Domain Name assigned to a network device
  • In the form of Devicename.DomainName
  • Useful for managing the devices in IPv6 network

8
III. System Architecture
  • Our research is performed within one of the
    CNGI (China Next Generation Internet) projects
  • Authentic IPv6 Address Network Architecture

9
III. System Architecture (cont.)
  • Authentic IPv6 Address Infrastructure
  • Provides services relative to authentic IPv6
    address.
  • Service Layer
  • AAA Framework
  • Provides AAA service
  • DNSSEC
  • Provides DNSSEC service
  • IPv6 Applications

10
IV. AAA Framework
  • AAA (Authentication, Authorization, Accounting)
  • Authentication determines a requestor's validity
  • Authorization determines whether the access to a
    resource should be granted or denied
  • Accounting is fulfilled to collect billing
    information

11
IV. I. AAA architecture
12
IV. I. AAA architecture (cont.)
  • Component functions
  • Authenticator: delivers the user's request to the
    AAA server.
  • Relayer: acts as an AAA server to the
    authenticator and as a client to the AAA server.
  • AAA Server: authenticates the user's
    requests, grants access and collects billing
    information.
  • DHCPv6 Server: used for IPv6
    autoconfiguration.
  • DNSSEC Server: used to support PDN and DDN.

13
IV.II. Authentication Procedure
  • Intra-domain Authentication
  • Inter-domain Authentication

14
IV.II.I. Intra-domain Authentication
[Figure: intra-domain topology. Components: User A, Authenticator A, Relayer A, AAA Server A, DHCPv6 A, DNSSEC A]
15
IV.II.I. Intra-domain Authentication
16
IV.II.I. Intra-domain Authentication (cont.)
  • Step (1). The user initializes the AAA procedure.
  • Step (2). The Authenticator sends an AAA Request
    message to the Relayer through a secure
    channel (e.g. EAP-TLS).
  • Step (3). The Relayer decides to perform
    intra-domain authentication.
  • Step (4). The AAA server authenticates, authorizes
    and accounts for the user.
  • Step (5). The Relayer decides whether to grant access
    to the user based on the AAA response message
    and local policy.
  • Step (6). The Authenticator decides whether to allow
    the user to access the network.
  • Step (7). The user sends a multicast DHCPv6 SOLICIT
    message.
  • Step (8). The DHCPv6 server sends a DHCPv6 ADVERTISE
    message to the host.
  • Step (9). The Relayer sends a DNS Binding Update
    message to the DNSSEC server.

17
IV.II.II. Inter-domain Authentication
[Figure: inter-domain topology spanning Domain A and Domain B. Components: User B; Authenticator A and B; Relayer A and B; AAA Server A and B; DHCPv6 A and B; DNSSEC A and B]
18
IV.II.II. Inter-domain Authentication
19
IV.II.II. Inter-domain Authentication (cont.)
  • Step (1). User B initializes the AAA
    procedure.
  • Step (2). Authenticator A sends an AAA
    Request message to Relayer A through a secure
    channel (e.g. EAP-TLS).
  • Step (3). Relayer A decides to perform
    inter-domain authentication.
  • Step (4). Relayer B checks the validity of the AAA
    request and forwards it to AAA server B.
  • Step (5). AAA server B authenticates, authorizes
    and accounts for the user.
  • Step (6). Relayer B forwards the AAA response
    message to Relayer A.
  • Step (7). Relayer A decides whether to grant
    access to the user based on the AAA response
    message and local policy.
  • Step (8). Authenticator A decides whether to
    allow user B to access the network.
  • Step (9). User B sends a multicast DHCPv6
    SOLICIT message.
  • Step (10). DHCPv6 server A sends a DHCPv6 ADVERTISE
    message to the host.
  • Step (11). Relayer A sends a DNS Binding Update
    message to DNSSEC server B.
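
An added sketch of the relayer's role in the intra-domain and inter-domain procedures above (not code from the presentation). It assumes the relayer chooses the path from the domain part of the PDN and that relayers validate forwarded requests with a pre-shared HMAC key; the slides specify neither, and all class names, domains, credentials and keys are constructed.

```python
import hashlib, hmac, json

def tag(key, msg):
    """HMAC-SHA256 over a canonical encoding of the AAA request."""
    return hmac.new(key, json.dumps(msg, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class AAAServer:
    def __init__(self, users):
        self.users = users        # PDN -> credential (stand-in for the EAP method)
        self.accounting = []      # (PDN, visited domain) records

    def handle(self, req):
        known = self.users.get(req["pdn"], "").encode()
        ok = bool(known) and hmac.compare_digest(known, req["credential"].encode())
        if ok:
            self.accounting.append((req["pdn"], req["visited"]))
        return {"pdn": req["pdn"], "accept": ok}

class Relayer:
    def __init__(self, domain, server, peer_keys, blocked=()):
        self.domain, self.server = domain, server
        self.peer_keys = peer_keys    # peer domain -> shared key (assumed pre-provisioned)
        self.peers = {}               # peer domain -> Relayer object (stands in for the network)
        self.blocked = set(blocked)   # local policy: PDNs refused in this domain

    def from_authenticator(self, pdn, credential):
        home = pdn.rsplit("@", 1)[-1]                # PDN form: UserName@DomainName
        req = {"pdn": pdn, "credential": credential, "visited": self.domain}
        if home == self.domain:                      # intra-domain: local AAA server
            resp = self.server.handle(req)
        elif home in self.peers:                     # inter-domain: forward to home relayer
            resp = self.peers[home].from_peer(req, tag(self.peer_keys[home], req))
        else:
            resp = {"pdn": pdn, "accept": False}     # unknown home domain: fail closed
        return resp["accept"] and pdn not in self.blocked

    def from_peer(self, req, mac):
        key = self.peer_keys.get(req.get("visited"))
        if key is None or not hmac.compare_digest(tag(key, req), mac):
            return {"pdn": req.get("pdn"), "accept": False}   # invalid request: do not forward
        return self.server.handle(req)

def build():
    key = b"constructed-inter-relayer-key"
    a = Relayer("a.example", AAAServer({"alice@a.example": "pw-a"}), {"b.example": key})
    b = Relayer("b.example", AAAServer({"bob@b.example": "pw-b"}), {"a.example": key},
                blocked={"alice@a.example"})
    a.peers["b.example"], b.peers["a.example"] = b, a
    return a, b
```

Calling `build()` returns two wired relayers; `a.from_authenticator("bob@b.example", "pw-b")` exercises the roaming path, with the accounting record landing on the home domain's AAA server.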

20
IV.III. Security Considerations
  • Communication between Relayer and AAA Server.
  • Communication between Relayer and DNSSEC server.
  • Communication between Relayers in different
    domains

21
V. Conclusion
  • Support consistent user management in
    CNGI-CERNET2.
  • Provide a uniform AAA mechanism in CNGI-CERNET2.
  • Support user roaming in the IPv6 network.
  • Make the AAA mechanism easy, convenient,
    extensible and scalable in the IPv6 network.
  • Support IPv6 applications.
  • Helpful for IP traceback.

22
Thank You
  • Q & A