URP Usage Scenarios for Mobility
James Kempf
Sun Microsystems, Inc.
Problem Statement: Service Authorization
• Protocol exchange involved in authorizing a Mobile Node for particular network services after handover is often more extensive than actually setting up the service itself (e.g. COPS flows in draft-thomas-seamoby-rsvp-analysis-00.txt).
– Could seriously delay Mobile Node obtaining authorized service.
– Possible to solve efficiently at edge with context transfer.
– Difficult to solve back in network, alternatives unappealing:
• Context transfer flooding.
• Selective context transfer based on tracking of mobile node’s routes.
• Initial URP registration provides Mobile Node with something like a lightweight encrypted capabilities token, the possession of which is sufficient to identify the Mobile Node as authorized for a collection of network level services.
– Each router examines token, grants Mobile Node’s packets the requested service if allowed.
– Router acts as both PDP and PEP since Mobile Node’s initial packets contain authorization token.
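As an added illustration (not from the slides or the URP draft, which specifies no wire format) of a router checking a lightweight capabilities token statelessly: the token layout, the service bitmask and the shared key between the URP RA and the routers are assumptions.

```python
import hmac
import hashlib
import struct

# Hypothetical token layout (assumption, not the URP draft's format):
#   version(1) | mn_id(16) | services bitmask(4) | expiry(4, unix secs) | HMAC-SHA256(32)
# The URP RA issues the token at initial registration; edge routers share the
# key and verify the tag locally, acting as both PDP and PEP with no further
# exchange back into the network after handover.
HEADER_FMT = "!B16sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 25 bytes
TAG_LEN = 32
TOKEN_VERSION = 1

SERVICE_QOS = 1 << 0        # constructed service bits for the example
SERVICE_MULTICAST = 1 << 1


def issue_token(key: bytes, mn_id: bytes, services: int, expiry: int) -> bytes:
    """RA side: bind the authorized service set and a lifetime to the MN."""
    body = struct.pack(HEADER_FMT, TOKEN_VERSION, mn_id, services, expiry)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_token(key: bytes, token: bytes, requested: int, now: int) -> bool:
    """Router side: grant the requested service only if the token is genuine,
    unexpired and actually carries that service bit.
    Caveat: this proves the RA issued the token, not who is replaying it;
    binding it to the MN's packets is a separate concern outside this example."""
    if len(token) != HEADER_LEN + TAG_LEN:
        return False
    body, tag = token[:HEADER_LEN], token[HEADER_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time compare
        return False
    version, _mn_id, services, expiry = struct.unpack(HEADER_FMT, body)
    if version != TOKEN_VERSION or now >= expiry:
        return False
    return bool(services & requested)


if __name__ == "__main__":
    key = b"constructed-shared-key-between-RA-and-routers"
    tok = issue_token(key, b"mobile-node-0001", SERVICE_QOS, expiry=1_700_000_000)
    print(check_token(key, tok, SERVICE_QOS, now=1_699_999_000))        # True
    print(check_token(key, tok, SERVICE_MULTICAST, now=1_699_999_000))  # False
```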
Problem Statement: Authentication Challenge
• The network requires some means to issue a lightweight challenge to the Mobile Node to authenticate, for example, after handover.
• The Mobile Node requires some means to challenge the network.
– Especially true for 802.11, where anybody can set up an access point (e.g. fake bank teller problem).
• Initial URP exchange sets up:
– URP RA provides the Mobile Node with a cryptographically protected response token to present when challenged.
– Mobile Node provides URP RA with a cryptographically protected response token with which to reply when challenged.
Motivation: Privacy
• Network operator or user may want to hide the fact that a particular mobile is in a particular subnet.
– Can’t use IPv6 <subnet id, interface id> for IP address.
• Draft talks about using an identity token.
– Possible but better ways to do this (e.g. SUCV, BAKE, etc.).
– Somewhat half baked.
• BUT...URP can provide the vehicle for setting up initial conditions (keying, etc.).
Requirements
• Provide a means whereby a Mobile Node’s packets can securely prove authorization for a particular network level service after handover without requiring an extensive protocol exchange.
• Provide secure authentication tokens whereby a Mobile Node can challenge the network after handover, and the network can challenge the Mobile Node.
• Set up initial conditions for masking Mobile Node’s location and origin.