Madjid Nakhjiri, Mahsa Nakhjiri
AAA and Network Security for Mobile Access
RADIUS, Diameter, EAP, PKI and IP Mobility
- Hardcover
AAA (Authentication, Authorization, Accounting) describes a framework for intelligently controlling access to network resources, enforcing policies, and providing the information necessary to bill for services.
AAA and Network Security for Mobile Access is an invaluable guide to the AAA concepts and framework, including its protocols Diameter and Radius. The authors give an overview of established and emerging standards for the provision of secure network access for mobile users while providing the basic design concepts and motivations.
AAA and Network Security for Mobile Access:
- Covers trust, i.e., authentication and security key management for fixed and mobile users, and various approaches to trust establishment.
- Discusses public key infrastructures and provides practical tips on certificate management.
- Introduces Diameter, a state-of-the-art AAA protocol designed to meet today's reliability, security and robustness requirements, and examines Diameter-Mobile IP interactions.
- Explains RADIUS (Remote Authentication Dial-In User Service) and its latest extensions.
- Details EAP (Extensible Authentication Protocol) in depth, giving a protocol overview and covering EAP-XXX authentication methods as well as the use of EAP in 802 networks.
- Describes IP mobility protocols, including IP-level mobility management, its security and optimizations, and the latest IETF seamless mobility protocols.
- Includes a chapter describing the details of Mobile IP and AAA interaction, illustrating Diameter Mobile IP applications and the process used in CDMA2000.
- Contains a section on security and AAA issues to support roaming, discussing a variety of options for operator co-existence, including an overview of Liberty Alliance.
This text will provide researchers in academia and industry, network security engineers, managers, developers and planners, as well as graduate students, with an accessible explanation of the standards fundamental to secure mobile access.
Note: This item can only be shipped to a German delivery address.
Product details
- Publisher: Wiley & Sons
- 1st edition
- Page count: 318
- Publication date: 1 October 2005
- English
- Dimensions: 250mm x 175mm x 22mm
- Weight: 745g
- ISBN-13: 9780470011942
- ISBN-10: 0470011947
- Item no.: 14834611
- Manufacturer identification
- Libri GmbH
- Europaallee 1
- 36244 Bad Hersfeld
- 06621 890
Madjid Nakhjiri is currently a researcher and network architect with Motorola Labs. He has been involved in the wireless communications industry since 1994. Over the years, Madjid has participated in the development of many cellular and public safety mission-critical projects, ranging from cellular location detection receiver design and voice modeling simulations to the design of architecture and protocols for QoS-based admission, call control, mobile VPN access and AAA procedures for emergency response networks. Madjid has been active in the standardization of mobility and security procedures in IETF, 3G and IEEE since 2000 and is a coauthor of a few IETF RFCs. Madjid has also coauthored many IEEE papers, chaired several IEEE conference sessions and has many patent applications in process.
Mahsa Nakhjiri is currently a systems engineer with Motorola Personal Devices and is involved in future cellular technology planning. Mahsa holds degrees in Mathematics and Electrical Engineering and has specialized in mathematical signal processing for antenna arrays. She has been involved in research on cellular capacity planning and modeling, and in the design and simulation of radio and link layer protocols and their interaction with transport protocols in wireless environments. Mahsa has also worked with cellular operators on mobility and AAA issues from an operator perspective.
Foreword xv
Preface xvii
About the Author xxi
Chapter 1 The 3 "A"s: Authentication, Authorization, Accounting 1
1.1 Authentication Concepts 1
1.1.1 Client Authentication 2
1.1.2 Message Authentication 4
1.1.3 Mutual Authentication 5
1.1.4 Models for Authentication Messaging 6
1.1.5 AAA Protocols for Authentication Messaging 7
1.2 Authorization 8
1.2.1 How is it Different from Authentication? 8
1.2.2 Administration Domain and Relationships with the User 9
1.2.3 Standardization of Authorization Procedures 10
1.3 Accounting 13
1.3.1 Accounting Management Architecture 13
1.3.2 Models for Collection of Accounting Data 15
1.3.3 Accounting Security 17
1.3.4 Accounting Reliability 17
1.3.5 Prepaid Service: Authorization and Accounting in Harmony 19
1.4 Generic AAA Architecture 19
1.4.1 Requirements on AAA Protocols Running on NAS 21
1.5 Conclusions and Further Resources 23
1.6 References 23
Chapter 2 Authentication 25
2.1 Examples of Authentication Mechanisms 25
2.1.1 User Authentication Mechanisms 26
2.1.2 Example of Device Authentication Mechanisms 31
2.1.3 Examples of Message Authentication Mechanisms 33
2.2 Classes of Authentication Mechanisms 36
2.2.1 Generic Authentication Mechanisms 41
2.3 Further Resources 44
2.4 References 45
Chapter 3 Key Management Methods 47
3.1 Key Management Taxonomy 47
3.1.1 Key Management Terminology 47
3.1.2 Types of Cryptographic Algorithms 49
3.1.3 Key Management Functions 50
3.1.4 Key Establishment Methods 51
3.2 Management of Symmetric Keys 54
3.2.1 EAP Key Management Methods 54
3.2.2 Diffie-Hellman Key Agreement for Symmetric Key Generation 58
3.2.3 Internet Key Exchange for Symmetric Key Agreement 61
3.2.4 Kerberos and Single Sign On 62
3.2.5 Kerberized Internet Negotiation of Keys (KINK) 66
3.3 Management of Public Keys and PKIs 67
3.4 Further Resources 68
3.5 References 69
Chapter 4 Internet Security and Key Exchange Basics 71
4.1 Introduction: Issues with Link Layer-Only Security 71
4.2 Internet Protocol Security 73
4.2.1 Authentication Header 74
4.2.2 Encapsulating Security Payload 74
4.2.3 IPsec Modes 75
4.2.4 Security Associations and Policies 77
4.2.5 IPsec Databases 78
4.2.6 IPsec Processing 78
4.3 Internet Key Exchange for IPsec 79
4.3.1 IKE Specifications 79
4.3.2 IKE Conversations 81
4.3.3 ISAKMP: The Backstage Protocol for IKE 83
4.3.4 The Gory Details of IKE 86
4.4 Transport Layer Security 91
4.4.1 TLS Handshake for Key Exchange 93
4.4.2 TLS Record Protocol 95
4.4.3 Issues with TLS 96
4.4.4 Wireless Transport Layer Security 96
4.5 Further Resources 96
4.6 References 97
Chapter 5 Introduction on Internet Mobility Protocols 99
5.1 Mobile IP 99
5.1.1 Mobile IP Functional Overview 102
5.1.2 Mobile IP Messaging Security 107
5.2 Shortcomings of Mobile IP Base Specification 109
5.2.1 Mobile IP Bootstrapping Issues 110
5.2.2 Mobile IP Handovers and Their Shortcomings 113
5.3 Seamless Mobility Procedures 117
5.3.1 Candidate Access Router Discovery 118
5.3.2 Context Transfer 120
5.4 Further Resources 125
5.5 References 126
Chapter 6 Remote Access Dial-In User Service (RADIUS) 127
6.1 RADIUS Basics 127
6.2 RADIUS Messaging 128
6.2.1 Message Format 129
6.2.2 RADIUS Extensibility 130
6.2.3 Transport Reliability for RADIUS 130
6.2.4 RADIUS and Security 131
6.3 RADIUS Operation Examples 135
6.3.1 RADIUS Support for PAP 135
6.3.2 RADIUS Support for CHAP 136
6.3.3 RADIUS Interaction with EAP 138
6.3.4 RADIUS Accounting 139
6.4 RADIUS Support for Roaming and Mobility 141
6.4.1 RADIUS Support for Proxy Chaining 142
6.5 RADIUS Issues 143
6.6 Further Resources 144
6.6.1 Commercial RADIUS Resources 144
6.6.2 Free Open Source Material 145
6.7 References 145
Chapter 7 Diameter: Twice the RADIUS? 147
7.1 Election for the Next AAA Protocol 147
7.1.1 The Web of Diameter Specifications 148
7.1.2 Diameter Applications 151
7.1.3 Diameter Node Types and their Roles 152
7.2 Diameter Protocol 153
7.2.1 Diameter Messages 153
7.2.2 Diameter Transport and Routing Concepts 157
7.2.3 Capability Negotiations 159
7.2.4 Diameter Security Requirements 160
7.3 Details of Diameter Applications 162
7.3.1 Accounting Message Exchange Example 162
7.3.2 Diameter-Based Authentication, NASREQ 163
7.3.3 Diameter Mobile IP Application 167
7.3.4 Diameter EAP Support 167
7.4 Diameter Versus RADIUS: A Factor 2? 168
7.4.1 Advantages of Diameter over RADIUS 168
7.4.2 Issues with Use of Diameter 170
7.4.3 Diameter-RADIUS Interactions (Translation Agents) 171
7.5 Further Resources 172
7.6 References 172
Chapter 8 AAA and Security for Mobile IP 175
8.1 Architecture and Trust Model 177
8.1.1 Timing Characteristics of Security Associations 178
8.1.2 Key Delivery Mechanisms 181
8.1.3 Overview of Use of Mobile IP-AAA in Key Generation 182
8.2 Mobile IPv4 Extensions for Interaction with AAA 184
8.2.1 MN-AAA Authentication Extension 184
8.2.2 Key Generation Extensions (IETF work in progress) 186
8.2.3 Keys to Mobile IP Agents? 187
8.3 AAA Extensions for Interaction with Mobile IP 187
8.3.1 Diameter Mobile IPv4 Application 188
8.3.2 Radius and Mobile IP Interaction: A CDMA2000 Example 196
8.4 Conclusion and Further Resources 200
8.5 References 201
Chapter 9 PKI: Public Key Infrastructure: Fundamentals and Support for IPsec and Mobility 203
9.1 Public Key Infrastructures: Concepts and Elements 204
9.1.1 Certificates 204
9.1.2 Certificate Management Concepts 205
9.1.3 PKI Elements 209
9.1.4 PKI Management Basic Functions 210
9.1.5 Comparison of Existing PKI Management Protocols 212
9.1.6 PKI Operation Protocols 221
9.2 PKI for Mobility Support 222
9.2.1 Identity Management for Mobile Clients: No IP Addresses! 222
9.2.2 Certification and Distribution Issues 225
9.3 Using Certificates in IKE 227
9.3.1 Exchange of Certificates within IKE 229
9.3.2 Identity Management for ISAKMP: No IP Address, Please! 231
9.4 Further Resources 232
9.5 References 232
9.6 Appendix A PKCS Documents 233
Chapter 10 Latest Authentication Mechanisms, EAP Flavors 235
10.1 Introduction 235
10.1.1 EAP Transport Mechanisms 237
10.1.2 EAP over LAN (EAPOL) 237
10.1.3 EAP over AAA Protocols 238
10.2 Protocol Overview 239
10.3 EAP-XXX 242
10.3.1 EAP-TLS (TLS over EAP) 244
10.3.2 EAP-TTLS 248
10.3.3 EAP-SIM 257
10.4 Use of EAP in 802 Networks 259
10.4.1 802.1X Port-Based Authentication 259
10.4.2 Lightweight Extensible Authentication Protocol (LEAP) 260
10.4.3 PEAP 262
10.5 Further Resources 262
10.6 References 263
Chapter 11 AAA and Identity Management for Mobile Access: The World of Operator Co-Existence 265
11.1 Operator Co-existence and Agreements 265
11.1.1 Implications for the User 266
11.1.2 Implications for the Operators 267
11.1.3 Bilateral Billing and Trust Agreements and AAA Issues 269
11.1.4 Brokered Billing and Trust Agreements 272
11.1.5 Billing and Trust Management through an Alliance 274
11.2 A Practical Example: Liberty Alliance 275
11.2.1 Building the Trust Network: Identity Federation 276
11.2.2 Support for Authentication/Sign On/Sign Off 279
11.2.3 Advantages and Limitations of the Liberty Alliance 282
11.3 IETF Procedures 283
11.4 Further Resources 285
11.5 References 285
Index 287