AAA Architecture
Introduction
AAA (RFC 2903) refers to a framework that specifies the protocols and procedures for authentication, authorization and accounting associated with a user.
Authentication:
Authentication refers to the confirmation that a user who is requesting services is a valid user of the network services requested. Authentication is accomplished via the presentation of an identity and credentials, such as a digital certificate.
Authorization:
Authorization refers to the granting of specific types of service (including "no service") to a user, based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, QoS/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.
Accounting:
Accounting refers to the tracking of the consumption of network resources by users. This information is used for billing and planning. Online accounting refers to accounting information that is delivered concurrently with the consumption of the resources, e.g. prepaid services. Offline accounting refers to accounting information that is saved and delivered at a later time. Typical information gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
Design Architecture
The following diagram depicts the basic blocks of the WiMAX AAA architecture.
MS : MS (Mobile Station) is generalized mobile equipment that connects to a base station (BS). The terms SS (Subscriber Station) and user are used interchangeably for MS.
ASN : ASN (Access Service Network) is the complete set of network functions that provides radio access to the MS. All L2 (layer 2) services are handled by the ASN. The ASN implements the mechanisms of the network.
CSN : CSN (Connectivity Service Network) is the set of network functions that provides IP connectivity to the MS. In addition, the CSN may offer functionality such as ASN-CSN tunnelling, subscriber billing and hosting of the AAA server. In a nutshell, it is the entity that implements the policy of the network.
NAS : NAS (Network Access Server) is the serving equipment that provides connectivity to the MS. The NAS is part of the ASN functionality.
NSP : NSP (Network Service Provider) is a business entity that provides WiMAX services to the MS in accordance with an SLA (Service Level Agreement) with the MS. The NSP makes contractual agreements with a Network Access Provider (NAP), which establishes the ASN for the NSP.
NAP : NAP (Network Access Provider) is a business entity that provides radio access infrastructure to one or more WiMAX NSPs. A NAP implements this infrastructure using one or more ASNs.
Accounting Agent : Accounting Agent is the network entity which collects accounting information for MS.
AAA Client : The AAA architecture is based on a client-server model. The AAA client initiates AAA procedures on behalf of the MS.
AAA Server : All AAA queries are answered by the AAA server, which holds the subscriber database for MSs.
Authentication and Authorization Procedures
- After the SS enters the network, it immediately initiates the authentication process with the BS. Scanning the downlink channel, synchronizing with the uplink channel, paging and ranging are the steps by which an SS enters the network.
- Every SS has a factory-installed X.509 digital certificate. The certificate is unique to each SS and contains the SS's MAC address and RSA public key. An SS either has a pre-provisioned RSA private/public key pair or is able to generate one dynamically; both schemes are widely used.
- The SS begins authentication by sending an Authentication Information message to its BS. The Authentication Information message contains the SS manufacturer's X.509 certificate. The Authentication Information message is strictly informative, i.e. the BS may choose to ignore it. However, it does provide a mechanism for a BS to learn the manufacturer certificates of its client SSs.
- Immediately afterwards, the SS sends an Authorization Request message to its BS. This is a request for an AK, as well as for the SAIDs identifying any static security SAs the SS is authorized to participate in. SA, SAID, AK and related terms are explained in the Terminology section below.
- Authorization Request includes:
- An X.509 certificate.
- A description of the cryptographic algorithms the SS supports, i.e. the SS's cryptographic capabilities.
- The SS's Basic CID (Connection Identifier), which the SS obtained during initial ranging.
- In response to an Authorization Request message, the BS validates the requesting SS's identity (by verifying the X.509 digital certificate), determines the encryption algorithm and protocol support it shares with the SS, activates an AK for the SS, encrypts it with the SS's public key, and sends it back to the SS in an Authorization Reply message. The Authorization Reply includes:
- An AK encrypted with the SS's public key.
- A 4-bit key sequence number, used to distinguish between successive generations of AKs.
- A key lifetime.
- The SAIDs and properties of the single primary SA and the zero or more static SAs the SS is authorized to use.
A natural question is why the message is called Authorization Request rather than Authentication Request. Of course the SS has to authenticate itself before it is authorized for any service; the subtlety is that authentication is implicit here. When the SS asks for authorization it also sends the material needed for authentication. The WiMAX Forum could have given the message a name that reflects both processes (authentication and authorization).
Again, how authentication is done is purely protocol dependent. The protocols PKMv1, PKMv2 and EAP are used to perform authentication, and the authentication procedure varies slightly depending on the protocol.
Role of AAA Client-Server for Authentication and Authorization Procedures
- When the SS requests authentication, the request is submitted to the AAA client.
- The AAA client asks the AAA server to authenticate the SS. The AAA client and AAA server communicate using RADIUS (Remote Authentication Dial In User Service) messages.
- The AAA server validates or rejects the AAA client's request.
- If the SS is in a visited NSP, the AAA server of the visited NSP calls the AAA server of the home NSP to validate the SS.
Accounting Procedures
Accounting procedures are performed by means of the accounting agent, the AAA server and the AAA client. The accounting terminology is as follows.
- Airlink Records: An airlink record is a measure of the radio resources being used by a particular SS.
- UDR (Usage Data Record): A UDR is the rated usage of an SS. The SS's resource usage is aggregated and rated to form UDRs.
- Negative Volume Count: Any unsent or discarded data is counted as Negative Volume Count. The accounting agent keeps track of it and submits the report to the AAA client.
- Offline Accounting: In offline accounting the user is not charged on the spot while being served; instead UDRs are generated, and a bill is produced when the billing cycle ends.
- Online Accounting: In online accounting the user is continuously monitored against the remaining balance. Once the prepaid balance is consumed, service is denied.
Role of AAA Client-Server for Offline Accounting
- The BS generates airlink records: when an SS connects to the BS, it sends an Active Start Airlink Record, and when the SS disconnects it sends an Active Stop Airlink Record.
- On receiving airlink messages (and several other triggers) the AAA client generates and maintains UDRs. When the SS disconnects, the AAA client sends the UDRs to the AAA server.
Role of AAA Client-Server for Online Accounting
- A Prepaid Server (PPS) maintains the SS's prepaid information. A Prepaid Client (PPC) handles prepaid accounting requests and responses. The PPS is generally implemented as part of the AAA server.
- Whenever an authorization request is made by the AAA client (originated by the SS), the PPS allocates a fraction of the subscriber's balance to a quota.
- When the subscriber consumes the allocated quota, it again sends an Authentication request to obtain a new quota.
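The two accounting flows above (Active Start/Stop airlink records aggregated into rated UDRs for offline accounting, and a prepaid server handing out quota until the balance is exhausted for online accounting) as an added simulation; this is illustrative code, not from the page or any WiMAX product, and the record fields, rate and quota size are constructed values.

```python
"""Accounting simulation: airlink records -> rated UDRs (offline) and a prepaid
quota loop (online). Added illustration; not code from the page or any vendor.
Assumptions: the record fields, rate and quota size are constructed values."""
from dataclasses import dataclass

@dataclass
class AirlinkRecord:
    kind: str                  # "Active Start" or "Active Stop"
    ss_mac: str
    time: int                  # seconds (constructed sample values)
    octets_sent: int = 0
    octets_discarded: int = 0  # unsent/discarded data: the Negative Volume Count

def build_udrs(records, rate_per_kb=0.002):
    """Pair Active Start/Stop records per SS into rated UDRs (offline accounting)."""
    open_sessions, udrs = {}, []
    for r in sorted(records, key=lambda r: r.time):
        if r.kind == "Active Start":
            open_sessions[r.ss_mac] = r
        elif r.kind == "Active Stop" and r.ss_mac in open_sessions:
            start = open_sessions.pop(r.ss_mac)
            billable = r.octets_sent - r.octets_discarded  # subtract negative volume
            udrs.append({"ss": r.ss_mac, "duration": r.time - start.time,
                         "billable_octets": billable,
                         "charge": round(billable / 1024 * rate_per_kb, 4)})
    return udrs  # a stop without a start is ignored; an open start stays pending

class PrepaidServer:
    """Online accounting: hand out a fraction of the balance per authorization."""
    def __init__(self, balances, quota=500):
        self.balances, self.quota = dict(balances), quota
    def authorize(self, ss_mac):
        bal = self.balances.get(ss_mac, 0)
        if bal <= 0:
            return 0  # balance exhausted: the SS is denied further service
        grant = min(self.quota, bal)
        self.balances[ss_mac] -= grant
        return grant

def serve_online(pps, ss_mac, demand):
    """SS consumes `demand` units, re-requesting quota each time one is used up."""
    served = 0
    while served < demand:
        grant = pps.authorize(ss_mac)
        if grant == 0:
            break
        served += min(grant, demand - served)  # unused remainder of a quota is not refunded
    return served
```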
Terminology
SA & SAID:
A Security Association (SA) is the set of security information that two entities share in order to support secure communication. An SA includes the Data Encryption Standard key, the initialization vector, digital certificates, etc.
The fundamental need for an SA arises when two entities communicate over more than one channel. Take the example of a mobile subscriber and a base station. The subscriber may subscribe to more than one service, so for every service there may be different security primitives such as the data encryption algorithm, public key and initialization vector. To make things easier, all this security information is grouped logically, and this logical group is the Security Association. Each SA has its own identifier, the SAID. The base station and mobile subscriber share the SAID and from it derive all the security parameters, which makes things a lot easier.
The SS and BS share one primary SA and zero or more static and dynamic SAs. Each SA has its own TEK and other cryptographic parameters. Static and dynamic SAs can be shared by the BS among multiple SSs, while the primary SA is exclusive to a particular SS.
In a nutshell, a Security Association (SA) is nothing but a logical group of security parameters that eases sharing the information with the other entity.
AK (Authorization Key) :
All non-traffic and management message data are encrypted directly by the AK or by a key derived from the AK. That is, the AK is the key given to the SS after it has been authorized. Several other keys are derived from the AK, e.g. the KEK (Key Encryption Key), MAK (Message Authentication Key), H-MAK (Hashed MAK) and H-MAK Digest. The AK is periodically regenerated by the BS on request from the SS (the SS makes this request when the AK lifetime timer expires). Of course, re-requesting the AK makes an intruder's work more difficult and eases online accounting.
TEK (Traffic Encryption Key) :
The TEK is the key used for encrypting user traffic. The TEK is generated by the BS and encrypted with the KEK; the SS decrypts it with the KEK it holds. The TEK is periodically regenerated by the BS on request from the SS (the SS makes this request when the TEK lifetime expires). An SS may have multiple SAs, and each SA has its own TEK.
MAC (Message Authentication Code) :
A MAC is used to authenticate the messages that flow between the SS and BS. The MAC is derived from the AK. Whenever the BS receives a message from the SS, it first validates that the message carries a valid MAC.
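The Authorization Request/Reply exchange from the Authentication and Authorization Procedures section, together with the AK and MAC roles defined here, as an added simulation (illustrative code, not from the page or any 802.16 implementation): the BS checks the SS identity and shared cipher suites, activates an AK with a 4-bit key sequence number and lifetime, and later rejects management messages whose MAC is wrong or which reference a stale AK generation. The RSA wrap of the AK and the HMAC-based MAK derivation are simplifications labelled in the code.

```python
"""Simulated PKM-style Authorization Request/Reply between an SS and a BS.
Added illustration; not code from the page or any 802.16 implementation.
Assumptions: the RSA wrap of the AK to the SS public key is abstracted (the AK
travels as-is) and the MAC key is HMAC-SHA256 derived from the AK, a stand-in."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

AK_LIFETIME = 3600  # seconds; the reply carries a key lifetime (value constructed)
@dataclass
class AuthorizationRequest:
    certificate: dict   # stand-in for the SS X.509 certificate: {"mac": ...}
    capabilities: set   # cryptographic suites the SS supports
    basic_cid: int      # Basic CID obtained during initial ranging

@dataclass
class AuthorizationReply:
    ak: bytes           # in PKM this field is RSA-encrypted to the SS public key
    key_sequence: int   # 4-bit number distinguishing successive AK generations
    lifetime: int
    saids: list         # primary SA plus any static SAs the SS may use

def mac_for(ak, payload):
    """Message authentication code for a management message, keyed from the AK."""
    mak = hmac.new(ak, b"MAK", hashlib.sha256).digest()   # simplified MAK derivation
    return hmac.new(mak, payload, hashlib.sha256).digest()

class BaseStation:
    def __init__(self, supported, trusted_macs):
        self.supported, self.trusted = set(supported), set(trusted_macs)
        self.state = {}  # basic_cid -> (ak, key_sequence)
    def authorize(self, req):
        # Identity check stands in for validating the X.509 certificate chain
        if req.certificate.get("mac") not in self.trusted:
            return None  # authorization rejected
        if not (self.supported & req.capabilities):
            return None  # no cipher suite in common with the SS
        prev = self.state.get(req.basic_cid)
        seq = (prev[1] + 1) % 16 if prev else 0  # 4-bit counter wraps after 15
        ak = secrets.token_bytes(20)
        self.state[req.basic_cid] = (ak, seq)
        return AuthorizationReply(ak, seq, AK_LIFETIME, [req.basic_cid])
    def verify(self, basic_cid, key_sequence, payload, mac):
        """The BS checks the MAC before processing any SS management message."""
        st = self.state.get(basic_cid)
        if st is None or st[1] != key_sequence:
            return False  # unknown SS or message under a stale AK generation
        return hmac.compare_digest(mac_for(st[0], payload), mac)
```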
References
- WiMAX End-to-End Network Systems Architecture (Stage 2: Architecture Tenets, Reference Model and Reference Points).
- RFC 2865, Remote Authentication Dial In User Service (RADIUS).
- RFC 2866, RADIUS Accounting.
- RFC 2904, AAA Authorization Framework.
- IEEE 802.16-2004, October 2004, Air Interface for Fixed and Mobile Broadband Wireless Access Systems.
- IEEE 802.16e/D12, September 2005, Local and Metropolitan Area Networks.