Internet DRAFT - draft-chen-pcp-authentication-sim
draft-chen-pcp-authentication-sim
Network Working Group G. Chen
Internet-Draft China Mobile
Intended status: Informational D. Zhang
Expires: April 30, 2015 Huawei
T. Reddy
Cisco
October 27, 2014
(U)SIM based PCP Authentication
draft-chen-pcp-authentication-sim-01
Abstract
With (U)SIM support, PCP authentication could leverage the
credentials stored in (U)SIM. The document details PCP
authentication considerations based on (U)SIM support. The
authentication procedures in EAP and GBA framework have been
specifically elaborated. In order to complete the process, new code
and option are also proposed.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 30, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Chen, et al. Expires April 30, 2015 [Page 1]
Internet-Draft pcp-auth-sim October 2014
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. PCP Authentication with (U)SIM . . . . . . . . . . . . . . . 2
2.1. EAP Framework . . . . . . . . . . . . . . . . . . . . . . 3
2.2. GBA Framework . . . . . . . . . . . . . . . . . . . . . . 4
3. Proposal . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.1. Normative References . . . . . . . . . . . . . . . . . . 7
6.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Mobile network is experiencing the significant traffic changes over
the past few years. With Long Term Evolution (LTE) advance, plenty
of data services have been appreared to be major traffic on the
network. The Port Control Protocol[RFC6887] could facilitate data
paths through NAT/Firewell and optimize data traffic behavior. It's
obvious a 3rd Generation Partnership Project (3GPP) network can
benefit from the use of the PCP service.
[I-D.chen-pcp-mobile-deployment]has enumurated several considerations
in a mobile environment. Subsribers take advantage of (U)SIM to
provide the security guarantee. Hence, PCP clients could also
leverage the credential to perform authentication.
This document describes the uses of (U)SIM specific authentication
which is compatible with [I-D.ietf-pcp-authentication]. A new option
is proposed to assist the completion of process.
2. PCP Authentication with (U)SIM
A permanent key is stored on the (U)SIM card and in AAA nodes (e.g.
HLR/HSS) in the mobile network. The key has been to pass through the
authentication. Afterwards, derived keys are generated for chipering
and integrity protection of user-plan and control plane traffic. The
use of (U)SIM to PCP authentication is applicable to WLAN access and
3GPP access cases. The following demonstrates the scenarios with
different frameworks.
Chen, et al. Expires April 30, 2015 [Page 2]
Internet-Draft pcp-auth-sim October 2014
2.1. EAP Framework
With the support of (U)SIM cards, UEs could take the credentials from
(U)SIM cards and perform EAP-SIM[RFC4186]/EAP-AKA[RFC4187]/EAP-
AKA'[RFC5448] get through the authentication. The network has been
shown as the below.
+-----------------+ +----------------+
+----+ | | +----------+ | |
| UE | ----- | WLAN IP Access | ----- |PCP Server|---| Public Internet|
+----+ | Network | +----------+ | |
+-----------------+ | +----------------+
+------+
| AAA |
+------+
Figure1: WLAN Access with EAP Support
The process of authentication in the EAP framework is compliant with
[I-D.ietf-pcp-authentication]. In additon, the PCP server takes the
authenticator rule and operates as pass-through behavior. It
forwards EAP packets received from the PCP client and destined the
backend authentication server (i.e., AAA server); packets received
from the AAA server destined to the PCP client are forwarded to it.
PCP server is required to have interconnection with AAA server over
RADIUS[RFC5580] or DIAMETER[RFC6733] protocol. The Figure 2 shows an
example with EAP-AKA/EAP-AKA' process.
Chen, et al. Expires April 30, 2015 [Page 3]
Internet-Draft pcp-auth-sim October 2014
PCP Client PCP Server(EAP Autenticator) AAA Server(EAP Server)
| 1. PCP-Auth-Initiation | |
|-------------------------------->| |
| 2. PCP-Auth-Server(EAP-Request)| |
|<--------------------------------| |
| 3.1 EAP-Response/Identity | 3.2 EAP-Response/Identity |
|-------------------------------->|---------------------------------->|
| 4.2 EAP-Request/AKA-Chanllenge | 4.1 EAP-Request/AKA-Chanllenge |
| (RAND, AUTH, MAC) |(RAND, AUTH, MAC) |
|<--------------------------------|<----------------------------------|
| | |
Verify AUTH and MAC, | |
derive RES,session key | |
| 5.1 EAP-Response/AKA-Chanllege | 5.2 EAP-Response/AKA-Chanllege |
| (RES, MAC) | (RES, MAC) |
|-------------------------------->| --------------------------------->|
| | Check RES and MAC
| 6.2 AUTHENTICAION-SUCCESSD | 6.1 AUTHENTICAION-SUCCESSD |
|<--------------------------------|<----------------------------------|
Figure2: PCP authentication with EAP-AKA/EAP-AKA'
The EAP framework could be used to support authentication of WLAN
users with (U)SIM. Direct WLAN or WLAN interworking with 3GPP
networks can adopt this method.
2.2. GBA Framework
[TS33.220] has specified Generic Bootstrapping Architecture (GBA) to
offer bootstrap authentication and key agreement for application
security. This archtecture has been already used to support the
authentication of 3GPP access users to service platform with 3GPP AKA
mechanism, for example Ut interface authentication in IMS network.
GBA has merits of flexibility so the service platforms could benefit
from the adoption and do not have to introduce additional process and
new credentials. Therefore, it's desirable to accomodate the PCP
authetication in such framework. Figure 3 shows the network with
GBA.
Chen, et al. Expires April 30, 2015 [Page 4]
Internet-Draft pcp-auth-sim October 2014
+-----------------+ +----------------+
+----+ | | +----------+ | |
| UE | ----- | 3GPP Access | ----- |PCP Server|---| Public Internet|
+----+ | Network | +----------+ | |
+-----------------+ | +----------------+
+-------+ +------+
|HSS/HLR| -------- | BSF |
+-------+ +------+
Figure3: 3GPP Access with GBA Support
A Bootstrapping Server Function (BSF) and the UE mutually
authenticate using the AKA protocol, and agree on session keys that
are afterwards applied between UE and a PCP Server. The set of all
user security material is stored in the Home Subscriber System (HSS).
Once BSF requires the security material for a user, HSS identity the
specific material by matching UE indentity(e.g. MSISDN or IMSI) and
reponse BSF with Authentication Vector (AV, AV =
RAND||AUTN||XRES||CK||IK). Afterwards, HTTP AKA[RFC3310] is taken
place between UE and BSF. As a sequence, both the UE and the BSF
shall use the Ks to derive the key material Ks, whichi is used for
securing the path between PCP server and UE. BSF also generates a
Bootstrapping Transaction Identifier (B-TID) as an index in order to
facilitate the conversation between PCP Server and BSF.
After the bootstrapping has been completed, the authentication of
messages will be exchanged between the UE and a PCP server based on
those session keys generated during the mutual authentication between
UE and BSF. Figure4 shows the process.
Chen, et al. Expires April 30, 2015 [Page 5]
Internet-Draft pcp-auth-sim October 2014
PCP Client PCP Server BSF HSS
| 1. PCP-Auth-Initiation | | |
|-------------------------------->| | |
|2. PCP-Auth-Server(bootstrapping)| | |
|<--------------------------------| | |
| 3.Request(User Identity) | 4.Retrieve AV |
|-------------------------------------------------------------->|<--------------->|
| 5.401 Unauthorized WWW-Authenticat |
| Digest (RAND, AUTH) |
|<--------------------------------------------------------------|
| 6.Request Authorization: Digest (RES is used) |
|-------------------------------------------------------------->|
| | Server checks the given Digest
| | and drive Ks
| 7.200 OK, B-TID, Key lifetime |
|<--------------------------------------------------------------|
| 8. PCP-Auth-Request | 9. Authentication Request |
| (B-TID) | (B-TID) |
|-------------------------------->|---------------------------->|
| | 10.Authentication Answer |
| 11.AUTHENTICAION-SUCCESSD | (Ks, Key lifetime) |
|<--------------------------------|<----------------------------|
Figure4: PCP authentication in GBA
3. Proposal
In order to fullfill the process of PCP authentication in GBA, one
result code is required and company with
[I-D.ietf-pcp-authentication].
TBD BOOTSTRAPPING-INITIATION
The code is applied to above step 2 in Figure4.
B-TID option is also proposed to perform step 8 in Figure 4.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| B-TID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: it's to identify the B-TID use.
Chen, et al. Expires April 30, 2015 [Page 6]
Internet-Draft pcp-auth-sim October 2014
Option-Length: The length of the B-TID Option (in octet), including
the 4 octet fixed header and the variable length of the B-TID
message.
B-TID: According to ,The B-TID value shall be also generated in
format of Network Access Identi (NAI) by taking the base64 encoded
[RFC3548], RAND value , and the BSF server name, i.e.
base64encode(RAND)@BSF_servers_domain_name.
4. Security Considerations
TBD
5. IANA Considerations
TBD
6. References
6.1. Normative References
[RFC3310] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
Protocol (HTTP) Digest Authentication Using Authentication
and Key Agreement (AKA)", RFC 3310, September 2002.
[RFC4186] Haverinen, H. and J. Salowey, "Extensible Authentication
Protocol Method for Global System for Mobile
Communications (GSM) Subscriber Identity Modules (EAP-
SIM)", RFC 4186, January 2006.
[RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication
Protocol Method for 3rd Generation Authentication and Key
Agreement (EAP-AKA)", RFC 4187, January 2006.
[RFC5448] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved
Extensible Authentication Protocol Method for 3rd
Generation Authentication and Key Agreement (EAP-AKA')",
RFC 5448, May 2009.
[RFC5580] Tschofenig, H., Adrangi, F., Jones, M., Lior, A., and B.
Aboba, "Carrying Location Objects in RADIUS and Diameter",
RFC 5580, August 2009.
[RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
"Diameter Base Protocol", RFC 6733, October 2012.
Chen, et al. Expires April 30, 2015 [Page 7]
Internet-Draft pcp-auth-sim October 2014
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013.
[TS33.220]
"Generic Authentication Architecture (GAA); Generic
Bootstrapping Architecture (GBA)", 10.1.0 3GPP TS 33.220,
March 2012.
6.2. Informative References
[I-D.chen-pcp-mobile-deployment]
Chen, G., Cao, Z., Boucadair, M., Ales, V., and L.
Thiebaut, "Analysis of Port Control Protocol in Mobile
Network", draft-chen-pcp-mobile-deployment-04 (work in
progress), July 2013.
[I-D.ietf-pcp-authentication]
Wasserman, M., Hartman, S., Zhang, D., and T. Reddy, "Port
Control Protocol (PCP) Authentication Mechanism", draft-
ietf-pcp-authentication-06 (work in progress), October
2014.
[RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 3548, July 2003.
Authors' Addresses
Gang Chen
China Mobile
53A,Xibianmennei Ave.,
Xuanwu District,
Beijing 100053
China
Email: phdgang@gmail.com
Dacheng Zhang
Huawei
Beijing
China
Email: zhangdacheng@huawei.com
Chen, et al. Expires April 30, 2015 [Page 8]
Internet-Draft pcp-auth-sim October 2014
Tirumaleswar Reddy
Cisco Systems, Inc.
Cessna Business Park, Varthur Hobli
Sarjapur Marathalli Outer Ring Road
Bangalore, Karnataka 560103
India
Email: tireddy@cisco.com
Chen, et al. Expires April 30, 2015 [Page 9]