1 Introduction to AAA
AAA stands for Authentication, Authorization and Accounting. Since networks first appeared, authentication, authorization and accounting have been the foundation of their operation: the use of any resource in the network has to be managed through authentication, authorization and accounting, and developments in AAA have drawn operators' attention from the start. For a commercial system, identification is critical. Only once a user's identity has been confirmed does the operator know whom to charge, and only then can illegitimate users (attackers) be prevented from damaging the network. After confirming the user's identity, the system can grant the user permissions according to the service category the user has subscribed to. Finally, while the user consumes system resources, a device has to count that consumption so that the corresponding fees can be charged.
Authentication is the confirmation of a user's identity when the user makes use of resources in the network system. Identity information (such as a username and password combination, biometric data, and so on) is obtained and submitted to an authentication server, which compares it with the user information stored in its database and, based on the result, confirms whether the claimed identity is correct. For example, the GSM mobile communication system can identify both the terminal equipment and the subscriber within its network. Authorization is the network system permitting authenticated users to use its resources in a specific manner: it specifies which services an authenticated user may use after accessing the network and which permissions (such as an assigned IP address) the user is granted. In GSM, a user who has passed authentication still has to be authorized; whether a particular service permission applies (for example, whether international calling is enabled) is something the user and the operator have agreed in advance. Accounting is the network system collecting and recording the user's use of network resources, either to charge the user or for auditing. Taking an Internet service provider (ISP) as an example, a user's network access can be recorded precisely in terms of traffic volume or connection time.
Authentication, authorization and accounting together provide an accurate record of which specific user consumed which network resources. To a certain extent this effectively protects the rights and interests of legitimate users and ensures that the network system runs safely and reliably. Considering the convergence of different networks and the development of the Internet itself, a new generation of IP-based AAA technology is urgently needed. This is why the Diameter protocol appeared.
2 Application of AAA in Mobile Communication Systems
In a mobile communication system, a user who wants to use network resources must first gain access to the network. The authentication process verifies the legitimacy of the user's identity; once authentication is complete, the user is authorized to access network resources, and the user's use of those resources is accounted for. In general, the authentication process involves three entities: the user (client), the authenticator, and the AAA server (Authentication, Authorization and Accounting Server). In early versions of third-generation mobile communication systems the user is also called the MN (mobile node) and the authenticator is implemented in the NAS (Network Access Server); the PPP protocol runs between the user and the NAS, and an AAA protocol runs between the authenticator and the AAA server. The AAA protocol used in this earlier arrangement is RADIUS (Remote Authentication Dial In User Service). RADIUS was originally designed to authenticate and account for dial-up users; after many improvements it has become a general-purpose authentication and accounting protocol. RADIUS is a client/server protocol. Initially the client was the NAS (Network Access Server); now any computer running RADIUS client software can act as a RADIUS client. The RADIUS authentication mechanism is flexible and can work with PAP, CHAP or UNIX login authentication. RADIUS is an extensible protocol in which all data is carried as attribute-length-value triplets. Its basic working principle is as follows: the user accesses the NAS, and the NAS submits the user's information, including the username and password, to the RADIUS server. The user's password is hidden using MD5 together with a secret shared by the two parties; this shared secret is never transmitted over the network. The RADIUS server then checks the validity of the username and password.
If necessary, the server can issue a Challenge requiring the user to prove its identity, or perform a similar authentication of the NAS. If the user is legitimate, the server returns an Access-Accept packet to the NAS, allowing the user to proceed to the next step; otherwise it returns an Access-Reject packet and the user's access is refused. If access is allowed, the NAS sends an Accounting-Request to the RADIUS server, the server responds with an Accounting-Response, charging for the user begins, and the user can carry out its own operations.
RADIUS is one of the most commonly used authentication and accounting protocols. It is simple, secure, easy to manage and readily extended, so it is widely deployed. However, the protocol itself has shortcomings: it runs over UDP, its handling of packet loss is rudimentary, and it makes no other provision for reliable delivery or for centralized accounting services. These make it less suited to the development of today's networks, and further improvement is needed.
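The password hiding and reply verification described in the two preceding paragraphs, written out as an added example in Python (not code from the article). It follows RFC 2865 for the User-Password hiding and the Response Authenticator; `simulate_exchange`, the `user_db` sample data and the attribute-free 20-octet reply are simplifications assumed for the example.

```python
"""RADIUS password hiding and reply verification (RFC 2865 / RFC 2866).

Added example; not code from the article. It models only what the text
describes: the NAS hides the User-Password with MD5 and a shared secret that
never crosses the network, and the server's Access-Accept/Reject carries a
Response Authenticator computed over the request's authenticator and the
same secret. Packet framing is reduced to the fields those two checks use.
"""
import hashlib
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: inverse of hide_password, then strip the zero padding."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, keystream))
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> dict:
    """Server builds a reply carrying no attributes (20-octet packet)."""
    attrs = b""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return {"code": code, "ident": ident, "length": length, "attrs": attrs, "auth": auth}


def nas_accepts(reply: dict, request_auth: bytes, secret: bytes) -> bool:
    """NAS recomputes the Response Authenticator with its own secret and the
    authenticator of the request it sent; a reply that does not verify is
    dropped even if its code says Access-Accept."""
    expected = response_authenticator(reply["code"], reply["ident"], reply["length"],
                                      request_auth, reply["attrs"], secret)
    return secrets.compare_digest(reply["auth"], expected) and reply["code"] == ACCESS_ACCEPT


def simulate_exchange(user: bytes, password: bytes, secret: bytes, user_db: dict,
                      reply_secret: bytes = None) -> dict:
    """One Access-Request / reply round trip. user_db maps username to password
    (constructed sample data). If reply_secret is given, the reply is built by a
    party that does not hold the NAS's secret (e.g. a misconfigured server) and
    is always an Access-Accept, so the NAS-side check is what decides."""
    ident = 7                                       # packet identifier
    request_auth = secrets.token_bytes(16)          # fresh random Request Authenticator
    hidden = hide_password(password, secret, request_auth)   # this is what crosses the wire
    if reply_secret is None:
        recovered = reveal_password(hidden, secret, request_auth)
        ok = user in user_db and secrets.compare_digest(recovered, user_db[user])
        reply = build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)
    else:
        reply = build_reply(ACCESS_ACCEPT, ident, request_auth, reply_secret)
    return {"code": reply["code"], "accepted": nas_accepts(reply, request_auth, secret)}
```

Two points worth noticing from the code: the hiding is a keystream XOR whose strength rests entirely on the entropy of the shared secret and on the Request Authenticator being fresh for every request, and the NAS must treat the Response Authenticator check as the decision, not the packet code, which is why `nas_accepts` returns false for an Access-Accept built with a different secret.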
With the introduction of new access technologies (such as wireless access, DSL, mobile IP and Ethernet) and the rapid expansion of access networks, increasingly complex routers and access servers are being deployed, and these place new demands on the AAA protocol. Under these new demands, the structural weaknesses of traditional RADIUS have become increasingly obvious. At present, 3G networks are gradually evolving toward all-IP networks: not only does the core network contain IP-based network entities, IP-based technologies are also used in the access network, and mobile terminals themselves are becoming IP clients. For example, WCDMA Release 6 (R6) adds the following features: enhanced UTRAN and CN transport; enhanced radio interface; multimedia broadcast and multicast (MBMS); digital rights management (DRM); WLAN-UMTS interworking; priority service; generic user profile (GUP); network sharing; and interworking between different networks. In such a network mobile IP will be widely used. A terminal that supports mobile IP can move within the home network in which it is registered, or roam to other operators' networks. When the terminal accesses the network and uses the services an operator provides, a strict AAA process takes place: the AAA server authenticates the mobile terminal, authorizes the services the user is allowed to use, and collects the user's resource consumption to generate accounting information. This requires a new generation of AAA protocol: Diameter. In addition, in the draft IEEE 802.16e wireless standard, the network reference model also includes an authentication and authorization server (ASA Server) to support handover of mobile stations between different base stations. It can be seen that in future mobile communication systems the AAA server occupies a very important position. After discussion, the IETF AAA Working Group agreed to adopt the Diameter protocol as the next-generation AAA protocol standard.
The Diameter protocol is an upgraded version of the RADIUS protocol. It comprises a base protocol together with a NAS (Network Access Service) application, an EAP (Extensible Authentication Protocol) application, a MIP (Mobile IP) application, a CMS (Cryptographic Message Syntax) application, and others. Diameter supports authentication, authorization and accounting for mobile IP, NAS requests and mobile agents. Its implementation resembles that of RADIUS, still using AVPs (attribute-value pairs, in attribute-length-value triplet form), but it adds error handling, a failover mechanism and transport over TCP, and supports distributed accounting. It thus overcomes many of RADIUS's shortcomings and is the AAA protocol best suited to future mobile communication systems.
3 The New-Generation AAA Protocol: Diameter
The relationship between the Diameter application protocols and other network protocols is shown in Figure 1:
(1) Diameter Base Protocol
The Diameter base protocol provides the most basic services, such as user session management and accounting, on which the other applications build. Its protocol elements consist of a number of commands and AVPs (attribute-value pairs), through which authentication, authorization and accounting information is passed between clients, agents and servers. However, whether client, agent or server, any party can actively initiate a session request and the other party answers, so Diameter is also described as a peer-to-peer protocol. Command codes and AVP values and types can be extended according to the needs and rules of each application.
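To make the command and AVP structure concrete, here is an added Python example (not the article's code) that encodes and parses the RFC 3588 message header and AVPs, builds an answer that mirrors a request's identifiers, and flags mandatory AVPs the receiver does not understand. The base-protocol AVP codes are those of RFC 3588; the command code 260 (AA-Mobile-Node-Request) and application id 2 (Mobile IPv4) used in the demo are assumed values to be checked against RFC 4004, and the realm and host names are constructed.

```python
"""Diameter base-protocol framing (RFC 3588): the 20-octet message header and
attribute-value pairs (AVPs). Added example, not the article's code. The
base-protocol AVP codes are from RFC 3588; command code 260 (AMR) and
application id 2 (Mobile IPv4) in the demo are assumed, see the lead-in."""
import struct
from typing import Optional

AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20                 # vendor-specific, mandatory, protected
CMD_R, CMD_P, CMD_E, CMD_T = 0x80, 0x40, 0x20, 0x10    # request, proxiable, error, retransmit
USER_NAME, SESSION_ID, ORIGIN_HOST, RESULT_CODE = 1, 263, 264, 268   # RFC 3588 AVP codes
DESTINATION_REALM, ORIGIN_REALM = 283, 296
DIAMETER_SUCCESS = 2001
CMD_AMR, APP_MOBILE_IPV4 = 260, 2                      # assumed values (RFC 4004)


def encode_avp(code: int, data: bytes, mandatory: bool = True,
               vendor_id: Optional[int] = None) -> bytes:
    """Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, padded to a 4-octet
    boundary. Length covers header and data but not the padding."""
    flags = (AVP_M if mandatory else 0) | (AVP_V if vendor_id is not None else 0)
    vendor = struct.pack(">I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vendor) + len(data)
    avp = struct.pack(">I", code) + bytes([flags]) + length.to_bytes(3, "big") + vendor + data
    return avp + b"\x00" * (-len(data) % 4)


def decode_avps(buf: bytes) -> list:
    """Parse a run of AVPs, refusing any length that points outside the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack(">I", buf[off:off + 4])[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError("AVP length outside buffer")
        pos, vendor_id = off + 8, None
        if flags & AVP_V:
            if length < 12:
                raise ValueError("vendor AVP too short")
            vendor_id = struct.unpack(">I", buf[pos:pos + 4])[0]
            pos += 4
        avps.append({"code": code, "mandatory": bool(flags & AVP_M),
                     "vendor_id": vendor_id, "data": buf[pos:off + length]})
        off += length + (-length % 4)                  # skip the padding
    return avps


def encode_message(command_code: int, app_id: int, hop_by_hop: int, end_to_end: int,
                   avps: list, request: bool = True) -> bytes:
    """Version(1)=1 Length(3) Flags(1) Command-Code(3) Application-ID(4)
    Hop-by-Hop(4) End-to-End(4), followed by the AVPs."""
    body = b"".join(avps)
    hdr = bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([CMD_R if request else 0])
    hdr += command_code.to_bytes(3, "big") + struct.pack(">III", app_id, hop_by_hop, end_to_end)
    return hdr + body


def decode_message(buf: bytes) -> dict:
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("message length mismatch")
    app_id, hop_by_hop, end_to_end = struct.unpack(">III", buf[8:20])
    return {"request": bool(buf[4] & CMD_R), "command_code": int.from_bytes(buf[5:8], "big"),
            "application_id": app_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": decode_avps(buf[20:])}


def build_answer(request_buf: bytes, avps: list) -> bytes:
    """An answer echoes the command code, application id and both identifiers
    of the request, with the R bit cleared."""
    req = decode_message(request_buf)
    return encode_message(req["command_code"], req["application_id"], req["hop_by_hop"],
                          req["end_to_end"], avps, request=False)


def unknown_mandatory(avps: list, known_codes: set) -> list:
    """Codes of M-flagged AVPs the receiver does not understand; RFC 3588 says
    such a message must be rejected rather than silently processed."""
    return [a["code"] for a in avps if a["mandatory"] and a["code"] not in known_codes]


def build_demo_amr() -> bytes:
    """Constructed sample request carrying only base-protocol AVPs."""
    avps = [encode_avp(SESSION_ID, b"fa.visited.example;1;1"),
            encode_avp(ORIGIN_HOST, b"fa.visited.example"),
            encode_avp(ORIGIN_REALM, b"visited.example"),
            encode_avp(DESTINATION_REALM, b"home.example"),
            encode_avp(USER_NAME, b"mn@home.example")]
    return encode_message(CMD_AMR, APP_MOBILE_IPV4, 0x1001, 0x2002, avps)
```

The bounds checks in `decode_avps` and `decode_message` are the part a practitioner should keep: a length field that runs past the buffer is the classic parser failure in TLV protocols, and the M-flag check is what lets a server refuse a message it only partly understands instead of acting on it.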
(2) Diameter NAS Protocol
The Diameter NAS protocol is the Network Access Service protocol. It handles access requests (RegReq) from NAS clients and passes the received user authentication information to the NAS server; the server authenticates the user and returns the result (Success/Fail) to the client; the client sends the result back to the MN in a RegReply, and the MN acts on it accordingly.
The NAS acts as a network access server: when it receives a call on a user port it starts a message exchange with the AAA server, packaging information about the call, the user's identity and the user's authentication data into AAA messages sent to the AAA server. In fact, the FA in mobile IP can be viewed as a NAS that receives the mobile terminal MN's service connection request over the air link, acts as a client of the AAA server, and exchanges NAS request and answer messages with it.
(3) Diameter EAP Protocol
Diameter EAP (Extensible Authentication Protocol) provides a standard mechanism that supports a variety of authentication methods. EAP is really a framework, a frame format, that can carry many kinds of authentication information. The multi-round authentication that EAP provides is something PAP and CHAP lack.
The EAP application describes how the user, the NAS (AAA client) and the AAA server exchange requests and answers carrying EAP authentication messages; completing one authentication request may take several rounds of messages. In the mobile terminal (MN) environment, the authentication extension between the MN and the FA uses EAP: the FA acts as the NAS, i.e. the client, and the Diameter AAA server acts as the back-end server; both handle EAP and relay EAP packets between them. End-to-end EAP authentication takes place between the user and its home AAA server (H-AAA).
(4) Diameter CMS Protocol
The Diameter CMS (Cryptographic Message Syntax) protocol provides end-to-end cryptographic protection of protocol data. Because a Diameter network may contain untrusted relays and proxies, IPsec and TLS can only secure each hop, so the IETF defined the Diameter CMS application to secure the data end to end.
(5) Diameter MIP Protocol
Because future mobile communication networks are evolving toward all-IP networks, the problem of users moving into foreign domains is unavoidable. The Diameter MIP application allows a user who roams into a foreign domain to receive, after authentication, the services provided by the foreign domain's servers and agents. In future mobile communications this situation will be very common, so the MIP application is critical to the mobile communication system. When a user moves into a foreign domain, a series of message exchanges is needed before the user can securely access the foreign network and receive its services. In the environment in which the MIP application operates, the MN and the HA may each be in the home domain or in a foreign domain; a typical case is the MN in the foreign domain with the HA in the home domain. The access procedure is described step by step below.
(6) A typical MN registration procedure using Diameter MIP is shown in Figure 2 (only the case of the MN in the foreign domain and the HA in the home domain is given):
i. Before power-on registration, the MN holds only its NAI and a security association with the AAAH; it has no home address.
ii. After power-on, the MN sends a Registration Request to the FA containing Home Address = 0.0.0.0 and Home Agent Address = 255.255.255.255.
iii. On receiving the Registration Request, the FA generates an AMR from it and sends it to the AAAF; in the AMR the MIP-Feature-Vector AVP sets Home-Agent-Request = 1 and Home-Address-Allocatable-Only-in-Home-Realm = 1.
iv. The AAAF receives the AMR and forwards it to the AAAH.
v. The AAAH receives the AMR, assigns an HA to the MN, allocates key material for the MN-HA and MN-FA keys and the FA-HA key, and sends a HAR to the HA; the MIP-Reg-Request AVP in the HAR carries the Mobile IP registration request.
vi. The HA receives the HAR, assigns a home address to the MN, processes the MIP-Reg-Request AVP, generates a MIP-Reg-Reply AVP and returns it to the AAAH in a HAA.
vii. The AAAH receives the HAA and generates an AMA containing the MIP-Home-Agent-Address and MIP-Mobile-Node-Address AVPs, which it sends to the AAAF.
viii. The AAAF forwards the AMA to the FA.
ix. The FA receives the AMA, retains the FA-HA key, and sends the MN-FA and MN-HA key material to the MN in the Registration Reply.
The terms involved are:
· HA: Home Agent
· FA: Foreign Agent
· MN: Mobile Node
· AAAH: AAA Home Server, the AAA server of the home domain
· AAAF: AAA Foreign Server, the AAA server of the foreign domain
· AMR: AAA-Mobile-Node-Request, AAA mobile node request message
· AMA: AAA-Mobile-Node-Answer, AAA mobile node answer message
· HAR: Home-Agent-MIP-Request, home agent MIP request message
· HAA: Home-Agent-MIP-Answer, home agent MIP answer message
The cases in which the HA or the MN is in the foreign domain, or other combinations of home and foreign placement, are handled similarly and are not described one by one here.
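The nine-step registration above, run as a message-level simulation in Python. This is an added example and not the article's code: the MN, FA, AAAF, AAAH and HA are small classes, the messages are dictionaries keyed by the AVP names the text uses rather than wire-encoded Diameter, and deriving the MN-side keys from the MN-AAAH security association plus a nonce (so that the FA forwards only nonces) is an assumed simplification; the addresses, NAIs and keys are constructed.

```python
"""Message-level simulation of the nine registration steps above (MN in the
foreign domain, HA in the home domain). Added example, not the article's
code: messages are dicts keyed by the AVP names the text uses rather than
wire-encoded AVPs, and deriving the MN-side keys from the MN-AAAH security
association plus a nonce is an assumed simplification."""
import hashlib
import hmac
import secrets

UNSET_HOME_ADDRESS = "0.0.0.0"          # step ii: MN has no home address yet
UNSET_HOME_AGENT = "255.255.255.255"    # step ii: let the home domain choose the HA


def derive_key(aaa_key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Assumed derivation: AAAH and MN both hold aaa_key (step i), so the AMA
    carries only nonces for the MN and the FA never learns the MN-HA key."""
    return hmac.new(aaa_key, label + nonce, hashlib.sha256).digest()


class MobileNode:
    def __init__(self, nai: str, aaa_key: bytes):
        self.nai, self.aaa_key, self.keys = nai, aaa_key, {}
        self.home_address, self.home_agent = UNSET_HOME_ADDRESS, UNSET_HOME_AGENT

    def registration_request(self) -> dict:                 # step ii
        return {"nai": self.nai, "home_address": self.home_address,
                "home_agent": self.home_agent}

    def registration_reply(self, reply: dict) -> None:      # step ix, MN side
        self.home_address, self.home_agent = reply["home_address"], reply["home_agent"]
        for peer, nonce in reply["nonces"].items():         # MN-HA and MN-FA
            self.keys[peer] = derive_key(self.aaa_key, peer.encode(), nonce)


class ForeignAgent:
    def __init__(self):
        self.keys = {}

    def amr(self, regreq: dict) -> dict:                    # step iii
        feature_vector = {"Home-Agent-Request": 1,
                          "Home-Address-Allocatable-Only-in-Home-Realm": 1}
        return {"User-Name": regreq["nai"], "MIP-Feature-Vector": feature_vector,
                "MIP-Reg-Request": regreq}

    def registration_reply(self, ama: dict) -> dict:        # step ix, FA side
        self.keys = {"FA-HA": ama["FA-HA-Key"], "MN-FA": ama["MN-FA-Key"]}  # FA keeps its keys
        return {"home_address": ama["MIP-Mobile-Node-Address"],  # MN receives address,
                "home_agent": ama["MIP-Home-Agent-Address"],     # HA and nonces only
                "nonces": ama["Nonces"]}


def aaaf_forward(msg: dict) -> dict:                        # steps iv and viii
    return dict(msg)


class HomeAgent:
    def __init__(self, address: str, address_pool: list):
        self.address, self.pool, self.bindings = address, list(address_pool), {}

    def har(self, har: dict) -> dict:                       # step vi
        if not self.pool:
            return {"MIP-Reg-Reply": None}                  # no address left to assign
        home_address = self.pool.pop(0)                     # home realm allocates it
        self.bindings[har["User-Name"]] = {"home_address": home_address,
                                           "MN-HA": har["MN-HA-Key"], "FA-HA": har["FA-HA-Key"]}
        return {"MIP-Reg-Reply": {"home_address": home_address, "home_agent": self.address}}


class HomeAAA:
    def __init__(self, users: dict, home_agent: HomeAgent):
        self.users, self.ha = users, home_agent             # users: NAI -> MN-AAAH key

    def amr(self, amr: dict) -> dict:                       # steps v and vii
        nai = amr["User-Name"]
        if nai not in self.users:                           # unknown NAI: nothing is issued
            return {"Result-Code": "DIAMETER_AUTHENTICATION_REJECTED"}
        nonces = {peer: secrets.token_bytes(16) for peer in ("MN-HA", "MN-FA")}
        mn_ha_key = derive_key(self.users[nai], b"MN-HA", nonces["MN-HA"])
        mn_fa_key = derive_key(self.users[nai], b"MN-FA", nonces["MN-FA"])
        fa_ha_key = secrets.token_bytes(32)
        haa = self.ha.har({"User-Name": nai, "MN-HA-Key": mn_ha_key, "FA-HA-Key": fa_ha_key,
                           "MIP-Reg-Request": amr["MIP-Reg-Request"]})
        if haa["MIP-Reg-Reply"] is None:
            return {"Result-Code": "DIAMETER_UNABLE_TO_COMPLY"}
        return {"Result-Code": "DIAMETER_SUCCESS",
                "MIP-Home-Agent-Address": haa["MIP-Reg-Reply"]["home_agent"],
                "MIP-Mobile-Node-Address": haa["MIP-Reg-Reply"]["home_address"],
                "FA-HA-Key": fa_ha_key, "MN-FA-Key": mn_fa_key, "Nonces": nonces}


def register(mn: MobileNode, fa: ForeignAgent, aaah: HomeAAA) -> bool:
    """Run steps ii to ix; True when the MN ends up with an address and keys."""
    ama = aaaf_forward(aaah.amr(aaaf_forward(fa.amr(mn.registration_request()))))
    if ama["Result-Code"] != "DIAMETER_SUCCESS":
        return False
    mn.registration_reply(fa.registration_reply(ama))
    return True
```

The point the simulation makes visible is the trust split in step ix: the FA ends up holding only the keys it is a party to (FA-HA and MN-FA), the HA and the MN share the MN-HA key without it ever passing through the foreign domain in the clear, and an MN the AAAH does not know receives neither an address nor any key material.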
4 Future Outlook
The address space supported by the current Internet protocol, IPv4, is very limited, while the number of mobile users worldwide keeps growing rapidly and has reached an enormous scale. This puts heavy pressure on the IP protocol in use today when it is applied to the future all-IP mobile communication network. To solve the serious shortage of addresses, a new version of the IP protocol, IPv6, has been proposed. IPv6 uses 128-bit addresses and can support 3.4x10^38 of them, which makes the IPv4 address space look tiny. Since billions of devices and users around the world each need their own IP address, this huge addressing capacity will be a key factor in achieving "always on" communication. Although attention focuses mainly on IPv6's addressing capacity, it has many other important advantages, such as improved and simplified routing. IPv6 also introduces new levels of security and improves mobile services, including support for networks based on WCDMA technology, which will become increasingly important as China moves to 3G. Therefore, the AAA protocol in future mobile communication networks must support distributed processing based on mobile IPv6. However, the industry still has many problems to consider and solve. IPv4 may be a mature and aging protocol, but it can still make important contributions and may coexist and interoperate with IPv6 for some time to come. As an AAA protocol aimed at the future network, Diameter is also compatible with the current network and supports both versions of MIP (though mainly MIPv4). It is believed that the Diameter protocol, supporting mobile IP (both v4 and v6), will be widely used in future mobile communication systems, in any application that needs to authenticate, authorize and account for mobile terminals.
Zhao Yuanchao: School of Information Engineering, Beijing University of Posts and Telecommunications, Ph.D.; mainly engaged in research on communication system security.
Chen Jian: School of Information Engineering, Beijing University of Posts and Telecommunications, master's degree; mainly engaged in research on communication system security.
Li Dao: professor and doctoral supervisor; mainly engaged in research on the LAS-CDMA mobile communication system.
---- "China Data Communication" (C001)