A Proposal of PPP Independent Access Authentication Schema Based on Extended DHCP (presentation transcript)
1
A Proposal of PPP Independent Access Authentication Schema Based on Extended DHCP
Masazumi OTA, Mayumi YANAGIYA, and Tadashi ITOH
NTT Network Service Systems Laboratories, NTT Corporation, Japan
2
Outline
  • Background
  • Requirement and Evaluation
  • Proposed methods
  • Summary

3
Background
  • PPP is usually used in the NSP model (wholesale).
  • PPP can be applied to dial-up, ADSL, and FTTH.
  • PPP can be used to control connections at a BRAS.
  • PPP can separate broadcast domains.
  • The triple play service is becoming an essential
    service plan for ISPs.
  • IP TV needs IP multicast.
  • However, PPP is not suitable for multicast
    services.

PPP: Point-to-Point Protocol; NSP: Network Service Provider; BRAS: Broadband Remote Access Server
4
Issues in using PPP
  • The PPP tunnel is established between the BB-R
    and the LNS on the NSP.
  • Multicast packets are copied per PPP session in
    the LNS.
  • The hardware cost increases.
  • The line cost increases.

[Figure: PPP wholesale topology. BB-R --PPP--> DSLAM --> SW (ATM or Ethernet) --> BRAS --L2TP--> LNS and VR at ISP1 and ISP2; the PPP session is carried over L2TP up to the LNS.]
BB-R: BroadBand Router; LNS: L2TP Network Server
5
Requirements
  • We want to bring the point where packets are
    copied close to the edge side.
  • We want the method to apply to all deployment
    forms.
  • We need a new access control mechanism instead of
    PPP.
  • To provide IP multicast services efficiently.
  • To perform IP multicasting by servers placed at
    the IX, ISP, or NSP.

[Figure: target network with the following elements: Contents Delivery Server, LNS, RADIUS servers at ISP-A and ISP-B, IX, GW, SW, AR.]
6
Requirements of Next Generation Network (NGN)
  • IPv6 network and IPv6 prefix delegation
  • Many IP addresses will be needed
  • IPv6 multicast will be needed
  • Automatic configuration
  • A function to use many terminals easily will be
    needed

[Figure: NGN requirements placed on the network (Contents Delivery Server, RADIUS servers at ISP-A and ISP-B, IX, GW, AR, BB-R), annotated with "IPv6 multicast", "Automatic download of the configuration data", and "Many IP addresses".]
7
Assumed NGN
  • Wholesale model
  • IPv6 network and IPv6 prefix delegation
  • RADIUS server placed on ISP network
  • Automatic configuration

[Figure: assumed NGN (Contents Delivery Server, RADIUS servers at ISP-A and ISP-B, IX, GW, AR, BB-R) with numbered steps: 1. Changing the connected ISP; 2. Prefix delegation; 3. The existing RADIUS server; 4. Automatic setting of the configuration data.]
8
The functions of PPP
  • We need to replace PPP with a protocol that is
    appropriate for IP multicasting.
  • PPP provides the following functions:
  • User authentication provided by CHAP
  • Addressing provided by IPCP
  • Access control provided by the session
  • Separating broadcast domains by encapsulating
    packets
  • A new access control mechanism is required to
    achieve these functions.

CHAP: Challenge Handshake Authentication Protocol; IPCP: Internet Protocol Control Protocol
9
Evaluation of access control technologies
  • A comparison of the following access control
    technologies and DHCPv6 is shown in the table:
  • IKEv2
  • 802.1x/PANA
  • Overall, we found DHCPv6 to be good.

[Table: comparison of IKEv2, 802.1x/PANA and DHCPv6; the rating symbols did not survive extraction (legend: good / in the middle / bad).]
10
The reason for using DHCPv6
  • Merits and features
  • DHCPv6 can configure several settings.
  • DHCPv6 is already used for IPv6 prefix
    delegation.
  • There is a capital investment cost advantage.
  • We propose a new access control mechanism using
    DHCPv6.

[Figure: the PPP functions of the BRAS replaced by the DHCPv6 server. Both draw on the RADIUS server, the IP address pool and the IPv6 prefix pool; the terminal sits behind the BB-R.]
  Function              PPP (BRAS)         Proposed (DHCPv6 server)
  User authentication   CHAP               Authentication option
  Address assignment    IPCP               Prefix delegation
  Access control        Session control    Prefix delegation
11
Proposed method
  • I introduce our proposed authentication methods.
  • The timing and reason for authentication
  • To distinguish whether an authorized user has
    logged onto the network.
  • To perform a regular confirmation determining
    whether that user is authorized to use the network.

[Figure: terminal and network; authentication takes place at (a) prefix delegation and (b) renew.]
12
Using delayed authentication
  • Delayed authentication is the original
    authentication mechanism specified in DHCPv6.
  • An example of a sequence is shown below.
  • We study how to use this authentication mechanism
    as a new authentication method.

[Figure: delayed authentication sequence between DHCP client and DHCP server. The authentication option format already exists and carries a hash value over the message. SOLICIT (with authentication option) -> ADVERTISE (hash value): the client compares the hash value and authenticates the server. REQUEST (hash value): the server checks the other side and authenticates the client. ACK (hash value).]
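The sequence above, as a worked example added here (it is not code from the deck or from NTT): a minimal Python model of RFC 3315 delayed authentication. The message layout, the Authentication option code and the HMAC-MD5-over-the-zeroed-message rule come from RFC 3315; the transaction id, DHCP realm and shared secret are constructed sample values. It shows the two sides authenticating each other with one pre-shared key selected by key ID, a replayed message failing the monotonic counter check, and the limitation the next slide lists: the key table identifies a key ID, not a user, so there is no user identity to hand to a RADIUS server.

```python
import hashlib
import hmac
import struct

# DHCPv6 values from RFC 3315: message types, the Authentication option code,
# and the field values that select the delayed authentication protocol.
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPTION_AUTH = 11
PROTO_DELAYED = 2       # protocol: delayed authentication
ALG_HMAC_MD5 = 1        # algorithm: HMAC-MD5
RDM_MONOTONIC = 0       # replay detection method: monotonically increasing counter
HMAC_LEN = 16

def build_message(msg_type, txid, options):
    """Serialise a DHCPv6 message: 1-byte type, 3-byte transaction id, TLV options."""
    body = struct.pack("!B", msg_type) + txid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body

def build_auth_option(counter, realm=None, key_id=None):
    """Authentication option body.  The fixed part is protocol, algorithm, RDM and
    the 8-byte replay counter.  For delayed authentication the authentication
    information is the DHCP realm, a 4-byte key ID and the 16-byte HMAC-MD5 that
    sign_message() fills in; the SOLICIT only announces the protocol and carries
    no authentication information."""
    data = struct.pack("!BBBQ", PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC, counter)
    if realm is not None:
        data += realm + struct.pack("!I", key_id) + b"\x00" * HMAC_LEN
    return data

def find_auth_option(msg):
    """Walk the TLV options and return (start, length) of the Authentication option."""
    off = 4
    while off + 4 <= len(msg):
        code, length = struct.unpack("!HH", msg[off:off + 4])
        if code == OPTION_AUTH:
            return off + 4, length
        off += 4 + length
    raise ValueError("no Authentication option")

def sign_message(msg, key):
    """Return msg with its digest field set to HMAC-MD5(key, msg with that field
    zeroed), which is how RFC 3315 defines the delayed-authentication digest."""
    start, length = find_auth_option(msg)
    mac_start = start + length - HMAC_LEN
    zeroed = msg[:mac_start] + b"\x00" * HMAC_LEN + msg[mac_start + HMAC_LEN:]
    mac = hmac.new(key, zeroed, hashlib.md5).digest()
    return zeroed[:mac_start] + mac + zeroed[mac_start + HMAC_LEN:]

def verify_message(msg, keys, last_counter):
    """Verify a received message against the local key table (key ID -> secret).
    Returns (ok, counter): the digest must match and the replay counter must
    strictly increase over the last one accepted from this peer."""
    start, length = find_auth_option(msg)
    proto, alg, rdm, counter = struct.unpack("!BBBQ", msg[start:start + 11])
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC):
        return False, last_counter
    if length < 11 + 4 + HMAC_LEN or counter <= last_counter:
        return False, last_counter          # no digest present, or replayed/reordered
    key_id_off = start + length - HMAC_LEN - 4
    key_id = struct.unpack("!I", msg[key_id_off:key_id_off + 4])[0]
    if key_id not in keys:
        return False, last_counter
    ok = hmac.compare_digest(sign_message(msg, keys[key_id]), msg)
    return ok, (counter if ok else last_counter)

def run_exchange(client_keys, server_keys, key_id=1):
    """Run SOLICIT -> ADVERTISE -> REQUEST with constructed sample values and report
    which side authenticated the other, plus the fate of a replayed ADVERTISE."""
    txid, realm = 0x0A1B2C, b"nsp.example"   # constructed transaction id and realm
    result = {}
    solicit = build_message(SOLICIT, txid, [(OPTION_AUTH, build_auth_option(0))])
    result["solicit_has_digest"] = verify_message(solicit, server_keys, 0)[0]
    # The server signs ADVERTISE; the client checks it and so authenticates the server.
    advertise = sign_message(build_message(ADVERTISE, txid,
                             [(OPTION_AUTH, build_auth_option(1, realm, key_id))]),
                             server_keys[key_id])
    result["server_authenticated"], seen = verify_message(advertise, client_keys, 0)
    # The same ADVERTISE delivered a second time fails the monotonic counter check.
    result["replay_rejected"] = not verify_message(advertise, client_keys, seen)[0]
    # The client signs REQUEST; the server checks it and so authenticates the client.
    request = sign_message(build_message(REQUEST, txid,
                           [(OPTION_AUTH, build_auth_option(1, realm, key_id))]),
                           client_keys[key_id])
    result["client_authenticated"], _ = verify_message(request, server_keys, 0)
    return result

if __name__ == "__main__":
    shared = {1: b"constructed-shared-secret"}
    print(run_exchange(shared, shared))                   # both sides authenticate
    print(run_exchange({1: b"wrong-secret"}, shared))     # mismatched key: both checks fail
```

Note that nothing in the exchange names a user: the server learns only that the peer holds the key behind key ID 1, which is why the deck's next slide finds that user authentication, ISP selection and RADIUS cooperation are missing.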
13
Problems in using delayed authentication
  • Problems
  • User authentication cannot be performed.
  • The connection destination ISP cannot be
    distinguished.
  • Cooperation with the RADIUS server is not
    provided.
  • We examined the authentication method to solve
    these problems.

[Figure: DHCP client, DHCP server and RADIUS server. The DHCP message carries only the hash value in the authentication option; user authentication, cooperation with the RADIUS server and ISP selection are the missing pieces.]
14
CHAP-based Authentication
  • It can be introduced with minimal changes.
  • This method can be applied to the DHCPv6
    authentication option as it is.
  • The RADIUS server doesn't need any changes.

[Figure: CHAP-based sequence between RADIUS server, DHCP server and DHCP client. The user name and password are shared beforehand. SOLICIT (authentication option) -> ADVERTISE -> REQUEST -> REPLY, with no change from the existing sequence.]
15
Problems in using CHAP-based authentication
  • This method solves the three problems.
  • New problem:
  • Two-way (mutual) authentication cannot be done.

[Figure: DHCP client, DHCP server and RADIUS server. User authentication with User-Name@domain provides ISP selection and cooperation with the RADIUS server; the DHCP message carries the hash value in the authentication option.]
16
Hybrid Authentication
[Figure: hybrid authentication sequence between RADIUS server, DHCP server and DHCP client. The user name and password are shared beforehand.
Four-way sequence: SOLICIT (authentication option) -> ADVERTISE (challenge) -> the client calculates the response value -> REQUEST (response) -> RADIUS Access-Request -> client authentication -> RADIUS Access-Accept -> REPLY (success).
Two-way sequence: RENEW -> REPLY.]
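An added example modelling the hybrid method above (my own construction, not code from the deck or from NTT): the DHCP server issues a CHAP challenge in ADVERTISE, has the REQUEST response checked by a RADIUS stand-in chosen from the realm of User-Name@domain, assigns a prefix only on Access-Accept, and authenticates the two-way RENEW with an HMAC in the delayed-authentication style. The CHAP response rule is RFC 1994; the user table, prefix pool, DUIDs and the per-session key derived from the CHAP secret and challenge are assumptions (the deck mentions a key exchange for the renew step but does not specify it).

```python
import hashlib
import hmac
import os

# Constructed RADIUS stand-in: one user table per ISP realm.  The DHCP server acts
# as the NAS and picks the RADIUS server from the realm of User-Name@domain, which
# is the ISP selection the slides describe.  Secrets and prefixes are sample values.
RADIUS_BY_REALM = {
    "isp-a.example": {"alice": b"alice-secret"},
    "isp-b.example": {"bob": b"bob-secret"},
}
PREFIX_POOL = {"isp-a.example": "2001:db8:a::/48", "isp-b.example": "2001:db8:b::/48"}

def chap_response(identifier, secret, challenge):
    """CHAP response per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def session_key(secret, challenge):
    """Assumed per-session key for the two-way RENEW/REPLY: derived by both the client
    and the RADIUS stand-in from the CHAP secret and the challenge (not from the deck)."""
    return hmac.new(secret, b"session" + challenge, hashlib.md5).digest()

def radius_access_request(user_name, identifier, challenge, response):
    """RADIUS stand-in.  Returns (accepted, realm, session_key); the key is released
    only with Access-Accept."""
    user, _, realm = user_name.partition("@")
    secret = RADIUS_BY_REALM.get(realm, {}).get(user)
    if secret is None:
        return False, realm, None           # unknown ISP realm or user: Access-Reject
    if not hmac.compare_digest(chap_response(identifier, secret, challenge), response):
        return False, realm, None           # wrong password: Access-Reject
    return True, realm, session_key(secret, challenge)

def renew_mac(key, duid, counter):
    """HMAC-MD5 over the client DUID and a replay counter, in the style of the
    DHCPv6 delayed-authentication digest."""
    return hmac.new(key, duid + counter.to_bytes(8, "big"), hashlib.md5).digest()

class DhcpServer:
    """DHCP server side of the hybrid method: challenge in ADVERTISE, RADIUS check on
    REQUEST, prefix assigned only on Access-Accept, HMAC check on RENEW."""
    def __init__(self):
        self.sessions = {}      # client DUID -> session state

    def solicit(self, duid):
        chal = os.urandom(16)
        self.sessions[duid] = {"challenge": chal, "id": 1, "prefix": None, "key": None, "counter": 0}
        return {"msg": "ADVERTISE", "challenge": chal, "identifier": 1}

    def request(self, duid, user_name, response):
        s = self.sessions[duid]
        accepted, realm, key = radius_access_request(user_name, s["id"], s["challenge"], response)
        if not accepted:
            # Access control by address assignment: a rejected user gets no prefix.
            return {"msg": "REPLY", "status": "failure", "prefix": None}
        s["prefix"], s["key"] = PREFIX_POOL[realm], key
        return {"msg": "REPLY", "status": "success", "prefix": s["prefix"]}

    def renew(self, duid, counter, mac):
        s = self.sessions[duid]
        if s["key"] is None or counter <= s["counter"]:
            return {"msg": "REPLY", "status": "failure", "prefix": None}
        if not hmac.compare_digest(renew_mac(s["key"], duid, counter), mac):
            return {"msg": "REPLY", "status": "failure", "prefix": None}
        s["counter"] = counter
        return {"msg": "REPLY", "status": "success", "prefix": s["prefix"]}

def client_session(server, duid, user_name, secret):
    """Client side: the four-way login followed by one two-way renew.
    Returns (prefix obtained at login or None, renew succeeded)."""
    adv = server.solicit(duid)
    resp = chap_response(adv["identifier"], secret, adv["challenge"])
    reply = server.request(duid, user_name, resp)
    if reply["status"] != "success":
        return None, False
    key = session_key(secret, adv["challenge"])
    renew_reply = server.renew(duid, 1, renew_mac(key, duid, 1))
    return reply["prefix"], renew_reply["status"] == "success"

if __name__ == "__main__":
    srv = DhcpServer()
    print(client_session(srv, b"duid-1", "alice@isp-a.example", b"alice-secret"))  # ISP-A prefix
    print(client_session(srv, b"duid-2", "bob@isp-b.example", b"bob-secret"))      # ISP-B prefix
    print(client_session(srv, b"duid-3", "alice@isp-a.example", b"guess"))         # no prefix
    print(client_session(srv, b"duid-4", "alice@isp-c.example", b"alice-secret"))  # unknown ISP
```

The realm in the user name is what lets one DHCP server serve several ISPs without any RADIUS change, and the RENEW carries no password at all: after the four-way login the periodic re-confirmation from slide 11 needs only the session key and a counter that must keep increasing.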
17
Achievement
  • This method performs the following functions:
  • User authentication in collaboration with RADIUS
    servers in ISP networks
  • Work for managing many server and client keys is
    decreased
  • Access control by appropriate address assignment
    corresponding to the authentication result
  • This method can replace PPP on several points:
  • User authentication provided by the hybrid method.
  • Addressing provided by prefix delegation.
  • Access control provided by address assignment.
  • Separating broadcast domains

18
Summary
  • We proposed a new economical access control
    mechanism that is achieved by expanding the
    DHCPv6 authentication mechanism.
  • Our method introduces user authentication and
    Diffie-Hellman key exchange to the DHCPv6 option.
  • This method enables PPP independent access
    control.
  • This method enables IP Multicasting.

19
Backup Slides
20
Future work
  • We think the following problems remain in using
    this method in a commercial network.
  • Broadcast domain separation method
  • Access control mechanism
  • Connection method
  • Method of connecting to many xSPs
  • These functions can be achieved by combining it
    with other methods.