Title: A Proposal of PPP Independent Access Authentication Schema Based on Extended DHCP Masazumi OTA, Mayu
1 A Proposal of PPP Independent Access Authentication Schema Based on Extended DHCP
Masazumi OTA, Mayumi YANAGIYA, and Tadashi ITOH
NTT Network Service Systems Laboratories, NTT Corporation, Japan
2 Outline
- Background
- Requirements and evaluation
- Proposed methods
- Summary
3 Background
- PPP is usually used in the NSP (wholesale) model.
- PPP can be applied to dial-up, ADSL, and FTTH.
- PPP can be used to control connections at a BRAS.
- PPP can separate broadcast domains.
- The triple play service is becoming an essential service plan for ISPs.
  - IPTV needs IP multicast.
- However, PPP is not suitable for multicast services.
PPP: Point-to-Point Protocol; NSP: Network Service Provider; BRAS: Broadband Remote Access Server
4 Issues in using PPP
- The PPP tunnel is established on the section between the BB-R and the LNS on the NSP.
  - Multicast packets are copied per PPP session at the LNS.
  - The hardware cost increases.
  - The line cost increases.
[Figure: ISP1 and ISP2 each terminate an LNS; L2TP runs across the NSP's VRs and BRAS, then an ATM or Ethernet switch and DSLAMs toward the BB-Rs; the PPP session spans the whole path from BB-R to LNS]
BB-R: BroadBand Router; LNS: L2TP Network Server
5 Requirements
- We want to bring the point where packets are copied closer to the edge.
- We want to apply the method to every deployment form.
- We need a new access control mechanism instead of PPP:
  - to provide IP multicast services efficiently;
  - to perform IP multicasting from servers placed at the IX, ISP, or NSP.
[Figure: contents delivery server at the IX; ISP-A and ISP-B each with a RADIUS server and gateway (GW); LNS, switches (SW) and access router (AR) on the NSP side]
6 Requirements of the Next Generation Network (NGN)
- IPv6 network and IPv6 prefix delegation
  - Many IP addresses will be needed.
  - IPv6 multicast will be needed.
- Automatic setting
  - A function for using many terminals easily will be needed.
[Figure: contents delivery server at the IX; ISP-A and ISP-B with RADIUS servers and GWs; IPv6 multicast delivered through the AR to BB-Rs that automatically download their configuration data and need many IP addresses]
7 Assumed NGN
- Wholesale model
- IPv6 network and IPv6 prefix delegation
- RADIUS server placed on the ISP network
- Automatic setting
[Figure: contents delivery server at the IX; ISP-A and ISP-B with the existing RADIUS servers and GWs; AR and BB-R on the access side. Steps: 1. changing the connected ISP; 2. prefix delegation; 3. the existing RADIUS server; 4. automatic setting of the configuration data]
8 The functions of PPP
- We need to replace PPP with a protocol that is appropriate for IP multicasting.
- PPP provides the following functions:
  - user authentication, provided by CHAP;
  - addressing, provided by IPCP;
  - access control, provided by the session;
  - separating broadcast domains, by encapsulating packets.
- A new access control mechanism is required to achieve these functions.
CHAP: Challenge Handshake Authentication Protocol; IPCP: Internet Protocol Control Protocol
9 Evaluation of access control technologies
- A comparison of the following access control technologies with DHCPv6 is shown in the table:
  - IKEv2
  - 802.1x/PANA
- Overall, we found DHCPv6 to be good.
[Table: rating of IKEv2, 802.1x/PANA and DHCPv6 per criterion; the rating symbols (good / in the middle / bad) did not survive extraction]
10 The reason for using DHCPv6
- Merits and features
  - DHCPv6 can configure several settings.
  - DHCPv6 is already used for IPv6 prefix delegation.
  - There is a capital investment cost advantage.
- We propose a new access control mechanism using DHCPv6.
[Figure: terminal and BB-R behind either a BRAS (PPP) or a DHCPv6 server, each backed by RADIUS with an IP address pool / IPv6 prefix pool. Function mapping:]
Function             PPP (BRAS)         DHCPv6 server
User authentication  CHAP               Authentication option
Address assignment   IPCP               Prefix delegation
Access control       Session control    Prefix delegation
11 Proposed method
- We introduce our proposed authentication methods.
- The timing of and reason for authentication:
  - to distinguish whether an authorized user has logged onto the network;
  - to perform a regular confirmation of whether that user is authorized to use the network.
[Figure: terminal and network; authentication takes place at (a) prefix delegation and (b) renew]
12 Using delayed authentication
- Delayed authentication is the original authentication mechanism specified in DHCPv6.
- An example of the sequence is shown below.
- We study how to use this authentication mechanism as a new authentication method.
[Figure: DHCP client and DHCP server; the authentication option format already exists and carries a hash value computed over the message. SOLICIT (authentication option) -> ADVERTISE (hash value; the client compares the hash value, authenticates the server and checks the other fields) -> REQUEST (hash value; the server authenticates the client) -> ACK (hash value)]
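The delayed-authentication exchange above, modelled in Python as an added example (not code from the slides): each message carries an HMAC-MD5 computed with the digest field zeroed and a monotonically increasing replay-detection counter, as RFC 3315 specifies. The message layout, realm, key and transaction id are simplified, constructed values.

```python
import hmac
import hashlib

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7   # DHCPv6 message type codes

def auth_digest(msg_type, txid, counter, realm, key_id, key):
    # HMAC-MD5 over the whole message with the 16-byte digest field zeroed,
    # as RFC 3315 delayed authentication specifies (simplified layout).
    body = (bytes([msg_type]) + txid.to_bytes(3, "big") + counter.to_bytes(8, "big")
            + realm + key_id.to_bytes(4, "big") + bytes(16))
    return hmac.new(key, body, hashlib.md5).digest()

class Peer:
    """Client or server holding one shared key and a replay-detection counter."""
    def __init__(self, realm, key_id, key):
        self.realm, self.key_id, self.key = realm, key_id, key
        self.sent, self.last_seen = 0, -1

    def send(self, msg_type, txid):
        self.sent += 1                      # RDM 0: monotonically increasing counter
        digest = auth_digest(msg_type, txid, self.sent, self.realm, self.key_id, self.key)
        return (msg_type, txid, self.sent, self.realm, self.key_id, digest)

    def verify(self, msg):
        msg_type, txid, counter, realm, key_id, digest = msg
        if counter <= self.last_seen:       # replayed or reordered message
            return False
        expected = auth_digest(msg_type, txid, counter, realm, key_id, self.key)
        if not hmac.compare_digest(expected, digest):
            return False                    # wrong key or modified message
        self.last_seen = counter
        return True

def run_exchange(client_key, server_key):
    """Four-message exchange from the slide; returns who authenticated whom."""
    client, server = Peer(b"nsp", 1, client_key), Peer(b"nsp", 1, server_key)
    txid = 0xABCDEF                         # constructed transaction id
    # SOLICIT only announces the auth protocol; it carries no digest yet.
    advertise = server.send(ADVERTISE, txid)
    server_ok = client.verify(advertise)   # client authenticates the server
    request = client.send(REQUEST, txid)
    client_ok = server.verify(request)     # server authenticates the client
    reply_ok = client.verify(server.send(REPLY, txid))
    replay_ok = server.verify(request)     # the same REQUEST again must fail
    return {"server": server_ok, "client": client_ok, "reply": reply_ok, "replay": replay_ok}

KEY = b"constructed-shared-key"             # sample key, not from the slides
if __name__ == "__main__":
    print(run_exchange(KEY, KEY), run_exchange(KEY, b"other-key"))
```

With the same key on both sides the peers authenticate each other and the replayed REQUEST is rejected; with different keys every digest check fails, which is also why this scheme alone gives no per-user authentication or ISP selection.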
13 The problems of using delayed authentication
- Problems:
  - User authentication cannot be performed.
  - The connection destination ISP cannot be distinguished.
  - Cooperation with the RADIUS server is not provided.
- We examined an authentication method that solves these problems.
[Figure: DHCP client, DHCP server and RADIUS server; the DHCP message carries a hash value in the authentication option; the missing pieces are user authentication, cooperation with the RADIUS server and ISP selection]
14 CHAP-based authentication
- It can be introduced with minimal changes.
- This method can be applied to the DHCPv6 authentication option as it is.
- The RADIUS server does not need any changes.
[Figure: RADIUS server, DHCP server and DHCP client; the user name and password are shared beforehand. SOLICIT (authentication option) -> ADVERTISE -> REQUEST -> REPLY, with no change from the existing sequence]
15 The problem of using CHAP-based authentication
- This method solves the three problems.
- New problem:
  - Two-way authentication cannot be done.
[Figure: DHCP client, DHCP server and RADIUS server; the DHCP message carries the hash value in the authentication option; user authentication uses User-Name@domain, which also gives ISP selection and cooperation with the RADIUS server]
16 Hybrid authentication
[Figure: RADIUS server, DHCP server and DHCP client; the user name and password are shared beforehand.
Four-way sequence: SOLICIT (authentication option) -> ADVERTISE (challenge) -> client calculates the response value -> REQUEST (response) -> RADIUS Access-Request -> client authentication at the RADIUS server -> RADIUS Access-Accept -> REPLY (success).
Two-way sequence: RENEW -> REPLY]
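The hybrid four-way sequence and the two-way RENEW as an added Python model (not the authors' implementation): the DHCPv6 server issues a CHAP challenge in ADVERTISE, selects the ISP from User-Name@domain, relays the response to an unchanged RADIUS CHAP check, and delegates a prefix only on Access-Accept. The message dictionaries, ISP names, secrets and prefixes are constructed assumptions, and the Diffie-Hellman exchange mentioned in the summary is not modelled.

```python
import hashlib
import hmac
import os
# Constructed per-ISP data (user -> CHAP secret, delegated prefix); not from the slides.
ISPS = {
    "isp-a.example": {"users": {"alice": b"alice-secret"}, "prefix": "2001:db8:a::/48"},
    "isp-b.example": {"users": {"bob": b"bob-secret"}, "prefix": "2001:db8:b::/48"},
}

def chap_response(ident, secret, challenge):
    # CHAP (RFC 1994) response: MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def radius_access_request(realm, attrs):
    # Unchanged RADIUS behaviour: check CHAP-Password against CHAP-Challenge.
    secret = ISPS[realm]["users"].get(attrs["User-Name"].partition("@")[0])
    if secret is None:
        return "Access-Reject"
    ident, response = attrs["CHAP-Password"][0], attrs["CHAP-Password"][1:]
    expected = chap_response(ident, secret, attrs["CHAP-Challenge"])
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"

class DhcpServer:
    """NSP-side DHCPv6 server: challenges in ADVERTISE, relays REQUEST to RADIUS."""
    def __init__(self):
        self.pending = {}        # txid -> (user_name, ident, challenge)
        self.sessions = {}       # authenticated user_name -> delegated prefix
    def advertise(self, solicit):
        ident, challenge = os.urandom(1)[0], os.urandom(16)   # fresh CHAP challenge
        self.pending[solicit["txid"]] = (solicit["user_name"], ident, challenge)
        return {"type": "ADVERTISE", "txid": solicit["txid"], "ident": ident, "challenge": challenge}
    def reply(self, request):
        user_name, ident, challenge = self.pending.pop(request["txid"])
        realm = user_name.partition("@")[2]   # ISP selection from User-Name@domain
        attrs = {"User-Name": user_name, "CHAP-Challenge": challenge,
                 "CHAP-Password": bytes([ident]) + request["response"]}
        if realm in ISPS and radius_access_request(realm, attrs) == "Access-Accept":
            self.sessions[user_name] = ISPS[realm]["prefix"]   # address assignment = access
            return {"type": "REPLY", "status": "Success", "prefix": self.sessions[user_name]}
        return {"type": "REPLY", "status": "Reject", "prefix": None}   # no prefix, no access
    def renew(self, user_name):
        # Two-way RENEW/REPLY: only an already authenticated user keeps its prefix.
        prefix = self.sessions.get(user_name)
        return {"type": "REPLY", "status": "Success" if prefix else "Reject", "prefix": prefix}

def client_login(server, user_name, secret, txid=0x123456):
    """Client side of the four-way sequence; returns the final REPLY."""
    adv = server.advertise({"type": "SOLICIT", "txid": txid, "user_name": user_name})
    return server.reply({"type": "REQUEST", "txid": txid,
                         "response": chap_response(adv["ident"], secret, adv["challenge"])})
```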
17 Achievement
- This method performs the following functions:
  - user authentication in cooperation with RADIUS servers in ISP networks;
  - the work of managing many server and client keys is decreased;
  - access control by appropriate address assignment corresponding to the authentication result.
- This method can replace PPP on several points:
  - user authentication, provided by the hybrid method;
  - addressing, provided by prefix delegation;
  - access control, provided by address assignment;
  - separating broadcast domains.
18 Summary
- We proposed a new, economical access control mechanism that is achieved by extending the DHCPv6 authentication mechanism.
- Our method introduces user authentication and Diffie-Hellman key exchange into the DHCPv6 option.
- This method enables PPP independent access control.
- This method enables IP multicasting.
19 Backup Slides
20 Future work
- We think the following problems remain for using this method in a commercial network:
  - broadcast domain separation method;
  - access control mechanism;
  - connection method;
  - method of connecting to many xSPs.
- These functions can be achieved by combining the method with other methods.