QoS NSLP Authorization Issues (draft-tschofenig-nsis-qos-authz-issues-00.txt)

1
QoS NSLP Authorization Issues (draft-tschofenig-n
sis-qos-authz-issues-00.txt)

• Authors
• H. Tschofenig
• H. Schulzrinne
• M. Buechli
• S. Van den Bosch
• T. Chen

2
Background / History

• At the 55th IETF Steve Bellovin talked about
  security issues in NSIS.
• He pointed to the importance of authorization for
  an NSIS protocol.
• As a result we worked on the NSIS AAA draft to
  capture the details (see draft-tschofenig-nsis-aaa
  -issues-01.txt)
• The draft has not received the necessary
  attention due to problems with the terminology
  (e.g. the term AAA is, by many, associated with
  the AAA working group).

3
Why the new draft?

• The new QoS NSLP Authorization Issues draft
  does not replace the NSIS AAA draft.
• It has a different focus and describes the
  problem from a different point of view.
• It is shorter.
• It is more abstract.
• It raises short and precise questions.
• The questions demand some answers.

4
Applicability Statement

• Draft addresses only authorization issues for QoS
  NSLPs.
• Authorization for NAT/firewall traversal is
  covered in the NSIS-Midcom Problem Statement and
  Framework draft.
• The draft primarily addresses the problems of
  User-to- authorization.
• Authorization handling for intra-domain signaling
  is, in general, different.
• Work is also important for the RSVP Security
  Properties draft
• What does RSVP offer? ? What is required?

5
Question 1 What information should be used to
compute the authorization decision?

• Price
• (price of the end-to-end QoS reservation)
• QoS objects
• (based on the QoS resource request)
• Policy rules
• (e.g. time of day, subscription to certain
  services, membership, etc.)

6
Question 2 How long is the authorization
decision valid?

• Per request
• (e.g. a request for more QoS resources than
  previously requested)
• Per session
• (e.g. only during the initial setup of a QoS
  resource)
• Periodically
• (authorization decision is repeated after a
  certain time interval)
• Event triggered
• (as soon as something changes e.g. price
  change due to mobility)

7
Question 3 Which entity should be involved in
the authorization decision?

• This is actually a more difficult question. It is
  necessary to read the draft (see two-party vs.
  three-party scenarios).
• Example A mobile host is attached to a visited
  network.
• Should a authorization request always travel
  to the users home network? i.e.
• Should the users home network always be
  involved in the authorization decision?
• Should the mobile host (or user) always
  participate in this exchange? (three party
  exchange)

8
Summary and Next Steps

• Authorization is an important aspect for a QoS
  NSLP.
• It must be considered when new features (e.g.
  proxy behavior) are introduced.
• The approach chosen for authorization will
  heavily influence mobility performance.
• Some decisions have to be made and documented.
• How to handle QoS authorization document?
• Separate document?
• Incorporated into the QoS NSLP document(s)?