Basic Concepts of Heterogeneous Wireless Network Integration, Interworking, Roaming and Handover

These slides originate from Prof. 曹孝櫟 of the Department of Computer Science, National Chiao Tung University; the content has been partially adjusted.
Heterogeneous Wireless Network Integration (1/4)
• Generic Architecture (figure, four tiers from left to right)
  – Mobile Terminal: multi-mode & heterogeneous
  – Radio Access Network (heterogeneous & overlay): WiMAX/WiMAX relay, WLAN/WLAN mesh, 3G/B3G, New Air/4G, BT/UWB, …
  – Core Network (broadband & IP): All IP
  – Service Network: Fixed Mobile Convergence, IMS/SIP
  – AAA Network
Heterogeneous Wireless Network Integration (2/4)
• IETF (Internet Engineering Task Force) Perspective (figure)
  – Multi-mode & heterogeneous terminal with mobility across heterogeneous Access Networks (ANs): WiMAX/WiMAX relay, WLAN/WLAN mesh, 3G/B3G, New Air/4G, BT/UWB, …
  – All IP (IPv4 or IPv6) + Application Mobility, or All IP + Network Mobility
  – IP-based applications
Heterogeneous Wireless Network Integration (3/4)
• IEEE Perspective
  – IEEE 802.21 (Media-Independent Handover) Spec.
  – (figure) Same layout as the IETF view: a multi-mode & heterogeneous terminal with mobility across heterogeneous ANs (WiMAX/WiMAX relay, WLAN/WLAN mesh, 3G/B3G, New Air/4G, BT/UWB, …), All IP (IPv4 or IPv6) + Application Mobility or Network Mobility, and IP-based applications; IEEE 802.21 is placed between the access networks and the All IP core
Heterogeneous Wireless Network Integration (4/4)
• 3GPP/WiMAX Perspective (figure)
  – 3GPP/WLAN/WiMAX Terminal
  – 3GPP/WLAN/WiMAX AN: 3GPP AN → 3GPP Core; WLAN AN → PDG; WiMAX AN → WiMAX Core; UMA
  – 3GPP/WiMAX & IP Core Network: IP Core
  – IMS/SIP: CSCF/…
802.21 Overview
802.21: Key Services (figure)
• Applications (VoIP/RTP)
• IETF Mobility Management Protocols
  – Handover Management: Connection Management, Handover Policy; Link Layer Triggers: State Change, Predictive, Network Initiated
• 802.21 MIH Function: Smart Triggers, Handover Messages, Information Service
  – L2 Triggers and Events
  – Handover Messages: Client Initiated, Network Initiated, Vertical Handovers
  – Information Service / Network Information: Available Networks, Neighbor Maps, Network Services
  – Handover Commands
• Protocol and Device Hardware: WLAN, Cellular, WMAN
802.21 uses multiple services to optimize vertical handovers
2013-04-10, http://ieee802.org/21/
3GPP Perspective
Inter-working Model: Simplified Reference Model (figure)
• 3GPP System: CS Domain and PS Domain (3GPP PS Services, e.g. IMS), HLR, Billing System; functions: Access, Authentication, Charging, Encryption, Mobility; radio access via UTRAN/GERAN (Node-B/BTS); connected to External IP Networks and the PSTN
• WLAN systems 1 … M: WLAN Access Control, WLAN Authentication, Access Charging, Mobility; WLAN APs 1 … N
• UE attached to either system

UE: User Equipment
PLMN: Public Land Mobile Network (i.e. a telecom operator's network)
PS: Packet Switching
CS: Circuit Switching
UTRAN: UMTS Terrestrial Radio Access Network
GERAN: GSM/EDGE Radio Access Network
EDGE: Enhanced Data-rates for GSM
HLR: Home Location Register
PSTN: Public Switched Telephone Network. The 'phone system'
An Interworking Scenario
• WLANs' higher throughput + UMTS (3G) broader connectivity
  – Integrated authentication & billing
  – Security in line with UMTS
  – AAA is a MUST
Terminology
• AAA = Authentication, Authorization, Accounting
• Authentication
   – Recognize the user
   – Who are you? (show proof)
• Authorization
   – Enforce access control and deliver services
   – What can you access?
• Accounting
   – Track user’s usage of network resources
   – How long/much data have you accessed?
   – For billing purpose
AAA Roaming
• Generic model (figure)
  – The client presents its identity & credentials to the NAS (attendant) over the access protocol
  – The NAS forwards them to the local AAA server (AAAL) over security association SA1
  – The AAAL relays the request to the home AAA server (AAAH) in the home domain over SA2/SA3 (AAA protocol flow)
  – Flows in the figure: access protocol flow, AAA protocol flow, security association (SA)
AAAL: Local AAA
AAAH: Home AAA
AAA Roaming — Terminology
• Network Access Server (NAS)
  – A single point of access to a remote resource
  – Acts as a gateway to guard access to a protected resource.
    This can be anything from a telephone network, to
    printers, to the Internet
  – The client connects to the NAS. The NAS then connects to
    another resource asking whether the client's supplied
    credentials are valid. Based on that answer the NAS then
    allows or disallows access to the protected resource.
  – The NAS contains no information about what clients can
    connect or what credentials are valid. All the NAS does is
    send the credentials the client supplied to a resource
    which does know how to process the credentials.
AAA Roaming — Terminology
• Network Access Identifier (NAI)
   – A standard way of identifying users who request access to
     a network
   – Standard syntax is “user@realm” (similar to an e-mail address)
• Security association (SA)
   – Establishment of shared security information between two
     network entities to support secure communication
   – An SA may include cryptographic keys, initialization vectors
     or digital certificates.
   – An SA is a one-way channel and logical connection which
     endorses and provides a secure data connection between
     the network devices.
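The Python below is an added example of the roaming model and terminology above; it is not material from the slides and does not implement RADIUS or Diameter message formats. The NAS is an attendant that only forwards the NAI and credential; the local AAA server (AAAL) serves its own realm or relays the request to the home AAA server (AAAH) selected by the NAI realm; the AAAH is the only element holding subscriber records. The realm names, subscriber records and the shared secrets standing in for SA1/SA2/SA3 are constructed.

```python
"""Realm-based AAA roaming: NAS (attendant) -> AAAL -> AAAH.

Added example for the roaming model on the slides; not code from the slides
or from any IETF/3GPP specification.  Realms, subscriber records and the
shared secrets standing in for the security associations are constructed.
"""
import hashlib
import hmac


def parse_nai(nai: str) -> tuple:
    """Split a Network Access Identifier 'user@realm' into (user, realm).

    The realm is lower-cased because it only selects a route; the username
    is left untouched for the home AAA to interpret.
    """
    if nai.count("@") != 1:
        raise ValueError(f"malformed NAI: {nai!r}")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()


def request_tag(secret: bytes, user: str, password: str) -> bytes:
    """Integrity tag a relaying AAAL puts on a request it forwards to an AAAH."""
    return hmac.new(secret, f"{user}\0{password}".encode(), hashlib.sha256).digest()


class HomeAAA:
    """AAAH: the only element that holds subscriber credentials."""

    def __init__(self, realm, subscribers, peer_secrets):
        self.realm = realm
        self.subscribers = subscribers      # user -> password (constructed)
        self.peer_secrets = peer_secrets    # visited realm -> SA shared secret
        self.accounting = []                # (user, visited realm) records

    def authenticate(self, user: str, password: str) -> bool:
        expected = self.subscribers.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def handle_proxied(self, visited_realm, user, password, tag) -> bool:
        """Accept a relayed request only from a domain we have an SA with."""
        secret = self.peer_secrets.get(visited_realm)
        if secret is None:
            return False                    # no roaming agreement with that domain
        if not hmac.compare_digest(request_tag(secret, user, password), tag):
            return False                    # forwarded request failed its integrity check
        ok = self.authenticate(user, password)
        if ok:
            self.accounting.append((user, visited_realm))   # accounting: who roamed where
        return ok


class LocalAAA:
    """AAAL: authenticates its own realm, proxies other realms to their AAAH."""

    def __init__(self, realm, home, peers):
        self.realm = realm
        self.home = home                    # the AAAH of this same domain
        self.peers = peers                  # realm -> (AAAH, SA shared secret)

    def route(self, nai: str) -> str:
        _, realm = parse_nai(nai)
        if realm == self.realm:
            return "local"
        return "proxy" if realm in self.peers else "reject"

    def handle(self, nai: str, password: str) -> bool:
        user, realm = parse_nai(nai)
        decision = self.route(nai)
        if decision == "local":
            return self.home.authenticate(user, password)
        if decision == "proxy":
            aaah, secret = self.peers[realm]
            return aaah.handle_proxied(self.realm, user, password,
                                       request_tag(secret, user, password))
        return False                        # unknown realm: nowhere to route


class NAS:
    """Attendant: holds no credentials, only forwards identity + credentials."""

    def __init__(self, aaal: LocalAAA):
        self.aaal = aaal

    def access_request(self, nai: str, password: str) -> str:
        try:
            return "accept" if self.aaal.handle(nai, password) else "reject"
        except ValueError:
            return "reject"                 # malformed NAI never enters the AAA path


def build_demo():
    """Constructed topology: a home.example subscriber roams into visited.example."""
    sa = b"constructed-shared-secret"
    home_aaah = HomeAAA("home.example", {"alice": "alice-pw"}, {"visited.example": sa})
    visited_aaah = HomeAAA("visited.example", {"bob": "bob-pw"}, {})
    aaal = LocalAAA("visited.example", visited_aaah, {"home.example": (home_aaah, sa)})
    return NAS(aaal), aaal, home_aaah


if __name__ == "__main__":
    nas, aaal, home_aaah = build_demo()
    for nai, pw in [("alice@home.example", "alice-pw"), ("alice@home.example", "wrong"),
                    ("bob@visited.example", "bob-pw"), ("carol@other.example", "x"),
                    ("no-realm", "x")]:
        route = aaal.route(nai) if "@" in nai else "n/a"
        print(f"{nai:22} route={route:6} result={nas.access_request(nai, pw)}")
```

The point to take from the model is where the trust boundaries sit: the NAS never learns whether a password is right, only the verdict; the visited AAAL can route on the realm without knowing the subscriber; and the AAAH refuses anything that did not arrive over a known security association, which is what stops an arbitrary network from relaying guesses against the home subscriber base.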
Protocols that Implement AAA
• There are two main protocols that implement AAA
  – RADIUS: Remote Authentication Dial-In User Service
  – Diameter
• RADIUS
  – RFCs (IETF Request for Comments) 2865, 2866
• Diameter
  – RFC 3588
  – Applications: RFCs 4004, 4005, 4072, 4006, 4740
Simplified WLAN Network Model (figure)
• WLAN UE → WLAN Access Network (with or without an intermediate network) → 3GPP Network (3GPP AAA Server, Packet Data GW) → Intranet / Internet
• The shaded area on the 3GPP Network side is WLAN 3GPP IP Access, giving access to 3GPP PS services (including access to the internet)

The shaded area refers to WLAN 3GPP IP Access functionality.
  WLAN 3GPP IP Access: Access to an IP network via a PLMN via a tunnel. A related term is WLAN
  3GPP Direct IP Access.

  The Packet Data Gateway supports WLAN 3GPP IP Access to External IP networks. The WLAN
  includes WLAN access points and intermediate AAA elements. It may additionally include other
  devices such as routers. The WLAN User Equipment (WLAN UE) includes all equipment that is in
  possession of the end user, such as a computer, WLAN radio interface adapter etc.
Network Advertising and Selection Scenario (figure)
• A UE attached to one WLAN AN; the WLAN AN reaches 3GPP Visited Network #1, #2, … #n, each of which connects to the 3GPP Home Network
Network Advertising and Selection Scenario (Cont.) (figure)
• Several WLAN ANs (WLAN AN#1, AN#2, … AN#n) are available to the UE, connected to 3GPP Visited Networks #1, #2, … #n that reach the 3GPP Home Network
Non-Roaming Reference Model (figure; reference points in brackets)
• WLAN UE -[Ww]- WLAN Access Network -[Wa]- 3GPP AAA Server (3GPP Home Network)
• WLAN Access Network -[Wn]- WAG -[Wp]- PDG -[Wi]- Intranet / Internet (WLAN 3GPP IP Access); WLAN UE -[Wu]- PDG (tunnel)
• 3GPP AAA Server: -[Dw]- SLF, -[Wx]- HSS, -[D'/Gr']- HLR, -[Wf]- Offline Charging System, -[Wo]- OCS, -[Wg]- WAG, -[Wm]- PDG
• PDG: -[Wy]- OCS, -[Wz]- Offline Charging System

HSS: Home Subscriber Server
OCS: Online Charging System
WAG: WLAN Access Gateway
SLF: The Service Location Function is used to find the address of a subscriber's HSS, if necessary.
Roaming Reference Model (figure; reference points in brackets)
• WLAN UE -[Ww]- WLAN Access Network -[Wa]- 3GPP AAA Proxy (3GPP Visited Network) -[Wd]- 3GPP AAA Server (3GPP Home Network)
• WLAN Access Network -[Wn]- WAG (visited network) -[Wp]- Packet Data Gateway (home network) -[Wi]- Intranet / Internet (WLAN 3GPP IP Access); WLAN UE -[Wu]- PDG (tunnel)
• 3GPP AAA Proxy: -[Wg]- WAG, -[Wf]- Offline Charging System (visited network)
• 3GPP AAA Server: -[Dw]- SLF, -[Wx]- HSS, -[D'/Gr']- HLR, -[Wm]- PDG, -[Wo]- OCS, -[Wf]- Offline Charging System (home network)
• PDG: -[Wy]- OCS, -[Wz]- Offline Charging System

The home network is responsible for access control and tunnel establishment, and the traffic is routed through the visited network (using the WAG).
Roaming Reference Model (Cont.) (figure; the Packet Data Gateway is now in the 3GPP Visited Network)
• WLAN UE -[Ww]- WLAN Access Network -[Wa]- 3GPP AAA Proxy (visited network) -[Wd]- 3GPP AAA Server (3GPP Home Network)
• WLAN Access Network -[Wn]- WAG -[Wp]- Packet Data Gateway -[Wi]- Intranet / Internet (WLAN 3GPP IP Access); WLAN UE -[Wu]- PDG (tunnel)
• 3GPP AAA Proxy: -[Wg]- WAG, -[Wm]- PDG, -[Wf]- Offline Charging System (visited network); PDG -[Wz]- Offline Charging System (visited network)
• 3GPP AAA Server: -[Dw]- SLF, -[Wx]- HSS, -[D'/Gr']- HLR, -[Wo]- OCS, -[Wf]- Offline Charging System (home network)

The home network is responsible for access control, but the authorization decision on tunnel establishment will be taken by the 3GPP proxy AAA based on its own information plus information received from the home network. The visited network will take part in tunnel establishment (either the WAG or the PDG).
Tunneling: IP-in-IP Encapsulation (figure)
• Original IP Packet: Header | Payload
• Encapsulated IP Packet: Outer Header | Header | Payload
• The tunnel carries the encapsulated packet to the Packet Data Gateway
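As an added example (not from the slides, and not 3GPP's tunnelling stack, which the later slides describe as an encrypted tunnel rather than plain IP-in-IP), the Python below builds the two-header packet drawn above with correct checksums and shows the checks a tunnel endpoint performs before forwarding the inner packet. IP protocol number 4 is the IANA value for IP-in-IP; the addresses and payload are constructed.

```python
"""IP-in-IP encapsulation (IP protocol 4) as drawn on the slide above.

Added example, not code from the slides or from 3GPP; the UE-to-PDG tunnel
on the later slides is an encrypted one, so this shows only the outer-header
mechanism itself.  Addresses and payload are constructed.
"""
import socket
import struct

IPPROTO_IPIP = 4            # IANA protocol number for IP-in-IP
IPV4_MIN_HEADER = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    total_len = IPV4_MIN_HEADER + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Validate version, IHL, checksum and length; return the fields used here."""
    if len(pkt) < IPV4_MIN_HEADER:
        raise ValueError("packet shorter than an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < IPV4_MIN_HEADER or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:       # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("Total Length inconsistent with buffer")
    return {"ihl": ihl, "total_len": total_len, "proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}


def encapsulate(inner_pkt: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """UE side: prepend an outer header addressed to the tunnel endpoint."""
    parse_ipv4_header(inner_pkt)            # never tunnel something that is not IP
    outer = build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_pkt))
    return outer + inner_pkt


def decapsulate(outer_pkt: bytes, local_addr: str) -> bytes:
    """PDG side: check the outer header, then hand back the original packet.

    Both headers are validated: the outer one shows the datagram really is
    IP-in-IP for this endpoint; the inner one is what gets forwarded into
    the intranet and is not trusted just because it arrived via the tunnel.
    """
    outer = parse_ipv4_header(outer_pkt)
    if outer["dst"] != local_addr:
        raise ValueError("outer header not addressed to this tunnel endpoint")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError(f"unexpected outer protocol {outer['proto']}")
    inner = outer_pkt[outer["ihl"]:outer["total_len"]]   # drops link-layer padding
    parse_ipv4_header(inner)
    return inner


def demo():
    """Constructed packets: UE remote address -> intranet host, via the PDG."""
    payload = b"constructed payload"
    # Remote IP layer: the UE's remote address talks to a host on the intranet.
    inner = build_ipv4_header("10.20.0.7", "10.0.0.80", 17, len(payload)) + payload
    # Transport IP layer: the UE's local WLAN address talks to the PDG.
    outer = encapsulate(inner, "192.168.1.50", "203.0.113.10")
    return inner, outer, decapsulate(outer, "203.0.113.10")


if __name__ == "__main__":
    inner, outer, recovered = demo()
    print("outer:", parse_ipv4_header(outer))
    print("inner recovered intact:", recovered == inner)
```

The outer header is all the intermediate WLAN AN and WAG ever look at, which is exactly why the endpoint must re-validate the inner header on exit: without that check the tunnel becomes a way to inject arbitrary packets into the intranet addressed as the UE's remote IP.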
Tunneling: Intranet Packet Delivery
Protocol Stack between the WLAN UE and PDG (figure, drawn over the roaming reference model)
• The remote IP layer is used by the WLAN UE to be addressed in the external packet data networks (i.e. the Wi reference point). On this layer, the WLAN UE is addressed by its remote IP address and the packets are exchanged between the WLAN UE and an external entity.
• The tunnelling layer consists of a tunnelling header, which allows end-to-end tunnelling between a WLAN UE and the PDG. It is used in order to transport the remote IP layer packets, encrypted, between the WLAN UE and the PDG. The tunnelling header contains a field to identify the remote peer and decrypt the packets; the PDG routes the IP packets without modifying them.
• The transport IP layer is used by the intermediate entities/networks and the WLAN UE to encapsulate IP packets with a tunnelling header. When encapsulated IP packets are exchanged between the WLAN UE and the WAG, the transport IP layer is used by the WLAN UE to be addressed within the WLAN AN, the intermediate networks (if any) and 3G networks. On this layer, the WLAN UE is addressed by its local IP address.
• Protocol stack per node (figure): WLAN UE: Remote IP / Tunneling layer / Transport IP / L2/L1; WLAN AN and WAG: Transport IP / L2/L1 (form L2 connectivity); PDG: Remote IP / Tunneling layer / Transport IP / L2/L1
I-WLAN and VPLMN Selection Procedure
Entities: WLAN UE, WLAN AN, 3GPP AAA Server/Proxy
  1. WLAN AN connection establishment (WLAN UE - WLAN AN)
  2. Start Access Authentication with a NAI (WLAN UE -> WLAN AN)
  3. VPLMN advertisement (WLAN AN -> WLAN UE)
  4. Access Authentication procedure (WLAN UE - WLAN AN - 3GPP AAA Server/Proxy)

I-WLAN: Interworking WLAN
VPLMN: Visited PLMN (Public Land Mobile Network)
EAP: Extensible Authentication Protocol

WLAN Access Authentication and Authorization
Entities: WLAN UE, WLAN AN, 3GPP AAA Server, HSS/HLR, WAG
  1. WLAN Connection Setup (WLAN UE - WLAN AN)
  2. Necessary amount of EAP Request and EAP Response message exchanges between UE and 3GPP AAA Server as specified in the utilised EAP type
  3. Authentication info retrieval from HSS if info not yet available in 3GPP AAA server
  4. Subscriber profile retrieval from HSS if info not yet available in this 3GPP AAA server
  5. Policy enforcement info delivery (3GPP AAA Server -> WAG)
  6. Access Accept [keying material and authorisation information within message] (3GPP AAA Server -> WLAN AN)
  7. EAP/Success (WLAN AN -> WLAN UE)
  8. Accounting Start (WLAN AN -> 3GPP AAA Server)
  9. Validate the new session
 10. WLAN Registration to HSS if WLAN user not yet registered to this 3GPP AAA Server
WLAN Session Authentication and Authorization
[Figure: I-WLAN roaming architecture. WLAN UE - (Ww) - WLAN Access Network - (Wa) - 3GPP AAA Proxy in the 3GPP Visited Network - (Wd) - 3GPP AAA Server in the 3GPP Home Network; also shown: WAG, Packet Data Gateway, HSS, HLR, SLF, OCS, Offline Charging System, Intranet/Internet, and the reference points Wn, Wp, Wu, Wi, Wm, Wg, Wx, Dw, D'/Gr', Wf, Wz, Wo, Wy.]

EAP authentication is initiated between UE and WLAN.
  1. Wa: Access_Request (EAP Response/Identity(NAI))         WLAN AN -> 3GPP AAA Proxy
  2. Wd: Access_Request (EAP Response/Identity(NAI))         3GPP AAA Proxy -> 3GPP AAA Server
  3. Wd: Access_Challenge (EAP Request)                      3GPP AAA Server -> 3GPP AAA Proxy
  4. Wa: Access_Challenge (EAP Request)                      3GPP AAA Proxy -> WLAN AN
  5. Wa: Access_Request (EAP Response)                       WLAN AN -> 3GPP AAA Proxy
  6. Wd: Access_Request (EAP Response)                       3GPP AAA Proxy -> 3GPP AAA Server
  ... further Access_Challenge / Access_Request rounds as the EAP method requires ...
 2N. Wd: Access_Accept (EAP Success, Authorization Info, Session Keying Material)   3GPP AAA Server -> 3GPP AAA Proxy
 2N. Wa: Access_Accept (EAP Success, Authorization Info, Session Keying Material)   3GPP AAA Proxy -> WLAN AN
EAP/SIM Procedure
Entities: UE, WLAN AN, 3GPP AAA-serv, HSS/HLR
  1. (unlabelled)
  2. EAP Request/Identity                                         WLAN AN -> UE
  3. EAP Response/Identity [NAI based on a pseudonym or IMSI]     UE -> WLAN AN
  4. (unlabelled)
  5. EAP Response/Identity [NAI based on a pseudonym or IMSI]     WLAN AN -> 3GPP AAA-serv
  6. EAP Request/SIM-Start [Any identity]                         3GPP AAA-serv -> WLAN AN
  7. EAP Request/SIM-Start [Any identity]                         WLAN AN -> UE
  8. EAP Response/SIM-Start [Identity, NONCE_MT]                  UE -> WLAN AN
  9. EAP Response/SIM-Start [Identity, NONCE_MT]                  WLAN AN -> 3GPP AAA-serv
 10. (unlabelled, 3GPP AAA-serv - HSS/HLR)
 11. (unlabelled)
 12. EAP Request/SIM-Challenge [RAND, MAC, Protected { pseudonym, Next re-auth id }, Result ind]   3GPP AAA-serv -> WLAN AN
 13. EAP Request/SIM-Challenge [RAND, MAC, Protected pseudonym, Next re-auth id, Result ind]       WLAN AN -> UE
 14. (unlabelled)
 15. EAP Response/SIM-Challenge [MAC, Result ind]                 UE -> WLAN AN
 16. EAP Response/SIM-Challenge [MAC, Result ind]                 WLAN AN -> 3GPP AAA-serv
 17. (unlabelled)
 18. EAP Request/SIM/Notification [Success notification]          3GPP AAA-serv -> WLAN AN
 19. EAP Request/SIM/Notification [Success notification]          WLAN AN -> UE
 20. EAP Response/SIM/Notification                                UE -> WLAN AN
 21. EAP Response/SIM/Notification                                WLAN AN -> 3GPP AAA-serv
 22. EAP Success + keying material                                3GPP AAA-serv -> WLAN AN
 23. EAP Success                                                  WLAN AN -> UE
 24. (unlabelled)
 25. (unlabelled)
EAP SIM Fast Re-authentication
Entities: UE, WLAN AN, 3GPP AAA-serv
  1. EAP Request/Identity                                                                   WLAN AN -> UE
  2. EAP Response/Identity [Re-auth. id]                                                    UE -> WLAN AN
  3. EAP Response/Identity [Re-auth. id]                                                    WLAN AN -> 3GPP AAA-serv
  4. EAP Request/SIM/Re-authentication [Counter, NONCE, MAC, Protected Next re-auth. Id, Result ind]   3GPP AAA-serv -> WLAN AN
  5. EAP Request/SIM/Re-authentication [Counter, NONCE, MAC, Next re-auth. Id, Result ind]             WLAN AN -> UE
  6. EAP Response/SIM/Re-authentication [Counter, MAC, Result ind]                          UE -> WLAN AN
  7. EAP Response/SIM/Re-authentication [Counter, MAC, Result ind]                          WLAN AN -> 3GPP AAA-serv
  8. EAP-Request/SIM/Notification [Success notification, Counter]                           3GPP AAA-serv -> WLAN AN
  9. EAP-Request/SIM/Notification [Success notification, Counter]                           WLAN AN -> UE
 10. EAP-Response/SIM/Notification                                                          UE -> WLAN AN
 11. EAP-Response/SIM/Notification                                                          WLAN AN -> 3GPP AAA-serv
 12. EAP Success + keying material                                                          3GPP AAA-serv -> WLAN AN
 13. EAP Success                                                                            WLAN AN -> UE
EAP/AKA Procedure
Entities: UE, WLAN AN, 3GPP AAA-serv, HSS/HLR
  1. (unlabelled)
  2. EAP Request/Identity                                         WLAN AN -> UE
  3. EAP Response/Identity [NAI based on a pseudonym or IMSI]     UE -> WLAN AN
  4. (unlabelled)
  5. EAP Response/Identity [NAI based on a pseudonym or IMSI]     WLAN AN -> 3GPP AAA-serv
  6. (unlabelled, 3GPP AAA-serv - HSS/HLR)
  7. EAP Request/AKA-Identity [Any identity]                      3GPP AAA-serv -> WLAN AN
  8. EAP Request/AKA-Identity [Any identity]                      WLAN AN -> UE
  9. EAP Response/AKA-Identity [Identity]                         UE -> WLAN AN
 10. EAP Response/AKA-Identity [Identity]                         WLAN AN -> 3GPP AAA-serv
 11. (unlabelled, 3GPP AAA-serv - HSS/HLR)
 12. (unlabelled)
 13. EAP Request/AKA-Challenge [RAND, AUTN, MAC, Protected { pseudonym, Next re-auth id }, Result ind]   3GPP AAA-serv -> WLAN AN
 14. EAP Request/AKA-Challenge [RAND, AUTN, MAC, Protected pseudonym, Next re-auth id, Result ind]       WLAN AN -> UE
 15. (unlabelled)
 16. EAP Response/AKA-Challenge [RES, MAC, Result ind]            UE -> WLAN AN
 17. EAP Response/AKA-Challenge [RES, MAC, Result ind]            WLAN AN -> 3GPP AAA-serv
 18. (unlabelled)
 19. EAP-Request/AKA-Notification [Success notification]          3GPP AAA-serv -> WLAN AN
 20. EAP-Request/AKA-Notification [Success notification]          WLAN AN -> UE
 21. EAP-Response/AKA-Notification                                UE -> WLAN AN
 22. EAP-Response/AKA-Notification                                WLAN AN -> 3GPP AAA-serv
 23. EAP Success + keying material                                3GPP AAA-serv -> WLAN AN
 24. EAP Success                                                  WLAN AN -> UE
 25. (unlabelled)
EAP AKA Fast Re-authentication
Entities: UE, WLAN AN, 3GPP AAA-serv, HSS/HLR
  1. EAP Request/Identity                                                                   WLAN AN -> UE
  2. EAP Response/Identity [Re-auth. id]                                                    UE -> WLAN AN
  3. EAP Response/Identity [Re-auth. id]                                                    WLAN AN -> 3GPP AAA-serv
  4. EAP Request/AKA-Reauthentication [Counter, NONCE, MAC, Protected Next re-auth. Id, Result ind]   3GPP AAA-serv -> WLAN AN
  5. EAP Request/AKA-Reauthentication [Counter, NONCE, MAC, Next re-auth. Id, Result ind]             WLAN AN -> UE
  6. EAP Response/AKA-Reauthentication [Counter, MAC, Result ind]                           UE -> WLAN AN
  7. EAP Response/AKA-Reauthentication [Counter, MAC, Result ind]                           WLAN AN -> 3GPP AAA-serv
  8. EAP-Request/AKA-Notification [Success notification, Counter]                           3GPP AAA-serv -> WLAN AN
  9. EAP-Request/AKA-Notification [Success notification, Counter]                           WLAN AN -> UE
 10. EAP-Response/AKA-Notification                                                          UE -> WLAN AN
 11. EAP-Response/AKA-Notification                                                          WLAN AN -> 3GPP AAA-serv
 12. EAP Success + keying material                                                          3GPP AAA-serv -> WLAN AN
 13. EAP Success                                                                            WLAN AN -> UE
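An added example, not from the slides or from any 3GPP/IETF implementation, modelling the replay protection in steps 4 to 7 of both the EAP SIM and the EAP AKA fast re-authentication procedures above: the AAA server sends a Counter and NONCE under a MAC, and the UE accepts the re-authentication only if the MAC verifies and the Counter is larger than the last one it accepted. The key K_aut, the 16-byte nonces and the HMAC-SHA256 MAC construction are assumptions of this model; RFC 4186/4187 derive their own keys and use their own MAC layout, but the counter rule is the same.

```python
import hashlib
import hmac
import os
import struct

# Simplified model (assumption, not the RFC construction): MAC = first 16 bytes of
# HMAC-SHA256 over a direction label and the fields, keyed with a K_aut that the
# preceding full authentication is assumed to have established on both sides.
MAC_LEN = 16


def compute_mac(k_aut: bytes, direction: bytes, counter: int, nonce: bytes) -> bytes:
    """Direction label keeps the request MAC from being reused as a response MAC."""
    msg = direction + struct.pack("!H", counter) + nonce
    return hmac.new(k_aut, msg, hashlib.sha256).digest()[:MAC_LEN]


class ReauthServer:
    """AAA server side: each request carries a fresh, strictly increasing Counter."""

    def __init__(self, k_aut: bytes, first_counter: int = 1):
        self.k_aut = k_aut
        self.counter = first_counter   # Counter to put in the next request
        self.pending = None            # (counter, nonce) awaiting the UE's response

    def request(self, nonce: bytes = None) -> dict:
        nonce = nonce if nonce is not None else os.urandom(16)
        mac = compute_mac(self.k_aut, b"req", self.counter, nonce)
        self.pending = (self.counter, nonce)
        return {"counter": self.counter, "nonce": nonce, "mac": mac}

    def verify_response(self, resp: dict) -> str:
        if self.pending is None:
            return "no_pending_request"
        counter, nonce = self.pending
        self.pending = None
        if resp.get("result") == "counter_too_small":
            return "fallback_to_full_auth"   # UE saw a stale Counter: run full EAP-SIM/AKA
        if resp.get("result") != "ok" or resp.get("counter") != counter:
            return "rejected"
        expected = compute_mac(self.k_aut, b"resp", counter, nonce)
        if not hmac.compare_digest(expected, resp["mac"]):
            return "bad_mac"
        self.counter = counter + 1       # Counter is consumed only after a valid response
        return "ok"


class ReauthPeer:
    """UE side: verifies the MAC and insists the Counter exceeds the last accepted one."""

    def __init__(self, k_aut: bytes):
        self.k_aut = k_aut
        self.last_counter = 0

    def respond(self, req: dict) -> dict:
        expected = compute_mac(self.k_aut, b"req", req["counter"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return {"result": "bad_mac"}   # a real peer silently discards the packet
        if req["counter"] <= self.last_counter:
            # Replay or out-of-date request: answer with the counter-too-small indication
            return {"result": "counter_too_small", "counter": req["counter"]}
        self.last_counter = req["counter"]
        # The response MAC binds the server's NONCE, so a captured response cannot be reused
        mac = compute_mac(self.k_aut, b"resp", req["counter"], req["nonce"])
        return {"result": "ok", "counter": req["counter"], "mac": mac}


def demo(k_aut: bytes = b"\x11" * 16) -> list:
    """Three runs: a valid exchange, a replay of the same request, and a tampered MAC."""
    server, peer = ReauthServer(k_aut), ReauthPeer(k_aut)
    outcomes = []
    req = server.request(nonce=b"\x00" * 16)          # constructed nonce, reproducible
    outcomes.append(server.verify_response(peer.respond(req)))
    outcomes.append(peer.respond(req)["result"])      # replayed request: Counter 1 is stale
    req2 = server.request(nonce=b"\x01" * 16)
    req2["mac"] = bytes(MAC_LEN)                      # tampered request: MAC zeroed
    outcomes.append(peer.respond(req2)["result"])
    return outcomes                                   # ["ok", "counter_too_small", "bad_mac"]


if __name__ == "__main__":
    print(demo())
```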
Subscriber Profile Update
Entities: WLAN UE, WLAN AN, 3GPP AAA Server, HSS
  1. User is registered to a 3GPP AAA server
  2. User subscription is modified in HSS
  3. Wx "Subscriber Profile" procedure (HSS -> 3GPP AAA Server)
  4. Access authorisation information is updated to the WLAN (3GPP AAA Server -> WLAN AN)
Access and Service Authorization Information Update Procedure
Entities: WLAN AN, WAG, PDG, 3GPP AAA Server, HSS
  1. User is registered to a 3GPP AAA server
  2. User's service subscription is modified in HSS
  3. Wx "Subscriber Profile" procedure (HSS -> 3GPP AAA Server)
  4. Access authorisation information is updated to the WLAN (3GPP AAA Server -> WLAN AN)
  5. Service authorisation info is updated to the PDGs (3GPP AAA Server -> PDG)
  6. Filtering policy information update to WAG (3GPP AAA Server -> WAG)
W-APN Resolution and Tunnel Establishment
Entities: WLAN UE, WLAN AN, WAG, 3GPP AAA Server/Proxy, Visited PDG, 3GPP AAA Server, Home PDG
  1. WLAN Access Authentication and Authorization and WLAN UE local IP address allocation
  2. W-APN resolution and tunnel establishment to PDG in Visited PLMN
     2.1 DNS query
     2.2 End-to-end tunnel establishment (WLAN UE - Visited PDG)
     2.3 Retrieving Authentication and Authorization data (Visited PDG - 3GPP AAA Server/Proxy)
     2.4 Tunnel packet flow filter exchange (WAG - Visited PDG)
  3. W-APN resolution and tunnel establishment to PDG in Home PLMN
     3.1 DNS query
     3.2 End-to-end tunnel establishment (WLAN UE - Home PDG)
     3.3 Retrieving Authentication and Authorization data (Home PDG - 3GPP AAA Server)
     3.4 Tunnel packet flow filter exchange (WAG - Home PDG)
WLAN AN Connected to a Single ISP
[Figure: WLAN UE - (Layer 2 connection) - WLAN Access Network - Access router - ISP backbone network - (Layer 3 connectivity over the Internet, Wn) - WAG - PDG - (Wi) - Internet; WAG and PDG sit in the PLMN.]
WiMAX Forum Perspectives
WiMAX-3GPP Interworking (Non-Roaming Case)
  ASN: Access Service Network   CSN: Connectivity Service Network
Loosely-Coupled Interworking of WiMAX with 3GPP2
DSL Reference Architecture
WiMAX IEEE 802.16 FWA Deployment in a DSL Network
WiMAX Integration with DSL Services
WiMAX Integration with DSL Access Networks
Supplement
EAP — Extensible Authentication Protocol
• EAP
  – Generic transport protocol for different authentication mechanisms (EAP methods)

[Figure: EAP layering. Method Layer: TLS, MD5, USIM-AKA, EAP/SIM, reached through the EAP APIs, with 802.1X and VPN as users; EAP Layer: EAP, reached through the NDIS APIs; MAC Layer: PPP, 802.11, 802.3.]
Authentication Overview
Entities: UE, Authenticator, Authentication Server (Authenticator and Authentication Server talk RADIUS)
  UE blocks port for data traffic; Authenticator blocks port for data traffic
  802.1X/EAP-Request Identity                         Authenticator -> UE
  802.1X/EAP-Response Identity (EAP type specific)    UE -> Authenticator
  RADIUS Access Request/Identity                      Authenticator -> Authentication Server
  EAP type specific mutual authentication             UE <-> Authentication Server
  Derive Pairwise Master Key (PMK) at the UE; Derive Pairwise Master Key (PMK) at the Authentication Server
  RADIUS Accept (with PMK)                            Authentication Server -> Authenticator
  802.1X/EAP-SUCCESS                                  Authenticator -> UE
EAP Packet Format
[Figure: EAP packet layout; the last field is of variable length ...]

Code:
  0x01: Request
  0x02: Response
  0x03: Success
  0x04: Failure

For EAP-Request and EAP-Response, EAP-type = 1, Identity
                                           = 2, Notification
                                           = 3, NAK (negative ACK)
                                           ≧ 4, authentication algorithm
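An added example in Python, not from the slides, that parses and builds EAP packets using the Code and Type values above; it also covers the Response/Identity carrying the NAI and the Nak from the 802.1X overview. The header layout (Code, Identifier, Length, Type, Type-Data) is RFC 3748; the EAP-SIM and EAP-AKA type numbers 18 and 23 come from the IANA EAP registry, not from this page; user@example.org is a constructed sample NAI.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP header per RFC 3748: Code (1 byte), Identifier (1 byte), Length (2 bytes, covers
# the whole packet); Request/Response then carry a Type byte and Type-Data.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION, EAP_TYPE_NAK = 1, 2, 3
# Method types (IANA EAP registry) for the methods named on the slides
EAP_TYPE_MD5, EAP_TYPE_TLS, EAP_TYPE_SIM, EAP_TYPE_AKA = 4, 13, 18, 23

CODE_NAMES = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
              EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}
TYPE_NAMES = {EAP_TYPE_IDENTITY: "Identity", EAP_TYPE_NOTIFICATION: "Notification",
              EAP_TYPE_NAK: "Nak", EAP_TYPE_MD5: "MD5-Challenge", EAP_TYPE_TLS: "TLS",
              EAP_TYPE_SIM: "SIM", EAP_TYPE_AKA: "AKA"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    type_data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting anything the header does not account for."""
    if len(buf) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in CODE_NAMES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(buf):
        # Length must cover the header and never claim more than was received
        raise ValueError("EAP Length inconsistent with received data")
    body = buf[4:length]              # bytes beyond Length are padding and are ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must not carry Type-Data")
        return EapPacket(code, ident, None, b"")
    if not body:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, ident, body[0], bytes(body[1:]))


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Serialise a packet; Success/Failure take no Type, Request/Response need one."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if eap_type is not None or type_data:
            raise ValueError("Success/Failure carry no Type")
        payload = b""
    else:
        if eap_type is None:
            raise ValueError("Request/Response need a Type")
        payload = bytes([eap_type]) + type_data
    length = 4 + len(payload)
    if length > 0xFFFF:
        raise ValueError("packet too long for the 16-bit Length field")
    return struct.pack("!BBH", code, ident, length) + payload


def describe(pkt: EapPacket) -> str:
    """Readable name such as 'Response/Identity' or 'Request/SIM'."""
    if pkt.eap_type is None:
        return CODE_NAMES[pkt.code]
    type_name = TYPE_NAMES.get(pkt.eap_type, "Type %d" % pkt.eap_type)
    return "%s/%s" % (CODE_NAMES[pkt.code], type_name)


def identity_nai(pkt: EapPacket) -> str:
    """NAI carried by a Response/Identity (the 'NAI based on a pseudonym or IMSI')."""
    if pkt.code != EAP_RESPONSE or pkt.eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not a Response/Identity")
    return pkt.type_data.decode("utf-8")


def nak_desired_types(pkt: EapPacket) -> List[int]:
    """Method types the peer proposes in a Nak; empty means none are acceptable."""
    if pkt.code != EAP_RESPONSE or pkt.eap_type != EAP_TYPE_NAK:
        raise ValueError("not a Response/Nak")
    return [t for t in pkt.type_data if t != 0]   # a lone 0 signals no alternative


if __name__ == "__main__":
    # Constructed sample exchange: Request/Identity, Response/Identity with a NAI, Success
    for raw in (build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
                build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user@example.org"),
                build_eap(EAP_SUCCESS, 2)):
        print(raw.hex(), describe(parse_eap(raw)))
```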

				
posted:4/8/2013
pages:48