Slide1
Session Policy Framework using EAP
draft-mccann-session-policy-framework-using-eap-00.doc
IETF 76 – Hiroshima
Stephen McCann, Mike Montemurro
Slide2
Overview
Service providers may have policies that apply to the media types, codecs, etc. negotiated for SIP sessions.
The SIP WG has defined a session policy framework that defines a policy channel for a mobile device to communicate with a policy server to obtain session policies during SIP session establishment and modification.
Currently uses SIP Event Notification mechanism (RFC 3265) to realise the policy channel
SIP Event Notification mechanism is not appropriate for bandwidth constrained links.
It is proposed to have an alternative realisation of the policy channel using a new EAP TLV. This could also be used for other, more general non-SIP applications where clients need to obtain policies from a server using EAP.
Slide3
Solution
Perform initial EAP exchange.
Store keying material from exchange, together with relevant state information.
Re-use ERP
Encapsulate the Session Policy Exchanges within a TLV (e.g. Policy Request & Info Answer).
TLV is carried within ERP
Determine media authorization information, at L2, in parallel to AAA authentication.
Media authorization can be implemented more efficiently using EAP/ERP
Slide4
Initialisation
Slide5
Initialisation
(1) EAP Method Exchange (tunnel initialization)
An EAP exchange is performed between the mobile device and the initial network component (INC, e.g. Packet Data Gateway), with the authentication messages being forwarded to the home network AAA server. A suitable EAP method is used to establish a tunnel (e.g. EAP-FAST), from which the relevant ERP key material is derived for subsequent use.
(2) SIP registration with PCCh
Although not a part of the layer 2 exchange, it is worth showing that SIP registration between the mobile device and the PCCh (home PCC) occurs at this point. Subsequent SIP level flows are not shown.
Slide6
Mobile Device Triggered
Slide7
Mobile Device Triggered
(3) EAP-Initiate/Re-auth-Start
An ERP exchange is performed between the mobile device and the INC (e.g. Packet Data Gateway) with the authentication messages being forwarded to the home AAA server.
(4) ERP (Policy Request)
The policy request message is then transported within ERP (typically using a TLV) to the INC, and then forwarded (using Diameter) to the PCCh.
(5) Policy-h
At the home AAA server, the home network policy is determined for subsequent SIP sessions.
(6) AAA (Policy Request)
The home AAA server then requests policy information from the PCCs of all visited networks through which the SIP session will traverse, using a AAA Policy Request message.
(7) AAA (Policy Response)
Each visited PCC will then return its network policy back to the home network, where the session policy document is compiled.
(8) ERP (Policy Response)
The session policy document is returned to the INC and is then encapsulated within ERP, before being returned to the mobile device.
Slide8
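As an added example (not code from the draft or its authors), the following Python models steps (3) to (8) of the flow above: the Policy Request and Policy Response travel as TLVs inside an ERP message whose integrity tag is keyed with the re-authentication key derived in step (1), the INC checks the tag before forwarding, and the home AAA compiles the session policy document from the home policy and the visited PCC answers. The TLV type numbers, the HMAC-SHA256 tag, the policy contents and the codec/bandwidth merge rule are all assumptions; the draft specifies none of them.

```python
import hashlib, hmac, struct
TLV_POLICY_REQUEST, TLV_POLICY_RESPONSE = 0xF0, 0xF1  # placeholder types; the draft assigns none
TAG_LEN = 32  # HMAC-SHA256 tag appended to every ERP message in this model
def encode_tlv(tlv_type, value):
    return struct.pack("!BH", tlv_type, len(value)) + value  # type, length, value

def decode_tlvs(buf):
    tlvs, pos = [], 0
    while pos < len(buf):
        tlv_type, length = struct.unpack_from("!BH", buf, pos)
        tlvs.append((tlv_type, buf[pos + 3:pos + 3 + length]))
        pos += 3 + length
    return tlvs
def erp_wrap(rik, tlvs):
    """ERP message = TLVs followed by a tag keyed with the re-auth integrity key."""
    body = b"".join(encode_tlv(t, v) for t, v in tlvs)
    return body + hmac.new(rik, body, hashlib.sha256).digest()

def erp_unwrap(rik, msg):
    """Check the tag in constant time; reject any message altered in transit."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(rik, body, hashlib.sha256).digest(), tag):
        raise ValueError("ERP integrity check failed")
    return decode_tlvs(body)

def compile_policy(home, visited):
    """Steps (5)-(7): keep codecs every PCC allows, cap bandwidth at the strictest PCC."""
    codecs, kbps = set(home["codecs"]), home["max_kbps"]
    for pol in visited:
        codecs &= set(pol["codecs"])
        kbps = min(kbps, pol["max_kbps"])
    return sorted(codecs), kbps

def mobile_triggered_flow(rik, home, visited):
    """Steps (3)-(8); the Diameter hops between INC and home AAA are plain calls here."""
    # (3)/(4) mobile device -> INC: Policy Request TLV carried inside ERP
    request = erp_wrap(rik, [(TLV_POLICY_REQUEST, b"sip:audio")])
    # INC verifies the tag before forwarding the request towards the home AAA server
    req_tlvs = erp_unwrap(rik, request)
    # (5)-(7) home AAA merges its own policy with each visited PCC's answer
    codecs, kbps = compile_policy(home, visited)
    doc = ("codecs=%s;max_kbps=%d" % (",".join(codecs), kbps)).encode()
    # (8) home AAA -> INC -> mobile device: session policy document inside ERP
    response = erp_wrap(rik, [(TLV_POLICY_RESPONSE, doc)])
    return dict(req_tlvs), dict(erp_unwrap(rik, response))

# Constructed sample data: key material from step (1), home and visited PCC policies
RIK = hashlib.sha256(b"constructed rIK from the initial EAP exchange").digest()
HOME = {"codecs": ["PCMU", "G729", "OPUS"], "max_kbps": 128}
VISITED = [{"codecs": ["PCMU", "OPUS"], "max_kbps": 64}, {"codecs": ["PCMU", "G729", "OPUS"], "max_kbps": 96}]
```

The tag only authenticates the TLVs; the policy contents still travel in the clear, which is the encryption question raised under Future Work.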
Network Triggered
Slide9
Network Triggered
(9) AAA (Policy Change)
A visited PCC changes the session policy (most likely whilst the mobile device session is on-going) and indicates to the home network server that a policy change has occurred.
(10) AAA (Policy Change Event)
The home network server sends an Event message to the INC (most likely within Diameter).
(11) EAP-Initiate/Re-auth-Start
The INC then requests the mobile device to execute ERP.
Message flow continues, as described in (4) and (8).
Slide10
Future Work
How exactly is the ERP payload carried in the network?
Diameter?
Do these messages need to be encrypted?
Can the EAP/ERP credentials be tied to the SIP session?
Requirements on mobile device?
Password
Certificate
Username
Slide11
Relevant Documents
EAP
draft-mccann-session-policy-framework-using-eap-00
SIP
draft-ietf-sip-session-policy-framework-06
draft-ietf-sipping-media-policy-dataset-07