Session Policy Framework using EAP

Uploaded On 2017-12-17

Presentation Transcript

Slide1

Session Policy Framework using EAP

draft-mccann-session-policy-framework-using-eap-00.doc

IETF 76 – Hiroshima

Stephen McCann, Mike Montemurro

Slide2

Overview

Service providers may have policies that apply to the media types, codecs, etc. negotiated for SIP sessions.

The SIP WG has defined a session policy framework that defines a policy channel for a mobile device to communicate with a policy server to obtain session policies during SIP session establishment and modification.

Currently uses the SIP Event Notification mechanism (RFC 3265) to realise the policy channel.

The SIP Event Notification mechanism is not appropriate for bandwidth-constrained links.

It is proposed to have an alternative realisation of the policy channel using a new EAP TLV. This could also be used for other, more general non-SIP applications where clients need to obtain policies from a server using EAP.

Slide3

Solution

Perform initial EAP exchange.

Store keying material from exchange, together with relevant state information.

Re-use ERP

Encapsulate the Session Policy Exchanges within a TLV (e.g. Policy Request & Info Answer).

TLV is carried within ERP

Determine media authorization information, at L2, in parallel to AAA authentication.

Media authorization can be implemented more efficiently using EAP/ERP.

Slide4

Initialisation

Slide5

Initialisation

(1) EAP Method Exchange (tunnel initialization)

An EAP exchange is performed between the mobile device and the initial network component (e.g. Packet Data Gateway) with the authentication messages being forwarded to the home network AAA server. A suitable EAP method is used to establish a tunnel (e.g. EAP-FAST), from which the relevant ERP key material is derived for subsequent use.

(2) SIP registration with PCCh

Although not a part of the layer 2 exchange, it is worth showing that SIP registration between the mobile device and the PCCh (home PCC) occurs at this point. Subsequent SIP level flows are not shown.

Slide6

Mobile Device Triggered

Slide7

Mobile Device Triggered

(3) EAP-Initiate/Re-auth-Start

An ERP exchange is performed between the mobile device and the INC (e.g. Packet Data Gateway) with the authentication messages being forwarded to the home AAA server.

(4) ERP (Policy Request)

The policy request message is then transported within ERP (typically using a TLV) to the INC, and then forwarded (using Diameter) to the PCCh.

(5) Policy-h

At the home AAA server, the home network policy is determined for subsequent SIP sessions.

(6) AAA (Policy Request)

The home AAA server then requests policy information from the PCCs of all visited networks through which the SIP session will traverse, using an AAA Policy Request message.

(7) AAA (Policy Response)

Each visited PCC will then return its network policy back to the home network, where the session policy document is compiled.

(8) ERP (Policy Response)

The session policy document is returned to the INC and is then encapsulated within ERP, before being returned to the mobile device.

Slide8

Network Triggered

Slide9

Network Triggered

(9) AAA (Policy Change)

A visited PCC changes the session policy (most likely whilst the mobile device session is ongoing) and indicates to the home network server that a policy change has occurred.

(10) AAA (Policy Change Event)

The home network server sends an Event message to the INC (most likely within Diameter).

(11) EAP Initiate/Re-auth-Start

The INC then requests the mobile device to execute ERP.

Message flow continues, as described in (4) and (8).

Slide10

Future Work

How exactly is the ERP payload carried in the network?

Diameter?

Do these messages need to be encrypted?

Can the EAP/ERP credentials be tied to the SIP session?

Requirements on mobile device?

Password

Certificate

Username

Slide11

Relevant Documents

EAP

draft-mccann-session-policy-framework-using-eap-00

SIP

draft-ietf-sip-session-policy-framework-06

draft-ietf-sipping-media-policy-dataset-07
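
The encapsulation described in steps (4) and (8), as an added example that is not part of the original slides or of the draft: a Python sketch that places a policy request in a TLV inside an ERP EAP-Initiate/Re-auth packet (layout per RFC 6696, which obsoleted RFC 5296) and protects it with the HMAC-SHA256-128 authentication tag keyed by the rIK. The policy TLV type 0xF0, the key, the NAI and the payload are assumptions constructed for illustration; the slides assign no TLV number.

```python
import hashlib, hmac, struct

EAP_INITIATE, ERP_REAUTH = 5, 2   # EAP Code 5, Type 2 (EAP-Initiate/Re-auth)
TLV_KEYNAME_NAI = 1               # keyName-NAI TLV
TLV_POLICY_REQUEST = 0xF0         # HYPOTHETICAL type: the slides assign no number
CS_HMAC_SHA256_128, TAG_LEN = 2, 16

def tlv(tlv_type, value):
    if len(value) > 255:          # ERP TLV length field is a single octet
        raise ValueError("value does not fit in one ERP TLV")
    return bytes([tlv_type, len(value)]) + value

def _tag(rik, data):
    return hmac.new(rik, data, hashlib.sha256).digest()[:TAG_LEN]

def build_reauth(rik, ident, seq, keyname_nai, policy_request):
    body = tlv(TLV_KEYNAME_NAI, keyname_nai) + tlv(TLV_POLICY_REQUEST, policy_request)
    total = 8 + len(body) + 1 + TAG_LEN   # header+flags+SEQ, TLVs, cryptosuite, tag
    head = struct.pack("!BBHBBH", EAP_INITIATE, ident, total, ERP_REAUTH, 0, seq)
    unsigned = head + body + bytes([CS_HMAC_SHA256_128])
    return unsigned + _tag(rik, unsigned)  # tag covers everything before it

def parse_reauth(rik, pkt):
    """Verify the authentication tag, then return {tlv_type: value}."""
    if len(pkt) < 8 + 1 + TAG_LEN:
        raise ValueError("truncated packet")
    code, _ident, length, etype, _flags, _seq = struct.unpack("!BBHBBH", pkt[:8])
    if (code, etype) != (EAP_INITIATE, ERP_REAUTH) or length != len(pkt):
        raise ValueError("not a well-formed EAP-Initiate/Re-auth")
    unsigned, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if unsigned[-1] != CS_HMAC_SHA256_128:
        raise ValueError("unsupported cryptosuite")
    if not hmac.compare_digest(tag, _tag(rik, unsigned)):
        raise ValueError("authentication tag mismatch")
    tlvs, i, end = {}, 8, len(unsigned) - 1  # TLVs only; fixed-length TVs not handled
    while i < end:
        if i + 2 > end or i + 2 + pkt[i + 1] > end:
            raise ValueError("TLV overruns packet")
        tlvs[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return tlvs

# Constructed sample values (not from the draft)
RIK = bytes(range(32))
NAI = b"constructed-key-name@home.example"
POLICY_REQ = b"media=audio;codec=PCMU"
PKT = build_reauth(RIK, ident=7, seq=1, keyname_nai=NAI, policy_request=POLICY_REQ)
```

The tag detects modification in transit, but the policy TLV itself travels in cleartext, which is what the Future Work question about encryption turns on. The one-octet TLV length also caps a policy payload at 255 bytes per TLV.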