1. Field of the Invention
The present application relates to computer networks, especially dynamic host configuration, multicast security and network access authentication.
2. Background Discussion
Networks and Internet Protocol:
There are many types of computer networks, with the Internet having the most notoriety. The Internet is a worldwide network of computer networks. Today, the Internet is a public and self-sustaining network that is available to many millions of users. The Internet uses a set of communication protocols called TCP/IP (ie., Transmission Control Protocol/Internet Protocol) to connect hosts. The Internet has a communications infrastructure known as the Internet backbone. Access to the Internet backbone is largely controlled by Internet Service Providers (ISPs) that resell access to corporations and individuals.
With respect to IP (Internet Protocol), this is a protocol by which data can be sent from one device (e.g., a phone, a PDA [Personal Digital Assistant], a computer, etc.) to another device on a network. There are a variety of versions of IP today, including, e.g., IPv4, IPv6, etc. Each host device on the network has at least one IP address that is its own unique identifier.
IP is a connectionless protocol. The connection between end points during a communication is not continuous. When a user sends or receives data or messages, the data or messages are divided into components known as packets. Every packet is treated as an independent unit of data.
In order to standardize the transmission between points over the Internet or the like networks, an OSI (Open Systems Interconnection) model was established. The OSI model separates the communications processes between two points in a network into seven stacked layers, with each layer adding its own set of functions. Each device handles a message so that there is a downward flow through each layer at a sending end point and an upward flow through the layers at a receiving end point. The programming and/or hardware that provides the seven layers of function is typically a combination of device operating systems, application software, TCP/IP and/or other transport and network protocols, and other software and hardware.
Typically, the top four layers are used when a message passes from or to a user and the bottom three layers are used when a message passes through a device (e.g., an IP host device). An IP host is any device on the network that is capable of transmitting and receiving IP packets, such as a server, a router or a workstation. Messages destined for some other host are not passed up to the upper layers but are forwarded to the other host. The layers of the OSI model are listed below. Layer 7 (i.e., the application layer) is a layer at which, e.g., communication partners are identified, quality of service is identified, user authentication and privacy are considered, constraints on data syntax are identified, etc. Layer 6 (i.e., the presentation layer) is a layer that, e.g., converts incoming and outgoing data from one presentation format to another, etc. Layer 5 (i.e., the session layer) is a layer that, e.g., sets up, coordinates, and terminates conversations, exchanges and dialogs between the applications, etc. Layer-4 (i.e., the transport layer) is a layer that, e.g., manages end-to-end control and error-checking, etc. Layer-3 (i.e., the network layer) is a layer that, e.g., handles routing and forwarding, etc. Layer-2 (i.e., the data-link layer) is a layer that, e.g., provides synchronization for the physical level, does bit-stuffing and furnishes transmission protocol knowledge and management, etc. The Institute of Electrical and Electronics Engineers (IEEE) sub-divides the data-link layer into two further sub-layers, the MAC (Media Access Control) layer that controls the data transfer to and from the physical layer and the LLC (Logical Link Control) layer that interfaces with the network layer and interprets commands and performs error recovery. Layer 1 (i.e., the physical layer) is a layer that, e.g., conveys the bit stream through the network at the physical level. The IEEE sub-divides the physical layer into the PLCP (Physical Layer Convergence Procedure) sub-layer and the PMD (Physical Medium Dependent) sub-layer.
Wireless Networks:
Wireless networks can incorporate a variety of types of mobile devices, such as, e.g., cellular and wireless telephones, PCs (personal computers), laptop computers, wearable computers, cordless phones, pagers, headsets, printers, PDAs, etc. For example, mobile devices may include digital systems to secure fast wireless transmissions of voice and/or data. Typical mobile devices include some or all of the following components: a transceiver (i.e., a transmitter and a receiver, including, e.g., a single chip transceiver with an integrated transmitter, receiver and, if desired, other functions); an antenna; a processor; one or more audio transducers (for example, a speaker or a microphone as in devices for audio communications); electromagnetic data storage (such as, e.g., ROM, RAM, digital data storage, etc., such as in devices where data processing is provided); memory; flash memory; a full chip set or integrated circuit; interfaces (such as, e.g., USB, CODEC, UART, PCM, etc.); and/or the like.
Wireless LANs (WLANS) in which a mobile user can connect to a local area network (LAN) through a wireless connection may be employed for wireless communications. Wireless communications can include, e.g., communications that propagate via electromagnetic waves, such as light, infrared, radio, microwave. There are a variety of WLAN standards that currently exist, such as, e.g., Bluetooth, IEEE 802.11, and HomeRF.
By way of example, Bluetooth products may be used to provide links between mobile computers, mobile phones, portable handheld devices, personal digital assistants (PDAs), and other mobile devices and connectivity to the Internet. Bluetooth is a computing and telecommunications industry specification that details how mobile devices can easily interconnect with each other and with non-mobile devices using a short-range wireless connection. Bluetooth creates a digital wireless protocol to address end-user problems arising from the proliferation of various mobile devices that need to keep data synchronized and consistent from one device to another, thereby allowing equipment from different vendors to work seamlessly together. Bluetooth devices may be named according to a common naming concept. For example, a Bluetooth device may possess a Bluetooth Device Name (BDN) or a name associated with a unique Bluetooth Device Address (BDA). Bluetooth devices may also participate in an Internet Protocol (IP) network. If a Bluetooth device functions on an IP network, it may be provided with an IP address and an IP (network) name. Thus, a Bluetooth Device configured to participate on an IP network may contain, e.g., a BDN, a BDA, an IP address and an IP name. The term “IP name” refers to a name corresponding to an IP address of an interface.
An IEEE standard, IEEE 802.11, specifies technologies for wireless LANs and devices. Using 802.11, wireless networking may be accomplished with each single base station supporting several devices. In some examples, devices may come pre-equipped with wireless hardware or a user may install a separate piece of hardware, such as a card, that may include an antenna. By way of example, devices used in 802.11 typically include three notable elements, whether or not the device is an access point (AP), a mobile station (STA), a bridge, a PCMCIA card or another device: a radio transceiver; an antenna; and a MAC (Media Access Control) layer that controls packet flow between points in a network.
In addition, Multiple Interface Devices (MIDs) may be utilized in some wireless networks. MIDs may contain two independent network interfaces, such as a Bluetooth interface and an 802.11 interface, thus allowing the MID to participate on two separate networks as well as to interface with Bluetooth devices. The MID may have an IP address and a common IP (network) name associated with the IP address.
Wireless network devices may include, but are not limited to Bluetooth devices, Multiple Interface Devices (MIDs), 802.11x devices (IEEE 802.11 devices including, e.g., 802.11a, 802.11b and 802.11g devices), HomeRF (Home Radio Frequency) devices, Wi-Fi (Wireless Fidelity) devices, GPRS (General Packet Radio Service) devices, 3G cellular devices, 2.5G cellular devices, GSM (Global System for Mobile Communications) devices, EDGE (Enhanced Data for GSM Evolution) devices, TDMA type (Time Division Multiple Access) devices, or CDMA type (Code Division Multiple Access) devices, including CDMA2000. Each network device may contain addresses of varying types including but not limited to an IP address, a Bluetooth Device Address, a Bluetooth Common Name, a Bluetooth IP address, a Bluetooth IP Common Name, an 802.11 IP Address, an 802.11 IP common Name, or an IEEE MAC address.
Wireless networks can also involve methods and protocols found in, e.g., Mobile IP (Internet Protocol) systems, in PCS systems, and in other mobile network systems. With respect to Mobile IP, this involves a standard communications protocol created by the Internet Engineering Task Force (IETF). With Mobile IP, mobile device users can move across networks while maintaining their IP Address assigned once. See Request for Comments (RFC) 3344. NB: RFCs are formal documents of the Internet Engineering Task Force (IETF). Mobile IP enhances Internet Protocol (IP) and adds means to forward Internet traffic to mobile devices when connecting outside their home network. Mobile IP assigns each mobile node a home address on its home network and a care-of-address (CoA) that identifies the current location of the device within a network and its subnets. When a device is moved to a different network, it receives a new care-of address. A mobility agent on the home network can associate each home address with its care-of address. The mobile node can send the home agent a binding update each time it changes its care-of address using, e.g., Internet Control Message Protocol (ICMP).
In basic IP routing (i.e. outside mobile IP), routing mechanisms rely on the assumptions that each network node always has a constant attachment point to, e.g., the Internet and that each node's IP address identifies the network link it is attached to. In this document, the terminology “node” includes a connection point, which can include, e.g., a redistribution point or an end point for data transmissions, and which can recognize, process and/or forward communications to other nodes. For example, Internet routers can look at, e.g., an IP address prefix or the like identifying a device's network. Then, at a network level, routers can look at, e.g., a set of bits identifying a particular subnet. Then, at a subnet level, routers can look at, e.g., a set of bits identifying a particular device. With typical mobile IP communications, if a user disconnects a mobile device from, e.g., the Internet and tries to reconnect it at a new subnet, then the device has to be reconfigured with a new IP address, a proper netmask and a default router. Otherwise, routing protocols would not be able to deliver the packets properly.
Dynamic Host Configuration Protocol:
Dynamic Host Configuration Protocol (DHCP) is a communications protocol which enables administrators to manage and/or automate IP address assignments in a network. With Internet Protocol (IP), every device that connects to the Internet needs a unique IP address. When an ISP or organization connects a user's computer to the Internet, an IP address needs to be assigned to that device. DHCP enables an administrator to distribute IP addresses and send a new IP address when a computer is plugged into a different place in the network. DHCP also supports static addresses for computers containing Web servers that need a permanent IP address. DHCP is an extension of an earlier network IP management protocol, Bootstrap Protocol (BOOTP).
As detailed in RFC2131 entitled Dynamic Host Configuration Protocol by R. Droms, March, 1997, DHCP provides configuration parameters to Internet hosts. DHCP includes two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host and a mechanism for allocation of network addresses to hosts. See RFC2131. “DHCP is built on a client-server model, where designated DHCP server hosts allocate network addresses and deliver configuration parameters to dynamically configured hosts.” Id.
As described in RFC2131, a DHCP server refers to a host providing initialization parameters through DHCP and a DHCP client refers to a host requesting initialization parameters from a DHCP server. A host does not act as a DHCP server unless appropriately configured by a system administrator. DHCP supports three mechanisms for IP address allocation: 1) “automatic allocation” in which DHCP assigns a permanent IP address to a client; 2) “dynamic allocation” in which DHCP assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address); and 3) “manual allocation” in which a client's IP address is assigned by a network administrator, and DHCP is used to convey the assigned address to the client. Of these, dynamic allocation allows automatic reuse of an address that is no longer needed by a client to which it was assigned. Thus, dynamic allocation is useful for assigning an address to a client that will be connected to the network only temporarily or for sharing a limited pool of IP addresses among a group of clients that do not need permanent IP addresses. See Id. In addition, “dynamic allocation may also be a good choice for assigning an IP address to a new client being permanently connected to a network where IP addresses are sufficiently scarce that it is important to reclaim them when old clients are retired.” Id.
While a variety of systems and methods are known, there remains a need for improved systems and methods.
The preferred embodiments of the present invention can significantly improve upon existing methods and/or apparatuses.
According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between an Authentication Agent (e.g., PAA) and a DHCP server, such as, e.g., for synchronization between an authentication SA state (e.g., a PANA SA state) and a DHCP SA state, such as, e.g., for maintaining synchronization when a connection is lost.
According to some embodiments, systems and methods for binding network bridge and network access authentication are provided related to, inter alia, interactions between an Authentication Agent (e.g., a PAA) and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above.
According to some embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.
The preferred embodiments of the present invention are shown by a way of example, and not limitation, in the accompanying figures, in which:
FIGS. 31 to 37 are schematic diagrams showing illustrative example 2: Step 1-A to 7-A, respectively;
While the present invention may be embodied in many different forms, a number of illustrative embodiments are described herein with the understanding that the present disclosure is to be considered as providing examples of the principles of the invention and that such examples are not intended to limit the invention to preferred embodiments described herein and/or illustrated herein.
In the following detailed description, preferred embodiments of the invention are described in three parts. Part I entitled Binding Dynamic Host Configuration and Network Access Authentication relates to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP server. Among other things, Part I describes methodologies for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. On the other hand, Part II entitled Binding Network Bridge and Network Access Authentication relates to, inter alia, interactions between a PAA and a layer-2 switch. Among other things, Part II describes methodologies for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of Part I. On the other hand, Part III entitled Bootstrapping Multicast Security from Network Access Authentication Protocol relates to, inter alia, key management for protected IP multicast streams. Among other things, Part III describes methodologies of avoiding IP multicast streams being unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of Part I.
PART I: Binding Dynamic Host Configuration and Network Access Authentication
1. Existing Protocols
RFC2131, discussed above and incorporated herein by reference in its entirety, of the Internet Engineering Task Force (IETF) defines Dynamic Host Configuration Protocol (DHCP). As discussed above, DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP has the capability of automatic allocation of reusable network addresses and additional configuration options.
RFC3118, incorporated herein by reference in its entirety, of the IETF describes Authentication for DHCP Messages, which defines the DHCP option through which authorization tickets can be easily generated and newly attached hosts with proper authorization can be automatically configured from an authenticated DHCP server.
RFC3315, incorporated herein by reference in its entirety, of the IETF defines Dynamic Host Configuration Protocol for IPv6 (DHCPv6). DHCPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility. RFC3315 also includes Delayed Authentication Protocol for DHCPv6.
The Internet Draft-document entitled Bootstrapping RFC3118 Delayed DHCP Authentication Using EAP-based Network Access Authentication, by A. Yegin, et al., dated 02-09-2004 found at [http://www ieff.org/internet-drafts/Yegin-Eap-Boot-RFC3118-00.txt] and incorporated herein by reference in its entirety describes bootstrapping RFC3118 Delayed DHCP Authentication using EAP-based Network Access Authentication. It outlines how EAP-based network access authentication mechanisms can be used to establish a local trust relation and generate keys that can be used in conjunction with RFC3118.
2. Some Current Limitations
RFC3118 and RFC3315 describe how DHCP/DHCPv6 message can be authenticated using Delayed Authentication Protocol, but they do not describe anything about configuring shared keys required to initiate Delayed Authentication Protocol. On the other hand, Draft-Yegin-EAP-Boot-rfc3118-00.txt describes how to generate keys using EAP-based network access authentication mechanisms, so it enables to initiate Delayed Authentication Protocol at the very first time a DHCP client host attached to the network.
However, Draft-Yegin-EAP-Boot-rfc3118-00.txt does not contemplate nor describe how EAP-based authentication session and DHCP sessions can most effectively interact each other after the first bootstrapping of DHCP.
The present inventors have developed new architectures and relationships between network access authentication mechanisms and host configuration mechanisms having significant advantages over existing art. Among other things, according to some preferred embodiments of the invention, systems and methods for how DHCP and authentication sessions can be dealt with in following cases are provided:
Although
While some illustrative examples are described in the context wherein PANA is used as the protocol to carry authentication information for network access and EAP is used as the actual authentication protocol that is carried by the protocol to carry authentication information for network access, these are merely some examples. Various embodiments of the present invention can, as would be well appreciated based on this disclosure, can be applied to any protocol or set of protocols that provides a similar functionality as PANA and EAP—e.g., functionality to establish an authentication session key between a client and an authenticator as a result of successful authentication and authorization. As some examples, the systems and methods of the preferred embodiments can be employed within an access network where IEEE 802.1X is used as a protocol to carry EAP.
In addition, although the figures illustrate cases where a EAP-server and a PANA-server are co-located in a single node, these two entities can be implemented in separate nodes, such as, e.g., using an AAA protocol to carry EAP messages between them. Also, in such examples, authentication session keys may be expressed as AAA Keys.
3.1. Server Behavior When Authentication Session Is Terminated
This section describes how the Authenticator and the DHCP server behave when the authentication session is terminated purposely or accidentally in some preferred embodiments. In this regard,
(1) Typically, the Authenticator notices the authentication session has terminated. The cases the Authenticator can notice the termination of an authentication session include:
(2) According to some preferred embodiments of the invention, the Authenticator can inform the DHCP server that the DHCP key derived from the authentication session that just terminated is no longer valid. Among other things, this can be advantageous because the DHCP server typically stores old configuration files even when a session has terminated. Preferably, the Authenticator informs the DHCP server as soon as the authenticator recognizes the termination of the authentication session. In various embodiments, there are a number of potential implementations for Authenticator to inform the DHCP server of an invalidity or change of the status of DHCP keys.
(3) In some systems, optional features may include that if the DHCP server receives a message of a DHCP key revocation, and if the Host Configuration Protocol allows, the DHCP server requests the DHCP client to release bindings allocated to the client in the previous DHCP messages. By way of example, a DHCPv6 server can request the client to update its bindings by following illustrative steps:
In some instances, if the client notices the termination of the authentication session, then the client will discard the previous key by itself. Accordingly, the above step 2 and the subsequent steps may not happen in such cases.
(4) In some systems, the DHCP server removes the DHCP key and makes the binding disabled. The following possible implementations to make binding entries disabled exist:
This subsection describes how the client deals with termination of the authentication session from the viewpoint of the client. In this regard,
(1) First, as shown at (1) in the figure, the client notices the authentication session is terminated. In this regard, the cases that the client can notice the termination of an authentication session include:
(2) Second, the client stops using resources allocated by the DHCP server. The client may or may not send a Release message to release the bindings using the previous DHCP key.
(3) Third, as shown at (3) in the figure, the client restarts a new authentication session and get new keys, if necessary.
3.2. The Case That Authentication Session Keys Are Updated
According to some preferred embodiments, DHCP keys are specially dealt with when the authentication session keys are updated. In the preferred embodiments, three potential methodologies are available.
In some embodiments, the client and the authenticator and/or the dynamic host configuration server can negotiate regarding which methodologies are to be employed. For example, in some embodiments, the client may send a signal indicating which methods it supports. For example, in some embodiments, a method performed by a client device for use in a system for binding dynamic host configuration and network access authentication when authentication session keys are updated might include: upon termination of either of said authentication session or said dynamic host configuration session or upon beginning such a session, said client device sends a message identifying which dynamic host configuration key handling methodologies that client device supports to deal with such termination or beginning. In some embodiments, said client device sends said message to the authenticator. In some embodiments, said client device sends said message to the dynamic host configuration server.
3.2.1. DHCP Key Remains Unchanged (METHOD 1)
According to a first embodiment, a first method includes that the DHCP key remains unchanged, while the authentication keys are changed.
(1) First, as shown at (1) in the figure, the authentication session keys are changed in the authentication session.
(2) Second, as shown at (2) in the figure, the client updates the authentication session keys, while leaving the DHCP key untouched. The Authenticator does not send anything about the DHCP key to the DHCP server.
(3) Third, as shown at (3) in the figure, when DHCP message exchanges are required by the client or the DHCP server, they keep using the same DHCP key.
3.2.2 Deferred DHCP Key Update (METHOD 2)
According to a second embodiment, a second method includes that the DHCP key is updated at a later time. Notably, the changing of the authentication session keys does not cause immediate DHCP message exchanges. Thus, in some preferred embodiments, the DHCP server and the client will update the DHCP key, when they need DHCP message exchanges for the first time after changing keys. In this regard,
(1) First, as shown at (1) in the figure, an authentication session key update is triggered by an event;
(2) Second, as shown at (2) in the figure, the Authenticator sends the new DHCP key to the DHCP server;
(3) Third, as shown at (3) in the figure, a new authentication session key is established between the authenticator and the client;
(4) Fourth, as shown at (4) in the figure, the client also stores a new DHCP key as an alternative key in this step;
(5) Fifth, as shown at (5) in the figure, the DHCP server and the client will use the new DHCP key, if it is applicable, for message exchanges after obtaining the new authentication key. Once the DHCP server and the client use the new DHCP key, the DHCP server and the client will remove the old DHCP key.
3.2.3. Immediate DHCP Key Update (METHOD 3)
According to a third embodiment, a third method includes that the DHCP session is restarted using the new DHCP key immediately after the changing of keys.
(1) First, as shown at (1) in the figure, the authentication session keys are changed in the authentication session.
(2) Second, as shown at (2) in the figure, a new authentication session key is established between the authenticator and the client. According to the preferred embodiments of the invention, the Authenticator preferably sends the new DHCP key to the DHCP server by the end of this step.
(3) Third, as shown at (3) in the figure, the client preferably initiates a new DHCP session using the new DHCP key.
3.3. The Case That The DHCP Server Needs to be Restarted
According to some preferred embodiments, the DHCP server is restarted after rebooting or for other reasons in a special manner. In the preferred embodiments, there are three potential methodologies that can be employed.
In some embodiments, the client and the authenticator and/or the dynamic host configuration server can negotiate regarding which methodologies are to be employed. For example, in some embodiments, the client may send a signal indicating which methods it supports. For example, in some examples, a method performed by a client device for use in a system for binding dynamic host configuration and network access authentication when the lifetime of dynamic host configuration bindings expire might include: upon expiration of dynamic host configuration bindings (or similarly upon beginning a dynamic host configuration session), the client device can send a message identifying which dynamic host configuration key handling methodologies that client device supports to deal with such termination or beginning. In some embodiments, said client device sends said message to the authenticator. In some embodiments, said client device sends said message to the dynamic host configuration server.
3.3.1. Recover the Entire States from Non-Volatile Storage (METHOD 1)
According to a first embodiment of the invention, a first method includes using non-volatile memory storage to recover the states. In this regard,
(1) First, as shown at (1) in the figure, the DHCP server preferably saves the DHCP key table and the binding table to a non-volatile memory storage. The DHCP server may update the non-volatile memory anytime when tables are updated and/or may update it periodically. The non-volatile memory storage can be implemented using any appropriate data storage or memory, such as, e.g., hard drives, magnetic disks, flash memories or the like.
(2) Second, the DHCP server preferably restarts for some reason.
(3) Third, as shown at (3) in the figure, the DHCP server preferably restores the key table and the binding table from the non-volatile memory storage. Preferably, the DHCP server removes the entries for which lifetimes have expired.
(4) Fourth, as shown at (4), the DHCP server and the client preferably use the same key until the lifetime of the key expires.
3.3.2. Reboot Notification from DHCP Server or Reboot Detection by the Authenticator (METHOD 2)
According to another embodiment, a second method can include that the DHCP restarts from the scratch. In that regard, the previous key table and the binding table will be discarded. And, each client needs to restart the authentication session.
(1) The DHCP server restarts for some reason.
(2) All DHCP keys obtained dynamically from Authenticator and corresponding entries in the binding table will be lost. The DHCP server may or may not check resources possibly allocated for previous bindings to prevent multi-allocation. Some ways of implementation to do this include:
(3) According to some preferred embodiments, a step can optionally be employed in which a) the DHCP Server informs the Authenticator that DHCP keys have been erased or b) the Authenticator has the ability to know of a reboot of the DHCP server without notification from the DHCP server. In such cases, the Authenticator preferably updates the DHCP keys for each client and sends them to the DHCP server.
(4) The client restarts the authentication session and the DHCP sessions when the Authenticator so requests, or the client notices terminations of DHCP sessions.
3.3.3. Ask Authenticator for Keys (Method 3)
According to another embodiment of the invention, a third method includes that the DHCP server requests the Authenticator to resend key information and restores the DHCP key table.
(1) First, as shown at (1) in the figure, the DHCP server requests the Authenticator to resend DHCP keys when the DHCP server starts.
(2) Second, as shown at (2) in the figure, the Authenticator sends all valid DHCP keys to the DHCP server.
(3) Third, as shown at (3) in the figure, the DHCP server restores the DHCP key table. In this regard, the binding table entries may or may not be restored.
This section describes how a DHCP client behave when the lifetime of DHCP bindings expire. There are a number of potential methodologies that can be implemented.
3.4.1. Keep Current DHCP Key
An existing methodology involves that the DHCP client and server use the current key to extend the lifetime. In this regard,
(1) First, as shown at (1) in the figure, the timer for the DHCP binding update expires.
(2) Second, as shown at (2) in the figure, the DHCP server or the client initiate a DHCP message exchange using the current DHCP key to extend the lifetime.
3.4.2. Require Re-Authentication
According to the preferred embodiments of the invention, another method can be employed that includes having the DHCP client request to renew the authentication session prior to DHCP message exchanges. In this regard,
(1) First, the timer for the DHCP binding update expires.
(2) Second, as shown at (2) in the figure, the client requests the Authenticator to re-authenticate and update the DHCP key. In some embodiments, the DHCP server can request the Authenticator to re-authenticate and update the DHCP key.
(3) Third, as shown at (3) in the figure, the Authenticator sends the new DHCP key to the DHCP server. Preferably, the PANA client informs the DHCP client of the new DHCP key.
(4) Fourth, as shown at (4) in the figure, the client begins a new DHCP session using the new DHCP key.
3.5. Server Behavior When a New Authentication Session Is Established
According to the preferred embodiments, while authentication messages are exchanged to create a new DHCP key between the authenticator and the client, the Authenticator preferably will not return a message which indicates that a new authentication session has been successfully established until the DHCP key is successfully installed on the DHCP server. In this manner, the client can begin a new DHCP session with the new key promptly after the successful authentication session establishment while, at the same time, avoiding a race condition.
PART II: Binding Network Bridge and Network Access Authentication
1. Existing Methods
Internet Draft-IETF-EAP-RFC2284bis-09, incorporated herein by reference in its entirety, defines Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods.
Internet Draft-IETF-PANA-PANA-04, incorporated herein by reference in its entirety, defines the Protocol for Carrying Authentication for Network Access (PANA), a link-layer agnostic transport for Extensible Authentication Protocol (EAP) to enable network access authentication between clients and access networks.
As discussed above, RFC3118 describes authentication for DHCP Messages, which defines the DHCP option through which authorization tickets can be generated and newly attached hosts with proper authorization can be automatically configured from an authenticated DHCP server.
As also discussed above, RFC3315 defines Dynamic Host Configuration Protocol for IPv6 (DHCPv6). DHCPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility. RFC3315 also includes Delayed Authentication Protocol for DHCPv6.
As also described above, Draft-Yegin-EAP-Boot-RFC3118-00.txt describes bootstrapping RFC3118 Delayed DHCP Authentication using EAP-based Network Access Authentication. It describes how EAP-based network access authentication mechanisms can be used to establish a local trust relation and generate keys that can be used in conjunction with RFC3118.
In addition, IEEE DRAFT P802.1X entitled “Draft Stands for Local and Metropolitan Area Networks: Standard for Port based Network Access Control,” incorporated herein by reference in its entirety, describes the architectural framework within which the authentication, and consequent actions, take place. However, it does not describe interactions among different physical ports of a switch.
The Switch Book by Rich Seifert, JOHN WILEY & SONS, INC.ISBN 0-471034586-5, incorporated herein by reference in its entirety, explains how existing switches and bridges operate.
2. Limitations of Existing Methods
EAP and PANA provide frameworks for authentication for network access. In addition, Delayed DHCP Authentication can be used to authenticate DHCP packets. Once these processes are done, clients may begin sending and receiving packets such as, e.g., application data. At this point, EAP/PANA and DHCP authentication no longer provide per-packet protection for such packets and there may be a possibility of service theft.
On the other hand, part (b) shows the network which uses a L2 bridge as a LAN instead of the broadcasting medium. The bridge does not send unicast packets addressed to Client1 to any nodes other than Client1 usually. But once an Attacker sends a packet spoofing the MAC address of Client1, the bridge updates its forwarding database according to the malicious information, and forwards subsequent packets addressed to Client1 to the Attacker instead of the legitimate Client1. The service theft is, thus, still possible. By using these methods of attack, the attacker can gain network access without any authentication.
There has, thus, been a need for new methods to prevent malicious attackers from gaining unauthorized network accesses in these environments.
3. Proposed Models
3.1. The Outline of the Example Network
In addition, the bridge also has other physical ports connected to client hosts and networks. These are referred to as “client ports.” For example, each client port has a name like P1, P2 and P3. In the embodiment shown in
3.2. Forwarding Databases
An existing network bridge has a table named a forwarding database, which stores relations between MAC addresses and bridge ports. In the preferred embodiments of the invention, a number of new types of forwarding databases are introduced into the bridge.
3.2.1. Authorized Forwarding Database
A first illustrative new database is referred to as an Authorized Forwarding Database (AFD) which preferably includes a list of pairs of a MAC address and a port number. An exemplary AFD is shown in the following Table 1
Preferably, the AFD is maintained in a way that any MAC address never appears two or more times. Preferably, if a record of a given MAC address exists in the AFD, it means that the client node which has the MAC address and is connected to the port is authenticated by the authenticator. In the preferred embodiments, all authenticated client nodes connected to the bridge appear in the AFD of the bridge. Preferably, when the authentication session between the client and the authenticator is deleted, the record corresponding to the MAC address of the client is promptly removed from the AFD. Preferably, when a record is removed from the AFD, the authentication session corresponding to the MAC address of the removed record is promptly deleted.
In the preferred embodiments, the authenticator is configured to request the bridge to add or remove a record in the AFD. In some embodiments, physical disconnection of the client node may or may not remove the record of the client from the AFD, such as, e.g., depending on the policy of the network provider and/or the client node.
A second illustrative new database is referred to as an Unauthorized Forwarding Database (UFD) which preferably includes a list of pairs of a MAC address and a port number—i.e., similar to that of the AFD. Preferably, any MAC address never appears two or more times in the UFD. Preferably, the system is prohibited from adding a MAC address that already exists in the AFD or UFD. In the preferred embodiments, if a record of a given MAC address exists in the UFD, it means that the client node which has the MAC address and is considered to be connected to the port is not authenticated by the authenticator yet.
Preferably, when the authentication session between the client and the authenticator is established (i.e., it is authenticated), the record corresponding to the MAC address of the client is removed from the UFD and added to the AFD. On the other hand, preferably, when the authentication message exchanges fail, such as, e.g., with an error or a timeout, the record corresponding to the client is preferably removed from the UFD.
In the preferred embodiments, when a record needs to be deleted upon events such as, e.g., described above, the authenticator requests the bridge to add or remove the record in the UFD. Preferably, a record in the UFD has a lifetime. Preferably, there is an upper limit of the lifetime. If it exceeds the lifetime, the record is preferably removed from the UFD. In some embodiments, if a record in the UFD is removed in the middle of authentication message exchanges between the client and the authenticator, the authentication promptly fails.
Removal of the record and failure of the authentication session should preferably be performed synchronously. By way of example, a simple method to maintain the synchronization is that only the authenticator determines timeout of records in the UFD. In other embodiments, any other methods to maintain the synchronization may be employed as desired.
Preferably, if the bridge receives a packet from a MAC address through a port and the MAC address does not appear in any forwarding database(s), then the record of the MAC address and the port is added to the UFD. Preferably, the record stays until the upper limit of the lifetime passes or until the authenticator requests the record to be removed or to be moved to the AFD. In some embodiments, when an authentication failure or a timeout occurs, the record may or may not be moved to a penalty list described in the next section.
In some preferred embodiments, limiting the maximum number of records for a respective port can be employed to help prevent kinds of DoS attacks that aim at overflowing the UFD. If the number of records which has the same port number reaches the limit, the bridge preferably denies a request to add records for the port and blocks any packets not matching existing records in UFD until the number of records for that port decreases to below a certain threshold.
In some preferred embodiments, the bridge notifies promptly the authenticator and/or the dynamic host configuration server (e.g., DHCP server) of an addition of a record to the UFD and of a removal of a record from UFD. The notification preferably includes the port number and the MAC address of the record. Using the notification, the authenticator and/or the dynamic host configuration server can know the port identifier of each client. The authenticator and/or the dynamic host configuration server can, thus, e.g., block requests from suspicious clients according to the port identifier. See
In some preferred embodiments, the bridge can answer a query from the authenticator and/or the dynamic host configuration server (e.g., DHCP server) about a record of UFD, so that the authenticator and/or the DHCP server can know the port identifier of clients. In some embodiments, the authenticator and/or the DHCP server, for example, can block requests from suspicious clients according to the port identifier. See
3.2.3. Penalty List
A third illustrative new database is referred to as a Penalty List (PL) which includes a list of pairs of a MAC address and a port number just like the AFD and UFD. Preferably, a record in the PL also has timeout information, such as, e.g., a time stamp or a timer, to deal with timeout. Preferably, each record in the PL has a lifetime, which may be set to a particular length statically or changed dynamically depending on implementations. When the lifetime timer expires, the record is preferably removed from the PL automatically.
Preferably, a MAC address can appear two or more times in the PL, but a combination of a MAC address and a port is preferably unique in a PL. An exemplary Penalty List is shown below in Table 2.
In various embodiments, the actual format of the column “Timeout Information” may depend on implementation circumstances. By way of example, one illustrative implementation may store seconds left to expire (such as, e.g., in the example show in Table 2). As another example, another implementation may store the time of the day when the record is added to the PL and may determine the time of expiration dynamically.
In some alternative embodiments, the PL could be extended to include a “counter” field to the records. In this regard, when the same combination of a MAC address and a port are requested to be added to PL, the counter for the combination is preferably increased. In some embodiments, the network administrator may or may not configure the bridge not to start blocking until the counter reaches a certain value (e.g., to start blocking upon reaching a certain value). Among other things, this can enable the user to try an authentication soon after a password typo and/or another honest error. Preferably, an upper threshold for the counter may be used to block any further access from the same MAC address and port combination to prevent excessive wrong accesses.
In addition, limiting the maximum number of records per port is a good way to prevent kinds of DoS attacks that intend to make the PL overflow. Preferably, if the number of records which has the same port number P reaches a limit, the bridge adds a “wildcard” record (*, P) and removes other records which have a port number P to make a room for PL. The wildcard record may have, e.g., a maximum lifetime allowed. In addition, the wildcard record may take effect regardless of the counter. Preferably, the wildcard record does not affect packets matching records in the UFD or the AFD. If there is a wildcard record for a port P, the bridge preferably blocks any unmatching packets from port P.
3.2.4. Packet Filtering
In the preferred embodiments, the bridge preferably filters packets according to the AFD, the UFD and the PL forwarding databases described above. Preferably, a packet received at a client port P is considered to match exactly with a record in a forwarding database, if the MAC address field of the record equals to the source MAC address of the packet and the port number field of the record contains P. On the other hand, preferably a packet received at a server port is considered to match exactly with a record in a forwarding database, if the MAC address field of the record equals to the destination MAC address of the packet.
By way of example,
In the preferred embodiments, each packet is checked for filtering purposes in the following manner (i.e., according to at least some, preferably all, of the following schema):
In this document, a combination of an identifier of a bridge (i.e., bridge identifier) and a port number is referred to as a “port identifier.” Preferably, a bridge identifier is unique among bridges used in the access network.
In preferred embodiments, a port identifier is advantageously attached to a packet. In this disclosure, this is referred to as a “Port Identifier Tag” (PIT). If a Port Identifier Tag feature is enabled, the bridge tags a port identifier to a packet addressed to an authenticator or a DHCP server and forwards the tagged packet instead of the original one. When the bridge receives a tagged packet sent from an authenticator or a DHCP server, the bridge looks at a port identifier in the tag and forwards an untagged packet to the port specified in the tag.
In
3.3.2. Session Identification
Some network servers distinguish sessions by MAC addresses of their client nodes. PAA (PANA server) and DHCP server are examples of these types of servers. However, if it is assumed that multiple nodes can have the same MAC address because of accidental and/or deliberate attacks, a MAC address is not enough to identify sessions.
In this regard,
3.3.3. Security Considerations on Port Identifier Tag
Port Identifier Tag is so powerful that it should preferably be kept away from wrong or malicious use. In order to inhibit an attacker from using a PIT as an attacking tool, it is preferable to configure bridges to block packets with a PIT sent from client ports. For example, with reference to
Another way to increase the reliability of PIT is to use HMAC (Keyed-Hashing for Message Authentication: a hash function based message authentication code) or similar techniques for message authentication.
3.3.4. Potential Implementations of Port Identifier Tag
In some illustrative embodiments, a number of ways to implement PIT can include, for example:
1. The bridge checks the packet to determine whether it can be forwarded or should be blocked according to the AFD, the UFD and the PL. If the packet is to be blocked, it is discarded.
2. The bridge looks up the destination MAC address in a table, such as, e.g., a “PIT Node Table,” which preferably includes records of IP addresses and PSKs (Pre-shared Keys) indexed by MAC address. In some embodiments, a PIT Node table may be preconfigured in the bridge by the administrator. Preferably, if the destination MAC address of the Ethernet packet is not found in the table, the packet will be forwarded in the ordinary way without PIT.
3. The bridge constructs a new UDP/IP packet encapsulating the original Ethernet packet. The destination IP address is copied from the record in the PIT Node Table. The record may include the UDP port number to receive the PIT packets at the destination IP node. The source IP address may be the IP address of the bridge itself. If the bridge identifier is represented by its IP address, the “Bridge Identifier” field below may be omitted to reduce the size of PIT packets. The bridge also fills PIT-specific fields including “Bridge Identifier” field and “Bridge Port Number” field. The Bridge Identifier is a number unique among all bridges used in the network. The administrator of the network may pre-configure such for each bridge. The Bridge Port Number is to identify a port in the bridge. An HMAC field may be used, for example, to authenticate the PIT packet. The bridge preferably uses PSK in the record in the PIT Node Table to calculate the HMAC of the PIT message. The HMAC is preferably calculated over the entire IP datagram.
3.4. Other Considerations on the Bridge
In some preferred embodiments, in order to prevent the faking of a PAA and/or a DHCP server, the bridge may also be configured not to forward PANA and DHCP packets from a client port to another client port.
4. Implementation Examples
In the following subsections, two illustrative implementation examples are described. It should be understood based on this disclosure that these are merely illustrative examples.
4.1. First Example of Implementations
4.1.1. Scenario of the First Example
According to a first illustrative implementation, a system can employ an AFD, a UFD and, optionally, a PL. In the preferred embodiments, the system would perform at least some, preferably all, of the following:
1-A. With reference to
2-A. With reference to
3-A. With reference to
4-A. With reference to
5-A. With reference to
On the other hand, if the Client1 fails in the authentication or if the Client1 record in the UFD expires during the above step 3-A, the steps 4-A to 5-A are preferably replaced with following steps 4-B to 6-B:
4-B. With reference to
5-B. With reference to
6-B. In this step, the Client1 may or may not try another authentication beginning once again with the step 1-A.
4.1.2. Security Considerations
4.1.2.1. Threat 1: Service Theft by Spoofing
With reference to
However, any packet exchanges from/to MAC1 via ports other than P1 are preferably prohibited during a period that a record (e.g., MAC1, P1) exists in either of the AFD and the UFD. As a result, this type of attack would fail during the above-noted step 5-A (i.e., the AFD has the record) and steps 2-A to 4-A (i.e., the UFD has the record).
4.1.2.2. Threat 2: DoS Attack Without Authentication
With reference to
Then, the attacker could repeat steps 1-A to 3-A and steps 4-B to 6-B. During the period in which the state of the attacker is between the steps 1-A and 4-B, the legitimate Client1 would not be able to gain access to the network. This is another illustrative type of denial-of-service attack (DoS attack).
In addition, if an attacker fails in their authentication attempt and the step 5-B is enabled, the record (MAC1, P2) for the attacker may be added to a penalty list (PL). However, during the period that the record lasts, the Client1 may not be able to send a packet to the bridge that creates a record (MAC1, P1) for the Client1 in the UFD. However, once the Client1 gets the record in the UFD, the Client1 can try an authentication without being bothered by the attacker. If the attacker can use multiple ports for the DoS attack, the attacker can potentially fill up time durations with other attacking nodes that are in PL.
With reference to
In some embodiments, one illustrative solution to this type of attack is to increase the lifetime of the PL record in proportion to the number of UFD and PL records which have the same MAC address. In illustrative example of this type of solution is shown in chart (2) of
In other embodiments, further possible extensions of the PL implementation may include increasing the lifetime of a PL record at an increasing rate or exponentially when the same combination of a MAC address and a port is added to PL repeatedly. This would make the DoS attack described in this section even less feasible. However, it could result in making another type of DoS attack easier. In that regard, if an attacker and a victim use the same port P1, the attacker may try to add a MAC address MAC1 to PL excessive times from P1. After that, the victim might try to connect a node which MAC address is MAC1 to Port 1, but it could fail because the record (MAC1, P1) in PL has an exponentially large duration. To prevent this latter type of DoS attack, a moderate upper time limit may be useful for such an exponential increase.
4.1.2.3. Threat 3: DoS Attack with Authentication
With reference to
In some embodiments, such that the Authenticator can know the port identifier of the client, more flexible configurations are possible for the Authenticator. See, e.g., examples listed at the end of Section 4.2.2.3 below.
4.2. Second Example of Implementations
4.2.1. Scenario of the Second Example
According to a second illustrative implementation, a system can employ an AFD, a PIT and, optionally, a PL. In the preferred embodiments, the system would perform at least some, preferably all, of the following:
1-A. With reference to
2-A. With reference to
3-A. With reference to
4-A. With reference to
5-A. With reference to
6-A. With reference to
7-A. With reference to
In some preferred embodiments, if the Client1 fails in the authentication at the step 5-A above, the authenticator may request the bridge to add a new record in the PL for the Client1.
4.2.2. Security Considerations
4.2.2.1. Threat 1: Service Theft by Spoofing
With reference to
4.2.2.2. Threat 2: DoS Attack Without Authentication
Also with reference to
Because the Authenticator and the DHCP server can distinguish multiple sessions, the Client1 can always try its authentication, while the Attacker is sending spoofing packets. See
4.2.2.3. Threat 3: DoS Attack With Authentication
Reference is now made to illustrative cases in which a) a user “User1” uses a node “Client1” and a user “User2” uses a node “Client2,” b) Client1 is connected to port P1 and Client2 is connected to port P2, and c) each of User1 and User2 have their own accounts on the authenticator. To prevent the User1 from connecting to the network, the attacker User2 can connect Client2 to the network, spoofing the MAC address of Client1. If User2 fails in an authentication, the case is similar to threat 2 described in the previous section. However, this time, the User2 can get authenticated using the user's own user credential because the User2 has a valid account on the authenticator. Furthermore, because Client2 is authenticated using the credential of User2, a record for Client2 is created in the AFD. As a result, the Client1 can thus be disabled from connecting to the bridge B1.
In order to prevent this type of attack, the network administrator can revoke the credential of the wrongdoing User2. Alternatively, the administrator may configure the authenticator so that only the credential of User1 can be used for the authentication of MAC1.
The PIT enables more flexible configurations for the Authenticator. For example, because the authenticator knows the port identifier for each message, it is possible to specify limitations using port identifiers. For example, some or all of the following rules may be implemented in some illustrative embodiments:
The following general background references are incorporated herein by reference in their entireties.
In this disclosure, the terminology “Multicast Router” includes, e.g., a router that is capable of forwarding IP multicast packets. In some examples, there may be multiple IP multicast routers in the same IP link.
In this disclosure, the terminology “Multicast Listener” includes, e.g., a host or a router that has a desire to receive IP multicast packets.
1.3. IP Multicast Overview
1.4. Multicast Listener Discovery
Multicast Listener Discovery (MLD) is a protocol that is designed to run among IPv6 multicast routers and IPv6 multicast listeners on the same IP link for maintaining multicast listener states.
An overview of version 2 of MLD protocol is described below (see also [RFC3810]). For IPv4, IGMP (Internet Group Management Protocol) (see [RFC3376]) is used for similar purposes as MLD. Because MLD and IGMP provide the similar functionality, a similar explanation and discussion (except for differences with regard to message names and address types) can be applied to IGMP. Accordingly, in this disclosure, a discussion in relation to IGMP is not elaborated upon further in this disclosure.
A multicast listener state is maintained per link of a multicast router and conceptually involves of a set of records of the form:
(IPv6 multicast address, filter mode, source list).
The filter mode indicates either INCLUDE or EXCLUDE, where INCLUDE indicates that multicast packets sent from any source address listed in the source list and destined for the IPv6 multicast address is forwarded on the link and EXCLUDE indicates that multicast packets sent from any source address listed in the source list and destined for the IPv6 multicast address is not forwarded on the link.
In MLDv2, a multicast router multicasts a Multicast Listener Query (MLQ) message periodically or on demand on each link. An MLQ message is sent on demand when a Multicast Listener Report (MLR) message that causes a change in the multicast listener state of a link is received on the link. A multicast listener sends an MLR message when it expresses its desire to listen to or to no longer listen to a particular multicast address (or source) or when it receives an MLQ message. A multicast router updates the multicast listener state when it receives an MLR. The multicast router forwards multicast packets originated from a particular source S and destined for a particular multicast address G on an link if and only if the multicast listener state of the link indicates that forwarding packets with source-destination address pair (S,G) are explicitly allowed or not explicitly prohibited.
1.5. MLD Snooping
1.6. MLD Authentication
A secure extension to MLD called MLD authentication protocol or MLDA protocol is defined in the above-cited reference [MLDA]. The MLDA protocol provides the functionality for a multicast listener to authenticate to a multicast router so that only authenticated multicast listeners on a link can update the multicast listener state of the link of the multicast router. In this manner, MLD authentication can be used for subscription-based multicast streaming contents delivery by forwarding data traffic only to authenticated and authorized subscriber nodes. MLDA supports PAP (Password Authentication Protocol) and CHAP (Challenge-Response Authentication Protocol) authentication protocols for authenticating multicast listeners, which allows multicast listeners to be authenticated by backend AAA (Authentication, Authorization and Accounting) servers by having AAA client functionality on the multicast routers in order to avoid passwords of multicast listeners to be stored on every multicast router in the access networks.
1.7. SRTP
SRTP (Secure Real-time Transport Protocol) is set forth in the above-cited reference [RFC371 1] and provides application-layer per-packet encryption, integrity protection and replay protection.
2. Problem with Existing Methods
As described below, there are a variety of problems with and limitations in existing methods.
Problem 1:
A first problem involves that the MLD itself does not prevent unauthorized listeners from sending MLR messages to change the multicast listener state to receive multicast packets, which would result in free-riding of multicast-based services, regardless of whether the type of the link (e.g., point-to-point or shared) between the listeners and the multicast router and regardless of whether a MLD snooping technique is used on the link or not in the case of a shared link.
In this regard, MLDA could be used for solving this security problem by, e.g., employing an appropriate access control tied with listener authentication and authorization provided by MLDA. However, there has been no such an access control method tied with a listener authentication and authorization mechanism such as MLDA.
Problem 2:
A second problem involves a security problem due to the weakness of the authentication protocols supported by MLDA. Since both PAP and CHAP supported by MLDA are known to be vulnerable against dictionary attack when static passwords of multicast listeners are used as the shared secrets of PAP and CHAP, the use of those algorithms are dangerous and not recommended unless these authentication protocols are run over a secure communication channel. Especially, PAP and CHAP should not be used over a wireless LAN where an attacker can easily be a bogus access point to obtain or guess user passwords.
Problem 3:
A third problem involves that MLDA does not provide confidentiality of MLDA payloads. Furthermore, MLDA requires modification to MLD.
Problem 4:
A fourth problem involves that although MLDA can be integrated with AAA, since most commercial access networks require network access authentication which is also integrated with AAA, it is possible that a network access client which is also a multicast listener would result in an inefficient signaling in view of performing the AAA procedure twice, presenting once for network access authentication for obtaining a global IP address and once for receiving credentials, which should preferably be avoided as much as possible.
Problem 5:
A fifth problem involves that solutions relying solely on network layer and/or link-layer security mechanisms including MLDA and IEEE 802.11i cannot prevent clients that are authenticated and authorized for network access over a wireless access link from receiving and decoding multicast data packets that are forwarded on the link to other multicast listeners. This means that a higher-layer per-packet security mechanism such as SRTP (see [RFC3711]) is needed to avoid free-riding of multicast services over fully shared access links. Such a higher-layer per-packet multicast security mechanism needs exchange protocols to deliver multicast cipher keys to the multicast listeners in order to automate the multicast key distribution procedure. The above-noted MIKEY (see [MIKEY]) and KINK (see [KINK]) are designed to function as such. However, there is no practical solution for establishing credentials needed for using such multicast key exchange protocols.
3. Proposed Solutions
3.1. Bootstrapping MLDA from Network Access Authentication
One problem of using MLDA is due to the use of static passwords of multicast listeners as the shared secrets of PAP and CHAP in MLDA. One solution is to use a dynamically generated shared secret for PAP and CHAP in MLDA. The shared secret preferably has a lifetime so that the secret is valid only for a limited amount of time. In this disclosure, a security association between a multicast listener and a multicast router based on the shared secret used in MLDA is referred to as the MLDA security association or the MLDA SA and the shared secret is referred to as the MLDA-Key. In the preferred embodiments, two exemplary methods to archive dynamic generation of an MLDA-Key are described below.
In the first method, the MLDA-Key is derived from an authentication session key which is dynamically created by using a network access authentication protocol such as, e.g., PANA (see [PANA]) and IEEE 802.1X (see [802.1X]). When PANA or IEEE 802.1X is used for a network access authentication protocol, the authentication session key can be derived from an EAP (see [RFC3748]) Master Session Key (MSK) through an AAA-Key (see [EAP-KEY]).
In the second method, the MLDA-Key can be encrypted and carried over a network access authentication protocol such as, e.g., PANA and IEEE 802.1X. When PANA is used as a network access authentication, the encrypted MLDA-Key may be carried in, e.g., PANA-Bind-Request and PANA-Bind-Answer messages. In this case, the MLDA-Key can be generated or managed by, e.g., a key distribution center (KDC). In this regard, an MLDA key distribution mechanism can be implemented for such purposes as appropriate based on this disclosure.
By using a short-term shared secret as an MLDA-Key instead of using a long-term password, the security level of MLDA can be improved. Among other things, this provides a solution to Problem 2 described above in the preceding section 2. In addition, these illustrative methods are efficient in that an additional AAA procedure for MLDA is not needed once an AAA procedure for network access authentication is done. As a result, these also provide solutions to Problem 4 described above in the preceding section 2.
In various embodiments, an MLDA key derivation algorithm can be implemented by those in the art as appropriate based on this disclosure.
With reference to
With reference to
3.2. Protecting MLD with Multicast IPsec
Instead of using MLDA, it is possible to use IPsec AH and/or ESP to protect MLD protocol exchanges. This method provides not only integrity protection and replay protection but also confidentiality of the contents of the MLD message. In addition, this method does not require any modification to the MLD protocol itself. These two (IPsec AH and/or ESP) provide a solution for Problem 3 described above in the preceding section 2. Since the MLD protocol is based on (e.g., link-local) multicast communications, the underlying IPsec SA forms a Group Security Association or a GSA (see [RFC3740]) which is a many-to-many association (e.g., between multicast listeners and multicast routers in the case of MLD). In order to automatically create an IPsec GSA, a multicast key management protocol can be used. There are a number of key management protocols that can be used for establishing a GSA, such as, e.g., GSAKMP (see [GSAKMP]), MIKEY (see [MIKEY]) and KINK (see [KINK]).
Similar to unicast key management protocols such as, e.g., IKE, a multicast key management protocol would generally be based on unicast communications and should have mutual authentication of end-points in order to avoid a multicast key to be established by wrong entities. This means that a certain key used for mutual authentication in the multicast key management protocol should be pre-configured on each end-point of the multicast key management protocol. Such a key is referred to as a Multicast Key Management Key or an MKM-Key. In the preferred embodiments, the proposed method is based on deriving an MKM-Key and is derived from a network access authentication protocol in the same way as deriving an MLDA-Key.
This key derivation model can be used not only for securing MLD with multicast IPsec, but also for securing other multicast communication protocols, such as, e.g., IPv6 Neighbor Discovery (see [RFC2461]) and RTP (see [RFC3550]), with multicast IPsec.
This illustrative scheme can be very efficient in that, e.g., an additional AAA procedure for MLDA is not required once an AAA procedure for network access authentication is done. As a result, this provides a solution to Problem 4 described above in the preceding section 2.
In various embodiments, an MKD-Key derivation algorithm for each possible multicast key management protocol can be implemented by those in the art as appropriate based on this disclosure.
In
3.3. Integration of MLD or MLDA and Link-Layer Multicast Access Control
In some embodiments, a link-layer switch that supports copying of layer-2 multicast frames to a limited set of ports, (e.g., a limited multicast functionality), can be used for access control of multicast traffic over a shared link.
When MLDA or MLD with IPsec is used for securely maintaining multicast listener states, a multicast router can control such a link-layer switch on the link in a way that multicast packets are forwarded to the ports where there are multicast listeners from which cryptographically valid MLR messages are received. In this method, MLDA and MLD with IPsec can be bootstrapped from a network access authentication protocol such as PANA and IEEE 802.1X by using the methods described in the preceding sections 3.1 and 3.2.
If a link-layer switch with a limited multicast functionality also supports the schemes described in the above Part II entitled “Binding Network Bridge and Network Access Control,” it is possible to filter out MLR and MLQ messages originated from and destined for listeners that have not been successfully authenticated and authorized for network access. If the switch also supports MLD snooping, it is possible to perform link-layer multicast access control without relying on MLDA or MLD with IPsec. In this method, multicast listeners are authenticated and authorized for network access by using a network access authentication protocol such as, e.g., PANA and IEEE 802.1X.
Thus, these two methods can advantageously provide a solution to Problem 1 of section 2.
If, by using a signaling mechanism that is provided independently of MLD or MLDA, multicast traffic filtering information (such as, e.g., authorized multicast group addresses and/or authorized multicast source address) for a multicast listener is installed to a link-layer switch and delivery of the subsequent authorized multicast traffic to the link-layer is enabled, then MLD or MLDA may not be used between multicast listeners and the multicast router.
3.4. Bootstrapping Secure Multicast Application Session from Network Access Authentication
As discussed above in section 2 with respect to Problem 5, a higher-layer per-packet security mechanism such as, e.g., SRTP (see [RFC3711]) is needed to avoid free-riding of multicast services over fully shared access links. Such a mechanism includes encryption of application data traffic. For such an application-layer security to work in large-scale environment, a mechanism would be used to automatically establish a security association for a secure application session with multicast keys. In some embodiments, there are two illustrative methods to archive this which are described in detail below.
The first method is based on bootstrapping a multicast key management protocol that is used for establishing a security association for a secure application session. In various embodiments, there are a number of key management protocols that can be used for establishing a security association for a secure multicast application session, such as, e.g., GSAKMP (see [GSAKMP]), MIKEY (see [MIKEY]) and KINK (see [KINK]). In addition, SIP may be used as a multicast key management protocol. As described above in section 3.2, an MKM-Key is needed for mutual authentication in the multicast key management protocol. The method derives an MKM-Key from a network access authentication protocol in the same way as described above in section 3.2.
The second method is based on carrying application session keys over a network access authentication protocol such as, e.g., PANA and IEEE 802.1X. When PANA is used as a network access authentication, application session keys such as, e.g., SRTP master keys (see [RFC3711]) may be carried with encrypted in PANA-Bind-Request and PANA-Bind-Answer messages. In this case, the application session keys can be generated or managed by a key distribution center (KDC). The application session key distribution mechanism can be implemented by those in the art as appropriate based on this disclosure.
In some embodiments, these two methods can provide solutions to Problem 5 described above in section 2, and may be used together with other methods described in sections 3.1 through 3.3.
In
In
Broad Scope of the Invention
While illustrative embodiments of the invention have been described herein, the present invention is not limited to the various preferred embodiments described herein, but includes any and all embodiments having equivalent elements, modifications, omissions, combinations (e.g., of aspects across various embodiments), adaptations and/or alterations as would be appreciated by those in the art based on the present disclosure. The limitations in the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. For example, in the present disclosure, the term “preferably” is non-exclusive and means “preferably, but not limited to.” In this disclosure and during the prosecution of this application, means-plus-function or step-plus-function limitations will only be employed where for a specific claim limitation all of the following conditions are present in that limitation: a) “means for” or “step for” is expressly recited; b) a corresponding function is expressly recited; and c) structure, material or acts that support that structure are not recited. In this disclosure and during the prosecution of this application, the terminology “present invention” or “invention” may be used as a reference to one or more aspect within the present disclosure. The language present invention or invention should not be improperly interpreted as an identification of criticality, should not be improperly interpreted as applying across all aspects or embodiments (i.e., it should be understood that the present invention has a number of aspects and embodiments), and should not be improperly interpreted as limiting the scope of the application or claims. In this disclosure and during the prosecution of this application, the terminology “embodiment” can be used to describe any aspect, feature, process or step, any combination thereof, and/or any portion thereof, etc. In some examples, various embodiments may include overlapping features. In this disclosure, the following abbreviated terminology may be employed: “e.g.” which means “for example;” and “NB” which means “note well.”
Number | Date | Country | |
---|---|---|---|
60586400 | Jul 2004 | US |