ITU-T Y.2703-2009 The application of AAA service in NGN (Study Group 13) [The application of AAA service in next generation networks (NGN), Study Group 13].pdf


International Telecommunication Union

ITU-T Y.2703
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2009)

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS
Next Generation Networks – Security

The application of AAA service in NGN

Recommendation ITU-T Y.2703

ITU-T Y-SERIES RECOMMENDATIONS
GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS

GLOBAL INFORMATION INFRASTRUCTURE
General: Y.100–Y.199
Services, applications and middleware: Y.200–Y.299
Network aspects: Y.300–Y.399
Interfaces and protocols: Y.400–Y.499
Numbering, addressing and naming: Y.500–Y.599
Operation, administration and maintenance: Y.600–Y.699
Security: Y.700–Y.799
Performances: Y.800–Y.899

INTERNET PROTOCOL ASPECTS
General: Y.1000–Y.1099
Services and applications: Y.1100–Y.1199
Architecture, access, network capabilities and resource management: Y.1200–Y.1299
Transport: Y.1300–Y.1399
Interworking: Y.1400–Y.1499
Quality of service and network performance: Y.1500–Y.1599
Signalling: Y.1600–Y.1699
Operation, administration and maintenance: Y.1700–Y.1799
Charging: Y.1800–Y.1899

NEXT GENERATION NETWORKS
Frameworks and functional architecture models: Y.2000–Y.2099
Quality of Service and performance: Y.2100–Y.2199
Service aspects: Service capabilities and service architecture: Y.2200–Y.2249
Service aspects: Interoperability of services and networks in NGN: Y.2250–Y.2299
Numbering, naming and addressing: Y.2300–Y.2399
Network management: Y.2400–Y.2499
Network control architectures and protocols: Y.2500–Y.2599
Security: Y.2700–Y.2799
Generalized mobility: Y.2800–Y.2899

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T Y.2703 (01/2009)

Recommendation ITU-T Y.2703 – The application of AAA service in NGN

Summary
Recommendation ITU-T Y.2703 provides an application of authentication, authorization and accounting (AAA) for NGN release 1.

Source
Recommendation ITU-T Y.2703 was approved on 23 January 2009 by ITU-T Study Group 13 (2009-2012) under the WTSA Resolution 1 procedure.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2009
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS
1 Scope
2 References
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 General concepts for the AAA service
6.1 Overview
6.2 The AAA process
6.3 AAA procedure
7 Application model for authentication and authorization in NGN
8 AAA architecture in NGN
8.1 User to network access
8.2 User to network service attachment
8.3 Authentication and authorization of user for access to 3rd party service
9 Enrolment
10 Authentication
10.1 Authentication entities
10.2 Procedure for authentication
11 Authorization
11.1 Authorization aspects for NGN
11.2 Authorization entities
11.3 Procedure for authorization
12 Accounting
12.1 Security accounting
12.2 Functions for security accounting
Appendix I – Authentication protocol for AAA in NGN
I.1 EAP protocol for AAA service in NGN
I.2 AAA protocols
Appendix II – X.509 digital certificates as credentials
Appendix III – Authentication and authorization use-case
III.1 Authentication and authorization of user for network access
III.2 NGN service provider authentication and authorization of user for access to service/application
III.3 User authentication and authorization of NGN providers
III.4 NGN provider authentication and authorization of 3rd party service/application provider
III.5 Use of 3rd party authentication and authorization service
Bibliography

Recommendation ITU-T Y.2703
The application of AAA service in NGN

1 Scope
This Recommendation describes an application for authentication, authorization and accounting (AAA) for next generation networks (NGNs) based on [b-ITU-T Y.2201]: NGN release 1 requirements, [b-ITU-T Y.2012]: Functional requirements and architecture of the NGN release 1 (FRA), [b-ITU-T Y.2701]: Security requirements for NGN release 1, and [b-ITU-T Y.2702]: NGN authentication.

This Recommendation applies to the authentication, authorization and accounting process in accessing an NGN using the AAA client and AAA server. In particular, this Recommendation addresses the accounting function only from the standpoint of its contribution to security accounting.

The scope of this Recommendation is:
1) The enrolment process.
2) Authentication functions and procedures.
3) Authorization functions and procedures.
4) Security-accounting functions and procedures.

2 References
None.

3 Definitions

3.1 Terms defined elsewhere
This Recommendation makes use of the following terms defined elsewhere:

3.1.1 authentication [b-ITU-T X.811]: The provision of assurance of the claimed identity of an entity.

3.1.2 authentication certificate [b-ITU-T X.811]: A security certificate that is guaranteed by an authentication authority and that may be used to assure the identity of an entity.

3.1.3 authentication information [b-ITU-T X.811]: Information used for authentication purposes.

3.1.4 authorization [b-ITU-T X.800]: The granting of rights, which includes the granting of access based on access rights.

3.1.5 claimant [b-ITU-T X.811]: An entity which is or represents a principal for the purposes of authentication. A claimant includes the functions necessary for engaging in authentication exchanges on behalf of a principal.

3.1.6 security audit trail [b-ITU-T X.800]: Data collected and potentially used to facilitate a security audit.

3.2 Terms defined in this Recommendation
This Recommendation defines the following term:

3.2.1 security accounting: The role that tracks security-related actions or events that can be included as resources in the security audit function.

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations:
AAA Authentication, Authorization and Accounting
AM-FE Access Management Functional Entity
ANI Application-to-Network Interface
EAP Extensible Authentication Protocol
ID Identity as defined by the network, service, or entity being accessed
NAS Network Access Server
NGN Next Generation Network
NNI Network-to-Network Interface
NP Network Provider
OAMP Operations, Administration, Maintenance, and Provision
RACF Resource and Admission Control Functions
SCTP Stream Control Transmission Protocol
SR Service Resource
TAA-FE Transport Authentication and Authorization Functional Entity
TE Terminal Equipment
TUP-FE Transport User Profile Functional Entity
UNI User-to-Network Interface

5 Conventions
None.

6 General concepts for the AAA service
This clause deals with the basic concepts of AAA.

6.1 Overview
The authentication, authorization and accounting service provides the functions by which a user's identity is verified (authentication), the user is given access to the services (authorization), and the consumption of resources is measured (accounting).

6.2 The AAA process
The individual processes within the AAA framework are as follows:
– Authentication validates the end user's identity prior to permitting network access. The end user presents a set of credentials such as a username/password combination, a security key, a certificate or biometric data (for example, fingerprints). These credentials are normally agreed during the enrolment process. Verification of the credentials leads to the authorization process.
– Authorization defines the privileges and services the end user is allowed once network access is granted. This might include providing an IP address or invoking a filter to determine which applications or protocols are supported. Authentication and authorization are performed together in an AAA-managed environment.
– Accounting provides the methodology for collecting information about the end user's resource consumption, which can then be processed for billing, auditing, and capacity-planning purposes. Certain accounting data is relevant to the development of a security audit trail.

These three processes are centralized into a set of functions which together provide access control.

6.3 AAA procedure
The AAA service system is composed of an AAA server and an AAA client. The AAA server has access to a database of user profiles and configuration data. It communicates with AAA clients residing on network components such as a NAS (network access server) and routers, to provide distributed AAA services.

The AAA service scenarios are summarized in the following steps:
– The end user connects to the point-of-entry device and requests access to the network.
– The AAA client forwards the end user's identity/authentication credentials to the AAA server.
– The AAA server authenticates the user based on the credentials. If authentication is successful, the server then determines which service(s) are authorized and returns an accept or reject response and other relevant data to the AAA client.
– The AAA client notifies the end user that access to specified resources has been granted or denied.
– The AAA client sends an accounting message to the AAA server during connection set-up and termination for record collection and storage.

7 Application model for authentication and authorization in NGN
This Recommendation is based on the security requirements for NGN in [b-ITU-T Y.2701] and the NGN authentication reference model in [b-ITU-T Y.2702]. The NGN authentication reference model (Figure 7-1) depicts eight authentication reference points, three of which are considered/taken into account by this Recommendation: (1) access of user to network; (2) access of user to network provided service; (4) access of service provider to receiving user. Reference points (1) and (4) refer to transport of user traffic and may be viewed as depending on "horizontal" access control at the transport control level, whereas reference points (2) and (8) may be viewed as depending on control data between the transport and service control layers and therefore as being "vertical". This relationship is displayed in Figure 7-2.

[Figure 7-1 – End-to-end reference architectural model ([b-ITU-T Y.2702] NGN authentication). Elements shown: user and user device; access and transport; the service stratum (application servers, softswitch/CSCF) of Service Provider A and Service Provider B; transit; a 3rd party provider; reference points (1) to (8).]

[Figure 7-2 – NGN architecture and AAA related domains ([b-ITU-T Y.2702] NGN authentication). Elements shown: transport stratum (transport functions; transport control functions comprising network attachment control functions, resource and admission control functions and transport user profiles); service stratum (service control functions, service user profiles, application support functions and service support functions); end-user functions, management functions, other networks and applications, with the UNI, NNI and ANI, control and media planes, and reference points (1), (2), (4) and (8).]

8 AAA architecture in NGN
This clause describes the relationship between the AAA reference model and the functional architectural model described in [b-ITU-T Y.2012].

8.1 User to network access

[Figure 8-1 – Authentication and authorization of a user for network access. The NGN architecture of Figure 7-2 with an AAA client function and an AAA server function added in the transport control functions, exchanging an authentication request/response when network access is requested.]

Figure 8-1 shows the application of AAA for user to network access (i.e., an application of type 1 in Figure 7-1 above). Once an entity in the transport control functions (typically, T-14 AM-FE) detects the connection request from a user terminal, it starts acting as an AAA client. It requests the entities in the transport control functions which play the role of AAA server (such as T-11 TAA-FE and T-12 TUP-FE) for authentication of the user and authorization for the use of NGN resources. Protocols such as RADIUS or Diameter can be used for this request and response procedure. Based on the request from an AAA client, an AAA server authenticates the user by explicit (e.g., EAP) or implicit (e.g., access-line authentication) pro
