Authentication, Authorization, Admission, and Accounting for QoS Applications
Abstract
The main objective of the IETF Differentiated Services (DiffServ) model is to support different levels of service on the Internet for different sessions and information flows, aggregated into a small number of traffic classes. Flow classification relies on a few IP packet header fields. This approach has security limitations that are inherent to the DiffServ model. Because edge routers (ERs) are responsible for admitting packets and marking them according to their class of service, they are the element most exposed to attack. A security hole in an ER can propagate to the entire domain, compromising the QoS of every flow in it. To overcome these limitations, this paper proposes an architecture for Authentication, Authorization, Admission control and Accounting (AAAA) of QoS client applications with dynamic identification of sessions and flows. The functionality of the proposal is described and analysed in some detail, focusing on the main modules and the message exchanges among them. The paper ends with a discussion of the main advantages of the proposal over existing solutions.
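The abstract's central point is that an edge router which trusts the DS field written by the sender lets any host claim a premium class. The following is an added illustration, not code from the paper or from the authors' AAAA architecture: it builds constructed IPv4 packets, and contrasts a trusting ER policy with one that re-marks the DSCP according to an admission table. The function names, the `ADMITTED` table and the sample addresses are assumptions made for the example; the DSCP values and the header layout follow RFC 2474, RFC 3246, RFC 2597 and RFC 791.

```python
"""
Edge-router treatment of the DS field (RFC 2474): a trusting policy next
to a re-marking policy keyed on admitted flows.  Illustrative code, not
from the paper; all packets below are constructed for the example.
"""
import struct

# Well-known DSCP code points (RFC 2474 default, RFC 3246 EF, RFC 2597 AF11).
DSCP_BE = 0      # best effort / default PHB
DSCP_EF = 46     # expedited forwarding
DSCP_AF11 = 10   # assured forwarding class 1, low drop precedence

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); 0 for a valid header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, dscp: int, proto: int = 17,
               payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (IHL=5) carrying the given DSCP, ECN=0."""
    hdr = IPV4_HDR.pack(0x45, dscp << 2, 20 + len(payload), 0, 0, 64,
                        proto, 0, src, dst)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields an edge router classifies on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack(pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0xF) != 5:
        raise ValueError("only IPv4 without options is handled here")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad header checksum")
    return {"dscp": tos >> 2, "ecn": tos & 0x3, "proto": proto,
            "src": src, "dst": dst}


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite the 6-bit DSCP, keep the ECN bits, recompute the checksum."""
    tos = (dscp << 2) | (pkt[1] & 0x3)
    hdr = pkt[:1] + bytes([tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:20]
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + pkt[20:]


def trusting_edge(pkt: bytes) -> bytes:
    """Weak policy: forward with whatever DSCP the sender wrote."""
    parse_ipv4(pkt)          # still validate the header
    return pkt


def remarking_edge(pkt: bytes, admitted: dict) -> bytes:
    """Hardened policy: the ER, not the host, decides the class.

    `admitted` (hypothetical admission table) maps (src, dst, proto) of
    flows that passed admission control to the DSCP they were admitted
    for.  Anything else is re-marked to best effort, so a forged EF
    marking buys the sender nothing.
    """
    f = parse_ipv4(pkt)
    target = admitted.get((f["src"], f["dst"], f["proto"]), DSCP_BE)
    return set_dscp(pkt, target)


# Constructed sample traffic: one admitted voice flow, one forged-EF flow.
ADMITTED = {(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 9]), 17): DSCP_EF}
VOICE = build_ipv4(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 9]), DSCP_AF11)
FORGED = build_ipv4(bytes([10, 0, 0, 66]), bytes([192, 0, 2, 9]), DSCP_EF)


def demo() -> dict:
    """DSCP each policy lets into the domain for the two sample flows."""
    return {
        "trusting_forged": parse_ipv4(trusting_edge(FORGED))["dscp"],
        "remark_forged": parse_ipv4(remarking_edge(FORGED, ADMITTED))["dscp"],
        "remark_voice": parse_ipv4(remarking_edge(VOICE, ADMITTED))["dscp"],
    }


if __name__ == "__main__":
    print(demo())
```

The re-marking policy is what RFC 2475 expects of a DS boundary node; the point the abstract makes is that the table behind `remarking_edge` is only as trustworthy as the admission process that fills it, which is why the paper ties admission to authentication and authorization of the requesting application.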
Author information
Authors and Affiliations
- Carlos Rabadão: Superior School of Technology and Management, Polytechnic Institute of Leiria, Morro do Lena Alto do Vieiro, 2411-901 Leiria, Portugal; Laboratory of Communications and Telematics, CISUC / DEI, University of Coimbra, Polo II, Pinhal de Marrocos, 3030-290 Coimbra, Portugal
- Edmundo Monteiro: Laboratory of Communications and Telematics, CISUC / DEI, University of Coimbra, Polo II, Pinhal de Marrocos, 3030-290 Coimbra, Portugal
Editor information
Editors and Affiliations
- Mário Marques Freire: Department of Computer Science, University of Beira Interior, Rua Marques d'Avila e Bolama, 6201-001 Covilhã, Portugal
- Prosper Chemouil: France Telecom, Research and Development, CORE/SPP, 37-40 rue du Général Leclerc, 92794 Issy-les-Moulineaux Cedex 9, France
- Pascal Lorenz: IUT, University of Haute Alsace, 34, rue du Grillenbreit, 68008 Colmar, France
- Annie Gravey: Département Informatique, ENST-Bretagne, CS 83818, 29238 Brest Cedex 3, France
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rabadão, C., Monteiro, E. (2004). Authentication, Authorization, Admission, and Accounting for QoS Applications. In: Freire, M.M., Chemouil, P., Lorenz, P., Gravey, A. (eds) Universal Multiservice Networks. ECUMN 2004. Lecture Notes in Computer Science, vol 3262. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30197-4_44
- DOI: https://doi.org/10.1007/978-3-540-30197-4_44
- Publisher Name: Springer, Berlin, Heidelberg
- Print ISBN: 978-3-540-23551-4
- Online ISBN: 978-3-540-30197-4