NSIS-ka
A free C++ implementation of NSIS protocols

Implementation of a Session Authorization Object

NSIS signaling applications perform critical operations inside a network, i.e. they install, maintain, or remove state on network nodes, reserve network resources, or manipulate firewalls and NAT gateways. These operations must therefore be authenticated and authorized. Furthermore, signaling messages traversing the network should be integrity protected in order to detect any unauthorized manipulation of a signaling message.

These tasks can be accomplished by means of a Session Authorization Object as being proposed by the NSIS working group. This Session Authorization Object was extended in order to allow for a fine-grained integrity protection of selected NSIS objects of the NTLP as well as of the NSLP layer.

The following figure illustrates the layout of a Signed NSLP Object List where all those objects of the NTLP and NSLP layer are listed that are computationally included into the signature data.

Signed NSLP Object List

An example of a Session Authorization Object containing a hash-based message authentication code is exemplified in the following figure:

An example AUTH_SESSION object containing a hash-based message authentication code

This approach allows for a fine-grained per-user or per-session authentication where not only the signature of a signaling message is bound to a session or a user, but also only some particular objects are included into the signature computation. This is important in order to allow some objects, like specific parts of the QSPEC object for instance, to be still modifiable by intermediate NSIS nodes.

How such a Session Authorization Object may be used in a Kerberos-based domain is exemplified in the following figure. The overall procedure works as follows:

  • The user requests a Ticket Granting Ticket (TGT) from the Ticket Granting Server (TGS), shown in step 1.
  • The user gets the answer back (step 2) and extracts the session key from the received ticket and uses it for the HMAC computation. The user sends the TGT as Session Authorization Object, together with the proposed extended Session Authorization Object as signature for the QoS NSLP message to the next signaling hop (step 3).
  • The router extracts the TGT and the session key. It stores the session key under the key index that is specified in the extended Session Authorization Object (step 4). The key should have a validity that corresponds to the lifetime of the ticket, i.e., the key will expire automatically after some time. Furthermore, the key ID must also point to the user identity, so that a corresponding user profile can be fetched in order to perform (local) policy-based admission control.

Overview of an initial session authorization using Kerberos

In order to provide a good scalability, subsequent messages usually carry only the start timestamp and the key index. The router then fetches the symmetric key from its internal map, calculates and verifies the HMAC. This is shown in the following figure:

Overview of a subsequent session authorization

Our proposed changes were published at ICC 2010 Secure Signaling in Next Generation Networks with NSIS and are already incorporated into the corresponding Internet-Draft draft-ietf-nsis-nslp-auth.

The current implementation can be found here:

svn co https://svn.ipv6.tm.uka.de/nsis/dist/nsis-ka/branches/20100618-authsession-to-trunk

There exist some offline evaluation test scripts that can be invoked inside the authsession/eval directory via

make eval
Last modified 7 years ago Last modified on Jun 22, 2010, 4:59:37 PM

Attachments (4)

Download all attachments as: .zip