Internet Engineering Task Force                                     NSIS
Internet Draft                                H. Tschofenig, M. Buechli,
                                        S. Van den Bosch, H. Schulzrinne
                                        Siemens/Alcatel/Alcatel/Columbia
draft-tschofenig-nsis-aaa-issues-01.txt
3 March 2003
Expires: September 2003


        NSIS Authentication, Authorization and Accounting Issues

STATUS OF THIS MEMO

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

To view the list Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.

Abstract

This document describes the implications of authentication,
authorization and accounting for an NSIS QoS signaling protocol. We try
to show that authorization and charging are very important for the
internal machinery of a signaling protocol and for the security and
trust model behind it. This document only addresses charging aspects for
unicast data traffic.



1 Introduction

When RSVP [1] was designed a few assumptions had to be made. These
assumptions are, however, not described in too much detail. With regard
to authorization and charging a few issues still need to be resolved to
make it easier for network providers to create a more performant
solution. This document tries to highlight some of these issues and



H. Tschofenig et. al.                                         [Page 1]


Internet Draft                                              3 March 2003


explain why NSIS should consider them during the design phase. This
document does not try to introduce a new charging or accounting
infrastructure and does not aim to provide a literature review of
pricing mechanisms or mathematical models. Instead, an abstract view on
authentication, authorization and charging is provided as far as
relevant for NSIS and to QoS signaling in particular.

2 Terminology

Accounting terminology used in this document tries to be consistent with
[2]. NSIS terminology is taken from [3]. The term Policy Decision Point
(PDP) refers to the logical entity defined in [4].

     Charging: The determination of the charge units to be assigned to
          the service utilization (i.e. the usage of chargeable related
          elements) [5].

     Authentication: Entity authentication is the process whereby one
          party is assured (thorough acquisition of corroborative
          evidence) of the identity of a second party involved in a
          protocol, and that the second has actually participated (i.e.,
          is active at, or immediately prior to, the time the evidence
          is acquired) [6]. Entity authentication is a special type of
          authentication. In this document the term authentication
          refers to entity authentication in nearly all cases.

     Authorization: The act of determining if a particular right, such
          as access to some resource, can be granted to the presenter of
          a particular credential [2].

     Accounting: The act of collecting information on resource usage for
          the purpose of trend analysis, auditing, billing, or cost
          allocation [2].

     Domain: Refers to one or more networks under control of a single
          administrative entity.

     Chain-of-Trust: Assume a security association between node A and
          node B and another one between node B and node C. In case node
          A sends a message to node C it assumes that B acts in the
          intended manner to securely forward the message to C. This
          principle of security provides overall security which is as
          good as the weakest link in the chain.

     Financial settlement: The process of authentication and
          authorization between participating entities to establish the
          necessary infrastructure which provides the service provider
          with the necessary assurance that a service requestor can be



H. Tschofenig et. al.                                         [Page 2]


Internet Draft                                              3 March 2003


          charged. In this document two types of financial settlements
          are used: per-session and per-channel.

Reverse charging denotes charging the receiver of the data traffic in
contrast to charging the data sender.

3 The Relationship between Authorization and Accounting

RSVP is currently only deployed in closed environments such as
enterprise networks. In such an environment authorization usually means
role-based access control based on group membership or special rights to
use a service. Users are typically not charged directly for their
generated QoS traffic nor for QoS reservations. If the signaling
messages (and thereby the QoS reservation) travel beyond the
administrative domain, then the enterprise network is charged and not
the individual end user directly.

With mobility and telecommunication networks today authorization can (or
should) be seen in an abstract form as "Is one of the signaling
participants able to pay for the reservation?". This abstraction is
supported by the fact that QoS reservations require some form of penalty
for not reserving too many resources.

Authorization is strongly related to the availability of funds/credits
and therefore with charging. Some service provider might use some
additional information based on the subscriber profile stored data to
assist in the authorization process.

4 The Two Trust Models

4.1 New Jersey Turnpike Model

On the New Jersey Turnpike, motorists pick up a ticket at a toll booth
when entering the highway. At the highway exit the ticket is presented
and payment is made at the toll booth for the distance driven. An
abstract form of this model is given in Figure 1 where security is
provided in a peer-to-peer or network-to-network fashion since the
accounting and charging model is also accomplished in the same fashion.


The model shown in Figure 1 uses peer-to-peer relationships between
different administrative domains as a basis for accounting and charging.
Based on the peering relationship a chain-of-trust is established. There
are several issues which come to mind when considering this type of
model:

     · Since accounting and charging requires some protocol interaction
       with the end host, it is reasonable to assume that a QoS



H. Tschofenig et. al.                                         [Page 3]


Internet Draft                                              3 March 2003



 +--------------------+  +--------------------+  +--------------------+
 |            Network |  |            Network |  |            Network |
 |               X    |  |               Y    |  |               Z    |
 |                    |  |                    |  |                    |
 |                ----------->            ----------->                |
 |                    |  |                    |  |                    |
 |                    |  |                    |  |                    |
 +--------^-----------+  +--------------------+  +---------+----------+
          |                                                .
          |                                                .
          |                                                v
       +--+---+  Data                         Data      +--+---+
       | Node |  ====================================>  | Node |
       |  A   |  Sender                      Receiver   |  B   |
       +------+                                         +------+

  Legend:

  ----> Peering relationship which allows neighboring networks/entities
        to charge each other for the QoS reservation and data traffic

  ====> Data flow

  ..... Communication to the end host




Figure 1: New Jersey Turnpike Model


       signaling protocol is not the first protocol executed between an
       end host and the attached network. Typically, some network access
       protocols are executed which establish a relationship between the
       user and his home network (subscription-based scenario). A more
       detailed description of this environment is given in Section 6.
       Network access procedures which include authentication and
       authorization establish the necessary financial settlement
       between the access network and some other entity. For traditional
       subscription based environments this other entity is the user's
       home network. In case of alternative means of access the user's
       home network is replaced by credit card companies or other
       entities which establish the necessary financial settlement.
       Generating additional accounting records for QoS reservations and
       QoS data traffic does not require a major change for the existing
       accounting infrastructure. We refer to this as a per-channel
       financial establishment which provides much better performance



H. Tschofenig et. al.                                         [Page 4]


Internet Draft                                              3 March 2003


       characteristics as the per-session financial settlement
       procedures. Per-session financial settlement cannot be completely
       avoided since it is required for reverse charging.

     · The price for a QoS reservation needs to be determined somehow
       and communicated to the charged entity and to the network where
       the charged entity is attached. The description of this model
       assumes that the data sender is charged. Section 6 addresses the
       issue of charging either one of the two end points.

       Appendix A describes two mechanisms for price distribution: in-
       band (or probing) and out-off band price distribution protocols

     · This architecture seems to be simple enough to allow a scalable
       solution (ignoring reverse charging, multicast issues and price
       distribution).

     · Depending on the signaling protocol and the price distribution
       protocol (especially in case of an in-band protocol) it might be
       possible that a malicious node is able to cause harm by modifying
       signaling messages in such a way that the end point is charged
       more than intended. (TBD: This issue needs to be elaborated in
       more detail.)

Charging the data sender applied to this model simplifies security
handling by demanding only peer-to-peer security protection. Node A
would perform authentication and key establishment. The established
security association (together with the session key) would allow the
user to protect QoS signaling messages. The identity used during the
authentication and key establishment phase would be used by Network X
(see Figure 1) to perform the so-called policy-based admission control
procedure. In our context this user identifier would be used to
establish the necessary infrastructure to provide authorization and
charging. Signaling messages later exchanged between the different
networks are then also subject to authentication and authorization. The
authenticated entity thereby is, however, the neighboring network and
not the end host.

The New Jersey Turnpike model is attracting because of its simplicity.
S. Schenker et. al. [7] discuss various accounting implications and
introduced the edge pricing model. The edge pricing model shows
similarity to the model described in this section with the exception
that mobility and the security implications itself are not addressed.

4.2 New Jersey Parkway Model

On the New Jersey Parkway highway, drivers have to deposit 20 or 25
cents every few miles, with toll booths in the middle of the road in



H. Tschofenig et. al.                                         [Page 5]


Internet Draft                                              3 March 2003


addition to entrance or exit ramps. (With electronic toll tags, each
such toll is deducted individually.)


+--------------------+  +--------------------+  +--------------------+
|            Network |  |            Network |  |            Network |
|               X    |  |               Y    |  |               Z    |
|                    |  |                    |  |                    |
|                    |  |                    |  |                    |
|                    |  |                    |  |                    |
|                    |  |                    |  |                    |
+-------^ -----------+  +----------^---------+  +-----^---+----------+
        |                          |                  |   .
        |+-------------------------+                  |   .
        ||+-------------------------------------------+   .
        |||                                               .
      +-+++--+  Data                        Data       +--+---+
      | Node |  ====================================>  | Node |
      |  A   |  Sender                      Receiver   |  B   |
      +------+                                         +------+

Legend:

 ----> Direct authorization and charging relationship

 ====> Data flow

 ..... Communication to the end host




Figure 2: New Jersey Parkway Model



In this model one of the NSIS end points (initiator or responder) is
charged directly by all traversed domains along the path. In other
words, each network charges the end point only for the incurred costs in
its own network. Each network maintains only local pricing information.
Figure 2 shows this model when the data sender is charged.

Below are some issues of this model:

     · Since the end point probably does not have agreements with all
       traversed networks there is a need for a trusted third party for
       authentication, authorization and financial settlement. Such a
       trusted third party might be a clearing house.



H. Tschofenig et. al.                                         [Page 6]


Internet Draft                                              3 March 2003


     · Authentication and authorization of reservation requests needs to
       be done on a per-reservation request basis. The authorizing
       entity needs to provide a per-session financial settlement with
       the intermediate domains. A route change might therefore trigger
       an authorization process which requires interaction by the
       authorizing entity.

     · There are, however, some concerns related to scalability and
       deployment. If the NSIS initiator is located in the end host (and
       the NSIS initiator is charged), then the number of end points may
       be too large to handle by a clearing house. Therefore, some kind
       of proxy in the access network which interacts with the clearing
       house on behalf of several end points may be required. Another
       approach is to use a distributed clearing house. If this model is
       deployed on an Internet-wide scale, there is a need for multiple
       clearinghouses that need to communicate with each other. This
       introduces additional complexity.

     · A route change might require a new end-to-middle
       authentication/authorization for the purpose of charging. Hence a
       route change might not be handled locally anymore. This has an
       impact on the local repair mechanism. In the New Jersey Turnpike
       model a route change in the middle of the network does not
       require any interaction with nodes other than the involved ones.
       The New Jersey Parkway model is different since it might require
       an interaction with the end points and thereby destroying the
       local repair mechanism.

     · To reduce state maintenance, processing and signaling message
       exchanges in the core network some sort of aggregation (see [8],
       [9], [10] ) is used. Aggregation causes per-flow end-to-end
       signaling messages to be hidden in the core network and a
       separate signaling message exchange to be used. Because the New
       Jersey Parkway model might require some interaction with an
       individual end host aggregation might be much more difficult to
       deploy.

     · Per-session financial settlement is necessary and serves as a
       basis for the protocol interaction.

5 What Should Be Charged?

In the description above, we assumed that data sender is simply charged
for something. There are, however, some more fine-grained charging
considerations which affect the complexity of the interaction. In
Section 6, we consider which entity to charge. Closely related is what a
user is charged for:




H. Tschofenig et. al.                                         [Page 7]


Internet Draft                                              3 March 2003


     Signaling messages: Although it is possible to charge signaling
          message originators for generated messages it is currently
          rarely used. In some cases charging for signaling can prevent
          denial of service attacks or the misuse of end-to-end
          signaling messages as a covert channel.

     QoS reservations: Charging for resource reservations implies
          charging for reserved resources regardless of whether they are
          used or not.

     Transmitted data traffic: Charging based on transmitted data
          traffic is based on the amount of bytes or packets that have
          been sent by the data source. This type of charging will
          constrain the traffic volume of the data source but not the
          duration or amount of the reservation. Therefore, this type of
          charging can only be applied for QoS classes that allow for
          overbooking of resources (i.e., resources are not provisioned
          with regard to their specified peak rate).

     Application cost: Finally, there are costs associated to the usage
          of a particular service such as a conferencing or video
          streaming. This cost might already include the cost of the
          above-mentioned costs for more end user transparency. Costs
          for applications are outside the scope of NSIS.

6 Who Should Be Charged?

Which entity is charged is one of the most important questions for an
AAA framework. To provide the required functionality the following
issues need to be addressed:

     · Negotiation which entity is charged for which part of the costs;

     · Price distribution;

     · Authorization of a reservation;

     · QoS signaling;

These individual steps might be combined and merged with the QoS
signaling messages. As an example, in RSVP the signaling messages PATH
or RESV might be used to piggyback information related to price
distribution and charging. Whether this is possible depends on the
flexibility of the signaling protocol, the number of round-trips
executed by the signaling protocol and the semantic of the messages.

Subsequently the above-described issues are discussed in more detailed:




H. Tschofenig et. al.                                         [Page 8]


Internet Draft                                              3 March 2003


     Negotiation which entity is charged:

          First the end points need to negotiate or determine which
          entity will be charged for what part of the total cost. Once
          it has been decided the networks along the path (Parkway
          model) or the access networks have to be informed about this
          decision since they finally need to know where to get the
          money from. In existing telecommunication networks it is not
          only possible to provide this negotiation capability at the
          beginning of the session but also during an established
          session or even afterwards. Because of the stateless principle
          we assume that there is no such session concept and hence it
          is fair to say that the negotiation is done first (but with
          the option to be changed at any time).

          In this context it is interesting to mention that ST-II [11]
          provides an object to indicate which entity to charge for the
          reservation. Such object is not included in the base RSVP
          RFCs. We believe that such information should belong to a QoS
          signaling protocol since it delivers the necessary information
          to the networks in order to setup the accounting and charging
          procedures.

          In the literature (for example in [7], in [12] and in [13]),
          an additional degree of control has been introduced by
          allowing the sender and the receiver to divide the cost
          between them. Furthermore, it is possible the the two parties
          share different types of costs (see Section 5). Hence it would
          be possible to charge the sender for the QoS reservation but
          to charge the receiver for application-specific costs.
          Needless to say, this adds complexity.

     Price distribution:

          Aspects of price distribution are discussed in Appendix A, but
          a summary of the most important issues is given in this
          section. Two problems arise when determining the price of the
          reservation. First, the price cannot be immediately inferred
          from the destination IP address. Second, the asymmetry of
          routes at router and AS level (see [14]) and the possibility
          of asymmetric costs for a single link in the uplink or
          downlink direction requires that the direction is considered.

          The process of price determination, price distribution and
          authorization is likely to be periodic since the duration of
          the QoS reservation is unknown at the beginning of the
          signaling message exchange. The soft-state principle used in
          NSIS requires periodic refresh messages to keep a reservation



H. Tschofenig et. al.                                         [Page 9]


Internet Draft                                              3 March 2003


          in place. Hence, there is a question whether the price
          determination, price distribution and authorization mechanism
          should be closely tied to this refresh interval. There is
          clearly a tradeoff between performance (computational and
          bandwidth requirements) and efficiency. If price
          determination, price distribution and authorization mechanism
          is bound to the refresh interval and the refresh messages are
          transmitted at a very high rate, then substantial overhead
          might be caused.

          From a user perspective, it is important that cost
          transparency is provided and that the end host has the ability
          to determine the cost of a reservation and has the ability to
          perform cost control.

     Authorization of a reservation:

          Whenever authorization is discussed in this context then the
          ability to provide assurance for charging is meant. This is,
          however, only of interest where an end host is participating
          in the signaling message exchange and depending on the chosen
          model which part of the signaling path is considered. For
          intra-domain traffic (traffic within an administrative domain)
          authorization is much simpler: An incoming signaling message
          hitting a router within the domain is authenticated and
          verification is required to ensure that the message is
          transmitted from a known router within the same domain. This
          assumes that the borders are properly protected and discard
          unprotected signaling message from other domains.

          The establishment of the necessary infrastructure is either
          based on a per-session communication (e.g., micro-macro
          payment protocols, authorization tokens) or more traditionally
          as part of the network access procedure (e.g., AAA
          communication). Depending on the model (NJ Turnpike or NJ
          Parkway model) and on the choice for charging of the data
          sender or the data receiver per-session established
          authorization setup might be required. From a performance
          perspective, the per-session based approach is less favorable.

     QoS signaling:

          Finally. there is the question how the above-described steps
          should be most efficiently combined with the behaviour of a
          QoS signaling protocol.

Principally either the data sender or the data receiver can be charged
for a QoS reservation. Since signaling protocols are typically



H. Tschofenig et. al.                                        [Page 10]


Internet Draft                                              3 March 2003


characterised as either sender- or receiver-initiated, an answer has to
be provided which approach allows a better integration with various
charging strategies. Unfortunately, it is not possible to consider only
charging for the data sender since charging for the data receiver is
often used in todays telecommunication networks (e.g., 800 numbers,
collect calls).  In this version of the document we mainly focus on the
simpler NJ Turnpike model. Future versions will extend the descriptions
to the NJ Parkway model.

To simplify representation the AAA infrastructure is not shown in Figure
3, 4, 5 and in 6. Hence to get a complete picture the reader has to take
the AAA infrastructure into account. This might involve interaction with
local AAA servers, interaction with a Credit Control Server for the
purpose of real-time cost and credit control as described in [15] or
home AAA servers in case of mobility as depicted in Section 7.

6.1 Sender initiated reservations with charging for the data sender

This model is the simplest in relationship with the NJ Turnpike model
since the data sender S which triggers the reservation is also charged.
The necessary charging infrastructure is likely to be established as
part of network access authentication and the interaction with a AAA
infrastructure. When AS 1 receives a QoS reservation request which asks
for the establishment of a QoS reservation then an authorization check
can immediately be executed. Authorization might not only be based on
credit availablility but also on some information stored with the
subscriber's contract such as contract type or some form of policy which
might also be distributed as part of the initial network access
procedures or on-demand accessible via the AAA infrastructure. The
subscriber's contract is a business relationship between the user and
his home provider.

To provide cost control for the data sender it is likely that additional
communication between AS 1 and the initiator S is necessary to
distribute the necessary information. The initiator S might want to know
the price for the QoS reservation in advance before issuing a QoS
reservation message (RESV message in Figure 3 based on the RSVP
terminology). Hence for in-band price distribution a separate roundtrip
is required. For out-of-band price determination such a roundtrip can be
omitted but some tariff or price information has to be communicated
between the sender S and the access network (AS1 in our case) - if not
already known for some other reason.

For in-band price distribution each network (or even each router) along
the path accumulates cost and AS 1 charges S for the total amount. Based
on the existing peering relationship between neighboring networks each
provider charges its neighboring provider. This procedure might be
comparable with the postal service where a customer gives a letter to a



H. Tschofenig et. al.                                        [Page 11]


Internet Draft                                              3 March 2003


post post office and delegates responsibility to perform the required
shipping. The post office might itself delegate the responsibility to
other companies to transport the letter to its final destination. The
sender pays for the total amount for the shipment at the post office
which knows the total cost for the entire delivery. Each participating
party receives the monetary amount negotiated with its "peer" based on
the previously agreed price. A similar description is provided in [16].



      +----+ RESV +----+ RESV +----+ RESV +----+ RESV +----+
      |AS 1|----->|AS 2|----->|AS 3|----->|AS 4|----->|AS 5|
      +----+      +----+      +----+      +----+      +----+
        ^                                               |RESV
        |RESV                                           v
      +----+                                          +----+
      | S  |                                          | R  |
      +----+                                          +----+
                          Data Traffic
        ================================================>
          Charging (S -> AS1 -> AS2 -> AS3 -> AS4 -> AS5)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>

  Legend:

  ----> Signaling message
  ====> Data flow
  ~~~~> Charging direction




Figure 3: Sender-initiated reservation with charging for the data sender



6.2 Sender initiated reservation with charging for the data receiver

Charging for the data receiver is more complex in comparison to charging
for the data sender. The reason is not due to the QoS signaling
machinery - such as sender- or receiver-initiated reservations but
caused by the complicated charging relationships. The following
description tries to describe the problem in more detail which is
depicted in Figure 4:

When AS 1 receives the RESV signaling message from S which indicates
that R is charged for the price of the QoS reservation then AS 1 needs
some assurance that the entity R is willing to pay for the indicated



H. Tschofenig et. al.                                        [Page 12]


Internet Draft                                              3 March 2003


reservation. Hence a plain identifier containing the identity of R is
insufficient to provide enough assurance.

Hence the sender needs to possess some from of authorization token which
allows AS 1 to establish the necessary association to a party which is
able to provide the financial settlement. Following the idea of such an
authorization token the subsequently described interaction is necessary.

An authorization token previously send from R to S and then transmitted
to AS 1 might allow AS 1 to establish the necessary infrastructure
(possibly to a trusted third party or to R's home network) to execute a
real-time credit check and to be able to charge R via this
infrastructure by AS 1 for a given QoS reservation. Then the QoS
reservation is done in the same way as a sender-initiated reservation
with charging for a data sender. The total cost for the session cannot
be fully determined during the reservation setup because the duration of
a call and other factors are unknown at the beginning. Hence periodic
communication is necessary between AS 1 and a trusted third party or R's
home network. R needs to be given a mechanism to allow the QoS
reservation and therefore the costs to be restricted without always
transmitting authorization tokens to the data sender for periodic re-
authentication and re-authorization procedures.

Note that the sender S communicate the name of the data senders access
network (in this case AS 1) to the receiver R. This allows the data
receiver R to request an authorization token for a specific network with
the indicated QoS parameters to include some additional restrictions in
the token.

It is not very likely that the data receiver R provides direct payment
to S before triggering a QoS reservation. Such an infrastructure is not
likely to be available.


6.3 Receiver initiated reservation with charging for the data receiver

The properties of the sender initiated reservation with charging for the
data receiver described-above are similar to those of a receiver
initiated reservation.

When AS 1 receives a PATH signaling message then S has to indicate that
R is willing to pay for the QoS reservation. Unfortunately the PATH
message (with the semantics defined within RSVP) cannot be used to
determine the price of a reservation since the receiver is allowed to
change the QoS parameters. Hence the computed price might only serve to
compute the upper-bound and would therefore only serve R as a hint. AS 5
cannot use an out-of-band price distribution mechanism because of
asymmetric routes. Hence price distribution can only be probing based



H. Tschofenig et. al.                                        [Page 13]


Internet Draft                                              3 March 2003




      +----+ RESV +----+ RESV +----+ RESV +----+ RESV +----+
      |AS 1|----->|AS 2|----->|AS 3|----->|AS 4|----->|AS 5|
      +----+      +----+      +----+      +----+      +----+
        ^                                               |RESV
        |RESV                                           v
      +----+                                          +----+
      | S  |                                          | R  |
      +----+                                          +----+
                          Data Traffic
        ================================================>
                     Payment (R -> AS1 or R -> S)
        <~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          Charging ([S ->] AS1 -> AS2 -> AS3 -> AS4 -> AS5)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>

  Legend:

  ----> Signaling message
  ====> Data flow
  ~~~~> Charging direction




Figure 4:  Sender-initiated  reservation  with  charging  for  the  data
receiver


(in-band).

Finally after a successful reservation the receiver R (or some party
associated with R) has to provide a financial settlement with AS 1 to
transfer the desired QoS costs.

A major question is therefore whether it is possible for R to provide
financial settlement with AS5 although the reservation price is
determined from S to R (data flow direction).

AS 1 therefore has to determine the price for the reservation and
communicate the accumulated price along the path to AS 5 and to R.

TBD: Is it possible for R establish a financial settlement with AS5 to
provide peer-to-peer charging in the reverse direction(R -> AS 5 -> AS 4
-> AS 3 -> AS 2 -> AS 1) although authorization for the RESV message
would be required at AS 1?




H. Tschofenig et. al.                                        [Page 14]


Internet Draft                                              3 March 2003


  +----+ PATH +----+ PATH +----+ PATH +----+ PATH +----+
  |AS1 |.....>|AS2 |.....>|AS3 |.....>|AS4 |.....>|AS5 |
  |    |<-----|    |<-----|    |<-----|    |<-----|    |
  +----+ RESV +----+ RESV +----+ RESV +----+ RESV +----+
    ^ |                                            .  ^RESV
PATH. v RESV                                  PATH v  |
  +----+                                          +----+
  | S  |                                          | R  |
  +----+                                          +----+
                       Data Traffic
     ================================================>
                  Charging (R -> AS1 or R -> S)
     <~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Charging ([S ->] AS1 -> AS2 -> AS3 -> AS4 -> AS5)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>

  Legend:

  ----> Signaling message with RSVP RESV semantic
  ....> Signaling message with RSVP PATH semantic
  ====> Data flow
  ~~~~> Charging direction




Figure 5: Receiver-initiated reservation  with  charging  for  the  data
receiver



6.4 Receiver initiated reservation with charging for the data sender

When the sender S transmits a PATH message neither S nor AS 1 are able
to determine the cost for the reservation solely based on the semantic
of the PATH message. The PATH message is forwarded towards the data
receiver. R then finally decides about the reservation and its
parameters but S is charged for the reservation.

It seems to be difficult for the sender S to restrict the QoS parameters
selected by the receiver R when transmitting the RESV message. It would
therefore be better if either a double roundtrip is used or if the
semantics of the PATH message is changed.


6.5 NJ Parkway Model Example





H. Tschofenig et. al.                                        [Page 15]


Internet Draft                                              3 March 2003




  +----+ PATH +----+ PATH +----+ PATH +----+ PATH +----+
  |AS1 |.....>|AS2 |.....>|AS3 |.....>|AS4 |.....>|AS5 |
  |    |<-----|    |<-----|    |<-----|    |<-----|    |
  +----+ RESV +----+ RESV +----+ RESV +----+ RESV +----+
    ^ |                                            .  ^RESV
PATH. v RESV                                  PATH v  |
  +----+                                          +----+
  | S  |                                          | R  |
  +----+                                          +----+
                       Data Traffic
     ================================================>
       Charging (S -> AS1 -> AS2 -> AS3 -> AS4 -> AS5)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>

  Legend:

  ----> Signaling message with RSVP RESV semantic
  ....> Signaling message with RSVP PATH semantic
  ====> Data flow
  ~~~~> Charging direction




Figure  6:  Receiver-initiated  reservation  with  charging for the data
sender


The following example shows the implications for a sender initiated
reservations with charging for the data sender based on the NJ Parkway
model.

The sender needs some mechanisms to provide information to all
intermediate domains which request independent charging from the data
sender (i.e. from S). This mechanism can be provided by the following
procedures:

     · Information carried within the NSIS protocol (e.g. OSP tokens)
       which immediately allow the intermediate domain to contact some
       trusted third party (such as a clearing house).

     · The possibility for an intermediate network to request
       authentication / authorization from the data sender S via NSIS.
       Such a mechanism might therefore be similar to SIP.





H. Tschofenig et. al.                                        [Page 16]


Internet Draft                                              3 March 2003


     · An out-of-band mechanism which is triggered by intermediate
       networks to request authentication and authorization from
       intermediate networks.

In-band price distribution (or probing) is difficult to use since the
data sender is not aware of the QoS reservation costs along the entire
path (without a previous query). Out-of-band price distribution might
provide this functionality but a separate interaction with each domain
to the end host is required. When transmitting some sort of
authorization tokens it might be useful for the data sender S to have
information about the QoS reservation costs of all individual
intermediate domains along the path.

7 Implication of Mobility

This section addresses some of the implications of mobility. Starting
with a simple model at the beginning which allows limited mobility in
the same administrative domain some basic observations are made.
Extending the basic model to support to mobility to support mobility
where both users are registered at the same home network but roam to
different access networks (different from the home network). Finally
even this restriction is abolished.

7.1 Simple model without mobility

In Figure 7 two nodes are attached to a single administrative domain
either in a non-mobile environment (traditional enterprise network) or
with limited mobility in this network. No roaming agreements are
necessary and even authentication during network access might be
simplified due to a larger degree of freedom for selecting the proper
security infrastructure (for example Kerberos everywhere). To provide
authorization of a QoS reservation request role based access control
might be used since momentary authorization might not be applicable in
an enterprise network. Instead users or groups with specific rights
might be allowed to trigger QoS reservations. In this case it might not
even be necessary to communicate information who is charged for which
information to the network elements. Inter-domain communication for QoS
signaling messages and for AAA communication is not required.


7.2 Split between access and home network(s)

With Figure 8 the basic environment described in Figure 7 is extended by
allowing end hosts to roam to networks (denoted as access network)
beyond their home networks. As part of the network access authentication
the end host is authenticated to its home network involving entities
(such as the local AAA server in the access network). AAA inter-domain
communication is required. The QoS signaling messages stay within the



H. Tschofenig et. al.                                        [Page 17]


Internet Draft                                              3 March 2003




   +------------------------------------------------------------------+
   |                                                                  |
   |                            +------+                   Network    |
   |                           -+ AAA/ +--                    X       |
   |                        --- | PDP  |  ----                        |
   |                     ---    +------+      -----                   |
   |                  ---                          -----              |
   |               ---                                  ----          |
   |          -----                                         ---       |
   |      +---+----+                                      +---+----+  |
   |      | Router |                                      | Router |  |
   +------|   1    |--------------------------------------|   n    |--+
          +---+----+                                      +---+----+
              |                                               |
           +--+---+                                        +--+---+
           | Node |                                        | Node |
           |  A   |                                        |  B   |
           +------+                                        +------+



Figure 7: Simple model without mobility


same access network which is different than the home network.
Additionally the user might be registered at different home networks.
These networks primarily serve the purpose of providing a guarantee that
the indicated user requesting resources (and network access) is able to
pay. This functionality can be provided by a traditional
telecommunication network, by a credit card company or by something
similar.

In comparison to the previous model it is likely that role-based access
control is not sufficient for the purpose of QoS reservation request
authorization. Hence it might be necessary for the end hosts to decide
which entity (user A at node A or user B at node B) has to be charged
for which resource (QoS reservation, QoS data traffic, etc.). The access
network then collects accounting records and transmits bills to the
indicated home network of the authenticated user. Since the QoS
signaling messages travel only within a single administrative domain it
is not necessary to address issues raised in Section 4.


7.3 Global mobility





H. Tschofenig et. al.                                        [Page 18]


Internet Draft                                              3 March 2003




+----------------------+                      +----------------------+
| +------+             |                      | +------+             |
| | AAA  |     Home    |                      | | AAA  |     Home    |
| |      |     Network |                      | |      |     Network |
| +--+---+     (User A)|                      | +--+---+     (User B)|
|    |                 |                      |    |                 |
|    |                 |                      |    |                 |
+----+-----------------+                      +----+-----------------+
     |                                             |
     +---------------------------+-----------------+
                                 |
+--------------------------------+-----------------------------------+
|                             +--+---+                Access Network |
|                             | AAA/ |                               |
|                             | PDP  |                               |
|                             +--+---+                               |
|          +---------------------+-----------------------+           |
|          |                                             |           |
|      +---+----+                                    +---+----+      |
|      | Router |                                    | Router |      |
+------|   x    |------------------------------------|   y    |------+
       +---+----+                                    +---+----+
           |                                             |
        +--+---+                                      +--+---+
        | Node |                                      | Node |
        |  A   |                                      |  B   |
        +------+                                      +------+




Figure 8: Split between access and home network(s)


As an extension of the previous model global mobility is considered
where users are subscribed at different home networks and they roam in
different networks. The networks between the two access networks (X and
Y), which are traversed by the QoS signaling message, are omitted. This
scenario addresses issues discussed in Section 4 and 6. Note that the
AAA Broker is not necessarily required if the two home networks (of user
A and B) share a business and trust relationship (and consequently a
security association).


8 Security Considerations




H. Tschofenig et. al.                                        [Page 19]


Internet Draft                                              3 March 2003



                             +----------+
                             |   AAA    |
     +-----------------------+  Broker  +----------+
     |                       +----------+          |
+----+-----------------+                      +----+-----------------+
| +--+---+             |                      | +--+---+             |
| | AAA  |     Home    |                      | | AAA  |     Home    |
| |      |     Network |                      | |      |     Network |
| +--+---+     (User A)|                      | +--+---+     (User B)|
|    |                 |                      |    |                 |
|    +----+            |                      |    +----+            |
|         |            |                      |         |            |
+---------+------------+                      +---------+------------+
          |                                             |
+---------+------------+                      +---------+------------+
|         |            |                      |         |            |
|      +--+---+        |                      |      +--+---+        |
|      | AAA/ |        |                      |      | AAA/ |        |
|      | PDP  |        |                      |      | PDP  |        |
|      +---+--+        |                      |      +---+--+        |
|          |           |                      |          |           |
|   Access Network X   |                      |   Access Network Y   |
|          |           |                      |          |           |
|      +---+----+      |                      |      +---+----+      |
|      | Router |      |                      |      | Router |      |
+------|   x    |------+                      +------|   y    |------+
       +---+----+                                    +---+----+
           |                                             |
        +--+---+                                      +--+---+
        | Node |                                      | Node |
        |  A   |                                      |  B   |
        +------+                                      +------+



Figure 9: Global mobility


This document describes the implications of two accounting and charging
models (i.e. the New Jersey Turnpike and the New Jersey Parkway model)
for NSIS QoS signaling. As excepted, there are implications for the
security architecture. The New Jersey Turnpike model is based on the
peer-to-peer security and the chain-of-trust. This model, although often
criticised, serves as the basis for RSVP and some of its mechanisms such
as local repair and the aggregation mechanism. The second model, the New
Jersey Parkway model, relaxes the assumption of the first model. The
introduced end-to-middle authentication adds additional complexity.



H. Tschofenig et. al.                                        [Page 20]


Internet Draft                                              3 March 2003


This document does not discuss concrete security mechanisms for both
models, instead the implications are presented at an abstract level.
Hence it is not useful to give detailed security requirements and
threats.

Based on the topics discussed in this draft the NSIS working group
should decide on which model QoS signaling should be based. Additionally
it is necessary to discuss sender- and receiver-initiated signaling and
finally the impacts of price distribution need to be addressed.

As a special type of authorization per-session and per-channel financial
settlement procedures are introduced.

9 Open Issues

     · Non-repudiation is a security property where one party is later
       unable to deny the execution of a specific action. For QoS
       signaling this might be a desirable property. When added to a
       signaling protocol this property, unfortunately, is not for free.
       Hence it is an open question whether real-world applications and
       architectures demand this property. This issue will be addressed
       in a more solution oriented description.

     · For intra-domain mobility it is necessary to provide context
       transfer for the purpose of re-authentiation and authorization.
       This version of the document does not describe proposal for fast
       and efficient re-authorization during intra-domain mobility
       procedures.

10 Acknowledgements

We would like to thank Tianwei Chen for his comments to the draft.

A Price Distribution

How much an entity is charged for individual parts of a QoS reservation
(see Section 5) is mainly a matter of business/marketing decisions and
will not be discussed in this document and is outside the scope of NSIS.
The task of determining the price is called pricing. Unfortunately the
price of a QoS reservation cannot easily determined based on the
structure of the IP address unlike with E.164 phone numbers. Depending
on the chosen price distribution mechanism implications for an NSIS
signaling protocol exist.

Principally, two ways of price distributions can be identified:

     Out-of-band price distribution: Using this approach the inter-
          domain prices for certain destinations a distributed by



H. Tschofenig et. al.                                        [Page 21]


Internet Draft                                              3 March 2003


          mechanisms executed separate from a NSIS in-path signaling
          protocol. In case of out-of-band price distribution it is
          required that the price is determined based on destination AS
          and the ASes along the path to this network. If the price for
          one or more networks along this path then some additional
          signaling is required. The main assumption of this scheme is
          that the information obtained by the BGP-based sink tree
          mechanism provides a good approximation to the path
          subsequently taken by the later data packets.

     In-band probing: The signaling messages enable some functions to
          query the costs along the path to determine the costs between
          the source and the destination. To discover the networks along
          the path is fairly simple if a signaling protocol used used
          (in-band probing). As a disadvantage a signaling protocol
          needs to carry new objects and additional processing is
          required at each network along the path. Hence it is required
          that each network understands and processes these objects.

In the past a number of price distribution protocols have been proposed
which have a strong relationship to the signaling machinery, since they
share common properties:

     · The determined price depends on the route between source network
       and destination network. Protocols which allow their objects to
       be embedded into the signaling protocol (in-band probing) are
       able to more accurately determine the path and therefore the
       associated costs.

     · Some flexibility and extensibility is required to allow
       autonomous systems to determine the price for a QoS reservation
       independently of other domains.

     · Signaling price information between various networks suffers from
       the same signaling protocol requires (such as scalability, "in-
       path" discovery, etc.) as QoS signaling protocols. To tackle
       scalability similar mechanisms for aggregation are therefore
       considered such as those used in [9].

     · Unfortunately none of the proposals cares about the issues
       described in Section 4 introduced by the two different models.

In [13] an in-band probing approach is presented which allows price
information to be communicated. The pricing object is updated along the
path to reflect costs. The idea of the Simple RSVP protocol [17] also
seems to follow a similar strategy.





H. Tschofenig et. al.                                        [Page 22]


Internet Draft                                              3 March 2003


RNAP [12] is a proposal which allows both in-band probing and out-of-
band price distribution. The out-of-band price distribution mechanism is
modeled according to the same principles as BGRP's aggregation and
protocol mechanism [9]. The aggregation mechanism of BGRP is inspired by
BGP [18]. A very similar idea was chosen by the Border Pricing Protocol
(BPP) [19], which uses the same aggregation mechanism but only allows
out-of-band price distribution.

The Tariff Distribution Protocol (TDP) [20] is an attempt to define
message formats (using XML, HTML, plain text or even in a binary format
e.g. JAVA classes) and attributes for exchanging tariff information
either in an in-band (for example with RSVP) or out-of-band fashion.
Instead of exchanging price information in [20] tariff are communicated.
The term tariff is thereby defined as: "A tariff is a set of rules for
calculating the charge advices for session of one service" (see Section
2 of[20]). The difference between charge and charge advice is also
described in Section 2 of [20]. Unlike in other proposals aggregation is
not considered.

In the Billing Information Protocol (BIP) [21] only attributes used to
deliver price information are described (in BNF notation). The current
specification mainly addresses SIP as a transport mechanism but can be
used for other protocols as well.

Related to the work described above is the Open Settlement Protocol [22]
which is mainly focused on charging and not on price distribution. Hence
it should be seen as complementary to the above schemes which could be
used to support the New Jersey Parkway Model described in Section 4.

The work in the Internet Open Trading Protocol (IOTP) working group (see
[23] for the IOTP Version 1.0 specification) aims to map real world
transactions to the internet and is as such a superset of the
functionality described in this document.

B Authors' Addresses

Sven Van den Bosch
Alcatel
Francis Wellesplein 1
B-2018
Antwerpen
Phone: 32-3-240-8103
EMail: sven.van_den_bosch@alcatel.be

Maarten Büchli
Alcatel
Francis Wellesplein 1
B-2018



H. Tschofenig et. al.                                        [Page 23]


Internet Draft                                              3 March 2003


Antwerpen
EMail: maarten.buchli@alcatel.be

Henning Schulzrinne
Dept. of Computer Science
Columbia University
1214 Amsterdam Avenue
New York, NY 10027
USA
EMail: schulzrinne@cs.columbia.edu

Hannes Tschofenig
Siemens AG
Otto-Hahn-Ring 6
81739 Munich
Germany
EMail: Hannes.Tschofenig@siemens.com


C Bibliography

[1] R. Braden, Ed., L. Zhang, S. Berson, S. Herzog, and S. Jamin,
"Resource ReSerVation protocol (RSVP) -- version 1 functional
specification," RFC 2205, Internet Engineering Task Force, Sept. 1997.

[2] B. Aboba, P. Calhoun, S. Glass, T. Hiller, P. McCann, H. Shiino, G.
Zorn, G. Dommety, C. Perkins, B. Patil, D. Mitton, S. Manning, M.
Beadles, P. Walsh, X. Chen, S. Sivalingham, A. Hameed, M. Munson, S.
Jacobs, B. Lim, B. Hirschman, R. Hsu, Y. Xu, E. Campbell, S. Baba, and
E. Jaques, "Criteria for evaluating AAA protocols for network access,"
RFC 2989, Internet Engineering Task Force, Nov. 2000.

[3] R. Hancock, I. Freytsis, G. Karagiannis, J. Loughney, and S. V. den
Bosch, "Next steps in signaling: Framework," Internet Draft, Internet
Engineering Task Force, 2002.  Work in progress.

[4] R. Yavatkar, D. Pendarakis, and R. Guerin, "A framework for policy-
based admission control," RFC 2753, Internet Engineering Task Force,
Jan. 2000.

[5] "European telecommunications standards institute (etsi), internet
protocol (ip) based networks; parameters and mechanisms for charging
technical report 101 734 version 1.1.1," 1999.

[6] 1997.

[7] S. Shenker, D. Clark, D. Estrin, and S. Herzog, "Pricing in computer
networks: Reshaping the research agenda," in Proc. of TPRC 1995 , 1995.



H. Tschofenig et. al.                                        [Page 24]


Internet Draft                                              3 March 2003


[8] F. Baker, C. Iturralde, F. L. Faucheur, and B. Davie, "Aggregation
of RSVP for IPv4 and IPv6 reservations," RFC 3175, Internet Engineering
Task Force, Sept. 2001.

[9] P. Pan, E. Hahne, and H. Schulzrinne, "Bgrp: Sink-tree-based
aggregation for inter-domain reservations," in Journal of Communications
and Networks, Vol. 2, No. 2, pp. 157-167, http://www.cs.columbia.edu/
pingpan/papers/bgrp.pdf , 2000.

[10] Y. Bernet, P. Ford, R. Yavatkar, F. Baker, L. Zhang, M. Speer, R.
Braden, B. Davie, J. Wroclawski, and E. Felstaine, "A framework for
integrated services operation over diffserv networks," RFC 2998,
Internet Engineering Task Force, Nov. 2000.

[11] C. Topolcic, "Experimental internet stream protocol: Version 2 (ST-
II)," RFC 1190, Internet Engineering Task Force, Oct. 1990.

[12] X. Wang and H. Schulzrinne, "Rnap: A resource negotiation and
pricing protocol," in International Workshop on Network and Operating
Systems Support for Digital Audio and Video (NOSSDAV'99), pages 77--93,
Basking Ridge, New Jersey

[13] M. Karsten, J. Schmitt, and R. Steinmetz, "An embedded charging
approach for rsvp," in International Workshop on Quality of Service '98,
Napa, California, USA , May 1998.

[14] L. Amini and H. Schulzrinne, "Observations from router-level
internet traces," in DIMACS Workshop on Internet and WWW Measurement,
Mapping and Modeling, (Piscataway, New Jersey) , Feb. 2002.

[15] H. Hakala et al.  , "Diameter credit control application," Internet
Draft, Internet Engineering Task Force, June 2002.  Work in progress.

[16] J. Gerke, H. Ritter, J. Schiller, and K. Wehrle, "Elements of an
open framework for pricing in the future internet," in Proceedings of
the Conference on Quality of future Internet Services (QofIS 2000),
pages 300--311, Berlin , 2000.

[17] K. Fujikawa and Y. Goto, "Simple resource ReSerVation protocol
(SRSVP)," Internet Draft, Internet Engineering Task Force, Feb. 2000.
Work in progress.

[18] Y. Rekhter and T. Li, "A border gateway protocol 4 (BGP-4)," RFC
1771, Internet Engineering Task Force, Mar. 1995.

[19] V. Oberle, H. Ritter, and K. Wehrle, "Bpp: A protocol for
exchanging pricing information between autonomous systems," in
Proceedings of HPSR 2001 (IEEE Workshop on High-Performance Switching



H. Tschofenig et. al.                                        [Page 25]


Internet Draft                                              3 March 2003


and Routing), Dallas (USA) , May 2001.

[20] O. Heckmann et al.  , "Tariff distribution protocol (TDP),"
Internet Draft, Internet Engineering Task Force, Mar. 2002.  Work in
progress.

[21] R. Prasanna, "Bip: Billing information protocol," Internet Draft,
Internet Engineering Task Force, 2002.  Work in progress.

[22] E. T. S. Institute, "Telecommunications and internet protocol
harmonization over networks (tiphon); open settlement protocol (osp) for
inter- domain pricing, authorization, and usage exchange, technical
specification 101 321.  version 2.1.0."

[23] D. Burdett, "Internet open trading protocol - IOTP version 1.0,"
RFC 2801, Internet Engineering Task Force, Apr. 2000.



































H. Tschofenig et. al.                                        [Page 26]