Authorization for NSIS Signaling Layer Protocols
RFC 5981
Internet Engineering Task Force (IETF) J. Manner
Request for Comments: 5981 Aalto University
Category: Experimental M. Stiemerling
ISSN: 2070-1721 NEC
H. Tschofenig
Nokia Siemens Networks
R. Bless, Ed.
KIT
February 2011
Authorization for NSIS Signaling Layer Protocols
Abstract
Signaling layer protocols specified within the Next Steps in
Signaling (NSIS) framework may rely on the General Internet Signaling
Transport (GIST) protocol to handle authorization. Still, the
signaling layer protocol above GIST itself may require separate
authorization to be performed when a node receives a request for a
certain kind of service or resources. This document presents a
generic model and object formats for session authorization within the
NSIS signaling layer protocols. The goal of session authorization is
to allow the exchange of information between network elements in
order to authorize the use of resources for a service and to
coordinate actions between the signaling and transport planes.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5981.
Manner, et al. Experimental [Page 1]
RFC 5981 NSLP AUTH February 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 4
3. Session Authorization Object . . . . . . . . . . . . . . . . . 4
3.1. Session Authorization Object format . . . . . . . . . . . 5
3.2. Session Authorization Attributes . . . . . . . . . . . . . 6
3.2.1. Authorizing Entity Identifier . . . . . . . . . . . . 7
3.2.2. Session Identifier . . . . . . . . . . . . . . . . . . 9
3.2.3. Source Address . . . . . . . . . . . . . . . . . . . . 9
3.2.4. Destination Address . . . . . . . . . . . . . . . . . 11
3.2.5. Start Time . . . . . . . . . . . . . . . . . . . . . . 12
3.2.6. End Time . . . . . . . . . . . . . . . . . . . . . . . 13
3.2.7. NSLP Object List . . . . . . . . . . . . . . . . . . . 13
3.2.8. Authentication Data . . . . . . . . . . . . . . . . . 15
4. Integrity of the SESSION_AUTH Object . . . . . . . . . . . . . 15
4.1. Shared Symmetric Keys . . . . . . . . . . . . . . . . . . 15
4.1.1. Operational Setting Using Shared Symmetric Keys . . . 16
4.2. Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3. Public Key . . . . . . . . . . . . . . . . . . . . . . . . 18
4.3.1. Operational Setting for Public-Key-Based
Authentication . . . . . . . . . . . . . . . . . . . . 19
4.4. HMAC Signed . . . . . . . . . . . . . . . . . . . . . . . 21
5. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1. The Coupled Model . . . . . . . . . . . . . . . . . . . . 23
5.2. The Associated Model with One Policy Server . . . . . . . 23
5.3. The Associated Model with Two Policy Servers . . . . . . . 24
5.4. The Non-Associated Model . . . . . . . . . . . . . . . . . 24
Show full document text