
Research on MIPv6 Authentication and Authorization Based on Diameter, RBAC and SAML

Posted on: 2009-06-30   Degree: Master   Type: Thesis
Country: China   Candidate: D P Zhang   Full Text: PDF
GTID: 2178360242480503   Subject: Computer application technology
Abstract/Summary:
In the past several years, many kinds of business based on Internet technology have entered deeply into people's daily life, which has made the shortage of IPv4 addresses increasingly critical. To solve this problem, the IETF proposed the next-generation IP protocol, IPv6. Compared with IPv4, IPv6 has many advantages: a larger address space, compact routing tables and better security. As the IPv6 protocol suite becomes more complete, IPv6 is coming closer and closer to daily life.

The original Authentication, Authorization and Accounting (AAA) technologies, such as RADIUS, can hardly satisfy the mobility and security demands of IPv6, so IETF working groups proposed a new-generation AAA service framework composed of the Diameter protocol, the PANA protocol and the EAP protocol. The Diameter protocol is maintained by the IETF dime working group. The Diameter family now consists of the Diameter base protocol together with the application protocols and drafts extended from it, such as the draft Diameter Quality of Service Application and the draft Diameter Mobile IPv6: Support for Home Agent to Diameter Server Interaction. The Diameter base protocol defines the Diameter message format, the header structure, the rules of the AVP format, the roles of the nodes, the security requirements and the state machine of each session; every application protocol or draft extended from the base protocol must follow it. The Extensible Authentication Protocol (EAP) provides a framework that supports extensible authentication methods on the link layer, which improves the roaming ability of mobile nodes. The Protocol for carrying Authentication for Network Access (PANA) defines a way to carry EAP methods over UDP between the PANA client and the network access service provider. PANA decouples the EAP implementation from the link layer and gives the mobile node roaming ability across different link-layer networks.
When the MN has no permission to access the network, it can communicate only with the PAA, using PANA messages with EAP payloads; the PAA acts as the AAA client, encapsulates the EAP method in a Diameter message and sends it to the AAA server.

On the other hand, many services need to distinguish users' identities and their authority. To reduce users' logging in and out across many services and to increase the ability of services to communicate with each other, developers proposed the concepts of identity federation and single sign-on (SSO). With identity federation, a user needs to be authenticated only once and can then use many services without signing on again. The Security Assertion Markup Language (SAML) defines a framework to describe and carry security information. Security information is represented as SAML assertions, and these assertions are sent between applications in different domains. Presently SAML is normally used in web service access control. How to combine it with the characteristics of IPv6 and extend identity federation and SSO into the scope of network access control is a current research hotspot.

Role-based access control (RBAC) introduces the concept of a role into access control: the security administrator can define roles according to requirements and associate each role with the proper authority. This separates the access control process into two parts, user-role management and role-authority management, and RBAC logically isolates users from authority management, which simplifies the work of user authorization management.

Based on a study of the Diameter protocol, the SAML protocol and the RBAC authority model, this paper designs an AAA service structure that uses Diameter messages to carry SAML assertions. This structure can be used to implement integrated and unified network access control. OpenDiameter is an open-source implementation of the Diameter base protocol that provides a series of C++ libraries for the AAA service framework. OpenDiameter is composed of an application core, session management, transmission management and a message parser.
OpenDiameter has high compatibility because it makes full use of the ACE library's advantages of design patterns, an abstract OS layer, etc. The Diameter base protocol did not define the authorization process clearly, leaving a large space to extend the authorization framework on top of it. OpenDiameter does not implement authorization decision and transmission, but it lets users define commands and AVPs on their own demand; the Diameter base protocol permits users to define their own commands and AVPs for extended Diameter applications. Based on the OpenDiameter implementation, this paper defines an AUTHSAMLReq AVP, an AUTHSAMLAns AVP and their container to carry RBAC information. In this paper the SAML AVPs are used in the AAR/AAA messages of the authentication session and in the re-authentication session. Through the SAML AVP parser in the MessageHandler, the SAML assertion can be extracted from the message.

After solving the transmission of SAML assertions, this paper designs a policy decision point (PDP) model on the AAA server and a policy enforcement point (PEP) model on the AAA client. The PDP model has two methods, GetAssertion and DealAssertion. GetAssertion generates a SAML assertion answer for the SAML request from the peer. DealAssertion is in charge of handling the SAML assertion answer from the peer, such as role transformation. The PEP model is usually deployed on the NAS server. The PEP has two methods, InitReqSAMLAVP and DealAnsSAMLAVP. InitReqSAMLAVP initializes the SAML request assertion AVP in AAR and RAR messages. DealAnsSAMLAVP handles the SAML answer assertion from the AAA server and enforces policy according to the Subject, Attribute and Condition elements in the assertion, such as EP and QoS operations. All of the design in this paper is based on C++ source packages for Linux, so the development and experiments were carried out in a CentOS environment.
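The AVP-carried assertion and the PEP step described above, as an added C++ example that is not from the thesis or from OpenDiameter: it encodes a vendor-specific Diameter AVP in the base-protocol wire format around a constructed, simplified SAML assertion, parses it back with a length check, and makes an RBAC decision from the role attribute. The AVP code, vendor id, roles and permissions are placeholders, since the thesis gives none.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// Diameter AVP wire layout (RFC 3588 base protocol): 32-bit code, 8-bit flags
// (V=0x80 vendor-specific, M=0x40 mandatory), 24-bit length covering header+data,
// optional 32-bit Vendor-Id when V is set, then data padded to a 4-byte boundary.
// Code and vendor id are placeholders: the thesis names AUTHSAMLAns but gives no number.
const uint32_t kAuthSamlAnsCode = 0x00FFFF01;  // placeholder, not a registered AVP code
const uint32_t kVendorId = 99999;              // placeholder vendor id
std::vector<uint8_t> encodeAvp(uint32_t code, uint32_t vendor, const std::string& data) {
    uint32_t len = 12 + static_cast<uint32_t>(data.size());  // 8-byte header + Vendor-Id + data
    std::vector<uint8_t> out;
    auto put32 = [&out](uint32_t v) { for (int s = 24; s >= 0; s -= 8) out.push_back((v >> s) & 0xFF); };
    put32(code);
    put32((0xC0u << 24) | (len & 0xFFFFFFu));  // flags V|M in the top byte, 24-bit length below
    put32(vendor);
    out.insert(out.end(), data.begin(), data.end());
    while (out.size() % 4) out.push_back(0);   // padding is excluded from the length field
    return out;
}

// Receiver side: return the AVP data, or "" if the code mismatches or the length disagrees with the buffer.
std::string decodeAvpData(const std::vector<uint8_t>& buf, uint32_t expectCode) {
    if (buf.size() < 8) return "";
    auto get32 = [&buf](size_t i) { return (uint32_t(buf[i]) << 24) | (uint32_t(buf[i + 1]) << 16) | (uint32_t(buf[i + 2]) << 8) | uint32_t(buf[i + 3]); };
    uint32_t code = get32(0), fl = get32(4), len = fl & 0xFFFFFFu;
    size_t hdr = ((fl >> 24) & 0x80) ? 12 : 8;  // Vendor-Id present only when the V flag is set
    if (code != expectCode || len < hdr || len > buf.size()) return "";  // reject truncated/oversized
    return std::string(buf.begin() + hdr, buf.begin() + len);
}

// PEP side: extract the role attribute from a (constructed, simplified) SAML assertion
// and check a requested action against that role's permissions.
std::string roleFromAssertion(const std::string& xml) {
    const std::string tag = "<Attribute Name=\"role\">";
    size_t p = xml.find(tag);
    if (p == std::string::npos) return "";
    size_t s = p + tag.size(), e = xml.find("</Attribute>", s);
    return e == std::string::npos ? "" : xml.substr(s, e - s);
}

bool pepPermits(const std::string& role, const std::string& action) {
    static const std::map<std::string, std::set<std::string>> perms = {  // placeholder role table
        {"staff", {"network-access", "qos-gold"}}, {"guest", {"network-access"}}};
    auto it = perms.find(role);
    return it != perms.end() && it->second.count(action) > 0;
}
```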
Because of limited conditions, the experiments in this paper used a wired network instead of a wireless environment. The experiments tested only the mobile node's authentication and authorization process in the home domain and a foreign domain, and did not test performance during the handover procedure. Through the experiments in the home and foreign domains, the design of this paper implements the use of SAML assertions in the Diameter base protocol to carry RBAC authorization information, and it provides a way to unify network access control with current web resource access control through identity federation and SSO. Based on this paper's design, further research can be done on authorization management and SSO in the MIPv6 roaming process.
Keywords/Search Tags: MIPv6, AAA, Diameter, RBAC, SAML