Transcript
Netmanias Technical Document: Subscriber Authentication and Security Technologies for TPS Services [1] Introduction to Authentication Protocols (PPP, DHCP, RADIUS)
December 16, 2006
NMC Consulting Group(tech@netmanias.com)
PPP (Point-to-Point Protocol): RFC 1661

PPP provides:
- A frame format to be exchanged between devices (PPP frame)
- Establishment of the data link between devices (LCP)
- Link configuration and error detection (LCP)
- Link quality testing (LCP)
- Authentication methods (PAP, CHAP)
- Network layer address negotiation (e.g. IP address), encapsulated in the data link frame (NCP)
- Multiplexing of multiple network layer protocols (NCP)

PPP layered architecture (figure):
- Network layer: Layer 3 protocols such as IP and IPX
- Data link layer: PPP, made up of the NCPs (Network Control Protocols: IPCP, IPXCP and many others), authentication (PAP, CHAP) and the Link Control Protocol (LCP)
- Physical layer: physical media (serial, ATM, Ethernet, etc.)
PPP Functionality
- Link management: The Link Control Protocol (LCP) is responsible for establishing, configuring, and negotiating a data-link connection. LCP also monitors the link quality and is used to terminate the link.
- Authentication: Authentication is optional. PPP supports two authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
- Network protocol configuration: PPP has network control protocols (NCPs) for numerous network layer protocols. The IP Control Protocol (IPCP) negotiates IP address assignments and other parameters when IP is used as the network layer.
PPP Operations
- Link Establishing State (LCP)
  - Link establishment
  - Configuration negotiation
- Authenticating State (PAP, CHAP)
  - PAP (Password Authentication Protocol)
    - ID/password pair is sent “in clear text”
    - Two-way handshake (Authenticate-Request, Authenticate-Ack/Nak)
  - CHAP (Challenge Handshake Authentication Protocol)
    - Uses a “secret” known only to the authenticator and the peer
    - Three-way handshake (Challenge, Response, Accept/Reject)
- Networking State (NCP)
  - Network-layer protocol configuration negotiation
  - Delivers Layer 3 protocols such as IP, IPX
- Link Terminating State (LCP)

Standards
- RFC 1661, “The Point-to-Point Protocol (PPP)”
- RFC 1332, “The PPP Internet Protocol Control Protocol (IPCP)”
- RFC 1994, “PPP Challenge Handshake Authentication Protocol”
- RFC 1334, “PPP Authentication Protocol”
- RFC 2865, “Remote Authentication Dial In User Service (RADIUS)”
- RFC 2866, “RADIUS Accounting”
PPP - IP encapsulation
- Flag: Delimiter (framing)
- Address: Does nothing (only one option)
- Control: Does nothing; reserved for possible future use
- Protocol: Upper layer protocol to which the frame is delivered (e.g. PPP-LCP, IP, IPCP, etc.)
- Data: Upper layer data being carried
- CRC: Cyclic redundancy check for error detection

PPP frame layout (figure):
Field      Value   Size (octets)
Flag       7E      1
Address    FF      1
Control    03      1
Protocol   -       2
Data       -       <= 1500
CRC        -       2 or 4
Flag       7E      1

Protocol field values shown in the figure:
Protocol   Payload
C021       LCP: Link Control data
8021       NCP (IPCP): Network control data
C023       PAP data
C223       CHAP data
0021       IP datagram
PPP Transition Phase
A PPP connection goes through different states (figure: state diagram):
- Idle -> Establishing (LCP): carrier detected
- Establishing (LCP) -> Authenticating (PAP, CHAP): both sides agree on options to establish the link
- Authenticating (PAP, CHAP) -> Networking (NCP): authentication success; NCP configuration (IP address, etc.) follows
- Networking (NCP) -> Terminating (LCP): finish
- Establishing and Authenticating both exit with “Failed” when link setup or authentication does not succeed
- Terminating (LCP) -> Idle: carrier dropped

Sequence between the PC (user) and the RAS (NSP/ISP):
1. Link establishing (LCP)
2. Authenticating (PAP, CHAP)
3. Network layer establishment (IPCP)
4. Data transfer
5. Network layer termination (IPCP)
6. Terminating data link (LCP)
7. Idle state
LCP (Link Control Protocol)
- Code: Type of LCP packet.
- ID: Value used to match a request with its reply. One endpoint inserts a value in this field, which is copied into the reply packet.
- Length: Length of the entire LCP packet.
- Information: Data needed for the LCP packet.

LCP Packets
Code  Packet Type        Description                                                     Functionality
1     Configure-request  List of proposed options and values                             Link establishment frames
2     Configure-ack      All options are accepted                                        Link establishment frames
3     Configure-nak      Some options are not acceptable                                 Link establishment frames
4     Configure-reject   Some options are not recognized                                 Link establishment frames
5     Terminate-request  Requests to shut down the line                                  Link termination frames
6     Terminate-ack      OK, line shut down                                              Link termination frames
7     Code-reject        Unknown request received                                        Link maintenance frames
8     Protocol-reject    Unknown protocol received                                       Link maintenance frames
9     Echo-request       Please send this frame back to check if the other end is alive  Link maintenance frames
0A    Echo-reply         Response to the Echo-request message                            Link maintenance frames
0B    Discard-request    Just discard this frame (testing)                               Link maintenance frames

- Link establishment frames: Used to establish the link between the two endpoints
- Link termination frames: Used to disconnect the link between the two endpoints
- Link maintenance frames: Used for monitoring and debugging the link
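Added example, not part of the original document: a Python parser for the PPP frame and the LCP header described on the slides above, including the FCS check that gives PPP its error detection (the 16-bit CRC of RFC 1662) and a consistency check on the LCP Length field. Protocol numbers and LCP codes are the ones from the slides; the sample frame (an LCP Echo-request) is constructed here.

```python
import struct

# Protocol numbers and LCP codes as listed on the slides above
PPP_PROTOCOLS = {0x0021: "IP datagram", 0x8021: "IPCP", 0xC021: "LCP",
                 0xC023: "PAP", 0xC223: "CHAP"}
LCP_CODES = {1: "Configure-request", 2: "Configure-ack", 3: "Configure-nak",
             4: "Configure-reject", 5: "Terminate-request", 6: "Terminate-ack",
             7: "Code-reject", 8: "Protocol-reject", 9: "Echo-request",
             10: "Echo-reply", 11: "Discard-request"}

def fcs16(data: bytes) -> int:
    """PPP 16-bit FCS (RFC 1662): CRC-16/X-25, init 0xFFFF, result complemented."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF

def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """Flag | FF | 03 | Protocol | Data | FCS (LSB first) | Flag; 0x7E/0x7D byte stuffing is left out."""
    body = b"\xff\x03" + struct.pack("!H", protocol) + payload
    return b"\x7e" + body + struct.pack("<H", fcs16(body)) + b"\x7e"

def parse_ppp_frame(frame: bytes) -> dict:
    """Split a de-stuffed PPP frame and reject it when the FCS does not match."""
    if len(frame) < 8 or frame[0] != 0x7E or frame[-1] != 0x7E:
        raise ValueError("missing 0x7E flag delimiters")
    body, fcs = frame[1:-3], struct.unpack("<H", frame[-3:-1])[0]
    if body[:2] != b"\xff\x03":
        raise ValueError("unexpected address/control bytes")
    if fcs16(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    protocol = struct.unpack("!H", body[2:4])[0]
    return {"protocol": protocol, "name": PPP_PROTOCOLS.get(protocol, "unknown"),
            "data": body[4:]}

def parse_lcp(data: bytes) -> dict:
    """Code | ID | Length | Information header (IPCP uses the same layout)."""
    if len(data) < 4:
        raise ValueError("LCP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("LCP Length field inconsistent with payload")
    return {"code": code, "type": LCP_CODES.get(code, "unknown"),
            "id": ident, "information": data[4:length]}

# Constructed sample: an LCP Echo-request (code 9, ID 1) carrying a 4-octet magic number
SAMPLE = build_ppp_frame(0xC021, struct.pack("!BBH", 9, 1, 8) + b"\x12\x34\x56\x78")
```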
PPP Authentication: PAP
Figure: the Home-User (user name 홍길동, password abcd) dials into the RAS (NSP/ISP), which acts as authenticator and holds the user profile (user name 홍길동, password abcd).
PAP: 2-way handshake; the password is clear text.
1. LCP complete
2. User -> RAS: Authenticate-Request (user name: 홍길동, password: abcd)
3. RAS -> User: Authenticate-Ack/Nak (user name: 홍길동)
Authentication is based on the user’s password, sent in clear-text format.
PPP Authentication: CHAP
Figure: the Home-User (user name 홍길동, password abcd) dials into the RAS (NSP/ISP), which acts as authenticator and holds the user profile (user name 홍길동, password abcd).
CHAP: 3-way handshake; the password is hashed, never sent.
1. LCP complete
2. RAS -> User: CHAP-Challenge (ID #, challenge value: random value generated by the RAS, name: RAS ID)
3. User -> RAS: CHAP-Response (ID #, response value: MD5 hash over the ID #, the random value and the password abcd, name: 홍길동)
4. The RAS computes the same MD5 hash over the ID #, the random value and the password abcd from the user profile and compares it with the response value: Match -> CHAP-Success; No match -> CHAP-Failure
PPP Authentication: CHAP Packets
(Figure only: CHAP packet formats.)
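The CHAP exchange from the slides above, as an added example that is not part of the original document: the peer computes MD5 over the CHAP ID, its secret and the challenge value (RFC 1994), and the RAS-side authenticator recomputes the digest from its stored user profile and compares. The packet layouts follow RFC 1994; the user name 홍길동 and password abcd come from the slide, while the Python API and the RAS name are constructed here.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

def chap_value_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code | ID | Length | Value-Size | Value | Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name

def chap_result_packet(code: int, ident: int, message: bytes = b"") -> bytes:
    """Success/Failure layout: Code | ID | Length | Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message

def parse_chap_value_packet(pkt: bytes) -> dict:
    if len(pkt) < 5:
        raise ValueError("CHAP packet truncated")
    code, ident, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("CHAP Length/Value-Size inconsistent with packet")
    return {"code": code, "id": ident, "value": pkt[5:5 + vsize], "name": pkt[5 + vsize:]}

def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over ID || secret || challenge (RFC 1994); the secret itself never goes on the wire."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """RAS side: stores each user's cleartext secret (the slide's 'User profile') to recompute the hash."""
    def __init__(self, profiles: dict, name: bytes = b"RAS"):
        self.profiles, self.name, self.pending = profiles, name, {}
    def challenge(self, ident: int) -> bytes:
        value = os.urandom(16)  # fresh random value per challenge, so an old response cannot be replayed
        self.pending[ident] = value
        return chap_value_packet(CHAP_CHALLENGE, ident, value, self.name)

    def verify(self, response_pkt: bytes) -> bytes:
        r = parse_chap_value_packet(response_pkt)
        challenge = self.pending.pop(r["id"], None)  # each challenge is usable exactly once
        secret = self.profiles.get(r["name"])
        ok = (challenge is not None and secret is not None and
              hmac.compare_digest(r["value"], chap_response_value(r["id"], secret, challenge)))
        return chap_result_packet(CHAP_SUCCESS if ok else CHAP_FAILURE, r["id"])

def peer_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Peer (Home-User) side: hash the challenge with its own secret and send only the digest."""
    c = parse_chap_value_packet(challenge_pkt)
    return chap_value_packet(CHAP_RESPONSE, c["id"], chap_response_value(c["id"], secret, c["value"]), name)
```

Because the authenticator must hold the cleartext secret to recompute the hash, a CHAP user database needs the same protection as the passwords themselves.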
NCP (Network Control Protocol)
- IP Control Protocol (IPCP) negotiates:
  - IP address
  - Primary DNS server address
  - Secondary DNS server address
  - etc.

IPCP packet codes:
Code  Packet Type        Description
1     Configure-request  List of proposed options and values
2     Configure-ack      All options are accepted
3     Configure-nak      Some options are not acceptable
4     Configure-reject   Some options are not recognized
5     Terminate-request  Requests to shut down the line
6     Terminate-ack      OK, line shut down
7     Code-reject        Unknown request received
DHCP (Dynamic Host Configuration Protocol)
- Most popular method of automatic IP configuration within Ethernet-based IP networks
- Simple and easy (plug and play)
- Standards
  - RFC 2131: Dynamic Host Configuration Protocol
  - RFC 2132: DHCP Options and BOOTP Vendor Extensions
  - RFC 3046: DHCP Relay Agent Information Option (option 82)

Message exchange between a client and two servers (figure):
1) The client first broadcasts a DHCP DISCOVER message on its local physical network.
2) Each server may respond with a DHCP OFFER message with the “Your IP Address” field filled in.
3) The client may receive more than one DHCP OFFER message and chooses one server. The client then broadcasts a DHCP REQUEST message.
4) Only the chosen server responds with a DHCP ACK message.
5) The client may send a DHCP RELEASE message to the server to relinquish the lease on the network address.
DHCP message format
Field descriptions from the figure (field names as in RFC 2131):
op       1: Boot request from client; 2: Boot reply from server
htype    Hardware address type; 1 for an Ethernet MAC address
hlen     Length of the hardware address
hops     Optionally used by relay agents
xid      Randomly assigned to link requests and replies between a client and a server
secs     Elapsed time in seconds since the client began an address acquisition or renewal process
flags    Broadcast flag. Used when a client cannot receive a unicast IP datagram before its interface is configured
ciaddr   Client IP address; used when the client is in the BOUND, RENEWING or REBINDING state
yiaddr   Client’s IP address assigned by the DHCP server
siaddr   IP address of the next server to use in bootstrap
giaddr   Gateway IP address (relay agent IP address)
chaddr   Client hardware address; for an Ethernet address, the first 6 bytes are filled and the remaining bytes are set to 0
sname    Hostname of the DHCP server
file     Boot filename
options  RFC 2132: DHCP Options and BOOTP Vendor Extensions; RFC 3046: DHCP Relay Agent Information Option (option 82)
DHCP message type
The DHCP message type is carried in DHCP option 53 (option code 53, length 1, type value 1 to 8):

Type  Packet Type    Direction         Description
1     DHCP Discover  Client -> Server  Client broadcast to locate available servers
2     DHCP Offer     Server -> Client  Server to client in response to DHCPDISCOVER with offered parameters
3     DHCP Request   Client -> Server  Requesting offered parameters from one server
4     DHCP Decline   Client -> Server  Network address is already in use
5     DHCP Ack       Server -> Client  Acknowledge with configuration parameters
6     DHCP Nak       Server -> Client  Client’s network address is incorrect
7     DHCP Release   Client -> Server  Request to relinquish the network address
8     DHCP Inform    Client -> Server  Client already has an externally configured network address

- DHCP Discover (broadcast)
  - Source MAC = client MAC, destination MAC = broadcast
  - Source IP address = 0, destination IP address = broadcast
  - UDP destination port = 67
  - UDP data = DHCP Discover message (DHCP message type: 1)
- DHCP Offer (unicast)
  - Source MAC = server MAC, destination MAC = client MAC
  - Source IP address = server IP address, destination IP address = offered IP address
  - UDP destination port = 68
  - UDP data = DHCP Offer message (DHCP message type: 2)
- DHCP Request (broadcast)
  - Source MAC = client MAC, destination MAC = broadcast
  - Source IP address = 0, destination IP address = broadcast
  - UDP destination port = 67
  - UDP data = DHCP Request message (DHCP message type: 3)
- DHCP Ack (unicast)
  - Source MAC = server MAC, destination MAC = client MAC
  - Source IP address = server IP address, destination IP address = allocated IP address
  - UDP destination port = 68
  - UDP data = DHCP Ack message (DHCP message type: 5)
Generic DHCP Operation
Figure: PC -- UTP -- CPE (modem) -- DSL -- DSLAM -- BRAS (DHCP relay) -- DHCP server. The BRAS relays the client’s broadcasts to the DHCP server and the server’s replies back to the PC.
1. PC -> BRAS: DHCP Discover (“Hello, any DHCP server out there?”)
2. BRAS -> DHCP server: Discover relayed to the DHCP server
3. DHCP server -> BRAS: DHCP Offer (“I’m DHCP server 20.20.20.1. Would you receive IP address 100.100.100.11 from me?”)
4. BRAS -> PC: DHCP Offer
5. PC -> BRAS: DHCP Request (“I accept the server 20.20.20.1. Will you give me an IP address?”)
6. BRAS -> DHCP server: Request relayed to the DHCP server
7. DHCP server -> BRAS: DHCP ACK (“Okay, use the IP address 100.100.100.11 for 8 hours from now on.”)
8. BRAS -> PC: DHCP ACK; IP address allocation: 100.100.100.11

- Dynamically get an IP address from a server
- “Plug-and-play”: no authentication
- DHCP messages use UDP as the transport protocol
  - Client -> Server: port 67
  - Server -> Client: port 68
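Added example, not part of the original document: a Python parser and builder for the DHCP message format and the option 53 message types from the slides above, checking the 236-octet fixed header, the magic cookie and the option TLV lengths before trusting any field. The sample Discover and Offer are constructed here, reusing the server 20.20.20.1 and offered address 100.100.100.11 from the figure.

```python
import struct
from ipaddress import IPv4Address

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"          # 236 octets, the fixed part of the message

def parse_options(raw: bytes) -> dict:
    """RFC 2132 option TLVs: code, length, value; code 0 is a pad and 255 ends the list."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:
            i += 1
            continue
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % raw[i])
        opts[raw[i]] = raw[i + 2:i + 2 + raw[i + 1]]
        i += 2 + raw[i + 1]
    return opts

def parse_dhcp(msg: bytes) -> dict:
    """Decode the fixed header, require the magic cookie and a known message type (option 53)."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or no magic cookie)")
    f = struct.unpack(HEADER, msg[:236])
    opts = parse_options(msg[240:])
    if len(opts.get(53, b"")) != 1 or opts[53][0] not in MESSAGE_TYPES:
        raise ValueError("missing or unknown DHCP message type (option 53)")
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
            "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
            "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:f[2]].hex(":"),
            "type": MESSAGE_TYPES[opts[53][0]], "options": opts}

def build_message(op: int, msg_type: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0",
                  flags: int = 0, extra_opts: dict = None) -> bytes:
    """Constructed sample builder: htype 1 (Ethernet), hlen 6, empty sname/file, no relay."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags, zero4, IPv4Address(yiaddr).packed,
                      zero4, zero4, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    for code, value in (extra_opts or {}).items():
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + opts + b"\xff"
```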
DHCP Renewal operation
Figure: exchange between a DHCP client and the server (the IP renewal timer in this example is 10 to 30 seconds).
1. The client broadcasts a DHCP request message; the server answers with a DHCP ack (IP address, T1 timer value, ...). The client enters the BOUND state and starts the T1 and T2 timers.
2. The renewal timer (T1) expires and the client enters RENEWING.
3. The client sends a DHCP request message to the original leasing server; the server answers with a DHCP ack (IP address, T1 timer value, ...) and the client returns to BOUND with fresh T1 and T2 timers.
4. The renewal timer (T1) expires again.
5. The client again sends a DHCP request message to the original leasing server, receives a DHCP ack, returns to BOUND, and the cycle continues.
RADIUS: Means and Goals
- RADIUS: Remote Authentication Dial In User Service
- AAA (authentication, authorization and accounting) protocol for applications such as network access
- Client/server model
  - NAS (Network Access Server)
    - Client of RADIUS
    - Passes user information to the designated RADIUS server
  - RADIUS server
    - Receives user connection requests
    - Authenticates the users
    - Returns the information the client needs to deliver service to the user
    - Can act as a proxy client to other RADIUS servers
- Standards
  - RFC 2865: Remote Authentication Dial In User Service (RADIUS)
  - RFC 2866: RADIUS Accounting
RADIUS Operation
Figure: a dial-in user connects to the NAS (RADIUS client), which talks to the RADIUS server; the server looks the user up in its database of user credentials (“Find User”) and answers with Access-Accept, Access-Reject or Access-Challenge, after which the NAS delivers the service.
1. The NAS sends its Access-Request to the RADIUS server.
2. The RADIUS server sends an Access-Accept to the NAS, which delivers the service to the user.

AAA infrastructure (figure): the user’s device (authentication client) is connected over the link (PPP or IEEE 802.1X, carrying PAP, CHAP or EAP) to the NAS (authenticator), which in turn talks to the authentication server over RADIUS.
RADIUS Flow: Proxy RADIUS Scenario
Figure: dial-in user -> NAS (RADIUS client) -> RADIUS server acting as a “proxy” (a client to other servers) -> Internet -> “remote” RADIUS server (which needs to validate the sending client) with its database of user credentials.
1. The NAS (RADIUS client) sends its Access-Request to the RADIUS proxy server.
2. The RADIUS proxy server forwards the Access-Request to the remote RADIUS server, which looks up the user (“Find User”).
3. The remote RADIUS server sends an Access-Accept, Access-Reject or Access-Challenge back to the proxy server.
4. The RADIUS proxy server sends the Access-Accept to the NAS, which delivers the service to the user.
UDP and RADIUS Packet
UDP header (figure):
Source Port       2 octets = 16 bits
Destination Port  2 octets; 1812 for RADIUS
Length            2 octets
Checksum          2 octets
Data Field        Multiple of 2 octets (4 octets per line in the figure); carries the RADIUS packet

- RADIUS uses UDP as its transport protocol
- Exactly one RADIUS packet is encapsulated in the UDP data field
RADIUS Packet
RADIUS packet layout (figure):
Code           1 octet = 8 bits
Identifier     1 octet
Length         2 octets
Authenticator  16 octets (4 lines of 4 octets each)
Attributes...  variable

- Code: identifies the type of RADIUS packet.
  - Authentication/Authorization: 1 for Access-Request, 2 for Access-Accept, 3 for Access-Reject, 11 for Access-Challenge
  - Accounting: 4 for Accounting-Request, 5 for Accounting-Response
  - Experimental: 12 for Status-Server, 13 for Status-Client
- Identifier: matches requests and replies.
- Length: length of the packet including the Code, Identifier, Length, Authenticator and Attribute fields.
- Authenticator: used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm.
  - E.g. the Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
- Attributes: carry the specific authentication, authorization, information and configuration details for the request and reply.
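Added example, not part of the original document: Python code for the RADIUS packet layout above, including the NAS-side check of the Response Authenticator exactly as the slide gives it (MD5 over Code + ID + Length + RequestAuth + Attributes + Secret) and the User-Password hiding algorithm the slide refers to, taken from RFC 2865 section 5.2. The shared secret, user name and attribute values are constructed.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
         5: "Accounting-Response", 11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18     # attribute types from RFC 2865

def attr(kind: int, value: bytes) -> bytes:
    """Attribute TLV: Type | Length (including these two octets) | Value."""
    return bytes([kind, 2 + len(value)]) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code | Identifier | Length | Authenticator (16 octets) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes) -> dict:
    code, ident, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 20 else (0, 0, 0)
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS packet too short or Length field inconsistent with datagram")
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident,
            "authenticator": pkt[4:20], "attrs": pkt[20:length]}

def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as on the slide."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; a forged reply or a wrong shared secret fails."""
    r = parse_packet(resp)
    expected = response_authenticator(r["code"], r["id"], request_auth, r["attrs"], secret)
    return hmac.compare_digest(r["authenticator"], expected)

def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each with MD5(secret + previous block)."""
    padded, out, prev = password + b"\0" * (-len(password) % 16), b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: the same key stream, chained on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")
```

Both checks depend entirely on the shared secret, so anyone who learns it can both forge server replies and recover hidden passwords from captured Access-Requests.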
End of Document