Network Working Group G. Zorn Internet-Draft Microsoft Corporation Category: Standards Track P. Calhoun Sun Microsystems Limiting Fraud in Roaming Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. The distribution of this memo is unlimited. It is filed as and expires November 6, 1999. Please send comments to the Roaming Operations Working Group mailing list (roamops@tdmx.rutgers.edu) or to the authors. Abstract The potential for fraud exists in several places in an Internet roaming situation: at the visited service provider's Network Access Server (NAS) and RADIUS [1] server(s) as well as the broker (if any). This document describes a method of providing roaming services while allowing the home service provider to strictly limit losses from fraud. Zorn & Calhoun [Page 1] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 Specification of Requirements In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [2]. 1. RADIUS-based Roaming Currently Internet roaming is generally implemented using the RADIUS protocol, and suffers from many attacks and the possibility of fraud [3]. The following figure depicts an example of a roaming network, where a user (joe@bigco.com) wishes to get Internet Access from a third party (big-isp.net). +---------------------------+ +------------------+ | | | | +-------+ | +-------+ +--------+ | Inet | +--------+ | | PPP |--------| NAS |----| RADIUS |--------------| RADIUS | | +-------+ | +-------+ +--------+ | | +--------+ | joe@bigco.com | | | | | Big ISP's Network | | Big Co's Network | +---------------------------+ +------------------+ In the above figure, when the user dials into Big-ISP's NAS, he presents his identity as joe@bigco.com, which is known as the Network Access Identifier [2]. The NAS generates a RADIUS request, which is sent to the Big-ISP's RADIUS server. This exchange is secured using a long- lived security association between the NAS and the RADIUS server. Upon receipt of the request, the RADIUS server examines the NAI and determines that the request cannot be processed locally. This determination is made by examining the realm portion of the NAI, which is bigco.com. The RADIUS server then forwards the request to BigCo's RADIUS server, which is responsible for authenticating the user and authorizing the user to access the requested dial-up service. BigCo's RADIUS server returns a response back to Big-ISP's RADIUS server, and includes authorization information in the message, such as Access Control Lists, IP address information, etc. The NAS then provides service to the PPP [4] dial-up user, and generates a RADIUS Accounting-Start record [5]. The Accounting-Start record includes such information as the modem type, the connection rate, the dial-up port type, the user name, and a session identifier. The RADIUS Accounting- Start message is sent to Big-ISP's RADIUS accounting server, which logs the information and forwards it (possibly throgh several intermediate RADIUS proxies) to BigCo's RADIUS accounting server. During the PPP session, the NAS may send Interim-Accounting updates, which include the session identifier and cumulative session statistics, such as connection Zorn & Calhoun [Page 2] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 time, number of bytes transfered, etc. When the user disconnects from the NAS, an Accounting-Stop message is generated, which is similar to the Interim-Accounting message but indicates that the PPP session has terminated. One problem with this model is that there is no way to ensure that the Big-ISP's NAS or RADIUS server send accounting records that include the correct session time. The session time could be increased by an hour, and the home network would have no way to verify how long the session really lasted. Another problem is the possibility of replay attacks. If the dial-up user uses PAP [6] for authentication, the plain-text password is provided to Big-ISP's NAS and RADIUS server, therefore the provider has enough information to "pretend" that the user is requesting service in the future. If CHAP [7] is used to authenticate the user, the NAS issues the Challenge, which the dial-up user uses to generate the CHAP response. In this case, Big-ISP's NAS and RADIUS server could capture a valid Challenge/Response pair which could be replayed in the future. The Extensible Authentication Protocol (EAP) [8] solves many of these problems because (in a RADIUS environment) the authentication occurs end-to-end, meaning between the dial-up PPP user and the home RADIUS server. Therefore, it is recommended that EAP be used as the PPP authentication protocol in roaming situations. In the ROAMOPS model, a third entity may also exist, which is known as the broker [3]. The broker has long-lived security associations with all of its roaming partners, and therefore eliminates the problem where all roaming partners must have a security association with all other partners. The following figure provides an example of such a network. All of the RADIUS requests always flow through the broker, which in turn forwards it to the home RADIUS server. Similarly, the response must flow through the broker back towards the visited network's RADIUS server. +---------------+ +---------------+ +---------------+ | | | | | | | +--------+ | Inet | +--------+ | Inet | +--------+ | | | RADIUS |-------------| RADIUS |-------------| RADIUS | | | +--------+ | | +--------+ | | +--------+ | | | | | | | | Big ISP's | | Broker's | | Big Co's | | Network | | Network | | Network | +---------------+ +---------------+ +---------------+ In this scenario, all authentication and authorization messages must flow through the broker, since the broker needs to be able to ensure that the home network's RADIUS server successfully authenticated and Zorn & Calhoun [Page 3] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 authorized a user if it receives an accounting message. The addition of another RADIUS server adds additional processing cost and internet traversals of the RADIUS messages, which increases the possibility that the request may be lost and retransmitted. Since the RADIUS protocol uses hop-by-hop security to ensure integrity of the message, the broker has the ability to modify information within the accounting record, such as the session time, before passing it to BigCo's RADIUS server. Lastly, many service providers today employ different proprietary schemes to create stateful RADIUS servers, to reduce fraudulent access on behalf of the user. Given that many service providers offer unlimited internet access for a single price, it becomes very easy for users to hand out their username/password pair to others. Therefore, in order to prevent the same username from having multiple concurrent sessions, session state is maintained in the RADIUS server. Unfortunately, this becomes very difficult to manage in roaming scenarios, since it is mostly built using proprietary methods. 2. The DIAMETER Approach This section will define how the use of DIAMETER [10] can solve the fraudulent attacks and other issues that were described in the previous section. The DIAMETER protocol makes use of the same network architecture that was described in the previous section, meaning that there is the concept of the visited domain (Big-ISP), a broker, and a home domain (BigCo). However, DIAMETER allows the broker to act as a Certification Authority (CA), where the broker would issue a public-key certificate for each of the roaming partners' DIAMETER server. When the dial-up user provides his credentials to the visited provider's (Big-ISP) NAS, a DIAMETER request is issued to the local DIAMETER Server, which in turn forward the request to the broker. Upon receipt of the message, the broker can do one of two things: - If the broker's policy allows roaming partners to exchange messages directly, it can return a Diameter redirect message to Big-ISP's server. Big-ISP would forward the DIAMETER request directly to BigCo's server signed using its private key. - If the broker's policy does not allow roaming partner's to exchange messages directly, it can proxy the request to the BigCo server. Upon receipt of the request, BigCo's DIAMETER server authenticates and authorizes the user. In doing so, it creates a signed object which Zorn & Calhoun [Page 4] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 includes the Session Identifier (which is created by Big-ISP), a locally generated accounting session identifier, the username, a timestamp and a session lifetime. The session lifetime is determined via local policy, and informs the visited domain of the amount of time before the user must be re-authorized. This message is returned back to Big-ISP's NAS via the broker and Big-ISP's DIAMETER Server. The NAS then generates an Accounting-Start record, which includes the signed object that was returned in the authentication/authorization reply, and forwards it to its local DIAMETER server, which logs the information and proxies the request to the broker. Even if the broker did not participate in the authentication phase, it can verify the signed object as assurance that the user was authenticated and authorized. The information is logged and the request is proxied to the home domain's DIAMETER server, which validates the signed object, and ensures that the object is not a replay of a previous session by validating the locally generated accounting session identifier (this information must be kept as state information). If the object is validated, a successful acknowledgement is returned, otherwise the reply contains a Result Code AVP indicating an error. When the session timeout expires, the home domain's DIAMETER Server issues an unsolicited EAP challenge back to the visited network's DIAMETER server (either directly if it can, or through the broker). If CHAP was used to authenticate the user, the home domain could simply return a challenge. The EAP message, or the CHAP Challenge is presented to the user and the response is again forwarded to BigCo's DIAMETER Server. If the user can be successfully re-authenticated, a new object is created with an updated timestamp, and signed using the private key. This information is sent back in the reply back to Big-ISP. Upon receipt of this message, an Interim Accounting message is generated which includes the signed object. Zorn & Calhoun [Page 5] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 +---------------------------+ +------------------+ | | | | +-------+ | +-------+ +--------+ | Inet | +--------+ | | PPP |--------| NAS |----| RADIUS |--------------| RADIUS | | +-------+ | +-------+ +--------+ | | +--------+ | joe@bigco.com | | | | | Big ISP's Network | | Big Co's Network | +---------------------------+ +------------------+ <--------------------------------------------------> EAP or CHAP Authentication (may be a single request) <---------------------------------------- Successful reply w/signed object and lifetime -----------------------------------------> Accounting-Start Request w/signed object <----------------------------------------- Accounting Response w/Result Code <--------------------------------------------------------- EAP or CHAP Challenge --------------------------------------------------------> EAP or CHAP Response <---------------------------------------- Successful reply w/signed object and lifetime -----------------------------------------> Interim-Accounting Request w/signed object <----------------------------------------- Accounting Response w/Result Code -----------------------------------------> Accounting-Stop Request w/signed object <----------------------------------------- Accounting Response w/Result Code This proposal has the following properties: - Does not allow an intermediate node (broker) to modify information in messages due to the end-to-end security. However, the broker is able to add new information to the messages. - The session lifetime ensures that the user is periodically Zorn & Calhoun [Page 6] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 re-authenticated and authorized, therefore the home can set a limit on the loss it will accept. If the session lifetime is set to 5 minutes, then the visited domain could add up to 5 minutes to an accounting request. However, if the user is re-authenticated before the disconnect, this fraud can be minimized (unless the telephone line disconnects, or the user's PC hangs). 3. References [1] Rigney, C., Rubens, A., Simpson, W., Willens, S., "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997 [3] Aboba, B., Vollbrecht, J., "Proxy Chaining and Policy Implementation in Roaming", draft-ietf-roamops-auth-10.txt (work in progress), February 1999 [4] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994 [5] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997 [6] Lloyd, B., Simpson, W., "PPP Authentication Protocols", RFC 1334, October 1992 [7] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996 [8] Blunk, L. and Vollbrecht, J., "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998 [9] Aboba, B., Zorn, G., "Criteria for Evaluating Roaming Protocols", RFC 2477, January 1999. [10] Calhoun, P. R., Rubens, A. C., "DIAMETER Base Protocol", draft- calhoun-diameter-07.txt (work in progress), November 1998 4. Authors' Addresses Questions about this memo can be directed to: Pat R. Calhoun Network and Security Research Center Zorn & Calhoun [Page 7] INTERNET-DRAFT Limiting Fraud in Roaming May 1999 Sun Microsystems, Inc. 15 Network Circle Menlo Park, California, 94025 USA Phone: 1-650-786-7733 Fax: 1-650-786-6445 E-mail: pcalhoun@eng.sun.com Glen Zorn Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA Phone: 1-425-703-1559 Fax: 1-425-936-7329 E-Mail: gwz@acm.org 5. Expiration Date This memo is filed as and expires November 6, 1999. Zorn & Calhoun [Page 8]