All content following this page was uploaded by Pieter Nooren on 21 November 2014.
Hans Mickelsson*), Arnoud van Neerbosα), Pieter Noorenα), Mark Prinsα), Karsten Oberle+), Dávid JochaΩ), Benoit Radierδ), Gábor Kovács∂), Mohit Thakur∆), Iñigo Pinilla∏), Enrique Areizaga∏), António Gamelas#), Arkadiusz Sitekт)
Page 1 of 6
BroadBand Europe Geneva, Switzerland
11-14 December 2006
Use case #1: Nomadism use case with video call and IPTV service upgrade

Jose has a broadband access with High Speed Internet to his home and subscribes to two services: IPTV (HDTV quality) and video-telephony including the nomadic feature options. He is visiting his mother. As a nomadic subscriber, he will be able to access his subscribed services from different locations. At his parents' place, who also have a High Speed Internet subscription, he starts their PC and accesses the Web portal of his Service provider. He authenticates himself (by means of a token or a username/password) and, due to the nomadic characteristic associated to his services, he gains access to them according to the service profile.

Then he initiates a video over IP call from the PC to his video capable multimedia phone at home using his own subscription to let his wife know his whereabouts. Next, he uses the Internet to access his media-center (which can be located either in his CPN (Customer Premises Network) or at another location) where he has stored all the pictures from his daughter's last birthday, and shows them on the TV screen at his parents' home. After watching the pictures he decides to watch a film with his parents. They do have a standard IPTV subscription but have just bought a new HDTV set. As Jose has a HDTV subscription, he contacts his service provider and upgrades the IPTV service to HDTV. Now, they all sit together watching the film in HDTV quality, while Jose's wife keeps the ability to stay at

Use case #2 (continued)

mode. His colleague tells him that he will probably be a bit late to the meeting. While they discuss some details for the meeting, Bob leaves home. Shortly after his phone gets out of the reach of the wireless home network (WiFi), it connects to a WiMAX (or UMTS) base station (Figure 3). Since bandwidth is more expensive on this network, Bob receives a message on his screen asking whether he wants to continue with the video path. Since video is not really important while walking, Bob decides to save money and tells his colleague that he will end the video path (the applicability of this feature depends on the tariff arrangements). The audio path stays active, so they will be able to continue their conversation. According to Bob's preferences, the video path will be re-established as soon as the cost of bandwidth is low enough again.

Arriving at the company's site, the phone connects automatically with the company's wireless network (WiFi) and the video connection becomes active again. At his office, he transfers the running video call from the mobile terminal (WiMAX, UMTS) to his notebook connected to a fixed access network.

Figure 3 (labels recovered from the figure): Bob's home; Park; Company's building; Access network; Home Gateway; audio + video; audio; Wifi / WiMAX / UMTS.
Figure 4. Bob uses a public access over a private domain. (Labels recovered from the figure: Home Gateway; settop box; Television; 802.11b/g; Bobs multi media device.)

FMC requirements from the use cases

The use cases presented above imply some high level requirements. Without giving an extensive requirement list here, the main network and service related aspects of these requirements are presented. The table below shows how the various FMC aspects can be derived from each use case. The acronyms are explained below the table.

Table 1. FMC aspects of the three use cases

Use case description | User aspects | Network and service related aspects
Use Case 1 | |
..he starts his parents' PC and accesses the Web portal of his SP, authenticates himself and due to his nomadic features, he has access to all his services. | Access to services from remote terminal | AA, ACC, ARD, SEC, SEP, NRP, LOC
He then initiates a video over IP call from the PC to his video capable multimedia phone at home using his own subscription | Video call service can be used from a different access network connection | ARD, ACC, MEA, NRP, LOC, SEC, SEP, MSA
..he uses the Internet to access his media-center, where he has stored all the pictures from his daughter's last birthday, and shows them on the TV screen at his parents' home | Photo viewing: remote access to private server software (e.g. webserver) or FTP server in the CPN | SEP, ARD, NLR, SEC, DRM, MEA
As Jose has a HDTV subscription, he contacts his service provider and upgrades the IPTV service to HDTV | Service quality upgrade for a nomadic user: Jose logs on to his account to request the video stream in HDTV format | DRM, ACC, LOC, ARD, NRP
Jose's wife stays home watching other IPTV channels | Simultaneous sessions from different locations accounted on the same subscriber contract | ACC, MSA, SEP
Use Case 2 | |
Shortly after, his phone gets out of the reach of the wireless home network; the phone is connected to a WiMAX (or UMTS) base station. | Session continuity between private home network and a WiMAX / UMTS network or public hotspot | AA, ACC, SEC, SEP, HOV, LOC, ROA
Since bandwidth is more expensive on this network, Bob receives a message on his screen asking whether he wants to continue with the video path. Since video is not really important while walking, Bob decides to save money and tells his colleague that he will end the video path. The audio path stays active, | Media adaptation based on network capability and price | ACC, MEA, LOC, SEP
At his office he transfers the running video call from the mobile terminal (WiMAX, UMTS) to his notebook connected to a fixed access network. | Continue session on different terminal | AA, SEC, HOV, SEP, ROA, LOC
Use Case 3 | |
Some of the houses nearby provide public access over their private WiFi network. According to the network settings on his multimedia device, Bob gets connected to one of these networks and orders the pizza over the Internet. | Public access over a private domain | AA, ACC, ARD, RP, SEC, LOC

- Authentication, authorization (AA) and accounting (ACC) is discussed in the next section.
- Media adaptation (MEA) may be necessary when a nomadic user or device changes his connection point and the service quality or access characteristics at the new location are different. This should be done automatically by the content provider or the connectivity provider. If media adaptation is not possible, the user has to deactivate the current service and activate another service with the same content but with the quality related to the new location.
- Access rights to a domain (ARD): A nomadic user can find two kinds of access rights in a visited domain: public or private. In case of public access the visitor can connect without the intervention of the owner. Typical use cases are the public WLAN in the continuous mobility case and the free Internet access point through a fixed private network for nomadic users in the discrete mobility case. In the private access case, the access owner may restrict the access to the visited domain.
- Resource policy (RP): Although the owner of the visited network grants the access to the visiting user, the visitor's resources (e.g. by means of rate limitation) can be restricted. Such an access resource policy can be applied by the owner of the visited CPN, by the NAP or by the nomadic user's device itself.
- Service environment policy (SEP) is related to the service set available for a nomadic user away from his home network. At home the user can access all subscribed services, but when away only a subset of them can be available. The service environment may be restricted by the operator, by the packager, by the owner of the visited CPN, or by the nomadic user himself. The nomadic users may be provided with substitute services that replace the original ones that cannot be offered by the visited service provider.
- Digital Rights Management (DRM) may impose several constraints for nomadic services, e.g. restriction to access the media stream only through a specific device, or constraints in terms of time or number of users per service. See also MSA.
- Network resource policy (NRP): Network resources must be allocated and managed properly in the aggregation network by the Network Access Provider for each nomadic user. This aspect impacts media adaptation and QoS issues.
- Security, privacy (SEC): User traffic separation and encryption in case of a wireless environment, support for VPN services and keeping the security and privacy for both nomadic and local users.
- Network Layer Reachability (NLR): Users and terminals must be addressable at layer 3, while maintaining security and privacy, supporting firewall and/or NAT (Network Address Translator) in a CPN.
- Roaming (ROA): Roaming between different operators' networks. The users should be able to access their profile via different access networks.
- Handover (HOV): Continuous service access independently from the terminal, location or available bandwidth.
- Location (LOC): Location of the user must be known by the network, even when session continuity or continuous mobility are ensured. Geographical location must be known by the services (e.g. in order to support emergency calls, geographical services, billing …).
- Multiple access to the same service (MSA): If the service environment allows, the user may use the same service from multiple different locations simultaneously.

Requirements should cover the above mentioned aspects and can be grouped as CPN related (ARD, RP, NLR, SEC), access network related (NRP, AA, ACC, ROA, SEC, HOV, LOC) and service specific requirements (SEP, AA, ACC, DRM, MEA, MSA, LOC).

AAA requirements per use case

The first challenge on AAA is to find the requirements and corresponding solutions to nomadism. It is important to understand what type of authentication is suited for a nomadic user and what options exist for AAA in public (hot-spot) and private (residential) scenarios.

The alternatives described take into account the IP-forwarding model developed in MUSE [1] but are also aligned with DSLF TR-101 [4]. The scenarios will be demonstrated during the MUSE nomadism lab-trials planned for December 2006.

The increasing number of ways (wireless or wire-line) to access the services by a user adds more requirements to the existing models of the AAA solutions. These requirements can be quite complicated depending on the scenario of how the service is being accessed. In our three use cases, we try to cover most of the possible scenarios in accessing a service by the nomadic/mobile user.

Use Case 1 depicts the user's effort to access his/her desired services from a remote location (nomadism). From the authentication point of view, the user would be required to use some credentials to authenticate him/her for gaining access to his/her services. Possible methods are e.g. login/password, tokens, or a SIM card. Every method has its pros and cons. Where there is an ease of having a login and password cracked, there is also the hassle of the user carrying a SIM card all the time (even though it provides more security and better credentials). From the network provider point of view, the problem is much more complex than simply accessing the services, as the network provider, in addition to granting access to its IP network, has to deal with QoS adaptation for a particular service (e.g. IPTV). Authentication could be based on:

1. Per Device.
2. Per Session.
3. Per End-user.

The above mentioned authentication techniques could be implemented using different frameworks by different operators/providers. As the service provider is generally the one to authenticate the user and authorize access to the services, a mutual agreement in terms of policing and trust issues between the service provider and the connectivity provider is assumed.

Considering use case 1, the user (Jose) changes his location from his home to his parents' home and tries to access his services over his parents' terminal using his own account. The CPE (Customer Premises Equipment) launches an authentication request to its access node present in the Network Access Provider (NAP), which in turn extends the request from the CPE to the Network Service Provider (NSP) through the Connectivity Provider (CP). The NSP checks the user's identity in order to authenticate and authorize this user, based on the credentials supplied by the CPE. Finally, the 2-way connection is established, i.e. High Speed Internet. In terms of the video over IP, the SIP protocol provides a solution to authenticate the user against the ASP. Conversational services over IP employ service mobility - the SIP's inherent feature to become nomadic.

Another challenge of Use Case 1 is when the nomadic user wants to upgrade the quality of IPTV. The user accesses his HDTV content from a terminal that is not his own. Considering the requirements carefully, it can be assumed that the provisioning of the HDTV service involves the negotiation of bandwidth and QoS parameters. The initial IPTV service already running on the same access line should not be overlooked.

Within this paper, in order to study the AAA requirements for the service upgrade, it is considered that there is only one ASP (Application Service Provider, i.e. IPTV service provider) in the network. Both José and his parents are served by the same ASP and thus neither roaming nor SLA (Service Level Agreement) are considered between the different business role players. In this scenario, the end-user will be authenticated per device (Set-top box). Therefore when José moves to his parents' place he can directly access his ASP service manager via his parents' Set-top box using his own credentials. On the other hand, when José requests to watch the film and to upgrade the IPTV quality, the ASP service manager will request to authenticate José as a valid user based on end-user/customer credentials. Upon successful authentication of José, the different elements in the access network should enhance their QoS capabilities to be able to deliver the TV stream in HDTV quality to the Set-top box owned by José's parents. Figure 5 depicts the scenario described above in
which nomadic user authentication and QoS adaptation on different network elements takes place.

Figure 5. Nomadic user authentication in Single ASP environment.

Use case 1 becomes a challenge for the AAA framework due to the possible access to various services from a single access line. For example:

1. Enhanced IPTV service accessed from Jose's parents' place using Jose's account.
2. Normal IPTV service accessed from Jose's place using Jose's account.
3. Other possible services like gaming and video on demand.

The key motivation for use case 1 is to let the nomadic user enjoy his/her services at their best, as if he/she were at home. However, making the AAA process completely transparent to the user is not only up to the service provider but to the connectivity provider as well. The user has to be authenticated and network elements have to be reconfigured to support the increased bandwidth demand. Finally the service consumption has to be accounted, so that the user (José) will receive the fee included in his/her ordinary bill.

Use case 2 covers the mobile aspects of user nature in accessing the services. The user requirement to maintain the session of the Voice and Video over IP call poses significant challenges concerning session continuity and the differences of the AAA architectures between the various access network providers. Different frameworks have been proposed to support the AAA interworking by 3GPP and the WiMAX forum. In MUSE, we study these requirements to work out a novel, robust and scalable AAA architecture for the future deployments of the nomadic services.

According to Use Case 2, the mobile terminal must have several radio interfaces operating different technologies (WLAN, UMTS, WiMax). While on the move, Bob authenticates himself against the different access networks. A mutual authentication based on a single credential and air link encryption must be used, since the security of the networks Bob attaches to cannot be taken for granted. Finally, Bob transfers his call from the mobile terminal to his office notebook. Consequently, the AAA mechanism cannot be based on device authentication. Two authentication solutions have been proposed in MUSE for Use Case 2: I-WLAN and SIP.

Considering the SAE 3GPP frameworks, the I-WLAN solution offers a good way to authenticate the user and allow him to access his services regardless of the access network he attaches to. EAP-AKA as well as EAP-SIM within IKEv2 could be used for mutual authentication to create an IPsec security association for a tunnel between the UE and the Packet Data Gateway (PDG). The PDG is the gateway to the compatible services domain between fixed and mobile networks. The I-WLAN architecture provides either "direct IP access" (directly to the Internet) or "3GPP IP access" (through the 3G provider intranet) to the UE with a common authentication based on credentials provided by the mobile operator (Figure 6). It must be noted that I-WLAN provides solely network layer authentication. Service layer authentication is out of scope of the I-WLAN specification and must be carried out by appropriate protocols (e.g. SIP).

Figure 6. Distributed access AAA architecture based on I-WLAN and service AAA architecture based on IMS.

Another solution to authorize nomadic user access to the provider's network is based on SIP. SIP based service authentication is a mandatory method in IMS (also in case I-WLAN provides the secure network access mechanism). SIP does not require network layer tunnelling (IPsec) to be used between the mobile terminal and the network. The access proxy - Session Border Controller (SBC) - grants the mobile terminal access to the service provider network. To support use case 2, the service layer mutual authentication employing SIP registration mechanisms (AKA, SIM) may be sufficient. Security of the SIP signalling and media flows can be provided by SIP Secure and Secure RTP thanks to TLS (Figure 7).

The SBC is able to provide location information via interworking with the CLF (Connectivity Session Location and Repository Function). Accurate location information is used as a criterion to control mobility according to the user profile and is indispensable to manage emergency calls.
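To make the AAA decision sequence of use case 1 (Figure 5) concrete, here is an added example, not code from the paper or from the MUSE project, that models the single-ASP service manager in Python: the parents' set-top box is authenticated per device for standard IPTV, the HDTV upgrade is authenticated per end-user with Jose's own credentials, the sessions already running on the same access line are counted before QoS is raised, and the accounting record is charged to Jose's contract rather than to his parents'. The subscriber records, box identifiers, bandwidth figures and the PBKDF2 credential store are assumptions of the example, not details given in the paper.

```python
"""AAA decisions of use case 1 modelled in code (constructed example, not MUSE project
code). Subscriber records, set-top box ids, bandwidth figures and the exact split
between per-device and per-end-user checks are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

HD_MBPS = 12.0   # assumed bandwidth of one HDTV stream
SD_MBPS = 4.0    # assumed bandwidth of one standard IPTV stream


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the ASP stores no end-user credential in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Subscriber:
    user_id: str
    contract_id: str        # the contract that accounting records are charged to
    services: Set[str]      # entitlements, e.g. {"IPTV-SD", "IPTV-HD"}
    salt: bytes
    pw_hash: bytes

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt)[1], self.pw_hash)


# Used when the user id is unknown, so that failure takes as long as a wrong password.
DUMMY = Subscriber("?", "?", set(), b"\0" * 16, b"\0" * 32)


@dataclass
class AccessLine:
    line_id: str
    capacity_mbps: float
    running: List[Tuple[str, float]] = field(default_factory=list)  # (session label, Mbps)

    def used_mbps(self) -> float:
        return sum(mbps for _, mbps in self.running)


class AspServiceManager:
    """Single-ASP service manager of the paper's scenario: the set-top box is
    authenticated per device for the default service; the HDTV upgrade needs the
    visiting end-user's own credentials, headroom on the access line and an
    accounting record against the end-user's contract."""

    def __init__(self, subscribers: Dict[str, Subscriber], registered_stbs: Set[str]):
        self.subscribers = subscribers
        self.registered_stbs = registered_stbs
        self.accounting_records: List[dict] = []

    def start_default_iptv(self, stb_id: str, line: AccessLine) -> bool:
        # Per-device authentication: only a registered set-top box gets standard IPTV.
        if stb_id not in self.registered_stbs:
            return False
        if line.used_mbps() + SD_MBPS > line.capacity_mbps:
            return False
        line.running.append((f"IPTV-SD@{stb_id}", SD_MBPS))
        return True

    def request_hd_upgrade(self, stb_id: str, user_id: str, password: str,
                           line: AccessLine) -> dict:
        if stb_id not in self.registered_stbs:
            return {"granted": False, "reason": "unknown device"}
        sub = self.subscribers.get(user_id)
        # Per-end-user authentication: the registered box alone does not entitle to HDTV.
        if not (sub or DUMMY).check_password(password) or sub is None:
            return {"granted": False, "reason": "authentication failed"}
        if "IPTV-HD" not in sub.services:
            return {"granted": False, "reason": "not entitled to HDTV"}
        # The box's SD stream becomes HD; every other session on the line keeps its share.
        others = [s for s in line.running if s[0] != f"IPTV-SD@{stb_id}"]
        if sum(mbps for _, mbps in others) + HD_MBPS > line.capacity_mbps:
            return {"granted": False, "reason": "insufficient bandwidth on access line"}
        line.running = others + [(f"IPTV-HD@{stb_id}", HD_MBPS)]
        record = {"contract": sub.contract_id, "line": line.line_id, "service": "IPTV-HD"}
        self.accounting_records.append(record)    # the fee lands on Jose's bill
        return {"granted": True, "reason": "ok", "accounting": record}


def build_demo(capacity_mbps: float = 20.0) -> Tuple[AspServiceManager, AccessLine]:
    """Constructed sample data: Jose (entitled to HDTV) visiting his parents' line."""
    salt, pw = hash_password("correct horse")
    jose = Subscriber("jose", "contract-jose", {"IPTV-SD", "IPTV-HD", "VIDEOPHONE"}, salt, pw)
    asp = AspServiceManager({"jose": jose}, registered_stbs={"stb-parents"})
    return asp, AccessLine("line-parents", capacity_mbps)


if __name__ == "__main__":
    asp, line = build_demo()
    asp.start_default_iptv("stb-parents", line)          # parents' standard IPTV
    line.running.append(("VIDEOCALL@parents-pc", 2.0))   # Jose's video call on the same line
    print(asp.request_hd_upgrade("stb-parents", "jose", "wrong", line))
    print(asp.request_hd_upgrade("stb-parents", "jose", "correct horse", line))
```

The two checks the paper separates are visible as two code paths: `start_default_iptv` trusts the device registration only, while `request_hd_upgrade` refuses unless the end-user credential verifies, the subscriber is entitled, and the line still has headroom for the HD stream next to the video call already running on it.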
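The mutual authentication that both proposed solutions for use case 2 rely on, EAP-AKA within IKEv2 for I-WLAN and AKA-based SIP registration for IMS, can be shown as a message exchange. The following added example, not code from the paper or from MUSE, implements the AKA challenge-response in Python: the home network issues RAND and AUTN, the USIM verifies the network's MAC and the freshness of the sequence number before answering, and the network checks RES against XRES, after which both sides hold the same CK/IK for air-link or IPsec protection. The MILENAGE functions f1..f5 are replaced by HMAC-SHA256 derivations, which is an assumption made for readability; only the field layout follows AKA.

```python
"""AKA-style mutual authentication between a USIM and its home network, as used by
EAP-AKA (network layer, I-WLAN) and by SIP Digest AKA (service layer, IMS).
Constructed example, not MUSE project code. MILENAGE f1..f5 are replaced by
HMAC-SHA256 derivations (an assumption); field lengths follow AKA: SQN 6 bytes,
AMF 2, MAC-A 8, AK 6, RES 8, CK and IK 16."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple


class MacFailure(Exception):
    """AUTN did not verify: the challenge was not produced with the shared key K."""


class SyncFailure(Exception):
    """Sequence number not fresh: a stale or replayed challenge."""


def _prf(k: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # Stand-in for MILENAGE (assumption): one keyed PRF, domain-separated by label.
    return hmac.new(k, label + data, hashlib.sha256).digest()[:length]


def f1(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    return _prf(k, b"f1", rand + sqn + amf, 8)      # MAC-A, authenticates the network


def f2(k: bytes, rand: bytes) -> bytes:
    return _prf(k, b"f2", rand, 8)                  # RES / XRES, authenticates the USIM


def f3(k: bytes, rand: bytes) -> bytes:
    return _prf(k, b"f3", rand, 16)                 # CK, cipher key


def f4(k: bytes, rand: bytes) -> bytes:
    return _prf(k, b"f4", rand, 16)                 # IK, integrity key


def f5(k: bytes, rand: bytes) -> bytes:
    return _prf(k, b"f5", rand, 6)                  # AK, hides SQN on the air link


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class AuthVector:
    rand: bytes
    autn: bytes     # (SQN xor AK) || AMF || MAC-A
    xres: bytes
    ck: bytes
    ik: bytes


class HomeNetwork:
    """Holds the subscriber's long-term key K and the network-side SQN counter."""

    def __init__(self, k: bytes, amf: bytes = b"\x80\x00"):
        self.k, self.amf, self.sqn = k, amf, 0

    def generate_av(self) -> AuthVector:
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        mac = f1(self.k, rand, sqn, self.amf)
        autn = _xor(sqn, f5(self.k, rand)) + self.amf + mac
        return AuthVector(rand, autn, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand))


class Usim:
    """Terminal side: verifies the network before answering (mutual authentication)."""

    def __init__(self, k: bytes):
        self.k, self.sqn_highest = k, 0

    def respond(self, rand: bytes, autn: bytes) -> Tuple[bytes, bytes, bytes]:
        conc, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = _xor(conc, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise MacFailure("AUTN MAC mismatch")     # wrong key or tampered challenge
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_highest:
            raise SyncFailure("SQN not fresh")        # replayed or stale vector
        self.sqn_highest = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(home: HomeNetwork, usim: Usim) -> bool:
    """One authentication round; True when both sides authenticated and agree on CK/IK."""
    av = home.generate_av()                          # network -> terminal: RAND, AUTN
    res, ck, ik = usim.respond(av.rand, av.autn)     # terminal -> network: RES
    return hmac.compare_digest(res, av.xres) and ck == av.ck and ik == av.ik


if __name__ == "__main__":
    K = secrets.token_bytes(16)                      # constructed subscriber key
    print("round 1:", run_aka(HomeNetwork(K), Usim(K)))
```

The two USIM-side checks are what make the scheme mutual rather than one-way: a network that does not hold K cannot produce a valid MAC-A, so the terminal refuses before disclosing RES, and a captured RAND/AUTN pair cannot be replayed later because its SQN is no longer fresh. Both failure modes are separate exceptions so that a client can react to them differently (for instance, a resynchronisation procedure for SQN problems).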