
the authorisation may have a Resource Manager component to keep track of the state of the session and be able to effect changes to the session if required. Resource Managers may keep complex cross-administrative domain information supported by dialogues with peer Resource Managers.


6.2 Accounting Management

Accounting is the collection of resource consumption data. Hence, accounting management requires that resource consumption is measured, rated, assigned and transferred between appropriate parties. Accounting data is needed for purposes such as trend analysis and capacity planning, billing, auditing and cost allocation.


The accounting management architecture involves interactions between routers, accounting servers and billing servers. Network devices collect resource consumption data in the form of accounting metrics. This information is then transferred to an accounting server by means of a protocol such as SNMP, see Figure 17. The accounting server may process the received accounting data to produce session records. The processed data is then transferred to a billing server, which handles rating and invoice generation, but may also carry out auditing, cost allocation, trend analysis and capacity planning. Note that some sources operate with mediation and charging levels as well.
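The collection-to-billing pipeline described above, as an added example that is not part of the article: interface byte counters of the kind an accounting server polls via SNMP (the 32-bit ifInOctets counter) are turned into per-interface session records and then rated. The router names, poll values and price are constructed; the counter-wrap handling is the one failure mode a practitioner must get right, because a Counter32 on a busy link wraps between polls and a naive subtraction then produces a negative or absurd consumption figure.

```python
"""Added example (not from the article): turn periodic interface byte
counters, as an accounting server would receive them via SNMP polls, into
session records and rate them. All sample data below is constructed."""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit wrapping counters


@dataclass
class Sample:
    router: str
    ifindex: int
    t: int           # poll time in seconds
    in_octets: int   # Counter32 value as read from the device


@dataclass
class SessionRecord:
    router: str
    ifindex: int
    start: int
    end: int
    octets: int


def counter_delta(prev: int, cur: int, width: int = COUNTER32_MAX) -> int:
    """Octets consumed between two polls, tolerating a single counter wrap.
    Two wraps between polls cannot be detected, so the poll interval must be
    shorter than the time the counter takes to wrap on the link."""
    if cur >= prev:
        return cur - prev
    return (width - prev) + cur


def build_records(samples):
    """Accounting-server step: fold consecutive polls of each
    (router, ifindex) into one session record covering first to last poll."""
    by_if = {}
    for s in sorted(samples, key=lambda s: (s.router, s.ifindex, s.t)):
        by_if.setdefault((s.router, s.ifindex), []).append(s)
    records = []
    for (router, ifindex), seq in by_if.items():
        total = sum(counter_delta(p.in_octets, c.in_octets)
                    for p, c in zip(seq, seq[1:]))
        records.append(SessionRecord(router, ifindex, seq[0].t, seq[-1].t, total))
    return records


def rate(record: SessionRecord, price_per_mib: float) -> float:
    """Billing-server step: convert a record's octets into a charge,
    rounded to cents."""
    return round(record.octets / (1024 * 1024) * price_per_mib, 2)


# Constructed polls: interface 2 wraps its Counter32 between the two polls.
SAMPLES = [
    Sample("r1", 1, 0, 1_000),
    Sample("r1", 1, 300, 5_000),
    Sample("r1", 1, 600, 9_000),
    Sample("r1", 2, 0, 4_294_967_000),
    Sample("r1", 2, 300, 704),
]

if __name__ == "__main__":
    for rec in build_records(SAMPLES):
        print(rec, "->", rate(rec, 0.5))
```

The wrap case matters in practice: a 32-bit octet counter on a 1 Gbit/s link wraps in about 34 seconds, so a five-minute poll interval silently loses traffic unless the 64-bit high-capacity counters are used instead.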


6.3 Security

Several security mechanisms can be implemented. In this section IP secure (IPsec) and firewalls are outlined. While IPsec operates on the IP level, another applied mechanism, Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), is applied on top of the TCP layer.


6.3.1 IP secure

Currently, most security concerns are taken care of by the applications. IP secure (IPsec) is a family of protocols, procedures and cryptographic algorithms that provide security services for traffic at the IP layer in both the IPv4 and IPv6 environments. The services provided are: access control, integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality.


IPsec is based on two security protocols: Authentication Header (AH), which provides integrity, data origin authentication and anti-replay service, and Encapsulating Security Payload (ESP), which may provide either confidentiality or integrity, authentication and anti-replay.


AH is a new header that can be inserted into IPv4 or IPv6 packets. The authentication is calculated over the application data and those IP header fields that are not changed during forwarding (e.g. omitting the TTL field).

ESP is a new header to be inserted in front of the original IP packet header. Hence, the total original IP packet can be encrypted. Both AH and ESP can be applied on the same packet.

The IPsec security model is based on Security Associations (SA). An SA is a simplex, i.e. unidirectional, connection that affords security services to the traffic carried by it. If traffic should be protected by both protocols, it must be processed by two SAs in sequence.

A unidirectional security association is established between a sender and a receiver. The association is identified by a Security Parameter Index (SPI) and the receiver address. The SPI is defined by several parameters including the authentication and encryption algorithms, keys and association lifetimes. Each association is unidirectional, which means that a bidirectional connection needs one security association in each direction.
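The SA model of the two paragraphs above, as an added example that is not part of the article: a minimal inbound SA database keyed by (SPI, destination address), a byte lifetime after which the SA must be rekeyed, a helper that creates the two SAs a bidirectional connection needs, and the anti-replay sliding window that both AH and ESP apply to the sequence number. The window logic follows the scheme of RFC 4302/4303; the class and field names, SPIs, addresses and keys are this example's own.

```python
"""Added example (not from the article): IPsec Security Associations with
(SPI, destination) lookup, byte lifetime and an anti-replay window.
Names and sample values are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int             # 32-bit Security Parameter Index
    dst: str             # receiver address; (spi, dst) identifies the SA
    protocol: str        # "AH" or "ESP"
    auth_alg: str        # e.g. "hmac-sha256"
    key: bytes
    lifetime_bytes: int  # SA must be replaced once this much traffic is seen
    window_size: int = 64
    # anti-replay state: highest sequence number accepted and a bitmap of
    # the window_size numbers below it (bit k set = top - k already seen)
    _top: int = 0
    _bitmap: int = 0
    _bytes_seen: int = 0

    def check_replay(self, seq: int) -> bool:
        """Accept seq only if it is new and not older than the window.
        Returns False for replays, for seq 0 and for packets behind the
        window; updates the window on acceptance."""
        if seq == 0:
            return False                       # first valid sequence number is 1
        if seq > self._top:                    # new highest: slide the window
            shift = seq - self._top
            mask = (1 << self.window_size) - 1
            self._bitmap = ((self._bitmap << shift) | 1) & mask
            self._top = seq
            return True
        offset = self._top - seq
        if offset >= self.window_size:
            return False                       # too old to be tracked
        if (self._bitmap >> offset) & 1:
            return False                       # already accepted: replay
        self._bitmap |= 1 << offset
        return True

    def consume(self, nbytes: int) -> bool:
        """Charge traffic against the byte lifetime; False once exhausted."""
        self._bytes_seen += nbytes
        return self._bytes_seen <= self.lifetime_bytes


class SADB:
    """Inbound SA database: a received packet is matched to its SA by the
    SPI in the AH/ESP header and the packet's destination address."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst)] = sa

    def lookup(self, spi: int, dst: str):
        return self._sas.get((spi, dst))


def make_bidirectional(a: str, b: str, key_ab: bytes, key_ba: bytes):
    """A bidirectional connection needs two SAs, one per direction,
    each with its own SPI and key (constructed SPIs 0x1000/0x2000)."""
    return (SecurityAssociation(0x1000, b, "AH", "hmac-sha256", key_ab, 10 ** 6),
            SecurityAssociation(0x2000, a, "AH", "hmac-sha256", key_ba, 10 ** 6))


if __name__ == "__main__":
    ab, ba = make_bidirectional("10.0.0.1", "10.0.0.2", b"key-ab", b"key-ba")
    db = SADB()
    db.add(ab)
    db.add(ba)
    sa = db.lookup(0x1000, "10.0.0.2")
    print([sa.check_replay(s) for s in (1, 1, 5, 3, 3, 70, 5, 7)])
```

A receiver that skipped the window check would accept a captured packet replayed later with a valid ICV, which is exactly the anti-replay service the text lists among AH's and ESP's guarantees; the byte lifetime is the other operational guard, forcing a fresh key before too much traffic is protected under one.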

As mentioned above, the authentication header offers both data integrity and authentication of IP packets. In IPv6, the authentication header includes a length field, an SPI and the authentication data. The authentication algorithm is calculated over the entire packet, excluding protocol fields that are modified in intermediate routers. Authentication is done between the sender and the receiver, or between the sender and a firewall.
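The AH computation described in the paragraph above and in the earlier AH paragraph, as an added example that is not part of the article: an IPv4 packet with an AH header is built, the integrity check value (ICV) is computed over the packet with the mutable header fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, and the receiver verifies it. The check then shows that a router decrementing the TTL leaves the ICV valid while a changed payload or a wrong key does not. HMAC-SHA256 truncated to 96 bits stands in for the SA's authentication algorithm; the key, addresses and SPI are constructed.

```python
"""Added example (not from the article): AH integrity check value over an
IPv4 packet with mutable fields zeroed, as RFC 4302 prescribes.
Key, addresses, SPI and payload are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51          # IP protocol number of the Authentication Header
ICV_LEN = 12           # 96-bit truncated ICV
KEY = b"constructed-demo-key-not-for-real-use"


def ipv4_header(src, dst, total_len, ttl=64, tos=0, proto=AH_PROTO, ident=0x1234):
    """Plain 20-byte IPv4 header; header checksum left 0 (it is mutable
    and excluded from the ICV anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0x4000,
                       ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header with every field a router may change zeroed:
    TOS/DSCP+ECN, flags + fragment offset, TTL and the header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv=b"\x00" * ICV_LEN):
    """Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV.
    Payload Len is the AH length in 32-bit words minus 2 (RFC 4302)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, spi, seq, next_hdr, payload):
    """ICV = HMAC(immutable IP header || AH header with ICV zeroed || payload)."""
    covered = zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, next_hdr, payload, ttl=64):
    """Sender side: IP header, AH header carrying the ICV, then the payload."""
    total = 20 + 12 + ICV_LEN + len(payload)
    hdr = ipv4_header(src, dst, total, ttl=ttl)
    icv = ah_icv(key, hdr, spi, seq, next_hdr, payload)
    return hdr + ah_header(next_hdr, spi, seq, icv) + payload


def verify_ah_packet(key, packet) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    hdr, ah = packet[:20], packet[20:44]
    next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", ah[:12])
    icv, payload = ah[12:24], packet[44:]
    return hmac.compare_digest(icv, ah_icv(key, hdr, spi, seq, next_hdr, payload))


def decrement_ttl(packet) -> bytes:
    """What each intermediate router does; must not invalidate the ICV."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


if __name__ == "__main__":
    pkt = build_ah_packet(KEY, "10.0.0.1", "10.0.0.2", 0x1000, 1, 17, b"hello")
    print(verify_ah_packet(KEY, pkt), verify_ah_packet(KEY, decrement_ttl(pkt)))
```

In a real implementation the key and algorithm come from the SA selected by the SPI and destination address, and the sequence number is checked against the anti-replay window before the ICV is even computed, so that replayed packets cost no HMAC work.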

The ESP provides data integrity and privacy to the users. The ESP header starts with a length field and a 32-bit SPI. The rest of the header, if

[Figure 17: Example of servers and information involved in accounting and billing. Elements shown: router, accounting server, billing server; flows labelled "accounting information between operators/providers" and "bills to customers".]