What is AAA?
When a user wants to access a resource or receive a service on the Internet, AAA is indispensable for the service provider. AAA stands for Authentication, Authorization, and Accounting.
- Authentication is the procedure for verifying that the requestor's claimed identity is trustworthy.
- Authorization is the procedure for granting the requestor the right to access the resource or to receive the service.
- Accounting is the procedure for collecting information about the user's usage.
For example, suppose Alice wants to access the Internet from her laptop.
- Authentication: the ISP verifies that the requestor is really Alice.
- Authorization: the ISP checks whether she has the right to access the Internet. If so, the ISP gives her a session key for the access.
- Accounting: the ISP collects information about her usage, which may be used for billing.
What is Universal AAA Infrastructure?
Building an AAA system for a small number of services in a single administrative domain (realm) would be easy. However, the Internet consists of a large number of realms, these realms provide various types of services, and users are mobile: a user may want to receive a service in a realm to which the user does not belong. Implementing AAA functions separately in every service under these conditions, i.e., multiple realms, many types of services, and user mobility, would be a lot of trouble. The universal AAA infrastructure aims at providing uniform interfaces to all services that require AAA functions.
Steps to the Universal AAA Infrastructure
As the first step toward building the universal AAA infrastructure, we are evaluating the AAA architecture standardized by the IETF by implementing its AAA protocols and performing test operations. If the architecture proves appropriate, we will adopt the IETF AAA architecture to build the universal AAA infrastructure; otherwise, we will design a new AAA architecture for it.
Building IETF AAA Infrastructure
The IETF standardized the Diameter Base Protocol [RFC3588] as an AAA protocol that securely and reliably carries AAA information between AAA clients and AAA servers. The Diameter Base Protocol is the successor of RADIUS [RFC2865], which is widely used in the current Internet. However, RADIUS is basically designed for single-domain use and does not define reliable or secure message transmission mechanisms.
The Diameter Base Protocol only carries AAA information between AAA clients and servers. Functions specific to a service are defined as a Diameter application on top of the Diameter Base Protocol. We have implemented and are distributing the following protocols:
- freeDiameter: an implementation of the Diameter Base Protocol (implemented at NICT)
- DiamEAP: an implementation of the Diameter EAP application, which authenticates and authorizes a user who wants to access the Internet.
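The split between the base protocol and the applications layered on it is visible in every Diameter message header, whose Application-Id field tells a node which application the command belongs to. The following is an added example, not code from this page or from freeDiameter/DiamEAP: a small builder and validating parser for the RFC 3588 message header and AVP encoding. The constants (Diameter EAP Application-Id 5, command codes 257 and 268) are assumed from RFC 3588 and RFC 4072 and do not appear on the page.

```python
import struct

# Assumed protocol constants (from RFC 3588 and RFC 4072, not from the page).
DIAMETER_VERSION = 1
FLAG_REQUEST = 0x80            # R bit in the command flags
AVP_FLAG_VENDOR = 0x80         # V bit: a 4-byte Vendor-ID follows the AVP length
APP_ID_BASE = 0                # common messages such as Capabilities-Exchange
APP_ID_EAP = 5                 # Diameter EAP application (what DiamEAP implements)
CMD_CAPABILITIES_EXCHANGE = 257
CMD_DIAMETER_EAP = 268         # Diameter-EAP-Request / Diameter-EAP-Answer

def build_avp(code, data, mandatory=True):
    """AVP = code(4) flags(1) length(3) data, padded to a 4-byte boundary."""
    flags = 0x40 if mandatory else 0   # M bit
    hdr = struct.pack("!II", code, (flags << 24) | (8 + len(data)))
    return hdr + data + b"\x00" * (-len(data) % 4)

def build_message(cmd_code, app_id, request, hop_by_hop, end_to_end, avps):
    """Serialize a Diameter message: the 20-byte header followed by its AVPs."""
    body = b"".join(build_avp(code, data) for code, data in avps)
    flags = FLAG_REQUEST if request else 0
    header = struct.pack("!IIIII", (DIAMETER_VERSION << 24) | (20 + len(body)),
                         (flags << 24) | cmd_code, app_id, hop_by_hop, end_to_end)
    return header + body

def parse_message(buf):
    """Parse one Diameter message; raise ValueError on version/length inconsistencies."""
    if len(buf) < 20:
        raise ValueError("short header")
    w0, w1, app_id, hbh, e2e = struct.unpack("!IIIII", buf[:20])
    version, length = w0 >> 24, w0 & 0xFFFFFF
    flags, cmd_code = w1 >> 24, w1 & 0xFFFFFF
    if version != DIAMETER_VERSION:
        raise ValueError("unsupported version %d" % version)
    if length != len(buf) or length % 4:
        raise ValueError("length field %d does not match %d bytes" % (length, len(buf)))
    avps, pos = [], 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, w = struct.unpack("!II", buf[pos:pos + 8])
        aflags, alen = w >> 24, w & 0xFFFFFF
        hdr_len = 12 if aflags & AVP_FLAG_VENDOR else 8
        if alen < hdr_len or pos + alen > length:
            raise ValueError("bad AVP length %d at offset %d" % (alen, pos))
        avps.append((code, buf[pos + hdr_len:pos + alen]))
        pos += alen + (-alen % 4)   # the AVP length excludes padding; skip it here
    return {"request": bool(flags & FLAG_REQUEST), "cmd": cmd_code,
            "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": avps}
```

A peer receiving a message can dispatch on `app_id` (0 for base-protocol commands, 5 for the EAP application) only after the length checks pass; the parser refuses truncated buffers and AVP lengths that overrun the message.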