Access Control for Carrier Ethernet-based Service Delivery: The Service-Port Policy Enforcement
|Series:||-||Book title:||TERENA Networking Conference 2010 (TNC 2010)|
Broadband access networks have experienced a significant evolution in the last few years, in terms of convergence, QoS, security or ubiquity. In this context, Carrier Ethernet has appeared as a technology which claims to address all this aspects, and whose deployment is supported by the Metro Ethernet Forum and Broadband Forum.
Nowadays, providers tend to offer multi-play services (voice, video and data) over the same network and service delivery is shifting from traditional scenarios to new ones, in which services are provided by third-party entities.
A new secure and dynamic scenario is presented, in which end users can access simultaneously a variable number of services. These users are authenticated and authorized per service before access is granted to them. Extensions to IEEE 802.1X standard are introduced: the service port and EAPoM protocol are the two main contributions to this new scenario. Furthermore, a profile based configuration procedure allows the secure configuration of nodes.
The main restriction of 802.1X is that the access control is done by user instead of by service. This proposal introduces the service port as the basic element for policy enforcement of access control that enables the operation of the EAPoM protocol. This splits the logical port into new ports, each of which has its own associated AAA process that rules the access to each service. This multiplicity of authentication processes is supported by EAPoM, which is able to differentiate multiple EAP processes from the same customer.
A working prototype has been implemented in a Linux-based environment.