
Cisco IOS XE Intelligent Services User Manual

Cisco IOS XE Intelligent Services
358 pages
Overview of ISG
Information About ISG
Trust Model
Trust levels are determined by the security needs of a particular application domain and the inherent
security afforded by the subscriber network. In the following situations, it may not be necessary to
authenticate subscriber identity:
• When security is not considered paramount
• When end-to-end security is provided in-band
• When the subscriber network is intrinsically secure
Whether or not subscribers must be authenticated will influence the choice of access protocol. When
authentication is not required, control policies may be used to determine authorization and other session
policy on the basis of subscriber identity.
Where authentication is considered necessary, the authenticated identity may be trusted:
• For the duration of the session
• Until a periodic reauthentication is instigated
• Beyond the duration of a session; for example, for the lifetime of a subscription
For complete security, cryptographic methods may be used to secure the session (to the edge) following
authentication, obviating the need for reauthentication. However, there are administrative and
performance overheads associated with this practice.
Subscriber Access Model
The trust model will, to a large extent, determine the choice of access protocol. However, the access
model will also depend on other factors such as the underlying media (for example, ATM versus
Ethernet), type of endpoint (for example, PC, cell phone, PDA), mobility requirements, the system’s
ability to influence the software installed on a subscriber device, and scalability requirements.
Single Sign-On Requirements
Where a subscriber will have access to services provided by other devices in the administrative domain
of the access or service provider, is an additional authentication required, or should the identity of the
subscriber be trusted? It may be necessary for the device providing the service to query the access device
to collect additional subscriber identity information and ascertain whether the subscriber has already been
authenticated by the access device. The single sign-on facility is provided through the “session query”
capability of Change of Authorization (CoA).
Network Forwarding
How should subscribers be given access to network services? Network forwarding options include the
following:
• Layer 2 connections; for example, a Layer 2 Tunneling Protocol (L2TP) tunnel to an L2TP network server (LNS)
• Layer 3 connections, by associating all session packets with a particular VRF or routing domain
