ereg: an intelligent network capability set for user and infrastructure enum
DESCRIPTION
V1.0 30-Jan-04. ETSI 1 st ENUM Workshop Sophia Antipolis, France 24-25 Feb 2004. EREG: an Intelligent Network capability set for User and Infrastructure ENUM. Tony Rutkowski [email protected] VeriSign Switzerland Andrew Newton [email protected] VeriSign Labs. Outline. - PowerPoint PPT PresentationTRANSCRIPT
EREG: an Intelligent Network capability set for User and Infrastructure ENUM
Tony [email protected] Switzerland
Andrew [email protected] Labs
ETSI 1st ENUM WorkshopSophia Antipolis, France24-25 Feb 2004
V1.0 30-Jan-04
Outline Overview of EREG – the ENUM Registry
“Intelligent Network” Reference models and interfaces Security and authentication Applications Policy developments Activities and status
Capability Sets
PSTN Intelligent Network
(IN) Capability Sets
definable provider relationships and access arrangements
protocol suite for discovery and query of distributed subscriber data among telecom providers
ENUM Internet Registry
Information Service (IRIS) EREG
definable provider relationships and access arrangements
protocol suite for discovery and query of distributed ENUM registration data among ENUM registries
Internet Registry Information Service (IRIS) Developed in IETF to provide capability sets existing in
telecom Intelligent Network environment Text based protocol designed to allow registries of
Internet resources to express query and result types specific to their needs while providing a framework for authentication, structured
data, entity references and search continuations Encompasses the following
a decentralized system using DNS hierarchies where possible for location
built upon standard Internet building blocks does not impose any informational trees or matrices may be used with multiple application transports,
including BEEP
IRIS Status Prime focus of CRISP (Cross Registry Information
Service Protocol) working group of the IETF Chaired by April Marine [email protected]
and George Michaelson [email protected] A new specification for use by registries of Internet
resources globally Requirements are done Protocol selection is done Now refining IRIS for publication as a standard
Applying what we have learned about operating services over the Internet from the 20 intervening years to the problems of today
Implementation tool sets available as freeware and for plugtest demonstrations
IRIS attributes XML based Internationalization
Localization of data tags and content Identifying contact equivalences Support of Internationalized Domain Names
Unified Service Structured queries and results
IRIS General Concepts Each kind of Internet registry is identified by a registry type
The identifier for a registry type is a URI used within the XML instances to identify the XML schema formally describing the set of queries, results, and entity classes allowed within that type of registry
The structure of these URN's makes no assumptions or restrictions on the type of registries IRIS may support multiple registry types of disparate or similar nature; it is only a matter of definition a single registry type may be defined for domain name registries while multiple registry types may be
defined for the various IP address registries A registry information server may handle queries and serve results for multiple registry types
Each registry type that a particular registry operator serves is a registry service instance IRIS and the XML schema are independent of the registry service maintenance systems
IRIS is a specification for a framework with which these registries can be defined, used, and interoperate The framework merely specifies the elements for registry identification and the elements which must be
used to derive queries and results Allows a registry type to define its own structure for naming, entities, queries, etc. through the
use of XML namespaces and XML schemas a registry type is identified by the same URI that identifies its XML namespace.
Framework defines certain structures common to all registry types references to entities, search continuations, entity classes, and more registry type may declare its own definitions for all of these, or it may mix its derived definitions with the
base definitions IRIS defines two types of referrals, an entity reference and a search continuation
An entity reference indicates specific knowledge about an individual entity A search continuation allows for distributed searches Both referrals may span differing registry types and instances No assumptions or specifications are made about roots, bases, or meshes of entities
IRIS Framework
Registry-Specific :: Defines queries, results, and entity classes of a specific type of registry. Each specific type of registry is identified by a URN
Common-Registry :: Defines base operations and semantics common to all registry types such as referrals, entity references, etc. It also defines the syntaxes for talking about specific registry types.
Application-Transport :: Defines the mechanisms for authentication, message passing, connection and session management, etc. It also defines the URI syntax specific to the application-transport mechanism. However, because of the separation of the layers, other transports can be used and have been defined.
IRIS
[any defined transport]
Registry-Specific
Common-Registry
Application-Transport
Domain Address etc
ENUM Registry Information Service (EREG) An IRIS implementation developed specifically for
infrastructure and user ENUM Meets requirements in Secs. 10.2,10.4, C.2 of ETSI
TS 102 051 V1.1.1 (2002-07), ENUM Administration in Europe
Provides WHOIS/NICNAME equivalent requirements in Sec. 3 of ETSI TS 102 172 V1.1.1 (2003-03), Services and Protocols for Advanced Networks (SPAN); Minimum requirements for interoperability of European ENUM trials
Meets requirements in ETSI TS 101 331 V1.1.1 (2001-08), Telecommunications security; Lawful Interception (LI); Requirements of Law Enforcement Agencies
Allows potential IN-like capabilities such as caller-id or fraud checking
EREG Framework
EREG ModelTier 0 Registry
Tier 1 Registry
ENUM Tier 2Nameserver Provider
ENUM Registrar
Registrant(ENUM End User)
Applications
Validation function
EREG Security Designed for distributed data that occurs in ENUM
architectures, with defined methods for finding the right server
Ability to control who gets the info Critical need for network administration and law
enforcement
$iris kosters.net Kosters, Mark US
$iris –cert fbi.cert kosters.net Kosters, Mark 13121 Fox Shadow Lane Clifton, VA 20124 US 703-948-3362
Authentication and Authorization Distinction
Authentication – the process used to verify the identity of a user
Authorization – the access policies applied to a user based on authentication
Authentication mechanisms facilitate authorization schemes Authentication mechanisms
passwords, one-time passwords, digital certificates, references
Authorization schemes user-based, sequence-based, chain-based, attribute-based,
time-based, referee-based
Digital Certificates Use a branch of mathematics called public key
cryptography to conduct authentication. Used in conjunction with TLS, they also allow for server
authentication and session encryption. Facilitate the following authorization schemes:
user-based chain-based attribute-based time-based
Certificate ChainsAuthorization can be based on
one of the certificates in the chain.
Example: If the certificate is signed by
the “lea CA” Allow access to all contact
data If the certificate is signed by
the “regr CA” Allow access only to all
domain and registrant data
Attributes in Certificates Information attributes in
certificates are cryptographically secure.
Example: If the “Type” attribute in the
certificate equals “LEA” Allow access to all contact
data If the “Type” attribute in the
certificate equals “Registrar” Allow access only to all
domain and registrant data
EREG Referrals The IRIS protocol
allows a server to pass extra information via a client to a referent server.
This information may contain authentication data, thus allowing a referee-based authorization policy.
EREG Navigation of Servers and Data Navigation of DNS to help
find an authoritative server. Query Distribution with
entity references and search continuations.
Relay bags to enable common index servers.
Structured queries and results give clients the knowledge to display relationships.
EREG: query types and elements
<findEnumsByRegistrant> finds ENUMs by searches on fields associated with a
registrant Allowable search fields include <contactHandle>
<commonName>, <organization> <eMail> <sip> <city>, <region>, <postalCode>, <country>
Provides optional <language> elements containing language tags
<findContacts> Query <findEnumsByHost> Query
Includes host name, host handle, IPv4 address, or IPv6 address of the name server
EREG: enum result elements <e164Number> <enumHandle> <nameServer> <registrant> <contact>
<technicalContact> <administrativeContact>
status <reservedDelegationStatus> - permanently inactive <assignedAndActiveStatus> - normal state <assignedAndInactiveStatus> - new delegation <assignedAndOnHoldStatus> - dispute <revokedStatus> - database purge pending <unspecifiedStatus>
<delegationReference> <registry> <registrar> <initialDelegationDateTime> <lastRenewalDateTime> <iris:seeAlso>
EREG: other result types
<host> <contact> <registrationAuthority> <authenticationAuthority> <iris:lookupEntity> Error results
<searchTooWide> <languageNotSupported>
EREG XML Schema
EREG Policy Developments Operational
EREG provides critical capabilities among providers to securely maintain the basic services to troubleshoot to create new applications and offerings to subscribers such as callerID,
fraud detection, etc EREG allows providers to define policies and contractual
obligations among themselves and express them as access rights EREG can support multiple transport layer options and different
subscriber maintenance systems Governmental
EREG provides capabilities long demanded of communication service providers by national regulators and law enforcement authorities to maintain authoritative subscriber information to produce subscriber information quickly upon lawful order
EREG is an open protocol based on XML that is being supported by eGovernment initiatives in Europe and worldwide
Extensive open source software and information available by VeriSign Labs for PlugTestshttp://iris.verisignlabs.com
dregquery
EREG Implementations and Interoperability Underway at providers and university
testbeds - Q2 2004 Plugtest interoperability demonstrations for
EREG in conjunction with infrastructure and user ENUM - Q3 2004
Additional Links and Information See A. Newton, IRIS - An ENUM Registry
(ereg) Type for the Internet Registry Information Service, draft-newton-iris-ereg-01, October 24, 2003
IETF CRISP Working Group http://www.ietf.org/html.charters/crisp-charter.html