Let's look at the security mechanisms which have been adopted for NGN. Now we've studied a lot about NGN architecture and the functional elements: the transport stratum, the service stratum, and the functional entities which are provided at both these strata. But once we try to look at it from the security perspective, then we would be interested in knowing exactly what the overall goal of providing security is and how the NGN community looks at it. So we'd look at the security mechanisms for NGN with regard to the definition of the trusted computing base, known as the TCB, for defining the scope of security. Then we'd look at some trust models which are normally considered to provide certain security services, then well-known mechanisms, and then finally we are going to look at AAA provisioning, which is the most important concern in NGN, through the framework. So the security of NGN is very important compared to the security of non-NGN architectures, primarily because it is about IP-based networks. In IP-based networks the diversity of devices, the heterogeneity, is so huge that each device cannot be considered safe and each device cannot be trusted as such. So the concern is that every device comes with its own software implementation, and it is very hard to determine if it is going to be secure or if it is not going to attack itself. That's one concern. The second concern is that, with smartphones and newer devices coming to the market, the overall intelligence of the user equipment is increasing. So it means the role of software is increasing. So a user could be naive, like a backhoe operator, and could actually, through social engineering, fall prey to certain security threats and attacks. So it means the security of NGN is very important and it has to be based on some kind of formal model. So the trust model which is formally defined here in NGN is actually either the single network trust model or the peering network trust model.
The single network trust model actually means that the overall concern of security is limited to a single network. Even for a single network there are different zones which have to be understood and handled individually. The first one is the trusted zone. The trusted zone actually means the innermost and completely owned infrastructure of the NGN service provider; it actually implies the provider's own network elements. Then there are certain elements which may be trusted at the starting time but may become vulnerable, because these are the devices which are related to the interfacing at the border level with other networks. So these are the border gateways, which may be trusted but may be vulnerable at some other point in time. Then we have untrusted users and user equipment, and we have the provider-controlled and provider-provided equipment, for instance the home gateway; in LTE and LTE-A we have the eNodeB and Home eNodeB. Then the other option of the trust model is the peering network trust model, where the NGN as a network is connected to another network. Now, is that network also another NGN network, or is it a non-NGN network? So the overall trust, or the level of security that can be provided, is going to depend upon the physical connection between the NGN network and another NGN network, or maybe a non-NGN network, as a direct connection. If this direct connection is secured in a building, then we can say that well, the connection is going to be secure and the overall peering of the networks is going to be secured; or if it is going to be done through some kind of third-party transit transport network provider, then the overall security would be dependent upon how secure that transport provider network is. There's another concern in trust, that is the overall business relationship between these networks.
For instance, are the service level agreements between these networks well defined, and if they are well defined, do they also specify security aspects? If not, then it means an NGN provider has to consider other NGN providers as untrustworthy. It means all the security measures have to be provided at their end. So this case is the hardest to cater for. Then we have certain security mechanisms. These security mechanisms actually come from the requirements which are specified in the trust model. Of course the most obvious one is AAA. We've been talking about it earlier as well. In NGN, providing the AAA service is mandatory. It's not optional; but as far as data encryption is concerned, it is optional, because it actually depends on the user requirements, the type of data, and the type of network through which the traffic is being sent. AAA, as authentication, authorization and accounting, actually starts from the identification and validation of the user through certain parameters which are known as a user profile, like username, password, certificate, etc. Authorization actually means: to what services and to what parts of the network is a user entitled access? Then we have accounting, that is actually the metering or the measurement of how many seconds or minutes, or what is the total time elapsed, the total volume of data, the number of messages, number of packets, number of transactions. So this accounting is actually used to keep track of the overall utilization of the network, the subscription of the network, so that a user can be billed, prepaid, postpaid, whatever. And very importantly, in addition, for capacity planning: that is, if the number of users is higher and the network actually is under-budgeted, then it will degrade the service. So using these accounting-based measurements some modeling can be done with regard to load forecasting and resource planning. The overall architecture of AAA is again client-server based.
Once we say client-server, it actually means that the request to initiate authentication, authorization and accounting would be made by someone and then it would be responded to by someone. So the overall AAA system consists of the clients and the servers. Now the servers are actually the ones which are going to authenticate, authorize and account for a particular user. So it means a server is connected to a database of user profiles and configuration information. An example could be a Home Subscriber Server, which can act like an AAA server. So the client actually is on the access network side. Typically it is incorporated either in the user equipment as such or in the access network routers. So the server is centralized and the user equipment or access-network-based client actually can move from one device to the other and so forth, because mobility and portability are very important considerations in NGN. If the AAA service is to be provided at the transport stratum, the client and server actually belong to the network attachment control function. When the transport control function detects a connection request from a user equipment, it starts acting like an AAA client. Now this AAA client makes a request, and this request is sent to the AAA server that is on the same NACF at the transport stratum to perform authentication and authorization. Now the AAA server requests the resource and admission control function, RACF, for reservation and allocation of resources. So once it receives a grant or a permit from the RACF, it notifies the client that you can carry on with connecting the user and its equipment. This is more or less quite similar at the service stratum as well, when an AAA client detects a connection request for a certain service. It follows the same procedure which is followed for the transport control stratum for connectivity. This is the overall architecture.
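To make the three AAA steps and the client/server exchange above concrete, here is an added example; it is not from the lecture or from any NGN specification. It models one connection request the way the lecture describes it: the client forwards the request, the server authenticates the user against a profile store (standing in for the subscriber database), checks what the profile entitles the user to, asks a resource/admission function for bandwidth, and finally records usage for accounting. The profile store, the `RACF` class and all usernames, passwords and bandwidth figures are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed user-profile store standing in for the subscriber database
# (e.g. an HSS) that the AAA server consults. Passwords are kept salted
# and hashed, never in the clear.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_profile(username, password, services, bandwidth_kbps):
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "pw_hash": _hash_pw(password, salt),
            "services": set(services), "bandwidth_kbps": bandwidth_kbps}

PROFILES = {p["username"]: p for p in [
    make_profile("alice", "correct horse", {"voice", "internet"}, 20_000),
    make_profile("bob", "hunter2", {"internet"}, 5_000),
]}

class RACF:
    """Hypothetical resource/admission function: grants bandwidth while it lasts."""
    def __init__(self, capacity_kbps):
        self.free_kbps = capacity_kbps

    def reserve(self, kbps):
        if kbps > self.free_kbps:
            return False
        self.free_kbps -= kbps
        return True

class AAAServer:
    def __init__(self, profiles, racf):
        self.profiles = profiles
        self.racf = racf
        self.accounting = []  # one usage record per accounted session

    def authenticate(self, username, password):
        prof = self.profiles.get(username)
        if prof is None:
            return False
        # Constant-time comparison so a mismatch does not leak timing information.
        return hmac.compare_digest(_hash_pw(password, prof["salt"]), prof["pw_hash"])

    def authorize(self, username, service):
        return service in self.profiles[username]["services"]

    def admit(self, username):
        # Server asks the admission function for the bandwidth the profile allows.
        return self.racf.reserve(self.profiles[username]["bandwidth_kbps"])

    def account(self, username, service, seconds, octets):
        self.accounting.append({"user": username, "service": service,
                                "seconds": seconds, "octets": octets})

class AAAClient:
    """Access-side client: detects the attach request and drives the server."""
    def __init__(self, server):
        self.server = server

    def attach(self, username, password, service):
        if not self.server.authenticate(username, password):
            return "rejected: authentication failed"
        if not self.server.authorize(username, service):
            return "rejected: not entitled to " + service
        if not self.server.admit(username):
            return "rejected: no resources"
        return "granted"

def usage_totals(server):
    """Accounting view: total octets per user, the input to billing or capacity planning."""
    totals = {}
    for rec in server.accounting:
        totals[rec["user"]] = totals.get(rec["user"], 0) + rec["octets"]
    return totals

def demo():
    server = AAAServer(PROFILES, RACF(capacity_kbps=22_000))
    client = AAAClient(server)
    results = [
        client.attach("alice", "correct horse", "voice"),  # all three steps pass
        client.attach("bob", "wrong", "internet"),         # fails authentication
        client.attach("bob", "hunter2", "voice"),          # authenticated, not entitled
        client.attach("bob", "hunter2", "internet"),       # entitled, but only 2000 kbps left
    ]
    server.account("alice", "voice", seconds=120, octets=1_500_000)
    return results, usage_totals(server)

if __name__ == "__main__":
    outcomes, totals = demo()
    for line in outcomes:
        print(line)
    print(totals)
```

Each rejection happens at a different step, which is the point of separating the three functions: a wrong password never reaches the authorization check, and an unentitled service never consumes resources at the admission function.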
You can see that we have the transport stratum first and then we have the service stratum. At the transport stratum we have the network attachment control function. Here we have the AAA client and AAA server functions at the same network element. Similarly, in the service stratum we have the client and server functions incorporated at the service control function, and the request-response interaction is actually taking place between these two, probably on the same network element.