EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.


Document (Recent) History
March '09 – consensus that draft is ready for WGLC at IETF 74
May '09 – tried to address comments from Klaas' detailed review
July '09 – added clarifying text to address more comments on the list; more discussions about "authorization" capabilities of channel bindings and EAP in general
October '09 – narrowed scope to solving the lying NAS / lying provider problems, i.e. removed authorization capabilities; updated AAA attributes for channel binding TLVs

Change #1: "scope of draft" (Section 1)
What aspect of channel bindings should and can be solved by the proposed protocol?
– mitigate lying NAS problem
– mitigate lying provider problem
Removed:
– check whether peer is authorized to access requested services in the manner described by NAS

Change #1: "scope of draft" (cont'd)
Solution: specify channel binding protocol
– protocol includes verification of channel binding information
Removed: policy database
[Figure: EAP peer, Authenticator, and AAA/EAP server; i1 carried from the authenticator to the peer, i2 carried from the authenticator to the AAA server, local DB info held at the server, result CB_success/failure(i1, i2, info)]

Why we still need a local database
AAA protocol not sufficient for comparing i1 and i2:
– i1 and i2 may both be false
– i2 likely not sufficient to detect lying providers due to "message laundering" by AAA intermediaries
– i1 is not restricted to AAA attributes: not all information of interest can be encoded in AAA attributes, and defining numerous new AAA attributes seems like a bad idea!
Using a local DB enables checking
– against a trustworthy set of information
– consistency of i1 and i2 rather than equality, e.g. do MAC and IP address belong to the same device?
⇒ authentication & integrity of channel binding info (not authorization!)

Change #2: "what is verified?" (Section 5.2)
Channel binding information
– i1: any info that is part of the NAS beacon / EAP Identity request
– i2: any AAA attribute exchanged between authenticator and AAA server as part of the ongoing EAP exchange
Channel binding verification checks whether
1. the authenticator is lying to the peer (i1 false?)
2. the authenticator (or AAA intermediaries) is lying to the AAA server (i2 false?)
Removed:
– rules derived from network policies & stored in local DB
– check whether authenticator is violating any policies

Change #3: "set up local database" (Section 10)
Simplified setup of local database
– only needs to contain known information about authenticators and roaming partners, e.g. MAC/IP addresses, roaming fees, used for the consistency check of i1 and i2
Removed:
– policy engines
– training phase to learn behavior that should be authorized
– policy rules for home and service provider networks
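The slides above ("Why we still need a local database", "what is verified?" and "set up local database") describe the server-side check but show no code. The following is an added illustration, not code from the draft or its authors: an EAP server compares i1 (what the NAS advertised to the peer) and i2 (the AAA attributes the authenticator sent) against a small local database of known authenticators, and reports separately whether the authenticator appears to be lying to the peer or to the AAA server. The attribute names (mac, ip, ssid, roaming_fee), the database contents, the CBResult shape and the sample inputs are all constructed for the example and are not the draft's TLV encoding; the example also covers the case the slides call out, a provider that lies consistently in both directions so that i1 and i2 are equal but both false.

```python
from dataclasses import dataclass, field

# Constructed local DB of known authenticators / roaming partners, keyed by the
# authenticator's MAC address. Sample values only, not from the draft.
LOCAL_DB = {
    "00:11:22:33:44:55": {"ip": "192.0.2.10", "ssid": "home-net", "roaming_fee": 0},
    "66:77:88:99:aa:bb": {"ip": "192.0.2.20", "ssid": "partner-net", "roaming_fee": 5},
}


@dataclass
class CBResult:
    """Outcome of the channel binding verification (constructed shape)."""
    success: bool
    i1_false: bool            # authenticator lying to the peer?
    i2_false: bool            # authenticator or AAA intermediary lying to the server?
    reasons: list = field(default_factory=list)


def _consistent_with_db(info, known, label, reasons):
    """True if every attribute in `info` that the DB also knows agrees with it."""
    ok = True
    for key, value in info.items():
        if key in known and known[key] != value:
            reasons.append(f"{label}.{key}={value!r} contradicts DB value {known[key]!r}")
            ok = False
    return ok


def verify_channel_binding(i1, i2, db=LOCAL_DB):
    """Server-side check of i1 (advertised to the peer) and i2 (sent over AAA).

    Each set is compared with the trusted DB record rather than only with the
    other set, so a NAS that lies consistently in both directions is still
    caught, and a MAC in i1 is checked against the IP reported in i2 through
    the record that links them.
    """
    reasons = []
    mac = i1.get("mac", i2.get("mac"))
    record = db.get(mac)
    if record is None:
        # Nothing trustworthy to compare against: neither side can be accepted.
        return CBResult(False, True, True, [f"unknown authenticator {mac!r}"])
    known = dict(record, mac=mac)
    i1_ok = _consistent_with_db(i1, known, "i1", reasons)
    i2_ok = _consistent_with_db(i2, known, "i2", reasons)
    # Attributes present in both sets but unknown to the DB can only be checked
    # for agreement: a mismatch means at least one side lied, but not which.
    unresolved = False
    for key in (i1.keys() & i2.keys()) - known.keys():
        if i1[key] != i2[key]:
            reasons.append(f"i1.{key}={i1[key]!r} disagrees with i2.{key}={i2[key]!r}")
            unresolved = True
    return CBResult(i1_ok and i2_ok and not unresolved, not i1_ok, not i2_ok, reasons)


if __name__ == "__main__":
    # Constructed sample: partner NAS advertises free roaming to the peer and
    # reports the same false fee over AAA, so i1 == i2 yet both are wrong.
    r = verify_channel_binding(
        {"mac": "66:77:88:99:aa:bb", "roaming_fee": 0},
        {"mac": "66:77:88:99:aa:bb", "ip": "192.0.2.20", "roaming_fee": 0},
    )
    print(r)
```

A plain equality check between i1 and i2 would accept the last sample, which is exactly the "both false" case the slide uses to argue for a trustworthy local record.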

Change #4: "attribute update" (Section 7.3)
Removed outdated s attribute from list of channel binding TLVs

Conclusions
– All open issues on the list have been addressed in the -04 draft
– Request WG review of -04 version
– Ready for WG last call?