Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Slides:



Advertisements
Similar presentations
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
Advertisements

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
RadSec – A better RADIUS protocol
Internet Protocol Security (IP Sec)
Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.
ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman
Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Using Digital Credentials On The World-Wide Web M. Winslett.
802.1x EAP Authentication Protocols
Adaptive Web Caching: Towards a New Caching Architecture Authors and Institutions: Scott Michel, Khoi Nguyen, Adam Rosenstein and Lixia Zhang UCLA Computer.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Internet Protocol Security (IPSec)
1CS 6401 Peer-to-Peer Networks Outline Overview Gnutella Structured Overlays BitTorrent.
ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman
1 Multi-Protocol Label Switching (MPLS) presented by: chitralekha tamrakar (B.S.E.) divya krit tamrakar (B.S.E.) Rashmi shrivastava(B.S.E.) prakriti.
Host Identity Protocol
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
WIRELESS LAN SECURITY Using
Chapter 6: Packet Filtering
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.
Connect. Communicate. Collaborate Combining RADIUS with Secure DNS for Dynamic Trust Establishment between Domains Henk Eertink †, Arjan Peddemors †, Roy.
Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.
Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.
CH2 System models.
Networks – Network Architecture Network architecture is specification of design principles (including data formats and procedures) for creating a network.
SECURITY-AWARE AD-HOC ROUTING FOR WIRELESS NETWORKS Seung Yi, Prasad Naldurg, Robin Kravets Department of Computer Science University of Illinois at Urbana-Champaign.
SAMANVITHA RAMAYANAM 18 TH FEBRUARY 2010 CPE 691 LAYERED APPLICATION.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Security in Ad Hoc Networks. What is an Ad hoc network? “…a collection of wireless mobile hosts forming a temporary network without the aid of any established.
Interdomain multicast routing with IPv6 Stig Venaas University of Southampton Jerome Durand RENATER Mickael Hoerdt University Louis Pasteur - LSIIT.
Interdomain IPv6 multicast Stig Venaas UNINETT. PIM-SM and Rendezvous Points Interdomain multicast routing is usually done with a protocol called PIM-SM.
Draft-ietf-abfab-aaa-saml Josh Howlett IETF 90. Remaining issues (recap from IETF 89) SAML naming of AAA entities The focus of this presentation Alejandro.
IPv6 Site-Local Discussion Bob Hinden & Margaret Wasserman IETF 56 San Francisco March 2003.
1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Dynamic Host Configuration Protocol (DHCP)
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
Workshop roaming services: eduroam / govroam
CMSC Presentation An End-to-End Approach to Host Mobility An End-to-End Approach to Host Mobility Alex C. Snoeren and Hari Balakrishnan Alex C. Snoeren.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Introduction to Active Directory
Design Considerations for the Common MIH Protocol Functions draft-hepworth-mipshop-mih-design-considerations-01 Ele Hepworth (*), Robert Hancock, Srinivas.
Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Project Moonshot Daniel Kouřil EGI Technical Forum
RADIUS By: Nicole Cappella. Overview  Central Authentication Services  Definition of RADIUS  “AAA Transaction”  Roaming  Security Issues and How.
Introduction to Port-Based Network Access Control EAP, 802.1X, and RADIUS Anthony Critelli Introduction to Port-Based Network Access Control.
Draft-howlett-abfab-trust-router-ps ABFAB, IETF83 Josh Howlett & Margaret Wasserman.
CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López
IMPROVING OF WIRELESS MESH NETWORKS.
Integration of and Third-Generation Wireless Data Networks
European AFS & Kerberos Conference 2010
Lecture 4a Mobile IP 1.
Presentation transcript:

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.

Introduction The ABFAB architecture does not require any particular AAA strategy for connecting RPs to IdPs. This presentation describes a particular strategy that has some advantages over some existing strategies. The good news: the technology is very simple. The bad news: the motivations are less obvious. Most of this presentation is about describing the problem.

ABFAB architecture The ABFAB substrate provides four functions: – Transport: how messages are conveyed between client and server – Server discovery: how messages find a server – Trust establishment: how the client/server establish confidence that they are talking to the right client/server. – Rules determination: how the client/server decide what they should infer from the messages, and how they should behave in that regime. AAA client AAA server Relying party domain Identity Provider domain ABFAB substrate User

RADIUS substrate (1) Transport Hop-by-hop UDP datagram Server discovery Hop-by-hop realm matching, static configuration at each hop. Trust establishment Hop-by-hop shared secret, static configuration at each hop. Rules determination Locally configured policy, static configuration at each hop. AAA client AAA server Relying party domain Identity Provider domain

Static configuration is simple… AAA client AAA server IETF 80 eduroam network JANET(UK) cz eu uk Send ‘ja.net’ towards destination ‘uk’

…until it isn’t. AAA client AAA server IETF 80 eduroam network JANET(UK).cz.eu.uk Send ‘ja.net’ towards destination ‘uk’ AAA client IETF 81 eduroam network.us.ca Send ‘ja.net’ towards destination ‘eu’

Static configuration doesn’t scale… As an AAA system scales, you need to maintain more configuration across more nodes. The configuration is necessarily dissimilar between AAA nodes, but the entire system needs to behave as though all nodes share a consistent view of the entire system. Inconsistency may result in undesirable behaviour. Inventing an ad hoc solution within a single domain is trivial. The multi- domain case is also tractable, providing there is close coordination. However, if ABFAB is successful the potential number of domains and overall system size is considerable: coordination will be challenging. We need a standard mechanism that enables AAA nodes within a large and loosely-coupled AAA system to behave as though they share a consistent view of the entire system.

…that’s why we have routing protocols We already have a protocol that allows IP routers to replicate routing configuration: BGP. What if AAA configuration could be replicated between AAA nodes using a ‘trust router’ protocol? AAA nodes could use this protocol to advertise: – NAI realms: for server discovery. – Rules regimes: for rules determination.

Trust router protocol eu usca uk Announce eduroam: ja.net ja.net

Trust router RADIUS substrate (2) Transport Hop-by-hop UDP datagram Server discovery Realm matching using Trust Router protocol Trust establishment Hop-by-hop shared secret, static configuration at each hop Rules determination Trust router protocol; peer known implicitly. AAA client AAA server Relying party domain Identity Provider domain

Well, we have RadSec… RadSec is RADIUS over TLS or DTLS Invoke PKI to banish hop-by-hop security; permits e2e trust establishment. Knowing your peer explicitly may improve rules determination. Other benefits: – Prevents exposure of information to intermediate AAA nodes. – Reduces EAP transmission latency.

DNS & PKI RadSec substrate (1) Transport TLS/TCP Server discovery DNS Trust establishment PKI Rules determination Locally configured policy, peer known explicitly; static configuration at each hop. AAA client AAA server Relying party domain Identity Provider domain

A single PKI for ABFAB deployments? A PKI environment is a one-to-many relationship; an issuer’s policies may impose costs on some subset of those RPs that are not relevant to their business relationship(s). A one-to-one relationship allows the actors to agree their requirements without consideration of irrelevant actors in the system. But pairwise credentials don’t scale, right?

Didn’t we just fix the multiple credential problem? We’ve just invented a mechanism that enables a single EAP credential to be used against all RPs that trust the EAP server. An AAA server is just another RP; let’s apply ABFAB to RadSec! “WTF!” is a perfectly understandable response at this point.

RadSec substrate (2) AAA client (EAP peer) AAA server (EAP authenticator) Relying party domain Identity Provider domain EAP server Transport TLS/TCP Server discovery Trust Router Trust establishment ABFAB Rules determination Trust Router ABFAB EAP credential AAA credential

Key Negotiation Protocol KNP enables a RadSec client and server to dynamically establish a short-lived credential for a subsequent RadSec connection. KNP uses EAP authentication of credentials issued to the AAA client by an EAP server that is also trusted by the AAA server. The EAP server is called the ‘Introducer’. The process of establishing the RadSec credential between AAA client and server is called ‘Introduction’.

KNP substrate AAA client (EAP peer) AAA server (EAP authenticator) Relying party domain Identity Provider domain Introducer (EAP server) Transport TLS/TCP Server discovery Trust Router Trust establishment KNP Introduction Rules determination Trust Router KNP Introduction

Transitive operation Not all AAA nodes share a common Introducer. An Introducer can also be party as AAA client or server to an Introduction. This enables transitive introduction: the AAA client recurses along a path of Introducers to the AAA server.

Trust router Transitive KNP substrate AAA client AAA server Relying party domain Identity Provider domain Introducer Transport TLS/TCP Server discovery Trust Router Trust establishment Transitive KNP Introduction Rules determination Trust Router Introducer K1 K2 K3

System overview The system actors are Introducers and KNP-aware (‘active’) AAA nodes. Introducers credential trusted AAA nodes, and each other with long-lived credentials. These probably correspond to business agreements. Introducers announce and consume routing configuration data (names and rules). Transitive KNP and these long- term credentials allow the dynamic establishment of short-lived RadSec credentials. The short-lived credentials may be cached to avoid repetitive recursion. The active nodes may be proxies for non-KNP aware (‘passive’) AAA nodes. Introducer cloud ‘Active’ AAA nodes ‘Passive’ AAA nodes

Conclusions RadSec KNP places the costs associated with establishing a business relationship with the parties concerned, without drawing in irrelevant actors. KNP and the Trust Router protocol complement the ABFAB architecture by providing a substrate with properties that are particularly suitable for loosely- coupled systems. KNP is itself an application of ABFAB, that re-uses existing components. Therefore, it does not require substantial new invention. Project Moonshot is planning a KNP implementation for Q3/Q

Example 1: no cached state User connected to service. Its AAA client obtains the server realm from the user’s NAI. example.com

Example 1: no cached state AAA client determines a path through the Introducer cloud to the AAA server that meets its policy. example.com

Example 1: no cached state AAA client walks along the Introducer path, establishing a short-lived RadSec credential at each hop. example.com K1 K2 K3 K4

Example 1: no cached state AAA client establishes a RadSec connection with the AAA server, and the user’s credentials are authenticated across this connection. example.com

Example 2: intermediate cached state User connects to service. Its AAA client obtains the server realm from the user’s NAI. example.com

Example 2: intermediate cached state AAA client determines a path through the Introducer cloud to the AAA server that meets its policy. example.com

Example 2: intermediate cached state AAA client determines that it already has a non- expired key for an intermediate Introducer. The client begins walking from this Introducer, avoiding the first two hops, establishing a short-lived RadSec credential at the subsequent hops. example.com K1 K2

Example 2: intermediate cached state AAA client establishes a RadSec connection with the AAA server, and the user’s credentials are authenticated across this connection. example.com

Example 3: AAA server cached state User connected to service. Its AAA client obtains the server realm from the user’s NAI. example.com

Example 3: AAA server cached state AAA client determines that it already has a non- expired key for the AAA server. example.com

Example 3: AAA server cached state AAA client establishes a RadSec connection with the AAA server, and the user’s credentials are authenticated across this connection. example.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.