ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Slides:



Advertisements
Similar presentations
ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.
Advertisements

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Secure Network Bootstrapping Infrastructure May 15, 2014.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.
Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman
Abstraction and Control of Transport Networks (ACTN) BoF
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.
(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.
1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)
Digital Object Architecture
EAP Bluetooth Extension Draft-kim-eap-bluetooth-00 Hahnsang Kim (INRIA), Hossam Afifi (INT), Masato Hayashi (Hitachi)
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.
Trust- and Clustering-Based Authentication Service in Mobile Ad Hoc Networks Presented by Edith Ngai 28 October 2003.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.
Introduction to OSPF Nishal Goburdhan. Routing and Forwarding Routing is not the same as Forwarding Routing is the building of maps Each routing protocol.
Dynamic Virtual Networks (DVNE) Margaret Wasserman & Paddy Nallur November 11, 2010 IETF Beijing, China.
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Distributed Authentication in Wireless Mesh Networks Through Kerberos Tickets draft-moustafa-krb-wg-mesh-nw-00.txt Hassnaa Moustafa
Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.
Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Peering Considerations for Directory Assistance and Operator Services - John Haluska Telcordia SPEERMINT, IETF 68 Prague, Czech Republic 20 March 2007.
EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao
Draft-ietf-abfab-aaa-saml Josh Howlett IETF 90. Remaining issues (recap from IETF 89) SAML naming of AAA entities The focus of this presentation Alejandro.
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
RFC 4477 DHCP: Dual-Stack Issues Speaker: Ching-Chen Chang Date:
Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN.
Support of fragmentation of RADIUS packets in authorization exchanges draft-perez-radext-radius-fragmentation IETF87 – RADEXT Diego R. Lopez - Telefónica.
Doc.: IEEE 11-04/0319r0 Submission March 2004 W. Steven Conner, Intel Corporation Slide 1 Architectural Considerations and Requirements for ESS.
KAIS T On the problem of placing Mobility Anchor Points in Wireless Mesh Networks Lei Wu & Bjorn Lanfeldt, Wireless Mesh Community Networks Workshop, 2006.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Introduction to Active Directory
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch.
Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.
Introduction & use-cases FedAuth IETF78 Maastricht, July 27, 2010
Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.
Content Distribution Internetworking IETF BOF December 12, 2000 Phil Rzewski Gary Tomlinson.
Extensions to PCEP for Hierarchical Path Computation Elements PCE draft-zhang-pcep-hierarchy-extensions-00 Fatai Zhang Quintin Zhao.
1 IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: EAP Pre-authentication Problem Statement in IETF HOKEY WG Date Submitted: September,
Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Project Moonshot Daniel Kouřil EGI Technical Forum
DOTS Requirements Andrew Mortensen November 2015 IETF 94 1.
Draft-howlett-abfab-trust-router-ps ABFAB, IETF83 Josh Howlett & Margaret Wasserman.
CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López
Diagnosing PIM Protocol States PIM Working Group
Cryptography and Network Security
European AFS & Kerberos Conference 2010
Authentication Applications
Presentation transcript:

ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Why Am I Here? Published new draft on how to support a Multihop Federations in ABFAB – draft-mrw-abfab-multihop-fed-01.txt Presenting new technical work we are doing on top of the core ABFAB framework – This work is not in the ABFAB charter (yet) – Not asking the WG to adopt this work (yet) Here to get your feedback/comments

Multihop Federations Draft describes a mechanism for establishing trust across a multihop ABFAB federation – Where not all AAA Clients and Servers are connected via a single AAA server – Replaces current multihop AAA substrate with manual configuration at every hop Introduces a new ABFAB entity called the Trust Router – Trust router and KNP are combined to provide support for multihop federations

Trust router protocol eu usca uk Announce eduroam: ja.net ja.net

Trust router RADIUS substrate Trust Router allows path selection through the AAA fabric But, static configuration is still required at each hop for trust establishment AAA client AAA server Relying party domain Identity Provider domain

RadSec with ABFAB AAA client (EAP peer) AAA server (EAP authenticator) Relying party domain Identity Provider domain EAP server Allows trust to be established using ABFAB, not PKI However, not all AAA clients and AAA servers in a large federation will be connected via a single AAA server ABFAB EAP credential AAA credential

Key Negotiation Protocol KNP enables a RadSec client and server to dynamically establish a short-lived credential for a subsequent RadSec connection. KNP uses EAP authentication of credentials issued to the AAA client by an EAP server that is also trusted by the AAA server. The EAP server is called the ‘Introducer’. The process of establishing the RadSec credential between AAA client and server is called ‘Introduction’.

KNP Introduction AAA client (EAP peer) AAA server (EAP authenticator) Relying party domain Identity Provider domain Introducer (EAP server) When an AAA Client and a AAA Server are connected via a single KNP Introducer, this is referred to as a Trust Link KNP Introduction

Transitive operation Not all AAA nodes share a common Introducer. An Introducer can also be party as AAA client or server to an Introduction. This enables transitive introduction: the AAA client recurses along a path of Introducers to the AAA server.

Transitive Use of KNP AAA client AAA server Relying party domain Identity Provider domain Introducer When a AAA Client can reach a AAA Server through a chain of KNP Introducers, this is a Trust Path How does the RP know what path to traverse? It asks it’s local Trust Router! Introducer K1 K2 K3

Trust Link A Trust Link represents an available KNP hop between a Trust Router and and another Trust Router or a AAA Server A Trust Link is an assertion that a Trust Router is willing to provide temporary identities to access another element in the ABFAB system – Another Trust Router – Or a AAA Server (Radius, RadSec or Diameter) Shown as a realm name and realm name (type), separated by an arrow – A->B(T) indicates there is a Trust Link from realm A to a Trust Router in realm B – ja.net -> oxford.ac.uk(R) indicates there is a Trust Link from ja.net to a AAA Server in oxford.ac.uk

Trust Path A Trust Path is a series of KNP hops that can be used to reach a AAA server in a destination realm Each KNP hop is called a Trust Link Shown as series of realms and types, connected by arrows – Currently defined types are Trust Router (T) or AAA Server (R) – Example: A -> B(T) -> C(T) -> D(T) -> D(R)

Trust Router Functions Trust Router Protocol – Distributes information about available Trust Links in the network – Calculates a tree of Trust Paths to reach target destinations Trust Path Query – Provide “best” path to a destination realm in response to queries from local RPs Temporary Identity Request – Provision temporary identities that RPs can use to reach the next hop in the Trust Path, in response to KNP requests from RPs – AKA, serve as a KNP Introducer

Trust Router Protocol Exchange information about Trust Links between Trust Routers – Trust Links are unidirectional and of a specific type A -> B(T) does not imply A -> B(R), B -> A(T) or B -> A(R) – Realm names are not necessarily hierarchical, but they may be example-u.ac.uk is not necessarily reached via.uk or.ac.uk Tree of available Trust Paths rooted in local realm is calculated by each Trust Router

Trust Path Query Generated by an RP to request a Trust Path to reach a AAA server in a destination realm When a Trust Path Query is received, the Trust Router: – Authenticates the RP, and checks local policy to determine whether or not to reply – Searches its tree of Trust Paths to find the best path to reach the destination – Returns the best path, if found, to the RP

Temporary Identity Request The RP issues a Temporary Identity Request to obtain an identity that will be used to traverse each link in the Trust Path – The existence of the Trust Link implies that a Temporary Identity Request will be granted

Trust Router Protocol ABFAB Multihop Federation AAA client AAA server Relying party domain Identity Provider domain Introducer Uses ABFAB, KNP and Trust Routers to allow RPs to reach AAA Servers in all destination realms that can be reached through a transitive Trust Path across the federation Minimal per-hop configuration, as needed to define one- to-one trust relationships and express local policy Introducer K1 K2 K3

This Week Presented Trust Router concept in RADEXT and OpsArea – Received constructive feedback – No major objections raised from the AAA community, but there was some discussion about alternative solutions

Questions? Feedback? Questions about what we are proposing? Feedback on this proposal?