July 16, 2003. Diameter EAP Application (draft-ietf-aaa-eap-02.txt), on behalf of...

Outline of the Presentation
- Part 1: Introduction
- Part 2: Redirects
- Part 3: Protocol details
- Part 4: Security considerations
- Part 5: Next steps

Part 1: Introduction

Introduction
"2869bis plus key AVPs for Diameter": the RADIUS/EAP transport of RFC 2869bis, carried over Diameter, plus AVPs for the keying material.
Scope:
- One EAP conversation, no role reversal
- One NAS, no handoffs or key distribution to multiple NASes
- No new NAS-to-home-server security mechanisms, but the protocol works end-to-end between the NAS and the home server

Basic sequence (initiate EAP)
Parties: Client (EAP peer), NAS, home Server. Client and NAS talk EAPOL; NAS and Server talk Diameter.
1. NAS -> Server: Diameter-EAP-Request, EAP-Payload(EAP start)
2. Server -> NAS: Diameter-EAP-Answer, Result-Code=MULTI_ROUND_AUTH, EAP-Payload(Request(...))
3. NAS -> Client: EAPOL(Request(...))
4. Client -> NAS: EAPOL(Response(...))
5. NAS -> Server: Diameter-EAP-Request, EAP-Payload(Response(...))
   (steps 2-5 repeat for as many rounds as the EAP method needs)
6. Server -> NAS: Diameter-EAP-Answer, Result-Code=SUCCESS, EAP-Master-Session-Key, EAP-Payload(Success)
7. NAS -> Client: EAPOL(Success)
8. Client and NAS: (4-way handshake, keyed from the MSK)

Changes in -02
- Redirects / NASREQ interaction
- Added various protocol details
- RADIUS translation (RFC 2548 translation desirable, too)
- Security considerations

Part 2: Redirects

Redirects and NASREQ interaction
- Without CMS (Diameter end-to-end security), proxy agents can see the EAP MSK, since hop-by-hop TLS/IPsec terminates at every proxy
- Solution in -02 for avoiding proxies:
  - The NAS contacts the home server directly; redirects are used where there would otherwise be a proxy
  - An optional separate request retrieves the authorization AVPs through the proxy chain

Finding the server with redirects
1. NAS -> Proxy: Diameter-EAP-Request, EAP-Payload(EAP start)
2. Proxy -> NAS: Diameter-EAP-Answer, Redirect-Host=..., Redirect-Host-Usage=REALM_AND_APPLICATION
3. NAS -> Server: Diameter-EAP-Request, EAP-Payload(EAP start)

Separate Authorization AVP Retrieval (variant 1)
1. NAS -> Server (directly): Diameter-EAP-Request, Auth-Request-Type=AUTHORIZE_AUTHENTICATE
2. Server -> NAS: Diameter-EAP-Answer, Result-Code=DIAMETER_LIMITED_SUCCESS, EAP-Master-Session-Key, (some authorization AVPs)
3. NAS -> Proxy -> Server: NASREQ AA-Request, Auth-Request-Type=AUTHORIZE_ONLY, (some AVPs from the previous message)

Separate Authorization AVP Retrieval (variant 2)
1. NAS -> Server (directly): Diameter-EAP-Request, Auth-Request-Type=AUTHENTICATE_ONLY
2. Server -> NAS: Diameter-EAP-Answer, Result-Code=DIAMETER_SUCCESS, EAP-Master-Session-Key, (possibly some authorization AVPs)
3. NAS -> Proxy -> Server: NASREQ AA-Request, Auth-Request-Type=AUTHORIZE_ONLY, (some AVPs from the previous message)
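The basic sequence and the redirect path, modelled end to end as an added example (this is not code from the draft). It encodes AVPs in the RFC 3588 header layout, runs the NAS/proxy/server exchange twice, once through a forwarding proxy and once with a redirect, and records which AVPs the proxy got to read. Assumptions: the AVP codes and Result-Code values are the ones later assigned in RFC 3588 and RFC 4072 (this draft predates those assignments), the "EAP method" is an Identity round followed by Success, the MSK is a toy hash, and Session-Id and the other mandatory AVPs of a real command are omitted.

```python
"""Toy Diameter EAP exchange: NAS <-> (Proxy) <-> home server, AVP-level only."""
import hashlib
import struct

# AVP codes and values (assumed: RFC 3588 base protocol, RFC 4072 EAP application)
RESULT_CODE, REDIRECT_HOST_USAGE, REDIRECT_HOST = 268, 261, 292
EAP_PAYLOAD, EAP_MASTER_SESSION_KEY = 462, 464
DIAMETER_MULTI_ROUND_AUTH, DIAMETER_SUCCESS = 1001, 2001
REALM_AND_APPLICATION = 3
# EAP codes / types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY = 1


def avp(code, data, flags=0x40):
    """Encode one AVP: code(4) flags(1) length(3) data, padded to a 4-octet boundary."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * (-len(data) % 4)


def parse_avps(buf):
    """Decode a run of AVPs into a list of (code, data)."""
    out, pos = [], 0
    while pos < len(buf):
        code, _flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        out.append((code, buf[pos + 8:pos + length]))
        pos += length + (-length % 4)
    return out


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) data]."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


class HomeServer:
    """Home AAA server: drives the (toy) EAP conversation and releases the MSK on success."""
    def __init__(self):
        self.msk = None

    def handle(self, request):
        payload = dict(parse_avps(request))[EAP_PAYLOAD]
        if payload == b"":                                   # empty EAP-Payload = EAP start
            return (avp(RESULT_CODE, struct.pack("!I", DIAMETER_MULTI_ROUND_AUTH)) +
                    avp(EAP_PAYLOAD, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
        code, ident, length = struct.unpack_from("!BBH", payload)
        if code == EAP_RESPONSE and payload[4] == EAP_TYPE_IDENTITY:
            identity = payload[5:length]
            # Toy MSK (64 octets): a real method derives it from its own keying material.
            self.msk = hashlib.sha256(b"toy-msk|" + identity).digest() * 2
            return (avp(RESULT_CODE, struct.pack("!I", DIAMETER_SUCCESS)) +
                    avp(EAP_PAYLOAD, eap_packet(EAP_SUCCESS, ident)) +
                    avp(EAP_MASTER_SESSION_KEY, self.msk))
        raise ValueError("unexpected EAP packet")


class Proxy:
    """Proxy agent. 'forward' relays and can read every AVP (no CMS); 'redirect' answers with
    Redirect-Host so the NAS talks to the home server directly and the proxy sees nothing else."""
    def __init__(self, server, mode):
        self.server, self.mode, self.seen = server, mode, set()

    def handle(self, request):
        if self.mode == "redirect":
            return (avp(REDIRECT_HOST, b"aaa://home.example.com") +
                    avp(REDIRECT_HOST_USAGE, struct.pack("!I", REALM_AND_APPLICATION)))
        answer = self.server.handle(request)
        self.seen |= {code for code, _ in parse_avps(request) + parse_avps(answer)}
        return answer


def nas_run(first_hop, server, identity=b"alice@example.com"):
    """NAS side. Returns (msk, result_codes_in_order); follows a redirect if one comes back."""
    peer, results = first_hop, []
    request = avp(EAP_PAYLOAD, b"")                          # EAP start
    while True:
        answer = dict(parse_avps(peer.handle(request)))
        if REDIRECT_HOST in answer:
            peer = server                                    # contact the home server directly
            continue
        rc = struct.unpack("!I", answer[RESULT_CODE])[0]
        results.append(rc)
        if rc == DIAMETER_SUCCESS:
            return answer[EAP_MASTER_SESSION_KEY], results
        # MULTI_ROUND_AUTH: the Request goes to the peer over EAPOL; its Response comes back
        ident = answer[EAP_PAYLOAD][1]
        request = avp(EAP_PAYLOAD, eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity))


def proxy_sees_msk(mode):
    """One run through a proxy in the given mode: (proxy saw the MSK?, NAS got the right MSK?, result codes)."""
    server = HomeServer()
    proxy = Proxy(server, mode)
    msk, results = nas_run(proxy, server)
    return EAP_MASTER_SESSION_KEY in proxy.seen, msk == server.msk, results


if __name__ == "__main__":
    print("forward :", proxy_sees_msk("forward"))   # proxy sees the MSK
    print("redirect:", proxy_sees_msk("redirect"))  # proxy sees only the EAP start
```

In forward mode the proxy's `seen` set contains the EAP-Master-Session-Key AVP code, which is exactly the exposure the slide points at; in redirect mode the proxy handles one message and never sees the key. What the redirect does not buy is authorization of the server the proxy named, which the later slides take up.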

Issues in Redirects
- The authorization AVP retrieval uses NASREQ, since the Diameter realm routing table isn't command-specific
- Who decides whether the separate proxy pass is needed?
- What exactly does a redirect plus elimination of proxies buy us?

Proxy Elimination
+ The key is not shown to other parties
+ Lengthy EAP runs become faster
+ We authenticate the node on the other side
- But untrusted proxies can still misbehave:
  - A proxy might not send a Redirect at all
  - A proxy might send the wrong server's address
=> We need additional authorization:
  - Configuration
  - Attributes in server certificates?
  - NAI realm vs. FQDN in the server check

Diameter authorization
TLS authenticates Diameter nodes, but...
When the NAS talks to foo.example.com, is this actually the server for realm example.com?
- Local configuration
- Trust the redirect agent
- Trust DNS
- Separate CA for servers
- Certificate name matching (+ possibly a separate CA)
- Certificate extensions
When the server gets a connection from bar.example.com, is this a valid access point?
- Separate CA for access points
- Certificate extensions
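One way to turn the two previous slides into a concrete NAS-side check, as an added example (not from the draft): TLS tells the NAS which FQDN it reached; the policy below decides whether that FQDN may serve the realm in the user's NAI. It tries the options from the slide in a fixed order, local configuration first, then a certificate-carried realm attribute, then the "NAI realm vs. FQDN" heuristic with a label-boundary check so that example.com.evil.net is not mistaken for example.com. The certificate structure, the `realms` attribute, the host names and the order of precedence are this example's assumptions.

```python
"""Is the Diameter node the NAS reached authorized for the user's realm?"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """What the NAS learns from the peer's TLS certificate (constructed for the example)."""
    dns_names: set                               # subjectAltName dNSName values
    realms: set = field(default_factory=set)     # hypothetical 'authorized realms' extension


def nai_realm(nai):
    """Realm of an NAI (RFC 4282 style): the part after the last '@', lower-cased."""
    if "@" not in nai:
        raise ValueError("NAI without a realm")
    return nai.rsplit("@", 1)[1].lower().rstrip(".")


def cert_matches_host(cert, fqdn):
    """Hostname binding: exact dNSName match, or a single-label wildcard such as *.example.com."""
    fqdn = fqdn.lower().rstrip(".")
    for name in cert.dns_names:
        name = name.lower()
        if name == fqdn:
            return True
        if name.startswith("*.") and fqdn.count(".") == name.count(".") and fqdn.endswith(name[1:]):
            return True
    return False


def host_within_realm(fqdn, realm):
    """Label-boundary check: foo.example.com is under example.com;
    example.com.evil.net and fooexample.com are not."""
    fqdn, realm = fqdn.lower().rstrip("."), realm.lower().rstrip(".")
    return fqdn == realm or fqdn.endswith("." + realm)


def authorize_server(nai, fqdn, cert, realm_servers=None):
    """Return (ok, reason). Order: TLS name binding, then local configuration (explicit servers
    per realm), then the certificate realm attribute, then the FQDN-under-realm heuristic."""
    realm = nai_realm(nai)
    if not cert_matches_host(cert, fqdn):
        return False, "certificate does not name " + fqdn
    if realm_servers is not None and realm in realm_servers:
        ok = fqdn.lower() in {h.lower() for h in realm_servers[realm]}
        return ok, "local configuration %s %s for %s" % ("lists" if ok else "does not list", fqdn, realm)
    if cert.realms:
        ok = realm in {r.lower() for r in cert.realms}
        return ok, "certificate realm attribute %s %s" % ("covers" if ok else "does not cover", realm)
    ok = host_within_realm(fqdn, realm)
    return ok, "%s %s under realm %s" % (fqdn, "is" if ok else "is not", realm)


if __name__ == "__main__":
    # A proxy that "sends the wrong server's address": the name checks out in TLS but not for the realm.
    print(authorize_server("alice@example.com", "example.com.evil.net", ServerCert({"example.com.evil.net"})))
    print(authorize_server("alice@example.com", "aaa.example.com", ServerCert({"aaa.example.com"}),
                           {"example.com": {"aaa.example.com"}}))
```

The heuristic is last for a reason: it only says the server is somewhere inside the realm's DNS tree, which is the weakest of the slide's options and worthless for realms served by a roaming hub under another domain. A configured realm-to-server table, or an attribute the CA vouches for, gives an actual authorization statement; DNS or the redirect agent itself should not be the thing that decides.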

Part 3: Protocol Details

Protocol details
- Invalid packets
- Fragmentation
- EAP retransmission
- Accounting-EAP-Auth-Method
- EAP-Master-Session-Key

Protocol details: Invalid packets
In RADIUS, the server's reaction to an invalid EAP packet is to resend a copy of the previous EAP Request, but we don't want the server to keep inter-request state.
Some alternatives:
- An EAP-Reissued-Payload AVP (instead of EAP-Payload), with the normal DIAMETER_MULTI_ROUND_AUTH Result-Code
- A new DIAMETER_EAP_INVALID_PACKET Result-Code, with the normal EAP-Payload AVP
  - But BASE and NASREQ contain multiple statements of the form "if Result-Code is DIAMETER_MULTI_ROUND_AUTH, then...", which a new code would bypass

Protocol details: Fragmentation
New AVP: EAP-MTU
- The link MTU is not the same as the maximum size of an EAP packet
- E.g., IKEv2 can carry large EAP packets, but the MTU of the IPsec tunnel set up by IKEv2 is something different
RADIUS translation is waiting for clarification of 2869bis and/or draft-congdon-radius-8021x

Protocol details: Accounting-EAP-Auth-Method
How does the NAS determine the method?
- Not specified for MS-Acct-EAP-Type
- Proposed solution: the server returns it in the successful Diameter-EAP-Answer
RFC 2548 also has MS-Acct-Auth-Type
- PAP/CHAP/EAP/MS-CHAP-2/etc.
- Should we add Accounting-Auth-Method to NASREQ or here?

Protocol details: EAP-Master-Session-Key
- Simple AVP (OctetString)
- Can be translated to MS-MPPE-*
- But the EAP WG is discussing key naming! We may need more AVPs
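The MS-MPPE translation the slide mentions, worked through as an added example (not code from the draft or from any RADIUS implementation). The plain OctetString MSK is split into two 32-octet halves and each is wrapped with the RFC 2548 key encryption (MD5 keystream from the shared secret, the Request-Authenticator and a 2-octet salt) before going into a Microsoft Vendor-Specific attribute. Assumptions: the Recv-Key/Send-Key split follows the convention later written down in RFC 4072 and RFC 5247; the shared secret, Request-Authenticator and MSK are constructed values; vendor id 311 with sub-types 16 (Send-Key) and 17 (Recv-Key) are the RFC 2548 numbers.

```python
"""Diameter EAP-Master-Session-Key -> RADIUS MS-MPPE-Recv-Key / MS-MPPE-Send-Key (RFC 2548 wrap)."""
import hashlib
import os
import struct

MS_VENDOR_ID, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 311, 16, 17


def mppe_wrap(key, secret, request_authenticator, salt=None):
    """RFC 2548 section 2.4.2/2.4.3: Salt || C, with C = (len || key || zero pad to 16)
    XORed with b(1)=MD5(S || R || Salt), b(i)=MD5(S || c(i-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if salt is None:                                  # random salt, MSB set as the RFC requires
        salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F), os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the most significant bit set")
    if len(key) > 255:
        raise ValueError("key too long for a one-octet length field")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_unwrap(blob, secret, request_authenticator):
    """Inverse of mppe_wrap, as the NAS does it on receipt."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("bad salt")
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext length must be a non-zero multiple of 16")
    plain, prev = b"", request_authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad key length (wrong secret or corrupted attribute)")
    return plain[1:1 + n]


def msk_to_mppe(msk, secret, request_authenticator, salts=(None, None)):
    """Split the 64-octet MSK and wrap each half: (MS-MPPE-Recv-Key value, MS-MPPE-Send-Key value)."""
    if len(msk) < 64:
        raise ValueError("EAP MSK must be at least 64 octets")
    recv_key, send_key = msk[:32], msk[32:64]
    return (mppe_wrap(recv_key, secret, request_authenticator, salts[0]),
            mppe_wrap(send_key, secret, request_authenticator, salts[1]))


def ms_vsa(vendor_type, value):
    """RADIUS Vendor-Specific attribute (type 26) carrying one Microsoft sub-attribute."""
    if len(value) > 247:                              # 255 max attribute length minus 8 header octets
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BBIBB", 26, 8 + len(value), MS_VENDOR_ID, vendor_type, 2 + len(value)) + value


if __name__ == "__main__":
    # Constructed inputs: a Diameter server would have the MSK, the translating gateway the RADIUS secret.
    msk = bytes(range(64))
    secret, ra = b"constructed-shared-secret", bytes(range(16, 32))
    recv_blob, send_blob = msk_to_mppe(msk, secret, ra)
    print(ms_vsa(MS_MPPE_RECV_KEY, recv_blob).hex())
    print(mppe_unwrap(recv_blob, secret, ra) == msk[:32])
```

The wrap hides the key only from parties without the RADIUS shared secret, so a Diameter-to-RADIUS gateway that performs this translation is, like an un-CMS'd proxy, a node that holds the MSK in the clear. The MD5 keystream is also the reason the EAP keying discussion matters here: whatever key naming the EAP WG settles on, the RADIUS side still has only these two 32-octet slots.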

Part 4: Security Considerations

Security considerations: System perspective
No document contains security considerations for the whole system (EAP method, Diameter EAP, and the lower layer together)?
- Gets even more complex if we have handoffs or key distribution to multiple NASes
- May require changes not just to all three components, but to the interfaces between them
[Figure: the components, Diameter and EAP, and their interfaces]

Part 5: Next Steps

Next steps
- Very much dependent on the EAP keying framework security discussion and Russ' requirements from IETF 56
  - Finish that discussion first
- Identify other issues that still need work
  - Comments really welcome!
- Finish the document
  - Keep the current scope