EAP Extensions for EAP Re-authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao

Presentation transcript:

Status
– First presented at IETF 78, Maastricht
– Initial version, no changes to RFC 5296

Three key issues raised by errata
– Inserting the ER server into the path of EAP messages
– The ER server editing AAA messages
  – The local ER server is an ERP entity, incapable of inserting anything into a AAA message
– Placing unnecessary restrictions upon deployment options by making two unwarranted assumptions:
  – the EAP server in the home domain is located on a back-end authentication (i.e., AAA) server
  – the home ER server is also located there
Suggestion/Action:
– Need to revise RFC5296bis to reflect these key issues?

Open Issues (1)
– Is there any difference between "EAP Extensions for EAP Re-authentication Protocol" and "EAP Re-authentication Extension"?
  – It is not clear what is being extended, EAP or re-authentication, when we say "EAP Re-authentication Extension"
  – An EAP extension or an ER extension?

Open Issues (2)
Original text in RFC 5296:
"keyName-NAI - ERP messages are integrity protected with the rIK or the DS-rIK. The use of rIK or DS-rIK for integrity protection of ERP messages is indicated by the EMSKname [RFC5295]; the protocol, which is ERP; and the realm, which indicates the domain name of the ER server. The EMSKname is copied into the username part of the NAI."
Notes:
– The text in this definition does not say what the keyName-NAI is, only how to look up the rIK based on the EMSKname
Suggested text instead of the original:
"keyName-NAI - Refers to one instance of an NAI with the EMSKname as the username part. The EMSKname can be used to look up the rIK or DS-rIK used for integrity protection of ERP messages. The realm part of the keyName-NAI may be the "home domain" or "local domain" name, and can be obtained from the full EAP exchange, through a lower-layer mechanism, or from the ERP exchange."

Open Issues (3)
Structure of Section 3.1 of RFC 5296:
– The title of Section 3.1 is not consistent with the text in the section
– Unlike Section 3.2, "ERP with a Local ER Server", there is no clear text addressing ERP with the home ER server

Open Issues (4)
Original text in Section 3.1 of RFC 5296:
"The exchange (ERP) itself may happen when the peer attaches to a new authenticator supporting EAP re-authentication, or prior to attachment."
Notes:
– It is difficult for the ERP exchange to happen before attachment
– Without attachment, how does the peer receive the ERP message from the authenticator tied to that attachment point?
Suggested text:
– Remove "or prior to attachment" from the original text

Open Issues (5)
Original text in Section 3.1 of RFC 5296:
"The peer sends an EAP-Initiate/Re-auth message that contains the keyName-NAI to identify the ER server's domain and the rIK used to protect the message, and a sequence number for replay protection."
Notes:
– It causes confusion to say that the ERP message contains the rIK
– According to RFC 5296 the rIK never leaves the peer and the ER server; the ER server uses the EMSKname carried in the ERP message to look up the rIK
Suggested text:
"The peer sends an EAP-Initiate/Re-auth message that contains the keyName-NAI to identify the rIK used to protect the message and the ER server's domain, and a sequence number for replay protection"
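The keyName-NAI and replay-protection points in Open Issues (2) and (5) above, as an added example that is not part of the original slides, of RFC 5296, or of the draft: a peer builds an EAP-Initiate/Re-auth that carries only the keyName-NAI (EMSKname@realm), a SEQ and a tag computed with the rIK, and an ER server uses the username part to look up the rIK, verifies the tag, checks SEQ, and answers with an EAP-Finish/Re-auth. Assumptions: field values follow RFC 5296 Section 5.3 (Codes 5 and 6, Type 2, keyName-NAI TLV type 1, cryptosuite 2 = HMAC-SHA256-128); the rIK is taken as already derived and provisioned at both ends (SAMPLE_RIK, SAMPLE_EMSKNAME and SAMPLE_REALM are constructed, and the hex encoding of the EMSKname in the NAI is an assumption); only one cryptosuite is supported, so the tag length is fixed; the replay check is a strict monotonic SEQ comparison rather than a window; the class and function names are invented for this example.

```python
# Added example: ERP EAP-Initiate/Re-auth and EAP-Finish/Re-auth round trip.
# Constructed for this page; not code from RFC 5296 or the draft. Key derivation
# (EMSK -> rRK -> rIK, or DSRK -> DS-rRK -> DS-rIK) is assumed already done.
import hashlib
import hmac
import struct

EAP_CODE_INITIATE, EAP_CODE_FINISH = 5, 6  # EAP Codes for ERP messages (RFC 5296, 5.3)
ERP_TYPE_REAUTH = 2                         # Re-auth (Type 1 is Re-auth-Start)
TLV_KEYNAME_NAI = 1                         # keyName-NAI TLV: EMSKname@realm
TV_RRK_LIFETIME, TV_RMSK_LIFETIME = 2, 3    # 4-octet TVs, no length field
CRYPTOSUITE_HMAC_SHA256_128 = 2             # the only suite this example supports
TAG_LEN = 16                                # tag truncated to 128 bits
FLAG_R = 0x80                               # Finish/Re-auth result: 0 = success, 1 = failure

# Constructed sample values, not taken from any real EAP session.
SAMPLE_EMSKNAME = "0a1b2c3d4e5f6a7b"        # 64-bit EMSKname, hex encoded (assumption)
SAMPLE_REALM = "example.com"                # home or local domain of the ER server
SAMPLE_RIK = hashlib.sha256(b"constructed rIK, not a real KDF output").digest()


def _keyname_nai_tlv(keyname_nai):
    value = keyname_nai.encode("ascii")
    return struct.pack("!BB", TLV_KEYNAME_NAI, len(value)) + value


def _seal(code, identifier, flags, seq, tlvs, rik):
    """Assemble Code|Identifier|Length|Type|Flags|SEQ|TLVs|Cryptosuite and append
    the authentication tag, which covers everything from Code through Cryptosuite."""
    body = struct.pack("!BBH", ERP_TYPE_REAUTH, flags, seq) + tlvs
    body += struct.pack("!B", CRYPTOSUITE_HMAC_SHA256_128)
    unsigned = struct.pack("!BBH", code, identifier, 4 + len(body) + TAG_LEN) + body
    return unsigned + hmac.new(rik, unsigned, hashlib.sha256).digest()[:TAG_LEN]


def _open(pkt, expected_code):
    """Return (identifier, flags, seq, tlv_bytes, signed_part, tag) or raise ValueError.
    With a single supported cryptosuite the tag length is fixed, so the Cryptosuite
    octet is known to sit TAG_LEN + 1 octets from the end (simplification)."""
    if len(pkt) < 9 + TAG_LEN:
        raise ValueError("truncated message")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    erp_type, flags, seq = struct.unpack("!BBH", pkt[4:8])
    if code != expected_code or length != len(pkt) or erp_type != ERP_TYPE_REAUTH:
        raise ValueError("bad Code, Length or Type")
    if pkt[-TAG_LEN - 1] != CRYPTOSUITE_HMAC_SHA256_128:
        raise ValueError("unsupported cryptosuite")
    return identifier, flags, seq, pkt[8:-TAG_LEN - 1], pkt[:-TAG_LEN], pkt[-TAG_LEN:]


def _parse_attrs(data):
    """Walk the TV/TLV area: lifetime TVs carry 4 fixed octets, everything else is a TLV."""
    attrs, pos = {}, 0
    while pos < len(data):
        t = data[pos]
        if t in (TV_RRK_LIFETIME, TV_RMSK_LIFETIME):
            value, pos = data[pos + 1:pos + 5], pos + 5
        else:
            if pos + 2 > len(data):
                raise ValueError("truncated TLV header")
            n = data[pos + 1]
            value, pos = data[pos + 2:pos + 2 + n], pos + 2 + n
        if pos > len(data):
            raise ValueError("attribute overruns message")
        attrs[t] = value
    return attrs


def _tag_ok(rik, signed, tag):
    return hmac.compare_digest(hmac.new(rik, signed, hashlib.sha256).digest()[:TAG_LEN], tag)


class ERPeer:
    def __init__(self, emskname, realm, rik):
        self.keyname_nai = f"{emskname}@{realm}"   # realm: home or local domain
        self.rik, self.next_seq, self.last_seq = rik, 0, None

    def initiate(self, identifier):
        """EAP-Initiate/Re-auth: keyName-NAI + SEQ + tag. The rIK itself is never sent."""
        self.last_seq, self.next_seq = self.next_seq, self.next_seq + 1
        return _seal(EAP_CODE_INITIATE, identifier, 0, self.last_seq,
                     _keyname_nai_tlv(self.keyname_nai), self.rik)

    def verify_finish(self, pkt):
        """True for a valid success Finish, False for a valid failure Finish, else raise."""
        _, flags, seq, tlvs, signed, tag = _open(pkt, EAP_CODE_FINISH)
        if not _tag_ok(self.rik, signed, tag):
            raise ValueError("bad authentication tag")
        if seq != self.last_seq:
            raise ValueError("SEQ does not match the Initiate we sent")
        if _parse_attrs(tlvs).get(TLV_KEYNAME_NAI) != self.keyname_nai.encode("ascii"):
            raise ValueError("keyName-NAI mismatch")
        return not flags & FLAG_R


class ERServer:
    def __init__(self, realm, rik_table):
        self.realm = realm
        self.rik_table = dict(rik_table)   # EMSKname -> rIK (DS-rIK at a local ER server)
        self.expected_seq = {}             # EMSKname -> lowest SEQ still acceptable

    def handle_initiate(self, pkt):
        identifier, _, seq, tlvs, signed, tag = _open(pkt, EAP_CODE_INITIATE)
        attrs = _parse_attrs(tlvs)
        if TLV_KEYNAME_NAI not in attrs:
            raise ValueError("keyName-NAI missing")
        keyname_nai = attrs[TLV_KEYNAME_NAI].decode("ascii")
        emskname, _, realm = keyname_nai.partition("@")
        if realm != self.realm:
            raise ValueError(f"realm {realm!r} is not served by this ER server")
        rik = self.rik_table.get(emskname)   # the username part is how the rIK is found
        if rik is None:
            raise ValueError("no rIK for this EMSKname")
        if not _tag_ok(rik, signed, tag):
            raise ValueError("bad authentication tag")
        if seq < self.expected_seq.get(emskname, 0):
            raise ValueError("replay: SEQ already used")
        self.expected_seq[emskname] = seq + 1   # strict check; a window is left out
        return _seal(EAP_CODE_FINISH, identifier, 0, seq, _keyname_nai_tlv(keyname_nai), rik)


def make_pair():
    """Peer and ER server sharing the constructed sample rIK."""
    return ERPeer(SAMPLE_EMSKNAME, SAMPLE_REALM, SAMPLE_RIK), \
        ERServer(SAMPLE_REALM, {SAMPLE_EMSKNAME: SAMPLE_RIK})


def rejection_reason(server, pkt):
    """None if the server accepts pkt, otherwise the reason it rejected it."""
    try:
        server.handle_initiate(pkt)
        return None
    except ValueError as exc:
        return str(exc)
```

Running `peer, server = make_pair(); init = peer.initiate(1)` and then `peer.verify_finish(server.handle_initiate(init))` completes one re-authentication; feeding the same `init` to the server a second time is refused as a replay, and flipping any octet of the message fails the tag check before any state is touched. The point the slide makes is visible in the bytes: `SAMPLE_RIK not in init` holds, because only the keyName-NAI travels and the server resolves the rIK from the EMSKname in its own table.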

Open Issues (6)
Original text of RFC 5296:
"Figure 3 shows the full EAP and subsequent local ERP exchange; Figure 4 shows it with a local ER server."
Notes:
– Figure 3 does not show the local exchange with the local ER server; it is Figure 4 that shows how the local ERP exchange works
Suggested text instead of the original:
"Figure 3 shows the full EAP exchange with the involvement of the local ER server; Figure 4 shows the subsequent local ERP exchange with a local ER server."

Open Issues (6), continued
Original Figure 3 of RFC 5296
Notes:
– Figure 3 does not show a local ERP exchange; what it shows is the DSRK being pushed from the home EAP server to the local ER server
Suggested revision

Follow Up
– Expect to incorporate existing technical errata into this draft and continue filing new errata
– Issue a new version based on feedback from the group and errata
– Encourage more review of the draft and early feedback