Presentation is loading. Please wait.

Presentation is loading. Please wait.

Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008

Published byArabella Parrish Modified over 6 years ago

Similar presentations

Presentation on theme: "Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008"— Presentation transcript:

1 Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008

2 isConsistant(i1, i2, Policy)
Basic Approach During an EAP execution peer sends advertised network information i1 to server server checks whether i1 from the peer, i2 from the last AAA hop and the respective policy are consistent server sends notification to the peer indicating the result Policy DB i1 i2 i1 Policy isConsistant(i1, i2, Policy)

3 Network Models Enterprise network Service provider network i1 i2
Policy DB i1 i2 NAS Home Network Policy DB i1 proxy i2 local NAS local proxy Visited Network Home Network

4 Document Status Version -00 submitted before IETF 71
Version -01 presented at IETF 71 submitted in June Version -02 submitted after IETF 72 addressed comments from EMU meeting addressed Joe’s comments Version -03 submitted in October Version -04 submitted in November addressed Bernard’s comments on -02 &03

5 Resolved Issues NAS information not used for authorizations
sometimes important which NAS (authenticator) the peer is connected to, e.g. if EAP server controls access to several networks including NAS information into channel binding verification, thus, improving EAP’s ability to provide authorization

6 Resolved Issues-(ii) Information i1 not sufficiently described
described differences for enterprise and service provider models provided examples of attributes in general: NAS-Port Type, Cost information IEEE : Called-Station-Id IEEE r: Mobility-Domain-Id IEEE s: Mesh-Key-Distributor-Domain-Id

7 Resolved Issues–(iii)
Last hop information not utilized in verification added information i2 from last AAA hop to channel binding verification explored impact of local proxies in service provider scenario and discussed usefulness and verifiability of “laundered” information defined which AAA attributes can and should be validated User-Name, NAS-IP-Address, Called-Station-Id, Calling-Station-Id, NAS-Identifier, NAS-Port-Type

8 Resolved Issues–(iv) Misstatement of “lying NAS” problem in roaming case in service provider networks the lying entity is not necessarily the local NAS could be lying local authentication server or local proxies introduced “lying provider problem” EAP channel bindings detect if one (or more) of the local entities is lying

9 Resolved Issues–(v) Incomplete comparison of main EAP channel binding approaches removed “fuzzy comparisons” described policy-based comparisons added more advantages to exchanging plaintext information “logging mode” consistent information canonicalization and formatting unnecessary

10 Resolved Issues–(vi) Lack of transport protocol description
defined transport protocol requirements and explored options channel binding protocol must be transported after keying material has been derived between peer and server transport protocol for carrying channel binding information MUST support end-to-end message integrity protection transport protocol SHOULD provide confidentiality [I-D.clancy-emu-aaapay] is one possible option

11 Resolved–(vii) Missing privacy discussion
if channel binding messages contain identifiers of peer and/or network entities, the privacy property of the executed EAP method may be violated discussed privacy violations as part of the “Security Considerations”

12 Resolved–(viii) Lack of operations and management considerations
analyzed system impact (Section 10.1) explored required modifications to EAP peers & EAP servers provided examples how server database can be set up more cost efficiently auto-population phase (secure environment) self-learn approach incremental implementation

13 Resolved–(ix) Lack of examples on how EAP channel bindings prevent attacks added Appendix describing attacks enterprise subnetwork masquerading forced roaming downgrading attacks bogus beacons in IEEE r forcing false authorization in IEEE i

14 Open Issues Cost-benefit analysis only provide impact discussion
no hard numbers on how much a deployment would cost and how much money would be saved by supporting channel bindings

15 Open Issues–(ii) Lower layer binding
need a way to transport the RSN-IE define attributes for IEEE , wired 802.1x, PPP, IKEv2, 3GPP2, PANA

16 Conclusion Request support with open issues
Request WG review of -04 version Request adoption as WG item to satisfy channel bindings charter requirement

Download ppt "Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008"

Similar presentations

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
Omniran-13-0063-00-0000 1 IEEE 802 Enhanced Network Detection and Selection Date: 2013-08-26 Authors: NameAffiliationPhoneEmail Max RiegelNSN+49 173 293.

Omniran IEEE 802 Enhanced Network Detection and Selection Date: Authors: NameAffiliationPhone Max RiegelNSN
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and 802.11i IKEv2 EAP authentication.

1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-06-0348-06-0000 Title: MIIS and Its Higher Layer Transport Requirements: Ad hoc Update and Discussion on.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: MIIS and Its Higher Layer Transport Requirements: Ad hoc Update and Discussion on.
August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba

August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG 2012.07.30.

PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-0164-06-0sec Title: Detailed analysis on MIA/MSA architecture Date Submitted: January 5, 2010 Present.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: Detailed analysis on MIA/MSA architecture Date Submitted: January 5, 2010 Present.
November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.

November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.

ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.

Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.
Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.
Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.

Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.
August 2, 2005 IETF 63 – Paris, France Media Independent Handover Services and Interoperability Ajay Rajkumar Chair, IEEE 802.21 WG.

August 2, 2005 IETF 63 – Paris, France Media Independent Handover Services and Interoperability Ajay Rajkumar Chair, IEEE WG.
Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper.

Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper.
Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.

Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.
August 2, 2005IETF63 EAP WG AAA-Key Derivation with Lower-Layer Parameter Binding (draft-ohba-eap-aaakey-binding-01.txt) Yoshihiro Ohba (Toshiba) Mayumi.

August 2, 2005IETF63 EAP WG AAA-Key Derivation with Lower-Layer Parameter Binding (draft-ohba-eap-aaakey-binding-01.txt) Yoshihiro Ohba (Toshiba) Mayumi.

Similar presentations

Ads by Google