Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

Published byFred Troughton Modified over 10 years ago

Similar presentations

Presentation on theme: "EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009."— Presentation transcript:

1 EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009

2 Document (Recent) History, March `09 – consensus that draft is ready for WGLC at IETF 74, May `09 – tried to address comments from Klaas detailed review, July `09 – added clarifying text to address more comments on list – more discussions about “authorization” capabilities of channel bindings and EAP in general, October `09 – narrowed scope to solving lying NAS/ lying provider problems, i.e. removed authorization capabilities – updated AAA attributes for channel binding TLVs

3 Change #1: “scope of draft” What aspect of channel bindings should and can be solved by the proposed protocol? – mitigate lying NAS problem – mitigate lying provider problem Removed: – check whether peer is authorized to access requested services in manner described by NAS Section 1

4 Change #1: “scope of draft” (cont’d) Solution: specify channel binding protocol – protocol includes verification of channel binding information Removed: policy data base i1 Local DB info CB_success/failure(i1, i2, info) i2 AAAEAP peer EAP server Authenticator

5 Why we still need a local database AAA protocol not sufficient for comparing i1 and i2 – i1 and i2 may be both false – i2 likely not sufficient to detect lying providers due to “message laundering” by AAA intermediaries – i1 is not restricted to AAA attributes not all information of interest can be encoded in AAA attributes and defining numerous new AAA attributes seems like a bad idea! Using a local DB enables to check – against a trustworthy set of information – consistency of i1 and i2 rather than equality, e.g. do MAC and IP address belong to the same device ⇒ authentication & integrity of channel binding info (not authorization!)

6 Change #2: “what is verified”? Channel binding information – i1: any info part of the NAS beacon/EAP Identity request – i2: any AAA attribute exchanged between authenticator and AAA server as part of on-going EAP exchange Channel binding verifications, check whether 1.the authenticator is lying to the peer (i1 false?) 2.the authenticator (or AAA intermediaries) is lying to the AAA server (i2 false?) Removed: – rules derived from network policies & stored in local DB – check whether authenticator is violating any policies Section 5.2

7 Change #3: “set up local database” Simplified set up of local data base – only needs to contain known information about authenticators and roaming partners e.g. MAC/IP addresses, roaming fees used for consistency check of i1 and i2 Removed: – policy engines – training phase to learn behavior that should be authorized – policy rules for home and service provider networks Section 10

8 Change #4: “attribute update” Removed outdated 802.11s attribute from list of channel binding TLVs Section 7.3

9 Conclusions All open issues on the list have been addressed in the -04 draft Request WG review of -04 version Ready for WG last call?

Download ppt "EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009."

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.

IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.
Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 ANCP protocol draft updates draft-ietf-ancp-protocol-00.txt ANCP.

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 ANCP protocol draft updates draft-ietf-ancp-protocol-00.txt ANCP.
NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.

NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
CLUE Framework IETF 84 July 30 – Aug 3, 2012 Mark Duckworth Allyn Romanow Brian Baldino Andy Pepperell.

CLUE Framework IETF 84 July 30 – Aug 3, 2012 Mark Duckworth Allyn Romanow Brian Baldino Andy Pepperell.
Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.

Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.
Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.

Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.
Dean Cheng Jouni Korhonen Mehamed Boucadair

Dean Cheng Jouni Korhonen Mehamed Boucadair
Draft-tarapore-mbone- multicast-cdni-05 Percy S. Tarapore, AT&T Robert Sayko, AT&T Greg Shepherd, Cisco Toerless Eckert, Cisco Ram Krishnan, Brocade.

Draft-tarapore-mbone- multicast-cdni-05 Percy S. Tarapore, AT&T Robert Sayko, AT&T Greg Shepherd, Cisco Toerless Eckert, Cisco Ram Krishnan, Brocade.
EAP Bluetooth Extension Draft-kim-eap-bluetooth-00 Hahnsang Kim (INRIA), Hossam Afifi (INT), Masato Hayashi (Hitachi)

EAP Bluetooth Extension Draft-kim-eap-bluetooth-00 Hahnsang Kim (INRIA), Hossam Afifi (INT), Masato Hayashi (Hitachi)
Doc.: IEEE 802.11-08/0394r0 Submission March 2008 Dorothy Stanley, Aruba NetworksSlide 1 IEEE 802.11-IETF Liaison Report Date: 2008-03-19 Authors:

Doc.: IEEE /0394r0 Submission March 2008 Dorothy Stanley, Aruba NetworksSlide 1 IEEE IETF Liaison Report Date: Authors:
Operational Security Capabilities for IP Network Infrastructure

Operational Security Capabilities for IP Network Infrastructure
© 1998 R. Gemmell IETF WG Presentation1 Robert Gemmell ROAMOPS Working Group.

© 1998 R. Gemmell IETF WG Presentation1 Robert Gemmell ROAMOPS Working Group.
EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.

EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.
March 15, 2005 IETF #62 Minneapolis1 EAP Discovery draft-adrangi-eap-network-discovery-10.txt Farid Adrangi ( )

March 15, 2005 IETF #62 Minneapolis1 EAP Discovery draft-adrangi-eap-network-discovery-10.txt Farid Adrangi ( )

Similar presentations

Ads by Google