Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao.

Published byDiane Cornelia Griffith Modified over 9 years ago

Similar presentations

Presentation on theme: "EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao."— Presentation transcript:

1 EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao

2 Status First Presented in IETF 78, Masstricht Initial version, no changes to RFC5296

3 Three key issues raised by Erratas Insert ER server in the path of EAP messages ER edit AAA messages –The local ER server is an ERP entity, incapable of inserting anything into a AAA message Places unnecessar restrictions upon deployment options, makes two unwarranted assumptions –the EAP server in the home domain is located on a back-end authentication (i.e., AAA) server –the home ERP server is also located there Suggestion/Action: –Need to Revise the RFC5296bis to reflect these key issues?

4 Open issues (1) Is there any difference between “EAP Extensions for EAP Re-authentication Protocol “ and “EAP Re-authentication Extension”? –Not clear what needs to be extended? EAP or Re-authentication when say “EAP Re- authentication Extension” –EAP extension or ER extension

5 Open Issues (2) Original text in RFC5296: “keyName-NAI - ERP messages are integrity protected with the rIK or the DS-rIK. The use of rIK or DS-rIK for integrity protection of ERP messages is indicated by the EMSKname [RFC5295]; the protocol, which is ERP; and the realm, which indicates the domain name of the ER server. The EMSKname is copied into the username part of the NAI. “ Notes: –The text in this defintion does not tell what the keyName-NAI is but how to look up rIK based on EMSKname Suggested text instead of original one “keyName-NAI - Refers to one instance of NAI with EMSKname as the username part. the EMSKname can be used to look up rIK or DS-rIK for integrity protection of ERP message. The realm part of keyName-NAI could be "home domain" or "local domain" name and can be obtained from original text in the full EAP exchange, through a lower-layer mechanism or the ERP exchange.”

6 Open Issues (3) Structure of Section 3.1 to RFC5296 –The title of the section 3.1 is not consistent with the texts in the section 3.1 –Unlike section 3.2 “ERP with a Local ER Server”, no clear text to address ERP with home ER server

7 Open Issues (4) Original text in section 3.1 of RFC5296: “ The exchange (ERP) itself may happen when the peer attaches to a new authenticator supporting EAP re-authentication, or prior to attachment. ” Notes “ The ERP exchange is difficult to happen before attachment” Without attachment, how does the peer receive the ERP message from the authenticator tied with that attachment point “ Suggested text: Remove the “or prior to attachment” from original text

8 Open Issues (5) Original text in sec 3.1 of RFC5296 “The peer sends an EAP-Initiate/Re-auth message that contains the keyName-NAI to identify the ER server's domain and the rIK used to protect the message, and a sequence number for replay protection.” Notes: “Cause confusion to say that the ERP message contain the rIK” “rIK will not leave Peer and ER server according to RFC5296. And the ER server can use EMSKname in the ERP message to look up the rIK.” Suggested text: “The peer sends an EAP-Initiate/Re-auth message that contains the keyName-NAI to identify the rIK used to protect the message, ER server’s domain, and a sequence number for replay protection”

9 Open Issues (6) Original text of RFC5296: “Figure 3 shows the full EAP and subsequent local ERP exchange; Figure 4 shows it with a local ER server.” Notes: Figure 3 doesn’t show the local exchange with the local ER server, figure 4 show how local ERP exchange works. Suggested text instead of original one: “Figure 3 shows the full EAP with the involvement of Local ER Server; Figure 4 shows subsequent local ERP exchange with a local ER server.”

10 Open Issues (6) Original figure 3 of RFC5296 Notes: Figure 3 didn’t show local ERP exchange, what we can see is DSRK is pushed from the Home EAP server to the local ER server Suggested revision

11 Follow Up Expect to incorporate existing Technical Errata into this draft and continue filing new errata Issue new version based on feedback from group and errata. Encourage more review of draft and early feedback

Download ppt "EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao."

Similar presentations

1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-0014-00-0sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE 802.21.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE
21-07-0xxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0xxx-00-0000 Title: Proposal for adding a key hierarchy based approach in the security.

xxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx Title: Proposal for adding a key hierarchy based approach in the security.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
EAP-TTLS Status draft-funk-eap-ttls-v0-00.txt draft-funk-eap-ttls-v1-00.txt draft-funk-tls-inner-application-extension-01.txt Paul Funk Funk Software.

EAP-TTLS Status draft-funk-eap-ttls-v0-00.txt draft-funk-eap-ttls-v1-00.txt draft-funk-tls-inner-application-extension-01.txt Paul Funk Funk Software.
21-08-0054-01-0sec IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-08-0054-01-0sec-mih-level-security-considerations Title: MIH-level Security Considerations.

sec IEEE MEDIA INDEPENDENT HANDOVER DCN: sec-mih-level-security-considerations Title: MIH-level Security Considerations.
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.

ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
21-07-0xxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0xxx-00-0000 Title: Proposal for adding a key hierarchy based approach in the security.

xxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx Title: Proposal for adding a key hierarchy based approach in the security.
1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture.

1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
RFC5296BIS CHANGES PROPOSAL Sebastien Decugis. Presentation outline  Quick reminder on ERP (RFC5296)  2 change proposals  Problem description  Solution.

RFC5296BIS CHANGES PROPOSAL Sebastien Decugis. Presentation outline  Quick reminder on ERP (RFC5296)  2 change proposals  Problem description  Solution.
DIME Rechartering Hannes Tschofenig & Dave Frascone.

DIME Rechartering Hannes Tschofenig & Dave Frascone.
Collaborate on Documents Microsoft Word 2010. Introduction Word 2010 makes it easy for groups of people to edit one document. You can easily edit documents.

Collaborate on Documents Microsoft Word Introduction Word 2010 makes it easy for groups of people to edit one document. You can easily edit documents.
21-06-0727-01-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN:21-06-0727-01-0000 Title: Proposal for IEEE 802.21 Study Group on Security Signaling Optimization.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Proposal for IEEE Study Group on Security Signaling Optimization.
2015-10-17Hokey IETF 81 Quebec1 EAP Extensions for EAP Re- authentication Protocol draft-ietf-hokey-rfc5296bis-04 Qin Wu Zhen Cao Yang Shi Baohong He.

Hokey IETF 81 Quebec1 EAP Extensions for EAP Re- authentication Protocol draft-ietf-hokey-rfc5296bis-04 Qin Wu Zhen Cao Yang Shi Baohong He.
November 10, 2003EAP WG, IETF 581 EAP State Machines (draft-ietf-eap-statemachine-01) John Vollbrecht, Pasi Eronen, Nick Petroni, Yoshihiro Ohba.

November 10, 2003EAP WG, IETF 581 EAP State Machines (draft-ietf-eap-statemachine-01) John Vollbrecht, Pasi Eronen, Nick Petroni, Yoshihiro Ohba.
IETF71 DIME WG RFC3588bis and Extensibility Status Victor Fajardo (draft-ietf-dime-rfc3588bis-10.txt)

IETF71 DIME WG RFC3588bis and Extensibility Status Victor Fajardo (draft-ietf-dime-rfc3588bis-10.txt)
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Similar presentations

Ads by Google