1 / 9

EAP Channel Bindings

EAP Channel Bindings. Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009. Document (Recent) History . <draft-ietf-emu-chbind-01>, March `09 consensus that draft is ready for WGLC at IETF 74 <draft-ietf-emu-chbind-02>, May `09

avedis
Download Presentation

EAP Channel Bindings

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009

  2. Document (Recent) History • <draft-ietf-emu-chbind-01>, March `09 • consensus that draft is ready for WGLC at IETF 74 • <draft-ietf-emu-chbind-02>, May `09 • tried to address comments from Klaas detailed review • <draft-ietf-emu-chbind-03>, July `09 • added clarifying text to address more comments on list • more discussions about “authorization” capabilities of channel bindings and EAP in general • <draft-ietf-emu-chbind-04>, October `09 • narrowed scope to solving lying NAS/ lying provider problems, i.e. removed authorization capabilities • updated AAA attributes for channel binding TLVs

  3. Change #1: “scope of draft” Section 1 • What aspect of channel bindings should and can be solved by the proposed protocol? • mitigate lying NAS problem • mitigate lying provider problem • Removed: • check whether peer is authorized to access requested services in manner described by NAS

  4. Change #1: “scope of draft” (cont’d) • Solution: specify channel binding protocol • protocol includes verification of channel binding information • Removed: policy data base Local DB Authenticator i1 EAP server EAP peer i2 AAA i1 info CB_success/failure(i1, i2, info)

  5. Why we still need a local database • AAA protocol not sufficient for comparing i1 and i2 • i1 and i2 may be both false • i2 likely not sufficient to detect lying providers due to “message laundering” by AAA intermediaries • i1 is not restricted to AAA attributes • not all information of interest can be encoded in AAA attributes and defining numerous new AAA attributes seems like a bad idea! • Using a local DB enables to check • against a trustworthy set of information • consistency of i1 and i2 rather than equality, e.g. do MAC and IP address belong to the same device ⇒ authentication & integrity of channel binding info (not authorization!)

  6. Change #2: “what is verified”? Section 5.2 • Channel binding information • i1: any info part of the NAS beacon/EAP Identity request • i2: any AAA attribute exchanged between authenticator and AAA server as part of on-going EAP exchange • Channel binding verifications, check whether • the authenticator is lying to the peer (i1 false?) • the authenticator (or AAA intermediaries) is lying to the AAA server (i2 false?) • Removed: • rules derived from network policies & stored in local DB • check whether authenticator is violating any policies

  7. Change #3: “set up local database” Section 10 • Simplified set up of local data base • only needs to contain known information about authenticators and roaming partners • e.g. MAC/IP addresses, roaming fees • used for consistency check of i1 and i2 • Removed: • policy engines • training phase to learn behavior that should be authorized • policy rules for home and service provider networks

  8. Change #4: “attribute update” Section 7.3 • Removed outdated 802.11s attribute from list of channel binding TLVs

  9. Conclusions • All open issues on the list have been addressed in the -04 draft • Request WG review of -04 version • Ready for WG last call?

More Related