Diameter EAP Application (draft-ietf-aaa-eap-02.txt)
Jari.Arkko@ericsson.com on behalf of ... Pasi.Eronen@nokia.com

Outline of the Presentation
• Part 1: Introduction
• Part 2: Redirects
• Part 3: Protocol details
• Part 4: Security considerations
• Part 5: Next Steps

Part 1: Introduction
Introduction
• "2869bis plus key AVPs for Diameter"
• Scope
  • One EAP conversation, no role reversal
  • One NAS, no handoffs or key distribution to multiple NASes
  • No new NAS-to-home-server security mechanisms, but works end-to-end between the NAS and the home server
Basic sequence (Client, NAS, Server)
  Client -> NAS:    (initiate EAP)
  NAS -> Server:    Diameter-EAP-Request, EAP-Payload(EAP start)
  Server -> NAS:    Diameter-EAP-Answer, Result-Code=MULTI_ROUND_AUTH, EAP-Payload(Request(…))
  NAS -> Client:    EAPOL(Request(…))
  Client -> NAS:    EAPOL(Response(…))
  NAS -> Server:    Diameter-EAP-Request, EAP-Payload(Response(…))
  Server -> NAS:    Diameter-EAP-Answer, Result-Code=SUCCESS, EAP-Master-Session-Key, EAP-Payload(Success)
  NAS -> Client:    EAPOL(Success)
  Client <-> NAS:   (4-way handshake)
Changes in -02
• Redirects / NASREQ interaction
• Added various protocol details
• RADIUS translation
  • RFC 2548 translation desirable, too
• Security considerations
Redirects and NASREQ interaction
• Without CMS, proxy agents can see the EAP MSK
• Solution in -02 for avoiding proxies:
  • NAS contacts the home server directly; redirects are used if there would otherwise be a proxy
  • An optional separate request to retrieve authorization AVPs through the proxy chain
Finding server with redirects (NAS, Proxy, Server)
  NAS -> Proxy:   Diameter-EAP-Request, EAP-Payload(EAP start)
  Proxy -> NAS:   Diameter-EAP-Answer, Redirect-Host=…, Redirect-Host-Usage=REALM_AND_APPLICATION
  NAS -> Server:  Diameter-EAP-Request, EAP-Payload(EAP start)
Separate Authorization AVP Retrieval (NAS, Proxy, Server)
  NAS -> Server (direct):    Diameter-EAP-Request, Auth-Request-Type=AUTHORIZE_AUTHENTICATE
  Server -> NAS (direct):    Diameter-EAP-Answer, Result-Code=DIAMETER_LIMITED_SUCCESS, EAP-Master-Session-Key, (some authorization AVPs)
  NAS -> Proxy -> Server:    NASREQ AA-Request, Auth-Request-Type=AUTHORIZE_ONLY, (some AVPs from previous message)
Issues in Redirects
• The authorization AVP retrieval uses NASREQ, since the Diameter realm routing table isn't command-specific
• Who decides whether the separate proxy pass is needed?
• What exactly does a redirect + elimination of proxies buy us?
Proxy Elimination
+ Key is not shown to other parties
+ Lengthy EAP runs become faster
+ We authenticate the node on the other side
- But untrusted proxies can still misbehave!
  • Proxy might not send a Redirect
  • Proxy might send the wrong server's address
=> We need additional authorization
  • Configuration
  • Attributes in server certs?
  • NAI realm vs. FQDN in server check
Diameter authorization
• TLS authenticates Diameter nodes, but…
• When the NAS talks to foo.example.com, is this actually the server for realm example.com?
  • Local configuration
  • Trust redirect agent
  • Trust DNS
  • Separate CA for servers
  • Certificate name matching (+ possibly separate CA)
  • Certificate extensions
• When the server gets a connection from bar.example.com, is this a valid access point?
  • Separate CA for access points
  • Certificate extensions
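As an added illustration that is not from the draft or these slides, a toy Python model of the NAS side of the redirect and separate-authorization flow described in the "Redirects and NASREQ interaction" through "Diameter authorization" slides. It assumes dict-shaped messages, the Diameter base Result-Code DIAMETER_REDIRECT_INDICATION for the redirect answer, and a simple suffix-match rule for the "certificate name matching" option, which the slides list as an open question rather than a settled design:

```python
# Added example (not from the draft or the slides): a toy NAS-side handler
# for Diameter-EAP-Answers covering the -02 redirect flow, one of the
# slide's authorization options (certificate name vs. NAI realm) and the
# separate AUTHORIZE_ONLY pass. Messages are plain dicts of AVP -> value.
MULTI_ROUND_AUTH = "DIAMETER_MULTI_ROUND_AUTH"
SUCCESS = "DIAMETER_SUCCESS"
LIMITED_SUCCESS = "DIAMETER_LIMITED_SUCCESS"
REDIRECT_INDICATION = "DIAMETER_REDIRECT_INDICATION"  # Diameter base, not on the slides
NO_KEY_VIA_PROXY = ("Result-Code", "EAP-Payload", "EAP-Master-Session-Key")

def nai_realm(user_name):
    """Realm part of an NAI such as alice@example.com."""
    return user_name.rsplit("@", 1)[1].lower()

def server_matches_realm(cert_name, realm):
    """'Certificate name matching' option: foo.example.com is accepted as a
    server for realm example.com only if the certified FQDN is the realm
    itself or a label under it (an assumed rule, one of the slide's open
    questions, not something the draft specifies)."""
    cert_name = cert_name.lower()
    return cert_name == realm or cert_name.endswith("." + realm)

def handle_eap_answer(answer, realm):
    """Return the NAS's next (action, detail) for one Diameter-EAP-Answer."""
    rc = answer.get("Result-Code")
    if rc == REDIRECT_INDICATION:
        host = answer.get("Redirect-Host", "")
        if answer.get("Redirect-Host-Usage") != "REALM_AND_APPLICATION":
            return ("reject", "unexpected Redirect-Host-Usage")
        if not server_matches_realm(host, realm):
            # a misbehaving proxy may name the wrong server; do not follow it
            return ("reject", "redirect target not a server for " + realm)
        return ("resend_direct", host)          # bypass the proxy chain
    if rc == MULTI_ROUND_AUTH:
        return ("forward_to_client", answer["EAP-Payload"])
    if rc == LIMITED_SUCCESS:
        # MSK arrived directly; authorization AVPs still to be fetched
        return ("authorize_only", answer["EAP-Master-Session-Key"])
    if rc == SUCCESS:
        return ("install_key", answer["EAP-Master-Session-Key"])
    return ("reject", str(rc))

def build_authorize_only(answer, user_name):
    """NASREQ AA-Request for the separate proxy pass: carries the
    authorization AVPs from the direct answer but never the MSK."""
    carried = {k: v for k, v in answer.items() if k not in NO_KEY_VIA_PROXY}
    return {"Command": "AA-Request", "Auth-Request-Type": "AUTHORIZE_ONLY",
            "User-Name": user_name, **carried}
```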
Protocol details
• Invalid packets
• Fragmentation
• EAP retransmission
• Accounting-EAP-Auth-Method
• EAP-Master-Session-Key
Protocol details: Invalid packets
• In RADIUS, the message sent after an invalid packet contains a copy of the previous EAP Request, but we don't want to keep inter-request state
• Some alternatives
  • EAP-Reissued-Payload AVP (instead of EAP-Payload), and the normal DIAMETER_MULTI_ROUND_AUTH Result-Code
  • New DIAMETER_EAP_INVALID_PACKET Result-Code, and the normal EAP-Payload AVP
    • But BASE and NASREQ contain multiple statements like "if Result-Code is DIAMETER_MULTI_ROUND_AUTH, then…"
Protocol details: Fragmentation
• New AVP: EAP-MTU
  • Link MTU != max. size of EAP packet
  • E.g., IKEv2 can carry large EAP packets, but the MTU of the IPsec tunnel set up by IKEv2 is something different
• RADIUS translation waiting for clarification of 2869bis and/or draft-congdon-radius-8021x
Protocol details: Accounting-EAP-Auth-Method
• How does the NAS determine the method?
  • Not specified for MS-Acct-EAP-Type
  • Proposed solution: the server returns it in a successful Diameter-EAP-Answer
• RFC 2548 also has MS-Acct-Auth-Type
  • PAP/CHAP/EAP/MS-CHAP-2/etc.
  • Should we add Accounting-Auth-Method to NASREQ or here?
Protocol details: EAP-Master-Session-Key
• Simple AVP (OctetString)
• Can be translated to MS-MPPE-*
• But the EAP WG is discussing key naming! We may need more AVPs
Security considerations: System perspective
[Figure: the three components, EAP, 802.11 and Diameter]
• No document contains security considerations for the whole system?
• Gets even more complex if we have handoffs or key distribution to multiple NASes
  • (May require changes not just to all three components, but to the interfaces between them)
Next steps
• Very much dependent on the EAP keying framework security discussion & Russ' requirements from IETF-56
  • Finish that discussion first
• Identify other issues that still need work
  • Comments really welcome!
• Finish document
  • Keep current scope