802.1AF - directions
• define requirements to find and create connections in terms of Discovery - Authentication - Enable
• Discovery of what can be done, and a rule-based decision resulting in specific requests for action
• Authenticate the entities required for the connection requested by discovery
• Enable [turn on] the actual connection
Example of proposed sequence
• Discovery
  • find what devices are available for connection
  • get capabilities of possible connections
  • request connection(s) as defined by rules
• Authentication
  • execute the EAP method requested by the remote
  • get session key
  • do authorization with remote
• Enable
  • authorize based on AS requirements (not EAP authorization)
  • do four-way handshake using key info from Authentication
802.1AF Model (figure): two devices ("dev"), each with Discovery, Authentication ("Authen") and Enable elements, with backend(s) behind them.
Beginnings of Interface Requirements - Discovery
• Intent is to find what opportunities for connection exist and request connection to whichever is best
• Implies the ability to find possible remote connection points
• May imply knowing what each connection point can provide (e.g. what addresses it can reach)
• Implies rules about how decisions are made
• Group should review what is currently done and what people want to do [e.g. connect/disconnect to wired Ethernet when wireless is available]
Beginnings of Requirements - Authentication
• Assume that an EAP-style interface is the preference
• EAP methods allowed will have specific requirements and will include a "required" method
  • may have it define a required method and have it vetted by the security community
• Authentication will create keying material that will be passed to other elements, which will use it to create keys for other devices
  • this should use a well-defined keying hierarchy model to be published by the IETF
• Authentication will have the ability [in appropriate circumstances] to reauthenticate using the key already generated, rather than re-running the full authentication and creating a new key
Beginnings of Requirements - Enable
• This will do the 4-way handshake
• It will check some rules allowing connection [e.g. is it after 5pm]
• It tracks connection establishment and points to physical connection info
• It may get attribute information from the Authentication phase
• It derives keys and Security Association(s) for session(s) from material sent by the Authentication phase
• It tracks multiple connections based on the key from the Authentication phase
Enable - issues
• what is the output of an enable?
  • just the connection, or other things like firewall?
• is the decision for the framework or just for AF?
• what elements are enabled? e.g.
  • time of connection
  • bandwidth
  • etc.
• how is connection information maintained?
Beginnings of Requirements - General
• elements will talk to a backend
  • may use RADIUS, Diameter or LDAP as appropriate. May also consider using SAML, as is used by much Web access and by the Global Grid Forum
• a security association is required between all elements talking to each other - possibilities:
  • secure connection between elements in the machine
  • security association between elements
  • assertions of attributes with proof of origin
Some other assumptions
• Framework will provide tools to use in specific instances
  • each instance will use a limited number of tools which are specified for the instance
• Architecture allows work on specific subjects independently of others
  • discovery can be defined independently of authorization
  • authorization can be vetted by security experts without knowledge of discovery or device specifics
  • 4-way handshake is done independently of authorization
  • key derivation for sessions is done outside EAP methods
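The three-phase split described on this slide and on the earlier "Example of proposed sequence", "Authentication" and "Enable" slides, as an added Python example that is not code from the 802.1AF group or any 802.1 draft: Discovery picks a connection point by ordered rules; Authentication is a stand-in for an EAP method whose only export is a 64-byte MSK; Enable checks its own rules, derives PMK and PTK outside the EAP method, runs a 4-way handshake with MIC checks on both sides, and re-keys later from the cached MSK without re-running authentication. The HMAC-SHA256 counter-mode KDF, the key sizes, the message layout, the capability table and the rules are all assumptions chosen to resemble 802.11i practice; the deck specifies none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def kdf(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode KDF over HMAC-SHA256 (assumed; the deck names no keying hierarchy)."""
    out = b""
    for i in range(1, (length + 31) // 32 + 1):
        out += hmac.new(key, bytes([i]) + label + b"\x00" + context, hashlib.sha256).digest()
    return out[:length]

# ---- Discovery: find connection points, pick one by ordered rules ----
def discover(points: dict, rules: list) -> str:
    """points: name -> capability dict (constructed); rules: predicates, most preferred first."""
    for rule in rules:
        for name, caps in points.items():
            if rule(caps):
                return name
    raise LookupError("no connection point satisfies the discovery rules")

# ---- Authentication: stand-in for an EAP method; only the MSK leaves this phase ----
def authenticate(shared_secret: bytes, peer_id: bytes, server_id: bytes) -> bytes:
    # Constructed: a real instance would run EAP-TLS or similar; the output is a 64-byte MSK.
    return kdf(shared_secret, b"EAP MSK", peer_id + server_id, 64)

# ---- Enable: session keys and the 4-way handshake, outside the EAP method ----
def derive_ptk(pmk: bytes, addr_a: bytes, addr_b: bytes, nonce_a: bytes, nonce_b: bytes):
    """PTK = KDF(PMK, addresses || nonces); sorted so both sides build the same context."""
    ctx = min(addr_a, addr_b) + max(addr_a, addr_b) + min(nonce_a, nonce_b) + max(nonce_a, nonce_b)
    ptk = kdf(pmk, b"Pairwise key expansion", ctx, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]  # KCK (MIC key), KEK (key wrap), TK (traffic key)

def mic(kck: bytes, msg: bytes) -> bytes:
    return hmac.new(kck, msg, hashlib.sha256).digest()[:16]

def four_way_handshake(pmk_auth, pmk_supp, auth_addr, supp_addr, tamper=False):
    """Both sides' view of the exchange. Returns the TK each side derived; raises on MIC failure."""
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    # msg1 (A->S): ANonce in the clear; the supplicant can now derive its PTK.
    kck_s, _, tk_s = derive_ptk(pmk_supp, auth_addr, supp_addr, anonce, snonce)
    # msg2 (S->A): SNonce plus a MIC under the supplicant's KCK.
    m2 = b"msg2" + snonce
    m2_mic = mic(kck_s, m2)
    if tamper:  # simulate an on-path modification of msg2
        m2_mic = bytes([m2_mic[0] ^ 1]) + m2_mic[1:]
    kck_a, _, tk_a = derive_ptk(pmk_auth, auth_addr, supp_addr, anonce, snonce)
    if not hmac.compare_digest(mic(kck_a, m2), m2_mic):
        raise PermissionError("msg2 MIC invalid: peer lacks the PMK or the message was altered")
    # msg3 (A->S): authenticator proves it holds the PMK too; msg4 (S->A) acknowledges.
    m3 = b"msg3" + anonce
    if not hmac.compare_digest(mic(kck_s, m3), mic(kck_a, m3)):
        raise PermissionError("msg3 MIC invalid")
    return tk_a, tk_s

@dataclass
class Session:
    point: str
    msk: bytes          # cached so that reauth can re-key without re-running EAP
    tk: bytes = b""
    rekeys: int = 0

def enable(session: Session, rules: list, auth_addr: bytes, supp_addr: bytes, hour: int,
           tamper: bool = False) -> bytes:
    """Enable-phase rule check (the deck's 'is it after 5pm'), then the handshake."""
    if not all(rule(hour) for rule in rules):
        raise PermissionError("enable rules denied the connection")
    pmk = session.msk[:32]  # PMK = first 256 bits of the MSK (802.11i convention, assumed here)
    tk_a, tk_s = four_way_handshake(pmk, pmk, auth_addr, supp_addr, tamper)
    session.tk, session.rekeys = tk_a, session.rekeys + 1
    return tk_a

def fails(fn, *args, **kwargs) -> bool:
    """True if the call is refused (used to exercise the failure modes)."""
    try:
        fn(*args, **kwargs)
    except (PermissionError, LookupError):
        return True
    return False

def run_demo():
    # Constructed capability table and rules: prefer wired, otherwise accept anything.
    points = {"wlan0": {"medium": "wireless"}, "eth0": {"medium": "wired"}}
    point = discover(points, [lambda c: c["medium"] == "wired", lambda c: True])
    msk = authenticate(b"constructed-shared-secret", b"peer1", b"as1")
    s = Session(point, msk)
    before_5pm = [lambda h: h < 17]
    a, p = b"\x02" * 6, b"\x04" * 6
    tk1 = enable(s, before_5pm, a, p, hour=9)
    tk2 = enable(s, before_5pm, a, p, hour=10)  # reauth: same MSK, fresh nonces, new TK
    return point, s, tk1, tk2
```

Two things the toy makes visible that the slides only imply: the handshake proves possession of the PMK in both directions and binds fresh nonces, so a re-key from the cached MSK yields a new traffic key without touching the EAP method; and that cache is exactly what an attacker who compromises the supplicant host obtains, so its lifetime is a policy the Authentication element has to own. A real 802.11i exchange also carries replay counters and the key-install step, which are omitted here.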
Other applications to investigate
• 802.11 connection and reconnection
• EAP key hierarchy
• EAP Network Selection draft
• Global Grid Forum
  • Discover required resources / Reserve / Enable
• 802.1X
• OASIS and Web services
• Other ??