802.1AF - directions
•
define requirements to find and create
connections in terms of
Discovery - Authentication - Enable
1. Discover of what can be done and rule based
decision resulting in specific requests for Action
2. Authenticate entities required for the connection
requested by discovery
3. Enable [turn on] the actual connection
example of proposed sequence
• Discovery
– find what devices are available for connection
– get capabilities of possible connections
– request connection(s) as define by rules
• Authentication
– execute an EAP method requested remote
• get session key
• do authorization with remote
• Enable
– authorize based on AS requirements (not EAP
authorization)
– do four way handshake using key info from
Authentication
802.1AF Model
Discovery
backend(s)
Authen
Enable
Discovery
dev
dev
Authen
Enable
Beginnings of Interface
Requirements - Discovery
• Intent is to find what opportunities for connection
exist and request connection to what is best
• Implies ability to find possible remote connection
points
• May imply knowing what each connection point
can provide (e.g. what addresses it can reach)
• Implies rules about how decisions are made
• Group should review what is currently done and
what people want to do [e.g. connect/disconnect to
wired ethernet when wireless is available]
Beginnings of Requirements Authentication
• Assume that EAP style interface is preference
• EAP methods allowed will have specific requirements and
will include a “required” method
– may have it define a required method and have it vetted
by security community
• Authentication will create keying material that will be
passed to other elements which will use it to create keys
for other devices
– this should use well defined keying hierarchy model to
be published by IETF
• Authentication will have the ability [in appropriate
circumstances] to reauth using key generated rather than
reauthenticating and creating a new key
Beginnings of Requirements Enable
• This will do 4-way handshake
• It will check some rules allowing connection [e.g.
is it after 5pm]
• It tracks connection establishment and points to
physical connection info
• It may get attribute information from the
Authentication phase
• It derives keys and Security Association for
session(s) from material sent by Authentication
phase
• It tracks multiple connections based on the key
from the Authentication phase
Enable - issues
• what is the ouput of an enable – just the connection, or other things like firewall
• is the decision for framework or just for AF?
• what elements are enabled e.g. – time of connection
– bandwidth
– etc.
• how is connect information maintained
Beginnings of RequirementsGeneral
• elements will talk to backend
– may use RADIUS or Diameter or LDAP as appropriate.
May also consider using SAML as is used by much
WEB access and by Global Grid Forum
• Security association is required between all
elements talking to each other - possibilities:
– secure connection between elements in machine
– Security association between elements
– Assertions of Attributes with proof of origin
Some other assumptions
• Framework will provide tools to use in specific
instances
– each instance will use a limited number of tools which
are specified for the instance
– Architecture allows work on specific subjects
independently of others
• discovery can be defined independently of authorization
• authorization can be vetted by security experts without
knowledge of discovery or device specifics
• 4-way handshake can is done independently of authorization
• key derivation for Sessions is done outside EAP methods
Other applications to investigate
•
•
•
•
802.11 connection and reconnection
EAP key hierarchy
EAP Network Selection Draft
Global Grid Forum
– Discover required resources/ Reserve/ Enable
• 802.1X
• Oasis and WEB services
• Other ??