802.1AF - directions
• define requirements to find and create connections in terms of Discovery - Authentication - Enable
  1. Discovery of what can be done and rule-based decision resulting in specific requests for Action
  2. Authenticate entities required for the connection requested by discovery
  3. Enable [turn on] the actual connection

example of proposed sequence
• Discovery
  – find what devices are available for connection
  – get capabilities of possible connections
  – request connection(s) as defined by rules
• Authentication
  – execute an EAP method requested by remote
  – get session key
  – do authorization with remote
• Enable
  – authorize based on AS requirements (not EAP authorization)
  – do four way handshake using key info from Authentication

802.1AF Model
[diagram: two devices (dev, dev), each with Discovery, Authen and Enable elements, with the elements talking to backend(s)]

Beginnings of Interface Requirements - Discovery
• Intent is to find what opportunities for connection exist and request connection to what is best
• Implies ability to find possible remote connection points
• May imply knowing what each connection point can provide (e.g. what addresses it can reach)
• Implies rules about how decisions are made
• Group should review what is currently done and what people want to do [e.g. connect/disconnect to wired ethernet when wireless is available]

Beginnings of Requirements - Authentication
• Assume that EAP style interface is preference
• EAP methods allowed will have specific requirements and will include a “required” method
  – may have it define a required method and have it vetted by security community
• Authentication will create keying material that will be passed to other elements which will use it to create keys for other devices
  – this should use well defined keying hierarchy model to be published by IETF
• Authentication will have the ability [in appropriate circumstances] to reauth using key generated rather than reauthenticating and creating a new key

Beginnings of Requirements - Enable
• This will do 4-way handshake
• It will check some rules allowing connection [e.g. is it after 5pm]
• It tracks connection establishment and points to physical connection info
• It may get attribute information from the Authentication phase
• It derives keys and Security Association for session(s) from material sent by Authentication phase
• It tracks multiple connections based on the key from the Authentication phase

Enable - issues
• what is the output of an enable – just the connection, or other things like firewall
• is the decision for framework or just for AF?
• what elements are enabled e.g.
  – time of connection
  – bandwidth
  – etc.
• how is connect information maintained

Beginnings of Requirements - General
• elements will talk to backend – may use RADIUS or Diameter or LDAP as appropriate. May also consider using SAML as is used by much WEB access and by Global Grid Forum
• Security association is required between all elements talking to each other - possibilities:
  – secure connection between elements in machine
  – Security association between elements
  – Assertions of Attributes with proof of origin

Some other assumptions
• Framework will provide tools to use in specific instances
  – each instance will use a limited number of tools which are specified for the instance
  – Architecture allows work on specific subjects independently of others
• discovery can be defined independently of authorization
• authorization can be vetted by security experts without knowledge of discovery or device specifics
• 4-way handshake is done independently of authorization
• key derivation for Sessions is done outside EAP methods

Other applications to investigate
• 802.11 connection and reconnection
• EAP key hierarchy
• EAP Network Selection Draft
• Global Grid Forum – Discover required resources / Reserve / Enable
• 802.1X
• Oasis and WEB services
• Other ??
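As an added illustration (not from the slides or from the 802.1AF work itself), the Python below models the Enable phase described above: a connection rule check (the slides' "is it after 5pm" example), then a simplified four-way handshake that derives session keys from the Authentication-phase key material, so that each side proves it holds the same key without ever sending it. The HMAC-SHA256 KDF, the message layout and the MIC construction are assumptions chosen for illustration, not the key hierarchy the slides expect the IETF to publish.

```python
import hmac, hashlib, os
from dataclasses import dataclass

def kdf(pmk: bytes, label: bytes, ctx: bytes, length: int = 48) -> bytes:
    """HMAC-SHA256 counter-mode KDF: expands the Authentication-phase key
    material (PMK) into session keys. Illustrative choice, not 802.1AF's own."""
    out, i = b"", 1
    while len(out) < length:
        out += hmac.new(pmk, bytes([i]) + label + ctx, hashlib.sha256).digest()
        i += 1
    return out[:length]

def mic(kck: bytes, msg: bytes) -> bytes:
    """Message integrity code over a handshake message, keyed by the KCK."""
    return hmac.new(kck, msg, hashlib.sha256).digest()

@dataclass
class Peer:
    addr: bytes
    pmk: bytes            # keying material handed over by the Authentication phase
    nonce: bytes = b""
    ptk: bytes = b""      # session key material derived during Enable

def derive_ptk(pmk, a_addr, s_addr, anonce, snonce) -> bytes:
    # Bind the session keys to both endpoints and both fresh nonces.
    ctx = min(a_addr, s_addr) + max(a_addr, s_addr) + min(anonce, snonce) + max(anonce, snonce)
    return kdf(pmk, b"Pairwise key expansion", ctx)

def four_way_handshake(auth: Peer, supp: Peer) -> bool:
    """True when both peers derive the same PTK and each verifies the other's MIC."""
    auth.nonce = os.urandom(32)                    # Msg 1: ANonce, unprotected (no PTK yet)
    supp.nonce = os.urandom(32)                    # Msg 2: SNonce + MIC under supplicant's PTK
    supp.ptk = derive_ptk(supp.pmk, auth.addr, supp.addr, auth.nonce, supp.nonce)
    msg2, mic2 = supp.nonce, mic(supp.ptk[:16], supp.nonce)
    auth.ptk = derive_ptk(auth.pmk, auth.addr, supp.addr, auth.nonce, supp.nonce)
    if not hmac.compare_digest(mic(auth.ptk[:16], msg2), mic2):
        return False                               # peer holds different keying material
    msg3 = auth.nonce + b"install"                 # Msg 3: authenticator proves key possession
    mic3 = mic(auth.ptk[:16], msg3)
    return hmac.compare_digest(mic(supp.ptk[:16], msg3), mic3)  # Msg 4 (ack) omitted

def enable(auth: Peer, supp: Peer, hour: int, allow_after: int = 17) -> bool:
    """Enable phase: apply a connection rule (the slides' 'is it after 5pm'
    example), then run the handshake with the Authentication-phase key."""
    if hour < allow_after:
        return False
    return four_way_handshake(auth, supp)
```

A peer that arrives with different key material from the Authentication phase fails the MIC check on message 2, so no Security Association is created for it.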