Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman

Published byMadeline Knight Modified over 8 years ago

Similar presentations

Presentation on theme: "Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman"— Presentation transcript:

1 Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman mrw@painless-security.com

2 Problem Statement https://datatracker.ietf.org/doc/draft-howlett- abfab-trust-router-ps/https://datatracker.ietf.org/doc/draft-howlett- abfab-trust-router-ps/ Describes the problems that motivated the Trust Router work

3 Trust Router Draft https://datatracker.ietf.org/doc/draft-mrw-abfab- trust-router/https://datatracker.ietf.org/doc/draft-mrw-abfab- trust-router/ Describes the role and purpose of a Trust Router Defines the concept of communities COIs and APCs Defines two protocols Temporary Identity (TID) Protocol Trust Router Protocol

4 Trust Router Overview Trust Router Motivations Trust Router Operation Communities Temporary Identity Protocol Message contents Role of Trust Router as gateway Trust Router Protocol Message contents Trust link types Implementation Status

5 Trust Router Motivations Scalability of ABFAB Federations Eliminate need to configure credentials for every pair of RPs and IdPs Eliminate need to configure manual “routing” information in intermediate AAA Proxies Reduce costs of adding new members, removing members, changes in peer relationships Flexibility to create new Communities Groups that want to share access to a set of services, m apped to registrar Communities for authentication Eliminate need to set up new Registrar Community for every group

6 Looks Familiar? Current SAML Federations are reminiscent of early Internet SAML metadata (like host tables) is distributed manually and configured by every IdP or RP Need for every end-site to know about every other end-site, or they can’t connect Solution: Routing! Although we won’t be forwarding IP packets, the distribution of trust information looks a lot like the distribution of routing information

7 Communities Authentication Policy Communities (APCs) Used to authenticate access to RP Services Communities of Interest (COIs) Group of RP Clients, IdPs and Trust Routers that share access to a set of services COI must be resolved to an APC (for a given IdP Realm), before authentication can be achieved

8 Trust Router Operation

9 Temporary Identity Protocol Used by an RP to negotiate a Temporary Identity on a (set of) AAA Server(s) in a target realm TID Request is sent to the RP’s local Trust Router and forwarded across a Trust Path to the target AAA Server(s) Response is returned by reversing the Trust Path

10 Temporary Identity Protocol Simple request/response protocol Messages are encoded in JSON Uses GSS-API for authentication Request include ½ of a DH exchange Server replies with a list of AAA Server IP Addresses Response includes the other ½ of a DH exchange for each AAA Server Both ends can compute a shared key that is used for the subsequent AAA authentication Key cannot be computed by intermediate Trust Routers

11 Example TID Request {"msg_type": "TIDRequest", "msg_body": {"rp_realm": ”mit.edu", "target_realm": ”oxford.uk.ac", "community": ”abfab-hackers.communities.ja.net", "dh_info": {"dh_p”: "FFFFFFFF…", "dh_g": "02", "dh_pub_key": "FBF98ABB…”} } }

12 Trust Router as TID Gateway Trust Router receives a TID Request from an RP Client (e.g. AAA Proxy) Determines appropriate APC for the community included in the original request If different, moves original COI into orig-coi field Finds matching rp_client entry (from gss_name), applies filters, and adds constraints to the message Determines “Trust Path” and adds it to the message. Forwards message to AAA Server (or next hop Trust Router)

13 Trust Router Protocol Runs between pairs of Trust Routers Configured as “peers” with GSS credentials to reach each other “Routing” protocol used to dynamically distribute information about Available Trust Links Used to route TID requests and responses across the federation RP Client membership in COIs APC to use for each IdP Realm/COI pair

14 Trust Link Types Trust Link Types (named by target type) Routing Links Trust Router Link Indicates that the originating trust router can provide temporary IDs to reach the target trust router IdP Realm Link Indicates that the originating trust router can provide temporary IDs to reach the AAA servers in the target realm Information Flooding Links COI RP Membership Link Indicates that the the target RP Client is a member of the indicated COI APC Link Indicates that authentication for a target realm and COI should use the target APC

15 Trust Path A Trust Path is a set of Trust Links that forms a path across a federation between an RP and the AAA Server(s) in a Target IdP Realm A Trust Path is valid for a given Community Trust Routers forward TID Requests/Responses along Trust Paths, ultimately resulting in a TID that the RP can use to reach AAA Servers in the Target IdP Realm.

16 Next Steps [We held a Bar BOF at lunch today] We hope to hold a Pre-WG BoF at IETF 87 Need active discussion on the list Join our mailing list! trust-router@ietf.org

17 Questions? Feedback?

Download ppt "Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman"

Similar presentations

Trust Router. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any.

Trust Router. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any.
Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman

Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Trust Router Workshop 15 th October 2014. Introduction to the Day Moonshot Workshop.

Trust Router Workshop 15 th October Introduction to the Day Moonshot Workshop.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI Network Layer Network Fundamentals – Chapter 5.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI Network Layer Network Fundamentals – Chapter 5.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.

© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.
Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.
ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman

Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman
DHCP for Multi-hop Wireless Ad-Hoc Networks Presented by William List.

DHCP for Multi-hop Wireless Ad-Hoc Networks Presented by William List.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Guide to TCP/IP, Third Edition

Guide to TCP/IP, Third Edition
Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.

Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.

Similar presentations

Ads by Google