Slide 4: Current Status
- 802.1AE: stable, but frozen until AF maturity
- 802.1AF: concept stage
- Device Identity definition
  - Not needed to complete this project
  - If MK provisioned manually, no need for device identity at all
Slide 5: Group Based Security
- Rationale
  - Key explosion / deployment considerations
  - Multicast / broadcast considerations
  - Others?
- Built on initial (undefined?) authentication
  - Likely P2P – 802.1X based / other
- AE
  - Shared symmetric key within group
  - Prone to spoofing – no data origin authenticity
    - Contrary to project PAR!
  - Compromising a single node can cause havoc in the CA
  - Node leaving the CA will force fresh master keys – refresh everyone!
  - Acceptable if every node implements TPM (TCG/TNC) like security – unlikely!
- AF
  - Applicability to leaf nodes (platform / host)
    - Group membership = 2
    - Redundancy in KSP negotiation fields for groups (Live List, potential list, …)
  - Group membership > 2
    - KC is not authentic and may be spoofed – does it matter?
  - Alternative AF protocol (manual / P2P)
- Group sharing attractive administratively, but does not offer all security services in claim
  => Likely to be deployed with misconceptions about security offerings
Slide 6: AE / AF Interdependencies
- No need for tight coupling
  - AE usable without AF definition – OOB keys
  - Different AF (like) protocols may be mapped to AE
- Leaf nodes vs. core network / provider use cases
  - Leaf nodes leverage P2P key derivation protocol
  - Core leverages group based – if shared key acceptable
- Abstract group based architecture from AE
  - Pure L2 encapsulation description
  - Separate ‘context’ for environment
Slide 7: Platform Authentication – Protocol
- Host has 1:1 (client-server) relationship with infrastructure device (e.g. switch)
- Mobility considerations
  - Single (mobile) host will support wired and wireless media
  - Consolidation of protocols / algorithms for ease of use / deployment
  - Single HW to service wired / wireless crypto requirements
- Requires a P2P authentication protocol
  - E.g. 802.11i (like) or PSK with n=2
  - Simple 4-way handshake based on PMK to derive PTK
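To make the last bullet concrete, here is an added Python example (not from the original slides) of a PMK-based 4-way handshake between a host (supplicant) and a switch (authenticator). The message contents, the HMAC-SHA256 PRF and MIC, and the 48-byte PTK split are simplified stand-ins chosen for the illustration; they are not the exact 802.11i PRF-384 or EAPOL-Key constructions. What it shows is the property the slide relies on: both sides derive the same PTK from the PMK plus exchanged nonces, and a peer without the PMK is rejected before any key is installed.

```python
import hashlib
import hmac
import os

# Constructed, simplified 4-way handshake. Addresses and nonces are assumed inputs.


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion of key into `length` bytes (stand-in PRF)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF(PMK, addresses, nonces), split into KCK (MIC key), KEK and TK (traffic key)."""
    # Both sides order addresses and nonces the same way, so the result is symmetric.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def mic(kck: bytes, body: bytes) -> bytes:
    return hmac.new(kck, body, hashlib.sha256).digest()[:16]


class Authenticator:
    def __init__(self, pmk: bytes, addr: bytes):
        self.pmk, self.addr, self.anonce, self.ptk = pmk, addr, os.urandom(32), None

    def msg1(self) -> dict:
        return {"aa": self.addr, "anonce": self.anonce}

    def msg3(self, msg2: dict):
        # Derive the PTK from the supplicant's nonce; its MIC proves it holds the PMK.
        ptk = derive_ptk(self.pmk, self.addr, msg2["spa"], self.anonce, msg2["snonce"])
        if not hmac.compare_digest(msg2["mic"], mic(ptk["kck"], msg2["spa"] + msg2["snonce"])):
            return None  # wrong PMK or tampered message: abort, install nothing
        self.ptk = ptk
        return {"anonce": self.anonce, "mic": mic(ptk["kck"], b"install" + self.anonce)}

    def install(self, msg4: dict) -> bool:
        ok = self.ptk is not None and hmac.compare_digest(msg4["mic"], mic(self.ptk["kck"], b"done"))
        if not ok:
            self.ptk = None
        return ok


class Supplicant:
    def __init__(self, pmk: bytes, addr: bytes):
        self.pmk, self.addr, self.snonce, self.ptk = pmk, addr, os.urandom(32), None

    def msg2(self, msg1: dict) -> dict:
        self.ptk = derive_ptk(self.pmk, msg1["aa"], self.addr, msg1["anonce"], self.snonce)
        return {"spa": self.addr, "snonce": self.snonce,
                "mic": mic(self.ptk["kck"], self.addr + self.snonce)}

    def msg4(self, msg3: dict):
        # Message 3 proves the authenticator derived the same KCK before keys go live.
        if not hmac.compare_digest(msg3["mic"], mic(self.ptk["kck"], b"install" + msg3["anonce"])):
            self.ptk = None
            return None
        return {"mic": mic(self.ptk["kck"], b"done")}


def run_handshake(pmk_auth: bytes, pmk_supp: bytes,
                  aa: bytes = b"\x00\x11\x22\x33\x44\x55",
                  spa: bytes = b"\x66\x77\x88\x99\xaa\xbb"):
    """Return (success, authenticator TK, supplicant TK); TKs are None on failure."""
    auth, supp = Authenticator(pmk_auth, aa), Supplicant(pmk_supp, spa)
    m3 = auth.msg3(supp.msg2(auth.msg1()))
    if m3 is None:
        return False, None, None
    m4 = supp.msg4(m3)
    if m4 is None or not auth.install(m4):
        return False, None, None
    return True, auth.ptk["tk"], supp.ptk["tk"]


if __name__ == "__main__":
    pmk = os.urandom(32)
    print(run_handshake(pmk, pmk)[0], run_handshake(pmk, os.urandom(32))[0])
```

The design point matches the slide's "group membership = 2" case: the PTK is bound to the two addresses and two fresh nonces, so it is unique to this pair and this session, which is what gives the per-link data origin authenticity the group model lacks.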
Slide 8: Platform Authentication – Posture
- Authentication alone insufficient for applying policy
- Need platform configuration / state to ensure platform conformance to IT policy – ‘posture’
- Using authentication / posture, PDP can make better informed policy decision
- Posture carrier protocol – which layer?
  - Post authentication mechanism (over controlled port)
    - 802.1X extension – EAPOL-Posture?
    - 802.1AB TLV extensions?
    - Other?
  - E.g. EAP extension
- If posture is part of overall authentication / key derivation, then SAK can be used as a demux for policy!
Slide 9: Platform Authentication – Policy
- Result of authentication / posture evaluation
- PDP conveys policy to PEP
  - Format?
    - Single status
    - Expanded status (specific filter rules)
    - Granular policy
  - Protocol?
    - Extension of 802.1X (EAPOL-Success)?
    - Other (OOB / EAP extension)?
Slide 10: Data Path Considerations
- Frame format consolidation (wired / wireless)
  - 802.1AE vs. 802.11i
  - Separation of media specific params from encapsulation
  - After all – frame encapsulation is frame encapsulation is frame encapsulation!
  - All require Key-ID, enc, auth, PN (IV), [media specific stuff]
- Algorithms
  - GCM vs. CCM (assuming CCMP)
  - Shared HW
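The "Key-ID, enc, auth, PN" list is the media-neutral core that the slide argues should be separated from media-specific parameters. As an added illustration (not from the original slides), the Python below builds exactly that core: a clear header, a small tag carrying key-id and packet number, encrypted payload, and an integrity tag, with a receiver that keeps per-key-id replay state. The byte layout, the 1-byte key-id / 4-byte PN fields, and the HMAC-derived keystream and tag are constructed stand-ins for an AEAD such as GCM or CCM; this is not the 802.1AE SecTAG or the 802.11i CCMP header format.

```python
import hashlib
import hmac
import struct

# Constructed layout: [clear header][key_id:1][pn:4][ciphertext][tag:16]
TAG_LEN = 16
SECTAG = struct.Struct(">BI")  # key_id, packet number (assumed sizes)


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream; the PN is the IV, so a (key, PN) pair must never repeat."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", pn, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def auth_tag(key: bytes, header: bytes, sectag: bytes, ct: bytes) -> bytes:
    # The tag covers the clear header, key-id/PN and ciphertext, so none of them
    # can be altered in transit without detection.
    return hmac.new(key, header + sectag + ct, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(keys: dict, key_id: int, pn: int, header: bytes, payload: bytes) -> bytes:
    key = keys[key_id]
    sectag = SECTAG.pack(key_id, pn)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, pn, len(payload))))
    return header + sectag + ct + auth_tag(key, header, sectag, ct)


class Receiver:
    """Decapsulation with per-key-id replay protection; header_len is the media-specific part."""

    def __init__(self, keys: dict, header_len: int):
        self.keys, self.header_len = keys, header_len
        self.last_pn = {k: 0 for k in keys}  # highest PN accepted per key-id

    def decapsulate(self, frame: bytes):
        """Return (header, payload), or None when the frame must be dropped."""
        h = self.header_len
        if len(frame) < h + SECTAG.size + TAG_LEN:
            return None
        header, sectag = frame[:h], frame[h:h + SECTAG.size]
        ct, tag = frame[h + SECTAG.size:-TAG_LEN], frame[-TAG_LEN:]
        key_id, pn = SECTAG.unpack(sectag)
        key = self.keys.get(key_id)
        if key is None:
            return None  # unknown key-id: no key to check against
        if not hmac.compare_digest(tag, auth_tag(key, header, sectag, ct)):
            return None  # integrity failure
        # Replay state is advanced only after the tag verified, so an unauthenticated
        # frame can never move the window.
        if pn <= self.last_pn[key_id]:
            return None  # replayed or stale PN
        self.last_pn[key_id] = pn
        payload = bytes(a ^ b for a, b in zip(ct, keystream(key, pn, len(ct))))
        return header, payload


if __name__ == "__main__":
    keys = {1: bytes(range(32))}
    hdr = b"\xaa" * 12  # constructed 12-byte clear header (e.g. two MAC addresses)
    rx = Receiver(keys, len(hdr))
    frame = encapsulate(keys, 1, 5, hdr, b"hello")
    print(rx.decapsulate(frame), rx.decapsulate(frame))  # second call is a replay
```

Everything media-specific is confined to `header` and `header_len`; swapping the stand-in primitive for GCM or CCM would change only `keystream` and `auth_tag`, which is the "shared HW" argument of the slide in code form.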
Slide 12: 802.11i Frame Format
[Figure: 802.11i frame format diagram; only the callouts survive in the text]
- MIC is weak, hence encrypted
- CCMP is similar
Slide 13: Other Observations
- Aggregation hub considerations in 802.1X
  - Seen as multiple logical ports within 802.1X?
  - Analogous to wireless
- VMs (next page)
Slide 14: More Observations
- VMs => multi-core / multi-OS (Vanderpool)
  - Multiple identities for 802.1X to decipher
    - Possibly over same port / MAC!
  - Multiple network stacks
  - Single / multiple NICs
    - One physical port per VM – OK
    - One physical port per multiple VMs
      - Proxy model at L2
      - Single LinkSec entity representing all VMs
      - Local PEP – for VMs
- What is ‘device identity / posture’ in this context?
Slide 15: Conclusion
- De-couple AE / AF
  - Remove group based constraints from AE – this is really pertinent to the usage model and could be an opaque context
  - Multiple AFs map to a single AE based on usage
- Authentication protocol
  - Can leverage existing work: 802.1X / EAP
  - Session key may be associated with posture / privilege and transparently used for policy
- Create synergies between wired & wireless
  - Assists in implementation: common algorithms / protocols for wired / wireless
  - Inherent value in adoption
  - Convergence of algorithms (GCM / CCM) over AES?
- Considerations of VMs for identity / authentication / authorization