802.1AF - directions

802.1AF - directions
Define requirements to find and create connections in terms of Discovery - Authentication - Enable:
1. Discover what can be done, and make a rule-based decision resulting in specific requests for action
2. Authenticate the entities required for the connection requested by Discovery
3. Enable [turn on] the actual connection

Example of proposed sequence
Discovery
  – find what devices are available for connection
  – get capabilities of possible connections
  – request connection(s) as defined by rules
Authentication
  – execute the EAP method requested by the remote
  – get a session key
  – do authorization with the remote
Enable
  – authorize based on AS requirements (not EAP authorization)
  – do the four-way handshake using key info from Authentication

802.1AF Model (figure): dev [Discovery | Authen | Enable] <-> backend(s) <-> [Discovery | Authen | Enable] dev

Beginnings of Interface Requirements - Discovery
Intent is to find what opportunities for connection exist and request connection to whatever is best
  – implies the ability to find possible remote connection points
  – may imply knowing what each connection point can provide (e.g. what addresses it can reach)
  – implies rules about how decisions are made
Group should review what is currently done and what people want to do [e.g. connect/disconnect to wired Ethernet when wireless is available]

Beginnings of Requirements - Authentication
Assume that an EAP-style interface is the preference
The EAP methods allowed will have specific requirements and will include a required method
  – may have 802.1AF define a required method and have it vetted by the security community
Authentication will create keying material that is passed to other elements, which use it to create keys for other devices
  – this should use a well-defined keying hierarchy model, to be published by the IETF
Authentication will have the ability [in appropriate circumstances] to re-establish a session using the key already generated, rather than re-authenticating and creating a new key

Beginnings of Requirements - Enable
This phase will do the 4-way handshake
It will check some rules allowing connection [e.g. is it after 5pm]
It tracks connection establishment and points to the physical connection info
It may get attribute information from the Authentication phase
It derives keys and the Security Association for session(s) from material sent by the Authentication phase
It tracks multiple connections based on the key from the Authentication phase
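The proposed sequence, the Authentication keying requirements and the Enable requirements above describe a split that is easiest to see end to end: Authentication exports keying material, Enable derives the session keys with a 4-way handshake and tracks sessions by that key. The following model is an added example written for this page, not code from the presentation or from 802.1AF itself. It assumes, since the slides do not say, that the EAP method exports a 64-byte MSK, that the PMK is its first 32 bytes, and that the PMKID, the HMAC-SHA1 PRF and the "Pairwise key expansion" PTK derivation follow the IEEE 802.11i constructions; the MSK itself is constructed deterministically in place of a real EAP run.

```python
"""Model of the Discovery/Authentication/Enable split: EAP exports an MSK,
Enable runs a 4-way handshake over the derived PMK and caches sessions by PMKID.
Added example; key-hierarchy details are assumptions (802.11i-style), not 802.1AF text."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

LABEL_PTK = b"Pairwise key expansion"   # 802.11i label (assumed for this example)
LABEL_PMKID = b"PMK Name"               # 802.11i PMKID label (assumed)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i-style PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def mic(kck: bytes, body: bytes) -> bytes:
    """Message integrity check over a handshake message, keyed with the KCK."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


# --- Authentication phase: an EAP method exports keying material -------------
def authenticate(peer_identity: bytes) -> bytes:
    """Stand-in for an EAP method run; returns a constructed 64-byte MSK.
    A real method (e.g. EAP-TLS) derives the MSK from its own session."""
    return hashlib.sha512(b"constructed-eap-msk:" + peer_identity).digest()


def msk_to_pmk(msk: bytes) -> bytes:
    """Keying hierarchy handed to Enable: PMK = first 256 bits of the MSK (assumed)."""
    return msk[:32]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """Name of the PMK: lets Enable track and reuse a session without re-running EAP."""
    return hmac.new(pmk, LABEL_PMKID + aa + spa, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Tuple[bytes, bytes, bytes]:
    """PTK from PMK, both addresses and both nonces; split into KCK, KEK, TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, LABEL_PTK, data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


# --- Enable phase: 4-way handshake with both sides modelled -------------------
class Party:
    """One end of the link: 6-byte address, PMK from Authentication, fresh nonce."""
    def __init__(self, addr: bytes, pmk: bytes):
        self.addr, self.pmk, self.nonce, self.keys = addr, pmk, os.urandom(32), None


def four_way_handshake(authenticator: Party, supplicant: Party) -> Optional[bytes]:
    """Returns the session TK if both sides prove possession of the same PMK, else None."""
    aa, spa = authenticator.addr, supplicant.addr
    msg1 = aa + authenticator.nonce                      # A -> S: ANonce, in the clear
    anonce = msg1[6:]
    s_keys = derive_ptk(supplicant.pmk, aa, spa, anonce, supplicant.nonce)
    msg2_body = spa + supplicant.nonce                   # S -> A: SNonce + MIC
    msg2 = (msg2_body, mic(s_keys[0], msg2_body))
    a_keys = derive_ptk(authenticator.pmk, aa, spa, authenticator.nonce, msg2[0][6:])
    if not hmac.compare_digest(mic(a_keys[0], msg2[0]), msg2[1]):
        return None                                      # PMK mismatch: do not enable
    msg3_body = aa + authenticator.nonce + b"\x01"       # A -> S: install, MIC'd
    msg3 = (msg3_body, mic(a_keys[0], msg3_body))
    if not hmac.compare_digest(mic(s_keys[0], msg3[0]), msg3[1]):
        return None
    msg4_body = spa + b"\x01"                            # S -> A: confirm, MIC'd
    msg4 = (msg4_body, mic(s_keys[0], msg4_body))
    if not hmac.compare_digest(mic(a_keys[0], msg4[0]), msg4[1]):
        return None
    authenticator.keys, supplicant.keys = a_keys, s_keys  # both install the same TK
    return a_keys[2]


def enable(cache: dict, aa: bytes, spa: bytes, supplicant_pmk: bytes, msk: Optional[bytes] = None) -> Optional[bytes]:
    """Enable entry point: reuse a session known by PMKID (no new EAP run), or
    install a new PMK from the MSK that Authentication handed over; refuse otherwise."""
    name = pmkid(supplicant_pmk, aa, spa)
    if name not in cache:
        if msk is None:
            return None
        cache[name] = msk_to_pmk(msk)
    return four_way_handshake(Party(aa, cache[name]), Party(spa, supplicant_pmk))
```

Note that the handshake only proves both ends hold the same PMK and yields a fresh TK per run; it carries no authorization decision, which matches the slide's separation of "authorize based on AS requirements" from the handshake itself, and the PMKID cache is what makes the reconnect-without-reauthentication case work.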

Enable - issues
What is the output of an Enable?
  – just the connection, or other things like a firewall?
Is the decision for the framework, or just for AF?
What elements are enabled, e.g.:
  – time of connection
  – bandwidth
  – etc.
How is connection information maintained?

Beginnings of Requirements - General
Elements will talk to a backend
  – may use RADIUS or Diameter or LDAP as appropriate. May also consider using SAML, as is used by much Web access and by the Global Grid Forum
A security association is required between all elements talking to each other; possibilities:
  – secure connection between elements in the same machine
  – security association between elements
  – assertions of attributes with proof of origin

Some other assumptions
The framework will provide tools to use in specific instances
  – each instance will use a limited number of tools, which are specified for the instance
  – the architecture allows work on specific subjects independently of the others
Discovery can be defined independently of authorization
Authorization can be vetted by security experts without knowledge of discovery or device specifics
The 4-way handshake is done independently of authorization
Key derivation for sessions is done outside the EAP methods

Other applications to investigate
Connection and reconnection
EAP key hierarchy
EAP Network Selection draft
Global Grid Forum
  – Discover required resources / Reserve / Enable
802.1X
OASIS and Web services
Other ??