Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.

Slides:

Advertisements

Similar presentations

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Advertisements

IETF-IEEE Relationship Status Report. Agenda Administrivia – Nose count and agenda bash – Approval of minutes from leadership meeting RFC 4441bis status.

Lionel Morand DIME WG IETF 79 Diameter Design Guidelines Thursday, November 11, 2010 Lionel Morand.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,

IETF DMM WG Mobility Exposure and Selection WT Call#2 Nov 6, 2014.

Doc.: IEEE /TBD Submission November 2001 Warren Barkley, Tim Moore, Bernard Aboba/Microsoft IEEE 802.1X and RADIUS Security Bernard Aboba Ashwin.

RFC 3361: DHCP Option for SIP Servers Speaker: Chung yu Wu Teacher: Quincy Wu.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

WebDAV Issues Munich IETF August 11, Property URL encoding At present, spec. allows encoding of the name of a property so it can be appended to.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

BEHAVE BOF (Behavior Engineering for Hindrance AVoidancE) Cullen Jennings Jiri Kuthan.

© 1998 R. Gemmell IETF WG Presentation1 Robert Gemmell ROAMOPS Working Group.

DIME WG IETF 82 Dime WG Agenda & Status THURSDAY, November 17, 2011 Jouni Korhonen & Lionel Morand.

1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.

July 27, 2009IETF NEA Meeting1 NEA Working Group IETF 75 Co-chairs: Steve Hanna

Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.

QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.

RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.

EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.

IAB Report Technical Plenary IETF 81 July 25, 2011.

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

Do We Need a New Network Management Framework? David Harrington IETF66 OPS Area Meeting Montreal, Quebec, Canada.

Dime WG Status Update IETF#80, 1-April Agenda overview Agenda bashing WG status update Active drafts Recently expired IESG processing Current milestones.

7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.

Extended Attributes RADEXT - IETF 79 Alan DeKok FreeRADIUS Avi Lior Bridgewater.

March 2006IETF 65, Dallas1 Diameter NASreq (RFC 4005) and RADIUS Compatibility David Mitton RSA Security Inc. draft-mitton-diameter-radius-vsas-01.txt.

RADEXT WG IETF 91 Rechartering. Why? Current charter doesn’t allow us to take on new work that is waiting in the queue Has an anachronistic Diameter entanglement.

Guidelines for Cryptographic Algorithm Agility Russ Housley IETF 89 - SAAG Session.

OSPF WG – IETF 69 - Chicago OSPF WG Document Abhay Roy/Cisco Systems Acee Lindem/Redback Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.

ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.

Management Considerations Sharon Chisholm

RADEXT WG RADIUS Attribute Guidelines Greg Weber March 21 st, 2006 IETF-65, Dallas v1 draft-weber-radius-attr-guidelines-02.txt draft-wolff-radext-ext-attribute-00.txt.

Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,

Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.

1 draft-sidr-bgpsec-protocol-05 Open Issues. 2 Overview I received many helpful reviews: Thanks Rob, Sandy, Sean, Randy, and Wes Most issues are minor.

RADEXT WG IETF 81 Agenda July 25, Please join the Jabber room:

Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.

RADEXT WG RADIUS Attribute Guidelines Greg Weber IETF-63, Paris.

A RTCP-based Retransmission Protocol for Unicast RTP Streaming Multimedia draft-podolsky-avt-rtprx-00.txt Matthew Podolsky, Koichi Yano, and Steven McCanne.

NEMO Basic Support update IETF 61. Status IANA assignments done Very close to AUTH48 call Some issues raised recently We need to figure out if we want.

RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.

NEA Working Group IETF meeting July 27, 2011 Jul 27, 2011IETF 81 - NEA Meeting1.

Diameter Group Signaling Thursday, August 02 nd, 2013 draft-ietf-diameter-group-signaling-01 Mark Jones, Marco Liebsch, Lionel Morand IETF 87 Berlin, Germany.

Extended Attributes RADEXT - IETF 81 Alan DeKok FreeRADIUS Avi Lior Bridgewater.

Extended Attributes RADEXT - Interim Alan DeKok FreeRADIUS.

RADEXT WG Virtual Interim Agenda Monday, October 11, :00 AM – 10:00 AM PDT Please join the Jabber room:

ECC Design Team: Initial Report Brian Minard, Tolga Acar, Tim Polk November 8, 2006.

ISIS IETF 68 Chris Hopps, David Ward. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.

DIME WG IETF 84 Diameter Design Guidelines draft-ietf-dime-app-design-guide-15 Tuesday, July 31, 2012 Lionel Morand.

SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.

Dhc WG 3/2/2004, IETF 59, Seoul. 3/2/2004dhc WG - IETF 59, Seoul2 Agenda Administrivia, Agenda bashing Ralph Droms 05 minutes DHCP Option for Proxy Server.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-05.txt Bernard Aboba Microsoft IETF 62, Minneapolis, MN.

11/20/2002IETF 55 - AAA WG, NASREQ-101 Diameter-Nasreq-10 Dave Mitton, Most recent Document Editor With Contributions from David Spence & Glen Zorn.

Chapter 22 Next Generation IP

RADEXT WG RADIUS Attributes for WLAN Draft-aboba-radext-wlan-00.txt

RADEXT WG RADIUS Attribute Guidelines

Diameter NASreq (RFC 4005) and RADIUS Compatibility

August 2004 at IETF-60 Thoughts on RADIUS Data Model Issues and Some Possible New Approaches -- Including Diameter Compatibility.

ALTO Protocol draft-ietf-alto-protocol-14

Diameter NASReq Application Status

RADEXT WG RADIUS Attribute Guidelines draft-weber-radius-attr-guidelines-01.txt Greg Weber November 8th, 2005 v1 IETF-64, Vancouver.

Migration-Issues-xx Where it’s been and might be going

IETF-IEEE Relationship RFC 4441 Summary

Proposal for Extensible Security

Chapter 11: Network Address Translation for IPv4

BPSec: AD Review Comments and Responses

Agenda Wednesday, March 30, :00 – 11:30 AM

Presentation transcript:

Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL

Where We Are Design guidelines is a key deliverable on which other documents depend. New document editor: Alan DeKok Principles (from IETF 66): Guidelines document should focus on current data model only, not extensions. Description of current data model needs to provide thorough coverage of existing usage. Existing formats should not be deprecated, since implementations already support it. Guidelines document should articulate key design principles consistent with existing practice.

Document Outline Section 1: Introduction Goal: To provide guidelines for the design of RADIUS attributes both within the IETF as well as within other SDOs. 1.1 Applicability This document applies to attributes used to encode data. RADIUS protocol changes (such as new commands) is out of scope. This document does not provide guidance on changes to the RADIUS operational model. 1.2 Terminology 1.3 Requirements language

Document Outline (cont’d) Section 2: RADIUS Data Model Section 2.1: Standard Space Section Basic Data Types  Text [RFC2865]  String [RFC2865]  IPv4 Address [RFC2865]  32-bit unsigned Integer [RFC2865]  Time [RFC2869]  IPv6 address [RFC3162]  64-bit unsigned integer [RFC2869][RFC3162]  Note: no support for signed integers or unsigned integers of other sizes (e.g. UINT8, 16, 128)

Document Outline (cont’d) Section 2: RADIUS Data Model Section 2.1: Standard Space Section Tagging  One octet tag value, used in RFC 2868  Drawbacks:  Limited number of unique tags (31)  Can’t always tell if the first byte after the length is the tag or the first byte of the untagged value  When integer values are tagged, the value portion is reduced to 3 bytes.  No support for nesting or grouping.

Document Outline (cont’d) Section 2: RADIUS Data Model Section Complex Attributes  Authentication attributes: changes to both client and server would have been required anyway  CHAP-Password: [RFC2865] Section 5.3  Tunnel-Password: [RFC2868] Section 3.5  ARAP-Password: [RFC2869] Section 5.4  ARAP-Features: [RFC2869] Section 5.5  Address Prefixes  Framed-IPv6-Prefix [RFC3162] Section 2.3  Delegated-IPv6-Prefix [RFC4818] Section 3  Issues with Complex Attributes  From server to client: Need to change server dictionary and forms code to support the complex data type.  From client to server: Need to upgrade the RADIUS server policy engine to support sub-element matching

Document Outline (cont’d) Section 2: RADIUS Data Model Section 2.2 Vendor Space Issues with single octet Vendor Type:  SDOs or vendors that need more attributes  SDOs with sub-groups that individually need their own space  Should we recommend an alternative, such as a 16-bit Vendor Type? Problems in translation between RADIUS VSAs and Diameter  What should we do to fix this?  Option 1: Support Type 26 in Diameter? (David Mitton Proposal)  Option 2: Encourage implementations to keep track of and support multiple VSA formats?

Document Outline (cont’d) Section 3: Data Model Issues Standard RADIUS attributes have a more constrained data model than within the vendor space. Translation between the vendor and standard spaces can be difficult. Substantial changes in format can be required Many standard attributes can be required to translate a single VSA with sub-attributes, depleting the standard space. Conclusion: While some enhancements made in the vendor space may migrate to the standard space (e.g. RADIUS Attribute Extension document), divergence of standard and vendor spaces is probably a fact of life.

Document Outline (cont’d) Section 3: Data Model Issues Section 3.1 Vendor Space Theory: [RFC2865] Section 6.2: “Use… should be encouraged for functions specific only to one vendor's implementation of RADIUS, where no interoperability is deemed useful.” Reality: VSAs are now used where interoperability is not only useful, but essential! (e.g. SDO specifications) Reasons  Efficiency:  SDOs want to design their own RADIUS attributes  Few companies willing to fund employees to participate in an SDO and IETF to develop a RADIUS attribute specification  Long tradition of SNMP enterprise MIB development  Attribute scarcity  Not enough standards space attributes to satisfy SDO (or even IETF) needs.

Document Outline (cont’d) Section 3: Data Model Issues Section 3.1 Vendor Space VSA limitations (RFC 2865, Section 5.26):  VSAs cannot affect the operation of the RADIUS protocol (e.g. no new commands, changes to the protocol exchanges, new protocol variants, etc.)  Servers not equipped to interpret VSAs MUST ignore it  Clients which don’t receive desired VSAs SHOULD make an attempt to operate with out How serious are these limitations, really?  Inability to change the RADIUS protocol: not a problem (from the IETF’s point of view)  Handling of VSAs: Does not appear to preclude most VSA uses (e.g. still possible to negotiate use of VSAs between consenting parties). Conclusion: VSAs should not be treated like a “second class citizen”.

Document Outline (cont’d) Section 3: Data Model Issues Section 3.1 Vendor Space Recommendation: IETF should separate review, publication and allocation processes  IETF should encourage publication of SDO RADIUS attribute specifications as RFCs.  IETF should support SDOs in designing their own RADIUS attributes by publishing Design Guidelines and providing review (such as via RADEXT mailing list or AAA Doctors)  RADIUS attribute specifications intended primarily for use within an SDO (or even more than one SDO) should be allocated from the vendor space, not the RADIUS standard space. Section 3.2 Polymorphic Attributes Definition: An attribute whose format is dynamic. Polymorphism is NOT RECOMMENDED.

Document Outline (cont’d) Section 4: Diameter Compatibility Issues with translation of RADIUS VSAs to Diameter. Section 5: IANA Considerations Section 6: Security Considerations The current standard mechanism for “attribute hiding” (e.g. MD5-based stream cipher) is weak. It is NOT RECOMMENDED for use in new specifications. New RADIUS attribute utilizing cryptographic algorithms SHOULD support algorithm negotiation, as well as a mandatory-to-implement algorithm.

Next Steps Posting of a revised Internet Draft Request for WG review Discussion! On existing formats: On compound attributes: Acceptance as a WG work item WG last call

Feedback?