Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski

Published byΚλαύδιος Κορομηλάς Modified over 5 years ago

Similar presentations

Presentation on theme: "Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski"— Presentation transcript:

1 Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski
E. Lear, O. Friel, N. Cam-Winget Cisco

2 draft-friel-brski-over-802dot11
Related Draft BRSKI over IEEE draft-friel-brski-over-802dot11 O. Friel, E. Lear, M. Pritikin cisco M. Richardson Sandelman Software Works

3 What problems are we trying to solve?
Network A What Wi-Fi networks support BRSKI? How to avoid the device onboarding against the wrong network? What credentials does the device use before and after BRSKI bootstrap against a Wi-Fi network? How long does it take / what signalling is required for the device to determine that the network is untrusted? How complicated is the device state machine when switching from candidate network A to candidate network B? How complicated is the device state machine during network onboarding? ? Network B Network C draft-friel-brski-over-802dot11 outlines some possible solutions but does not make any final recommendations draft-lear-eap-teap-brski focuses on one candidate solution: running BRSKI inside a TEAP tunnel

4 Refresher: ANIMA BRSKI
1a. SIGP(requestvoucher) 1b. SIGR(SIGP(requestvoucher)) Pledge Registrar MASA 1d. SIGM(voucher) 1c. SIGM(voucher) 2a. simpleenroll + CSR EST RA 2b. Sign CSR CA 2c. LDevID Bootstrapping pledge trusts nothing except the manufacturer Pledge discovers registrar service on local domain (GRASP, mDNS, DNS options) Registrar is akin to a smart middlebox that proxies voucher requests to a manufacturer service that the device trusts Manufacturer issues a signed voucher instructing the pledge to trust the registrar

5 What we could do with current mechanisms
connect and 802.1X using IDevID Network A 2. DHCP, IP, DNS 3. Reject Network A 3. BRSKI Voucher Request / Reject MASA 4. Reboot connect and 802.1X using IDevID 6. DHCP, IP, DNS Network B 7. BRSKI Voucher Request / Accept 7. Voucher Network B 8. Reboot connect and 802.1X using LDevID 10. DHCP, IP, DNS 11. Access resources

6 What we would like to do MASA Network A Network B
connect and 802.1X using IDevID with BRSKI messages tunnelled inside EAP TLS tunnel Network A 1. Reject Network A MASA connect and 802.1X using IDevID with BRSKI messages tunnelled inside EAP TLS tunnel 3. DHCP, IP, DNS Network B 2. Voucher Network B 4. Access resources

7 ANIMA BRSKI Provisional TLS connection to Registrar
Establish Trust via Voucher Verify TLS connection Download Trust Anchors Enrol to get a cert

8 EAP-TEAP is a good fit Provisional TLS connection to Registrar
Establish Trust via Voucher Verify TLS connection Download Trust Anchors Enrol to get a cert TEAP supports Server Unauthenticated Provisioning New TLVs can be transported in TLS tunnel Device can verify server after TEAP Phase 2 completes Trusted-Server-Root TLV exists PKCS#7 and PKCS#10 TLVs exist

9 EAP-TEAP BRSKI Architecture
TEAP server and BRSKI Registrar could be co-located BRSKI Registrar and CA could be co-located

10 EAP-TEAP BRSKI Flow New TEAP TLVs defined
VoucherRequest Voucher VoucherStatus* EnrollmentStatus* CSR-Attributes* BRSKI TLVs must be exchanged prior to Crypto-Binding BRSKI is not a new EAP Method BRSKI exchange is not an inner method No need for Channel-Binding * Usage shown in detailed flows in draft

11 Summary Running BRSKI as part of 802.1X simplifies device onboarding state machine EAP TEAP is a good fit for BRSKI Defining new TEAP TLVs vs. a new EAP method seems simpler Request EMU adoption for draft-lear-eap-teap-brski

12 Discussion

Download ppt "Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski"

Similar presentations

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.

TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
COS 420 DAY 22. Agenda Assignment 4 Corrected 2 B’s Assignment 5 posted Chap 22-26 Due May 4 Final exam will be take home and handed out May 4 and Due.

COS 420 DAY 22. Agenda Assignment 4 Corrected 2 B’s Assignment 5 posted Chap Due May 4 Final exam will be take home and handed out May 4 and Due.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.

Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
Eugene Chang EMU WG, IETF 70

Eugene Chang EMU WG, IETF 70
Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and 802.11i IKEv2 EAP authentication.

1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
Doc.: IEEE 802.11-04/751r0 Submission July 2004 Max Riegel, SiemensSlide 1 Selling network access Views from a business perspective Max Riegel Siemens.

Doc.: IEEE /751r0 Submission July 2004 Max Riegel, SiemensSlide 1 Selling network access Views from a business perspective Max Riegel Siemens.
1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.

1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.
draft-ietf-netconf-zerotouch

draft-ietf-netconf-zerotouch
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.

Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)

Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)
Some use cases and requirements for handover Information Services Greg Daley MIPSHOP Session IETF 64.

Some use cases and requirements for handover Information Services Greg Daley MIPSHOP Session IETF 64.
SOCKS By BITSnBYTES (Bhargavi, Maya, Priya, Rajini and Shruti)

SOCKS By BITSnBYTES (Bhargavi, Maya, Priya, Rajini and Shruti)

Similar presentations

Ads by Google