Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Published byRosemary McCoy Modified over 9 years ago

Similar presentations

Presentation on theme: "Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague."— Presentation transcript:

1 Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

2 Introduction The ABFAB architecture does not require any particular AAA strategy for connecting RPs to IdPs. This presentation describes a particular strategy that has some advantages over some existing strategies. The good news: the technology is very simple. The bad news: the motivations are less obvious. Most of this presentation is about describing the problem.

3 ABFAB architecture The ABFAB substrate provides four functions: – Transport: how messages are conveyed between client and server – Server discovery: how messages find a server – Trust establishment: how the client/server establish confidence that they are talking to the right client/server. – Rules determination: how the client/server decide what they should infer from the messages, and how they should behave in that regime. AAA client AAA server Relying party domain Identity Provider domain ABFAB substrate User

4 RADIUS substrate (1) Transport Hop-by-hop UDP datagram Server discovery Hop-by-hop realm matching, static configuration at each hop. Trust establishment Hop-by-hop shared secret, static configuration at each hop. Rules determination Locally configured policy, static configuration at each hop. AAA client AAA server Relying party domain Identity Provider domain

5 Static configuration is simple… AAA client AAA server IETF 80 eduroam network JANET(UK) cz eu uk Send ‘ja.net’ towards destination ‘uk’

6 …until it isn’t. AAA client AAA server IETF 80 eduroam network JANET(UK).cz.eu.uk Send ‘ja.net’ towards destination ‘uk’ AAA client IETF 81 eduroam network.us.ca Send ‘ja.net’ towards destination ‘eu’

7 Static configuration doesn’t scale… As an AAA system scales, you need to maintain more configuration across more nodes. The configuration is necessarily dissimilar between AAA nodes, but the entire system needs to behave as though all nodes share a consistent view of the entire system. Inconsistency may result in undesirable behaviour. Inventing an ad hoc solution within a single domain is trivial. The multi- domain case is also tractable, providing there is close coordination. However, if ABFAB is successful the potential number of domains and overall system size is considerable: coordination will be challenging. We need a standard mechanism that enables AAA nodes within a large and loosely-coupled AAA system to behave as though they share a consistent view of the entire system.

8 …that’s why we have routing protocols We already have a protocol that allows IP routers to replicate routing configuration: BGP. What if AAA configuration could be replicated between AAA nodes using a ‘trust router’ protocol? AAA nodes could use this protocol to advertise: – NAI realms: for server discovery. – Rules regimes: for rules determination.

9 Trust router protocol eu usca uk Announce eduroam: ja.net ja.net

10 Trust router RADIUS substrate (2) Transport Hop-by-hop UDP datagram Server discovery Realm matching using Trust Router protocol Trust establishment Hop-by-hop shared secret, static configuration at each hop Rules determination Trust router protocol; peer known implicitly. AAA client AAA server Relying party domain Identity Provider domain

11 Well, we have RadSec… RadSec is RADIUS over TLS or DTLS Invoke PKI to banish hop-by-hop security; permits e2e trust establishment. Knowing your peer explicitly may improve rules determination. Other benefits: – Prevents exposure of information to intermediate AAA nodes. – Reduces EAP transmission latency.

12 DNS & PKI RadSec substrate (1) Transport TLS/TCP Server discovery DNS Trust establishment PKI Rules determination Locally configured policy, peer known explicitly; static configuration at each hop. AAA client AAA server Relying party domain Identity Provider domain

13 A single PKI for ABFAB deployments? A PKI environment is a one-to-many relationship; an issuer’s policies may impose costs on some subset of those RPs that are not relevant to their business relationship(s). A one-to-one relationship allows the actors to agree their requirements without consideration of irrelevant actors in the system. But pairwise credentials don’t scale, right?

14 Didn’t we just fix the multiple credential problem? We’ve just invented a mechanism that enables a single EAP credential to be used against all RPs that trust the EAP server. An AAA server is just another RP; let’s apply ABFAB to RadSec! “WTF!” is a perfectly understandable response at this point.

15 RadSec substrate (2) AAA client (EAP peer) AAA server (EAP authenticator) Relying party domain Identity Provider domain EAP server Transport TLS/TCP Server discovery Trust Router Trust establishment ABFAB Rules determination Trust Router ABFAB EAP credential AAA credential

16 Key Negotiation Protocol KNP enables a RadSec client and server to dynamically establish a short-lived credential for a subsequent RadSec connection. KNP uses EAP authentication of credentials issued to the AAA client by an EAP server that is also trusted by the AAA server. The EAP server is called the ‘Introducer’. The process of establishing the RadSec credential between AAA client and server is called ‘Introduction’.

17 KNP substrate AAA client (EAP peer) AAA server (EAP authenticator) Relying party domain Identity Provider domain Introducer (EAP server) Transport TLS/TCP Server discovery Trust Router Trust establishment KNP Introduction Rules determination Trust Router KNP Introduction

18 Transitive operation Not all AAA nodes share a common Introducer. An Introducer can also be party as AAA client or server to an Introduction. This enables transitive introduction: the AAA client recurses along a path of Introducers to the AAA server.

19 Trust router Transitive KNP substrate AAA client AAA server Relying party domain Identity Provider domain Introducer Transport TLS/TCP Server discovery Trust Router Trust establishment Transitive KNP Introduction Rules determination Trust Router Introducer K1 K2 K3

20 System overview The system actors are Introducers and KNP-aware (‘active’) AAA nodes. Introducers credential trusted AAA nodes, and each other with long-lived credentials. These probably correspond to business agreements. Introducers announce and consume routing configuration data (names and rules). Transitive KNP and these long- term credentials allow the dynamic establishment of short-lived RadSec credentials. The short-lived credentials may be cached to avoid repetitive recursion. The active nodes may be proxies for non-KNP aware (‘passive’) AAA nodes. Introducer cloud ‘Active’ AAA nodes ‘Passive’ AAA nodes

21 Conclusions RadSec KNP places the costs associated with establishing a business relationship with the parties concerned, without drawing in irrelevant actors. KNP and the Trust Router protocol complement the ABFAB architecture by providing a substrate with properties that are particularly suitable for loosely- coupled systems. KNP is itself an application of ABFAB, that re-uses existing components. Therefore, it does not require substantial new invention. Project Moonshot is planning a KNP implementation for Q3/Q4 2011.

22 Example 1: no cached state User connected to service. Its AAA client obtains the server realm from the user’s NAI. example.com anon@example.com

23 Example 1: no cached state AAA client determines a path through the Introducer cloud to the AAA server that meets its policy. example.com anon@example.com

24 Example 1: no cached state AAA client walks along the Introducer path, establishing a short-lived RadSec credential at each hop. example.com anon@example.com K1 K2 K3 K4

25 Example 1: no cached state AAA client establishes a RadSec connection with the AAA server, and the user’s credentials are authenticated across this connection. example.com anon@example.com

26 Example 2: intermediate cached state User connects to service. Its AAA client obtains the server realm from the user’s NAI. example.com anon@example.com

27 Example 2: intermediate cached state AAA client determines a path through the Introducer cloud to the AAA server that meets its policy. example.com anon@example.com

28 Example 2: intermediate cached state AAA client determines that it already has a non- expired key for an intermediate Introducer. The client begins walking from this Introducer, avoiding the first two hops, establishing a short-lived RadSec credential at the subsequent hops. example.com anon@example.com K1 K2

29 Example 2: intermediate cached state AAA client establishes a RadSec connection with the AAA server, and the user’s credentials are authenticated across this connection. example.com anon@example.com

30 Example 3: AAA server cached state User connected to service. Its AAA client obtains the server realm from the user’s NAI. example.com anon@example.com

31 Example 3: AAA server cached state AAA client determines that it already has a non- expired key for the AAA server. example.com anon@example.com

32 Example 3: AAA server cached state AAA client establishes a RadSec connection with the AAA server, and the user’s credentials are authenticated across this connection. example.com anon@example.com

Download ppt "Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague."

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.
ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.

ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman

Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman
Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.

Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Adaptive Web Caching: Towards a New Caching Architecture Authors and Institutions: Scott Michel, Khoi Nguyen, Adam Rosenstein and Lixia Zhang UCLA Computer.

Adaptive Web Caching: Towards a New Caching Architecture Authors and Institutions: Scott Michel, Khoi Nguyen, Adam Rosenstein and Lixia Zhang UCLA Computer.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)

Similar presentations

Ads by Google