1. 802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done and rule based decision resulting in specific requests for Action 2.Authenticate entities required for the connection requested by discovery 3.Enable [turn on] the actual connection

2. example of proposed sequence Discovery –find what devices are available for connection –get capabilities of possible connections –request connection(s) as define by rules Authentication –execute an EAP method requested remote get session key do authorization with remote Enable –authorize based on AS requirements (not EAP authorization) –do four way handshake using key info from Authentication

3. 802.1AF Model dev Discovery Authen Enable backend(s) Discovery Authen Enable dev

4. Beginnings of Interface Requirements - Discovery Intent is to find what opportunities for connection exist and request connection to what is best Implies ability to find possible remote connection points May imply knowing what each connection point can provide (e.g. what addresses it can reach) Implies rules about how decisions are made Group should review what is currently done and what people want to do [e.g. connect/disconnect to wired ethernet when wireless is available]

5. Beginnings of Requirements - Authentication Assume that EAP style interface is preference EAP methods allowed will have specific requirements and will include a required method –may have it define a required method and have it vetted by security community Authentication will create keying material that will be passed to other elements which will use it to create keys for other devices –this should use well defined keying hierarchy model to be published by IETF Authentication will have the ability [in appropriate circumstances] to reauth using key generated rather than reauthenticating and creating a new key

6. Beginnings of Requirements - Enable This will do 4-way handshake It will check some rules allowing connection [e.g. is it after 5pm] It tracks connection establishment and points to physical connection info It may get attribute information from the Authentication phase It derives keys and Security Association for session(s) from material sent by Authentication phase It tracks multiple connections based on the key from the Authentication phase

7. Enable - issues what is the ouput of an enable - –just the connection, or other things like firewall is the decision for framework or just for AF? what elements are enabled e.g. - –time of connection –bandwidth –etc. how is connect information maintained

8. Beginnings of Requirements- General elements will talk to backend –may use RADIUS or Diameter or LDAP as appropriate. May also consider using SAML as is used by much WEB access and by Global Grid Forum Security association is required between all elements talking to each other - possibilities: –secure connection between elements in machine –Security association between elements –Assertions of Attributes with proof of origin

9. Some other assumptions Framework will provide tools to use in specific instances –each instance will use a limited number of tools which are specified for the instance –Architecture allows work on specific subjects independently of others discovery can be defined independently of authorization authorization can be vetted by security experts without knowledge of discovery or device specifics 4-way handshake can is done independently of authorization key derivation for Sessions is done outside EAP methods

10. Other applications to investigate 802.11 connection and reconnection EAP key hierarchy EAP Network Selection Draft Global Grid Forum –Discover required resources/ Reserve/ Enable 802.1X Oasis and WEB services Other ??