802.1AF - directions - PowerPoint PPT Presentation

View by Category
About This Presentation
Title:

802.1AF - directions

Description:

802.1AF - directions. define requirements to find and create connections in terms ... It may get attribute information from the Authentication phase ... – PowerPoint PPT presentation

Number of Views:17
Avg rating:3.0/5.0
Slides: 11
Provided by: johnvol
Learn more at: http://www.ieee802.org
Category:
Tags: 1af | directions | get

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: 802.1AF - directions


1
802.1AF - directions
  • define requirements to find and create
    connections in terms of
  • Discovery - Authentication - Enable
  • Discover of what can be done and rule based
    decision resulting in specific requests for
    Action
  • Authenticate entities required for the connection
    requested by discovery
  • Enable turn on the actual connection

2
example of proposed sequence
  • Discovery
  • find what devices are available for connection
  • get capabilities of possible connections
  • request connection(s) as define by rules
  • Authentication
  • execute an EAP method requested remote
  • get session key
  • do authorization with remote
  • Enable
  • authorize based on AS requirements (not EAP
    authorization)
  • do four way handshake using key info from
    Authentication

3
802.1AF Model
Discovery
Discovery
backend(s)
Authen
Authen
dev
dev
Enable
Enable
4
Beginnings of Interface Requirements - Discovery
  • Intent is to find what opportunities for
    connection exist and request connection to what
    is best
  • Implies ability to find possible remote
    connection points
  • May imply knowing what each connection point can
    provide (e.g. what addresses it can reach)
  • Implies rules about how decisions are made
  • Group should review what is currently done and
    what people want to do e.g. connect/disconnect
    to wired ethernet when wireless is available

5
Beginnings of Requirements -Authentication
  • Assume that EAP style interface is preference
  • EAP methods allowed will have specific
    requirements and will include a required method
  • may have it define a required method and have it
    vetted by security community
  • Authentication will create keying material that
    will be passed to other elements which will use
    it to create keys for other devices
  • this should use well defined keying hierarchy
    model to be published by IETF
  • Authentication will have the ability in
    appropriate circumstances to reauth using key
    generated rather than reauthenticating and
    creating a new key

6
Beginnings of Requirements -Enable
  • This will do 4-way handshake
  • It will check some rules allowing connection
    e.g. is it after 5pm
  • It tracks connection establishment and points to
    physical connection info
  • It may get attribute information from the
    Authentication phase
  • It derives keys and Security Association for
    session(s) from material sent by Authentication
    phase
  • It tracks multiple connections based on the key
    from the Authentication phase

7
Enable - issues
  • what is the ouput of an enable -
  • just the connection, or other things like
    firewall
  • is the decision for framework or just for AF?
  • what elements are enabled e.g. -
  • time of connection
  • bandwidth
  • etc.
  • how is connect information maintained

8
Beginnings of Requirements-General
  • elements will talk to backend
  • may use RADIUS or Diameter or LDAP as
    appropriate. May also consider using SAML as is
    used by much WEB access and by Global Grid Forum
  • Security association is required between all
    elements talking to each other - possibilities
  • secure connection between elements in machine
  • Security association between elements
  • Assertions of Attributes with proof of origin

9
Some other assumptions
  • Framework will provide tools to use in specific
    instances
  • each instance will use a limited number of tools
    which are specified for the instance
  • Architecture allows work on specific subjects
    independently of others
  • discovery can be defined independently of
    authorization
  • authorization can be vetted by security experts
    without knowledge of discovery or device
    specifics
  • 4-way handshake can is done independently of
    authorization
  • key derivation for Sessions is done outside EAP
    methods

10
Other applications to investigate
  • 802.11 connection and reconnection
  • EAP key hierarchy
  • EAP Network Selection Draft
  • Global Grid Forum
  • Discover required resources/ Reserve/ Enable
  • 802.1X
  • Oasis and WEB services
  • Other ??
About PowerShow.com