Authenticated service identities for EAP (draft-arkko-eap-service-identity-auth-00)

Slides: 9
Provided by: PasiE7
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Authenticated service identities for EAP
(draft-arkko-eap-service-identity-auth-00)
  • Jari Arkko, Pasi Eronen

2
Background
  • EAP does not have a concept of service (NAS)
    identity (identifier)
  • Since there's no identifier, it's not
    authenticated to the client
  • This leads to a 2.5 party protocol
  • Client is talking to some NAS trusted by the AAA
    server
  • Trivial consequence: a compromised NAS can
    impersonate any other NAS

3
Solution
  • Part 1: Channel bindings
  • Send integrity-protected identifier inside EAP
    method
  • Part 2: AAA server verifies that this identifier
    belongs to the node it's sending MSK to

4
Questions
  • What identifier?
  • SSID
  • BSSID
  • AP IP address
  • AP DNS name
  • Human-readable network name
  • Which direction?

5
This draft
  • Method-independent, extensible container for
    service identifiers
  • Identifiers for some EAP lower layers
  • 802.11, PPP, PANA, IKEv2
  • AVPs to send this container in some EAP methods
  • EAP-TLS, PEAPv2, EAP-SIM, EAP-AKA

6
Example Identifiers for 802.11
  • Service_Type = IEEE 802.11i
  • Service_Provider = "Joe's Coffee Shop, Heathrow
    airport, London, UK"
  • 802_11_SSID = joecoffee
  • 802_11_BSSID = 11:22:33:44:55:66
  • 802_11_Protection_Mechanism = 802.11i
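
Added example (not from the slides or the draft): the two-part check from the Solution slide, using the 802.11 identifiers above. Assumptions: the client-to-server direction, JSON standing in for the draft's container, HMAC-SHA256 under a method-internal key that the NAS never holds, and a hypothetical AAA-side NAS registry.

```python
import hashlib
import hmac
import json

# Constructed sample values; identifier names follow the 802.11 slide.
ADVERTISED = {
    "Service_Type": "IEEE 802.11i",
    "802_11_SSID": "joecoffee",
    "802_11_BSSID": "11:22:33:44:55:66",
}

# Hypothetical AAA-side registry (assumption): the identifiers each NAS,
# keyed by its AAA identity, is allowed to present to clients.
NAS_REGISTRY = {
    "nas-joecoffee-1": {"802_11_SSID": "joecoffee", "802_11_BSSID": "11:22:33:44:55:66"},
    "nas-other-7": {"802_11_SSID": "othernet", "802_11_BSSID": "aa:bb:cc:dd:ee:ff"},
}


def encode(identifiers):
    """Canonical byte encoding (JSON stands in for the draft's container)."""
    return json.dumps(identifiers, sort_keys=True, separators=(",", ":")).encode()


def client_bind(method_key, seen):
    """Part 1: client reports what it saw on the link, MACed under a key
    shared only by the client and the AAA server."""
    blob = encode(seen)
    return blob, hmac.new(method_key, blob, hashlib.sha256).digest()


def server_check(method_key, blob, tag, nas_id):
    """Part 2: verify integrity, then check that the identifiers belong to
    the NAS that would receive the MSK. Returns (ok, reason)."""
    expected = hmac.new(method_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "integrity check failed"
    claimed = json.loads(blob)
    registered = NAS_REGISTRY.get(nas_id)
    if registered is None:
        return False, "unknown NAS"
    for name, value in registered.items():
        if claimed.get(name) != value:
            return False, f"{name} does not belong to {nas_id}"
    return True, "ok"
```

If the request arrives through nas-other-7 while the client reports joecoffee's SSID and BSSID, the server returns a mismatch and does not release the MSK to that NAS.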

7
Example EAP-TLS
  • Add extension to ClientHello/ServerHello
    messages

8
What next?
  • Comments welcome!