diameter eap application (draft-ietf-aaa-eap-02.txt)
DESCRIPTION
Diameter EAP Application (draft-ietf-aaa-eap-02.txt). [email protected] on behalf of ... [email protected]. Outline of the Presentation. Part 1: Introduction Part 2: Redirects Part 3: Protocol details Part 4: Security considerations Part 5: Next Steps. Part 1: Introduction. - PowerPoint PPT PresentationTRANSCRIPT
July 16, 2003 1
Diameter EAP ApplicationDiameter EAP Application(draft-ietf-aaa-eap-02.txt)(draft-ietf-aaa-eap-02.txt)
[email protected] on behalf of [email protected]
July 16, 2003 2
Outline of the PresentationOutline of the Presentation• Part 1: Introduction• Part 2: Redirects• Part 3: Protocol details• Part 4: Security considerations• Part 5: Next Steps
July 16, 2003 3
Part 1: IntroductionPart 1: Introduction
July 16, 2003 4
IntroductionIntroduction• ”2869bis plus key AVPs for Diameter”• Scope
– One EAP conversation, no role reversal– One NAS, no handoffs or key distribution
to multiple NASes– No new NAS-to-home-server security
mechanisms, but works end-to-end between the NAS and the home server
July 16, 2003 5
Basic sequenceBasic sequence
(initiate EAP)
Client ServerNASDiameter-EAP-RequestEAP-Payload(EAP start)
Diameter-EAP-AnswerResult-Code=SUCCESS
EAP-Master-Session-Key EAP-Payload(Success)
EAPOL(Request(…))
EAPOL(Success)
Diameter-EAP-AnswerResult-Code=MULTI_ROUND_AUTH
EAP-Payload(Request(…))
Diameter-EAP-RequestEAP-Payload(Response(…))
EAPOL(Response (…))
(4-way handshake)
July 16, 2003 6
Changes in -02Changes in -02• Redirects / NASREQ interaction• Added various protocol details• RADIUS translation
– RFC 2548 translation desirable, too• Security considerations
July 16, 2003 7
Part 2: RedirectsPart 2: Redirects
July 16, 2003 8
Redirects and Redirects and NASREQ interactionNASREQ interaction
• Without CMS, proxy agents can see the EAP MSK
• Solution in –02 for avoiding proxies:– NAS contacts the home server
directly; redirects used if there would otherwise be a proxy
– An optional separate request to retrieve authorization AVPs through the proxy chain
July 16, 2003 9
Finding server with Finding server with redirectsredirects
Diameter-EAP-RequestEAP-Payload(EAP start)
Diameter-EAP-AnswerRedirect-Host=…
Redirect-Host-Usage=REALM_AND_APPLICATION
NAS Server
Diameter-EAP-RequestEAP-Payload(EAP start)
Proxy
July 16, 2003 10
Diameter-EAP-RequestAuth-Request-Type=AUTHORIZE_AUTHENTICATE
Proxy
Diameter-EAP-AnswerResult-Code=DIAMETER_LIMITED_SUCCESS
EAP-Master-Session-Key(some authorization AVPs)
NASREQ-AA-RequestAuth-Request-Type=AUTHORIZE_ONLY(some AVPs from previous message)
NAS Server
Separate Authorization AVP Separate Authorization AVP RetrievalRetrieval
July 16, 2003 12
Issues in RedirectsIssues in Redirects• The authorization AVP retrieval
uses NASREQ, since Diameter realm routing table isn’t command-specific
• Who decides whether the separate proxy pass is needed?
• What exactly does a redirect + elimination of proxies buy us?
July 16, 2003 13
Proxy EliminationProxy Elimination+ Key is not shown to other parties+ Lengthy EAP runs become faster+ We authenticate the node on the other side- But untrusted proxies can still misbehave!
– Proxy might not send a Redirect– Proxy might send the wrong server’s address
=> We need additional authorization– Configuration– Attributes in server certs?– NAI realm vs. FQDN in server check
July 16, 2003 14
Diameter authorizationDiameter authorization• TLS authenticates Diameter nodes, but…• When the NAS talks to foo.example.com, is this
actually the server for realm example.com?– Local configuration– Trust redirect agent– Trust DNS– Separate CA for servers– Certificate name matching (+possibly separate CA)– Certificate extensions
• When the server gets a connection from bar.example.com, is this a valid access point?– Separate CA for access points– Certificate extensions
July 16, 2003 15
Part 3: Protocol DetailsPart 3: Protocol Details
July 16, 2003 16
Protocol detailsProtocol details• Invalid packets• Fragmentation• EAP retransmission• Accounting-EAP-Auth-Method• EAP-Master-Session-Key
July 16, 2003 17
Protocol details: Protocol details: Invalid packetsInvalid packets
• In RADIUS, this message contains a copy of the previous EAP Request, but we don’t want to keep inter-request state
• Some alternatives– EAP-Reissued-Payload AVP (instead of EAP-Payload),
and normal DIAMETER_MULTI_ROUND_AUTH Result-Code– New DIAMETER_EAP_INVALID_PACKET Result-Code, and
normal EAP-Payload AVP– But BASE and NASREQ contain multiple statements
like ”if Result-Code is DIAMETER_MULTI_ROUND_AUTH, then…”
July 16, 2003 18
Protocol details: Protocol details: FragmentationFragmentation
• New AVP: EAP-MTU– Link MTU != max. size of EAP packet– E.g., IKEv2 can carry large EAP
packets, but the MTU of the IPsec tunnel set up by IKEv2 is something different
• RADIUS translation waiting for clarification of 2869bis and/or draft-congdon-radius-8021x
July 16, 2003 19
Protocol details:Protocol details:Accounting-EAP-Auth-MethodAccounting-EAP-Auth-Method
• How NAS determines the method?– Not specified for MS-Acct-EAP-Type– Proposed solution: server returns it in
successful Diameter-EAP-Answer• RFC2548 has also MS-Acct-Auth-Type
– PAP/CHAP/EAP/MS-CHAP-2/etc.– Should we add Accounting-Auth-Method to
NASREQ or here?
July 16, 2003 20
Protocol details:Protocol details:EAP-Master-Session-KeyEAP-Master-Session-Key
• Simple AVP (OctetString)• Can be translated to MS-MPPE-
*• But EAP WG is discussing key
naming! We may need more AVPs
July 16, 2003 21
Part 4: Security Part 4: Security ConsiderationsConsiderations
July 16, 2003 22
Security considerations: Security considerations: System perspectiveSystem perspective
• No document contains security considerations for the whole system?– Gets even more complex if we have handoffs or
key distribution to multiple NASes– (May require changes not just to all three
components, but to interfaces between them)
Diameter
EAP
802.11
July 16, 2003 23
Part 5: Next StepsPart 5: Next Steps
July 16, 2003 24
Next stepsNext steps• Very much dependent on EAP keying
framework security discussion & Russ’ requirements from IETF-56– Finish that discussion first
• Identify other issues that still need work– Comments really welcome!
• Finish document– Keep current scope