Diameter EAP Application
(draft-ietf-aaa-eap-02.txt)
[email protected] on behalf of ...
[email protected]
July 16, 2003
Outline of the Presentation
• Part 1: Introduction
• Part 2: Redirects
• Part 3: Protocol details
• Part 4: Security considerations
• Part 5: Next Steps
Part 1: Introduction
Introduction
• "2869bis plus key AVPs for Diameter" (the RADIUS EAP support of RFC 2869bis carried over to Diameter, plus AVPs for the keys)
• Scope
– One EAP conversation, no role reversal
– One NAS, no handoffs or key distribution to multiple NASes
– No new NAS-to-home-server security mechanisms, but works end-to-end between the NAS and the home server
Basic sequence
(Participants: Client, NAS, Server)
1. Client -> NAS: (initiate EAP)
2. NAS -> Server: Diameter-EAP-Request, EAP-Payload(EAP start)
3. Server -> NAS: Diameter-EAP-Answer, Result-Code=MULTI_ROUND_AUTH, EAP-Payload(Request(…))
4. NAS -> Client: EAPOL(Request(…))
5. Client -> NAS: EAPOL(Response(…))
6. NAS -> Server: Diameter-EAP-Request, EAP-Payload(Response(…))
(steps 3 to 6 repeat for each EAP round)
7. Server -> NAS: Diameter-EAP-Answer, Result-Code=SUCCESS, EAP-Master-Session-Key, EAP-Payload(Success)
8. NAS -> Client: EAPOL(Success)
9. Client <-> NAS: (4-way handshake)
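The exchange above, simulated end to end as an added example (this is not code from the draft or from the slides): a home server that runs a constructed two-round EAP method, a NAS that only relays EAP-Payload between EAPOL and Diameter, and a client that derives its own copy of the key. The Result-Code values are the Diameter base protocol's and the EAP header layout is RFC 3748's; the empty EAP-Payload used as "EAP start", the toy method (type 200, an HMAC challenge that also derives a 64-octet MSK) and the user database are assumptions made for this example.

```python
import hashlib, hmac, os

# Diameter Result-Code values (Diameter base protocol, RFC 3588)
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001
# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TOY = 200   # assumption: stands in for a real key-deriving EAP method

def eap_pack(code, ident, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    return bytes([code, ident]) + (4 + len(data)).to_bytes(2, "big") + data

def eap_unpack(pkt):
    # Reject packets whose Length field disagrees with the bytes actually present.
    if len(pkt) < 4 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("malformed EAP packet")
    return pkt[0], pkt[1], pkt[4:]

def toy_method(psk, nonce):
    """Constructed method: proof = HMAC(psk, nonce); MSK = 64 bytes derived from the same secret."""
    proof = hmac.new(psk, b"proof" + nonce, hashlib.sha256).digest()
    msk = b"".join(hmac.new(psk, b"msk" + nonce + bytes([i]), hashlib.sha256).digest() for i in (0, 1))
    return proof, msk

class DiameterEAPServer:
    """Home server: runs the method; the MSK leaves it only inside the final SUCCESS answer."""
    def __init__(self, users):
        self.users = users        # identity -> pre-shared key (constructed user database)
        self.sessions = {}        # Session-Id -> per-conversation state

    def handle(self, request):
        sid, payload = request["Session-Id"], request["EAP-Payload"]
        st = self.sessions.setdefault(sid, {"step": "start", "ident": 0})
        if st["step"] == "start" and not payload:       # empty EAP-Payload models "EAP start"
            st["step"], st["ident"] = "identity", 1
            return self._challenge(sid, eap_pack(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
        code, ident, data = eap_unpack(payload)
        if code != EAP_RESPONSE or ident != st["ident"] or not data:
            return self._reject(sid)                    # unexpected packet: fail closed
        if st["step"] == "identity" and data[0] == EAP_TYPE_IDENTITY:
            st["identity"], st["nonce"] = data[1:].decode(), os.urandom(16)
            st["step"], st["ident"] = "method", 2
            return self._challenge(sid, eap_pack(EAP_REQUEST, 2, bytes([EAP_TYPE_TOY]) + st["nonce"]))
        if st["step"] == "method" and data[0] == EAP_TYPE_TOY and st["identity"] in self.users:
            proof, msk = toy_method(self.users[st["identity"]], st["nonce"])
            if hmac.compare_digest(proof, data[1:]):
                del self.sessions[sid]
                return {"Session-Id": sid, "Result-Code": DIAMETER_SUCCESS,
                        "EAP-Payload": eap_pack(EAP_SUCCESS, ident), "EAP-Master-Session-Key": msk}
        return self._reject(sid)

    def _challenge(self, sid, pkt):
        return {"Session-Id": sid, "Result-Code": DIAMETER_MULTI_ROUND_AUTH, "EAP-Payload": pkt}

    def _reject(self, sid):
        ident = self.sessions.pop(sid)["ident"]
        return {"Session-Id": sid, "Result-Code": DIAMETER_AUTHENTICATION_REJECTED,
                "EAP-Payload": eap_pack(EAP_FAILURE, ident)}

class Client:
    """Supplicant: answers EAPOL frames and derives its own copy of the MSK from the method."""
    def __init__(self, identity, psk):
        self.identity, self.psk, self.msk = identity, psk, None

    def eapol(self, frame):
        code, ident, data = eap_unpack(frame)
        if code != EAP_REQUEST:                         # Success keeps the derived key, Failure discards it
            self.msk = self.msk if code == EAP_SUCCESS else None
            return None
        if data[0] == EAP_TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + self.identity.encode())
        proof, self.msk = toy_method(self.psk, data[1:])
        return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_TOY]) + proof)

class NAS:
    """Pass-through authenticator: relays EAP both ways and never looks inside the method data."""
    def __init__(self, server):
        self.server, self.rounds = server, 0

    def authenticate(self, client, session_id):
        answer = self.server.handle({"Session-Id": session_id, "EAP-Payload": b""})   # EAP start
        while answer["Result-Code"] == DIAMETER_MULTI_ROUND_AUTH:
            self.rounds += 1
            response = client.eapol(answer["EAP-Payload"])               # EAPOL(Request) -> EAPOL(Response)
            answer = self.server.handle({"Session-Id": session_id, "EAP-Payload": response})
        client.eapol(answer["EAP-Payload"])                              # EAPOL(Success) or EAPOL(Failure)
        return answer["Result-Code"], answer.get("EAP-Master-Session-Key")  # MSK feeds the 4-way handshake

def run_session(identity, psk, users):
    # Drive one conversation; returns (Result-Code, EAP rounds, MSK seen by NAS, MSK held by client).
    server, client = DiameterEAPServer(users), Client(identity, psk)
    nas = NAS(server)
    result, msk = nas.authenticate(client, "nas.example.net;1;1")      # constructed Session-Id
    return result, nas.rounds, msk, client.msk
```

The point to notice is where the key appears: the NAS only ever holds it after the answer carrying Result-Code=SUCCESS, and anything between the NAS and the server that can read that answer (a proxy, in the absence of CMS) holds it too, which is the problem Part 2 addresses.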
Changes in -02
• Redirects / NASREQ interaction
• Added various protocol details
• RADIUS translation
– RFC 2548 translation desirable, too
• Security considerations
Part 2: Redirects
Redirects and NASREQ interaction
• Without CMS, proxy agents can see the EAP MSK
• Solution in -02 for avoiding proxies:
– NAS contacts the home server directly; redirects used if there would otherwise be a proxy
– An optional separate request to retrieve authorization AVPs through the proxy chain
Finding server with redirects
(Participants: NAS, Proxy, Server)
1. NAS -> Proxy: Diameter-EAP-Request, EAP-Payload(EAP start)
2. Proxy -> NAS: Diameter-EAP-Answer, Redirect-Host=…, Redirect-Host-Usage=REALM_AND_APPLICATION
3. NAS -> Server (directly): Diameter-EAP-Request, EAP-Payload(EAP start)
Separate Authorization AVP Retrieval
(Participants: NAS, Server, Proxy)
1. NAS -> Server (directly): Diameter-EAP-Request, Auth-Request-Type=AUTHORIZE_AUTHENTICATE
2. Server -> NAS: Diameter-EAP-Answer, Result-Code=DIAMETER_LIMITED_SUCCESS, EAP-Master-Session-Key, (some authorization AVPs)
3. NAS -> Proxy -> Server: NASREQ-AA-Request, Auth-Request-Type=AUTHORIZE_ONLY, (some AVPs from previous message)
Issues in Redirects
• The authorization AVP retrieval uses NASREQ, since the Diameter realm routing table isn't command-specific
• Who decides whether the separate proxy pass is needed?
• What exactly does a redirect + elimination of proxies buy us?
Proxy Elimination
+ Key is not shown to other parties
+ Lengthy EAP runs become faster
+ We authenticate the node on the other side
- But untrusted proxies can still misbehave!
– Proxy might not send a Redirect
– Proxy might send the wrong server’s address
=> We need additional authorization
– Configuration
– Attributes in server certs?
– NAI realm vs. FQDN in server check
Diameter authorization
• TLS authenticates Diameter nodes, but…
• When the NAS talks to foo.example.com, is this actually the server for realm example.com?
– Local configuration
– Trust redirect agent
– Trust DNS
– Separate CA for servers
– Certificate name matching (+possibly separate CA)
– Certificate extensions
• When the server gets a connection from bar.example.com, is this a valid access point?
– Separate CA for access points
– Certificate extensions
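One way for a NAS to act on the Redirect from the "Finding server with redirects" slide while closing the two proxy misbehaviours listed under "Proxy Elimination" (no Redirect sent, or a Redirect to the wrong server), as an added example that is not from the draft or the slides. It assumes the TLS layer has already verified the peer's certificate chain and hands the NAS the verified dNSName values; the RealmPolicy class implements two of the options listed on the authorization slide (local configuration and certificate name matching), and the peer names, the broker proxy and the scenario() topology are constructed for this example. The Result-Code and Redirect-Host-Usage values are those of the Diameter base protocol (RFC 3588).

```python
# Diameter base protocol values (RFC 3588)
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_REDIRECT_INDICATION = 3006
REALM_AND_APPLICATION = 3          # Redirect-Host-Usage


class Peer:
    """A Diameter node the NAS holds a TLS connection to. cert_names are the dNSName values
    the TLS layer has already verified; handler(request) -> answer stands in for the wire."""
    def __init__(self, host, cert_names, handler):
        self.host, self.cert_names, self.handler = host, tuple(cert_names), handler


def nai_realm(nai):
    """Realm of an NAI (RFC 2486): everything after the last '@', case-folded."""
    if "@" not in nai:
        raise ValueError("NAI carries no realm")
    return nai.rsplit("@", 1)[1].lower()


class RealmPolicy:
    """Answers: may this directly connected peer act as the Diameter server for this realm?"""
    def __init__(self, configured=None, cert_name_matching=False):
        # Local configuration: operator-maintained realm -> {authorized server FQDNs}.
        self.configured = {r.lower(): {h.lower() for h in hs} for r, hs in (configured or {}).items()}
        # Certificate name matching: a verified name of the peer lies inside the realm's DNS domain.
        # Sound only if the CA issues names under example.com solely to example.com's operator
        # (the slide's "possibly separate CA"); a public CA gives no such guarantee.
        self.cert_name_matching = cert_name_matching

    def authorizes(self, peer, realm):
        if peer.host.lower() in self.configured.get(realm, ()):
            return True
        if self.cert_name_matching:
            return any(n.lower() == realm or n.lower().endswith("." + realm) for n in peer.cert_names)
        return False


class NAS:
    def __init__(self, policy, connect):
        self.policy, self.connect = policy, connect   # connect(host) -> Peer, or None on TLS failure
        self.redirect_cache = {}                      # (realm, application) -> host

    def start_eap(self, nai, first_hop, application="Diameter EAP"):
        """Send EAP start, follow at most one Redirect, and refuse to run EAP through a peer
        that is not authorized for the user's realm. Returns (outcome, host of the final peer)."""
        realm = nai_realm(nai)
        request = {"User-Name": nai, "Destination-Realm": realm, "EAP-Payload": b""}
        peer = first_hop
        answer = peer.handler(request)
        if answer["Result-Code"] == DIAMETER_REDIRECT_INDICATION:
            peer = self.connect(answer["Redirect-Host"])
            if peer is None:
                return "tls-failed", answer["Redirect-Host"]
            if not self.policy.authorizes(peer, realm):
                return "unauthorized-redirect", peer.host   # proxy pointed us at the wrong server
            if answer.get("Redirect-Host-Usage") == REALM_AND_APPLICATION:
                self.redirect_cache[(realm, application)] = peer.host
            answer = peer.handler(request)
        # Whoever answers from here on sees every EAP-Payload and, at the end, the MSK.
        if not self.policy.authorizes(peer, realm):
            return "refused-proxy", peer.host              # proxy answered instead of redirecting
        if answer["Result-Code"] != DIAMETER_MULTI_ROUND_AUTH:
            return "unexpected-answer", peer.host
        return "ok", peer.host


def scenario(proxy_behaviour, policy=None):
    """Constructed topology: NAS -> proxy.broker.net -> home server foo.example.com for realm example.com."""
    first_request = {"Result-Code": DIAMETER_MULTI_ROUND_AUTH, "EAP-Payload": b"\x01\x01\x00\x05\x01"}
    home = Peer("foo.example.com", ["foo.example.com"], lambda req: dict(first_request))
    evil = Peer("evil.attacker.net", ["evil.attacker.net"], lambda req: dict(first_request))
    directory = {p.host: p for p in (home, evil)}          # stands in for DNS plus TLS connect

    def proxy_handler(req):
        if proxy_behaviour == "honest":
            return {"Result-Code": DIAMETER_REDIRECT_INDICATION, "Redirect-Host": "foo.example.com",
                    "Redirect-Host-Usage": REALM_AND_APPLICATION}
        if proxy_behaviour == "wrong-host":
            return {"Result-Code": DIAMETER_REDIRECT_INDICATION, "Redirect-Host": "evil.attacker.net",
                    "Redirect-Host-Usage": REALM_AND_APPLICATION}
        return dict(first_request)                         # "no-redirect": proxy runs the EAP itself
    proxy = Peer("proxy.broker.net", ["proxy.broker.net"], proxy_handler)
    nas = NAS(policy or RealmPolicy(cert_name_matching=True), directory.get)
    return nas.start_eap("alice@example.com", proxy)
```

The authorization check is applied to whichever peer will carry the rest of the conversation, not only to a Redirect target, so a proxy that silently keeps the conversation is refused just like a Redirect to a stranger's server. The suffix test in the certificate-name branch is anchored on "." + realm, so a name such as www.example.com.attacker.net does not pass for example.com.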
Part 3: Protocol Details
Protocol details
• Invalid packets
• Fragmentation
• EAP retransmission
• Accounting-EAP-Auth-Method
• EAP-Master-Session-Key
Protocol details: Invalid packets
• In RADIUS, the message sent in response to an invalid packet contains a copy of the previous EAP Request, but we don't want to keep inter-request state
• Some alternatives
– EAP-Reissued-Payload AVP (instead of EAP-Payload), and normal DIAMETER_MULTI_ROUND_AUTH Result-Code
– New DIAMETER_EAP_INVALID_PACKET Result-Code, and normal EAP-Payload AVP
– But BASE and NASREQ contain multiple statements like "if Result-Code is DIAMETER_MULTI_ROUND_AUTH, then…"
Protocol details: Fragmentation
• New AVP: EAP-MTU
– Link MTU != max. size of EAP packet
– E.g., IKEv2 can carry large EAP packets, but the MTU of the IPsec tunnel set up by IKEv2 is something different
• RADIUS translation waiting for clarification of 2869bis and/or draft-congdon-radius-8021x
Protocol details: Accounting-EAP-Auth-Method
• How does the NAS determine the method?
– Not specified for MS-Acct-EAP-Type
– Proposed solution: server returns it in the successful Diameter-EAP-Answer
• RFC 2548 also has MS-Acct-Auth-Type
– PAP/CHAP/EAP/MS-CHAP-2/etc.
– Should we add Accounting-Auth-Method to NASREQ or here?
Protocol details: EAP-Master-Session-Key
• Simple AVP (OctetString)
• Can be translated to MS-MPPE-*
• But the EAP WG is discussing key naming! We may need more AVPs
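The MS-MPPE-* translation mentioned above, as an added example that is not the draft's or the slides' own code: the MSK is split into the two MS-MPPE keys, each is wrapped as RFC 2548 section 2.4.2 specifies (a salted MD5 stream keyed by the RADIUS shared secret and the Request Authenticator), and each is carried in a Vendor-Specific attribute with Microsoft's vendor id. The 32/32 split (first half MS-MPPE-Recv-Key, second half MS-MPPE-Send-Key) is the convention the EAP keying discussion later settled on, not something this draft fixes, and the secret, Request Authenticator and MSK values in the test are constructed.

```python
import hashlib
import os

MS_VENDOR_ID = 311                 # Microsoft (RFC 2548)
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17
RADIUS_VENDOR_SPECIFIC = 26


def mppe_wrap(secret, request_authenticator, salt, key):
    """RFC 2548 section 2.4.2 key wrapping: Salt | c(1) | ... | c(n), with
    b(1) = MD5(S + R + A), c(i) = p(i) xor b(i), b(i) = MD5(S + c(i-1))."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # pad to a multiple of 16 octets
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_unwrap(secret, request_authenticator, blob):
    """Inverse of mppe_wrap; rejects malformed salt, length or padding."""
    salt, data = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not data or len(data) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", request_authenticator + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        prev = data[i:i + 16]
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1 or any(plain[1 + klen:]):
        raise ValueError("bad key length or padding")
    return plain[1:1 + klen]


def vsa(vendor_type, value):
    """Encode a RADIUS Vendor-Specific attribute (type 26) carrying one Microsoft sub-attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([RADIUS_VENDOR_SPECIFIC, 6 + len(sub)]) + MS_VENDOR_ID.to_bytes(4, "big") + sub


def parse_ms_vsa(attr):
    """Decode vsa(); returns (vendor_type, value)."""
    if attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr) or int.from_bytes(attr[2:6], "big") != MS_VENDOR_ID:
        raise ValueError("not a Microsoft VSA")
    if attr[7] != len(attr) - 6:
        raise ValueError("bad sub-attribute length")
    return attr[6], attr[8:]


def msk_to_mppe(msk, secret, request_authenticator, salts=None):
    """Translate a 64-octet EAP-Master-Session-Key into the two MS-MPPE-*-Key VSAs (server side)."""
    if len(msk) != 64:
        raise ValueError("MSK must be 64 octets")
    if salts is None:                                  # two distinct salts, high bit set, per RFC 2548
        salts = (b"\x80" + os.urandom(1), b"\x81" + os.urandom(1))
    recv, send = msk[:32], msk[32:]                    # assumption: first half Recv-Key, second half Send-Key
    return [vsa(MS_MPPE_RECV_KEY, mppe_wrap(secret, request_authenticator, salts[0], recv)),
            vsa(MS_MPPE_SEND_KEY, mppe_wrap(secret, request_authenticator, salts[1], send))]


def mppe_to_msk(attrs, secret, request_authenticator):
    """Reassemble the MSK from the two VSAs (the NAS side of the translation)."""
    keys = {}
    for attr in attrs:
        vendor_type, value = parse_ms_vsa(attr)
        if vendor_type in (MS_MPPE_RECV_KEY, MS_MPPE_SEND_KEY):
            keys[vendor_type] = mppe_unwrap(secret, request_authenticator, value)
    if set(keys) != {MS_MPPE_RECV_KEY, MS_MPPE_SEND_KEY}:
        raise ValueError("both MS-MPPE keys are required")
    return keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY]
```

The wrapping hides the keys from a passive observer on one RADIUS hop but carries no integrity of its own; in RADIUS that comes from the Response Authenticator and the Message-Authenticator attribute. Because the shared secret is per hop, every RADIUS proxy on the path unwraps and re-wraps the keys, which is the same exposure of the MSK to intermediaries that the redirect design in Part 2 is meant to avoid on the Diameter side.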
Part 4: Security Considerations
Security considerations: System perspective
(Figure: the three components EAP, 802.11 and Diameter)
• No document contains security considerations for the whole system?
– Gets even more complex if we have handoffs or key distribution to multiple NASes
– (May require changes not just to all three components, but to the interfaces between them)
Part 5: Next Steps
Next steps
• Very much dependent on the EAP keying framework security discussion & Russ' requirements from IETF-56
– Finish that discussion first
• Identify other issues that still need work
– Comments really welcome!
• Finish document
– Keep current scope