[from draft-morris-privacy-considerations-03]

5.2. AAA for Network Access

   At a high level, AAA for network access uses the communication model
   shown in Figure 3.  When an end host requests access to the network,
   it has to interact with a Network Access Server (NAS) using some
   front-end protocol (often at the link layer, such as IEEE 802.1X).
   When asked by the NAS, the end host presents a Network Access
   Identifier (NAI), an e-mail-like identifier that consists of a
   username and a domain part.  This NAI is then used to discover the
   AAA server authorized for the user's domain, and an initial access
   request is forwarded to it.  To deal with various security,
   accounting and fraud prevention aspects, an end-to-end authentication
   procedure, run between the end host (the peer) and a separate
   component within the AAA server (the server), is executed using the
   Extensible Authentication Protocol (EAP).  After a successful
   authentication protocol exchange, the user may be authorized to
   access the network, and keying material is provided to the NAS to
   enable link layer security over the air interface.

   From a privacy point of view, the entities participating in this
   ecosystem are the user, an end host, the NAS, a range of different
   intermediaries, and the AAA server.  The user will most likely have
   some form of contractual relationship with the entity operating the
   AAA server, since credential provisioning had to happen somehow, but
   in certain deployments, like coffee shops, this is not guaranteed.
   In many deployments, during this initial registration process the
   subscriber is provided with credentials after showing some form of
   identification information (e.g. a passport); consequently the NAI,
   together with the credentials, can be linked to a specific
   subscriber, often a single person.  The username part of the NAI is
   data that the end host provides during network access authentication
   but that intermediaries do not need in order to fulfill their role in
   AAA message routing.
   Hiding the user's identity is, as discussed in RFC 4282 [RFC4282],
   possible only when NAIs are used together with a separate
   authentication method that can transfer the username in a secure
   manner.  Such EAP methods have been designed, and requirements for
   offering such functionality have become recommended design criteria;
   see [RFC4017].

   More than just identity information is exchanged during the network
   access authentication.  The NAS provides information about the
   user's point of attachment towards the AAA server, and the AAA server
   in response provides data related to the authorization decision
   back.  While the need to exchange data is motivated by the service
   usage itself, there are still a number of questions that could be
   asked, such as:

   o  What mechanisms can be utilized to offer users ways to authorize
      sharing of information (considering that the ability for protocol
      interaction is limited without successful network access
      connectivity)?

   o  What are the best current practices for a privacy-sensitive
      operation of intermediaries?  Since end hosts are not interacting
      with intermediaries explicitly and users have no relationship
      with those who operate them, it is quite likely that their
      practices are less widely known.

   o  Are there alternative approaches to trust establishment between
      the NAS and the AAA server so that the involvement of
      intermediaries can be limited or avoided?

                                 +--------------+
                                 |  AAA Server  |
                                 +-^----------^-+
                                   * EAP      | RADIUS/
                                   *          | Diameter
                                 --v----------v--
                               ///              \\\
                              //  AAA Proxies,    \\
   ***                        |   Relays, and      |    back-
    |                         |  Redirect Agents   |    end
   ***                         \\                 //
                                \\\              ///
                                 --^----------^--
                                   * EAP      | RADIUS/
                                   *          | Diameter
   +----------+       Data       +-v----------v---+
   |          |<---------------->|                |
   | End Host |  EAP/EAP Method  | Network Access |
   |          |<****************>|     Server     |
   +----------+                  +----------------+
                  *** front-end ***

   Legend:
   <****>: End-to-end exchange
   <---->: Hop-by-hop exchange

          Figure 3: Network Access Authentication Architecture
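As an added illustration (not part of the draft), a small Python model of the identity flow in Figure 3: an NAI parser, an "anonymous@realm" outer identity that withholds the username from the NAS and proxies while still letting them route on the realm, and a check of what each party learns. The routing table, host names and the "anonymous" placeholder are constructed assumptions, and the model assumes the real NAI travels only inside the EAP method.

```python
import re
from typing import NamedTuple, Optional

# Simplified NAI grammar after RFC 4282 section 2.1: optional username,
# optional "@" realm of dot-separated labels (decorated NAIs not handled).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_NAI_RE = re.compile(rf"^(?P<user>[^@\s]*)(?:@(?P<realm>{_LABEL}(?:\.{_LABEL})*))?$")

class NAI(NamedTuple):
    username: str
    realm: Optional[str]

def parse_nai(text: str) -> NAI:
    """Split an NAI into username and realm; reject malformed input."""
    m = _NAI_RE.match(text)
    if not m or (not m["user"] and not m["realm"]):
        raise ValueError(f"malformed NAI: {text!r}")
    return NAI(m["user"], m["realm"])

def outer_identity(nai: NAI, placeholder: str = "anonymous") -> str:
    """Identity sent in the clear: keep the realm (all that proxies need to
    route on) and replace the username. The placeholder is an assumption."""
    if nai.realm is None:
        raise ValueError("no realm to route on; cannot hide the username")
    return f"{placeholder}@{nai.realm}"

# Constructed routing table: realm -> home AAA server.
ROUTES = {"example.net": "aaa.example.net", "example.org": "aaa.example.org"}

def proxy_route(identity: str, routes=ROUTES) -> str:
    """What an intermediary does with the identity it sees: route by realm
    only. Unknown realms are rejected, never guessed."""
    realm = parse_nai(identity).realm
    if realm not in routes:
        raise LookupError(f"no AAA server for realm {realm!r}")
    return routes[realm]

def run_access_request(real_nai: str, hide_username: bool) -> dict:
    """Model Figure 3: the outer identity travels hop by hop (NAS, proxies,
    server); the real NAI is assumed to travel only inside the EAP method,
    which intermediaries cannot read, so only the AAA server learns it."""
    nai = parse_nai(real_nai)
    outer = outer_identity(nai) if hide_username else real_nai
    return {
        "seen_by_nas_and_proxies": outer,
        "routed_to": proxy_route(outer),
        "seen_by_aaa_server": real_nai,
        "username_exposed_to_proxies": parse_nai(outer).username not in ("", "anonymous"),
    }
```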