IETF Logo Mail Archive

Re: [Secauth] secauth use case - What is next?

"Hosnieh Rafiee" <hosnieh@iknowlaws.de> Wed, 03 December 2014 23:56 UTC

Return-Path: <hosnieh@iknowlaws.de>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5750A1ACF0B for <secauth@ietfa.amsl.com>; Wed, 3 Dec 2014 15:56:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n9k2DDRQVo4o for <secauth@ietfa.amsl.com>; Wed, 3 Dec 2014 15:56:12 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98DCE1A1BFB for <secauth@ietf.org>; Wed, 3 Dec 2014 15:56:12 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id D9AB725CA0C6; Wed, 3 Dec 2014 23:56:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id puHxcgbOxy1G; Thu, 4 Dec 2014 00:55:39 +0100 (CET)
Received: from kopoli (p5B340A1D.dip0.t-ipconnect.de [91.52.10.29]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 081A625CA066; Thu, 4 Dec 2014 00:55:38 +0100 (CET)
From: Hosnieh Rafiee <hosnieh@iknowlaws.de>
To: 'Rafa Marin Lopez' <rafa@um.es>
References: <814D0BFB77D95844A01CA29B44CBF8A7A7D2F1@lhreml513-mbb.china.huawei.com> <13B39BFF-50D1-4892-A159-9F8F75BC5C6B@deployingradius.com> <BC5E7A40-8A54-4FEA-9C97-66F194080D74@um.es>
In-Reply-To: <BC5E7A40-8A54-4FEA-9C97-66F194080D74@um.es>
Date: Thu, 04 Dec 2014 00:55:37 +0100
Message-ID: <00d001d00f54$a316e300$e944a900$@iknowlaws.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIXOWrPTEaPUgM/1gzQCkacbs2gWAJSFHerAkBwjwCby58gIA==
Content-Language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/secauth/6M05tC6hfHO4AlV_IBUW4HBaskM
Cc: secauth@ietf.org
Subject: Re: [Secauth] secauth use case - What is next?
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 23:56:15 -0000

Hi Rafa,

Thanks  a lot for sharing your comments.

> I agree with Alan's points here. The usage of EAP/AAA is important because
> typical access points already provide that feature. Also AAA is used for
cross-
> domain authentication. As University we are used to the case where
students
> coming from other Universities can access our APs with his credentials in
their
> home institution. Eduroam and AAA-based federation make this possible.

I do not ignore the usefulness of such approaches, but the problem is that I
am not quite sure about this communication between controller and then
resources. In other words, it is no longer direct access to some
authentication server since hotspot is no longer the decision maker  but
there are some other components that might break this communication and
therefore, the current standards might need some changes to fit to such
scenario.

> Having said that, regarding the problem statement, if we want the user to
> access ISP1 and ISP2 , then there must be at some point some source of
> common trust (e.g. some IdP or entity that ISP1 and ISP2 both trust). For
> example, ISP1 and ISP2 may belong to a federation though they do not have
> direct SLAs.

Yes true. This is done via either using a shared apps provided by SDN
provider or the third party apps provided by third party company that
followed the standards and can run on different controllers from different
industries. In former case, there needs to be a SLA among SDN providers. In
latter case, SDN providers only need so follow the same common standards so
that the apps can use a common standard plugin to access and run on them.
This app can by default use a resource server. So there might be a third
party companies who provide this trust by producing apps and follow some
standards. 
Secuath role in former case might be exchanging this SLAs 
Secauth role in latter case might be a standard for the communication of
this special app to controller including authentication and authorization of
this app and all the communication of this app to controller. In this case,
the communication can be based on one of common approaches like Openstack
and secauth can provide plugin for openstak and controller to support this
shared resources.

> In fact, what I understand from slide 5 is that, somehow, that trust is
defined
> above southbound API with relationships that allow a user moving from
Hotel
> A to Hotel B.
> 
True.

Thanks,
Best,
Hosnieh

v2.23.0 | Report a Bug | By Email