Re: [Secauth] secauth use case - What is next?
Rafa Marin Lopez <rafa@um.es> Wed, 03 December 2014 19:42 UTC
Return-Path: <rafa@um.es>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58C31A90EF for <secauth@ietfa.amsl.com>; Wed, 3 Dec 2014 11:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbs5xXgT9Hiu for <secauth@ietfa.amsl.com>; Wed, 3 Dec 2014 11:42:07 -0800 (PST)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id 9D8701A8ABF for <secauth@ietf.org>; Wed, 3 Dec 2014 11:42:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id 4C4A74535; Wed, 3 Dec 2014 20:42:03 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BLZS-iuRsCLn; Wed, 3 Dec 2014 20:42:03 +0100 (CET)
Received: from [192.168.1.34] (171.Red-79-144-178.dynamicIP.rima-tde.net [79.144.178.171]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa) by xenon22.um.es (Postfix) with ESMTPSA id 168974508; Wed, 3 Dec 2014 20:42:00 +0100 (CET)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <13B39BFF-50D1-4892-A159-9F8F75BC5C6B@deployingradius.com>
Date: Wed, 03 Dec 2014 20:41:59 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <BC5E7A40-8A54-4FEA-9C97-66F194080D74@um.es>
References: <814D0BFB77D95844A01CA29B44CBF8A7A7D2F1@lhreml513-mbb.china.huawei.com> <13B39BFF-50D1-4892-A159-9F8F75BC5C6B@deployingradius.com>
To: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/secauth/6hX12ZqlNz97Yb5THETVxdmGIn4
Cc: "secauth@ietf.org" <secauth@ietf.org>
Subject: Re: [Secauth] secauth use case - What is next?
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 19:42:09 -0000
Hi Hosnieh: I think the slides reflect the use case better. I agree with Alan's points here. The usage of EAP/AAA is important because typical access points already provide that feature. Also AAA is used for cross-domain authentication. As University we are used to the case where students coming from other Universities can access our APs with his credentials in their home institution. Eduroam and AAA-based federation make this possible. Having said that, regarding the problem statement, if we want the user to access ISP1 and ISP2 , then there must be at some point some source of common trust (e.g. some IdP or entity that ISP1 and ISP2 both trust). For example, ISP1 and ISP2 may belong to a federation though they do not have direct SLAs. In fact, what I understand from slide 5 is that, somehow, that trust is defined above southbound API with relationships that allow a user moving from Hotel A to Hotel B. Best Regards. El 03/12/2014, a las 19:44, Alan DeKok <aland@deployingradius.com> escribió: > On Dec 3, 2014, at 11:59 AM, Hosnieh Rafiee <hosnieh.rafiee@huawei.com> wrote: > >> Folks, >> I have created some slides to explain where secauth can work in this specific scenario that is hotspot entities' authentication and authorization. >> I reviewed all previous comments. > > They explain the situation well. > >> @Paul: >>> Other forums are working on the problem: https://www.wi-fi.org/passpoint-release-2-operator-best-practices-for-aaa-interface-deployment-v200 >> I have checked it. This is true that they want to have similar function, but their main actor is end user. I am thinking about fully transparency for end-user and also Hotels or hotspot domain admins. > > I’ve spent time working at a WiFi inter-connect provider. Interconnections are *hard*. They require human involvement. The protocols are easy. RADIUS, IPSec, etc. The hard part is that everyone’s business methods, billing, etc. are different. The interconnect providers do significant work to mangle each packet to / from disparate ISPs. > >> Is there any operators in this group to share the opinions from operators' point of view? Telekom? O2? Vodafone? I only can discuss this from industrial point of view. > > The operators tend to not be involved in the IETF. I spend a fair amount of time talking to them, though. > >> Where secauth can work: >> 1- If more than one industries, communication between SDN controllers.(interoperability of two different SDN providers) >> 2- The whole process for interdomain and cross domain authentication & probably authorization (if any specific policy should be applied in new network) including considering shared resources (for tokens and policies, etc.). Current standards like RADIUS, etc. cannot provide cross domain authentication. > > I have no idea what that means. RADIUS is *widely* used on cross-domain authentication. I can say without exaggeration that outside of 3G, it’s the *only* protocol used for cross-domain authentication. > > Eduroam is widely used. IETF WGs like Abfab are standardizing cross-domain authentication, where the domains require no previous coordination to communicate. They only require a common CA, which shows that both domains are part of the same roaming consortium. > >> 3- seamless authentication and authorization (this is especially true for sensors or small devices without keyboard to set the authentication) > > These scenarios are widely deployed today. e.g. medical devices which send telemetry data back to a central monitoring system. The devices use EAP for authentication, and RADIUS for cross-domain authentication. > > Alan DeKok. > > _______________________________________________ > Secauth mailing list > Secauth@ietf.org > https://www.ietf.org/mailman/listinfo/secauth ------------------------------------------------------- Rafael Marin Lopez, PhD Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es -------------------------------------------------------
- [Secauth] secauth use case - What is next? Hosnieh Rafiee
- Re: [Secauth] secauth use case - What is next? Alan DeKok
- Re: [Secauth] secauth use case - What is next? Alan DeKok
- Re: [Secauth] secauth use case - What is next? Rafa Marin Lopez
- Re: [Secauth] secauth use case - What is next? Hosnieh Rafiee
- Re: [Secauth] secauth use case - What is next? Alan DeKok
- Re: [Secauth] secauth use case - What is next? Alan DeKok
- Re: [Secauth] secauth use case - What is next? Hosnieh Rafiee
- Re: [Secauth] secauth use case - What is next? Alan DeKok
- Re: [Secauth] secauth use case - What is next? Hosnieh Rafiee
- Re: [Secauth] secauth use case - What is next? Hosnieh Rafiee
- [Secauth] (perhaps, wrong wifi access/usage model… Rene Struik
- Re: [Secauth] (perhaps, wrong wifi access/usage m… Hosnieh Rafiee
- Re: [Secauth] secauth use case - What is next? Alexandre Petrescu