Re: [Secauth] Can we also be protected against such attacks?
Hosnieh Rafiee <hosnieh.rafiee@huawei.com> Thu, 27 November 2014 09:29 UTC
Return-Path: <hosnieh.rafiee@huawei.com>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6374F1A1B4F for <secauth@ietfa.amsl.com>; Thu, 27 Nov 2014 01:29:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mckufjXmGl6O for <secauth@ietfa.amsl.com>; Thu, 27 Nov 2014 01:29:28 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2669E1A00E0 for <secauth@ietf.org>; Thu, 27 Nov 2014 01:29:28 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BPH15150; Thu, 27 Nov 2014 09:29:26 +0000 (GMT)
Received: from LHREML513-MBB.china.huawei.com ([fe80::b810:863:a57e:3ff]) by lhreml403-hub.china.huawei.com ([::1]) with mapi id 14.03.0158.001; Thu, 27 Nov 2014 09:29:25 +0000
From: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
To: "secauth@ietf.org" <secauth@ietf.org>
Thread-Topic: [Secauth] Can we also be protected against such attacks?
Thread-Index: AdAJkimCrxm7yXjaSqSrT77Yg3foNgACUfUAAB9tGwA=
Date: Thu, 27 Nov 2014 09:29:25 +0000
Message-ID: <814D0BFB77D95844A01CA29B44CBF8A7A79E92@lhreml513-mbb.china.huawei.com>
References: <814D0BFB77D95844A01CA29B44CBF8A7A78C6B@lhreml513-mbb.china.huawei.com> <547608CA.7070500@gmail.com>
In-Reply-To: <547608CA.7070500@gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.221.82.91]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/secauth/7bDRLKZlyrdI3fXC7nyQkdtbhC4
Subject: Re: [Secauth] Can we also be protected against such attacks?
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 09:29:30 -0000
Hi Alex, > > When I read this article I wonder when was the last time I clicked on a > linkedin button, whether Symantec covers the Regin risk, and try to > remember whether this person in Belgium invented the AES candidate or > is it somebody else. > > But, what is an open authentication domain? By considering the case where each hotspot might be under the control of different administrative domains but they would need to open their service to end-users, then such phrase might cover the meaning or I might use a bad phrase for that. My main message is that, I guess with openness (that we call it automation of interdomain and crossdomain authentication and authorization), the risk of similar attacks might increase since an infected node in a new network might increase a risk of other nodes' infection in its visited network. There are some thoughts about this scenario The use case for secauth that I am thinking about is not only a simple cross domain authentication but also considering a case where the management/controlling and interfaces of the physical devices are somewhere on datacenters except the physical layer located, e.g., at the hotel or airport (physical hotspot). IMO, This is actually where we are going and there is good efforts by different groups of manufactures/vendors. I guess this would change internet architectures since the administrative domains are virtually controlled. One example is that, there is one operator who offered its service to hotel x, y and z. this is true that the customers can control their own devices via their user interface placed somewhere on cloud but operator has higher privilege on this service and can set this inter domain authentication agreement for all these hotels by easily asking them whether they want to support this feature (because of these advantages), if yes, they can set it as a default settings of their customers (hotel x, hotel y, hotel z) Now, we want to extend this to different operators (cross domain authentication). So, the client first time register with first hotel and in each new hotel, the automatically sent its request with its token (that might be kept somewhere on cloud that is accessible to all operators) controller and handled in a centralized controller/s. We need a way of communication between controllers from different vendors so that this cross domain authentication can happen. In other word, in my opinion the focus of secauth should not be only end user who request this service but vendors who can enable this service. In other word, we need transparency to offer such service to end-users. I hope I could clearly explain my thoughts. Any thoughts? Thanks, Best, Hosnieh Therefore, it is not only 1-
- [Secauth] Can we also be protected against such a… Hosnieh Rafiee
- Re: [Secauth] Can we also be protected against su… Alexandru Petrescu
- Re: [Secauth] Can we also be protected against su… Hosnieh Rafiee