Re: [Secauth] My Summary of the December Conference Call
Alan DeKok <aland@deployingradius.com> Mon, 12 January 2015 15:48 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82E71ABC0F for <secauth@ietfa.amsl.com>; Mon, 12 Jan 2015 07:48:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bio_OxTMZbcf for <secauth@ietfa.amsl.com>; Mon, 12 Jan 2015 07:48:20 -0800 (PST)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2558C1AC3EE for <secauth@ietf.org>; Mon, 12 Jan 2015 07:48:20 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 8B7EA224064E; Mon, 12 Jan 2015 16:47:49 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5nl1AUEFizYU; Mon, 12 Jan 2015 16:47:49 +0100 (CET)
Received: from [192.168.20.49] (198-84-181-115.cpe.teksavvy.com [198.84.181.115]) by power.freeradius.org (Postfix) with ESMTPSA id 9FD2D22403FB; Mon, 12 Jan 2015 16:47:48 +0100 (CET)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <54AEA0DA.7080103@gmx.net>
Date: Mon, 12 Jan 2015 10:47:46 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <14A64D27-232B-4991-B808-9F598FA0B416@deployingradius.com>
References: <54AEA0DA.7080103@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secauth/g6pnu45_GMY2UbXzLJT4aJdSKe0>
Cc: "secauth@ietf.org" <secauth@ietf.org>
Subject: Re: [Secauth] My Summary of the December Conference Call
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jan 2015 15:48:22 -0000
On Jan 8, 2015, at 10:23 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > Hosnieh explained a model using OpenFlow where the AAA client is > actually moved into the cloud. Consequently, there is no need to use > RADIUS or Diameter in such a model since the network access > authentication messages are just forwarded from the access point to the > cloud infrastructure using some tunneling mechanism. This model is used today. Access points talk to local systems which in turn forward the authentication request to a home network. This is called AAA proxying. The “tunnelled mechanism” here is RADIUS or Diameter. > Now, there is still a problem with that model since at the end of the > protocol dance the access point (who was previously running the AAA > client) now has to be informed about the authorization decision. At a > minimum it has to get the keys for enabling link layer security. From > the discussions on the call I got the impression that this transfer of > authorization information from the cloud infrastructure to the access > point has not yet been standardized in an OpenFlow alike model. (Note > that OpenFlow just served as an example and similar technologies could > be used that aim to delegate the execution to some other nodes.) I agree. It would be best to re-use an existing method to solve this problem. > Did others understood the problem description in the same way? > > If "yes", then the question is > > * Is this a worthwhile problem to solve? In some sense this could be > seen as a competitor to RADIUS and Diameter. Because RADIUS and Diameter can do this today. > * Are we just moving problems around here and not really advancing the > state of the art (which might a general question with OpenFlow alike > technologies IMHO)? In this case, I think so. > * Is there indeed a standardization gap (or are we just uninformed > about the state of the art)? I’m not sure there’s a need for a new protocol. But there could be a need for new standards about how to solve this problem. > * Is the IETF the right venue to do this type of standardization work? It might be useful to have a standard architecture, and a standard provisioning method for the scenarios raised here. But I would largely see this as similar to ABFAB. That working group spent its time documenting where and why people would use it, and standardizing extensions to existing protocols. Alan DeKok.
- [Secauth] My Summary of the December Conference C… Hannes Tschofenig
- Re: [Secauth] My Summary of the December Conferen… Hosnieh Rafiee
- Re: [Secauth] My Summary of the December Conferen… Alan DeKok
- Re: [Secauth] My Summary of the December Conferen… Alexandre Petrescu
- Re: [Secauth] My Summary of the December Conferen… Hannes Tschofenig
- Re: [Secauth] My Summary of the December Conferen… Alexandre Petrescu