Re: [Secauth] My Summary of the December Conference Call
Alexandre Petrescu <alexandre.petrescu@gmail.com> Tue, 13 January 2015 09:38 UTC
Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 019411ACD55 for <secauth@ietfa.amsl.com>; Tue, 13 Jan 2015 01:38:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.983
X-Spam-Level:
X-Spam-Status: No, score=-4.983 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, HELO_EQ_FR=0.35, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_HI=-5, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaGaKlGpEtKY for <secauth@ietfa.amsl.com>; Tue, 13 Jan 2015 01:38:53 -0800 (PST)
Received: from oxalide-out.extra.cea.fr (oxalide-out.extra.cea.fr [132.168.224.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 323971ACE33 for <secauth@ietf.org>; Tue, 13 Jan 2015 01:38:53 -0800 (PST)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide.extra.cea.fr (8.14.2/8.14.2/CEAnet-Internet-out-2.3) with ESMTP id t0D9coq7020747 for <secauth@ietf.org>; Tue, 13 Jan 2015 10:38:50 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id D485920712B for <secauth@ietf.org>; Tue, 13 Jan 2015 10:38:59 +0100 (CET)
Received: from muguet2.intra.cea.fr (muguet2.intra.cea.fr [132.166.192.7]) by pisaure.intra.cea.fr (Postfix) with ESMTP id C7A90207116 for <secauth@ietf.org>; Tue, 13 Jan 2015 10:38:59 +0100 (CET)
Received: from [127.0.0.1] (is010446-4.intra.cea.fr [10.8.33.116]) by muguet2.intra.cea.fr (8.13.8/8.13.8/CEAnet-Intranet-out-1.2) with ESMTP id t0D9cmgl015497 for <secauth@ietf.org>; Tue, 13 Jan 2015 10:38:50 +0100
Message-ID: <54B4E7A8.9080006@gmail.com>
Date: Tue, 13 Jan 2015 10:38:48 +0100
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: secauth@ietf.org
References: <54AEA0DA.7080103@gmx.net>
In-Reply-To: <54AEA0DA.7080103@gmx.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secauth/hZakvUtiXX1KTC8I5tzxwBG-udA>
Subject: Re: [Secauth] My Summary of the December Conference Call
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 09:38:56 -0000
Hello, Le 08/01/2015 16:23, Hannes Tschofenig a écrit : > Hi all, > > in December we had a conference call and it clarified many aspects for > me. I wanted to post a short summary of what I understood (in an attempt > to see whether others got the same impression at the call). > > Hosnieh explained a model using OpenFlow where the AAA client is > actually moved into the cloud. Consequently, there is no need to use > RADIUS or Diameter in such a model since the network access > authentication messages are just forwarded from the access point to the > cloud infrastructure using some tunneling mechanism. > > Now, there is still a problem with that model since at the end of the > protocol dance the access point (who was previously running the AAA > client) now has to be informed about the authorization decision. At a > minimum it has to get the keys for enabling link layer security. From > the discussions on the call I got the impression that this transfer of > authorization information from the cloud infrastructure to the access > point has not yet been standardized in an OpenFlow alike model. (Note > that OpenFlow just served as an example and similar technologies could > be used that aim to delegate the execution to some other nodes.) > > Did others understood the problem description in the same way? Architecting the placement of AAA elements may be realized by SDN/NFV tools, such as to obtain a more efficient authentication step for WiFi. But I would suggest to clarify another dimension of the problem: that of the usecase scenario where this is needed. Do we consider WiFi hotspots? And web portal authentication? Or do we consider cellular systems and EAP authentication? > If "yes", then the question is > > * Is this a worthwhile problem to solve? In some sense this could be > seen as a competitor to RADIUS and Diameter. I consider the portal automation in WiFi hotspots to be a problem hampering smooth connectivity. Does it need a RADIUS or EAP kind of solution? Or an enhancement of some other protocol (http? dns?) to realize this automation? > * Are we just moving problems around here and not really advancing the > state of the art (which might a general question with OpenFlow alike > technologies IMHO)? We would need to identify where is a practical problem, and where is problem of intelect only. Just exercising protocol design is obviously not enough to pursue; this should be an engineering activity aiming at deploying product useful to an end user. > * Is there indeed a standardization gap (or are we just uninformed > about the state of the art)? Yes, there are a few protocols like dns and http which allow the web portals authenticators to be mean to the end user, to restrain connectivity, to reduce number of customers. > * Is the IETF the right venue to do this type of standardization work? This is a good question. If the protocols we look at are IETF protocols, and if the problem is understood as real by several IETFers, then this is the venue. If the protocols are not IETF, or if the problem is not understood as real by several IETFers then this is not the venue. Alex > > Thoughts? > > Ciao > Hannes > > > > _______________________________________________ > Secauth mailing list > Secauth@ietf.org > https://www.ietf.org/mailman/listinfo/secauth >
- [Secauth] My Summary of the December Conference C… Hannes Tschofenig
- Re: [Secauth] My Summary of the December Conferen… Hosnieh Rafiee
- Re: [Secauth] My Summary of the December Conferen… Alan DeKok
- Re: [Secauth] My Summary of the December Conferen… Alexandre Petrescu
- Re: [Secauth] My Summary of the December Conferen… Hannes Tschofenig
- Re: [Secauth] My Summary of the December Conferen… Alexandre Petrescu