Re: [Secauth] secauth use case - What is next?

["Hosnieh Rafiee" <ietf@rozanak.com>]

Hi Alan,

Thanks a lot for sharing your comments. See my comments inline.

> > @Paul:
> >> Other forums are working on the problem:  https://www.wi-
> fi.org/passpoint-release-2-operator-best-practices-for-aaa-interface-
> deployment-v200
> > I have checked it. This is true that they want to have similar function,
but
> their main actor is end user. I am thinking about fully transparency for
end-
> user and also Hotels or hotspot domain admins.
> 
>  I've spent time working at a WiFi inter-connect provider.
Interconnections
> are *hard*.  They require human involvement.  The protocols are easy.
> RADIUS, IPSec, etc.  The hard part is that everyone's business methods,
billing,
> etc. are different.  The interconnect providers do significant work to
mangle
> each packet to / from disparate ISPs.

I understand your concerns completely and I know the difficulty of this
scenario IF and IF we only think about end users and we only want to put all
overloads on operators. Then, there will be no motivation for this. This is
why I suggested the SDN scenario and shared the possible architecture (my
slides in my last message) that you could find in my message.  In other
words, It is so much administrative works if only everything should be done
either by operators or by interfaces between end users and operators (such
as hotels, etc.) but  with SDN scenario the capability are added to the
infrastructure and manageable by operators. Therefore, via management
interfaces, operators need only enable/disable this feature based on the
request of their customers. So, In one hand, it appears that the overhead is
on industries who wants to offer this service or develop such protocols for
communications on data centers, etc. 


>  The operators tend to not be involved in the IETF.  I spend a fair amount
of
> time talking to them, though.

I am not quite sure about what you said since I saw some of them active in
other groups and I think a few of them are a member of this group too.

> > Where secauth can work:
> > 1- If more than one industries, communication between SDN
> controllers.(interoperability of two different SDN providers)
> > 2- The whole process for interdomain and cross domain authentication &
> probably authorization (if any specific policy should be applied in new
> network) including considering shared resources (for tokens and policies,
> etc.). Current standards like RADIUS, etc. cannot provide cross domain
> authentication.
> 
>  I have no idea what that means.  RADIUS is *widely* used on cross-domain
> authentication.  I can say without exaggeration that outside of 3G, it's
the
> *only* protocol used for cross-domain authentication.

Maybe I also should highlight the trust between two controllers especially
when a user wants to receive the same service in target network under the
control of different industries. In other words, user a used voip in first
network and wants to continue using it in second network. Maybe by default
this service is not enable on firewall in the second network. So there might
be a need to enable this service based on policy for this user (this is of
course an example). In one hand that we talk about this trust, in other
hand, we have to consider a shield controller. This is why, I am also not
sure RADIUS or other approaches will be considered in SDN architecture.
There might be new requirements that is not supported by RADIUS or not
easily handled. Like the example scenario I have explained. 
I agree that in mobile network, such scenario was implemented but mostly it
is only for one Operator. I saw some exceptional cases where, for example, a
user moves from one country to another and operator in source country does
not have coverage, then this user might be registered with a new operator
that has SLA with his operator in source country. But how this SLA
exchanged? How many administrative work it was needed that this happened?
This is maybe the demotivation for operators. Now, how we can simplify this
use case  (of course this time only for internet) ? I do not think  Abfab or
other groups covered this scenario.
We can of course consider other groups as a base of secauth to work on such
specific use cases that depends on what folks think to proceed and work on
such scenario.


>  Eduroam is widely used.  IETF WGs like Abfab are standardizing
cross-domain
> authentication, where the domains require no previous coordination to
> communicate.  They only require a common CA, which shows that both
> domains are part of the same roaming consortium.

So, is the assumption the existence of a public CA? In other word, any
network who wants to use this service needs to have a valid certificate? or
it is like trusted anchor?

I do want to skip the use of CA in secauth and find different solution to
provide this trust because of privacy and perhaps security reasons.

> > 3- seamless authentication and authorization (this is especially true
for
> sensors or small devices without keyboard to set the authentication)
> 
>  These scenarios are widely deployed today.  e.g. medical devices which
send
> telemetry data back to a central monitoring system.  The devices use EAP
for
> authentication, and RADIUS for cross-domain authentication.

True, however, I think, it supports a limited scope because
pre-configuration needed for such scenarios. Can you move this sensor
devices to unknown networks that it never supposed to move to that network?
How much efforts is needed to make this happened?

Now what if we consider an automated process that is infrastructural based
and not by the agreements of each single players with each other in this
scenario but the agreements are in higher level?

Thanks,
Best,
Hosnieh