Re: [Secauth] My Summary of the December Conference Call
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 13 January 2015 11:36 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: secauth@ietfa.amsl.com
Delivered-To: secauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCD951A8A94 for <secauth@ietfa.amsl.com>; Tue, 13 Jan 2015 03:36:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7w0Q2uk_m9aB for <secauth@ietfa.amsl.com>; Tue, 13 Jan 2015 03:36:23 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44B6B1A8A8B for <secauth@ietf.org>; Tue, 13 Jan 2015 03:36:23 -0800 (PST)
Received: from [192.168.131.144] ([80.92.123.55]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MB1C4-1Y18Ol2GGK-00A02P; Tue, 13 Jan 2015 12:36:19 +0100
Message-ID: <54B50332.2060905@gmx.net>
Date: Tue, 13 Jan 2015 12:36:18 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>, secauth@ietf.org
References: <54AEA0DA.7080103@gmx.net> <54B4E7A8.9080006@gmail.com>
In-Reply-To: <54B4E7A8.9080006@gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="buSpOuGgtAEqgRh0Rq8OpApE6L4Fkq8Wh"
X-Provags-ID: V03:K0:cB3eN9wtxxuKkvAz0zJPf/Y9iW+XeAw8piurG2B8vLFyzVPGsUl rTNAx2K/wxxdXtGZiwAbNK/qyGtypJVkJyhTYwKojAvQtePr7WjnSdxOzhP+52GqJK/54R+ UsPT+RCKFQ9XujvavBfTPqQJiyvxtibsRmB9XRFSkq1dFulgBk62Mb007ShanNlnbelXgAe I3J5NNTFx5s6OoXNAm3Qg==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/secauth/y1LQ0FWZNxJQHfIoYLJbHPntREM>
Subject: Re: [Secauth] My Summary of the December Conference Call
X-BeenThere: secauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Omni-purpose Network-layer based Secure Authentication and Authorization non-working group discussion list <secauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secauth>, <mailto:secauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secauth/>
List-Post: <mailto:secauth@ietf.org>
List-Help: <mailto:secauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secauth>, <mailto:secauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 11:36:26 -0000
Regarding web portals and their impact on security and usability: I agree that those are indeed problems. There may even be simple solutions to those problems but the real challenge is with the existing infrastructure. How do you provide incentives for the small and medium enterprises (like all the small hotels and restaurants) to change their infrastructure to make this happen? Ciao Hannes On 01/13/2015 10:38 AM, Alexandre Petrescu wrote: > Hello, > > Le 08/01/2015 16:23, Hannes Tschofenig a écrit : >> Hi all, >> >> in December we had a conference call and it clarified many aspects for >> me. I wanted to post a short summary of what I understood (in an attempt >> to see whether others got the same impression at the call). >> >> Hosnieh explained a model using OpenFlow where the AAA client is >> actually moved into the cloud. Consequently, there is no need to use >> RADIUS or Diameter in such a model since the network access >> authentication messages are just forwarded from the access point to the >> cloud infrastructure using some tunneling mechanism. >> >> Now, there is still a problem with that model since at the end of the >> protocol dance the access point (who was previously running the AAA >> client) now has to be informed about the authorization decision. At a >> minimum it has to get the keys for enabling link layer security. From >> the discussions on the call I got the impression that this transfer of >> authorization information from the cloud infrastructure to the access >> point has not yet been standardized in an OpenFlow alike model. (Note >> that OpenFlow just served as an example and similar technologies could >> be used that aim to delegate the execution to some other nodes.) >> >> Did others understood the problem description in the same way? > > Architecting the placement of AAA elements may be realized by SDN/NFV > tools, such as to obtain a more efficient authentication step for WiFi. > > But I would suggest to clarify another dimension of the problem: that of > the usecase scenario where this is needed. Do we consider WiFi > hotspots? And web portal authentication? Or do we consider cellular > systems and EAP authentication? > >> If "yes", then the question is >> >> * Is this a worthwhile problem to solve? In some sense this could be >> seen as a competitor to RADIUS and Diameter. > > I consider the portal automation in WiFi hotspots to be a problem > hampering smooth connectivity. Does it need a RADIUS or EAP kind of > solution? Or an enhancement of some other protocol (http? dns?) to > realize this automation? > >> * Are we just moving problems around here and not really advancing the >> state of the art (which might a general question with OpenFlow alike >> technologies IMHO)? > > We would need to identify where is a practical problem, and where is > problem of intelect only. Just exercising protocol design is obviously > not enough to pursue; this should be an engineering activity aiming at > deploying product useful to an end user. > >> * Is there indeed a standardization gap (or are we just uninformed >> about the state of the art)? > > Yes, there are a few protocols like dns and http which allow the web > portals authenticators to be mean to the end user, to restrain > connectivity, to reduce number of customers. > >> * Is the IETF the right venue to do this type of standardization work? > > This is a good question. If the protocols we look at are IETF > protocols, and if the problem is understood as real by several IETFers, > then this is the venue. If the protocols are not IETF, or if the > problem is not understood as real by several IETFers then this is not > the venue. > > Alex > >> >> Thoughts? >> >> Ciao >> Hannes >> >> >> >> _______________________________________________ >> Secauth mailing list >> Secauth@ietf.org >> https://www.ietf.org/mailman/listinfo/secauth >> > > _______________________________________________ > Secauth mailing list > Secauth@ietf.org > https://www.ietf.org/mailman/listinfo/secauth
- [Secauth] My Summary of the December Conference C… Hannes Tschofenig
- Re: [Secauth] My Summary of the December Conferen… Hosnieh Rafiee
- Re: [Secauth] My Summary of the December Conferen… Alan DeKok
- Re: [Secauth] My Summary of the December Conferen… Alexandre Petrescu
- Re: [Secauth] My Summary of the December Conferen… Hannes Tschofenig
- Re: [Secauth] My Summary of the December Conferen… Alexandre Petrescu