Re: [Secauth] secauth use case - What is next?

Alan DeKok <aland@deployingradius.com> Wed, 03 December 2014 18:44 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <814D0BFB77D95844A01CA29B44CBF8A7A7D2F1@lhreml513-mbb.china.huawei.com>
Date: Wed, 03 Dec 2014 13:44:26 -0500
Message-Id: <13B39BFF-50D1-4892-A159-9F8F75BC5C6B@deployingradius.com>
References: <814D0BFB77D95844A01CA29B44CBF8A7A7D2F1@lhreml513-mbb.china.huawei.com>
To: Hosnieh Rafiee <hosnieh.rafiee@huawei.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secauth/yKNKWJH9WRE4j5cogQtr3lFsATA
Cc: "secauth@ietf.org" <secauth@ietf.org>
Subject: Re: [Secauth] secauth use case - What is next?

On Dec 3, 2014, at 11:59 AM, Hosnieh Rafiee <hosnieh.rafiee@huawei.com> wrote:

> Folks,
> I have created some slides to explain where secauth can work in this specific scenario, that is, hotspot entities' authentication and authorization.
> I reviewed all previous comments.

 They explain the situation well.

> @Paul:
>> Other forums are working on the problem:  https://www.wi-fi.org/passpoint-release-2-operator-best-practices-for-aaa-interface-deployment-v200
> I have checked it. It is true that they want to have a similar function, but their main actor is the end user. I am thinking about full transparency for the end user and also for hotels or hotspot domain admins.

 I’ve spent time working at a WiFi inter-connect provider.  Interconnections are *hard*.  They require human involvement.  The protocols are easy.  RADIUS, IPSec, etc.  The hard part is that everyone’s business methods, billing, etc. are different.  The interconnect providers do significant work to mangle each packet to / from disparate ISPs.

> Are there any operators in this group to share opinions from the operators' point of view? Telekom? O2? Vodafone? I can only discuss this from an industrial point of view.

 The operators tend to not be involved in the IETF.  I spend a fair amount of time talking to them, though.

> Where secauth can work:
> 1- If more than one industry is involved: communication between SDN controllers (interoperability of two different SDN providers).
> 2- The whole process for inter-domain and cross-domain authentication & probably authorization (if any specific policy should be applied in the new network), including considering shared resources (for tokens and policies, etc.). Current standards like RADIUS, etc. cannot provide cross-domain authentication.

 I have no idea what that means.  RADIUS is *widely* used for cross-domain authentication.  I can say without exaggeration that outside of 3G, it’s the *only* protocol used for cross-domain authentication.

 Eduroam is widely used.  IETF WGs like Abfab are standardizing cross-domain authentication, where the domains require no previous coordination to communicate.  They only require a common CA, which shows that both domains are part of the same roaming consortium.

> 3- seamless authentication and authorization (this is especially true for sensors or small devices without keyboard to set the authentication)

 These scenarios are widely deployed today, e.g. medical devices which send telemetry data back to a central monitoring system.  The devices use EAP for authentication, and RADIUS for cross-domain authentication.

 Alan DeKok.
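Alan's point that RADIUS already does cross-domain authentication rests on realm-based proxying: a proxy splits the NAI in User-Name into user and realm (RFC 7542), answers locally for its own realms, and otherwise forwards the request toward the realm's home server, with the federation's top-level proxy as the default route. The following is an added example written for this page, not code from the thread, from eduroam, or from any RADIUS implementation; the realm table, server names, hop limit and the "proxy_state" path list are constructed for illustration. It models routing only; the mutual TLS trust between proxies that Alan describes (a common consortium CA) is outside what it shows.

```python
"""Realm-based routing of RADIUS requests, as eduroam-style federations
do it. Added example for this thread; all names below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed routing table: realm suffix -> next-hop RADIUS server.
# A real federation usually forwards to a national proxy, not directly to
# the home server; these hostnames are invented.
ROUTES = {
    "example.edu": "radius.example.edu",
    "example.ac.uk": "roaming.example.ac.uk",
}
LOCAL_REALMS = {"example.edu"}                 # realms this server authenticates itself
FEDERATION_PROXY = "tlr.federation.example"    # default route for unknown realms
MAX_HOPS = 5                                   # constructed loop guard, not a RADIUS attribute


@dataclass
class RadiusRequest:
    user_name: str                                     # NAI, e.g. "alice@example.edu"
    hops: int = 0                                      # proxies traversed so far (illustrative)
    proxy_state: List[str] = field(default_factory=list)  # servers already on the path


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an NAI into (user, realm) per RFC 7542: the realm is whatever
    follows the *last* '@'. The realm is None when there is no '@' or it
    is empty; it is lower-cased because DNS-style realms compare that way."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    return user, (realm or None)


def is_local(realm: str) -> bool:
    """True for a local realm or any sub-realm of one (lab.example.edu)."""
    return any(realm == r or realm.endswith("." + r) for r in LOCAL_REALMS)


def lookup_route(realm: str) -> str:
    """Longest-suffix match on the routing table, so 'lab.example.ac.uk'
    is routed via the 'example.ac.uk' entry; unknown realms go to the
    federation's top-level proxy."""
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ROUTES:
            return ROUTES[candidate]
    return FEDERATION_PROXY


def route(req: RadiusRequest, this_server: str) -> str:
    """Decide what this proxy does with a request. Returns one of
    'local:<realm>', 'forward:<next hop>' or 'reject:<reason>'.
    Requests with no realm cannot be routed and are rejected; a request
    that has already passed through this server, or has exceeded the hop
    limit, is treated as a proxy loop."""
    user, realm = split_nai(req.user_name)
    if realm is None:
        return "reject:no-realm"
    if not user:
        return "reject:empty-user"
    if is_local(realm):
        return f"local:{realm}"
    if req.hops >= MAX_HOPS or this_server in req.proxy_state:
        return "reject:loop"
    req.hops += 1
    req.proxy_state.append(this_server)
    return f"forward:{lookup_route(realm)}"


if __name__ == "__main__":
    # Constructed sample requests as seen by the proxy for example.edu.
    for name in ["alice@example.edu", "dave@lab.example.ac.uk",
                 "eve@unknown.org", "frank", "bob@dept@Example.EDU"]:
        print(f"{name:28s} -> {route(RadiusRequest(name), 'radius.example.edu')}")
```

The decisions a proxy makes here are also what a defender should log: a burst of "reject:no-realm" or "reject:loop" outcomes points at misconfigured clients or a routing loop between federation members, and the forward decision records which peer a given realm's traffic was handed to.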