draft-gaonkar-radext-erp-attrs-00
Kedar Gaonkar, Lakshminath Dondeti
New RADIUS attributes
• Key Request: sent by a visited-domain AAA server requesting a key
• Key Response: sent by the home domain (AS) delivering the key
ERP Exchange with Local Re-auth Server
[Figure: message sequence between Peer, Auth1, Auth2, Local Re-auth Server and AS]
Initial EAP Exchange:
• Full EAP exchange between Peer and AS through Auth1; Peer and AS end up with MSK, EMSK and DSRK (the AS column lists MSK, EMSK, DSRK1, DS-rRK1, DS-rIK1)
• EAP Success is relayed back to the Peer; the figure annotates the hops with (MSK) and (MSK, VMSK1), and Auth1 receives the MSK
• The Local Re-auth Server receives DSRK1 and derives DS-rRK1 and DS-rIK1
Subsequent EAP-ER Exchange (Peer attaching through Auth2):
• EAP Request Identity (optional message)
• EAP Re-auth Initiate, authenticated with L-rIK1
• Local Re-auth Server derives rMSK11
• EAP Re-auth Finish, authenticated with L-rIK1; rMSK11 is delivered to Auth2
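The exchange in the figure, as an added worked model that is not part of the slides or the draft. The KDF shape follows RFC 5295 (PRF+ over HMAC-SHA-256); the label strings, the cryptosuite byte and the message bodies are placeholders assumed for this example, not the registered ERP values or the real EAP-Initiate/Finish wire format. What it shows is the part the figure leaves implicit: the local re-auth server only ever holds a DSRK bound to its own domain name, so a server holding the DSRK for a different domain cannot pass the rIK integrity check, and each sequence number yields a fresh rMSK.

```python
"""Toy model of the ERP key hierarchy and re-authentication exchange in the
figure above. Added example, not code from the draft or its authors.
Assumptions: the KDF follows RFC 5295 (PRF+ over HMAC-SHA-256); the label
strings, cryptosuite byte and message bodies are placeholders, not the
registered ERP values or the real EAP wire format."""
import hashlib
import hmac

DSRK_LABEL = b"dsrk@ietf.org"                                   # assumed label
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"          # assumed label
RIK_LABEL = b"Re-authentication Integrity Key@ietf.org"         # assumed label
RMSK_LABEL = b"Re-authentication Master Session Key@ietf.org"   # assumed label
CRYPTOSUITE = b"\x02"      # assumed to denote HMAC-SHA256-128
MAC_LEN = 16


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """IKEv2-style PRF+ with HMAC-SHA-256 (the RFC 5295 KDF)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def kdf(key: bytes, label: bytes, data: bytes, length: int = 64) -> bytes:
    """KDF(key, label | NUL | optional data | 2-octet length)."""
    return prf_plus(key, label + b"\x00" + data + length.to_bytes(2, "big"), length)


def derive_dsrk(emsk: bytes, domain: bytes) -> bytes:
    return kdf(emsk, DSRK_LABEL, domain)          # bound to the local domain name


def derive_rrk(root: bytes) -> bytes:
    return kdf(root, RRK_LABEL, b"")              # root = EMSK (home) or DSRK (visited)


def derive_rik(rrk: bytes) -> bytes:
    return kdf(rrk, RIK_LABEL, CRYPTOSUITE)


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    return kdf(rrk, RMSK_LABEL, seq.to_bytes(2, "big"))   # one rMSK per sequence number


def protect(rik: bytes, body: bytes) -> bytes:
    """Append a truncated HMAC computed with the rIK."""
    return body + hmac.new(rik, body, hashlib.sha256).digest()[:MAC_LEN]


def verify(rik: bytes, msg: bytes) -> bytes:
    """Check the rIK tag and return the body; reject on mismatch."""
    body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
    expected = hmac.new(rik, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check with rIK failed")
    return body


def erp_reauth(emsk: bytes, peer_domain: bytes, server_domain: bytes, seq: int):
    """Runs the 'Subsequent EAP-ER Exchange' from the figure and returns
    (peer_rmsk, server_rmsk). The local re-auth server holds the DSRK the AS
    delivered for server_domain; the peer derives its own for peer_domain."""
    # Initial exchange: AS derives DSRK1 from the EMSK and delivers it to the
    # local re-auth server, which derives DS-rRK1 / DS-rIK1 from it.
    server_rrk = derive_rrk(derive_dsrk(emsk, server_domain))
    server_rik = derive_rik(server_rrk)
    # The peer holds the EMSK and derives the same hierarchy for its domain.
    peer_rrk = derive_rrk(derive_dsrk(emsk, peer_domain))
    peer_rik = derive_rik(peer_rrk)

    # EAP Re-auth Initiate (peer -> Auth2 -> local server), authenticated with rIK.
    initiate = verify(server_rik, protect(peer_rik, b"EAP-Initiate/Re-auth" + seq.to_bytes(2, "big")))
    server_seq = int.from_bytes(initiate[-2:], "big")
    server_rmsk = derive_rmsk(server_rrk, server_seq)   # rMSK11 in the figure, handed to Auth2

    # EAP Re-auth Finish (local server -> peer), also authenticated with rIK.
    finish = verify(peer_rik, protect(server_rik, b"EAP-Finish/Re-auth" + server_seq.to_bytes(2, "big")))
    peer_rmsk = derive_rmsk(peer_rrk, int.from_bytes(finish[-2:], "big"))
    return peer_rmsk, server_rmsk
```

Because the DSRK derivation mixes in the domain name, the local re-auth server can only serve peers that derived their DS-rRK/DS-rIK for that same domain; the MSK and EMSK from the full EAP exchange never leave the AS and the peer.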
Key-Request Attribute
Layout: Type | Length | Key-Type | Requesting Entity's Identity (String) ...
Key Type values:
• 0: Reserved
• 1: Domain Specific Root Key (DSRK)
Key-Response Attribute
Layout: Type | Length | Key Type | Key Length | Key Lifetime (4 octets) | Key Name (8 octets) | Key (variable) | Requesting Entity's Identity (String, variable)
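An encoder and decoder for the two attribute layouts above, added here as an example; it is not code from the draft or its authors. The slides fix only the Key Lifetime (4 octets) and Key Name (8 octets) widths, so this example assumes the standard one-octet RADIUS Type and Length, one octet each for Key Type and Key Length, and placeholder attribute Type codes (the draft leaves them TBD). The decoder rejects a Key Length that runs past the attribute, and the final check is the one a visited AAA server should make before trusting a delivered key: the response must echo the key type and requesting identity it asked for.

```python
"""Encoder/decoder for the Key-Request and Key-Response attributes sketched
above. Added example, not code from the draft. Assumptions: standard RADIUS
Type and Length octets; Key Type and Key Length are taken as one octet each;
the attribute Type codes are placeholders (the draft leaves them TBD)."""
import struct

KEY_REQUEST_TYPE = 241     # placeholder type code (assumption)
KEY_RESPONSE_TYPE = 242    # placeholder type code (assumption)
KEY_TYPE_RESERVED = 0      # from the slide
KEY_TYPE_DSRK = 1          # from the slide
FIXED_RESPONSE_HEADER = 1 + 1 + 4 + 8   # Key Type, Key Length, Lifetime, Key Name


def _attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Length counts the Type and Length octets too, max 255."""
    length = 2 + len(value)
    if length > 255:
        raise ValueError("value does not fit in one RADIUS attribute")
    return bytes([attr_type, length]) + value


def _split(data: bytes, expected_type: int) -> bytes:
    """Returns the value octets, refusing short, overlong or wrong-type data."""
    if len(data) < 2:
        raise ValueError("attribute shorter than its header")
    attr_type, length = data[0], data[1]
    if attr_type != expected_type:
        raise ValueError("unexpected attribute type %d" % attr_type)
    if length < 2 or length > len(data):
        raise ValueError("Length field inconsistent with data")
    return data[2:length]


def pack_key_request(key_type: int, identity: bytes) -> bytes:
    if key_type == KEY_TYPE_RESERVED or not identity:
        raise ValueError("key type 0 is reserved and identity must be present")
    return _attribute(KEY_REQUEST_TYPE, bytes([key_type]) + identity)


def unpack_key_request(data: bytes) -> dict:
    value = _split(data, KEY_REQUEST_TYPE)
    if len(value) < 2:
        raise ValueError("Key-Request needs Key-Type and a non-empty identity")
    return {"key_type": value[0], "identity": value[1:]}


def pack_key_response(key_type: int, key: bytes, lifetime: int,
                      key_name: bytes, identity: bytes) -> bytes:
    if len(key_name) != 8:
        raise ValueError("Key Name is 8 octets")
    if not 1 <= len(key) <= 255:
        raise ValueError("Key Length must fit one octet")
    header = struct.pack("!BBI", key_type, len(key), lifetime)
    return _attribute(KEY_RESPONSE_TYPE, header + key_name + key + identity)


def unpack_key_response(data: bytes) -> dict:
    value = _split(data, KEY_RESPONSE_TYPE)
    if len(value) < FIXED_RESPONSE_HEADER:
        raise ValueError("Key-Response truncated before Key Name")
    key_type, key_len, lifetime = struct.unpack("!BBI", value[:6])
    key_name = value[6:FIXED_RESPONSE_HEADER]
    key_end = FIXED_RESPONSE_HEADER + key_len
    # A Key Length larger than the attribute carries is malformed or hostile;
    # the identity that follows the key must also be non-empty.
    if key_end >= len(value):
        raise ValueError("Key Length exceeds attribute or leaves no identity")
    return {"key_type": key_type, "lifetime": lifetime, "key_name": key_name,
            "key": value[FIXED_RESPONSE_HEADER:key_end], "identity": value[key_end:]}


def response_matches_request(request: bytes, response: bytes) -> bool:
    """The visited AAA server should only accept a Key-Response that echoes the
    key type and requesting identity it asked for; anything else is discarded."""
    req, rsp = unpack_key_request(request), unpack_key_response(response)
    return req["key_type"] == rsp["key_type"] and req["identity"] == rsp["identity"]
```

Note that a 64-octet DSRK plus the 14-octet fixed header leaves well under 200 octets for the identity string, so the attribute fits in one RADIUS TLV; a longer key type would need the Key Length widened or the attribute split.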
Security Considerations
• The draft at the moment says to use IPsec
• There was discussion on this topic
• Alternative: end-to-end encapsulation using keywrap
• The technique of the keyreq document can be used with these attributes as well
Next Steps
• We presented this at the HOKEY WG
• After a brief discussion, it appears that we can use draft-zorn-radius-keywrap-13
• We have one more use case for that I-D now