Authenticated service identities for EAP (draft-arkko-eap-service-identity-auth-01)

Slides: 9
Provided by: PasiE7
Learn more at: https://www.ietf.org


1
Authenticated service identities for EAP
(draft-arkko-eap-service-identity-auth-01)
  • Jari Arkko, Pasi Eronen

2
Problem

[Diagram labels: Client; A, B, C, D; ZZZ; AAA server]
3
Problem

[Diagram labels: Client; ?; A, B, C, D; ZZZ; AAA server]
4
Problem
  • EAP does not have a concept of service (or NAS)
    identity
  • All identifiers come from the service itself

5
Solution overview
  • AAA server tells the client "I'm sending the
    AAA-Key to service X"

6
Channel bindings?
  • Channel bindings (w/o authentication)
      • "I'm sending the AAA-Key to a box that claims to
        be X"
  • Authenticated service identities
      • "I'm sending the AAA-Key to a box I believe to
        be X"

7
This draft
  • Method-independent, extensible framework for
    service identifiers
  • Identifiers for some EAP lower layers
      • Currently 802.11i and IKEv2
      • No single right identifier; more can be added
        later
  • AVPs to send this container in some EAP methods
      • EAP-TLS, PEAPv2, EAP-SIM, EAP-AKA

8
Next steps
  • Is this a relevant problem?
  • Relationship to handovers?
      • If the client wants to tell X and Y apart, both
        have to get their keys from the AAA server
      • And not from each other via some context
        transfer protocol