Topic/Title: EAP defaults for devices that need to onboard
Name of Presenter(s): Michael Richardson (with Alan DeKok)
Length of time requested: 5 minutes (new work)
Document If applicable: https://datatracker.ietf.org/doc/draft-richardson-emu-eap-onboarding/
Alan and I have written a -00 document (just posted), on using unauthenticated EAP-TLS (no client-side certificate) to allow a supplicant (a pledge) to get enough IP connectivity in order to run an authenticated onboarding solution, such as BRSKI (RFC8995).

As described in the document, the network would put these clients onto a (L2) quarantined network, much as it would if a device was found that did not pass its remote attestation process (cf: RFC 5209 and friends).

While there are proposals to run BRSKI over EAP using TEAP, etc, the challenges of MTU, limited amount of traffic that can travel over EAP, and the hassle of implementing yet-another mechanism seem excessive to us.

Enterprise networks already have quarantine/captive-portal (V)LANs with full isolation between hosts. Smaller networks can easily afford to add such things, and there are projects to isolate every single IoT device into its own L2 domain until it proves it needs to communicate.

We are working on code. I'm happy to present at EMU as well. EMU may wish to adopt this document. But first, I think that the ANIMA WG, as a consumer of this, may like to say if it satisfies a need.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
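The access-policy split the message describes (server-only EAP-TLS lands the pledge in an isolated quarantine segment that only reaches the onboarding infrastructure; a certificate chained to the domain CA lands it in production) can be modelled as a small authorization function plus a quarantine filter. The following is an added illustration, not code from the draft, from FreeRADIUS, or from the authors; VLAN numbers, the issuer name, the addresses and the allowed-port list are all constructed assumptions, and the decision for the "valid chain but not our CA" case is an assumed policy rather than anything the draft specifies.

```python
"""Model of the EAP-TLS onboarding policy described in the message.

Assumed names and values (not from the draft):
  QUARANTINE_VLAN / PRODUCTION_VLAN  - example VLAN ids
  DOMAIN_CA                          - issuer name of the domain's LDevID CA
  REGISTRAR                          - constructed address of the BRSKI registrar
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

QUARANTINE_VLAN = 900           # assumed: L2 quarantine segment for pledges
PRODUCTION_VLAN = 100           # assumed: normal enterprise segment
DOMAIN_CA = "Example Domain CA"  # assumed: issuer of certificates enrolled via BRSKI


class TlsOutcome(Enum):
    NO_CLIENT_CERT = "no_client_cert"  # unauthenticated EAP-TLS: server cert only
    CLIENT_CERT = "client_cert"        # the supplicant presented a certificate


@dataclass
class EapTlsResult:
    outcome: TlsOutcome
    issuer: Optional[str] = None   # issuer of the client certificate, if any
    chain_valid: bool = False      # did the chain validate to a trusted anchor?


@dataclass
class Authorization:
    accept: bool                   # Access-Accept (True) or Access-Reject (False)
    vlan: Optional[int]            # VLAN to assign when accepted
    reason: str


def authorize(result: EapTlsResult) -> Authorization:
    """Decide the segment for a supplicant after the EAP-TLS handshake.

    A pledge with no client certificate is accepted but quarantined, so it can
    reach the registrar and complete BRSKI.  A certificate that chains to the
    domain CA (an LDevID obtained by onboarding) gets production access.  Any
    other certificate is rejected, as ordinary EAP-TLS would do today
    (assumed policy; the draft does not spell this case out).
    """
    if result.outcome is TlsOutcome.NO_CLIENT_CERT:
        return Authorization(True, QUARANTINE_VLAN,
                             "unauthenticated EAP-TLS: quarantine for onboarding")
    if result.chain_valid and result.issuer == DOMAIN_CA:
        return Authorization(True, PRODUCTION_VLAN, "LDevID issued by domain CA")
    return Authorization(False, None, "client certificate not trusted")


# Constructed addressing for the quarantine segment.
QUARANTINE_NET = ip_network("192.0.2.0/24")
REGISTRAR = ip_address("192.0.2.10")      # BRSKI registrar / join proxy (assumed)
REGISTRAR_PORT = 443                      # BRSKI runs over HTTPS (RFC 8995)
BOOTSTRAP_UDP_PORTS = {67, 53}            # DHCP and DNS, needed to get any IP at all


def quarantine_allows(src: str, dst: str, proto: str, dport: int) -> bool:
    """Filter applied to traffic from a quarantined pledge.

    Enforces the two properties the message relies on: hosts in the quarantine
    L2 cannot talk to each other, and the only application traffic permitted is
    the onboarding exchange with the registrar.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # Host isolation: the only peer inside the quarantine segment is the registrar.
    if dst_ip in QUARANTINE_NET and dst_ip != REGISTRAR:
        return False
    if proto == "udp" and dport in BOOTSTRAP_UDP_PORTS:
        return True
    if dst_ip == REGISTRAR and proto == "tcp" and dport == REGISTRAR_PORT:
        return True
    return False


if __name__ == "__main__":
    print(authorize(EapTlsResult(TlsOutcome.NO_CLIENT_CERT)))
    print(authorize(EapTlsResult(TlsOutcome.CLIENT_CERT, DOMAIN_CA, True)))
    print(quarantine_allows("192.0.2.50", "192.0.2.51", "tcp", 443))  # peer: blocked
```

The point of keeping `authorize` and `quarantine_allows` separate is that the first runs on the AAA server (it only needs the handshake outcome and the issuer), while the second is what the switch or access point enforces on the quarantine VLAN; the security of the scheme rests on the second being in place, since the first deliberately accepts a device that has proven nothing about itself.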
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
