Re: [Emu] [saag] Fwd: New Version Notification for draft-aura-eap-noob-00.txt

2016-02-18 Thread Stefan Winter
Hi,

> Of course, the benefits of EAP-NOOB will be greater in organizations which 
> already use 802.1X authentication and which have larger numbers of IoT 
> devices than a single home. 

Particularly because many "home" access points / integrated
all-layer devices do not support 802.1X, so they do not qualify as a NAS.

Which is unfortunate and yes it would be great to have 802.1X NASes
everywhere. :-) But for your scenario, it's a significant limitation if
you exclude a large percentage of homes.

(I don't dare make up any real percentage numbers; I'm sure this varies
a lot per country and per operator)

Greetings,

Stefan Winter


> 
> Anything else that we need to address?
> 
> Tuomas
> 
> 
> 
> -Original Message-
> From: Josh Howlett [mailto:josh.howl...@jisc.ac.uk] 
> Sent: Thursday, 18 February, 2016 19:28
> To: Mohit Sethi ; s...@ietf.org; emu@ietf.org
> Cc: Aura Tuomas 
> Subject: RE: [saag] Fwd: New Version Notification for 
> draft-aura-eap-noob-00.txt
> 
> Hi Mohit,
> 
> This is an interesting draft, but I'm struggling to understand how this would 
> be deployed in the consumer settings that the document alludes to. For 
> example, who do you anticipate will be operating the NAS (the consumer?), AAA 
> server (the vendor?), and the AAA fabric between these actors?
> 
> Josh.
> 
>> -Original Message-
>> From: saag [mailto:saag-boun...@ietf.org] On Behalf Of Mohit Sethi
>> Sent: 08 February 2016 15:34
>> To: s...@ietf.org; emu@ietf.org
>> Cc: tuomas.a...@aalto.fi
>> Subject: [saag] Fwd: New Version Notification for 
>> draft-aura-eap-noob-00.txt
>>
>> Dear all
>>
>> We have just submitted a new IETF Draft titled “Nimble out-of-band 
>> authentication for EAP (EAP-NOOB)”.
>>
>> The draft defines an EAP method where the authentication is based on a 
>> user-assisted out-of-band (OOB) channel between the server and peer. 
>> It is intended as a generic bootstrapping solution for 
>> Internet-of-Things devices which have no pre-configured authentication 
>> credentials and which are not yet registered on the authentication 
>> server. Consider devices you just bought or borrowed.
>>
>> The EAP-NOOB method is more generic than most ad-hoc bootstrapping 
>> solutions in that it supports many types of OOB channels. We specify 
>> the exact in-band messages but only the OOB message contents and not 
>> the OOB channel details. Also, EAP-NOOB supports ubicomp devices with 
>> only output (e.g. display) or only input (e.g. camera). Moreover, it 
>> makes combined use of both secrecy and integrity of the OOB channel 
>> for more robust security than the ad-hoc solutions. We have put a lot 
>> of effort into designing a robust security protocol.
>>
>> For one application example, we have used an earlier version of the 
>> protocol for bootstrapping security for ubiquitous displays: the user 
>> can configure wireless network access, link the device to a cloud 
>> service, and register ownership of the device for a specific cloud 
>> user – all in one simple step of scanning a QR code with a smart 
>> phone. There seemed to be more potential to this idea than just using it 
>> for our own system, and thus we decided to write a generic EAP method for 
>> out-of-band authentication.
>>
>> The draft is available here:
>> https://tools.ietf.org/html/draft-aura-eap-noob-00
>>
>> Please see if you can make use of it. We look forward to your feedback 
>> and comments.
>>
>> Regards
>> /--Mohit
>>
>>
>>  Forwarded Message 
>> Subject: New Version Notification for draft-aura-eap-noob-00.txt
>> Date:Mon, 08 Feb 2016 04:30:35 -0800
>> From:internet-dra...@ietf.org
>> To:  Tuomas Aura , Mohit Sethi
>> 
>>
>>
>>
>> A new version of I-D, draft-aura-eap-noob-00.txt has been successfully 
>> submitted by Tuomas Aura and posted to the IETF repository.
>>
>> Name:draft-aura-eap-noob
>> Revision:00
>> Title:   Nimble out-of-band authentication for EAP (EAP-NOOB)
>> Document date:   2016-02-08
>> Group:   Individual Submission
>> Pages:   35
>> URL:https://www.ietf.org/internet-drafts/draft-aura-eap-noob-00.txt
>> Status:https://datatracker.ietf.org/doc/draft-aura-eap-noob/
>> Htmlized:https://tools.ietf.org/html/draft-aura-eap-noob-00
>>
>>
>> Abstract:
>> Extensible Authentication Protocol (EAP) [RFC3748] provides support
>> for multiple authentication methods.  This document defines the EAP-
>> NOOB authentication method for nimble out-of-band (OOB)
>> authentication and key derivation.  This EAP method is intended for
>> bootstrapping all kinds of Internet-of-Things (IoT) devices that have
>> a minimal user interface and no pre-configured authentication
>> credentials.  The method makes use of a user-assisted one-directional
>> OOB channel between the peer device and authentication server.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of 
>> submission until t

Re: [Emu] [saag] Fwd: New Version Notification for draft-aura-eap-noob-00.txt

2016-02-18 Thread Aura Tuomas
Hi Josh,

Good observation; we may need to be clearer about the intended usage scenarios 
for EAP-NOOB.

In the home setting, the AAA server would typically be a cloud-based service, 
where the consumer can register a user account. This does require the 802.1X 
authentication (i.e. WPA2-Enterprise) to be configured at the home NAS, so that 
authentication for "@eap-noob.net" is forwarded to the cloud-based AAA server. 
You only need to configure the NAS once, and all future devices can be 
connected without touching the NAS.

This is a change from the way home wireless routers are configured today. We 
think that, as the number of IoT devices grows, configuring them with a shared 
passphrase will be too inconvenient. Obviously, the shared passphrase is also 
vulnerable to a single untrusted IoT device that may leak the passphrase, and 
using EAP helps to isolate the devices. 

Of course, the benefits of EAP-NOOB will be greater in organizations which 
already use 802.1X authentication and which have larger numbers of IoT devices 
than a single home. 

Anything else that we need to address?

Tuomas



-Original Message-
From: Josh Howlett [mailto:josh.howl...@jisc.ac.uk] 
Sent: Thursday, 18 February, 2016 19:28
To: Mohit Sethi ; s...@ietf.org; emu@ietf.org
Cc: Aura Tuomas 
Subject: RE: [saag] Fwd: New Version Notification for draft-aura-eap-noob-00.txt

Hi Mohit,

This is an interesting draft, but I'm struggling to understand how this would 
be deployed in the consumer settings that the document alludes to. For example, 
who do you anticipate will be operating the NAS (the consumer?), AAA server 
(the vendor?), and the AAA fabric between these actors?

Josh.

> -Original Message-
> From: saag [mailto:saag-boun...@ietf.org] On Behalf Of Mohit Sethi
> Sent: 08 February 2016 15:34
> To: s...@ietf.org; emu@ietf.org
> Cc: tuomas.a...@aalto.fi
> Subject: [saag] Fwd: New Version Notification for 
> draft-aura-eap-noob-00.txt
> 
> Dear all
> 
> We have just submitted a new IETF Draft titled “Nimble out-of-band 
> authentication for EAP (EAP-NOOB)”.
> 
> The draft defines an EAP method where the authentication is based on a 
> user-assisted out-of-band (OOB) channel between the server and peer. 
> It is intended as a generic bootstrapping solution for 
> Internet-of-Things devices which have no pre-configured authentication 
> credentials and which are not yet registered on the authentication 
> server. Consider devices you just bought or borrowed.
> 
> The EAP-NOOB method is more generic than most ad-hoc bootstrapping 
> solutions in that it supports many types of OOB channels. We specify 
> the exact in-band messages but only the OOB message contents and not 
> the OOB channel details. Also, EAP-NOOB supports ubicomp devices with 
> only output (e.g. display) or only input (e.g. camera). Moreover, it 
> makes combined use of both secrecy and integrity of the OOB channel 
> for more robust security than the ad-hoc solutions. We have put a lot 
> of effort into designing a robust security protocol.
> 
> For one application example, we have used an earlier version of the 
> protocol for bootstrapping security for ubiquitous displays: the user 
> can configure wireless network access, link the device to a cloud 
> service, and register ownership of the device for a specific cloud 
> user – all in one simple step of scanning a QR code with a smart 
> phone. There seemed to be more potential to this idea than just using it 
> for our own system, and thus we decided to write a generic EAP method for 
> out-of-band authentication.
> 
> The draft is available here:
> https://tools.ietf.org/html/draft-aura-eap-noob-00
> 
> Please see if you can make use of it. We look forward to your feedback 
> and comments.
> 
> Regards
> /--Mohit
> 
> 
>  Forwarded Message 
> Subject:  New Version Notification for draft-aura-eap-noob-00.txt
> Date: Mon, 08 Feb 2016 04:30:35 -0800
> From: internet-dra...@ietf.org
> To:   Tuomas Aura , Mohit Sethi
> 
> 
> 
> 
> A new version of I-D, draft-aura-eap-noob-00.txt has been successfully 
> submitted by Tuomas Aura and posted to the IETF repository.
> 
> Name: draft-aura-eap-noob
> Revision: 00
> Title:Nimble out-of-band authentication for EAP (EAP-NOOB)
> Document date:2016-02-08
> Group:Individual Submission
> Pages:35
> URL:https://www.ietf.org/internet-drafts/draft-aura-eap-noob-00.txt
> Status:https://datatracker.ietf.org/doc/draft-aura-eap-noob/
> Htmlized:https://tools.ietf.org/html/draft-aura-eap-noob-00
> 
> 
> Abstract:
> Extensible Authentication Protocol (EAP) [RFC3748] provides support
> for multiple authentication methods.  This document defines the EAP-
> NOOB authentication method for nimble out-of-band (OOB)
> authentication and key derivation.  This EAP method is intended for
> bootstrapping all kinds of Internet-of-Things (IoT) devices that ha

Re: [Emu] [saag] Fwd: New Version Notification for draft-aura-eap-noob-00.txt

2016-02-18 Thread Aura Tuomas
Hi Abhijan,

Thank you for the questions.

There is a one-to-one mapping between the EAP server and authenticator. The EAP 
server is determined by how the authenticator or local AAA server is 
configured. That is, the local network administrators can route access requests 
for “@eap-noob.org” to any server they choose.

In our own setup, we have configured the RADIUS server at our local wireless 
network to trust another, remote RADIUS server for NAIs that end 
“@eap-noob.org”. That remote server handles EAP-NOOB for all the stations in 
our wireless network.

Tuomas

P.S. Sorry about the cross-posting. Let’s send the follow-ups only to 
s...@ietf.org.



From: Abhijan Bhattacharyya [mailto:abhijan.bhattachar...@tcs.com]
Sent: Monday, 15 February, 2016 09:31
To: Mohit Sethi 
Cc: s...@ietf.org; emu@ietf.org; Aura Tuomas ; 
'c...@ietf.org' ; 't2...@irtf.org' 
Subject: Re: [saag] Fwd: New Version Notification for draft-aura-eap-noob-00.txt

Hi Mohit,
I was going through your draft. Looks to be a promising proposition. However, I 
have got a few questions first hand.

The authenticator acts as a transparent node and forwards the packets to the 
server soon after the first message for EAP Identity request. In a typical 
network would a single authenticator map to several servers or the assumption 
is that there is always one to one mapping between server and authenticator?

How does the authenticator associate itself to the server at the first place?

What is the assumption regarding the underlying physical network and how the 
authenticator maps to the different nodes in the network (e.g. a router in a 
WiFi like setup)?

Regards
Abhijan Bhattacharyya
Associate Consultant
Scientist, Innovation Lab, Kolkata, India
Tata Consultancy Services
Mailto: abhijan.bhattachar...@tcs.com
Website: http://www.tcs.com

From: Mohit Sethi <mohit.m.se...@ericsson.com>
To: <s...@ietf.org>, <emu@ietf.org>
Cc: tuomas.a...@aalto.fi
Date: 02/08/2016 09:10 PM
Subject: [saag] Fwd: New Version Notification for draft-aura-eap-noob-00.txt
Sent by: "saag" <saag-boun...@ietf.org>




Dear all

We have just submitted a new IETF Draft titled “Nimble out-of-band
authentication for EAP (EAP-NOOB)”.

The draft defines an EAP method where the authentication is based on a
user-assisted out-of-band (OOB) channel between the server and peer. It
is intended as a generic bootstrapping solution for Internet-of-Things
devices which have no pre-configured authentication credentials and
which are not yet registered on the authentication server. Consider
devices you just bought or borrowed.

The EAP-NOOB method is more generic than most ad-hoc bootstrapping
solutions in that it supports many types of OOB channels. We specify the
exact in-band messages but only the OOB message contents and not the OOB
channel details. Also, EAP-NOOB supports ubicomp devices with only
output (e.g. display) or only input (e.g. camera). Moreover, it makes
combined use of both secrecy and integrity of the OOB channel for more
robust security than the ad-hoc solutions. We have put a lot of effort
into designing a robust security protocol.

For one application example, we have used an earlier version of the
protocol for bootstrapping security for ubiquitous displays: the user
can configure wireless network access, link the device to a cloud
service, and register ownership of the device for a specific cloud user
– all in one simple step of scanning a QR code with a smart phone. There
seemed to be more potential to this idea than just using it for our own
system, and thus we decided to write a generic EAP method for
out-of-band authentication.

The draft is available here:
https://tools.ietf.org/html/draft-aura-eap-noob-00

Please see if you can make use of it. We look forward to your feedback
and comments.

Regards
/--Mohit


 Forwarded Message 
Subject: New Version Notification for draft-aura-eap-noob-00.txt
Date: Mon, 08 Feb 2016 04:30:35 -0800
From: internet-dra...@ietf.org
To: Tuomas Aura <tuomas.a...@aalto.fi>, Mohit Sethi <mo...@piuha.net>



A new version of I-D, draft-aura-eap-noob-00.txt
has been successfully submitted by Tuomas Aura and posted to the
IETF repository.

Name:  draft-aura-eap-noob
Revision: 00
Title: Nimble out-of-band authentication for EAP (EAP-NOOB)
Document date: 2016-02-08
Group:
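
Both of Tuomas's replies above describe the same deployment pattern: the NAS (the home or campus access point, running 802.1X / WPA2-Enterprise) sends EAP over RADIUS to a local AAA server, and that server proxies every NAI whose realm is the EAP-NOOB realm to a remote server run by someone else, while all other identities stay local. This answers Abhijan's question about how the authenticator "associates itself to the server": the NAS is simply configured with the local server's address and a shared secret, and the local server lists the NAS as a client. The fragment below is an added example of that configuration for FreeRADIUS 3.x; it is not from the thread, the draft, or the authors' own setup. The realm name follows the later reply ("eap-noob.org"; the earlier reply writes "eap-noob.net"). The server address 203.0.113.10, the NAS address 192.168.1.1, the shared secret and the certificate file names are placeholders.

```conf
# --- clients.conf (LOCAL server): the NAS is a RADIUS client of the local server.
# Address and secret are placeholders for this example.
client home_ap {
    ipaddr = 192.168.1.1
    secret = "replace-with-a-long-random-per-NAS-secret"
    # Drop Access-Requests without a valid Message-Authenticator. Without this,
    # anyone who can spoof the NAS's source address can inject requests.
    require_message_authenticator = yes
}

# --- proxy.conf (LOCAL server): the REMOTE server that handles the EAP-NOOB realm.
# Plain RADIUS/UDP across the Internet protects the exchange only with MD5 and a
# shared secret, so this uses RadSec (RADIUS over TLS, RFC 6614: proto = tcp plus a
# tls {} block) with mutual certificate authentication.
home_server eapnoob_cloud {
    type   = auth
    ipaddr = 203.0.113.10         # placeholder address of the EAP-NOOB server
    port   = 2083                 # RadSec port
    proto  = tcp
    secret = radsec               # fixed value mandated for RADIUS/TLS
    require_message_authenticator = yes
    status_check    = status-server
    response_window = 20
    zombie_period   = 40
    revive_interval = 120
    tls {
        private_key_file = ${certdir}/proxy-client.key      # placeholder files
        certificate_file = ${certdir}/proxy-client.pem
        ca_file          = ${cadir}/eapnoob-server-ca.pem   # CA that issued the remote server's cert
    }
}

home_server_pool eapnoob_pool {
    type = fail-over
    home_server = eapnoob_cloud
}

# Only NAIs whose realm is exactly "eap-noob.org" are proxied. Realm-less
# identities and every other realm keep being authenticated locally, so an
# untrusted IoT device cannot reach anything but the EAP-NOOB server.
realm eap-noob.org {
    auth_pool = eapnoob_pool
    # Forward the full NAI; the remote server uses the realm to recognise EAP-NOOB traffic.
    nostrip
}

# --- sites-enabled/default (LOCAL server), authorize section: the "suffix"
# instance of rlm_realm (mods-enabled/realm, delimiter "@") splits the NAI and
# sets Proxy-To-Realm when the realm above matches. It must run before "eap",
# otherwise the local server would try to terminate the EAP conversation itself.
authorize {
    filter_username
    suffix
    eap {
        ok = return
    }
    # remaining default modules follow unchanged
}
```

With this in place the NAS never needs to change when a new device is added: the device sends an identity ending in the EAP-NOOB realm, the local server proxies the whole EAP conversation to the remote server, and on success the MSK returned in the Access-Accept gives that device its own pairwise key material, which is the per-device isolation Tuomas contrasts with a shared WPA2 passphrase. Whether the remote server then drives the user-assisted OOB step (the QR-code scan) is entirely between the device and that server; the NAS and the proxy only carry EAP. Run the local server with `radiusd -X` while a device attempts to join to confirm that the request is routed to `eapnoob_cloud` rather than handled locally.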