Context Transfer Protocol (CXTP)
draft-ietf-seamoby-ctp-11
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for David Kessens |
2004-12-03
|
(System) | Posted related IPR disclosure: Nortel Networks Statement about IPR claimed in draft-ietf-seamoby-ctp-11.txt | |
2004-10-04
|
11 | Allison Mankin | State Change Notice email list have been change to , from , |
2004-10-04
|
11 | Allison Mankin | Note field has been cleared by Allison Mankin |
2004-08-27
|
11 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2004-08-26
|
11 | Amy Vezza | IESG state changed to Approved-announcement sent |
2004-08-26
|
11 | Amy Vezza | IESG has approved the document |
2004-08-26
|
11 | Amy Vezza | Closed "Approve" ballot |
2004-08-26
|
11 | Allison Mankin | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Allison Mankin |
2004-08-25
|
11 | David Kessens | [Ballot Position Update] Position for David Kessens has been changed to No Objection from Discuss by David Kessens |
2004-08-12
|
11 | (System) | New version available: draft-ietf-seamoby-ctp-11.txt |
2004-06-25
|
11 | (System) | Removed from agenda for telechat - 2004-06-24 |
2004-06-24
|
11 | Amy Vezza | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza |
2004-06-24
|
11 | Harald Alvestrand | [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Harald Alvestrand |
2004-06-24
|
11 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2004-06-24
|
11 | David Kessens | [Ballot discuss] Comments from the ops directorate: This draft does not attempt to answer all the security considerations relating to context transfer, but nevertheless there … [Ballot discuss] Comments from the ops directorate: This draft does not attempt to answer all the security considerations relating to context transfer, but nevertheless there appear to be some pretty big holes. For example, Section 6.2 talks about using of IKE to dynamically negotiate keys for protection of Inter-Router traffic. However, it doesn't say what IKE modes need to be implemented, or what IPsec ciphersuites are required. Since context transfer security is an n by n problem, establishing the SAs to protect inter-router transfers is not an easy thing. For this reason one might conclude that pre-shared keys are difficult, since n(n-1) of them would be necessary. On the other hand, is it being suggested that each router needs to be provisioned with a certificate? On reading the draft it isn't clear what's being recommended (or even considered). In addition to the security issues described in the draft, there is also a "correctness" problem that isn't discussed. The problem is that in a context transfer it is possible that the context being transferred is not valid on the new router. In order to address this, it is necessary for a context transfer protocol to carefully specify how context is processed on the next router, and under what conditions the transfer will fail. some of the issues are laid out in Section 2.5 of draft-ietf-eap-keying: 2.5.2. Correctness in Fast Handoff Bypassing all or portions of the AAA conversation creates challenges in ensuring that authorization is properly handled. These include: [a] Consistent application of session time limits. A fast handoff should not automatically increase the available session time, allowing a user to endlessly extend their network access by changing the point of attachment. [b] Avoidance of privilege elevation. A fast handoff should not result in a user being granted access to services which they are not entitled to. [c] Consideration of dynamic state. In situations in which dynamic state is involved in the access decision (day/time, simultaneous session limit) it should be possible to take this state into account either before or after access is granted. Note that consideration of network-wide state such as simultaneous session limits can typically only be taken into account by the backend authentication server. [d] Encoding of restrictions. Since a authenticator may not be aware of the criteria considered by a backend authentication server when allowing access, in order to ensure consistent authorization during a fast handoff it may be necessary to explicitly encode the restrictions within the authorizations provided in the AAA-Token. [e] State validity. The introduction of fast handoff should not render the authentication server incapable of keeping track of network- wide state. A fast handoff mechanism capable of addressing these concerns is said to be "correct". One condition for correctness is as follows: For a fast handoff to be "correct" it MUST establish on the new device the same context as would have been created had the new device completed a AAA conversation with the authentication server. A properly designed fast handoff scheme will only succeed if it is "correct" in this way. If a successful fast handoff would establish "incorrect" state, it is preferable for it to fail, in order to avoid creation of incorrect context. Some backend authentication server and authenticator configurations are incapable of meeting this definition of "correctness". For example, if the old and new device differ in their capabilities, it may be difficult to meet this definition of correctness in a fast handoff mechanism that bypasses AAA. Backend authentication servers often perform conditional evaluation, in which the authorizations returned in an Access-Accept message are contingent on the authenticator or on dynamic state such as the time of day or number of simultaneous sessions. For example, in a heterogeneous deployment, the backend authentication server might return different authorizations depending on the authenticator making the request, in order to make sure that the requested service is consistent with the authenticator capabilities. If differences between the new and old device would result in the backend authentication server sending a different set of messages to the new device than were sent to the old device, then if the fast handoff mechanism bypasses AAA, then the fast handoff cannot be carried out correctly. For example, if some authenticator devices within a deployment support dynamic VLANs while others do not, then attributes present in the Access-Request (such as the authenticator-IP-Address, authenticator-Identifier, Vendor-Identifier, etc.) could be examined to determine when VLAN attributes will be returned, as described in [RFC3580]. VLAN support is defined in [IEEE8021Q]. If a fast handoff bypassing the backend authentication server were to occur between a authenticator supporting dynamic VLANs and another authenticator which does not, then a guest user with access restricted to a guest VLAN could be given unrestricted access to the network. Similarly, in a network where access is restricted based on the day and time, Service Set Identifier (SSID), Calling-Station-Id or other factors, unless the restrictions are encoded within the authorizations, or a partial AAA conversation is included, then a fast handoff could result in the user bypassing the restrictions. In practice, these considerations limit the situations in which fast handoff mechanisms bypassing AAA can be expected to be successful. Where the deployed devices implement the same set of services, it may be possible to do successful fast handoffs within such mechanisms. However, where the supported services differ between devices, the fast handoff may not succeed. For example, [RFC2865], section 1.1 states: "A authenticator that does not implement a given service MUST NOT implement the RADIUS attributes for that service. For example, a authenticator that is unable to offer ARAP service MUST NOT implement the RADIUS attributes for ARAP. A authenticator MUST treat a RADIUS access-accept authorizing an unavailable service as an access-reject instead." Note that this behavior only applies to attributes that are known, but not implemented. For attributes that are unknown, section of 5 of [RFC2865] states: "A RADIUS server MAY ignore Attributes with an unknown Type. A RADIUS client MAY ignore Attributes with an unknown Type." In order to perform a correct fast handoff, if a new device is provided with RADIUS context for a known but unavailable service, then it MUST process this context the same way it would handle a RADIUS Access-Accept requesting an unavailable service. This MUST cause the fast handoff to fail. However, if a new device is provided with RADIUS context that indicates an unknown attribute, then this attribute MAY be ignored. Although it may seem somewhat counter-intuitive, failure is indeed the "correct" result where a known but unsupported service is requested. Presumably a correctly configured backend authentication server would not request that a device carry out a service that it does not implement. This implies that if the new device were to complete a AAA conversation that it would be likely to receive different service instructions. In such a case, failure of the fast handoff is the desired result. This will cause the new device to go back to the AAA server in order to receive the appropriate service definition. In practice, this implies that fast handoff mechanisms which bypass AAA are most likely to be successful within a homogeneous device deployment within a single administrative domain. For example, it would not be advisable to carry out a fast handoff bypassing AAA between a authenticator providing confidentiality and another authenticator that does not support this service. The correct result of such a fast handoff would be a failure, since if the handoff were blindly carried out, then the user would be moved from a secure to an insecure channel without permission from the backend authentication server. Thus the definition of a "known but unsupported service" MUST encompass requests for unavailable security services. This includes vendor-specific attributes related to security, such as those described in [RFC2548]. |
2004-06-24
|
11 | David Kessens | [Ballot Position Update] Position for David Kessens has been changed to Discuss from No Objection by David Kessens |
2004-06-24
|
11 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2004-06-23
|
11 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2004-06-23
|
11 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley by Russ Housley |
2004-06-18
|
11 | Allison Mankin | [Note]: '"Experimental" experimental Blue Team ' added by Allison Mankin |
2004-06-18
|
11 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2004-06-17
|
11 | Allison Mankin | Placed on agenda for telechat - 2004-06-24 by Allison Mankin |
2004-06-17
|
11 | Allison Mankin | [Note]: '"Experimental" experimental' added by Allison Mankin |
2004-06-17
|
11 | Allison Mankin | [Ballot Position Update] New position, Yes, has been recorded for Allison Mankin |
2004-06-17
|
11 | Allison Mankin | Ballot has been issued by Allison Mankin |
2004-06-17
|
11 | Allison Mankin | Created "Approve" ballot |
2004-06-17
|
11 | (System) | Last call text was added |
2004-06-17
|
11 | (System) | Ballot approval text was added |
2004-06-17
|
11 | Allison Mankin | State Changes to IESG Evaluation from AD Evaluation by Allison Mankin |
2004-06-09
|
10 | (System) | New version available: draft-ietf-seamoby-ctp-10.txt |
2004-05-28
|
11 | Allison Mankin | State Changes to AD Evaluation from Publication Requested by Allison Mankin |
2004-05-25
|
11 | Dinara Suleymanova | State Changes to Publication Requested from AD Evaluation by Dinara Suleymanova |
2004-05-14
|
09 | (System) | New version available: draft-ietf-seamoby-ctp-09.txt |
2004-03-14
|
11 | Allison Mankin | State Changes to AD Evaluation from Publication Requested by Allison Mankin |
2004-01-23
|
11 | Dinara Suleymanova | State Changes to Publication Requested from AD is watching by Dinara Suleymanova |
2004-01-23
|
11 | Dinara Suleymanova | Intended Status has been changed to Experimental from Proposed Standard |
2004-01-21
|
08 | (System) | New version available: draft-ietf-seamoby-ctp-08.txt |
2004-01-14
|
07 | (System) | New version available: draft-ietf-seamoby-ctp-07.txt |
2004-01-09
|
06 | (System) | New version available: draft-ietf-seamoby-ctp-06.txt |
2003-10-28
|
05 | (System) | New version available: draft-ietf-seamoby-ctp-05.txt |
2003-10-08
|
04 | (System) | New version available: draft-ietf-seamoby-ctp-04.txt |
2003-07-02
|
03 | (System) | New version available: draft-ietf-seamoby-ctp-03.txt |
2003-05-30
|
02 | (System) | New version available: draft-ietf-seamoby-ctp-02.txt |
2003-03-07
|
01 | (System) | New version available: draft-ietf-seamoby-ctp-01.txt |
2003-02-27
|
11 | Allison Mankin | Draft Added by Mankin, Allison |
2002-11-01
|
00 | (System) | New version available: draft-ietf-seamoby-ctp-00.txt |