Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Identity Selection at the Data Link (20070808)
The IETF EAP WG Internet Draft "Network Discovery and Selection Problem" (last updated in June 2007) discusses the increasingly common situations in which users encounter networks for which no preconfigured settings are available, yet which offer desired services and the ability to successfully authenticate with the user's home realm. The document discusses the sub-problems of this problem, including "identifier selection" (section 2.2):
Typically, the user will choose an identity and corresponding credential set based on the selected network, perhaps with additional assistance provided by the chosen authentication mechanism. For example, if Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) is the authentication mechanism used with a particular network, then the user will select the appropriate EAP-TLS client certificate based in part on the list of trust anchors provided by the EAP-TLS server.
However, in access networks where roaming is enabled, the mapping between an access network and an identity/credential set may not be one to one. For example, it is possible for multiple identities to be usable on an access network or for a given identity to be usable on a single access network, which may or may not be available.
The 3GPP has been investigating this issue, and published "Identity Selection Hints for the Extensible Authentication Protocol" (RFC 4284 of January 2006). Identity hints are provided in the EAP-Request/Identity. Some of the limitations of this approach are:
- The hints are NAI realm names (from RFC 4282 of December 2005), which have a limited character range ([A-Za-z0-9]).
- The hints are carried within a display string.
"Hello!\0NAIRealms=example.com;example.org"
- As the hints are embedded in the EAP-Request, they arrive 'too late' to help the supplicant determine which network to attach to. If there are multiple wireless networks, a supplicant might need to try each one in turn to find out what realms are supported.
- If each hint is 20 octets long, at most 50 roaming partners can be advertised before the EAP MTU is reached.
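As an added illustration of the RFC 4284 hint format and the limitations listed above (this is example code written for this commentary, not code from the RFC or any supplicant), the following parses the display string, applies a conservative realm alphabet, selects a matching configured identity, and works out the MTU capacity limit. It assumes the ';' realm separator shown in the example above, handles only the NAIRealms option, and uses the 1020-octet minimum EAP MTU.

```python
import re
from typing import Optional

# Realm alphabet: the hint realms are limited to [A-Za-z0-9]; '.' and '-' are
# accepted here as well so dotted realm names such as example.com parse.
_REALM_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
EAP_HEADER_AND_TYPE = 5          # Code, Identifier, Length (2 octets), Type
NAI_REALMS_KEY = "NAIRealms="


def parse_identity_hint(type_data: bytes) -> tuple[str, list[str]]:
    """Split an EAP-Request/Identity Type-Data field into the displayable
    message and the NAIRealms hint list, following the example format
    '<message>\\0NAIRealms=realm1;realm2'. A request without a NUL carries no
    hint. Malformed realms are dropped: the hint is unauthenticated and
    precedes any key exchange, so it is a selection aid, not a trust input."""
    message, sep, options = type_data.partition(b"\0")
    text = message.decode("utf-8", errors="replace")
    opts = options.decode("ascii", errors="replace")
    if not sep or not opts.startswith(NAI_REALMS_KEY):
        return text, []          # assumption: only the NAIRealms option is handled
    realms = [r for r in opts[len(NAI_REALMS_KEY):].split(";") if _REALM_RE.match(r)]
    return text, realms


def select_identity(realms: list[str], credentials: dict[str, str]) -> Optional[str]:
    """Pick the configured NAI whose realm appears in the hint list.
    `credentials` maps realm -> NAI; matching is exact and case-insensitive."""
    hinted = {r.lower() for r in realms}
    for realm, nai in credentials.items():
        if realm.lower() in hinted:
            return nai
    return None


def max_realms_per_request(realm_len: int, message: str = "", eap_mtu: int = 1020) -> int:
    """How many realms of a given length fit in one EAP-Request/Identity.
    Assumes the 1020-octet minimum EAP MTU; 20-octet realms give 47, in line
    with the figure of about 50 roaming partners quoted above."""
    fixed = EAP_HEADER_AND_TYPE + len(message.encode()) + 1 + len(NAI_REALMS_KEY)
    available = eap_mtu - fixed
    # n realms joined by ';' occupy n*realm_len + (n-1) octets
    return (available + 1) // (realm_len + 1) if available > 0 else 0


if __name__ == "__main__":
    # Constructed sample request, matching the display string shown above.
    msg, hints = parse_identity_hint(b"Hello!\0NAIRealms=example.com;example.org")
    print(msg, hints, select_identity(hints, {"example.org": "alice@example.org"}))
    print("20-octet realms per request:", max_realms_per_request(20, msg))
```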
Other approaches to address this include:
- The "XML DTD for Roaming Access Phone Book" (RFC 3017 of December 2000) defines a syntax for representing a set of Points of Presence (POPs) for Internet connectivity, including name and contact information of providers, user name prefixes and suffixes, etc.
- Defining a mapping between network names and realm names for data link protocols which advertise network names. For example, the client may have a convention that networks with the SSID "tmobile" should use the T-Mobile credentials set. This doesn't work for IEEE 802.1X EAP on wired Ethernet networks, however, as wired networks don't advertise a SSID.
- The "Certificate Extensions and Attributes Supporting Authentication in PPP and WLAN" (RFC 4334 of February 2006) has a WLAN SSID extension for a usage hint for client certificates. The extension contains a list of SSIDs that "MAY be used to select the correct certificate for authentication in a particular WLAN".
- The Candidate Access Router Discovery (Experimental RFC 4066 of July 2005) enables a mobile node to discover the capabilities of an access router. The PDUs are carried between a router and a node via ICMP.
- The Device Discovery Protocol (draft-maques-ddp-00 of May 2003) allows devices to announce themselves by sending link-level multicasts of SNMP variable bindings.
- IEEE 802.11u (interworking with external networks) "includes a mechanism for enabling a station to determine the identities it can use to authenticate to an access network, prior to associating with that network", and is working on a "Generic Advertisement Service".
- IEEE 802.21 (handover) is developing a mechanism for capability advertisement.
- The IEEE 802.21 basic schema defines an RDF schema (ontology) for networks, operators and access points.
However, these and future approaches will continue to be constrained by limitations of the underlying wired and wireless Ethernet specifications, such as:
- There are scaling issues with IEEE 802.11[a/b/g] beacons with a practical limit of 50 advertised networks, and less than 20 when 802.11b is used, constraining the number of "virtual access points" which can be present.
- Neither IEEE 802.1ab (Station and MAC Connectivity Discovery) nor 802.1af (Authenticated Key Agreement for MAC Security), currently in draft form, is likely to support fragmentation of network advertisement frames.
- EAP-based mechanisms can only be used after the client is associated to the access point.