[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Privacy (Was: Re: NAI decoration: User Identity issues)

To: Barney Wolff <barney@databus.com>
Subject: Privacy (Was: Re: NAI decoration: User Identity issues)
From: Jari Arkko <jarkko@piuha.net>
Date: Fri, 16 Jul 2004 10:13:27 +0300
Cc: Bernard Aboba <aboba@internaut.com>, Avi Lior <avi@bridgewatersystems.com>, radiusext@ops.ietf.org
In-reply-to: <20040715195627.GA89703@pit.databus.com>
Organization: None
References: <F17FB067A86B2D488382C923C532EAA7024A4B9D@exch01.bridgewatersys.com> <Pine.LNX.4.56.0407151203180.5445@internaut.com> <20040715195627.GA89703@pit.databus.com>
Reply-to: jarkko@piuha.net
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316

Barney Wolff wrote:

I guess the question is whether there is a long-term one-to-one relationship between User-Alias and the user's "true" identity. If there is, then attackers can gain information of some value by correlating different accesses resulting in the same User-Alias.


This is an interesting issue. There is a very valid reason for employing
privacy at the network access protocol level (say, in 802.1X/EAP/NAI).
This is primarily to avoid being exposed to other clients on the same
network. Not so much against the service provider.

But I think there is also interest in ensuring some level of protection
against the service provider, or at least parts of it. Clearly, the home
network is going to know who you are. Maybe even the roaming consortium
and the local access network. But I'd rather not reveal my true identity
to the access point on the coffee shop wall. It is in an insecure
environment, often uses a wireless uplink or other weakly protected
physical medium. And if it runs RADIUS, the chances are that its not
running ESP so the contents of any new AVP being returned from the
home network would be relatively easily visible to those who wanted
to look.

On the other hand, there is also a valid business reason for some
intermediaries to relate different sessions to the same entity
so that fixed price model can be applied.

One way to resolve these conflicting requirements is to (a) explain
that the attribute (be it Class or something new) is to be returned
with fixed contents only if the particular business situation
requires it, (b) in the proxy, strip off the attribute from
the packets going to the NAS and insert a Class attribute with
opaque and not-fixed contents instead, and (c) when the accounting
request comes back from the NAS, take away the inserted Class and
replace with the original attribute.

But this is complicated. Feel free to suggests a more optimal
scheme :-)

--Jari

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RE: NAI decoration: User Identity issues
  - From: Avi Lior <avi@bridgewatersystems.com>
- RE: NAI decoration: User Identity issues
  - From: Bernard Aboba <aboba@internaut.com>
- Re: NAI decoration: User Identity issues
  - From: Barney Wolff <barney@databus.com>

Prev by Date: NAIbis effects (Was: Re: NAI decoration: User Identity issues)
Next by Date: Class vs. UserAlias (Was: Re: NAI decoration: User Identity issues)
Previous by thread: Re: NAI decoration: User Identity issues
Next by thread: RE: NAI decoration: User Identity issues
Index(es):
- Date
- Thread