SALSA - NetAuth / FWNA BoF, Spring 2005 Internet2 Member Meeting May 2, 2005

*Attendees*
Kevin Miller, Duke U. (co-chair)
Klaas Wierenga, SURFnet
David Simonsen, UNI-C
Mark Poepping, CMU
Michael Gettes, Duke U.
Heather Flanagan, Duke U.
Chas DiFatta, CMU
Juergen Rauschenbach, DFN-Verein
David Belenky, Merit Network
Russell Dwarshuis, Merit Network
Andy Rosenzweig, Merit Network
Jeff Letourneau, U. Maine
Robert Hartman, DREN
Chris Myers, GrangeNet
Robert Banz, UMBC
Mark Miller, Penn State U.
John Kalbach, Penn State U.
Jim Marsteller, Penn State U.
Rich Crop, Penn State U.
Brandon Saunders, Ohio U.
Rick Keir, U. Wisconsin
John Louis, Kentucky U.
Lonna Sherwin, NPGS
Deke Kassabian, U. Pennsylvania
Tom Scavo, NGSA
Rodney Petersen, EDUCAUSE
Jack Sven, UMBC
Nick Lewis, Internet2
Dan Pritts, Internet2
Chris Heerman, Internet2
Jessica Bibbee, Internet2 (scribe)

*Discussion*
Kevin led the Group through a series of slides pertaining to the current work of the NetAuth and FWNA working groups. The slides from this BoF can be referenced at <http://events.internet2.edu/2005/spring-mm/sessionDetails.cfm?session=2040&event=229>.

The SALSA Federated Wireless NetAuth WG is busy developing use cases and identifying requirements for roaming implementation. The current list of requirements includes security, AuthZ, accounting, and usability - are there others? One consideration that might affect this work is integration with the commercial space. Municipal networks act similarly, if not identically, to commercial roaming. How exactly are access points defined in terms of being owned by a federation or an institution? In the instance of rogue access points, how can a network be secured against them?

An institution may not have its own users roaming to other member institutions, but it would still have justification for joining a federation - if only for the sake of allowing roaming visitors access to its network.

There is a wide range of possible use cases that may have similarities, but will have different layouts. An interesting point was made regarding a "federation of federations", where a user from one institution within one federation could roam to an institution belonging to a separate federation. Another situation might exist where professors (administrators, etc.) would have a need to "turn off wireless access" for certain students in certain areas. What is the impact of such a use case?

There was discussion about how trust models will interact, and how policy is applied. The Group is still looking to identify and differentiate between use cases with different sets of policy or access issues. In order to clarify subtleties between similar-looking use cases, emphasis will be placed on distinguishing their major technical points.

The SALSA-NetAuth roadmap v0.9 includes published drafts of a Futures document, a Strategies document, a Prerequisites document that is on hold, and finally the work of the FWNA subgroup. Is the Futures document forward-looking enough? The Group is still looking to make any necessary changes, address commonalities of existing policy enforcement systems, and move forward with these documents. Discussion of the Architectures document led to a question about the L2INIT state, and whether it could go directly to the compliant/incompliant states - there was general agreement that this did not need changing.

Discussion of the State Transitions addressed the actual flow of states, and there was a suggestion that the term "Final State" would be more appropriate than the currently defined "Stable State".

How would the system apply in the case of a network supplying partial network activity? For example, the "Final State" is connected to a VRF that limits access to a particular network. The answer might be that the system itself is a collection of policy applications. But are these states generic enough (or not specific enough) to encompass policy application through a particular technology?

Is there value in looking at the perspective of user flow? Discussion followed about how the scene changes with user-based networking, as the model focuses primarily on a host changing states. Would the model reflect a change in respective policy, based on the fact that the user is connected to the host? Is there a possibility to change dynamically on a per-flow or per-packet basis?

There will be a track session on the activities of the SALSA-NetAuth and FWNA working groups on May 3, 2005, at the Internet2 Member Meeting. The slides for this session can be viewed at <http://events.internet2.edu/2005/spring-mm/sessionDetails.cfm?session=1983&event=229>.

The next SALSA-NetAuth conference call will be Thursday, May 12, 2005 at 12:00 pm ET. The next SALSA-NetAuth FWNA conference call will be on Thursday, May 19, 2005 at 11:00 am ET. Refer to the WGs' home pages at <http://security.internet2.edu/netauth/> and <http://security.internet2.edu/fwna/> for more information.