This document addresses the need to authorize both PKI and PSK ciphersuites in CAPWAP networks. It proposes a unified approach for identity handling, including CAPWAP_Identity assignment and PSK_Hint transmission. The pros and cons of this approach are discussed, highlighting the benefits and challenges it may pose. Additionally, a split approach for handling certificates and PSKs is suggested, along with potential key name formats for PSKs. However, complex back-end authorization services may be required to manage diverse identity types effectively.
DTLS Identities
Charles Clancy
25 January 2007
CAPWAP Interim
Problem
• Need to authorize and authenticate both PKI and PSK ciphersuites
• Certificates by default have identities
• PSKs do not
• Need identity to do authorization
• During PSK auth:
  • AC sends PSK_Hint
  • WTP sends PSK_Identity
Unified Approach
• Approach:
  • CAPWAP_Identity = MAC @ DOMAIN
  • CN = CAPWAP_Identity (AC or WTP)
  • PSK_Hint = CAPWAP_Identity (AC)
  • PSK_Identity = CAPWAP_Identity (WTP)
• Pros:
  • Can do ACLs like (* @ DOMAIN)
  • Can specify NULL domain (mfgr provisioned certs)
• Problem:
  • Not normal cert handling (O/OU specify domain)
  • Network-wide PSKs – need mapping on AC for all WTPs
Split Approach
• Certs
  • CN = MAC
  • O/OU = Administrative Domain
• PSKs Identity and Hint
  • Some preformatted key name
    • Maybe KeyName = Hash(PSK || “CAPWAP PSK”)
  • Leave unspecified
    • Provision key name with the PSK
• Drawback
  • Need more complex back-end authorization service to handle multiple different types of identities
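The following is an added example, not code from the slides: it works through the MAC @ DOMAIN identity and the (* @ DOMAIN) ACL rule of the unified approach, and the Hash(PSK || "CAPWAP PSK") key-name format of the split approach. It assumes an empty string after "@" represents the NULL domain, and SHA-256 as the hash, since the deck names neither.

```python
import hashlib
import re

# Added example (not from the slides): the two identity layouts proposed in the deck.
# Unified approach: CAPWAP_Identity = MAC@DOMAIN serves as cert CN, PSK_Hint and PSK_Identity.
# Assumption: an empty string after "@" represents the NULL (manufacturer-provisioned) domain.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def capwap_identity(mac, domain=""):
    """Build MAC@DOMAIN, lower-cased; raises ValueError on a malformed MAC."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return "%s@%s" % (mac, domain.lower())

def parse_identity(identity):
    """Split MAC@DOMAIN into (mac, domain); raises ValueError if malformed."""
    mac, sep, domain = identity.lower().partition("@")
    if not sep or not MAC_RE.match(mac):
        raise ValueError("malformed CAPWAP_Identity: %r" % identity)
    return mac, domain

def acl_allows(acl, identity):
    """ACL entries are exact identities or '*@DOMAIN' (the deck's '* @ DOMAIN' rule)."""
    mac, domain = parse_identity(identity)
    for entry in acl:
        if entry.startswith("*@"):
            entry_mac, entry_domain = "*", entry[2:].lower()
        else:
            entry_mac, entry_domain = parse_identity(entry)
        if entry_domain == domain and entry_mac in ("*", mac):
            return True
    return False

# Split approach: PSK_Identity is a preformatted key name, KeyName = Hash(PSK || "CAPWAP PSK").
# The deck leaves the hash unspecified; SHA-256 is assumed here.
def psk_key_name(psk):
    return hashlib.sha256(psk + b"CAPWAP PSK").hexdigest()

def provision_psk(store, psk):
    """Store a PSK under its key name so the AC can resolve the WTP's PSK_Identity later."""
    name = psk_key_name(psk)
    store[name] = psk
    return name

def lookup_psk(store, psk_identity):
    """AC side: map the PSK_Identity received from the WTP to its PSK, or None if unknown."""
    return store.get(psk_identity)
```

Because the PSK identity travels unencrypted in the DTLS handshake, a key name derived from the PSK alone lets a passive observer check guesses of a low-entropy PSK offline; the deck's other option, provisioning an independent key name together with the PSK, avoids that.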