Directory Enabled Networking
A growing number of applications used in research and education do
not offer sufficient authentication mechanisms. Many of these
applications are hard to protect against unwanted contacts such as
denial of service attacks. Moreover, some services are built on
several applications that each require their own log-on procedure. It
would be preferable to have a single log-on procedure that simplifies
use from an end user perspective and improves security from an
administrator perspective. In order to be able to use a standardized
procedure we propose to shift some security aspects from the
application to the network. We think that Directory Enabled Network
(DEN) devices (switches) are the right tools to implement such
a procedure. Ideally, several DEN devices should be able to
work together. In general this means that if switch A trusts switch B,
a user who wants to reach a server behind switch A should only need
to log on to switch B.
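As an added illustration of the scheme sketched above (not code from the project), the following model shows the access decision a DEN switch would make: the user logs on once at switch B, switch A accepts that log-on because it trusts B, and the directory policy then decides which servers behind A the user may reach. The credential store, the policy table, the switch and user names and the rule that trust is direct and one-way are all assumptions made for this example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for the data the switches would read from the
# LDAP directory: log-on credentials and the servers each user may reach.
CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}
ACCESS_POLICY = {"alice": {"lecture-server"}, "bob": set()}


@dataclass
class Switch:
    name: str
    servers: set                                # servers directly behind this switch
    trusted: set = field(default_factory=set)   # names of switches whose log-ons are accepted
    sessions: set = field(default_factory=set)  # users currently logged on at this switch

    def log_on(self, user: str, password: str) -> bool:
        """Single log-on at this switch; the password is compared in constant time."""
        expected = CREDENTIALS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.sessions.add(user)
        return True


def check_access(user: str, entry: Switch, target: Switch, server: str) -> str:
    """Decide whether `user`, logged on at `entry`, may reach `server` behind `target`.
    Returns 'allowed' or the reason for refusal. Trust is taken as direct and
    one-way (assumption): A trusting B says nothing about B trusting A, nor
    about switches that B in turn trusts."""
    if server not in target.servers:
        return "server not behind target switch"
    if user not in entry.sessions:
        return "no log-on at entry switch"
    if target is not entry and entry.name not in target.trusted:
        return f"switch {target.name} does not trust switch {entry.name}"
    if server not in ACCESS_POLICY.get(user, set()):
        return "directory policy denies access"
    return "allowed"


def scenario() -> dict:
    """Switch A trusts B but not C; alice logs on at B only, bob at C only."""
    a = Switch("A", {"lecture-server"}, trusted={"B"})
    b = Switch("B", set())
    c = Switch("C", set())
    b.log_on("alice", "correct horse")
    c.log_on("bob", "battery staple")
    return {
        "alice via B": check_access("alice", b, a, "lecture-server"),
        "alice via C": check_access("alice", c, a, "lecture-server"),
        "bob via C": check_access("bob", c, a, "lecture-server"),
        "bad password": b.log_on("bob", "wrong"),
    }
```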
In this project we specify the interaction of such devices
with client/server applications. Switches that can implement policies
already exist, and switches that can read these policies from an
(LDAP) database are (at least) in development. Together with
manufacturers we will look at the changes that would have to be made
to DEN switches and the policies they can implement in order to meet
the challenges described above.
If and when suitable
switches are available we will build a test environment for a distance
learning application.
Some important links
The DEN standard is defined by the “Distributed Management Task Force”,
the DMTF.
A definition of Directory Enabled Networking can be found at the
DEN Working Group
of the DMTF. According to the information on the
DEN Initiative home page,
most, if not all, of the DEN specification should be completed
by the end of 2001.
A standard that is also relevant for this project is the
IEEE
802.1x Port-Based Network Access Control standard. This standard
is developed under the authority of the
IEEE 802 LAN/MAN Standards Committee.
It should be finalised by the end of 2001 or the beginning of 2002.
Acknowledgement
This work is carried out in co-operation with and supported by
SURFnet.
We would like to thank SURFnet for kindly sponsoring this work.