Feature #5861

open

extend charon with external authentication interface

Added by laforge about 1 year ago. Updated about 2 months ago.

Status: In Progress
Priority: Urgent
Assignee:
Target version: -
Start date: 01/17/2023
Due date:
% Done: 0%


Description

Right now there's a charon plugin for eap-aka. It uses a local CSV file for storage of K/OP values, and it assumes it can synchronously access that and use it to derive AUTN challenges. So basically it includes a mini-hss/hlr.

We need to modify/replace that with a system where we get an asynchronous request for authentication over some external interface (currently called CEAI in my diagram at EPDG_implementation_plan), like a unix domain socket. Charon then needs to wait until whatever external application has obtained auth tuples, and proceed with EAP-AKA only once a tuple has been received.

This can be developed and tested independently of the actual ePDG by implementing a small stub program that for example reads key material from a local CSV file (again), or possibly even by asking osmo-hlr via GSUP (we do have all the related libraries in place for C and Python, AFAIR). So the latter might actually be easier than the CSV approach, where again one needs to do key derivation etc.
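
The request/wait/proceed flow described in this ticket, as an added example that is not part of the original issue or of any project code: a stub backend on a unix domain socket and a client that only gets a tuple if the backend answers in time. The `AUTH`/`TUPLE`/`FAIL` line format, the socket name `ceai.sock`, and the CSV of precomputed tuples (instead of deriving them from K/OP) are assumptions, and all values are constructed.

```python
import asyncio, csv, io, os, tempfile
# Constructed sample vectors (made-up values). A real stub would derive them
# from K/OP or ask an HLR; the AUTH/TUPLE/FAIL line format is hypothetical.
VECTORS_CSV = """imsi,rand,autn,xres,ck,ik
001010000000001,00112233445566778899aabbccddeeff,0f0e0d0c0b0a09080706050403020100,a1b2c3d4e5f60718,11111111111111111111111111111111,22222222222222222222222222222222
"""
FIELDS = ("rand", "autn", "xres", "ck", "ik")
VECTORS = {r["imsi"]: r for r in csv.DictReader(io.StringIO(VECTORS_CSV))}
CASES = (("001010000000001", 2.0), ("999990000000000", 2.0), ("001010000000001", 0.01))

async def handle(reader, writer):
    """Stub backend: one 'AUTH <imsi>' request line per connection."""
    try:
        parts = (await reader.readline()).decode("ascii", "replace").split()
        imsi = parts[1] if len(parts) == 2 and parts[0] == "AUTH" else ""
        await asyncio.sleep(0.05)  # stands in for the slow external lookup
        # Validate the identity before using it as a lookup key.
        row = VECTORS.get(imsi) if imsi.isdigit() and len(imsi) <= 15 else None
        reply = "TUPLE " + " ".join(row[f] for f in FIELDS) if row else "FAIL"
        writer.write((reply + "\n").encode())
        await writer.drain()
    except (OSError, ValueError):
        pass  # requester gave up, or the request line was oversized
    finally:
        writer.close()

async def request_tuple(path, imsi, timeout=2.0):
    """Requesting side: wait for a tuple; None means do not start EAP-AKA."""
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_unix_connection(path), timeout)
    except (OSError, asyncio.TimeoutError):
        return None
    try:
        writer.write(f"AUTH {imsi}\n".encode())
        await writer.drain()
        line = await asyncio.wait_for(reader.readline(), timeout)
    except (OSError, asyncio.TimeoutError):
        return None
    finally:
        writer.close()
    parts = line.decode("ascii", "replace").split()
    ok = len(parts) == 1 + len(FIELDS) and parts[0] == "TUPLE"
    return dict(zip(FIELDS, parts[1:])) if ok else None

def demo():
    async def run():  # known IMSI, unknown IMSI, backend slower than the timeout
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "ceai.sock")
            async with await asyncio.start_unix_server(handle, path):
                return [await request_tuple(path, i, t) for i, t in CASES]
    return asyncio.run(run())
```

`demo()` returns the tuple for the known IMSI and `None` for both the unknown IMSI and the timed-out request, so a missing or late backend answer never lets authentication proceed.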


Related issues

Related to osmo-ePDG - VoWifi Evolved Packet Data Gateway - Bug #5868: Create a proof-of-concept to forward traffic from IPsec into a GTP tunnel (Closed, 01/21/2023)
