Subject: Re: Issue 204: Peer-to-peer operation
From: Nick Petroni (npetroni
Date: Tue, 25 Nov 2003 08:03:01 -0600 (CST)
> As noted in the IEEE 802.1XD7.1 ballot resolution, comment 15, the current
> EAP SMs do not fully support peer-to-peer operation.

I am not completely convinced of this. It seems to me what you are asking for here is for EAP to provide two signals indicating the success of authentication in each direction. This is not how I read the model of 2284bis. I would argue that the use of a method providing mutual authentication still requires EAP to provide only one answer to the conversation. It is possible to require mutual authentication before Success and even to guarantee that answer with protection, but I do not see a reason for the lower layer to get an explicit "mutual authentication" signal. If mutual authentication is required and it was not obtained then success (the signal, not the packet) will never follow for a properly configured peer.

> The current EAP Peer SM does not provide a mechanism for the EAP method to
> signal to EAP and the lower layer that mutual authentication has been
> achieved.

I disagree. If you require mutual authentication then EAP Success is this indication.

> In addition, the EAP authenticator SM does not provide a mechanism for the
> EAP layer to indicate to the lower layer that a protected result
> indication has been received from the peer, indicating that the peer has
> authenticated the authenticator.

Hmm, this one is slightly more interesting, but I have no idea how the backend would ever alert the passthrough of this. Still, I think it is possible to say that if mutual authentication is required and not achieved then the decision will be fail.

> Similarly, the EAP Peer SM does not provide a mechanism for the EAP layer
> to indicate to the lower layer that a protected result indication has been
> received from the authenticator, indicating that the Authenticator has
> authenticated the peer.

I disagree with this too. 2284bis states that the only thing which can follow a protected success/failure is an unprotected version of the same. The EAP Success indication is therefore sufficient to indicate success. If a protected indication is required the peer policy should reflect this and the SUCCESS state will not be reached until it comes.

I disagree that peer-to-peer is not supported. I would agree that the specific interface is not provided for two signals, but I would like to understand better why those signals are needed. Also, a suggestion for where these signals would go and who sets them might help me understand this issue better.

Thanks,
nick
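The argument in the reply above, that a single EAP decision is enough because peer policy (mutual authentication required, protected result required) gates when SUCCESS is reached, as an added toy model that is not part of this thread or of any EAP implementation. The policy field names, event kinds and the choice to treat a contradicting unprotected result as a failed conversation are this example's own assumptions, not text from 2284bis.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PeerPolicy:
    """Hypothetical peer policy knobs (names are this example's, not the RFC's)."""
    require_mutual_auth: bool = False
    require_protected_result: bool = False

def peer_decision(policy: PeerPolicy, events: List[Tuple[str, object]]) -> str:
    """Fold the events the peer sees into one decision: SUCCESS, FAILURE or PENDING.

    Constructed event kinds:
      ("method_mutual_auth", bool)               method finished; did it mutually authenticate?
      ("protected_result", "success"|"failure")  protected result indication from the method
      ("eap_packet", "Success"|"Failure")        bare EAP Success/Failure packet
    """
    mutual_auth = False
    protected: Optional[str] = None
    unprotected: Optional[str] = None
    for kind, value in events:
        if kind == "method_mutual_auth":
            mutual_auth = bool(value)
        elif kind == "protected_result":
            protected = str(value)
        elif kind == "eap_packet":
            pkt = str(value).lower()
            # Only an unprotected copy of the same result may follow a protected
            # one; a contradicting packet is treated here as a failed conversation.
            if protected is not None and pkt != protected:
                return "FAILURE"
            unprotected = pkt
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if "failure" in (protected, unprotected):
        return "FAILURE"
    # Mutual auth required but not achieved: success (the signal) never follows.
    if policy.require_mutual_auth and not mutual_auth:
        return "FAILURE" if (protected or unprotected) else "PENDING"
    # Protected indication required: the SUCCESS state is not reached until it arrives.
    if policy.require_protected_result and protected != "success":
        return "PENDING"
    if "success" in (protected, unprotected):
        return "SUCCESS"
    return "PENDING"
```

The lower layer only ever sees the single decision, which is the point of the reply: the second "direction" of authentication is enforced by policy before SUCCESS, not reported as a separate signal.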