Re: Discrepancies between 802.1XREV and RFC 2248bis
From: Jari Arkko (jari.arkkopiuha.net)
Date: Wed, 21 Jan 2004 03:17:05 -0500 (EST)
Jim,

Your list looks good to me.

--Jari

I believe the points we want to make in 6.7 are the following:
.1X is an asymmetric transport protocol (it has two separate roles). It is asymmetric due to history when only the authenticator had a controlled port.
Now that both the supplicant and authenticator have a controlled port, the asymmetry of the .1X transport does not disallow a mutual authentication EAP method from doing a bi-directional authentication over the .1X transport.
There are some idiosyncrasies of the asymmetric nature of the .1X transport, the main one being that two simultaneous authentications can be run if both .1X machines are implemented and both must complete successfully for the controlled port to be unblocked.
There are reasons that you may want to utilize two simultaneous authentications, as described in section 2.4 of 2284 (as well as some of the verbiage in 6.7).
It should be made clear that two coupled one-way authentications do not provide the same security as a single mutual authentication.
Each application should define which roles of the .1X state machines each device is to implement as well as the class of EAP methods (mutual authenticating or unidirectional authentication or both) that are required.
One must be careful of certain combinations of the number of machines, and be aware that a device with both .1X machines encountering a device with just the .1X authenticator will result in an asymmetric network connection (controlled port open on one device and closed on the other). I have a table that defines all the cases clearly.
--------------------------
Known uses are: 802.11 infrastructure: 1 supplicant on client and 1 authenticator on AP using mutual authenticating EAP methods.
802.11 adhoc: Each adhoc station should run both supplicant and authenticator with key generating EAP methods. The key used for group key is from the highest numbered MAC address.
802.1 bridges: Both supplicant and authenticator with special variable that makes controlled port controlled only by authenticator enabled. EAP method type not defined.
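The combination-of-machines table that Jim refers to above can be reproduced from the rules stated in the message. The following model is an added example written for this archive page, not code from the thread or from IEEE 802.1X; it assumes a simplified view in which a device's controlled port unblocks only when every .1X state machine it implements (supplicant and/or authenticator) has authenticated, a supplicant can only authenticate against a peer authenticator and vice versa, and an optional flag (standing in for the "special variable" of the bridge case) makes only the authenticator machine control the port. Whether each EAP exchange succeeds is an input; by default every possible exchange succeeds, which is what produces the asymmetric open/closed result for a both-machines device facing an authenticator-only device.

```python
"""Model of 802.1X controlled-port outcomes between two peer devices.

Added example (not from the thread). Rules encoded, as stated above:
- a device's controlled port unblocks only when every .1X state machine
  it implements (supplicant and/or authenticator) has authenticated;
- a supplicant machine can only authenticate with a peer authenticator,
  and an authenticator machine only with a peer supplicant;
- port_by_authenticator_only is a hypothetical stand-in for the bridge
  "special variable" that lets only the authenticator control the port.
"""
from dataclasses import dataclass
from itertools import product

SUPPLICANT = "supplicant"
AUTHENTICATOR = "authenticator"


@dataclass(frozen=True)
class Device:
    name: str
    roles: frozenset                           # subset of {SUPPLICANT, AUTHENTICATOR}
    port_by_authenticator_only: bool = False   # hypothetical bridge flag


def exchange_ok(supplicant_dev, authenticator_dev, outcomes):
    """True if an EAP exchange between supplicant_dev's supplicant machine and
    authenticator_dev's authenticator machine can exist and succeeded.
    outcomes maps (supplicant name, authenticator name) -> bool; default True."""
    if SUPPLICANT not in supplicant_dev.roles:
        return False
    if AUTHENTICATOR not in authenticator_dev.roles:
        return False
    return outcomes.get((supplicant_dev.name, authenticator_dev.name), True)


def port_open(dev, peer, outcomes=None):
    """Controlled port of dev is unblocked only if every machine that
    controls it has authenticated against the matching machine on peer."""
    outcomes = outcomes or {}
    machines = set(dev.roles)
    if dev.port_by_authenticator_only:
        machines = {AUTHENTICATOR} & dev.roles
    if not machines:
        return False  # no machine can ever authorize this port
    for m in machines:
        if m == SUPPLICANT and not exchange_ok(dev, peer, outcomes):
            return False
        if m == AUTHENTICATOR and not exchange_ok(peer, dev, outcomes):
            return False
    return True


def link_state(a, b, outcomes=None):
    """Return (a_port_open, b_port_open, symmetric)."""
    a_open = port_open(a, b, outcomes)
    b_open = port_open(b, a, outcomes)
    return a_open, b_open, a_open == b_open


def label(roles):
    # 'S', 'A' or 'A+S'
    return "+".join(sorted(r[0].upper() for r in roles))


def role_table():
    """Every combination of implemented machines on A and B, assuming all
    possible exchanges succeed. Keyed by (A label, B label)."""
    combos = [frozenset({SUPPLICANT}), frozenset({AUTHENTICATOR}),
              frozenset({SUPPLICANT, AUTHENTICATOR})]
    rows = {}
    for ra, rb in product(combos, repeat=2):
        rows[(label(ra), label(rb))] = link_state(Device("A", ra), Device("B", rb))
    return rows


if __name__ == "__main__":
    print("A machines  B machines  A port  B port  symmetric")
    for (la, lb), (ao, bo, sym) in role_table().items():
        print(f"{la:<11} {lb:<11} {'open' if ao else 'closed':<7} "
              f"{'open' if bo else 'closed':<7} {sym}")
```

Running the script prints the nine-row table; the row for A implementing both machines against an authenticator-only B shows A closed and B open, the asymmetric connection the message warns about. Passing an outcomes dict with one failed direction for the ad hoc case (both devices running both machines) closes both ports, reflecting that both authentications must complete.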