RE: EAP Proxy question in context of 802.16e
From: Avi Lior (avibridgewatersystems.com)
Date: Mon, 21 Mar 2005 22:20:09 -0500 (EST)
Hi Sanjay,
 
Not sure about 4-party model and comparison to PANA.  Not sure about the relevance of PANA to this.
 
Seems that the authenticator is in the Gateway - I don't see a problem with that.  I would imagine that this is very close to the CAPWAP model and other similar architectures where you have a Peer ---- a RADIO NETWORK  --- an antenna receiver ---- transport  ---- Access Router or Gateway -----  AAA infrastructure ----- Authenticator Server.
 
Proxying the EAP payload should not be a problem if you meet certain precautions. For example on the AAA side the EAP message may travel over AAA protocol (RADIUS or DIAMETER) over many proxies.  While the proxies are transparent they do have to follow some security procedures.  For example, in RADIUS we have to make sure that the messages are integrity protected etc.
-----Original Message-----
From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri [at] motorola.com]
Sent: Monday, March 21, 2005 5:44 PM
To: 'Bakshi, Sanjay'; eap [at] frascone.com
Cc: Nakhjiri Madjid-MNAKHJI1
Subject: RE: [eap] EAP Proxy question in context of 802.16e

Hi Sanjay,

 

As far as I know, EAP is a 3-party model with the authenticator/ NAS sitting on the edge of layer 2 link and dealing with the other side through a AAA protocol. Is there a reason you don't want the BS to not act as a AAA client?

 

What you are describing is a 4-party model, which sort of sounds like the PANA model. But PANA seems to be suggested for scenarios where there is nothing to carry the EAP signaling over layer 2 protocols.

 

I looked at the 16e spec. From the spec it seems that both PKMv1 and PKMv2 support EAP and supposedly PKM-req and response messages can carry EAP messages. I do have issues with the codes defined for EAP messages. It seems that messaging creates some layer pollution, since they seem to define different codes for different EAP messages within the PKM layer that is supposed to be below EAP layer.

 

Regards,

 

Madjid

 

-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf Of Bakshi, Sanjay
Sent: Sunday, March 20, 2005 3:28 PM
To: eap [at] frascone.com
Subject: [eap] EAP Proxy question in context of 802.16e

 

Hello,

I have a question in context of application of EAP to 802.16e network.

 

Following figure shows the typical application of EAP to an 802.16e based network

 

EAP-method                                       EAP-method
EAP                EAP    EAP                    EAP
PKMv2              PKMv2  RADIUS                 RADIUS
------------       --------------------          ----------
MSS/EAP_peer       BS/EAP_Authenticator          AS

 

802.16e defines PKMv2 as the encapsulation protocol for carrying EAP messages between MSS (802.16e Mobile Subscriber Station) and BS (802.16e Base Station). BS acts as the RADIUS client and forwards the EAP messages to the AS and vice-versa.

 

In order to better handle mobility, following is an alternative way of applying EAP model that is being considered: -

 

EAP-method                                                     EAP-method
EAP             EAP   EAP        EAP EAP                       EAP
PKMv2           PKMv2 ???        ??? RADIUS                    RADIUS
------------    ------------     -------------------------     -----------
MSS/EAP_peer    BS/EAP_Proxy     Gateway/EAP_Authenticator     AS

 

Basically, in the context of EAP in this model BS acts as a relay and implements two functions.

 1. On uplink BS removes EAP PDUs from the PKMv2 encapsulation, encapsulates them in a "to be defined" encapsulation and forwards them to the Gateway which is a RADIUS client.

 2. On downlink BS removes EAP PDUs from a "to be defined" encapsulation, encapsulates them in PKMv2 and forwards them to the MSS.

 

BS does not implement any Authenticator functions. Assuming that appropriate encapsulation protocol is defined between BS and Gateway, does this model break any assumptions of EAP's 3-party model? Is it legal from EAP perspective?

 

Thanks,

-- Sanjay
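
The RADIUS integrity protection mentioned in the first reply is, for EAP carried in RADIUS, the Message-Authenticator attribute of RFC 3579: an HMAC-MD5 over the whole packet, keyed with the shared secret of that hop. The Python sketch below is an added example, not part of the thread; the shared secret, the identity string and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RFC 2865 / RFC 3579
SECRET = b"constructed-hop-secret"  # constructed sample value, one secret per hop


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(ident: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: code 2, identifier, length, type 1, identity."""
    return struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity


def build_access_request(ident: int, eap_packet: bytes, secret: bytes) -> bytes:
    """Access-Request carrying one EAP packet, with Message-Authenticator last."""
    attrs = attr(EAP_MESSAGE, eap_packet) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # computed over zeroed value
    return packet[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed; False if absent or wrong."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += a_len
    return False  # EAP-Message without Message-Authenticator is discarded
```

Because the secret is shared per hop, each RADIUS proxy on the path verifies the attribute with the upstream secret and recomputes it with the downstream one before forwarding.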

 
