Subject: RE: [Fwd: Re: [eap] EAP Proxy question in context of 802.16e]
From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Tue, 22 Mar 2005 17:11:44 -0500 (EST)
Hi,

Comments inline.

Regards,
Madjid

-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf Of Bakshi, Sanjay
Sent: Tuesday, March 22, 2005 12:22 PM
To: Dondeti, Lakshminath
Cc: eap [at] frascone.com
Subject: RE: [Fwd: Re: [eap] EAP Proxy question in context of 802.16e]

Hi Lakshminath,

Please see my comments.

Thanks,
sanjay

<snip>
>>>
>>> A few questions to set the stage for this discussion:
>>>
>>> 1. The EAP keying framework already defines (Section 2.3 in
>>> eap-keying-05 for instance) a key derivation mechanism to facilitate
>>> fast handoff. Specifically, there are key derivation functions defined
>>> for multiple APs or the 16e case BSs. However, that I-D does not
>>> separate the Authenticator and the BS/AP functionality.

[<<sbakshi>>] You are correct, but this is still in the draft state and I am not aware of any existing implementations today. Also, I am not sure if there have been any studies done with respect to how many authenticators can be supported in this manner. If the authenticator is on the BS, then the AAA server needs to be aware of and have trust relationships with all the BSs.

Madjid>> As far as I understand, there are many EAP-based authentication methods out there that are using the 3-party model, and I have never heard of an EAP implementation that has two hops from peer to NAS. If the BS is not in touch with the AAA server, and the authenticator is, then how does the AAA server know what BSs the authenticator has trust with? Also, the TBD part of the Authenticator-BS protocol would be interesting. You can't use RADIUS or Diameter, because otherwise the 4-party model would be pointless, and you can't use 802.16 L2, since it is backhaul. So how can 802.16 specify an EAP model that does not have a protocol from its BS to the server? If you do use RADIUS anyway, then you run into the proxy-chaining security problem for RADIUS.

>>>
>>> Q: Why is that model insufficient in the 16e architecture? What is the
>>> reasoning behind separating the BS and the Authenticator functionality
>>> and what is the relationship between the Authenticator and the BS? I
>>> am curious as to which entity holds which keys and how are keys
>>> delivered between the 4 entities.

[<<sbakshi>>] Firstly, I am not clear if there are 4 entities if the BS is just a relay from an EAP messaging perspective. I have heard differing opinions on this and would like a definitive answer to that. Per my understanding of section 1.4.1, EAP has to be media independent. It just has some assumptions on the underlying layer, and as long as those are met it should not matter how EAP is carried. I don't think the model defined in eap-keying-05 is insufficient, but I have some questions about its scalability and actual existing deployments.

Madjid>> It is media independent, but it does not say it is "number-of-hop" independent.

<snip>
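The per-AP/BS key derivation that the thread refers to (one key per BS derived from the key the EAP exchange exports, with the authenticator separate from the BS), as an added illustration of which entity ends up holding which key. This is not code from the thread or from eap-keying-05: the counter-mode HMAC-SHA256 KDF, the label "BS key", and the names `Authenticator`, `BaseStation`, `peer_key_for_bs` and `handoff_demo` are assumptions made for the example. It models only key possession and local re-derivation at handoff; the authenticator-to-BS transport that the thread calls TBD is deliberately not modelled.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes of per-BS key to derive (assumed length, not from the draft)


def kdf(root: bytes, label: bytes, context: bytes, length: int = KEY_LEN) -> bytes:
    """Counter-mode HMAC-SHA256 KDF (illustrative; not eap-keying-05's function).

    Each output block is HMAC(root, counter || label || 0x00 || context || length),
    so different contexts (here: BS identifiers) yield independent keys, and a
    party that holds one derived key cannot recover the root or a sibling key.
    """
    out = b""
    counter = 1
    while len(out) < length:
        msg = (counter.to_bytes(4, "big") + label + b"\x00"
               + context + length.to_bytes(4, "big"))
        out += hmac.new(root, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Authenticator:
    """Stand-alone authenticator of the 4-party model under discussion.

    Holds the root key exported by the EAP exchange (the key the AAA server
    delivers) and issues each BS only the key derived for that BS.
    """

    def __init__(self, root_key: bytes):
        self._root = root_key
        self.issued = {}  # bs_id -> derived key, for inspection only

    def key_for_bs(self, bs_id: str) -> bytes:
        key = kdf(self._root, b"BS key", bs_id.encode())
        self.issued[bs_id] = key
        return key


class BaseStation:
    """A BS that sees only its own derived key and never the root."""

    def __init__(self, bs_id: str, key: bytes):
        self.bs_id = bs_id
        self._key = key

    def protect(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.protect(msg), tag)


def peer_key_for_bs(root_key: bytes, bs_id: str) -> bytes:
    """The peer holds the same root after EAP, so at handoff it derives the
    target BS's key locally instead of running EAP again."""
    return kdf(root_key, b"BS key", bs_id.encode())


def handoff_demo(root_key: bytes) -> dict:
    """Move a peer across two BSs behind one authenticator; report what holds."""
    auth = Authenticator(root_key)
    bs1 = BaseStation("bs-1", auth.key_for_bs("bs-1"))
    bs2 = BaseStation("bs-2", auth.key_for_bs("bs-2"))
    msg = b"constructed handoff message"  # constructed sample payload
    tag_from_peer = hmac.new(peer_key_for_bs(root_key, "bs-1"),
                             msg, hashlib.sha256).digest()
    return {
        # peer and bs-1 agree on a key without another round trip to AAA
        "peer_matches_bs1": bs1.verify(msg, tag_from_peer),
        # bs-2 holds a different key, so it does not accept bs-1 traffic
        "bs2_rejects_bs1_tag": not bs2.verify(msg, tag_from_peer),
        # the authenticator handed out two distinct keys
        "keys_distinct": auth.issued["bs-1"] != auth.issued["bs-2"],
    }


if __name__ == "__main__":
    # constructed root key standing in for the key an AAA server would export
    print(handoff_demo(secrets.token_bytes(64)))
```

The point the code makes concrete is the one Lakshminath's question turns on: in this split, only the authenticator and the peer ever hold the root, each BS holds a key it cannot relate to any other BS's key, and a handoff between BSs under the same authenticator needs no further contact with the AAA server. How the authenticator gets the derived key to the BS securely is exactly the gap Madjid points at, and nothing here fills it.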