| Re: Basic facts about EAP | <– Date –> <– Thread –> |
From: Artur Hecker (hecker enst.fr)
|
|
| Date: Fri, 29 Apr 2005 11:43:38 -0400 (EDT) | |
hi
just some (pretty evident) thoughts on it:
Jari Arkko wrote:
I'd agree on (optional) AAA. However for the rest it might be better to use a higher abstraction level. For instance, I wouldn't restrict this "unnamed system" to network access issues only. I also don't really see why PANA would be strictly L3 and not e.g. L4 or higher :-) (since it uses EAP over UDP on the service link).
Perhaps we could talk about a "service access control system" instead. The service might be a network link with certain parameters (e.g. 802.11 link with encryption, QoS, whatever else), an L3 service (e.g. IP obtained e.g. over PANA), an application layer service (there were some proposals for EAP in SIP or EAP in HTTP, etc., I think others might follow since it is a good idea to use established authentication protocols like the standard EAP methods), or anything else.
In this view, EAP appears as a pure user-service authentication protocol. Indeed, EAP does not specify any machine-bound identity, so e.g. "network access" appears to be too special or too low. "User" is an abstract name pointing to the "accessing entity", "supplicant" or "access requestor"; it can be virtually anything, depending on the used service (which appears perfect). Note that in that particular context, "user" is also might better than the mentioned "client", because "client" is often confused with an NAS. (Btw, "NAS" is a particularly bad name: it is typically used in the context of AAA protocols where, strictly spoken, this entity is everything but a server; NAS is only a Network Access Server from the point of view of the _user_, who however is out of scope of the AAA protocol that itself is a two-party protocol).
So, EAP is used between the service requesting and the service providing entities (user and service provider?). Of course, the service providing entity may relay the requests to somebody else since EAP does not use any form of addressing. However, it is a service provider internal treatment; logically the service requestor is unaware of this difference. In that sense, I'd agree with Glen that, unless some special EAP method is used, the separation of the NAS and the AAA backend is completely transparent for the user.
Historically, AAA is just a convenient way to centralize the administration of the dispersed NASes :-)
just some (pretty evident) thoughts on it:
Jari Arkko wrote:
I usually refer to the system as the "network access control system", though this works only when EAP is used where it was originally intended to be used. The system consists of clients, NASes, proxies, and servers, and has three main protocols:
- First hop, either on L2 (e.g. 802.11i) or L3 (e.g. PANA, IKEv2) - AAA, running between NASes and servers in a fashion where the existence of the proxies is visible and known to the protocol - EAP, running between the client and the servers, unaware of NASes unless channel bindings are being provided
I'd agree on (optional) AAA. However for the rest it might be better to use a higher abstraction level. For instance, I wouldn't restrict this "unnamed system" to network access issues only. I also don't really see why PANA would be strictly L3 and not e.g. L4 or higher :-) (since it uses EAP over UDP on the service link).
Perhaps we could talk about a "service access control system" instead. The service might be a network link with certain parameters (e.g. 802.11 link with encryption, QoS, whatever else), an L3 service (e.g. IP obtained e.g. over PANA), an application layer service (there were some proposals for EAP in SIP or EAP in HTTP, etc., I think others might follow since it is a good idea to use established authentication protocols like the standard EAP methods), or anything else.
In this view, EAP appears as a pure user-service authentication protocol. Indeed, EAP does not specify any machine-bound identity, so e.g. "network access" appears to be too special or too low. "User" is an abstract name pointing to the "accessing entity", "supplicant" or "access requestor"; it can be virtually anything, depending on the used service (which appears perfect). Note that in that particular context, "user" is also might better than the mentioned "client", because "client" is often confused with an NAS. (Btw, "NAS" is a particularly bad name: it is typically used in the context of AAA protocols where, strictly spoken, this entity is everything but a server; NAS is only a Network Access Server from the point of view of the _user_, who however is out of scope of the AAA protocol that itself is a two-party protocol).
So, EAP is used between the service requesting and the service providing entities (user and service provider?). Of course, the service providing entity may relay the requests to somebody else since EAP does not use any form of addressing. However, it is a service provider internal treatment; logically the service requestor is unaware of this difference. In that sense, I'd agree with Glen that, unless some special EAP method is used, the separation of the NAS and the AAA backend is completely transparent for the user.
Historically, AAA is just a convenient way to centralize the administration of the dispersed NASes :-)
-- ___________________________________________________________ Artur Hecker http://www.enst.fr/~hecker ENST Paris ________________________________________________
- RE: Basic facts about EAP, (continued)
- RE: Basic facts about EAP Alper Yegin, May 2 2005
-
RE: Basic facts about EAP Pasi.Eronen, April 28 2005
-
RE: Basic facts about EAP Bernard Aboba, April 28 2005
- Re: Basic facts about EAP Jari Arkko, April 29 2005
- Re: Basic facts about EAP Artur Hecker, April 29 2005
- Re: Basic facts about EAP John Vollbrecht, April 29 2005
- Re: Basic facts about EAP Jari Arkko, May 2 2005
-
RE: Basic facts about EAP Bernard Aboba, April 28 2005
-
RE: Basic facts about EAP Glen Zorn (gwz), April 28 2005
- Re: Basic facts about EAP Jari Arkko, April 29 2005
Results generated by Tiger Technologies using MHonArc.