RE: Basic facts about EAP

From: Alper Yegin (alper.yegin
Date: Fri, 29 Apr 2005 15:49:13 -0400 (EDT)
Hi Bernard,

> a. EAP is a two party protocol, run between an EAP peer and server.
> Saying EAP is an N-party protocol is like saying that TCP is a
> N-party protocol because TCP packets pass through routers. Forwarding
> an EAP packet without modification does not cause an entity to become a
> "participant" in an EAP conversation any more than forwarding an IP packet
> turns a router into a host.

Referring to Figure 2 in RFC 3748... I agree with that if we are talking about the "EAP method layer". But if we look at the "EAP layer", I see a third entity called the "pass-through authenticator" that has a specific role at the EAP layer:

- It reads the EAP method payload to determine AAA routing (reading the client ID).
- It reads the EAP code for a sanity check. If it receives an EAP request that it should not, it can drop the EAP packet.
- It can generate an EAP Identity Request.
- It handles retransmissions and can re-generate lost packets.

> b. EAP can travel over any lower layer transport meeting the requirements
> of RFC 3748 Section 3.1.

My personal reading of Section 3.1 is that these are necessary but not sufficient requirements for EAP lower layer designers. I don't expect this to be an all-comprehensive list. But IMO, designing an RFC 3748-compliant EAP lower layer requires factoring in additional aspects of the EAP specs, such as channel binding and secure association, which are not covered in that list.

> c. An EAP peer or authenticator can have multiple ports. EAP
> lower layers that confuse the authenticator (or peer) with its ports are
> a bit like a person who shakes hands with both arms of someone they
> meet because they don't look at the head attached to the hands they are
> shaking.

This is a good example. I think the EAP peer should know the NAS ID (head), and know the connected port IDs (hands connected to the same head).

> EAP exchanges occur between the EAP peer and server, not between
> ports of the EAP server and authenticator. Similarly, the AAA-Key is
> shared by all ports of an authenticator and peer.

This does not mean sending the AAA-Key to the ports, right? The ports may be on separate nodes (like in AC-AP separation in WiFi).

Regards,
Alper
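As an added illustration of the EAP-layer duties Alper lists for the pass-through authenticator (constructed example code, not from this thread or from any EAP implementation), the Python below models an authenticator that generates the EAP-Request/Identity, checks the Code and Identifier of whatever the peer sends back and drops anything that should not arrive from that side, reads the Identity to choose an AAA realm, forwards the packet toward the server unmodified, and retransmits the outstanding Request on timeout. The packet layout follows RFC 3748 Section 4 and the NAI form user@realm follows RFC 2486; the `PassThroughAuthenticator` class, its method names, the retransmission limit and the sample identity `bob@corp.example` are assumptions of the example.

```python
"""Minimal model of a pass-through authenticator's EAP-layer role (RFC 3748 Figure 2).
Constructed example: class and method names are assumptions, not any real stack's API."""
import struct

# EAP Codes (RFC 3748 section 4) and the Identity Type (section 5.1)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# Code (1 byte), Identifier (1 byte), Length (2 bytes, network order, covers the whole packet)
HEADER = struct.Struct("!BBH")


def build_eap(code, identifier, type_=None, type_data=b""):
    """Serialise an EAP packet; Success/Failure carry no Type field."""
    body = b"" if type_ is None else bytes([type_]) + type_data
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type, type_data); raise ValueError on a malformed packet."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        raise ValueError("bad Length field")
    pkt = pkt[:length]  # bytes beyond Length are lower-layer padding, ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < HEADER.size + 1:
            raise ValueError("Request/Response without Type")
        return code, ident, pkt[4], pkt[5:]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    raise ValueError("unknown Code")


def realm_of(identity, default):
    """AAA routing hint from an NAI (user@realm); fall back to the local default."""
    s = identity.decode("utf-8", "replace")
    realm = s.rsplit("@", 1)[1] if "@" in s else ""
    return realm or default


class PassThroughAuthenticator:
    MAX_RETRANS = 3  # assumed limit; RFC 3748 leaves MaxRetrans to the implementation

    def __init__(self, default_realm):
        self.default_realm = default_realm
        self.identifier = 0
        self.outstanding = None   # last Request sent toward the peer, kept for retransmission
        self.retrans_count = 0
        self.to_aaa = []          # Responses forwarded unmodified to the EAP server
        self.aaa_realm = None
        self.dropped = []         # (packet, reason) for packets the sanity check rejected

    def start(self):
        """Authenticator-generated EAP-Request/Identity to open the conversation."""
        self.identifier = (self.identifier + 1) % 256
        self.outstanding = build_eap(EAP_REQUEST, self.identifier, EAP_TYPE_IDENTITY)
        self.retrans_count = 0
        return self.outstanding

    def on_timeout(self):
        """Retransmit the outstanding Request with the same Identifier; give up after MAX_RETRANS."""
        if self.outstanding is None or self.retrans_count >= self.MAX_RETRANS:
            return None
        self.retrans_count += 1
        return self.outstanding

    def from_peer(self, pkt):
        """Sanity-check a packet from the peer; forward it toward AAA or drop it. Returns the chosen realm."""
        try:
            code, ident, type_, data = parse_eap(pkt)
        except ValueError as err:
            self.dropped.append((pkt, str(err)))
            return None
        if code != EAP_RESPONSE:  # only Responses may flow peer -> authenticator
            self.dropped.append((pkt, "non-Response from peer"))
            return None
        if self.outstanding is None or ident != self.identifier:  # RFC 3748 4.1: must match the Request
            self.dropped.append((pkt, "Identifier does not match outstanding Request"))
            return None
        self.outstanding = None  # matched, so stop retransmitting
        if type_ == EAP_TYPE_IDENTITY:
            self.aaa_realm = realm_of(data, self.default_realm)
        self.to_aaa.append(pkt)  # forwarded as-is: the authenticator does not touch method payloads
        return self.aaa_realm

    def from_aaa(self, pkt):
        """Pass a server packet toward the peer unmodified, tracking Requests for retransmission."""
        code, ident, _, _ = parse_eap(pkt)
        if code == EAP_REQUEST:
            self.identifier = ident
            self.outstanding = pkt
            self.retrans_count = 0
        else:
            self.outstanding = None  # Success/Failure end the conversation
        return pkt
```

The check that matters in practice is the pairing of Code and Identifier: a peer-side link should never deliver an EAP Request, and a Response whose Identifier does not match the outstanding Request is either a late duplicate or an injected packet, so both are dropped before anything reaches the AAA path.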
Thread:
- Basic facts about EAP, Bernard Aboba, April 28 2005
- RE: Basic facts about EAP, Alper Yegin, April 29 2005
- RE: Basic facts about EAP, Bernard Aboba, April 30 2005
- Re: Basic facts about EAP, Yoshihiro Ohba, May 1 2005
- Re: Basic facts about EAP, Jari Arkko, May 2 2005
- Re: Basic facts about EAP, Bernard Aboba, May 2 2005