RE: FW: [eap] Re: EAP key binding discussion
From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri [at] motorola.com)
Date: Mon, 2 May 2005 03:58:23 -0400 (EDT)

Hi Bernard,

I guess I may need to look at your performance data for 802.11. Not sure if 
that applies universally for a general wireless link, though. However, you ARE 
referring to WLAN switches; not sure how the switch is architected with respect 
to the AAA server and the AP, and who acts as the authenticator? And how is the 
key distribution handled? Do you care to share some insights on that, or is 
that proprietary?

Madjid



-----Original Message-----
From: Bernard Aboba [mailto:aboba [at] internaut.com] 
Sent: Thursday, April 28, 2005 12:50 PM
To: Nakhjiri Madjid-MNAKHJI1
Cc: eap [at] frascone.com
Subject: RE: FW: [eap] Re: EAP key binding discussion

> What about disclosure of the keys between the authenticators??

Here is the requirement (from RFC 4017):

      Requirement: "Compromise of a single authenticator cannot
      compromise any other part of the system, including session keys
      and long-term secrets."

"any other part of the system" would seem to include other authenticators.

> I think EAP and its key management framework has not positioned itself
> well with respect to handovers and that is why the door for interpretations
> is being opened over and over.

I'd be interested in any data that you have collected on this.  Having
recently done some tests on handover times in WLAN switches, I was
surprised by how well the equipment performs.  For example, we have
measured handoffs of 25ms or less on a consistent basis with a number of
WLAN switch products.  These measurements were made on equipment implementing
RFC 3579, RFC 3748, and WPA2 (including pre-authentication).

I have collected published material on handoff times at the following
location:
http://www.drizzle.com/~aboba/IEEE/

> the "mutual authentication" condition which requires mutual
> authentication between all parties,
