Re: Basic facts about EAP

From: Yoshihiro Ohba (yohba

Date: Mon, 2 May 2005 10:31:10 -0400 (EDT)
Hi Jari,

On Mon, May 02, 2005 at 10:19:24AM +0300, Jari Arkko wrote:
> Hi Yoshihiro,
>
> >I am not sure if using an EAP method to carry the NAS-ID or port-ID
> >for Channel Bindings is really a good idea as it would actually make
> >the EAP method media-dependent while it would make EAP media
> >independent.
> >
> >(snip)
> >
> >I'd extend the algorithm something like:
> >
> > AAA-Key := kdf(MSK, channel-binding-parameters)
> >
> >['channel-binding-parameters' include NAS-ID and maybe other
> >parameters as well.]
> >
>
> Yes, this is another approach to doing the bindings. I believe
> we discussed this at some earlier time on the list. One problem
> that was identified back then was that the set of parameters would
> have to be pretty well specified so that everyone could actually
> calculate the same key. If someone suddenly came up with a
> new parameter (say, SSIDng) that somehow needed to be bound,
> parties would have trouble getting to the same key.

Yes, the channel binding parameters would have to be pretty well
specified between the EAP peer and authenticator. My point is that
this does not necessarily mean that using EAP method as the carrier
of the parameters is a better way.

> The other approach is transporting opaque objects over EAP.
> I don't necessarily think this makes either EAP or EAP method
> layer media dependent. But certainly there has to be someone
> in charge who can interpret the objects and check the binding.
> Typically this would be the AAA server authorization logic. It
> seems almost inevitable that if there's channel binding support,
> then that part needs to know about it...

Given that the channel binding parameters would have to be pretty
well specified between the EAP peer and authenticator, the
authenticator can send the opaque objects to the EAP server via a
AAA protocol (e.g., a channel-binding attribute/AVP). The EAP server
will be able to calculate the AAA-Key without necessarily knowing
the semantics of the opaque objects.

What do you think?

Yoshihiro Ohba

> --Jari
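The derivation AAA-Key := kdf(MSK, channel-binding-parameters) discussed in the message above, as an added example that is not part of the thread. It assumes HKDF-SHA256 (RFC 5869) as the KDF and a length-prefixed, name-sorted encoding of the parameters; the thread fixes neither. It also shows the failure mode Jari raises: if one side binds a parameter the other side does not (the "SSIDng" case), the two sides no longer derive the same key, even though the EAP server only ever sees the encoded parameters as an opaque blob.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def encode_channel_binding(params: dict) -> bytes:
    """Canonical encoding of the channel-binding parameters (assumed format).

    Fields are sorted by name and each name and value is 2-byte length-prefixed,
    so two parties holding the same parameter set produce identical bytes.
    """
    out = b""
    for name in sorted(params):
        for field in (name.encode(), params[name]):
            out += len(field).to_bytes(2, "big") + field
    return out

def derive_aaa_key(msk: bytes, channel_binding: bytes) -> bytes:
    """AAA-Key := kdf(MSK, channel-binding-parameters).

    Only the encoded blob is needed here; the EAP server does not have to
    understand the semantics of the individual fields.
    """
    return hkdf_sha256(msk, salt=b"", info=b"AAA-Key" + channel_binding)

# Constructed sample values (not from the thread).
MSK = bytes(range(64))
PEER_PARAMS = {"NAS-ID": b"nas.example.net", "Port-ID": b"17"}

def peer_and_server_agree(server_params: dict) -> bool:
    """True only when peer and EAP server derive the same AAA-Key.

    The server side models the authenticator forwarding its parameter set as an
    opaque object (e.g. in a AAA channel-binding attribute/AVP).
    """
    peer_key = derive_aaa_key(MSK, encode_channel_binding(PEER_PARAMS))
    server_key = derive_aaa_key(MSK, encode_channel_binding(server_params))
    return hmac.compare_digest(peer_key, server_key)
```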