RE: WGLC for eap-keying: EAP server-AAA server

From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri

Date: Fri, 28 Oct 2005 12:37:25 -0400 (EDT)
Hi,
I started reading the V08 draft and, with the hindsight of some very
recent issues we are dealing with in other SDOs, I have some comments on
what I have read so far (the first 6 pages :) ).
*** I think the terminology section needs some more clarification on the
distinction between a backend authentication server/AAA server and an EAP
server, given that the draft says: "the terms 'AAA server' and 'backend
authentication server' are used interchangeably." Honestly, I think the
draft might as well say "the terms AAA server, EAP server and backend
authentication server are used interchangeably".
Backend authentication server
A backend authentication server is an entity that provides an
authentication service to an authenticator. When used, this server
typically executes EAP methods for the authenticator. This
terminology is also used in [IEEE-802.1X].
I think the definition of "this server typically executes EAP methods
for the authenticator" should be added to the definition of EAP server.
Here instead we may say that "the backend authentication server
typically includes EAP server functionality". The way it is, the text is
adding EAP server function to the backend authentication server
definition.
*** MSK and EMSK definitions talk about export. RFC 3748 terminology does
not include "export", so it is not clear what export means. I typically
take it as the EAP server passing something to the AAA server (or backend
authentication server), or lower layer as it has been called recently. I
think this is an important concept that needs to be clarified before
this document is considered complete.
*** PMK definition should be generic. Example: Pairwise master key is a
key that is shared by the peer and the authenticator as a baseline key
to derive session keys that protect data between the peer and the
authenticator. The current text is an example of how 802.11 does it and
should go in an appendix somewhere; it is not a definition.
*** TEK and TSK both use the words "session keys" at the start of the
definition, whereas they mean completely different "sessions" (if you
will). One is really about the "EAP session" or exchange between peer
and server, and the other about the peer-authenticator. Maybe call one
authentication session keys and the other link session keys??? (I know not a
good suggestion, but honestly it is not worse than what is there
already.)
*** AAA key
It says that the key "is derived by the peer and EAP server, ...
The AAA key is transported from the backend authentication server to the
authenticator..."
How did the key end up in the AAA server (remember "backend
authentication server" being synonymous with AAA server)?
Given that EAP methods produce MSK and EMSK and export them (presumably to
the AAA server), it is probably the AAA server that creates the AAA-key
out of the MSK and sends it over? Especially given that we say the EAP server
dumps the MSK after export? Does it dump the MSK and keep the AAA key
then? Do we want to leave this to interpretation?
*** Section 1.3
"The EAP server also decides whether access to some service should be
granted"??? Isn't this the job of the AAA server?
Thanks, and regards,
Madjid
-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf
Of Jari Arkko
Sent: Thursday, October 27, 2005 3:01 AM
To: eap [at] frascone.com
Cc: Bernard Aboba
Subject: [eap] WGLC for eap-keying
This is a Working Group Last Call announcement for
draft-ietf-eap-keying-08.txt which is now available at:
http://www.ietf.org/internet-drafts/draft-ietf-eap-keying-08.txt
This last call ends on Nov 30th, 2005 (longer than usual to accommodate
for IETF and IEEE meetings and leave time for detailed security review).
Please review this document and post your comments to the EAP WG mailing
list.
Jari Arkko
Bernard Aboba
EAP WG co-chairs