Subject: RE: WGLC for eap-keying: EAP server-AAA server

From: Glen Zorn (gwz)

Date: Fri, 28 Oct 2005 14:33:51 -0400 (EDT)

Nakhjiri Madjid-MNAKHJI1 <> supposedly scribbled:
> Hi,
>
> I started reading the V08 draft and having the hindsight of some very
> recent issues we are dealing with in other SDOs, I have some comments
> on what I have read so far (the first 6 pages :) )
>
>
> ***I think the terminology section needs some more clarification on
> the distinction of a backend authentication server/AAA server and EAP
> server, given that the draft says: "the terms "AAA server" and
> "backend authentication server" are used interchangeably." Honestly,
> I think the draft might as well say "the terms AAA server, EAP server
> and backend authentication server are used interchangeably"

Except that that would be technically incorrect.

>
> Backend authentication server
> A backend authentication server is an entity that provides an
> authentication service to an authenticator. When used, this
> server typically executes EAP methods for the authenticator.
> This terminology is also used in [IEEE-802.1X].
>
> I think the definition of "this server typically executes EAP methods
> for the authenticator" should be added to the definition of EAP
> server.
> Here instead we may say that "the backend authentication server
> typically includes EAP server functionality". The way it is, the text
> is adding EAP server function to the backend authentication server
> definition.
>
> ***MSK and EMSK definitions talk about export. RFC 3748 terminology
> does not include "export", so it is not clear what export means. I
> typically take it as EAP server passing something to the AAA server
> (or backend authentication server) or lower layer as it has been
> called recently. I think this is an important concept that needs to
> be clarified before this document is considered complete.
>
> ***PMK definition should be generic, Example: Pairwise master key is
> a key that is shared by the peer and the authenticator as a baseline
> key to derive session keys that protect data between the peer and the
> authenticator. The current text is an example on how 802.11 does it
> and should go in an appendix somewhere, it is not a definition.
>
> ***TEK and TSK both use the word "session keys" as the start of the
> definition, whereas they mean completely different "session" (if you
> will). One is really about the "EAP session" or exchange between peer
> and server, and the other about the peer-authenticator. Maybe call
> one authentication session and the other link session keys??? (I know
> not a good suggestion, but honestly it is not worse than what is
> there already)
>
> ***AAA key
> It says that the key "is derived by the peer and EAP server, ...
> The AAA key is transported from the backend authentication server to
> the authenticator.."
> How did the key end up in the AAA server (remember "backend
> authentication server" being synonymous with AAA server?)?

Good question.

> Given that EAP methods produce MSK and EMSK and export (presumably to
> the AAA server), it is probably the AAA server that creates the
> AAA-key out of the MSK and sends it over? Especially given that we say
> EAP server dumps the MSK after export? Does it dump the MSK and keep
> the AAA key then? Do we want to leave this to interpretation?
>
> 1.3
> "The EAP server also decides whether access to some service should be
> granted"??? Isn't this the job of AAA server?

Sure is, IMHO. Some people seem to believe that EAP is an authorization
protocol, however.

>
> Thanks, and regards,
>
> Madjid
>
>
> -----Original Message-----
> From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On
> Behalf Of Jari Arkko
> Sent: Thursday, October 27, 2005 3:01 AM
> To: eap [at] frascone.com
> Cc: Bernard Aboba
> Subject: [eap] WGLC for eap-keying
>
>
> This is a Working Group Last Call announcement for
> draft-ietf-eap-keying-08.txt which is now available at:
>
> http://www.ietf.org/internet-drafts/draft-ietf-eap-keying-08.txt
>
> This last call ends on Nov 30th, 2005 (longer than usual to
> accommodate for IETF and IEEE meetings and leave time for detailed
> security review).
>
> Please review this document and post your comments to the EAP WG
> mailing list.
>
> Jari Arkko
> Bernard Aboba
> EAP WG co-chairs
>
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
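The questions above about what "export" means and how the AAA key ends up at the authenticator are easiest to follow by tracking which party holds which key. The following is an added illustration for this archive page, not code from draft-ietf-eap-keying, from any EAP implementation, or from either correspondent. It relies on two facts: RFC 3748 requires a method's MSK and EMSK to be at least 64 octets each, and IEEE 802.11i takes the PMK as the first 256 bits of the key delivered to the authenticator. Everything else is an assumption made for the model: the method's internal derivation is a placeholder HMAC-SHA256 expansion (real methods define their own), the AAA-Key carried to the authenticator is taken to be the MSK itself, and the EAP server discards the MSK after export as the quoted draft text says.

```python
"""Toy model of the EAP key hierarchy: which party ends up holding which key
once an EAP method has "exported" its keying material.

Constructed illustration; not code from draft-ietf-eap-keying or any EAP
implementation.  The derivation inside the method is a placeholder, and the
assumption that AAA-Key == MSK is made for this model only.
"""
import hashlib
import hmac

MSK_LEN = 64    # RFC 3748: MSK is at least 64 octets
EMSK_LEN = 64   # RFC 3748: EMSK is at least 64 octets
PMK_LEN = 32    # IEEE 802.11i: PMK = first 256 bits of the delivered key


def expand(secret: bytes, label: bytes, length: int) -> bytes:
    """Placeholder key expansion (HMAC-SHA256 in counter mode).

    Stands in for the method-specific derivation of a real EAP method; it is
    constructed for this model only.
    """
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + label + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def eap_method(method_secret: bytes) -> dict:
    """Run the toy EAP method: each side ends with an MSK and an EMSK."""
    return {
        "MSK": expand(method_secret, b"MSK", MSK_LEN),
        "EMSK": expand(method_secret, b"EMSK", EMSK_LEN),
    }


def run_exchange(method_secret: bytes) -> dict:
    """Return the key store of every party after one EAP exchange."""
    # 1. Peer and EAP server both execute the method and derive MSK and EMSK.
    peer = eap_method(method_secret)
    server_keys = eap_method(method_secret)

    # 2. "Export": the EAP server hands the MSK to the AAA layer (the backend
    #    authentication server, co-located with it or not) and, per the draft
    #    text quoted in the thread, discards its own copy.  The EMSK is not
    #    exported; it stays with the peer and the EAP server.
    eap_server = {"EMSK": server_keys["EMSK"]}
    aaa_server = {"AAA-Key": server_keys["MSK"]}   # assumption: AAA-Key == MSK

    # 3. Transport: the AAA server delivers the AAA-Key to the authenticator
    #    (in practice inside a AAA protocol such as RADIUS or Diameter).
    authenticator = {"AAA-Key": aaa_server["AAA-Key"]}

    # 4. Both ends of the link derive the PMK from the delivered key, so the
    #    peer and the authenticator share it although the authenticator never
    #    ran the EAP method.
    peer["PMK"] = peer["MSK"][:PMK_LEN]
    authenticator["PMK"] = authenticator["AAA-Key"][:PMK_LEN]

    return {"peer": peer, "eap_server": eap_server,
            "aaa_server": aaa_server, "authenticator": authenticator}


def pmk_shared(stores: dict) -> bool:
    """True if the peer and the authenticator hold the same PMK."""
    return stores["peer"]["PMK"] == stores["authenticator"]["PMK"]


def emsk_confined(stores: dict) -> bool:
    """True if the EMSK never reached the AAA server or the authenticator."""
    emsk = stores["peer"]["EMSK"]
    return (stores["eap_server"]["EMSK"] == emsk
            and emsk not in stores["aaa_server"].values()
            and emsk not in stores["authenticator"].values())


if __name__ == "__main__":
    # Constructed sample secret standing in for the method's own key material.
    stores = run_exchange(b"constructed-method-secret")
    for party, keys in stores.items():
        print(party, {name: key[:4].hex() + "..." for name, key in keys.items()})
    print("PMK shared:", pmk_shared(stores),
          "EMSK confined:", emsk_confined(stores))
```

Running it shows the split the thread is asking about: the peer holds MSK, EMSK and PMK; the EAP server keeps only the EMSK after export; the AAA server and the authenticator see only the AAA-Key (the MSK) and never the EMSK; and the authenticator's PMK matches the peer's because both truncate the same delivered key.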