Re: Issue: Use of term lower layer
From: Julien Bournelle (julien.bournelleint-evry.fr)
Date: Wed, 7 Dec 2005 09:26:01 -0800 (PST)
Hi all,

On Thu, Dec 01, 2005 at 03:05:49PM -0800, Salowey, Joe wrote:
> Submitter name: Joe Salowey
> Submitter email address: jsalowey [at] cisco.com
> Date first submitted: 12/1/2005
> Reference: 
> Document: Keying Framework
> Comment type: E
> Priority: '1' Should fix 
> Section: 2 
> Rationale/Explanation of issue:
> 
> The term lower layer is used inconsistently in the document. 
> 
> Lower layer should refer to the protocol between the EAP Peer and the
> EAP Authenticator.  It is between these entities that the security
> association protocol is typically run.  The MSK is transported to the
> lower layer. 

Just a question: what do we mean here by the security association
protocol? The protocol used to secure the access (e.g. IKE or the
4-way handshake) or the EAP lower layer?
 
I ask the question because in PANA, we have this distinction. From the
AAA-Key, we derive the PANA_MAC_Key, which is used to protect further
PANA signaling between the EAP client (PaC) and the EAP Authenticator
(PAA). We also derive a key from the AAA-Key which can be used as an
IKE PSK between the EAP peer (PaC) and the Enforcement Point located in
the AR (cf. draft-ietf-pana-ipsec-xx.txt).

 Julien

> 
> AAA is not an EAP lower layer except in the special case where the AAA
> client and server are acting as the EAP Peer and EAP Authenticator for
> some reason (an example of this was in EUSM).  Entities other than
> the lower layer may obtain keys derived from the EMSK.
> 
> Requested change:
> 
> Section 2.1
> ----------- 
> change
> 
> "Of these phases, Phase 0, 1b and Phase 2 are handled by a lower layer."
> 
> To 
> 
> "Of these phases, Phase 0, 1b and Phase 2 are handled external to EAP.
> Phases 0 and 2 are handled by the lower layer protocol and phase 1b is
> typically handled by a AAA protocol."
> 
> Section 2.2
> ------------
> (remove references to IV)
> ---
> Change
> 
> "The EMSK MUST NOT be provided to the lower layer, nor is it permitted
> to pass any quantity to the lower layer from which the EMSK could be
> computed without breaking some cryptographic assumption, such as
> inverting a one-way function."
> 
> To
> 
> "The EMSK MUST NOT be provided to an entity outside the EAP server or
> peer, nor is it permitted to pass any quantity to an entity outside the
> EAP server or peer from which the EMSK could be computed without
> breaking some cryptographic assumption, such as inverting a one-way
> function."
> ---
> Change 
> 
> "In order to preserve the security of keys derived within EAP methods,
>    lower layers other than AAA MUST NOT export keys passed down by EAP
>    methods.  "
> 
> To 
> 
> "In order to preserve the security of keys derived within EAP methods,
>  lower layers MUST NOT export keys passed down by EAP
>  methods.  "
> ---
> Change
> 
> "EAP keying material and parameters provided to a lower layer other
>    than AAA MUST NOT be transported to another entity."
> 
> To
> 
> "EAP keying material and parameters provided to a lower layer MUST NOT
> be transported to another entity."
> ---
> Change
> 
> "The exception to the "no sharing" rule is the AAA layer.  On EAP
>    server, keying material requested by and passed down to the AAA layer
>    may be replicated to the AAA layer on the authenticator.   On the
>    authenticator, the AAA layer may provide the replicated keying
>    material to the lower layer over which the EAP authentication
>    conversation took place.  This enables "mode independence" to be
>    maintained. "
> 
> To 
> 
> "The AAA layer may transport keys that are exported from the EAP server.
> On EAP
>    server, keying material requested by and passed down to the AAA layer
>    may be replicated to the AAA layer on the authenticator.   On the
>    authenticator, the AAA layer may provide the replicated keying
>    material to the lower layer over which the EAP authentication
>    conversation took place.  This enables "mode independence" to be
>    maintained."
> 
> -----------
> Section 2.3
> -----------
> 
> Change 
> "The caching behavior of existing EAP lower layers is as follows:"
> To
> "The caching behavior of existing EAP lower layers and AAA layers is as
> follows:"
> 

-- 
julien.bournelle at int-evry.fr
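The key-handling rule the issue is about (the MSK goes to the lower layer, the EMSK stays inside the EAP server and peer, and outside entities only ever see keys derived from it through a one-way function) is illustrated below with an added Python example. It is not code from the thread, the keying framework draft, or any PANA implementation; the HMAC-SHA256 counter-mode derivation, the `EapKeyHolder` class and the key labels are assumptions chosen for the illustration, and the MSK/EMSK values are constructed sample bytes rather than output of a real EAP method.

```python
import hashlib
import hmac
import struct


class EapKeyHolder:
    """Models the EAP server (or peer) side that holds the method's exported keys.

    The MSK may be handed to the lower layer, directly or replicated via AAA
    to the authenticator.  The EMSK never leaves this object: callers can
    only obtain keys derived from it through a one-way function, so the EMSK
    cannot be recovered from anything that is exported.
    """

    def __init__(self, msk: bytes, emsk: bytes) -> None:
        self._msk = msk
        self._emsk = emsk  # private: no method returns this value

    def export_msk(self) -> bytes:
        # The MSK is the quantity transported to the lower layer.
        return self._msk

    def derive_child_key(self, label: bytes, optional_data: bytes = b"",
                         length: int = 64) -> bytes:
        # Assumed KDF shape: HMAC-SHA256 keyed with the EMSK, expanded in
        # counter mode over (label | 0x00 | optional data | length | counter).
        # Each label yields an independent key; inverting HMAC would be needed
        # to get the EMSK back, which is the "cryptographic assumption" the
        # draft text refers to.
        out = b""
        block = b""
        counter = 1
        while len(out) < length:
            msg = (block + label + b"\x00" + optional_data
                   + struct.pack(">H", length) + bytes([counter]))
            block = hmac.new(self._emsk, msg, hashlib.sha256).digest()
            out += block
            counter += 1
        return out[:length]


def demo() -> dict:
    """Walk through the key hierarchy and return the resulting keys."""
    # Constructed sample keys; a real EAP method produces these during
    # authentication (64 octets each in the keying framework).
    msk = bytes(range(64))
    emsk = bytes(range(64, 128))
    holder = EapKeyHolder(msk, emsk)

    # What the lower layer receives.
    lower_layer_key = holder.export_msk()

    # Two application keys derived from the EMSK, in the spirit of Julien's
    # PANA example (a signaling MAC key and an IKE PSK).  Labels are made up.
    mac_key = holder.derive_child_key(b"example-signaling-mac-key", length=32)
    ike_psk = holder.derive_child_key(b"example-ike-psk", length=32)

    # A full-length child key still differs from the EMSK it was derived from.
    full_length_child = holder.derive_child_key(b"example-full-length", length=64)

    return {
        "lower_layer_key": lower_layer_key,
        "mac_key": mac_key,
        "ike_psk": ike_psk,
        "child_equals_emsk": full_length_child == emsk,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The point of the split into `export_msk` and `derive_child_key` is that the EMSK is reachable only through the one-way derivation, which is exactly what the proposed text for Section 2.2 requires of any entity outside the EAP server or peer.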
