Re: Issue: Use of term lower layer

From: Yoshihiro Ohba (yohba
Date: Tue, 13 Dec 2005 08:44:35 -0800 (PST)

I have read Issue 313, but I think it does not solve the SAP issue for PANA because PANA EP is not authenticator or even part of authenticator.

BTW, draft-nakhjiri-aaa-hokey-ps-00.txt is introducing another secure association protocol named Link Secure Association Protocol (LSAP) that is run between Mobile Node and Access Node. To me "LSAP" and "SAP" are the same protocol and "Access Node" and "authenticator port" are the same entity.

I really think we need to avoid introducing multiple terms pointing to similar things.

Yoshihiro Ohba

On Tue, Dec 13, 2005 at 06:17:26PM +0200, Jari Arkko wrote:
> Yes. But would issue 313 (distributed authenticators)
> also solve the problem?
>
> Yoshihiro Ohba wrote:
>
> >I think there is an issue.
> >
> >In the eap-keying draft, secure association protocol is to be run
> >between the peer and authenticator, but in draft-ietf-pana-pana and
> >draft-ietf-pana-framework, secure association protocol is to be run
> >between PaC and EP, where EP in the PANA model does not have
> >authenticator functionality.
> >
> >We could resolve this issue by revising the definition of secure
> >association protocol such that it is run between peer port and
> >authenticator port. This is not bad because the secure association
> >protocol is for particular pair of ports.
> >
> >Yoshihiro Ohba
> >
> >On Tue, Dec 13, 2005 at 02:42:31PM +0200, Jari Arkko wrote:
> >
> >>Julien Bournelle wrote:
> >>
> >>>Hi all,
> >>>
> >>>On Thu, Dec 01, 2005 at 03:05:49PM -0800, Salowey, Joe wrote:
> >>>
> >>>>Submitter name: Joe Salowey
> >>>>Submitter email address: jsalowey [at] cisco.com
> >>>>Date first submitted: 12/1/2005
> >>>>Reference:
> >>>>Document: Keying Framework
> >>>>Comment type: E
> >>>>Priority: '1' Should fix
> >>>>Section: 2
> >>>>Rationale/Explanation of issue:
> >>>>
> >>>>The term lower layer is used inconsistently in the document.
> >>>>
> >>>>Lower layer should refer to the protocol between the EAP Peer and the
> >>>>EAP Authenticator. It is between these entities that the security
> >>>>association protocol is typically run. The MSK is transported to the
> >>>>lower layer.
> >>>>
> >>>just a question: what do we mean here by the security association
> >>>protocol ? the protocol used to secure the access (e.g. IKE or 4
> >>>way-handshake) or the EAP lower-layer ?
> >>>
> >>Figure 2 and Section 3.1 should define this... let us know
> >>otherwise. It's the client - NAS protocol to run after EAP has
> >>completed.
> >>
> >>>I ask the question because in PANA, we have this distinction. From the
> >>>AAA-Key, we derived the PANA_MAC_Key which is used to protect further
> >>>PANA signaling between the EAP client (PaC) and the EAP Authenticator
> >>>(PAA). We also derive a key from the AAA-Key which can be used as an
> >>>IKE psk between the EAP peer (PaC) and the Enforcement Point located in
> >>>the AR (cf. draft-ietf-pana-ipsec-xx.txt).
> >>>
> >>I think that's fine.
> >>
> >>--Jari
> >>
> >>_________________________________________________________________
> >>To unsubscribe or modify your subscription options, please visit:
> >>http://lists.frascone.com/mailman/listinfo/eap
> >>
> >>Archives: http://lists.frascone.com/pipermail/eap