RE: PANA and EAP keying framework

From: Bernard Aboba (bernard_aboba
Date: Mon, 9 Jan 2006 22:59:29 -0800 (PST)

> TSKs are generated using a Secure Association Protocol

Can you elaborate on this? If the TSKs are generated via an IKE DH exchange, with the MSK used only for authentication (as in IKEv2/EAP), then the TSKs are not dependent on the MSK and PFS is possible, right?

> between the peer and authenticator port

Not sure I understand this. The SAP exchange is between the peer and authenticator, not between specific ports. However, a result of the SAP exchange can be derivation of TSKs which are bound to specific ports.

> Point), where both link-layer specific key exchange protocols and
> IKE can be used as the Secure Association Protocol depending on
> whether link-layer ciphering or IPsec is used between the peer
> and the authenticator port.

What is a "link-layer specific key exchange protocol"? Are we talking about existing SAPs such as 802.11i 4-way handshake, or something else?

> The key scope and lifetime of the
> TSKs are communicated from the authenticator to the peer.

How? IKE does not define explicit lifetimes, nor does it care about key scope because it doesn't support caching.

> The key scope is specified as a list of device identifiers of the
> Enforcement Points.

This doesn't make sense where IKE is used as the SAP unless we are talking about MOBIKE (which can move SAs between addresses).