Subject: Re: PANA and EAP keying framework
From: Bernard Aboba (bernard_aboba
Date: Tue, 10 Jan 2006 08:35:31 -0800 (PST)
> Yes. When IKE is used as the SAP, the IKE PSK derived from the MSK is used only for peer entity authentication for the IKE DH, and thus PFS is possible. On the other hand, when the IEEE 802.11i 4-way handshake is used as the SAP, PFS is possible if the negotiated EAP method supports this.
The IEEE 802.11i standard does not support PANA, so how can this work?
A single "virtual AP" either allows "open" authentication, or it requires 802.11i, but it can't do both simultaneously. Therefore PANA cannot be used for the initial authentication, since PANA traffic will be dropped by the AP prior to completion of 802.1X.
> Since an authenticator port is part of the authenticator, it does not seem to conflict with the statement that the SAP exchange is between the peer and the authenticator.
Are you saying that the exchange isn't between ports, but just between the authenticator and peer?
> > How? IKE does not define explicit lifetimes, nor does it care about key scope because it doesn't support caching.
> The lifetime of a PANA session is carried in a PANA message. This lifetime is the same as the authorization lifetime, which is also the same as the lifetime of the MSK.
Since IKEv2 does not support caching of EAP keying parameters, including the MSK, the PANA lifetime cannot be used; the MSK is discarded by IKEv2 regardless of what is in the PANA lifetime.
> Then, draft-ietf-pana-ipsec specifies that when IKE is used as the SAP, the lifetime of the IKE SA is bound to the lifetime of the MSK.
The IPsec SA lifetime is determined by IKE, not PANA. Since IKE discards the MSK after it completes, there is no notion of an MSK lifetime in IKE.
> Regarding the key scope, it is important for the peer to know which authenticator ports (Enforcement Points) belong to the authenticator the peer is communicating with. This fact does not seem to depend on the type of the SAP. The list of EPs clearly defines the key scope.
So PANA attempts to modify the IPsec SADB?
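The first quoted point in this message, that an MSK-derived IKE PSK only authenticates a Diffie-Hellman exchange (so PFS holds) whereas the 802.11i 4-way handshake derives the PTK directly from the PMK (so it does not), is easy to check with a short simulation. The code below is an added example written for this page; it is not code from the thread, from PANA, or from any IKE or 802.11i implementation. Its assumptions: the MSK is a constructed value; `derive_ike_psk()` uses a hypothetical HMAC label as a stand-in for whatever derivation draft-ietf-pana-ipsec specifies; `ike_style_exchange()` is a schematic PSK-authenticated DH over RFC 3526 group 14, not IKEv2's actual SKEYSEED/AUTH computation; the 802.11i PRF and PTK inputs follow IEEE 802.11i-2004 (8.5.1.1 and 8.5.1.2) with a 48-byte CCMP PTK.

```python
"""Added example: PFS with IKE as the SAP vs. the 802.11i 4-way handshake.
Illustrative code for this page, not from the thread or any real stack.
Assumptions: constructed MSK; hypothetical IKE PSK label; schematic
PSK-authenticated DH standing in for IKEv2; 802.11i PRF/PTK per 802.11i-2004.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2.  Transcribed from the RFC;
# verify against it before reusing.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


# ---- 802.11i 4-way handshake as the SAP ------------------------------------

def prf_80211i(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(msk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min/Max(AA,SPA) || Min/Max(ANonce,SNonce)).
    PMK is the first 256 bits of the MSK; 48 bytes = KCK || KEK || TK for CCMP."""
    pmk = msk[:32]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211i(pmk, b"Pairwise key expansion", data, 48)


def four_way_handshake(msk: bytes, aa: bytes, spa: bytes):
    """Both stations derive the PTK; also returns what an eavesdropper sees."""
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    ptk = derive_ptk(msk, aa, spa, anonce, snonce)
    captured = (aa, spa, anonce, snonce)  # all carried in the clear
    return ptk, captured


def ptk_from_leaked_msk(msk: bytes, captured) -> bytes:
    """An eavesdropper who later learns the MSK recomputes the PTK: no PFS."""
    return derive_ptk(msk, *captured)


# ---- IKE as the SAP ---------------------------------------------------------

def derive_ike_psk(msk: bytes) -> bytes:
    """Stand-in with a hypothetical label; not draft-ietf-pana-ipsec's construction."""
    return hmac.new(msk, b"hypothetical IKE PSK label", hashlib.sha256).digest()


def _tag(psk: bytes, role: bytes, ga: int, gb: int) -> bytes:
    """Authentication tag over both public DH values, keyed by the PSK."""
    msg = role + ga.to_bytes(256, "big") + gb.to_bytes(256, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def ike_style_exchange(msk_peer: bytes, msk_auth: bytes):
    """Schematic PSK-authenticated DH: the PSK only authenticates the public
    values; the session key comes from the fresh DH secret."""
    psk_i, psk_r = derive_ike_psk(msk_peer), derive_ike_psk(msk_auth)
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag_i, tag_r = _tag(psk_i, b"i", ga, gb), _tag(psk_r, b"r", ga, gb)
    # Peer entity authentication: each side checks the other's tag with its PSK.
    if not hmac.compare_digest(tag_r, _tag(psk_i, b"r", ga, gb)):
        raise ValueError("responder failed authentication")
    if not hmac.compare_digest(tag_i, _tag(psk_r, b"i", ga, gb)):
        raise ValueError("initiator failed authentication")
    sk_i = hashlib.sha256(pow(gb, a, P).to_bytes(256, "big")).digest()
    sk_r = hashlib.sha256(pow(ga, b, P).to_bytes(256, "big")).digest()
    transcript = (ga, gb, tag_i, tag_r)  # what an eavesdropper captures
    # a, b and the MSK-derived PSK are dropped on return; only the SA key survives.
    return sk_i, sk_r, transcript


def msk_leak_only_verifies(msk: bytes, transcript) -> bool:
    """MSK plus transcript lets an attacker confirm the exchange was authentic,
    but with no private exponent the session key stays out of reach: PFS."""
    ga, gb, tag_i, tag_r = transcript
    psk = derive_ike_psk(msk)
    return (hmac.compare_digest(tag_i, _tag(psk, b"i", ga, gb))
            and hmac.compare_digest(tag_r, _tag(psk, b"r", ga, gb)))
```

Run `four_way_handshake()` and then `ptk_from_leaked_msk()` with the same MSK and the captured nonces: the PTK comes back exactly, which is the no-PFS case of the quoted text. Run `ike_style_exchange()` and hand the MSK and transcript to `msk_leak_only_verifies()`: it can check the tags, and nothing more. The design choice that makes the difference is visible in the two derivations, the PTK is a PRF of the PMK over public inputs, while the IKE-side session key is a function of a DH secret the PSK never touches.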
- PANA and EAP keying framework, Yoshihiro Ohba, January 9 2006
- RE: PANA and EAP keying framework, Bernard Aboba, January 9 2006
- Re: PANA and EAP keying framework, Yoshihiro Ohba, January 10 2006
- Re: PANA and EAP keying framework, Bernard Aboba, January 10 2006
- Re: PANA and EAP keying framework, Yoshihiro Ohba, January 10 2006
- Re: PANA and EAP keying framework, Yoshihiro Ohba, January 10 2006
- Re: PANA and EAP keying framework, Jari Arkko, January 10 2006
- RE: PANA and EAP keying framework, Bernard Aboba, January 9 2006
- RE: PANA and EAP keying framework, Walker, Jesse, January 10 2006
- Re: PANA and EAP keying framework, Yoshihiro Ohba, January 10 2006