Re: PANA and EAP keying framework

From: Yoshihiro Ohba (yohba
Date: Tue, 10 Jan 2006 12:20:56 -0800 (PST)
On Tue, Jan 10, 2006 at 08:35:29AM -0800, Bernard Aboba wrote:
> >Yes. When IKE is used as the SAP, the IKE PSK derived from MSK is
> >used only for peer entity authentication for IKE DH and thus PFS is
> >possible. On the other hand when IEEE 802.11i 4-way handshake is used
> >as the SAP, PFS is possible if the negotiated EAP method supports
> >this.
>
> The IEEE 802.11i standard does not support PANA, so how can this work?
>
> A single "virtual AP" either allows "open" authentication, or it requires
> 802.11i, but it can't do both simultaneously. Therefore PANA cannot be
> used for the initial authentication, since PANA traffic will be dropped by
> the AP prior to completion of 802.1X.

I don't think 802.11i prohibits any IP traffic from passing through the
uncontrolled port before the 4-way handshake. In fact, there is a
description in section 5.4.2.2 of the IEEE 802.11i 2004 specification:

"
IEEE 802.1X Supplicants and Authenticators exchange protocol information
via the IEEE 802.1X Uncontrolled Port. It is expected that most other
protocol exchanges will make use of the IEEE 802.1X Controlled Ports.
However, a given protocol may need to bypass the authorization function
and make use of the IEEE 802.1X Uncontrolled Port.
"

Section 10.2.2 of draft-ietf-pana-framework-05.txt has a general
description of IEEE 802.11i usage in PANA.

>
> >> How? IKE does not define explicit lifetimes, nor does it care about key
> >> scope because it doesn't support caching.
> >
> >The lifetime of PANA session is carried in PANA message. This
> >lifetime is the same as the authorization lifetime which is also same
> >as the lifetime of the MSK.
>
> Since IKEv2 does not support caching of EAP keying parameters, including
> the MSK, the PANA lifetime cannot be used; the MSK is discarded by IKEv2
> regardless of what is in the PANA lifetime.

When IKEv2 is used as the SAP for PANA, the usage is different from that
of running EAP over IKEv2. In the PANA usage, the IKE pre-shared key and
IKE SA lifetime are dynamically configured and unconfigured using EAP
parameters obtained by running PANA/EAP, while those parameters are most
likely statically configured in non-PANA IKEv2 usage.

>
> >Regarding the key scope, it is important for the peer to know which
> >authenticator ports (Enforcement Points) belong to the authenticator
> >the peer is communicating with. This fact does not seem to depend on the
> >type of the SAP. The list of EPs clearly defines the key scope.
>
> So PANA attempts to modify the IPsec SADB?
>

Yes.

Yoshihiro Ohba