Subject: Re: PANA and EAP keying framework
From: Yoshihiro Ohba (yohba
Date: Tue, 10 Jan 2006 15:24:49 -0800 (PST)
Jesse,

On Tue, Jan 10, 2006 at 01:42:38PM -0800, Walker, Jesse wrote:
> > "
> > Upon successful completion of the 4-Way Handshake, the Authenticator
> > and Supplicant have authenticated each other; and the IEEE 802.1X
> > Controlled Ports are unblocked to permit general data traffic.
> > "
> >
> > - What is the definition of "general data traffic"?
> [Walker, Jesse] General data traffic are MSDUs received through the
> UNITDATA.request interface that have an Ethertype different from 802.1X.

(This should have been clearly stated in the specification.)

> >
> > - The above text does not say anything about whether any data frame
> > other than 802.1X messages is not allowed to pass through uncontrolled
> > port.
> [Walker, Jesse] You can find the answer reading 802.1X Clause 8. The
> answer is no. All data traffic passes through the control port. The
> uncontrolled port passes only frames of Ethertype 802.1X.

I read clause 8 of 802.1aa-D6.1 (sorry, I don't have the latest 802.1X
draft standard), but I was not able to find the description on the
behavior you answered. I rather found the following text in clause 6.4
of 802.1aa-D6.1:

"
It is expected that most protocol exchanges conducted by other functions
of the System will make use of one or more of the System's controlled
Ports. However, a given protocol may need to bypass the authorization
function and make use of the uncontrolled Port.
"

I also found several descriptions in Appendix C of 802.1aa-D6.1 on
allowing DHCP traffic to be forwarded to unauthenticated VLAN after
authentication failure. Isn't the DHCP traffic in this case passing
through the uncontrolled port?

Regards,
Yoshihiro Ohba

> >
> > Yoshihiro Ohba
> >
> > >
> > > > -----Original Message-----
> > > > From: Yoshihiro Ohba [mailto:yohba [at] tari.toshiba.com]
> > > > Sent: Tuesday, January 10, 2006 12:47 PM
> > > > To: Walker, Jesse
> > > > Cc: Yoshihiro Ohba; Bernard Aboba; eap [at] frascone.com
> > > > Subject: Re: [eap] PANA and EAP keying framework
> > > >
> > > > Jesse,
> > > >
> > > > On Tue, Jan 10, 2006 at 12:30:58PM -0800, Walker, Jesse wrote:
> > > > > Yoshihiro
> > > > >
> > > > > > I don't think 802.11i prohibits any IP traffic to pass through
> > > > > > uncontrolled port before 4-way handshake. In fact, there is a
> > > > > > description in section 5.4.2.2 of IEEE 802.11i 2004 specification:
> > > > > [Walker, Jesse] This is not true. 802.1X frames are the only type of
> > > > > data 802.11i allows to pass over the link prior to key confirmation. IP
> > > > > traffic is not encapsulated with the 802.1X Ethertype, so is expressly
> > > > > blocked.
> > > >
> > > > Can you point out which text in the 802.11i specification states this
> > > > specific behavior? How can we interpret the quoted text in section
> > > > 5.4.2.2?
> > > >
> > > > In any case, another way is to use multiple (virtual) APs, one
> > > > operating in 'open' authentication running PANA and the other
> > > > operating in 802.11i, and switching from the former AP to the latter
> > > > after PANA authentication.
> > > >
> > > > Regards,
> > > > Yoshihiro Ohba
> > > >
> > > >
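The port model the two of them are arguing about, as an added example that is not part of this thread or of any 802.1X implementation: a toy Port Access Entity that parses the Ethertype out of an Ethernet II frame (skipping one 802.1Q tag) and decides whether a frame crosses the uncontrolled port, the controlled port, or is dropped. By default it behaves as Jesse describes (only Ethertype 0x888E, EAPOL, passes before authorization); the clause-6.4 bypass Yoshihiro asks about is exposed as an explicit, opt-in allow-list. The names `PortAccessEntity`, `route`, `ethertype_of` and `make_frame` are mine, the frames are constructed for the example, and the bypass is simplified to Ethertype granularity (the DHCP case in the thread would need inspection above the Ethernet header).

```python
"""Toy model of an IEEE 802.1X PAE deciding which port carries a frame.

Added example for this thread, not code from it or from any 802.1X
implementation.  Frame contents are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple
import struct

ETHERTYPE_IPV4 = 0x0800   # IPv4 over Ethernet
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X (EAPOL)


def ethertype_of(frame: bytes) -> int:
    """Return the payload Ethertype of an Ethernet II frame, skipping one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype


@dataclass
class PortAccessEntity:
    """One PAE with a controlled port (gated on authorization) and an uncontrolled one."""
    authorized: bool = False
    # Ethertypes allowed to bypass authorization on the uncontrolled port
    # (the 802.1aa clause 6.4 case).  Empty by default, so only EAPOL passes
    # before authorization, which is the behaviour Jesse describes.
    uncontrolled_bypass: FrozenSet[int] = field(default_factory=frozenset)

    def route(self, frame: bytes) -> str:
        """Return 'uncontrolled', 'controlled' or 'drop' for a received frame."""
        etype = ethertype_of(frame)
        if etype == ETHERTYPE_EAPOL or etype in self.uncontrolled_bypass:
            return "uncontrolled"
        if self.authorized:
            return "controlled"
        return "drop"


def make_frame(etype: int, payload: bytes = b"", vlan: Optional[int] = None) -> bytes:
    """Build a constructed Ethernet II frame, optionally with one 802.1Q tag."""
    dst = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
    src = bytes.fromhex("020000000001")  # locally administered, constructed
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


def demo() -> Tuple[List[str], List[str], str]:
    """Route three frames before and after authorization, then with a bypass."""
    eapol = make_frame(ETHERTYPE_EAPOL, bytes([0x02, 0x01, 0x00, 0x00]))  # EAPOL-Start
    ipv4 = make_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged_ipv4 = make_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=10)

    pae = PortAccessEntity()
    before = [pae.route(f) for f in (eapol, ipv4, tagged_ipv4)]
    pae.authorized = True
    after = [pae.route(f) for f in (eapol, ipv4, tagged_ipv4)]

    # Opt-in bypass: an unauthorized port that lets IPv4 cross the uncontrolled port.
    bypass = PortAccessEntity(uncontrolled_bypass=frozenset({ETHERTYPE_IPV4}))
    return before, after, bypass.route(ipv4)


if __name__ == "__main__":
    print(demo())
```

The point the example makes visible is that the two readings of the spec differ only in the contents of the bypass set: with it empty, every non-EAPOL frame is dropped until the port is authorized, tagged or not; any Ethertype placed in it crosses the uncontrolled port regardless of port state, which is exactly the exposure that has to be justified per protocol.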