Re: About use of EMSK

From: Rafa Marin Lopez (rafa
Date: Fri, 3 Mar 2006 13:44:00 -0800 (PST)

Hi Joe...
I would like to make some comments on your e-mail. Please see inline...
My understanding is that figure 3 is referring to AAA server.
[Joe] this would depend on where you draw your AAA and EAP server boundaries. They are two separate entities and do not even need to be collocated, but it is fairly common for the EAP server and AAA server to be collocated or for the EAP server to be part of the AAA server. How the EAP server and AAA server divide up their responsibilities depends upon local implementation so I would say that the AAA server may know the EMSK as far as it may contain the EAP server. Now I am not sure what the AAA layer is, but it may not be the same as a AAA server so I can't really answer your question. It would seem that the AAA layer would include the AAA client and AAA server communication.
But in any case, I re-formulate the question: if EAP server and AAA server are co-located ... could EMSK be exported to AAA server? (From your answer "the AAA server may know the EMSK as far as it may contain the EAP server" I would say yes.)
<snip>
[Joe] I'm not convinced that I understand the layers or that the layer model is the right thing to apply here,

Ok, I see. In EAP key mng fwk is described this layering. Additionally, let me give some notes about EAP state machine (though it is informational).

For example (RFC 4137):

6.1.2. Variables (Backend Authenticator to AAA Interface)
.....
aaaEapKeyData (EAP key)
Set in authenticator state machine when keying material becomes
available. Set during the METHOD_RESPONSE state. Note that this
document does not define the structure of the type "EAP key". We
expect that it will be defined in [Keying].

If we check the EAP state machine that method (aaaEapKeyData (EAP key)) is provided by EAP backend authenticator state machine (Figure 5 in RFC 4137). That state machine recovers the "EAP key" from the EAP method through m.getKey()

m.getKey()
Method procedure to obtain key material for use by EAP or lower
layers. Returns an EAP key.

Thus, the layer model remains....

Having said this, and after your comment

My question is: is it expected another interface (different than "aaaEapKeyData (EAP key)") to provide keys to AAA server? or could AAA server use for example something like m.getKey() to obtain a particular key from EAP method?

but given the choices my answer is the EAP method layer.

In that case, why would EAP method need to export EMSK?

Thanks.
--
------------------------------------------------------
Rafael Marin Lopez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
Telf: +34968367645
e-mail: rafa [at] dif.um.es
------------------------------------------------------