Re: Issue 339: Use of Session-Timeout in Pre-authentication
From: Jari Arkko (jari.arkkopiuha.net)
Date: Tue, 28 Mar 2006 10:14:32 -0800 (PST)
Bernard Aboba wrote:

>
> During the HOAKEY BOF, Avi Lior pointed out that overloading of
> Session-Timeout for use in pre-authentication could cause problems.

Reading on...

>
> For example, it might be desirable to be able to specify both the
> pre-authentication timeout and the Session-Timeout values at the
> same time.

Yes.

> Section 3.4 of the keying document describes use of the Session-Timeout
> attribute to set the pre-authentication timeout.  Rather than
> specifying this here, it would be best to leave this to a future
> document.
>
> The proposed change is as follows:
>
> In Section 3.4, delete
>
> "Where EAP is used
> for pre-authentication, the session may not start until some future
> time, or may never occur.  Nevertheless, the Session-Timeout value
> represents the time after which transported EAP keying material,
> and all keys calculated from it, will have expired on the
> authenticator.  If the session subsequently starts, re-
> authentication will be initiated once the Session-Time has expired.
> If the session never started, or started and ended, by default keys
> transported by AAA and all keys calculated from them will be
> expired by the authenticator prior to the future time indicated by
> Session-Timeout."

I actually liked the old text since it was very clear: ALL exported
keys expire at Session-Timeout time, no exceptions. This seems
to make sense, still.

I do agree that it might make sense to have additional lifetimes
specified for the preauth case, but I see those as additional
constraints rather than something that replaces Session-Timeout.

--Jari

