Subject: Issue 411: Relationship to RFC 4962
From: Bernard Aboba (bernard_aboba
Date: Tue, 23 Oct 2007 18:42:50 -0700 (PDT)
Issue 411: Relationship to RFC 4962
Submitter name: Charlie Kaufman
Submitter email address: charliek [at] microsoft.com
Date first submitted: October 18, 2007
Reference:
Document: draft-ietf-eap-keying-18.txt
Comment type: Editorial
Priority: S
Section: Abstract, Section 1
Rationale/Explanation of Issue:
The document does not state what the relationship is between it and RFC 4962. Specifically, does it:
1. Demonstrate how EAP, AAA and SAP protocols comply with the guidelines in RFC 4962?
2. Provide detailed security requirements for EAP, AAA and SAP?
3. Override RFC 4962 where the two documents disagree?
[BA] My understanding is that the relationship is most accurately described by #1 & #2. That is, Section 5 in particular analyzes compliance to RFC 4962 and much of the document includes more detail on the security issues raised in RFC 4962. I am not sure about #3.
The proposed resolution is to change the Abstract to the following:
"Abstract
The Extensible Authentication Protocol (EAP), defined in RFC 3748, enables extensible network access authentication. This document specifies the EAP key hierarchy and provides a framework for the transport and usage of keying material and parameters generated by EAP authentication algorithms, known as "methods". It also provides a detailed system-level security analysis, demonstrating compliance with the key management guidelines described in RFC 4962."
and Section 1 to the following:
"1. Introduction
The Extensible Authentication Protocol (EAP), defined in [RFC3748], was designed to enable extensible authentication for network access in situations in which the Internet Protocol (IP) protocol is not available. Originally developed for use with Point-to-Point Protocol (PPP) [RFC1661], it has subsequently also been applied to IEEE 802 wired networks [IEEE-802.1X], IKEv2 [RFC4306] and wireless networks such as [IEEE-802.11] and [IEEE-802.16e].
EAP is a two-party protocol spoken between the EAP peer and server. Within EAP, keying material is generated by EAP authentication algorithms, known as "methods". Part of this keying material can be used by EAP methods themselves and part of this material can be exported. In addition to export of keying material, EAP methods can also export associated parameters such as authenticated peer and server identities and a unique EAP conversation identifier, and can import and export lower layer parameters known as "channel binding parameters", or simply "channel bindings".
This document specifies the EAP key hierarchy and provides a framework for the transport and usage of keying material and parameters generated by EAP methods. It also provides a detailed security analysis, demonstrating compliance with the requirements described in "Guidance for Authentication, Authorization and Accounting (AAA) Key Management" [RFC4962]."
Proposed Resolution: Discuss