
Re: [HOKEY] ERX issues



Charles,

I would like to note that this is not only my comment; there are also
a couple of comments from others.

[1] Bernard Aboba mentioned
(http://www.ietf.org/mail-archive/web/hokey/current/msg01151.html):

"
What can be done to address the problems?
The most satisfying solution from a security
perspective would be to eliminate the piggybacking
of DSRK provisioning on top of legacy EAP
exchanges.  Providing an explicit request
from the peer to the server for provisioning
of the DSRK would provide the server with
proof of client liveness within the domain
which subsequently will issue accounting
records, closing the fraud loophole, as well as
removing the RFC 4962 "authenticate all
parties" problem, and any security impact
on legacy EAP deployments.

Another potential approach would be to
introduce authorization checks on the
AAA server.  For example, the AAA server
could require that the ERX server be
only one hop away, thereby addressing
the "authenticate the parties" issue.
Also, the ERX server could now be
guaranteed to be in the same domain
as the user, limiting the potential
for fraud to roughly the same magnitude
as existing fast handoff proposals
such as 11r.
"

[2] Chunqiang Li mentioned
(http://www.ietf.org/mail-archive/web/hokey/current/msg01173.html):

"
Yes, and it is not compliant with the requirements in RFC4962 if
KDE1 and KDE4 are removed.
"

Regards,
Yoshihiro Ohba

On Sun, Mar 23, 2008 at 09:36:34PM -0400, Charles Clancy wrote:
> Yoshi,
>
> > I strongly believe that peer consent of DSRK, which is eventually used
> > by the peer and visited domain to establish link-layer SAs for all
> > authenticators in the entire visited domain, is important and needed.
>
> I've added your comments to issue 40 in the tracker, but the WG  
> consensus, as measured at IETF 71, is to not implement peer consent for  
> DSRK key distribution.  I understand that you feel strongly about this  
> issue, but in the interest of making progress on our documents, I  
> request that we move on.  Are you willing to make the required changes  
> to the key-mgm document?
>
> --
> t. charles clancy, ph.d.                 eng.umd.edu/~tcc
> electrical & computer engineering, university of maryland
>
_______________________________________________
HOKEY mailing list
HOKEY at ietf.org
https://www.ietf.org/mailman/listinfo/hokey