[HOKEY] WGLC comments for preauth document
WGLC Comments for draft-ietf-hokey-preauth-ps-02:
Overall
-------
A terminology section is needed. The document uses a lot of terminology
without defining it or citing documents in which it has already been
defined.
This document discusses cases where we wish to pre-authenticate from one
authenticator to another, but it's not clear whether these
authenticators have to be served by the same AAA server or AAA domain.
I think one of the major benefits of pre-authentication is the ability
to pre-authenticate to a remote AAA domain that does not have a roaming
relationship with your current AAA domain. This would allow a mobile
node with multiple credential sets (with multiple AAA servers/domains)
to roam between networks that don't have a roaming relationship. For
example, this might allow you to roam from your home WiFi network to an
operator's WiMAX network. I think more discussion should be in the
document to distinguish between and clarify these cases.
Section 1:
----------
This should be moved to the end of the document.
Section 2:
----------
"When a mobile during an ...": some terminology is needed, particularly
define "mobile", or preferably refer to it using EAP terminology, i.e.
the "peer".
s/may change its subnet/may change the subnet/
s/support an interactive/support interactive,/
authentication procedure and authorization procedure are poorly defined
s/affects the ongoing/affects ongoing/
s/where an AAA/where a AAA/
Reword sentence: "Depending upon the
type of architecture, in some cases the AAA signals traverse all the
way to the AAA server in the home domain of the mobile as well before
the network service is granted to the mobile in the new network."
s/such as VoIP is very/such as VoIP are/
Section 3:
----------
s/setting up of L2/setting up L2/
s/AP (Access Point)/Access Point (AP)/
Reword sentence: "Following a successful authentication, a secure
association protocol named four-way handshake with the wireless station
derives a new set of the session keys for use in data communications."
s/Unless PMK (Pairwise Master Key)/Unless the Pairwise Master Key (PMK)/
Need reference for: "This is
larger than the average coverage overlap of a wireless LAN (WLAN)."
s/organizations. But these/organizations, but these/
Add references for 11f and 11i
Reword sentence: "Especially, a solution is needed to
enable EAP pre-authentication in IEEE 802.11 to work even if the
station and AP are not members of the same VLAN."
s/of high bandwidth wireless/of high-bandwidth, wireless/
s/802.11a\/b\/g/802.11/
s/hotspot like coverages/hotspot-like coverage/
s/relatively lower bandwidth/relatively low bandwidth/
s/handover keying or EAP/handover keying, or EAP/
s/contact in the new/context to the new/
s/because of domino effect/because of the domino effect/
s/a compromise of/the compromise of/g
s/I-D.ietf-hokey-reauth-ps/RFC5169/
Recommend not using term "subnet" as it's not defined in the EAP
context. EAP is typically an L2 protocol, which has no notion of subnets.
s/Note that EAP pre-/Note that the EAP pre-/
s/by each link-layer/by each link layer/
s/developed at IETF/developed by the IETF/
s/ongoing data communications are/ongoing data communication is/
Figure 1: Why is "Internet" in the middle? Can't it be an arbitrary L3
network?
s/functionality of EAP authenticator/functionality of an EAP authenticator/
s/is either standalone/is either a standalone/
s/functionality of EAP server/functionality of an EAP server/
s/On the other hand, when/When/
s/with EAP server/with the EAP server/
Add references for RADIUS and Diameter
s/uses an MSK (Master Session Key)/uses a Master Session Key (MSK)/
Section 4:
----------
s/two scenarios on how/two scenarios for how/
s/a serving authenticator/serving authenticator/
s/a candidate authenticator/candidate authenticator/
s/a AAA server/AAA server/
s/for both pre-authentication scenarios/for either pre-authentication
scenario/
Section 4.2:
------------
Reword sentence: "Indirect pre-authentication signaling is spliced into
mobile node to serving authenticator signaling (MN-SA signaling) and
serving authenticator to candidate authenticator signaling (SA-CA
signaling)."
Section 5
---------
s/pre-authentication, i.e., authenticator/preauthentication: authenticator/
Section 5.1
-----------
s/IP address and a mechanism/IP address, and a mechanism/
Section 6
---------
s/AAA documentations/AAA documents/
s/This means, when such/This means that when/
s/support pre-authentication function,/support pre-authentication,/
s/life time/lifetime/g
s/pre- authenticated/pre-authenticated/
s/or the NAS, when/or the NAS when/
"mobile entity"? Be consistent with terminology.
s/ping pongs/cycles/
s/common for the network operators/common for network operators/
s/maintain the control/maintain control/
s/in an anticipation for/in anticipation of/
Section 7:
----------
s/any solution for this problem needs considerations on/any solution
needs to consider/
Sentence fragment, revise: "First, a possible resource consumption
denial of service attack where an attacker that is not on the same IP
link as the mobile node or the candidate authenticator may send
unprotected pre-authentication messages to the mobile node or the
candidate authenticator to let the legitimate mobile node and candidate
authenticator spend their computational and bandwidth resources."
s/noted that, when/noted that when/
Appendix A:
-----------
I think this should be significantly shortened, citing references, and
included in the body of the document.
--
t. charles clancy, ph.d. eng.umd.edu/~tcc
electrical & computer engineering, university of maryland
_______________________________________________
HOKEY mailing list
HOKEY at ietf.org
https://www.ietf.org/mailman/listinfo/hokey