IETF Logo Mail Archive

Re: [core] concerns re draft-oflynn-core-bootstrapping-02

Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp> Fri, 29 October 2010 07:29 UTC

Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: core@core3.amsl.com
Delivered-To: core@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 912643A6A1F for <core@core3.amsl.com>; Fri, 29 Oct 2010 00:29:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.089
X-Spam-Level:
X-Spam-Status: No, score=-4.089 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVh0aVPG7Kaz for <core@core3.amsl.com>; Fri, 29 Oct 2010 00:28:50 -0700 (PDT)
Received: from imx12.toshiba.co.jp (imx12.toshiba.co.jp [61.202.160.132]) by core3.amsl.com (Postfix) with ESMTP id EFC8F3A6A17 for <core@ietf.org>; Fri, 29 Oct 2010 00:28:49 -0700 (PDT)
Received: from arc11.toshiba.co.jp ([133.199.90.127]) by imx12.toshiba.co.jp with ESMTP id o9T7UeKt018426; Fri, 29 Oct 2010 16:30:40 +0900 (JST)
Received: (from root@localhost) by arc11.toshiba.co.jp id o9T7UeKb018198; Fri, 29 Oct 2010 16:30:40 +0900 (JST)
Received: from ovp11.toshiba.co.jp [133.199.90.148] by arc11.toshiba.co.jp with ESMTP id SAA18195; Fri, 29 Oct 2010 16:30:40 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp11.toshiba.co.jp with ESMTP id o9T7UdQu006372; Fri, 29 Oct 2010 16:30:40 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id o9T7ULFN002160; Fri, 29 Oct 2010 16:30:39 +0900 (JST)
Received: from [133.199.75.97] by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTPA id <0LB100G6UJIZJ1E0@mail.po.toshiba.co.jp>; Fri, 29 Oct 2010 16:30:36 +0900 (JST)
Date: Fri, 29 Oct 2010 16:30:33 +0900
From: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>
In-reply-to: <4CCA41AC.6040800@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Message-id: <4CCA7819.6020908@toshiba.co.jp>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-2022-JP"
Content-transfer-encoding: 7bit
References: <BE21691E-1C60-4E2C-B7A8-81782F46E923@tzi.org> <E96BC2D7-3C56-4859-94B3-8B1AF1990C77@tzi.org> <935DB371-B149-486A-8AD2-3B4454C9B172@tzi.org> <4CA3BB54.8050706@gmail.com> <AANLkTimFX2BuD=UT3t4XV8XvD+ZRhgj57wDzRc2sFKOc@mail.gmail.com> <4CA5E8E0.4030503@gmail.com> <AANLkTi=0yEc6Fgi2-eahb8JtRZBxC9PWD=aEwQjh3F6R@mail.gmail.com> <4CA6095F.6040403@gmail.com> <B0F8E486-051F-4C5D-A05F-BDB3701404C5@cs.rwth-aachen.de> <4CB48B9B.9010206@gmail.com> <4CC83F61.5060109@gmail.com> <023a01cb76e1$869bfcc0$93d3f640$%yegin@yegin.org> <D266D724-C345-4980-A685-5742F76C60D3@tzi.org> <4CCA052E.2010909@toshiba.co.jp> <4CCA41AC.6040800@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.11) Gecko/20101013 Thunderbird/3.1.5
Cc: core@ietf.org
Subject: Re: [core] concerns re draft-oflynn-core-bootstrapping-02
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/core>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Oct 2010 07:29:06 -0000

Hello Rene,

Thank you very much for expressing your concerns in detail.

Basically there is no implications such as (a) and (b1) to (b4) in the
general framework of PANA, EAP and AAA.  Let me explain this in
details below..

(2010/10/29 12:38), Rene Struik wrote:
> Hi Yoshihiro:
> 
> It seems that in your example each device identifier is tied to a 
> single security manager (e.g., device A and security manager S would 
> yield device id A@S.com).
> 
> This seems to imply the following:
> (a) entangles the name space and device role space (since tie-ing node 
> A to a node S that assumes a security manager role for A);

In the case where the EAP peer identity is tied with the device in
which the EAP peer resides, you are right.  However, the EAP peer
identity is not necessarily tied with the device.  It can be also tied
with the user who uses the device.  Or when a tunneling EAP method
such as EAP-TTLS is used, it is possible to tie the EAP peer identity
for the outer EAP method with the device *and* tie the EAP peer
identity for the inner EAP method with the user.  So in general EAP
framework, there is no fixed binding is assumed between the device and
security manager.

> (b) precludes scenarios where
> (b1) a device may have multiple security managers (example: remote 
> control, spare remote under the pillow, central node);

When PANA is used, it is possible to have multiple PANA sessions
between a PaC and a PAA, and different EAP peer identities can be used
for those PANA sessions where each EAP peer identity may be tied with
a distinct security manager.  OTOH, this kind of scenario is difficult
to be supported by IEEE 802.1X which allows only one authentication
session between a pair of 802.1X Supplicant and Authenticator.

> (b2) a security manager may change over time (example: change of 
> security manager, due to malfunctioning device or ownership change);

I think this is basically a provisioning issue.  If a deployment uses
a provisioning mechanism that allows dynamically changing the EAP peer
identity associated with a particular device, it is possible to change
a security manager over time under the EAP framework.

> (b3) a device may not have a security manager yet (example: device is 
> initially taken out of generic box, without any imprinting happening 
> yet);

Again I think this is a provisioning issue.  If a deployment uses a
provisioning mechanism that supports a standalone bootstrapping
mechanism during the provisioning phase, it is possible not to use a
security manager in the provisioning phase.

> (b4) a device and security manager may not be in hierarchical 
> relationship (example: simple device pairing a la Bluetooth v2.1 EDR).
> As such, this seems to preclude many useful deployment scenarios for 
> sensor networks.

Since the EAP framework does not require to use the AAA
infrastructure, a P2P relationship can be supported by the EAP framework.

We can clarify these things in the core-bootstrapping draft if it helps.

Best Regards,
Yoshihiro Ohba


> 
> Hence, my note in my email as of Wed October 27, 2010, 11:04am EDT re 
> the latest version of draft-oflynn-core-bootstrapping-02, in which I 
> highlighted the importance of facilitating a flexible set of 
> deployment scenarios.
> 
> Please let me know if I misinterpreted your EAP-style explanation 
> (above, I only focus on logical device roles and not on communication 
> patterns).
> 
> Best regards, Rene
> 
> [excerpt email RS as of October 1, 2010, 12:16pm EDT]
> 
> In my mind, properties of suitable authenticated key agreement schemes 
> should include (a) key establishment; (b) implicit key authentication; 
> (c) key confirmation; (d) mutual entity authentication; (e) forward 
> secrecy; (f) {perhaps} some more esoteric properties (key compromise 
> impersonation resilience, etc.).
> 
> Moreover, the "name space" (device identifiers) and the "cryptographic 
> space" (public keys, etc.) should be independent, so that this would 
> allow trust lifecycle management to be reduced to proper management of 
> device identifiers (i.e., ****no** entanglement of concepts from 
> different disciplines).
> 
> 
> On 28/10/2010 7:20 PM, Yoshihiro Ohba wrote:
>> OK, then let me use the term "RADIUS server" to explain.
>>
>> Any EAP transport protocol such as IEEE 802.1X and PANA works with
>> multiple AAA domains in which a single access network may interface to
>> multiple RADIUS servers where each RADIUS server serves for a distinct
>> AAA domain. With EAP, RADIUS routing is based on the EAP peer
>> identity such as "foo@domainA.com" and "bar@domainB.com" in a way that
>> authentication messages for EAP peer "foo@domainA.com"are routed to
>> "domainA.com" RADIUS server and authentication messages for EAP peer
>> "bar@domainB.com" are routed to "domainB.com" RADIUS server. The EAP
>> peer identity is extracted from the initial EAP exchange by an EAP
>> pass-through authenticator that is co-located with a RADIUS client at
>> the border of the access network. In a large scale RADIUS deployment,
>> there may be RADIUS proxies between a RADIUS client and a RADIUS
>> server to simplify the AAA routing task for RADIUS clients. In PANA,
>> PAA (PANA Authentication Agent) is the EAP pass-through authenticator,
>> and PaC (PANA Client) is the EAP peer.
>>
>> Hope this helps,
>> Yoshihiro Ohba
>>
>> (2010/10/29 6:21), Carsten Bormann wrote:
>>> On Oct 28, 2010, at 22:48, Alper Yegin wrote:
>>>
>>>> mothership
>>> I think other terms are "mother-may-I", "trust center", "RADIUS 
>>> server", or "Policy Decision Point". Just guessing, though.
>>> I think the use case of interest here is a single constrained 
>>> network that simultaneously serves multiple trust domains, so being 
>>> authorized by any one of them should give you access.
>>>
>>> With that potential explanation, can you elucidate whether (and 
>>> maybe how) PANA would work in this scenario?
>>>
>>> Gruesse, Carsten
>>>
>>> _______________________________________________
>>> core mailing list
>>> core@ietf.org
>>> https://www.ietf.org/mailman/listinfo/core
>>>
>> _______________________________________________
>> core mailing list
>> core@ietf.org
>> https://www.ietf.org/mailman/listinfo/core
> 
>

v2.23.0 | Report a Bug | By Email