[Gen-art] Gen-ART review of draft-ietf-hokey-erp-aak-07

"Miguel A. Garcia" <Miguel.A.Garcia@ericsson.com> Thu, 02 February 2012 14:51 UTC

To: Zhen Cao <zehn.cao@gmail.com>, Hui Deng <denghui02@gmail.com>, sunseawq@huawei.com, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: General Area Review Team <gen-art@ietf.org>

I have been selected as the General Area Review Team (Gen-ART)
reviewer for this draft. For background on Gen-ART, please see the FAQ at

Please resolve these comments along with any other comments you may receive.

Document: draft-ietf-hokey-erp-aak-07
Reviewer: Miguel Garcia <miguel.a.garcia@ericsson.com>
Review Date: 2011-01-02
IETF LC End Date: 2012-02-07

Summary: This draft is on the right track but has open issues, described 
in the review.

Major issues:

- None

Minor issues:

- The main problem I have with this draft is the lack of normative text 
(RFC 2119 reserved words) in relevant paragraphs. If interoperability is 
to be granted, an effort should be taken in adding quite a few more 
normative statements.

However, having said that, the section where I most find that there 
should be more normative text is Section 3, which is an "Overview" 
section. In general, an overview section should use descriptive, but not 
normative, text.

For example, take the last paragraph on Page 5 (which continues on Page 
6). One possible change is to make the text normative and move it outside 
of a section whose title is "Overview".

    Upon receiving the message, the ERP/AAK server MUST first use the
    keyName indicated in the keyName-NAI to look up the rIK and MUST
    check the integrity and freshness of the message. Then the ERP/AAK
    server MUST verify the identity of the peer by checking the username
    portion of the KeyName-NAI.  If any of the checks fail, the server
    MUST send an early-authentication finish message (EAP-Finish/Re-auth
    with E-flag set) with the Result flag set to '1'.  Next, the server
    MUST authorize the CAP specified in the CAP-Identifier TLV.  In
    success case, the server MUST derive a pMSK from the pRK for each CAP
    carried in the CAP-Identifier field using the sequence number
    associated with CAP-Identifier as an input to the key derivation.
    (see d. in the figure 1).

    Then the ERP/AAK server MUST transport the pMSK to the authorized CAP
    via AAA Section 7 as described in figure 2 (see e.1,e.2 in the figure
    2). Note that key distribution in the figure 2 is one part of step d.
    in the figure 1.

The last paragraph in Section 3 also contains an "Optionally", which 
I believe should be replaced with a capitalized "OPTIONAL".

Another instance: towards the end of Section 5.2, the text reads:

    HMAC-SHA256-128 is mandatory to implement and should be enabled in
    the default configuration.

and should probably be:

    HMAC-SHA256-128 is REQUIRED to be implemented and SHOULD be enabled in
    the default configuration.

Similarly, the last paragraph in Section 5.2 reads:

    If the EAP-Initiate/Re-auth packet is not supported by the SAP, it is
    discarded silently.

and should probably be:

    If the EAP-Initiate/Re-auth packet is not supported by the SAP, it
    SHOULD be discarded silently.

- Another topic, Section 9 (IANA Considerations) reads:

    Further, this document registers an Early authentication usage label
    from the "USRK Key Labels" name space with a value:

       EAP Early-Authentication Root Key@ietf.org

I am missing the sentence to name the master registry where the USRK Key 
Labels subregistry is stored. This is the Extended Master Session Key 
(EMSK) Parameters registry (I guess). And probably this comment is also 
valid for the rest of the IANA actions: the main registry is not named, 
and it is hard to find it.

Miguel A. Garcia
Ericsson Spain
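The quoted Section 3 paragraph prescribes a fixed order of server-side checks (rIK lookup by keyName, integrity and freshness, peer identity, CAP authorization) before any pMSK is derived, with the sequence number as a KDF input and HMAC-SHA256-128 as the mandatory-to-implement integrity algorithm. The following is an added illustration of that check order, written for this archive page; it is not code from the draft, from RFC 6696 or from the HOKEY working group. The wire layout of the message, the `PMSK_LABEL`, the pMSK length and the HMAC-based KDF are all assumptions made for the example; only the check order and the use of a 128-bit truncated HMAC-SHA256 follow the quoted text.

```python
"""Illustrative ERP/AAK server check order. Added example, not the draft's code.

Assumed message layout (NOT the draft's wire format):
    keyName-NAI | 0x00 | seq (uint16 BE) | CAP-Identifier(s), comma separated | 0x00 | MAC(16)
"""
import hashlib
import hmac
import struct

MAC_LEN = 16                 # HMAC-SHA256-128: SHA-256 HMAC truncated to 128 bits
PMSK_LEN = 64                # assumed pMSK length for this example
PMSK_LABEL = b"example-pMSK"  # assumed KDF label, not a registered USRK label


def mac128(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 truncated to 128 bits, the mandatory-to-implement algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def build_message(keyname_nai: str, seq: int, cap_ids: str, rik: bytes) -> bytes:
    """Peer side: assemble the assumed toy message and protect it with the rIK."""
    body = keyname_nai.encode() + b"\x00" + struct.pack(">H", seq) + cap_ids.encode() + b"\x00"
    return body + mac128(rik, body)


def parse_message(msg: bytes):
    """Split the assumed layout; raises on malformed input so the caller can reject it."""
    body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
    nai, rest = body.split(b"\x00", 1)
    seq = struct.unpack(">H", rest[:2])[0]
    if not rest.endswith(b"\x00"):
        raise ValueError("missing CAP-Identifier terminator")
    cap_ids = rest[2:-1].decode()
    return nai.decode(), seq, cap_ids, body, mac


def derive_pmsk(prk: bytes, cap_id: str, seq: int) -> bytes:
    """Assumed HMAC-based KDF; the sequence number is an input, as the text requires."""
    info = PMSK_LABEL + cap_id.encode() + struct.pack(">H", seq)
    return hmac.new(prk, info, hashlib.sha512).digest()[:PMSK_LEN]


class ErpAakServer:
    def __init__(self, peers: dict, authorized_caps: set):
        # peers: keyName (username portion of the keyName-NAI) -> {"rIK": bytes, "pRK": bytes}
        self.peers = peers
        self.authorized_caps = authorized_caps
        self.last_seq = {}  # keyName -> highest sequence number accepted so far

    def handle(self, msg: bytes) -> dict:
        """Return {"result": 0, "pmsk": {cap: key}} on success, {"result": 1} on any failure.

        result 1 models EAP-Finish/Re-auth with E-flag set and Result flag '1'.
        """
        try:
            nai, seq, cap_ids, body, mac = parse_message(msg)
        except (ValueError, struct.error, UnicodeDecodeError):
            return {"result": 1}
        # Identity and key lookup: the username portion of the keyName-NAI must name a known peer.
        keyname = nai.split("@", 1)[0]
        entry = self.peers.get(keyname)
        if entry is None:
            return {"result": 1}
        # Integrity: constant-time comparison of the truncated HMAC under the peer's rIK.
        if not hmac.compare_digest(mac128(entry["rIK"], body), mac):
            return {"result": 1}
        # Freshness: the sequence number must advance; replays are rejected.
        if seq <= self.last_seq.get(keyname, -1):
            return {"result": 1}
        self.last_seq[keyname] = seq
        # Authorization: every CAP named in the CAP-Identifier field must be authorized.
        caps = cap_ids.split(",")
        if not all(cap in self.authorized_caps for cap in caps):
            return {"result": 1}
        # Success: one pMSK per CAP, derived from the pRK with the sequence number as input.
        return {"result": 0, "pmsk": {cap: derive_pmsk(entry["pRK"], cap, seq) for cap in caps}}


if __name__ == "__main__":
    # Constructed sample keys and a single peer/CAP configuration.
    rik, prk = bytes([1]) * 32, bytes([2]) * 32
    server = ErpAakServer({"rik1": {"rIK": rik, "pRK": prk}}, {"capA", "capB"})
    msg = build_message("rik1@example.com", 1, "capA,capB", rik)
    print(server.handle(msg)["result"], server.handle(msg)["result"])  # 0 then 1 (replay)
```

The order matters for a defender: the rIK lookup and MAC check run before anything that depends on message content, so a forged or replayed message never reaches CAP authorization or key derivation, and the single `result: 1` outcome for every failure mirrors the draft's one finish message rather than leaking which check failed.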