[HOKEY] Proposed changes to draft-ietf-hokey-5296bis
Qin Wu <sunseawq@huawei.com> Tue, 03 May 2011 07:14 UTC
Return-Path: <sunseawq@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 16A0FE0780 for <hokey@ietfa.amsl.com>;
Tue, 3 May 2011 00:14:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.54
X-Spam-Level:
X-Spam-Status: No, score=-0.54 tagged_above=-999 required=5 tests=[AWL=0.971,
BAYES_00=-2.599, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001,
MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQxkweeM6x70 for
<hokey@ietfa.amsl.com>; Tue, 3 May 2011 00:14:34 -0700 (PDT)
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66])
by ietfa.amsl.com (Postfix) with ESMTP id 35B11E06DB for <hokey@ietf.org>;
Tue, 3 May 2011 00:14:34 -0700 (PDT)
Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com
(iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id
<0LKL00LMHYOWRA@szxga03-in.huawei.com> for hokey@ietf.org;
Tue, 03 May 2011 15:12:33 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga03-in.huawei.com (iPlanet
Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id
<0LKL003JMYOW02@szxga03-in.huawei.com> for hokey@ietf.org;
Tue, 03 May 2011 15:12:32 +0800 (CST)
Received: from w53375 ([10.138.41.70]) by szxml06-in.huawei.com (iPlanet
Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id
<0LKL00DEHYOR8F@szxml06-in.huawei.com> for hokey@ietf.org;
Tue, 03 May 2011 15:12:27 +0800 (CST)
Date: Tue, 03 May 2011 15:15:54 +0800
From: Qin Wu <sunseawq@huawei.com>
To: hokey@ietf.org
Message-id: <04cd01cc0961$f166ddf0$46298a0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3664
X-Mailer: Microsoft Outlook Express 6.00.2900.3664
Content-type: multipart/alternative;
boundary="Boundary_(ID_u2lUOLq7IJFvdkfTNihqOA)"
X-Priority: 3
X-MSMail-priority: Normal
Subject: [HOKEY] Proposed changes to draft-ietf-hokey-5296bis
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>,
<mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>,
<mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 May 2011 07:14:36 -0000
Following our discussion on the list and feedback in the last IETF meeting on simplify boostrapping, we investigate the benefit and disadvantages of
this issue. The issue can be discussed in two aspects:
======================================================================
a. Deprecate the flag ‘B’
Pro:
In implicit bootstrapping, ‘B’ flag is useless since peer will not send out ERP message;
In Explicit bootstrapping, ‘B’ flag can be used to trigger ERP message to go back to home domain and obtain the
local domain name and related keying materials
Con:
In both above cases, local ER server can decide if forward ERP message to the home domain
according to if the local server has keying materials for the peer.
============================================================================================
b. Mandate including both the name of the home domain and one of the local domain in ERP requests
Pro:
the local ER server decide if respond directly to the peer by comparing the domain name in the request with its own domain name
Con:
Need to assign two new TLVs to carry both home domain and local domain, which introduce transmission and computation complexity.
Also the local ER server decide if respond directly to the peer by comparing the realm part of keyName-NAI with its own domain name.
============================================================================================================
Based on these analysis, my understanding is 'B' flag has its value in explicit bootstapping secario, However if the local ER server has the valid
key materials corresponding to the peer, it MUST be able to respond directly in the same way as the home ER server does without forwarding
the ERP message to the home domain, even if this message contains the 'B'(bootstrapping) flag. Furthermore, if the ER authenticator has the valid
key materials corresponding to the peer and know the local domain name, it MUST also be able to repsond directly in the same way as the local ER server does.
Also I don't think it is a good idea to define two separate TLV for home domain name and local domain name and mandate including
both the name of the home domain and one of the local domain in ERP requests. This overdesign will introduce extra transmission and computation overhead.
Instead, we can use 'B' flag, existing TLV for domain name or KeyName-NAI TLV to help local ER server to determine whether ER message should be
forwarded to the home server.
If 'B' flag is carried in the ER message and TLV for domain name or realm name part of KeyName-NAI TLV carry home realm name, the local ER server doesn't have
keying materials, the ER message MUST be forwarded to the home server.
If 'B' flag is carried in the ER message and local ER server has keying materials corresponding to the peer, the local ER server should be able to respond to the peer directly.
So this note provides the proposed text changes to address this issue.
================================================================================
Section 5.1 the first paragraph:
Proposed new text:
In implicit bootstrapping, the local AAA client or Agent MUST
verify whether it has valid rMSK or rRK corresponding to the
peer. If the local AAA client or Agent has the key materials
corresponding to the peer, it MUST be able to respond directly
in the same way as the home AAA server does without forwarding
the ERP message to the home domain,
=====================================================================================
Section 5.1 paragraph 2, bullet item 4:
Proposed new text:
Upon receipt of the EAP-Initiate/Re-auth message from a peer,
the ERP-capable authenticator verifies whether it has local domain
name and valid key materials corresponding to the peer. If it knows
local domain name and valid key material corresponding to the peer,
it MUST be able to respond directly in the same way as the home
ER does with local domain name included.
======================================================================================
Section 5.1, paragraph 2 bullet item 5:
Proposed new text:
If the local ER server has the valid key materials corresponding to the peer,
it MUST be able to respond directly in the same way as the home ER server
does without forwarding the ERP message to the home domain, even if this
message contains the 'B'(bootstrapping) flag.
Many thanks to Sebastien in particular for his valuabable comments.
Regards!
-Qin