Re: [HOKEY] Change proposal for ERP-AAK - 3: Multiple CAP case support

Qin Wu <bill.wu@huawei.com> Sat, 08 October 2011 04:02 UTC

Date: Sat, 08 Oct 2011 12:05:12 +0800
From: Qin Wu <bill.wu@huawei.com>
To: Glen Zorn <glenzorn@gmail.com>
Message-id: <24B0542929914133BFFC212E52A3E6E3@china.huawei.com>
MIME-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
References: <29A088215B784663B37041D5BCD3B130@china.huawei.com> <4E8C453C.5080400@gmail.com>
Cc: hokey@ietf.org
Subject: Re: [HOKEY] Change proposal for ERP-AAK - 3: Multiple CAP case support
Precedence: list

Hi,
----- Original Message ----- 
From: "Glen Zorn" <glenzorn@gmail.com>
To: "Qin Wu" <bill.wu@huawei.com>
Cc: <hokey@ietf.org>
Sent: Wednesday, October 05, 2011 7:53 PM
Subject: Re: [HOKEY] Change proposal for ERP-AAK - 3: Multiple CAP case support

> On 9/29/2011 4:45 PM, Qin Wu wrote:
> 
>> Hi,
>> As we discussed on the list to the draft-ietf-hokey-erp-aak-04, it is
>> not difficult to support multiple CAP(s) case.
>> However we should make sure each pMSK is calculated for each CAP using
>> different Sequence number, therefore I propose to do the
>> following change to allow two ways to avoid the same pMSK derived for
>> multiple CAP,
>> one way is
>> 
>> The multiple sequence numbers can be derived from SEQ field in the
>> message header by following +1 rule.
>> 
>> e.g., we have 3 CAP, the SEQ field is set to the value 100
>> 
>> so the pMSK for CAP A will be derived using seqence number 100.
>> 
>>     the pMSK for CAP B will be derived using sequence number 100+1
>> 
>>    the pMSK for CAP C will be derived using sequence number 100+2
>> 
>>  
> 
> OK, how does the AAA server know which CAP to send which key?

[Qin]: The simple way is that the AAA sever relies on the CAP order contained in the list of
NAS-Identifiers or CAP-Identifiers.

> 
>> 
>> The second way is directly using Sequence number field carried in the TV
>> of the message for each CAP,and mandate
>> 
>> each sequence number asscicated with each CAP must always follow that
>> CAP. Also I think if multiple Sequenced number TLV are carried for each CAP,
>> 
>> the SEQ field in the ERP/AAK message header should be set to smallest 
>> value contained in the  Sequenced number TLVs. This is more flexible way
>> comparing
>> 
>> with the first way. But I think it will be better to allow both.
> 
> I'm not sure that I understand this, would you mind explaining a little
> more?  

[Qin]: Okay, when multiple CAPs are transported to the the server using EAP-Initiate message,
we may carry multiple CAPs using CAP/NAS-Identifier in one EAP-Initiate message,
also we may carry each CAP in each of multiple EAP-Initiate message.
I don't think the second choice is good choice since it introduce multiple roundtrip.
For the first choice, when multiple CAP(s) are carried in one EAP-Initiate message,
in order to  avoid the pMSK for each CAP using the same sequence number, we 
define new TV payload, i.e.,Sequence number TV. So We can carry different Sequence number
for each CAP, put each sequencer number after each CAP/NAS-Identifier.

>Also, if both are allowed, which one would be mandatory to implement?

[Qin] It dependes on if Sequence number TV payload is mandatory TV payload, if it is,
I think the server should extract each sequence number to generate different pMSK for each CAP.
If it is not, the Sequence number TV payload are not carried in the EAP-Initiate message to the server,
the server should use SEQ field in the EAP-initiate message header to generate different sequence number for each CAP.
Does it make sense?

> ...
>

[HOKEY] Change proposal for ERP-AAK - 3: Multiple… Qin Wu
Re: [HOKEY] Change proposal for ERP-AAK - 3: Mult… Glen Zorn
Re: [HOKEY] Change proposal for ERP-AAK - 3: Mult… Qin Wu