Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
Tina TSOU <Tina.Tsou.Zouting@huawei.com> Thu, 01 September 2011 15:59 UTC
Date: Thu, 01 Sep 2011 16:00:52 +0000
From: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
In-reply-to: <4E5F7109.6040907@gmail.com>
To: Glen Zorn <glenzorn@gmail.com>, Zhen Cao <zehn.cao@gmail.com>
Message-id: <C0E0A32284495243BDE0AC8A066631A88AD958@szxeml526-mbs.china.huawei.com>
References: <4E3A81CB.3070106@net-zen.net>
<CAProHARuiSdSuNfDf3JWKPOkLxdvQLL2E-RKrbO_YKgjnfaAow@mail.gmail.com>
<4E5F7109.6040907@gmail.com>
Cc: "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design

Hi,

We need an AAA consideration section.

Best Regards,
Tina TSOU
http://tinatsou.weebly.com/contact.html

-----Original Message-----
From: hokey-bounces@ietf.org [mailto:hokey-bounces@ietf.org] On Behalf Of Glen Zorn
Sent: Thursday, September 01, 2011 4:48 AM
To: Zhen Cao
Cc: hokey@ietf.org
Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design

On 8/10/2011 10:38 AM, Zhen Cao wrote:
> I have read the latest (draft-ietf-hokey-arch-design) version of this
> draft and think it is ready for publication. However I have some
> additional comments to this draft below:
>
> Section 1, It said
> "
> whereas in AAK the client interacts with the AAA to discover and
> connect to CAPs.
> "
> [Z]: How to understand "discover"? It seems for AAK, there are
> potentially two possible cases.
> case 1: the client has already discovered a list of CAPs and negotiates
> with the AAA to choose one appropriate CAP from the CAPs list.
> case 2: the client only knows a layer-2 identifier as index and then
> the client uses the index to look up the appropriate CAP by interacting
> with the AAA. Which case is correct?

I think that the text regarding AAK in Section 1 is seriously flawed. It says:

   Early authentication includes direct and indirect pre-authentication
   as well as Authenticated Anticipatory Keying (AKK). All three
   mechanisms provide means to execute a full EAP authentication with a
   Candidate Access Point (CAP) while still being connected to the
   Serving Access Point (SAP) but vary in their respective system
   assumptions and communication paths. In particular, direct
   pre-authentication assumes that clients are capable of discovering
   candidate access points and all communications are routed through
   the serving access point. On the other hand, indirect
   pre-authentication assumes an existing relationship between SAP and
   CAP, whereas in AAK the client interacts with the AAA to discover and
   connect to CAPs.

However, RFC 5836 says (about AAK):

6.2. The Authenticated Anticipatory Keying Usage Model

   In this model, it is assumed that there is no trust relationship
   between the SAP and the CAP, and the SAP is required to interact with
   the AAA server directly. The authenticated anticipatory keying usage
   model is illustrated in Figure 6.

   Mobile        Serving                AAA Server         Candidate
   Device        Attachment Point                          Attachment
                 (SAP)                                     Point (CAP)
   +---------+   +------------------+   +-----------------+  +--------+
   |         |   |                  |   |                 |  |        |
   |  Peer   |   |  Authenticator   |   |   EAP Server    |  |  AAA   |
   |         |   |                  |   |                 |  | Client |
   +---------+   +------------------+   +-----------------+  +--------+
   | MD-SA   |<->| MD-SAP |SAP-AAA  |<->|SAP-AAA |CAP-AAA |<>|CAP-AAA |
   +---------+   +------------------+   +--------+--------+  +--------+
   {------------------------------Signaling---------------------------}

        Figure 6: Authenticated Anticipatory Keying Usage Model

   The SAP is involved in EAP authenticated anticipatory keying
   signaling. The role of the serving attachment point in this usage
   model is to communicate with the peer on one side and exchange
   authenticated anticipatory keying signaling with the EAP server on
   the other side. The role of the candidate authenticator is to
   receive the transported keying materials from the EAP server and to
   act as the serving attachment point after handover occurs. The
   MD-SAP signaling is performed over L2 or L3; the SAP-AAA and AAA-CAP
   segments operate over L3.

So, the AAK client doesn't interact with AAA for any purpose (being an EAP entity, how could it?) & furthermore, AAK doesn't necessarily require a full EAP authentication at all (see ERP-AAK). I think that this needs to be rewritten; any suggestions for text?

> Section 3.1.2 "Minimized User Interaction for authorization"
> [Z]: This section seems redundant since the previous section has
> already covered this case.

Is that really so, though? Minimizing the communication with home servers doesn't seem to imply minimizing user interaction to me, but maybe I'm wrong.

> Suggest to merge section 3.1.2 into section
> 3.1.1 or just delete the section 3.1.2.
>
> Section 6:
> [Z]: In Quebec meeting, the case where multiple servers are located in
> the same domain has been well discussed. I am thinking if this case
> should be taken into account in this section or leave this case out
> of scope of hokey architecture?

I was going to suggest putting it into the AAA considerations section but there doesn't seem to be one ;-).

...
_______________________________________________
HOKEY mailing list
HOKEY@ietf.org
https://www.ietf.org/mailman/listinfo/hokey
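A small model of the signaling paths in the AAK usage model quoted in the message above, added here as an illustration; it is not code from the HOKEY WG, the draft or RFC 5836. The entity and segment names (peer, SAP, EAP server, CAP's AAA client; MD-SAP, SAP-AAA, CAP-AAA) are taken from Figure 6. The message contents, the `AAK-Request`/`Key-Transport` names and the HMAC-based per-CAP key derivation are constructed placeholders assumed for the walk-through, not the ERP-AAK key hierarchy, which this page does not describe.

```python
"""Model of the signaling paths in the AAK usage model (RFC 5836, Figure 6).

Added example for this thread; not code from the HOKEY WG, the draft or
RFC 5836. Entity and segment names follow the figure; message contents and
the HMAC-based key derivation are constructed placeholders (assumption).
"""
from collections import deque
import hashlib
import hmac

# The three segments the figure draws, and the layer each runs over.
# The peer (mobile device) has exactly one segment: to the SAP.
SEGMENTS = {
    frozenset({"peer", "sap"}): "MD-SAP (L2 or L3)",
    frozenset({"sap", "eap_server"}): "SAP-AAA (L3)",
    frozenset({"eap_server", "cap"}): "CAP-AAA (L3)",
}


class NoSignalingPath(Exception):
    """Raised when a message would cross a segment the figure does not draw."""


def has_segment(a, b):
    """True if the figure draws a direct signaling segment between a and b."""
    return frozenset({a, b}) in SEGMENTS


def segment(a, b):
    """Name of the direct segment between a and b, or NoSignalingPath."""
    if not has_segment(a, b):
        raise NoSignalingPath(f"{a} <-> {b}: no such segment in Figure 6")
    return SEGMENTS[frozenset({a, b})]


def route(src, dst):
    """Hop-by-hop path from src to dst using only the figure's segments (BFS)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for seg in SEGMENTS:
            if node in seg:
                (nxt,) = seg - {node}
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
    if dst not in prev:
        raise NoSignalingPath(f"{src} cannot reach {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def derive_cap_key(root_key, cap_id):
    """Placeholder derivation (assumption): bind a per-CAP key to the CAP identity."""
    return hmac.new(root_key, b"aak-placeholder|" + cap_id, hashlib.sha256).digest()


def aak_keying(root_key, cap_id):
    """Walk one AAK exchange over the figure's segments.

    Returns (trace, peer_key, cap_key); trace is a list of
    (sender, receiver, segment, message). Every send() is checked against
    SEGMENTS, so a peer-to-AAA message would raise rather than be delivered.
    """
    trace = []

    def send(src, dst, msg):
        trace.append((src, dst, segment(src, dst), msg))

    cap = cap_id.decode()
    send("peer", "sap", f"AAK-Request cap={cap}")                  # MD-SAP
    send("sap", "eap_server", f"AAK-Request cap={cap} peer=peer")  # SAP-AAA
    # The EAP server holds the root key, derives the CAP key and transports it
    # to the candidate's AAA client; the peer is not on this segment.
    cap_key = derive_cap_key(root_key, cap_id)
    send("eap_server", "cap", f"Key-Transport cap={cap} key={cap_key.hex()[:16]}..")
    send("eap_server", "sap", "AAK-Response ok")                   # SAP-AAA
    send("sap", "peer", "AAK-Response ok")                         # MD-SAP
    # The peer derives the same key from the root key it shares with the server.
    peer_key = derive_cap_key(root_key, cap_id)
    return trace, peer_key, cap_key


def peer_reaches_aaa_directly(trace):
    """True if any delivered message joins the peer to the EAP server or CAP."""
    return any("peer" in (s, d) and {s, d} & {"eap_server", "cap"}
               for s, d, _, _ in trace)


if __name__ == "__main__":
    trace, pk, ck = aak_keying(b"constructed-root-key", b"cap-7")
    for s, d, seg, msg in trace:
        print(f"{s:>10} -> {d:<10} [{seg}] {msg}")
    print("keys match:", pk == ck,
          "| peer touches AAA directly:", peer_reaches_aaa_directly(trace))
```

Running it prints the five hops of the exchange and their segments. The point of the adjacency check is to make the objection in the message testable: `has_segment("peer", "eap_server")` is false, so any text saying the client "interacts with the AAA" can only mean interaction relayed through the SAP over the MD-SAP segment, and the key the CAP receives travels on the CAP-AAA segment that the peer never sees.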