IETF Logo Mail Archive

Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design

Qin Wu <bill.wu@huawei.com> Sat, 08 October 2011 02:39 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F04BC21F8B42 for <hokey@ietfa.amsl.com>; Fri, 7 Oct 2011 19:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.637
X-Spam-Level:
X-Spam-Status: No, score=-5.637 tagged_above=-999 required=5 tests=[AWL=0.962, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5z1vgKyJ5RCZ for <hokey@ietfa.amsl.com>; Fri, 7 Oct 2011 19:39:46 -0700 (PDT)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [119.145.14.64]) by ietfa.amsl.com (Postfix) with ESMTP id D085521F8B3C for <hokey@ietf.org>; Fri, 7 Oct 2011 19:39:45 -0700 (PDT)
Received: from huawei.com (szxga05-in [172.24.2.49]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LSQ00G2J7JMY6@szxga05-in.huawei.com> for hokey@ietf.org; Sat, 08 Oct 2011 10:42:58 +0800 (CST)
Received: from szxrg01-dlp.huawei.com ([172.24.2.119]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LSQ00KKL7JLEO@szxga05-in.huawei.com> for hokey@ietf.org; Sat, 08 Oct 2011 10:42:58 +0800 (CST)
Received: from szxeml205-edg.china.huawei.com ([172.24.2.119]) by szxrg01-dlp.huawei.com (MOS 4.1.9-GA) with ESMTP id AEH63515; Sat, 08 Oct 2011 10:42:58 +0800
Received: from SZXEML406-HUB.china.huawei.com (10.82.67.93) by szxeml205-edg.china.huawei.com (172.24.2.57) with Microsoft SMTP Server (TLS) id 14.1.270.1; Sat, 08 Oct 2011 10:42:51 +0800
Received: from w53375q (10.138.41.130) by szxeml406-hub.china.huawei.com (10.82.67.93) with Microsoft SMTP Server (TLS) id 14.1.270.1; Sat, 08 Oct 2011 10:42:49 +0800
Date: Sat, 08 Oct 2011 10:42:49 +0800
From: Qin Wu <bill.wu@huawei.com>
X-Originating-IP: [10.138.41.130]
To: Glen Zorn <glenzorn@gmail.com>
Message-id: <2DFC486C8ECD4C36A9CC601C6F60FC0C@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
X-CFilter-Loop: Reflected
References: <4E3A81CB.3070106@net-zen.net> <CAProHARuiSdSuNfDf3JWKPOkLxdvQLL2E-RKrbO_YKgjnfaAow@mail.gmail.com> <4E5F7109.6040907@gmail.com> <A7F85312C4F3414192BA49C44F61DD3F@china.huawei.com> <4E8ACB9C.90803@gmail.com>
Cc: hokey@ietf.org
Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2011 02:39:47 -0000

Hi,
----- Original Message ----- 
From: "Glen Zorn" <glenzorn@gmail.com>
To: "Qin Wu" <bill.wu@huawei.com>
Cc: <hokey@ietf.org>
Sent: Tuesday, October 04, 2011 5:02 PM
Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design


> On 9/2/2011 8:59 AM, Qin Wu wrote:
> 
>> H,:
>> ----- Original Message ----- 
>> From: "Glen Zorn" <glenzorn@gmail.com>
>> To: "Zhen Cao" <zehn.cao@gmail.com>
>> Cc: <hokey@ietf.org>
>> Sent: Thursday, September 01, 2011 7:48 PM
>> Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
>> 
>> 
>>> On 8/10/2011 10:38 AM, Zhen Cao wrote:
>>>> I have read the latest (draft-ietf-hokey-arch-design) version of this
>>>> draft and think it is ready for publication. However I have some
>>>> additional comments to this draft below:
>>>> Section 1, It said
>>>> "
>>>> whereas in AAK the client interacts with the AAA to discover and
>>>> connect to CAPs.
>>>> "
>>>> [Z]: How to understand "discover"? It seems for AAK, there are
>>>> potentially two possible cases.
>>>> case 1: the client has already discovered a list of CAPs and negotiate
>>>> with the AAA to choose one appropriate CAP from the CAPs list.
>>>> case 2: the client only knows a layer-2 identifier as index and then
>>>> the client use index to lookup appropirate CAP by interacting with the
>>>> AAA. which case is correct?
>> 
>> [Qin]: My understanding is ,in AAK, SAP is capable of discovering CAPs 
>> and is not necessary to rely on client based CAP discovery.
>> 
>>> I think that the text regarding AAK in Section 1 is seriously flawed.
>>> It says:
>>>
>>>   Early authentication includes direct
>>>   and indirect pre-authentication as well as Authenticated Anticipatory
>>>   Keying (AKK).  All three mechanisms provide means to execute a full
>>>   EAP authentication with a Candidate Access Point (CAP) while still
>>>   being connected to the Serving Access Point (SAP) but vary in their
>>>   respective system assumptions and communication paths.  In
>>>   particular, direct pre-authentication assumes that clients are
>>>   capable of discovering candidate access points and all communications
>>>   are routed through the serving access point.  On the other hand,
>>>   indirect pre-authentication assumes an existing relationship between
>>>   SAP and CAP, whereas in AAK the client interacts with the AAA to
>>>   discover and connect to CAPs.
>>>
>>> However, RFC 5836 says (about AAK):
>>>
>>> 6.2.  The Authenticated Anticipatory Keying Usage Model
>>>
>>>   In this model, it is assumed that there is no trust relationship
>>>   between the SAP and the CAP, and the SAP is required to interact with
>>>   the AAA server directly.  The authenticated anticipatory keying usage
>>>   model is illustrated in Figure 6.
>>>
>>>     Mobile            Serving               AAA Server      Candidate
>>>     Device        Attachment Point                          Attachment
>>>                        (SAP)                                Point (CAP)
>>>   +---------+   +------------------+   +-----------------+  +--------+
>>>   |         |   |                  |   |                 |  |        |
>>>   |  Peer   |   |   Authenticator  |   |   EAP Server    |  |  AAA   |
>>>   |         |   |                  |   |                 |  | Client |
>>>   +---------+   +------------------+   +-----------------+  +--------+
>>>   |  MD-SA  |<->|  MD-SAP |SAP-AAA |<->|SAP-AAA |CAP-AAA |<>|CAP-AAA |
>>>   +---------+   +------------------+   +--------+--------+  +--------+
>>>   {------------------------------Signaling---------------------------}
>>>
>>>          Figure 6: Authenticated Anticipatory Keying Usage Model
>>>
>>>   The SAP is involved in EAP authenticated anticipatory keying
>>>   signaling.
>>>
>>>   The role of the serving attachment point in this usage model is to
>>>   communicate with the peer on one side and exchange authenticated
>>>   anticipatory keying signaling with the EAP server on the other side.
>>>   The role of the candidate authenticator is to receive the transported
>>>   keying materials from the EAP server and to act as the serving
>>>   attachment point after handover occurs.  The MD-SAP signaling is
>>>   performed over L2 or L3; the SAP-AAA and AAA-CAP segments operate
>>>   over L3.
>>>
>>> So, the AAK client doesn't interact with AAA for any purpose (being an
>>> EAP entity, how could it?) & furthermore, AAK doesn't necessarily
>>> require a full EAP authentication at all (see ERP-AAK).  I think that
>>> this needs to be rewritten; any suggestions for text?
>> 
>> [Qin]: You are right, to get consistent with what it said in RFC5836, 
>> suggest to change the original text as
>> "
>>    Early authentication includes direct
>>    and indirect pre-authentication as well as Authenticated Anticipatory
>>    Keying (AKK).  All three mechanisms provide means to execute a full
>>    EAP authentication with a Candidate Access Point (CAP) while still
>>    being connected to the Serving Access Point (SAP) but vary in their
>>    respective system assumptions and communication paths.  In
>>    particular, direct pre-authentication assumes that clients are
>>    capable of discovering candidate access points and all communications
>>    are routed through the serving access point.  On the other hand,
>>    indirect pre-authentication assumes an existing relationship between
>>    SAP and CAP, whereas in AAK the SAP does not rely on an existing 
>>   relationship between SAP and CAP to interact with the AAA and the AAA
>>   discover and connect to CAPs through this interaction.
>> "
> 
> If CAP discovery is actually outside the scope of AAK, how about we just
> say that?  For example, something like this:
> 
>   Early authentication includes direct
>   and indirect pre-authentication as well as Authenticated Anticipatory
>   Keying (AAK).  All three mechanisms provide means to execute a full
>   EAP authentication with a Candidate Access Point (CAP) while still
>   being connected to the Serving Access Point (SAP) but vary in their
>   respective system assumptions and communication paths.  In
>   particular, direct pre-authentication assumes that clients are
>   capable of discovering candidate access points and all communications
>   are routed through the serving access point.  On the other hand,
>   indirect pre-authentication assumes an existing relationship between
>   SAP and CAP, whereas the discovery of Candidate Access Points is
>   outside the scope of AAK.

[Qin]: Looks good to me, thank for your proposal.

> ...
> 
>>>> Suggest to merge section 3.1.2 into section
>>>> 3.1.1 or just delete the section 3.1.2.
>>>>
>>>> Section 6:
>>>> [Z]:In Quebec meeting, the case where multiple servers are located in
>>>> the same domain has been
>>>> well discussed. I am thinking if this case should be taken into
>>>> account in this section or leave
>>>> this case out of scope of hokey architecture?
>>>
>>> I was going to suggest putting it into the AAA considerations section
>>> but their doesn't seem to be one ;-).
>> 
>> [Qin]: I thought multiple servers cases is relevant to ERP and should be 
>> discussed in RFC5296bis document. It is not good to discuss the same issue
>> in both two documents. Am I wrong?
> 
> It's not good if the two discussions are different ;-), but if they are
> substantially the same, I think it's OK.

[Qin]: Agree.

> ...
> _______________________________________________
> HOKEY mailing list
> HOKEY@ietf.org
> https://www.ietf.org/mailman/listinfo/hokey
>

v2.8.7 | Report a Bug | By Email