Re: [HOKEY] ERX-12 -- Please review changes

Hi Lakshminath,

Lakshminath Dondeti wrote:
> Hi Bernard,
>
> I have reviewed draft-ohba-eap-kde-01 before and it does not meet fast 
> reauthentication goals. 
Please see my comments inline.

>  Please see below:
>
> On 2/25/2008 3:24 PM, Bernard Aboba wrote:
>> [BA] I've recently seen a draft (from Yoshi, submitted today) that  seems
>> to provide similar functionality with no changes to RFC 3748.  Although
>> I haven't reviewed the document in depth, it did seem to provide
>> method-independent re-authentication without multiple round-trips
>> (at least for case of a local ERX server, which is the most important
>> one from a performance point of view). 
>
> The number of roundtrips on the access link is 3,
>  if we take connection 
> open or an equivalent into account.  With ERP, the peer can start 
> sending authenticated data after 1 RT.
>
>> This document will probably be discussed in IEEE 802, which could adopt
>> it as their approach to EAP re-authentication going forward.
>
> In other access technologies, the handover latency requirements are more 
> stringent and they have already adopted ERP and waiting for publication 
> of the ERP RFC.  Without further optimizations, 802.11 with 3 RTs or 
> more for connection setup and EAP-KDE and 2 more for the 4-way exchange 
> has little to no hope of really achieving low handover latency.

The reality is EAP-KDE is only adding a roundtrip in the ACCESS LINK 
(between peer and authenticator) with respect to ERP,
and NOT between authenticator and server, which is actually the bottleneck.

EAP-KDE:

<-- EAP-Request/KDE{KDE0}
--> EAP-Response/KDE{KDE1}   --> AAA{KDE2}
<-- EAP-Request/KDE{KDE4}    <-- AAA{KDE3, authorization data}
--> EAP-Response/KDE{}
<-- EAP-Success

ERP:

<-- EAP Initiate/Re-auth-Start
--> EAP Initiate/Re-auth --> AAA{EAP Initiate/Re-auth}
<-- EAP Finish/Re-auth <-- AAA{EAP Finish/Re-auth}

As you may observe, this additional roundtrip is exchanged between peer 
and authenticator. Furthermore, EAP-Response/KDE{} and EAP Success are 
very simple messages, so i would expect a really low processing time. So 
my question is how many ms do you expect in that exchange in order to 
affirm it does not meet a fast re-authentication goal?.

Furthermore, as Yoshi mentioned pre-authentication is also possible 
(e.g. based on EAP-KDE) and that time would not affect at all.

In any case, the situation is that ERP would require modifications in 
EAP-layer and existing EAP lower-layers to operate, but EAP-KDE avoids 
those modifications (at the cost of an additional single roundtrip in 
the access link which, to me, it should not be a major problem).

> -- 
> ------------------------------------------------------
> Rafael Marin Lopez
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34968398501    e-mail: rafa@um.es
> ------------------------------------------------------
>   
_______________________________________________
HOKEY mailing list
HOKEY@ietf.org
http://www.ietf.org/mailman/listinfo/hokey