Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
Glen Zorn <glenzorn@gmail.com> Thu, 01 September 2011 11:47 UTC
Return-Path: <glenzorn@gmail.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 38C5C21F8AB9 for <hokey@ietfa.amsl.com>;
Thu, 1 Sep 2011 04:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000,
BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EfGtVZ0AjPSU for
<hokey@ietfa.amsl.com>; Thu, 1 Sep 2011 04:47:05 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com
[209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE9321F8A71 for
<hokey@ietf.org>; Thu, 1 Sep 2011 04:47:05 -0700 (PDT)
Received: by yie12 with SMTP id 12so1634092yie.31 for <hokey@ietf.org>;
Thu, 01 Sep 2011 04:48:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=message-id:date:from:user-agent:mime-version:to:cc:subject
:references:in-reply-to:content-type:content-transfer-encoding;
bh=BLoMUbmZiVJUPTnlG2zfEdgA4J8MT3jh8h364YkrI8A=;
b=q8xLSt0h5Q/jaju9SZLOEGvc2zxqf4//ExDW94JSGijjstwmukHGrQDR5649dbL4zF
j8U80zJG0/IRgYNYh88pD3IzgzNBeQkQJcXs8ZCdjiPcG2wAiDhL0Ctif4P/1cV4LQ5x
khpSYvTpKkqhVdvlZy8/JOUm8i71ODQSY8FUs=
Received: by 10.91.16.31 with SMTP id t31mr99541agi.165.1314877717968;
Thu, 01 Sep 2011 04:48:37 -0700 (PDT)
Received: from [192.168.1.98] (ppp-124-122-65-198.revip2.asianet.co.th
[124.122.65.198]) by mx.google.com with ESMTPS id
v4sm493864ank.51.2011.09.01.04.48.33 (version=SSLv3 cipher=OTHER);
Thu, 01 Sep 2011 04:48:36 -0700 (PDT)
Message-ID: <4E5F7109.6040907@gmail.com>
Date: Thu, 01 Sep 2011 18:48:25 +0700
From: Glen Zorn <glenzorn@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: Zhen Cao <zehn.cao@gmail.com>
References: <4E3A81CB.3070106@net-zen.net>
<CAProHARuiSdSuNfDf3JWKPOkLxdvQLL2E-RKrbO_YKgjnfaAow@mail.gmail.com>
In-Reply-To: <CAProHARuiSdSuNfDf3JWKPOkLxdvQLL2E-RKrbO_YKgjnfaAow@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: hokey@ietf.org
Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>,
<mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>,
<mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2011 11:47:06 -0000
On 8/10/2011 10:38 AM, Zhen Cao wrote:
> I have read the latest (draft-ietf-hokey-arch-design) version of this
> draft and think it is ready for publication. However I have some
> additional comments to this draft below:
> Section 1, It said
> "
> whereas in AAK the client interacts with the AAA to discover and
> connect to CAPs.
> "
> [Z]: How to understand "discover"? It seems for AAK, there are
> potentially two possible cases.
> case 1: the client has already discovered a list of CAPs and negotiate
> with the AAA to choose one appropriate CAP from the CAPs list.
> case 2: the client only knows a layer-2 identifier as index and then
> the client use index to lookup appropirate CAP by interacting with the
> AAA. which case is correct?
I think that the text regarding AAK in Section 1 is seriously flawed.
It says:
Early authentication includes direct
and indirect pre-authentication as well as Authenticated Anticipatory
Keying (AKK). All three mechanisms provide means to execute a full
EAP authentication with a Candidate Access Point (CAP) while still
being connected to the Serving Access Point (SAP) but vary in their
respective system assumptions and communication paths. In
particular, direct pre-authentication assumes that clients are
capable of discovering candidate access points and all communications
are routed through the serving access point. On the other hand,
indirect pre-authentication assumes an existing relationship between
SAP and CAP, whereas in AAK the client interacts with the AAA to
discover and connect to CAPs.
However, RFC 5836 says (about AAK):
6.2. The Authenticated Anticipatory Keying Usage Model
In this model, it is assumed that there is no trust relationship
between the SAP and the CAP, and the SAP is required to interact with
the AAA server directly. The authenticated anticipatory keying usage
model is illustrated in Figure 6.
Mobile Serving AAA Server Candidate
Device Attachment Point Attachment
(SAP) Point (CAP)
+---------+ +------------------+ +-----------------+ +--------+
| | | | | | | |
| Peer | | Authenticator | | EAP Server | | AAA |
| | | | | | | Client |
+---------+ +------------------+ +-----------------+ +--------+
| MD-SA |<->| MD-SAP |SAP-AAA |<->|SAP-AAA |CAP-AAA |<>|CAP-AAA |
+---------+ +------------------+ +--------+--------+ +--------+
{------------------------------Signaling---------------------------}
Figure 6: Authenticated Anticipatory Keying Usage Model
The SAP is involved in EAP authenticated anticipatory keying
signaling.
The role of the serving attachment point in this usage model is to
communicate with the peer on one side and exchange authenticated
anticipatory keying signaling with the EAP server on the other side.
The role of the candidate authenticator is to receive the transported
keying materials from the EAP server and to act as the serving
attachment point after handover occurs. The MD-SAP signaling is
performed over L2 or L3; the SAP-AAA and AAA-CAP segments operate
over L3.
So, the AAK client doesn't interact with AAA for any purpose (being an
EAP entity, how could it?) & furthermore, AAK doesn't necessarily
require a full EAP authentication at all (see ERP-AAK). I think that
this needs to be rewritten; any suggestions for text?
>
> Section 3.1.2 "Minimized User Interaction for authorization"
> [Z]: This section seems redundant since the previous section has
> already cover this case.
Is that really so, though? Minimizing the communication with home
servers doesn't seem to imply minimizing user interaction to me, but
maybe I'm wrong.
> Suggest to merge section 3.1.2 into section
> 3.1.1 or just delete the section 3.1.2.
>
> Section 6:
> [Z]:In Quebec meeting, the case where multiple servers are located in
> the same domain has been
> well discussed. I am thinking if this case should be taken into
> account in this section or leave
> this case out of scope of hokey architecture?
I was going to suggest putting it into the AAA considerations section
but their doesn't seem to be one ;-).
...
- [HOKEY] WGLC on draft-ietf-hokey-arch-design Glen Zorn
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design andy L
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Zhen Cao
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design andy L
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Glen Zorn
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Tina TSOU
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Qin Wu
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Glen Zorn
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Qin Wu
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Qin Wu
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Glen Zorn
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Qin Wu
- Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design Zhen Cao