IETF Logo Mail Archive

Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design

Glen Zorn <glenzorn@gmail.com> Tue, 04 October 2011 08:59 UTC

Return-Path: <glenzorn@gmail.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9471421F8CF5 for <hokey@ietfa.amsl.com>; Tue, 4 Oct 2011 01:59:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CymHbxd0A0Go for <hokey@ietfa.amsl.com>; Tue, 4 Oct 2011 01:59:24 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 98BD221F8C65 for <hokey@ietf.org>; Tue, 4 Oct 2011 01:59:24 -0700 (PDT)
Received: by vws5 with SMTP id 5so215555vws.31 for <hokey@ietf.org>; Tue, 04 Oct 2011 02:02:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=YJCouFd/3MMDzg+3AONXlXd9JwrvOmpTIUUKqsy4A9o=; b=i10VBIaLZSiSqt0buDNuK0bml5jIRmi9oxXBRe7kIJttAF50cGs5ppSXGNDjIVAcvp tcQAU5PGSIy4ECa55NJmqrM/+NI0+D9jvy+OOSEmKOLxjt9J3IFu+K0kUIXtIsipMEye zH3oaLkTJ6Tj7k7Vw/rhJ7VgsV8tMN1vZCbxI=
Received: by 10.52.98.5 with SMTP id ee5mr964499vdb.135.1317718948892; Tue, 04 Oct 2011 02:02:28 -0700 (PDT)
Received: from [192.168.1.98] (ppp-124-122-157-65.revip2.asianet.co.th. [124.122.157.65]) by mx.google.com with ESMTPS id em2sm16578367vdc.2.2011.10.04.02.02.24 (version=SSLv3 cipher=OTHER); Tue, 04 Oct 2011 02:02:27 -0700 (PDT)
Message-ID: <4E8ACB9C.90803@gmail.com>
Date: Tue, 04 Oct 2011 16:02:20 +0700
From: Glen Zorn <glenzorn@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Qin Wu <bill.wu@huawei.com>
References: <4E3A81CB.3070106@net-zen.net> <CAProHARuiSdSuNfDf3JWKPOkLxdvQLL2E-RKrbO_YKgjnfaAow@mail.gmail.com> <4E5F7109.6040907@gmail.com> <A7F85312C4F3414192BA49C44F61DD3F@china.huawei.com>
In-Reply-To: <A7F85312C4F3414192BA49C44F61DD3F@china.huawei.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: hokey@ietf.org
Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2011 08:59:25 -0000

On 9/2/2011 8:59 AM, Qin Wu wrote:

> H,:
> ----- Original Message ----- 
> From: "Glen Zorn" <glenzorn@gmail.com>
> To: "Zhen Cao" <zehn.cao@gmail.com>
> Cc: <hokey@ietf.org>
> Sent: Thursday, September 01, 2011 7:48 PM
> Subject: Re: [HOKEY] WGLC on draft-ietf-hokey-arch-design
> 
> 
>> On 8/10/2011 10:38 AM, Zhen Cao wrote:
>>> I have read the latest (draft-ietf-hokey-arch-design) version of this
>>> draft and think it is ready for publication. However I have some
>>> additional comments to this draft below:
>>> Section 1, It said
>>> "
>>> whereas in AAK the client interacts with the AAA to discover and
>>> connect to CAPs.
>>> "
>>> [Z]: How to understand "discover"? It seems for AAK, there are
>>> potentially two possible cases.
>>> case 1: the client has already discovered a list of CAPs and negotiate
>>> with the AAA to choose one appropriate CAP from the CAPs list.
>>> case 2: the client only knows a layer-2 identifier as index and then
>>> the client use index to lookup appropirate CAP by interacting with the
>>> AAA. which case is correct?
> 
> [Qin]: My understanding is ,in AAK, SAP is capable of discovering CAPs 
> and is not necessary to rely on client based CAP discovery.
> 
>> I think that the text regarding AAK in Section 1 is seriously flawed.
>> It says:
>>
>>   Early authentication includes direct
>>   and indirect pre-authentication as well as Authenticated Anticipatory
>>   Keying (AKK).  All three mechanisms provide means to execute a full
>>   EAP authentication with a Candidate Access Point (CAP) while still
>>   being connected to the Serving Access Point (SAP) but vary in their
>>   respective system assumptions and communication paths.  In
>>   particular, direct pre-authentication assumes that clients are
>>   capable of discovering candidate access points and all communications
>>   are routed through the serving access point.  On the other hand,
>>   indirect pre-authentication assumes an existing relationship between
>>   SAP and CAP, whereas in AAK the client interacts with the AAA to
>>   discover and connect to CAPs.
>>
>> However, RFC 5836 says (about AAK):
>>
>> 6.2.  The Authenticated Anticipatory Keying Usage Model
>>
>>   In this model, it is assumed that there is no trust relationship
>>   between the SAP and the CAP, and the SAP is required to interact with
>>   the AAA server directly.  The authenticated anticipatory keying usage
>>   model is illustrated in Figure 6.
>>
>>     Mobile            Serving               AAA Server      Candidate
>>     Device        Attachment Point                          Attachment
>>                        (SAP)                                Point (CAP)
>>   +---------+   +------------------+   +-----------------+  +--------+
>>   |         |   |                  |   |                 |  |        |
>>   |  Peer   |   |   Authenticator  |   |   EAP Server    |  |  AAA   |
>>   |         |   |                  |   |                 |  | Client |
>>   +---------+   +------------------+   +-----------------+  +--------+
>>   |  MD-SA  |<->|  MD-SAP |SAP-AAA |<->|SAP-AAA |CAP-AAA |<>|CAP-AAA |
>>   +---------+   +------------------+   +--------+--------+  +--------+
>>   {------------------------------Signaling---------------------------}
>>
>>          Figure 6: Authenticated Anticipatory Keying Usage Model
>>
>>   The SAP is involved in EAP authenticated anticipatory keying
>>   signaling.
>>
>>   The role of the serving attachment point in this usage model is to
>>   communicate with the peer on one side and exchange authenticated
>>   anticipatory keying signaling with the EAP server on the other side.
>>   The role of the candidate authenticator is to receive the transported
>>   keying materials from the EAP server and to act as the serving
>>   attachment point after handover occurs.  The MD-SAP signaling is
>>   performed over L2 or L3; the SAP-AAA and AAA-CAP segments operate
>>   over L3.
>>
>> So, the AAK client doesn't interact with AAA for any purpose (being an
>> EAP entity, how could it?) & furthermore, AAK doesn't necessarily
>> require a full EAP authentication at all (see ERP-AAK).  I think that
>> this needs to be rewritten; any suggestions for text?
> 
> [Qin]: You are right, to get consistent with what it said in RFC5836, 
> suggest to change the original text as
> "
>    Early authentication includes direct
>    and indirect pre-authentication as well as Authenticated Anticipatory
>    Keying (AKK).  All three mechanisms provide means to execute a full
>    EAP authentication with a Candidate Access Point (CAP) while still
>    being connected to the Serving Access Point (SAP) but vary in their
>    respective system assumptions and communication paths.  In
>    particular, direct pre-authentication assumes that clients are
>    capable of discovering candidate access points and all communications
>    are routed through the serving access point.  On the other hand,
>    indirect pre-authentication assumes an existing relationship between
>    SAP and CAP, whereas in AAK the SAP does not rely on an existing 
>   relationship between SAP and CAP to interact with the AAA and the AAA
>   discover and connect to CAPs through this interaction.
> "

If CAP discovery is actually outside the scope of AAK, how about we just
say that?  For example, something like this:

   Early authentication includes direct
   and indirect pre-authentication as well as Authenticated Anticipatory
   Keying (AAK).  All three mechanisms provide means to execute a full
   EAP authentication with a Candidate Access Point (CAP) while still
   being connected to the Serving Access Point (SAP) but vary in their
   respective system assumptions and communication paths.  In
   particular, direct pre-authentication assumes that clients are
   capable of discovering candidate access points and all communications
   are routed through the serving access point.  On the other hand,
   indirect pre-authentication assumes an existing relationship between
   SAP and CAP, whereas the discovery of Candidate Access Points is
   outside the scope of AAK.

...

>>> Suggest to merge section 3.1.2 into section
>>> 3.1.1 or just delete the section 3.1.2.
>>>
>>> Section 6:
>>> [Z]:In Quebec meeting, the case where multiple servers are located in
>>> the same domain has been
>>> well discussed. I am thinking if this case should be taken into
>>> account in this section or leave
>>> this case out of scope of hokey architecture?
>>
>> I was going to suggest putting it into the AAA considerations section
>> but their doesn't seem to be one ;-).
> 
> [Qin]: I thought multiple servers cases is relevant to ERP and should be 
> discussed in RFC5296bis document. It is not good to discuss the same issue
> in both two documents. Am I wrong?

It's not good if the two discussions are different ;-), but if they are
substantially the same, I think it's OK.

...

v2.8.7 | Report a Bug | By Email