Re: [consensus] comments on draft-housley-aaa-key-mgmt-07.txt
"Dan Harkins" <dharkins@lounge.org> Mon, 02 April 2007 21:28 UTC
Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HYU4I-0006pA-C0; Mon, 02 Apr 2007 17:28:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HYU4G-0006ol-Pt for ietf@ietf.org; Mon, 02 Apr 2007 17:28:00 -0400
Received: from colo.trepanning.net ([69.55.226.174] helo=mail1.trepanning.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HYU4F-00033B-Cf for ietf@ietf.org; Mon, 02 Apr 2007 17:28:00 -0400
Received: from www.trepanning.net (localhost [127.0.0.1]) by mail1.trepanning.net (Postfix) with ESMTP id 7DEF11FA6740; Mon, 2 Apr 2007 14:27:56 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Mon, 2 Apr 2007 14:27:56 -0700 (PDT)
Message-ID: <52310.69.12.173.8.1175549276.squirrel@www.trepanning.net>
In-Reply-To: <tsld52qipph.fsf_-_@cz.mit.edu>
References: <41825.12.108.168.179.1171660575.squirrel@www.trepanning.net> <tslwt2hiybm.fsf@cz.mit.edu> <C24CB51D5AA800449982D9BCB90325134F192B@NAEX13.na.qualcomm.com> <tslfy947pol.fsf@cz.mit.edu> <45D73CEB.2000701@qualcomm.com> <C24CB51D5AA800449982D9BCB90325134F192D@NAEX13.na.qualcomm.com> <0C7B902B470A264FA64D66CBF76FB821014CD3F6@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com> <C24CB51D5AA800449982D9BCB90325134F1947@NAEX13.na.qualcomm.com> <tsld52qipph.fsf_-_@cz.mit.edu>
Date: Mon, 02 Apr 2007 14:27:56 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Sam Hartman <hartmans-ietf@mit.edu>
User-Agent: SquirrelMail/1.4.8
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3 (Normal)
Importance: Normal
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8de5f93cb2b4e3bee75302e9eacc33db
Cc: ietf@ietf.org, Bernard Aboba <bernarda@windows.microsoft.com>
Subject: Re: [consensus] comments on draft-housley-aaa-key-mgmt-07.txt
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
Sam, I guess the question is, what text in this I-D would prevent a new key distribution protocol based on AAA in which the authentication server sent a copy of the peer's keys willy-nilly to every authenticator it had a security association with? Another question: has the peer no say in to whom its secrets are disclosed? If you think it does then what in the I-D addresses that concern and if you don't think it does then why? As I have stated (starting with my 16 Feb 07 comments) I think this is an important I-D and we need an RFC on this subject. I just don't think it goes far enough in proscribing bad behavior and mandating good behavior. Again, the 802.11 Task Group "r" is a prime example of why this I-D does not go far enough. I think this I-D has to discuss the use of AAA as a key distribution protocol and it does not do that right now. At the SAAG meeting you said (something to the effect of) "everyone understands the 'channel binding' issue". I don't necessarily agree with you (see 802.11r) but the problem is that when AAA is used as a key distribution protocol that issue explodes in another dimension. And people think that if it's OK to ignore that issue in the traditional EAP case where an authentication server gives single key to single authenticator through whom the peer is speaking then it must be OK to ignore it when distributing keys to a multiplicity of authenticators that the peer is not, and may never be, speaking to. Dan. On Fri, March 30, 2007 10:52 am, Sam Hartman wrote: > > > Hi. I had a few discussions in Prague and think that we're all > basically on the same page about what the document should say. I'm > going to describe that consensus here. I'd like to ask Russ to > confirm that the document reflects the consensus > and if so to ask me to remove my discuss and approve the document. > > Unless I've really gotten something wrong here, I think we're done > deciding what we are trying to say and are only left with deciding if > we've managed to say it. When two parties communicate in these > protocols they must authenticate each other. Typically EAP is used to > authenticate the peer and the EAP server. Typically AAA protocols > authenticate the authenticator and the AAA server. > > Typically secure association protocols run between the peer and > authenticator. > > It's common for the EAP layer identities to be different from the > lower layer identities. > > There are two types of lower layer identities: those that are used for > authorization and those that are not. AN example of an identity not > used for authorization would be a network that had a concept like a > MAC address that is not used for access control. The MAC address is > used to look up keys, but all people granted access to the network > have the same authorizations. In this case it's not important to make > sure that the peer is claiming a MAC address that is appropriate for > the EAP layer identity of the peer. > > However in a network where the MAC address is used to make > authorization decisions, someone needs to make sure that the peer's > EAP identity is authorized to claim the MAC address that it claims. > Typically the AAA server fills this role. However it would be OK to > architect a design where the authenticator filled that role--I don't > think you'd use RADIUS or Diameter in such a design though. > > > The authenticator probably has a lower layer identity too. The AAA > server needs to authorize this identity to the peer. Typically this > would happen by the AAA server looking at what authenticator the peer > claims it is connecting to, looking at the higher layer identity that > the authenticator is using to communicate to the AAA server and > confirming that the higher layer identity is authorized to claim the > lower layer identity to peers. > > It's OK to have things like WLAN switches that are authenticators > including a large number of physical devices. They can have one > higher layer identifier and a lot of lower layer identifiers. They > could potentially also have one lower layer identifier. > > > Unlike the peer identity, we always assume that the lower layer > authenticator identity needs to be authorized. > > > _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Sam Hartman
- RE: comments on draft-houseley-aaa-key-mgmt-07.txt Narayanan, Vidya
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Sam Hartman
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Lakshminath Dondeti
- RE: comments on draft-houseley-aaa-key-mgmt-07.txt Narayanan, Vidya
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Lakshminath Dondeti
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Yoshihiro Ohba
- RE: comments on draft-houseley-aaa-key-mgmt-07.txt Narayanan, Vidya
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Sam Hartman
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Yoshihiro Ohba
- Re: comments on draft-houseley-aaa-key-mgmt-07.txt Lakshminath Dondeti
- RE: comments on draft-houseley-aaa-key-mgmt-07.txt Narayanan, Vidya
- RE: comments on draft-houseley-aaa-key-mgmt-07.txt Dan Harkins
- comments on draft-houseley-aaa-key-mgmt-07.txt Dan Harkins
- [Dan Harkins] comments on draft-houseley-aaa-key-… Sam Hartman
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Dan Harkins
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Sam Hartman
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Lakshminath Dondeti
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Dan Harkins
- RE: [Dan Harkins] comments on draft-houseley-aaa-… Narayanan, Vidya
- RE: [Dan Harkins] comments on draft-houseley-aaa-… Dan Harkins
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Lakshminath Dondeti
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Dan Harkins
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Lakshminath Dondeti
- RE: [Dan Harkins] comments on draft-houseley-aaa-… Narayanan, Vidya
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Dan Harkins
- Re: [Dan Harkins] comments on draft-houseley-aaa-… Sam Hartman
- Re: [consensus] comments on draft-housley-aaa-key… Sam Hartman
- Re: [consensus] comments on draft-housley-aaa-key… Dan Harkins
- Re: [consensus] comments on draft-housley-aaa-key… Sam Hartman
- Re: [consensus] comments on draft-housley-aaa-key… Dan Harkins
- Re: [consensus] comments on draft-housley-aaa-key… Sam Hartman
- Re: [consensus] comments on draft-housley-aaa-key… Sam Hartman
- Re: [consensus] comments on draft-housley-aaa-key… Dan Harkins
- Re: [consensus] comments on draft-housley-aaa-key… Sam Hartman
- Re: [consensus] comments on draft-housley-aaa-key… Sam Hartman
- RE: [consensus] comments on draft-housley-aaa-key… Bernard Aboba
- RE: [consensus] comments on draft-housley-aaa-key… Bernard Aboba