Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Fri, 17 April 2009 16:39 UTC

Date: Fri, 17 Apr 2009 09:40:22 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE507D92D4D@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <49E5E9B7.6070509@piuha.net>
References: <C603B141.26687%basavaraj.patil@nokia.com> <007201c9b97b$30c606d0$92521470$@net> <5e2406980904100000t57c951duab69d7c0b7b7277@mail.gmail.com> <49E301EA.10605@piuha.net> <20090414235011.GQ29716@steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD@NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402@piuha.net><002d01c9bdb2$6fa9d800$4efd8800$@net><02cc01c9bdd1$dac57d00$90507700$@yegin@yegin.org> <49E5E9B7.6070509@piuha.net>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Jari Arkko <jari.arkko@piuha.net>, Alper Yegin <alper.yegin@yegin.org>
Cc: yohba@tari.toshiba.com, Basavaraj.Patil@nokia.com, pana@ietf.org
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

If the use of the key is entirely within the PANA authenticator and PANA
specifications, then using the MSK is OK.  If the same key is going to be
used in specifications independent of PANA (802.11, etc.) or used
somewhere other than the authenticator, then the MSK may not be a good
choice.

> -----Original Message-----
> From: pana-bounces@ietf.org [mailto:pana-bounces@ietf.org] On Behalf Of Jari Arkko
> Sent: Wednesday, April 15, 2009 7:06 AM
> To: Alper Yegin
> Cc: yohba@tari.toshiba.com; pana@ietf.org; Basavaraj.Patil@nokia.com
> Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
> 
> I think I agree with what Alper is saying below. It is 
> obviously important to have separated keys for PANA itself 
> and the per-packet protection (such as for IPsec). But given 
> the definition of the keys used for PANA in the RFC, I think 
> it is possible to have other MSK-derived keys for IPsec.
> 
> Jari
> 
> Alper Yegin wrote:
> >> As for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of
> >> the MSK which is a _really_ bad idea IMHO -- the EMSK should really
> >> be used instead.
> >
> > Why so?
> >
> > Secure association protocols have been using MSK-driven keys.
> > And it makes sense, as MSK is what NAS knows (not EMSK).
> > I have no idea what value using EMSK has, but the obvious cost is to
> > impact the AAA deployment between the NAS and AAA servers. Today AAA
> > protocols deliver MSK, not EMSK or any of its children.
> >
> > Alper
> >
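Jari's point in the quoted message is that one MSK can yield separate keys for PANA itself and for per-packet protection, as long as the two derivations are kept apart; Joe's reply adds that anything derived from the MSK is only usable where the MSK is, i.e. at the authenticator. The following Python is an added illustration of that key separation, not code from this thread or from any PANA implementation. It uses an IKEv2-style prf+ (RFC 4306 section 2.13, which PANA reuses) over HMAC-SHA-256; the prf choice, the child-key label, and every input value are assumptions or constructed sample data. The seed layout for PANA_AUTH_KEY only follows the field order RFC 5191 gives (I_PAR|I_PAN|PaC_nonce|PAA_nonce|Key_ID); the field contents are made up.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA-256 as the underlying prf. PANA negotiates the prf
# (PRF-Algorithm AVP), so this is an illustrative choice, not a fixed one.
HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size  # 32 octets per prf block


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF: HMAC over `data` under `key` (assumed HMAC-SHA-256)."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+ (RFC 4306 section 2.13).

    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output is
    T1 | T2 | ... truncated to `length` octets. The counter is one octet,
    so at most 255 blocks can be produced.
    """
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("prf+ output length must be 1..255 prf blocks")
    out = b""
    t = b""
    for counter in range(1, 256):
        t = prf(key, t + seed + bytes([counter]))
        out += t
        if len(out) >= length:
            break
    return out[:length]


def derive_pana_auth_key(msk, i_par, i_pan, pac_nonce, paa_nonce, key_id,
                         length=HASH_LEN):
    """Key that integrity-protects PANA messages themselves.

    Seed order follows RFC 5191's PANA_AUTH_KEY shape
    (prf+(MSK, I_PAR|I_PAN|PaC_nonce|PAA_nonce|Key_ID)); contents are constructed.
    """
    return prf_plus(msk, i_par + i_pan + pac_nonce + paa_nonce + key_id, length)


def derive_child_key(msk, label, session_id, key_id, length=HASH_LEN):
    """Hypothetical MSK-derived child key for per-packet protection (e.g. IPsec).

    The fixed, distinct `label` is what keeps this key cryptographically
    separate from PANA_AUTH_KEY even though both descend from the same MSK.
    Because the input is the MSK, the key can only be computed where the MSK
    is held, i.e. at the PANA authenticator, which is Joe's caveat above.
    """
    return prf_plus(msk, label + session_id + key_id, length)


def key_separation_report(msk: bytes) -> dict:
    """Derive both keys from one MSK with constructed inputs and check separation."""
    # Constructed sample values; a real PAA uses the actual PAR/PAN messages,
    # the exchanged nonces and the negotiated Key-Id.
    i_par = b"PAR-initial-request"
    i_pan = b"PAN-initial-answer"
    pac_nonce = b"\x11" * 16
    paa_nonce = b"\x22" * 16
    key_id = (1).to_bytes(4, "big")
    session_id = (42).to_bytes(4, "big")
    label = b"EXAMPLE-IPSEC-CHILD"  # hypothetical label, not one from any draft

    auth_key = derive_pana_auth_key(msk, i_par, i_pan, pac_nonce, paa_nonce, key_id)
    ipsec_key = derive_child_key(msk, label, session_id, key_id)
    # Re-deriving with the same inputs must give the same key (both ends agree).
    again = derive_child_key(msk, label, session_id, key_id)
    return {
        "pana_auth_key": auth_key.hex(),
        "ipsec_key": ipsec_key.hex(),
        "distinct": auth_key != ipsec_key,
        "deterministic": again == ipsec_key,
    }


if __name__ == "__main__":
    # Constructed 64-octet MSK (EAP MSKs are 64 octets per RFC 3748).
    sample_msk = bytes(range(64))
    for k, v in key_separation_report(sample_msk).items():
        print(f"{k}: {v}")
```

The separation comes from the distinct seed material, not from the length of the keys: changing a single label octet yields an unrelated child key, while the PANA_AUTH_KEY input never includes the label at all.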