Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

"Alper Yegin" <alper.yegin@yegin.org> Fri, 17 April 2009 17:49 UTC

From: Alper Yegin <alper.yegin@yegin.org>
To: "'Joseph Salowey (jsalowey)'" <jsalowey@cisco.com>, 'Jari Arkko' <jari.arkko@piuha.net>
References: <C603B141.26687%basavaraj.patil@nokia.com> <007201c9b97b$30c606d0$92521470$@net> <5e2406980904100000t57c951duab69d7c0b7b7277@mail.gmail.com> <49E301EA.10605@piuha.net> <20090414235011.GQ29716@steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD@NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402@piuha.net><002d01c9bdb2$6fa9d800$4efd8800$@net><02cc01c9bdd1$dac57d00$90507700$@yegin@yegin.org> <49E5E9B7.6070509@piuha.net> <AC1CFD94F59A264488DC2BEC3E890DE507D92D4D@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE507D92D4D@xmb-sjc-225.amer.cisco.com>
Date: Fri, 17 Apr 2009 20:49:51 +0300
Message-ID: <011801c9bf84$eedc67e0$cc9537a0$@yegin>
Cc: yohba@tari.toshiba.com, Basavaraj.Patil@nokia.com, pana@ietf.org
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

Joe,

PaC-EP key is used by the PaC and the EP.
EP may be physically separate from the PAA (e.g., a base station separated
from NAS).
PaC-EP key is used by the secure association protocol between the PaC and
the EP.

I'm not sure if these satisfy your conditions. Please let us know.

Alper

> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com]
> Sent: Friday, April 17, 2009 7:40 PM
> To: Jari Arkko; Alper Yegin
> Cc: yohba@tari.toshiba.com; pana@ietf.org; Basavaraj.Patil@nokia.com
> Subject: RE: [Pana] What to do with I-D: draft-ietf-pana-ipsec
> 
> If the use of the key is entirely within the PANA authenticator and PANA
> specifications then using the MSK is OK.  If the same key is going to be
> used in specifications independent of PANA (802.11, etc) or used
> somewhere other than the authenticator then the MSK may not be a good
> choice.
> 
> > -----Original Message-----
> > From: pana-bounces@ietf.org [mailto:pana-bounces@ietf.org] On
> > Behalf Of Jari Arkko
> > Sent: Wednesday, April 15, 2009 7:06 AM
> > To: Alper Yegin
> > Cc: yohba@tari.toshiba.com; pana@ietf.org; Basavaraj.Patil@nokia.com
> > Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
> >
> > I think I agree with what Alper is saying below. It is
> > obviously important to have separated keys for PANA itself
> > and the per-packet protection (such as for IPsec). But given
> > the definition of the keys used for PANA in the RFC, I think
> > it is possible to have other MSK-derived keys for IPsec.
> >
> > Jari
> >
> > Alper Yegin wrote:
> > >> As for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of
> > >> the MSK which is a _really_ bad idea IMHO -- the EMSK should really
> > >> be used instead.
> > >>
> > >
> > > Why so?
> > >
> > > Secure association protocols have been using MSK-driven keys.
> > > And it makes sense, as MSK is what NAS knows (not EMSK).
> > > I have no idea what value using EMSK has, but the obvious cost is to
> > > impact the AAA deployment between the NAS and AAA servers. Today AAA
> > > protocols deliver MSK, not EMSK or any of its children.
> > >
> > > Alper
> > >
> >
> > _______________________________________________
> > Pana mailing list
> > Pana@ietf.org
> > https://www.ietf.org/mailman/listinfo/pana
> >
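The key hierarchy the thread is arguing about, as an added worked example that is not part of any of the messages above and not the code of RFC 5191 or draft-ohba-pana-pemk: one MSK, from which PANA derives its own PANA_AUTH_KEY, and a separate PaC-EP key for each enforcement point. The PANA_AUTH_KEY input layout follows RFC 5191 section 5.3 (prf+ over "IETF PANA", the initial PAR/PAN, both nonces and the Key-ID); prf+ is the IKEv2 construction. Everything else is an assumption made for the example: HMAC-SHA-256 as the prf (PANA negotiates the PRF algorithm), the "EXAMPLE PaC-EP" label and the session-id/Key-ID/EP-id inputs for the per-EP key, and all sample byte values, which are constructed.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """The PRF. HMAC-SHA-256 is an assumption for this example; PANA
    negotiates the PRF algorithm via the PRF-Algorithm AVP."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+ (RFC 4306 section 2.13), as referenced by RFC 5191:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ..."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def pana_auth_key(msk, i_par, i_pan, pac_nonce, paa_nonce, key_id, length=32):
    """PANA's own key. Input layout per RFC 5191 section 5.3:
    PANA_AUTH_KEY = prf+(MSK, "IETF PANA" | I_PAR | I_PAN | PaC_nonce | PAA_nonce | Key_ID).
    The key length is taken as 32 here (assumption; it depends on the AUTH algorithm)."""
    seed = b"IETF PANA" + i_par + i_pan + pac_nonce + paa_nonce + key_id
    return prf_plus(msk, seed, length)


def pac_ep_key(msk, session_id, key_id, ep_id, length=32):
    """Illustrative per-EP key (NOT the PEMK derivation of the draft): a distinct
    label plus the EP identifier keeps this key separate from PANA_AUTH_KEY and
    from every other EP's key, even though all of them descend from the same MSK."""
    seed = b"EXAMPLE PaC-EP" + session_id + key_id + ep_id
    return prf_plus(msk, seed, length)


# Constructed sample values (not from any real session).
SAMPLE_MSK = bytes(range(64))                 # 64-byte MSK as delivered to the PAA/NAS
SAMPLE_I_PAR = b"\x01" * 16                   # stands in for the initial PAR message
SAMPLE_I_PAN = b"\x02" * 16                   # stands in for the initial PAN message
SAMPLE_PAC_NONCE = b"\x03" * 16
SAMPLE_PAA_NONCE = b"\x04" * 16
SAMPLE_KEY_ID = (1).to_bytes(4, "big")        # Key-ID AVP value
SAMPLE_SESSION_ID = (7).to_bytes(4, "big")    # PANA session identifier
SAMPLE_EP_IDS = [b"ep-1", b"ep-2"]            # two physically separate EPs


def derive_session_keys(msk=SAMPLE_MSK, session_id=SAMPLE_SESSION_ID,
                        key_id=SAMPLE_KEY_ID, ep_ids=SAMPLE_EP_IDS):
    """Derive the whole hierarchy for one session: PANA's key plus one key per EP."""
    auth_key = pana_auth_key(msk, SAMPLE_I_PAR, SAMPLE_I_PAN,
                             SAMPLE_PAC_NONCE, SAMPLE_PAA_NONCE, key_id)
    ep_keys = {ep: pac_ep_key(msk, session_id, key_id, ep) for ep in ep_ids}
    return {"PANA_AUTH_KEY": auth_key, "PaC-EP": ep_keys}


def key_separation_holds(keys) -> bool:
    """True when PANA_AUTH_KEY and every PaC-EP key are pairwise distinct, so a key
    handed to one EP neither equals PANA's own key nor another EP's key."""
    values = [keys["PANA_AUTH_KEY"]] + list(keys["PaC-EP"].values())
    return len(values) == len(set(values))


if __name__ == "__main__":
    keys = derive_session_keys()
    print("PANA_AUTH_KEY:", keys["PANA_AUTH_KEY"].hex())
    for ep, k in keys["PaC-EP"].items():
        print(f"PaC-EP key for {ep.decode()}:", k.hex())
    print("separation holds:", key_separation_holds(keys))
```

The point the example makes is the one Jari states: the MSK can feed both PANA's own key and further per-EP keys as long as the derivations are bound to different labels and identities. An EP that is compromised learns only its own PaC-EP key; with prf+ built on an HMAC it cannot recover the MSK, PANA_AUTH_KEY, or a sibling EP's key from it.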