Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

"Alper Yegin" <alper.yegin@yegin.org> Wed, 15 April 2009 13:54 UTC

From: Alper Yegin <alper.yegin@yegin.org>
To: 'Glen Zorn' <gwz@net-zen.net>, 'Jari Arkko' <jari.arkko@piuha.net>
References: <C603B141.26687%basavaraj.patil@nokia.com> <007201c9b97b$30c606d0$92521470$@net> <5e2406980904100000t57c951duab69d7c0b7b7277@mail.gmail.com> <49E301EA.10605@piuha.net> <20090414235011.GQ29716@steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD@NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402@piuha.net> <002d01c9bdb2$6fa9d800$4efd8800$@net>
In-Reply-To: <002d01c9bdb2$6fa9d800$4efd8800$@net>
Date: Wed, 15 Apr 2009 16:55:18 +0300
Message-ID: <02cc01c9bdd1$dac57d00$90507700$@yegin>
Cc: yohba@tari.toshiba.com, pana@ietf.org, Basavaraj.Patil@nokia.com
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

> As
> for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of the
> MSK
> which is a _really_ bad idea IMHO -- the EMSK should really be used
> instead.

Why so?

Secure association protocols have been using MSK-driven keys.
And it makes sense, as MSK is what NAS knows (not EMSK).
I have no idea what value using EMSK has, but the obvious cost is to impact
the AAA deployment between the NAS and AAA servers. Today AAA protocols
deliver MSK, not EMSK or any of its children.

Alper
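The key-availability point in Alper's reply, as an added example that is not part of the mail thread: a small Python model in which the AAA transport carries only the MSK to the NAS, the NAS derives a child key from that MSK, and the EMSK-based USRK derivation of RFC 5295 is only computable where the EMSK lives (EAP peer and server). The PRF+ construction follows RFC 5295; the MSK child-key label, the context string and the key values are constructed for illustration.

```python
import hashlib
import hmac


def prf_plus(key: bytes, seed: bytes, out_len: int) -> bytes:
    """PRF+ from RFC 5295 section 3.1 with PRF = HMAC-SHA-256:
    T1 = PRF(K, S | 0x01), Tn = PRF(K, T(n-1) | S | n), output = T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < out_len:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:out_len]


def usrk(emsk: bytes, label: bytes, optional_data: bytes = b"", length: int = 64) -> bytes:
    """RFC 5295 USRK = KDF(EMSK, key label | "\\0" | optional data | length).
    Only the EAP peer and the EAP server hold the EMSK, so only they can run this."""
    seed = label + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(emsk, seed, length)


def msk_child_key(msk: bytes, label: bytes, context: bytes, length: int = 64) -> bytes:
    """Hypothetical MSK-driven child key (same PRF+ shape, not a standardised
    derivation): computable by the NAS from the MSK it received over AAA."""
    seed = label + b"\x00" + context + length.to_bytes(2, "big")
    return prf_plus(msk, seed, length)


# Constructed stand-ins for the 64-octet MSK and EMSK an EAP method exports.
MSK = bytes(range(64))
EMSK = bytes(reversed(range(64)))
CONTEXT = b"peer-id|nas-id"  # constructed binding data for the child key


def aaa_deliver(server_keys: dict) -> dict:
    """Model of today's AAA transport: only the MSK crosses from AAA server to NAS."""
    return {"msk": server_keys["msk"]}


def run() -> dict:
    server = {"msk": MSK, "emsk": EMSK}   # EAP server side of the key hierarchy
    nas = aaa_deliver(server)             # what the NAS actually holds
    peer_key = msk_child_key(MSK, b"EXAMPLE-SA-KEY", CONTEXT)         # peer side
    nas_key = msk_child_key(nas["msk"], b"EXAMPLE-SA-KEY", CONTEXT)   # NAS side
    server_usrk = usrk(server["emsk"], b"EXAMPLE-USRK")   # needs EMSK: server only
    return {
        "nas_has_emsk": "emsk" in nas,
        "msk_keys_match": hmac.compare_digest(peer_key, nas_key),
        "usrk_len": len(server_usrk),
    }
```

Running `run()` shows the NAS and peer agree on the MSK-derived key while the NAS never sees the EMSK, which is the deployment gap an EMSK-based design would have to close in the AAA protocol.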