Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

Jari Arkko <jari.arkko@piuha.net> Wed, 15 April 2009 14:04 UTC

Message-ID: <49E5E9B7.6070509@piuha.net>
Date: Wed, 15 Apr 2009 17:05:43 +0300
From: Jari Arkko <jari.arkko@piuha.net>
To: Alper Yegin <alper.yegin@yegin.org>
References: <C603B141.26687%basavaraj.patil@nokia.com> <007201c9b97b$30c606d0$92521470$@net> <5e2406980904100000t57c951duab69d7c0b7b7277@mail.gmail.com> <49E301EA.10605@piuha.net> <20090414235011.GQ29716@steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD@NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402@piuha.net> <002d01c9bdb2$6fa9d800$4efd8800$@net> <02cc01c9bdd1$dac57d00$90507700$@yegin@yegin.org>
In-Reply-To: <02cc01c9bdd1$dac57d00$90507700$@yegin@yegin.org>
Cc: yohba@tari.toshiba.com, pana@ietf.org, Basavaraj.Patil@nokia.com
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

I think I agree with what Alper is saying below. It is obviously 
important to have separate keys for PANA itself and the per-packet 
protection (such as for IPsec). But given the definition of the keys 
used for PANA in the RFC, I think it is possible to have other 
MSK-derived keys for IPsec.

Jari

Alper Yegin wrote:
>> As for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of the
>> MSK which is a _really_ bad idea IMHO -- the EMSK should really be used
>> instead.
>
> Why so?
>
> Secure association protocols have been using MSK-driven keys.
> And it makes sense, as MSK is what NAS knows (not EMSK).
> I have no idea what value using EMSK has, but the obvious cost is to impact
> the AAA deployment between the NAS and AAA servers. Today AAA protocols
> deliver MSK, not EMSK or any of its children.
>
> Alper
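The key separation discussed above, as an added example that is not part of the thread and not code from any PANA implementation or from the RFC text: the IKEv2 prf+ construction (RFC 4306 section 2.13) with HMAC-SHA1 as the PRF, which RFC 5191 uses to derive PANA_AUTH_KEY from the MSK, applied a second time over the same MSK with a different label and different inputs to obtain a separate master key for IPsec. The label "IETF PEMK", the session and EP identifier layout, and the sample MSK, messages and nonces are assumptions constructed for this example rather than values taken from the draft or from traffic.

```python
import hmac
import hashlib


def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """IKEv2 prf+ (RFC 4306 section 2.13) with HMAC-<hash_name> as the PRF.

    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output = T1 | T2 | ... truncated.
    The counter is a single byte, so at most 255 blocks can be produced.
    """
    digest_size = hashlib.new(hash_name).digest_size
    if -(-length // digest_size) > 255:
        raise ValueError("prf+ cannot produce more than 255 blocks")
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([counter]), hash_name).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_pana_auth_key(msk, i_par, i_pan, pac_nonce, paa_nonce, key_id, length=20):
    # RFC 5191 section 5.3: PANA_AUTH_KEY = prf+(MSK, I_PAR|I_PAN|PaC_nonce|PAA_nonce|Key_ID).
    # The AUTH AVP for PANA messages is computed with this key only.
    return prf_plus(msk, i_par + i_pan + pac_nonce + paa_nonce + key_id, length)


def derive_ipsec_master_key(msk, session_id, key_id, ep_id, length=64):
    # Assumed derivation for the per-packet (IPsec) master key handed to the enforcement
    # point: same MSK, but a distinct label and inputs so the result is independent of
    # PANA_AUTH_KEY. Label and input layout are this example's assumptions.
    return prf_plus(msk, b"IETF PEMK" + session_id + key_id + ep_id, length)


def demo():
    # Constructed sample values (not captured traffic): a 64-byte MSK as delivered by
    # the AAA server, the first PAR/PAN messages, the two nonces and the Key-ID.
    msk = bytes(range(64))
    i_par, i_pan = b"\x00" * 16, b"\x01" * 16
    pac_nonce, paa_nonce = b"\x02" * 16, b"\x03" * 16
    key_id = (1).to_bytes(4, "big")
    session_id = (7).to_bytes(4, "big")
    ep_id = b"\x0a\x00\x00\x01"

    pana_auth = derive_pana_auth_key(msk, i_par, i_pan, pac_nonce, paa_nonce, key_id)
    pemk = derive_ipsec_master_key(msk, session_id, key_id, ep_id)
    # A new Key-ID (e.g. after re-authentication) yields a fresh PANA_AUTH_KEY
    # while the same MSK is still in use.
    pana_auth_rekeyed = derive_pana_auth_key(
        msk, i_par, i_pan, pac_nonce, paa_nonce, (2).to_bytes(4, "big"))
    return {
        "pana_auth_key": pana_auth,
        "pemk": pemk,
        "pana_auth_key_rekeyed": pana_auth_rekeyed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```

Both keys descend from the MSK that the NAS already holds, which is Alper's point about not needing the EMSK at the NAS; the separation comes from the PRF inputs, so an entity that is given the IPsec master key (the enforcement point) learns nothing about PANA_AUTH_KEY, and vice versa, as long as the MSK itself is never handed out.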