Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Jari Arkko <jari.arkko@piuha.net> Fri, 17 April 2009 17:35 UTC
Right.

Jari

Joseph Salowey (jsalowey) wrote:
> If the use of the key is entirely within the PANA authenticator and PANA
> specifications then using the MSK is OK. If the same key is going to be
> used in specifications independent of PANA (802.11, etc) or used
> somewhere other than the authenticator then the MSK may not be a good
> choice.
>
>> -----Original Message-----
>> From: pana-bounces@ietf.org [mailto:pana-bounces@ietf.org] On
>> Behalf Of Jari Arkko
>> Sent: Wednesday, April 15, 2009 7:06 AM
>> To: Alper Yegin
>> Cc: yohba@tari.toshiba.com; pana@ietf.org; Basavaraj.Patil@nokia.com
>> Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
>>
>> I think I agree with what Alper is saying below. It is
>> obviously important to have separated keys for PANA itself
>> and the per-packet protection (such as for IPsec). But given
>> the definition of the keys used for PANA in the RFC, I think
>> it is possible to have other MSK-derived keys for IPsec.
>>
>> Jari
>>
>> Alper Yegin wrote:
>>
>>>> As
>>>> for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of
>>>> the MSK which is a _really_ bad idea IMHO -- the EMSK should really
>>>> be used instead.
>>>>
>>> Why so?
>>>
>>> Secure association protocols have been using MSK-driven keys.
>>> And it makes sense, as MSK is what NAS knows (not EMSK).
>>> I have no idea what value using EMSK has, but the obvious cost is to
>>> impact the AAA deployment between the NAS and AAA servers. Today AAA
>>> protocols deliver MSK, not EMSK or any of its children.
>>>
>>> Alper
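The key separation discussed in this thread, shown as an added example that is not part of the original messages or of any PANA draft: two purpose-specific keys are derived from one MSK so that the PANA message-authentication key and a per-enforcement-point IPsec key never coincide. It assumes an IKEv2-style prf+ (RFC 7296, section 2.13) over HMAC-SHA256; the label strings, the length-prefixed seed layout, the identifiers and the MSK value are all constructed for illustration.

```python
import hashlib
import hmac


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("prf+ output is limited to 255 blocks")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_child(msk: bytes, label: bytes, context: bytes,
                 length: int = 32) -> bytes:
    """Derive one purpose-bound key from the MSK (layout is an assumption)."""
    if len(msk) < 64:
        raise ValueError("an EAP MSK is at least 64 octets")
    if not label:
        raise ValueError("a usage label is required for key separation")
    # Length-prefix the label so label/context boundaries cannot be shifted
    # to make two different usages produce the same seed.
    seed = len(label).to_bytes(2, "big") + label + context
    return prf_plus(msk, seed, length)


# Constructed sample values, not taken from any real session.
MSK = bytes(range(64))
SESSION = (0x1234).to_bytes(4, "big") + (1).to_bytes(4, "big")  # session id | key id


def derive_session_keys():
    """Return (PANA auth key, IPsec key for EP A, IPsec key for EP B)."""
    pana_auth = derive_child(MSK, b"example PANA message auth", SESSION)
    ipsec_ep_a = derive_child(MSK, b"example PaC-EP IPsec",
                              SESSION + b"ep-a.example")
    ipsec_ep_b = derive_child(MSK, b"example PaC-EP IPsec",
                              SESSION + b"ep-b.example")
    return pana_auth, ipsec_ep_a, ipsec_ep_b


if __name__ == "__main__":
    for name, key in zip(("pana_auth", "ipsec_ep_a", "ipsec_ep_b"),
                         derive_session_keys()):
        print(f"{name}: {key.hex()}")
```

Every holder of the MSK can recompute all of these children, which is why the scope question raised in the thread (who holds the MSK, and whether the child key leaves the authenticator) is separate from the label-based separation shown here.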