Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

"Glen Zorn" <gwz@net-zen.net> Wed, 15 April 2009 10:09 UTC

From: Glen Zorn <gwz@net-zen.net>
To: 'Jari Arkko' <jari.arkko@piuha.net>
References: <C603B141.26687%basavaraj.patil@nokia.com> <007201c9b97b$30c606d0$92521470$@net> <5e2406980904100000t57c951duab69d7c0b7b7277@mail.gmail.com> <49E301EA.10605@piuha.net> <20090414235011.GQ29716@steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD@NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402@piuha.net>
In-Reply-To: <49E57D21.8030402@piuha.net>
Date: Wed, 15 Apr 2009 17:10:38 +0700
Organization: Network Zen
Message-ID: <002d01c9bdb2$6fa9d800$4efd8800$@net>
Cc: yohba@tari.toshiba.com, Basavaraj.Patil@nokia.com, pana@ietf.org
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

Jari Arkko [mailto:jari.arkko@piuha.net] writes:

> Can we technically specify the IPsec parts without PEMK? If yes, we
> should do it. If not, we have an issue.
> 
> Quickly scanning through the documents, PaC-EP-Master-Key does not seem
> to be defined in RFC 5191 but it is used by draft-ietf-pana-ipsec. 

One of the problems w/draft-ietf-pana-ipsec is that the precise nature of
the protection between the PaC & EP doesn't seem to be specified _anywhere_
(please correct me if I'm wrong).  For the purposes of
draft-ietf-pana-ipsec, the connection should probably be protected using
IPsec (to avoid a weakest-link attack), but that needs to be specified.  As
for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of the MSK
which is a _really_ bad idea IMHO -- the EMSK should really be used instead.

> At the very least we need a definition of Pac-EP-Master-Key in
> draft-ietf-pana-ipsec, not sure if a separate document is needed.
> 

...

~ gwz

Nuclear power: more toxic than Britney Spears.