RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Bernard Aboba <aboba@internaut.com> Fri, 26 August 2005 18:55 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8jLz-0000Yf-Er; Fri, 26 Aug 2005 14:55:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8jLy-0000YH-MH for secmech@megatron.ietf.org; Fri, 26 Aug 2005 14:55:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06594 for <secmech@ietf.org>; Fri, 26 Aug 2005 14:55:01 -0400 (EDT)
Received: from outbound.mailhop.org ([63.208.196.171] ident=mailnull) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8jMj-0000E3-4e for secmech@ietf.org; Fri, 26 Aug 2005 14:55:51 -0400
Received: from c-67-182-139-247.hsd1.wa.comcast.net ([67.182.139.247] helo=internaut.com) by outbound.mailhop.org with esmtpa (Exim 4.51) id 1E8jLu-000A3L-1O; Fri, 26 Aug 2005 14:54:58 -0400
Received: by internaut.com (Postfix, from userid 1000) id E11AB23523; Fri, 26 Aug 2005 11:54:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by internaut.com (Postfix) with ESMTP id D306F1B2AE; Fri, 26 Aug 2005 11:54:56 -0700 (PDT)
X-Mail-Handler: MailHop Outbound by DynDNS.org
X-Originating-IP: 67.182.139.247
X-Report-Abuse-To: abuse@dyndns.org (see http://www.mailhop.org/outbound/abuse.html for abuse reporting information)
X-MHO-User: aboba
Date: Fri, 26 Aug 2005 11:54:56 -0700
From: Bernard Aboba <aboba@internaut.com>
To: Charles Clancy <clancy@cs.umd.edu>
Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <Pine.GSO.4.60.0508261405280.16020@ismene>
Message-ID: <Pine.LNX.4.61.0508261146590.23743@internaut.com>
References: <7210B31550AC934A8637D6619739CE6905C8BEEC@e2k-sea-xch2.sea-alpha. cisco.com> <Pine.LNX.4.61.0508252336520.5325@internaut.com> <191B6A09CAEEC043419A68E5@cumulus> <Pine.GSO.4.60.0508261036350.16020@ismene> <Pine.LNX.4.61.0508260807091.18505@internaut.com> <Pine.GSO.4.60.0508261405280.16020@ismene>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org
> The Kerberos session key and consequently MK is bound to the EAP server, as > the Kerberos is terminated at the EAP server, right? It's a service ticket > for the EAP server, not a particular NAS, so that would seem logical. The > MSKs can be bound to the individual NASes. Should the NAI (or some other > identifier) of the NAS be explicitly included in the PRF? > > Personally, I don't see how this is any different than any other EAP method, > once you generate the MK. Fast handoff in an EAP method, and not at the link > layer, would have to involve AAA. Otherwise you would need Diffie-Hellman to > provide the forward secrecy. Without it, any NAS through which a client > roamed would be able to derive their future keys and decrypt their sessions. > > As for maintaining a cache -- the AAA server would have to maintain a cache of > MKs for authenticated clients, presumably with some associated lifetime. I'd > think any fast reconnect scheme would require something similar, unless you > were going to authenticate from scratch. > > Or, am I missing the point? As noted in the EAP Key Framework document, the EAP layer does not cache exported EAP keying material, either on the client or the server. Caching is only permitted in the lower layer (AAA is a lower layer from the EAP perspective). Several proposed fast handoff schemes require caching on the AAA server, including pre-emptive handoff and key request. However, AAA servers today do not cache EAP keying parameters -- they discard all EAP keying material (not just the transported keying material) once they send the MSK to the NAS. So asking the AAA server to implement a key cache is a significant change from the existing architecture. This doesn't mean it can't or shouldn't be done -- but a change that substantial shouldn't be done on an adhoc basis. Some open questions: a. How does the peer know what AAA server it is dealing with? The EAP Key Framework has added the Server-ID parameter to enable the peer to know this, but not all EAP methods define this parameter. Do we want fast handoff to only be supported for methods with a defined Server-ID? b. How does the peer request that the NAS contact a particular AAA server (either for requesting a key or validating a ticket)? Does it include the Server-ID in the message? c. How does the AAA server validate that the ticket is being used by the EAP peer that it granted access to? Do we require that the peer NAI be the same as the Kerberos Principal name of the peer? Do we require that the Server-ID be the same as the Kerberos Principal name of the AAA server? d. How does the peer know whether a particular NAS is configured to connect to a AAA server from whom it has received a ticket? _______________________________________________ SECMECH mailing list SECMECH@lists.ietf.org https://www1.ietf.org/mailman/listinfo/secmech
- [SECMECH] Framework Bindings Vs. Mechanism Bridges Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Ali Fessi
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Jari Arkko
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Jari Arkko
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Jari Arkko
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Clint Chaplin
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… 1und1
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy