RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Bernard Aboba <aboba@internaut.com> Fri, 26 August 2005 18:55 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8jLz-0000Yf-Er; Fri, 26 Aug 2005 14:55:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8jLy-0000YH-MH for secmech@megatron.ietf.org; Fri, 26 Aug 2005 14:55:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06594 for <secmech@ietf.org>; Fri, 26 Aug 2005 14:55:01 -0400 (EDT)
Received: from outbound.mailhop.org ([63.208.196.171] ident=mailnull) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8jMj-0000E3-4e for secmech@ietf.org; Fri, 26 Aug 2005 14:55:51 -0400
Received: from c-67-182-139-247.hsd1.wa.comcast.net ([67.182.139.247] helo=internaut.com) by outbound.mailhop.org with esmtpa (Exim 4.51) id 1E8jLu-000A3L-1O; Fri, 26 Aug 2005 14:54:58 -0400
Received: by internaut.com (Postfix, from userid 1000) id E11AB23523; Fri, 26 Aug 2005 11:54:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by internaut.com (Postfix) with ESMTP id D306F1B2AE; Fri, 26 Aug 2005 11:54:56 -0700 (PDT)
X-Mail-Handler: MailHop Outbound by DynDNS.org
X-Originating-IP: 67.182.139.247
X-Report-Abuse-To: abuse@dyndns.org (see http://www.mailhop.org/outbound/abuse.html for abuse reporting information)
X-MHO-User: aboba
Date: Fri, 26 Aug 2005 11:54:56 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: Charles Clancy <clancy@cs.umd.edu>
Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <Pine.GSO.4.60.0508261405280.16020@ismene>
Message-ID: <Pine.LNX.4.61.0508261146590.23743@internaut.com>
References: <7210B31550AC934A8637D6619739CE6905C8BEEC@e2k-sea-xch2.sea-alpha. cisco.com> <Pine.LNX.4.61.0508252336520.5325@internaut.com> <191B6A09CAEEC043419A68E5@cumulus> <Pine.GSO.4.60.0508261036350.16020@ismene> <Pine.LNX.4.61.0508260807091.18505@internaut.com> <Pine.GSO.4.60.0508261405280.16020@ismene>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

> The Kerberos session key and consequently MK is bound to the EAP server, as
> the Kerberos is terminated at the EAP server, right?  It's a service ticket
> for the EAP server, not a particular NAS, so that would seem logical.  The
> MSKs can be bound to the individual NASes.  Should the NAI (or some other
> identifier) of the NAS be explicitly included in the PRF?
> 
> Personally, I don't see how this is any different than any other EAP method,
> once you generate the MK.  Fast handoff in an EAP method, and not at the link
> layer, would have to involve AAA.  Otherwise you would need Diffie-Hellman to
> provide the forward secrecy.  Without it, any NAS through which a client
> roamed would be able to derive their future keys and decrypt their sessions.
> 
> As for maintaining a cache -- the AAA server would have to maintain a cache of
> MKs for authenticated clients, presumably with some associated lifetime.  I'd
> think any fast reconnect scheme would require something similar, unless you
> were going to authenticate from scratch.
> 
> Or, am I missing the point?

As noted in the EAP Key Framework document, the EAP layer does not cache 
exported EAP keying material, either on the client or the server.  Caching 
is only permitted in the lower layer (AAA is a lower layer from the EAP 
perspective). 

Several proposed fast handoff schemes require caching on the AAA server, 
including pre-emptive handoff and key request. 
  
However, AAA servers today do not cache EAP keying parameters  -- they discard 
all EAP keying material (not just the transported keying material) once they 
send the MSK to the NAS.  So asking the AAA server to implement a key 
cache is a significant change from the existing architecture. 

This doesn't mean it can't or shouldn't be done -- but a change that 
substantial shouldn't be done on an adhoc basis.  Some open questions:

a. How does the peer know what AAA server it is dealing with?  The EAP Key 
Framework has added the Server-ID parameter to enable the peer to know 
this, but not all EAP methods define this parameter.  Do we want fast 
handoff to only be supported for methods with a defined Server-ID? 

b. How does the peer request that the NAS contact a particular AAA server 
(either for requesting a key or validating a ticket)?  Does it include the 
Server-ID in the message? 

c. How does the AAA server validate that the ticket is being used by the 
EAP peer that it granted access to?  Do we require that the peer NAI be 
the same as the Kerberos Principal name of the peer?  Do we require that 
the Server-ID be the same as the Kerberos Principal name of the AAA 
server? 

d. How does the peer know whether a particular NAS is configured to 
connect to a AAA server from whom it has received a ticket?  

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech