Re: [Dime] Comments on section 3 of new version draft-ietf-dime-erp-01
Hi, Sebastien:
----- Original Message -----
From: "Sebastien Decugis" <sdecugis at nict.go.jp>
To: <dime at ietf.org>
Sent: Monday, September 14, 2009 12:47 PM
Subject: Re: [Dime] Comments on section 3 of new version draft-ietf-dime-erp-01
> Hi, again :)
>
>> [Qin]: Since the DSRK is calculated based on the domain name, given the home domain name
>> in the home domain, I am wondering whether we can derive a home-domain-specific DSRK
>> based on the home domain name?
>>
> It would seem quite logical, but the RFC5295/5296 currently specify a
> different mechanism for the home domain (rRK)... So no, currently we
> cannot do that unfortunately.
[Qin]: Okay. I agree with you.
But based on the definition of the rRK, the rRK is not derived from the domain name.
>> [Qin]: Okay, I agree with your explanation. However, I have two follow-up comments as follows:
>> 1. Is the home EAP server that uses ERP the home ER server or not?
>>
> Can you define the "home ER server" in the context of your question? We
> don't use this in the document, I think this terminology is too vague,
> sorry...
[Qin] The home ER server is defined in section 2 of RFC5296.
The home ER server is referred to as a logical entity that performs the server portion of ERP
in the home domain.
>> 2. Who actually authorizes the use of ERP, the home EAP server or the home ER server?
>>
> The home EAP server, when it derives the DSRK from the EMSK and provides
> it to a foreign ER server.
[Qin]: What you said here is not consistent with what RFC5296 describes. According to section 5.1 of RFC5296,
it says:
"
the home ER server MUST include the DSRK for the
local ER server (derived using the EMSK and the domain name as
specified in [3]), EMSKname, and DSRK lifetime along with the EAP-
Finish/Re-auth message.
"
Based on the above description, it is the home ER server that derives the DSRK from the EMSK.
Am I missing something?
>> [Qin]: I agree, without this assumption, it seems ERP exchange and EAP
>> Re-authentication operations on the peer, authenticator and server will
>> be complicated.
>> I wonder what you think of the case where the home realm contains several
>> EAP servers described in the "open issues" section? Isn't it the same thing?
>>
> Unfortunately, the architecture for EAP is already defined, so we cannot
> change it, and it has different assumptions (which are justified because
> each EAP server may support a different set of EAP methods). So, we have
> to deal with it, as described in the open issues...
[Qin]:
In this sense, does it mean each EAP server only supports one EAP method?
Given the home realm name, how does the foreign ER server route the message to
the EAP server that supports the same EAP method as the peer?
> BR
> Sebastien.
>
> --
> Sebastien Decugis
> Research fellow
> Network Architecture Group
> NICT (nict.go.jp)
>
> _______________________________________________
> DiME mailing list
> DiME at ietf.org
> https://www.ietf.org/mailman/listinfo/dime
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
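The thread turns on the difference between a DSRK, which is bound to a domain name through the key derivation, and the rRK, whose derivation (RFC 5296 section 4.1) carries no domain name at all. The following is an added illustration, not code from the thread, the draft or either RFC: it implements the RFC 5295 default KDF (PRF+ over HMAC-SHA-256, section 3.1.2) and derives a DSRK for a foreign domain and an rRK from both the EMSK (home) and the DSRK (local). The rRK label is the IANA-registered string from RFC 5296; the DSRK key label and the 64-octet root-key length are assumptions to be checked against RFC 5295 section 4, and the EMSK is a constructed value, not one produced by any EAP method.

```python
import hashlib
import hmac

# Added example (not from the thread or the RFCs): the RFC 5295 default KDF
# and the two derivations discussed above, so the domain-bound DSRK and the
# domain-independent rRK can be compared in code.

# rRK label as registered by RFC 5296 Section 4.1.
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
# ASSUMPTION: DSRK key label; confirm against RFC 5295 Section 4 before use.
DSRK_LABEL = b"dsrk@ietf.org"
# ASSUMPTION: 64-octet root keys (the EMSK itself is 64 octets).
ROOT_KEY_LEN = 64


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """PRF+ from RFC 5295 Section 3.1.2 instantiated with HMAC-SHA-256.

    T1 = PRF(K, S | 0x01), Tn = PRF(K, T(n-1) | S | n); the output is
    T1 | T2 | ... truncated to `length` octets. The counter is one octet,
    so at most 255 blocks can be produced.
    """
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("PRF+ can produce at most 255 blocks")
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def kdf(key: bytes, label: bytes, optional_data: bytes, length: int) -> bytes:
    """KDF(K, S, L) with S = key label | "\\0" | optional data | length,
    where length is a 2-octet unsigned integer in network byte order."""
    s = label + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(key, s, length)


def derive_dsrk(emsk: bytes, domain: str) -> bytes:
    """DSRK for one domain: the domain name is the optional data, so two
    domains obtain different root keys from the same EMSK."""
    return kdf(emsk, DSRK_LABEL, domain.encode("ascii"), ROOT_KEY_LEN)


def derive_rrk(root: bytes) -> bytes:
    """rRK per RFC 5296 Section 4.1: K is the EMSK (home domain) or a DSRK
    (local domain); S carries only the label and the length, no domain name."""
    return kdf(root, RRK_LABEL, b"", ROOT_KEY_LEN)


def erp_root_keys(emsk: bytes, foreign_domain: str) -> dict:
    """The root keys the thread talks about: the home rRK taken straight
    from the EMSK, plus a foreign domain's DSRK and the rRK the local ER
    server derives from that DSRK."""
    dsrk = derive_dsrk(emsk, foreign_domain)
    return {
        "home_rRK": derive_rrk(emsk),
        "dsrk": dsrk,
        "foreign_rRK": derive_rrk(dsrk),
    }


if __name__ == "__main__":
    # Constructed EMSK for illustration only; a real EMSK comes from the EAP method.
    emsk = bytes(range(64))
    keys = erp_root_keys(emsk, "visited.example")
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
    # Same EMSK, different domain name: a different DSRK.
    print("other DSRK:", derive_dsrk(emsk, "other.example").hex())
```

Running it shows the point Qin raises: changing the domain name changes the DSRK, but `derive_rrk(emsk)` never sees a domain name, so there is no "home DSRK" in this scheme, only the home rRK taken directly from the EMSK, and a local ER server gets a different rRK because its input is the domain's DSRK rather than the EMSK.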