Re: [Dime] Comments on abstract and section 1 of newversiondraft-ietf-dime-erp-01
Hi again,
> [Qin]: It is not very strange to me. Because it is not the ER server but the peer to do bootstrapping.
> So it is natural for peer to set B flag in the ERP message. When the peer gets response from the home server,
> the peer needs to compute DSRK, DS-rRK, DS-rIK, and keyName-NAI based on the local domain name
> and install these keys on the peer. That's what is called "bootstrapping", in my understanding.
>
The peer does not receive any key material during the ERP exchange: it
already possesses the EMSK. The only eventual benefit for the peer in
explicit bootstrapping is to learn the domain of the local ER server.
The main goal is the bootstrapping of this local server, IIUC.
>> In explicit bootstrapping we have really two different things in the same exchange:
>> 1) peer <-> home server : re-authentication
>> 2) local ER server <-> home server : bootstrapping
>> For (1) to occur, it supposes that the home server already has the key
>> material. Therefore it is either collocated with EAP server (and so the
>> key material is locally available) or has already bootstrapped
>> previously (kind of recursive architecture in this case).
>>
>
> [Qin] Unlike explicit bootstrapping, Implicit bootstrapping only has 2) in the exchange.
> 1) does not happen in the implicit bootstrapping. Am I right?
>
Yes, that is right for the bootstrapping exchange; but then later ERP
exchanges are performed to actually re-authenticate the peer.
> Another concern is whether we can say local ER server<--> home ER server can be viewed as "bootstrapping"?
> How to understand bootstrapping?
>
Bootstrapping is providing the ERP root key to the ER server that needs
it, to perform the re-authentication of the peer.
> [Qin]: The difference is using *Re-auth root key transport* instead of *Bootstrapping*
> Because I am afraid that bootstrapping is not used by the local server but by the peer to request the Re-authentication key.
> What do you think of it?
>
Well, since bootstrapping is creating and transporting the key material
to the ER server, I still think it is equivalent :) The peer never
requests any key from the server, otherwise there would be no security...
Best regards,
Sebastien.
--
Sebastien Decugis
Research fellow
Network Architecture Group
NICT (nict.go.jp)
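The point argued above (the peer derives DSRK, DS-rRK and DS-rIK locally from the EMSK it already holds, while the local ER server only ever receives the DSRK from the home server) can be made concrete with the ERP key hierarchy. The following is an added example, not code from the draft or from either correspondent; it uses the PRF+/HMAC-SHA256 KDF and the key labels, output sizes and cryptosuite code as recalled from RFC 5295 and RFC 6696, which are assumptions to check against those RFCs, and the EMSK and domain name are constructed sample values.

```python
import hashlib
import hmac
import struct

def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """RFC 5295 PRF+ with HMAC-SHA256: T1 = PRF(K, S|0x01), Tn = PRF(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]

def kdf(key: bytes, label: bytes, optional: bytes, length: int) -> bytes:
    """KDF(K, label | "\\0" | optional data | 2-octet output length) as in RFC 5295 / RFC 6696."""
    return prf_plus(key, label + b"\0" + optional + struct.pack("!H", length), length)

# Labels, sizes and cryptosuite code as recalled from RFC 5295 / RFC 6696 (assumed; verify against the RFCs).
DSRK_LABEL = b"dsrk@ietf.org"
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
RIK_LABEL = b"Re-authentication Integrity Key@ietf.org"
HMAC_SHA256_128 = 2  # rIK cryptosuite code (assumed)

def derive_dsrk(emsk: bytes, domain: bytes) -> bytes:
    """Domain-specific root key: needs the EMSK, so only the peer and the home server can compute it."""
    return kdf(emsk, DSRK_LABEL, domain, 64)

def derive_rrk(root: bytes) -> bytes:
    """rRK when root is the EMSK, DS-rRK when root is a DSRK."""
    return kdf(root, RRK_LABEL, b"", 64)

def derive_rik(rrk: bytes, cryptosuite: int = HMAC_SHA256_128) -> bytes:
    """Integrity key bound to the cryptosuite; 32-octet output for the SHA-256 suites (assumed)."""
    return kdf(rrk, RIK_LABEL, bytes([cryptosuite]), 32)

def bootstrap(emsk: bytes, local_domain: bytes) -> dict:
    """Model the two halves of explicit bootstrapping for one local domain."""
    # Home server: derives the DSRK for the local domain and transports it to the local ER server.
    transported_dsrk = derive_dsrk(emsk, local_domain)
    # Local ER server: has no EMSK; derives DS-rRK and DS-rIK from the DSRK it received.
    server_rik = derive_rik(derive_rrk(transported_dsrk))
    # Peer: learns only the local domain name from the response and derives everything from its own EMSK.
    peer_rik = derive_rik(derive_rrk(derive_dsrk(emsk, local_domain)))
    return {"dsrk": transported_dsrk, "server_rik": server_rik, "peer_rik": peer_rik}

if __name__ == "__main__":
    emsk = bytes(range(64))  # constructed 64-octet EMSK, not a real key
    keys = bootstrap(emsk, b"local.example.net")  # constructed local domain name
    print("peer and local ER server agree on DS-rIK:", keys["server_rik"] == keys["peer_rik"])
```

Both sides end with the same DS-rIK although no key ever travels toward the peer; only the DSRK travels from the home server to the local ER server.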
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.