Re: [Dime] Comments on section 2 of new version draft-ietf-dime-erp-01
Hi,
Sorry for the late answer.
> [Qin]: Sorry for your misunderstanding here. What I want to say here is:
> suppose both the local ER server and the home ER server support *EAP*,
>
...
> we can simply assume the home EAP server and the peer have already exported
> the same EMSK during the initial EAP exchange.
That's the base assumption of ERP, yes.
> In this way, the Re-authentication
> root key can be derived from the EMSK. There is no extra delay to be introduced.
>
Do you mean that intermediary nodes (such as the local ER server) can derive
the EMSK also? This would be a security issue...
> [Qin]: Sorry for your misunderstanding. The AAA server or AAA agent mentioned here is not a third entity but the EAP server.
> So it is not necessary to define a new message for key exchange here. If the EAP server is not able to derive the ERP stuff,
> the ERP exchange will fail and fall back to the full EAP exchange.
>
I think this is what is written in the document, yes...
> [Qin]: Okay.
> Suppose there are several EAP servers in the home domain.
> If one EAP server cannot use a specific EAP method to export the EMSK, why do we
> need to deploy such a kind of EAP server?
>
There can be several EAP servers that are able to derive EMSK...
Sebastien.
--
Sebastien Decugis
Research fellow
Network Architecture Group
NICT (nict.go.jp)
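To make the key hierarchy under discussion concrete, here is an added example (not code from the draft, from Qin, or from Sebastien) of deriving the re-authentication root key (rRK) from the EMSK and the integrity key (rIK) from the rRK. The PRF+/HMAC-SHA256 KDF, the two label strings, the "\0" separator and the two-octet length field follow my reading of RFC 5295 and RFC 5296; the one-octet cryptosuite encoding and the sample EMSK are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample EMSK (64 octets). A real EMSK is exported by the EAP
# method to the peer and the home EAP server only; nothing else sees it.
EMSK = bytes(range(64))

# Key labels as given in RFC 5296 (assumption: quoted from memory).
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
RIK_LABEL = b"Re-authentication Integrity Key@ietf.org"


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """PRF+ as in the RFC 5295 USRK KDF: T(n) = HMAC(key, T(n-1) | data | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + data + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def kdf(key: bytes, label: bytes, optional_data: bytes, length: int) -> bytes:
    # S = key label | "\0" | optional data | length (2 octets, network order)
    s = label + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(key, s, length)


def derive_rrk(emsk: bytes, length: int = 64) -> bytes:
    """rRK = KDF(EMSK, rRK Label | "\\0" | length)."""
    return kdf(emsk, RRK_LABEL, b"", length)


def derive_rik(rrk: bytes, cryptosuite: int, length: int = 64) -> bytes:
    """rIK = KDF(rRK, rIK Label | "\\0" | cryptosuite | length).

    Assumption: the cryptosuite is encoded as a single octet.
    """
    return kdf(rrk, RIK_LABEL, bytes([cryptosuite]), length)


def home_server_keys(emsk: bytes, cryptosuite: int) -> dict:
    """What the home ER server (and the peer) end up holding.

    Note that rIK is a function of rRK only: an entity that is handed rIK
    cannot recover rRK or the EMSK from it, which is the point of the hierarchy.
    """
    rrk = derive_rrk(emsk)
    return {"rRK": rrk, "rIK": derive_rik(rrk, cryptosuite)}
```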