Re: [Dime] Review of draft-ietf-dime-local-keytran-03

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Thu, 13 May 2010 16:35 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0DA733A691A for <dime@core3.amsl.com>; Thu, 13 May 2010 09:35:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.129
X-Spam-Level:
X-Spam-Status: No, score=-10.129 tagged_above=-999 required=5 tests=[AWL=0.470, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JRXnR4tKgLxO for <dime@core3.amsl.com>; Thu, 13 May 2010 09:35:29 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id DDB143A685A for <dime@ietf.org>; Thu, 13 May 2010 09:35:15 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIvH60urR7Ht/2dsb2JhbACeIHGkCZk6hRIEg0A
X-IronPort-AV: E=Sophos;i="4.53,223,1272844800"; d="scan'208";a="129308358"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-4.cisco.com with ESMTP; 13 May 2010 16:35:06 +0000
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o4DGZ6JP028723; Thu, 13 May 2010 16:35:06 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 13 May 2010 09:35:05 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 13 May 2010 09:35:04 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE50A554399@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <BLU0-SMTP1379FA02B7E014A72ABF23D8FC0@phx.gbl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Dime] Review of draft-ietf-dime-local-keytran-03
Thread-Index: AcrynG3eS/86VoyNTOCVMDP0tA/98gAHZHpA
References: <AC1CFD94F59A264488DC2BEC3E890DE50A43AE83@xmb-sjc-225.amer.cisco.com> <00b701caedc5$92e4d150$b8ae73f0$@net> <AC1CFD94F59A264488DC2BEC3E890DE50A554125@xmb-sjc-225.amer.cisco.com> <000401caf25d$420b7d50$c62277f0$@net> <BLU0-SMTP1379FA02B7E014A72ABF23D8FC0@phx.gbl>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Tom Taylor <tom111.taylor@bell.net>, Glen Zorn <gwz@net-zen.net>
X-OriginalArrivalTime: 13 May 2010 16:35:05.0850 (UTC) FILETIME=[3E6AB5A0:01CAF2BA]
Cc: dime@ietf.org
Subject: Re: [Dime] Review of draft-ietf-dime-local-keytran-03
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 16:35:30 -0000

> >
> > Tom Taylor mentioned this as well but I am still puzzled by it: in
what
> > scenario could this occur?  AFAIK all the keys are bound to a
particular
> > session which is itself bound to a particular access point.  What am
I
> > missing?
> >
> > ...
> [PTT]
> OK, this is one for the architecture to answer. I'll review the
different
> interfaces to see if there is a case of anticipatory keying that isn't
> bound as
> tightly as you suggest. At the very least, I don't think the keys
passed
> to a
> local ER server would be bound to a particular access point, but they
may
> indeed
> be bound to a particular session, in some sense of session.


[Joe] I can't think of a reason why the domain wouldn't already be known
to the session.  I'd be okay with leaving the domain out until there is
a use-case for it.