Re: [AAA-WG]: RE: [Mip4] dynamic keys



Jeremy,

In 3GPP2 there is an over-the-air provisioning mechanism that sets up a TLS connection between the mobile and a trusted provisioning server. The mobile runs HTTP over TLS to get various parameters, including the MN-AAA shared secret. The trusted provisioning system provides this information to the home AAA server of the mobile, too. The trusted provisioning system can run without user intervention, so that mobile station information may be updated.

http://www.3gpp2.org/Public_html/specs/C.S0040-0_v1.0_110403.pdf


- Tom


Jeremy A. Greene wrote:
So, it doesn't make the initial deployment any easier (if there's one
HA), just ongoing use more secure. Each MN needs to be manually
configured in some manually intensive secure manner and/or use a
proprietary mechanism.

I guess I was looking more for a standardized server-side-only (aaa)
configuration solution. More like the web, using server-side cert and
client-side username/pw (over ssl).

Jeremy

-----Original Message-----
From: Henrik Levkowetz [mailto:henrik@levkowetz.com]
Sent: Tuesday, February 10, 2004 7:00 PM
To: Jeremy A. Greene
Cc: mip4@ietf.org; aaa-wg@merit.edu
Subject: Re: [Mip4] dynamic keys

Hi Jeremy,

Tuesday 10 February 2004, Jeremy A. Greene wrote:

In the mip4-aaa-key-03 draft (and aaa-diameter-mobileip-16) it requires
the use of a single, widely used (by all MNs??), long term pre-shared
key between the MN and AAAH. Since this key is directly used to
calculate dynamic keys, this does not seem terribly secure.

I see no reason why the preshared key between MN and AAAH should be the
same for all MNs, rather than individual per-MN?  Or is it I who have
missed something?

	Henrik
