RE: [Mipshop] RE: Review of draft-yegin-hmip-sa-00

Hi Alper,

please find below one question about the approach suggested by the draft.

> > I don't think the NAS should be involved in the
> > key delivery.  My (limited) understanding of 4140
> > tells me that the MAP is deeper in the network
> > than a typical NAS
>
> In my understanding, MAP is part of the "access network", not the "home
> network." For that, putting aside the physical and topological aspects, from
> the "administrative domain" aspect NAS and MAP are part of the same network.
>
> > I am fine with the notion of using a key from the
> > EAP keying hierarchy for IKEv2
> > authentication.  However, I don't think we should
> > use the MSK for the key derivation.  Instead a
> > key from the EMSK hierarchy might be used.   We
> > can discuss the specifics in detail if you want.
>
> Why do you think so?
>

As you know, there were some proposals for MIP6 bootstrapping similar to this, deriving keys from network access authentication for MIPv6 bootstrapping. These proposals have not been accepted because there were strong suggestions to keep authentication procedures for network access services and mobility services separate. In his review of the MIP6 bootstrapping PS document, Sam mentioned again that these two authentications must be fully separated.

Since I originally proposed this approach for MIP6, I am wondering why you think this should be acceptable for HMIP. Is there any real difference in the scenario in your opinion?

--Gerardo

> We proposed use of MSK because we assume MAP and NAS are part of the same
> administrative domain. NAS can generate the HMIP-SA and pass it to the MAP.
> Use of EMSK would have been more appropriate if MAP were part of the home
> network along with the HAAA server.
>
> Alper
>
> _______________________________________________
> Mipshop mailing list
> Mipshop at ietf.org
> https://www1.ietf.org/mailman/listinfo/mipshop
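The MSK-versus-EMSK question in the exchange above comes down to which entity can compute the HMIP SA key locally. The following Python is an added illustration, not code from the draft, from either poster, or from any IETF specification: it derives a child key from each EAP root key and checks which parties hold the root needed to do so. The fact it rests on is that the AAA server exports the MSK to the NAS (authenticator) while the EMSK never leaves the peer and the server (RFC 3748, RFC 5247). The seed layout is modelled on the RFC 5295 USRK construction and the expansion on IKEv2 prf+ (RFC 4306), but the key label, the NAI and the root-key bytes are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+ expansion (RFC 4306 section 2.13) using HMAC-SHA-256.

    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n); the concatenation is
    truncated to `length` octets.
    """
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_sa_key(root_key: bytes, label: bytes, mn_nai: bytes, length: int = 32) -> bytes:
    """Derive a child key from an EAP root key (MSK or EMSK).

    Seed = label | NUL | context | 2-octet length, modelled on the RFC 5295
    USRK construction. The label used below is hypothetical, not a
    registered key label from any document.
    """
    seed = label + b"\x00" + mn_nai + length.to_bytes(2, "big")
    return prf_plus(root_key, seed, length)


# Constructed sample root keys standing in for the output of a real EAP run.
MSK = hashlib.sha256(b"constructed MSK for illustration").digest() * 2    # 64 octets
EMSK = hashlib.sha256(b"constructed EMSK for illustration").digest() * 2  # 64 octets
HMIP_LABEL = b"example-hmip-sa@example.net"  # hypothetical key label
MN_NAI = b"mn@example.net"                   # constructed mobile node identity


def root_keys_held_by(role: str) -> dict:
    """Which EAP root keys each entity holds after network access authentication.

    RFC 3748 / RFC 5247: the AAA server exports the MSK to the NAS
    (authenticator); the EMSK is never transported and exists only at the
    peer and the AAA server.
    """
    holdings = {
        "peer":   {"MSK": MSK, "EMSK": EMSK},
        "server": {"MSK": MSK, "EMSK": EMSK},  # home AAA (HAAA) server
        "nas":    {"MSK": MSK},                 # access-network authenticator
        "map":    {},                           # holds nothing until a key is delivered
    }
    return holdings[role]


def derive_at(role: str, root_name: str) -> Optional[bytes]:
    """Compute the HMIP SA key at `role` from `root_name`, or return None if
    that entity does not possess the root key and so cannot derive it locally."""
    held = root_keys_held_by(role)
    if root_name not in held:
        return None
    return derive_sa_key(held[root_name], HMIP_LABEL, MN_NAI)


if __name__ == "__main__":
    for root in ("MSK", "EMSK"):
        for role in ("peer", "server", "nas", "map"):
            k = derive_at(role, root)
            print(f"{root:<4} at {role:<6}: {k.hex() if k else 'cannot derive locally'}")
```

Running it shows the split the thread is arguing about: an MSK-derived key is computable at the peer, the HAAA server and the NAS, so the NAS can hand it to a MAP in its own domain; an EMSK-derived key is computable only at the peer and the HAAA server, so it can reach a MAP only by way of the home network.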


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.