Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

To: "'Jari Arkko'" <jari.arkko at piuha.net>
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
From: "Glen Zorn" <gwz at net-zen.net>
Date: Wed, 15 Apr 2009 17:10:38 +0700
Cc: yohba at tari.toshiba.com, Basavaraj.Patil at nokia.com, pana at ietf.org
Delivered-to: pana at core3.amsl.com
In-reply-to: <49E57D21.8030402 at piuha.net>
List-archive: <http://www.ietf.org/mail-archive/web/pana>
List-help: <mailto:pana-request@ietf.org?subject=help>
List-id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-post: <mailto:pana@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
Organization: Network Zen
References: <C603B141.26687%basavaraj.patil at nokia.com> <007201c9b97b$30c606d0$92521470$ at net> <5e2406980904100000t57c951duab69d7c0b7b7277 at mail.gmail.com> <49E301EA.10605 at piuha.net> <20090414235011.GQ29716 at steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD at NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402 at piuha.net>
Thread-index: Acm9q8ptZE9+enEhRrqP4wf8GQKQtQAA7aJw

Jari Arkko [mailto:jari.arkko at piuha.net] writes:

> Can we technically specify the IPsec parts without PEMK? If yes, we
> should do it. If not, we have an issue.
> 
> Quickly scanning through the documents, PaC-EP-Master-Key does not seem
> to be defined in RFC 5191 but it is used by draft-ietf-pana-ipsec. 

One of the problems w/draft-ietf-pana-ipsec is that the precise nature of
the protection between the PaC & EP doesn't seem to be specified _anywhere_
(please correct me if I'm wrong).  For the purposes of
draft-ietf-pana-ipsec, the connection should probably be protected using
IPsec (to avoid a weakest-link attack), but that needs to be specified.  As
for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of the MSK
which is a _really_ bad idea IMHO -- the EMSK should really be used instead.

> At the very least we need a definition of Pac-EP-Master-Key in
> draft-ietf-pana-ipsec, not sure if a separate document is needed.
> 

...

~ gwz

Nuclear power: more toxic than Britney Spears.

Follow-Ups:
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Alper Yegin

References:
- [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Basavaraj.Patil
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Glen Zorn
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Julien Bournelle
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Yoshihiro Ohba
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Basavaraj.Patil
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko

Prev by Date: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Next by Date: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Previous by thread: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Next by thread: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Index(es):
- Date
- Thread

Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.