Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

To: "'Glen Zorn'" <gwz at net-zen.net>, "'Jari Arkko'" <jari.arkko at piuha.net>
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
From: "Alper Yegin" <alper.yegin at yegin.org>
Date: Wed, 15 Apr 2009 16:55:18 +0300
Cc: yohba at tari.toshiba.com, pana at ietf.org, Basavaraj.Patil at nokia.com
Delivered-to: pana at core3.amsl.com
In-reply-to: <002d01c9bdb2$6fa9d800$4efd8800$ at net>
List-archive: <http://www.ietf.org/mail-archive/web/pana>
List-help: <mailto:pana-request@ietf.org?subject=help>
List-id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-post: <mailto:pana@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
References: <C603B141.26687%basavaraj.patil at nokia.com> <007201c9b97b$30c606d0$92521470$ at net> <5e2406980904100000t57c951duab69d7c0b7b7277 at mail.gmail.com> <49E301EA.10605 at piuha.net> <20090414235011.GQ29716 at steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD at NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402 at piuha.net> <002d01c9bdb2$6fa9d800$4efd8800$ at net>
Thread-index: Acm9q8ptZE9+enEhRrqP4wf8GQKQtQAA7aJwAAh4POA=

> As
> for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of the
> MSK
> which is a _really_ bad idea IMHO -- the EMSK should really be used
> instead.

Why so?

Secure association protocols have been using MSK-driven keys.
And it makes sense, as MSK is what NAS knows (not EMSK).
I have no idea what value using EMSK has, but the obvious cost is to impact
the AAA deployment between the NAS and AAA servers. Today AAA protocols
deliver MSK, not EMSK or any of its children.

Alper

Follow-Ups:
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko

References:
- [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Basavaraj.Patil
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Glen Zorn
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Julien Bournelle
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Yoshihiro Ohba
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Basavaraj.Patil
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Glen Zorn

Prev by Date: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Next by Date: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Previous by thread: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Next by thread: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Index(es):
- Date
- Thread

Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.