Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

To: "Jari Arkko" <jari.arkko at piuha.net>, "Alper Yegin" <alper.yegin at yegin.org>
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
From: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Date: Fri, 17 Apr 2009 09:40:22 -0700
Authentication-results: sj-dkim-2; header.From=jsalowey at cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: yohba at tari.toshiba.com, Basavaraj.Patil at nokia.com, pana at ietf.org
Delivered-to: pana at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1783; t=1239986425; x=1240850425; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey at cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey at ci sco.com> |Subject:=20RE=3A=20[Pana]=20What=20to=20do=20with=20I-D=3A =20draft-ietf-pana-ipsec |Sender:=20; bh=QhT0k7i7jvxI0MR2bzQlj0Ciqwg273ddndD6auLUMGk=; b=JwInVcATEbbLf2vPnIsO92aQZdF7hFh9gr/PjM/d4Q/PjYwXEwfRP7WHsg CtzNvkPgT+5r6EOcOdzJLK+05KPzIGQ1jV8HsAoFeMrbpun2W0SFCKvLzBG7 J+SBUsrWkS;
In-reply-to: <49E5E9B7.6070509 at piuha.net>
List-archive: <http://www.ietf.org/mail-archive/web/pana>
List-help: <mailto:pana-request@ietf.org?subject=help>
List-id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-post: <mailto:pana@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
References: <C603B141.26687%basavaraj.patil at nokia.com> <007201c9b97b$30c606d0$92521470$ at net> <5e2406980904100000t57c951duab69d7c0b7b7277 at mail.gmail.com> <49E301EA.10605 at piuha.net> <20090414235011.GQ29716 at steelhead.localdomain> <FAAB54171A6C764E969E6B4CB3C2ADD20A44A0AFFD at NOK-EUMSG-03.mgdnok.nokia.com> <49E57D21.8030402 at piuha.net><002d01c9bdb2$6fa9d800$4efd8800$ at net><02cc01c9bdd1$dac57d00$90507700$ at yegin@yegin.org> <49E5E9B7.6070509 at piuha.net>
Thread-index: Acm901IlkuK4V4nMTwmTJ/q9OfOkHABn4kzw
Thread-topic: [Pana] What to do with I-D: draft-ietf-pana-ipsec

If the use of the key is entirely within the PANA authenticator and PANA
specifications then using the MSK is OK.  If the same key is going to be
used in specifications independent of PANA (802.11, etc) or used
somewhere other than the authenticator then the MSK may not be a good
choice.  

> -----Original Message-----
> From: pana-bounces at ietf.org [mailto:pana-bounces at ietf.org] On 
> Behalf Of Jari Arkko
> Sent: Wednesday, April 15, 2009 7:06 AM
> To: Alper Yegin
> Cc: yohba at tari.toshiba.com; pana at ietf.org; Basavaraj.Patil at nokia.com
> Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
> 
> I think I agree with what Alper is saying below. It is 
> obviously important to have separated keys for PANA itself 
> and the per-packet protection (such as for IPsec). But given 
> the definition of the keys used for PANA in the RFC, I think 
> it is possible to have other MSK-derived keys for IPsec.
> 
> Jari
> 
> Alper Yegin wrote:
> >> As
> >> for draft-ohba-pana-pemk-02, it specifies (as does 5191) 
> the use of 
> >> the MSK which is a _really_ bad idea IMHO -- the EMSK 
> should really 
> >> be used instead.
> >>     
> >
> > Why so?
> >
> > Secure association protocols have been using MSK-driven keys.
> > And it makes sense, as MSK is what NAS knows (not EMSK).
> > I have no idea what value using EMSK has, but the obvious 
> cost is to 
> > impact the AAA deployment between the NAS and AAA servers. 
> Today AAA 
> > protocols deliver MSK, not EMSK or any of its children.
> >
> > Alper
> >
> >
> >
> >
> >
> >
> >   
> 
> _______________________________________________
> Pana mailing list
> Pana at ietf.org
> https://www.ietf.org/mailman/listinfo/pana
>

Follow-Ups:
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Alper Yegin
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko

References:
- [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Basavaraj.Patil
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Glen Zorn
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Julien Bournelle
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Yoshihiro Ohba
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Basavaraj.Patil
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Glen Zorn
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Alper Yegin
- Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
  - From: Jari Arkko

Prev by Date: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Next by Date: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Previous by thread: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Next by thread: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Index(es):
- Date
- Thread

Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.