-----Original Message-----
From: pana-bounces at ietf.org [mailto:pana-bounces at ietf.org] On Behalf Of Jari Arkko
Sent: Wednesday, April 15, 2009 7:06 AM
To: Alper Yegin
Cc: yohba at tari.toshiba.com; pana at ietf.org; Basavaraj.Patil at nokia.com
Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec

I think I agree with what Alper is saying below. It is obviously important to have separated keys for PANA itself and the per-packet protection (such as for IPsec). But given the definition of the keys used for PANA in the RFC, I think it is possible to have other MSK-derived keys for IPsec.

Jari

Alper Yegin wrote:
> > As for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of
> > the MSK which is a _really_ bad idea IMHO -- the EMSK should really
> > be used instead.
>
> Why so?
>
> Secure association protocols have been using MSK-driven keys.
> And it makes sense, as MSK is what NAS knows (not EMSK).
>
> I have no idea what value using EMSK has, but the obvious cost is to
> impact the AAA deployment between the NAS and AAA servers. Today AAA
> protocols deliver MSK, not EMSK or any of its children.
>
> Alper