Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
Joe,
PaC-EP key is used by the PaC and the EP.
EP may be physically separate from the PAA (e.g., a base station separated
from NAS).
PaC-EP key is used by the secure association protocol between the PaC and
the EP.
I'm not sure if these satisfy your conditions. Please let us know.
Alper
> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:jsalowey at cisco.com]
> Sent: Friday, April 17, 2009 7:40 PM
> To: Jari Arkko; Alper Yegin
> Cc: yohba at tari.toshiba.com; pana at ietf.org; Basavaraj.Patil at nokia.com
> Subject: RE: [Pana] What to do with I-D: draft-ietf-pana-ipsec
>
> If the use of the key is entirely within the PANA authenticator and PANA
> specifications then using the MSK is OK. If the same key is going to be
> used in specifications independent of PANA (802.11, etc) or used
> somewhere other than the authenticator then the MSK may not be a good
> choice.
>
> > -----Original Message-----
> > From: pana-bounces at ietf.org [mailto:pana-bounces at ietf.org] On
> > Behalf Of Jari Arkko
> > Sent: Wednesday, April 15, 2009 7:06 AM
> > To: Alper Yegin
> > Cc: yohba at tari.toshiba.com; pana at ietf.org; Basavaraj.Patil at nokia.com
> > Subject: Re: [Pana] What to do with I-D: draft-ietf-pana-ipsec
> >
> > I think I agree with what Alper is saying below. It is
> > obviously important to have separated keys for PANA itself
> > and the per-packet protection (such as for IPsec). But given
> > the definition of the keys used for PANA in the RFC, I think
> > it is possible to have other MSK-derived keys for IPsec.
> >
> > Jari
> >
> > Alper Yegin wrote:
> > >> As for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of
> > >> the MSK which is a _really_ bad idea IMHO -- the EMSK should really
> > >> be used instead.
> > >>
> > >
> > > Why so?
> > >
> > > Secure association protocols have been using MSK-driven keys.
> > > And it makes sense, as MSK is what NAS knows (not EMSK).
> > > I have no idea what value using EMSK has, but the obvious cost is to
> > > impact the AAA deployment between the NAS and AAA servers. Today AAA
> > > protocols deliver MSK, not EMSK or any of its children.
> > >
> > > Alper
> >
> > _______________________________________________
> > Pana mailing list
> > Pana at ietf.org
> > https://www.ietf.org/mailman/listinfo/pana
> >
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
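The thread above argues about which root (MSK or EMSK) the PaC-EP key should hang off, and Jari's point that the PANA key and the per-packet (IPsec) key must be separate even when both come from the MSK. The script below is an added illustration of that key separation and is not code from draft-ohba-pana-pemk, draft-ietf-pana-ipsec or RFC 5191. It uses an IKEv2-style prf+ (which RFC 5191 reuses) instantiated with HMAC-SHA-256; the PANA_AUTH_KEY input layout is written from memory of RFC 5191 section 5.3 and should be checked against the RFC, and the PaC-EP label, field order, identifiers and sample MSK are assumptions made up for the example.

```python
"""Label-separated key derivation from an EAP MSK (added example, not PANA code).

Assumptions (not taken from the drafts): HMAC-SHA-256 as the PRF, the
"EXAMPLE PaC-EP" label and its field order, and the sample identifiers below.
"""
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+ (RFC 4306 section 2.13): iterated HMAC with a 1-octet counter.

    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output is T1 | T2 | ... truncated
    to `length`. The counter is one octet, so at most 255 blocks can be produced.
    """
    if not 0 < length <= 255 * DIGEST_LEN:
        raise ValueError("prf+ counter is one octet; requested length out of range")
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def derive_pana_auth_key(msk: bytes, i_par: bytes, i_pan: bytes,
                         pac_nonce: bytes, paa_nonce: bytes, key_id: bytes) -> bytes:
    """Key that protects PANA messages between PaC and PAA.

    Input layout recalled from RFC 5191 section 5.3 (verify against the RFC);
    this key never leaves the PaC/PAA pair.
    """
    seed = b"IETF PANA" + i_par + i_pan + pac_nonce + paa_nonce + key_id
    return prf_plus(msk, seed, 32)


def derive_pac_ep_key(msk: bytes, session_id: bytes, key_id: bytes, ep_id: bytes) -> bytes:
    """Per-EP key the PAA hands to an EP that may sit on a separate box.

    The label and field order are assumptions for this example. Binding the EP
    identifier into the seed gives each EP its own key, so one compromised EP
    does not learn another EP's key, and the EP never receives the MSK itself.
    """
    seed = b"EXAMPLE PaC-EP" + session_id + key_id + ep_id
    return prf_plus(msk, seed, 32)


def per_ep_keys(msk: bytes, session_id: bytes, key_id: bytes, ep_ids: list) -> dict:
    """What the PAA would push to each EP: only that EP's key, keyed by EP id."""
    return {ep: derive_pac_ep_key(msk, session_id, key_id, ep) for ep in ep_ids}


if __name__ == "__main__":
    # Constructed sample values; a real MSK comes out of the EAP method via AAA.
    msk = bytes(range(64))
    key_id = b"\x00\x00\x00\x01"
    auth_key = derive_pana_auth_key(msk, b"\x01", b"\x02", b"pac-nonce", b"paa-nonce", key_id)
    ep_keys = per_ep_keys(msk, b"session-1", key_id, [b"ep-a", b"ep-b"])
    print("PANA_AUTH_KEY :", auth_key.hex())
    for ep, k in ep_keys.items():
        print("PaC-EP key for", ep.decode(), ":", k.hex())
```

The design point the thread is circling: every key that leaves the PaC/PAA pair is a separate prf+ output under its own label, so the IPsec or link-layer key given to an EP is independent of PANA_AUTH_KEY, while the PAA still only needs the MSK that AAA delivers today. Joe's condition (keys reused outside PANA should not be MSK-based) is the case this example does not cover; RFC 5295 addresses it with EMSK-rooted usage-specific keys, which requires the EMSK to be available where the derivation happens.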