eap-3----Page:17

Thoughts on Exported Key Lifetimes
Where we are today
EAP methods do not negotiate the lifetime of the exported keys.
EAP, defined in [RFC3748], also does not support the negotiation of lifetimes for exported keying material such as the MSK, EMSK and IV.
To date, Secure Association Protocols also do not negotiate the lifetime of exported keys.
A gap may exist between EAP authentication and the Secure Association Protocol, so it is not clear that negotiating lifetimes there would help
Discovery (phase 0) solutions under investigation
Recommendations
On the EAP server, it is RECOMMENDED that the cache lifetime of exported keys be managed as a system parameter.
Where a negotiation mechanism is not provided by the lower layer, it is RECOMMENDED that the peer assume a default value for the exported key lifetime.
May be desirable to manage the TSK re-key time via AAA.
Not clear that AAA management of the exported key cache lifetime is helpful.
AAA server is not aware of authenticator resource constraints
Not clear how AAA server, authenticator and peer keep in sync
Per-user cache lifetime management may complicate discovery phase solutions