headers
Bernard Aboba | 14 Jul 2006 16:04
Picon
Favicon

WGLC on EAP Network Selection Document

No comments were received on the EAP Network Selection document during EAP 
WG last call.

This makes it difficult to tell whether this is because lots of people read 
it and could not find fault with it, or because few people read it.

Therefore in order to move the document forward, we are going to request 
that individuals who have read the document post to the list to indicate 
that they approve its publication.   If you have read it and have comments, 
please post these to the list as well.   In order to move forward, we will 
need at least 5 people (other than the authors and WG chairs) to indicate 
approval.

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 4 comments |
headers
Bernard Aboba | 14 Jul 2006 16:09
Picon
Favicon

EAP WG LC on Key Management Framework Document

This is to announce an EAP WG LC on the EAP Key Management framework 
document prior to sending it on to the IESG for publication as a Proposed 
Standard.   The document is available for inspection here:
http://www.ietf.org/internet-drafts/draft-ietf-eap-keying-14.txt

EAP WG last call will last until July 30, 2006.  Please send your comments 
to the EAP WG list in the format described on the Issues list 
(http://www.drizzle.com/~aboba/EAP/).

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 0 comments |
headers
Bernard Aboba | 14 Jul 2006 18:08
Picon
Favicon

Re: WGLC on EAP Network Selection Document

P.S. The deadline for posting comments is July 30, 2006.

>From: "Bernard Aboba" <bernard_aboba <at> hotmail.com>
>To: eap <at> frascone.com
>Subject: [eap] WGLC on EAP Network Selection Document
>Date: Fri, 14 Jul 2006 07:04:28 -0700
>
>No comments were received on the EAP Network Selection document during EAP
>WG last call.
>
>This makes it difficult to tell whether this is because lots of people read
>it and could not find fault with it, or because few people read it.
>
>Therefore in order to move the document forward, we are going to request
>that individuals who have read the document post to the list to indicate
>that they approve its publication.   If you have read it and have comments,
>please post these to the list as well.   In order to move forward, we will
>need at least 5 people (other than the authors and WG chairs) to indicate
>approval.
>
>
>_________________________________________________________________
>To unsubscribe or modify your subscription options, please visit:
>http://lists.frascone.com/mailman/listinfo/eap
>
>Arhives: http://lists.frascone.com/pipermail/eap

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap
(Continue reading)

Permalink | Reply | 0 comments |
headers
Bari, Farooq | 17 Jul 2006 22:51

Re: WGLC on EAP Network Selection Document

FYI- I have posted Bernard's message to IEEE and 3GPP reflectors for
their review of the draft.

Farooq Bari
Cingular Wireless
Core Network Standards

farooq.bari <at> cingular.com
+1 425 580 5526

> -----Original Message-----
> From: Ophir Shai [mailto:Shai.Ophir <at> starhome.com]
> Sent: Monday, July 17, 2006 12:57 AM
> To: Bari, Farooq
> Subject: RE: [eap] WGLC on EAP Network Selection Document
> 
> Thanks.
> I've read previous versions of this doc and agree with it all.
> Shai Ophir
> Starhome
> 
> -----Original Message-----
> From: Bari, Farooq [mailto:farooq.bari <at> cingular.com]
> Sent: Monday, July 17, 2006 1:27 AM
> To: Ophir Shai
> Subject: RE: [eap] WGLC on EAP Network Selection Document
> 
> Hi Shai,
> 
> The draft's link is as follows. It is a problem statement draft and
(Continue reading)

Permalink | Reply | 1 comment |
headers
Bari, Farooq | 18 Jul 2006 23:26

Re: WGLC on EAP Network Selection Document

During IEEE 802.11u meeting today, a motion was passed to respond to
IETF with any comments on this draft. However 11u would be doing it by
the next IEEE meeting scheduled for September.

BR

Farooq Bari
Cingular Wireless
Core Network Standards

farooq.bari <at> cingular.com
+1 425 580 5526

> -----Original Message-----
> From: Bari, Farooq
> Sent: Monday, July 17, 2006 1:52 PM
> To: Ophir Shai; Bernard Aboba; eap <at> frascone.com
> Subject: Re: [eap] WGLC on EAP Network Selection Document
> 
> FYI- I have posted Bernard's message to IEEE and 3GPP reflectors for
> their review of the draft.
> 
> Farooq Bari
> Cingular Wireless
> Core Network Standards
> 
> farooq.bari <at> cingular.com
> +1 425 580 5526
> 
> > -----Original Message-----
(Continue reading)

Permalink | Reply | 0 comments |
headers
M. Vanderveen | 19 Jul 2006 07:08
Picon
Favicon

Re: WGLC on EAP Network Selection Document

The draft is a good summary of the network selection problem.
I wonder if there is a plan to update this document after the various SDOs make some progress in this area. Overall it looks good to go.
 
 
Some editorials:
- Page 4: "The selection is dependent upon for example the
      authentication credentials for the user / device and the roaming
      agreements."  If there are no other factors that selection is dependent on
(besides that mentioned in the sentence immediately following this one), then
remove the "for example".
 
- Page 4: "The selection will be dependent upon for
      example the support for an access technology by the device and
      availability of such access technology based networks."
      Same comment as above.
 
- Page 15: "APs must support 802.1X pre-authentication (optional
in IEEE 802.11i) ". The year of this standard should be specified,
just like it is earlier in that sentence. What is meant here is
probably IEEE 802.11i-2004.
 
- Page 20: "solutions for problem of network selection" -- insert "the"
before "problem".
 
-Page 20: "more than one points" -- replace "points" with "point"
 
Michaela
 

 
 


Bernard Aboba <bernard_aboba <at> hotmail.com> wrote:
No comments were received on the EAP Network Selection document during EAP
WG last call.

This makes it difficult to tell whether this is because lots of people read
it and could not find fault with it, or because few people read it.

Therefore in order to move the document forward, we are going to request
that individuals who have read the document post to the list to indicate
that they approve its publication. If you have read it and have comments,
please post these to the list as well. In order to move forward, we will
need at least 5 people (other than the authors and WG chairs) to indicate
approval.


_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap

Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min. 
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 0 comments |
headers
Alper Yegin | 19 Jul 2006 23:26

Keying lifetimes (WG LC "Keying Fwk")

Key lifetime management needs revision
Submitter name: Alper Yegin 
Submitter email address: alper.yegin <at> yegin.org
Date first submitted: 7/19/2006
Reference: 
Document: Keying Framework
Comment type: T
Priority: S
Section: 3.5.  Exported and Calculated Key Lifetimes
Rationale/Explanation of issue:

3.5.  Exported and Calculated Key Lifetimes

   All EAP methods generating keys are required to generate the MSK and
   EMSK, and may optionally generate the IV.  However, EAP, defined in
   [RFC3748], does not itself support the negotiation of lifetimes for
   exported keying material such as the MSK, EMSK and IV.

   Several mechanisms exist for managing key lifetimes:

[a]  AAA attributes.  AAA protocols such as RADIUS [RFC2865] and
     Diameter [RFC4072] support the Session-Timeout attribute.  The
     Session-Timeout attribute represents the maximum lifetime of the
     exported keying material, and all keys depending on it, on the
     authenticator.  Since existing backend authentication servers do
     not cache keys exported by EAP methods, or keys calculated from
     exported keys, the value of the Session-Timeout attribute has no
     bearing on the key lifetime within the backend authentication
     server.

     On the authenticator,  where EAP is used for authentication the
     Session-Timeout attribute represents the maximum session time prior
     to re-authentication.  As described in [RFC3580] Section 3.17, when
     sent in an Access-Accept along with a Termination-Action value of
     RADIUS-Request, the Session-Timeout attribute specifies the maximum
     number of seconds of service provided prior to re-authentication.

     Where EAP is used for pre-authentication, the session may not start
     until some future time, or may never occur.  Nevertheless, the
     Session-Timeout value represents the maximum time after which
     transported EAP keying material, and all keys dependent on it, will
     have expired on the authenticator.  If the session subsequently
     starts, re-authentication will be initiated once the Session-Time
     has expired. If the session never started, or started and ended, by
     default keys transported by AAA and all keys dependent on them be
     expired by the authenticator prior to the future time indicated by
     Session-Timeout; this feature is utilized by [IEEE-802.11i].  Note
     that in future additional attributes may be specified to control
     the lifetime of cached keys; these attributes may modify the
     meaning of the Session-Timeout attribute in specific circumstances.

     Since the TSK lifetime is often determined by authenticator
     resources, and the backend authentication server has no insight
     into the TSK derivation process, by the principle of ciphersuite
     independence, it is not appropriate for the backend authentication
     server to manage any aspect of the TSK derivation process,
     including the TSK lifetime.

Alper: We shall not present this (a) as if it is a complete mechanism that
can manage key lifetimes on all relevant parties (peer, authenticator,
authentication server). This only provides the MSK lifetime to the
authenticator. Only when coupled with how peer learns the key lifetime for
MSK and EMSK we'd have a complete solution. 

Alper: I think what I'm suggesting is to enumerate these alternatives, such
that (a) appears under "how authenticator dynamically learns the MSK
lifetime."

[b]  Lower layer mechanisms.  While AAA attributes can communicate the
     maximum exported key lifetime, this only serves to synchronize the
     key lifetime between the backend authentication server and the
     authenticator.  Lower layer mechanisms such as the Secure
     Association Protocol can then be used to enable the lifetime of
     exported and calculated keys to be negotiated between the peer and
     authenticator.

     Where TSKs are established as the result of a Secure Association
     Protocol exchange, it is RECOMMENDED that the Secure Association
     Protocol include support for TSK re-key.  Where the TSK is taken
     directly from the MSK, there is no need to manage the TSK lifetime
     as a separate parameter, since the TSK lifetime and MSK lifetime
     are identical.

Alper: Secure Association Protocol is a "consumer" of MSK. For that, I don't
expect it to set the any attributes of the MSK it is "using." Doing
otherwise is a hack, IMHO. I recommend we remove the current text from this
option.

Alper: But, we shall retain the option. IMO, the technically correct way of
doing this is not via the "secure association" protocol, but via the "eap
transport". The lifetime learned from the authentication server via AAA
protocols can be conveyed to the EAP peer via such protocols. If people
agree, I can propose text.

[c]  System defaults.  Where the EAP method does not support the
     negotiation of the lifetime of exported keys, and a key lifetime
     negotiation mechanism is not provided by the lower lower, there may
     be no way for the peer to learn the lifetime of exported keys.  In
     this case it is RECOMMENDED that the peer assume a default value; 8
     hours is recommended.  Similarly, the lifetime of calculated keys
     can also be managed as a system parameter on the authenticator.

[d]  Method specific negotiation within EAP.  While EAP itself does not
     support lifetime negotiation, it would be possible to specify
     methods that do.  However, systems that rely on such negotiation
     for exported keys would only function with these methods.  In the
     interest of method independence, key management of exported or
     derived keys SHOULD NOT be provided within EAP methods.

Alper: again, this is all about how peer and authentication server agrees on
the MSK and EMSK lifetimes. It does not help the authenticator. We shall
categorize this mechanism as such.

Alper: Besides, what is the interaction between the lifetimes known and
delivered by the EAP methods and the AAA protocols? My understanding is, EAP
methods may export lifetimes, and the AAA protocol has the last say whether
the lifetime should be same as reported by the EAP method, or something
less. This is all about the "authorization" aspect. 

Requested change:

See above.

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 2 comments |
headers
Yoshihiro Ohba | 20 Jul 2006 22:58

Re: WGLC on EAP Network Selection Document

Hi,

The document looks good to me.

One minor comment on Section 3.1:

"
   The PANA protocol [17] has a mechanism to advertise and select "ISPs"
   through the exchange of the ISP-Information AVP in its initial
   exchange.
"

"
   The use of
   other network identifiers than domain names is also possible, for
   instance the PANA protocol uses an a free form string and an SMI
   Network Management Private Enterprise Code [17], or Mobile Network
   Codes embedded in NAIs as specified in 3GPP.
"

The description is true for the current version of PANA specification.
However, the latest discussion in the PANA WG will make the network
selection functionality be specified in a separate document other than
specifying it in the PANA base specification.  

Best regards,
Yoshihiro Ohba

On Fri, Jul 14, 2006 at 07:04:28AM -0700, Bernard Aboba wrote:
> No comments were received on the EAP Network Selection document during EAP 
> WG last call.
> 
> This makes it difficult to tell whether this is because lots of people read 
> it and could not find fault with it, or because few people read it.
> 
> Therefore in order to move the document forward, we are going to request 
> that individuals who have read the document post to the list to indicate 
> that they approve its publication.   If you have read it and have comments, 
> please post these to the list as well.   In order to move forward, we will 
> need at least 5 people (other than the authors and WG chairs) to indicate 
> approval.
> 
> 
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
> 
> Arhives: http://lists.frascone.com/pipermail/eap
> 
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 1 comment |
headers
Yoshihiro Ohba | 20 Jul 2006 23:21

Re: WGLC on EAP Network Selection Document

Please disregard my minor comment in my previous email.  I was
referring that NAP and ISP separate authentication to be removed from
PANA basic specification.  There was no discussion to remove the ISP
selection functionality in the PANA basic specification.
Sorry for my confusion.

Yoshihiro Ohba

On Thu, Jul 20, 2006 at 04:58:39PM -0400, Yoshihiro Ohba wrote:
> Hi,
> 
> The document looks good to me.
> 
> One minor comment on Section 3.1:
> 
> "
>    The PANA protocol [17] has a mechanism to advertise and select "ISPs"
>    through the exchange of the ISP-Information AVP in its initial
>    exchange.
> "
> 
> "
>    The use of
>    other network identifiers than domain names is also possible, for
>    instance the PANA protocol uses an a free form string and an SMI
>    Network Management Private Enterprise Code [17], or Mobile Network
>    Codes embedded in NAIs as specified in 3GPP.
> "
> 
> The description is true for the current version of PANA specification.
> However, the latest discussion in the PANA WG will make the network
> selection functionality be specified in a separate document other than
> specifying it in the PANA base specification.  
> 
> Best regards,
> Yoshihiro Ohba
> 
> 
> On Fri, Jul 14, 2006 at 07:04:28AM -0700, Bernard Aboba wrote:
> > No comments were received on the EAP Network Selection document during EAP 
> > WG last call.
> > 
> > This makes it difficult to tell whether this is because lots of people read 
> > it and could not find fault with it, or because few people read it.
> > 
> > Therefore in order to move the document forward, we are going to request 
> > that individuals who have read the document post to the list to indicate 
> > that they approve its publication.   If you have read it and have comments, 
> > please post these to the list as well.   In order to move forward, we will 
> > need at least 5 people (other than the authors and WG chairs) to indicate 
> > approval.
> > 
> > 
> > _________________________________________________________________
> > To unsubscribe or modify your subscription options, please visit:
> > http://lists.frascone.com/mailman/listinfo/eap
> > 
> > Arhives: http://lists.frascone.com/pipermail/eap
> > 
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
> 
> Arhives: http://lists.frascone.com/pipermail/eap
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________
> 
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 0 comments |
headers
Bernard Aboba | 21 Jul 2006 23:30
Picon
Favicon

Re: Keying lifetimes (WG LC "Keying Fwk")

>Alper: We shall not present this (a) as if it is a complete mechanism that
>can manage key lifetimes on all relevant parties (peer, authenticator,
>authentication server). This only provides the MSK lifetime to the
>authenticator. Only when coupled with how peer learns the key lifetime for
>MSK and EMSK we'd have a complete solution.

Right.

>Alper: I think what I'm suggesting is to enumerate these alternatives, such
>that (a) appears under "how authenticator dynamically learns the MSK
>lifetime."

This makes sense.

>Alper: Secure Association Protocol is a "consumer" of MSK. For that, I 
>don't
>expect it to set the any attributes of the MSK it is "using." Doing
>otherwise is a hack, IMHO. I recommend we remove the current text from this
>option.

In practice the SAP handles this in a number of cases, including IKEv2, 
802.16e, and 11r.   So I don't think we can leave it out.

>Alper: But, we shall retain the option. IMO, the technically correct way of
>doing this is not via the "secure association" protocol, but via the "eap
>transport". The lifetime learned from the authentication server via AAA
>protocols can be conveyed to the EAP peer via such protocols. If people
>agree, I can propose text.

We should probably describe this as another option.

>[d]  Method specific negotiation within EAP.  While EAP itself does not
>      support lifetime negotiation, it would be possible to specify
>      methods that do.  However, systems that rely on such negotiation
>      for exported keys would only function with these methods.  In the
>      interest of method independence, key management of exported or
>      derived keys SHOULD NOT be provided within EAP methods.
>
>Alper: again, this is all about how peer and authentication server agrees 
>on
>the MSK and EMSK lifetimes. It does not help the authenticator. We shall
>categorize this mechanism as such.

Yes.  In fact, it might create problems if *both* the method and 
SAP/transport are trying to negotiate the lifetime.  Do you have text to 
suggest?

>Alper: Besides, what is the interaction between the lifetimes known and
>delivered by the EAP methods and the AAA protocols?  My understanding is, 
>EAP
>methods may export lifetimes, and the AAA protocol has the last say whether
>the lifetime should be same as reported by the EAP method, or something
>less. This is all about the "authorization" aspect.

Right.  Another potential conflict.

_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.frascone.com/pipermail/eap
Permalink | Reply | 1 comment |

Gmane