Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

>>>>> "Charles" == Charles Clancy <clancy@xxxxxxxxxx> writes:

    >>> to be an L2 identity.  It can be any identity that's
    >>> meaningful to the parties involved, and can serve as the basis
    >>> for making authorization decisions.
    >>  As long as it's cryptographically bound to the L2 channel and
    >> that channel provides suitable protection for the EAP method
    >> doing the EAP channel binding, THEN Sam's observation is
    >> correct: "EAP channel binding" uses what I termed "end-point
    >> channel binding" and "EAP cryptographic binding" uses what I
    >> termed "unique channel binding."

    Charles> I don't think I'm convinced that EAP channel bindings are
    Charles> doing this binding to the L2 channel.  The identity used
    Charles> in an EAP channel binding must be bound to the AAA
    Charles> security association between the authenticator and the
    Charles> peer in order for everything to work, so it would be more

I'm not sure I'd describe the association between the peer and authenticator as an AAA association.
I agree with the rest.

    Charles> 
    Charles> likely a NAS-ID than a MAC address.
Are you sure that the binding happens between the mac address and NAS
ID?  I don't understand how the peer ever confirms the NAS ID at layer
two unless it also happens to be a MAC address.

I do agree with you though that EAP channel bindings include the
peer's lower layer identity and the identity of the authenticator that
the peer will later be able to verify.



    Charles> That's not to say there isn't an L2 binding happening --
    Charles> but I think it's being performed by the L2 secure
    Charles> association phase that uses the EAP key to derive L2
    Charles> keys.  Then during that handshake, a MAC address may be
    Charles> involved, binding in an L2 identity.

ANd if things are secure some L2 identity of the authenticator.


    Charles> I guess I see EAP channel bindings as an EAP<->AAA
    Charles> binding, and the L2 secure association protocol as the
    Charles> EAP<->L2 binding.

The L2 secure association protocol cannot be an eap->anything binding:
it does not typically use EAP level identifiers.

    Charles> -- t. charles clancy, ph.d.  <> tcc@xxxxxxx <>
    Charles> www.cs.umd.edu/~clancy





_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]