RE: draft-zorn-radius-pkmv1-05.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Bernard Aboba [mailto:bernard_aboba@xxxxxxxxxxx] writes:

 

Donald Eastlake said:

"Doing a little more research, 802.16e-2005, which 
you don't reference, does begin to touch on this by at least 
specifying how EAP fits into 802.16."

[BA] As I understand it, this document is focused entirely on
PKMv1, which does not support EAP.  So it does not apply to
IEEE 802.16e-2005.  That's quite an important point, since
there are existing specifications (from WiMAX forum) that
deal extensively with IEEE 802.16e/AAA interactions.

If that point is not very clear from the document, then it needs
to be.

If you can suggest a way to make it clearer, I’d appreciate it: only PLMv1 is ever mentioned, the only referenced IEEE standard is 802.16-2006, the attributes defined have nothing to do with EAP, etc.


[Donald Eastlake]

If above you are saying that the security of these new RADIUS 
attributes can be evaluated entirely based on a knowledge of RADIUS, I 
do not agree with this.

[BA]

PKMv1 has some fairly serious security problems that are described here:
http://www2.computer.org/portal/web/csdl/doi/10.1109/SNPD.2008.138

So I think the question is whether this document can make those serious
security problems even worse, in a way that has not already been
documented.

AFAICT, this is not the case.  The use of RADIUS doesn’t improve the security of PKMv2 but it doesn’t seem to reduce it either .  The suggested use of the MS-MPPE-Send-Key Attribute may be problematic but seems pretty much unavoidable at present.



I'd suggest that the document reference the known security
issues that are covered in other documents, such as the ones above and
others (such as RFC 3579) that describe weaknesses in the MPPE-Key
attributes.

OK
[Donald Eastlake]

If above, you are saying is that there is no 
need for there to be some explanation, in your draft or in some 
document referenced by it, of how RADIUS fits into 802.16 and that 
people who don't have an a priori knowledge of this should just keep 
their noses out of your document, I don't agree with that either.

[BA]  I would suggest that the document could reference the
RADIUS specifications from WiMAX forum that relate
to IEEE 802.16e-2005 to make it clear that operation with
that updated specification is out of scope.
I have no idea how that would make anything clear.  Can you explain?

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]