ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings

2007-04-06 13:15:09
from [Sam Hartman] [Permanent Link] 
"Charles" == Charles Clancy <clancy(_at_)cs(_dot_)umd(_dot_)edu> writes:


    >>> to be an L2 identity.  It can be any identity that's
    >>> meaningful to the parties involved, and can serve as the basis
    >>> for making authorization decisions.
    >>  As long as it's cryptographically bound to the L2 channel and
    >> that channel provides suitable protection for the EAP method
    >> doing the EAP channel binding, THEN Sam's observation is
    >> correct: "EAP channel binding" uses what I termed "end-point
    >> channel binding" and "EAP cryptographic binding" uses what I
    >> termed "unique channel binding."

    Charles> I don't think I'm convinced that EAP channel bindings are
    Charles> doing this binding to the L2 channel.  The identity used
    Charles> in an EAP channel binding must be bound to the AAA
    Charles> security association between the authenticator and the
    Charles> peer in order for everything to work, so it would be more

I'm not sure I'd describe the association between the peer and authenticator as 
an AAA association.
I agree with the rest.

    Charles> 
    Charles> likely a NAS-ID than a MAC address.
Are you sure that the binding happens between the mac address and NAS
ID?  I don't understand how the peer ever confirms the NAS ID at layer
two unless it also happens to be a MAC address.

I do agree with you though that EAP channel bindings include the
peer's lower layer identity and the identity of the authenticator that
the peer will later be able to verify.



    Charles> That's not to say there isn't an L2 binding happening --
    Charles> but I think it's being performed by the L2 secure
    Charles> association phase that uses the EAP key to derive L2
    Charles> keys.  Then during that handshake, a MAC address may be
    Charles> involved, binding in an L2 identity.

ANd if things are secure some L2 identity of the authenticator.


    Charles> I guess I see EAP channel bindings as an EAP<->AAA
    Charles> binding, and the L2 secure association protocol as the
    Charles> EAP<->L2 binding.

The L2 secure association protocol cannot be an eap->anything binding:
it does not typically use EAP level identifiers.

    Charles> -- t. charles clancy, ph.d.  <> tcc(_at_)umd(_dot_)edu <>
    Charles> www.cs.umd.edu/~clancy





_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings, Sam Hartman
Next by Date:  RE: Withdrawal of Approval and Second Last Call: draft-housley-tls-authz-extns, Russ Housley
Previous by Thread:  Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings, Charles Clancy
Next by Thread:  Re: [Emu] Last call comments: draft-williams-on-channel-binding-01.txt: EAP channel bindings, Charles Clancy
Indexes:  [Date] [Thread] [Top] [All Lists]