"Charles" == Charles Clancy <clancy(_at_)cs(_dot_)umd(_dot_)edu> writes:
>>> to be an L2 identity. It can be any identity that's
>>> meaningful to the parties involved, and can serve as the basis
>>> for making authorization decisions.
>> As long as it's cryptographically bound to the L2 channel and
>> that channel provides suitable protection for the EAP method
>> doing the EAP channel binding, THEN Sam's observation is
>> correct: "EAP channel binding" uses what I termed "end-point
>> channel binding" and "EAP cryptographic binding" uses what I
>> termed "unique channel binding."
Charles> I don't think I'm convinced that EAP channel bindings are
Charles> doing this binding to the L2 channel. The identity used
Charles> in an EAP channel binding must be bound to the AAA
Charles> security association between the authenticator and the
Charles> peer in order for everything to work, so it would be more
I'm not sure I'd describe the association between the peer and authenticator as
an AAA association.
I agree with the rest.
Charles>
Charles> likely a NAS-ID than a MAC address.
Are you sure that the binding happens between the mac address and NAS
ID? I don't understand how the peer ever confirms the NAS ID at layer
two unless it also happens to be a MAC address.
I do agree with you though that EAP channel bindings include the
peer's lower layer identity and the identity of the authenticator that
the peer will later be able to verify.
Charles> That's not to say there isn't an L2 binding happening --
Charles> but I think it's being performed by the L2 secure
Charles> association phase that uses the EAP key to derive L2
Charles> keys. Then during that handshake, a MAC address may be
Charles> involved, binding in an L2 identity.
And if things are secure, some L2 identity of the authenticator.
Charles> I guess I see EAP channel bindings as an EAP<->AAA
Charles> binding, and the L2 secure association protocol as the
Charles> EAP<->L2 binding.
The L2 secure association protocol cannot be an eap->anything binding:
it does not typically use EAP level identifiers.
Charles> -- t. charles clancy, ph.d. <> tcc(_at_)umd(_dot_)edu <>
Charles> www.cs.umd.edu/~clancy
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf