
AW: RADEXT Milestone revisions



Hi David, 

> Hannes Tschofenig writes...
> 
> > wouldn't something like a RADIUS domain of interpretation for ISAKMP
> > be appropriate here?
> 
> I don't know.  We're talking about keywrap for specific uses, e.g.
> 802.11.  OTOH, there is a charter prohibition on developing a new
> security model for RADIUS.

Here is my understanding of what is going on with the keywrap:

The Problem: 
 
EAP-derived keying material has to be sent confidentiality-protected
from the RADIUS server to the RADIUS client.
Intermediate proxies MUST NOT see the EAP-derived keying material.

The Solution: 

KeyWrap keys* need to be available at the RADIUS server and the RADIUS
client to allow protected key transport between these two endpoints. 

*: These keys can either be static or dynamically established. Key
management is known to be difficult. 

The Open Question: 

Is out-of-band key management really an option?
My argument is that you also have to care about the key management.
Dealing also with the encryption of the EAP-derived keying material is
not enough. 

> 
> > there is also a rule that says "adding manpower to a late project
> makes
> > it later."
> 
> Yes.  "The Mythical Man-Month".  :-)  It is a balance, to be sure.
>  
> > In ECRIT we scheduled an interim meeting that helped a lot to speed up
> > the work on the document.
> > You might also want to think about it.
> 
> This is something that we could consider.  Sometimes a couple of days of
> face-time is very helpful.  The other alternative is teleconferences.

Yes, we also investigated this option. The problem is: the rules for
official phone conferences and interim meetings are the same. This gives
very little time for phone conferences, and a face-to-face meeting is
more efficient.
These rules are also probably something to revisit.
 
> While providing less bandwidth, teleconferences have the 
> benefit of not
> requiring travel (and travel budget).
Sure.

I am willing to host a meeting in Munich, if you would like to schedule
one.

ciao
hannes

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>