>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:
Rafa> Hi Sam: El 18/10/2011, a las 18:55, Sam Hartman escribió:
>>>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:
>>
Rafa> Hi Sam: El 18/10/2011, a las 17:35, Sam Hartman escribió:
>>
>>>> I think I may have been unclear in what I was proposing. I'm
>>>> proposing that the peer send its identity in the first message
>>>> (*) and that the server gets to respond with type 4 or greater
>>>> (a specific EAP method).
>>
Rafa> Sending its identity does not mean that it must be carried in
Rafa> the EAP response/identity. In fact what I suggested is to
Rafa> carry the identity in the first message but not contained in
Rafa> the EAP response/identity.
>>
>> OK. Why not carry it in the EAP response/identity? It seems
>> easier than developing new encoding.
Rafa> Basically EAP is a lock-step protocol where it is required to
Rafa> get a request to obtain a response (in the peer side)). So the
Rafa> EAP peer state machine implementing the EAP standard protocol
Rafa> will react after receiving an EAP request. So I see two
Rafa> options: either you hack the EAP peer state machine to return
Rafa> an EAP response/identity without receiving any EAP
Rafa> request/identity (this "violates" the standard and so we need
Rafa> to hack the EAP peer state machine)
Or the initiator synthesizes a request and feeds it to the peer's state
machine.
IN our implementation, even if the IETF decides on an an alternate
encoding for the identity, we'll end up synthesizing an identity request
and doing something with the identity response.
With a standard EAP library that is lock-step in the manner you
describe, it's far easier to produce a synthetic identity request in the
initiator than to hack the state machine or do anything else. Think of
it this way. In GSS-EAP, the identity request is generated by a party
very close to the initiator. EAP already supports the identity request
being generated by a different party than the actual EAP messages. Why
does it matter whether the request comes from inside the peer or from a
NAS?
Rafa> or directly at GSS-API
Rafa> level you create a EAP response/identity and include the
Rafa> identity (which seems weird taking into account that we have
Rafa> an EAP stack in charge of creating EAP messages)
But if you don't create an EAP response/identity on the initiator you
probably do have to do it on the acceptor to trigger AAA to use EAP.
Rafa> Personally, I do not like either (considering the standard RFC
Rafa> 3748). So, I would prefer to define a subtoken for this.
We can do that. It means faking up an identity response on the
acceptor. But that is certainly not a big deal.
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
