Hi, Rafa: Thanks for your comments! Fast re-authentication is one promising mechanism to reduce the delay in access authentication. You have pointed out the possible ways for this scenario in abfab: - problem statment, requirement, solution(1. extend GSS-EAP, or 2. create a GSS-ERP mechanism) Your suggestion is fine for me.
------------ Yinxing Wei Rafa Marin Lopez <[email protected]> 2012/03/12 20:16 收件人 [email protected] 抄送 Rafa Marin Lopez <[email protected]>, [email protected] 主题 Re: [abfab] draft-wei-abfab-fcla-02 is posted (fast re-auth) Hi Yinxing: I have seen that you have also mentioned and described the problem of fast re-authentication in your I-D. We have been just discussing as you may have noticed. Although I am still in favor to define a general problem statement for this in ABFAB before going to solution space, I must say that here in UMU we have been thinking about a possible solution for providing this fast re-authentication procedure, which may have some similarities with yours. Basically, since GSS-EAP is used in ABFAB to provide authentication, our idea is to use ERP (RFC 5296) (and the associated infrastructure) to provide fast re-authentication in ABFAB. After all, ERP is the standard to reduce the authentication time in EAP-based authentications. In this way, we could extend GSS-EAP or create a GSS-ERP mechanism to transport ERP messages within GSS tokens. Something like: 1. Initiator --> Acceptor: GSS-EAP (EAP Initiate/Re-auth(SEQ, keyName-NAI, cryptosuite,Auth-tag*)) 1a. Acceptor --> ER-Server: AAA-Request{Authenticator-Id, EAP Initiate/Re-auth(SEQ,keyName-NAI, cryptosuite,Auth-tag*) 2. ER-Server --> Acceptor: AAA-Response{rMSK, EAP-Finish/Re-auth(SEQ,keyName-NAI, cryptosuite,[CB-Info],Auth-tag*) 2b. Acceptor --> Initiator: GSS-EAP (EAP-Finish/Re-auth(SEQ,keyName-NAI, cryptosuite,[CB-Info],Auth-tag*)) Even the ER-Server could be placed near the server (local ER server) reducing the travel time of the messages. Obviously this is just an idea, which needs to be elaborated and discussed. In fact, as I said, I think it would be better to start defining a problem statement, requirements etc... for fast re-authentication in ABFAB. UMU would be willing to work on that. Best regards. El 12/03/2012, a las 10:18, [email protected] escribió: Hi, all An updated version of Federated Cross-Layer Access (draft-wei-abfab-fcla-02) is posted. The major changes is in claust 4 : - 4. message flow - 4.1 fast re-authentication - 4.2 secure data sharing here is the draft: http://www.ietf.org/id/draft-wei-abfab-fcla-02.txt Any comments are appreciated! ------------- Yinxing Wei abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab ------------------------------------------------------- Rafael Marin Lopez, PhD Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 Fax: +34868884151 e-mail: [email protected] -------------------------------------------------------
_______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
