Alper Yegin wrote:
> Sam is proposing to decouple EAP security association management from the 
> application state.
> More specifically, even after the EAP session is released/timed out, 
> application may still be in use.
> What that means is, if the server has an application message that is pending 
> to be transmitted to the client, and if at that time there's no security 
> association available (see above), then the server needs to initiate 
> re-authentication in order to re-generate a security association and send the 
> app message securely.

  This is what's done today for 802.1X authentication.  Both wired &
wireless.  The solution is to re-establish authentication before sending
another application message.

  The hard part about 802.1X is that the application doesn't know
there's an underlying security association.  All it knows is that the
network went away for a bit, and then came back.

  For PCP, it's reasonable that the application knows the EAP session
has timed out.  It can re-establish it before sending the next message.
 Or, if messages are rare, it can wait and re-establish it later.

  Alan DeKok.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
