Hi Mališa,
El 11/12/2020 a las 19:45, Mališa Vučinić escribió:
Hi Dan,
Thanks for the clarification regarding minimal-security. The points
that you mention below, e.g. flexible authentication or the fresh
generation of the PSK, were never in the design scope of our work.
While I fail to understand what exactly do you plan on using
EAP-over-CoAP for, I do not object on this work being done in ACE if
you are willing to spend cycles on it. I do have reservations on the
lightweight aspect of this, however, considering that the sequence
diagram that you depict in Fig. 2 in draft-marin-ace-wg-coap-eap-06
spans 3 pages and consumes 2 round trips just to get things started!
Surely, we can do better?
Yes, we will submit an updated version of the draft.
Best Regards,
Dan
Mališa
*From: *Dan Garcia Carrillo <garcia...@uniovi.es>
*Date: *Friday 11 December 2020 at 18:41
*To: *Mališa Vučinić <malisa.vuci...@inria.fr>, Michael Richardson
<mcr+i...@sandelman.ca>, EMU WG <emu@ietf.org>, "c...@ietf.org WG
(c...@ietf.org)" <c...@ietf.org>, "a...@ietf.org" <a...@ietf.org>
*Cc: *<garcia...@uniovi.es>
*Subject: *Re: [core] [Ace] Proposed charter for ACE (EAP over CoAP?)
Hi Mališa,
My intention was not to turn this conversation into a criticism of
your work. “deficiencies” was not the most appropriate word.
What we had in mind was a way of providing authentication to the
variety of IoT devices with different capabilities, limitations or
different types of supported credentials. A way of doing that is to
provide different authentication methods. Since in IoT there are
different technologies we looked for a link-layer independent
solution. Additionally, since some technologies are very constrained,
we needed a very constrained protocol to carry out the process.
EAP provides flexible authentication, and it has EAP Key Management
Framework which is well specified and working for many years, from
which you can generate generate a fresh pre-shared key (MSK)
dynamically. This is even possible if you do not want to interact with
AAA infrastructures running EAP in standalone mode. Having said this,
another thing that we looked into was to give support to large scale
deployments. We can ease this process with EAP and its interaction
with a AAA infrastructure, which gains relevance in Industrial IoT and
5G.
All these characteristics can be provided by the use of EAP, if we of
course have a lightweight EAP lower layer to transport EAP from the
IoT device. Then we considered the usage of CoAP as EAP lower-layer.
In this sense, we saw minimal security did not fit our view (no
potential interaction with AAA , flexible authentication, fresh
generation of PSK). In fact, the provisioning of the PSK was out of
scope.
At some level, we could even consider the work complementary. EAP over
CoAP could be a way of providing the PSK for the work of minimal
security.
Best Regards,
Dan.
El 10/12/2020 a las 18:43, Mališa Vučinić escribió:
Hi Dan,
Could you be more specific on the point below, what deficiencies
do you have in mind?
Mališa
*From: *core <core-boun...@ietf.org>
<mailto:core-boun...@ietf.org> on behalf of Dan Garcia
<garcia...@uniovi.es> <mailto:garcia...@uniovi.es>
*Date: *Thursday 10 December 2020 at 10:06
*To: *Michael Richardson <mcr+i...@sandelman.ca>
<mailto:mcr+i...@sandelman.ca>, EMU WG <emu@ietf.org>
<mailto:emu@ietf.org>, "c...@ietf.org WG (c...@ietf.org)"
<mailto:core@ietf.orgWG(c...@ietf.org)> <c...@ietf.org>
<mailto:c...@ietf.org>, "a...@ietf.org" <mailto:a...@ietf.org>
<a...@ietf.org> <mailto:a...@ietf.org>
*Subject: *Re: [core] [Ace] Proposed charter for ACE (EAP over CoAP?)
As you comment , draft-ietf-6tisch-minimal-security - offers
minimal security and has several deficiencies that can be solved
by using EAP and AAA infrastructures.
-->
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu