Jari Arkko [mailto:jari.ar...@piuha.net] writes:
> Can we technically specify the IPsec parts without PEMK? If yes, we
> should do it. If not, we have an issue.
>
> Quickly scanning through the documents, PaC-EP-Master-Key does not seem
> to be defined in RFC 5191 but it is used by draft-ietf-pana-ipsec.

One of the problems w/ draft-ietf-pana-ipsec is that the precise nature of the protection between the PaC & EP doesn't seem to be specified _anywhere_ (please correct me if I'm wrong). For the purposes of draft-ietf-pana-ipsec, the connection should probably be protected using IPsec (to avoid a weakest-link attack), but that needs to be specified. As for draft-ohba-pana-pemk-02, it specifies (as does 5191) the use of the MSK which is a _really_ bad idea IMHO -- the EMSK should really be used instead.

> At the very least we need a definition of Pac-EP-Master-Key in
> draft-ietf-pana-ipsec, not sure if a separate document is needed.
>

...

~ gwz

Nuclear power: more toxic than Britney Spears.