RE: [LinkSec] FW: [802-11Technical] <TGi> 802.1X Controlled Port

Bernard,

In 802.11 ad-hoc, I think that currently the same key is used in both directions for unicast frames transferred between a pair of stations – while two keys are generated, one is discarded.

Different keys would be used for each direction where two stations are exchanging broadcast frames (neglecting for the purposes of explanation all the others who might hear them), however these keys are randomly generated rather than being derived from EAP.

I think that the only keys that are derived from EAP, and that are different in the two directions, are those that are used to protect the post-EAP 802.1X messages (4 way and group handshake). I think it’s the decision to use these handshakes unmodified in two directions, rather than create a new bi-directional handshake, that leads to the requirement to generate two sets of keys, not anything inherent about the architecture of 802.11 ad-hoc.

Though as ever, I’ll be more than happy to be educated by those more expert than myself in these matters!

My original issue with the TGi draft was not that what it does is incorrect (in my opinion) but that the informative, descriptive text seemed to be describing something different from what the normative text said.

Mike.

Mike Moreton

Synad Technologies Ltd.

-----Original Message-----
From: CONGDON,PAUL (HP-Roseville,ex1) [mailto:paul.congdon@hp.com]
Sent: 02 June 2003 02:13
To: LinkSec; stds-802-1@ieee.org
Subject: [LinkSec] FW: [802-11Technical] <TGi> 802.1X Controlled Port

FYI...  Of interest to these groups I'm sure...

-----Original Message-----
From: Bernard Aboba [mailto:bernarda@windows.microsoft.com]
Sent: Friday, May 30, 2003 2:45 PM
To: Mike Moreton; CONGDON,PAUL (HP-Roseville,ex1); stds-802-11@ieee.org
Subject: RE: [802-11Technical] <TGi> 802.1X Controlled Port

There is something of a misunderstanding relating to Section 6.7 that needs to be clarified both in IEEE 802.1X/D6 as well as in IEEE 802.11i.  EAP is fundamentally a peer-to-peer protocol, and as a result, after a mutual authentication, both sides are capable of communicating.  There is no need to do bi-directional authentication, for example, in order to enable exchange of Bridge PDUs in LinkSec. Yet, because of the Section 6.7 language this misunderstanding persists.

I believe that Section 6.7 needs to be clarified so as to make clear bi-directional authentication is required and for what reasons.  As I understand it, the reason why this is needed for IEEE 802.11i adhoc has nothing to do with EAP, or even IEEE 802.1X but rather relates to specific issues encountered in IEEE 802.11 adhoc.  For example, where different keys are needed in each direction and a single key will not suffice, or where the sequence space cannot be guaranteed to be distinct in each direction, it may be necessary to derive more than a single key.  This is the requirement that is driving use of bi-directional authentication within IEEE 802.11i adhoc.

There really is no issue with respect to "asymmetry of the controlled/uncontrolled port".  RFC 2284bis will make it clear that no such asymmetry exists within EAP or any encapsulating media such as IEEE 802.1X.  In reality, each side of the conversation decides when they wish to enable communications and therefore a single mutual authentication is sufficient in many cases, including those considered by LINKSEC.
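The point the two messages above turn on (Mike's: one unicast key serves both directions in 802.11 ad-hoc; Bernard's: a second key is needed only where the sequence space cannot be kept distinct per direction) can be shown concretely. The following is an added example written for this page, not code from the thread or from any IEEE draft. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for CCMP's AES-CTR (an assumption, chosen so the example runs with the Python standard library alone), constructed MAC addresses, packet numbers and frame contents, and an assumed HMAC-based per-direction key derivation that is not the 802.11i PRF or key hierarchy. It shows that one shared key with each station counting packet numbers from zero reuses keystream and leaks the XOR of the two plaintexts to an eavesdropper, and that either putting the transmitter address into the nonce (as CCMP does) or deriving one key per direction removes the collision.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).

    Stand-in for CCMP's AES-CTR keystream so the example needs only the
    standard library (assumption); the nonce-reuse property is the same.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the shorter of the two inputs."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption; decryption is the same operation."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


# Constructed sample data: two ad-hoc stations sharing one unicast temporal key.
STA_A = bytes.fromhex("020000000001")  # transmitter address (A2) of station A
STA_B = bytes.fromhex("020000000002")  # transmitter address (A2) of station B
UNICAST_KEY = hashlib.sha256(b"constructed temporal key").digest()[:16]
FRAME_A = b"who-has 10.0.0.2 tell 10.0.0.1"      # A -> B
FRAME_B = b"10.0.0.2 is-at 02:00:00:00:00:02"    # B -> A


def pn_only_nonce(pn: int) -> bytes:
    """Nonce built from the packet number alone. Each station counts from 0,
    so A's PN=1 and B's PN=1 collide under a shared key."""
    return pn.to_bytes(6, "big")


def ccmp_style_nonce(ta: bytes, pn: int) -> bytes:
    """802.11i CCMP puts the transmitter address into the nonce
    (priority || A2 || PN); here A2 || PN, priority omitted for brevity."""
    return ta + pn.to_bytes(6, "big")


def direction_key(base_key: bytes, sender: bytes, receiver: bytes) -> bytes:
    """Derive a distinct key per direction. Assumed HMAC-based KDF for this
    example, not the 802.11i PRF or its key hierarchy."""
    label = b"unicast-direction" + sender + receiver
    return hmac.new(base_key, label, hashlib.sha256).digest()[:16]


def keystream_reused(c_a: bytes, c_b: bytes, m_a: bytes, m_b: bytes) -> bool:
    """Eavesdropper's test: if both frames used the same keystream,
    c_a XOR c_b equals m_a XOR m_b, i.e. plaintext relationships leak."""
    return xor(c_a, c_b) == xor(m_a, m_b)


def shared_key_pn_only_leaks() -> bool:
    """One key, per-station PN counters, no direction in the nonce."""
    c_a = encrypt(UNICAST_KEY, pn_only_nonce(1), FRAME_A)
    c_b = encrypt(UNICAST_KEY, pn_only_nonce(1), FRAME_B)
    return keystream_reused(c_a, c_b, FRAME_A, FRAME_B)


def shared_key_ta_in_nonce_leaks() -> bool:
    """One key, but the transmitter address separates the two sequence spaces."""
    c_a = encrypt(UNICAST_KEY, ccmp_style_nonce(STA_A, 1), FRAME_A)
    c_b = encrypt(UNICAST_KEY, ccmp_style_nonce(STA_B, 1), FRAME_B)
    return keystream_reused(c_a, c_b, FRAME_A, FRAME_B)


def per_direction_keys_leak() -> bool:
    """Two keys, one per direction; PN-only nonces may then overlap safely."""
    k_ab = direction_key(UNICAST_KEY, STA_A, STA_B)
    k_ba = direction_key(UNICAST_KEY, STA_B, STA_A)
    c_a = encrypt(k_ab, pn_only_nonce(1), FRAME_A)
    c_b = encrypt(k_ba, pn_only_nonce(1), FRAME_B)
    return keystream_reused(c_a, c_b, FRAME_A, FRAME_B)


def round_trips(key: bytes, nonce: bytes, frame: bytes) -> bool:
    """Receiver check: the same key and nonce recover the frame."""
    return encrypt(key, nonce, encrypt(key, nonce, frame)) == frame


if __name__ == "__main__":
    print("shared key, PN-only nonce leaks:", shared_key_pn_only_leaks())
    print("shared key, TA in nonce leaks:  ", shared_key_ta_in_nonce_leaks())
    print("per-direction keys leak:        ", per_direction_keys_leak())
```

Running the file prints True for the first case and False for the other two. The second case is the mechanism that lets the single unicast key Mike describes be used in both directions: CCMP's nonce carries the transmitter address, so the two stations' packet-number spaces never overlap even though they share a key. The third case is the alternative Bernard points to for a cipher or framing where the nonce cannot carry that distinction; it is the only situation in which deriving two keys is a cryptographic necessity rather than a consequence of running the 4-way handshake twice.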