Thread: Questions for draft-barany-eap-gee-01
Questions for draft-barany-eap-gee-01
2006-06-21 16:35:54
I still don't understand how what you write below is relevant to the discussion at hand, but anyway, I think I made my point.

I will note that the word "service" seems to throw people off into debates on authentication vs. authorization and that may be what's happening here. If it helps, perhaps the use of the terms L2 access and L3 access might be better.

Further, multiple parallel authentications could also be for device and user authentications as Kuntal points out. Other use cases are also possible.

regards,
Lakshminath

At 09:00 AM 6/21/2006, Nakhjiri Madjid-MNAKHJI1 wrote:
>Inclusion of information regarding access versus service is an authorization act.
>
>Madjid
>
>-----Original Message-----
>From: Lakshminath Dondeti [mailto:ldondeti qualcomm.com]
>Sent: Tuesday, June 20, 2006 10:41 PM
>To: Nakhjiri Madjid-MNAKHJI1; M. Vanderveen; Quinn Li; Cao Zhen
>Cc: eap frascone.com
>Subject: RE: [eap] Questions for draft-barany-eap-gee-01
>
>At 11:58 AM 6/20/2006, Nakhjiri Madjid-MNAKHJI1 wrote:
> >I agree, it seems that AAA functions that are typically done after authentication are introduced into EAP messaging, while EAP is just a protocol to carry authentication exchanges. EAP is an "authentication" protocol, not a AAA protocol.
>
>I am confused here. I see no reference to AAA, especially the AAA protocol, in the emails below. What are you referring to?
>
>Lakshminath
>
> >
> >Madjid
> >
> >----------
> >From: M. Vanderveen [mailto:mvandervn yahoo.com]
> >Sent: Tuesday, June 20, 2006 1:51 PM
> >To: Nakhjiri Madjid-MNAKHJI1; Lakshminath Dondeti; Quinn Li; Cao Zhen
> >Cc: eap frascone.com
> >Subject: Re: [eap] Questions for draft-barany-eap-gee-01
> >
> >While a solution for demultiplexing several EAP sessions might be helpful, part of the resistance to the introduction of this sublayer is probably due to the fact that there are ways around this issue.
> >
> >It's not clear to me why we are trying to inform the peer as to whether the current EAP session is for service vs. for access. Looking at the newly emerged EAP-GPSK, all the peer needs to know is the ID it gave the server and the server ID, in order to pull out the correct security association to carry out EAP-GPSK. It can be informed whether access or service was granted *after* this is all done, by some other means that have nothing to do with EAP.
> >
> >In the network that we have deployed, and in others that we hope to deploy some day, multiple EAP sessions do come into play but the overall authentication mechanism can be made to work in a fairly simple fashion without any additional EAP-related mechanisms/layers.
> >
> >Michaela
> >
> >Nakhjiri Madjid-MNAKHJI1 <Madjid.Nakhjiri motorola.com> wrote:
> >
> >-----Original Message-----
> >From: Lakshminath Dondeti [mailto:ldondeti qualcomm.com]
> >Sent: Monday, June 12, 2006 11:58 PM
> >To: Quinn Li; Cao Zhen
> >Cc: eap frascone.com
> >Subject: Re: [eap] Questions for draft-barany-eap-gee-01
> >
> >Hi,
> >
> >GEE is not a general purpose authentication protocol. It is a generic EAP encapsulation mechanism that allows demultiplexing of multiple simultaneous EAP conversations between a peer and an authenticator. You say that the draft does describe the MVNO scenarios well, so I guess we can safely conclude that it does its job then.
> >
> >EAP is not used for IMS or Mobile IPv6 authentication, is it? So, in simple terms, it's not the purpose of the GEE draft to specify support for those services.
> >
> >Madjid>>EAP is being used for non-cellular access into IMS.
> >EAP is being considered for MIP6 bootstrapping.
> >If the idea is to standardize the usage, then it should not be customized for a specific use case.

Questions for draft-barany-eap-gee-01
2006-06-21 23:44:13
-----Original Message-----
From: Lakshminath Dondeti [mailto:ldondeti qualcomm.com]
Sent: Wednesday, June 21, 2006 11:36 AM
To: Nakhjiri Madjid-MNAKHJI1; M. Vanderveen; Quinn Li; Cao Zhen
Cc: eap frascone.com
Subject: RE: [eap] Questions for draft-barany-eap-gee-01

I still don't understand how what you write below is relevant to the discussion at hand, but anyway, I think I made my point.

Madjid>>Not sure what that means, but I guess that is good for you.

I will note that the word "service" seems to throw people off into debates on authentication vs. authorization and that may be what's happening here.

Madjid>>yes,

If it helps, perhaps the use of the terms L2 access and L3 access might be better.

Madjid>>Ok, that is better, but still L3 access is vague: is it getting IP addresses? Setting IP connectivity? And regardless of what it means, multiplexing multiple purposes in one EAP signaling, means you need to include indication for these purposes in the EAP signaling. I don't know how you would do it in a way that does not break existing implementations of EAP?

Further, multiple parallel authentications could also be for device and user authentications as Kuntal points out. Other use cases are also possible.

Madjid>> There are many cases, if not all cases, where device and user authentication do not happen in parallel but in series as a form of multifactor authentication.

regards,
Lakshminath