On Wed, Sep 27, 2006 at 03:19:34PM +0200, Mark Townsley wrote:
>
> Now that the handshake phase is no longer being used for discovery,
> could we collapse the information in 3-way Handshake phase into the
> Authentication and Authorization phase? It seems that this is a MAY
> according to this text, so it should at least be possible:
>
>    The initial EAP Request message MAY be optionally carried by the
>    PANA-Start-Request (as opposed to by a later PANA-Auth-Request)
>    message in order to reduce the number of round-trips. This
>    optimization SHOULD NOT be used if the PAA is desired to be stateless
>    in the handshake phase since transmission of an EAP Request message
>    creates a state at EAP layer. See [RFC4137] for more information on
>    the EAP state machine and the allocation of state information in the
>    respective protocol steps.
>
> I'm not sure the state at the EAP layer is significant enough to burden
> PANA with an entire phase and 3-way handshake.

Since PaC and PAA may be communicating over multiple IP hops (and thus
PAA is exposed to attackers in the Internet in general), it is
important from a security perspective to support stateless operation
until reachability of the PaC from the PAA is verified as much as
possible.

Speaking of EAP layer state, I know of an existing EAP authenticator
state machine implementation that requires more than 500 bytes of
memory allocation per EAP session.

>
> Given that discovery is now out of scope in this document and the IP
> address of the PAA is obtained from DHCP, I think that it would be
> better to go ahead and send EAP payloads right away. Removal of the
> entire Handshake phase would be a significant simplification to the
> protocol.

I don't think we can entirely remove the handshake phase because of
stateless handshake and network selection, both of which are important
optional features to support.

Yoshihiro Ohba

>
> - Mark
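
Added example, not part of the original message or of the PANA specification: a sketch of how a PAA can stay stateless until the PaC's reachability is confirmed, so that EAP session memory is allocated only after a round trip. It assumes an HMAC-based cookie that the PaC echoes back; the class, method names, cookie layout, lifetime and addresses are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

COOKIE_LIFETIME = 30  # seconds a cookie stays valid (assumed value)


class StatelessPAA:
    """Toy PAA that allocates EAP state only after a cookie round trip."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # local key, never sent
        self.eap_sessions = {}                  # per-PaC state, created late

    def _mac(self, pac_addr, issued):
        ip, port = pac_addr
        msg = ip.encode() + struct.pack("!HI", port, issued)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def on_first_contact(self, pac_addr, now):
        """Reply with a cookie bound to the source address; store nothing."""
        issued = int(now)
        return struct.pack("!I", issued) + self._mac(pac_addr, issued)

    def on_cookie_echo(self, pac_addr, cookie, now):
        """Create EAP state only if the cookie shows the PaC saw our reply."""
        if len(cookie) != 4 + 32:
            return False
        (issued,) = struct.unpack("!I", cookie[:4])
        if not 0 <= now - issued <= COOKIE_LIFETIME:
            return False
        if not hmac.compare_digest(cookie[4:], self._mac(pac_addr, issued)):
            return False
        self.eap_sessions[pac_addr] = {"eap_state": "IDLE"}
        return True


def demo():
    paa = StatelessPAA(secret=b"constructed-demo-secret")
    real, spoofed = ("192.0.2.10", 40000), ("198.51.100.7", 40000)
    cookie = paa.on_first_contact(real, now=1000)
    before = len(paa.eap_sessions)  # no state after first contact
    forged = paa.on_cookie_echo(real, struct.pack("!I", 1000) + bytes(32), 1001)
    moved = paa.on_cookie_echo(spoofed, cookie, 1001)  # other source address
    expired = paa.on_cookie_echo(real, cookie, 1000 + COOKIE_LIFETIME + 1)
    accepted = paa.on_cookie_echo(real, cookie, 1002)
    return before, forged, moved, expired, accepted, len(paa.eap_sessions)
```

Only the final call, from the address that actually received the cookie and within its lifetime, causes the per-session allocation discussed above.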
